From 0d48bacc6ab93dee9820e90bb4a8fdcf6fc3bc16 Mon Sep 17 00:00:00 2001
From: tilo-14
Date: Tue, 17 Feb 2026 23:41:37 +0000
Subject: [PATCH] fix(token-sdk, token-pinocchio): pass fee_payer in TransferInterfaceCpi LightToLight path
TransferInterfaceCpi hardcoded fee_payer: None for LightToLight transfers, causing PrivilegeEscalation when the on-chain program attempted rent top-ups using the readonly authority account. Pass self.payer as fee_payer instead, since payer is already writable. token-sdk: set fee_payer: Some(self.payer) in TransferInterface::instruction() and add system_program + payer to account_infos in invoke()/invoke_signed(). token-pinocchio: set fee_payer: Some(self.payer) in TransferCpi construction for both invoke() and invoke_signed(). TransferCpi already handles fee_payer in its account_infos internally.
---
 .../token-pinocchio/src/instruction/transfer_interface.rs | 4 ++--
 sdk-libs/token-sdk/src/instruction/transfer_interface.rs | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/sdk-libs/token-pinocchio/src/instruction/transfer_interface.rs b/sdk-libs/token-pinocchio/src/instruction/transfer_interface.rs
index e7f0e0f085..7fe0f4e2d7 100644
--- a/sdk-libs/token-pinocchio/src/instruction/transfer_interface.rs
+++ b/sdk-libs/token-pinocchio/src/instruction/transfer_interface.rs
@@ -132,7 +132,7 @@ impl<'info> TransferInterfaceCpi<'info> {
 amount: self.amount,
 authority: self.authority,
 system_program: self.system_program,
- fee_payer: None,
+ fee_payer: Some(self.payer),
 }
 .invoke(),
@@ -228,7 +228,7 @@ impl<'info> TransferInterfaceCpi<'info> {
 amount: self.amount,
 authority: self.authority,
 system_program: self.system_program,
- fee_payer: None,
+ fee_payer: Some(self.payer),
 }
 .invoke_signed(signers),
diff --git a/sdk-libs/token-sdk/src/instruction/transfer_interface.rs b/sdk-libs/token-sdk/src/instruction/transfer_interface.rs
index 83720915e9..2fa38c0e63 100644
--- a/sdk-libs/token-sdk/src/instruction/transfer_interface.rs
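Review bot: The `TransferCpi` literal in the `@@ -132` hunk now names `self.payer` as the account debited for rent top-ups, but no upper bound on that debit is visible there, while the token-sdk counterpart passes `max_top_up: self.max_top_up` next to `fee_payer`. The literal and the enclosing `invoke()` start above the hunk, so a cap may be set on a field I cannot see; if it is not, a program calling this CPI cannot limit what its payer is charged. The `@@ -228` hunk in `invoke_signed()` has the same shape. Whichever way that resolves, the `payer` field should carry the new contract as a doc comment, e.g. `/// Funds rent top-ups on the LightToLight path; must be writable.`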
+++ b/sdk-libs/token-sdk/src/instruction/transfer_interface.rs
@@ -134,7 +134,7 @@ impl TransferInterface {
 amount: self.amount,
 authority: self.authority,
 max_top_up: self.max_top_up,
- fee_payer: None,
+ fee_payer: Some(self.payer),
 }
 .instruction(),
@@ -344,6 +344,8 @@ impl<'info> TransferInterfaceCpi<'info> {
 self.source_account,
 self.destination_account,
 self.authority,
+ self.system_program,
+ self.payer,
 ];
 invoke(&instruction, &account_infos)
 }
@@ -414,6 +416,8 @@ impl<'info> TransferInterfaceCpi<'info> {
 self.source_account,
 self.destination_account,
 self.authority,
+ self.system_program,
+ self.payer,
 ];
 invoke_signed(&instruction, &account_infos, signer_seeds)
 }
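Review bot: The `account_infos` arrays in the `@@ -344` and `@@ -414` hunks now forward `self.system_program` and `self.payer`, and the `@@ -134` hunk names the payer as `fee_payer`, yet the diffstat lists only the two `transfer_interface.rs` files, so the fix lands without a regression test. A test that runs a LightToLight transfer through `invoke()` and `invoke_signed()` with a read-only authority and an account that needs a top-up would pin the PrivilegeEscalation case described in the commit message. For `invoke_signed()`, whose body begins outside the hunk, the doc comment should also say whether the seeds have to cover the payer, for example `/// signer_seeds must include the payer's seeds when payer is a PDA.` I am inferring that requirement from the payer now being debited, so confirm it against the on-chain program before adding the comment.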