security fixes

2026-05-29 15:11:03 +00:00 · 2024-03-19 03:08:47 +00:00
parent bb09c693d7
commit 9f6ef5dce1
12 changed files with 231 additions and 85 deletions
--- a/tests/test_mine.rs
+++ b/tests/test_mine.rs
@@ -4,8 +4,8 @@ use ore::{
    instruction::{MineArgs, OreInstruction},
    state::{Bus, Proof, Treasury},
    utils::{AccountDeserialize, Discriminator},
-    BUS_ADDRESSES, BUS_COUNT, INITIAL_REWARD_RATE, MINT_ADDRESS, PROOF, TOKEN_DECIMALS, TREASURY,
-    TREASURY_ADDRESS,
+    BUS_ADDRESSES, BUS_COUNT, INITIAL_REWARD_RATE, MINT_ADDRESS, PROOF, START_AT, TOKEN_DECIMALS,
+    TREASURY, TREASURY_ADDRESS,
 };
 use rand::{distributions::Uniform, Rng};
 use solana_program::{
@@ -33,7 +33,7 @@ use spl_token::state::{AccountState, Mint};
 #[tokio::test]
 async fn test_mine() {
    // Setup
-    let (mut banks, payer, blockhash) = setup_program_test_env().await;
+    let (mut banks, payer, blockhash) = setup_program_test_env(true).await;

    // Submit register tx
    let proof_pda = Pubkey::find_program_address(&[PROOF, payer.pubkey().as_ref()], &ore::id());
@@ -130,11 +130,69 @@ async fn test_mine() {
    assert_eq!(beneficiary.close_authority, COption::None);
 }

+#[tokio::test]
+async fn test_mine_unfunded_bus() {
+    // Setup
+    let (mut banks, payer, blockhash) = setup_program_test_env(false).await;
+
+    // Submit register tx
+    let proof_pda = Pubkey::find_program_address(&[PROOF, payer.pubkey().as_ref()], &ore::id());
+    let ix = ore::instruction::register(payer.pubkey());
+    let tx = Transaction::new_signed_with_payer(&[ix], Some(&payer.pubkey()), &[&payer], blockhash);
+    let res = banks.process_transaction(tx).await;
+    assert!(res.is_ok());
+
+    // Find next hash
+    let proof_account = banks.get_account(proof_pda.0).await.unwrap().unwrap();
+    let proof = Proof::try_from_bytes(&proof_account.data).unwrap();
+    let (next_hash, nonce) = find_next_hash(
+        proof.hash.into(),
+        KeccakHash::new_from_array([u8::MAX; 32]),
+        payer.pubkey(),
+    );
+
+    // Submit mine tx
+    let ix = ore::instruction::mine(payer.pubkey(), BUS_ADDRESSES[0], next_hash.into(), nonce);
+    let tx = Transaction::new_signed_with_payer(&[ix], Some(&payer.pubkey()), &[&payer], blockhash);
+    let res = banks.process_transaction(tx).await;
+    assert!(res.is_err());
+}
+
+#[tokio::test]
+async fn test_exceptional_claim() {
+    // Setup
+    let (mut banks, payer, blockhash) = setup_program_test_env(false).await;
+
+    // Submit register tx
+    let ix = ore::instruction::register(payer.pubkey());
+    let tx = Transaction::new_signed_with_payer(&[ix], Some(&payer.pubkey()), &[&payer], blockhash);
+    let res = banks.process_transaction(tx).await;
+    assert!(res.is_ok());
+
+    // Submit mine tx
+    let beneficiary = get_associated_token_address(&payer.pubkey(), &ore::MINT_ADDRESS);
+    let token_ix = create_associated_token_account(
+        &payer.pubkey(),
+        &payer.pubkey(),
+        &ore::MINT_ADDRESS,
+        &spl_token::id(),
+    );
+    let ix = ore::instruction::claim(payer.pubkey(), beneficiary, 1);
+    let tx = Transaction::new_signed_with_payer(
+        &[token_ix, ix],
+        Some(&payer.pubkey()),
+        &[&payer],
+        blockhash,
+    );
+    let res = banks.process_transaction(tx).await;
+    assert!(res.is_err());
+}
+
 #[tokio::test]
 async fn test_mine_fail_bad_data() {
    // Setup
    const FUZZ: usize = 10;
-    let (mut banks, payer, blockhash) = setup_program_test_env().await;
+    let (mut banks, payer, blockhash) = setup_program_test_env(true).await;

    // Submit register tx
    let proof_pda = Pubkey::find_program_address(&[PROOF, payer.pubkey().as_ref()], &ore::id());
@@ -319,7 +377,9 @@ fn find_next_hash(hash: KeccakHash, difficulty: KeccakHash, signer: Pubkey) -> (
    (next_hash, nonce)
 }

-async fn setup_program_test_env() -> (BanksClient, Keypair, solana_program::hash::Hash) {
+async fn setup_program_test_env(
+    funded_busses: bool,
+) -> (BanksClient, Keypair, solana_program::hash::Hash) {
    let mut program_test = ProgramTest::new("ore", ore::ID, processor!(ore::process_instruction));
    program_test.prefer_bpf(true);

@@ -334,7 +394,7 @@ async fn setup_program_test_env() -> (BanksClient, Keypair, solana_program::hash
                    &(Bus::discriminator() as u64).to_le_bytes(),
                    Bus {
                        id: i as u64,
-                        rewards: 250_000_000,
+                        rewards: if funded_busses { 250_000_000 } else { 0 },
                    }
                    .to_bytes(),
                ]
@@ -358,7 +418,7 @@ async fn setup_program_test_env() -> (BanksClient, Keypair, solana_program::hash
                    bump: treasury_pda.1 as u64,
                    admin: admin_address,
                    difficulty: KeccakHash::new_from_array([u8::MAX; 32]).into(),
-                    last_reset_at: 100,
+                    last_reset_at: START_AT,
                    reward_rate: INITIAL_REWARD_RATE,
                    total_claimed_rewards: 0,
                }
@@ -414,11 +474,11 @@ async fn setup_program_test_env() -> (BanksClient, Keypair, solana_program::hash
    program_test.add_sysvar_account(
        sysvar::clock::id(),
        &Clock {
-            slot: 10,
+            slot: 0,
            epoch_start_timestamp: 0,
            epoch: 0,
            leader_schedule_epoch: DEFAULT_SLOTS_PER_EPOCH,
-            unix_timestamp: 100,
+            unix_timestamp: START_AT + 1,
        },
    );

--- a/tests/test_register.rs
+++ b/tests/test_register.rs
@@ -164,11 +164,11 @@ async fn setup_program_test_env() -> (BanksClient, Keypair, solana_program::hash
    program_test.add_sysvar_account(
        sysvar::clock::id(),
        &Clock {
-            slot: 10,
+            slot: 0,
            epoch_start_timestamp: 0,
            epoch: 0,
            leader_schedule_epoch: DEFAULT_SLOTS_PER_EPOCH,
-            unix_timestamp: 100,
+            unix_timestamp: 0,
        },
    );

--- a/tests/test_reset.rs
+++ b/tests/test_reset.rs
@@ -5,7 +5,7 @@ use ore::{
    state::{Bus, Treasury},
    utils::{AccountDeserialize, Discriminator},
    BUS, BUS_ADDRESSES, BUS_COUNT, BUS_EPOCH_REWARDS, INITIAL_DIFFICULTY, INITIAL_REWARD_RATE,
-    MAX_EPOCH_REWARDS, MINT_ADDRESS, TOKEN_DECIMALS, TREASURY, TREASURY_ADDRESS,
+    MAX_EPOCH_REWARDS, MINT_ADDRESS, START_AT, TOKEN_DECIMALS, TREASURY, TREASURY_ADDRESS,
 };
 use rand::seq::SliceRandom;
 use solana_program::{
@@ -71,7 +71,7 @@ async fn test_reset() {
        Pubkey::from_str("AeNqnoLwFanMd3ig9WoMxQZVwQHtCtqKMMBsT1sTrvz6").unwrap()
    );
    assert_eq!(treasury.difficulty, INITIAL_DIFFICULTY.into());
-    assert_eq!(treasury.last_reset_at as u8, 100);
+    assert_eq!(treasury.last_reset_at, START_AT);
    assert_eq!(treasury.reward_rate, INITIAL_REWARD_RATE.saturating_div(2));
    assert_eq!(treasury.total_claimed_rewards as u8, 0);

@@ -104,7 +104,7 @@ async fn test_reset() {
 }

 #[tokio::test]
-async fn test_reset_busses_out_of_order() {
+async fn test_reset_busses_out_of_order_fail() {
    // Setup
    let (mut banks, payer, blockhash) = setup_program_test_env().await;

@@ -147,15 +147,45 @@ async fn test_reset_busses_out_of_order() {
    };
    let tx = Transaction::new_signed_with_payer(&[ix], Some(&payer.pubkey()), &[&payer], blockhash);
    let res = banks.process_transaction(tx).await;
-    assert!(res.is_ok());
+    assert!(res.is_err());
+}

-    // Test bus state
-    for i in 0..BUS_COUNT {
-        let bus_account = banks.get_account(bus_pdas[i].0).await.unwrap().unwrap();
-        assert_eq!(bus_account.owner, ore::id());
-        let bus = Bus::try_from_bytes(&bus_account.data).unwrap();
-        assert_eq!(bus.rewards, BUS_EPOCH_REWARDS);
-    }
+#[tokio::test]
+async fn test_reset_busses_duplicate_fail() {
+    // Setup
+    let (mut banks, payer, blockhash) = setup_program_test_env().await;
+
+    // Pdas
+    let signer = payer.pubkey();
+    let bus_pda = Pubkey::find_program_address(&[BUS, &[0]], &ore::id());
+    let treasury_tokens = spl_associated_token_account::get_associated_token_address(
+        &TREASURY_ADDRESS,
+        &MINT_ADDRESS,
+    );
+
+    // Submit tx
+    let ix = Instruction {
+        program_id: ore::id(),
+        accounts: vec![
+            AccountMeta::new(signer, true),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(bus_pda.0, false),
+            AccountMeta::new(MINT_ADDRESS, false),
+            AccountMeta::new(TREASURY_ADDRESS, false),
+            AccountMeta::new(treasury_tokens, false),
+            AccountMeta::new_readonly(spl_token::id(), false),
+        ],
+        data: OreInstruction::Reset.to_vec(),
+    };
+    let tx = Transaction::new_signed_with_payer(&[ix], Some(&payer.pubkey()), &[&payer], blockhash);
+    let res = banks.process_transaction(tx).await;
+    assert!(res.is_err());
 }

 #[tokio::test]
@@ -308,11 +338,11 @@ async fn setup_program_test_env() -> (BanksClient, Keypair, Hash) {
    program_test.add_sysvar_account(
        sysvar::clock::id(),
        &Clock {
-            slot: 10,
+            slot: 0,
            epoch_start_timestamp: 0,
            epoch: 0,
            leader_schedule_epoch: DEFAULT_SLOTS_PER_EPOCH,
-            unix_timestamp: 100,
+            unix_timestamp: START_AT,
        },
    );