fix(ata): validate token dispatch and existing occupants #84

Open
3esmit wants to merge 2 commits into main from fix/ata-validate-token-dispatch

Conversation

3esmit (Collaborator) commented May 4, 2026

Closes #83

Summary

This PR makes ATA token operations dispatch only to the canonical token program and tightens idempotent Create handling for already occupied ATA PDAs.

ATA now receives the trusted token program ID from guest wiring instead of deriving downstream token dispatch from caller-supplied account metadata. Existing ATA occupants are accepted as idempotent only when they are canonical token holdings for the requested token definition.

Changes

  • Threaded the trusted token program ID through ATA create, transfer, and burn logic.
  • Wired ATA guest dispatch to token_methods::TOKEN_ID without adding a caller-supplied instruction argument or changing the ATA IDL.
  • Added canonical ownership and decode checks for token definitions and ATA holdings before emitting chained token calls.
  • Made idempotent Create reject malformed, foreign-owned, or wrong-definition ATA PDA occupants.
  • Made Burn reject foreign-owned token definitions and holder/definition mismatches before forwarding the burn.
  • Updated ATA core comments so they no longer describe token dispatch as account-owner-derived.
  • Added unit and integration coverage for non-canonical token owners, malformed existing ATA occupants, and burn definition mismatches.

Validation

The following checks passed:

cargo +nightly fmt --all -- --check
taplo fmt --check .
RISC0_SKIP_BUILD=1 cargo +1.94.0 clippy --workspace --all-targets -- -D warnings
RISC0_DEV_MODE=1 cargo +1.94.0 test --workspace --exclude integration_tests
RISC0_DEV_MODE=1 cargo +1.94.0 test -p integration_tests
cargo +1.94.0 run -p idl-gen -- ata/methods/guest/src/bin/ata.rs > /tmp/lez-ata-idl.json
diff -u artifacts/ata-idl.json /tmp/lez-ata-idl.json
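As an added illustration (not the ATA crate's own code) of the occupant checks the description lists, the following models idempotent Create over an existing ATA PDA: the guest-wired trusted token program ID is the only dispatch target, the occupant's owner is compared against it rather than used to derive dispatch, and malformed, foreign-owned or wrong-definition occupants are rejected. The type names, 32-byte IDs and the holding layout are assumptions made for the example.

```rust
// Added illustration, not the ATA crate's own code: a minimal model of the occupant
// checks this PR describes. Names, the 32-byte ids and the holding layout are assumed.
#[derive(Debug, PartialEq)]
pub struct Account { pub owner: [u8; 32], pub data: Vec<u8> } // owner = owning program id

#[derive(Debug, PartialEq)]
pub enum AtaError { ForeignOwner, Malformed, WrongDefinition }

/// Assumed holding layout: 32-byte definition id, then a little-endian u64 amount.
#[derive(Debug, PartialEq)]
pub struct Holding { pub definition: [u8; 32], pub amount: u64 }

pub fn decode_holding(data: &[u8]) -> Option<Holding> {
    if data.len() != 40 {
        return None; // truncated or oversized data is malformed, not "zero balance"
    }
    let mut definition = [0u8; 32];
    definition.copy_from_slice(&data[..32]);
    let amount = u64::from_le_bytes(data[32..40].try_into().ok()?);
    Some(Holding { definition, amount })
}

/// The guest-wired `trusted_token_program` is the only dispatch target; the occupant's
/// own `owner` field is compared against it, never used to choose where to dispatch.
pub fn validate_existing_occupant(occupant: &Account, trusted_token_program: &[u8; 32], requested_definition: &[u8; 32]) -> Result<Holding, AtaError> {
    if &occupant.owner != trusted_token_program {
        return Err(AtaError::ForeignOwner); // a foreign program owns the PDA
    }
    let holding = decode_holding(&occupant.data).ok_or(AtaError::Malformed)?;
    if &holding.definition != requested_definition {
        return Err(AtaError::WrongDefinition); // holding is for another token definition
    }
    Ok(holding)
}

#[derive(Debug, PartialEq)]
pub enum CreateOutcome { EmitCreate, AlreadyExists(u64) }

/// Idempotent Create: an empty PDA chains a create call; an occupied PDA is accepted
/// as a no-op only if it passes every check above, otherwise the instruction fails.
pub fn idempotent_create(existing: Option<&Account>, trusted_token_program: &[u8; 32], requested_definition: &[u8; 32]) -> Result<CreateOutcome, AtaError> {
    match existing {
        None => Ok(CreateOutcome::EmitCreate),
        Some(acc) => validate_existing_occupant(acc, trusted_token_program, requested_definition)
            .map(|h| CreateOutcome::AlreadyExists(h.amount)),
    }
}
```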

Copilot AI review requested due to automatic review settings May 4, 2026 14:09
Copilot AI left a comment

Pull request overview

This PR hardens the ATA program’s trust boundary by ensuring chained token operations only dispatch to the canonical token program (wired by the ATA guest), and by tightening idempotent Create so an already-occupied ATA PDA is only accepted if it is a valid canonical token holding for the requested token definition.

Changes:

  • Threaded a trusted token_program_id through ATA create, transfer, and burn, and validated token definition / holding ownership + decoding before emitting chained token calls.
  • Strengthened idempotent Create to reject malformed, foreign-owned, or wrong-definition occupants at the derived ATA PDA.
  • Added unit + integration tests covering foreign token owners, malformed existing ATA occupants, and burn definition mismatches.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

Summary per file:

  • integration_tests/tests/ata.rs: Adds integration coverage for rejecting foreign-owned token definitions, malformed ATA occupants, foreign-owned sender ATA, and burn definition mismatches.
  • ata/src/validation.rs: Introduces helpers to enforce canonical token-program ownership and decode token definitions/holdings.
  • ata/src/transfer.rs: Uses trusted token_program_id and canonical holding validation instead of deriving dispatch from account owners.
  • ata/src/tests.rs: Extends unit tests to cover foreign-owned/malformed accounts and definition mismatches across create/transfer/burn.
  • ata/src/lib.rs: Registers the new validation module.
  • ata/src/create.rs: Validates canonical token definition and existing ATA occupant correctness for idempotent create.
  • ata/src/burn.rs: Validates canonical token definition + holding, and enforces holding/definition match before chaining burn.
  • ata/methods/guest/src/bin/ata.rs: Wires ATA dispatch to the canonical token program ID via token_methods::TOKEN_ID.
  • ata/methods/guest/Cargo.toml: Adds a dependency on token-methods to access the canonical token program ID.
  • ata/methods/guest/Cargo.lock: Records the new token-methods dependency resolution.
  • ata/core/src/lib.rs: Updates documentation to reflect canonical guest-wired token dispatch (no longer account-owner-derived).


Comment thread ata/methods/guest/Cargo.toml Outdated
risc0-zkvm = { version = "=3.0.5", default-features = false }
ata_core = { path = "../../core" }
ata_program = { path = "../..", package = "ata_program" }
token-methods = { path = "../../../token/methods" }
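Review bot: the new token-methods line is a bare path dependency with no version pin, unlike risc0-zkvm on the first line of this snippet, and it fixes the trusted token program ID into the ATA guest at compile time through token_methods::TOKEN_ID, so the ATA guest must be rebuilt whenever the token guest's ID changes; consider documenting that coupling in ata/core/src/lib.rs alongside the dispatch comments, or supplying the trusted ID to the guest in a way that does not require a compile-time dependency, which is the direction the author's May 5 comment on hardcoding the program id points to.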
3esmit (Collaborator, Author) commented May 5, 2026

This should not be merged yet. I am researching a proper solution (actually a proposal/feature request for LEZ), which would not require hardcoding the program id, because this limitation causes a lot of problems down the road for the future of this ecosystem.

Development

Successfully merging this pull request may close these issues.

Validate ATA token-program dispatch and existing occupants

2 participants