feat(solana/ift): add propose_admin validation guards and e2e edge case tests

- Reject proposing zero address, self-proposal and duplicate proposals
- Add unit tests for all three new validation guards
- Add e2e negative tests: unauthorized propose/accept, cancel with no
  pending, propose while pending exists, stale accept after cancel
- Explicitly set pending_admin = None in initialize

Author: mariuszzak

e2e/interchaintestv8/solana_ift_test.go

@@ -1785,6 +1785,138 @@ func (s *IbcEurekaSolanaIFTTestSuite) Test_IFT_TwoStepAdminTransfer() {
 		s.Require().Equal(thirdAdminWallet.PublicKey(), state.Admin, "Admin should be the third admin")
 		s.Require().Nil(state.PendingAdmin, "Pending admin should be cleared")
 	}))
+
+	// Edge case: unauthorized propose (non-admin tries to propose)
+	s.Require().True(s.Run("Unauthorized propose is rejected", func() {
+		unauthorizedWallet, err := s.Solana.Chain.CreateAndFundWallet()
+		s.Require().NoError(err)
+
+		proposeIx, err := ift.NewProposeAdminInstruction(
+			unauthorizedWallet.PublicKey(),
+			s.IFTAppState,
+			unauthorizedWallet.PublicKey(), // not the admin
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(unauthorizedWallet.PublicKey(), proposeIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, unauthorizedWallet)
+		s.Require().Error(err, "Non-admin should not be able to propose")
+	}))
+
+	// Edge case: cancel with no pending proposal
+	s.Require().True(s.Run("Cancel with no pending proposal is rejected", func() {
+		cancelIx, err := ift.NewCancelAdminProposalInstruction(
+			s.IFTAppState,
+			thirdAdminWallet.PublicKey(), // current admin
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(thirdAdminWallet.PublicKey(), cancelIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, thirdAdminWallet)
+		s.Require().Error(err, "Cancel should fail when no pending proposal exists")
+	}))
+
+	// Set up a proposal so we can test more edge cases
+	var fourthAdminWallet *solanago.Wallet
+	s.Require().True(s.Run("Propose fourth admin for edge case tests", func() {
+		var err error
+		fourthAdminWallet, err = s.Solana.Chain.CreateAndFundWallet()
+		s.Require().NoError(err)
+
+		proposeIx, err := ift.NewProposeAdminInstruction(
+			fourthAdminWallet.PublicKey(),
+			s.IFTAppState,
+			thirdAdminWallet.PublicKey(),
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(thirdAdminWallet.PublicKey(), proposeIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, thirdAdminWallet)
+		s.Require().NoError(err)
+	}))
+
+	// Edge case: unauthorized accept (non-pending wallet tries to accept)
+	s.Require().True(s.Run("Unauthorized accept is rejected", func() {
+		acceptIx, err := ift.NewAcceptAdminInstruction(
+			s.IFTAppState,
+			thirdAdminWallet.PublicKey(), // current admin, not the pending admin
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(thirdAdminWallet.PublicKey(), acceptIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, thirdAdminWallet)
+		s.Require().Error(err, "Non-pending admin should not be able to accept")
+	}))
+
+	// Edge case: propose while pending already exists
+	s.Require().True(s.Run("Propose while pending exists is rejected", func() {
+		anotherWallet, err := s.Solana.Chain.CreateAndFundWallet()
+		s.Require().NoError(err)
+
+		proposeIx, err := ift.NewProposeAdminInstruction(
+			anotherWallet.PublicKey(),
+			s.IFTAppState,
+			thirdAdminWallet.PublicKey(), // current admin
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(thirdAdminWallet.PublicKey(), proposeIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, thirdAdminWallet)
+		s.Require().Error(err, "Propose should fail when a pending proposal already exists")
+	}))
+
+	// Edge case: cancel then stale accept
+	s.Require().True(s.Run("Cancel the proposal", func() {
+		cancelIx, err := ift.NewCancelAdminProposalInstruction(
+			s.IFTAppState,
+			thirdAdminWallet.PublicKey(),
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(thirdAdminWallet.PublicKey(), cancelIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, thirdAdminWallet)
+		s.Require().NoError(err)
+	}))
+
+	s.Require().True(s.Run("Stale accept after cancel is rejected", func() {
+		acceptIx, err := ift.NewAcceptAdminInstruction(
+			s.IFTAppState,
+			fourthAdminWallet.PublicKey(), // was the pending admin before cancel
+			solanago.SysVarInstructionsPubkey,
+		)
+		s.Require().NoError(err)
+
+		tx, err := s.Solana.Chain.NewTransactionFromInstructions(fourthAdminWallet.PublicKey(), acceptIx)
+		s.Require().NoError(err)
+
+		_, err = s.Solana.Chain.SignAndBroadcastTxWithRetry(ctx, tx, rpc.CommitmentConfirmed, fourthAdminWallet)
+		s.Require().Error(err, "Previously-pending admin should not be able to accept after cancel")
+	}))
+
+	// Verify state unchanged after all negative tests
+	s.Require().True(s.Run("Verify admin unchanged after edge case tests", func() {
+		state := readAppState()
+		s.Require().Equal(thirdAdminWallet.PublicKey(), state.Admin, "Admin should still be the third admin")
+		s.Require().Nil(state.PendingAdmin, "Pending admin should be nil")
+	}))
 }
 
 // Test_IFT_ExistingToken_InvalidPendingTransfer tests that ift_transfer rejects a wrong pending_transfer PDA

programs/solana/programs/ift/src/errors.rs

@@ -114,6 +114,15 @@ pub enum IFTError {
 
     #[msg("Signer is not the pending admin")]
     UnauthorizedPendingAdmin,
+
+    #[msg("Cannot propose the zero address as admin")]
+    InvalidProposedAdmin,
+
+    #[msg("Cannot propose the current admin as the new admin")]
+    SelfProposal,
+
+    #[msg("A pending admin proposal already exists; cancel it first")]
+    PendingAdminAlreadyExists,
 }
 
 impl From<CpiValidationError> for IFTError {

programs/solana/programs/ift/src/instructions/admin.rs

@@ -39,6 +39,19 @@ pub struct ProposeAdmin<'info> {
 pub fn propose_admin(ctx: Context<ProposeAdmin>, new_admin: Pubkey) -> Result<()> {
     reject_cpi(&ctx.accounts.instructions_sysvar, &crate::ID).map_err(IFTError::from)?;
 
+    require!(
+        new_admin != Pubkey::default(),
+        IFTError::InvalidProposedAdmin
+    );
+    require!(
+        new_admin != ctx.accounts.admin.key(),
+        IFTError::SelfProposal
+    );
+    require!(
+        ctx.accounts.app_state.pending_admin.is_none(),
+        IFTError::PendingAdminAlreadyExists
+    );
+
     ctx.accounts.app_state.pending_admin = Some(new_admin);
 
     let clock = Clock::get()?;
@@ -466,6 +479,123 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_propose_admin_zero_address_rejected() {
+        let mollusk = setup_mollusk();
+
+        let admin = Pubkey::new_unique();
+        let (app_state_pda, app_state_bump) = get_app_state_pda();
+        let (sysvar_id, sysvar_account) = create_instructions_sysvar_account();
+
+        let app_state_account = create_ift_app_state_account(app_state_bump, admin);
+
+        let instruction = Instruction {
+            program_id: crate::ID,
+            accounts: vec![
+                AccountMeta::new(app_state_pda, false),
+                AccountMeta::new_readonly(admin, true),
+                AccountMeta::new_readonly(sysvar_id, false),
+            ],
+            data: crate::instruction::ProposeAdmin {
+                new_admin: Pubkey::default(),
+            }
+            .data(),
+        };
+
+        let accounts = vec![
+            (app_state_pda, app_state_account),
+            (admin, create_signer_account()),
+            (sysvar_id, sysvar_account),
+        ];
+
+        let result = mollusk.process_instruction(&instruction, &accounts);
+        assert_eq!(
+            result.program_result,
+            Err(solana_sdk::instruction::InstructionError::Custom(
+                ANCHOR_ERROR_OFFSET + IFTError::InvalidProposedAdmin as u32,
+            ))
+            .into(),
+        );
+    }
+
+    #[test]
+    fn test_propose_admin_self_proposal_rejected() {
+        let mollusk = setup_mollusk();
+
+        let admin = Pubkey::new_unique();
+        let (app_state_pda, app_state_bump) = get_app_state_pda();
+        let (sysvar_id, sysvar_account) = create_instructions_sysvar_account();
+
+        let app_state_account = create_ift_app_state_account(app_state_bump, admin);
+
+        let instruction = Instruction {
+            program_id: crate::ID,
+            accounts: vec![
+                AccountMeta::new(app_state_pda, false),
+                AccountMeta::new_readonly(admin, true),
+                AccountMeta::new_readonly(sysvar_id, false),
+            ],
+            data: crate::instruction::ProposeAdmin { new_admin: admin }.data(),
+        };
+
+        let accounts = vec![
+            (app_state_pda, app_state_account),
+            (admin, create_signer_account()),
+            (sysvar_id, sysvar_account),
+        ];
+
+        let result = mollusk.process_instruction(&instruction, &accounts);
+        assert_eq!(
+            result.program_result,
+            Err(solana_sdk::instruction::InstructionError::Custom(
+                ANCHOR_ERROR_OFFSET + IFTError::SelfProposal as u32,
+            ))
+            .into(),
+        );
+    }
+
+    #[test]
+    fn test_propose_admin_pending_already_exists() {
+        let mollusk = setup_mollusk();
+
+        let admin = Pubkey::new_unique();
+        let first_proposed = Pubkey::new_unique();
+        let second_proposed = Pubkey::new_unique();
+        let (app_state_pda, app_state_bump) = get_app_state_pda();
+        let (sysvar_id, sysvar_account) = create_instructions_sysvar_account();
+
+        let app_state_account =
+            create_ift_app_state_account_full(app_state_bump, admin, false, Some(first_proposed));
+
+        let instruction = Instruction {
+            program_id: crate::ID,
+            accounts: vec![
+                AccountMeta::new(app_state_pda, false),
+                AccountMeta::new_readonly(admin, true),
+                AccountMeta::new_readonly(sysvar_id, false),
+            ],
+            data: crate::instruction::ProposeAdmin {
+                new_admin: second_proposed,
+            }
+            .data(),
+        };
+
+        let accounts = vec![
+            (app_state_pda, app_state_account),
+            (admin, create_signer_account()),
+            (sysvar_id, sysvar_account),
+        ];
+
+        let result = mollusk.process_instruction(&instruction, &accounts);
+        assert_eq!(
+            result.program_result,
+            Err(solana_sdk::instruction::InstructionError::Custom(
+                ANCHOR_ERROR_OFFSET + IFTError::PendingAdminAlreadyExists as u32,
+            ))
+            .into(),
+        );
+    }
+
     #[test]
     fn test_accept_admin_success() {
         let mollusk = setup_mollusk();

programs/solana/programs/ift/src/instructions/initialize.rs

@@ -30,6 +30,7 @@ pub fn initialize(ctx: Context<Initialize>, admin: Pubkey) -> Result<()> {
     app_state.version = AccountVersion::V1;
     app_state.bump = ctx.bumps.app_state;
     app_state.admin = admin;
+    app_state.pending_admin = None;
 
     let clock = Clock::get()?;
     emit!(IFTInitialized {
@@ -103,6 +104,7 @@ mod tests {
         let state = deserialize_app_state(&updated_account);
         assert_eq!(state.admin, admin);
         assert!(!state.paused);
+        assert_eq!(state.pending_admin, None);
     }
 
     #[test]