SIMD-0431: Loader V3: Permissioned Extend Program #431
Open: deanmlittle wants to merge 14 commits into solana-foundation:main from blueshift-gg:permissioned-extend-program
14 commits

- 0b554ed Permissioned program extend (deanmlittle)
- 60d7d2e Rename 0431-permissioned-program-extend.md to 0431-permissioned-exten… (deanmlittle)
- 4b82626 lint (deanmlittle)
- 76748d7 lint (deanmlittle)
- 8c56c34 incorrect directory (deanmlittle)
- 52ce763 Update proposals/0431-permissioned-extend-program.md (deanmlittle)
- ec1b9aa Update proposals/0431-permissioned-extend-program.md (deanmlittle)
- a6e8efa Update proposals/0431-permissioned-extend-program.md (deanmlittle)
- 04ae5b1 Update proposals/0431-permissioned-extend-program.md (deanmlittle)
- c4aa022 Update proposals/0431-permissioned-extend-program.md (deanmlittle)
- ebc7a2e typo (deanmlittle)
- d84354f flesh out detailed design (buffalojoec)
- df5f51d Merge pull request #2 from buffalojoec/permissioned-extend-program (deanmlittle)
- 740e3ab Update security considerations and alternatives section (deanmlittle)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| --- | ||
| simd: '0431' | ||
| title: Permissioned Extend Program | ||
| authors: | ||
| - Dean Little (Blueshift) | ||
| - Joe Caulfield (Anza) | ||
| category: Standard | ||
| type: Core | ||
| status: Review | ||
| created: 2025-12-14 | ||
| feature: (fill in with feature key and github tracking issues once accepted) | ||
| supersedes: '0164' | ||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| This SIMD proposes restricting invocation of the extend program instruction in | ||
| Loader V3 to the program's upgrade authority, along with lifting the current | ||
| restriction preventing it from being invoked via CPI. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Currently, due to the permissionless nature of the extend program instruction | ||
| and some complexities surrounding the program cache, there is a DoS vector by | ||
| which anyone could disable a program for one slot by permissionlessly | ||
| extending its program data account. Thus the motivation of this SIMD is to both | ||
| resolve the DoS vector by restricting access to this instruction to the | ||
| program's upgrade authority, whilst improving the devex of this new | ||
| restriction by allowing ExtendProgram to be invoked via CPI. | ||
|
|
||
| ## New Terminology | ||
|
|
||
| No new terminology is introduced by this proposal. | ||
|
|
||
| ## Detailed Design | ||
|
|
||
| The `ExtendProgram` instruction will require the program's upgrade authority as | ||
| a signer and it will be available for invocation via CPI. | ||
|
|
||
| ### Changes to Required Accounts | ||
|
|
||
| The current `ExtendProgram` instruction expects the following accounts: | ||
|
|
||
| ``` | ||
| 0. [w] ProgramData account | ||
| 1. [w] Program account | ||
| 2. [ ] System program, optional | ||
| 3. [ws] Payer, optional | ||
| ``` | ||
|
|
||
| After this proposal's feature gate is activated, the instruction will expect: | ||
|
|
||
| ``` | ||
| 0. [w] ProgramData account | ||
| 1. [w] Program account | ||
| 2. [s] Upgrade authority // New | ||
| 3. [ ] System program, optional | ||
| 4. [ws] Payer, optional | ||
| ``` | ||
|
|
||
| ### Control Flow | ||
|
|
||
| The instruction will verify: | ||
|
|
||
| 1. The program has an upgrade authority set (i.e., is not immutable). If not, | ||
| return `Immutable`. | ||
| 2. The provided authority matches the program's stored upgrade authority. If | ||
| not, return `IncorrectAuthority`. | ||
| 3. The authority account is a signer. If not, return | ||
| `MissingRequiredSignature`. | ||
|
|
||
| ### CPI Restriction Removal | ||
|
|
||
| The current restriction preventing `ExtendProgram` from being invoked via CPI | ||
| will be removed. The instruction will be fully available for CPI. | ||
|
|
||
| ## Alternatives Considered | ||
|
|
||
| - Allow DoS vector to remain unresolved | ||
| - Retain existing account ordering by combining payer and authority into a | ||
| single mandatory account | ||
|
|
||
| ## Impact | ||
|
|
||
| This proposal will remove the DoS vector for all deployed programs. Due to | ||
| constraints of ABI V1, in the case that a multisig upgrade authority wishes to | ||
| extend the program data account by greater than 10KiB, it will either need to | ||
| create multiple resize proposals, or atomically set its authority to a | ||
| top-level signer and reclaim it in the same transaction. The `ExtendProgram` | ||
| instruction will now also be invokable by CPI. | ||
|
|
||
| ## Security Considerations | ||
|
|
||
| In the case of a multisig atomically setting its authority to a top-level | ||
| signer, it is important to introspect the transaction and ensure that it | ||
| executes the following behavior: | ||
|
|
||
| - Set upgrade authority to top-level signer | ||
| - Extend program data account in top-level instruction | ||
| - Set upgrade authority back to quorum | ||
|
|
||
| If this behavior is not observed, it would be possible for a quorum to | ||
| accidentally lose its upgrade authority. | ||
|
|
||
| ## Backwards Compatibility | ||
|
|
||
| This feature places additional restrictions upon an existing Loader V3 | ||
| instruction and is therefore not backwards compatible, necessitating a feature gate. | ||
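Review bot: step 1 of the Control Flow section returns `Immutable` when no upgrade authority is set, so programs that have been made immutable lose the ability to extend their ProgramData account entirely, but neither the Impact nor the Backwards Compatibility section mentions this; add a sentence calling it out, since the current instruction (which takes no authority account) does not have that limitation. Control Flow also lists only the three new checks; state that the existing validation of the ProgramData and Program accounts and of the optional System program and Payer is unchanged, so the hunk reads as a complete specification rather than a delta. Lastly, the Impact section attributes the 10KiB per-resize limit for multisig authorities to "constraints of ABI V1" without naming the constraint; a short explanation in Detailed Design of why an extend driven through CPI is capped per instruction would let readers evaluate the set-authority/extend/reclaim workaround on its merits.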
Review comments:

- think this is what you meant here?
- That line means reclaim the authority after extending at top-level with the temporary authority.