token-2022: [L-01] Check for all possible self-auth with CPI guard (#6863)

joncinque · web-flow · commit 4bd421b69754 · 2024-06-24T13:28:27.000+02:00
token-2022: Check for all possible self-auth with CPI guard
diff --git a/token/program-2022-test/tests/cpi_guard.rs b/token/program-2022-test/tests/cpi_guard.rs
@@ -420,6 +420,27 @@ async fn test_cpi_guard_burn() {
         let alice_state = token_obj.get_account_info(&alice.pubkey()).await.unwrap();
         assert_eq!(alice_state.base.amount, amount);
 
+        // delegate-auth cpi burn by self does not work
+        token_obj
+            .approve(
+                &alice.pubkey(),
+                &alice.pubkey(),
+                &alice.pubkey(),
+                1,
+                &[&alice],
+            )
+            .await
+            .unwrap();
+
+        let error = token_obj
+            .process_ixs(&[mk_burn(alice.pubkey(), do_checked)], &[&alice])
+            .await
+            .unwrap_err();
+        assert_eq!(error, client_error(TokenError::CpiGuardBurnBlocked));
+
+        let alice_state = token_obj.get_account_info(&alice.pubkey()).await.unwrap();
+        assert_eq!(alice_state.base.amount, amount);
+
         // delegate-auth cpi burn with cpi guard works
         token_obj
             .approve(
diff --git a/token/program-2022/src/processor.rs b/token/program-2022/src/processor.rs
@@ -381,6 +381,18 @@ impl Processor {
         }
 
         let self_transfer = source_account_info.key == destination_account_info.key;
+        if let Ok(cpi_guard) = source_account.get_extension::<CpiGuard>() {
+            // Blocks all cases where the authority has signed if CPI Guard is
+            // enabled, including:
+            // * the account is delegated to the owner
+            // * the account owner is the permanent delegate
+            if *authority_info.key == source_account.base.owner
+                && cpi_guard.lock_cpi.into()
+                && in_cpi()
+            {
+                return Err(TokenError::CpiGuardTransferBlocked.into());
+            }
+        }
         match (source_account.base.delegate, maybe_permanent_delegate) {
             (_, Some(ref delegate)) if authority_info.key == delegate => Self::validate_owner(
                 program_id,
@@ -403,15 +415,6 @@ impl Processor {
                     authority_info_data_len,
                     account_info_iter.as_slice(),
                 )?;
-                if let Ok(cpi_guard) = source_account.get_extension::<CpiGuard>() {
-                    // If delegated to self, don't allow a transfer with CPI Guard
-                    if delegate == source_account.base.owner
-                        && cpi_guard.lock_cpi.into()
-                        && in_cpi()
-                    {
-                        return Err(TokenError::CpiGuardTransferBlocked.into());
-                    }
-                }
                 let delegated_amount = u64::from(source_account.base.delegated_amount);
                 if delegated_amount < amount {
                     return Err(TokenError::InsufficientFunds.into());
@@ -434,12 +437,6 @@ impl Processor {
                     authority_info_data_len,
                     account_info_iter.as_slice(),
                 )?;
-
-                if let Ok(cpi_guard) = source_account.get_extension::<CpiGuard>() {
-                    if cpi_guard.lock_cpi.into() && in_cpi() {
-                        return Err(TokenError::CpiGuardTransferBlocked.into());
-                    }
-                }
             }
         }
 
@@ -1033,6 +1030,19 @@ impl Processor {
         }
         let maybe_permanent_delegate = get_permanent_delegate(&mint);
 
+        if let Ok(cpi_guard) = source_account.get_extension::<CpiGuard>() {
+            // Blocks all cases where the authority has signed if CPI Guard is
+            // enabled, including:
+            // * the account is delegated to the owner
+            // * the account owner is the permanent delegate
+            if *authority_info.key == source_account.base.owner
+                && cpi_guard.lock_cpi.into()
+                && in_cpi()
+            {
+                return Err(TokenError::CpiGuardBurnBlocked.into());
+            }
+        }
+
         if !source_account
             .base
             .is_owned_by_system_program_or_incinerator()
@@ -1080,12 +1090,6 @@ impl Processor {
                         authority_info_data_len,
                         account_info_iter.as_slice(),
                     )?;
-
-                    if let Ok(cpi_guard) = source_account.get_extension::<CpiGuard>() {
-                        if cpi_guard.lock_cpi.into() && in_cpi() {
-                            return Err(TokenError::CpiGuardBurnBlocked.into());
-                        }
-                    }
                 }
             }
         }
