token-2022: [OS-SPL-ADV-03] Check account mint in approve (#5901)

joncinque · web-flow · commit b41094566e04 · 2023-11-29T14:06:27.000+01:00
* token-2022: [OS-SPL-ADV-03] Check account mint in approve

* Address review feedback
diff --git a/token/program-2022-test/tests/confidential_transfer.rs b/token/program-2022-test/tests/confidential_transfer.rs
@@ -306,6 +306,64 @@ async fn confidential_transfer_configure_token_account() {
     );
 }
 
+#[tokio::test]
+async fn confidential_transfer_fail_approving_account_on_wrong_mint() {
+    let authority = Keypair::new();
+    let auto_approve_new_accounts = false;
+    let auditor_elgamal_keypair = ElGamalKeypair::new_rand();
+    let auditor_elgamal_pubkey = (*auditor_elgamal_keypair.pubkey()).into();
+
+    let mut context_a = TestContext::new().await;
+    context_a
+        .init_token_with_mint(vec![
+            ExtensionInitializationParams::ConfidentialTransferMint {
+                authority: Some(authority.pubkey()),
+                auto_approve_new_accounts,
+                auditor_elgamal_pubkey: Some(auditor_elgamal_pubkey),
+            },
+        ])
+        .await
+        .unwrap();
+
+    let token_a_context = context_a.token_context.unwrap();
+
+    let mut context_b = TestContext {
+        context: context_a.context.clone(),
+        token_context: None,
+    };
+    context_b
+        .init_token_with_mint(vec![
+            ExtensionInitializationParams::ConfidentialTransferMint {
+                authority: Some(authority.pubkey()),
+                auto_approve_new_accounts,
+                auditor_elgamal_pubkey: Some(auditor_elgamal_pubkey),
+            },
+        ])
+        .await
+        .unwrap();
+    let TokenContext { token, alice, .. } = context_b.token_context.unwrap();
+    let alice_meta = ConfidentialTokenAccountMeta::new(&token, &alice, None, false, false).await;
+
+    let err = token_a_context
+        .token
+        .confidential_transfer_approve_account(
+            &alice_meta.token_account,
+            &authority.pubkey(),
+            &[&authority],
+        )
+        .await
+        .unwrap_err();
+    assert_eq!(
+        err,
+        TokenClientError::Client(Box::new(TransportError::TransactionError(
+            TransactionError::InstructionError(
+                0,
+                InstructionError::Custom(TokenError::MintMismatch as u32)
+            )
+        )))
+    );
+}
+
 #[tokio::test]
 async fn confidential_transfer_enable_disable_confidential_credits() {
     let authority = Keypair::new();
diff --git a/token/program-2022/src/extension/confidential_transfer/processor.rs b/token/program-2022/src/extension/confidential_transfer/processor.rs
@@ -171,6 +171,10 @@ fn process_approve_account(accounts: &[AccountInfo]) -> ProgramResult {
     let token_account_data = &mut token_account_info.data.borrow_mut();
     let mut token_account = StateWithExtensionsMut::<Account>::unpack(token_account_data)?;
 
+    if *mint_info.key != token_account.base.mint {
+        return Err(TokenError::MintMismatch.into());
+    }
+
     check_program_account(mint_info.owner)?;
     let mint_data = &mint_info.data.borrow_mut();
     let mint = StateWithExtensions::<Mint>::unpack(mint_data)?;
