From 451814696d98a345795f509781a5ea18f82a9a7c Mon Sep 17 00:00:00 2001 From: Giannis Chatziveroglou Date: Wed, 21 Sep 2022 09:46:38 -0700 Subject: [PATCH 1/2] check metadata program id --- .../src/instructions/handle_payment_with_royalties.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs b/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs index 8c6268bca..c5101daa3 100644 --- a/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs +++ b/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs @@ -50,7 +50,7 @@ pub fn handler<'key, 'accounts, 'remaining, 'info>(ctx: Context<'key, 'accounts, if !ctx.accounts.mint_metadata.data_is_empty() { let mint_metadata_data = ctx.accounts.mint_metadata.try_borrow_mut_data().expect("Failed to borrow data"); let mint_metadata = Metadata::deserialize(&mut mint_metadata_data.as_ref())?; - if mint_metadata.mint != ctx.accounts.mint.key() { + if ctx.accounts.mint_metadata.to_account_info().owner.key() != mpl_token_metadata::id() || mint_metadata.mint != ctx.accounts.mint.key() { return Err(error!(ErrorCode::InvalidMintMetadata)); } From 42709fc37800a4090dbaae79787e9c7a0ce7d78c Mon Sep 17 00:00:00 2001 From: Giannis Chatziveroglou Date: Wed, 21 Sep 2022 10:00:39 -0700 Subject: [PATCH 2/2] searate checks --- programs/cardinal-payment-manager/src/errors.rs | 2 ++ .../src/instructions/handle_payment_with_royalties.rs | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/programs/cardinal-payment-manager/src/errors.rs b/programs/cardinal-payment-manager/src/errors.rs index 3f59ac3f7..c52934e60 100644 --- a/programs/cardinal-payment-manager/src/errors.rs +++ b/programs/cardinal-payment-manager/src/errors.rs @@ -14,4 +14,6 @@ pub enum ErrorCode { InvalidTokenAccount, #[msg("Invalid payment manager")] InvalidPaymentManager, + #[msg("Mint metadata is owned by the incorrect program")] + InvalidMintMetadataOwner, } diff --git a/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs b/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs index c5101daa3..a4e3df2ab 100644 --- a/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs +++ b/programs/cardinal-payment-manager/src/instructions/handle_payment_with_royalties.rs @@ -48,9 +48,12 @@ pub fn handler<'key, 'accounts, 'remaining, 'info>(ctx: Context<'key, 'accounts, // royalties let mut fees_paid_out: u64 = 0; if !ctx.accounts.mint_metadata.data_is_empty() { + if ctx.accounts.mint_metadata.to_account_info().owner.key() != mpl_token_metadata::id() { + return Err(error!(ErrorCode::InvalidMintMetadataOwner)); + } let mint_metadata_data = ctx.accounts.mint_metadata.try_borrow_mut_data().expect("Failed to borrow data"); - let mint_metadata = Metadata::deserialize(&mut mint_metadata_data.as_ref())?; - if ctx.accounts.mint_metadata.to_account_info().owner.key() != mpl_token_metadata::id() || mint_metadata.mint != ctx.accounts.mint.key() { + let mint_metadata = Metadata::deserialize(&mut mint_metadata_data.as_ref()).expect("Failed to desirialize metadata"); + if mint_metadata.mint != ctx.accounts.mint.key() { return Err(error!(ErrorCode::InvalidMintMetadata)); }