Skip to content

Add Solana native staking MERGE transaction validation#32

Open
jdomingos wants to merge 1 commit into
mainfrom
ENG-3836-add-support-to-solana-merge-transaction
Open

Add Solana native staking MERGE transaction validation#32
jdomingos wants to merge 1 commit into
mainfrom
ENG-3836-add-support-to-solana-merge-transaction

Conversation

@jdomingos

@jdomingos jdomingos commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds MERGE support to the Solana native staking validator, allowing Shield to validate stake account merge transactions alongside stake, unstake, and withdraw.

  • Register TransactionType.MERGE and decode stake instruction opcode 7 as Merge
  • Validate merge transactions using the same batch pattern as UNSTAKE: compute budget instructions followed by 1–10 StakeProgram.merge instructions
  • Ensure the stake authority on each merge instruction matches the user address
  • Add unit tests for single and batch merge flows, including rejection cases

Test plan

  • pnpm test src/validators/solana/native-staking/native-staking.validator.test.ts

Note

Medium Risk
Changes pre-sign transaction validation for stake merges (user-controlled funds); logic mirrors existing UNSTAKE checks and is well covered by tests, but incorrect rules could allow or block legitimate merges.

Overview
Shield can now recognize and approve Solana native stake merge transactions for the multivalidator staking yield.

TransactionType.MERGE is registered on SolanaNativeStakingValidator, with stake program opcode 7 decoded as Merge. validateMerge follows the same batch layout as UNSTAKE: SetComputeUnitLimit, SetComputeUnitPrice, then 1–10 Merge instructions (3–12 instructions total). Each merge must use the user as stake authority (account index 4).

A new MERGE validation test suite covers happy paths (single and batch merges) and rejections for wrong instruction counts, missing compute-budget ix, non-merge instructions, and wrong merge authority.

Reviewed by Cursor Bugbot for commit 0dbdf0a. Configure here.

@jdomingos
jdomingos requested review from Philippoes and ajag408 July 16, 2026 15:44
actual: merge.instructionType,
});
}
if (merge.accounts.at(4)?.pubkey.toBase58() !== userAddress) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: HIGH

validateMerge only verifies the merge authority signer equals the user, but it does not validate destination/source stake-account ownership constraints. A crafted merge can still route stake into a destination account whose withdraw authority is attacker-controlled while preserving user staker authority, and this validator would accept it.

Impact: A user can be induced to sign an apparently valid MERGE transaction that transfers stake into an attacker-withdrawable stake account, creating a direct fund-redirection risk.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 0dbdf0a. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: high. Not approving: Cursor Security Agent reported an unresolved HIGH-severity finding on validateMerge stake-account ownership validation. Human review is required; Philippoes and ajag408 are already requested as reviewers.

Open in Web View Automation 

Sent by Cursor Approval Agent: Pull Request Router and Approver

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant