Add Solana native staking MERGE transaction validation#32
Open
jdomingos wants to merge 1 commit into
Open
Conversation
| actual: merge.instructionType, | ||
| }); | ||
| } | ||
| if (merge.accounts.at(4)?.pubkey.toBase58() !== userAddress) { |
There was a problem hiding this comment.
🔒 Agentic Security Review
Severity: HIGH
validateMerge only verifies the merge authority signer equals the user, but it does not validate destination/source stake-account ownership constraints. A crafted merge can still route stake into a destination account whose withdraw authority is attacker-controlled while preserving user staker authority, and this validator would accept it.
Impact: A user can be induced to sign an apparently valid MERGE transaction that transfers stake into an attacker-withdrawable stake account, creating a direct fund-redirection risk.
Reviewed by Cursor Security Reviewer for commit 0dbdf0a. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.




Summary
Adds
MERGEsupport to the Solana native staking validator, allowing Shield to validate stake account merge transactions alongside stake, unstake, and withdraw.TransactionType.MERGEand decode stake instruction opcode7asMergeUNSTAKE: compute budget instructions followed by 1–10StakeProgram.mergeinstructionsTest plan
pnpm test src/validators/solana/native-staking/native-staking.validator.test.tsNote
Medium Risk
Changes pre-sign transaction validation for stake merges (user-controlled funds); logic mirrors existing UNSTAKE checks and is well covered by tests, but incorrect rules could allow or block legitimate merges.
Overview
Shield can now recognize and approve Solana native stake merge transactions for the multivalidator staking yield.
TransactionType.MERGEis registered onSolanaNativeStakingValidator, with stake program opcode 7 decoded asMerge.validateMergefollows the same batch layout as UNSTAKE:SetComputeUnitLimit,SetComputeUnitPrice, then 1–10Mergeinstructions (3–12 instructions total). Each merge must use the user as stake authority (account index 4).A new
MERGE validationtest suite covers happy paths (single and batch merges) and rejections for wrong instruction counts, missing compute-budget ix, non-merge instructions, and wrong merge authority.Reviewed by Cursor Bugbot for commit 0dbdf0a. Configure here.