fix(token): bypass cache for payment-critical account reads (#418)

* fix(token): force fresh account reads in payment validation

Bypass Redis account cache for destination and mint lookups in
TokenUtil::find_payment_in_transaction to avoid stale account
state during payment authorization and pricing.

* fix(token2022): reject mutable transfer-hook authority in payments

Reject Token-2022 payment mints that carry a mutable TransferHook authority so post-sign hook updates cannot alter the execution surface Kora approved.

Apply the same guard for destination ATA-creation flows and extend mint test builders to configure TransferHook authority/program fields for coverage.

* fix(config): accept validation.token2022 alias

* fix(token): scope token2022 payment checks to payment candidates

Run Token-2022 extension and transfer-hook authority validation only after destination-owner matching in find_payment_in_transaction.

This avoids rejecting unrelated Token-2022 transfers that are not payment instructions while preserving the mutable transfer-hook guard for actual payment paths.

* fix(transaction): enforce signer-slot signature indexing

Restrict signer position lookup to the first num_required_signatures account keys so unsigned pubkey occurrences cannot be treated as signer slots.

Also switch both normal and bundle signing flows to checked signature-slot writes and return InvalidTransaction on slot mismatch instead of panicking.

Add coverage for rejecting unsigned fee payer occurrences in bundle signing tests.

* fix(validator): enforce disallowed accounts in instruction data

Extend parsed system and SPL/Token-2022 instruction data to retain destination authority/owner pubkeys carried in instruction bytes (e.g. AuthorizeNonceAccount new_authority, SetAuthority new_authority, InitializeMint freeze_authority).

Add a dedicated disallowed-instruction-data validation pass and run it during transaction validation so blacklisted pubkeys in instruction data are rejected the same way as account metas/program IDs.

Includes new validator tests for nonce authorize, SPL/Token-2022 set_authority, initialize_account2 owner, and initialize_mint2 freeze_authority bypass paths.

* fix(token): net token2022 inflows by transfer fee

Adjust SPL transfer value accounting so Token-2022 inflows to fee-payer-owned
accounts are credited at post-fee amounts, while outflows remain gross.

This closes the transfer-fee over-credit path where fee payer outflow was
underestimated against max_allowed_lamports.

* fix(validator): block confidential token2022 and parse reallocate

Reject confidential Token-2022 extension instruction families by default and
add explicit Token-2022 Reallocate parsing.

Also reject fee-payer-involved Token-2022 Reallocate usage in transaction
validation to close fee-payer policy bypass paths.

---------

Co-authored-by: Jo D <dev-jodee@users.noreply.github.com>

Author: dev-jodee

crates/lib/src/config.rs

@@ -126,7 +126,7 @@ pub struct ValidationConfig {
     pub fee_payer_policy: FeePayerPolicy,
     #[serde(default)]
     pub price: PriceConfig,
-    #[serde(default)]
+    #[serde(default, alias = "token2022")]
     pub token_2022: Token2022Config,
     /// Allow durable transactions (nonce-based). Default: false.
     /// When false, rejects any transaction containing AdvanceNonceAccount instruction.
@@ -834,6 +834,42 @@ mod tests {
         assert!(config.validation.token_2022.get_blocked_account_extensions().is_empty());
     }
 
+    #[test]
+    fn test_token2022_config_parsing_alias_token2022_table() {
+        let wrong_key_alias_toml = r#"
+[validation]
+max_allowed_lamports = 1
+max_signatures = 1
+allowed_programs = []
+allowed_tokens = []
+allowed_spl_paid_tokens = []
+disallowed_accounts = []
+price_source = "Mock"
+
+[validation.token2022]
+blocked_mint_extensions = ["interest_bearing_config"]
+blocked_account_extensions = ["memo_transfer"]
+
+[kora]
+rate_limit = 1
+"#;
+
+        let config = crate::tests::toml_mock::create_invalid_config(wrong_key_alias_toml)
+            .expect("Config with [validation.token2022] alias should parse");
+
+        assert!(
+            config
+                .validation
+                .token_2022
+                .is_mint_extension_blocked(ExtensionType::InterestBearingConfig),
+            "InterestBearingConfig should be blocked via [validation.token2022] alias"
+        );
+        assert!(
+            config.validation.token_2022.is_account_extension_blocked(ExtensionType::MemoTransfer),
+            "MemoTransfer should be blocked via [validation.token2022] alias"
+        );
+    }
+
     #[test]
     fn test_token2022_extension_blocking_check() {
         let config = ConfigBuilder::new()

crates/lib/src/constant.rs

@@ -212,6 +212,13 @@ pub mod instruction_indexes {
         pub const FREEZE_AUTHORITY_INDEX: usize = 2;
     }
 
+    pub mod spl_token_reallocate {
+        pub const REQUIRED_NUMBER_OF_ACCOUNTS: usize = 4;
+        pub const ACCOUNT_INDEX: usize = 0;
+        pub const PAYER_INDEX: usize = 1;
+        pub const OWNER_INDEX: usize = 3;
+    }
+
     // ATA instruction indexes
     pub mod ata_instruction_indexes {
         pub const ATA_ADDRESS_INDEX: usize = 1;

crates/lib/src/signer/bundle_signer.rs

@@ -65,7 +65,16 @@ impl BundleSigner {
         };
 
         let fee_payer_position = resolved.find_signer_position(fee_payer)?;
-        resolved.transaction.signatures[fee_payer_position] = signature;
+        let signatures_len = resolved.transaction.signatures.len();
+        let signature_slot = match resolved.transaction.signatures.get_mut(fee_payer_position) {
+            Some(slot) => slot,
+            None => {
+                return Err(KoraError::InvalidTransaction(format!(
+                    "Signer position {fee_payer_position} is out of bounds for signatures (len={signatures_len})"
+                )));
+            }
+        };
+        *signature_slot = signature;
 
         Ok(())
     }
@@ -91,6 +100,18 @@ mod tests {
         VersionedTransactionResolved::from_kora_built_transaction(&versioned).unwrap()
     }
 
+    fn create_test_resolved_with_unsigned_fee_payer_occurrence(
+        signer_like_fee_payer: &Pubkey,
+    ) -> VersionedTransactionResolved {
+        let attacker_fee_payer = Keypair::new();
+        let instruction = transfer(&attacker_fee_payer.pubkey(), signer_like_fee_payer, 1000);
+        let message = Message::new(&[instruction], Some(&attacker_fee_payer.pubkey()));
+        let transaction = Transaction::new_unsigned(message);
+        let versioned = solana_sdk::transaction::VersionedTransaction::from(transaction);
+
+        VersionedTransactionResolved::from_kora_built_transaction(&versioned).unwrap()
+    }
+
     #[tokio::test]
     async fn test_sign_transaction_for_bundle_success() {
         let fee_payer_keypair = Keypair::new();
@@ -143,6 +164,31 @@ mod tests {
         assert!(matches!(result.unwrap_err(), KoraError::InvalidTransaction(_)));
     }
 
+    #[tokio::test]
+    async fn test_sign_transaction_for_bundle_rejects_unsigned_fee_payer_occurrence() {
+        let fee_payer_keypair = Keypair::new();
+        let fee_payer = fee_payer_keypair.pubkey();
+
+        let external_signer = Signer::from_memory(&fee_payer_keypair.to_base58_string()).unwrap();
+        let signer = Arc::new(external_signer);
+
+        let blockhash = Some(Hash::new_unique());
+        let config = ConfigMockBuilder::new().build();
+
+        let mut resolved = create_test_resolved_with_unsigned_fee_payer_occurrence(&fee_payer);
+        let result = BundleSigner::sign_transaction_for_bundle(
+            &mut resolved,
+            &signer,
+            &fee_payer,
+            &blockhash,
+            &config,
+        )
+        .await;
+
+        assert!(result.is_err());
+        assert!(matches!(result.unwrap_err(), KoraError::InvalidTransaction(_)));
+    }
+
     #[tokio::test]
     async fn test_sign_transaction_for_bundle_signature_position() {
         let fee_payer_keypair = Keypair::new();

crates/lib/src/tests/account_mock.rs

@@ -307,6 +307,8 @@ pub struct MintAccountMockBuilder {
     rent_epoch: u64,
     // Token2022-specific fields
     extensions: Vec<ExtensionType>,
+    transfer_hook_authority: Option<Pubkey>,
+    transfer_hook_program_id: Option<Pubkey>,
 }
 
 impl Default for MintAccountMockBuilder {
@@ -326,6 +328,8 @@ impl MintAccountMockBuilder {
             lamports: 0,
             rent_epoch: DEFAULT_RENT_EPOCH,
             extensions: Vec::new(),
+            transfer_hook_authority: None,
+            transfer_hook_program_id: None,
         }
     }
 
@@ -365,6 +369,16 @@ impl MintAccountMockBuilder {
         self
     }
 
+    pub fn with_transfer_hook_authority(mut self, authority: Option<Pubkey>) -> Self {
+        self.transfer_hook_authority = authority;
+        self
+    }
+
+    pub fn with_transfer_hook_program_id(mut self, program_id: Option<Pubkey>) -> Self {
+        self.transfer_hook_program_id = program_id;
+        self
+    }
+
     /// Add an extension type (Token2022 only)
     pub fn with_extension(mut self, extension: ExtensionType) -> Self {
         if !self.extensions.contains(&extension) {
@@ -472,7 +486,12 @@ impl MintAccountMockBuilder {
                         )?;
                     }
                     ExtensionType::TransferHook => {
-                        state.init_extension::<extension::transfer_hook::TransferHook>(true)?;
+                        let transfer_hook =
+                            state.init_extension::<extension::transfer_hook::TransferHook>(true)?;
+                        transfer_hook.authority =
+                            OptionalNonZeroPubkey::try_from(self.transfer_hook_authority)?;
+                        transfer_hook.program_id =
+                            OptionalNonZeroPubkey::try_from(self.transfer_hook_program_id)?;
                     }
                     // Add other extension types as needed
                     _ => {}