diff --git a/packages/layerzero-v2/solana/programs/programs/executor/src/errors.rs b/packages/layerzero-v2/solana/programs/programs/executor/src/errors.rs index 6ef8c5c..e9b00e3 100644 --- a/packages/layerzero-v2/solana/programs/programs/executor/src/errors.rs +++ b/packages/layerzero-v2/solana/programs/programs/executor/src/errors.rs @@ -19,4 +19,5 @@ pub enum ExecutorError { InsufficientBalance, EidNotSupported, ExecutorIsAdmin, + InvalidOwner, } diff --git a/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/compose.rs b/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/compose.rs index 4f366bb..fd52469 100644 --- a/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/compose.rs +++ b/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/compose.rs @@ -1,5 +1,5 @@ use crate::*; -use anchor_lang::solana_program::{instruction::Instruction, program::invoke}; +use anchor_lang::solana_program::{instruction::Instruction, program::invoke, system_program}; use oapp::{ endpoint::{ self, cpi::accounts::LzComposeAlert, instructions::LzComposeAlertParams, program::Endpoint, @@ -73,6 +73,11 @@ impl Compose<'_> { ExecutorError::InsufficientBalance ); } + require!( + ctx.accounts.executor.owner.key() == system_program::ID, + ExecutorError::InvalidOwner + ); + require!(ctx.accounts.executor.data_is_empty(), ExecutorError::InvalidSize); Ok(()) } } diff --git a/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/execute.rs b/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/execute.rs index 6edbf7c..6e825d4 100644 --- a/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/execute.rs +++ b/packages/layerzero-v2/solana/programs/programs/executor/src/instructions/execute.rs 
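Review bot: The two `require!` checks added before `Ok(())` in compose.rs carry no comment naming the invariant they enforce, and the same five lines are repeated in the `Execute` hunk (`@@ -74,6 +74,11 @@` in execute.rs), so the two copies can drift apart. They appear to run after the `invoke` that the import line brings in, which would make them a post-CPI guard on the executor account, but that call is outside the hunk. A comment such as `// After the CPI: executor must still be system-owned with no data, i.e. the callee did not assign or allocate it.` would record this, ideally on one small helper shared by both instructions. For the owner comparison, `require_keys_eq!(ctx.accounts.executor.owner.key(), system_program::ID, ExecutorError::InvalidOwner);` logs both keys on failure, which makes a rejected transaction easier to triage. The data check reuses `ExecutorError::InvalidSize`, which this commit does not add, so confirm its message still fits this case.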
@@ -1,5 +1,5 @@ use crate::*; -use anchor_lang::solana_program::{instruction::Instruction, program::invoke}; +use anchor_lang::solana_program::{instruction::Instruction, program::invoke, system_program}; use oapp::{ endpoint::{ self, cpi::accounts::LzReceiveAlert, instructions::LzReceiveAlertParams, program::Endpoint, @@ -74,6 +74,11 @@ impl Execute<'_> { ExecutorError::InsufficientBalance ); } + require!( + ctx.accounts.executor.owner.key() == system_program::ID, + ExecutorError::InvalidOwner + ); + require!(ctx.accounts.executor.data_is_empty(), ExecutorError::InvalidSize); Ok(()) } } diff --git a/packages/layerzero-v2/solana/programs/verify-contracts.md b/packages/layerzero-v2/solana/programs/verify-contracts.md index 7416615..577d964 100644 --- a/packages/layerzero-v2/solana/programs/verify-contracts.md +++ b/packages/layerzero-v2/solana/programs/verify-contracts.md 
@@ -163,7 +163,21 @@ avm install 0.29.0 avm use 0.29.0 ``` -### Step 2.9: Install Repository Dependencies +### Step 2.9: Install solana-verify + +`solana-verify` is a tool used to verify that the hash of the on-chain program matches the hash of the locally compiled program. By default, `solana-verify` removes any trailing zeros from the program executable and computes its hash using the `sha256` algorithm. You can install `solana-verify` using the following command: + +```bash +cargo install solana-verify +``` + +**Note:** Starting from Solana version 1.18, new program deployments will use the exact program size. + +> By default, new program deployments use the exact size of the program rather than doubling the size. If a program needs more space for an upgrade, the program account must be extended using `solana program extend` before upgrading. + +If a program was deployed using Solana versions earlier than 1.18, the size of the file generated by `solana program dump` may differ from the locally built program size. + +### Step 2.10: Install Repository Dependencies Before building the program, navigate to the cloned LayerZero-v2 repository and install the necessary dependencies using `yarn`: 
@@ -185,40 +199,32 @@ cd ~/Desktop/layerzero/monorepo/packages/layerzero-v2/solana/programs anchor build ``` -Once the build is complete, generate the SHA256 checksum for the compiled Solana program: +Once the build is complete, generate the program hash for the compiled Solana program: ```bash -sha256sum ./target/deploy/endpoint.so +solana-verify get-executable-hash ./target/deploy/endpoint.so ``` ### Step 3.2: Download and Verify Program Data -To verify the bytecode deployed on the Solana network, download the program data using the Solana CLI, and compare its checksum with the one you generated. - -Download the program data and save it to `/tmp/endpoint.so`: +To verify the bytecode deployed on the Solana network, generate the program hash for the program. ```bash -solana program dump 76y77prsiCMvXMjuoZ5VRrhG5qYBrUMYTE5WgHqgjEn6 /tmp/endpoint.so +solana-verify get-program-hash -u https://api.mainnet-beta.solana.com 76y77prsiCMvXMjuoZ5VRrhG5qYBrUMYTE5WgHqgjEn6 ``` -Generate the checksum for the downloaded program: - -```bash -sha256sum /tmp/endpoint.so -``` - -### Step 3.3: Compare the Results - -Now, compare the checksums of the built program and the downloaded program. They should match if the deployed bytecode is identical to your local build. 
+### Step 3.3: Compare the Results -| Program | Address | Commit | SHA256 | -| ------------------ | -------------------------------------------- | ------------ | ---------------------------------------------------------------- | -| blocked-messagelib | 2XrYqmhBMPJgDsb4SVbjV1PnJBprurd5bzRCkHwiFCJB | 37c598b | f92e599beb2fdfa53e7061ce4421f91b561c2d927a722ec3399f13a42edbe125 | -| dvn | HtEYV4xB4wvsj5fgTkcfuChYpvGYzgzwvNhgDZQNh7wW | 37c598b | b241d72e5b7fca532db12f22e128824c9316a887edbecc97f1f76fb0113e9127 | -| endpoint | 76y77prsiCMvXMjuoZ5VRrhG5qYBrUMYTE5WgHqgjEn6 | 37c598b | caa868d80b000c488e60e99828e366e773dde877ccc92b67f81df03b608639d4 | -| oft | HRPXLCqspQocTjfcX4rvAPaY9q6Gwb1rrD3xXWrfJWdW | 37c598b | cd470fa5a7d287b4145068a546da32d5e21c71b3406d094280583e32644255b7 | -| pricefeed | 8ahPGPjEbpgGaZx2NV1iG5Shj7TDwvsjkEDcGWjt94TP | 37c598b | e7349c171c43c971044ea0ddc4c6f75b7b1395afde2b3d9243c5e2dce7ba9459 | -| uln | 7a4WjyR8VZ7yZz5XJAKm39BUGn5iT9CKcv2pmG9tdXVH | 7aebbd7 | 3f5e4b54a281804aade7d24efd7957b30663e2f9a1f5e88ca4a6d539848f6e06 | | +Now, compare the program hash of the built program and the on-chain program. They should match if the deployed bytecode is identical to your local build. 
+| Program | Address | Commit | Platform | Program Hash | +| ------------------ | -------------------------------------------- | ------- | -------------------- | ---------------------------------------------------------------- | +| blocked-messagelib | 2XrYqmhBMPJgDsb4SVbjV1PnJBprurd5bzRCkHwiFCJB | 37c598b | aarch64-apple-darwin | e8f5412527e5138f626299c9b78a2e2f859d306f4c744472d7a2fde34988f3b1 | +| dvn | HtEYV4xB4wvsj5fgTkcfuChYpvGYzgzwvNhgDZQNh7wW | 37c598b | aarch64-apple-darwin | 98c89ebdd94b2563d3aabba118ce012965c344e98c70600f66365dae2d66de39 | +| endpoint | 76y77prsiCMvXMjuoZ5VRrhG5qYBrUMYTE5WgHqgjEn6 | 37c598b | aarch64-apple-darwin | 9012552d8a15d230791e2582e6320eff872a651fb110d2198020ed12e5547e74 | +| executor | 6doghB248px58JSSwG4qejQ46kFMW4AMj7vzJnWZHNZn | 02f5bef | aarch64-apple-darwin | b17a413d00a54e8c666cf57797884504702ac032e8022fb0fa9c84516ef534f1 | +| oft | HRPXLCqspQocTjfcX4rvAPaY9q6Gwb1rrD3xXWrfJWdW | 37c598b | aarch64-apple-darwin | b4feeed20ca0ff9be4398b5478c10ba7fd06746605d5f57552d36bc73f5ecc20 | +| pricefeed | 8ahPGPjEbpgGaZx2NV1iG5Shj7TDwvsjkEDcGWjt94TP | 37c598b | aarch64-apple-darwin | 5209029bd51341cc70af6d1d82d182dae6dd90076265c7300434d0c5b6e8f2d6 | +| uln | 7a4WjyR8VZ7yZz5XJAKm39BUGn5iT9CKcv2pmG9tdXVH | 7aebbd7 | aarch64-apple-darwin | 325085140b5d375d2250732a231120076f45ca8a582caf56b54fc9c33319d9af | If the checksums match, the verification is successful.