BurnMint pool using multisig (#911)

Author: toblich

chains/solana/contracts/programs/burnmint-token-pool/src/context.rs

@@ -411,6 +411,12 @@ pub struct DeleteChainConfig<'info> {
     pub authority: Signer<'info>,
 }
 
+#[error_code]
+pub enum CcipBnMTokenPoolError {
+    #[msg("Invalid Multisig Mint")]
+    InvalidMultisig,
+}
+
 // This account can not be declared in the common crate, the program ID for that Account would be incorrect.
 #[account]
 #[derive(InitSpace)]

chains/solana/contracts/programs/burnmint-token-pool/src/lib.rs

@@ -203,8 +203,8 @@ pub mod burnmint_token_pool {
         Ok(())
     }
 
-    pub fn release_or_mint_tokens(
-        ctx: Context<TokenOfframp>,
+    pub fn release_or_mint_tokens<'info>(
+        ctx: Context<'_, '_, 'info, 'info, TokenOfframp<'info>>,
         release_or_mint: ReleaseOrMintInV1,
     ) -> Result<ReleaseOrMintOutV1> {
         let parsed_amount = to_svm_token_amount(
@@ -230,14 +230,38 @@ pub mod burnmint_token_pool {
             ctx.accounts.rmn_remote_config.to_account_info(),
         )?;
 
+        // For a burnmint pool, the mint authority should never be empty (that would mean a fixed supply and prevent minting)
+        // If not set, then the mint operation will fail
+        require!(
+            ctx.accounts.mint.mint_authority.is_some(),
+            CcipBnMTokenPoolError::InvalidMultisig
+        );
+
+        let mint_authority = ctx.accounts.mint.mint_authority.unwrap();
+
+        let multisig = if mint_authority != ctx.accounts.pool_signer.key() {
+            let multisig_account = ctx
+                .remaining_accounts
+                .iter()
+                .find(|acc| acc.key() == mint_authority)
+                .ok_or(CcipBnMTokenPoolError::InvalidMultisig)?;
+
+            Some(multisig_account)
+        } else {
+            None
+        };
+
         mint_tokens(
             ctx.accounts.token_program.key(),
-            ctx.accounts.receiver_token_account.to_account_info(),
-            ctx.accounts.mint.to_account_info(),
-            ctx.accounts.pool_signer.to_account_info(),
-            ctx.bumps.pool_signer,
             release_or_mint,
             parsed_amount,
+            MintTokenAccountsInfo {
+                receiver_token_account: &ctx.accounts.receiver_token_account.to_account_info(),
+                mint: &ctx.accounts.mint.to_account_info(),
+                pool_signer: &ctx.accounts.pool_signer.to_account_info(),
+                pool_signer_bump: ctx.bumps.pool_signer,
+                multisig,
+            },
         )?;
 
         Ok(ReleaseOrMintOutV1 {
@@ -338,43 +362,60 @@ pub fn burn_tokens<'a>(
     Ok(())
 }
 
-pub fn mint_tokens<'a>(
+pub struct MintTokenAccountsInfo<'a, 'b> {
+    pub receiver_token_account: &'a AccountInfo<'b>,
+    pub mint: &'a AccountInfo<'b>,
+    pub pool_signer: &'a AccountInfo<'b>,
+    pub pool_signer_bump: u8,
+    pub multisig: Option<&'a AccountInfo<'b>>,
+}
+
+pub fn mint_tokens(
     token_program: Pubkey,
-    receiver_token_account: AccountInfo<'a>,
-    mint: AccountInfo<'a>,
-    pool_signer: AccountInfo<'a>,
-    pool_signer_bump: u8,
     release_or_mint: ReleaseOrMintInV1,
     parsed_amount: u64,
+    accounts: MintTokenAccountsInfo,
 ) -> Result<()> {
     // mint to receiver
     // https://docs.rs/spl-token-2022/latest/spl_token_2022/instruction/fn.mint_to.html
     let mut ix = mint_to(
         &spl_token_2022::ID, // use spl-token-2022 to compile instruction - change program later
-        &mint.key(),
-        &receiver_token_account.key(),
-        &pool_signer.key(),
-        &[],
+        &accounts.mint.key(),
+        &accounts.receiver_token_account.key(),
+        &accounts.multisig.unwrap_or(accounts.pool_signer).key(),
+        &[accounts.pool_signer.key],
         parsed_amount,
     )?;
     ix.program_id = token_program.key(); // set to user specified program
 
     let seeds = &[
         POOL_SIGNER_SEED,
-        &mint.key().to_bytes(),
-        &[pool_signer_bump],
+        &accounts.mint.key().to_bytes(),
+        &[accounts.pool_signer_bump],
     ];
-    invoke_signed(
-        &ix,
-        &[receiver_token_account, mint.clone(), pool_signer.clone()],
-        &[&seeds[..]],
-    )?;
+
+    let account_infos: Vec<AccountInfo> = if accounts.multisig.is_some() {
+        vec![
+            accounts.receiver_token_account.clone(),
+            accounts.mint.clone(),
+            accounts.multisig.unwrap().clone(),
+            accounts.pool_signer.clone(),
+        ]
+    } else {
+        vec![
+            accounts.receiver_token_account.clone(),
+            accounts.mint.clone(),
+            accounts.pool_signer.clone(),
+        ]
+    };
+
+    invoke_signed(&ix, &account_infos, &[&seeds[..]])?;
 
     emit!(Minted {
-        sender: pool_signer.key(),
+        sender: accounts.pool_signer.key(),
         recipient: release_or_mint.receiver,
         amount: parsed_amount,
-        mint: mint.key(),
+        mint: accounts.mint.key(),
     });
 
     Ok(())

chains/solana/contracts/programs/test-token-pool/src/lib.rs

@@ -9,7 +9,7 @@ use crate::context::*;
 #[program]
 pub mod test_token_pool {
     use anchor_lang::solana_program::{instruction::Instruction, program::invoke_signed};
-    use burnmint_token_pool::{burn_tokens, mint_tokens};
+    use burnmint_token_pool::{burn_tokens, mint_tokens, MintTokenAccountsInfo};
     use lockrelease_token_pool::{lock_tokens, release_tokens};
 
     use super::*;
@@ -152,6 +152,8 @@ pub mod test_token_pool {
             ctx.accounts.rmn_remote_config.to_account_info(),
         )?;
 
+        let mint_authority = ctx.accounts.mint.mint_authority.unwrap_or_default();
+
         match ctx.accounts.state.pool_type {
             PoolType::LockAndRelease => release_tokens(
                 ctx.accounts.token_program.key(),
@@ -166,12 +168,24 @@ pub mod test_token_pool {
             )?,
             PoolType::BurnAndMint => mint_tokens(
                 ctx.accounts.token_program.key(),
-                ctx.accounts.receiver_token_account.to_account_info(),
-                ctx.accounts.mint.to_account_info(),
-                ctx.accounts.pool_signer.to_account_info(),
-                ctx.bumps.pool_signer,
                 release_or_mint,
                 parsed_amount,
+                MintTokenAccountsInfo {
+                    receiver_token_account: &ctx.accounts.receiver_token_account.to_account_info(),
+                    mint: &ctx.accounts.mint.to_account_info(),
+                    pool_signer: &ctx.accounts.pool_signer.to_account_info(),
+                    pool_signer_bump: ctx.bumps.pool_signer,
+                    multisig: if mint_authority != ctx.accounts.pool_signer.key() {
+                        Some(
+                            ctx.remaining_accounts
+                                .iter()
+                                .find(|acc| acc.key() == mint_authority)
+                                .ok_or(CcipTokenPoolError::InvalidInputs)?,
+                        )
+                    } else {
+                        None
+                    },
+                },
             )?,
             PoolType::Wrapped => {
                 // The External Execution Config Account is used to sign the CPI instruction

chains/solana/contracts/target/idl/burnmint_token_pool.json

@@ -685,5 +685,12 @@
         ]
       }
     }
+  ],
+  "errors": [
+    {
+      "code": 6000,
+      "name": "InvalidMultisig",
+      "msg": "Invalid Multisig Mint"
+    }
   ]
 }

chains/solana/contracts/target/types/burnmint_token_pool.ts

@@ -685,6 +685,13 @@ export type BurnmintTokenPool = {
         ]
       }
     }
+  ],
+  "errors": [
+    {
+      "code": 6000,
+      "name": "InvalidMultisig",
+      "msg": "Invalid Multisig Mint"
+    }
   ]
 };
 
@@ -1375,5 +1382,12 @@ export const IDL: BurnmintTokenPool = {
         ]
       }
     }
+  ],
+  "errors": [
+    {
+      "code": 6000,
+      "name": "InvalidMultisig",
+      "msg": "Invalid Multisig Mint"
+    }
   ]
 };

chains/solana/contracts/tests/ccip/ccip_router_test.go

@@ -101,6 +101,8 @@ func TestCCIPRouter(t *testing.T) {
 	// Random-generated key, but fixing it adds determinism to tests to make it easier to debug.
 	linkMintPrivK := solana.MustPrivateKeyFromBase58("32YVeJArcWWWV96fztfkRQhohyFz5Hwno93AeGVrN4g2LuFyvwznrNd9A6tbvaTU6BuyBsynwJEMLre8vSy3CrVU")
 
+	token0Multisig := solana.MustPrivateKeyFromBase58("5BayUa1C1nfiSptuV521hYPKZZsjHJM5YDfWZJkyrDgnEhzvZS4x5Nuqn6n4E6anuqAc7dJpAr1faNUwyK99cf3C") // EkopXthh6nbLKkgEnACc94mygKsSfcaX4EjXLgt1LiR4
+
 	token0Mint := solana.MustPrivateKeyFromBase58("42uJJqZk4gFz6Q6ghMiaYrFdDapXhbufQdTCGJDMeyv2wN6wNBbXkBBPibF7xQQZemzRaDH66ouJmjfvWhPJKtQC")
 	token0, gerr := tokens.NewTokenPool(config.Token2022Program, config.CcipTokenPoolProgram, token0Mint.PublicKey())
 	require.NoError(t, gerr)
@@ -382,6 +384,10 @@ func TestCCIPRouter(t *testing.T) {
 			ix0, ixErr0 := tokens.CreateToken(ctx, token0.Program, token0.Mint, token0PoolAdmin.PublicKey(), token0Decimals, solanaGoClient, config.DefaultCommitment)
 			require.NoError(t, ixErr0)
 
+			ixMsig, ixErrMsig := tokens.CreateMultisig(ctx, user.PublicKey(), token0.Program, token0Multisig.PublicKey(), []solana.PublicKey{token0PoolAdmin.PublicKey(), token0.PoolSigner}, solanaGoClient, config.DefaultCommitment)
+			require.NoError(t, ixErrMsig)
+			testutils.SendAndConfirm(ctx, t, solanaGoClient, ixMsig, token0PoolAdmin, config.DefaultCommitment, common.AddSigners(token0Multisig, user))
+
 			ix1, ixErr1 := tokens.CreateToken(ctx, token1.Program, token1.Mint, token1PoolAdmin.PublicKey(), token1Decimals, solanaGoClient, config.DefaultCommitment)
 			require.NoError(t, ixErr1)
 
@@ -432,7 +438,7 @@ func TestCCIPRouter(t *testing.T) {
 		})
 
 		t.Run("token-pool", func(t *testing.T) {
-			token0.AdditionalAccounts = append(token0.AdditionalAccounts, solana.MemoProgramID) // add test additional accounts in pool interactions
+			token0.AdditionalAccounts = append(token0.AdditionalAccounts, token0Multisig.PublicKey()) // add test additional accounts in pool interactions
 
 			type ProgramData struct {
 				DataType uint32
@@ -560,7 +566,7 @@ func TestCCIPRouter(t *testing.T) {
 			linkPool.PoolTokenAccount = addrLink
 			linkPool.User[linkPool.PoolSigner] = linkPool.PoolTokenAccount
 
-			ixAuth, err := tokens.SetTokenMintAuthority(token0.Program, token0.PoolSigner, token0.Mint, token0PoolAdmin.PublicKey())
+			ixAuth, err := tokens.SetTokenMintAuthority(token0.Program, token0Multisig.PublicKey(), token0.Mint, token0PoolAdmin.PublicKey())
 			require.NoError(t, err)
 
 			testutils.SendAndConfirm(ctx, t, solanaGoClient, []solana.Instruction{ixInit0, ixInit1, ixInit2, ixInitLink}, legacyAdmin, config.DefaultCommitment)

chains/solana/contracts/tests/examples/pools_test.go

@@ -33,11 +33,14 @@ var pools = []PoolInfo{
 type TokenInfo struct {
 	tokenName    string
 	tokenProgram solana.PublicKey
+	multisig     bool
 }
 
 var tokenPrograms = []TokenInfo{
-	{tokenName: "spl-token", tokenProgram: solana.TokenProgramID},
-	{tokenName: "spl-token-2022", tokenProgram: config.Token2022Program},
+	{tokenName: "spl-token", tokenProgram: solana.TokenProgramID, multisig: false},
+	{tokenName: "spl-token", tokenProgram: solana.TokenProgramID, multisig: true},
+	{tokenName: "spl-token-2022", tokenProgram: config.Token2022Program, multisig: false},
+	{tokenName: "spl-token-2022", tokenProgram: config.Token2022Program, multisig: true},
 }
 
 type ProgramData struct {
@@ -203,8 +206,22 @@ func TestBaseTokenPoolHappyPath(t *testing.T) {
 						poolInitI, err := tokenpool.NewInitializeInstruction(dumbRamp, config.RMNRemoteProgram, poolConfig, mint, admin.PublicKey(), solana.SystemProgramID, poolProgram, programData.Address, configPDA).ValidateAndBuild()
 						require.NoError(t, err)
 
+						newMintAuthority := poolSigner
+
+						if v.multisig {
+							// create multisig
+							multisig, err := solana.NewRandomPrivateKey()
+							require.NoError(t, err)
+							ixMsig, ixErrMsig := tokens.CreateMultisig(ctx, admin.PublicKey(), v.tokenProgram, multisig.PublicKey(), []solana.PublicKey{admin.PublicKey(), poolSigner}, solanaGoClient, config.DefaultCommitment)
+							require.NoError(t, ixErrMsig)
+							testutils.SendAndConfirm(ctx, t, solanaGoClient, ixMsig, admin, config.DefaultCommitment, common.AddSigners(multisig, admin))
+
+							newMintAuthority = multisig.PublicKey()
+							p.MintAuthorityMultisig = multisig.PublicKey() // set multisig as mint authority
+						}
+
 						// make pool mint_authority for token (required for burn/mint)
-						authI, err := tokens.SetTokenMintAuthority(v.tokenProgram, poolSigner, mint, admin.PublicKey())
+						authI, err := tokens.SetTokenMintAuthority(v.tokenProgram, newMintAuthority, mint, admin.PublicKey())
 						require.NoError(t, err)
 
 						// set pool config
@@ -310,7 +327,7 @@ func TestBaseTokenPoolHappyPath(t *testing.T) {
 					t.Run("releaseOrMint", func(t *testing.T) {
 						require.Equal(t, "0", getBalance(p.User[admin.PublicKey()]))
 
-						rmI, err := test_ccip_invalid_receiver.NewPoolProxyReleaseOrMintInstruction(
+						raw := test_ccip_invalid_receiver.NewPoolProxyReleaseOrMintInstruction(
 							test_ccip_invalid_receiver.ReleaseOrMintInV1{
 								LocalToken:          mint,
 								SourcePoolAddress:   remotePool.Address,
@@ -332,7 +349,13 @@ func TestBaseTokenPoolHappyPath(t *testing.T) {
 							config.RMNRemoteCursesPDA,
 							config.RMNRemoteConfigPDA,
 							p.User[admin.PublicKey()],
-						).ValidateAndBuild()
+						)
+
+						if v.multisig {
+							raw.AccountMetaSlice.Append(solana.Meta(p.MintAuthorityMultisig))
+						}
+
+						rmI, err := raw.ValidateAndBuild()
 						require.NoError(t, err)
 
 						cu := testutils.GetRequiredCU(ctx, t, solanaGoClient, []solana.Instruction{rmI}, admin, config.DefaultCommitment)

chains/solana/utils/tokens/token.go

@@ -55,6 +55,34 @@ func CreateToken(ctx context.Context, program, mint, admin solana.PublicKey, dec
 	return []solana.Instruction{initI, mintWrap}, nil
 }
 
+func CreateMultisig(ctx context.Context, payer, program, multisig solana.PublicKey, signers []solana.PublicKey, client *rpc.Client, commitment rpc.CommitmentType) ([]solana.Instruction, error) {
+	// get stake amount for init
+	lamports, err := client.GetMinimumBalanceForRentExemption(ctx, 355, commitment)
+	if err != nil {
+		return nil, err
+	}
+
+	// initialize mint account
+	initI, err := system.NewCreateAccountInstruction(lamports, 355, program, payer, multisig).ValidateAndBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	// Manually add the signer metas, as the SDK wrongly tries to set them as transaction signers
+	// when they are just meant to be registered as part of the multisig
+	raw := token.NewInitializeMultisig2Instruction(1, multisig, []solana.PublicKey{})
+	for _, signer := range signers {
+		raw.Signers = append(raw.Signers, solana.Meta(signer))
+	}
+	msigInitIx, err := raw.ValidateAndBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	msigWrap := &TokenInstruction{msigInitIx, program}
+	return []solana.Instruction{initI, msigWrap}, nil
+}
+
 var AssociatedTokenProgramID solana.PublicKey = ata.ProgramID
 
 func CreateAssociatedTokenAccount(tokenProgram, mint, address, payer solana.PublicKey) (ins solana.Instruction, ataAddress solana.PublicKey, err error) {