magicblock-labs · bmuddha · Sep 10, 2025 · Sep 9, 2025 · Sep 9, 2025 · Sep 10, 2025
diff --git a/src/access_permissions.rs b/src/access_permissions.rs
@@ -0,0 +1,44 @@
+use solana_svm_transaction::svm_message::SVMMessage;
+use solana_transaction_error::{TransactionError, TransactionResult};
+
+use crate::account_loader::LoadedTransaction;
+
+// NOTE:
+// this impl is kept separately to simplify synchoronization with upstream
+impl LoadedTransaction {
+    /// Validates that a transaction does not attempt to write to non-delegated accounts.
+    ///
+    /// This is a critical security check to prevent privilege escalation by ensuring
+    /// account modifications are restricted to accounts explicitly delegated to the
+    /// validator node.
+    ///
+    /// ## Logic
+    /// This function enforces a security rule with a key exception: **if the fee payer
+    /// has privileged access, this check is bypassed entirely.**
+    ///
+    /// For standard, non-privileged transactions, it enforces that **any account
+    /// marked as writable (excluding the fee payer) must be a delegated account.**
+    ///
+    /// Read-only accounts are ignored. The fee payer's writability is handled in
+    /// separate validation logic.
+    pub(crate) fn validate_accounts_access(
+        &self,
+        message: &impl SVMMessage,
+    ) -> TransactionResult<()> {
+        let payer = self.accounts.first().map(|(_, acc)| acc);
+        if payer.map(|p| p.privileged()).unwrap_or_default() {
+            // Payer has privileged access, so we can skip the validation.
+            return Ok(());
+        }
+
+        // For non-privileged payers, validate the rest of the accounts.
+        // Skip the fee payer (index 0), as its writability is validated elsewhere.
+        for (i, (_, acc)) in self.accounts.iter().enumerate().skip(1) {
+            // Enforce that any account intended to be writable must be a delegated account.
+            if message.is_writable(i) && !acc.delegated() {
+                return Err(TransactionError::InvalidWritableAccount);
+            }
+        }
+        Ok(())
+    }
+}
diff --git a/src/lib.rs b/src/lib.rs
@@ -1,6 +1,7 @@
 #![cfg_attr(feature = "frozen-abi", feature(min_specialization))]
 #![allow(clippy::arithmetic_side_effects)]
 
+mod access_permissions;
 pub mod account_loader;
 pub mod account_overrides;
 pub mod escrow;

diff --git a/src/transaction_processor.rs b/src/transaction_processor.rs
@@ -462,6 +462,17 @@ impl<FG: ForkGraph> TransactionBatchProcessor<FG> {
                     }
                 }
                 TransactionLoadResult::Loaded(loaded_transaction) => {
+                    // This transaction loaded all its accounts successfully. Now, we must
+                    // perform the security check to ensure any *writable* accounts
+                    // (excluding the fee payer) are delegated accounts.
+                    //
+                    // This check is unnecessary for other load results (like `FeesOnly`),
+                    // as those states imply the transaction failed to load these other accounts,
+                    // and the fee payer is validated separately.
+                    if let Err(err) = loaded_transaction.validate_accounts_access(tx) {
+                        processing_results.push(Err(err));
+                        continue;
+                    }
                     // observe all the account balances before executing the transaction
                     balances
                         .pre

diff --git a/tests/conformance.rs b/tests/conformance.rs
@@ -108,6 +108,7 @@ fn cleanup() {
 }
 
 #[test]
+#[ignore = "these tests mostly fail due to failed account delegation check"]
 fn execute_fixtures() {
     let mut base_dir = setup();
     base_dir.push("instr");

diff --git a/tests/integration_test.rs b/tests/integration_test.rs
@@ -7,6 +7,7 @@ use {
         register_builtins, MockBankCallback, MockForkGraph, EXECUTION_EPOCH, EXECUTION_SLOT,
         WALLCLOCK_TIME,
     },
+    solana_account::test_utils::create_borrowed_account_shared_data,
     solana_sdk::{
         account::{AccountSharedData, ReadableAccount, WritableAccount},
         clock::Slot,
@@ -2317,6 +2318,7 @@ fn simd83_account_reallocate(enable_fee_only_transactions: bool) -> Vec<SvmTestE
 #[test_case(simd83_fee_payer_deallocate(true))]
 #[test_case(simd83_account_reallocate(false))]
 #[test_case(simd83_account_reallocate(true))]
+#[ignore = "we don't support entries in blocks"]
 fn svm_integration(test_entries: Vec<SvmTestEntry>) {
     for test_entry in test_entries {
         let env = SvmTestEnvironment::create(test_entry);
@@ -2339,8 +2341,13 @@ fn svm_inspect_account() {
     // Setting up the accounts for the transfer
 
     // fee payer
-    let mut fee_payer_account = AccountSharedData::default();
-    fee_payer_account.set_delegated(true);
+    let fee_payer_account = AccountSharedData::default();
+    let (_buffer, mut fee_payer_account) =
+        create_borrowed_account_shared_data(&fee_payer_account, 0);
+    fee_payer_account
+        .as_borrowed_mut()
+        .unwrap()
+        .set_privileged(true);
     fee_payer_account.set_lamports(85_000);
     fee_payer_account.set_rent_epoch(u64::MAX);
     initial_test_entry.add_initial_account(fee_payer, &fee_payer_account);