tlv-account-resolution: Always demote signer flag

[joncinque]

Problem

As described at solana-program/transfer-hook#83, there's just too many ways for signers to be potentially abused during transfer hooks.

Summary of changes

Demote all accounts to non-signer when resolving from an extra account metas list.

[buffalojoec]

Lgtm. This is definitely the safer route to take.

[buffalojoec]

Can't you just use account_info_to_meta_non_signer for all of these?

[joncinque]

Ah yes, nice catch!

[joncinque]

Well it's only possible on these three, the rest are account metas already, not account infos

[buffalojoec]

Is this comment incorrect? Shouldn't it say:

Check to see if the account is writable in the original instruction...

• "If it's not, don't escalate it"
• or: "If it's not, deescalate the extra meta is_writable config"

But just worded better than what I wrote.

[joncinque]

Yeah that makes more sense, thanks!

[buffalojoec]

Just checking - when the program is upgraded to deescalate any signers in the ExtraAccountMetaList, someone's existing transfer hook config that depends on an extra meta signer (or a rug, lol) is going to break.

Any particular plan to this upgrade and breaking behavioral change?

[joncinque]

Just checking - when the program is upgraded to deescalate any signers in the ExtraAccountMetaList, someone's existing transfer hook config that depends on an extra meta signer (or a rug, lol) is going to break.

Any particular plan to this upgrade and breaking behavioral change?

From what I understand, there aren't really any uses of signers in transfer hooks, but we'll need to work with Foundation eng to get the word out -- @tiago18c can you help with that?

[tiago18c]

I did some digging:

• 1 702 302 token 2022 mints
• 58 416 using transfer hooks
• 22 extra metas with at least 1 signer dependency
• 1 with >0 supply
• 0 with any transactions <365 days ago

Basically there will be no one affected (other than possible black hats).
cc: @buffalojoec @joncinque