fix(audit): align sponsor revoke with transfer drift window (MULT-5)#34
Merged
dev-jodee merged 7 commits intoApr 28, 2026
Conversation
Extract is_effectively_expired helper. Sponsor revocation now waits the same TIME_DRIFT_ALLOWED_SECS past expiry that transfers tolerate, so sponsor cannot close a delegation while the delegatee can still pull.
Compute Unit Report
Generated: 2026-04-28 |
5 tasks
Extend SubscribeData with expected_mint/amount/period_hours/created_at. Program rejects with PlanTermsMismatch if the live plan disagrees with what the subscriber signed. Stale-signed subscribe transactions can no longer enroll into a recreated plan with different terms. SDK and webapp callers fetch plan data and pass the snapshot.
Plan::check_destination and Plan::can_pull now filter out zero-padded slots before membership tests. A plan with fewer than four configured destinations no longer authorizes a zero-owned receiver, and a plan with fewer than four pullers no longer authorizes a zero-pubkey caller.
…-10) Webapp exit flows now pass the on-chain payer as receiver when it differs from the connected signer, so sponsor-funded delegations and SubscriptionAuthority accounts can actually be closed. Also migrates revokeSubscription and cancelAndRevokeSubscription from buildRevokeDelegation to buildRevokeSubscription with planPda + receiver, fixing subscription revoke for both sponsor and non-sponsor cases.
…(MULT-9) Stale-delegation cleanup no longer appends a close on the current SubscriptionAuthority. Revoking stale delegations is now scoped to the supplied delegation accounts; the SA stays open and current grants remain valid.
dev-jodee
merged commit e35e571
into
audit/ai-scanner/04-recurring-rollover-guard
6 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Audit finding: MULT-5
Sponsor revocation used a strict
expiry_ts > current_tscheck while transfer paths accepted pulls forTIME_DRIFT_ALLOWED_SECSpastexpiry_ts. A sponsor could close a delegation account inside the drift window, destroying allowance the delegatee could still legally pull.Fix
Extract
is_effectively_expired(expiry_ts, current_ts)helper. Sponsor revoke and both transfer validators (fixed + recurring) now use it. Sponsor must wait until the drift window closes before reclaiming rent.Test plan
cargo build -p subscriptionscargo test -p subscriptions --lib(212/212 pass; one new regression test)sponsor_cannot_revoke_within_drift_windowasserts sponsor blocked at +110s and allowed at +231sStack
Stacked on top of #33 (MULT-7).