Escrow Account Should Probably Be Enforced To Be An ATA

[bonedaddy]

Overview

Currently the escrow account is only validated that the owner address is the wrapped mint authority. This has an edge case in which callers of the Wrap instruction provide a non ATA address that is still owned by the wrapped mint authority. This would pass the current validation, and thus allow successful wrapping of tokens, but fragmenting the actual balance of the escrowed tokens account potentially many different token accounts.

While this is probably unlikely to happen in practice, it's a potentially very annoying issue, and also very easy to fix.

Proposed Fix

Instead of just checking that the owner of the provided escrow account is the wrapped mint authority, derive the ATA for the unwrapped token + wrapped mint authority, and check that the provided escrow account is equal to the derived account.

[joncinque]

We purposely avoided requiring the use of an ATA to make the program more generally usable in ways we're not imagining. For example, by convention, a program can wrap tokens into an account on a PDA.

The main potential downside I can see is getting "frontrun" by someone else withdrawing everything from an account before you can. But if that happens, you could just try again with a different account.

On the flipside, if you're a DAO or multisig, it would be very annoying to get a whole transaction together, get signoff from everyone, and then the unwrapping fails because the account got drained.

Other than that, is there a particular issue that you're worried about?

cc @grod220

[bonedaddy]

@joncinque

No particular issue that I'm worried about other than what you mentioned about frontrunning the withdrawals.