Skip to content

add pinocchio pda-mint-authority example#612

Open
MarkFeder wants to merge 3 commits into
solana-foundation:mainfrom
MarkFeder:tokens-pda-mint-authority-pinocchio
Open

add pinocchio pda-mint-authority example#612
MarkFeder wants to merge 3 commits into
solana-foundation:mainfrom
MarkFeder:tokens-pda-mint-authority-pinocchio

Conversation

@MarkFeder

Copy link
Copy Markdown
Contributor

Adds a Pinocchio port of the tokens/pda-mint-authority example, alongside the existing anchor and native versions.

What it does

A program-derived address — not a wallet — is the mint and freeze authority for every NFT this program creates. Three instructions, dispatched by a leading discriminator byte (matching the native MyInstruction enum):

  • Init (0) — creates the mint-authority PDA ([b"mint_authority"]), signed by its own seeds, and persists the canonical bump in the account.
  • Create (1) — creates a 0-decimal SPL mint whose authority is the PDA, then attaches a Metaplex metadata account via a hand-rolled CreateMetadataAccountV3 CPI. The metadata CPI is authorized with the PDA's seeds via invoke_signed.
  • Mint (2) — creates the payer's associated token account (idempotent), mints the single token, then creates the master edition via a hand-rolled CreateMasterEditionV3 CPI (max_supply = Some(1)). Both the MintTo and master-edition CPIs are signed by the PDA.

The new building block here versus the other token examples is PDA-as-signer: Init, the metadata CPI, the MintTo, and the master-edition CPI all sign as the PDA using pinocchio::cpi::{Seed, Signer} and invoke_signed, rather than relying on a wallet signature. The bump recorded by Init is read back from the PDA account to rebuild the signer seeds without re-deriving the address on-chain.

Tests

tests/test.ts runs under solana-bankrun, loading the program plus the Token Metadata program (dumped from mainnet into tests/fixtures by prepare.mjs). Three cases:

  • Init asserts the PDA account is owned by the program and stores the expected bump.
  • Create asserts the mint is owned by the Token program and the metadata account is owned by Token Metadata and contains the NFT name.
  • Mint asserts the ATA holds exactly 1 token and the master edition account exists and is owned by Token Metadata (proving the PDA-signed CreateMasterEditionV3 CPI succeeded).

@greptile-apps

greptile-apps Bot commented Jun 24, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a Pinocchio port of the tokens/pda-mint-authority example, implementing the same three-instruction NFT minting flow (Init, Create, Mint) as the existing anchor and native versions, with the PDA-as-signer pattern as the central teaching concept.

  • Init creates the mint-authority PDA via invoke_signed, stores the canonical bump in account byte 0, and verifies the supplied bump produces the expected address before writing.
  • Create reads the stored bump, re-derives and verifies the PDA address, creates and initialises the SPL mint (0 decimals), then CPIs CreateMetadataAccountV3 via a hand-rolled Borsh payload signed by the PDA's seeds.
  • Mint idempotently creates the ATA, performs a PDA-signed MintTo, and issues a PDA-signed CreateMasterEditionV3 CPI \u2014 all exercised by a bankrun test suite that loads the Metaplex program from a mainnet fixture.

Confidence Score: 5/5

Safe to merge — all three instruction handlers, the hand-rolled Metaplex CPIs, and the bankrun test suite are logically correct with no data-loss or security-bypass paths introduced.

The three instructions implement a straightforward and well-tested PDA-as-signer flow. Both PDA address verifications are correctly applied in create_token and mint_to. The hand-rolled Borsh payloads for the Metaplex CPIs match the expected account layouts and are exercised end-to-end by the bankrun tests. No data-corruption, re-entrancy, or authority-bypass paths were found.

No files require special attention; the most complex logic is in create.rs and mint.rs (hand-rolled Metaplex CPI payloads), both of which are covered by passing bankrun tests.

Important Files Changed

Filename Overview
tokens/pda-mint-authority/pinocchio/program/src/instructions/init.rs Creates the mint-authority PDA via signed CreateAccount CPI, verifies the supplied bump produces the expected address, and stores the bump in account byte 0. Straightforward and correct.
tokens/pda-mint-authority/pinocchio/program/src/instructions/create.rs Reads bump from the PDA account, verifies PDA address, creates and initialises the SPL mint, then CPIs into Token Metadata via a hand-rolled CreateMetadataAccountV3 payload; missing program ownership check on mint_authority before reading its data (defense-in-depth only, not exploitable).
tokens/pda-mint-authority/pinocchio/program/src/instructions/mint.rs Idempotently creates the ATA, mints the single token, and CPIs CreateMasterEditionV3; same pattern as create.rs regarding the missing ownership check on mint_authority, all other logic is correct.
tokens/pda-mint-authority/pinocchio/program/src/state.rs Simple one-field struct; allocates 16 bytes but only uses 1 (mirrors native example intentionally); serialize/deserialize are correct and safe.
tokens/pda-mint-authority/pinocchio/program/src/processor.rs Clean discriminator-based dispatch over three instructions with a catch-all error for unknown variants.
tokens/pda-mint-authority/pinocchio/tests/test.ts Three bankrun test cases covering all three instructions with meaningful on-chain assertions; follows existing pinocchio test patterns.
tokens/pda-mint-authority/pinocchio/prepare.mjs Uses per-command -um flag to dump the Metaplex program from mainnet without mutating the global CLI config (previous review concern addressed).

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant Program as PDA-Mint-Authority Program
    participant SysProg as System Program
    participant TokProg as Token Program
    participant ATA as Associated Token Program
    participant Meta as Token Metadata Program

    Note over Client, Meta: Instruction 0 - Init
    Client->>Program: Init(bump)
    Program->>Program: derive PDA and verify address
    Program->>SysProg: "CreateAccount(PDA, space=16, owner=Program) signed by PDA seeds"
    Program->>Program: Write bump into PDA account byte 0

    Note over Client, Meta: Instruction 1 - Create
    Client->>Program: Create(name, symbol, uri)
    Program->>Program: Read bump from PDA, re-derive and verify PDA address
    Program->>SysProg: "CreateAccount(mint, space=82, owner=TokenProgram)"
    Program->>TokProg: "InitializeMint2(decimals=0, mint_auth=PDA, freeze_auth=PDA)"
    Program->>Meta: CreateMetadataAccountV3 signed by PDA seeds

    Note over Client, Meta: Instruction 2 - Mint
    Client->>Program: Mint
    Program->>Program: Read bump from PDA, re-derive and verify PDA address
    Program->>ATA: CreateIdempotent(ATA for payer)
    Program->>TokProg: "MintTo(amount=1) signed by PDA seeds"
    Program->>Meta: "CreateMasterEditionV3(max_supply=1) signed by PDA seeds"
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant Program as PDA-Mint-Authority Program
    participant SysProg as System Program
    participant TokProg as Token Program
    participant ATA as Associated Token Program
    participant Meta as Token Metadata Program

    Note over Client, Meta: Instruction 0 - Init
    Client->>Program: Init(bump)
    Program->>Program: derive PDA and verify address
    Program->>SysProg: "CreateAccount(PDA, space=16, owner=Program) signed by PDA seeds"
    Program->>Program: Write bump into PDA account byte 0

    Note over Client, Meta: Instruction 1 - Create
    Client->>Program: Create(name, symbol, uri)
    Program->>Program: Read bump from PDA, re-derive and verify PDA address
    Program->>SysProg: "CreateAccount(mint, space=82, owner=TokenProgram)"
    Program->>TokProg: "InitializeMint2(decimals=0, mint_auth=PDA, freeze_auth=PDA)"
    Program->>Meta: CreateMetadataAccountV3 signed by PDA seeds

    Note over Client, Meta: Instruction 2 - Mint
    Client->>Program: Mint
    Program->>Program: Read bump from PDA, re-derive and verify PDA address
    Program->>ATA: CreateIdempotent(ATA for payer)
    Program->>TokProg: "MintTo(amount=1) signed by PDA seeds"
    Program->>Meta: "CreateMasterEditionV3(max_supply=1) signed by PDA seeds"
Loading

Reviews (5): Last reviewed commit: "pda-mint-authority pinocchio: make bankr..." | Re-trigger Greptile

Comment on lines +22 to +25
try {
mkdirSync(outputDir, { recursive: true });
// Point the Solana CLI at mainnet, where the canonical program lives.
execSync("solana config set -um", { stdio: "inherit" });

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 solana config set -um is never reverted

pnpm install runs this script as a postinstall hook, permanently redirecting the developer's Solana CLI cluster to mainnet. A developer who normally works against devnet or localnet will silently end up with a wrong cluster config after installing. Saving the current cluster with solana config get json_rpc_url, pointing to mainnet only for the dump, then restoring it afterward would avoid the side-effect.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — fixed in 1cfe23d. prepare.mjs now dumps the program with a per-command solana program dump -um … instead of solana config set -um, so pnpm install no longer mutates the developer's global Solana CLI cluster.

Comment on lines +30 to +37
let bump = *data.first().ok_or(ProgramError::InvalidInstructionData)?;

// Verify the supplied account is the canonical PDA for this bump.
let pda = derive_address(
&[MintAuthorityPda::SEED_PREFIX],
Some(bump),
program_id.as_array(),
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Non-canonical bump is accepted without validation

The bump is taken directly from instruction data and passed to derive_address with Some(bump), which computes a PDA for whatever bump value was supplied rather than requiring the canonical one. A caller who deliberately (or accidentally) provides a non-canonical bump will create the mint-authority account at a different address than findProgramAddressSync would derive client-side. Downstream clients that recompute the PDA without knowing which bump was stored will then resolve a different address and be unable to interact with the mints this program created. Since pinocchio_pubkey::derive_address with bump: None finds the canonical bump on-chain, using it here would prevent this class of error.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving this as-is, for two reasons:

  1. Consistency with the established pinocchio pattern. This is exactly what the already-merged tokens/escrow/pinocchio does (make_offer.rs): take the bump from instruction data, then derive_address(&[seed], Some(bump), program_id) and reject the tx unless the supplied account equals that PDA. Every pinocchio example in the repo follows this; matching it keeps the teaching examples uniform.

  2. Toolchain constraint. Deriving the canonical bump on-chain needs find_program_address/create_program_address, whose off-target implementation in solana-address is gated behind the curve25519 feature. CI lint runs cargo clippy -- -D warnings on the host target (no --target sbf), so referencing it there fails to compile unless we pull in the curve25519 dependency — which the lightweight pinocchio stack intentionally avoids. derive_address (from pinocchio-pubkey) is the host-compatible primitive, and it only derives for a given bump.

On safety: the supplied mint-authority account is validated against derive_address(Some(bump)), and create/mint re-derive the signer seeds from the bump persisted in that account, so the program is internally consistent. A client that deliberately passes a non-canonical bump only affects its own address derivation; the test (and any normal client) sources the bump from findProgramAddressSync, which always returns the canonical one.

@MarkFeder MarkFeder force-pushed the tokens-pda-mint-authority-pinocchio branch from 1cfe23d to 0be01f1 Compare July 8, 2026 21:13
MarkFeder and others added 2 commits July 9, 2026 09:31
Use 'solana program dump -um' instead of 'solana config set -um', so
running pnpm install no longer permanently switches the developer's
Solana CLI cluster to mainnet.
@MarkFeder MarkFeder force-pushed the tokens-pda-mint-authority-pinocchio branch from 0be01f1 to 0f6fa01 Compare July 9, 2026 07:32
@MarkFeder

Copy link
Copy Markdown
Contributor Author

@Perelyn-sama @dev-jodee — rebased onto latest main (picks up the ASM sbpf/Solana pin from #625), CI is now fully green. Ready for review whenever you have a chance 🙏

Move the async bankrun setup out of the `describe` callback and into a
`before` hook so Mocha collects the `it` blocks (an async `describe` body
registers tests after the suite is already collected, so nothing ran).

With the test now executing, replace `Rent::try_minimum_balance` (both the
mint and the PDA account) with the integer rent formula: its floating-point
exemption-threshold path emits an opcode the bankrun VM rejects ("unsupported
BPF instruction"). Matches the create-token example.
@MarkFeder MarkFeder requested a review from dev-jodee as a code owner July 15, 2026 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant