
Disallow duplicate *mutable* accounts by default #3946

Merged
jacobcreech merged 46 commits into otter-sec:master from swaroop-osec:feat/issue-3825
Dec 9, 2025

@swaroop-osec

Collaborator

Fixes #3825

@vercel

vercel Bot commented Sep 16, 2025

@swaroop-osec is attempting to deploy a commit to the Solana Foundation Team on Vercel.

A member of the Team first needs to authorize it.

@swaroop-osec swaroop-osec marked this pull request as ready for review September 16, 2025 07:15
@nutafrost nutafrost moved this to Security Review Required in Anchor 1.0 Sep 16, 2025
Comment thread lang/syn/src/codegen/accounts/try_accounts.rs Outdated
@vercel

vercel Bot commented Oct 27, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
anchor-docs Ignored Ignored Preview Dec 9, 2025 6:41am

@jacobcreech jacobcreech merged commit 48aba30 into otter-sec:master Dec 9, 2025
59 checks passed
@github-project-automation github-project-automation Bot moved this from Security Review Done to Done in Anchor 1.0 Dec 9, 2025
swaroop-osec added a commit to swaroop-osec/anchor that referenced this pull request Jan 28, 2026
swaroop-osec added a commit to swaroop-osec/anchor that referenced this pull request Feb 12, 2026
jamie-osec pushed a commit that referenced this pull request Feb 12, 2026
* lang: Update duplicate mutable account validation logic to include only types that serialize on exit (#3946)

* lang: Update documentation for `dup` constraint

* chore: Fix PR link
* lang: Update duplicate mutable account constraint to include `Migration` type
* lang: Allow duplicates in remaining accounts
* fix: use strict AnchorError assertion in nested duplicate test
* lang: Introduce `DuplicateMutableAccountKeys` trait for composite account validation
Otter-0x4ka5h pushed a commit to Otter-0x4ka5h/anchor that referenced this pull request Mar 25, 2026
* feat: Add duplicate mutable account constraint

* feat: tests for duplicate mutable accounts

* feat: add test for duplicate mutable accounts in workflow

* style(tests): prettier

* chore: update benchmarks

* feat: exclude UncheckedAccounts from duplicate mutable account checks

* feat(tests): add duplicate-mutable-accounts to test scripts

* feat: enhance duplicate mutable account checks for optional fields

* chore(bench): update

* fix: update program IDs

* feat: allow duplicate accounts in realloc2 ix

* chore(bench): update

* chore(bench): update

* feat(tests): allow duplicate accounts in misc tests

* fix(bench):update

* fix: update program ID for duplicate mutable accounts

* fix: update program ID

* fix(bench): update

* chore(docs): Updated docs and CHANGELOG.md

* refactor: ignore init accounts

* fix(bench): update

* chore: formatting

* refactor: optimize duplicate mutable checks generation

* refactor: replace BTreeSet with HashSet

* (chore): Update benchmarks

* test(events): use confirmOptions for transaction handling

* chore: Update CHANGELOG.md

* feat(lang): Added checks for duplicate mutable accounts in `remaining_accounts` to prevent validation bypass.

* feat(tests): Add nested duplicate account test to prevent mutable account conflicts

* chore(bench): Update benchmarks

* fix(lang): Exclude Signer accounts from duplicate mutable checks in account validation

* feat(tests): Add test to initialize multiple accounts with the same payer

* chore(bench): Update

* fix: package.json

* refactor: remove unused confirmOptions from event tests

* chore: update benchmarks

* chore: update benchmarks

* Update benchmarks

* chore: Update benchmarks
Otter-0x4ka5h pushed a commit to Otter-0x4ka5h/anchor that referenced this pull request Mar 25, 2026
)

* lang: Update duplicate mutable account validation logic to include only types that serialize on exit (otter-sec#3946)

* lang: Update documentation for `dup` constraint

* chore: Fix PR link
* lang: Update duplicate mutable account constraint to include `Migration` type
* lang: Allow duplicates in remaining accounts
* fix: use strict AnchorError assertion in nested duplicate test
* lang: Introduce `DuplicateMutableAccountKeys` trait for composite account validation

Development

Successfully merging this pull request may close these issues.

lang: Disallow duplicate *mutable* accounts by default