Skip to content

add pinocchio pda-mint-authority example#612

Open
MarkFeder wants to merge 2 commits into
solana-foundation:mainfrom
MarkFeder:tokens-pda-mint-authority-pinocchio
Open

add pinocchio pda-mint-authority example#612
MarkFeder wants to merge 2 commits into
solana-foundation:mainfrom
MarkFeder:tokens-pda-mint-authority-pinocchio

Conversation

@MarkFeder

Copy link
Copy Markdown
Contributor

Adds a Pinocchio port of the tokens/pda-mint-authority example, alongside the existing anchor and native versions.

What it does

A program-derived address — not a wallet — is the mint and freeze authority for every NFT this program creates. Three instructions, dispatched by a leading discriminator byte (matching the native MyInstruction enum):

  • Init (0) — creates the mint-authority PDA ([b"mint_authority"]), signed by its own seeds, and persists the canonical bump in the account.
  • Create (1) — creates a 0-decimal SPL mint whose authority is the PDA, then attaches a Metaplex metadata account via a hand-rolled CreateMetadataAccountV3 CPI. The metadata CPI is authorized with the PDA's seeds via invoke_signed.
  • Mint (2) — creates the payer's associated token account (idempotent), mints the single token, then creates the master edition via a hand-rolled CreateMasterEditionV3 CPI (max_supply = Some(1)). Both the MintTo and master-edition CPIs are signed by the PDA.

The new building block here versus the other token examples is PDA-as-signer: Init, the metadata CPI, the MintTo, and the master-edition CPI all sign as the PDA using pinocchio::cpi::{Seed, Signer} and invoke_signed, rather than relying on a wallet signature. The bump recorded by Init is read back from the PDA account to rebuild the signer seeds without re-deriving the address on-chain.

Tests

tests/test.ts runs under solana-bankrun, loading the program plus the Token Metadata program (dumped from mainnet into tests/fixtures by prepare.mjs). Three cases:

  • Init asserts the PDA account is owned by the program and stores the expected bump.
  • Create asserts the mint is owned by the Token program and the metadata account is owned by Token Metadata and contains the NFT name.
  • Mint asserts the ATA holds exactly 1 token and the master edition account exists and is owned by Token Metadata (proving the PDA-signed CreateMasterEditionV3 CPI succeeded).

@greptile-apps

greptile-apps Bot commented Jun 24, 2026

Copy link
Copy Markdown

Greptile Summary

Adds a Pinocchio port of the tokens/pda-mint-authority example alongside the existing Anchor and native versions. The program implements three instructions (Init, Create, Mint) that use a PDA as the mint and freeze authority for NFTs, with all CPI signings authorized via invoke_signed and the PDA's seeds.

  • Init creates the mint-authority PDA ([b\"mint_authority\"]) and stores the canonical bump; Create initializes a 0-decimal SPL mint and attaches Metaplex metadata via a hand-rolled CreateMetadataAccountV3 CPI; Mint creates the payer's ATA idempotently, mints a single token, and issues a CreateMasterEditionV3 CPI to finalize the NFT.
  • The on-chain serialization of both Metaplex instruction payloads (build_metadata_data / build_master_edition_data) is hand-crafted in Rust; the bump-verification pattern (read bump from account data, re-derive address, compare) is consistent with the repo's existing pinocchio examples.
  • Tests run under solana-bankrun with the Token Metadata program pre-loaded from mainnet via a postinstall hook in prepare.mjs.

Confidence Score: 5/5

Safe to merge; the three-instruction flow, PDA signing, and hand-rolled Metaplex CPI payloads are all implemented correctly and validated by the bankrun test suite.

The PDA-as-signer pattern, bump verification, Borsh payload construction for both Metaplex CPIs, and account ordering are all correct. The two findings are a silent error swallow in the postinstall fixture script and a small over-allocation in the PDA account — neither affects runtime correctness.

No files require special attention; state.rs and prepare.mjs have minor nits but no correctness impact.

Important Files Changed

Filename Overview
tokens/pda-mint-authority/pinocchio/program/src/instructions/init.rs Creates the mint-authority PDA and persists the bump; bump verified against derived address before account creation. Correct.
tokens/pda-mint-authority/pinocchio/program/src/instructions/create.rs Creates SPL mint and attaches Metaplex metadata via hand-rolled CPI; account ordering and bump-verification logic are correct.
tokens/pda-mint-authority/pinocchio/program/src/instructions/mint.rs Mints single token to payer's ATA and creates master edition via PDA-signed CPI; account layout matches Metaplex spec.
tokens/pda-mint-authority/pinocchio/program/src/state.rs MintAuthorityPda stores only 1 byte (bump) but ACCOUNT_SPACE=16 over-allocates by 15 bytes; no Anchor discriminator is needed in pinocchio.
tokens/pda-mint-authority/pinocchio/prepare.mjs Dumps Token Metadata program from mainnet at postinstall time; silently swallows dump failures, making CI failures harder to diagnose.
tokens/pda-mint-authority/pinocchio/tests/test.ts Three-case bankrun test suite correctly validates PDA ownership/bump, mint ownership, metadata content, ATA balance, and master edition existence.
tokens/pda-mint-authority/pinocchio/program/src/instructions/mod.rs Defines shared constants, CreateTokenArgs Borsh parser, and Metaplex program ID; parsing is bounds-safe and correct.
tokens/pda-mint-authority/pinocchio/program/src/processor.rs Clean discriminator-based dispatch; correctly strips the leading byte before forwarding args to each handler.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant Program as pda-mint-authority (pinocchio)
    participant System as System Program
    participant Token as Token Program
    participant Meta as Token Metadata Program

    Note over Client,Meta: Instruction 0 — Init
    Client->>Program: Init(bump)
    Program->>Program: derive_address([mint_authority], bump), verify address
    Program->>System: CreateAccount invoke_signed(PDA seeds)
    Program->>Program: MintAuthorityPda.serialize(bump)

    Note over Client,Meta: Instruction 1 — Create
    Client->>Program: Create(name, symbol, uri)
    Program->>Program: read bump from PDA, verify address
    Program->>System: CreateAccount (payer to mint keypair)
    Program->>Token: "InitializeMint2 (decimals=0, authority=PDA)"
    Program->>Meta: CreateMetadataAccountV3 invoke_signed(PDA seeds)

    Note over Client,Meta: Instruction 2 — Mint
    Client->>Program: Mint
    Program->>Program: read bump from PDA, verify address
    Program->>Token: CreateIdempotent ATA
    Program->>Token: "MintTo(amount=1) invoke_signed(PDA seeds)"
    Program->>Meta: "CreateMasterEditionV3(max_supply=Some(1)) invoke_signed(PDA seeds)"
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant Program as pda-mint-authority (pinocchio)
    participant System as System Program
    participant Token as Token Program
    participant Meta as Token Metadata Program

    Note over Client,Meta: Instruction 0 — Init
    Client->>Program: Init(bump)
    Program->>Program: derive_address([mint_authority], bump), verify address
    Program->>System: CreateAccount invoke_signed(PDA seeds)
    Program->>Program: MintAuthorityPda.serialize(bump)

    Note over Client,Meta: Instruction 1 — Create
    Client->>Program: Create(name, symbol, uri)
    Program->>Program: read bump from PDA, verify address
    Program->>System: CreateAccount (payer to mint keypair)
    Program->>Token: "InitializeMint2 (decimals=0, authority=PDA)"
    Program->>Meta: CreateMetadataAccountV3 invoke_signed(PDA seeds)

    Note over Client,Meta: Instruction 2 — Mint
    Client->>Program: Mint
    Program->>Program: read bump from PDA, verify address
    Program->>Token: CreateIdempotent ATA
    Program->>Token: "MintTo(amount=1) invoke_signed(PDA seeds)"
    Program->>Meta: "CreateMasterEditionV3(max_supply=Some(1)) invoke_signed(PDA seeds)"
Loading

Reviews (4): Last reviewed commit: "pda-mint-authority pinocchio: dump fixtu..." | Re-trigger Greptile

Comment on lines +22 to +25
try {
mkdirSync(outputDir, { recursive: true });
// Point the Solana CLI at mainnet, where the canonical program lives.
execSync("solana config set -um", { stdio: "inherit" });

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 solana config set -um is never reverted

pnpm install runs this script as a postinstall hook, permanently redirecting the developer's Solana CLI cluster to mainnet. A developer who normally works against devnet or localnet will silently end up with a wrong cluster config after installing. Saving the current cluster with solana config get json_rpc_url, pointing to mainnet only for the dump, then restoring it afterward would avoid the side-effect.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — fixed in 1cfe23d. prepare.mjs now dumps the program with a per-command solana program dump -um … instead of solana config set -um, so pnpm install no longer mutates the developer's global Solana CLI cluster.

Comment on lines +30 to +37
let bump = *data.first().ok_or(ProgramError::InvalidInstructionData)?;

// Verify the supplied account is the canonical PDA for this bump.
let pda = derive_address(
&[MintAuthorityPda::SEED_PREFIX],
Some(bump),
program_id.as_array(),
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Non-canonical bump is accepted without validation

The bump is taken directly from instruction data and passed to derive_address with Some(bump), which computes a PDA for whatever bump value was supplied rather than requiring the canonical one. A caller who deliberately (or accidentally) provides a non-canonical bump will create the mint-authority account at a different address than findProgramAddressSync would derive client-side. Downstream clients that recompute the PDA without knowing which bump was stored will then resolve a different address and be unable to interact with the mints this program created. Since pinocchio_pubkey::derive_address with bump: None finds the canonical bump on-chain, using it here would prevent this class of error.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving this as-is, for two reasons:

  1. Consistency with the established pinocchio pattern. This is exactly what the already-merged tokens/escrow/pinocchio does (make_offer.rs): take the bump from instruction data, then derive_address(&[seed], Some(bump), program_id) and reject the tx unless the supplied account equals that PDA. Every pinocchio example in the repo follows this; matching it keeps the teaching examples uniform.

  2. Toolchain constraint. Deriving the canonical bump on-chain needs find_program_address/create_program_address, whose off-target implementation in solana-address is gated behind the curve25519 feature. CI lint runs cargo clippy -- -D warnings on the host target (no --target sbf), so referencing it there fails to compile unless we pull in the curve25519 dependency — which the lightweight pinocchio stack intentionally avoids. derive_address (from pinocchio-pubkey) is the host-compatible primitive, and it only derives for a given bump.

On safety: the supplied mint-authority account is validated against derive_address(Some(bump)), and create/mint re-derive the signer seeds from the bump persisted in that account, so the program is internally consistent. A client that deliberately passes a non-canonical bump only affects its own address derivation; the test (and any normal client) sources the bump from findProgramAddressSync, which always returns the canonical one.

@MarkFeder MarkFeder force-pushed the tokens-pda-mint-authority-pinocchio branch from 1cfe23d to 0be01f1 Compare July 8, 2026 21:13
MarkFeder and others added 2 commits July 9, 2026 09:31
Use 'solana program dump -um' instead of 'solana config set -um', so
running pnpm install no longer permanently switches the developer's
Solana CLI cluster to mainnet.
@MarkFeder MarkFeder force-pushed the tokens-pda-mint-authority-pinocchio branch from 0be01f1 to 0f6fa01 Compare July 9, 2026 07:32
@MarkFeder

Copy link
Copy Markdown
Contributor Author

@Perelyn-sama @dev-jodee — rebased onto latest main (picks up the ASM sbpf/Solana pin from #625), CI is now fully green. Ready for review whenever you have a chance 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant