fix!: protocol fixes

BREAKING CHANGE - Nonce init (PrivateAuthorizedInit): the initial nonce for PrivateAuthorizedInit accounts was incorrectly computed. Privacy preserving circuit code changed, as well as its id. - Authorization bidirectional check: programs must now set is_authorized = true for every authorized account in pre-states, not just avoid marking unauthorized ones as authorized. - Authorization in chained calls: authorized-account set is now the union across the call chain instead of being reset at each hop.
2026-06-02 07:09:29 +00:00 · 2026-05-28 00:03:30 -03:00 · 2026-05-28 00:03:30 -03:00 · 48da4b5119
commit 48da4b5119
parent 84bda7be34
46 changed files with 34 additions and 9 deletions
--- a/artifacts/program_methods/amm.bin
+++ b/artifacts/program_methods/amm.bin
--- a/artifacts/program_methods/associated_token_account.bin
+++ b/artifacts/program_methods/associated_token_account.bin
--- a/artifacts/program_methods/authenticated_transfer.bin
+++ b/artifacts/program_methods/authenticated_transfer.bin
--- a/artifacts/program_methods/clock.bin
+++ b/artifacts/program_methods/clock.bin
--- a/artifacts/program_methods/faucet.bin
+++ b/artifacts/program_methods/faucet.bin
--- a/artifacts/program_methods/pinata.bin
+++ b/artifacts/program_methods/pinata.bin
--- a/artifacts/program_methods/pinata_token.bin
+++ b/artifacts/program_methods/pinata_token.bin
--- a/artifacts/program_methods/privacy_preserving_circuit.bin
+++ b/artifacts/program_methods/privacy_preserving_circuit.bin
--- a/artifacts/program_methods/token.bin
+++ b/artifacts/program_methods/token.bin
--- a/artifacts/program_methods/vault.bin
+++ b/artifacts/program_methods/vault.bin
--- a/artifacts/test_program_methods/auth_asserting_noop.bin
+++ b/artifacts/test_program_methods/auth_asserting_noop.bin
--- a/artifacts/test_program_methods/auth_transfer_proxy.bin
+++ b/artifacts/test_program_methods/auth_transfer_proxy.bin
--- a/artifacts/test_program_methods/burner.bin
+++ b/artifacts/test_program_methods/burner.bin
--- a/artifacts/test_program_methods/chain_caller.bin
+++ b/artifacts/test_program_methods/chain_caller.bin
--- a/artifacts/test_program_methods/changer_claimer.bin
+++ b/artifacts/test_program_methods/changer_claimer.bin
--- a/artifacts/test_program_methods/claimer.bin
+++ b/artifacts/test_program_methods/claimer.bin
--- a/artifacts/test_program_methods/clock_chain_caller.bin
+++ b/artifacts/test_program_methods/clock_chain_caller.bin
--- a/artifacts/test_program_methods/data_changer.bin
+++ b/artifacts/test_program_methods/data_changer.bin
--- a/artifacts/test_program_methods/extra_output.bin
+++ b/artifacts/test_program_methods/extra_output.bin
--- a/artifacts/test_program_methods/faucet_chain_caller.bin
+++ b/artifacts/test_program_methods/faucet_chain_caller.bin
--- a/artifacts/test_program_methods/flash_swap_callback.bin
+++ b/artifacts/test_program_methods/flash_swap_callback.bin
--- a/artifacts/test_program_methods/flash_swap_initiator.bin
+++ b/artifacts/test_program_methods/flash_swap_initiator.bin
--- a/artifacts/test_program_methods/malicious_authorization_changer.bin
+++ b/artifacts/test_program_methods/malicious_authorization_changer.bin
--- a/artifacts/test_program_methods/malicious_caller_program_id.bin
+++ b/artifacts/test_program_methods/malicious_caller_program_id.bin
--- a/artifacts/test_program_methods/malicious_injector.bin
+++ b/artifacts/test_program_methods/malicious_injector.bin
--- a/artifacts/test_program_methods/malicious_launderer.bin
+++ b/artifacts/test_program_methods/malicious_launderer.bin
--- a/artifacts/test_program_methods/malicious_self_program_id.bin
+++ b/artifacts/test_program_methods/malicious_self_program_id.bin
--- a/artifacts/test_program_methods/minter.bin
+++ b/artifacts/test_program_methods/minter.bin
--- a/artifacts/test_program_methods/missing_output.bin
+++ b/artifacts/test_program_methods/missing_output.bin
--- a/artifacts/test_program_methods/modified_transfer.bin
+++ b/artifacts/test_program_methods/modified_transfer.bin
--- a/artifacts/test_program_methods/nonce_changer.bin
+++ b/artifacts/test_program_methods/nonce_changer.bin
--- a/artifacts/test_program_methods/noop.bin
+++ b/artifacts/test_program_methods/noop.bin
--- a/artifacts/test_program_methods/pda_claimer.bin
+++ b/artifacts/test_program_methods/pda_claimer.bin
--- a/artifacts/test_program_methods/pda_spend_proxy.bin
+++ b/artifacts/test_program_methods/pda_spend_proxy.bin
--- a/artifacts/test_program_methods/pinata_cooldown.bin
+++ b/artifacts/test_program_methods/pinata_cooldown.bin
--- a/artifacts/test_program_methods/private_pda_delegator.bin
+++ b/artifacts/test_program_methods/private_pda_delegator.bin
--- a/artifacts/test_program_methods/program_owner_changer.bin
+++ b/artifacts/test_program_methods/program_owner_changer.bin
--- a/artifacts/test_program_methods/simple_balance_transfer.bin
+++ b/artifacts/test_program_methods/simple_balance_transfer.bin
--- a/artifacts/test_program_methods/time_locked_transfer.bin
+++ b/artifacts/test_program_methods/time_locked_transfer.bin
--- a/artifacts/test_program_methods/two_pda_claimer.bin
+++ b/artifacts/test_program_methods/two_pda_claimer.bin
--- a/artifacts/test_program_methods/validity_window.bin
+++ b/artifacts/test_program_methods/validity_window.bin
--- a/artifacts/test_program_methods/validity_window_chain_caller.bin
+++ b/artifacts/test_program_methods/validity_window_chain_caller.bin
--- a/nssa/core/src/commitment.rs
+++ b/nssa/core/src/commitment.rs
@ -7,8 +7,9 @@ use crate::account::{Account, AccountId};
 /// A commitment to all zero data.
 /// ```python
 /// from hashlib import sha256
+/// prefix = b"/LEE/v0.3/Commitment/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 /// hasher = sha256()
-/// hasher.update(bytes([0] * 32 + [0] * 32 + [0] * 16 + [0] * 16 + list(sha256().digest())))
+/// hasher.update(prefix + bytes([0] * 32 + [0] * 32 + [0] * 16 + [0] * 16 + list(sha256().digest())))
 /// DUMMY_COMMITMENT = hasher.digest()
 /// ```
 pub const DUMMY_COMMITMENT: Commitment = Commitment([
--- a/nssa/src/error.rs
+++ b/nssa/src/error.rs
@ -96,6 +96,9 @@ pub enum InvalidProgramBehaviorError {
    #[error("Unauthorized account marked as authorized")]
    InvalidAccountAuthorization { account_id: AccountId },

+    #[error("Authorized account marked as not authorized")]
+    AuthorizedAccountMarkedAsNotAuthorized { account_id: AccountId },
+
    #[error("Program ID mismatch: expected {expected:?}, actual {actual:?}")]
    MismatchedProgramId {
        expected: ProgramId,
--- a/nssa/src/validated_state_diff.rs
+++ b/nssa/src/validated_state_diff.rs
@ -173,12 +173,18 @@ impl ValidatedStateDiff {
                );

                // Check that the program output pre_states marked as authorized are indeed
-                // authorized.
+                // authorized, and vice-versa.
                let is_indeed_authorized = is_authorized(&account_id);
                ensure!(
                    !pre.is_authorized || is_indeed_authorized,
                    InvalidProgramBehaviorError::InvalidAccountAuthorization { account_id }
                );
+                ensure!(
+                    pre.is_authorized || !is_indeed_authorized,
+                    InvalidProgramBehaviorError::AuthorizedAccountMarkedAsNotAuthorized {
+                        account_id
+                    }
+                );
            }

            // Verify that the program output's self_program_id matches the expected program ID.
@ -269,11 +275,20 @@ impl ValidatedStateDiff {
            // the loop above already gates program_output's `is_authorized` via the
            // `!pre.is_authorized || is_indeed_authorized` check, while `chained_call.
            // pre_states` is caller-controlled and can be forged (audit-issue 91).
-            let authorized_accounts: HashSet<_> = program_output
-                .pre_states
-                .iter()
-                .filter(|pre| pre.is_authorized)
-                .map(|pre| pre.account_id)
+            //
+            // Union with the caller's authorized set so that authorization is monotonically
+            // growing: once an account is authorized at any point in the chain it remains
+            // authorized for all subsequent calls.
+            let authorized_accounts: HashSet<_> = caller_data
+                .authorized_accounts
+                .into_iter()
+                .chain(
+                    program_output
+                        .pre_states
+                        .iter()
+                        .filter(|pre| pre.is_authorized)
+                        .map(|pre| pre.account_id),
+                )
                .collect();
            for new_call in program_output.chained_calls.into_iter().rev() {
                chained_calls.push_front((
@ -341,7 +356,13 @@ impl ValidatedStateDiff {

        // Check there are no duplicate nullifiers in the new_nullifiers list
        ensure!(
-            n_unique(&message.new_nullifiers) == message.new_nullifiers.len(),
+            n_unique(
+                &message
+                    .new_nullifiers
+                    .iter()
+                    .map(|(n, _)| n)
+                    .collect::<Vec<_>>()
+            ) == message.new_nullifiers.len(),
            NssaError::InvalidInput("Duplicate nullifiers found in message".into())
        );

--- a/program_methods/guest/src/bin/privacy_preserving_circuit/output.rs
+++ b/program_methods/guest/src/bin/privacy_preserving_circuit/output.rs
@ -62,7 +62,7 @@ pub fn compute_circuit_output(
                    Nullifier::for_account_initialization(&account_id),
                    DUMMY_COMMITMENT_HASH,
                );
-                let new_nonce = pre_state.account.nonce.private_account_nonce_increment(nsk);
+                let new_nonce = Nonce::private_account_nonce_init(&account_id);

                emit_private_output(
                    &mut output,