Add address tree validation checks to all programs

ananas-block · ananas-block · commit 9a227225dbe2 · 2026-01-08T00:32:02.000Z
Validate that address tree pubkeys match allowed constants before
creating compressed accounts or deriving addresses:
- V1 programs check against ADDRESS_TREE_V1
- V2 programs check against ADDRESS_TREE_V2

This prevents use of unauthorized address trees in instructions.
diff --git a/account-comparison/programs/account-comparison/src/lib.rs b/account-comparison/programs/account-comparison/src/lib.rs
@@ -4,6 +4,7 @@ use anchor_lang::prelude::*;
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMeta, PackedAddressTreeInfo, ValidityProof},
@@ -58,11 +59,18 @@ pub mod account_comparison {
             CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|err| ProgramError::from(LightSdkError::from(err)))?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"account", ctx.accounts.user.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|err| ProgramError::from(LightSdkError::from(err)))?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/anchor/burn/programs/burn/src/lib.rs b/basic-operations/anchor/burn/programs/burn/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, AnchorSerialize};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMetaBurn, PackedAddressTreeInfo, ValidityProof},
@@ -38,11 +39,18 @@ pub mod burn {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"message", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/anchor/close/programs/close/src/lib.rs b/basic-operations/anchor/close/programs/close/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, AnchorSerialize};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMeta, PackedAddressTreeInfo, ValidityProof},
@@ -38,11 +39,18 @@ pub mod close {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"message", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/anchor/create/programs/create/src/lib.rs b/basic-operations/anchor/create/programs/create/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, AnchorSerialize};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{PackedAddressTreeInfo, ValidityProof},
@@ -38,11 +39,18 @@ pub mod create {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"message", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/anchor/reinit/programs/reinit/src/lib.rs b/basic-operations/anchor/reinit/programs/reinit/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, AnchorSerialize};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMeta, PackedAddressTreeInfo, ValidityProof},
@@ -38,11 +39,18 @@ pub mod reinit {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"message", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/anchor/update/programs/update/src/lib.rs b/basic-operations/anchor/update/programs/update/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, AnchorSerialize};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMeta, PackedAddressTreeInfo, ValidityProof},
@@ -38,11 +39,18 @@ pub mod update {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"message", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/basic-operations/native/programs/burn/src/lib.rs b/basic-operations/native/programs/burn/src/lib.rs
@@ -8,6 +8,7 @@ use light_macros::pubkey;
 use light_sdk::{
     account::sha::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{
         v1::{CpiAccounts, LightSystemProgramCpi},
         CpiSigner, InvokeLightSystemProgram, LightCpiInstruction,
@@ -81,12 +82,19 @@ fn create(accounts: &[AccountInfo], instruction_data: &[u8]) -> Result<(), Light
 
     let light_cpi_accounts = CpiAccounts::new(signer, &accounts[1..], LIGHT_CPI_SIGNER);
 
+    let address_tree_pubkey = instruction_data
+        .address_tree_info
+        .get_tree_pubkey(&light_cpi_accounts)
+        .map_err(|_| ProgramError::NotEnoughAccountKeys)?;
+
+    if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+        solana_program::msg!("Invalid address tree");
+        return Err(LightSdkError::ProgramError(ProgramError::InvalidAccountData));
+    }
+
     let (address, address_seed) = derive_address(
         &[b"message", signer.key.as_ref()],
-        &instruction_data
-            .address_tree_info
-            .get_tree_pubkey(&light_cpi_accounts)
-            .map_err(|_| ProgramError::NotEnoughAccountKeys)?,
+        &address_tree_pubkey,
         &ID,
     );
 
diff --git a/basic-operations/native/programs/close/src/lib.rs b/basic-operations/native/programs/close/src/lib.rs
@@ -8,6 +8,7 @@ use light_macros::pubkey;
 use light_sdk::{
     account::sha::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{
         v1::{CpiAccounts, LightSystemProgramCpi},
         CpiSigner, InvokeLightSystemProgram, LightCpiInstruction,
@@ -81,12 +82,19 @@ fn create(accounts: &[AccountInfo], instruction_data: &[u8]) -> Result<(), Light
 
     let light_cpi_accounts = CpiAccounts::new(signer, &accounts[1..], LIGHT_CPI_SIGNER);
 
+    let address_tree_pubkey = instruction_data
+        .address_tree_info
+        .get_tree_pubkey(&light_cpi_accounts)
+        .map_err(|_| ProgramError::NotEnoughAccountKeys)?;
+
+    if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+        solana_program::msg!("Invalid address tree");
+        return Err(LightSdkError::ProgramError(ProgramError::InvalidAccountData));
+    }
+
     let (address, address_seed) = derive_address(
         &[b"message", signer.key.as_ref()],
-        &instruction_data
-            .address_tree_info
-            .get_tree_pubkey(&light_cpi_accounts)
-            .map_err(|_| ProgramError::NotEnoughAccountKeys)?,
+        &address_tree_pubkey,
         &ID,
     );
 
diff --git a/basic-operations/native/programs/create/src/lib.rs b/basic-operations/native/programs/create/src/lib.rs
@@ -8,6 +8,7 @@ use light_macros::pubkey;
 use light_sdk::{
     account::sha::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{
         v1::{CpiAccounts, LightSystemProgramCpi},
         CpiSigner, InvokeLightSystemProgram, LightCpiInstruction,
@@ -93,12 +94,19 @@ pub fn create(
 
     let light_cpi_accounts = CpiAccounts::new(signer, &accounts[1..], LIGHT_CPI_SIGNER);
 
+    let address_tree_pubkey = instruction_data
+        .address_tree_info
+        .get_tree_pubkey(&light_cpi_accounts)
+        .map_err(|_| ProgramError::NotEnoughAccountKeys)?;
+
+    if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+        solana_program::msg!("Invalid address tree");
+        return Err(ProgramError::InvalidAccountData);
+    }
+
     let (address, address_seed) = derive_address(
         &[b"message", signer.key.as_ref()],
-        &instruction_data
-            .address_tree_info
-            .get_tree_pubkey(&light_cpi_accounts)
-            .map_err(|_| ProgramError::NotEnoughAccountKeys)?,
+        &address_tree_pubkey,
         &ID,
     );
 
diff --git a/basic-operations/native/programs/reinit/src/lib.rs b/basic-operations/native/programs/reinit/src/lib.rs
@@ -8,6 +8,7 @@ use light_macros::pubkey;
 use light_sdk::{
     account::sha::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{
         v1::{CpiAccounts, LightSystemProgramCpi},
         CpiSigner, InvokeLightSystemProgram, LightCpiInstruction,
@@ -89,12 +90,19 @@ fn create(accounts: &[AccountInfo], instruction_data: &[u8]) -> Result<(), Light
 
     let light_cpi_accounts = CpiAccounts::new(signer, &accounts[1..], LIGHT_CPI_SIGNER);
 
+    let address_tree_pubkey = instruction_data
+        .address_tree_info
+        .get_tree_pubkey(&light_cpi_accounts)
+        .map_err(|_| ProgramError::NotEnoughAccountKeys)?;
+
+    if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+        solana_program::msg!("Invalid address tree");
+        return Err(LightSdkError::ProgramError(ProgramError::InvalidAccountData));
+    }
+
     let (address, address_seed) = derive_address(
         &[b"message", signer.key.as_ref()],
-        &instruction_data
-            .address_tree_info
-            .get_tree_pubkey(&light_cpi_accounts)
-            .map_err(|_| ProgramError::NotEnoughAccountKeys)?,
+        &address_tree_pubkey,
         &ID,
     );
 
diff --git a/basic-operations/native/programs/update/src/lib.rs b/basic-operations/native/programs/update/src/lib.rs
@@ -8,6 +8,7 @@ use light_macros::pubkey;
 use light_sdk::{
     account::sha::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{
         v1::{CpiAccounts, LightSystemProgramCpi},
         CpiSigner, InvokeLightSystemProgram, LightCpiInstruction,
@@ -109,12 +110,19 @@ pub fn create(
 
     let light_cpi_accounts = CpiAccounts::new(signer, &accounts[1..], LIGHT_CPI_SIGNER);
 
+    let address_tree_pubkey = instruction_data
+        .address_tree_info
+        .get_tree_pubkey(&light_cpi_accounts)
+        .map_err(|_| ProgramError::NotEnoughAccountKeys)?;
+
+    if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+        solana_program::msg!("Invalid address tree");
+        return Err(ProgramError::InvalidAccountData);
+    }
+
     let (address, address_seed) = derive_address(
         &[b"message", signer.key.as_ref()],
-        &instruction_data
-            .address_tree_info
-            .get_tree_pubkey(&light_cpi_accounts)
-            .map_err(|_| ProgramError::NotEnoughAccountKeys)?,
+        &address_tree_pubkey,
         &ID,
     );
 
diff --git a/counter/anchor/programs/counter/src/lib.rs b/counter/anchor/programs/counter/src/lib.rs
@@ -5,6 +5,7 @@ use anchor_lang::{prelude::*, AnchorDeserialize, Discriminator};
 use light_sdk::{
     account::LightAccount,
     address::v1::derive_address,
+    constants::ADDRESS_TREE_V1,
     cpi::{v1::CpiAccounts, CpiSigner},
     derive_light_cpi_signer,
     instruction::{account_meta::CompressedAccountMeta, PackedAddressTreeInfo, ValidityProof},
@@ -41,11 +42,18 @@ pub mod counter {
             crate::LIGHT_CPI_SIGNER,
         );
 
+        let address_tree_pubkey = address_tree_info
+            .get_tree_pubkey(&light_cpi_accounts)
+            .map_err(|_| ErrorCode::AccountNotEnoughKeys)?;
+
+        if address_tree_pubkey.to_bytes() != ADDRESS_TREE_V1 {
+            msg!("Invalid address tree");
+            return Err(ProgramError::InvalidAccountData.into());
+        }
+
         let (address, address_seed) = derive_address(
             &[b"counter", ctx.accounts.signer.key().as_ref()],
-            &address_tree_info
-                .get_tree_pubkey(&light_cpi_accounts)
-                .map_err(|_| ErrorCode::AccountNotEnoughKeys)?,
+            &address_tree_pubkey,
             &crate::ID,
         );
 
diff --git a/counter/native/src/lib.rs b/counter/native/src/lib.rs
diff --git a/counter/pinocchio/src/lib.rs b/counter/pinocchio/src/lib.rs
diff --git a/create-and-update/programs/create-and-update/src/lib.rs b/create-and-update/programs/create-and-update/src/lib.rs
diff --git a/read-only/src/lib.rs b/read-only/src/lib.rs
diff --git a/zk-id/src/lib.rs b/zk-id/src/lib.rs
