across-protocol · md0x · Apr 23, 2025 · Apr 16, 2025 · Apr 17, 2025 · Apr 17, 2025
@@ -11,7 +11,7 @@ use crate::{
     error::{CommonError, SvmError},
     event::FundsDeposited,
     state::{Route, State},
-    utils::{get_current_time, get_unsafe_deposit_id, transfer_from},
+    utils::{derive_delegate_seed_hash, get_current_time, get_unsafe_deposit_id, transfer_from},
 };
 
 #[event_cpi]
@@ -36,6 +36,17 @@ pub struct Deposit<'info> {
     )]
     pub state: Account<'info, State>,
 
+    #[account(
+        seeds = [
+            b"delegate",
+            state.seed.to_le_bytes().as_ref(),
+            &derive_delegate_seed_hash(input_token, output_token, input_amount, output_amount, destination_chain_id),
+        ],
+        bump
+    )]
+    /// CHECK: PDA derived with seeds ["delegate", state.seed, delegate_seed_hash]; used as a CPI signer. No account data is read or written.
+    pub delegate: UncheckedAccount<'info>,
+
     #[account(
         seeds = [b"route", input_token.as_ref(), state.seed.to_le_bytes().as_ref(), destination_chain_id.to_le_bytes().as_ref()],
         bump,
@@ -85,13 +96,11 @@ pub fn _deposit(
     message: Vec<u8>,
 ) -> Result<()> {
     let state = &mut ctx.accounts.state;
-
     let current_time = get_current_time(state)?;
 
     if current_time.checked_sub(quote_timestamp).unwrap_or(u32::MAX) > state.deposit_quote_time_buffer {
         return err!(CommonError::InvalidQuoteTimestamp);
     }
-
     if fill_deadline > current_time + state.fill_deadline_buffer {
         return err!(CommonError::InvalidFillDeadline);
     }
@@ -101,21 +110,26 @@ pub fn _deposit(
         if exclusivity_deadline <= MAX_EXCLUSIVITY_PERIOD_SECONDS {
             exclusivity_deadline += current_time;
         }
-
         if exclusive_relayer == Pubkey::default() {
             return err!(CommonError::InvalidExclusiveRelayer);
         }
     }
 
-    // Depositor must have delegated input_amount to the state PDA.
+    let bump = ctx.bumps.delegate;
+    let delegate_hash =
+        derive_delegate_seed_hash(input_token, output_token, input_amount, output_amount, destination_chain_id);
+    let state_seed_bytes = state.seed.to_le_bytes();
+    let signer_seeds: &[&[u8]] = &[b"delegate", &state_seed_bytes, &delegate_hash, &[bump]];
+
+    // Relayer must have delegated output_amount to the delegate PDA
     transfer_from(
         &ctx.accounts.depositor_token_account,
         &ctx.accounts.vault,
         input_amount,
-        state,
-        ctx.bumps.state,
+        &ctx.accounts.delegate,
         &ctx.accounts.mint,
         &ctx.accounts.token_program,
+        signer_seeds,
     )?;
 
     let mut applied_deposit_id = deposit_id;

@@ -32,6 +32,10 @@ pub struct FillRelay<'info> {
     )]
     pub state: Account<'info, State>,
 
+    #[account(seeds = [b"delegate", state.seed.to_le_bytes().as_ref(), relay_hash.as_ref()], bump)]
+    /// CHECK: PDA derived with seeds ["delegate", state.seed, relay_hash]; used as a CPI signer. No account data is read or written.
+    pub delegate: UncheckedAccount<'info>,
+
     #[account(
         mint::token_program = token_program,
         address = relay_data
@@ -81,6 +85,7 @@ pub struct FillRelay<'info> {
 
 pub fn fill_relay<'info>(
     ctx: Context<'_, '_, '_, 'info, FillRelay<'info>>,
+    relay_hash: [u8; 32],
     relay_data: Option<RelayData>,
     repayment_chain_id: Option<u64>,
     repayment_address: Option<Pubkey>,
@@ -114,15 +119,19 @@ pub fn fill_relay<'info>(
         _ => FillType::FastFill,
     };
 
-    // Relayer must have delegated output_amount to the state PDA
+    let bump = ctx.bumps.delegate;
+    let state_seed_bytes = state.seed.to_le_bytes();
+    let signer_seeds: &[&[u8]] = &[b"delegate", &state_seed_bytes, &relay_hash, &[bump]];
+
+    // Relayer must have delegated output_amount to the delegate PDA
     transfer_from(
         &ctx.accounts.relayer_token_account,
         &ctx.accounts.recipient_token_account,
         relay_data.output_amount,
-        state,
-        ctx.bumps.state,
+        &ctx.accounts.delegate,
         &ctx.accounts.mint,
         &ctx.accounts.token_program,
+        signer_seeds,
     )?;
 
     // Update the fill status to Filled, set the relayer and fill deadline

@@ -413,7 +413,7 @@ pub mod svm_spoke {
     /// - system_program (Interface): The system program.
     ///
     /// ### Parameters:
-    /// - _relay_hash: The hash identifying the deposit to be filled. Caller must pass this in. Computed as hash of
+    /// - relay_hash: The hash identifying the deposit to be filled. Caller must pass this in. Computed as hash of
     ///   the flattened relay_data & destination_chain_id.
     /// - relay_data: Struct containing all the data needed to identify the deposit to be filled. Should match
     ///   all the same-named parameters emitted in the origin chain FundsDeposited event.
@@ -440,12 +440,12 @@ pub mod svm_spoke {
     /// is passed, the caller must load them via the instruction_params account.
     pub fn fill_relay<'info>(
         ctx: Context<'_, '_, '_, 'info, FillRelay<'info>>,
-        _relay_hash: [u8; 32],
+        relay_hash: [u8; 32],
         relay_data: Option<RelayData>,
         repayment_chain_id: Option<u64>,
         repayment_address: Option<Pubkey>,
     ) -> Result<()> {
-        instructions::fill_relay(ctx, relay_data, repayment_chain_id, repayment_address)
+        instructions::fill_relay(ctx, relay_hash, relay_data, repayment_chain_id, repayment_address)
     }
 
     /// Closes the FillStatusAccount PDA to reclaim relayer rent.

diff --git a/programs/svm-spoke/src/utils/deposit_utils.rs b/programs/svm-spoke/src/utils/deposit_utils.rs
@@ -9,3 +9,19 @@ pub fn get_unsafe_deposit_id(msg_sender: Pubkey, depositor: Pubkey, deposit_nonc
 
     keccak::hash(&data).to_bytes()
 }
+
+pub fn derive_delegate_seed_hash(
+    input_token: Pubkey,
+    output_token: Pubkey,
+    input_amount: u64,
+    output_amount: u64,
+    destination_chain_id: u64,
+) -> [u8; 32] {
+    let mut data = Vec::with_capacity(32 + 32 + 8 + 8 + 8);
+    data.extend_from_slice(input_token.as_ref());
+    data.extend_from_slice(output_token.as_ref());
+    data.extend_from_slice(&input_amount.to_le_bytes());
+    data.extend_from_slice(&output_amount.to_le_bytes());
+    data.extend_from_slice(&destination_chain_id.to_le_bytes());
+    keccak::hash(&data).to_bytes()
+}
@@ -1,29 +1,25 @@
 use anchor_lang::prelude::*;
 use anchor_spl::token_interface::{transfer_checked, Mint, TokenAccount, TokenInterface, TransferChecked};
 
-use crate::State;
-
 pub fn transfer_from<'info>(
     from: &InterfaceAccount<'info, TokenAccount>,
     to: &InterfaceAccount<'info, TokenAccount>,
     amount: u64,
-    state: &Account<'info, State>,
-    state_bump: u8,
+    delegate: &UncheckedAccount<'info>,
     mint: &InterfaceAccount<'info, Mint>,
     token_program: &Interface<'info, TokenInterface>,
+    signer_seeds: &[&[u8]],
 ) -> Result<()> {
     let transfer_accounts = TransferChecked {
         from: from.to_account_info(),
         mint: mint.to_account_info(),
         to: to.to_account_info(),
-        authority: state.to_account_info(),
+        authority: delegate.to_account_info(),
     };
 
-    let state_seed_bytes = state.seed.to_le_bytes();
-    let seeds = &[b"state", state_seed_bytes.as_ref(), &[state_bump]];
-    let signer_seeds = &[&seeds[..]];
-
-    let cpi_context = CpiContext::new_with_signer(token_program.to_account_info(), transfer_accounts, signer_seeds);
+    let signer_seeds_slice = &[signer_seeds];
+    let cpi_context =
+        CpiContext::new_with_signer(token_program.to_account_info(), transfer_accounts, signer_seeds_slice);
 
     transfer_checked(cpi_context, amount, mint.decimals)
 }
@@ -1,6 +1,8 @@
-import { AnchorProvider } from "@coral-xyz/anchor";
+import { AnchorProvider, BN } from "@coral-xyz/anchor";
 import { BigNumber } from "@ethersproject/bignumber";
 import { ethers } from "ethers";
+import { DepositData } from "../../types/svm";
+import { PublicKey } from "@solana/web3.js";
 
 /**
  * Returns the chainId for a given solana cluster.
@@ -20,3 +22,32 @@ export const isSolanaDevnet = (provider: AnchorProvider): boolean => {
   else if (solanaRpcEndpoint.includes("mainnet")) return false;
   else throw new Error(`Unsupported solanaCluster endpoint: ${solanaRpcEndpoint}`);
 };
+
+/**
+ * Returns the delegate PDA for a deposit.
+ */
+export const getDepositDelegatePda = (depositData: DepositData, stateSeed: BN, programId: PublicKey) => {
+  const raw = Buffer.concat([
+    depositData.inputToken!.toBytes(),
+    depositData.outputToken.toBytes(),
+    depositData.inputAmount.toArrayLike(Buffer, "le", 8),
+    depositData.outputAmount.toArrayLike(Buffer, "le", 8),
+    depositData.destinationChainId.toArrayLike(Buffer, "le", 8),
+  ]);
+  const hashHex = ethers.utils.keccak256(raw);
+  const seedHash = Buffer.from(hashHex.slice(2), "hex");
+  return PublicKey.findProgramAddressSync(
+    [Buffer.from("delegate"), stateSeed.toArrayLike(Buffer, "le", 8), seedHash],
+    programId
+  )[0];
+};
+
+/**
+ * Returns the delegate PDA for a fill relay.
+ */
+export const getFillRelayDelegatePda = (relayHash: Uint8Array, stateSeed: BN, programId: PublicKey) => {
+  return PublicKey.findProgramAddressSync(
+    [Buffer.from("delegate"), stateSeed.toArrayLike(Buffer, "le", 8), relayHash],
+    programId
+  )[0];
+};