Disallow duplicate *mutable* accounts by default

.github/workflows/reusable-tests.yaml

@@ -416,6 +416,8 @@ jobs:
             path: tests/declare-program
           - cmd: cd tests/typescript && anchor test --skip-lint && npx tsc --noEmit
             path: tests/typescript
+          - cmd: cd tests/duplicate-mutable-accounts && anchor test --skip-lint
+            path: tests/duplicate-mutable-accounts
           # zero-copy tests cause `/usr/bin/ld: final link failed: No space left on device`
           # on GitHub runners. It is likely caused by `cargo test-sbf` since all other tests
           # don't have this problem.

CHANGELOG.md

@@ -16,6 +16,7 @@ The minor version will be incremented upon a breaking change and the patch versi
 - lang: Replace `solana-program` crate with smaller crates ([#3819](https://github.com/solana-foundation/anchor/pull/3819)).
 - cli: Replace `anchor verify` to use `solana-verify` under the hood, adding automatic installation via AVM, local path support, and future-proof argument passing ([#3768](https://github.com/solana-foundation/anchor/pull/3768)).
 - cli: Make `anchor deploy` to upload the IDL to the cluster by default unless `--no-idl` is passed ([#3863](https://github.com/solana-foundation/anchor/pull/3863)).
+- lang: Disallow duplicate mutable accounts by default. But allows duplicate mutable accounts in instruction contexts using `dup` constraint ([#3899](https://github.com/solana-foundation/anchor/pull/3899)).
 
 ### Fixes
 

bench/BINARY_SIZE.md

@@ -16,9 +16,9 @@ The programs and their tests are located in [/tests/bench](https://github.com/co
 
 Solana version: 2.1.0
 
-| Program | Binary Size | -   |
-| ------- | ----------- | --- |
-| bench   | 1,041,928   | -   |
+| Program | Binary Size | -                      |
+| ------- | ----------- | ---------------------- |
+| bench   | 1,058,168   | 🔴 **+16,240 (1.56%)** |
 
 ### Notable changes
 

docs/content/docs/references/account-constraints.mdx

@@ -38,6 +38,33 @@ Examples: [Github](https://github.com/solana-developers/anchor-examples/tree/mai
 #[account(mut @ <custom_error>)]
 ```
 
+### `#[account(dup)]`
+
+Description: By default, Anchor will prevents duplicate mutable accounts to avoid potential security issues and unintended behavior. 
+The `dup` constraint explicitly allows this for cases where it's intentional and safe.
+
+**Note**: This constraint only applies to mutable accounts (`mut`). Readonly accounts naturally allow duplicates without requiring the `dup` constraint.
+
+```rust title="attribute"
+#[account(mut, dup)]
+#[account(mut, dup @ <custom_error>)]
+```
+
+```rust title="snippet"
+#[derive(Accounts)]
+pub struct AllowsDuplicateMutable<'info> {
+    #[account(mut)]
+    pub account1: Account<'info, Counter>,
+    // This account can be the same as account1
+    #[account(mut, dup)]
+    pub account2: Account<'info, Counter>,
+}
+
+pub fn allows_duplicate_mutable(ctx: Context<AllowsDuplicateMutable>) -> Result<()> {
+    Ok(())
+}
+```
+
 ### `#[account(init)]`
 
 Description: Creates the account via a CPI to the system program and initializes

lang/derive/accounts/src/lib.rs

@@ -90,6 +90,22 @@ use syn::parse_macro_input;
 ///         </tr>
 ///         <tr>
 ///             <td>
+///                 <code>#[account(dup)]</code> <br><br>
+///             </td>
+///             <td>
+///                 Allows the same mutable account to be passed multiple times within the same instruction context.<br>
+///                 By default, Anchor will prevents duplicate mutable accounts to avoid potential security issues and unintended behavior.<br>
+///                 The <code>dup</code> constraint explicitly allows this for cases where it's intentional and safe.<br>
+///                 This constraint only applies to mutable accounts (<code>mut</code>). Readonly accounts naturally allow duplicates without requiring the <code>dup</code> constraint.<br>
+///                 Example:
+///                 <pre><code>
+/// #[account(mut)]
+/// pub account1: Account<'info, Counter>,
+///                 </code></pre>
+///             </td>
+///         </tr>
+///         <tr>
+///             <td>
 ///                 <code>#[account(init, payer = &lt;target_account&gt;, space = &lt;num_bytes&gt;)]</code>
 ///             </td>
 ///             <td>

lang/src/error.rs

@@ -177,6 +177,9 @@ pub enum ErrorCode {
     /// 2039 - A transfer hook extension transfer hook program id constraint was violated
     #[msg("A transfer hook extension transfer hook program id constraint was violated")]
     ConstraintMintTransferHookExtensionProgramId,
+    /// 2040 - A duplicate mutable account constraint was violated
+    #[msg("A duplicate mutable account constraint was violated")]
+    ConstraintDuplicateMutableAccount,
 
     // Require
     /// 2500 - A require expression was violated

lang/syn/src/codegen/accounts/constraints.rs

@@ -76,6 +76,7 @@ pub fn linearize(c_group: &ConstraintGroup) -> Vec<Constraint> {
         init,
         zeroed,
         mutable,
+        dup,
         signer,
         has_one,
         raw,
@@ -111,6 +112,9 @@ pub fn linearize(c_group: &ConstraintGroup) -> Vec<Constraint> {
     if let Some(c) = mutable {
         constraints.push(Constraint::Mut(c));
     }
+    if let Some(c) = dup {
+        constraints.push(Constraint::Dup(c));
+    }
     if let Some(c) = signer {
         constraints.push(Constraint::Signer(c));
     }
@@ -149,6 +153,7 @@ fn generate_constraint(
         Constraint::Init(c) => generate_constraint_init(f, c, accs),
         Constraint::Zeroed(c) => generate_constraint_zeroed(f, c, accs),
         Constraint::Mut(c) => generate_constraint_mut(f, c),
+        Constraint::Dup(_) => quote! {}, // No-op: dup is handled by duplicate checking logic
         Constraint::HasOne(c) => generate_constraint_has_one(f, c, accs),
         Constraint::Signer(c) => generate_constraint_signer(f, c),
         Constraint::Raw(c) => generate_constraint_raw(&f.ident, c),

lang/syn/src/codegen/accounts/try_accounts.rs

@@ -157,6 +157,9 @@ pub fn generate_constraints(accs: &AccountsStruct) -> proc_macro2::TokenStream {
         .map(|f| constraints::generate(f, accs))
         .collect();
 
+    // Generate duplicate mutable account validation
+    let duplicate_checks = generate_duplicate_mutable_checks(accs);
+
     // Constraint checks for each account fields.
     let access_checks: Vec<proc_macro2::TokenStream> = non_init_fields
         .iter()
@@ -168,6 +171,7 @@ pub fn generate_constraints(accs: &AccountsStruct) -> proc_macro2::TokenStream {
 
     quote! {
         #(#init_fields)*
+        #duplicate_checks
         #(#access_checks)*
     }
 }
@@ -202,3 +206,64 @@ fn is_init(af: &AccountField) -> bool {
         AccountField::Field(f) => f.constraints.init.is_some(),
     }
 }
+
+// Generates duplicate mutable account validation logic
+fn generate_duplicate_mutable_checks(accs: &AccountsStruct) -> proc_macro2::TokenStream {
+    // Collect all mutable account fields without `dup` constraint, excluding UncheckedAccount & init accounts.
+    let candidates: Vec<_> = accs
+        .fields
+        .iter()
+        .filter_map(|af| match af {
+            AccountField::Field(f)
+                if f.constraints.is_mutable()
+                    && !f.constraints.is_dup()
+                    && f.constraints.init.is_none() =>
+            {
+                match &f.ty {
+                    crate::Ty::UncheckedAccount => None, // unchecked by design
+                    _ => Some(f),
+                }
+            }
+            _ => None,
+        })
+        .collect();
+
+    if candidates.len() <= 1 {
+        // 0 or 1 -> no duplicates possible
+        return quote! {};
+    }
+
+    // Generate validation code using BTreeSet
+    let mut field_keys = Vec::with_capacity(candidates.len());
+    let mut field_name_strs = Vec::with_capacity(candidates.len());
+
+    for f in candidates.iter() {
+        let name = &f.ident;
+
+        if f.is_optional {
+            field_keys.push(quote! { #name.as_ref().map(|f| f.key()) });
+        } else {
+            field_keys.push(quote! { Some(#name.key()) });
+        }
+
+        // Use stringify! to avoid runtime allocation
+        field_name_strs.push(quote! { stringify!(#name) });
+    }
+
+    quote! {
+        // Duplicate mutable account validation - using BTreeSet for efficiency
+        {
+            let mut __mutable_accounts = std::collections::BTreeSet::new();
+            #(
+                if let Some(key) = #field_keys {
+                    // Check for duplicates and insert the key and account name
+                    if !__mutable_accounts.insert(key) {
+                        return Err(anchor_lang::error::Error::from(
+                            anchor_lang::error::ErrorCode::ConstraintDuplicateMutableAccount
+                        ).with_account_name(#field_name_strs));
+                    }
+                }
+            )*
+        }
+    }
+}

lang/syn/src/lib.rs

@@ -678,6 +678,7 @@ pub struct ConstraintGroup {
     pub init: Option<ConstraintInitGroup>,
     pub zeroed: Option<ConstraintZeroed>,
     pub mutable: Option<ConstraintMut>,
+    pub dup: Option<ConstraintDup>,
     pub signer: Option<ConstraintSigner>,
     pub owner: Option<ConstraintOwner>,
     pub rent_exempt: Option<ConstraintRentExempt>,
@@ -702,6 +703,10 @@ impl ConstraintGroup {
         self.mutable.is_some()
     }
 
+    pub fn is_dup(&self) -> bool {
+        self.dup.is_some()
+    }
+
     pub fn is_signer(&self) -> bool {
         self.signer.is_some()
     }
@@ -720,6 +725,7 @@ pub enum Constraint {
     Init(ConstraintInitGroup),
     Zeroed(ConstraintZeroed),
     Mut(ConstraintMut),
+    Dup(ConstraintDup),
     Signer(ConstraintSigner),
     HasOne(ConstraintHasOne),
     Raw(ConstraintRaw),
@@ -742,6 +748,7 @@ pub enum ConstraintToken {
     Init(Context<ConstraintInit>),
     Zeroed(Context<ConstraintZeroed>),
     Mut(Context<ConstraintMut>),
+    Dup(Context<ConstraintDup>),
     Signer(Context<ConstraintSigner>),
     HasOne(Context<ConstraintHasOne>),
     Raw(Context<ConstraintRaw>),
@@ -807,6 +814,9 @@ pub struct ConstraintMut {
     pub error: Option<Expr>,
 }
 
+#[derive(Debug, Clone)]
+pub struct ConstraintDup {}
+
 #[derive(Debug, Clone)]
 pub struct ConstraintReallocGroup {
     pub payer: Expr,

lang/syn/src/parser/accounts/constraints.rs

@@ -50,6 +50,7 @@ pub fn parse_token(stream: ParseStream) -> ParseResult<ConstraintToken> {
         "executable" => {
             ConstraintToken::Executable(Context::new(ident.span(), ConstraintExecutable {}))
         }
+        "dup" => ConstraintToken::Dup(Context::new(ident.span(), ConstraintDup {})),
         "mint" => {
             stream.parse::<Token![:]>()?;
             stream.parse::<Token![:]>()?;
@@ -543,6 +544,7 @@ pub struct ConstraintGroupBuilder<'ty> {
     pub realloc: Option<Context<ConstraintRealloc>>,
     pub realloc_payer: Option<Context<ConstraintReallocPayer>>,
     pub realloc_zero: Option<Context<ConstraintReallocZero>>,
+    pub dup: Option<Context<ConstraintDup>>,
 }
 
 impl<'ty> ConstraintGroupBuilder<'ty> {
@@ -588,6 +590,7 @@ impl<'ty> ConstraintGroupBuilder<'ty> {
             realloc: None,
             realloc_payer: None,
             realloc_zero: None,
+            dup: None,
         }
     }
 
@@ -800,6 +803,7 @@ impl<'ty> ConstraintGroupBuilder<'ty> {
             realloc,
             realloc_payer,
             realloc_zero,
+            dup,
         } = self;
 
         // Converts Option<Context<T>> -> Option<T>.
@@ -1031,6 +1035,7 @@ impl<'ty> ConstraintGroupBuilder<'ty> {
             seeds,
             token_account: if !is_init {token_account} else {None},
             mint: if !is_init {mint} else {None},
+            dup: into_inner!(dup),
         })
     }
 
@@ -1093,6 +1098,7 @@ impl<'ty> ConstraintGroupBuilder<'ty> {
             ConstraintToken::ExtensionPermanentDelegate(c) => {
                 self.add_extension_permanent_delegate(c)
             }
+            ConstraintToken::Dup(c) => self.add_dup(c),
         }
     }
 
@@ -1675,4 +1681,12 @@ impl<'ty> ConstraintGroupBuilder<'ty> {
         self.extension_permanent_delegate.replace(c);
         Ok(())
     }
+
+    fn add_dup(&mut self, c: Context<ConstraintDup>) -> ParseResult<()> {
+        if self.dup.is_some() {
+            return Err(ParseError::new(c.span(), "dup already provided"));
+        }
+        self.dup.replace(c);
+        Ok(())
+    }
 }

tests/bench/bench.json

@@ -1305,7 +1305,7 @@
     "solanaVersion": "2.1.0",
     "result": {
       "binarySize": {
-        "bench": 1041928
+        "bench": 1058168
       },
       "computeUnits": {
         "accountInfo1": 571,

tests/duplicate-mutable-accounts/Anchor.toml

@@ -0,0 +1,9 @@
+[provider]
+cluster = "localnet"
+wallet = "~/.config/solana/id.json"
+
+[programs.localnet]
+duplicate_mutable_accounts = "4D6rvpR7TSPwmFottLGa5gpzMcJ76kN8bimQHV9rogjH"
+
+[scripts]
+test = "yarn run ts-mocha -t 1000000 tests/*.ts"

tests/duplicate-mutable-accounts/Cargo.toml

@@ -0,0 +1,8 @@
+[workspace]
+members = [
+    "programs/duplicate-mutable-accounts",
+]
+resolver = "2"
+
+[profile.release]
+overflow-checks = true

tests/duplicate-mutable-accounts/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "duplicate-mutable-accounts",
+  "version": "0.31.1",
+  "license": "(MIT OR Apache-2.0)",
+  "homepage": "https://github.com/coral-xyz/anchor#readme",
+  "bugs": {
+    "url": "https://github.com/coral-xyz/anchor/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/coral-xyz/anchor.git"
+  },
+  "engines": {
+    "node": ">=17"
+  },
+  "scripts": {
+    "test": "anchor test"
+  }
+}

tests/duplicate-mutable-accounts/programs/duplicate-mutable-accounts/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "duplicate-mutable-accounts"
+version = "0.1.0"
+description = "Created with Anchor"
+edition = "2018"
+
+[lib]
+crate-type = ["cdylib", "lib"]
+name = "duplicate_mutable_accounts"
+
+[features]
+no-entrypoint = []
+cpi = ["no-entrypoint"]
+idl-build = ["anchor-lang/idl-build"]
+
+[dependencies]
+anchor-lang = { path = "../../../../lang" }

tests/duplicate-mutable-accounts/programs/duplicate-mutable-accounts/Xargo.toml

@@ -0,0 +1,2 @@
+[target.bpfel-unknown-unknown.dependencies.std]
+features = []