Account Security
1. Strategy Mapping Validation
Always validate that the strategy account passed by the vault matches your protocol’s expected state account:
2. PDA Derivation Security
Verify protocol accounts using seeds to prevent spoofed accounts:
3. Token Account Safety
Validate token account ownership and associations:
Position Value Accuracy
Accurate Return Values
The vault relies on the u64 returned by deposit and withdraw to track strategy positions and compute P&L. Inaccurate values can lead to incorrect fee calculations or accounting errors.
Handling Edge Cases
CPI Safety
Delegate Validation to the Target Program
When your adaptor is a CPI wrapper, the target protocol program validates its own accounts. Use /// CHECK: check in CPI call to document this delegation:
CPI Context Construction
Build CPI contexts carefully, mapping adaptor accounts to the target program’s expected structure:
Arithmetic Safety
Use Checked Math
All arithmetic must use checked operations to prevent overflows:
Use u128 for Intermediate Calculations
Prevent overflow in multiplication before division:
Testing Requirements
- Core Flow Tests: Deposit, withdraw, and initialize with valid inputs
- Edge Cases: First deposit (zero supply), full withdrawal, zero-amount operations
- Position Value Tests: Verify returned u64 values match expected position values after operations
- Integration Tests: End-to-end tests with the vault program calling your adaptor
- Error Cases: Invalid accounts, overflow scenarios, unauthorized access
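The arithmetic rules above (checked operations, u128 intermediates) and the first-deposit edge case, worked through in plain Rust. This is an added example, not the vault's or any adaptor's own code; the function names, the MathError type and the 1:1 first-deposit rule are assumptions.

```rust
// Added example. MathError and all function names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum MathError { Overflow, DivideByZero }

/// floor(a * b / denom), multiplying in u128 and narrowing back to u64 with a check.
pub fn mul_div(a: u64, b: u64, denom: u64) -> Result<u64, MathError> {
    if denom == 0 {
        return Err(MathError::DivideByZero);
    }
    // Two u64 values always fit in a u128 product; the call stays checked anyway.
    let product = (a as u128).checked_mul(b as u128).ok_or(MathError::Overflow)?;
    u64::try_from(product / (denom as u128)).map_err(|_| MathError::Overflow)
}

/// The same formula kept in u64: the multiplication fails even when the quotient fits.
pub fn mul_div_u64_only(a: u64, b: u64, denom: u64) -> Result<u64, MathError> {
    let product = a.checked_mul(b).ok_or(MathError::Overflow)?;
    product.checked_div(denom).ok_or(MathError::DivideByZero)
}

/// Shares minted for `amount` of underlying tokens.
pub fn shares_for_deposit(amount: u64, total_shares: u64, total_underlying: u64)
    -> Result<u64, MathError> {
    // First deposit (zero supply): no exchange rate exists yet.
    // Minting 1:1 is an assumption of this sketch.
    if total_shares == 0 {
        return Ok(amount);
    }
    // Shares outstanding but nothing underlying returns DivideByZero, not a free mint.
    mul_div(amount, total_shares, total_underlying)
}

/// Position value in underlying token terms: the u64 reported back to the vault.
pub fn position_value(shares: u64, total_shares: u64, total_underlying: u64)
    -> Result<u64, MathError> {
    if total_shares == 0 {
        return Ok(0); // zero supply means no position
    }
    mul_div(shares, total_underlying, total_shares)
}

fn main() {
    let big = 10_000_000_000_000u64; // constructed: 1e13 base units
    println!("u64 only:  {:?}", mul_div_u64_only(big, big, big));
    println!("u128 path: {:?}", position_value(big, big, big));
    println!("first deposit: {:?}", shares_for_deposit(1_000, 0, 0));
}
```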
Security Checklist
Account Security
- Strategy account mapping validated
- PDA derivation verified with correct seeds and program
- Token accounts validated (mint, authority, token program)
- Signer constraints enforced
Position Value
- Accounts reloaded after CPI calls before computing position value
- First-deposit edge case handled (zero supply)
- Exchange rate calculation uses u128 intermediates
- Returned u64 accurately represents position in underlying token terms
CPI Safety
- CPI accounts correctly mapped to target program
- CHECK comments document which program validates each unchecked account
- All CPI return values checked
Testing
- Core flow tests passed
- Edge cases covered
- Integration tests with vault program
- Error scenarios tested