perf(program): reduce PDA validation compute units

dev-jodee · dev-jodee · commit b63b66fe51a3 · 2026-04-07T12:58:42.000-04:00
Replace find_program_address in validate_pda with create_program_address
since the bump is already provided in instruction data. Override
validate_self in Escrow, Receipt, AllowedMint, and EscrowExtensions to
use derive_address with the stored bump, avoiding the off-curve check
that is unnecessary for accounts validated at creation.

Also documents 2-step admin transfer as a future improvement.
diff --git a/docs/IMPROVEMENTS.md b/docs/IMPROVEMENTS.md
@@ -13,3 +13,5 @@ The following enhancements could be considered for future iterations of the prog
 5. **Receipt Seed Space Optimization** - The current `receipt_seed` uses a 32-byte `Address` type. Two alternatives could save space:
     - **Use `u8` counter**: Change to a simple counter (0-255), saving 31 bytes per receipt. Limits to 256 receipts per depositor/escrow/mint combination, which is acceptable for most use cases.
     - **Single receipt with `deposit_additional` instruction**: Allow users to add to an existing receipt rather than creating new ones. This would require handling complexities around `deposited_at` timestamps (e.g., weighted average, use latest, or track per-deposit).
+
+6. **Two-Step Admin Transfer** - The current `UpdateAdmin` instruction requires both the current and new admin to sign the same transaction. This is problematic when transferring to/from multisig wallets (e.g., Squads), since both parties must be present in one transaction. A 2-step pattern (`ProposeAdmin` → `AcceptAdmin`, with optional `CancelAdminTransfer` and a timeout) would allow async coordination between parties and is the standard pattern for admin handoffs in production programs.
diff --git a/program/src/state/allowed_mint.rs b/program/src/state/allowed_mint.rs
@@ -65,8 +65,14 @@ impl AllowedMint {
         mint: &Address,
     ) -> Result<&'a Self, ProgramError> {
         let state = Self::from_bytes(data)?;
-        let pda = AllowedMintPda::new(escrow, mint);
-        pda.validate_pda(account, program_id, state.bump)?;
+        let derived = Address::derive_address(
+            &[AllowedMintPda::PREFIX, escrow.as_ref(), mint.as_ref()],
+            Some(state.bump),
+            program_id,
+        );
+        if account.address() != &derived {
+            return Err(ProgramError::InvalidSeeds);
+        }
         Ok(state)
     }
 }
diff --git a/program/src/state/escrow.rs b/program/src/state/escrow.rs
@@ -79,6 +79,15 @@ impl PdaAccount for Escrow {
     fn bump(&self) -> u8 {
         self.bump
     }
+
+    #[inline(always)]
+    fn validate_self(&self, account: &AccountView, program_id: &Address) -> Result<(), ProgramError> {
+        let derived = Address::derive_address(&[Self::PREFIX, self.escrow_seed.as_ref()], Some(self.bump), program_id);
+        if account.address() != &derived {
+            return Err(ProgramError::InvalidSeeds);
+        }
+        Ok(())
+    }
 }
 
 impl Escrow {
diff --git a/program/src/state/escrow_extensions.rs b/program/src/state/escrow_extensions.rs
@@ -374,21 +374,26 @@ pub fn update_or_append_extension<const N: usize>(
 ///
 /// Returns `Ok(())` if:
 /// - Extensions account is the correct PDA for this escrow
-/// - If data exists, the stored bump matches the canonical bump
+/// - If data exists, the stored bump matches the derived address
 pub fn validate_extensions_pda(escrow: &AccountView, extensions: &AccountView, program_id: &Address) -> ProgramResult {
-    let extensions_pda = ExtensionsPda::new(escrow.address());
-    let expected_bump = extensions_pda.validate_pda_address(extensions, program_id)?;
-
     if extensions.data_len() > 0 {
         if !extensions.owned_by(program_id) {
             return Err(ProgramError::InvalidAccountOwner);
         }
 
         let data = extensions.try_borrow()?;
         let header = EscrowExtensionsHeader::from_bytes(&data)?;
-        if header.bump != expected_bump {
+
+        // Use stored bump with derive_address (~85 CU) — off-curve already validated at creation
+        let derived =
+            Address::derive_address(&[ExtensionsPda::PREFIX, escrow.address().as_ref()], Some(header.bump), program_id);
+        if extensions.address() != &derived {
             return Err(ProgramError::InvalidSeeds);
         }
+    } else {
+        // Extensions account not yet created — derive canonical bump via find_program_address
+        let extensions_pda = ExtensionsPda::new(escrow.address());
+        extensions_pda.validate_pda_address(extensions, program_id)?;
     }
 
     Ok(())
diff --git a/program/src/state/receipt.rs b/program/src/state/receipt.rs
@@ -124,6 +124,25 @@ impl PdaAccount for Receipt {
     fn bump(&self) -> u8 {
         self.bump
     }
+
+    #[inline(always)]
+    fn validate_self(&self, account: &AccountView, program_id: &Address) -> Result<(), ProgramError> {
+        let derived = Address::derive_address(
+            &[
+                Self::PREFIX,
+                self.escrow.as_ref(),
+                self.depositor.as_ref(),
+                self.mint.as_ref(),
+                self.receipt_seed.as_ref(),
+            ],
+            Some(self.bump),
+            program_id,
+        );
+        if account.address() != &derived {
+            return Err(ProgramError::InvalidSeeds);
+        }
+        Ok(())
+    }
 }
 
 impl Receipt {
diff --git a/program/src/traits/pda.rs b/program/src/traits/pda.rs
@@ -21,20 +21,28 @@ pub trait PdaSeeds {
         Address::find_program_address(&seeds, program_id)
     }
 
-    /// Validate that account matches derived PDA
+    /// Validate that account matches derived PDA using `create_program_address` (~1500 CU).
+    ///
+    /// Cheaper than `find_program_address` since bump is already known.
+    /// Use `validate_self` instead when the bump is stored in the account.
     #[inline(always)]
-    fn validate_pda(&self, account: &AccountView, program_id: &Address, expected_bump: u8) -> Result<(), ProgramError> {
-        let (derived, bump) = self.derive_address(program_id);
-        if bump != expected_bump {
-            return Err(ProgramError::InvalidSeeds);
-        }
+    fn validate_pda(&self, account: &AccountView, program_id: &Address, bump: u8) -> Result<(), ProgramError> {
+        let seeds = self.seeds();
+        let bump_arr = [bump];
+        let mut seeds_with_bump = seeds;
+        seeds_with_bump.push(&bump_arr[..]);
+        let derived =
+            Address::create_program_address(&seeds_with_bump, program_id).map_err(|_| ProgramError::InvalidSeeds)?;
         if account.address() != &derived {
             return Err(ProgramError::InvalidSeeds);
         }
         Ok(())
     }
 
-    /// Validate that account address matches derived PDA, returns canonical bump
+    /// Validate that account address matches derived PDA and return the canonical bump.
+    ///
+    /// Uses `find_program_address` — only call this when the bump is not already known.
+    /// When bump is available, prefer `validate_pda` or `validate_self`.
     #[inline(always)]
     fn validate_pda_address(&self, account: &AccountView, program_id: &Address) -> Result<u8, ProgramError> {
         let (derived, bump) = self.derive_address(program_id);
