From af9f413268596862ef64849f930f058bc85794a2 Mon Sep 17 00:00:00 2001
From: Andrew Nguyen <cuong.hv.dtvt@gmail.com>
Date: Thu, 22 Aug 2024 11:06:29 +0700
Subject: [PATCH 1/2] fix based ottersec report

---
 .../src/instructions/create_vesting_escrow.rs    | 16 +++++-----------
 .../update_vesting_escrow_recipient.rs           |  5 +++--
 tests/locker.ts                                  |  1 -
 tests/update_recipient.ts                        | 11 ++++++++++-
 4 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/programs/locker/src/instructions/create_vesting_escrow.rs b/programs/locker/src/instructions/create_vesting_escrow.rs
index 45798b7..879c326 100644
--- a/programs/locker/src/instructions/create_vesting_escrow.rs
+++ b/programs/locker/src/instructions/create_vesting_escrow.rs
@@ -41,7 +41,11 @@ pub struct CreateVestingEscrowCtx<'info> {
     )]
     pub escrow: AccountLoader<'info, VestingEscrow>,
 
-    #[account(mut)]
+    #[account(
+        mut,
+        associated_token::mint = sender_token.mint,
+        associated_token::authority = escrow
+    )]
     pub escrow_token: Box<Account<'info, TokenAccount>>,
 
     #[account(mut)]
@@ -86,16 +90,6 @@ pub fn handle_create_vesting_escrow(
 
     require!(frequency != 0, LockerError::FrequencyIsZero);
 
-    let escrow_token = anchor_spl::associated_token::get_associated_token_address(
-        &ctx.accounts.escrow.key(),
-        &ctx.accounts.sender_token.mint,
-    );
-
-    require!(
-        escrow_token == ctx.accounts.escrow_token.key(),
-        LockerError::InvalidEscrowTokenAddress
-    );
-
     let mut escrow = ctx.accounts.escrow.load_init()?;
     escrow.init(
         vesting_start_time,
diff --git a/programs/locker/src/instructions/update_vesting_escrow_recipient.rs b/programs/locker/src/instructions/update_vesting_escrow_recipient.rs
index 1101ba6..873fb93 100644
--- a/programs/locker/src/instructions/update_vesting_escrow_recipient.rs
+++ b/programs/locker/src/instructions/update_vesting_escrow_recipient.rs
@@ -2,6 +2,7 @@ use crate::*;
 
 /// Accounts for [locker::update_vesting_escrow_recipient].
 #[derive(Accounts)]
+#[event_cpi]
 pub struct UpdateVestingEscrowRecipientCtx<'info> {
     /// Escrow.
     #[account(mut)]
@@ -85,14 +86,14 @@ pub fn handle_update_vesting_escrow_recipient(
             anchor_lang::system_program::transfer(cpi_context, lamports_diff)?;
 
             // realloc
-            escrow_metadata_info.realloc(new_len, true)?;
+            escrow_metadata_info.realloc(new_len, false)?;
             // update new recipient_email
             escrow_metadata.recipient_email = recipient_email;
         } else {
             return Err(LockerError::InvalidEscrowMetadata.into());
         }
     }
-    emit!(EventUpdateVestingEscrowRecipient {
+    emit_cpi!(EventUpdateVestingEscrowRecipient {
         escrow: ctx.accounts.escrow.key(),
         signer,
         old_recipient,
diff --git a/tests/locker.ts b/tests/locker.ts
index 1d3fe9d..996ecd0 100644
--- a/tests/locker.ts
+++ b/tests/locker.ts
@@ -110,7 +110,6 @@ describe("Full flow", () => {
       updateRecipientMode: 0,
     });
 
-
     while (true) {
       const currentBlockTime = await getCurrentBlockTime(program.provider.connection);
       if (currentBlockTime > cliffTime.toNumber()) {
diff --git a/tests/update_recipient.ts b/tests/update_recipient.ts
index 104dde3..ac39b47 100644
--- a/tests/update_recipient.ts
+++ b/tests/update_recipient.ts
@@ -261,7 +261,7 @@ describe("Update recipient", () => {
             isAssertion: true
         });
 
-        console.log("Update recipient");
+        console.log("Update recipient with bigger email size");
         await updateRecipient({
             escrow,
             newRecipient: ReceipentKP.publicKey,
@@ -269,5 +269,14 @@ describe("Update recipient", () => {
             signer: UserKP,
             newRecipientEmail: "maximillian@raccoons.dev",
         });
+
+        console.log("Update recipient with smaller email size");
+        await updateRecipient({
+            escrow,
+            newRecipient: ReceipentKP.publicKey,
+            isAssertion: true,
+            signer: UserKP,
+            newRecipientEmail: "max@raccoons.dev",
+        });
     });
 });

From 93405372d60c9ab3d7070c7dfb3149abe1082450 Mon Sep 17 00:00:00 2001
From: Andrew Nguyen <cuong.hv.dtvt@gmail.com>
Date: Thu, 22 Aug 2024 11:26:35 +0700
Subject: [PATCH 2/2] fix test

---
 tests/escrow_metadata.ts    | 7 +++++--
 tests/locker.ts             | 7 +++++--
 tests/locker_utils/index.ts | 1 +
 tests/update_recipient.ts   | 5 ++++-
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/tests/escrow_metadata.ts b/tests/escrow_metadata.ts
index 5e19bbf..c3d37ee 100644
--- a/tests/escrow_metadata.ts
+++ b/tests/escrow_metadata.ts
@@ -16,7 +16,8 @@ import {
 import { claimToken, createEscrowMetadata, createLockerProgram, createVestingPlan } from "./locker_utils";
 
 
-const provider = anchor.AnchorProvider.env();
+let provider = anchor.AnchorProvider.env();
+provider.opts.commitment = 'confirmed';
 
 describe("Escrow metadata", () => {
     const tokenDecimal = 8;
@@ -41,7 +42,9 @@ describe("Escrow metadata", () => {
             null,
             tokenDecimal,
             web3.Keypair.generate(),
-            null,
+            {
+                commitment: "confirmed",
+            },
             TOKEN_PROGRAM_ID
         );
 
diff --git a/tests/locker.ts b/tests/locker.ts
index 996ecd0..6a4e53c 100644
--- a/tests/locker.ts
+++ b/tests/locker.ts
@@ -16,7 +16,8 @@ import {
 import { claimToken, createLockerProgram, createVestingPlan } from "./locker_utils";
 
 
-const provider = anchor.AnchorProvider.env();
+let provider = anchor.AnchorProvider.env();
+provider.opts.commitment = 'confirmed';
 
 describe("Full flow", () => {
   const tokenDecimal = 8;
@@ -42,7 +43,9 @@ describe("Full flow", () => {
       null,
       tokenDecimal,
       web3.Keypair.generate(),
-      null,
+      {
+        commitment: "confirmed",
+      },
       TOKEN_PROGRAM_ID
     );
 
diff --git a/tests/locker_utils/index.ts b/tests/locker_utils/index.ts
index 4823027..7de3f15 100644
--- a/tests/locker_utils/index.ts
+++ b/tests/locker_utils/index.ts
@@ -16,6 +16,7 @@ export function createLockerProgram(
     const provider = new AnchorProvider(AnchorProvider.env().connection, wallet, {
         maxRetries: 3,
     });
+    provider.opts.commitment = 'confirmed';
     const program = new Program<Locker>(LockerIDL, LOCKER_PROGRAM_ID, provider);
     return program;
 }
diff --git a/tests/update_recipient.ts b/tests/update_recipient.ts
index ac39b47..5136562 100644
--- a/tests/update_recipient.ts
+++ b/tests/update_recipient.ts
@@ -18,6 +18,7 @@ import { claimToken, createEscrowMetadata, createLockerProgram, createVestingPla
 
 
 const provider = anchor.AnchorProvider.env();
+provider.opts.commitment = 'confirmed';
 
 describe("Update recipient", () => {
     const tokenDecimal = 8;
@@ -42,7 +43,9 @@ describe("Update recipient", () => {
             null,
             tokenDecimal,
             web3.Keypair.generate(),
-            null,
+            {
+                commitment: "confirmed",
+            },
             TOKEN_PROGRAM_ID
         );