fix: PumpSwap PDA derivation + token type test coverage #13

Merged: smypmsa merged 6 commits into main from fix/pumpswap-pda-and-token-type-coverage, Mar 18, 2026

@smypmsa smypmsa commented Mar 18, 2026

Summary

  • Replace getProgramAccounts with PDA derivation for PumpSwap pool lookup — single getAccountInfo call instead of expensive account scan
  • Extract derive_amm_pool and derive_pool_authority into protocol/address.py, consolidating the duplicate in instructions.py
  • Add full token type test matrix (mayhem, cashback, SPL vs Token-2022) at protocol, core, and surfpool integration layers
  • Add surfpool integration tests for cashback-enabled tokens (buy, sell, dry-run)

Test plan

  • uv run pytest tests/ -q — all unit tests pass
  • ./scripts/surfpool-autodiscover.sh — surfpool integration tests pass (cashback mint auto-discovered)
  • Verify PumpSwap buy/sell still works on mainnet tokens

🤖 Generated with Claude Code

Security & Protocol Analysis

Critical Protocol Changes ✓

This PR modifies the PumpSwap pool lookup mechanism, a code path that directly affects real fund transfers in buy/sell operations. The change replaces expensive getProgramAccounts account scanning with deterministic PDA (Program Derived Address) derivation:

  • Old approach: Filtered all program accounts using MemcmpOpts to find the pool (vulnerable to account scan RPC timeouts and attacks)
  • New approach: Derives the pool address deterministically using seeds ["pool", [0,0], pool_authority, mint, WSOL_MINT] and fetches it with a single getAccountInfo call

Security assessment: ✅ Improved security and reliability

  • Eliminates RPC timeout vulnerabilities from account scanning
  • Reduces attack surface (single deterministic call vs. filtered scan)
  • Proper error handling validates empty responses and wraps exceptions

Transaction Construction Impacts

Code that builds and sends signed transactions is affected:

  1. get_pool_by_mint() in protocol/pumpswap.py: Used in hot paths for buy_pumpswap() and sell_pumpswap() operations (both send real transactions to blockchain)
  2. build_migrate_instruction() in protocol/instructions.py: Extracted derive_pool_authority(mint) into shared address module to ensure consistent PDA derivation across bonding-curve graduation and trading paths

Correctness verification: Three protocol-level tests confirm:

  • derive_amm_pool is deterministic (same mint → same address)
  • derive_amm_pool matches the inline derivation in build_migrate_instruction
  • Different mints produce different pool addresses

Comprehensive Test Coverage

The PR adds 48 new tests across three execution layers:

  • Protocol layer (15 tests): Validates PDA derivation correctness and instruction building for buy/sell with Token-2022, SPL, mayhem, and cashback combinations
  • Core layer (24 tests): Tests transaction construction with mocked RPC, fee routing, and token program forwarding
  • Integration layer (3 tests): End-to-end surfpool cashback token trading on mainnet (buy, sell, dry-run)

Token-type matrix covers: {Token-2022, SPL} × {Mayhem, Standard} × {Cashback, Non-cashback} for both bonding-curve and PumpSwap trading paths.

No Wallet/Key Handling Changes

No modifications to wallet management, key derivation, or signature logic. Only pool discovery and instruction account derivation are affected.
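
The PDA-based pool lookup described in this summary, as an added example that is not code from the PR or the project: a pure-Python program-address derivation using the pool seeds listed above, plus a check that a fetched account is the derived key and is owned by the expected program. The program and mint IDs are constructed placeholders, the `pool-authority` seed layout is an assumption (the page names `derive_pool_authority` but not its seeds), and `pool_account_is_trusted` is a hypothetical helper.

```python
import hashlib

P = 2**255 - 19                             # ed25519 field prime
D = (-121665 * pow(121666, -1, P)) % P      # ed25519 curve constant d

# Constructed placeholder IDs (NOT the real program or mint addresses).
PUMP_PROGRAM = bytes([0xA1]) * 32
AMM_PROGRAM = bytes([0xA2]) * 32
WSOL_MINT = bytes([0xA3]) * 32


def is_on_curve(key: bytes) -> bool:
    """True if the 32 bytes decompress to an ed25519 point (a private key could exist)."""
    y = (int.from_bytes(key, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1   # Euler criterion on x^2


def find_program_address(seeds: list[bytes], program_id: bytes) -> tuple[bytes, int]:
    """Try bumps 255..0 and return the first candidate that is off the curve."""
    if len(seeds) > 15 or any(len(s) > 32 for s in seeds):
        raise ValueError("seed limits exceeded")
    for bump in range(255, -1, -1):
        preimage = b"".join(seeds) + bytes([bump]) + program_id + b"ProgramDerivedAddress"
        candidate = hashlib.sha256(preimage).digest()
        if not is_on_curve(candidate):
            return candidate, bump
    raise ValueError("no viable bump seed")


def derive_pool_authority(mint: bytes) -> bytes:
    # Assumed seed layout; the page names the function but not its seeds.
    return find_program_address([b"pool-authority", mint], PUMP_PROGRAM)[0]


def derive_amm_pool(mint: bytes) -> bytes:
    # Seeds as listed in the PR: "pool", [0,0], pool_authority, mint, WSOL_MINT.
    seeds = [b"pool", bytes([0, 0]), derive_pool_authority(mint), mint, WSOL_MINT]
    return find_program_address(seeds, AMM_PROGRAM)[0]


def pool_account_is_trusted(expected_pool: bytes, fetched_key: bytes, owner: bytes) -> bool:
    """Accept a getAccountInfo result only for the derived key and the expected owner."""
    return fetched_key == expected_pool and owner == AMM_PROGRAM
```

Because the address is a function of the mint alone, the client never has to pick one account out of a scan result; the owner check covers the remaining case of an RPC endpoint returning data for an account the AMM program does not own.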

smypmsa and others added 6 commits March 17, 2026 17:03
Cover the full token dimensions matrix: Token-2022 vs SPL, mayhem vs
standard, cashback vs non-cashback, bonding curve vs PumpSwap. Tests
verify correct account counts, fee routing, ATA derivation, and
instruction data for every combination.

- 15 protocol-level tests (instruction builders, account layouts)
- 13 core-level tests (buy/sell with mocked RPC for all state flags)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

… lookup

getProgramAccounts is an expensive RPC call that scans the entire
program account space. On slower RPC endpoints (e.g. Chainstack free
tier) it consistently times out at the 30s default, making all
graduated token trading fail with "Failed to query PumpSwap pools".

Replace with deterministic PDA derivation (same seeds as the migrate
instruction) followed by a single getAccountInfo call. This is:
- Instant (~1s vs ~45s)
- Works on any RPC endpoint (no getProgramAccounts support needed)
- No timeout issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Extend surfpool test infrastructure to discover and test cashback-enabled
bonding curve tokens. The autodiscover script finds a cashback token from
the pump.fun API (new --cashback flag), and tests verify buy + sell work
correctly with the user_volume_accumulator in remaining accounts.

Also update PumpSwap test comments to reflect the PDA-based pool lookup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cashback tokens need more compute units due to extra account processing
(user_volume_accumulator). Bumped from 100k to 200k in the buy+sell
cashback surfpool test to avoid ComputationalBudgetExceeded.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Extract shared tmp_keystore/mock_keypair fixtures to test_core/conftest.py
- Extract shared build_pool_data() to test_core/helpers.py
- Remove duplicate fixture definitions from test_trade, test_pumpswap, test_token_types
- Inline derive_pool_authority in build_migrate_instruction, remove _derive_migrate_pool_authority wrapper
- Simplify test_pumpswap_buy_passes_token_program to use shared helpers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…ock helpers

- Remove test_buy_cashback_token and test_buy_mayhem_cashback_token (buy is
  cashback-agnostic, these tested nothing different from standard buy)
- Merge _setup_buy_mocks/_setup_sell_mocks into single _setup_mocks(side=)
- Use _setup_mocks for graduated error tests instead of inline mock setup
- Remove section separator comments (docstrings suffice)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@smypmsa smypmsa merged commit ed5e22f into main Mar 18, 2026
4 checks passed
@smypmsa smypmsa deleted the fix/pumpswap-pda-and-token-type-coverage branch March 18, 2026 15:24
coderabbitai bot commented Mar 18, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e710b794-d447-46ec-97fd-dc3ca08f2ac7

📥 Commits

Reviewing files that changed from the base of the PR and between f813aed and a088dbd.

📒 Files selected for processing (15)
  • scripts/surfpool-autodiscover.sh
  • scripts/surfpool-test.sh
  • src/pumpfun_cli/protocol/address.py
  • src/pumpfun_cli/protocol/instructions.py
  • src/pumpfun_cli/protocol/pumpswap.py
  • tests/test_core/conftest.py
  • tests/test_core/helpers.py
  • tests/test_core/test_pumpswap.py
  • tests/test_core/test_token_types.py
  • tests/test_core/test_trade.py
  • tests/test_protocol/test_pumpswap.py
  • tests/test_protocol/test_token_types.py
  • tests/test_surfpool/conftest.py
  • tests/test_surfpool/test_pumpswap.py
  • tests/test_surfpool/test_token_types.py

Walkthrough

The pull request adds cashback-enabled bonding-curve token support to the Solana CLI and refactors pool account discovery from expensive program account filtering to deterministic PDA derivation. Updates shell scripts for cashback mint discovery, introduces PDA-based pool lookup functions, and adds comprehensive test coverage across protocol and integration layers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Shell Script Enhancements: scripts/surfpool-autodiscover.sh, scripts/surfpool-test.sh | Added cashback mint discovery via pumpfun query with fallback warning. New --cashback flag in test script exports SURFPOOL_CASHBACK_MINT when set. Preserves existing active/graduated mint handling. |
| Protocol PDA Derivation: src/pumpfun_cli/protocol/address.py | Added derive_pool_authority(mint) and derive_amm_pool(mint) functions for deterministic PDA derivation of AMM pool addresses using Pump program seeds. |
| Protocol Refactoring: src/pumpfun_cli/protocol/instructions.py, src/pumpfun_cli/protocol/pumpswap.py | Removed internal _derive_migrate_pool_authority and replaced with imported derive_pool_authority. Refactored get_pool_by_mint to use deterministic PDA derivation and single get_account_info call instead of filtering program accounts. |
| Test Infrastructure: tests/test_core/conftest.py, tests/test_core/helpers.py | Added mock_keypair and tmp_keystore fixtures; introduced build_pool_data helper for synthetic on-chain pool data construction. |
| Core Layer Tests: tests/test_core/test_pumpswap.py, tests/test_core/test_token_types.py | Refactored pumpswap mocking from get_program_accounts to get_account_info with new helpers. Added comprehensive token type tests for buy/sell flows across Token-2022, SPL, mayhem, and cashback scenarios. |
| Protocol Layer Tests: tests/test_protocol/test_pumpswap.py, tests/test_protocol/test_token_types.py | Added PDA determinism and cross-mint derivation tests. Comprehensive bonding-curve buy/sell tests validating account counts, fee routing, token program addressing, and ATA derivation across token types. |
| Integration Tests: tests/test_surfpool/conftest.py, tests/test_surfpool/test_pumpswap.py, tests/test_surfpool/test_token_types.py | Added cashback_mint fixture reading SURFPOOL_CASHBACK_MINT env var. Updated documentation for PDA-based pool lookups. New integration tests for cashback token buy/sell/dry-run flows. |
| Fixture Migration: tests/test_core/test_trade.py | Removed duplicate mock_keypair and tmp_keystore fixtures (now in conftest.py). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

protocol, tests
