verify cpi mint matches transfer mint in hook

programs/asset_controller/src/error.rs

@@ -24,4 +24,6 @@ pub enum AssetControllerErrors {
     InvalidCpiTransferProgram,
     #[msg("Invalid cpi amount in transfer")]
     InvalidCpiTransferAmount,
+    #[msg("Invalid cpi mint in transfer")]
+    InvalidCpiTransferMint,
 }

programs/asset_controller/src/instructions/execute.rs

@@ -63,7 +63,11 @@ pub struct ExecuteTransferHook<'info> {
 }
 
 pub fn handler(ctx: Context<ExecuteTransferHook>, amount: u64) -> Result<()> {
-    verify_cpi_program_is_token22(&ctx.accounts.instructions_program.to_account_info(), amount)?;
+    verify_cpi_program_is_token22(
+        &ctx.accounts.instructions_program.to_account_info(),
+        amount,
+        ctx.accounts.asset_mint.key(),
+    )?;
 
     let asset_mint = ctx.accounts.asset_mint.key();
 

programs/asset_controller/src/utils.rs

@@ -92,9 +92,12 @@ pub fn verify_pda(address: Pubkey, seeds: &[&[u8]], program_id: &Pubkey) -> Resu
     Ok(())
 }
 
+pub const TRANSFER_HOOK_MINT_INDEX: usize = 1;
+
 pub fn verify_cpi_program_is_token22(
     instructions_program: &AccountInfo,
     amount: u64,
+    mint: Pubkey,
 ) -> Result<()> {
     let ix_relative = get_instruction_relative(0, instructions_program)?;
     if ix_relative.program_id != token_2022::ID {
@@ -103,6 +106,14 @@ pub fn verify_cpi_program_is_token22(
     if ix_relative.data[1..9] != amount.to_le_bytes() {
         return Err(AssetControllerErrors::InvalidCpiTransferAmount.into());
     }
+    // make sure transfer mint is same
+    if let Some(account) = ix_relative.accounts.get(TRANSFER_HOOK_MINT_INDEX) {
+        if account.pubkey != mint {
+            return Err(AssetControllerErrors::InvalidCpiTransferMint.into());
+        }
+    } else {
+        return Err(AssetControllerErrors::InvalidCpiTransferProgram.into());
+    }
 
     Ok(())
 }