Missing unsafe in validate_owner function
The validate_owner function in p-token carries an additional safety requirement that must be upheld to prevent undefined behavior. Because this requirement influences memory safety and is not statically checked by the compiler, the function should be marked `unsafe` so that the obligation is properly communicated to callers.
#[inline(always)]
#[allow(clippy::arithmetic_side_effects)]
fn validate_owner(
expected_owner: &Pubkey,
owner_account_info: &AccountInfo,
signers: &[AccountInfo],
) -> ProgramResult {
if expected_owner != owner_account_info.key() {
return Err(TokenError::OwnerMismatch.into());
}
if owner_account_info.data_len() == Multisig::LEN
&& owner_account_info.is_owned_by(&TOKEN_PROGRAM_ID)
{
// SAFETY: the caller guarantees that there are no mutable borrows of
// `owner_account_info` account data and the `load` validates that the
// account is initialized; additionally, `Multisig` accounts are only
// ever loaded in this function, which means that previous loads will
// have already failed by the time we get here.
let multisig = unsafe { load::<Multisig>(owner_account_info.borrow_data_unchecked())? };
...