1---
2title: Programs with Pinocchio
3description: Build high-performance Solana programs with zero-copy techniques and minimal dependencies, without the solana-program overhead.
4---
5 
6# Programs with Pinocchio
7 
8Pinocchio is a minimalist Rust crate for crafting Solana programs without the heavyweight `solana-program` crate. It delivers significant performance gains through zero-copy techniques and minimal dependencies.
9 
10## When to Use Pinocchio
11 
12Use Pinocchio when you need:
13 
14- **Compute efficiency potential**: Can reduce compute units and binary size versus higher-level frameworks, depending on instruction complexity and validation strategy
15- **Minimal binary size**: Leaner code paths and smaller deployments
16- **Zero external dependencies**: Only Solana SDK types required
17- **Fine-grained control**: Direct memory access and byte-level operations
18- **no_std environments**: Embedded or constrained contexts
19 
20## Core Architecture
21 
22### Program Structure Validation Checklist
23 
24Before building/deploying, verify lib.rs contains all required components:
25 
26- [ ] `entrypoint!(process_instruction)` macro
27- [ ] `pub const ID: Address = Address::new_from_array([...])` with correct program ID
28- [ ] `fn process_instruction(program_id: &Address, accounts: &[AccountView], data: &[u8]) -> ProgramResult`
29- [ ] Instruction routing logic with proper discriminators
30- [ ] `pub mod instructions; pub use instructions::*;`
31 
32### Entrypoint Pattern
33 
34```rust
35use pinocchio::{
36    account::AccountView,
37    address::Address,
38    entrypoint,
39    error::ProgramError,
40    ProgramResult,
41};
42 
43entrypoint!(process_instruction);
44 
45fn process_instruction(
46    _program_id: &Address,
47    accounts: &[AccountView],
48    instruction_data: &[u8],
49) -> ProgramResult {
50    match instruction_data.split_first() {
51        Some((0, data)) => Deposit::try_from((data, accounts))?.process(),
52        Some((1, _)) => Withdraw::try_from(accounts)?.process(),
53        _ => Err(ProgramError::InvalidInstructionData)
54    }
55}
56```
57 
58Single-byte discriminators support 255 instructions; use two bytes for up to 65,535 variants.
59 
60### Panic Handler Configuration
61 
62**For std environments (SBF builds):**
63 
64```rust
65entrypoint!(process_instruction);
66// Remove nostd_panic_handler!() - std provides panic handling
67```
68 
69**For no_std environments:**
70 
71```rust
72#![no_std]
73entrypoint!(process_instruction);
74nostd_panic_handler!();
75```
76 
77**Critical**: Never include both - causes duplicate lang item error in SBF builds.
78 
79### Program ID Declaration
80 
81```rust
82pub const ID: Address = Address::new_from_array([
83    // Your 32-byte program ID as bytes
84    0xXX, 0xXX, ..., 0xXX,
85]);
86```
87 
88// Note: Use `Address::new_from_array()` not `Address::new()`
89 
90### Recommended Import Structure
91 
92```rust
93use pinocchio::{
94    account::AccountView,
95    address::Address,
96    entrypoint,
97    error::ProgramError,
98    ProgramResult,
99};
100// Add CPI imports only when needed:
101// cpi::{invoke_signed, Seed, Signer},
102// Add system program imports only when needed:
103// pinocchio_system::instructions::Transfer,
104```
105 
106 
107## Utility Macros
108 
109Define in `src/utils/macros.rs`:
110 
111```rust
112// Runtime length check — returns InvalidInstructionData
113macro_rules! require_len {
114    ($data:expr, $len:expr) => {
115        if $data.len() < $len {
116            return Err(ProgramError::InvalidInstructionData);
117        }
118    };
119}
120 
121// Runtime length check — returns InvalidAccountData
122macro_rules! require_account_len {
123    ($data:expr, $len:expr) => {
124        if $data.len() < $len {
125            return Err(ProgramError::InvalidAccountData);
126        }
127    };
128}
129 
130// Validates byte 0 matches expected discriminator
131macro_rules! validate_discriminator {
132    ($data:expr, $disc:expr) => {
133        if $data.is_empty() || $data[0] != $disc {
134            return Err(ProgramError::InvalidAccountData);
135        }
136    };
137}
138 
139// Compile-time: asserts struct size matches expected (catches padding bugs)
140macro_rules! assert_no_padding {
141    ($t:ty, $expected:expr) => {
142        const _: () = assert!(
143            core::mem::size_of::<$t>() == $expected,
144            "struct size mismatch — check for unexpected padding"
145        );
146    };
147}
148 
149assert_no_padding!(Config, 65); // usage example
150```
151 
152## Traits System
153 
154Define these traits once in a shared module (e.g. `src/traits/`) and implement them on all state/instruction types.
155 
156### Account byte layout
157 
158All PDA accounts follow: `[discriminator: u8 | version: u8 | data...]`
159 
160**Important**: Pinocchio uses a 1-byte discriminator. Anchor uses 8 bytes. Don't conflate them.
161 
162```rust
163pub trait Discriminator {
164    const DISCRIMINATOR: u8; // 1 byte, not 8
165}
166 
167pub trait Versioned {
168    const VERSION: u8;
169}
170 
171// DATA_LEN = size of data payload only (excludes disc + version prefix)
172// LEN      = 1 + 1 + DATA_LEN  (total account size)
173pub trait AccountSize {
174    const DATA_LEN: usize;
175    const LEN: usize = 1 + 1 + Self::DATA_LEN;
176}
177 
178// Zero-copy read: validates byte 0 (disc), skips byte 1 (version), casts &data[2..] to &Self
179pub trait AccountDeserialize: Sized + Discriminator + AccountSize {
180    fn from_bytes(data: &[u8]) -> Result<&Self, ProgramError> {
181        validate_discriminator!(data, Self::DISCRIMINATOR);
182        require_account_len!(data, Self::LEN);
183        Ok(unsafe { &*(data[2..].as_ptr() as *const Self) })
184    }
185    fn from_bytes_mut(data: &mut [u8]) -> Result<&mut Self, ProgramError> {
186        validate_discriminator!(data, Self::DISCRIMINATOR);
187        require_account_len!(data, Self::LEN);
188        Ok(unsafe { &mut *(data[2..].as_mut_ptr() as *mut Self) })
189    }
190}
191 
192pub trait AccountSerialize: Discriminator + Versioned {
193    fn to_bytes_inner(&self) -> Vec<u8>;
194    fn to_bytes(&self) -> Vec<u8> {
195        let mut bytes = vec![Self::DISCRIMINATOR, Self::VERSION];
196        bytes.extend(self.to_bytes_inner());
197        bytes
198    }
199}
200 
201// Marker traits — no methods
202pub trait InstructionAccounts<'a> {}
203 
204// Marker trait for data structs; LEN is the expected byte length of instruction data
205pub trait InstructionData<'a>: Sized {
206    const LEN: usize;
207    // Data structs implement TryFrom<&'a [u8]> separately
208}
209 
210pub trait PdaSeeds {
211    const PREFIX: &'static [u8];
212    fn seeds(&self) -> Vec<&[u8]>;
213    // Returns seeds + bump slice, ready for invoke_signed
214    fn seeds_with_bump<'a>(&'a self, bump: &'a [u8; 1]) -> Vec<Seed<'a>> {
215        let mut s: Vec<Seed> = self.seeds().into_iter().map(Seed::from).collect();
216        s.push(Seed::from(bump.as_ref()));
217        s
218    }
219    // Use at initialization to get canonical bump (find loops internally).
220    fn derive_address(&self, program_id: &Address) -> (Address, u8) {
221        Address::find_program_address(&self.seeds(), program_id)
222    }
223    // Use after initialization when bump is already stored (no bump search loop).
224    fn derive_address_with_bump(&self, program_id: &Address, bump: u8) -> Result<Address, ProgramError> {
225        let mut seeds = self.seeds();
226        let bump_seed = [bump];
227        seeds.push(&bump_seed);
228        Address::create_program_address(&seeds, program_id).map_err(|_| ProgramError::InvalidSeeds)
229    }
230    fn validate_pda(&self, account: &AccountView, program_id: &Address, bump: u8) -> ProgramResult {
231        let expected = self.derive_address_with_bump(program_id, bump)?;
232        if account.address() != &expected {
233            return Err(ProgramError::InvalidSeeds);
234        }
235        Ok(())
236    }
237    fn validate_pda_address(&self, account: &AccountView, program_id: &Address) -> Result<u8, ProgramError> {
238        let (expected, canonical_bump) = self.derive_address(program_id);
239        if account.address() != &expected {
240            return Err(ProgramError::InvalidSeeds);
241        }
242        Ok(canonical_bump)
243    }
244}
245 
246// For state structs that store their own bump
247pub trait PdaAccount: PdaSeeds {
248    fn bump(&self) -> u8;
249    fn validate_self(&self, account: &AccountView, program_id: &Address) -> ProgramResult {
250        self.validate_pda(account, program_id, self.bump())
251    }
252}
253```
254 
255## Instruction Directory Structure
256 
257Organize each instruction as its own module:
258 
259```
260src/instructions/
261├── mod.rs              ← re-exports + discriminator enum
262├── impl_instructions.rs ← define_instruction! expansions
263├── deposit/
264│   ├── mod.rs
265│   ├── accounts.rs     ← DepositAccounts, TryFrom<&'a [AccountView]>
266│   ├── data.rs         ← DepositData, TryFrom<&'a [u8]>
267│   └── processor.rs    ← process() business logic
268└── withdraw/
269    └── ...
270```
271 
272Use `define_instruction!` to wire accounts + data into an instruction struct without boilerplate:
273 
274```rust
275macro_rules! define_instruction {
276    ($name:ident, $accounts:ty, $data:ty) => {
277        pub struct $name<'a> {
278            pub accounts: $accounts,
279            pub data: $data,
280        }
281 
282        impl<'a> From<($accounts, $data)> for $name<'a> {
283            fn from((accounts, data): ($accounts, $data)) -> Self {
284                Self { accounts, data }
285            }
286        }
287 
288        impl<'a> TryFrom<(&'a [u8], &'a [AccountView])> for $name<'a> {
289            type Error = ProgramError;
290            fn try_from((data, accounts): (&'a [u8], &'a [AccountView])) -> Result<Self, Self::Error> {
291                Ok(Self {
292                    accounts: <$accounts>::try_from(accounts)?,
293                    data: <$data>::try_from(data)?,
294                })
295            }
296        }
297    };
298}
299 
300define_instruction!(Deposit, DepositAccounts<'a>, DepositData);
301```
302 
303## Account Validation
304 
305Pinocchio requires manual validation. Wrap all checks in `TryFrom` implementations:
306 
307### Account Struct Validation
308 
309```rust
310pub struct DepositAccounts<'a> {
311    pub owner: &'a AccountView,
312    pub vault: &'a AccountView,
313    pub system_program: &'a AccountView,
314}
315 
316impl<'a> TryFrom<&'a [AccountView]> for DepositAccounts<'a> {
317    type Error = ProgramError;
318 
319    fn try_from(accounts: &'a [AccountView]) -> Result<Self, Self::Error> {
320        let [owner, vault, system_program, _remaining @ ..] = accounts else {
321            return Err(ProgramError::NotEnoughAccountKeys);
322        };
323 
324        // Signer check
325        if !owner.is_signer() {
326            return Err(ProgramError::MissingRequiredSignature);
327        }
328 
329        // Owner check
330        if !vault.owned_by(&pinocchio_system::ID) {
331            return Err(ProgramError::InvalidAccountOwner);
332        }
333 
334        // Program ID check (prevents arbitrary CPI)
335        if system_program.address() != &pinocchio_system::ID {
336            return Err(ProgramError::IncorrectProgramId);
337        }
338 
339        Ok(Self { owner, vault, system_program })
340    }
341}
342```
343 
344### Instruction Data Validation
345 
346```rust
347pub struct DepositData {
348    pub amount: u64,
349}
350 
351impl<'a> TryFrom<&'a [u8]> for DepositData {
352    type Error = ProgramError;
353 
354    fn try_from(data: &'a [u8]) -> Result<Self, Self::Error> {
355        require_len!(data, core::mem::size_of::<u64>());
356 
357        let amount = u64::from_le_bytes(data[..8].try_into().map_err(|_| ProgramError::InvalidInstructionData)?);
358 
359        if amount == 0 {
360            return Err(ProgramError::InvalidInstructionData);
361        }
362 
363        Ok(Self { amount })
364    }
365}
366```
367 
368## Token programs
369 
370Use the crates pinocchio-token and pinocchio-token2022
371 
372### SPL Token
373 
374```rust
375use pinocchio_token::{instructions::InitializeMint2, state::Mint};
376 
377...
378InitializeMint2 {
379    mint: account,
380    decimals,
381    mint_authority,
382    freeze_authority,
383}.invoke()?;
384 
385let mint = Mint::from_account_view(account)?;
386```
387 
388### Token2022
389 
390Token2022 provides a similar state struct
391 
392```rust
393let mint = Mint::from_account_view(account)?;
394```
395 
396## Cross-Program Invocations (CPIs)
397 
398### Basic CPI
399 
400```rust
401use pinocchio_system::instructions::Transfer;
402 
403Transfer {
404    from: self.accounts.owner,
405    to: self.accounts.vault,
406    lamports: self.data.amount,
407}.invoke()?;
408```
409 
410### PDA-Signed CPI
411 
412```rust
413use pinocchio::cpi::{Seed, Signer};
414 
415let bump_byte = &[bump];
416let seeds = [
417    Seed::from(b"vault"),
418    Seed::from(self.accounts.owner.address().as_ref()),
419    Seed::from(&bump_byte),
420];
421let signers = [Signer::from(&seeds)];
422 
423Transfer {
424    from: self.accounts.vault,
425    to: self.accounts.owner,
426    lamports: self.accounts.vault.lamports(),
427}.invoke_signed(&signers)?;
428```
429 
430## Reading and Writing Data
431 
432### Struct Field Ordering
433 
434Order fields from largest to smallest alignment to minimize padding:
435 
436```rust
437// Good: 16 bytes total
438#[repr(C)]
439struct GoodOrder {
440    big: u64,     // 8 bytes, 8-byte aligned
441    medium: u16,  // 2 bytes, 2-byte aligned
442    small: u8,    // 1 byte, 1-byte aligned
443    // 5 bytes padding
444}
445 
446// Bad: 24 bytes due to padding
447#[repr(C)]
448struct BadOrder {
449    small: u8,    // 1 byte
450    // 7 bytes padding
451    big: u64,     // 8 bytes
452    medium: u16,  // 2 bytes
453    // 6 bytes padding
454}
455```
456 
457### Compile-Time Layout Assertions
458 
459Use `assert_no_padding!(Type, expected_size)` to catch unintended struct padding at compile time. Pass the expected `DATA_LEN` (the payload, excluding the 2-byte disc+version prefix):
460 
461```rust
462assert_no_padding!(Config, Config::DATA_LEN);
463```
464 
465### Explicit Padding and Versioning
466 
467Reserve bytes for future fields to avoid breaking account layout changes. Remember: the `discriminator` and `version` bytes live in the 2-byte prefix managed by `AccountSerialize`/`AccountDeserialize` — the struct itself contains only the data payload:
468 
469```rust
470#[repr(C)]
471pub struct Config {
472    pub bump: u8,
473    pub authority: [u8; 32],
474    pub _reserved: [u8; 6], // explicit padding for future fields
475}
476 
477impl Discriminator for Config { const DISCRIMINATOR: u8 = 0; }
478impl Versioned for Config     { const VERSION: u8 = 1; }
479impl AccountSize for Config   { const DATA_LEN: usize = 39; }
480 
481assert_no_padding!(Config, 39);
482```
483 
484### Dangerous Patterns to Avoid
485 
486```rust
487// ❌ transmute with unaligned data
488let value: u64 = unsafe { core::mem::transmute(bytes_slice) };
489 
490// ❌ Pointer casting to packed structs
491#[repr(C, packed)]
492pub struct Packed { pub a: u8, pub b: u64 }
493let config = unsafe { &*(data.as_ptr() as *const Packed) };
494 
495// ❌ Direct field access on packed structs creates unaligned references
496let b_ref = &packed.b;
497 
498// ❌ Assuming alignment without verification
499let config = unsafe { &*(data.as_ptr() as *const Config) };
500```
501 
502## Error Handling
503 
504Use `thiserror` for descriptive errors (supports `no_std`):
505 
506```rust
507use thiserror::Error;
508use num_derive::FromPrimitive;
509use pinocchio::program_error::ProgramError;
510 
511#[derive(Clone, Debug, Eq, Error, FromPrimitive, PartialEq)]
512pub enum VaultError {
513    #[error("Lamport balance below rent-exempt threshold")]
514    NotRentExempt,
515    #[error("Invalid account owner")]
516    InvalidOwner,
517    #[error("Account not initialized")]
518    NotInitialized,
519}
520 
521impl From<VaultError> for ProgramError {
522    fn from(e: VaultError) -> Self {
523        ProgramError::Custom(e as u32)
524    }
525}
526```
527 
528## Closing Accounts Securely
529 
530Prevent revival attacks by marking closed accounts:
531 
532```rust
533pub fn close(account: &AccountView, destination: &AccountView) -> ProgramResult {
534    // Add lamports
535    destination.set_lamports(destination.lamports() + account.lamports())?;
536 
537    // Close
538    account.close()
539}
540```
541 
542## Performance Optimization
543 
544### Feature Flags
545 
546```toml
547[features]
548default = ["perf"]
549perf = []
550```
551 
552```rust
553#[cfg(not(feature = "perf"))]
554solana_program_log::log!("Instruction: Deposit");
555```
556 
557### Bitwise Flags for Storage
558 
559Pack up to 8 booleans in one byte:
560 
561```rust
562const FLAG_ACTIVE: u8 = 1 << 0;
563const FLAG_FROZEN: u8 = 1 << 1;
564const FLAG_ADMIN: u8 = 1 << 2;
565 
566// Set flag
567flags |= FLAG_ACTIVE;
568 
569// Check flag
570if flags & FLAG_ACTIVE != 0 { /* active */ }
571 
572// Clear flag
573flags &= !FLAG_ACTIVE;
574```
575 
576### Zero-Allocation Architecture
577 
578Use references instead of heap allocations:
579 
580```rust
581// Good: references with borrowed lifetimes
582pub struct Instruction<'a> {
583    pub accounts: &'a [AccountView],
584    pub data: &'a [u8],
585}
586 
587// Enforce no heap usage
588no_allocator!();
589```
590 
591Respect Solana's memory limits: 4KB stack per function, 32KB total heap.
592 
593### Skip Redundant Checks
594 
595If a CPI will fail on incorrect accounts anyway, skip pre-validation:
596 
597```rust
598// Instead of validating ATA derivation, compute expected address
599let expected_ata = find_program_address(
600    &[owner.address(), token_program.address(), mint.address()],
601    &pinocchio_associated_token_account::ID,
602).0;
603 
604if account.address() != &expected_ata {
605    return Err(ProgramError::InvalidAccountData);
606}
607```
608 
609## Batch Instructions
610 
611Process multiple operations in a single CPI (saves ~1000 CU per batched operation):
612 
613```rust
614const IX_HEADER_SIZE: usize = 2; // account_count + data_length
615 
616pub fn process_batch(mut accounts: &[AccountView], mut data: &[u8]) -> ProgramResult {
617    loop {
618        if data.len() < IX_HEADER_SIZE {
619            return Err(ProgramError::InvalidInstructionData);
620        }
621 
622        let account_count = data[0] as usize;
623        let data_len = data[1] as usize;
624        let data_offset = IX_HEADER_SIZE + data_len;
625 
626        if accounts.len() < account_count || data.len() < data_offset {
627            return Err(ProgramError::InvalidInstructionData);
628        }
629 
630        let (ix_accounts, ix_data) = (&accounts[..account_count], &data[IX_HEADER_SIZE..data_offset]);
631 
632        process_inner_instruction(ix_accounts, ix_data)?;
633 
634        if data_offset == data.len() {
635            break;
636        }
637 
638        accounts = &accounts[account_count..];
639        data = &data[data_offset..];
640    }
641 
642    Ok(())
643}
644```
645 
646## Events
647 
648### Simple logging
649 
650For debug output or non-critical events where truncation is acceptable, use `solana-program-log` (pinocchio's own log module is being removed in favour of this crate — see [anza-xyz/pinocchio#261](https://github.com/anza-xyz/pinocchio/pull/261)):
651 
652```rust
653use solana_program_log::log;
654 
655log!("deposited {}", amount);
656```
657 
658Solana truncates logs beyond ~10KB per transaction. If your event data exceeds this or indexers need to reliably parse it, use the CPI pattern below instead.
659 
660### Event emission via CPI (truncation-safe)
661 
662For production events that indexers must reliably read, emit via CPI into a no-op `EmitEvent` instruction on the program itself. The event data lives in the instruction data field (not logs), which is never truncated.
663 
664Events are validated by an `event_authority` PDA that must sign the CPI:
665 
666```rust
667pub const EVENT_AUTHORITY_SEED: &[u8] = b"event_authority";
668pub const EVENT_IX_TAG: u64 = 0x1d9acb512ea545e4; // Anchor-compatible event tag
669pub const EVENT_IX_TAG_LE: [u8; 8] = EVENT_IX_TAG.to_le_bytes();
670 
671// Event authority PDA (derived at compile time if possible)
672pub fn find_event_authority() -> (Address, u8) {
673    pinocchio_pubkey::find_program_address(&[EVENT_AUTHORITY_SEED], &crate::ID)
674}
675```
676 
677### Event Struct Pattern
678 
679```rust
680pub trait EventDiscriminator {
681    const DISCRIMINATOR: [u8; 9]; // 8-byte tag + 1-byte event id
682}
683 
684pub trait EventSerialize {
685    fn serialize(&self) -> Vec<u8>;
686}
687 
688pub struct DepositEvent {
689    pub owner: [u8; 32],
690    pub amount: u64,
691}
692 
693impl EventDiscriminator for DepositEvent {
694    const DISCRIMINATOR: [u8; 9] =
695        [/* EVENT_IX_TAG_LE bytes */ 0xe4, 0x45, 0xa5, 0x2e, 0x51, 0xcb, 0x9a, 0x1d, /* event id */ 0];
696}
697```
698 
699### Emitting an Event
700 
701```rust
702pub fn emit_event<E: EventDiscriminator + EventSerialize>(
703    event: &E,
704    event_authority: &AccountView,
705    program: &AccountView,
706) -> ProgramResult {
707    let mut data = E::DISCRIMINATOR.to_vec();
708    data.extend(event.serialize());
709 
710    // CPI to self with event_authority as signer
711    pinocchio::program::invoke(
712        &Instruction { program_id: &crate::ID, accounts: &[...], data: &data },
713        &[event_authority, program],
714    )
715}
716```
717 
718### EmitEvent Processor
719 
720Add a dedicated discriminator (conventionally `228`) that validates the event authority and does nothing else:
721 
722```rust
723// In entrypoint routing:
724Some((228, _)) => {
725    if !accounts.iter().any(|a| a.address() == &event_authority && a.is_signer()) {
726        return Err(ProgramError::MissingRequiredSignature);
727    }
728    Ok(()) // no-op, data is read off-chain from instruction data
729}
730```
731 
732## Testing
733 
734Use Mollusk or LiteSVM for fast Rust-based testing:
735 
736```rust
737#[cfg(test)]
738pub mod tests;
739 
740// Run with: cargo test-sbf
741```
742 
743See [testing.md](../testing.md) for detailed testing patterns with Mollusk and LiteSVM.
744 
745## Build & Deployment
746 
747### Build Validation
748 
749After `cargo build-sbf`:
750 
751- [ ] Check .so file size (>1KB, typically 5-15KB for Pinocchio programs)
752- [ ] Verify file type: `file target/deploy/program.so` should show "ELF 64-bit LSB shared object"
753- [ ] Test regular compilation: `cargo build` should succeed
754- [ ] Run tests: `cargo test` should pass
755 
756### Dependency Compatibility Issues
757 
758**If SBF build fails with "edition2024" errors:**
759 
760```bash
761# Downgrade problematic dependencies to compatible versions
762cargo update base64ct --precise 1.6.0
763cargo update constant_time_eq --precise 0.4.1
764cargo update blake3 --precise 1.5.5
765```
766 
767**When to apply**: Only when encountering Cargo "edition2024" errors during `cargo build-sbf`. These downgrades resolve toolchain compatibility issues while maintaining functionality.
768 
769**Note**: These specific versions were tested and verified to work with current Solana toolchain. Regular `cargo update` may pull incompatible versions.
770 
771## Security Checklist
772 
773### Account Validation
774- [ ] Validate account owners with `verify_owned_by` in `TryFrom`
775- [ ] Check signer status with `verify_signer`
776- [ ] Enforce writable/read-only with `verify_writable` / `verify_readonly`
777- [ ] Validate program IDs before CPIs (prevent arbitrary CPI)
778- [ ] Check for duplicate mutable accounts
779 
780### PDA Safety
781- [ ] Derive canonical bump with `find_program_address` at init — never trust user-supplied bumps
782- [ ] Store canonical bump in account data and validate on every use via `PdaAccount::validate_self`
783- [ ] Only transfer the lamport deficit on init — not the full rent amount (lamport griefing)
784 
785### Sysvars (Pinocchio has no implicit validation)
786- [ ] Use `Clock::get()?` and `Rent::get()?` — never accept sysvars as passed-in accounts
787 
788### Data & Arithmetic
789- [ ] Use `require_len!` before parsing instruction data
790- [ ] Use checked math (`checked_add`, `checked_sub`, etc.)
791 
792### Account Lifecycle
793- [ ] Close accounts with `account.close()` — this transfers ownership back to the system program
794- [ ] Discriminator check on every read prevents type cosplay attacks
795