CPI (Cross-Program Invocation)

CPI — Cross-Program Invocation

CPI is the mechanism that lets one Solana program call another during execution. DEXes call the Token program to move funds, lending protocols call oracle programs for price reads, wallets call the System program to create accounts. Without CPI there would be no composable DeFi on Solana.

How it works

Program A prepares an instruction for program B (with accounts and data) and calls invoke() or invoke_signed(). The runtime executes B and returns the result to A. All account modifications are atomic — either the entire outer transaction succeeds or nothing does.

Depth limit

Solana allows only four nested CPI levels. A program can call another, which can call a third, and so on — but not arbitrarily deep. This protects against stack overflow and limits reentrancy risks.

Transfer-hook attack surface

With Token-2022 transfer hooks, CPI depth became a new attack surface. A malicious hook can intentionally exhaust CPI depth, so legitimate follow-up calls fail with CallDepthExceeded.

Cost

Every CPI call costs around 1,000 compute units of overhead. P-Token’s new batch instruction reduces this by bundling multiple token instructions into a single CPI call.

Deep dive

Pillar P-Token explained.