SuperPaymaster v5.3.3-beta.3 — Security Hotfix
Pre-release
SuperPaymaster v5.3.3-beta.3
Security-only hotfix on top of beta.2. Deploys on Sepolia, all proxy addresses unchanged.
Security Fixes (2 High severity)
H-1 — Credit ceiling bypass in debt-fallback path
When postOp cannot burn xPNTs (user drained balance mid-UserOp), it falls back to debt recording. Before beta.3, the fallback path had no credit limit check — attackers could accumulate unlimited operator debt. Fixed: fallback now enforces existingDebt + pendingDebts + bill ≤ creditLimit. Over-ceiling users are auto-blocked (DVT/BLS unlock only).
H-2 — xPNTs emergency switch bypass in transferFrom
xPNTsToken.transferFrom() with to == msg.sender (self-pull/facilitator path) bypassed both emergencyDisabled and daily rate-limit. Fixed: self-pull path now goes through full emergency + rate-limit check. SP carve-out (to == SUPERPAYMASTER_ADDRESS) preserved.
What's unchanged
- All proxy addresses (SuperPaymaster, Registry) — no SDK update needed for hot path
- All beta.2 features: gasless, human+agent sponsorship, credit/debt, MicroPaymentChannel, x402
Config change (community operators only)
xPNTsFactory redeployed (EIP-1167 clones cannot upgrade in-place):
0xC4f5A121... → 0xc312CAFcb49dFe3aB76bFB2F3e37CaEdBa65ccd9
Deployed addresses (Sepolia)
| Contract | Address |
|---|---|
| SuperPaymaster proxy | 0xFb090E82bD041C6e9787eDEbE1D3BE55b3c7266a |
| SuperPaymaster impl | 0xEB2C9Cb434682FB1F3A6B3036358eA10C23Db981 |
| Registry proxy | 0xB5Fb8920F7AcD8b395934bd1F21222b32A30eF1A |
| xPNTsFactory | 0xc312CAFcb49dFe3aB76bFB2F3e37CaEdBa65ccd9 |
Audit status
8 total fixes across beta.2 + beta.3 (2 Critical + 6 High). All Codex-reviewed.
Full report: docs/audit/comprehensive-audit-2026-06-11.md