Skip to content

fix(abi): add missing ABI validation in argument encoder#22529

Merged
vezenovm merged 1 commit intonextfrom
claudebox/9a3d10cc66fed7fd-2
Apr 16, 2026
Merged

fix(abi): add missing ABI validation in argument encoder#22529
vezenovm merged 1 commit intonextfrom
claudebox/9a3d10cc66fed7fd-2

Conversation

@AztecBot
Copy link
Copy Markdown
Collaborator

@AztecBot AztecBot commented Apr 14, 2026
edited by benesjan
Loading

Summary

Adds missing ABI enforcement in the ArgumentEncoder that allowed invalid inputs to be silently accepted during simulation via aztec.js.

Fixes

  • Fixed-size arrays: Oversized arrays were silently truncated (e.g., passing 5 elements for [Field; 2] would encode only the first 2). Now throws if array length doesn't match exactly.
  • Strings: Strings longer than the declared length were silently truncated. Now throws if string exceeds max length.
  • Top-level argument count: Extra arguments were silently ignored. Now throws if argument count doesn't match parameter count.
  • Integer overflow: Values outside the valid range for the declared width were accepted without error. Now validates unsigned values fit in [0, 2^width - 1] and signed values fit in [-2^(width-1), 2^(width-1) - 1].
  • Array type guard: Non-array values passed for array parameters now get a clear error instead of a cryptic runtime failure.

Context

BoundedVec already had proper length validation — these checks bring fixed-size arrays, strings, integers, and top-level args to the same standard.

ClaudeBox log: https://claudebox.work/s/9a3d10cc66fed7fd?run=2

Fixes #12221

@AztecBot AztecBot added ci-draft Run CI on draft PRs. claudebox Owned by claudebox. it can push to this PR. labels Apr 14, 2026
@ledwards2225 ledwards2225 mentioned this pull request Apr 14, 2026
Closed
@vezenovm vezenovm changed the title fix(stdlib): add missing ABI validation in argument encoder fix(abi): add missing ABI validation in argument encoder Apr 14, 2026
@vezenovm vezenovm force-pushed the claudebox/9a3d10cc66fed7fd-2 branch 6 times, most recently from 157ff25 to 0134d7b Compare April 14, 2026 20:27
@vezenovm vezenovm marked this pull request as ready for review April 14, 2026 20:53
@vezenovm vezenovm requested review from benesjan and nventuro April 14, 2026 20:53
benesjan
benesjan approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@benesjan benesjan left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great. Thanks for cleaning our mess!

Just please wait for Jean's response before merging - would be nice to get a confirmation that the AVM truncation thingy is tested.

(Unrelated but we also got very lucky that AI matured fast enough for us to not have to suffer through this tech debt now. So in hindsight being sloppy a few years ago and move fast seemed to have been a good strategy)

Comment thread yarn-project/bb-prover/src/avm_proving_tests/avm_check_circuit1.test.ts Outdated
Comment thread yarn-project/end-to-end/src/e2e_blacklist_token_contract/minting.test.ts
Comment thread yarn-project/end-to-end/src/e2e_blacklist_token_contract/minting.test.ts Outdated
Comment thread yarn-project/end-to-end/src/e2e_blacklist_token_contract/minting.test.ts Outdated
Comment thread yarn-project/end-to-end/src/e2e_token_contract/minting.test.ts Outdated
Comment thread yarn-project/end-to-end/src/e2e_token_contract/minting.test.ts
Comment thread yarn-project/simulator/src/public/fixtures/bulk_test.ts
Comment thread yarn-project/simulator/src/public/fixtures/bulk_test.ts
@vezenovm vezenovm force-pushed the claudebox/9a3d10cc66fed7fd-2 branch from 0134d7b to b882037 Compare April 16, 2026 14:39
@vezenovm vezenovm enabled auto-merge April 16, 2026 14:40
@vezenovm vezenovm added this pull request to the merge queue Apr 16, 2026
Merged via the queue into next with commit 499dcde Apr 16, 2026
20 checks passed
@vezenovm vezenovm deleted the claudebox/9a3d10cc66fed7fd-2 branch April 16, 2026 15:34
@AztecBot
Copy link
Copy Markdown
Collaborator Author

AztecBot commented Apr 16, 2026

❌ Failed to cherry-pick to v4-next due to conflicts. (🤖) View backport run.

AztecBot pushed a commit that referenced this pull request Apr 16, 2026
@vezenovm @AztecBot
cherry-pick: fix(stdlib): add missing ABI validation in argument enco…
f0e3778 
…der (from PR #22529)

Cherry-pick of b882037 with conflicts preserved for review.
@AztecBot AztecBot mentioned this pull request Apr 16, 2026
Merged
3 tasks
vezenovm added a commit that referenced this pull request Apr 20, 2026
@vezenovm
fix(abi): add missing ABI validation in argument encoder (backport #2…
d0bc8ec 
…2529) (#22608)

## Summary

Backport of #22529
to v4-next.

Adds missing ABI enforcement in the `ArgumentEncoder` that allowed
invalid inputs to be silently accepted during simulation via aztec.js:

- **Fixed-size arrays**: Oversized/undersized arrays were silently
truncated. Now throws if array length doesn't match.
- **Strings**: Strings longer than declared length were silently
truncated. Now throws if string exceeds max length.
- **Top-level argument count**: Extra arguments were silently ignored.
Now throws if argument count doesn't match.
- **Integer overflow**: Values outside valid range for declared width
were accepted without error. Now validates ranges.
- **Array type guard**: Non-array values for array parameters now get a
clear error.

## Cherry-pick conflict

One conflict in `e2e_ha_full.test.ts` — the incoming commit included a
"should reload keystore" test block from a different PR not present on
v4-next. Resolved by dropping the unrelated test block.

## Test plan

- [x] Encoder unit tests pass (34/34)
- [x] TypeScript compilation succeeds for changed packages
- [x] Verified Noir contract ABIs on v4-next match the updated test
arguments

ClaudeBox log: https://claudebox.work/s/49d536b7c0544efb?run=1
@AztecBot AztecBot mentioned this pull request Apr 20, 2026
Merged
Thunkar added a commit that referenced this pull request Apr 20, 2026
@Thunkar
chore: Accumulated backports to v4-next (#22666)
30ce825 
BEGIN_COMMIT_OVERRIDE
fix(abi): add missing ABI validation in argument encoder (backport
#22529) (#22608)
fix(pxe): verify private event commitment matches content (#22638)
feat!: kv-store on SQLite-wasm over OPFS (backport #22666)
END_COMMIT_OVERRIDE
@jeanmon jeanmon mentioned this pull request Apr 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benesjan benesjan benesjan approved these changes

@vezenovm vezenovm vezenovm left review comments

@jeanmon jeanmon jeanmon left review comments

@fcarreiro fcarreiro Awaiting requested review from fcarreiro fcarreiro is a code owner

@dbanks12 dbanks12 Awaiting requested review from dbanks12 dbanks12 is a code owner

@sirasistant sirasistant Awaiting requested review from sirasistant sirasistant is a code owner

@nventuro nventuro Awaiting requested review from nventuro

Assignees

No one assigned

Labels

backport-to-v4-next ci-draft Run CI on draft PRs. claudebox Owned by claudebox. it can push to this PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement overflow checks when encoding uint public function args

5 participants

@AztecBot @benesjan @vezenovm @jeanmon @nventuro