fix(7702): revert BatchExecutor address — prior deploy was the spike contract#194
Merged
Merged
Conversation
… not the hardened contract PR #193 wired 0x97b99a4ac0BDA988B4c9C6BA1398deB22a577be4 as the production BatchExecutor. Bytecode comparison after the merge shows that address holds the SPIKE contract from contracts-spike/src/BatchExecutor.sol (deployedBytecode 1535 chars), NOT the hardened production contract at contracts/src/BatchExecutor.sol (1783 chars). The spike lacks: - onlySelf modifier (msg.sender == address(this)) — without this, anyone can call execute() on a delegated EOA and run arbitrary calls in its context. - ReentrancyGuard from OpenZeppelin. - EmptyBatch guard. Source comment on the spike literally says "SPIKE-ONLY. NOT for mainnet deployment with user funds." Risk of the prior PR landing as-is: zero today, because the saga7702 path is gated off behind StatsigFeatureGates.WRI_DOLLARS_SPEND_7702_V1 (default false), but flipping Phase 1 dogfood with the spike wired would have exposed internal IDs to anyone-can-execute. Restoring the zero-address placeholder. A follow-up commit lands a contracts/script/DeployBatchExecutor.s.sol that targets the hardened source, and once the user runs it with their deploy key we re-wire to that address.
This was referenced Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TL;DR
Prior PR #193 wired
0x97b99a4ac0BDA988B4c9C6BA1398deB22a577be4as the production BatchExecutor on Celo mainnet. Bytecode comparison after the merge shows that address is the SPIKE contract, not the hardened production contract.This PR reverts
BATCH_EXECUTOR_ADDRESS_CELOto the zero-address placeholder until we deploy the real hardened contract.What I found
0x97b99a4ac0BDA988B4c9C6BA1398deB22a577be4contracts-spike/src/BatchExecutor.sol(SPIKE, "NOT for mainnet")contracts/src/BatchExecutor.sol(hardened production)The deploy script
contracts-spike/script/DeployBatchExecutor.s.solimports../src/BatchExecutor.sol, which is the spike source. No broadcast log exists forcontracts/.What the spike contract is missing
onlySelfmodifier (msg.sender == address(this)) — without it, anyone can callexecute()on a delegated EOA and run arbitrary calls in its context.ReentrancyGuardfrom OpenZeppelin.EmptyBatchrevert.Source comment on the spike literally says: "SPIKE-ONLY. NOT for mainnet deployment with user funds."
Risk
Zero today. The saga7702 path is gated off behind
StatsigFeatureGates.WRI_DOLLARS_SPEND_7702_V1(defaults to false), so no users delegate to anything. But flipping Phase 1 dogfood with the spike wired would have exposed internal IDs.Next steps
contracts/script/DeployBatchExecutor.s.solthat targets the hardened source. (Follow-up PR.)forge scriptwith the production deploy key.Test plan
yarn build:tscleanyarn lintcleanyarn test src/web3 src/dollarsSpend/saga7702(45/45 pass)