Fix CRITICAL/HIGH/MEDIUM issues from round 4 audit #6
Merged
CRITICAL fixes:
- internet-identity: Remove .unwrap() on StableCell::init() (v0.7 returns Self not Result)
- icrc-ledger: Convert icp.json config to icp.yaml (icp-cli uses YAML)
- wallet: Fix create_canister → create_canister_with_extra_cycles, fix cycles API paths
- evm-rpc: Add deprecation note on call_with_payment128 import path

HIGH fixes:
- ckbtc: Add transient to actor refs, remove stub getBalance that returned 0
- evm-rpc: Fix CustomRpcService.headers type (struct not tuple), fix transactions_root optionality
- asset-canister: Fix AssetManager import to @dfinity/assets (not yet migrated to @icp-sdk)
- icrc-ledger: Fix --storage-mode flag to --storage
- wallet: Add missing wasm_memory_threshold field to CanisterSettings

MEDIUM fixes:
- internet-identity: new HttpAgent() → HttpAgent.create() for @icp-sdk/core v5
- asset-canister: new HttpAgent() → HttpAgent.create()
- vetkd: Fix stale dfinity/examples reference, update @dfinity/vetkeys to @icp-sdk/vetkeys
- sns-launch: Add missing [package] and [lib] sections to Cargo.toml
marc0olo added a commit that referenced this pull request Feb 27, 2026
The "Frontend — Safe Agent Configuration" section used the deprecated @dfinity/agent package and is out of scope for a canister security skill. The fetchRootKey warning remains in pitfall #6.
Summary
Round 4 of multi-agent verification audit found and fixed issues across 8 skills.
CRITICAL (4 fixes):
- StableCell::init().unwrap() won't compile with ic-stable-structures 0.7 (returns Self not Result)
- icp.json (JSON) but icp-cli uses icp.yaml (YAML)
- create_canister called with wrong signature; needs create_canister_with_extra_cycles
- msg_cycles_available128 → msg_cycles_available)

HIGH (5 fixes):
- transient on actor references (upgrade failure), removed stub getBalance that returned hardcoded 0
- CustomRpcService.headers used tuple instead of struct, transactions_root incorrectly Option
- AssetManager import reverted to @dfinity/assets (not yet migrated to @icp-sdk)
- --storage-mode=plaintext → --storage plaintext (icp-cli flag)
- CanisterSettings missing wasm_memory_threshold field

MEDIUM (4 fixes):
- new HttpAgent() → HttpAgent.create() for @icp-sdk/core v5
- dfinity/examples reference, @dfinity/vetkeys → @icp-sdk/vetkeys
- [package] and [lib] to Cargo.toml

Test plan
- npm run build passes