Fix audit findings in EVM Cadence contract

[joshuahannan]

Summary

Security and quality audit fixes for fvm/evm/stdlib/contract.cdc:

• Fix dead variable and redundant borrow in validateCOAOwnershipProof: replaced nil-check + force-unwrap pattern with if let, and captured coaRef.address().bytes into a single binding rather than calling address() twice.
• Fix Balance.isZero() missing view annotation: allows use in view contexts and pre-conditions.
• Remove redundant isPaused() pre-condition from CadenceOwnedAccount.deposit: the delegated call to EVMAddress.deposit already enforces the pause guard.
• Simplify CadenceOwnedAccount.balance(): call InternalEVM.balance directly instead of constructing an intermediate EVMAddress struct.
• Remove incorrect @return docs on initAddress and CadenceOwnedAccount.deposit (both said "returns the token decimals of the ERC20").
• Add docs to encodeABI and decodeABI.
• Document setupHeartbeat access(all) rationale: explains why public access is safe (idempotency enforced by storage path collision).
• Document dry-run pause exemption on dryRun: clarifies that dry-run functions intentionally bypass the pause guard since they perform no state mutations.
• Fix typo: "Etherem" → "Ethereum" in file-level comment.
• Fix stale docs link: update /evm/about → /build/evm/how-it-works.

Summary by CodeRabbit

• Bug Fixes

  • Optimized EVM balance computation; made EVM.Balance.isZero() a read-only view; removed pause guard from CadenceOwnedAccount.deposit().

• Documentation

  • Added EVM contract security audit report; expanded docs for dry-run, ABI encode/decode, ownership proof validation, and heartbeat behavior.

• Tests

  • Updated bootstrap test fixtures and genesis state-commitment constants.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 43afd43.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updated the EVM Cadence stdlib contract (docs, ABI helpers, COA validation, pause guards, and a small API purity change) and replaced hardcoded genesis/state-commitment hexes used by bootstrap tests and unit-test utilities. (26 words)

Changes

Cohort / File(s)	Summary
EVM Cadence contract fvm/evm/stdlib/contract.cdc	Documentation fixes and expansions (typo, external link, encode/decode ABI docs, dryRun, setupHeartbeat). Changed EVM.Balance.isZero() to view fun; CadenceOwnedAccount.balance() now uses InternalEVM.balance(address: self.addressBytes); removed pre { !EVM.isPaused() } from CadenceOwnedAccount.deposit; refactored validateCOAOwnershipProof borrow/return logic and simplified error messages.
Bootstrap tests engine/execution/state/bootstrap/bootstrap_test.go	Updated expected state commitment hex literals in two bootstrap tests to new precomputed values.
Unit test utils utils/unittest/execution_state.go	Replaced GenesisStateCommitmentHex and updated genesisCommitHexByChainID return values for flow.Testnet and default cases.
New audit report fvm/evm/stdlib/REPORT.md	Added security audit report for fvm/evm/stdlib/contract.cdc listing findings (two open low-severity items) and remediation suggestions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• [FVM] Expose transaction index to Cadence #8252 — modifies the same bootstrap test expected state commitment hex literals and genesis constants.
• [Flow EVM] Handle empty RLP list in Cadence Arch verifyCOAOwnershipProof() #8361 — touches COA ownership-proof verification and error/guard handling related to the Cadence-side refactor.
• [Flow EVM] Check for integer overflow when reading ABI encoded bytes #8357 — addresses ABI decoding/bounds checks that align with the ABI docs and decode behavior changes here.

Suggested labels

Improvement, Flow EVM

Suggested reviewers

• janezpodhostnik
• zhangchiqing
• fxamacker

Poem

🐰 I hopped through bytes and docs with glee,
Tuned guards, fixed links, and balanced a tree,
I nudged a view here, smoothed a borrow there,
Updated hashes, tests, and left a tiny hare-care,
Carrots poured in CI — a gentle, joyful spree.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: applying audit findings fixes to the EVM Cadence contract, which is the primary objective evident from the raw summary.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch josh/evm-contract-security-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
utils/unittest/execution_state.go	0.00%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@fvm/evm/stdlib/contract.cdc`:
- Around line 1088-1110: The error message concatenation in the COA ownership
mismatch branch concatenates "EVM.validateCOAOwnershipProof(): Cannot validate
COA ownership." with "The provided evm address..." resulting in "ownership.The"
without a space; update the string used in the first ValidationResult (inside
the if let coaRef borrow branch) so there is a trailing space (or include a
leading space in the concatenated string) before concatenation—locate the
ValidationResult construction that returns isValid: false in the COA address
bytes loop (using coaRef, coaAddressBytes, evmAddress) and add the missing
whitespace to the concatenated message.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: abff165d-e6d8-4024-99f2-db1f22ed1124

📥 Commits

Reviewing files that changed from the base of the PR and between 9596707 and bb521c5.

📒 Files selected for processing (1)

• fvm/evm/stdlib/contract.cdc

[coderabbitai]

♻️ Duplicate comments (1)

fvm/evm/stdlib/contract.cdc (1)

1095-1096: ⚠️ Potential issue | 🟡 Minor

Add the missing space in the COA mismatch message.

These literals still concatenate as ownership.The, so the returned problem string reads awkwardly.

✏️ Suggested fix

-                        problem: "EVM.validateCOAOwnershipProof(): Cannot validate COA ownership."
-                                 .concat("The provided evm address does not match the account's COA address.")
+                        problem: "EVM.validateCOAOwnershipProof(): Cannot validate COA ownership. "
+                                 .concat("The provided evm address does not match the account's COA address.")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fvm/evm/stdlib/contract.cdc` around lines 1095 - 1096, The problem string
concatenation in EVM.validateCOAOwnershipProof() produces "ownership.The"
because there's no space between the two literals; update the concatenation
around the variable/problem construction (the `problem` assignment in
EVM.validateCOAOwnershipProof) to include a space either at the end of the first
literal ("EVM.validateCOAOwnershipProof(): Cannot validate COA ownership. ") or
at the start of the second literal (" The provided evm address...") so the final
message reads correctly.

🧹 Nitpick comments (1)

fvm/evm/stdlib/contract.cdc (1)

928-930: Clarify the bytes mapping example.

This contract already defines EVMBytes/EVMBytes4/EVMBytes32 as the Cadence-side byte wrappers. Showing [UInt8] → bytes here is confusing unless raw [UInt8] is intentionally supported too.

✏️ One possible doc fix

-    /// corresponding Solidity types (e.g. UInt256 → uint256, [UInt8] → bytes).
+    /// corresponding Solidity types (e.g. UInt256 → uint256, EVMBytes → bytes).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fvm/evm/stdlib/contract.cdc` around lines 928 - 930, The documentation
comment that maps Cadence types to Solidity types is ambiguous about bytes;
update the example to reference the Cadence EVM byte wrapper types (EVMBytes,
EVMBytes4, EVMBytes32) instead of showing [UInt8] → bytes, or explicitly state
if raw [UInt8] arrays are also supported; edit the comment near the ABI encoding
routine so it reads something like: Cadence EVMBytes / EVMBytes4 / EVMBytes32
map to Solidity bytes/bytes4/bytes32 (or, if raw [UInt8] is supported, add a
sentence clarifying that [UInt8] will be accepted and converted to EVMBytes).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@fvm/evm/stdlib/contract.cdc`:
- Around line 1095-1096: The problem string concatenation in
EVM.validateCOAOwnershipProof() produces "ownership.The" because there's no
space between the two literals; update the concatenation around the
variable/problem construction (the `problem` assignment in
EVM.validateCOAOwnershipProof) to include a space either at the end of the first
literal ("EVM.validateCOAOwnershipProof(): Cannot validate COA ownership. ") or
at the start of the second literal (" The provided evm address...") so the final
message reads correctly.

---

Nitpick comments:
In `@fvm/evm/stdlib/contract.cdc`:
- Around line 928-930: The documentation comment that maps Cadence types to
Solidity types is ambiguous about bytes; update the example to reference the
Cadence EVM byte wrapper types (EVMBytes, EVMBytes4, EVMBytes32) instead of
showing [UInt8] → bytes, or explicitly state if raw [UInt8] arrays are also
supported; edit the comment near the ABI encoding routine so it reads something
like: Cadence EVMBytes / EVMBytes4 / EVMBytes32 map to Solidity
bytes/bytes4/bytes32 (or, if raw [UInt8] is supported, add a sentence clarifying
that [UInt8] will be accepted and converted to EVMBytes).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 517fb23f-5b51-4710-9d6c-935fd32362ad

📥 Commits

Reviewing files that changed from the base of the PR and between bb521c5 and e29a7fd.

📒 Files selected for processing (1)

• fvm/evm/stdlib/contract.cdc

[turbolent]

Nice!

[m-Peter]

How come the pre check here is removed? This will allow EVM state-change, allowing funds to enter Flow EVM, but the withdraw function below still has the pre check. Note that COA.deposit & COA.withdraw do create EVM.TransactionExecuted events, which means that an EVM state-change occurred.

[m-Peter]

My bad, just missed the comment in the PR description:

Remove redundant isPaused() pre-condition from CadenceOwnedAccount.deposit: the delegated call to EVMAddress.deposit already enforces the pause guard.

[m-Peter]

Good addition 👍

[m-Peter]

Do we still need the String.concat here? Not related to the PR, but it's a good opportunity to update it.

[joshuahannan]

Good catch! I'll change that

[m-Peter]

Do we still need the String.concat here? Not related to the PR, but it's a good opportunity to update it.

[m-Peter]

LGTM!