fix: validate transaction calls before co-signing as fee payer #64
Closed
brendanjryan wants to merge 2 commits into feat/full-fee-payer-support from
- Add _validate_cosign_calls() to reject transactions that don't match the charge request (currency, recipient, amount, selector) before the server co-signs them. Prevents the fee payer from being used as an open gas relay.
- Move attrs import to top-level in client.py and intents.py (hard dep).
- Add 11 tests: cosign roundtrip, malformed input rejection, call validation (wrong currency/amount/recipient), and fee_payer propagation through tempo() factory.
Stacked on #62.
Problem
_cosign_as_fee_payer() would co-sign any valid 0x76 transaction without verifying the call target, selector, amount, or recipient. An attacker could submit a sender-signed tx targeting any contract and the server would sponsor it.
Changes
Security fix
- _validate_cosign_calls() that checks decoded transaction calls match the charge request (currency, recipient, amount, selector, memo) before the server co-signs
- ChargeRequest through to _cosign_as_fee_payer()
Cleanup
- import attrs to top-level in both client.py and intents.py (hard dependency, was imported inline)
Tests (11 new)
- TestCosignAsFeePayer: roundtrip co-signing, wrong tx type rejection, malformed hex rejection, no fee payer configured, wrong currency/amount/recipient rejection, matching request acceptance
- TestFeePayerPropagation: fee_payer propagation via _method backlink, default None, standalone None
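An added illustration of the pre-co-sign check this PR describes, written for this page and not taken from the project: the ChargeRequest and DecodedCall shapes, their field names, the check_cosign_calls/validate_cosign_calls names and the rule that a sponsored transaction carries exactly one call are all assumptions, since the PR shows no code.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed stand-ins for the project's ChargeRequest and decoded-call types (their
# real fields are not shown); the fields are the five values the PR says must match.
@dataclass(frozen=True)
class ChargeRequest:
    currency: str              # token contract the payment must go through
    recipient: str             # address that must receive the funds
    amount: int                # exact amount in base units
    selector: str              # 4-byte function selector as hex
    memo: Optional[bytes] = None

@dataclass(frozen=True)
class DecodedCall:
    to: str                    # contract the call targets
    selector: str
    recipient: str             # decoded recipient argument
    amount: int                # decoded amount argument
    memo: Optional[bytes] = None

class CosignValidationError(ValueError):
    """Raised when a sender-signed tx does not match its charge request."""

def check_cosign_calls(calls: Sequence[DecodedCall], req: ChargeRequest) -> Tuple[bool, str]:
    """Return (ok, reason). Assumes a sponsored tx carries exactly one call;
    any extra call would let unrelated work ride on the fee payer."""
    if len(calls) != 1:
        return False, f"expected exactly 1 call, got {len(calls)}"
    call = calls[0]
    # Hex addresses and selectors are compared case-insensitively so checksum
    # casing can neither fail nor pass a check on its own.
    checks = (
        ("currency", call.to.lower(), req.currency.lower()),
        ("selector", call.selector.lower(), req.selector.lower()),
        ("recipient", call.recipient.lower(), req.recipient.lower()),
        ("amount", call.amount, req.amount),
        ("memo", call.memo, req.memo),
    )
    for name, got, want in checks:
        if got != want:
            return False, f"{name} mismatch: tx has {got!r}, charge expects {want!r}"
    return True, "ok"

def validate_cosign_calls(calls: Sequence[DecodedCall], req: ChargeRequest) -> None:
    """Gate to call before co-signing; raises so a caller cannot ignore the result."""
    ok, reason = check_cosign_calls(calls, req)
    if not ok:
        raise CosignValidationError(reason)
```

Because the error names the first mismatching field, a rejected co-sign request can be logged with enough context to tell a malformed client from an attempt to use the fee payer as a gas relay.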