fix redirects whitelist
User-wallet phases (moneriumOnrampMint, SELL squidRouterApprove/Swap,
squidRouterNoPermit{Approve,Swap,Transfer}) previously fell through
validatePresignedTxs via 'continue', which allowed a malicious client to
attach an unrelated presigned tx labeled with one of these phase names
without any content validation. Flip the skip to a BAD_REQUEST reject and
direct integrators to submit only the on-chain tx hash via additionalData.

Add verifyUserSubmittedTxByHash helper that resolves the receipt and
transaction by hash, then binds receipt.from, tx.to, tx.input, tx.value to
the server-issued unsigned payload (blueprint.signer + blueprint.txData).

Refactor squidrouter-permit-execution-handler.waitForUserHash to delegate
to the helper, and add verifyUserSubmittedSquidHashes at the top of
FundEphemeralPhaseHandler.executePhase so SELL standard EVM offramps
verify squidRouterApprove + squidRouterSwap on-chain before any ephemeral
funding occurs. This closes the F-041 gap where SELL squid hashes were
neither validated as presigned txs nor verified at runtime.

Update validation.test.ts: replace 3 skip-tests with 5 reject-tests
covering each user-wallet phase, plus a positive test confirming BUY
squidRouterSwap still validates as ephemeral-signed. All 50 validation
tests pass.

Update docs/security-spec/03-ramp-engine/transaction-validation.md to
document the two-layer model (reject + by-hash verification), mark F-041
as MITIGATED, and add a threat row for user-wallet phase presigned-tx
smuggling.
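
The by-hash binding described in the commit message above, as an added TypeScript sketch that is not the project's code and not part of the commit. The type names, `checkTxAgainstBlueprint`, the hex-quantity encoding of `value`, the receipt status check and all sample values are assumptions made for illustration.

```typescript
// Added illustration: names and sample values are hypothetical, not the project's code.
interface Blueprint { signer: string; txData: { to: string; data: string; value: string } }
interface ChainTx { hash: string; to: string | null; input: string; value: string }
interface ChainReceipt { transactionHash: string; from: string; status: "success" | "reverted" }

const lc = (h: string): string => h.toLowerCase();
// Canonical hex quantity: no 0x prefix, no leading zeros ("0x00" and "0x0" both become "0").
const qty = (h: string): string => lc(h).replace(/^0x/, "").replace(/^0+(?=.)/, "");

// Returns the list of binding failures; an empty list means the mined tx is the issued one.
function checkTxAgainstBlueprint(bp: Blueprint, tx: ChainTx, rc: ChainReceipt): string[] {
  const errors: string[] = [];
  // Assumption beyond the page: receipt and tx share one hash, and the tx did not revert.
  if (lc(rc.transactionHash) !== lc(tx.hash)) errors.push("receipt/tx hash mismatch");
  if (rc.status !== "success") errors.push("tx reverted");
  // The four bindings named in the commit message.
  if (lc(rc.from) !== lc(bp.signer)) errors.push("from mismatch");
  // tx.to is null for contract creation, which can never match an issued call.
  if (tx.to === null || lc(tx.to) !== lc(bp.txData.to)) errors.push("to mismatch");
  if (lc(tx.input) !== lc(bp.txData.data)) errors.push("input mismatch");
  if (qty(tx.value) !== qty(bp.txData.value)) errors.push("value mismatch");
  return errors;
}

// Constructed sample data (not real addresses, hashes or calldata).
const USER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const APPROVE = "0x095ea7b3"
  + "0000000000000000000000003333333333333333333333333333333333333333"
  + "0000000000000000000000000000000000000000000000000000000000000064";
const BLUEPRINT: Blueprint = { signer: USER, txData: { to: TOKEN, data: APPROVE, value: "0x0" } };
const receiptFor = (hash: string, from: string): ChainReceipt =>
  ({ transactionHash: hash, from, status: "success" });

// The issued approve as mined; value is encoded differently but is numerically equal.
const ISSUED_TX: ChainTx = { hash: "0xaa01", to: TOKEN, input: APPROVE, value: "0x00" };
// A successful tx from the same wallet that is unrelated to the issued payload.
const UNRELATED_TX: ChainTx = {
  hash: "0xbb02", to: "0x4444444444444444444444444444444444444444", input: "0xa9059cbb", value: "0x0",
};

function demo(): { issued: string[]; unrelated: string[]; wrongSender: string[] } {
  const other = "0x5555555555555555555555555555555555555555";
  return {
    issued: checkTxAgainstBlueprint(BLUEPRINT, ISSUED_TX, receiptFor("0xaa01", USER)),
    unrelated: checkTxAgainstBlueprint(BLUEPRINT, UNRELATED_TX, receiptFor("0xbb02", USER)),
    wrongSender: checkTxAgainstBlueprint(BLUEPRINT, ISSUED_TX, receiptFor("0xaa01", other)),
  };
}
```

A submitted hash is accepted only when the list is empty, so a genuine transaction that merely carries the right phase label fails on `to` and `input`.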
The literal-string override widened verifyingContract from EvmAddress
(`0x${string}`) back to plain string, breaking TypedDataDomain
assignability. Narrow the literal to the branded hex type, which is the
canonical pattern for hex-string types in viem/ethers (already used a few
lines below for sig.r / sig.s).
Server-issued unsigned txs with maxPriorityFeePerGas:'0' (or other zero minimums) were rejected when the signer produced a legacy/type-0 tx with only gasPrice, blocking BRL->USDT onramp updateRamp. A zero minimum means 'no constraint', so a missing field is acceptable; only reject if a concrete value is strictly below the minimum. Non-zero minimums still require the field to be present and meet the bound.
…UntilTrue timeout, SSL cert validation, seed phrase, cleanup phase label
Agent-Logs-Url: https://github.com/pendulum-chain/vortex/sessions/57d9c30a-ecbd-4c12-b598-95ed6c21e347
Co-authored-by: ebma <6690623+ebma@users.noreply.github.com>
…-audit Create spec and security audit
No description provided.