From 9480ee34bdb994744b08170b6de35ace2894b272 Mon Sep 17 00:00:00 2001
From: Charles-Edouard de la Vergne <charles-edouard.delavergne@ledger.fr>
Date: Thu, 18 Sep 2025 15:44:02 +0200
Subject: [PATCH 1/4] Align on reusable workflows

---
 .github/workflows/codeql_checks.yml | 33 +++--------------------------
 .github/workflows/python-client.yml | 30 +++++++++-----------------
 2 files changed, 13 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/codeql_checks.yml b/.github/workflows/codeql_checks.yml
index c243752be..1c89d5075 100644
--- a/.github/workflows/codeql_checks.yml
+++ b/.github/workflows/codeql_checks.yml
@@ -15,33 +15,6 @@ on:
 
 jobs:
   analyse:
-    name: Analyse
-    strategy:
-      fail-fast: false
-      matrix:
-        sdk: ["$NANOX_SDK", "$NANOSP_SDK", "$STAX_SDK", "$FLEX_SDK"]
-        # 'cpp' covers C and C++
-        language: ['cpp']
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest
-
-    steps:
-      - name: Clone
-        uses: actions/checkout@v4
-        with:
-          submodules: true
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language }}
-          queries: security-and-quality
-
-      # CodeQL will create the database during the compilation
-      - name: Build
-        run: |
-          make BOLOS_SDK=${{ matrix.sdk }}
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+    name: Call Ledger CodeQL analysis
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1
+    secrets: inherit
diff --git a/.github/workflows/python-client.yml b/.github/workflows/python-client.yml
index af2b57311..dd528fe07 100644
--- a/.github/workflows/python-client.yml
+++ b/.github/workflows/python-client.yml
@@ -19,28 +19,18 @@ on:
 
 jobs:
   lint:
-    name: Linting
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone
-        uses: actions/checkout@v4
-      - run: pip install flake8 flake8-pyproject
-      - name: Flake8 lint Python code
-        run: (cd client && flake8 src/)
-
-  mypy:
-    name: Type checking
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone
-        uses: actions/checkout@v4
-      - run: pip install mypy
-      - name: Mypy type checking
-        run: (cd client && mypy src/)
+    name: Call Ledger Python linters
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_python_checks.yml@v1
+    with:
+      run_linter: flake8
+      run_type_check: true
+      src_directory: src
+      setup_directory: client
+      req_directory: client
 
   package_and_deploy:
     name: Build and deploy the Ethereum client Python package
-    needs: [lint, mypy]
+    needs: [lint]
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1
     with:
       package_name: ledger_app_clients.ethereum
@@ -49,4 +39,4 @@ jobs:
       jfrog_deployment: false
       release: false
     secrets:
-      pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
+      pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}

From 25e86c2d7526e7e05d0ba6a793d105a694d60672 Mon Sep 17 00:00:00 2001
From: Charles-Edouard de la Vergne <charles-edouard.delavergne@ledger.fr>
Date: Thu, 18 Sep 2025 16:36:37 +0200
Subject: [PATCH 2/4] Update iotex icons

---
 glyphs/chain_4689_48px.gif     | Bin 1445 -> 287 bytes
 glyphs/chain_4689_64px.gif     | Bin 1450 -> 711 bytes
 icons/apex_app_chain_4689.gif  | Bin 1198 -> 199 bytes
 icons/flex_app_chain_4689.gif  | Bin 1337 -> 564 bytes
 icons/nanox_app_chain_4689.gif | Bin 1221 -> 1154 bytes
 icons/stax_app_chain_4689.gif  | Bin 1294 -> 435 bytes
 6 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/glyphs/chain_4689_48px.gif b/glyphs/chain_4689_48px.gif
index 3dce2761f39156d41958916f7273253e57a55095..8c93aad578ead6a5f519eb6889b4f30f65eac5b9 100644
GIT binary patch
literal 287
zcmV+)0pR{eNk%w1VK4wN0Pq0-00030|NkNR1ONa4001HX3rTHZXJt)cXK7<=4rgI)
zZDBnyE;KbXH8eE<EC2ui05AYB0008mjE||y?GK}DpxRrfHn{u!c;W{t<B63A%BElo
zTU$&6Q(Z^+6|~T9L!d%FS7ONUaWalm(kYY?I}4<+Cv8%XpDbtPts22wY_P|jhDTi6
zd8PKU+iz@~xg?R%`MRlWR+i;9CN{>lruTGcMOOI7*cgbX70Kf0x5$IpB@=e{=5(eA
z8YM{gX}H-($#(^)n%L^PgjxAnI4V0kIjcvw3b#6k>Pd>H1PS9<{KzT#NUVv|%v-(8
l3Oh~Ht4#qU`2#LeGVXn2u5z8MZW_}L>I^?mU*Avw06T-;exv{Z

literal 1445
zcmZ?wbhEHbG+;1b_{;zTOiWB7A|j%qqGDoV8X6j!nwr<HUAun$`pcIuU%h(u`t|F-
zfB*jf{~xTDLGdRGn4$QeyCSzhAtkXS5lH{HuP8`N&Q2{+NJ>r5%(GQ`zk9!uLS~As
zQn;zFfp39xYDT6<RZ(him0w75Rd%vvijuvZf=z`LP;YKYqC!P(PF}H9g{@LzN`6wR
z6_A~qT9T-*qySb?l5MNx2$E2U@C{IK&M!(;Fx4~DO*S;KP%yXDGc+?XFgDXsFfuT-
z)HkruH#F8YFtjo-vobYTfC42uo1&C7s~{IQs8v9otx`rwNr9EVetCJhUb$X=QM$gN
zr6te=BYh(yU7!Np;>tXr?{xEum6d>w1sULyTAW;zSx}OhpQliiW|f$fUs__Tq@?g4
z>Vez>xT$%?dSK7!CFkerS0onb8|oQ=JOuG+Zh@~aex<p&VAa5&C@u*~MYtBLxy2!s
z1*!T$sm1xFMaii^<;ozN3ap%qQWHz^i$e1Ab6`Ojkda@KU!0L&pkM@ak%ESAVsd64
zNJLW!sKeLS$}_LHBrz{J)zifmB%+s@nPO$)=4NJYU~Fz=Zf<Dk>Sk$S<YHm$=4|2O
z>f~r<=&bY~WE)VgOMY@`Zfaf$RBsAgtAPnly`Xde)|^_DS(cjOR+OKs0QRy~CQg?a
z7~(Ka392;()ggLFE-}KP)mcd&=oEcmv?9eaSOk)CKuk!21tv`(2cG0p^HToXDir}!
zG~@q&fB*dc_4CK~Z(qNB{`B#~`*&~Oyngla#q(!RpFDo_@WK6ickkT3b@Rsct5+^x
zx_IIIxwB_ZpE`Ns__3o$4j(#rVE?|odv@>Ixnujbty?y4+PGo;y0vRouUffc`Ld-;
z7B5=3VE(+hb7s$)Ib-^?sZ%CTnmD1queYbWtFxoMt+l1Osj;EHuC}JSs<NWIthA)K
zsIVYEFE=MUD>EZKEj1-MDKQ~FE;c4QDl#HGEHorIC@{d^&)3J>%hSW%&DF)($<e{y
z&eq1-%F@Ez%+$o#$k0GvPgh4<OH)H#O;tr%Nl`&wPF6-*N>V~xOjJZzNKk;EkC%s=
zi<5($osE@+nTe5sK?hVgfQl9dmVX;gdamAU@%rrU{|Op>DVg&!R;_zIN$1_6GH*qm
z=71BMw{bKkBpi6{8?*lC!8U0TK93t~$`0EmZb-cv>7&bbsA0ix-u}?Y1rhGsR<d4T
zJsfhH_2Gt}Efe=`_T@})a<R*DY*7udv?`S7V(JM}G2qmXvhJJWWi~@2HC?9BIaa2o
zQY0k2NNN!?r^3qEW!^Ds64q_lzFsVKhveEN((`*)Bvh>4b8NSqecfE4)a>&joDLml
zn#yArH6P?%#B|!k$8v7ulZi_XC@j<0zrgAj;5q&F_IpZuQ@$TfdL&<?HTQRM%jG?d
zm+h_`oVf1LnhM{Lmz;uc1?)0zx?L<RRzG)y&1UmG0TsbZk<uQrstX^a2~Jh))m50*
vUA*q3he=?DVTkGl4|~N0HJ_ZO2fUc5^1eqa_SBY@mzM`D_L3E3WUvMRe%2!N

diff --git a/glyphs/chain_4689_64px.gif b/glyphs/chain_4689_64px.gif
index 4757ffb26260d0915f54966904b8532a52535a05..c1fc2934c730d392857acce7cf0924577d1be5f8 100644
GIT binary patch
literal 711
zcmV;&0yzCgNk%w1VMYK(0P+9;6ciLID=SS+O?7p3o12^d{{8>}00000A^8LV00000
zA^!_WZDD6+O<`wgV`~m)VQp<;JuogbH8eFeH2^FC0000+07d`+1O8aL-2O1iNvpj$
z>&?6WU?`4cSrNn_1V9S}f`FPIvATHf$~2a;x?ph7qX>jZq@eg90FzK1fw?$FuR*30
z%gqI*CPH_d1CIvew95<<tKY=-+dF1+=B>cMHV%BAX?im#R#;0MZfXL1D2*t9P<9uA
zFOHTo1CT;~8faaMM~o?#jVf1%7+o*}rZ1w71(vNyUl^WIt0}Xtq?flss1=5+x~zpQ
zGQFdOnt2zAK><K|tko!)d6|~6*UQ*Jk`Tu_Folc6j@6;cjC<od7D>`EF*~p60Qc#R
z%`YcVt3Ux+G-VKqe9L<6=?5TO18C7eNqnRaO)_t!7&>I|{?3aEP>u+eVuf&2yL}Af
zNa%<opr}|PL6J-*%9<#a0D?hanCGG;deX|F*>kVjO<ELiv3SWWsI(oVj8@~Bl#8HP
z1)KsBv`?zBBvrALYqVnPxu`aG=?HsjMGPB&&WU{GRc#ImJnhi~>VlflQX|`ai)IAM
zxsT;yELEpMu+3t2;Z6AE<*<#t#|~S&wwd!5U=$!iO{-Ybs?ChkvC<e?iB!eN__RDL
z6|gRx8yWCCdm}cX*<Q~A#%Td(HWg2NW`Z%$Yqu0Qbw&^!5eJWSH;!n2)mupJ26=<{
zymn)?D|D2F*y=N$uR3H4uc-Vt<|aLCHjQV=pkK#uqJi$c79KJi444FL!Eu2I9xp8R
z6&K%0U|<vvTJ;BmIZfzH4H#<JLWJ~T2;m6Si3m;!>6w_rd?b3<2Z$Z0=mixDl=wz1
tG%k>08q(!hz>Zg3<s$^L1<AvZCtPM0BS<#s<daZFDdm(@R=Gd|06WM_GbaE5

literal 1450
zcmaJ>d3@7U94|O!jtPo@fSZJD0z=XyZId<`g|T*nAsslzDTg^;*U&bpX}WeB;>0P}
z7^t9|Tq1{-p#mb{xC9kB<Whuzaw%+1Hzz}sDOi)SPX6G-`y+Yp_kQ2s`Tf0NS(z4!
zNz<k2igntGL?V469Va+OLv}`C)c>F%As@rJfda80PY|te<BmNrB=A;vJmJ6`J{xce
z!wY3FrZ78~D|B-d4-Xj(4GPgAug?n<1`2sSqMr^~VTPAjK&yLAjKWZhisH7yL$wP?
z^J$Z001<i;;c$}$GE;h-G+{<^AY{OB3dJlaZbUGg#z>klL#+!|y~(_j&ar2<`ch9;
z*rg~w8byP_pgw5SOL88HQ<Q4MfEo;ls)6_mM1=_<qCY8W!4CYKEcg^b5+ThZ!%6|g
z3agRcPQmMQINA)0etk<qdQS49A;yQ|dJOe?wY*xi{Ynn_Ka9I-`*RC?0L=k@DIjw|
zRZoh7)!N<Lk*26dLywXLwJD6pE^z@b5S1*u6;^Nbyui~8XTi*z(TT8tBM}qp<Pa7o
zFvLkPCeBRo1c5P8J9opA8AI(DnSmSaHUo}lVibW>=_bNv!wp8WDvV;YM8Cp_9EkcB
zRNt*w?4DTKCId#1<XlPeL|HJ}B`K2MCHWwOT2QFJgW&{GlcZ=}x}CHg$U;8gGiAvO
zwUn6_?h*oPz%h=skO-iR05JjJL?{EpBNnHV!vJ78j>F(qJby>|ZqrnisA>43(a?m6
zB1p4|M9fYziC9RJ0byAVM*wFw5v&=*Ri47A8X~GO=ME-CMJheDZQER^hqlQAqB>5p
zIydbi|K7U!&)>~A{`&L!AJ>|${@(aoL;bJ6)cssrbLH|+KVG_c;rzKDzCU}W`t+&q
zPJa8%iQ~tP9{Kw4p@Rp$+W+MjpYPlI*`D3IcJ8S9bo;igpKSSf^QMg-efYtK%Jt#*
z-&?nK&FXhoy|Z$~@?}fkt|))&%_WQ9c>T3S3(FRi&Yw4T&g@rTDS3I;OT{nFd|^gW
zVL>REA5i@A^FB%Rdfd|mSDq8_9Lqd6ZR(WC&rX^+Vf?tUxnpvk89gf7G4kmVS;L2A
zX4q}%L(_%~whl_ADT|pTOh&Z<s2&;k)PR)!{rWzcoCNoQdOwkv@OZDDJs#`ct?Q#*
z9(lNPr-$M@#yuF@;eq>O?rYypr|Z)k)A9}t)V|uYq-!53T^K&x(0TQ;EobNVtlrre
zPo9r0ai$m6_F9uzRF&X4)caQTqU>vB$J$TlEtmF9NUB+kCC{tav?T55w6StxI(mi+
z)@>ecyD)Ek!MfeY-PcQR<zJXp=PDvb?7teYt!T;%)}G!r#x<_ToIq^(f&NX~E!AD>
zh`E+<k5wr(+t*^J$}76jdnc~%*0*ZdjpobKiMXQTs=9C-wUq96U`Ohb!-oRR118s}
zdS=AmtehP`>EM}gDKuqDR@gn?J*oRh!;$67x@7A+l%-4+6DwDg%{-c2Y3&q27M{3r
xu3>lSt}^e+WPd~brHv;WFK#V~+lzTZoqO9$V)}L3;KEn$Ul5bv=&IAD{s-+;BZU9}

diff --git a/icons/apex_app_chain_4689.gif b/icons/apex_app_chain_4689.gif
index 3ab9ecc7c27aeb0cd482673ad050dd1d172f63cc..0faa02cf3d378a0ef083a2fce9ced1720ffeb134 100644
GIT binary patch
delta 164
zcmV;V09*gA3C95pM@dFFIbk3GAOP?Ikqj+=EC2ui03ZM$0007jjE||y3=dzMCR$6?
z-7r@UN>fMzO<6izfU(!Ie&X>Wu?)Ae)a~l*>IGRrlV(=)eR85?$5>$+UqUF5)&tp!
z(w$RyY;K0&@DyX!nUzFZ5o)W#)7a~<?v8BbK(r2NqV`4wmK29lSC&XJXt#)>Hv%aS
Scrxj6$arZMso6<U0028xheX!^

literal 1198
zcmZ?wbhEHbRA5kG_`m=H|NsA2{K*1lD*os8%uP&B^-WCAOwQ&@Pt46tv^CH(F$F;e
zpln5MfkH}RNg|N`Z(mW6n4FzjqL7rDo|$K>^nUk#C56lsTcvPQUjyF)=hTc$kE){7
z;3~h6<f`ms%M>MhI|Z8xE1=%ol0=1y+?>2(s|s7C#FYG`R4X7mH?<^DUr7P1q9of^
z$q^)>5aAo3;GAESs$i;TrkiYNVxeGesb^?rVqk2hqhMrUXsK^tp>JrcYhY+)U}j}%
zt^fr}b~Z&RX;wilZcwX$JX@uVl9B=|ef{$Ca=miB{GxPyLrY7b2}b%xM!G-+y2X`w
zK;P-+6)P(N9SbtRCAB!YD6^m>Ge1wED9tJ{DZjMDR!K?WKhy)c1#naIiuJ&r(M!(H
z)vrh_&^OdG0C@=F)7%1IU;IjQbHS>CK~Y>1l!|aIR&$F(DhpEegHnt0ON)|Ify$LZ
zHWgSo7o{ea<QIkH=jXtJFd!qpB)>Q#zd*qV=pqFT-^Aq1JdlW{5>SV)ua#$BaY<rc
za;m3`El5N!Gc(1?#Ldmj+`!!2$lTn}(ACY-!pOzK*v;9(#ns8t%+OisKgc$qUYGpj
z(%jU%5~$u3xK;xToO(g&0IWH+D6=dz#jPkmR{`v0t4y3OF)+npoDx)P3aUf&kX&Mh
zL#wlrKF}%pz-UE^Wv~b&<$#!w1Pe@>Kn^^~r{<;nw^b?vrfA0h|Nj2@{p;tC@87<D
z`TXhQhxhN^zIpxX<%{Rfo<4c}=;4F=_wL@gee33p>sPN_zI5@z`EzH_oIZ8(#PMTC
zj~qU9@WB3kd-v?#wR6YzZCkf&-n4PU`gLp9tX{Qp#qwoKmn>eiaKZd}bLY&SHFL)F
zX;Y_6o-}bne_wA;cUNaeds}Nub5mnOeO+x$bya0Wd0A;maZzDGeqL@)c2;IadRl5q
za#CVKd|YfybW~(Scvxsia8O`?zn`y<x0k1fyPK<vvy-EPy`8O%wUwoXxtXbnv5}#H
zzMig*ww9)bx|*trvXY{Lyqv6zw3MWTxR|Jju#lhtKOZj-Hy0-dJ3AXI3o{cV1A`8z
z=l~Tb3`_w%{VPwu<zGB!%dP0fV?OzH6&>sePc))d7WwJ!PD}k9__gSAfw^_%2V)jt
t{RE#Ii;s4l@cv}>#di5R#m|MVZc}$Ai@pkNwTztbv&V1s_2*0s)&SVhvP%E}

diff --git a/icons/flex_app_chain_4689.gif b/icons/flex_app_chain_4689.gif
index bf38c34c74eff5d24928bd016ad0d2812710aefd..ba65158366fff1e6918a78cb60c7bf8317f64768 100644
GIT binary patch
literal 564
zcmV-40?YkJNk%w1VJHA70P_F<3JMAp6%{WpFHlfWadB~uj*h3Nr_RpK>gww9^78rl
z`Tzg_000000000000000A^8LV00000A^!_WZDD6+O<`wgV`~m)VQp<;JuogbH8eFe
zH2^FC0000e04M+e1paWzNvpj$Yo$;^V4`T`)g8qk1OOliLvbJ_sU(Kb27J%90>hzZ
zx#a-9WYT4zjfe=sPRT<m0RtNGu%ddEf?<hky?(2@FbSbsdZ$-`^MV+hd#(YYO9c=T
z7zSlmJ9<I{DuZ|i7hGR1F9Ze!1qPOTeR39peF1tZF_V^~Dp!mY34BQ~1g$JEm7|o1
zU|JFfgGeg^t&}OAL9)ICOJWiQik<^@um_U`0+g1%1$$)x1rrK(V2H4iLeSLI);<GI
z3VdbD1hJCUd*hYWsyu)T2wsMyDlpOH?J%+6p$T8IDg#En=n@2At2TJFAV88VPrCs-
zc*zS`4}g{g#9x+)T%o5IId}to++)+N+Ol0G1GZ`hubzN=+mh&Uxp0LGlO|^=IX3~B
z4<s?{_%VQq)y#I2h#k!~0T-20o~A7e;B+3hqsH*ntI{K3R6B^+30!q=0;iNmW2Ci1
z>E)YK6j*+F0SRrZuVBKuJy@m8iWFn<P_+<+FcqI~vSeUG(aoK>wlI*nYzB>B69+JI
z_M!%g=+T7<WG>O+NT(%1Rufs^4C2wkv7gMYa02lUk}?qJ-kssb2M;2MD_<@l0suR0
CrQ)Li

literal 1337
zcmaJ>Yg`mn6kklyu(BtqX$?am6tgq4JCB`#6>*mZvPA+6%3kxh%TBN}+w3eXq-H6J
ziK5v{(;j98m64SOTB1>@Kv|ZS*wY@QC0JHIvhWVD<OhG=5BG8I`JeMY=bm%3b3G1D
zNVX(f=330r*VmWOH@d`|kGKUxfNOe2Bq&H_z(7P$s;Ex1cXKO>D6$hRroDtW=mLHv
zr&<Sv)p<oyb(zG;XvSnDJ;Fx<!2mD>BoZiBLwv-E3bG~w9_~#sjw1akMwt`MG%pa-
zr%TfTLR%S3A}I&La#oU|2s@LC*a(ut2?tKvF@od?hNoF%aG=neF8lZbw`b57JULOn
zVFY;`udJ-JR@$waUW$_(2W{AJn+<~+Sg1-hgb1dF5~CK}ASCHZ&`>lLF)a$B7B-wH
zWI7N+An5fD8CFBq{(!8K7QiDy5GSn!9tfCm^=pTW0`NbLvucNms)7J703j``O8}}T
zM!_(5=XPW&LN@$#U4f4xl)E)490013>vp2>#wsf^FGvo8mFzxD1QLT$qEEs^k|r=8
zEl?6m%QQ_0Q9EbDGg+B#f^oa;ZkLTDJp@OS+*FEoxk#Ixg~BK{R}C40DuJkP1^OPu
zy3UE^T{;j9O)t{4@@N(0`!z!g`L!Tog9$~Fy@I5urX<CDrGcQ`Kvyb&?9sIV(w}Bt
zISU1rlvqxb?HEPV6h=`t851}eU<?HqPPS2kk0#JTynIIb2FeslU>LzD8=j^(nqesh
zV|^@xIT*@@iK0YeKw>FcWC;@1DT+gixLG-8R8mv~%hTKr^#wc(brw)zJL#}*V*393
z_tZZpPaHq?_g{Y={p0r|y*-D2`}NSlU%G$(>Bk=qeE;3I-+cYm{;qvrezAAY=b!EV
z^pjm5f7IF0zH`U+4?lRn?Y(VVTerOX&gM-m&2Mkq@Yb7etbe`fwRNw)@^WLtOE12#
z_W3o>J^Relt5-d>a>bKRJpS0D%O6>`w0_Crx<wB!tX=R>&HQ-}J}~$GIkRWoS6vmU
ztOy$+{obIa2FlCsQT(MoAWNcf_g#11ar?~MZY?RkWkyk9!Oi*8^Sn1ryD>K>+mq#X
zP0gH=G1-}(#&Zsqp((qKBycO1dc*Z8$&-?<yEYL`K(4uZ;)JWlj~jbs{1um9cIhP-
zkGbf=3r5GCKWb#`h~eiAi?LV|P7Lq=hf>Yi{FW@kme<ucb{vjbQ`fYSTbEbTGbU`=
zQ46wHE;_k>Lfod>S=+`t_s7pUGAaJ(+WGaJOAE-@Wm)31hEt2x{O<Ncgr})f-q5kS
zXUmkDoK$*M+e~}Q#N9P}n#1vFyIQv@vzPQ9Td;RtckEa;XM1;BMZ>7#!lW6FgUus%
imaI6QGj3rDn^d*0MaVudqPol9*q+-JSC((Fq@4y&t?0A>

diff --git a/icons/nanox_app_chain_4689.gif b/icons/nanox_app_chain_4689.gif
index 935290a888686abed406836de6fbf216afbf4607..7acaedf35a3dec562de1254193f5d9847251eb83 100644
GIT binary patch
delta 483
zcmX@g*~IDL?&)S>naIb$$MAuX0SNy8|F8Iy1;k=d{Lk%~o0y*Jo0y)NoXwY>n46nu
zYoKRh3W6ZnirfN)l*E!mApL)$lFh_;6D><UL)~Np17ihqOFc_7OM^rU^R#3g1tS9^
zQ+)$teFHOHBLgc_11m$biM!P&KDJ~2Z>u!9k5QK^C$HEFXpXP1?c@YTnaO^PY@8sW
z;*y}$w8;jHa+7Nq#U@uXDF~S985$^P_$DT2=9T0ZXJ}5gVUkvGGPZDbwFD9_28M=i
z22L)P#%^YoZpKE=29Ez7%`GSYXOxk5G6tzJ$EpaVW)+ikeP&*9Nn&1ds;7&s63{t%
znVBh8&gM===1vxt7S7JD7^VX?Dk*?mX_b<nT$-DjR|3<Tg3#)SQ>(t6f{lJrN}82R
zYH@N==HwV=MfQTk<m}Xv|C3voiza_(?zQIT;^bgwV`X7x0>+RIC}u#>#lWP{)4!4-
jOI9M<;FRe7rDbv)dAHO<C4-WdST^~+P|0~C!e9*mHiC%l

delta 554
zcmZ`$&ubGw7@gfz+o(hZ5yTd^OTiX9o0;92*&ilK%@SKBDm{6fot?F-O*U+z<RbpS
zlPD5~f*$)1hzCIsJbLlyxd-XZKfzO+gdV(j`M!_GdwlQlURJ+X?VDTeAmlYr1J41N
zOeO$;<;ltWoqJZyhg|Q*c(Y;1@hh@Q9R>v^f#rt|W(0X`-Et8Q>nNyW4<Z~P7E#|C
zA6`}q#`UvJ+qOpC-QFM?b^D!8(^fAG`_v2=47X)A0~XZ}<Gi|Kti_rV-7WJ6d5`bL
zg?QYRz2R2ew6)kt^EBcjK)&!Ym`K4ONiqQwOcBf|C&H&GrHHHB=Hha@y@5lDnHRSh
z#%-kU@CKo+7Ir;fgSI+jUbK!_^nWaMV60rh4zgA|T;#oBG1ytNuUU;*mME5G{zRtj
zvglf~Fp=6f&pk_Aj6@PJC__&|B4q|cm!~kuGJ&K_gb>I+5~TlR<Y|$}NFzFDf2Wu}
zEBX;7A!R;c(9e7Z14dk!BmzSzd_of+VcmgU*PiNSnrTY|wNzP|AN9F-B!_CVQX22o
z*UH<C6V-+J<HzPIrlHIIGp8#CV0}8KwFC3gn|B|;>!-iAe|~<rRQq)3;M0412N(8#
N#~*87zTGmw)xV?(o__!U

diff --git a/icons/stax_app_chain_4689.gif b/icons/stax_app_chain_4689.gif
index 80bc8916f1d37b51af728cea9ba853909222da59..03374a076d56abc35bb7e3439bd7b3f802f68404 100644
GIT binary patch
literal 435
zcmZ?wbhEHbRA5kG_{_k-#l<BiCT3`8=<n}eR8-X8-@khG>MK{Syn6NO)2B~AfByXc
z|33o~Q2faP<|+Q?_RLL8PxVbq&rHtdOHa(rO|&)8Gcg501|5(ZkPQqh{|Zieu3TmD
zdgX-gC%5)qN)%vPz{H%`qEaTpC~)V8mWYRqq~@Fg2>}Tg=~hK|m0LVZQa^9Yaxx8i
zC7>X|(s`XLDdF<999`#w(Z@LXxKb8fxK_o^y7i&Til<y2+#I#eOe`$SjG5J08l~(a
zY`Lk{tl3?9S<^Z!6S-K-rZ9IhSF?6Zo272aqQu#0xmb5)&9rUP^K6?+V`eU2ykh%u
zCx%@drKZ-#apo1XS$2dRI}x+lV)OawsYiv5w|1P-Z9jC_@>q-OqjJ;5H>aI>!zsML
zslBtkHn#mj<p$HW_G+S@6FFVQ)8|+PT0D4i-@10wpC_vvj{9t`VJfpwVp?&CvBdev
ziWHL_t_|zBB9|5XR625^ZHky`kxF30QZL;^Hwgvf))}WAB=r<lM7GZ8Wtvb^;84)i
W!zW%ah0XWFLFRy!5vDE-4AuZ!m8ORP

literal 1294
zcmaJ>d0Z4#9AC{YjqDD~Y#8!NX6M*Bb_Q0GT~;?;MWiHyVve`$w9L`WAOmGlX?9p<
zSyXgtTBcOmp=D-8hly90-C<>*cGyK_Y4~Pg$v^n`KJ%IP-tT?Czw7;eZ(=MO<VD1X
z_!@oQ=<e>$=^j!ZFF_)rBf`0$&^1Ll1sp^I)v6vs_pjfGBB~NXXEJdjZiYcpoz!4~
z84Xj*<c5^YD`??(q`(zi&D4M+BCb}W+kzWHMa7VS0N0)vN0BtdNrlh}-T~s-3>y|e
z7(a{2BppOJ-cPbL5n%HWiXeHM2;yV_BS?W@1%^X<2MVoON<t`&M0;()T?kD&jw#@H
zU0t2OF5ow;YMkVGsDr{O3WEsDuGbyW#dJG2qagxp*-}kMHFU(&C`v}H6GEY<Jt1gj
zJl>~RxBcmW{Ia3pu4v+<pTITEiz|(`ol@|>8~vi~vU(HXrNB07Eg3*~ZiWnVcXUG@
z5PBm_vs8E~Vok)5Yc-%du}BDoCw@g$1W^tWoE%7C5|CMpmJ%{1kqm()7?GAaMqwC2
z%;@Ql&#=YOV)z9jVTvT91kaFs5zU0dBo*MGFvE@Mwj=5?$k<k)?Otx=s9Ygz0nst6
zGQ+6JR6$A7a11+Xm<R<Eij0YivZ{NMvED891RVjEIvXfa%g~T?ngz8V7dTSpcu5Ih
zG{evsO;ZXc@(RFM8nC=V(PDxj&|bcBMEZKl6iQ$iX2u(Vp?QYoXcprV9E$~6n!+SW
zCNUs$G$U~Y3F{Qap^LazIY(4dMg+^#TlVz@-1K!8&|y1Sux|!*|99x%zyBQg`>#K{
z{`md3Uw_&E^G`qiuy604&W`VQfA{S-yV}40>dP-a|LoIGc7FWPhabGZWBazPTiQ0i
zx9Qz?-hQj~%{N}(_}Ye7*T3@ey0tI8_`>sRRzLUbGcBuDKE2|pCzmgKV(F5{AA9tX
zhaYNw@PYfA?z?yKJ$Em<YvG-DEV%u)TW^_v^Srq?-FQRe_1De0_L_!zw{CW=V_R37
zhOX75u2PfL382W5SaszUl@*uIx~zQWrI(b=D4kw1ZEAeV<cnjICPs@R;i3r_6^;)T
z<O_U|V;MR?kp%9?^2S{_cFgEeBQMBBbCB~#oHzX3bB1M~eb$+0oPOG=rwlzg>!cxr
zPdwrH<BlD4%)kLYU(SI+>31m4`+LulZ(wr4!WC^<Lz^pzZK-{&W#h8UU7ezA3Ck8Q
zSviYrIk=|TZLO%<>uzdW)W}vD?&{%{k@mdorNdG?Mi#~9j94{AS-WS$;QXyyvN!Ku
izP%$ky`{2g{?6c`nx^*7!Y+Ms*XWK><?Bj(zWl?xg493&


From 85eadda3082641c45c3af6f8eb63f17fe5842ce3 Mon Sep 17 00:00:00 2001
From: Charles-Edouard de la Vergne <charles-edouard.delavergne@ledger.fr>
Date: Thu, 18 Sep 2025 17:16:16 +0200
Subject: [PATCH 3/4] [Audit] Fix Safe account

---
 src_features/provide_safe_account/cmd_safe_account.c  |  4 ++++
 src_features/provide_safe_account/signer_descriptor.c | 11 +++++------
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src_features/provide_safe_account/cmd_safe_account.c b/src_features/provide_safe_account/cmd_safe_account.c
index b62e89a28..14fee3d4f 100644
--- a/src_features/provide_safe_account/cmd_safe_account.c
+++ b/src_features/provide_safe_account/cmd_safe_account.c
@@ -52,6 +52,10 @@ uint16_t handle_safe_account(uint8_t p1,
                 sw = APDU_RESPONSE_OK;  // No error for P1_SAFE_DESCRIPTOR if SAFE_DESC is NULL
             }
             break;
+        default:
+            PRINTF("Error: Invalid P2 (%u)\n", p2);
+            sw = APDU_RESPONSE_INVALID_P1_P2;
+            break;
     }
 
     if (sw != APDU_RESPONSE_OK) {
diff --git a/src_features/provide_safe_account/signer_descriptor.c b/src_features/provide_safe_account/signer_descriptor.c
index e0ad82b22..7b5466b39 100644
--- a/src_features/provide_safe_account/signer_descriptor.c
+++ b/src_features/provide_safe_account/signer_descriptor.c
@@ -37,7 +37,7 @@ enum {
 
 typedef struct {
     signers_descriptor_t *signers;
-    uint8_t addess_count;
+    uint8_t address_count;
     uint8_t sig_size;
     uint8_t *sig;
     cx_sha256_t hash_ctx;
@@ -142,11 +142,11 @@ static bool handle_challenge(const s_tlv_data *data, s_signer_ctx *context) {
 static bool handle_address(const s_tlv_data *data, s_signer_ctx *context) {
     CHECK_FIELD_LENGTH("ADDRESS", data->length, ADDRESS_LENGTH);
     CHECK_EMPTY_BUFFER("ADDRESS", data->value, data->length);
-    if (context->addess_count >= SAFE_DESC->signers_count) {
+    if (context->address_count >= SAFE_DESC->signers_count) {
         PRINTF("Error: Too many addresses in Signer descriptor!\n");
         return false;
     }
-    COPY_FIELD(context->signers->data[context->addess_count++].address, data);
+    COPY_FIELD(context->signers->data[context->address_count++].address, data);
     context->rcv_flags |= SET_BIT(BIT_ADDRESS);
     return true;
 }
@@ -225,7 +225,7 @@ static void print_signer_info(const s_signer_ctx *context) {
 
     PRINTF("****************************************************************************\n");
     PRINTF("[SAFE ACCOUNT] - Retrieved Signer Descriptor:\n");
-    for (i = 0; i < context->addess_count; i++) {
+    for (i = 0; i < context->address_count; i++) {
         PRINTF("[SAFE ACCOUNT] -    Address[%d]: %.*h\n",
                i,
                ADDRESS_LENGTH,
@@ -250,7 +250,7 @@ static bool verify_signer_struct(const s_signer_ctx *context) {
         PRINTF("Error: Signature verification failed for Signer descriptor!\n");
         return false;
     }
-    if (context->addess_count < SAFE_DESC->signers_count) {
+    if (context->address_count < SAFE_DESC->signers_count) {
         PRINTF("Error: Too few addresses in Signer descriptor!\n");
         return false;
     }
@@ -347,7 +347,6 @@ bool handle_signer_tlv_payload(const uint8_t *payload, uint16_t size) {
 void clear_signer_descriptor(void) {
     if (SIGNER_DESC.data != NULL) {
         app_mem_free(SIGNER_DESC.data);
-        SIGNER_DESC.data = NULL;
     }
     explicit_bzero(&SIGNER_DESC, sizeof(SIGNER_DESC));
 }

From 364888922c593ba8c7c36e8b88f4d1131227eba4 Mon Sep 17 00:00:00 2001
From: Charles-Edouard de la Vergne <charles-edouard.delavergne@ledger.fr>
Date: Thu, 18 Sep 2025 17:29:52 +0200
Subject: [PATCH 4/4] [Audit] Fix EIP712 part

---
 src_features/signMessageEIP712/ui_logic.c          | 4 ++--
 src_features/signMessageEIP712_common/common_712.c | 3 +++
 src_nbgl/ui_sign_712.c                             | 4 +++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src_features/signMessageEIP712/ui_logic.c b/src_features/signMessageEIP712/ui_logic.c
index eb30e8638..888840379 100644
--- a/src_features/signMessageEIP712/ui_logic.c
+++ b/src_features/signMessageEIP712/ui_logic.c
@@ -1227,8 +1227,8 @@ void ui_712_set_trusted_name_requirements(uint8_t type_count,
  *
  */
 void ui_712_push_pairs(void) {
-    uint16_t nbPairs = 0;
-    uint16_t pair = 0;
+    uint8_t nbPairs = 0;
+    uint8_t pair = 0;
     s_ui_712_pair *tmp = NULL;
 
     // Initialize the pairs list
diff --git a/src_features/signMessageEIP712_common/common_712.c b/src_features/signMessageEIP712_common/common_712.c
index a6199d587..4296c8c1c 100644
--- a/src_features/signMessageEIP712_common/common_712.c
+++ b/src_features/signMessageEIP712_common/common_712.c
@@ -67,6 +67,9 @@ static char *format_hash(const uint8_t *hash, char *buffer, size_t buffer_size,
 }
 
 void eip712_format_hash(uint8_t index) {
+    if ((g_pairs == NULL) || (g_pairsList == NULL) || (index >= g_pairsList->nbPairs)) {
+        return;
+    }
     g_pairs[index].item = "Domain hash";
     g_pairs[index].value = format_hash(tmpCtx.messageSigningContext712.domainHash,
                                        strings.tmp.tmp,
diff --git a/src_nbgl/ui_sign_712.c b/src_nbgl/ui_sign_712.c
index 49448c118..d91e354e4 100644
--- a/src_nbgl/ui_sign_712.c
+++ b/src_nbgl/ui_sign_712.c
@@ -28,7 +28,9 @@ static void ui_712_start_review(nbgl_operationType_t operationType,
     // Initialize the finish title string
     finish_len += strlen(tx_check_str);
     finish_len += strlen(title_suffix);
-    ui_buffers_init(0, 0, finish_len);
+    if (!ui_buffers_init(0, 0, finish_len)) {
+        return;
+    }
     snprintf(g_finishMsg, finish_len, "%s%s", tx_check_str, title_suffix);
 #ifdef HAVE_TRANSACTION_CHECKS
     set_tx_simulation_warning();