fix(rpc): surface StorageOverrideNotPermitted from seismic-evm#384
Open
HenryMBaldwin wants to merge 3 commits intoveridise-audit-april-2026from
Open
fix(rpc): surface StorageOverrideNotPermitted from seismic-evm#384HenryMBaldwin wants to merge 3 commits intoveridise-audit-april-2026from
HenryMBaldwin wants to merge 3 commits intoveridise-audit-april-2026from
Conversation
added 2 commits
April 23, 2026 19:01
Companion to the seismic-evm change that rejects `state` / `stateDiff` overrides at the `apply_account_override` chokepoint. Adds the corresponding `EthApiError::StorageOverrideNotPermitted` variant, includes it in the `invalid_params_rpc_err` arm so it surfaces as -32602 (matching `CodeOverrideNotPermitted`), and maps the underlying `StateOverrideError` variant through `From<StateOverrideError>`. The seismic-evm dep bump is a separate change and must land before this compiles.
Bumps `alloy-evm` / `alloy-seismic-evm` to e644240, which adds `StateOverrideError::StorageOverrideNotPermitted` and rejects `state` / `stateDiff` overrides at the `apply_account_override` chokepoint. Required for the preceding commit to compile.
Contributor
|
Updates seismic-evm dependency to pick up storage-override rejection and adds corresponding RPC error handling with e2e test coverage. Phase 1 Phase 2
Phase 3 The changes are well-structured:
LGTM |
Adds three integration tests mirroring the existing code-override coverage — asserts that `eth_call`, `eth_estimateGas`, and `eth_simulateV1` reject requests carrying a `stateDiff` override and surface the "storage overrides are not permitted" error through the full RPC wiring.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Companion to seismic-evm#52, which rejects
state/stateDiffoverrides at theapply_account_overridechokepoint to close an audit finding where signed reads could be evaluated against attacker-controlled storage.EthApiError::StorageOverrideNotPermitted(Address)next to the existingCodeOverrideNotPermittedvariant.invalid_params_rpc_errarm so it surfaces as-32602(matching the code-override behavior).StateOverrideError::StorageOverrideNotPermittedthroughFrom<StateOverrideError> for EthApiError.alloy-evm/alloy-seismic-evmto the seismic-evm branch tip (e644240) so the new variant resolves.Merge order
Do not merge this PR until:
seismic.alloy-evm/alloy-seismic-evmrev inCargo.toml(lines 794-795) is re-bumped to the post-merge commit onseismic— the current pin points at the branch commit, which will differ from the merge commit (squash / merge / rebase).Test plan
cargo check -p reth-rpc-eth-typesbuilds clean for the error module changes. (Note: the baseveridise-audit-april-2026has pre-existingUrl: serdeerrors unrelated to this PR — verified by building the baseline without these changes.)eth_callwith astateDiffoverride returns-32602 invalid paramswith the storage-override message.