Skip to content

Comments

L-10: Validate originChainId in gasless order preparation#26

Merged
mgretzke merged 2 commits intov1-audit1from
fix/l10-validate-originchainid
Dec 9, 2025
Merged

L-10: Validate originChainId in gasless order preparation#26
mgretzke merged 2 commits intov1-audit1from
fix/l10-validate-originchainid

Conversation

@ccashwell
Copy link
Member

@ccashwell ccashwell commented Sep 11, 2025

Summary

  • Adds originChainId validation in ERC7683AllocatorLib.openForPreparation
    • enforces order.originChainId == block.chainid.
  • Introduces new error InvalidOriginChainId(uint256, uint256).

Changes

  • src/allocators/lib/ERC7683AllocatorLib.sol: added InvalidOriginChainId error and validation in openForPreparation.
  • test/ERC7683Allocator.t.sol: added negative test for invalid originChainId.

Rationale

Ensures orders are processed only on the intended origin chain, preventing misuse across chains.

@ccashwell
ERC7683AllocatorLib: validate originChainId in openForPreparation (L-10)
23e4477 
Ensure gasless orders are processed only when originChainId matches current chain. Adds negative test for mismatch.
@ccashwell ccashwell requested a review from a team as a code owner September 11, 2025 13:50
@mgretzke
Copy link
Collaborator

mgretzke commented Dec 9, 2025

This is also prevented by the sponsors signature / registration check after the allocation as well, but doesn't hurt to have it in the beginning as well for an early revert.

@mgretzke mgretzke merged commit e224fab into v1-audit1 Dec 9, 2025
4 checks passed
@mgretzke mgretzke deleted the fix/l10-validate-originchainid branch December 9, 2025 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ccashwell @mgretzke