fix: harden off-chain ABI decoding against malicious receiver metadata (Report #71024)

- Revert on-chain receiver_registry changes to keep fix entirely off-chain
- Convert decodeParam panics to errors with checked type assertions
- Add explicit TypeParameter rejection in ABI parameter decoding
- Add defer/recover defense-in-depth in BuildOffRampExecutePTB
- Fix unchecked assertions in token pool and receiver PTB construction
- Add comprehensive unit tests for malformed and adversarial ABI shapes

Author: faisal-chainlink

bindings/generated/ccip/ccip/receiver_registry/receiver_registry.go

@@ -233,7 +233,7 @@ public fun consume_any2sui_message<TypeProof: drop>(
     let receiver_package_id = address::from_ascii_bytes(&ascii::into_bytes(address_str));
 
     let receiver_config = receiver_registry::get_receiver_config(ref, receiver_package_id);
-    let (_, proof_typename, _) = receiver_registry::get_receiver_config_fields(receiver_config);
+    let (_, proof_typename) = receiver_registry::get_receiver_config_fields(receiver_config);
     assert!(proof_typename == proof_tn.into_string(), ETypeProofMismatch);
 
     client::consume_any2sui_message(message, receiver_package_id)

contracts/ccip/ccip/sources/offramp_state_helper.move

@@ -13,12 +13,6 @@ use sui::linked_table::{Self, LinkedTable};
 public struct ReceiverConfig has copy, drop, store {
     module_name: String,
     proof_typename: ascii::String,
-    /// The number of extra object IDs that the receiver's ccip_receive callback
-    /// expects beyond the standard 3 parameters (expected_message_id,
-    /// &CCIPObjectRef, Any2SuiMessage). The relayer uses this to validate that
-    /// the receiverObjectIds count in a CCIP message matches what the receiver
-    /// registered, preventing object injection attacks.
-    expected_receiver_object_id_count: u64,
 }
 
 public struct ReceiverRegistry has key, store {
@@ -31,7 +25,6 @@ public struct ReceiverRegistered has copy, drop {
     receiver_package_id: address,
     receiver_module_name: String,
     proof_typename: ascii::String,
-    expected_receiver_object_id_count: u64,
 }
 
 public struct ReceiverUnregistered has copy, drop {
@@ -64,7 +57,6 @@ public fun register_receiver<ProofType: drop>(
     ref: &mut CCIPObjectRef,
     publisher_wrapper: PublisherWrapper<ProofType>,
     _proof: ProofType,
-    expected_receiver_object_id_count: u64,
 ) {
     verify_function_allowed(
         ref,
@@ -81,15 +73,13 @@ public fun register_receiver<ProofType: drop>(
     let receiver_config = ReceiverConfig {
         module_name: receiver_module_name,
         proof_typename: proof_typename.into_string(),
-        expected_receiver_object_id_count,
     };
     registry.receiver_configs.push_back(receiver_package_id, receiver_config);
 
     event::emit(ReceiverRegistered {
         receiver_package_id,
         receiver_module_name,
         proof_typename: proof_typename.into_string(),
-        expected_receiver_object_id_count,
     });
 }
 
@@ -142,15 +132,15 @@ public fun get_receiver_config(ref: &CCIPObjectRef, receiver_package_id: address
     *registry.receiver_configs.borrow(receiver_package_id)
 }
 
-public fun get_receiver_config_fields(rc: ReceiverConfig): (String, ascii::String, u64) {
-    (rc.module_name, rc.proof_typename, rc.expected_receiver_object_id_count)
+public fun get_receiver_config_fields(rc: ReceiverConfig): (String, ascii::String) {
+    (rc.module_name, rc.proof_typename)
 }
 
 // this will return empty string if the receiver is not registered.
 public fun get_receiver_info(
     ref: &CCIPObjectRef,
     receiver_package_id: address,
-): (String, ascii::String, u64) {
+): (String, ascii::String) {
     verify_function_allowed(
         ref,
         string::utf8(b"receiver_registry"),
@@ -161,12 +151,8 @@ public fun get_receiver_info(
 
     if (registry.receiver_configs.contains(receiver_package_id)) {
         let receiver_config = registry.receiver_configs.borrow(receiver_package_id);
-        return (
-            receiver_config.module_name,
-            receiver_config.proof_typename,
-            receiver_config.expected_receiver_object_id_count,
-        )
+        return (receiver_config.module_name, receiver_config.proof_typename)
     };
 
-    (string::utf8(b""), ascii::string(b""), 0)
+    (string::utf8(b""), ascii::string(b""))
 }

contracts/ccip/ccip/sources/receiver_registry.move

@@ -258,7 +258,6 @@ public fun test_extract_any2sui_message() {
         &mut ref,
         publisher_wrapper,
         TestTypeProof {},
-        0,
     );
     package::burn_publisher(publisher);