feat: add recursive check for nested authz exec messages and enforce … (#2420)

* feat: add recursive check for nested authz exec messages and enforce max depth limit

* changelog

* docs(CHANGELOG): move log entry to correct position

---------

Co-authored-by: Unique Divine <51418232+Unique-Divine@users.noreply.github.com>

Author: expertdicer

CHANGELOG.md

@@ -49,6 +49,7 @@ See https://github.com/dangoslen/changelog-enforcer.
 
 - [#2418](https://github.com/NibiruChain/nibiru/pull/2418) - fix(evmstate/test): stabilize trace tx tests with deterministic ERC20 transfer recipient
 - [#2419](https://github.com/NibiruChain/nibiru/pull/2419) - ci: simplify Go caching in CI to prevent file collisions
+- [#2420](https://github.com/NibiruChain/nibiru/pull/2420) - feat: add recursive check for nested authz exec messages and enforce max depth limit
 
 ## [v2.8.0](https://github.com/NibiruChain/nibiru/releases/tag/v2.8.0) - 2025-10-28
 

app/ante/auth_guard_test.go

@@ -97,6 +97,45 @@ func (s *Suite) TestAnteDecoratorAuthzGuard() {
 			},
 			wantErr: "ExtensionOptionsEthereumTx",
 		},
+		{
+			name: "sad: nested authz exec with evm message inside",
+			txMsg: func() sdk.Msg {
+				// inner exec contains an EVM message
+				inner := authz.NewMsgExec(
+					sdk.AccAddress("nibiuser"),
+					[]sdk.Msg{
+						&evm.MsgEthereumTx{},
+					},
+				)
+				// outer exec wraps inner
+				outer := authz.NewMsgExec(
+					sdk.AccAddress("nibiuser"),
+					[]sdk.Msg{&inner},
+				)
+				return &outer
+			},
+			wantErr: "ExtensionOptionsEthereumTx",
+		},
+		{
+			name: "sad: nested authz exec exceeds max depth",
+			txMsg: func() sdk.Msg {
+				// Build triple-nested exec without EVM msgs to trigger depth check only
+				lvl3 := authz.NewMsgExec(
+					sdk.AccAddress("nibiuser"),
+					[]sdk.Msg{&banktypes.MsgSend{}},
+				)
+				lvl2 := authz.NewMsgExec(
+					sdk.AccAddress("nibiuser"),
+					[]sdk.Msg{&lvl3},
+				)
+				lvl1 := authz.NewMsgExec(
+					sdk.AccAddress("nibiuser"),
+					[]sdk.Msg{&lvl2},
+				)
+				return &lvl1
+			},
+			wantErr: "exceeded max nested message depth: 2",
+		},
 		{
 			name: "happy: authz exec without evm messages",
 			txMsg: func() sdk.Msg {

app/ante/authz_guard.go

@@ -2,6 +2,8 @@
 package ante
 
 import (
+	"fmt"
+
 	sdkioerrors "cosmossdk.io/errors"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
@@ -10,6 +12,8 @@ import (
 	"github.com/NibiruChain/nibiru/v2/x/evm"
 )
 
+const maxNestedMsgs = 2
+
 // AnteDecAuthzGuard filters autz messages
 type AnteDecAuthzGuard struct{}
 
@@ -46,22 +50,43 @@ func (anteDec AnteDecAuthzGuard) AnteHandle(
 		}
 		// Also reject MsgEthereumTx in exec
 		if msgExec, ok := msg.(*authz.MsgExec); ok {
-			msgsInExec, err := msgExec.GetMessages()
-			if err != nil {
-				return ctx, sdkioerrors.Wrapf(
+			if err := anteDec.checkMsgExecRecursively(msgExec, 0, maxNestedMsgs); err != nil {
+				return ctx, sdkerrors.Wrapf(
 					sdkerrors.ErrInvalidType,
-					"failed getting exec messages %s", err,
+					err.Error(),
 				)
 			}
-			for _, msgInExec := range msgsInExec {
-				if _, ok := msgInExec.(*evm.MsgEthereumTx); ok {
-					return ctx, sdkioerrors.Wrapf(
-						sdkerrors.ErrInvalidType,
-						"MsgEthereumTx needs to be contained within a tx with 'ExtensionOptionsEthereumTx' option",
-					)
-				}
-			}
 		}
 	}
 	return next(ctx, tx, simulate)
 }
+
+func (anteDec AnteDecAuthzGuard) checkMsgExecRecursively(msgExec *authz.MsgExec, depth int, maxDepth int) error {
+	if depth >= maxDepth {
+		return fmt.Errorf("exceeded max nested message depth: %d", maxDepth)
+	}
+
+	msgsInExec, err := msgExec.GetMessages()
+	if err != nil {
+		return sdkerrors.Wrapf(
+			sdkerrors.ErrInvalidType,
+			"failed getting exec messages %s", err,
+		)
+	}
+
+	for _, msg := range msgsInExec {
+		if _, ok := msg.(*evm.MsgEthereumTx); ok {
+			return sdkioerrors.Wrapf(
+				sdkerrors.ErrInvalidType,
+				"MsgEthereumTx needs to be contained within a tx with 'ExtensionOptionsEthereumTx' option",
+			)
+		}
+		if nestedExec, ok := msg.(*authz.MsgExec); ok {
+			if err := anteDec.checkMsgExecRecursively(nestedExec, depth+1, maxDepth); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}