Skip to content

Legion#69

Merged
Dargon789 merged 104 commits into
porto.shfrom
legion
Apr 11, 2026
Merged

Legion#69
Dargon789 merged 104 commits into
porto.shfrom
legion

Conversation

@Dargon789

Copy link
Copy Markdown
Owner

No description provided.

github-actions Bot and others added 30 commits August 5, 2025 22:58
Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate
passkey authentication costs from spend limit enforcement costs.

- Uses secp256k1 passkey for transaction signing
- Sets execution permissions for ERC20 transfers
- Requires spend limits (set to max) for passkey operations
- Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits)
- Provides clean measurement of passkey overhead (~19k gas)

Resolves ithacaxyz#272

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com>
…thacaxyz#379

Combines the following fixes:
- PR ithacaxyz#357: Replace SuperAdminCanSpendAnything with SuperAdminCanExecuteEverything in setCallChecker
- PR ithacaxyz#314: Fix typos across codebase (overriden→overridden, Calcualated→Calculated, etc.)
- PR ithacaxyz#379: Correct inline comment about approval amount (20-byte all-ones, not type(uint256).max)

Co-Authored-By: GarmashAlex <noreply@github.com>
Co-Authored-By: sukrucildirr <noreply@github.com>
Co-Authored-By: Forostovec <noreply@github.com>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
* feat: simplify multichain nonce design

* chore: readd merkle verification prefix

* chore: undo blank line addns

* chore: lint

* chore: redundant multichain bool

* fix: lint

* .
* feat: simplify multichain nonce design

* chore: readd merkle verification prefix

* chore: undo blank line addns

* chore: lint

* .

* ~50 failing tests down to 5

* down to 1 failing test

* fixed failing test

* chore: remove console logs and bench

* .

* Update test/Base.t.sol

* Update src/Orchestrator.sol

* Update test/utils/mocks/MockPayerWithSignatureOptimized.sol

* chore: final cleanup, rebench

* Update src/Orchestrator.sol

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount,Orchestrator,SimpleFunder,Simulator

* chore: cleanup

* rebase

* fix

---------

Co-authored-by: GitHub Action <action@github.com>
Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow

CI:

Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image
Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
CI:
Update Forge test command to use --rerun and increase verbosity to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge.
CI:
Enable the --rerun flag for Forge tests to retry failures automatically
Increase Forge test verbosity from -vvv to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv"
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
googleworkspace-bot and others added 25 commits March 14, 2026 14:59
* feat: add ERC20 transfer benchmark for Porto with passkey

Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate
passkey authentication costs from spend limit enforcement costs.

- Uses secp256k1 passkey for transaction signing
- Sets execution permissions for ERC20 transfers
- Requires spend limits (set to max) for passkey operations
- Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits)
- Provides clean measurement of passkey overhead (~19k gas)

Resolves ithacaxyz#272

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com>

* feat: allow early refunds by recipient in escrow

* feat: add callSansTo support to ERC7821 execute

* chore: improvements and fixes to ERC7821Ithaca

* chore: add address(0) replacement to new compute digest

* fix: sanitize upper bits before checking replacement + tests

* feat: do not add replay safe wrapper if sig is eoa

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount

* chore: use `auto-assign-pr.yml` org action

* fix: combine improvements from PRs ithacaxyz#357, ithacaxyz#314, and ithacaxyz#379

Combines the following fixes:
- PR ithacaxyz#357: Replace SuperAdminCanSpendAnything with SuperAdminCanExecuteEverything in setCallChecker
- PR ithacaxyz#314: Fix typos across codebase (overriden→overridden, Calcualated→Calculated, etc.)
- PR ithacaxyz#379: Correct inline comment about approval amount (20-byte all-ones, not type(uint256).max)

Co-Authored-By: GarmashAlex <noreply@github.com>
Co-Authored-By: sukrucildirr <noreply@github.com>
Co-Authored-By: Forostovec <noreply@github.com>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount

* feat: subaccount design using spend function

* test: complete subaccount flow with unit test

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount

* feat: add merkle sigs natively into the account

* fix: tests

* test: add more sophisticated fuzz test

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount

* feat: fix and simplify multichain design (ithacaxyz#327)

* feat: simplify multichain nonce design

* chore: readd merkle verification prefix

* chore: undo blank line addns

* chore: lint

* chore: redundant multichain bool

* fix: lint

* .

* feat: remove intent struct (ithacaxyz#365)

* feat: simplify multichain nonce design

* chore: readd merkle verification prefix

* chore: undo blank line addns

* chore: lint

* .

* ~50 failing tests down to 5

* down to 1 failing test

* fixed failing test

* chore: remove console logs and bench

* .

* Update test/Base.t.sol

* Update src/Orchestrator.sol

* Update test/utils/mocks/MockPayerWithSignatureOptimized.sol

* chore: final cleanup, rebench

* Update src/Orchestrator.sol

* chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount,Orchestrator,SimpleFunder,Simulator

* chore: cleanup

* rebase

* fix

---------

Co-authored-by: GitHub Action <action@github.com>

* feat: native merkle sig verification in Account

* chore: fmt

* chore: unify merkle sig flow for orchestrator multi chain intents

* chore: bump contract versions due to bytecode changes - Contracts updated: Orchestrator,SimpleFunder,Simulator

* Add .circleci/config.yml (#1)

Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow

CI:

Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image
Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine

* Update ci.yaml

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#2)

CI:
Update Forge test command to use --rerun and increase verbosity to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#4)

Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge.
CI:
Enable the --rerun flag for Forge tests to retry failures automatically
Increase Forge test verbosity from -vvv to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#5)

Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv"
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Create CNAME

* Revert "Merge branch 'master'"

This reverts commit 6c02fbf, reversing
changes made to a317ddb.

* Create CNAME (#9)

* Update ci.yaml (#2)

CI:
Update Forge test command to use --rerun and increase verbosity to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#4)

Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge.
CI:
Enable the --rerun flag for Forge tests to retry failures automatically
Increase Forge test verbosity from -vvv to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#5)

Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv"
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Create CNAME

* Revert "Merge branch 'master'"

This reverts commit 6c02fbf, reversing
changes made to a317ddb.

---------

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#10)

reback use test 
CI and automation chores (ithacaxyz#394)
 7dd8a5d

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Potential fix for code scanning alert no. 3: Workflow does not contain permissions (#15)

https://github.com/Dargon789/account/security/code-scanning/3
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update ci.yaml (#16)

reback use test 
CI and automation chores (ithacaxyz#394)
 7dd8a5d

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Delete CNAME

* Update Brutalizer.sol

* Potential fix for code scanning alert no. 2: Workflow does not contain permissions (#17)

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Refactor deployment scripts and update configs

Migrates deployment scripts to use fork-based configuration loading, removes legacy CircleCI and GitHub workflow files, and introduces a registry-based contract deployment record. Updates .env.example, README, and foundry configuration. Removes LayerZero vendor and test files, adds devtools submodule, and improves LayerZeroSettler configuration logic for multi-chain deployments.

* Fix commit user email format in CI workflow (#18)

30a2096

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Potential fix for code scanning alert no. 4: Workflow does not contain permissions (#19)

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#20)

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update ci.yaml (#21)

reback use test 
CI and automation chores (ithacaxyz#394)
 7dd8a5d

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Master (#22)

* Merge branch 'master' (#8)

* Update ci.yaml (#2)

CI:
Update Forge test command to use --rerun and increase verbosity to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#4)

Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge.
CI:
Enable the --rerun flag for Forge tests to retry failures automatically
Increase Forge test verbosity from -vvv to -vvvvv
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml (#5)

Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv"
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Create CNAME

---------

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Revert "fix vm block accoount (#11)" (#13)

Reverts #11

Summary by Sourcery
CI:

Update the Forge test command in the CI workflow to enable reruns and increase verbosity.
This reverts commit 942017f.

---------

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Update ci.yaml

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* Refactor function signatures and formatting for consistency

Updated function signatures in IFunder and SimpleFunder for single-line style, and improved code formatting in IthacaAccount, test/Account.t.sol, test/Benchmark.t.sol, and test/LayerZeroSettler.t.sol for readability and consistency. No logic changes were made.

* Delete .circleci directory (#27)

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* # Default ignored files

* .snapshot_worktree

* Delete .idea directory (#35)

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

* pre-commit

* pre-commit

* deploy execute_config.sh

* Update forge-std

* Update check-bytecode-changes.js

* pre-commit

* chore: bump contract versions due to bytecode changes

* chore: bump contract versions due to bytecode changes

* chore: bump contract versions due to bytecode changes

contracts update

* v0.5.11

* chore: unify merkle sig flow for orchestrator multi chain intents

* test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412)

* Refactor function signatures and formatting for consistency

---------

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com>
Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com>
Co-authored-by: howy <132113803+howydev@users.noreply.github.com>
Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: o-az <omaraziz.dev@proton.me>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
Add IntelliJ IDEA project files under .idea and lib/.idea (modules, caches, iml, vcs, and a .gitignore) and update the lib/forge-std gitlink (submodule) reference. Also adjust .env.example by removing spaces before inline comments on RPC URLs (UPGRADE_TEST_RPC_URL, RPC_1, RPC_11155111) to standardize formatting.
Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes.
@vercel

vercel Bot commented Apr 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
legion Canceled Canceled Apr 11, 2026 2:34pm

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @Dargon789, your pull request is larger than the review limit of 150000 diff characters

@Dargon789 Dargon789 merged commit 7854f5e into porto.sh Apr 11, 2026
11 of 14 checks passed

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request overhauls the deployment system by introducing a registry-based tracking mechanism and refactoring scripts to use Foundry's readFork cheatcodes. It also implements significant optimizations in the Orchestrator and Simulator by replacing the structured Intent object with manual calldata parsing via a new IntentHelpers library. Critical feedback highlights a security flaw in Escrow.sol where depositors can trigger early refunds, logic errors in IntentHelpers.sol regarding calldata offsets and address extraction, and an execution order issue in Orchestrator.sol that breaks funding via preCalls.

Comment thread src/Escrow.sol
Escrow storage _escrow = escrows[escrowIds[i]];
// If refund timestamp hasn't passed yet, then the refund is invalid.
if (block.timestamp <= _escrow.refundTimestamp) {
if (block.timestamp > _escrow.refundTimestamp || msg.sender == _escrow.depositor) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The addition of || msg.sender == _escrow.depositor allows the depositor to unilaterally trigger a refund of the refundAmount before the refundTimestamp has passed. This undermines the security model of the escrow for the recipient, who relies on the funds being locked until either the transaction is settled or the timeout expires. A malicious depositor could grief the recipient by withdrawing the guarantee funds immediately after the recipient begins performing the off-chain action.

Comment on lines +35 to +45
uint256 internal constant _SUPPORTED_ACCOUNT_IMPLEMENTATION_OFFSET = 68;
uint256 internal constant _EOA_OFFSET = 88;
uint256 internal constant _NONCE_OFFSET = 120;
uint256 internal constant _PAYER_OFFSET = 152;
uint256 internal constant _PAYMENT_TOKEN_OFFSET = 184;
uint256 internal constant _PAYMENT_MAX_AMOUNT_OFFSET = 216;
uint256 internal constant _COMBINED_GAS_OFFSET = 248;
uint256 internal constant _EXPIRY_OFFSET = 280;
uint256 internal constant _PAYMENT_AMOUNT_OFFSET = 312;
uint256 internal constant _PAYMENT_RECIPIENT_OFFSET = 344;
uint256 internal constant _EXECUTION_DATA_OFFSET = 364;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The offsets defined here appear to assume that the Intent data is packed (e.g., address taking 20 bytes). However, the Orchestrator and Simulator use calldataload, which reads 32-byte words. If the input data is standard ABI encoded (where each field is 32-byte aligned), these offsets are incorrect. For example, if supportedAccountImplementation is at offset 68 and is 32-byte aligned, the eoa field should start at offset 100, not 88. If the data is indeed packed, calldataload will read across field boundaries, leading to corrupted data extraction.

Comment on lines +51 to +59
function _getSupportedAccountImplementation() internal pure returns (address) {
return address(
bytes20(
msg.data[
_SUPPORTED_ACCOUNT_IMPLEMENTATION_OFFSET:
_SUPPORTED_ACCOUNT_IMPLEMENTATION_OFFSET + 20
]
)
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The use of msg.data[offset:offset+20] to extract an address from a 32-byte word in calldata is incorrect for standard ABI encoding. In ABI encoding, an address is right-aligned in a 32-byte word. Extracting the first 20 bytes will return the leading padding (zeros) rather than the actual address. It should be msg.data[offset+12:offset+32] or simply use calldataload and cast to address as done in other getters in this file.

Comment thread src/Orchestrator.sol
Comment on lines +345 to 351
if (TokenTransferLib.balanceOf(_getPaymentToken(), payer) < _getPaymentAmount()) {
err = PaymentError.selector;

if (flags == _SIMULATION_MODE_FLAG) {
revert PaymentError();
}
if (flags == _SIMULATION_MODE_FLAG) {
revert PaymentError();
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This early payment check is performed before _handlePreCalls. If a preCall is intended to fund the account (e.g., via a cross-chain bridge or a swap to the payment token), this check will fail because the balance is checked against the state before the pre-calls are executed. This limits the utility of preCalls for funding intents. Consider moving this check after _handlePreCalls or removing it, as the actual payment logic in _pay already performs a balance check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sequence diagram for merkle-based signature verification in IthacaAccount

7 participants