Ithaca account#86
Conversation
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * Add .circleci/config.yml (#1) Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow CI: Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. * Create CNAME (#9) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Delete .circleci directory (#27) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * pre-commit * deploy execute_config.sh * Update forge-std * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero-v2 * Update LayerZero-v2 --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add ERC20 transfer benchmark for Porto with passkey Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate passkey authentication costs from spend limit enforcement costs. - Uses secp256k1 passkey for transaction signing - Sets execution permissions for ERC20 transfers - Requires spend limits (set to max) for passkey operations - Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits) - Provides clean measurement of passkey overhead (~19k gas) Resolves ithacaxyz#272 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> * chore: use `auto-assign-pr.yml` org action * feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * # Default ignored files * .snapshot_worktree * Delete .idea directory (#35) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Revert "Delete .idea directory (#35)" (#55) This reverts commit 512c204. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> Co-authored-by: o-az <omaraziz.dev@proton.me> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * pre-commit * deploy execute_config.sh * Update forge-std * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero-v2 * Update LayerZero-v2 --------- Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * Add .circleci/config.yml (#1) Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow CI: Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. * Create CNAME (#9) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Delete .circleci directory (#27) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero-v2 --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * Add .circleci/config.yml (#1) Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow CI: Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. * Create CNAME (#9) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Delete .circleci directory (#27) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * pre-commit * deploy execute_config.sh * Update forge-std * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero-v2 * Update LayerZero-v2 --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
…n permissions (#66) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…n permissions (#67) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…n permissions (#68) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* feat: add ERC20 transfer benchmark for Porto with passkey Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate passkey authentication costs from spend limit enforcement costs. - Uses secp256k1 passkey for transaction signing - Sets execution permissions for ERC20 transfers - Requires spend limits (set to max) for passkey operations - Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits) - Provides clean measurement of passkey overhead (~19k gas) Resolves ithacaxyz#272 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> * chore: use `auto-assign-pr.yml` org action * feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * # Default ignored files * .snapshot_worktree * Delete .idea directory (#35) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Revert "Delete .idea directory (#35)" (#55) This reverts commit 512c204. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> Co-authored-by: o-az <omaraziz.dev@proton.me> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
Signed-off-by: Dargon789 <null>
This reverts commit 0cb7a77. @gemini-code-assist Code Review This pull request cleans up the repository by removing various IDE-specific configuration files located in the .idea directory. Additionally, it removes the testERC20TransferViaPortoOrchestratorWithPasskey function from the BenchmarkTest contract in test/Benchmark.t.sol. I have no feedback to provide.
Reviewer's GuideAdds Merkle tree–based signature support to IthacaAccount (including a merkle flag in wrapped signatures), updates tests and benchmarks to the new signature encoding, and introduces fuzz tests for Merkle signatures, along with minor EIP-712 domain and version updates plus some IDE config files. Sequence diagram for merkle-based wrapped signature verificationsequenceDiagram
actor ExternalCaller
participant IthacaAccount
participant MerkleProofLib
ExternalCaller->>IthacaAccount: unwrapAndValidateSignature(digest, wrappedSig)
alt signature_length == 65
IthacaAccount-->>ExternalCaller: isValid = (ECDSA.recoverCalldata == this), keyHash = 0
else wrapped_signature
IthacaAccount->>IthacaAccount: parse keyHash, prehashFlag, merkleFlag from wrappedSig
alt prehashFlag != 0
IthacaAccount->>IthacaAccount: digest = EfficientHashLib.sha2(digest)
end
alt merkleFlag != 0
IthacaAccount->>IthacaAccount: _verifyMerkleSig(digest, merkleSigPayload)
IthacaAccount->>MerkleProofLib: verifyCalldata(proof, root, digest)
alt MerkleProofLib returns true
IthacaAccount->>IthacaAccount: unwrapAndValidateSignature(root, rootSig)
IthacaAccount-->>ExternalCaller: isValid, keyHash (from rootSig validation)
else MerkleProofLib returns false
IthacaAccount-->>ExternalCaller: isValid = false, keyHash = 0
end
else merkleFlag == 0
IthacaAccount->>IthacaAccount: getKey(keyHash) and validate
IthacaAccount-->>ExternalCaller: isValid, keyHash
end
end
Class diagram for updated IthacaAccount merkle-aware signature validationclassDiagram
class IthacaAccount {
+unwrapAndValidateSignature(bytes32 digest, bytes signature) bool isValid, bytes32 keyHash
-_verifyMerkleSig(bytes32 digest, bytes signature) bool isValid, bytes32 keyHash
+eip712DomainDetails() string name, string version
}
class MerkleProofLib {
+verifyCalldata(bytes32[] proof, bytes32 root, bytes32 leaf) bool
}
class LibBytes {
+loadCalldata(bytes data, uint256 index) bytes32
+truncatedCalldata(bytes data, uint256 newLength) bytes
}
class EfficientHashLib {
+sha2(bytes32 digest) bytes32
}
class ECDSA {
+recoverCalldata(bytes32 digest, bytes signature) address
}
IthacaAccount ..> MerkleProofLib : uses
IthacaAccount ..> LibBytes : uses
IthacaAccount ..> EfficientHashLib : uses
IthacaAccount ..> ECDSA : uses
File-Level Changes
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Hey - I've found 3 issues, and left some high level feedback:
- The recursive use of
unwrapAndValidateSignaturefrom_verifyMerkleSigcan lead to unbounded recursion if an attacker sets the merkle flag inrootSig; consider explicitly rejecting or ignoring merkle-enabled wrapped signatures when verifying the root to avoid potential DoS or deep nesting. - The manual calldata decoding in
_verifyMerkleSigrelies on the exactabi.encode(bytes32[] proof, bytes32 root, bytes rootSig)layout; adding a brief comment documenting the expected calldata layout (offsets and lengths) or factoring the decoding into a small helper would make this less brittle and easier to maintain. - The
.ideadirectory and related IDE configuration files appear to have been committed; these should generally be removed from version control and added to.gitignoreto avoid noise and local-environment-specific artifacts in the repo.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The recursive use of `unwrapAndValidateSignature` from `_verifyMerkleSig` can lead to unbounded recursion if an attacker sets the merkle flag in `rootSig`; consider explicitly rejecting or ignoring merkle-enabled wrapped signatures when verifying the root to avoid potential DoS or deep nesting.
- The manual calldata decoding in `_verifyMerkleSig` relies on the exact `abi.encode(bytes32[] proof, bytes32 root, bytes rootSig)` layout; adding a brief comment documenting the expected calldata layout (offsets and lengths) or factoring the decoding into a small helper would make this less brittle and easier to maintain.
- The `.idea` directory and related IDE configuration files appear to have been committed; these should generally be removed from version control and added to `.gitignore` to avoid noise and local-environment-specific artifacts in the repo.
## Individual Comments
### Comment 1
<location path="src/IthacaAccount.sol" line_range="525" />
<code_context>
/// @dev Returns if the signature is valid, along with its `keyHash`.
/// The `signature` is a wrapped signature, given by
- /// `abi.encodePacked(bytes(innerSignature), bytes32(keyHash), bool(prehash))`.
+ /// `abi.encode(bytes(innerSignature), bytes32(keyHash), bool(prehash), bool(merkle))`.
function unwrapAndValidateSignature(bytes32 digest, bytes calldata signature)
public
</code_context>
<issue_to_address>
**issue (bug_risk):** Signature encoding comment likely mismatches the actual layout used by the parsing logic.
The parser still assumes a fixed 0x22-byte trailer (`32 bytes keyHash + 1 prehash + 1 merkle`) and slices with `signature.length - 0x22` using `LibBytes.loadCalldata`. That only matches a tightly packed layout (e.g. `abi.encodePacked(inner, keyHash, prehash, merkle)`), not `abi.encode` with 32-byte–padded bools that won’t sit in the last 2 bytes. Either update the extraction indices to match `abi.encode`, or keep the packed layout and update the docstring so callers don’t encode signatures incorrectly.
</issue_to_address>
### Comment 2
<location path="src/IthacaAccount.sol" line_range="542-549" />
<code_context>
+ bool merkle;
unchecked {
- uint256 n = signature.length - 0x21;
+ uint256 n = signature.length - 0x22;
keyHash = LibBytes.loadCalldata(signature, n);
signature = LibBytes.truncatedCalldata(signature, n);
// Do the prehash if last byte is non-zero.
if (uint256(LibBytes.loadCalldata(signature, n + 1)) & 0xff != 0) {
digest = EfficientHashLib.sha2(digest); // `sha256(abi.encode(digest))`.
}
+ merkle = uint256(LibBytes.loadCalldata(signature, n + 2)) & 0xff != 0;
+ }
+
</code_context>
<issue_to_address>
**suggestion (bug_risk):** No explicit length checks before subtracting 0x22 can underflow for malformed or short signatures.
This implicitly assumes `signature.length >= 0x22`. If `signature.length < 0x22` (malformed or adversarial input), `n` underflows in the `unchecked` block, becomes a huge value, and `LibBytes.loadCalldata`/`truncatedCalldata` then use nonsensical offsets. Consider adding a minimal length check before entering the `unchecked` block (revert or return `false`) to harden this against bad calldata without affecting the normal path.
Suggested implementation:
```
// Minimal length check to avoid underflow when computing `n = signature.length - 0x22`.
// If `signature.length < 0x22`, `n` would underflow inside the `unchecked` block.
if (signature.length < 0x22) {
revert("IthacaAccount: invalid merkle signature length");
}
bool merkle;
unchecked {
```
If your codebase prefers custom errors or reusable validation functions, you may want to:
1. Replace the string revert with a custom error, e.g. `error InvalidSignatureLength();` declared at the top of the file, and use `revert InvalidSignatureLength();` here.
2. Ensure any callers/tests that rely on this function are updated to expect a revert on malformed/short signatures instead of undefined behavior.
</issue_to_address>
### Comment 3
<location path="src/IthacaAccount.sol" line_range="493-502" />
<code_context>
+ function _verifyMerkleSig(bytes32 digest, bytes calldata signature)
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Assembly decoding of the Merkle signature does not guard against inconsistent or truncated ABI-encoding.
This assembly decoding assumes a correctly formed `abi.encode(bytes32[] proof, bytes32 root, bytes rootSig)` payload, but never checks that `proofOffset` and `rootSigOffset` stay within `signature.offset + signature.length`. With a short or malformed `signature`, the derived `proof.length` / `rootSig.length` can become garbage and cause `MerkleProofLib.verifyCalldata` / `unwrapAndValidateSignature` to read arbitrary calldata. Please add a cheap length precondition and bounds checks on the computed offsets before using the decoded lengths.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Code Review
This pull request introduces Merkle tree-based signature verification to the IthacaAccount contract, allowing for more flexible authorization structures. The implementation includes a new internal verification function using assembly and updates the signature format to include a Merkle flag, with corresponding updates to the test suite and benchmarks. Feedback focuses on critical safety improvements in the signature parsing logic, specifically addressing potential underflows and out-of-bounds reads caused by missing length checks and the improper sequencing of calldata truncation. Additionally, several IDE-specific cache files were committed and should be removed to maintain repository hygiene.
* Update issue templates * Update .github/ISSUE_TEMPLATE/feature_request.md Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update .github/ISSUE_TEMPLATE/bug_report.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update .github/ISSUE_TEMPLATE/bug_report.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update .github/ISSUE_TEMPLATE/custom.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* feat: add ERC20 transfer benchmark for Porto with passkey Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate passkey authentication costs from spend limit enforcement costs. - Uses secp256k1 passkey for transaction signing - Sets execution permissions for ERC20 transfers - Requires spend limits (set to max) for passkey operations - Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits) - Provides clean measurement of passkey overhead (~19k gas) Resolves ithacaxyz#272 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> * feat: allow early refunds by recipient in escrow * feat: add callSansTo support to ERC7821 execute * chore: improvements and fixes to ERC7821Ithaca * chore: add address(0) replacement to new compute digest * fix: sanitize upper bits before checking replacement + tests * feat: do not add replay safe wrapper if sig is eoa * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * chore: use `auto-assign-pr.yml` org action * fix: combine improvements from PRs ithacaxyz#357, ithacaxyz#314, and ithacaxyz#379 Combines the following fixes: - PR ithacaxyz#357: Replace SuperAdminCanSpendAnything with SuperAdminCanExecuteEverything in setCallChecker - PR ithacaxyz#314: Fix typos across codebase (overriden→overridden, Calcualated→Calculated, etc.) - PR ithacaxyz#379: Correct inline comment about approval amount (20-byte all-ones, not type(uint256).max) Co-Authored-By: GarmashAlex <noreply@github.com> Co-Authored-By: sukrucildirr <noreply@github.com> Co-Authored-By: Forostovec <noreply@github.com> 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: subaccount design using spend function * test: complete subaccount flow with unit test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: fix and simplify multichain design (ithacaxyz#327) * feat: simplify multichain nonce design * chore: readd merkle verification prefix * chore: undo blank line addns * chore: lint * chore: redundant multichain bool * fix: lint * . * feat: remove intent struct (ithacaxyz#365) * feat: simplify multichain nonce design * chore: readd merkle verification prefix * chore: undo blank line addns * chore: lint * . * ~50 failing tests down to 5 * down to 1 failing test * fixed failing test * chore: remove console logs and bench * . * Update test/Base.t.sol * Update src/Orchestrator.sol * Update test/utils/mocks/MockPayerWithSignatureOptimized.sol * chore: final cleanup, rebench * Update src/Orchestrator.sol * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount,Orchestrator,SimpleFunder,Simulator * chore: cleanup * rebase * fix --------- Co-authored-by: GitHub Action <action@github.com> * feat: native merkle sig verification in Account * chore: fmt * chore: unify merkle sig flow for orchestrator multi chain intents * chore: bump contract versions due to bytecode changes - Contracts updated: Orchestrator,SimpleFunder,Simulator * Add .circleci/config.yml (#1) Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow CI: Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * save local changes before merge * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. * Create CNAME (#9) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#10) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Potential fix for code scanning alert no. 3: Workflow does not contain permissions (#15) https://github.com/Dargon789/account/security/code-scanning/3 Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update ci.yaml (#16) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Delete CNAME * Update Brutalizer.sol * Potential fix for code scanning alert no. 2: Workflow does not contain permissions (#17) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Refactor deployment scripts and update configs Migrates deployment scripts to use fork-based configuration loading, removes legacy CircleCI and GitHub workflow files, and introduces a registry-based contract deployment record. Updates .env.example, README, and foundry configuration. Removes LayerZero vendor and test files, adds devtools submodule, and improves LayerZeroSettler configuration logic for multi-chain deployments. * Fix commit user email format in CI workflow (#18) 30a2096 Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Potential fix for code scanning alert no. 4: Workflow does not contain permissions (#19) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#20) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update ci.yaml (#21) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Master (#22) * Merge branch 'master' (#8) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Revert "fix vm block accoount (#11)" (#13) Reverts #11 Summary by Sourcery CI: Update the Forge test command in the CI workflow to enable reruns and increase verbosity. This reverts commit 942017f. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Refactor function signatures and formatting for consistency Updated function signatures in IFunder and SimpleFunder for single-line style, and improved code formatting in IthacaAccount, test/Account.t.sol, test/Benchmark.t.sol, and test/LayerZeroSettler.t.sol for readability and consistency. No logic changes were made. * Add Multicall3 simulation support to Simulator Introduces Multicall3 simulation methods in Simulator.sol, enabling simulation of orchestrator calls with pre-execution calls via Multicall3. Adds IMulticall3 interface, updates related tests to cover multicall simulation flows, and includes minor formatting and interface signature changes for consistency. * feat: add multicall to simulator (ithacaxyz#402) (#24) * feat: add multicall to simulator (ithacaxyz#402) * feat: add multicall to simulator * chore: add gas test * chore: review fixes * chore: fmt contracts and update gas snapshots * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) --------- Co-authored-by: howy <132113803+howydev@users.noreply.github.com> Co-authored-by: Roberto Delgado Ferrezuelo <108575058+robertodf99@users.noreply.github.com> * Fix commit user email formatting in CI workflow Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Revert "feat: add multicall to simulator (ithacaxyz#402) (#24)" (#26) This reverts commit 1aef318. * Delete .circleci directory (#27) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * # Default ignored files * Potential fix for code scanning alert no. 3: Workflow does not contain permissions (#32) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * .snapshot_worktree * Delete .idea directory (#35) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * pre-commit * pre-commit * deploy execute_config.sh * Update forge-std * Update check-bytecode-changes.js * pre-commit * chore: bump contract versions due to bytecode changes * chore: bump contract versions due to bytecode changes * chore: bump contract versions due to bytecode changes contracts update * v0.5.11 * chore: unify merkle sig flow for orchestrator multi chain intents * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) * Refactor function signatures and formatting for consistency * Legion (#38) * feat: add ERC20 transfer benchmark for Porto with passkey Add testERC20TransferViaPortoOrchestratorWithPasskey() benchmark to isolate passkey authentication costs from spend limit enforcement costs. - Uses secp256k1 passkey for transaction signing - Sets execution permissions for ERC20 transfers - Requires spend limits (set to max) for passkey operations - Gas cost: 116,094 (vs 97,030 without passkey, 117,083 with restrictive limits) - Provides clean measurement of passkey overhead (~19k gas) Resolves ithacaxyz#272 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> * feat: allow early refunds by recipient in escrow * feat: add callSansTo support to ERC7821 execute * chore: improvements and fixes to ERC7821Ithaca * chore: add address(0) replacement to new compute digest * fix: sanitize upper bits before checking replacement + tests * feat: do not add replay safe wrapper if sig is eoa * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * chore: use `auto-assign-pr.yml` org action * fix: combine improvements from PRs ithacaxyz#357, ithacaxyz#314, and ithacaxyz#379 Combines the following fixes: - PR ithacaxyz#357: Replace SuperAdminCanSpendAnything with SuperAdminCanExecuteEverything in setCallChecker - PR ithacaxyz#314: Fix typos across codebase (overriden→overridden, Calcualated→Calculated, etc.) - PR ithacaxyz#379: Correct inline comment about approval amount (20-byte all-ones, not type(uint256).max) Co-Authored-By: GarmashAlex <noreply@github.com> Co-Authored-By: sukrucildirr <noreply@github.com> Co-Authored-By: Forostovec <noreply@github.com> 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: subaccount design using spend function * test: complete subaccount flow with unit test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * feat: fix and simplify multichain design (ithacaxyz#327) * feat: simplify multichain nonce design * chore: readd merkle verification prefix * chore: undo blank line addns * chore: lint * chore: redundant multichain bool * fix: lint * . * feat: remove intent struct (ithacaxyz#365) * feat: simplify multichain nonce design * chore: readd merkle verification prefix * chore: undo blank line addns * chore: lint * . * ~50 failing tests down to 5 * down to 1 failing test * fixed failing test * chore: remove console logs and bench * . * Update test/Base.t.sol * Update src/Orchestrator.sol * Update test/utils/mocks/MockPayerWithSignatureOptimized.sol * chore: final cleanup, rebench * Update src/Orchestrator.sol * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount,Orchestrator,SimpleFunder,Simulator * chore: cleanup * rebase * fix --------- Co-authored-by: GitHub Action <action@github.com> * feat: native merkle sig verification in Account * chore: fmt * chore: unify merkle sig flow for orchestrator multi chain intents * chore: bump contract versions due to bytecode changes - Contracts updated: Orchestrator,SimpleFunder,Simulator * Add .circleci/config.yml (#1) Add CircleCI configuration file to set up a basic pipeline with a say-hello job and workflow CI: Add .circleci/config.yml to define a say-hello job that checks out the code and prints a greeting using the cimg/base Docker image Add a workflow to orchestrate the say-hello job under the CircleCI 2.1 engine * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. * Create CNAME (#9) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME * Revert "Merge branch 'master'" This reverts commit 6c02fbf, reversing changes made to a317ddb. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#10) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Potential fix for code scanning alert no. 3: Workflow does not contain permissions (#15) https://github.com/Dargon789/account/security/code-scanning/3 Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update ci.yaml (#16) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Delete CNAME * Update Brutalizer.sol * Potential fix for code scanning alert no. 2: Workflow does not contain permissions (#17) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Refactor deployment scripts and update configs Migrates deployment scripts to use fork-based configuration loading, removes legacy CircleCI and GitHub workflow files, and introduces a registry-based contract deployment record. Updates .env.example, README, and foundry configuration. Removes LayerZero vendor and test files, adds devtools submodule, and improves LayerZeroSettler configuration logic for multi-chain deployments. * Fix commit user email format in CI workflow (#18) 30a2096 Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Potential fix for code scanning alert no. 4: Workflow does not contain permissions (#19) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#20) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Update ci.yaml (#21) reback use test CI and automation chores (ithacaxyz#394) 7dd8a5d Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Master (#22) * Merge branch 'master' (#8) * Update ci.yaml (#2) CI: Update Forge test command to use --rerun and increase verbosity to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#4) Enhance the CI test step to automatically rerun failed tests and increase verbosity in Forge. CI: Enable the --rerun flag for Forge tests to retry failures automatically Increase Forge test verbosity from -vvv to -vvvvv Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml (#5) Change Forge test invocation from "forge test --rerun -vvvvv" to "forge test -vvv" Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Create CNAME --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Revert "fix vm block accoount (#11)" (#13) Reverts #11 Summary by Sourcery CI: Update the Forge test command in the CI workflow to enable reruns and increase verbosity. This reverts commit 942017f. --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Update ci.yaml Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * Refactor function signatures and formatting for consistency Updated function signatures in IFunder and SimpleFunder for single-line style, and improved code formatting in IthacaAccount, test/Account.t.sol, test/Benchmark.t.sol, and test/LayerZeroSettler.t.sol for readability and consistency. No logic changes were made. * Delete .circleci directory (#27) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * # Default ignored files * .snapshot_worktree * Delete .idea directory (#35) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> * pre-commit * pre-commit * deploy execute_config.sh * Update forge-std * Update check-bytecode-changes.js * pre-commit * chore: bump contract versions due to bytecode changes * chore: bump contract versions due to bytecode changes * chore: bump contract versions due to bytecode changes contracts update * v0.5.11 * chore: unify merkle sig flow for orchestrator multi chain intents * test: add tests for getContextKeyHash in Account.t.sol (ithacaxyz#412) * Refactor function signatures and formatting for consistency --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: howy <132113803+howydev@users.noreply.github.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: o-az <omaraziz.dev@proton.me> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com> * Add .idea configs and tweak .env comments Add IntelliJ IDEA project files under .idea and lib/.idea (modules, caches, iml, vcs, and a .gitignore) and update the lib/forge-std gitlink (submodule) reference. Also adjust .env.example by removing spaces before inline comments on RPC URLs (UPGRADE_TEST_RPC_URL, RPC_1, RPC_11155111) to standardize formatting. * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero-v2 * Update LayerZero-v2 --------- Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tanishk Goyal <legion2002@users.noreply.github.com> Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: howy <132113803+howydev@users.noreply.github.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: o-az <omaraziz.dev@proton.me> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: John Doe <jdoe@email.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Roberto Delgado Ferrezuelo <108575058+robertodf99@users.noreply.github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * pre-commit * deploy execute_config.sh * Update forge-std * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero submodule & remove exec bits Normalize file permissions and advance submodule: change file modes from executable (100755) to non-executable (100644) for deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js. Update lib/LayerZero-v2 submodule commit from 88428755be6caa71cb1d2926141d73c8989296b5 to ab9b083410b9359285a5756807e1b6145d4711a7. * Update LayerZero-v2 * Update LayerZero-v2 --------- Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
* feat: add merkle sigs natively into the account * fix: tests * test: add more sophisticated fuzz test * chore: bump contract versions due to bytecode changes - Contracts updated: IthacaAccount * pre-commit * deploy execute_config.sh * Update forge-std * Normalize file modes and update forge-std submodule Remove executable bit from deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js (mode 100755 → 100644). Update lib/forge-std submodule from commit c2cf7017d27c1d20e74ace4dacb6c5ce4bbbe899 to 07853315f998f94dc724e464b1bab1270888ee64. No other content changes. * Update LayerZero submodule & remove exec bits Normalize file permissions and advance submodule: change file modes from executable (100755) to non-executable (100644) for deploy/execute_config.sh, deploy/verify_config.sh, and prep/check-bytecode-changes.js. Update lib/LayerZero-v2 submodule commit from 88428755be6caa71cb1d2926141d73c8989296b5 to ab9b083410b9359285a5756807e1b6145d4711a7. * Update LayerZero-v2 * Update LayerZero-v2 * clear && forge fmt && forge snapshot clear && forge fmt && forge snapshot --isolate --match-contract Benchmark --via-ir && git add snapshots --------- Co-authored-by: Tanishk Goyal <goyaltanishk02@gmail.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: googleworkspace-bot <googleworkspace-bot@google.com>
…s' into IthacaAccount
36bd206
into
Dargon789-Refactor-deployment-scripts-and-update-configs
Summary by Sourcery
Add Merkle tree–based signature support to IthacaAccount and update tests and benchmarks for the extended wrapped-signature format.
New Features:
Enhancements:
Tests:
Chores: