Skip to content

Bump js-yaml from 4.1.0 to 4.1.1#2

Closed
dependabot[bot] wants to merge 56 commits into
masterfrom
dependabot/npm_and_yarn/js-yaml-4.1.1
Closed

Bump js-yaml from 4.1.0 to 4.1.1#2
dependabot[bot] wants to merge 56 commits into
masterfrom
dependabot/npm_and_yarn/js-yaml-4.1.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Nov 26, 2025

Copy link
Copy Markdown

Bumps js-yaml from 4.1.0 to 4.1.1.

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

circle-terraform-github Bot and others added 30 commits July 29, 2025 16:49
## Summary

Most of the diff here is from adding `yarn.lock` for `solhint` and this
is otherwise mostly copied from evm-cctp-contracts. This mainly adds
- base forge project structure (w/ default `Counter`
contract/script/test)
- basic makefile
- basic CI job
- `solhint` linter support and `mythril` static analyzer support
- OpenZeppelin and forge-std starter dependencies
- `.licenseignore` for dependencies with multiple licenses (safe, but
not processed correctly by the scan action)

#

**Story:** https://circlepay.atlassian.net/browse/CCTPE-1991
Adds the interface as specified in the [contract
requirements](https://circlepay.atlassian.net/wiki/x/MABIig).
This PR updates the project Solidity version from 0.8.20 to 0.7.6 to
match CCTP. This will allow for reuse of library functions and
interfaces.
This PR adds the IHypercoreCctpUsdcForwarder and implementation Stubs
that immediately revert
Updates OpenZeppelin to the `8e029609` commit corresponding with the
version used in evm-cctp-contracts-private. Also updates vscode settings
to be the same as
https://github.com/circlefin/evm-cctp-contracts-private/blob/master/.vscode/settings.json
(except olympix configuration, which isn't enabled currently).
## Summary

Implements CoreDepositWallet `deposit`, `depositFor`, and `transfer`
functions. This is a partial implementation of these features, as this
is still pending 1) initializer configuration 2) tests 3) additional
comments on the interface contract, but will merge for now to unblock
admin role setup.

#

**Story:** https://circlepay.atlassian.net/browse/CCTPE-1999
## Overview 
This PR implements the Hypercore CCTP Forwarder. It roughly goes through
the following steps:

1. Validate message is a valid CCTP mint.
2. Fetches the mint `localToken` by querying CCTP contracts (as decoded
from the message) with the decoded sourceDomain and burnToken.
3. Retrieves the `forwardingAddress` from local mapping. (This mapping
is permissioned via `owner`.)
4. Mints the token by calling receiveMessage on CCTP. Manually keeps
track of self token balance change by calling
`localToken.balanceOf(self)`.
5. Approves the forwardingAddress by the amount previously calculated.
6. Calls `forwardingAddress.depositFor(...)`.

## Interface

```solidity
function mintAndForward(
    bytes calldata message,
    bytes calldata attestation
) external;

function addTokenForwardingAddress(
    address token,
    address forwardingAddress
) external;

function removeTokenForwardingAddress(address token) external;
```

## TODO

 - Inherit `Ownable` and apply to admin functions. Tesets.
 - Inherit `Rescuable`. Tests.
 - Implement deployment script(s) and tests.
 - Integration test with CCTP?
This PR adds Pausable, Rescuable, and Ownable2Step roles and role tests
to the `CoreDepositWallet` contract. It also adds constructor,
initializer, and proxy tests.
Quick follow to my previous PR that updates a revert comment in
depositFor
**Description:**

Add the ICctpExtension contract interface. 

**Testing:**
N/A
… functionality (#14)

## Summary

Adds the required token blacklist check for `depositFor` and adds tests
to `CoreDepositWallet.t.sol` to cover deposit/transfer functionality.

## Details

* Adds `IBlacklistableERC20` interface for the `token` type in
`CoreDepositWallet` - this is necessary to reconcile differences in
Solidity versions between these contracts and the `Blacklistable`
interface defined in `evm-stablecoin`.
* Adds function natspec to `ICoreDepositWallet`.
* Adds `MockBlacklistableMintBurnToken` derived from the CCTP contracts'
`MockMintBurnToken` to test blacklist checks.

## Testing

Adds the following tests for `CoreDepositWallet` to reach 100% coverage:

* `deposit`
  * `testDeposit_succeeds`
  * `testDeposit_revertsWhenTransferFails`
* `depositFor`
  * `testDepositFor_succeeds`
  * `testDepositFor_revertsWhenTransferFails`
  * `testDepositFor_revertsWhenRecipientIsZeroAddress`
  * `testDepositFor_revertsWhenRecipientIsSystemAddress`
  * `testDepositFor_revertsWhenRecipientIsCoreDepositWallet`
  * `testDepositFor_revertsWhenRecipientBlocklisted`
* `transfer`
  * `testTransfer_succeeds`
  * `testTransfer_revertsWhenSenderIsNotSystemAddress`
  * `testTransfer_revertsWhenToIsSystemAddress`
  * `testTransfer_revertsWhenTransferFails`
  * `testTransfer_revertsWhenPaused` 

These tests already existed: `testDeposit_revertsWhenPaused`,
`testDeposit_revertsWithZeroAmount`, `testDepositFor_revertsWhenPaused`,
`testDepositFor_revertsWithZeroAmount`, and
`testTransfer_revertsWhenPaused`.

#

**Story:** <https://circlepay.atlassian.net/browse/CCTPE-1999>
## Overview

This PR implements the deployment scripts for the smart contracts.

 - Added separate scripts for implementations and proxies.
- Implemented the logic for deploying the `CctpForwarder` and
`CoreDepositWallet` contracts.

## Tests
 - Added tests for CctpForwarder around initialization.
 - Injected the deployment scripts directly into the test setups.
 - Added tests for the scripts to verify inputs vs deployed state.
**Description:**
* Add `CctpExtension` contract
* Implement the `CctpExtension` constructor
* Test the `CctpExtension` contract constructor
* Add the mock contracts needed by the `CctpExtension`  contract
* Minor test fixes

**Todo**

- [ ] Implement and test the `batchDepositForBurnWithAuth` function
- [ ] Add/Update the deployment script
- [ ] Add documentation
This PR adds the `Ownable2Step` and `Rescuer` roles to `CctpForwarder`.
Additionally, it enforces `onlyOwner` on `addTokenForwardingAddress` and
`removeTokenForwardingAddress`.

Additionally, I added proxy and constructor tests to get us up to 100%
coverage
## Summary

Adds support for the `depositWithAuth` function in `CoreDepositWallet`.
Also renames `IBlacklistableERC20` to `IDepositableToken` to be a bit
more general with the added requirements (blacklistable, ERC20, EIP3009
support).

## Testing

Added `testDepositWithAuth_succeeds`,
`testDepositWithAuth_revertsWhenPaused`,
`testDepositWithAuth_revertsWithZeroAmount` and
`testDepositWithAuth_revertsWhenReceiveFails` test cases. Updated
coverage below:

```
Ran 5 test suites in 3.10s (7.10s CPU time): 95 tests passed, 0 failed, 0 skipped (95 total tests)

╭----------------------------------------+------------------+-------------------+-----------------+----------------╮
| File                                   | % Lines          | % Statements      | % Branches      | % Funcs        |
+==================================================================================================================+
| scripts/DeployImplementations.s.sol    | 100.00% (14/14)  | 100.00% (11/11)   | 100.00% (0/0)   | 100.00% (3/3)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| scripts/DeployProxies.s.sol            | 100.00% (26/26)  | 100.00% (24/24)   | 100.00% (0/0)   | 100.00% (4/4)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| src/CctpExtension.sol                  | 90.91% (10/11)   | 100.00% (9/9)     | 100.00% (8/8)   | 50.00% (1/2)   |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| src/CctpForwarder.sol                  | 100.00% (60/60)  | 100.00% (60/60)   | 100.00% (28/28) | 100.00% (9/9)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| src/CoreDepositWallet.sol              | 100.00% (35/35)  | 100.00% (27/27)   | 100.00% (28/28) | 100.00% (8/8)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| src/messages/CctpForwarderHookData.sol | 100.00% (5/5)    | 100.00% (5/5)     | 100.00% (4/4)   | 100.00% (1/1)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| src/roles/Rescuable.sol                | 100.00% (14/14)  | 100.00% (8/8)     | 100.00% (4/4)   | 100.00% (6/6)  |
|----------------------------------------+------------------+-------------------+-----------------+----------------|
| Total                                  | 99.39% (164/165) | 100.00% (144/144) | 100.00% (72/72) | 96.97% (32/33) |
╰----------------------------------------+------------------+-------------------+-----------------+----------------╯
✨  Done in 7.95s.
```
# 

**Story:** <https://circlepay.atlassian.net/browse/CCTPE-2105>
This PR adds an `emitsEvents` test to the `Forwarder` and checks to
ensure `Initialized` is emitted
**Description:**
* Implement the `batchDepositForBurn` function.


**NOTE:** There seems to be a test coverage issue where forge thinking
that there is only 50% of coverage on the branching but I have clearly
tested all branches in the tests and I don't think my tests are failing
either! I will look into this further!!

Metric | Coverage | Status
-- | -- | --
Lines | 100% (9/9) | ✅ Excellent
Statements | 100% (10/10) | ✅ Excellent
Branches | 50% (1/2) | ⚠️ Needs Improvement
Functions | 100% (1/1) | ✅ Excellent

<br class="Apple-interchange-newline">

**Todo:**
- [ ] Add tests for the contract roles
- [ ] Add/Update the deployment script
- [ ] Add documentation
**Description:**
* Add the `CctpExtension` roles tests
## Summary

Updates the `depositFor(address sender, address recipient, uint256
amount)` interface to `depositFor(address recipient, uint256 amount)`
per Slack discussion to draw funds from `msg.sender` instead.

## Testing

Updated relevant test cases, maintained full coverage:

```
Ran 5 test suites in 7.21s (20.18s CPU time): 115 tests passed, 0 failed, 0 skipped (115 total tests)

╭----------------------------------------+-------------------+-------------------+-----------------+-----------------╮
| File                                   | % Lines           | % Statements      | % Branches      | % Funcs         |
+====================================================================================================================+
| scripts/DeployImplementations.s.sol    | 100.00% (14/14)   | 100.00% (11/11)   | 100.00% (0/0)   | 100.00% (3/3)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| scripts/DeployProxies.s.sol            | 100.00% (26/26)   | 100.00% (24/24)   | 100.00% (0/0)   | 100.00% (4/4)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CctpExtension.sol                  | 100.00% (23/23)   | 100.00% (23/23)   | 100.00% (10/10) | 100.00% (2/2)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CctpForwarder.sol                  | 100.00% (60/60)   | 100.00% (60/60)   | 100.00% (28/28) | 100.00% (9/9)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CoreDepositWallet.sol              | 100.00% (35/35)   | 100.00% (27/27)   | 100.00% (28/28) | 100.00% (8/8)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/messages/CctpForwarderHookData.sol | 100.00% (5/5)     | 100.00% (5/5)     | 100.00% (4/4)   | 100.00% (1/1)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/roles/Rescuable.sol                | 100.00% (14/14)   | 100.00% (8/8)     | 100.00% (4/4)   | 100.00% (6/6)   |
|----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| Total                                  | 100.00% (177/177) | 100.00% (158/158) | 100.00% (74/74) | 100.00% (33/33) |
╰----------------------------------------+-------------------+-------------------+-----------------+-----------------╯
✨  Done in 12.56s.

```
…nsion contract (#21)

# Overview
- Changed the deploy scripts to use CREATE2 for all implementations and
proxies. Proxies are deployed with the same method as CCTP V2 such that
their addresses are independent of the implementation.
 - Reorganized deploy scripts by contract.
 - Added script and tests for `CctpExtension` contract.
 - Updated readme and related instructions.
 - Added prediction script for CREATE2 addresses.
…sted runners (#22)

This PR migrates GitHub Actions workflows from GitHub-hosted runners to
self-hosted runners as part of infrastructure modernization. The change
switches from using GitHub's standard ubuntu-latest runner to a custom
large-dind-spot self-hosted runner.

- Updates CI workflow to use self-hosted runner infrastructure
- Replaces ubuntu-latest with large-dind-spot runner
Adding Olympix scanner workflow.

---------

Co-authored-by: Khalid Aliweh <kaliweh@circle.com>
## Summary
We switched over the ci workflows to use self hosted runners in this PR:
circlefin/hyperevm-circle-contracts-private#22

But the runner type we chose is maxing out on cpu causing long build and
test times. Let's revert to self hosted runners for now.

Full context:
https://circlefin.slack.com/archives/CQA25PXR8/p1756133045775629

Ref:
https://app.datadoghq.com/containers?query=large-dind-spot-dtpfv-runner-dkpqp&selectedTopGraph=timeseries&from_ts=1756129610144&to_ts=1756133210144&live=false

<img width="2375" height="972" alt="image"
src="https://github.com/user-attachments/assets/7415c071-9582-427f-81cb-103eccf46aba"
/>
This is a quick PR to update the commands and add a reminder in the
readme.
Remove unnecessary parameter from internal `_deposit` function
**Description:**
Change the `CctpExtension` batching behavior to only allow for equal
sized batches.

Positive side effect: The test coverage now is not confused after we
switched to a `for` loops vs the `while` loop.(shows %100 coverage on
the branches)
## Overview

This PR updates `tokenMessenger` to be immutable.

## Changes

 - Set `tokenMessenger` in **CctpForwarder** constructor.
- Verify `message.recipient == tokenMessenger` before calling
receiveMessage().
 - Update README and scripts.

## Test Coverage
```
╭-----------------------------------------+-------------------+-------------------+-----------------+-----------------╮
| File                                    | % Lines           | % Statements      | % Branches      | % Funcs         |
+=====================================================================================================================+
| scripts/DeployCctpExtension.s.sol       | 100.00% (20/20)   | 100.00% (19/19)   | 50.00% (4/8)    | 100.00% (3/3)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| scripts/DeployCctpForwarder.s.sol       | 100.00% (29/29)   | 100.00% (30/30)   | 100.00% (0/0)   | 100.00% (4/4)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| scripts/DeployCoreDepositWallet.s.sol   | 100.00% (26/26)   | 100.00% (27/27)   | 100.00% (0/0)   | 100.00% (4/4)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| scripts/PredictCreate2Deployments.s.sol | 100.00% (15/15)   | 100.00% (10/10)   | 100.00% (0/0)   | 100.00% (5/5)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CctpExtension.sol                   | 100.00% (23/23)   | 100.00% (23/23)   | 100.00% (10/10) | 100.00% (2/2)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CctpForwarder.sol                   | 100.00% (62/62)   | 100.00% (62/62)   | 100.00% (32/32) | 100.00% (9/9)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/CoreDepositWallet.sol               | 100.00% (35/35)   | 100.00% (27/27)   | 100.00% (28/28) | 100.00% (8/8)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/messages/CctpForwarderHookData.sol  | 100.00% (5/5)     | 100.00% (5/5)     | 100.00% (4/4)   | 100.00% (1/1)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| src/roles/Rescuable.sol                 | 100.00% (14/14)   | 100.00% (8/8)     | 100.00% (4/4)   | 100.00% (6/6)   |
|-----------------------------------------+-------------------+-------------------+-----------------+-----------------|
| Total                                   | 100.00% (229/229) | 100.00% (211/211) | 95.35% (82/86)  | 100.00% (42/42) |
╰-----------------------------------------+-------------------+-------------------+-----------------+-----------------╯
```

---------

Co-authored-by: Maxime Berenshteyn <maxime.berenshteyn@circle.com>
epoon-circle and others added 18 commits September 15, 2025 17:16
Small PR to update the fuzz limits to use `bound` instead of
`vm.assume`.
### Summary
- Implement a configurable new Core account fee deducted when depositing
to a non-existent HyperCore account.
- Expose a unified view of Core protocol constants, including CoreWriter
encoding and `CoreUserExists` precompile address.
- Emit a new `SendAsset` event for transparency after CoreWriter action.
- Refactor constants and naming for clarity; update tests with fuzzing
and helpers.
- Maintain proxy upgrade safety and storage compatibility for both
testnet and mainnet deployments.

### Motivation
- Deduct a small fee (default 1 USDC) for first-time Core recipients to
cover creation overhead that will be taken from the `CoreDepositWallet`
spot balance.
- Improve observability around the amount sent to the end user on
HyperCore.

### Deployment instructions
#### Testnet
- Deploy the new implementation contract and update the proxy to point
to the new implementation
- Call the `updateNewCoreAccountFee` from the `owner` wallet to set the
fee to 1 USDC

#### Mainnet
- Deploy the contract and proxy (normal process)
- The `newCoreAccountFee` will be set to the
`DEFAULT_NEW_CORE_ACCOUNT_FEE` (1 USDC) when the `initialize` is called
by the proxy.
Since `coreAmount > _newCoreAccountFee` we don't have to worry about
underflow
…ctp (#40)

Adds support for specifying a dex value, e.g. 0 for Perps, or uint32.max
for Spot, either via hyperEVM or CctpForwarder.

Implementation details:
CoreDepositWallet:
- updates deposit, depositFor, depositWithAuth to have a uint32
destinationDex param
- adds admin functions for enabling and disabling specific destination
dexes, as well as enabling/disabling all dexes. If a user's specified
dex (or all dexes) is disabled, the deposit will fall back to spot,
landing in the user's balance on Hypercore.

CctpForwarder:
- adds 4-byte destinationId to end of hook format (and forwards it to
specified forwarding address)

100% Test Coverage:
```
| src/CctpExtension.sol                       | 100.00% (26/26)  | 100.00% (29/29)   | 100.00% (16/16)  | 100.00% (2/2)   |
|---------------------------------------------+------------------+-------------------+------------------+-----------------|
| src/CctpForwarder.sol                       | 100.00% (62/62)  | 100.00% (62/62)   | 100.00% (32/32)  | 100.00% (9/9)   |
|---------------------------------------------+------------------+-------------------+------------------+-----------------|
| src/CoreDepositWallet.sol                   | 100.00% (86/86)  | 100.00% (75/75)   | 100.00% (46/46)  | 100.00% (18/18) |
|---------------------------------------------+------------------+-------------------+------------------+-----------------|
| src/messages/CctpForwarderHookData.sol      | 100.00% (6/6)    | 100.00% (6/6)     | 100.00% (4/4)    | 100.00% (1/1)   |
```
Enforce a max transfer amount of `type(uint64.max) / 100` on the
transfer to spot route, not just transfers to perp dexes.

Why:
- The maximum supply on Hypercore is the uint64 max, according to
https://docs.layerzero.network/v2/developers/hyperliquid/hyperliquid-concepts#8-the-asset-bridge-linking-evm-spot-erc20-and-core-spot-hip-1.
Since Hypercore uses 8 decimals, this means the max from HyperEVM is
uint64.max / 100. Even if Hypercore supports higher values, capping
deposits at $184 billion has no functional downside

Gas implications:
- insignificant because HyperEVM, but this should slightly reduces gas
cost on the main path (deposits to perps), slightly increases gas cost
on deposits on spot, and slightly reduce contract bytecode size.
…et (#41)

## Summary

Implements contract changes for cross-chain Hyperliquid withdrawals via
`CoreDepositWallet` `coreReceiveWithData` function.

## Testing

Adds tests for `coreReceiveWithData` and max fee control functions,
maintains 100% test coverage on updated code (updated with latest commit
10/27)

```
╭---------------------------------------------+-------------------+-------------------+------------------+-----------------╮
| File                                        | % Lines           | % Statements      | % Branches       | % Funcs         |
+==========================================================================================================================+
| scripts/DeployCoreDepositWallet.s.sol       | 100.00% (27/27)   | 100.00% (28/28)   | 100.00% (0/0)    | 100.00% (4/4)   |
|---------------------------------------------+-------------------+-------------------+------------------+-----------------|
| scripts/PredictCreate2Deployments.s.sol     | 100.00% (15/15)   | 100.00% (10/10)   | 100.00% (0/0)    | 100.00% (5/5)   |
|---------------------------------------------+-------------------+-------------------+------------------+-----------------|
| src/CoreDepositWallet.sol                   | 100.00% (131/131) | 100.00% (115/115) | 100.00% (65/65)  | 100.00% (26/26) |
|---------------------------------------------+-------------------+-------------------+------------------+-----------------|
```

----

**Story:** <https://circlepay.atlassian.net/browse/CCTPE-2279>
Changes:
- Formatting changes
- Add destinationDex to the sendAsset event
- Fix comments
Updates the hook parsing logic, so if the destinationId is
omitted/malformed (less than 4 bytes), it will be set to 0. This ensures
that the funds will be forwarded to the main perps dex rather than
stuck, if, e.g., user formats a hook with only 2 zero-bytes instead of
4.

Coverage:
| src/CctpForwarder.sol | 100.00% (62/62) | 100.00% (62/62) | 100.00%
(32/32) | 100.00% (9/9) |
### 📝 Purpose
Address audit comments 

### 🔧 What Changed
1. **Constant & Struct Renaming (NON-functional)**
   * `CORE_WRITER_TOKEN_INDEX` → `CORE_TOKEN_INDEX`
   * `CORE_WRITER_SOURCE_SPOT_DEX` → `CORE_SPOT_DEX_ID`
   * `CORE_WRITER_DESTINATION_PERP_DEX` → `CORE_PERPS_DEX_ID`
* `<NAME>_ADDRESS` → `<NAME>_PRECOMPILE_ADDRESS` for pre-compile
addresses.
* `MAX_TRANSFER_VALUE_FROM_EVM` now derived from `type(uint64).max /
CORE_SCALING_FACTOR` (safer,
self-documenting).

2. **ABI / Interface tweaks (BREAKING)**
* `CoreProtocolConstants` field names updated to match the new constant
names.
   * `CctpForwardFeeUpdated` now indexes `destinationDomain`.
   * Event/struct docstrings retouched to use “core asset units”.

3. **Logic refactor (behaviour unchanged)**
* `_depositAndForwardIfDexEnabled` reorganised for readability; keeps
same branching but emits
events in clearer order.
   * Bounds-check comment and require wording polished.

4. **Tests updated**
   * Mirror renamed constants & addresses.
   * Indexing change reflected in `expectEmit`.
   * Fixed a flaky test (`testEnableDexForwarding_onlyOwner`) signature.

### 🔎 Reviewer Checklist
* Constants: verify renamed values are **identical** to previous (esp.
Perps = 0, Spot = `uint32.max`).
* MAX_TRANSFER_VALUE_FROM_EVM: confirm new calculation still equals
previous hard-coded value
(`184467440737095516`).
* Tests: verify coverage still passes; no silent logic regression.
## Purpose
– Only charge the *forwarding* fee when the burn hook is the default
“relay” hook (empty data or data that starts with the
`cctp-forward` magic prefix).
– Keep charging the *max* fee in all cases.

## What changed
### CoreDepositWallet.sol
* Replaced the internal `_calculateCrossChainWithdrawFee` with a
**public** `calculateCrossChainWithdrawFee(bytes data, uint32
destDomain)` that
* Detects “forwarding required” when `data.length == 0` **or** `data`
starts with `CCTP_FORWARD_HOOK_MAGIC_BYTES`.
* If forwarding is required: `maxFee = cctpMaxFee + (overrideForwardFee
| defaultForwardFee)`
  * Else:              `maxFee = cctpMaxFee`
* Added private helper `_startsWith(bytes calldata, bytes memory)` for
the prefix check.
* `coreReceiveWithData` now calls the new function and simplifies local
logic.
* Minor doc & comment tweaks; no-op change to scaling-factor comment.

### Tests
* Updated existing tests and added a comprehensive suite covering all
fee-calculation branches (empty data, magic prefix, non-magic
data, override fees).
* Small signature/param clean-ups where the helper is now public.

## Review Checklist
1. Fee logic
• Verify `calculateCrossChainWithdrawFee` truth-table matches business
rules.
• Confirm `_startsWith` cannot underflow/overflow on short data arrays.
2. Security
• Ensure making the function `public` does not leak sensitive
information (it’s pure view).
• Confirm comments about `destinationCaller = bytes32(0)` are still
accurate.
3. Tests
• Make sure new tests cover edge cases (empty data, prefix variants,
override update/unset paths).
### What & Why
* Adds HyperCore transaction nonce support to cross-chain withdrawals
(Jira CCTPE-2405).
• Nonce is now embedded in the CCTP hook payload and surfaced in the
`CrossChainWithdraw` event.
• Keeping the nonce on-chain lets indexers easily tie between Hypercore
and CCTP transactions.

* Replaces ad-hoc hook construction with new library
`CrossChainWithdrawalHookData`.
• Library builds & parses the full wire-format (magic-bytes, version,
len, `from`, `nonce`, user data).
• Also provides cheap helpers to decide whether forwarding is required.

* Streamlines fee calculation.
• Old `calculateCrossChainWithdrawFee(bytes, …)` → new
`calculateCrossChainWithdrawalFee(bool, …)` which takes the forwarding
flag directly.
  • Forwarding flag comes from `_isEmptyOrHasForwardingMagicBytes`.

### How it’s implemented
1. **Contract changes**
* Removed the inline hook constants; all hook logic is delegated to
`CrossChainWithdrawalHookData`.
   * `coreReceiveWithData` signature:
`coreReceiveWithData(address from, bytes32 dest, uint32 domain, uint256
amount, uint64 nonce, bytes data)`
     ‑ adds `nonce`, parameter `data` renamed `_data`.
* Builds hook with `CrossChainWithdrawalHookData._build` and determines
forwarding with library helper.
* New `calculateCrossChainWithdrawalFee(bool shouldForward, …)` replaces
the old function.
   * `CrossChainWithdraw` event extended with `uint64 indexed nonce`.
* Removed now-unused private helpers (`_shouldCrossChainForward`,
`calculateCrossChainWithdrawFee`).

2. **Interfaces / mocks / tests**
   * `ICoreDepositWallet` updated with new function signature & docs.
* All mocks/tests adjusted; tests add helper to reconstruct expected
hook bytes.
   * Test suite extended to cover new fee path and hook encoding.

### Risks / Points to review
* Correctness of the new hook encoding (`_build`) – offsets, endianess,
and length fields.
  Verify against HyperCore & CCTP specs.
* Fee path: ensure `shouldForward` is derived exactly the same as the
old logic (empty data or magic prefix).
  Edge-cases: data length <24, exactly 24 non-magic, long non-magic.
* Gas impact of additional calldata (nonce, larger hook); acceptable?
* Proper casting of `nonce` to `uint64`—overflow impossible? (HyperCore
nonce is `uint64`).
* Event/topic ordering stayed consistent after adding an extra indexed
param.

### Reviewer checklist
- [ ] Confirm library encoding matches documented format.
- [ ] Review test coverage for new paths (forwarding on/off, override
fees, short data).
- [ ] Ensure no leftover references to removed helpers or constants.

================================================================================
### What changed
1. coreReceiveWithData now **accepts hook payloads up to _and including_
1 KB (1024 bytes)**
   * `require(data.length < MAX_HOOK_DATA_SIZE)` ➜ `<=`
   * NatSpec in interface + implementation updated accordingly.
* New positive test written to verify 1024-byte payload is processed
successfully.

2.  _shouldForward early-return reorder
* Empty-payload fast-path moved before `_validateHookData` to skip
unnecessary validation and gas, while preserving behaviour.

3.  Minor documentation/clarity fixes
   * Comment typo: `CORE_USER_EXISTS_PRECOMPILE_ADDRESS` reference.
   * Tests renamed/updated to reflect new inclusive limit.
Add license as pre-requisite of open sourcing repo
### What & Why
This PR expands the unit-test suite for `CrossChainWithdrawalHookData` :

1. Structural limits (max `address`, max `uint64`, large `bytes`)
2. Accuracy of the encoded *length* field under arbitrary fuzzed payload
sizes
3. Readability improvements by replacing hard-coded numbers with named
constants.

### How
test/CrossChainWithdrawalHookData.t.sol
• Added byte-length constants (`ADDRESS_LENGTH`, `UINT64_LENGTH`,
`BYTES24_LENGTH`, `UINT32_LENGTH`) to avoid “magic” numbers.
• New test `testBuild_structuralValidation_largeValues`
– Builds a hook with the largest possible field values and compares the
raw bytes to an `abi.encodePacked` reference.
• New fuzz test `testBuild_lengthFieldAccuracy_fuzzed(uint256 len)`
  – Bounds `len` to a safe range, assembles a hook, then
    1. Reads the encoded length field via `assembly`
    2. Verifies it equals `20 + 8 + userData.length`
    3. Verifies total byte size is header + payload.

No production contracts were touched; only the test file changed.
Update README title to hyperevm-circle-contracts
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 26, 2025
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/js-yaml 4.1.1 🟢 5.2
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 1Found 4/30 approved changesets -- score normalized to 1
Maintained🟢 55 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities🟢 100 existing vulnerabilities detected
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • yarn.lock

@dependabot @github

dependabot Bot commented on behalf of github Dec 5, 2025

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/js-yaml-4.1.1 branch December 5, 2025 21:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

8 participants