Skip to content

docs(svm): document facilitator fee payer guards #546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 29, 2025
Merged

docs(svm): document facilitator fee payer guards #546

merged 1 commit into from
Oct 29, 2025

Conversation

@notorious-d-e-v
Copy link
Contributor

@notorious-d-e-v notorious-d-e-v commented Oct 29, 2025

Description

tests(svm): add fee payer validation tests and fix mocks to Instruction accounts array; chore: align high-level tests with signer-aware verification

Tests

All pass. New tests to verify that instructions with facilitator address as authority fail.

Checklist

  • I have formatted and linted my code
  • All new and existing tests pass
  • My commits are signed (required for merge) -- you may need to rebase if you initially pushed unsigned commits

@notorious-d-e-v
docs(svm): document facilitator fee payer guards; tests(svm): add fee…
77450f8 
… payer validation tests and fix mocks to Instruction accounts array; chore: align high-level tests with signer-aware verification
@cb-heimdall
Copy link

cb-heimdall commented Oct 29, 2025
edited
Loading

✅ Heimdall Review Status

Requirement Status More Info
Reviews 1/1
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@vercel
Copy link

vercel bot commented Oct 29, 2025

@notorious-d-e-v is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

marcin-cb
marcin-cb reviewed Oct 29, 2025
View reviewed changes
typescript/packages/x402/src/schemes/exact/svm/facilitator/verify.ts
verifyComputePriceInstruction(transactionMessage.instructions[1]);

// verify that the fee payer is not included in any instruction's accounts
transactionMessage.instructions.forEach(instruction => {
Copy link

@marcin-cb marcin-cb Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@notorious-d-e-v can we do this check right before we verify any instructions? So start to do it on line 201. I feel before we verify any instructions it's good to check the fee payer first.

Also, is there anything malicious that can be done with the fee payer being an account in the compute limit and price instructions? Not sure if we really have to check them. That being said, since the instructions list we are searching in is a fixed size, don't see this increasing latency with a low constant factor.

CarsonRoscoe
CarsonRoscoe approved these changes Oct 29, 2025
View reviewed changes
Copy link
Contributor

@CarsonRoscoe CarsonRoscoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merging for the sake of the fix, but I do agree with Marcin's comment about moving it up in a follow

@CarsonRoscoe CarsonRoscoe merged commit d7042f3 into coinbase:main Oct 29, 2025
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@CarsonRoscoe CarsonRoscoe CarsonRoscoe approved these changes

+1 more reviewer

@marcin-cb marcin-cb marcin-cb left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@notorious-d-e-v @cb-heimdall @CarsonRoscoe @marcin-cb