fix(cancelOrders): reject orders that span different protocol addresses #1976

Open
Nexory wants to merge 1 commit into ProjectOpenSea:main from Nexory:fix/cancelorders-reject-mixed-protocol

Nexory commented Jun 11, 2026

What

cancelOrders rejects a batch of orders that span more than one Seaport protocol address, instead of silently cancelling only one protocol's orders.

Why

cancelOrders builds a single transaction to one Seaport contract, but it derives the target protocol with a last-write-wins loop over the orders:

let effectiveProtocolAddress = protocolAddress
orderComponents = orders.map(order => {
  if ("protocolData" in order) {
    requireValidProtocol(orderV2.protocolAddress)
    effectiveProtocolAddress = orderV2.protocolAddress // overwritten each iteration
    ...

There are two valid protocol addresses (CROSS_CHAIN_SEAPORT_V1_6_ADDRESS and ALTERNATE_SEAPORT_V1_6_ADDRESS in VALID_PROTOCOL_ADDRESSES), so a batch that mixes them passes requireValidProtocol for every order. effectiveProtocolAddress ends as the last order's protocol, and the single cancel transaction goes to that one contract with all of the order components. The orders that belong to the other protocol are sent to the wrong contract and are not cancelled, so they remain live and fillable, while the caller believes every order in the batch was cancelled.

Change

Before building the transaction, reject when the provided orders span more than one protocol address, with a message telling the caller to cancel each protocol separately. The check runs with the other up-front input validation so it fails fast.

Tests

Adds a regression test (test/sdk/cancelOrders.spec.ts). Against the current code it fails (the mixed-protocol batch is not rejected; it falls through to the account check):

AssertionError: expected 'Specified accountAddress is not avail...' to contain 'same protocolAddress'

With the fix it passes (the batch is rejected up front). tsc --noEmit and biome check are clean on the changed files.

cancelOrders sends a single transaction to one Seaport contract, but it
derived the target protocol with a last-write-wins loop over the orders'
protocolAddress. Two valid protocols exist (CROSS_CHAIN_SEAPORT_V1_6 and
ALTERNATE_SEAPORT_V1_6), so a batch mixing them passed validation and
cancelled only the last protocol's orders. The rest were sent to the
wrong contract and silently left live (still fillable), while the caller
believed every order was cancelled.

Reject up front when the provided orders span more than one protocol
address, so the caller cancels each protocol separately instead of
getting a silent partial cancel. Adds a regression test.
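
The failure mode and the up-front check described in this pull request, as an added TypeScript example that is not the SDK's code or the PR's patch. The addresses are constructed placeholders, the names `OrderLike`, `requireValid`, `lastWriteWinsTarget`, `misroutedOrders` and `singleProtocolTarget` are hypothetical, and lowercasing addresses before comparing them is an assumption of this sketch.

```typescript
// Constructed placeholder addresses (not the real Seaport deployments).
const PROTOCOL_A = "0x00000000000000000000000000000000000000a1";
const PROTOCOL_B = "0x00000000000000000000000000000000000000b2";
const VALID_PROTOCOL_ADDRESSES: string[] = [PROTOCOL_A, PROTOCOL_B];

// Hypothetical minimal order shape for this example.
interface OrderLike { orderHash: string; protocolAddress: string }

function requireValid(address: string): void {
  if (VALID_PROTOCOL_ADDRESSES.indexOf(address.toLowerCase()) === -1) {
    throw new Error("Unsupported protocol address: " + address);
  }
}

// Pattern described in the PR: each address passes validation on its own,
// and the last order decides where the single cancel transaction is sent.
function lastWriteWinsTarget(orders: OrderLike[], fallback: string): string {
  let effective = fallback;
  for (const order of orders) {
    requireValid(order.protocolAddress);
    effective = order.protocolAddress; // overwritten each iteration
  }
  return effective;
}

// Hashes of orders whose protocol differs from the contract being called.
function misroutedOrders(orders: OrderLike[], target: string): string[] {
  return orders
    .filter((o) => o.protocolAddress.toLowerCase() !== target.toLowerCase())
    .map((o) => o.orderHash);
}

// Up-front check: collect the distinct protocol addresses and reject a
// mixed batch before any transaction is built.
function singleProtocolTarget(orders: OrderLike[], fallback: string): string {
  const distinct: string[] = [];
  for (const order of orders) {
    requireValid(order.protocolAddress);
    const normalized = order.protocolAddress.toLowerCase();
    if (distinct.indexOf(normalized) === -1) distinct.push(normalized);
  }
  if (distinct.length > 1) {
    throw new Error("All orders must use the same protocolAddress; cancel each protocol separately");
  }
  return distinct[0] ?? fallback;
}

// Constructed sample batch that mixes both valid protocols.
const MIXED_BATCH: OrderLike[] = [
  { orderHash: "0xorder-a", protocolAddress: PROTOCOL_A },
  { orderHash: "0xorder-b", protocolAddress: PROTOCOL_B },
];
```

On `MIXED_BATCH`, the last-write-wins helper targets `PROTOCOL_B` and `misroutedOrders` reports `0xorder-a` as sent to the wrong contract, while `singleProtocolTarget` throws before anything is sent.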