fix(cancelOrders): reject orders that span different protocol addresses#1976
Open
Nexory wants to merge 1 commit into
Open
fix(cancelOrders): reject orders that span different protocol addresses#1976Nexory wants to merge 1 commit into
Nexory wants to merge 1 commit into
Conversation
cancelOrders sends a single transaction to one Seaport contract, but it derived the target protocol with a last-write-wins loop over the orders' protocolAddress. Two valid protocols exist (CROSS_CHAIN_SEAPORT_V1_6 and ALTERNATE_SEAPORT_V1_6), so a batch mixing them passed validation and cancelled only the last protocol's orders. The rest were sent to the wrong contract and silently left live (still fillable), while the caller believed every order was cancelled. Reject up front when the provided orders span more than one protocol address, so the caller cancels each protocol separately instead of getting a silent partial cancel. Adds a regression test.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
cancelOrdersrejects a batch of orders that span more than one Seaport protocol address, instead of silently cancelling only one protocol's orders.Why
cancelOrdersbuilds a single transaction to one Seaport contract, but it derives the target protocol with a last-write-wins loop over the orders:There are two valid protocol addresses (
CROSS_CHAIN_SEAPORT_V1_6_ADDRESSandALTERNATE_SEAPORT_V1_6_ADDRESSinVALID_PROTOCOL_ADDRESSES), so a batch that mixes them passesrequireValidProtocolfor every order.effectiveProtocolAddressends as the last order's protocol, and the single cancel transaction goes to that one contract with all of the order components. The orders that belong to the other protocol are sent to the wrong contract and are not cancelled, so they remain live and fillable, while the caller believes every order in the batch was cancelled.Change
Before building the transaction, reject when the provided orders span more than one protocol address, with a message telling the caller to cancel each protocol separately. The check runs with the other up-front input validation so it fails fast.
Tests
Adds a regression test (
test/sdk/cancelOrders.spec.ts). Against the current code it fails (the mixed-protocol batch is not rejected; it falls through to the account check):With the fix it passes (the batch is rejected up front).
tsc --noEmitandbiome checkare clean on the changed files.