Skip to content

fix: harden EIP-7702 backend validation in sell confirmation flow#3673

Merged
davidleomay merged 4 commits intodevelopfrom
feature/harden-eip7702-validation
May 5, 2026
Merged

fix: harden EIP-7702 backend validation in sell confirmation flow#3673
davidleomay merged 4 commits intodevelopfrom
feature/harden-eip7702-validation

Conversation

@TaprootFreak
Copy link
Copy Markdown
Collaborator

@TaprootFreak TaprootFreak commented May 4, 2026

Summary

Closes #3672

Security hardening of the EIP-7702 delegation flow for RealUnit sells:

  • Signature verification: Cryptographic verification of EIP-712 delegation signature (recoverTypedDataAddress) and EIP-7702 authorization signature (recoverAuthorizationAddress) before broadcasting — prevents gas drain via garbage signatures
  • ChainId validation: Authorization chainId is validated against expected blockchain before any processing
  • Receipt confirmation: waitForTransactionReceipt (60s timeout) after broadcast — request is only marked complete if the transaction succeeds on-chain
  • Nonce lock: Sequential lock (withNonceLock) around nonce fetch + sign + broadcast prevents concurrent nonce collisions; uses blockTag: 'pending' for pending-aware nonce queries
  • Both _executeBrokerBotSellInternal and _transferTokenWithUserDelegationInternal are hardened

Test plan

  • TypeScript compiles without errors
  • All 27 EIP-7702 tests pass (including 4 new tests)
  • New tests cover: invalid delegation signature, invalid authorization signature, chainId mismatch, on-chain revert
  • Manual test on Sepolia with RealUnit app

@TaprootFreak
fix: harden EIP-7702 backend validation in sell confirmation flow (#3672
145235c 
)

- Add cryptographic signature verification for EIP-712 delegation and EIP-7702 authorization
- Validate authorization chainId against expected blockchain
- Wait for transaction receipt before marking request complete
- Add nonce lock to prevent concurrent relayer nonce collisions
- Use pending blockTag for nonce queries
@TaprootFreak
style: fix prettier formatting
8f39873
@TaprootFreak TaprootFreak marked this pull request as ready for review May 4, 2026 19:13
@TaprootFreak TaprootFreak requested a review from davidleomay as a code owner May 4, 2026 19:13
@TaprootFreak
refactor: extract EIP-712 constants, add address validation, proper H…
b84a1d1 
…TTP errors

- Extract EIP-712 domain/types to shared constants (DRY, prevents drift)
- Validate authorization.address against DELEGATOR_ADDRESS
- Wrap delegation service errors as BadRequestException in confirmSell()
@TaprootFreak
fix: remove blanket BadRequestException catch to preserve 5xx alerts
bad49b0
@davidleomay davidleomay merged commit 0b4761e into develop May 5, 2026
7 checks passed
@davidleomay davidleomay deleted the feature/harden-eip7702-validation branch May 5, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidleomay davidleomay davidleomay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Harden EIP-7702 backend validation in RealUnit sell confirmation flow

2 participants

@TaprootFreak @davidleomay