Restrict Asset Hub agent from executing contract calls in V2#1788
Open
yrong wants to merge 5 commits into
Open
Restrict Asset Hub agent from executing contract calls in V2#1788yrong wants to merge 5 commits into
yrong wants to merge 5 commits into
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1788 +/- ##
==========================================
- Coverage 76.90% 76.79% -0.11%
==========================================
Files 24 24
Lines 983 987 +4
Branches 186 187 +1
==========================================
+ Hits 756 758 +2
- Misses 203 205 +2
Partials 24 24
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| vm.expectEmit(true, false, false, true); | ||
| emit IGatewayV2.InboundMessageDispatched(1, topic, true, relayerRewardAddress); | ||
|
|
||
| address bridgeHubAgent = IGatewayV2(address(gateway)).agentOf(Constants.BRIDGE_HUB_AGENT_ID); |
Contributor
There was a problem hiding this comment.
Kind of a weird test to allow BH agent to make arbitrary contract calls, since this is privileged as well, right? Even if the BH agent doesn't hold funds.
Contributor
Author
There was a problem hiding this comment.
Allowing BH is expected. Yes, it’s not privilege-based — it only disables the AH agent that holds the funds.
| } | ||
|
|
||
| /// Looks up an agent contract address, failing if no such mapping exists or if the agent is the primary asset hub agent | ||
| function ensureNonPrivilegedAgent(bytes32 agentID) internal view returns (address agent) { |
Contributor
There was a problem hiding this comment.
Suggested change
| function ensureNonPrivilegedAgent(bytes32 agentID) internal view returns (address agent) { | |
| function ensureNotAssetHubAgent(bytes32 agentID) internal view returns (address agent) { |
Since it only checks AH, not other privileged origins too.
Contributor
claravanstaden
left a comment
claravanstaden
left a comment
There was a problem hiding this comment.
I think this okay in principle. AH is the only agent that contains token transfer funds, right?
2 tasks
Contributor
|
Added some more tests here: #1793 |
* Add tests for ensureNotAssetHubAgent Strengthens coverage around the AssetHub-agent callContract block introduced in #1788: - positive: a v2_createAgent'd user agent can still callContract - direct: ensureNotAssetHubAgent revert reason and allow/deny paths pinned via an exposed wrapper on MockGateway, including a fuzz invariant that only ASSET_HUB_AGENT_ID returns UnauthorizedPrivilegedAgent - no-state-leak: AssetHub failure path emits no SaidHello, leaves agent balance and registration untouched - dual-invariant: ASSET_HUB_AGENT_ID is rejected as a callContract origin AND still accepted as an unlockNativeToken recipient - multi-command: a poisoned AssetHub-origin callContract bundled with a legit one fails every command; same payload from a user agent succeeds - skipped: testAgentCallContractFailsForBridgeHub documents the latent AliasOrigin(Here) -> BRIDGE_HUB_AGENT_ID bypass that the current single-entry deny list does not cover Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Drop BridgeHub-block skip test BridgeHub is intentionally non-privileged in the V2 deny list; only ASSET_HUB_AGENT_ID is reserved. Remove the speculative testAgentCallContractFailsForBridgeHub skip and clarify the existing testEnsureNotAssetHubAgent_AllowsBridgeHub with a comment so future readers know the allow is by design. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Drop ticket id from section comment Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Drop PR reference from section comment Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
claravanstaden
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.