fix(OwnableValidator): bump checknsignatures to revert-4-fix #32
highskore wants to merge 1 commit into
Pins @rhinestone/checknsignatures to the revert-4-fix/checknsignatures branch, which restores the strict signature verification semantics:
- Requires exactly `requiredSignatures` valid signatures (the previous main allowed any number of valid sigs >= threshold among extra junk)
- Reverts on malformed contract signatures with WrongContractSignatureFormat / WrongContractSignature instead of silently treating them as invalid

Required for the OwnableValidator redeploy that fixes contract-owner (ERC-1271) signature flows. OwnableValidator imports CheckNSignatures directly; SocialRecovery and WebAuthnValidator also pick up the fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
greg-rhinestone
left a comment
🤖 Greg ·
Pins @rhinestone/checknsignatures to the revert-4-fix/checknsignatures branch so the next OwnableValidator redeploy picks up the strict signature-count and malformed-contract-signature fixes.
Risk: High — this dependency update also lands a known transitive regression outside OwnableValidator on main.
| "@erc7579/enumerablemap4337": "github:erc7579/enumerablemap", | ||
| "@openzeppelin/contracts": "^5.3.0", | ||
| "@rhinestone/checknsignatures": "github:rhinestonewtf/checknsignatures", | ||
| "@rhinestone/checknsignatures": "github:rhinestonewtf/checknsignatures#revert-4-fix/checknsignatures", |
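Review bot: The new `@rhinestone/checknsignatures` value pins to a branch name (`#revert-4-fix/checknsignatures`), which is a mutable ref, so the source compiled into the redeployed validator can change whenever that branch is pushed to. Pin the dependency to the full commit SHA of the intended fix instead of the branch, and note in the PR which commit was reviewed so the deployed bytecode can be traced back to it.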
This pin is also what pulls in the newer @rhinestone/sentinellist, and the PR notes say that version breaks OwnableExecutor because popAll() now leaves the list looking initialized. Since this merges to main, we would be landing a known regression outside OwnableValidator just to prep the redeploy. Please either pin/override the old sentinellist here or vendor the checkNSignatures fix so the repo stays green.
Summary
- `@rhinestone/checknsignatures` to the `revert-4-fix/checknsignatures` branch so the next `OwnableValidator` redeploy bakes in the un-bugged `checkNSignatures` (strict required-signatures count + revert on malformed contract sigs).
- `OwnableValidator` deployment).

Notes
- `pnpm install` also updated transitive `sentinellist` (e722c5cc → 4b03ebb5) and `solady` (0.1.14 → 0.1.26). The new sentinellist's `popAll` resets `entries[SENTINEL] = SENTINEL` instead of leaving it cleared, which means `SentinelListLib.alreadyInitialized()` returns `true` after `popAll`.
- `isInitialized` checks `threshold[smartAccount] != 0`, not list state. SocialRecovery and WebAuthnValidator follow the same pattern and are also unaffected.
- `OwnableExecutor` whose `isInitialized` calls `accountOwners[smartAccount].alreadyInitialized()` directly (2 integration tests now fail). OwnableExecutor is not part of this redeploy; tracking the fix separately.

Test plan
- `forge build` — compiles
- `forge test --mp "test/OwnableValidator/**/*.sol"` — 51/51 pass
- `checkNSignatures` reverts on malformed contract-sig payload

🤖 Generated with Claude Code
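The `popAll` interaction described in the Notes, as an added example that is not part of the PR or the project's Solidity code: a Python model in which the `SentinelList` class is a simplified assumption of a sentinel list, and `lifecycle` is a hypothetical install/uninstall sequence that compares the threshold-based and list-based `isInitialized` checks the notes contrast.

```python
# Added illustration: a simplified model, not the sentinellist source.
SENTINEL = "0x1"  # constructed marker value for the list head
ZERO = None       # models an unset (zero) storage slot


class SentinelList:
    def __init__(self, pop_all_resets_sentinel):
        self.entries = {}
        # False models the old popAll (leaves entries[SENTINEL] cleared),
        # True models the new one (entries[SENTINEL] = SENTINEL), per the notes.
        self.pop_all_resets_sentinel = pop_all_resets_sentinel

    def already_initialized(self):
        return self.entries.get(SENTINEL, ZERO) is not ZERO

    def init(self):
        self.entries[SENTINEL] = SENTINEL

    def push(self, addr):
        self.entries[addr] = self.entries[SENTINEL]
        self.entries[SENTINEL] = addr

    def pop_all(self):
        self.entries.clear()
        if self.pop_all_resets_sentinel:
            self.entries[SENTINEL] = SENTINEL


def lifecycle(pop_all_resets_sentinel):
    """Install then uninstall a module; report both isInitialized styles."""
    owners = SentinelList(pop_all_resets_sentinel)
    owners.init()            # install: set up the owner list
    owners.push("0xA11CE")   # constructed owner address
    threshold = 1
    owners.pop_all()         # uninstall: clear owners and threshold
    threshold = 0
    return {
        # Style the notes attribute to OwnableValidator: threshold != 0
        "threshold_check": threshold != 0,
        # Style the notes attribute to OwnableExecutor: list state
        "list_check": owners.already_initialized(),
    }


if __name__ == "__main__":
    print("old popAll:", lifecycle(False))
    print("new popAll:", lifecycle(True))
```

With the new `popAll` the list-based check still reports an uninstalled module as initialized, while the threshold-based check is unaffected.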