fix: Move sender validation from note script into bridge procedures #2511
Merged
…ocedures Sender authorization for UPDATE_GER and CONFIG_AGG_BRIDGE notes was previously enforced in the note scripts via separate calls to assert_sender_is_ger_manager / assert_sender_is_bridge_admin. This was unsafe because any note script consumed by the bridge account could call update_ger or register_faucet directly, bypassing the sender check. Move the authorization into the account procedures themselves (update_ger and register_faucet) so that sender verification is enforced regardless of which note script invokes them. The assertion procedures have a net-zero stack effect, so they can be called first thing without disturbing the procedure's inputs. https://claude.ai/code/session_01JeSHNeBxs1aTUe3Lm8NjVi
mmagician commented Feb 25, 2026
These procedures are now internal implementation details called via exec from within update_ger and register_faucet. They no longer need to be part of the bridge account's public interface. https://claude.ai/code/session_01JeSHNeBxs1aTUe3Lm8NjVi
partylikeits1983 (Contributor) approved these changes Feb 25, 2026 and left a comment:
Really good catch.
While working on the spec, I realized that enforcing who is the note sender from within the note script itself is easily bypassable.
This PR fixes sender validation logic by moving the assertion checks from note scripts into the bridge configuration procedures themselves.
Key Changes
assert_sender_is_ger_manager call at the start to validate the note sender is the global exit root manager
assert_sender_is_bridge_admin call at the start to validate the note sender is the bridge admin
assert_sender_is_ger_manager call since it's now enforced by update_ger
assert_sender_is_bridge_admin call since it's now enforced by register_faucet
call to exec for the assertion helper procedures (assert_sender_is_bridge_admin and assert_sender_is_ger_manager)
register_faucet procedure
https://claude.ai/code/session_01JeSHNeBxs1aTUe3Lm8NjVi
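The design issue this PR fixes, as an added example that is not part of the PR or the project's code: a simplified Python model (not Miden assembly) of a bridge account consuming notes, with the sender check placed either in the note script or inside `update_ger`. The `Bridge` and `Note` classes, the `check_in_procedure` flag, the two script functions and the account ids are assumptions made for illustration.

```python
# Simplified Python model, not Miden assembly; ids and values are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

GER_MANAGER = "ger-manager"  # constructed account id

class Unauthorized(Exception):
    pass

@dataclass
class Note:
    sender: str
    script: Callable[["Bridge", "Note"], None]
    ger: str

class Bridge:
    def __init__(self, check_in_procedure: bool):
        self.check_in_procedure = check_in_procedure  # False = before, True = after
        self.ger: Optional[str] = None
        self.active_note: Optional[Note] = None

    def assert_sender_is_ger_manager(self) -> None:
        if self.active_note is None or self.active_note.sender != GER_MANAGER:
            raise Unauthorized("note sender is not the GER manager")

    def update_ger(self, ger: str) -> None:
        if self.check_in_procedure:
            self.assert_sender_is_ger_manager()  # enforced for every caller
        self.ger = ger

    def consume(self, note: Note) -> bool:
        """Run the note's script; return False if authorization failed."""
        self.active_note = note
        try:
            note.script(self, note)
            return True
        except Unauthorized:
            return False
        finally:
            self.active_note = None

def script_with_check(bridge: Bridge, note: Note) -> None:
    bridge.assert_sender_is_ger_manager()  # old layout: check in the note script
    bridge.update_ger(note.ger)

def script_without_check(bridge: Bridge, note: Note) -> None:
    bridge.update_ger(note.ger)  # calls the account procedure directly
```

With `check_in_procedure=False`, a note from a non-manager sender that runs `script_without_check` still changes `ger`; with `True`, the same note is rejected whichever script it carries.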