Skip to content

feat:offramp only if more than zero balance #823

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

feat:offramp only if more than zero balance #823

wants to merge 7 commits into from

Conversation

@subhasishgoswami
Copy link
Contributor

No description provided.

@octane-security-app
Copy link

octane-security-app bot commented Oct 14, 2025
edited
Loading

Summary by Octane

New Contracts

No new contracts were added in this PR.

Updated Contracts

  • OfframpTokensHook.sol: Enhanced token handling by sorting, uniquifying, and streamlining execution array updates for native and ERC20 tokens.

🔗 Commit Hash: da25e89

@subhasishgoswami subhasishgoswami marked this pull request as draft October 14, 2025 14:23
@graphite-app
Copy link
Contributor

graphite-app bot commented Oct 14, 2025

How to use the Graphite Merge Queue

Add the label contracts to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

@octane-security-app
Copy link

octane-security-app bot commented Oct 14, 2025
edited
Loading

Overview

Vulnerabilities found: 1                                                                                
Severity breakdown: 1 Critical

Detailed findings

src/hooks/tokens/OfframpTokensHook.sol

  • Unbounded user-controlled tokens array iteration in OfframpTokensHook causes paymaster deposit drain and cross-chain relayer gas grief. See more

🔗 Commit Hash: da25e89
🛡️ Octane Dashboard: All vulnerabilities

@super-timepunk super-timepunk marked this pull request as ready for review October 23, 2025 07:49
@graphite-app graphite-app bot requested a review from 0xTimepunk October 23, 2025 07:50
@graphite-app
Copy link
Contributor

graphite-app bot commented Oct 23, 2025

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (10/23/25)

1 reviewer was added to this PR based on 's automation.

graphite-app[bot]
graphite-app bot reviewed Oct 23, 2025
View reviewed changes
@cursor
Copy link

cursor bot commented Oct 23, 2025

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

@cursor
Copy link

cursor bot commented Oct 23, 2025

Bug: In-place Sorting Alters Token Order

The getExecutions function sorts and deduplicates the tokens array in-place, which is decoded from calldata. This modifies the order of tokens from the caller's input, resulting in a breaking behavioral change for any code relying on the original token sequence.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

@super-timepunk super-timepunk Awaiting requested review from super-timepunk super-timepunk is a code owner

@0xTimepunk 0xTimepunk Awaiting requested review from 0xTimepunk

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@subhasishgoswami @supervaulter