feat: backport release/v1.6.x to main (#1926)

* feat: check authorization list in e2ee (#1903)

* check authorisation list in e2ee

* fix golang-ci

* fix upgrade

* add integration tests

* feat: check destination address in the blocklist (#1922)

* add check destination address

* add changelog

* add nil check

* fix: add authorisation address check in the blocklist (#1924)

* add missing authorisation address

* add changelog

* remove extra line

* fix changelog

* python lint

Author: thomas-nguy

CHANGELOG.md

@@ -7,6 +7,20 @@
 * [#1880](https://github.com/crypto-org-chain/cronos/pull/1880) Move module from v2 to v1 to follow semver convention
 
 
+*Dec 1, 2025*
+
+## v1.6.0
+
+### Improvements
+
+* [#1903](https://github.com/crypto-org-chain/cronos/pull/1903) Feat: check authorization list in e2ee.
+* [#1922](https://github.com/crypto-org-chain/cronos/pull/1922) Feat: check destination address in the blocklist
+* [#1924](https://github.com/crypto-org-chain/cronos/pull/1924) Fix: check authorisation address in the blocklist
+
+### Bug fixes
+
+* [#1918](https://github.com/crypto-org-chain/cronos/pull/1918) Chore: cleanup and improve x/mint params validation and test in cosmos-sdk
+
 
 *Nov 30, 2025*
 

app/block_address.go

@@ -43,11 +43,17 @@ func (bad BlockAddressesDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simula
 			}
 		}
 
-		// check EIP-7702 authorisation list
 		for _, msg := range tx.GetMsgs() {
 			msgEthTx, ok := msg.(*evmtypes.MsgEthereumTx)
 			if ok {
 				ethTx := msgEthTx.AsTransaction()
+				// check the destination address
+				if ethTx.To() != nil {
+					if _, ok := bad.blockedMap[sdk.AccAddress(ethTx.To().Bytes()).String()]; ok {
+						return ctx, fmt.Errorf("destination address is blocked: %s", sdk.AccAddress(ethTx.To().Bytes()).String())
+					}
+				}
+				// check EIP-7702 authorisation list
 				if ethTx.SetCodeAuthorizations() != nil {
 					for _, auth := range ethTx.SetCodeAuthorizations() {
 						addr, err := auth.Authority()
@@ -56,6 +62,10 @@ func (bad BlockAddressesDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simula
 								return ctx, fmt.Errorf("signer is blocked: %s", addr.String())
 							}
 						}
+						// check the target address
+						if _, ok := bad.blockedMap[sdk.AccAddress(auth.Address.Bytes()).String()]; ok {
+							return ctx, fmt.Errorf("authorisation address is blocked: %s", sdk.AccAddress(auth.Address.Bytes()).String())
+						}
 					}
 				}
 			}

app/proposal.go

@@ -175,11 +175,21 @@ func (h *ProposalHandler) ValidateTransaction(tx sdk.Tx, txBz []byte) error {
 		}
 	}
 
-	// check EIP-7702 authorisation list
 	for _, msg := range tx.GetMsgs() {
 		msgEthTx, ok := msg.(*evmtypes.MsgEthereumTx)
 		if ok {
 			ethTx := msgEthTx.AsTransaction()
+			// check the destination address
+			if ethTx.To() != nil {
+				encoded, err := h.addressCodec.BytesToString(ethTx.To().Bytes())
+				if err != nil {
+					return fmt.Errorf("invalid bech32 address: %s, err: %w", ethTx.To(), err)
+				}
+				if _, ok := h.blocklist[encoded]; ok {
+					return fmt.Errorf("destination address is blocked: %s", encoded)
+				}
+			}
+			// check EIP-7702 authorisation list
 			if ethTx.SetCodeAuthorizations() != nil {
 				for _, auth := range ethTx.SetCodeAuthorizations() {
 					addr, err := auth.Authority()
@@ -188,6 +198,14 @@ func (h *ProposalHandler) ValidateTransaction(tx sdk.Tx, txBz []byte) error {
 							return fmt.Errorf("signer is blocked: %s", addr.String())
 						}
 					}
+					// check the target address
+					encoded, err := h.addressCodec.BytesToString(auth.Address.Bytes())
+					if err != nil {
+						return fmt.Errorf("invalid bech32 address: %s, err: %w", auth.Address, err)
+					}
+					if _, ok := h.blocklist[encoded]; ok {
+						return fmt.Errorf("authorisation address is blocked: %s", encoded)
+					}
 				}
 			}
 		}

integration_tests/test_e2ee.py

@@ -159,7 +159,7 @@ def test_invalid_block_list(cronos):
     assert "failed to read header" in str(exc.value)
 
 
-def test_block_list_eip7702(cronos):
+def test_block_list_eip7022(cronos):
     gen_validator_identity(cronos)
     cli = cronos.cosmos_cli()
     w3 = cronos.w3
@@ -208,3 +208,35 @@ def test_block_list_eip7702(cronos):
     wait_for_new_blocks(cli, 1)
     assert nonce + 1 == get_nonce(cli, sender)
     assert w3.eth.get_filter_changes(flt.filter_id) == []
+
+
+def test_block_list_contract(cronos):
+    gen_validator_identity(cronos)
+    cli = cronos.cosmos_cli()
+    user = cli.address("signer2")
+    blocked_destination = cli.address("signer1")
+    # set blocklist
+    encrypt_to_validators(cli, {"addresses": [blocked_destination]})
+    tx = {
+        "from": to_checksum_address(bech32_to_eth(user)),
+        "to": to_checksum_address(bech32_to_eth(blocked_destination)),
+        "value": 1,
+    }
+    base_port = cronos.base_port(0)
+    wait_for_port(ports.evmrpc_ws_port(base_port))
+    w3 = cronos.w3
+    flt = w3.eth.filter("pending")
+    assert flt.get_new_entries() == []
+
+    txhash = w3.eth.send_transaction(tx).hex()
+    nonce = get_nonce(cli, user)
+    # check tx in mempool
+    assert HexBytes(txhash) in w3.eth.get_filter_changes(flt.filter_id)
+
+    # clear blocklist
+    encrypt_to_validators(cli, {})
+
+    # the blocked tx should be unblocked now
+    wait_for_new_blocks(cli, 1)
+    assert nonce + 1 == get_nonce(cli, user)
+    assert w3.eth.get_filter_changes(flt.filter_id) == []

integration_tests/test_mempool.py

@@ -78,13 +78,26 @@ def test_mempool(cronos_mempool):
     assert len(all_pending) == 0
 
 
-def test_blocked_address(cronos_mempool):
+def test_blocked_from_address(cronos_mempool):
     cli = cronos_mempool.cosmos_cli(0)
-    rsp = cli.transfer("signer1", cli.address("validator"), "1basecro")
+    rsp = cli.transfer("signer1", cli.address("validator"), "1basetcro")
     assert rsp["code"] != 0
     assert "signer is blocked" in rsp["raw_log"]
 
 
+def test_blocked_to_contract_address(cronos_mempool):
+    w3 = cronos_mempool.w3
+    tx = {
+        "to": ADDRS["signer1"],
+        "value": 1,
+        "from": ADDRS["validator"],
+    }
+    tx1_signed = sign_transaction(w3, tx, key=KEYS["validator"])
+    with pytest.raises(exceptions.Web3RPCError) as exc:
+        _ = w3.eth.send_raw_transaction(tx1_signed.raw_transaction)
+    assert "destination address is blocked" in str(exc)
+
+
 @pytest.mark.flaky(max_runs=3)
 def test_mempool_nonce(cronos_mempool):
     """