Skip to content

Comments

fix(tip-1004): reject zero-address ecrecover in permit, add edge-case tests#2786

Open
howydev wants to merge 5 commits intohowy/add-permitfrom
howy/fix-zellic-53
Open

fix(tip-1004): reject zero-address ecrecover in permit, add edge-case tests#2786
howydev wants to merge 5 commits intohowy/add-permitfrom
howy/fix-zellic-53

Conversation

@howydev
Copy link
Contributor

@howydev howydev commented Feb 19, 2026

Summary

Addresses ZELLIC-53: audit findings on TIP-1004 permit implementation.

Changes

Bug fix — zero-address recovery rejection

permit() now explicitly rejects recovered == address(0) before comparing against owner, matching the Solidity reference ecrecover behavior. Previously, a crafted signature that somehow recovered to address(0) could have been accepted if owner was also address(0).

New tests

  • test_permit_zero_address_recovery_reverts — verifies InvalidSignature is returned when ecrecover yields the zero address
  • test_permit_domain_separator_changes_with_chain_id — verifies the EIP-712 domain separator differs across chain IDs (fork safety)

@github-actions
Copy link

github-actions bot commented Feb 19, 2026
edited
Loading

📊 Tempo Precompiles Coverage

precompiles

Coverage: 20582/21614 lines (95.23%)

File details
File Lines Coverage
src/account_keychain/dispatch.rs 36/41 87.80%
src/account_keychain/mod.rs 1131/1150 98.35%
src/error.rs 139/158 87.97%
src/ip_validation.rs 10/10 100.00%
src/lib.rs 328/339 96.76%
src/nonce/dispatch.rs 19/23 82.61%
src/nonce/mod.rs 252/260 96.92%
src/stablecoin_dex/dispatch.rs 349/353 98.87%
src/stablecoin_dex/error.rs 51/51 100.00%
src/stablecoin_dex/mod.rs 2850/2948 96.68%
src/stablecoin_dex/order.rs 362/362 100.00%
src/stablecoin_dex/orderbook.rs 651/683 95.31%
src/storage/evm.rs 321/347 92.51%
src/storage/hashmap.rs 128/140 91.43%
src/storage/mod.rs 5/5 100.00%
src/storage/packing.rs 526/552 95.29%
src/storage/thread_local.rs 146/195 74.87%
src/storage/types/array.rs 211/262 80.53%
src/storage/types/bytes_like.rs 323/338 95.56%
src/storage/types/mapping.rs 148/148 100.00%
src/storage/types/mod.rs 67/91 73.63%
src/storage/types/primitives.rs 564/567 99.47%
src/storage/types/set.rs 454/474 95.78%
src/storage/types/slot.rs 282/296 95.27%
src/storage/types/vec.rs 1078/1095 98.45%
src/test_util.rs 194/231 83.98%
src/tip20/dispatch.rs 584/616 94.81%
src/tip20/mod.rs 1759/1830 96.12%
src/tip20/rewards.rs 444/487 91.17%
src/tip20/roles.rs 187/206 90.78%
src/tip20_factory/dispatch.rs 26/29 89.66%
src/tip20_factory/mod.rs 543/555 97.84%
src/tip403_registry/dispatch.rs 406/443 91.65%
src/tip403_registry/mod.rs 1338/1423 94.03%
src/tip_fee_manager/amm.rs 1111/1147 96.86%
src/tip_fee_manager/dispatch.rs 278/289 96.19%
src/tip_fee_manager/mod.rs 495/510 97.06%
src/validator_config/dispatch.rs 210/221 95.02%
src/validator_config/mod.rs 604/658 91.79%
src/validator_config_v2/dispatch.rs 201/214 93.93%
src/validator_config_v2/mod.rs 1771/1867 94.86%

contracts

Coverage: 206/383 lines (53.79%)

File details
File Lines Coverage
src/lib.rs 1/71 1.41%
src/precompiles/account_keychain.rs 24/30 80.00%
src/precompiles/nonce.rs 9/18 50.00%
src/precompiles/stablecoin_dex.rs 33/48 68.75%
src/precompiles/tip20.rs 52/70 74.29%
src/precompiles/tip20_factory.rs 6/12 50.00%
src/precompiles/tip403_registry.rs 12/15 80.00%
src/precompiles/tip_fee_manager.rs 21/45 46.67%
src/precompiles/validator_config.rs 12/26 46.15%
src/precompiles/validator_config_v2.rs 36/48 75.00%

Total: 20788/21997 lines (94.50%)

📦 Download full HTML report

howydev and others added 3 commits February 19, 2026 14:49
@howydev @ampcode-com
fix: unchecked seed++ in _selectActorKeyExcluding to prevent overflow
09710e5 
Amp-Thread-ID: https://ampcode.com/threads/T-019c76d4-c191-703b-a1da-a66c517ebed4
Co-authored-by: Amp <amp@ampcode.com>
@howydev @ampcode-com
fix(tip-1004): reject zero-address ecrecover in permit, add edge-case…
630e542 
… tests

Address Zellic audit finding ZELLIC-53:

1. Explicitly reject recovered == address(0) in permit() before
   comparing against owner, matching Solidity reference behavior.

2. Add missing test coverage:
   - Zero-address recovery reverts with InvalidSignature
   - Domain separator changes when chainId changes

Amp-Thread-ID: https://ampcode.com/threads/T-019c76d4-c191-703b-a1da-a66c517ebed4
Co-authored-by: Amp <amp@ampcode.com>
@howydev @ampcode-com
chore: fmt
898fd70 
Amp-Thread-ID: https://ampcode.com/threads/T-019c76d4-c191-703b-a1da-a66c517ebed4
Co-authored-by: Amp <amp@ampcode.com>
howydev and others added 2 commits February 19, 2026 14:51
@howydev
chore: fmt
48400ac
@howydev @ampcode-com
docs(tip-1004): document v=27/28 requirement, no v=0/1 normalization
ed2a75a 
Addresses ZELLIC-53 item #2: explicitly documents that permit only
accepts v=27/28 and does not normalize v=0/1. Added to both the
TIP-1004 spec and as a code comment in the Rust implementation.

Amp-Thread-ID: https://ampcode.com/threads/T-019c76d4-c191-703b-a1da-a66c517ebed4
Co-authored-by: Amp <amp@ampcode.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xrusowsky 0xrusowsky Awaiting requested review from 0xrusowsky 0xrusowsky is a code owner

@0xKitsune 0xKitsune Awaiting requested review from 0xKitsune 0xKitsune is a code owner

@fgimenez fgimenez Awaiting requested review from fgimenez fgimenez is a code owner

@klkvr klkvr Awaiting requested review from klkvr klkvr is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@legion2002 legion2002 Awaiting requested review from legion2002 legion2002 is a code owner

@danrobinson danrobinson Awaiting requested review from danrobinson danrobinson is a code owner

@dankrad dankrad Awaiting requested review from dankrad dankrad is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@howydev