feat: calldata length validation of public setup function allowlist#21139
Merged
spalladino merged 3 commits intomerge-train/spartanfrom Mar 4, 2026
Merged
feat: calldata length validation of public setup function allowlist#21139spalladino merged 3 commits intomerge-train/spartanfrom
spalladino merged 3 commits intomerge-train/spartanfrom
Conversation
spalladino
approved these changes
Mar 4, 2026
Contributor
spalladino
left a comment
spalladino
left a comment
There was a problem hiding this comment.
Looks good! My only concern is if the public calldata encoding does not behave as we expect in countArgumentsSize. But I understand that would be caught by one of the e2e_fees tests that depend on the allowlist, right?
spalladino
reviewed
Mar 4, 2026
|
|
||
| /** Returns the expected calldata length for a function: 1 (selector) + arguments size. */ | ||
| function getCalldataLength(artifact: ContractArtifact, functionName: string): number { | ||
| return 1 + countArgumentsSize(getFunctionArtifactByName(artifact, functionName)); |
Contributor
There was a problem hiding this comment.
Hmm seems like CI is choking here. We may need to look more into getFunctionArtifactByName.
Contributor
Author
There was a problem hiding this comment.
yes, I noticed, looking if I can fix it quickly, the other option is to hardcode the expected length for the allowlist as we know it, wdyt?
Contributor
Author
Right - number of e2e tests would fail (as we actually already saw) |
spalladino
approved these changes
Mar 4, 2026
AztecBot
pushed a commit
that referenced
this pull request
Mar 4, 2026
…21139) ## Summary - Add calldata length validation to the public setup function allowlist in `PhasesTxValidator`, preventing setup calls with malformed arguments from being accepted - Extend `AllowedElement` with an optional `calldataLength` field and compute expected lengths dynamically from contract artifacts (`AuthRegistry`, `FeeJuice`, `Token`) - Reject setup calls where calldata length doesn't match the expected length for the matched allowlist entry, returning a new `TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH` error ## Details Even when a setup function call matches the allowlist by address/class and selector, it can still revert if the arguments are malformed. Since Aztec's ABI has no variable-size inputs, validating that the calldata length matches the expected length for a given selector is sufficient to guarantee the arguments are deserializable. **AllowedElement type** (`stdlib`): Added optional `calldataLength?: number` to both `AllowedInstanceFunction` and `AllowedClassFunction`, plus corresponding Zod schema updates. **PhasesTxValidator** (`p2p`): After matching an entry by address or class+selector, checks `entry.calldataLength` against `publicCall.calldata.length` before proceeding to `onlySelf`/`rejectNullMsgSender` checks. When `calldataLength` is not set, any length is accepted (backwards compatible). **Default allowlist** (`p2p`): Uses `getFunctionArtifactByName` + `countArgumentsSize` from `stdlib/abi` to compute expected calldata lengths from `AuthRegistryArtifact`, `FeeJuiceArtifact`, and `TokenContractArtifact`. Fixes A-612
Collaborator
|
✅ Successfully backported to backport-to-v4-staging #21064. |
alexghr
added a commit
that referenced
this pull request
Mar 5, 2026
BEGIN_COMMIT_OVERRIDE chore: chonk proof compression poc (#20645) feat: Update L1 to L2 message APIs (#20913) fix: adapt chonk proof compression for v4 Translator layout (#21067) fix: omit bigint priceBumpPercentage from IPC config in testbench worker (#21086) feat: standby mode for prover broker (#21098) fix(p2p): remove default block handler in favor of block handler (#21105) chore: prepare barretenberg-rs for crates.io publishing (#20496) feat: reenable function selectors + additional validation in public setup allowlist (backport #20909, #21122) (#21129) chore: remove stale aes comments (#21133) chore: remove auto-tag job (#21127) feat: calldata length validation of public setup function allowlist (#21139) feat: run AVM NAPI simulations on dedicated threads instead of libuv pool (#21138) feat: Remove non-protocol contracts from public setup allowlist (#21154) END_COMMIT_OVERRIDE --------- Co-authored-by: ledwards2225 <ledwards2225@users.noreply.github.com> Co-authored-by: PhilWindle <PhilWindle@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: mrzeszutko <mrzeszutko@users.noreply.github.com> Co-authored-by: spalladino <spalladino@users.noreply.github.com> Co-authored-by: johnathan79717 <johnathan79717@users.noreply.github.com> Co-authored-by: nventuro <nventuro@users.noreply.github.com> Co-authored-by: alexghr <alexghr@users.noreply.github.com> Co-authored-by: AztecBot <AztecBot@users.noreply.github.com> Co-authored-by: Martin Verzilli <martin@aztec-labs.com>
This was referenced Mar 5, 2026
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 6, 2026
BEGIN_COMMIT_OVERRIDE test: update proving-real test to mbps (#20991) chore: epoch proving log analyzer (#21033) chore: update pause script to allow resume (#21032) feat: price bump for RPC transaction replacement (#20806) refactor: remove update checker, retain version checks (#20898) fix: (A-592) p2p client proposal tx collector test (#20998) refactor: use publishers-per-pod in deployments (#21039) chore: web3signer refreshes keystore (#21045) feat(sequencer): set block building limits from checkpoint limits (#20974) chore(e2e): fix e2e bot L1 tx nonce reuse (#21052) feat: Update L1 to L2 message APIs (#20913) fix: (A-589) epochs l1 reorgs test (#20999) feat(sequencer): add SEQ_MAX_TX_PER_CHECKPOINT config (#21016) fix: drop --pid=host from docker_isolate (#21081) feat: standby mode for prover broker (#21098) fix(p2p): remove default block handler in favor of block handler (#21105) feat(validator): add VALIDATOR_ env vars for independent block limits (#21060) refactor(p2p): decouple proposal validators from base class via composition (#21075) feat: additional validation in public setup allowlist (onlySelf + null msg sender) (#21122) fix: (A-591) aztecProofSubmissionEpochs incorrectly named as aztecProofSubmissionWindow (#21108) refactor(sequencer): rename SEQ_GAS_PER_BLOCK_ALLOCATION_MULTIPLIER to SEQ_PER_BLOCK_ALLOCATION_MULTIPLIER (#21125) fix: unbound variable in check_doc_references.sh with set -u (#21126) feat: calldata length validation of public setup function allowlist (#21139) fix: include mismatched values in tx metadata validation errors (#21147) feat: single-node implementation of slash-protection signer (#20894) feat: Remove non-protocol contracts from public setup allowlist (#21154) chore: More updated Alpha configuration (#21155) chore: tally slashing pruning improvements (#21161) fix: update dependencies (#20997) fix: omit bigint priceBumpPercentage from IPC config in testbench worker (#21169) refactor(p2p): (A-588) maintain sorted array in tx pool instead of sorting on read (#21079) fix(p2p): report most severe failure in runValidations (#21185) fix: use dedicated L1 account for bot bridge resume tests to avoid nonce race (#21148) fix: parse error.message in formatViemError (#21163) fix: bump lighthouse consensus client v7.1.0 -> v8.0.1 (#21170) chore: code decuplication + refactor (public setup allowlist) (#21200) END_COMMIT_OVERRIDE
ludamad
added a commit
that referenced
this pull request
Mar 10, 2026
BEGIN_COMMIT_OVERRIDE chore: chonk proof compression poc (#20645) feat: Update L1 to L2 message APIs (#20913) fix: adapt chonk proof compression for v4 Translator layout (#21067) fix: omit bigint priceBumpPercentage from IPC config in testbench worker (#21086) feat: standby mode for prover broker (#21098) fix(p2p): remove default block handler in favor of block handler (#21105) chore: prepare barretenberg-rs for crates.io publishing (#20496) feat: reenable function selectors + additional validation in public setup allowlist (backport #20909, #21122) (#21129) chore: remove stale aes comments (#21133) chore: remove auto-tag job (#21127) feat: calldata length validation of public setup function allowlist (#21139) feat: run AVM NAPI simulations on dedicated threads instead of libuv pool (#21138) feat: Remove non-protocol contracts from public setup allowlist (#21154) feat!: Expose offchain effects when simulating/sending txs (backport #20563) (#21110) chore: bump minor version (#21171) chore: backport #21161 (tally slashing pruning improvements) to v4 (#21166) chore: More updated Alpha configuration (backport #21155) (#21165) fix(p2p): report most severe failure in runValidations (#21185) feat: add ergonomic conversions for Noir's `Option<T>` (#21107) docs: clarifying Noir fields vs struct fields in event metadata (#21172) fix: bump lighthouse consensus client v7.1.0 -> v8.0.1 (#21170) fix: update dependencies (#20997) chore: New alpha-net environment (#20800) (#21202) chore: code decuplication + refactor (public setup allowlist) (#21200) feat: mask all ciphertext fields with Poseidon2-derived values (backport #21009) (#21140) chore: disable sponsored FPC in testnet (#21235) feat!: exposing pub event pagination on wallet (#21197) refactor(pxe): narrow tryGetPublicKeysAndPartialAddress return type (backport #21208) (#21236) feat: orchestrator enqueues via serial queue (#21247) feat: rollup mana limit gas validation (#21219) chore: deploy SPONSORED_FPC in test networks (#21254) fix(sequencer): fix log when not enough txs (#21297) END_COMMIT_OVERRIDE --------- Co-authored-by: ledwards2225 <ledwards2225@users.noreply.github.com> Co-authored-by: PhilWindle <PhilWindle@users.noreply.github.com> Co-authored-by: ludamad <adam.domurad@gmail.com> Co-authored-by: mrzeszutko <mrzeszutko@users.noreply.github.com> Co-authored-by: spalladino <spalladino@users.noreply.github.com> Co-authored-by: johnathan79717 <johnathan79717@users.noreply.github.com> Co-authored-by: nventuro <nventuro@users.noreply.github.com> Co-authored-by: alexghr <alexghr@users.noreply.github.com> Co-authored-by: AztecBot <AztecBot@users.noreply.github.com> Co-authored-by: Martin Verzilli <martin@aztec-labs.com> Co-authored-by: PhilWindle <60546371+PhilWindle@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: mverzilli <mverzilli@users.noreply.github.com> Co-authored-by: benesjan <benesjan@users.noreply.github.com> Co-authored-by: danielntmd <danielntmd@users.noreply.github.com> Co-authored-by: deffrian <deffrian@users.noreply.github.com> Co-authored-by: benesjan <janbenes1234@gmail.com>
ludamad
added a commit
that referenced
this pull request
Mar 11, 2026
BEGIN_COMMIT_OVERRIDE chore: chonk proof compression poc (#20645) feat: Update L1 to L2 message APIs (#20913) fix: adapt chonk proof compression for v4 Translator layout (#21067) fix: omit bigint priceBumpPercentage from IPC config in testbench worker (#21086) feat: standby mode for prover broker (#21098) fix(p2p): remove default block handler in favor of block handler (#21105) chore: prepare barretenberg-rs for crates.io publishing (#20496) feat: reenable function selectors + additional validation in public setup allowlist (backport #20909, #21122) (#21129) chore: remove stale aes comments (#21133) chore: remove auto-tag job (#21127) feat: calldata length validation of public setup function allowlist (#21139) feat: run AVM NAPI simulations on dedicated threads instead of libuv pool (#21138) feat: Remove non-protocol contracts from public setup allowlist (#21154) feat!: Expose offchain effects when simulating/sending txs (backport #20563) (#21110) chore: bump minor version (#21171) chore: backport #21161 (tally slashing pruning improvements) to v4 (#21166) chore: More updated Alpha configuration (backport #21155) (#21165) fix(p2p): report most severe failure in runValidations (#21185) feat: add ergonomic conversions for Noir's `Option<T>` (#21107) docs: clarifying Noir fields vs struct fields in event metadata (#21172) fix: bump lighthouse consensus client v7.1.0 -> v8.0.1 (#21170) fix: update dependencies (#20997) chore: New alpha-net environment (#20800) (#21202) chore: code decuplication + refactor (public setup allowlist) (#21200) feat: mask all ciphertext fields with Poseidon2-derived values (backport #21009) (#21140) chore: disable sponsored FPC in testnet (#21235) feat!: exposing pub event pagination on wallet (#21197) refactor(pxe): narrow tryGetPublicKeysAndPartialAddress return type (backport #21208) (#21236) feat: orchestrator enqueues via serial queue (#21247) feat: rollup mana limit gas validation (#21219) chore: deploy SPONSORED_FPC in test networks (#21254) fix(sequencer): fix log when not enough txs (#21297) fix: Simulate gas in n tps test. Set min txs per block to 1 (backport #21312) (#21329) fix(log): do not log validation error if unregistered handler (#21111) fix(node): fix index misalignment in findLeavesIndexes (#21327) fix: limit parallel blocks in prover to max AVM parallel simulations (#21320) fix: use native sha256 to speed up proving job id generation (#21292) fix(validator): wait for l1 sync before processing block proposals (#21336) fix(txpool): cap priority fee with max fees when computing priority (#21279) chore: reduce severity of errors due to HA node not acquiring signature (#21311) fix: (A-643) add buffer to maxFeePerBlobGas for gas estimation and fix bump loop truncation (#21323) END_COMMIT_OVERRIDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PhasesTxValidator, preventing setup calls with malformed arguments from being acceptedAllowedElementwith an optionalcalldataLengthfield and compute expected lengths dynamically from contract artifacts (AuthRegistry,FeeJuice,Token)TX_ERROR_SETUP_WRONG_CALLDATA_LENGTHerrorDetails
Even when a setup function call matches the allowlist by address/class and selector, it can still revert if the arguments are malformed. Since Aztec's ABI has no variable-size inputs, validating that the calldata length matches the expected length for a given selector is sufficient to guarantee the arguments are deserializable.
AllowedElement type (
stdlib): Added optionalcalldataLength?: numberto bothAllowedInstanceFunctionandAllowedClassFunction, plus corresponding Zod schema updates.PhasesTxValidator (
p2p): After matching an entry by address or class+selector, checksentry.calldataLengthagainstpublicCall.calldata.lengthbefore proceeding toonlySelf/rejectNullMsgSenderchecks. WhencalldataLengthis not set, any length is accepted (backwards compatible).Default allowlist (
p2p): UsesgetFunctionArtifactByName+countArgumentsSizefromstdlib/abito compute expected calldata lengths fromAuthRegistryArtifact,FeeJuiceArtifact, andTokenContractArtifact.Fixes A-612