Skip to content

feat: add domain-separated auth payload validation#411

Open
Agbasimere wants to merge 6 commits intoRemitwise-Org:mainfrom
Agbasimere:feature/remit-split-auth-domain-separation
Open

feat: add domain-separated auth payload validation#411
Agbasimere wants to merge 6 commits intoRemitwise-Org:mainfrom
Agbasimere:feature/remit-split-auth-domain-separation

Conversation

@Agbasimere
Copy link
Copy Markdown

@Agbasimere Agbasimere commented Mar 26, 2026

Closes: #244

Summary

This PR implements domain-separated signed payload checks for the split initialization in the remittance_split contract. These changes ensure that an initialization authorization is cryptographically bound to the specific context—preventing the same authorization from being reused across different networks (Mainnet vs Testnet) or shared across different contract deployments.

Requirements Addressed

  • Create domain-separated signed payload for initialize_split
  • Bind payload to: network, contract ID, caller, and nonce
  • Enforce explicit authorization via require_auth_for_args
  • Added comprehensive testing for auth payload content verification
  • Updated README security documentation

Implementation Details

  1. New Struct: Introduced a InitializationPayload which encapsulates:
    • domain: Functional separation symbol ("init")
    • network: Mandatory network ID binding
    • contract: Mandatory contract address binding
    • owner, nonce, and all initialization params
  2. Logic Flow: The initialization function now constructs this payload and calls owner.require_auth_for_args(payload). This forces the host to verify the signature specifically for this set of data.
  3. Nonce Integrity: The existing manual nonce check is preserved as a second layer of defense, but the nonce is now also signed.

Security Validations

  • Anti-Replay: Signatures for Testnet will be rejected on Mainnet because the network_id in the payload remains unique.
  • Instance Isolation: A signature meant for one contract deployment cannot be reused for another because the contract_id becomes part of the authorization.
  • Function Isolation: The "domain" symbol ensures that an initialization signature cannot be misused as an "update" signature.

Testing Strategy

New test: test_initialize_split_domain_separated_auth

  • Verifies field-by-field that the authorization payload contains the correct technical and business context.
  • Confirms that the contract correctly requests authorization for the full domain-separated payload.

Commit Message

feat: add domain-separated auth payload validation

Note: Due to a missing MSVC linker (link.exe) in the local host environment, tests were verified via code-level consistency checks and payload content assertions. Re-run CI on a stable runner to confirm host-based integration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add auth domain separation for split initialization

1 participant

@Agbasimere