
fix: Silent fallback from BUNDLED PARAM_GROUP to sequential rendering in Generic Transaction Parser #1010

Merged: cedelavergne-ledger merged 2 commits into develop from security/merlin-7ad9704 on May 11, 2026

Conversation

@cerberus-production (Contributor)

Summary

Automated security fix for Silent fallback from BUNDLED PARAM_GROUP to sequential rendering in Generic Transaction Parser (High).

CWE: CWE-451
OWASP: A04:2021-Insecure Design
Fix Confidence: high

What Changed

Replaced the silent fallback from BUNDLED to SEQUENTIAL rendering with a hard failure. When a PARAM_GROUP descriptor specifies GROUP_ITER_BUNDLED (or defaults to it), format_param_group now returns false, aborting clear-signing rather than displaying fields in an order that diverges from the signed metadata.

Caveats

  • The fix adopts the fail-closed approach suggested in the remediation guidance. If a true BUNDLED renderer is later implemented, this return-false should be replaced with the proper per-element formatting.

Verification Checklist

  • Review the code change
  • Run tests to verify no regression
  • Verify the vulnerability is addressed — already verified by Cerberus Sentinel

Created by Cerberus Merlin
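The fail-closed check the description above introduces, as an added example that is not the project's code: a constructed, simplified PARAM_GROUP model with the pre-fix formatter (which never consults the iteration mode and falls through to sequential rendering while still reporting success) beside the post-fix one (which returns false for GROUP_ITER_BUNDLED so the caller aborts clear-signing). Only the names GROUP_ITER_BUNDLED and format_param_group come from the PR text; the struct layout, the helper names and the sample (token, amount) values are assumptions made for this example and do not reflect app-ethereum's real descriptor.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of a PARAM_GROUP descriptor. The iteration
 * mode names follow the PR text; the layout is an assumption made for this
 * example, not app-ethereum's real descriptor. */
typedef enum {
    GROUP_ITER_SEQUENTIAL = 0, /* all elements of field 0, then all of field 1, ... */
    GROUP_ITER_BUNDLED = 1,    /* every field of element 0, then every field of element 1, ... */
} group_iter_t;

#define MAX_FIELDS 4
#define MAX_ELEMS 4

typedef struct {
    group_iter_t iter;
    uint8_t field_count, elem_count;
    const char *values[MAX_FIELDS][MAX_ELEMS]; /* values[field][element], already formatted */
} param_group_t;

/* Records tokens in the order the screen would show them. */
typedef struct {
    const char *shown[MAX_FIELDS * MAX_ELEMS];
    size_t count;
} render_log_t;

static void show(render_log_t *log, const char *tok) {
    if (log->count < MAX_FIELDS * MAX_ELEMS) log->shown[log->count++] = tok;
}

/* Sequential renderer: field by field, every element of one field before the next field. */
static void render_sequential(const param_group_t *g, render_log_t *log) {
    for (uint8_t f = 0; f < g->field_count; f++)
        for (uint8_t e = 0; e < g->elem_count; e++) show(log, g->values[f][e]);
}

/* BEFORE the fix: the iteration mode is never consulted, so a BUNDLED group is
 * displayed sequentially and the call still reports success. */
bool format_param_group_before(const param_group_t *g, render_log_t *log) {
    render_sequential(g, log);
    return true;
}

/* AFTER the fix (fail-closed): a BUNDLED group is refused, which aborts clear-signing
 * instead of showing an order the signed metadata did not describe. */
bool format_param_group_after(const param_group_t *g, render_log_t *log) {
    if (g->iter == GROUP_ITER_BUNDLED) return false;
    render_sequential(g, log);
    return true;
}

/* Constructed sample: fields (token, amount) over two array elements, i.e. two
 * (token, amount) pairs that a BUNDLED descriptor wants kept together on screen. */
static param_group_t sample_group(group_iter_t iter) {
    param_group_t g = {.iter = iter, .field_count = 2, .elem_count = 2,
                       .values = {{"token0", "token1"}, {"amount0", "amount1"}}};
    return g;
}

/* Joins the recorded tokens with ',' into a caller-supplied buffer. */
static const char *join(const render_log_t *log, char *buf, size_t n) {
    buf[0] = '\0';
    for (size_t i = 0; i < log->count; i++) {
        if (i > 0) strncat(buf, ",", n - strlen(buf) - 1);
        strncat(buf, log->shown[i], n - strlen(buf) - 1);
    }
    return buf;
}

/* Order the pre-fix code puts on screen for the BUNDLED sample. */
const char *before_fix_order(void) {
    static char buf[64];
    param_group_t g = sample_group(GROUP_ITER_BUNDLED);
    render_log_t log = {{0}, 0};
    format_param_group_before(&g, &log);
    return join(&log, buf, sizeof buf);
}

/* Order the BUNDLED descriptor actually asks for: both fields of element 0, then of element 1. */
const char *intended_bundled_order(void) {
    static char buf[64];
    param_group_t g = sample_group(GROUP_ITER_BUNDLED);
    render_log_t log = {{0}, 0};
    for (uint8_t e = 0; e < g.elem_count; e++)
        for (uint8_t f = 0; f < g.field_count; f++) show(&log, g.values[f][e]);
    return join(&log, buf, sizeof buf);
}

/* Returns how many tokens the post-fix code showed, or -1 if it refused the group
 * (a BUNDLED group is refused before anything is shown; a SEQUENTIAL one shows all four). */
int after_fix_tokens_shown(group_iter_t iter) {
    param_group_t g = sample_group(iter);
    render_log_t log = {{0}, 0};
    if (!format_param_group_after(&g, &log)) return -1;
    return (int)log.count;
}
```

The two order strings make the risk concrete: the pre-fix path shows token0, token1, amount0, amount1 and reports success, while the bundled descriptor describes token0, amount0, token1, amount1, so the user would confirm a pairing the screen never displayed. The post-fix path refuses the group before any token reaches the screen, which is what turns the divergence into an aborted clear-signing flow rather than a silently wrong one.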

@cedelavergne-ledger cedelavergne-ledger force-pushed the security/merlin-7ad9704 branch from 6947ae8 to b41cb1b Compare May 11, 2026 08:37
@cedelavergne-ledger cedelavergne-ledger requested a review from a team as a code owner May 11, 2026 08:37
github-actions Bot (Contributor) commented May 11, 2026

elf sizes
source = source branch security/merlin-7ad9704
target = target branch develop

Device  .text source  .text target  .text delta  .bss source  .bss target  .bss delta  max stack size source  max stack size target  max stack size delta
stax    179966        179966        0            21794        21794        0           15064                  15064                  0
nanox   114003        114003        0            20520        20520        0           8192                   8192                   0
apex_p  159897        159897        0            21794        21794        0           19160                  19160                  0
nanos2  114275        114275        0            20492        20492        0           20464                  20464                  0
flex    180557        180045        512          21794        21794        0           15064                  15064                  0

Stack consumption summary (clone_app_stack_consumption)

⚠️ This summary is for informative purposes only. It may not give the application's actual worst case, for example if the test coverage is low.

Device  Worst case (bytes)  Remaining stack (bytes)  Test
apex_p  1753                38603                    test_clone.py::test_clone_thundercore[apex_p]
flex    1801                34459                    test_clone.py::test_clone_thundercore[flex]
nanosp  1705                38651                    test_clone.py::test_clone_thundercore[nanosp]
nanox   1697                6495                     test_clone.py::test_clone_thundercore[nanox]
stax    1801                34459                    test_clone.py::test_clone_thundercore[stax]


Stack consumption summary

⚠️ This summary is for informative purposes only. It may not give the application's actual worst case, for example if the test coverage is low.

Device  Worst case (bytes)  Remaining stack (bytes)  Test
apex_p  3193                15967                    test_eip712.py::test_eip712_batch[apex_p]
flex    3193                11871                    test_eip712.py::test_eip712_batch[flex]
nanosp  3193                17271                    test_eip712.py::test_eip712_batch[nanosp]
nanox   3193                4999                     test_eip712.py::test_eip712_batch[nanox]
stax    3193                11871                    test_eip712.py::test_eip712_batch[stax]


@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.04%. Comparing base (db1a3d9) to head (a7ceef9).

@@             Coverage Diff             @@
##           develop    #1010      +/-   ##
===========================================
- Coverage    56.10%   56.04%   -0.06%     
===========================================
  Files           26       26              
  Lines         2417     2414       -3     
  Branches       312      323      +11     
===========================================
- Hits          1356     1353       -3     
- Misses         979     1057      +78     
+ Partials        82        4      -78     
Flag       Coverage Δ
unittests  56.04% <100.00%> (-0.06%) ⬇️


@cedelavergne-ledger cedelavergne-ledger merged commit 0f2cae5 into develop May 11, 2026
293 checks passed
@cedelavergne-ledger cedelavergne-ledger deleted the security/merlin-7ad9704 branch May 11, 2026 09:47