fix: use msg.sender instead of _msgSender() in ERC20Bridgeable events

[PivasDesant]

Use msg.sender in events to match the standard and the security comment.

Events should log the bridge address, not the meta-transaction sender.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f444517

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This pull request modifies the ERC20Bridgeable contract to change how event parameters are captured in the CrosschainMint and CrosschainBurn events. The change replaces _msgSender() with msg.sender in the event emissions, meaning the events will now record the direct caller address instead of the potentially modified sender address. This affects both crosschain mint and burn operations within the ERC20 Bridgeable extension.

Possibly related PRs

• Use Context._msgSender in BridgeERC20Core and ERC20Crosschain #6189: Modifies the choice between _msgSender() and msg.sender in crosschain/ERC20 bridge-related contracts in the opposite direction (switching usages to _msgSender()).

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: replacing _msgSender() with msg.sender in ERC20Bridgeable events, which matches the actual code modification.
Description check	✅ Passed	The description is directly related to the changeset, explaining the rationale for using msg.sender in events to log the bridge address instead of meta-transaction senders.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a83d9aa and f444517.

📒 Files selected for processing (1)

• contracts/token/ERC20/extensions/draft-ERC20Bridgeable.sol

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: Amxx
Repo: OpenZeppelin/openzeppelin-contracts PR: 5914
File: contracts/crosschain/bridges/BridgeERC20.sol:57-58
Timestamp: 2025-10-03T13:14:57.679Z
Learning: In cross-chain bridge contracts like BridgeERC20, when processing incoming messages in _processMessage, avoid validation checks that revert on malformed addresses. Reverting would create cross-chain inconsistency where tokens are locked/burned on the source chain but never minted on the destination. Instead, use best-effort address extraction (e.g., address(bytes20(toBinary))) to maintain atomicity across chains. If tokens are minted to an incorrect address due to user error, recovery may be possible through admin controls rather than leaving funds permanently locked.

📚 Learning: 2025-10-03T13:14:57.679Z

Learnt from: Amxx
Repo: OpenZeppelin/openzeppelin-contracts PR: 5914
File: contracts/crosschain/bridges/BridgeERC20.sol:57-58
Timestamp: 2025-10-03T13:14:57.679Z
Learning: In cross-chain bridge contracts like BridgeERC20, when processing incoming messages in _processMessage, avoid validation checks that revert on malformed addresses. Reverting would create cross-chain inconsistency where tokens are locked/burned on the source chain but never minted on the destination. Instead, use best-effort address extraction (e.g., address(bytes20(toBinary))) to maintain atomicity across chains. If tokens are minted to an incorrect address due to user error, recovery may be possible through admin controls rather than leaving funds permanently locked.

Applied to files:

• contracts/token/ERC20/extensions/draft-ERC20Bridgeable.sol

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: Redirect rules - solidity-contracts
• GitHub Check: Header rules - solidity-contracts
• GitHub Check: tests-foundry
• GitHub Check: tests-upgradeable
• GitHub Check: coverage
• GitHub Check: slither
• GitHub Check: tests
• GitHub Check: halmos
• GitHub Check: Pages changed - solidity-contracts

🔇 Additional comments (3)

contracts/token/ERC20/extensions/draft-ERC20Bridgeable.sol (3)

33-33: Excellent fix - aligns event emission with access control.

This change correctly ensures the CrosschainMint event logs the actual bridge contract address (msg.sender) that was validated by the onlyTokenBridge modifier (line 19), rather than a potentially meta-transaction-modified sender. This aligns with the security comment on lines 17-18 stating that the bridge should never be impersonated via a relayer/forwarder.

---

41-41: Excellent fix - consistent with line 33.

This change correctly mirrors the fix on line 33, ensuring the CrosschainBurn event also logs the actual bridge contract address validated by the onlyTokenBridge modifier.

---

33-33: No action required—implementation aligns with ERC-7802.

The use of msg.sender as the third parameter in both CrosschainMint and CrosschainBurn events is compliant with ERC-7802, which explicitly specifies that _sender must be msg.sender at call time.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}