Address pre-audit findings F-1..F-5 #14

Merged
DROOdotFOO merged 1 commit into main from docs/erc-spec-uae-and-normative-language
Jun 14, 2026

@DROOdotFOO

Contributor

Summary

Closes the five pre-EIP findings from the zk-x-ray report (zk-x-ray/x-ray.md).

F-1 (Medium) -- UAE jurisdiction missing from spec

  • Added UAE (id=4, VARA) to the Jurisdiction Configuration threshold table.
  • Updated three @param jurisdictionId enumerations in interface NatSpec to include 4=UAE.

F-2 (Low) -- requireSignedSignals / minMultiProviderThreshold not normative

  • Added a new "Jurisdiction Policy" subsection right after the threshold table. Tabulates the canonical "accepts unsigned" and "min threshold_m" values per jurisdiction and binds them with MUST language.
  • Replaced four scattered "(e.g. US BSA, Singapore)" asides with cross-refs to the new subsection. EU/UK/SG/UAE/US policies are now in one place.

F-3 (Low) -- pattern.settlement_root binding depended on consumer discipline

  • Pattern proof bullet: SHOULD mark each consumed pattern proof -> MUST mark.
  • Added the canonical computation keccak256(abi.encode(uint8 subTradeCount, bytes32[] subProofHashes)) mod BN254_FR_MODULUS so consumers do not roll their own and drift from the prover side.

F-4 (Informational) -- proof-hash binding documented only as struct encoding

  • Updated the proofHash struct field comment to point at the existing normative "Proof replay prevention" subsection, which already mandates keccak256(proof, proofType, chainId, oracleAddr).

F-5 (Informational) -- compactConfigHistory gas at the 256 cap

  • Added the ~2.5M gas note to the corresponding row in docs/THREAT_MODEL.md's admin capability matrix, plus operational guidance to schedule it standalone rather than bundled into another tx.

Out of scope

There is significant drift between this repo's ERC-8262.md and the upstream ../ERCs/ERCS/erc-8262.md submitted to ethereum/ERCs#1747. The upstream has Proof System Requirements, Circuit Conventions, Commitment Layouts, and per-circuit specifications that this repo's copy is missing; this repo's copy now has F-2/F-3 which upstream is missing. A follow-up PR will sync both files to a single source of truth.

Manual testing

  • forge test -- 505/505 pass (spec text changes don't touch contract behaviour)
  • forge fmt --check -- clean
  • python3 scripts/eip-interface-drift.py -- clean (no interface drift introduced)

@DROOdotFOO DROOdotFOO merged commit 2ddb4bb into main Jun 14, 2026
3 checks passed