Surge gameplay iteration stage #205

gwalen · 2025-10-18T08:56:35Z

Summary by CodeRabbit

New Features
- Added Solana network integration for cross-chain functionality
- Introduced SUSDC token management on Solana with new deposit and withdrawal flows
- Added cryptographic utilities for Solana interoperability (signature verification, hashing)
Refactor
- Updated credit tracking system with refined terminology for EVMx receivers
- Modified event signatures for deposit and token configuration tracking
- Adjusted function signatures for improved clarity on chain-specific token handling
Tests
- Added test coverage for Solana data decoding scenarios
Chores
- Updated compiler configuration and optimization settings
- Refreshed deployment addresses across multiple networks

…; minor refacotr

…dd callAp to forwarderSolana

…ts in WriterPrecompile

… contracts to be able to call solana

… .. token_) params from bytes32 to address - not used param which is problematic

…t it can do forwarder calls;

…irpt to set it; configure feesPlug solana as plug for feesManager gateway

coderabbitai · 2025-10-18T08:58:49Z

Walkthrough

Introduces Solana blockchain integration throughout the protocol via new Ed25519 cryptographic verification, PDA derivation, and Solana-specific contract interactions. Refactors fees and credit management to support both EVM and Solana chains. Updates multiple contract interfaces and deployment configurations.

Changes

Cohort / File(s)	Summary
Solana Cryptographic Libraries `contracts/evmx/helpers/solana-utils/Ed25519.sol`, `Ed25519_pow.sol`, `Sha512.sol`, `SolanaSignature.sol`	New libraries implementing Ed25519 signature verification (with elliptic-curve arithmetic), SHA-512 hashing, modular exponentiation helpers, and signature delegation wrapper. Pure, internal functions returning verification results.
Solana PDA Utilities `contracts/evmx/helpers/solana-utils/SolanaPda.sol`, `program-pda/FeesPlugPdas.sol`, `program-pda/SUSDCPdas.sol`	Added PDA derivation and validation logic with off-curve checks, canonical bump validation, token ATA derivation, and program-specific seed constants for FeesPlug and SUSDC programs.
Core Fees & Credit Refactor `contracts/evmx/fees/Credit.sol`, `FeesManager.sol`	Major refactor to support Solana integration: introduced `forwarderSolana`, `susdcSolanaProgramId`, `feesPlugSolanaProgramId` fields; updated `deposit()` signature to use bytes32 token and `depositToEvmxAddress_`; added Solana-specific mint/withdraw flows (`mintSusdcOnSolana`, `withdrawCreditsSolana`, `feesPlugWithdrawSolana`); renamed whitelist mapping to `whitelistedEvmxReceivers`.
ForwarderSolana & Interfaces `contracts/evmx/helpers/ForwarderSolana.sol`, `contracts/evmx/interfaces/IFeesManager.sol`, `IConfigurations.sol`, `IPrecompile.sol`	Added `callerAppGateway` parameter to `ForwarderSolana.callSolana()`; updated interface signatures (deposit/withdraw parameter types and names); removed `view` qualifiers from `verifyConnections()` and `validateAndGetPrecompileData()`.
Watcher & Precompile Updates `contracts/evmx/watcher/Configurations.sol`, `RequestHandler.sol`, `precompiles/WritePrecompile.sol`	Replaced `VerifyConnectionsSB` event with `VerifyGateway`; removed `view` from `verifyConnections()`; added Solana diagnostic events (`SolanaInstructionInput`, `SolanaDecodedInstruction`, `SolanaFunctionArgsPacked`) in WritePrecompile; hardcoded `transmitterSolana` in Solana digest creation.
Borsh Serialization `contracts/evmx/watcher/borsh-serde/BorshDecoder.sol`, `BorshEncoder.sol`, `BorshUtils.sol`	BorshDecoder/Utils: formatting and inline comment additions. BorshEncoder: enhanced [u8;N] array handling with multi-path decoding (tightly packed, padded, decoded forms) and fallback logic.
Deployment Configuration `deployments/dev_addresses.json`, `dev_verification.json`, `stage_addresses.json`, `stage_verification.json`, `prod_verification.json`	Replaced contract addresses across network IDs (14323, 421614, 11155420, etc.); added ForwarderSolana entries; reduced dev_verification.json to minimal entries; added FeesPool and AddressResolver blocks in stage.
Hardhat Config & Build `foundry.toml`, `hardhat.config.ts`, `package.json`	Solc bumped to 0.8.29; optimizer_runs reduced to 1, via_ir enabled; package version bumped 1.1.48→1.1.50; label mappings updated for ForwarderSolana.
Deployment & Setup Scripts `hardhat-scripts/deploy/1.deploy.ts`, `3.configureChains.ts`, `6.connect.ts`, `8.setupEnv.ts`, `9.setupTransmitter.ts`, `WhitelistFeesReceiver.ts`	Added ForwarderSolana deployment; configured Solana-specific SUSDC and FeesPlug via new setter functions; renamed `mockForwarderSolanaOnChainAddress32Bytes` → `superTokenSolanaAddress32Bytes`; hardcoded solanaSwitchboardId=1; switched ARBITRUM_SEPOLIA to ARBITRUM; added `checkAndDepositCredits` for FeesManager.
Test Infrastructure `test/BorshDecoderTest.t.sol`, `BorshEncoderTest.t.sol`, `DigestTest.t.sol`, `ReturnValueSolanaTest.t.sol`	Added three Solana return-data decode tests (rugPool, pumpPool, userSwap); added two Borsh encode tests (bytes32Account, SolanaInstruction); formatting updates.
App Gateway & Scripts `test/apps/app-gateways/super-token/EvmSolanaAppGateway.sol`, `script/super-token-solana/EvmSolanaOnchainCalls.s.sol`, `script/helpers/DepositCredit.s.sol`	Updated `ForwarderSolana.callSolana()` calls to pass `address(this)` as third argument; switched DepositCredit from ARBITRUM_SEPOLIA to BASE_SEPOLIA addresses; added debug logging.
Infrastructure `.gitignore`, `lib/forge-std`, `lib/solady`, `src/enums.ts`, `setupInfraContracts.sh`, `hardhat-scripts/test/chainTest.ts`, `hardhat-scripts/utils/deployUtils.ts`, `hardhat-scripts/utils/overrides.ts`, `hardhat-scripts/verify/verify.ts`	.gitignore: added `.env.` and wildcard deployment patterns; submodule updates; added `ForwarderSolanaImpl` to Contracts enum; reordered script execution (3.configureChains after 4.configureEVMx); added ARBITRUM_SEPOLIA and OPTIMISM_SEPOLIA to test chains; BASE gasLimit override 2M→5M; formatting fixes.
Documentation `.gitignore`, `Errors.md`, `EventTopics.md`	Errors.md: added `InvalidSolanaChainSlug()` and `AddressResolverNotSet()` to ForwarderSolana. EventTopics.md: updated FeesManager Deposited/SusdcTokenSet signatures (address→bytes32, renamed params); added Solana events (FeesPlugSolanaSet, SolanaDecodedInstruction, etc.); added ForwarderSolana Initialized event.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ForwarderSolana
    participant SolanaSignature
    participant Ed25519
    participant SolanaPda

    Client->>ForwarderSolana: callSolana(payload, target, callerAppGateway)
    ForwarderSolana->>ForwarderSolana: msgSender = callerAppGateway
    ForwarderSolana->>ForwarderSolana: Check isAsyncModifierSet()

    Note over ForwarderSolana: Path A: Signature Verification
    ForwarderSolana->>SolanaSignature: verifyMessage(pubkey, r, s, msg)
    SolanaSignature->>Ed25519: verify(k, r, s, m)
    Ed25519->>Ed25519: Compute SHA-512(R, A, M)
    Ed25519->>Ed25519: Unpack & compute elliptic-curve points
    Ed25519->>Ed25519: Final comparison & masking
    Ed25519-->>SolanaSignature: bool result
    SolanaSignature-->>ForwarderSolana: Signature valid/invalid

    Note over ForwarderSolana: Path B: PDA Derivation
    ForwarderSolana->>SolanaPda: findProgramAddress(programId, seeds)
    SolanaPda->>SolanaPda: Iterate bump: 255 → 0
    SolanaPda->>SolanaPda: sha256(seeds || bump || programId || "ProgramDerivedAddress")
    SolanaPda->>SolanaPda: Check result is OFF-curve
    SolanaPda-->>ForwarderSolana: (pda, bump)

    ForwarderSolana-->>Client: Result

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Areas requiring extra attention:

Cryptographic implementations (Ed25519.sol, Sha512.sol, Ed25519_pow.sol): These require cryptographic audit against FIPS 186-3 and RFC 8032. Verify bit operations, modular arithmetic, and elliptic-curve arithmetic are correct. Payable attack surface on Ed25519 signature verification.
PDA derivation logic (SolanaPda.sol): Validate off-curve checks and canonical bump iteration. Ensure seed count/length constraints match Solana spec. Test deriveTokenAtaAddress() against known Solana PDAs.
Interface mutability changes: Removal of view from verifyConnections(), validateAndGetPrecompileData(), and _validateAndGetPrecompileData() implies state changes. Verify actual state mutations occur and callers handle side effects.
ForwarderSolana.callSolana signature change: New callerAppGateway parameter replaces msg.sender-derived logic. Confirm all call sites pass the correct address and that the parameter truly represents the caller's app gateway.
Credit.sol refactor: Extensive changes to deposit/withdraw signatures and blockedCredits accounting. Verify balance calculations, particularly balanceOf() with new blockedCredits subtraction. Test wrap/unwrap and Solana withdrawal flows end-to-end.
Hardcoded solanaSwitchboardId = 1 in deployment scripts: Justify why switchboard ID is hardcoded instead of parameterized. Risk of incorrect switchboard routing on chain updates.
Deployment address updates: Validate all address replacements across dev/stage addresses JSON files. Check startBlock values are correct for each network. Verify ForwarderSolana deployment succeeded on each chain.
BorshEncoder fixed-length array handling: Multi-path decoding for [u8;N] is error-prone. Verify length validation prevents buffer overflows and that padding-aware decoding handles all three cases (tightly packed, padded, decoded).

Possibly related PRs

Deploy scripts #185: Overlapping changes to FeesManager event signatures, error metadata, and event topics documentation—suggests coordinated protocol-wide interface updates.
Script and proxy changes #196: Overlapping fees stack refactor (Credit.sol, FeesManager, interface changes, precompile mutability)—parallel or dependent changes to same surfaces.
Merge again solana-triggers to dev-solana-v2 #195: Solana integration surface changes (ForwarderSolana, event/error plumbing)—likely related Solana feature work.

Suggested reviewers

arthcp

Poem

🔐 Ed25519 curves dance in Solana light,
PDA bumps iterate through the night,
Credits wrapped in bytes32 threads,
From EVM chains to Solana spreads.
Forwarders call with gateways true—
One protocol now, bridged anew. 🌉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.
Title check	❓ Inconclusive	The title 'Surge gameplay iteration stage' is vague and generic, providing no meaningful information about the changeset's technical content or primary objective.	Replace with a specific title describing the main change, such as 'Add Solana ForwarderSolana integration and Solana utility libraries' or 'Integrate Solana support for SUSDC and fees management'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch surge-gameplay-iteration-stage

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 29

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (9)

script/super-token-solana/EvmSolanaOnchainCalls.s.sol (1)
215-221: Enforce u64 width for Solana argument; cast explicitly.

This should validate and cast order.srcAmount to uint64 to match "u64" type name. Without it, large values silently misencode and break Solana program expectations.

Apply this diff:
 function buildMintTokenSolanaInstruction(
     EvmSolanaAppGateway.TransferOrderEvmToSolana memory order
 ) internal view returns (SolanaInstruction memory) {
+    // Ensure EVM value fits Solana u64
+    require(order.srcAmount <= type(uint64).max, "srcAmount exceeds u64");
@@
-    bytes[] memory functionArguments = new bytes[](1);
-    // TODO:GW: in watcher and transmitter we might need to convert this value if on Solana mint has different decimals, for now we assume that both are the same
-    functionArguments[0] = abi.encode(order.srcAmount);
+    bytes[] memory functionArguments = new bytes[](1);
+    // TODO: decimals alignment to be handled in watcher/transmitter if needed
+    functionArguments[0] = abi.encode(uint64(order.srcAmount));
contracts/evmx/watcher/RequestHandler.sol (1)
283-295: Fix state mutation order and missing zero-address guard in getPrecompileFees.

_createRequest stores state at line 226 before the loop where _validateAndGetPrecompileData (a non-view, external call) executes at line 247. If the precompile reverts mid-request, _requestBatchIds is already mutated. Move the external call before storage writes, or restructure to defer all mutations until validation succeeds.

Also add a zero-address check to getPrecompileFees (line 119) matching the guard at _validateAndGetPrecompileData line 288:
function getPrecompileFees(
    bytes4 callType_,
    bytes memory precompileData_
) external view returns (uint256) {
    if (address(precompiles[callType_]) == address(0)) revert InvalidCallType();
    return precompiles[callType_].getPrecompileFees(precompileData_);
}
Without this guard, callers get an opaque low-level call revert instead of a domain-specific error. The precompile could also be a zero address if misconfigured, leading to silent failures.
contracts/evmx/helpers/ForwarderSolana.sol (1)
59-76: Critical: Unauthenticated caller spoofing via callerAppGateway.

callSolana trusts the caller-provided callerAppGateway instead of msg.sender. Any EOA/contract can spoof a valid AppGateway, passing isAsyncModifierSet() and getOverrideParams(), and be queued as that gateway. This should bind callerAppGateway to msg.sender (or an allowlisted proxy) and validate inputs.
-    function callSolana(
+    function callSolana(
         bytes memory solanaPayload,
         bytes32 target,
         address callerAppGateway
     ) external {
@@
-        // address msgSender = msg.sender;
-        address msgSender = callerAppGateway;
+        if (callerAppGateway == address(0)) revert InvalidOnChainAddress();
+        // Bind the logical gateway to the actual caller to prevent spoofing.
+        if (callerAppGateway != msg.sender) revert AsyncModifierNotSet(); // or define a dedicated error e.g., InvalidCaller()
+        address msgSender = callerAppGateway;
Add basic payload/target validation too:
+        if (solanaPayload.length == 0) revert InvalidOnChainAddress();
+        if (target == bytes32(0)) revert InvalidOnChainAddress();
If proxy callers are intended, maintain an allowlist in AddressResolver and check msg.sender against it, not arbitrary input.
hardhat-scripts/deploy/1.deploy.ts (1)
107-115: Missing await on getWatcherSigner().

getWatcherSigner() is awaited elsewhere and likely returns a Promise. Without await, signer becomes a Promise, breaking uses like signer.address.
-      const signer: Wallet = getWatcherSigner();
+      const signer: Wallet = await getWatcherSigner();
hardhat-scripts/deploy/3.configureChains.ts (1)
502-506: Bug: missing await on susdcContractId() breaks forwarder lookup.

This returns a Promise and is used immediately, causing invalid argument errors downstream.

Apply:
-  const susdcToken = contractInstance.susdcContractId();
+  const susdcToken = await contractInstance.susdcContractId();
contracts/evmx/watcher/precompiles/WritePrecompile.sol (4)
178-183: Fix misleading variable/comment in decode tuple.

value is msg.value-equivalent; comment says switchboardId. Either capture the switchboardId into a variable or fix the comment to avoid confusion. This should not ship with misleading annotations.
-            uint256 value, // switchboardId
+            uint256 value,
+            uint64 /* switchboardId */
306-358: Hardcoded Solana socket/transmitter is unsafe and environment-specific.

Using hardcodedSocket and transmitterSolana bakes network addresses into the binary and breaks configurability, upgrades, and testability. This should be injected from configuration (e.g., configurations__(), storage setters) and validated per chainSlug. Also remove the unused transmitter_ parameter in the signature and call site to avoid confusion.
-    function _createSolanaDigestParams(
+    function _createSolanaDigestParams(
         PayloadParams memory payloadParams_,
         Transaction memory transaction_,
         address appGateway_,
-        address /*transmitter_*/,
+        // transmitter and socket are injected via configuration
         bytes32 prevBatchDigestHash_,
         uint256 deadline_,
         uint256 gasLimit_,
         uint256 value_
-    ) internal returns (DigestParams memory) {
+    ) internal returns (DigestParams memory) {
@@
-        // TODO: this is temporary, must be injected from function arguments
-        // bytes32 of Solana Socket address : 9vFEQ5e3xf4eo17WttfqmXmnqN3gUicrhFGppmmNwyqV
-        bytes32 hardcodedSocket = 0x84815e8ca2f6dad7e12902c39a51bc72e13c48139b4fb10025d94e7abea2969c;
-        // bytes32 of Solana transmitter address : pFCBP4bhqdSsrWUVTgqhPsLrfEdChBK17vgFM7TxjxQ
-        bytes32 transmitterSolana = 0x0c1a5886fe1093df9fc438c296f9f7275b7718b6bc0e156d8d336c58f083996d;
+        bytes32 socket = configurations__().sockets(transaction_.chainSlug);
+        bytes32 transmitterSolana = configurations__().transmitters(transaction_.chainSlug);
@@
-                hardcodedSocket,
+                socket,
And update call site to drop the unused transmitter_ argument.

396-403: Doc/modifier mismatch.

setExpiryTime says “Only callable by the contract owner” but uses onlyWatcher. Fix the comment or the modifier. This should be consistent.

224-231: Fix transmitter type divergence in WriteProofRequested event for Solana flows.

The event emits address transmitter_ but the digest uses a different transmitter for Solana chains:

Line 201 TODO explicitly states this is known: "we should use here Solana transmitter address"

Line 310: _createSolanaDigestParams ignores the transmitter parameter entirely

Lines 340, 346: Solana digest actually uses transmitterSolana (bytes32), a hardcoded Solana address

Line 225: Event always emits the EVM address passed to the function

Off-chain consumers reading the event will see a different transmitter than what was used to compute the digest.

Change the event field to bytes32 and emit the correct transmitter for each chain, or add a Solana-specific event variant.

🧹 Nitpick comments (33)

.gitignore (1)
16-16: Consider whether .env.example or template files should be committed.

The .env.* pattern is overly broad—it ignores all environment files with extensions, including template/reference files like .env.example or .env.template that teams typically want to version-control for documentation.

If the project needs to commit environment templates, either use a more specific pattern (e.g., .env.local*, .env.*.local) or add an exception rule:
 .env
-.env.*
+.env.*
+!.env.example
Alternatively, if all .env.* files should be ignored regardless, this is fine—just verify that's intentional.
test/ReturnValueSolanaTest.t.sol (1)
21-22: LGTM. Add length checks to harden the test.

This should assert decoded sizes to catch schema drift early.

Example patch (contextual):
 bytes[] memory parsedData = BorshDecoder.decodeGenericSchema(returnDataSchema, returnData);
+assertEq(parsedData.length, 2, "schema items");

 uint8[] memory transmitterSolanaArray = abi.decode(parsedData[0], (uint8[]));
 bytes memory transmitterSolana = BorshEncoder.packUint8Array(transmitterSolanaArray);
+assertEq(transmitterSolana.length, 32, "transmitter len");

 uint8[] memory returnValueArray = abi.decode(parsedData[1], (uint8[]));
 bytes memory returnValue = BorshEncoder.packUint8Array(returnValueArray);
+assertEq(returnValue.length, 4, "return value len");
Also applies to: 37-40
setupInfraContracts.sh (1)
22-24: Clarify the commented-out upgrade script.

The UpgradeForwarderSolana.ts script is commented out. Either enable this step if it's required for the Solana integration, or remove it if it's not needed for this deployment.

If this is an optional upgrade path for future use, add a comment explaining when it should be enabled:
+# Optional: Uncomment to upgrade ForwarderSolana implementation
+# Required after initial deployment when implementation changes
 # time npx hardhat run hardhat-scripts/deploy/UpgradeForwarderSolana.ts --no-compile
contracts/evmx/watcher/RequestHandler.sol (1)
115-121: Guard against unset precompile to avoid opaque zero‑address call reverts.

getPrecompileFees should revert with InvalidCallType when precompiles[callType_] is unset.

Apply this diff:
 function getPrecompileFees(
     bytes4 callType_,
     bytes memory precompileData_
 ) external view returns (uint256) {
-    return precompiles[callType_].getPrecompileFees(precompileData_);
+    IPrecompile pre = precompiles[callType_];
+    if (address(pre) == address(0)) revert InvalidCallType();
+    return pre.getPrecompileFees(precompileData_);
 }
script/super-token-solana/EvmSolanaOnchainCalls.s.sol (2)
309-344: Type descriptor vs. encoded value mismatch ([u64;100] vs uint256[100]).

This should encode a uint64[100] (or update the descriptor). Keeping uint256 here contradicts "functionArgumentTypeNames[1] = "[u64;100]"".

Apply this diff:
-    uint256[] memory array = new uint256[](100);
-    functionArguments[1] = abi.encode(array);
+    uint64[] memory array64 = new uint64[](100);
+    functionArguments[1] = abi.encode(array64);
33-37: Avoid hard‑coding mainnet slug and unconditional enable in scripts.

This should be gated by env to prevent accidental mainnet state mutation when someone runs the script with real RPCs.

Apply this diff:
-        // appGateway.setIsValidPlug(CHAIN_SLUG_SOLANA_MAINNET, solanaTargetProgramId);
-        appGateway.setIsValidPlugForSolana(true, CHAIN_SLUG_SOLANA_MAINNET, solana_plug_signer);
+        bool enable = vm.envBool("ENABLE_SET_VALID_PLUG");
+        bytes32 chainSlug = vm.envBytes32("CHAIN_SLUG"); // e.g., CHAIN_SLUG_SOLANA_MAINNET
+        appGateway.setIsValidPlugForSolana(enable, chainSlug, solana_plug_signer);
-        // appGateway.setIsValidPlug(CHAIN_SLUG_SOLANA_MAINNET, solana_plug_signer);
+        // appGateway.setIsValidPlug(chainSlug, solana_plug_signer);
contracts/evmx/watcher/borsh-serde/BorshDecoder.sol (1)
14-18: Validate full consumption to catch truncated/malformed payloads.

This should assert there are no trailing bytes after decoding the declared fields. Add data.done() before returning.

Apply this diff:
     for (uint256 i = 0; i < schema.valuesTypeNames.length; i++) {
         ...
     }
-
-    return decodedParams;
+    data.done();
+    return decodedParams;
Also applies to: 101-106
contracts/evmx/helpers/solana-utils/SolanaSignature.sol (2)
1-2: Align SPDX license identifier with repo convention.

This should use "GPL-3.0-only" like other contracts.

Apply this diff:
-// SPDX-License-Identifier: GPL-3.0
+// SPDX-License-Identifier: GPL-3.0-only
13-16: Inline return; drop the temporary variable.

Saves a few bytes and reads cleaner.

Apply this diff:
-        bool valid = Ed25519.verify(public_key, signature_r, signature_s, message);
-
-        return valid;
+        return Ed25519.verify(public_key, signature_r, signature_s, message);
contracts/evmx/helpers/solana-utils/Ed25519_pow.sol (2)
5-8: Document the addition chain and return semantics.

This should state the exact addition chain used to compute 2^250−1 and prove p11 is v^11. Add a brief derivation and cite the standard chain to aid auditing and maintenance.

40-328: Highly unrolled squaring inflates code size; risk of exceeding contract size and high deployment cost.

This unrolled chain issues hundreds of mulmod calls with repeated constants. It risks hitting the 24KB code size limit once linked into the consuming library/contract and significantly increases deployment gas. This should be collapsed into small helpers to square N times and to multiply when needed; the compiler will keep loops tight while shrinking bytecode.

Example approach:
+    function _squareN(uint256 x, uint256 n) private pure returns (uint256 r) {
+        r = x;
+        unchecked {
+            for (uint256 i = 0; i < n; ++i) r = mulmod(r, r, P);
+        }
+    }
Then rewrite long runs like “a = mulmod(a,a,P)” repeated K times into “a = _squareN(a, K)”. Keep the exact addition chain but reduce bytecode and improve auditability. Consider the modexp precompile (0x05) for v^(2^250−1) if acceptable for gas/precision trade‑offs.
hardhat-scripts/deploy/1.deploy.ts (1)

522-536: Provider init is independent of Hardhat runtime; consider reusing the signer’s provider.

getStorageAt via a separate JsonRpcProvider can drift from the active network. This should reuse deployUtils.signer.provider or ensure EVMX_RPC matches the current network.

test/BorshDecoderTest.t.sol (1)

684-701: Remove noisy console logs in stable tests.

console.log/console.logBytes add clutter and slow CI. This should be gated behind a debug flag or removed in non-debug tests.

contracts/evmx/watcher/Configurations.sol (1)

121-136: Docstring vs access control mismatch.

setIsValidPlug comment says “Only callable by the app gateway” but the guard is onlyWatcher. This should be corrected to avoid confusion.

test/apps/app-gateways/super-token/EvmSolanaAppGateway.sol (1)

123-126: Direct watcher setIsValidPlug call bypasses access checks on gateway side.

This should remain limited to test scaffolding. In production, only the watcher owner/admin should configure validity. Consider protecting this function (onlyOwner) in tests or confining to Foundry scripts.

test/BorshEncoderTest.t.sol (1)

252-276: Use abi.encodePacked for fixed 32-byte arguments to match decoder expectations.

Your comment explains the panic when using abi.encode; keeping raw 32 bytes or abi.encodePacked is correct for [u8;32]. Consider adding a small helper to avoid future mistakes.
hardhat-scripts/deploy/6.connect.ts (1)
1-1: Avoid ethers.utils in v6; support both v5 and v6.

Using ethers.utils.hexZeroPad assumes v5. If the repo is on ethers v6, utils is removed. This should use zeroPadValue/hexlify for v6 or centralize in a helper.

Minimal compatibility wrapper:
-const solanaAppGatewayId = ethers.utils.hexZeroPad(appGatewayAddress, 32);
+const zeroPad32 = (v: string) =>
+  (ethers as any).utils?.hexZeroPad ? (ethers as any).utils.hexZeroPad(v, 32) : (ethers as any).zeroPadValue(v, 32);
+const solanaAppGatewayId = zeroPad32(appGatewayAddress);
Or better: use toBytes32FormatHexString everywhere (as above) and drop direct hexZeroPad calls.

Also applies to: 183-184, 230-233, 244-248, 258-263
contracts/evmx/fees/FeesManager.sol (1)
150-156: Emit events on Solana program ID changes.

Administrative setters should emit events for observability and off-chain indexing.
 function setFeesPlugSolanaProgramId(bytes32 feesPlugSolanaProgramId_) external onlyOwner {
   feesPlugSolanaProgramId = feesPlugSolanaProgramId_;
+  emit FeesPlugSolanaSet(feesPlugSolanaProgramId_);
 }
 
 function setSusdcSolanaProgramId(bytes32 susdcSolanaProgramId_) external onlyOwner {
   susdcSolanaProgramId = susdcSolanaProgramId_;
+  emit SusdcSolanaProgramSet(susdcSolanaProgramId_);
 }
(Define the two events.)
contracts/evmx/helpers/solana-utils/program-pda/SUSDCPdas.sol (1)

12-17: Seed literals look fine; add a canonical-bump variant and doc the trailing “:” seeds.

These PDAs depend on exact seed bytes (including the trailing colon). This should be documented to avoid silent mismatches with the on-chain Solana programs. Consider adding a validate helper that asserts the derived bump is canonical using SolanaPDA.validatePDAWithCanonicalBump to catch accidental noncanonical bumps in tests.

Also applies to: 19-24
hardhat-scripts/deploy/3.configureChains.ts (1)
207-213: Logging path also assumes hex input; fix to log base58→hex conversion.

toBytes32Format(solanaSwitchboard) expects hex but you’ll pass base58. Use toBytes32FromBase58 for display too.
-  console.log(
-    "solanaSwitchboard as bytes32: ",
-    Buffer.from(toBytes32Format(solanaSwitchboard)).toString("hex")
-  );
+  const ssHex = toBytes32FromBase58(solanaSwitchboardB58);
+  console.log("solanaSwitchboard as bytes32:", ssHex);
contracts/evmx/helpers/solana-utils/program-pda/FeesPlugPdas.sol (1)

30-39: Expose seed bytes intentionally; add unit tests asserting Solana parity.

These helpers mirror Solana program logic and look correct. Add tests that cross-check against a reference off-chain PDA (same seeds, programId) to prevent regressions and ensure the trailing colon seed strings match the on-chain program.

Also applies to: 41-46
contracts/evmx/helpers/solana-utils/SolanaPda.sol (3)
6-13: False-positive secret scan; constants are public program IDs.

These hex constants are base58-decoded program IDs, not secrets. Add a comment to silence future secret scans and include the original base58 strings for auditability.
-// TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA
+// Token Program (base58): TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA — public constant, not a secret
 // ...
-// TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb
+// Token-2022 (base58): TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb — public constant, not a secret
 // ...
-// ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL
+// Associated Token (base58): ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL — public constant, not a secret
223-240: deriveTokenAtaAddress: OK; add a counterpart for Token-2022.

Some mints use TOKEN_2022_PROGRAM_ID. Provide an overload to derive ATAs for Token-2022, or a flag to select program ID.
-    function deriveTokenAtaAddress(
-        bytes32 solanaAddress,
-        bytes32 mint
-    ) internal pure returns (bytes32) {
+    function deriveTokenAtaAddress(
+        bytes32 solanaAddress,
+        bytes32 mint
+    ) internal pure returns (bytes32) {
         bytes[] memory seeds = new bytes[](3);
         // user solanaAddress
         seeds[0] = abi.encodePacked(solanaAddress);
         // token programId
         seeds[1] = abi.encodePacked(TOKEN_PROGRAM_ID);
         // token mint
         seeds[2] = abi.encodePacked(mint);

         (bytes32 pda /*uint8 bump*/, ) = SolanaPDA.findProgramAddress(
             ASSOCIATED_TOKEN_PROGRAM_ID,
             seeds
         );
         return pda;
     }
+
+    function deriveToken2022AtaAddress(
+        bytes32 solanaAddress,
+        bytes32 mint
+    ) internal pure returns (bytes32) {
+        bytes[] memory seeds = new bytes[](3);
+        seeds[0] = abi.encodePacked(solanaAddress);
+        seeds[1] = abi.encodePacked(TOKEN_2022_PROGRAM_ID);
+        seeds[2] = abi.encodePacked(mint);
+        (bytes32 pda, ) = SolanaPDA.findProgramAddress(ASSOCIATED_TOKEN_PROGRAM_ID, seeds);
+        return pda;
+    }
147-186: Micro-optimization: use unchecked increments in tight loops.

These loops are hot for PDA derivation. Wrap the p++ style counters in unchecked to shave gas.
contracts/evmx/interfaces/IFeesManager.sol (1)

59-65: Clarify burn vs burnSolana semantics.

burnSolana adds burnTokenMint_. This should be mirrored in docs/Natspec and validated at implementation (correct Solana mint, chain slug). If both functions are externally visible, add explicit revert messages for wrong chainSlug.

EventTopics.md (2)

348-351: Mark Solana debug events as non-contractual.

SolanaDecodedInstruction / SolanaFunctionArgsPacked / SolanaInstructionInput are debug-only. This should be clearly labeled as temporary in docs and omitted from any public API commitments to avoid downstream coupling.

153-158: ForwarderSolana section needs cross-reference.

Add a link/section that explains where ForwarderSolana is set and which chains/slugs it applies to, to reduce ambiguity during integration.
contracts/evmx/fees/Credit.sol (6)
310-312: balanceOf may underflow-revert if blockedCredits > balance.

Returning super.balanceOf - blockedCredits can revert on view. This should return 0 in that edge case or enforce the invariant elsewhere. At minimum, add a safety check.
-        return super.balanceOf(account) - blockedCredits[account];
+        uint256 bal = super.balanceOf(account);
+        uint256 blocked = blockedCredits[account];
+        return blocked > bal ? 0 : bal - blocked;
418-441: withdrawCredits: burn occurs before pool balance decrement checks.

If tokenOnChainBalances underflows, the whole tx reverts and the burn is reverted, but this ordering obscures the failure mode. This should validate and decrement pool balance before burning, or compute and assert sufficiency first to surface precise errors.

171-175: setFeesPlugSolana: mainnet-only.

This hardcodes CHAIN_SLUG_SOLANA_MAINNET in watcher__.setIsValidPlug. If devnet/testnet are used, add a setter for those slugs or document the expectation.

251-265: wrap: event and accounting ok, but document ETH funding assumptions.

wrap mints credits and sends ETH to FeesPool. Document how FeesPool is funded and reconciled with native withdrawals to avoid pool insolvency when deposits/withdraws occur via watchers.

548-563: mintSusdcOnSolana: missing slippage/amount guards.

Consider enforcing a max mint amount or policy via configuration to prevent accidental large mints if upstream passes wrong units.

715-719: convertToSolanaUint64 silently truncates decimals.

This divides by 1e12 and truncates. If precision matters, add rounding or require divisibility by 1e12 to prevent silent value loss.
-    uint256 scaledAmount = amount / 10 ** 12;
+    require(amount % (10 ** 12) == 0, "Amount not 6-decimal aligned");
+    uint256 scaledAmount = amount / (10 ** 12);

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5525f32 and 0723eb4.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (52)

.gitignore (1 hunks)
Errors.md (1 hunks)
EventTopics.md (4 hunks)
contracts/evmx/fees/Credit.sol (14 hunks)
contracts/evmx/fees/FeesManager.sol (3 hunks)
contracts/evmx/helpers/ForwarderSolana.sol (2 hunks)
contracts/evmx/helpers/solana-utils/Ed25519.sol (1 hunks)
contracts/evmx/helpers/solana-utils/Ed25519_pow.sol (1 hunks)
contracts/evmx/helpers/solana-utils/Sha512.sol (1 hunks)
contracts/evmx/helpers/solana-utils/SolanaPda.sol (1 hunks)
contracts/evmx/helpers/solana-utils/SolanaSignature.sol (1 hunks)
contracts/evmx/helpers/solana-utils/program-pda/FeesPlugPdas.sol (1 hunks)
contracts/evmx/helpers/solana-utils/program-pda/SUSDCPdas.sol (1 hunks)
contracts/evmx/interfaces/IConfigurations.sol (1 hunks)
contracts/evmx/interfaces/IFeesManager.sol (3 hunks)
contracts/evmx/interfaces/IPrecompile.sol (1 hunks)
contracts/evmx/watcher/Configurations.sol (2 hunks)
contracts/evmx/watcher/RequestHandler.sol (2 hunks)
contracts/evmx/watcher/borsh-serde/BorshDecoder.sol (3 hunks)
contracts/evmx/watcher/borsh-serde/BorshEncoder.sol (2 hunks)
contracts/evmx/watcher/borsh-serde/BorshUtils.sol (2 hunks)
contracts/evmx/watcher/precompiles/WritePrecompile.sol (5 hunks)
contracts/utils/common/Structs.sol (1 hunks)
deployments/dev_addresses.json (1 hunks)
deployments/dev_verification.json (1 hunks)
deployments/prod_verification.json (1 hunks)
deployments/stage_verification.json (7 hunks)
foundry.toml (1 hunks)
hardhat-scripts/config/config.ts (2 hunks)
hardhat-scripts/constants/feeConstants.ts (1 hunks)
hardhat-scripts/deploy/1.deploy.ts (3 hunks)
hardhat-scripts/deploy/2.roles.ts (1 hunks)
hardhat-scripts/deploy/3.configureChains.ts (7 hunks)
hardhat-scripts/deploy/6.connect.ts (4 hunks)
hardhat-scripts/deploy/9.setupTransmitter.ts (1 hunks)
hardhat-scripts/deploy/UpgradeForwarderSolana.ts (1 hunks)
hardhat-scripts/deploy/WhitelistFeesReceiver.ts (1 hunks)
hardhat-scripts/test/chainTest.ts (1 hunks)
hardhat-scripts/utils/deployUtils.ts (3 hunks)
hardhat-scripts/verify/verify.ts (1 hunks)
hardhat.config.ts (4 hunks)
lib/forge-std (1 hunks)
lib/solady (1 hunks)
package.json (2 hunks)
script/super-token-solana/EvmSolanaOnchainCalls.s.sol (9 hunks)
setupInfraContracts.sh (1 hunks)
src/enums.ts (1 hunks)
test/BorshDecoderTest.t.sol (40 hunks)
test/BorshEncoderTest.t.sol (2 hunks)
test/DigestTest.t.sol (1 hunks)
test/ReturnValueSolanaTest.t.sol (2 hunks)
test/apps/app-gateways/super-token/EvmSolanaAppGateway.sol (6 hunks)

🧰 Additional context used

🧬 Code graph analysis (4)

hardhat.config.ts (2)

hardhat-scripts/s3Config/buildConfig.ts (1)

getChainConfig (51-72)

src/chain-enums/chainSlugToId.ts (1)

ChainSlugToId (4-83)

hardhat-scripts/deploy/UpgradeForwarderSolana.ts (7)

hardhat-scripts/constants/types.ts (1)

DeploymentAddresses (3-5)

hardhat-scripts/utils/address.ts (1)

getAddresses (8-27)

hardhat-scripts/config/config.ts (2)

mode (10-12)

EVMX_CHAIN_ID (181-181)

src/types.ts (1)

ChainAddressesObj (18-33)

hardhat-scripts/utils/sign.ts (1)

getWatcherSigner (11-14)

hardhat-scripts/utils/deployUtils.ts (4)

DeployParams (32-37)

getOrDeploy (39-78)

getInstance (131-135)

storeAddresses (168-195)

hardhat-scripts/utils/overrides.ts (1)

overrides (94-105)

hardhat-scripts/deploy/6.connect.ts (4)

hardhat-scripts/deploy/1.deploy.ts (1)

superTokenSolanaAddress32Bytes (51-54)

hardhat-scripts/constants/types.ts (2)

AppGatewayConfig (14-21)

DeploymentAddresses (3-5)

hardhat-scripts/utils/address.ts (1)

getAddresses (8-27)

hardhat-scripts/config/config.ts (2)

mode (10-12)

EVMX_CHAIN_ID (181-181)

hardhat-scripts/deploy/3.configureChains.ts (5)

hardhat-scripts/config/config.ts (1)

EVMX_CHAIN_ID (181-181)

hardhat-scripts/constants/constants.ts (2)

CCTP_SWITCHBOARD_TYPE (10-10)

FAST_SWITCHBOARD_TYPE (9-9)

hardhat-scripts/utils/address.ts (2)

toBytes32Format (58-65)

toBytes32FormatHexString (42-56)

hardhat-scripts/utils/deployUtils.ts (2)

updateContractSettings (348-387)

getInstance (131-135)

hardhat-scripts/utils/sign.ts (1)

getWatcherSigner (11-14)

🪛 Gitleaks (8.28.0)

contracts/evmx/helpers/solana-utils/SolanaPda.sol

[high] 7-7: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[high] 9-9: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[high] 11-11: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (32)

deployments/prod_verification.json (1)

131-131: Formatting consistency improvement.

Inlining the Socket constructor arguments for chain 5000 matches the existing single-line format used for Socket entries on chains 169 and 747. No data changes; semantic content remains identical.

lib/solady (1)

1-1: Verify solady update addresses known security vulnerability.

The new commit 836c169f is valid, but a critical vulnerability exists in solady: CVE-2025-53638 documents a lack-of-extcodesize validation issue in ERC4337Factory / silent initialization failures; upgrade to v0.1.24+ recommended.

Confirm: (1) does commit 836c169f include the security fix for CVE-2025-53638, (2) was the old commit vulnerable, and (3) does the codebase use ERC4337Factory or related components that require this update?

lib/forge-std (1)

1-1: No issues—forge-std submodule update is justified and necessary.

Verification confirms forge-std is actively used across multiple test files including ReturnValueSolanaTest.t.sol, DigestTest.t.sol, BorshEncoderTest.t.sol, and BorshDecoderTest.t.sol—all directly supporting the Solana integration work in this PR. The update is not spurious; it's required test infrastructure for the cryptographic and protocol changes being introduced.

package.json (2)

12-12: Patch version bump aligns with iterative Solana integration.

The version bump from 1.1.48 to 1.1.49 is appropriate for this PR's scope. Since the package is in active development (alpha), patch increments are standard for feature and protocol iterations.

35-35: Verify package version constraint and review @socket.tech/socket-protocol-common release notes manually.

Version discrepancy detected: package.json specifies 1.1.46, but yarn.lock contains @socket.tech/[email protected]. Confirm which version is intended—1.2.46 is a minor version bump (not a patch) and has higher breaking-change risk.

No public changelog exists for this package. Review the package release notes directly on npm or the Socket repository for any Solana PDA derivation, message type schema, or event signature changes. The codebase has extensive Solana integration (ForwarderSolana, SolanaPDA library, Borsh encoding), so confirm Solana-specific protocol updates don't conflict with existing Credit.sol, FeesManager.sol, or WritePrecompile.sol implementations.

contracts/utils/common/Structs.sol (1)

262-262: No-op formatting.

Fine to keep; no behavioral impact.

test/DigestTest.t.sol (1)

28-28: Formatting-only change.

No impact. Keep as is.

deployments/stage_verification.json (1)

56-56: Formatting change verified. No schema violations.

The array compaction preserves the required structure—Socket entries maintain the [chainId, address, "EVMX"] format across all updated lines (56, 114, 294, 351, 407, 465). The schema check passes.

hardhat-scripts/constants/feeConstants.ts (1)

345-345: No action required. Ignore the guard suggestion.

The guard is unnecessary because mode is typed as DeploymentMode (from the cast process.env.DEPLOYMENT_MODE as DeploymentMode | DeploymentMode.DEV), and all four DeploymentMode values—LOCAL, DEV, STAGE, PROD—are already mapped in the feePools object (lines 345–348). TypeScript enforces that feePools[mode] can never be undefined given the type constraints. Adding a guard would be defensive coding that masks the actual guarantee the type system provides.

The address update at line 345 is verified and consistently referenced across the codebase (foundry.toml, dev_addresses.json, and the new LOCAL mapping).

Likely an incorrect or invalid review comment.

hardhat-scripts/test/chainTest.ts (1)

9-30: Test chain scope aligns with DEV configuration.

The reduction to ARBITRUM_SEPOLIA and OPTIMISM_SEPOLIA matches the DEV mode chain list in config.ts, ensuring test coverage focuses on actively configured chains.

Errors.md (1)

19-25: Error documentation added for ForwarderSolana.

Clear documentation of the new error signatures for Solana integration.

hardhat-scripts/config/config.ts (2)

43-65: DEV chain scope reduced for focused Solana iteration.

The chain list reduction to ARBITRUM_SEPOLIA and OPTIMISM_SEPOLIA aligns with the test configuration changes and the PR's focus on Solana gameplay iteration.

35-35: No issues found. The evmChainId migration is complete and consistent.

The old LOCAL chain ID (7625382) has zero references in the codebase. The new chain ID (14323) is correctly applied across LOCAL, DEV, and STAGE configs in hardhat-scripts/config/config.ts and synchronized in all deployment JSON files. No hardcoded references to the old ID remain, and the change poses no risk to deployment targets.

deployments/dev_verification.json (1)

1-5: Verification data reduced to match DEV chain scope.

The minimal entries for chains 14323 (EVMX), 421614 (ARBITRUM_SEPOLIA), and 11155420 (OPTIMISM_SEPOLIA) align with the reduced DEV mode chain configuration.

foundry.toml (1)

20-45: Label updates align with Solana integration.

The address label mappings correctly reflect the new ForwarderSolana contract architecture. The changes are consistent with the deployment addresses in dev_addresses.json.

deployments/dev_addresses.json (1)

1-56: Deployment addresses updated for Solana integration.

The address updates across multiple networks (14323, 421614, 11155420) are consistent with the ForwarderSolana deployment. All new contract addresses follow the expected format.

src/enums.ts (1)

81-81: Enum addition follows established patterns.

The ForwarderSolanaImpl enum entry is consistent with other implementation contract naming conventions in the codebase.

hardhat-scripts/deploy/9.setupTransmitter.ts (1)

26-27: Credit deposit for fees manager aligns with Solana integration.

Ensuring the fees manager contract has sufficient credits is a logical step given the new Solana forwarding capabilities. This follows the same pattern used for the transmitter address.

contracts/evmx/watcher/borsh-serde/BorshUtils.sol (1)

23-29: Formatting improvements enhance readability.

The multi-line formatting for memory calculations and inline comments for character token matching improve code readability without affecting functionality.

Also applies to: 106-132

contracts/evmx/interfaces/IConfigurations.sol (1)

11-16: All implementations and consumers are correctly synchronized with the interface change.

The breaking change from view to mutable has been properly implemented:

Interface (IConfigurations.sol:11-16) and implementation (Configurations.sol:159-171) both show external (view modifier removed)

Event emission is correctly placed in the implementation (line 167: emit VerifyGateway)

All callers (5 test locations in Watcher.t.sol + 1 production call in WritePrecompile.sol:121) use standard function calls, which are compatible with mutable functions

No static calls exist that would break—zero instances of staticCall or callStatic in the codebase

The change is complete and requires no further action.

contracts/evmx/helpers/ForwarderSolana.sol (1)

81-93: Queue context integrity.

watcher__().queue(queueParams, msgSender) relies on msgSender for downstream auth (Configurations.verifyConnections). This should only be a verified gateway address (post the fix above). Also consider emitting an event with chainSlug/target/appGateway to aid tracing.
hardhat-scripts/deploy/1.deploy.ts (3)
51-55: Name clarifies intent. LGTM.

Renaming to superTokenSolanaAddress32Bytes improves clarity for Solana target.

175-187: Propagating possibly-zero ForwarderSolana into FeesManager.

If deployment failed, FeesManager will be initialized with AddressZero. This should guard and fail fast (or skip FeesManager) to avoid configuring unusable state.
-      deployUtils = await deployContractWithProxy(
+      if (forwarderSolanaAddress === ethers.constants.AddressZero) {
+        throw new Error("ForwarderSolana not deployed; aborting FeesManager deployment");
+      }
+      deployUtils = await deployContractWithProxy(
1-5: No v5/v6 mix detected; codebase is consistently ethers v5.

The project uses ethers 5.6.6 with @nomiclabs/hardhat-ethers 2.2.3. All imports follow v5 conventions: formatEther from "ethers/lib/utils", ethers.providers.JsonRpcProvider, and ethers.utils.* patterns are correct and consistent throughout the codebase. The concern about mixed versions does not apply here.

Likely an incorrect or invalid review comment.
test/BorshDecoderTest.t.sol (1)

774-816: Good coverage for envelope + inner payload decoding.

Validates Vec envelope then u64 triplet. Clear assertions.

contracts/evmx/watcher/Configurations.sol (1)

160-171: verifyConnections changed to non-view; confirm callers and gas expectations.

Switching to external (non‑view) impacts call sites and gas budgets. Ensure watcher__().queue callers don’t assume staticcall, and update interfaces.

test/apps/app-gateways/super-token/EvmSolanaAppGateway.sol (2)

135-141: Binding to ForwarderSolana.callerAppGateway is correct.

Passing address(this) matches the new signature and helps bind the logical caller. This assumes ForwarderSolana enforces callerAppGateway == msg.sender.

270-279: Event-only “increase” is fine for testing.

No state other than counter; good for signal.

test/BorshEncoderTest.t.sol (1)

278-295: Instruction args encoding smoke test looks good.

encodeFunctionArgs(instruction) coverage is useful; keep payload in a fixture to declutter the test.

contracts/evmx/helpers/solana-utils/SolanaPda.sol (1)

70-141: Verification successful: all three program ID constants match their base58 encodings.

The constants in SolanaPda.sol are correct:

TOKEN_PROGRAM_ID at line 7 ✓

TOKEN_2022_PROGRAM_ID at line 9 ✓

ASSOCIATED_TOKEN_PROGRAM_ID at line 11 ✓

All decoded values match their hex representations exactly. The code is sound.

contracts/evmx/interfaces/IFeesManager.sol (1)

8-13: Inconsistency is intentional and correct—do not align token types.

The bytes32 vs address difference reflects proper cross-chain vs on-chain distinction:

deposit(bytes32 token_) is a cross-chain bridge function that stores chain-specific token identifiers in tokenOnChainBalances[chainSlug_][onChainTokenAddress_]

withdrawCredits(address token_) is an on-chain EVM function that works with actual EVM token addresses

This design is sound. The pattern applies across Solana functions too: withdrawCreditsSolana, burnSolana all use bytes32 for off-chain identifiers.

The deposit implementation includes a TODO noting the parameter may be unused, but aligning it to address would break cross-chain functionality. Instead, add brief interface documentation explaining the bytes32/address split reflects chain scope.

Likely an incorrect or invalid review comment.

contracts/evmx/fees/Credit.sol (1)

93-101: Storage layout concern is partially inaccurate; gap math discrepancy needs clarification.

The review lists "(forwarderSolana, susdcSolanaProgramId, feesPlugSolanaProgramId, whitelists, maps)" as new vars shrinking the gap. However:

Only 3 vars are new (forwarderSolana, susdcSolanaProgramId, feesPlugSolanaProgramId)

whitelistedEvmxReceivers and maxFeesPerChainSlug already existed at slot 59

Additionally, the gap math doesn't align: the comment reserves slots [60-107] (48 slots), but _gap_after is only 44 slots. With 3 new vars consuming 3 slots, the remaining gap should be 45 slots if the original was 48—the 1-slot discrepancy suggests a documentation error or alignment issue.

To verify storage collision risk, compare the prior deployed contract's storage layout against the current version. This requires either a storage layout snapshot from the previous release or running forge inspect against both versions—neither is available in the repo.

coderabbitai · 2025-10-18T09:11:30Z