Skip to content

feat(pxe): disallow registering invalid addresses as senders#22489

Merged
benesjan merged 1 commit intomerge-train/fairiesfrom
jan/f-512-disallow-registering-invalid-addresses-as-senders-in-pxe
Apr 14, 2026
Merged

feat(pxe): disallow registering invalid addresses as senders#22489
benesjan merged 1 commit intomerge-train/fairiesfrom
jan/f-512-disallow-registering-invalid-addresses-as-senders-in-pxe

Conversation

@benesjan
Copy link
Copy Markdown
Contributor

@benesjan benesjan commented Apr 13, 2026

Summary

Resolves https://linear.app/aztec-labs/issue/F-512/disallow-registering-invalid-addresses-as-senders-in-pxe

  • Validates sender addresses in PXE.registerSender() via address.isValid() before storing them in the sender address book
  • Removes the TODO(F-512) comment in LogService.#getSecretsForSenders
  • Adds a unit test with a known invalid Grumpkin x-coordinate

Why validate at the API boundary instead of globally?

We considered enforcing validity at the AztecAddress constructor level, but this is impractical:

  • isValid() is async (calls into Barretenberg WASM for bn254FrSqrt), so making construction enforce validity would require making all ~650+ construction sites async
  • There are legitimate uses of invalid addresses internally (representing external blockchain data, graceful handling in crypto code)
  • The performance cost (~1-2ms per check at the WASM boundary) would be significant in deserialization-heavy paths like block processing

Validating at the PXE API boundary targets the real risk (invalid addresses from untrusted user input) without the migration and performance costs.

Test plan

  • Unit test verifies registerSender rejects an address with x=3 (not on the Grumpkin curve since y^2 = 10 has no square root in Fr)

🤖 Generated with Claude Code

@benesjan @claude
feat(pxe): disallow registering invalid addresses as senders
c6999ab 
Validates that addresses correspond to a point on the Grumpkin curve
before allowing them to be added to the sender address book. This
prevents runtime failures in LogService when computing tagging secrets
for invalid senders.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@benesjan benesjan added the ci-draft Run CI on draft PRs. label Apr 13, 2026
@benesjan benesjan marked this pull request as ready for review April 14, 2026 03:35
@benesjan benesjan removed the ci-draft Run CI on draft PRs. label Apr 14, 2026
@benesjan benesjan requested a review from Thunkar April 14, 2026 03:36
@benesjan benesjan merged commit e095e36 into merge-train/fairies Apr 14, 2026
45 checks passed
@benesjan benesjan deleted the jan/f-512-disallow-registering-invalid-addresses-as-senders-in-pxe branch April 14, 2026 06:12
AztecBot pushed a commit that referenced this pull request Apr 14, 2026
@benesjan
feat(pxe): disallow registering invalid addresses as senders (#22489)
6383b35
@AztecBot
Copy link
Copy Markdown
Collaborator

AztecBot commented Apr 14, 2026

❌ Failed to cherry-pick to v4-next due to conflicts. (🤖) View backport run.

@AztecBot AztecBot mentioned this pull request Apr 14, 2026
Open
critesjosh pushed a commit that referenced this pull request Apr 14, 2026
@benesjan @critesjosh
feat(pxe): disallow registering invalid addresses as senders (#22489)
5ff4b2b
@AztecBot AztecBot mentioned this pull request Apr 14, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Thunkar Thunkar Thunkar approved these changes

Assignees

No one assigned

Labels

backport-to-v4-next

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benesjan @AztecBot @Thunkar