Skip to content

[02/03] DeepSec approvals: shared gate and classic permit paths#7838

Draft
fairlighteth wants to merge 2 commits into
deepsec/approval-permit-01-cache-storagefrom
deepsec/approval-permit-02-shared-gate
Draft

[02/03] DeepSec approvals: shared gate and classic permit paths#7838
fairlighteth wants to merge 2 commits into
deepsec/approval-permit-01-cache-storagefrom
deepsec/approval-permit-02-shared-gate

Conversation

@fairlighteth

@fairlighteth fairlighteth commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

What changed

  • Add a shared callOnBeforeApprovalWidgetHook helper for approval-policy payloads.
  • Route classic ERC-20 approvals and permit-in-advance generation through that shared gate.
  • Use the same spender for allowance checks, pending approval checks, permit lookup, and the widget approval payload.
  • Treat unresolved allowance reads as approval-needed until the value is known.

Why

  • Approval-like paths had drifted: permit signing could skip the widget approval policy boundary, while some readiness checks could evaluate a different or unresolved approval state.
  • A single helper keeps the policy payload explicit and makes the token, amount, wallet, and spender reviewed by the host match the operation the app prepares.

DeepSec findings addressed

  • Source: DeepSec vulnerability scan report dated 2026-05-05. This waterfall supersedes the closed aggregate PR fix: align approval hooks and permit spender checks #7620.
  • MEDIUM - Permit approval path bypasses injected widget onBeforeApproval hook: permit-capable swaps could start permit signing before the widget integrator had a chance to reject the approval operation. Permit generation now passes through the same approval gate as the classic on-chain path.
  • BUG - Unknown allowance is treated as approval not needed: an unresolved allowance read could temporarily suppress a required approval. The hook now keeps approval required until the allowance value is available.

Review guide

QA Testing

Developer verification on 4b5e4ea43:

  • Targeted approval and permit hooks: 5 suites, 39 tests passed.
  • cowswap-frontend TypeScript check passed.

CI status on the amended head:

  • Passing as of this update: Lint, Typecheck, Agent Harness, Setup, i18n extraction, Socket Security, CLA, and completed Vercel deployments.
  • Test, Cypress, and the remaining preview deployments were still incomplete; use the Checks tab for their live result.

Known QA gaps

  • No fresh manual real-wallet signing pass for ERC-20 approval, EIP-2612 permit, or DAI-like permit signing on this branch.

Preview URLs

Surface URL
swap-dev - branch preview URL https://swap-dev-git-deepsec-approval-permit-02-shared-gate-cowswap-dev.vercel.app
explorer-dev - branch preview URL https://explorer-dev-git-deepsec-approval-permit-02-781289-cowswap-dev.vercel.app
cowfi - branch preview URL https://cowfi-git-deepsec-approval-permit-02-shared-gate-cowswap.vercel.app
storybook - branch preview URL https://storybook-git-deepsec-approval-permit-02-sha-7e23b4-cowswap-dev.vercel.app
widget-configurator - branch preview URL https://widget-configurator-git-deepsec-approval-per-272c1c-cowswap-dev.vercel.app
sdk-tools - branch preview URL https://sdk-tools-git-deepsec-approval-permit-02-sha-399503-cowswap-dev.vercel.app

@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cowfi Ready Ready Preview Jul 10, 2026 12:17pm
explorer-dev Ready Ready Preview Jul 10, 2026 12:17pm
storybook Ready Ready Preview Jul 10, 2026 12:17pm
swap-dev Ready Ready Preview Jul 10, 2026 12:17pm
widget-configurator Ready Ready Preview Jul 10, 2026 12:17pm
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
cosmos Ignored Ignored Jul 10, 2026 12:17pm
sdk-tools Ignored Ignored Preview Jul 10, 2026 12:17pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: eeb88617-1589-4e22-b570-ea1b256e2635

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch deepsec/approval-permit-02-shared-gate

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploying swap-dev with  Cloudflare Pages  Cloudflare Pages

Latest commit: 773c0b9
Status: ✅  Deploy successful!
Preview URL: https://97e9f093.swap-dev-5u6.pages.dev
Branch Preview URL: https://deepsec-approval-permit-02-s.swap-dev-5u6.pages.dev

View logs

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploying explorer-dev with  Cloudflare Pages  Cloudflare Pages

Latest commit: 773c0b9
Status: ✅  Deploy successful!
Preview URL: https://863416d7.explorer-dev-dxz.pages.dev
Branch Preview URL: https://deepsec-approval-permit-02-s.explorer-dev-dxz.pages.dev

View logs

@fairlighteth

Copy link
Copy Markdown
Contributor Author

Cross-PR coordination heads-up: #7697 is an older open fix for the same onBeforeApproval permit-signing gap. Both PRs modify useGeneratePermitInAdvanceToTrade; #7697 additionally covers the limit-order and lower-level swapFlow paths.

The review on #7697 found that both implementations invoke the approval hook before generatePermit performs its persistent cache lookup. Cached permits can therefore still prompt the integrator even though no signature is needed. Please coordinate the two implementations so this is fixed once through the shared gate and the unique flow coverage is not lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant