feat(collector): add SCOPE_SIGNED to cancel() for EOA offer revocation (TRST-L-8)

RembrandtK · RembrandtK · commit f9599da1f844 · 2026-04-22T18:33:05.000+01:00
Give EOA signers an on-chain revocation path via cancel(agreementId,
termsHash, SCOPE_SIGNED). Records cancelledOffers[msg.sender][termsHash]
= agreementId; _requireAuthorization rejects when the stored agreementId
matches. Self-authenticating, idempotent, reversible (bytes16(0) undoes),
and combinable with SCOPE_PENDING/SCOPE_ACTIVE.

Builds on the version-indexed storage and idempotent cancel semantics
from the preceding L-11 refactor: SCOPE_SIGNED is added as a new branch
at the top of cancel() alongside the existing SCOPE_PENDING / SCOPE_ACTIVE
handling, and the cancelledOffers lookup slots into _requireAuthorization's
signed branch.
diff --git a/packages/horizon/contracts/payments/collectors/RecurringCollector.sol b/packages/horizon/contracts/payments/collectors/RecurringCollector.sol
@@ -30,7 +30,8 @@ import {
     VERSION_CURRENT,
     VERSION_NEXT,
     SCOPE_ACTIVE,
-    SCOPE_PENDING
+    SCOPE_PENDING,
+    SCOPE_SIGNED
 } from "@graphprotocol/interfaces/contracts/horizon/IAgreementCollector.sol";
 import { IRecurringCollector } from "@graphprotocol/interfaces/contracts/horizon/IRecurringCollector.sol";
 import { IGraphPayments } from "@graphprotocol/interfaces/contracts/horizon/IGraphPayments.sol";
@@ -115,6 +116,9 @@ contract RecurringCollector is
         /// @notice Decoded agreement terms, keyed by EIP-712 hash.
         /// Referenced by AgreementData.activeTermsHash and pendingTermsHash.
         mapping(bytes32 termsHash => AgreementTerms terms) terms;
+        /// @notice Cancelled offer hashes, keyed by signer then EIP-712 hash.
+        /// Stores the agreementId that is blocked; bytes16(0) means not cancelled.
+        mapping(address signer => mapping(bytes32 hash => bytes16 agreementId)) cancelledOffers;
     }
 
     /// @dev keccak256(abi.encode(uint256(keccak256("graphprotocol.storage.RecurringCollector")) - 1)) & ~bytes32(uint256(0xff))
@@ -489,10 +493,28 @@ contract RecurringCollector is
     }
 
     /// @inheritdoc IAgreementCollector
+    /// @dev This implementation targets only the payer side of the agreement.
+    /// SCOPE_PENDING and SCOPE_ACTIVE enforce `msg.sender == agreement.payer`.
+    /// SCOPE_SIGNED has no caller check in this function; the entry it writes is
+    /// self-keyed by msg.sender and is consulted only later, during payer
+    /// authorization of a signed accept or update. Extending cancel to data-service
+    /// or service-provider callers is left for a future revision.
     function cancel(bytes16 agreementId, bytes32 termsHash, uint16 options) external whenNotPaused {
         RecurringCollectorStorage storage $ = _getStorage();
         AgreementData storage agreement = $.agreements[agreementId];
 
+        // Signed scope: record cancelledOffers[msg.sender][termsHash] = agreementId.
+        // Self-authenticating — only blocks when msg.sender matches the recovered ECDSA signer.
+        // The stored agreementId is checked in _requireAuthorization (!=); calling again
+        // with bytes16(0) undoes the cancellation, calling with a different agreementId
+        // redirects it.
+        if (options & SCOPE_SIGNED != 0) {
+            if ($.cancelledOffers[msg.sender][termsHash] != agreementId) {
+                $.cancelledOffers[msg.sender][termsHash] = agreementId;
+                emit OfferCancelled(msg.sender, agreementId, termsHash);
+            }
+        }
+
         // Pending / active scopes: revert if on-chain data exists but caller is not the payer.
         // No-op if nothing exists on-chain (nothing to cancel).
         if (options & (SCOPE_PENDING | SCOPE_ACTIVE) != 0) {
@@ -1063,11 +1085,15 @@ contract RecurringCollector is
         bytes16 _agreementId,
         uint8 _offerType
     ) private view {
-        if (0 < _signature.length)
-            require(_isAuthorized(_payer, ECDSA.recover(_hash, _signature)), RecurringCollectorInvalidSigner());
-        else {
+        RecurringCollectorStorage storage $ = _getStorage();
+
+        if (0 < _signature.length) {
+            address signer = ECDSA.recover(_hash, _signature);
+            require(_isAuthorized(_payer, signer), RecurringCollectorInvalidSigner());
+            require($.cancelledOffers[signer][_hash] != _agreementId, RecurringCollectorOfferCancelled(signer, _hash));
+        } else {
             // Pre-approval: the hash must match the expected version of this agreement.
-            AgreementData storage agreement = _getStorage().agreements[_agreementId];
+            AgreementData storage agreement = $.agreements[_agreementId];
             bytes32 versionHash = _offerType == OFFER_TYPE_NEW ? agreement.activeTermsHash : agreement.pendingTermsHash;
             require(versionHash == _hash, RecurringCollectorInvalidSigner());
         }
diff --git a/packages/horizon/test/unit/payments/recurring-collector/cancelSignature.t.sol b/packages/horizon/test/unit/payments/recurring-collector/cancelSignature.t.sol
@@ -0,0 +1,256 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.27;
+
+import { IRecurringCollector } from "@graphprotocol/interfaces/contracts/horizon/IRecurringCollector.sol";
+import {
+    SCOPE_SIGNED,
+    SCOPE_ACTIVE,
+    SCOPE_PENDING
+} from "@graphprotocol/interfaces/contracts/horizon/IAgreementCollector.sol";
+
+import { RecurringCollectorSharedTest } from "./shared.t.sol";
+
+contract RecurringCollectorCancelSignedOfferTest is RecurringCollectorSharedTest {
+    /*
+     * TESTS
+     */
+
+    /* solhint-disable graph/func-name-mixedcase */
+
+    function test_CancelSigned_BlocksAccept(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        (, bytes memory signature) = _recurringCollectorHelper.generateSignedRCA(rca, signerKey);
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED);
+
+        // Accepting with the cancelled signature should revert
+        vm.expectRevert(
+            abi.encodeWithSelector(IRecurringCollector.RecurringCollectorOfferCancelled.selector, signer, rcaHash)
+        );
+        vm.prank(rca.dataService);
+        _recurringCollector.accept(rca, signature);
+    }
+
+    function test_CancelSigned_EmitsEvent(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        vm.expectEmit(address(_recurringCollector));
+        emit IRecurringCollector.OfferCancelled(signer, agreementId, rcaHash);
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED);
+    }
+
+    function test_CancelSigned_BlocksUpdate(FuzzyTestUpdate calldata fuzzyTestUpdate) public {
+        (
+            IRecurringCollector.RecurringCollectionAgreement memory rca,
+            ,
+            uint256 signerKey,
+            bytes16 agreementId
+        ) = _sensibleAuthorizeAndAccept(fuzzyTestUpdate.fuzzyTestAccept);
+
+        IRecurringCollector.RecurringCollectionAgreementUpdate memory rcau = _recurringCollectorHelper.sensibleRCAU(
+            fuzzyTestUpdate.rcau
+        );
+        rcau.agreementId = agreementId;
+
+        (
+            IRecurringCollector.RecurringCollectionAgreementUpdate memory signedRcau,
+            bytes memory rcauSig
+        ) = _recurringCollectorHelper.generateSignedRCAUForAgreement(agreementId, rcau, signerKey);
+        bytes32 rcauHash = _recurringCollector.hashRCAU(signedRcau);
+        address signer = vm.addr(signerKey);
+
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcauHash, SCOPE_SIGNED);
+
+        // Updating with the cancelled signature should revert
+        vm.expectRevert(
+            abi.encodeWithSelector(IRecurringCollector.RecurringCollectorOfferCancelled.selector, signer, rcauHash)
+        );
+        vm.prank(rca.dataService);
+        _recurringCollector.update(signedRcau, rcauSig);
+    }
+
+    function test_CancelSigned_Idempotent(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED);
+
+        // Second call succeeds silently — no revert, no event
+        vm.recordLogs();
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED);
+        assertEq(vm.getRecordedLogs().length, 0);
+    }
+
+    function test_CancelSigned_DoesNotAffectDifferentSigner(
+        FuzzyTestAccept calldata fuzzyTestAccept1,
+        FuzzyTestAccept calldata fuzzyTestAccept2
+    ) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca1 = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept1.rca
+        );
+        uint256 signerKey1 = boundKey(fuzzyTestAccept1.unboundedSignerKey);
+
+        IRecurringCollector.RecurringCollectionAgreement memory rca2 = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept2.rca
+        );
+        uint256 signerKey2 = boundKey(fuzzyTestAccept2.unboundedSignerKey);
+
+        vm.assume(rca1.payer != rca2.payer);
+        vm.assume(vm.addr(signerKey1) != vm.addr(signerKey2));
+
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca1.payer, signerKey1);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca2.payer, signerKey2);
+
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca1);
+
+        // Signer1 cancels — should not affect signer2
+        vm.prank(vm.addr(signerKey1));
+        _recurringCollector.cancel(bytes16(0), rcaHash, SCOPE_SIGNED);
+
+        // Signer2's signatures for the same hash are unaffected
+        // (signer-scoped, not hash-global)
+    }
+
+    function test_CancelSigned_SelfAuthenticating(FuzzyTestAccept calldata fuzzyTestAccept, address anyAddress) public {
+        // Any address can call cancel with SCOPE_SIGNED — it only records for msg.sender
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        vm.assume(anyAddress != address(0));
+        vm.assume(anyAddress != _proxyAdmin);
+
+        // Should not revert — self-authenticating, no _requirePayer
+        vm.prank(anyAddress);
+        _recurringCollector.cancel(bytes16(0), rcaHash, SCOPE_SIGNED);
+    }
+
+    function test_CancelSigned_CombinedWithActiveDoesNotRevert(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        // SCOPE_SIGNED | SCOPE_ACTIVE with no accepted agreement — should not revert.
+        // The signed recording succeeds; the active scope is skipped because nothing on-chain.
+        vm.expectEmit(address(_recurringCollector));
+        emit IRecurringCollector.OfferCancelled(signer, agreementId, rcaHash);
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED | SCOPE_ACTIVE);
+    }
+
+    function test_CancelSigned_CombinedWithPendingDoesNotRevert(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        // SCOPE_SIGNED | SCOPE_PENDING with no agreement — should not revert.
+        vm.expectEmit(address(_recurringCollector));
+        emit IRecurringCollector.OfferCancelled(signer, agreementId, rcaHash);
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED | SCOPE_PENDING);
+    }
+
+    function test_CancelSigned_UndoWithZero(FuzzyTestAccept calldata fuzzyTestAccept) public {
+        IRecurringCollector.RecurringCollectionAgreement memory rca = _recurringCollectorHelper.sensibleRCA(
+            fuzzyTestAccept.rca
+        );
+        uint256 signerKey = boundKey(fuzzyTestAccept.unboundedSignerKey);
+        _recurringCollectorHelper.authorizeSignerWithChecks(rca.payer, signerKey);
+
+        (, bytes memory signature) = _recurringCollectorHelper.generateSignedRCA(rca, signerKey);
+        bytes32 rcaHash = _recurringCollector.hashRCA(rca);
+        address signer = vm.addr(signerKey);
+        bytes16 agreementId = _recurringCollector.generateAgreementId(
+            rca.payer,
+            rca.dataService,
+            rca.serviceProvider,
+            rca.deadline,
+            rca.nonce
+        );
+
+        // Cancel
+        vm.prank(signer);
+        _recurringCollector.cancel(agreementId, rcaHash, SCOPE_SIGNED);
+
+        // Undo by calling with bytes16(0)
+        vm.prank(signer);
+        _recurringCollector.cancel(bytes16(0), rcaHash, SCOPE_SIGNED);
+
+        // Accept should now succeed
+        _setupValidProvision(rca.serviceProvider, rca.dataService);
+        vm.prank(rca.dataService);
+        _recurringCollector.accept(rca, signature);
+    }
+
+    /* solhint-enable graph/func-name-mixedcase */
+}
diff --git a/packages/interfaces/contracts/horizon/IAgreementCollector.sol b/packages/interfaces/contracts/horizon/IAgreementCollector.sol
@@ -46,6 +46,8 @@ uint8 constant OFFER_TYPE_UPDATE = 2;
 uint8 constant SCOPE_ACTIVE = 1;
 /// @dev Cancel targets pending offers
 uint8 constant SCOPE_PENDING = 2;
+/// @dev Cancel targets signed offers
+uint8 constant SCOPE_SIGNED = 4;
 
 // -- Version indices (shared by getAgreementDetails and getAgreementOfferAt) --
 //
@@ -127,12 +129,14 @@ interface IAgreementCollector is IPaymentsCollector {
     function offer(uint8 offerType, bytes calldata data, uint16 options) external returns (AgreementDetails memory);
 
     /**
-     * @notice Cancel an agreement or revoke a pending offer.
-     * @dev Scopes can be combined. SCOPE_PENDING and SCOPE_ACTIVE require payer authorization
-     * and no-op if nothing exists on-chain.
-     * @param agreementId The agreement's ID.
+     * @notice Cancel an agreement, revoke a pending offer, or invalidate a signed offer.
+     * @dev Scopes can be combined. SCOPE_SIGNED is self-authenticating (keyed by msg.sender);
+     * SCOPE_PENDING and SCOPE_ACTIVE require payer authorization and no-op if nothing exists on-chain.
+     * @param agreementId The agreement's ID. For SCOPE_SIGNED, only blocks accept/update when
+     * the agreementId matches; passing bytes16(0) undoes a previous cancellation.
      * @param termsHash EIP-712 hash identifying which terms to cancel.
-     * @param options Bitmask — SCOPE_ACTIVE (1) active terms, SCOPE_PENDING (2) pending offers.
+     * @param options Bitmask — SCOPE_ACTIVE (1) active terms, SCOPE_PENDING (2) pending offers,
+     * SCOPE_SIGNED (4) signed offers.
      */
     function cancel(bytes16 agreementId, bytes32 termsHash, uint16 options) external;
 
diff --git a/packages/interfaces/contracts/horizon/IRecurringCollector.sol b/packages/interfaces/contracts/horizon/IRecurringCollector.sol
@@ -402,6 +402,13 @@ interface IRecurringCollector is IAuthorizable, IAgreementCollector {
      */
     error RecurringCollectorPauseGuardianNoChange(address account, bool allowed);
 
+    /**
+     * @notice Thrown when accepting or updating with a hash that the signer cancelled via SCOPE_SIGNED
+     * @param signer The signer who cancelled the offer
+     * @param hash The cancelled EIP-712 hash
+     */
+    error RecurringCollectorOfferCancelled(address signer, bytes32 hash);
+
     /**
      * @notice Emitted when a pause guardian is set
      * @param account The address of the pause guardian
diff --git a/packages/issuance/audits/PR1301/TRST-L-8.md b/packages/issuance/audits/PR1301/TRST-L-8.md
@@ -20,3 +20,5 @@ Expose a `cancelSignature(bytes32 hash)` entry point that records the hash as in
 TBD
 
 ---
+
+Added `SCOPE_SIGNED` flag to `cancel()`, giving EOA signers an on-chain revocation path like contract payers already have via `SCOPE_PENDING`. The signer calls `cancel(agreementId, termsHash, SCOPE_SIGNED)` which records `cancelledOffers[msg.sender][termsHash] = agreementId`. When `accept()` or `update()` later processes a signature, `_requireAuthorization` recovers the signer via ECDSA and rejects if the stored agreementId matches. Self-authenticating (keyed by signer address), idempotent, reversible (calling again with `bytes16(0)` undoes the cancellation), and combinable with other scopes. Also made `cancel` no-op when nothing exists on-chain instead of reverting.

-Original file line number
+Diff line change
 TBD
 ---
++
 +Added `SCOPE_SIGNED` flag to `cancel()`, giving EOA signers an on-chain revocation path like contract payers already have via `SCOPE_PENDING`. The signer calls `cancel(agreementId, termsHash, SCOPE_SIGNED)` which records `cancelledOffers[msg.sender][termsHash] = agreementId`. When `accept()` or `update()` later processes a signature, `_requireAuthorization` recovers the signer via ECDSA and rejects if the stored agreementId matches. Self-authenticating (keyed by signer address), idempotent, reversible (calling again with `bytes16(0)` undoes the cancellation), and combinable with other scopes. Also made `cancel` no-op when nothing exists on-chain instead of reverting.