Summary
The RaindexV6 subparser exposes all context words globally with no per-entrypoint gating. In the add/remove-order post-action context (which only populates base column 0 + calling-context column 1 rows 0–1), words that map to absent columns/rows are footguns. Protofire M02 (#2619) named the reverting case for order-counterparty(); this generalizes it and adds a more dangerous silent-value variant.
Observed (verified on current main)
- Silent wrong value. deposit-token() maps to calling-context column 1 row 0 — the same slot order-hash() uses. In an addOrder4 post-action that slot holds the order hash, so deposit-token() does not revert — it silently returns the order hash. Repro testProbeDepositTokenSilentlyReturnsOrderHash passes (it asserts deposit-token() == order-hash()). The same slot-aliasing affects withdraw-token() and other col1-row0/row1 words across entrypoints.
- Generalized reverts. calculated-max-output() (col 2), input-token() (col 3) — and every other word for a column/row absent in the post-action context — revert with panic: array out-of-bounds access (0x32), the same revert M02 flagged for order-counterparty(). Repros testProbeAddOrderCalculatedMaxOutput / testProbeAddOrderInputToken fail (revert) on main.
Why it matters / triage
The silent-value case is the concerning one: an author who uses deposit-token() in the wrong entrypoint gets a plausible-looking 32-byte value (an unrelated field) with no signal, and it would survive a fix that only addresses the reverting words. The generalized reverts mean a per-word point-fix for order-counterparty() leaves the rest of the class broken.
Whether slot-aliasing across entrypoints is "by design" (words documented for their own entrypoints) is a maintainer call — surfaced for triage, not adjudicated.
Relationship
Generalizes / extends Protofire M02 (#2619) (same root cause: a single global word surface with no per-entrypoint gating). The audit recommendation — "make context availability explicit per entrypoint rather than presenting one global word surface" — covers the whole class.
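To make the two failure modes in the Observed section and the per-entrypoint recommendation concrete, here is a small Python model of the word-to-slot lookup. It is an added illustration, not RaindexV6 code: the word table (WORD_SLOTS), the per-entrypoint availability table (ENTRYPOINT_WORDS), the resolver functions and the context values are all assumptions. Only the facts stated in this issue are carried over (deposit-token and order-hash sharing column 1 row 0; calculated-max-output in column 2; input-token in column 3; the post-action context populating only column 0 and column 1 rows 0–1); rows and slots marked "assumed" in the comments are invented for the model.

```python
"""Model of the slot-aliasing / out-of-bounds class described in this issue.

All names here (WORD_SLOTS, ENTRYPOINT_WORDS, resolve_word_*) and the slot
table are illustrative assumptions, not RaindexV6's own code or word table.
"""


class ContextOutOfBounds(Exception):
    """Stands in for the Solidity panic 0x32 (array out-of-bounds access)."""


class WordNotAvailable(Exception):
    """Raised by the gated resolver when a word is used outside its entrypoint."""


# Global word surface: every word maps to one (column, row) regardless of
# which entrypoint is evaluating it. The columns for calculated-max-output
# (col 2) and input-token (col 3) follow the issue; their rows, and the slots
# for withdraw-token and order-counterparty, are assumptions for this model.
WORD_SLOTS = {
    "order-hash": (1, 0),
    "deposit-token": (1, 0),          # same slot as order-hash (per the issue)
    "withdraw-token": (1, 1),         # assumed row
    "order-counterparty": (2, 1),     # assumed slot in an absent column
    "calculated-max-output": (2, 0),  # assumed row
    "input-token": (3, 0),            # assumed row
}

# Per-entrypoint availability: the explicit table the audit recommendation
# asks for. Membership here is an assumption for illustration.
ENTRYPOINT_WORDS = {
    "add-order-post-action": {"order-hash"},
    "deposit-post-action": {"order-hash", "deposit-token"},
}


def add_order_post_action_context(order_hash, calling_row1):
    """Constructed context: base column 0 plus calling-context column 1
    rows 0-1, which is all the add/remove-order post-action populates."""
    return [
        [0xBA5E0000, 0xBA5E0001],    # column 0: base context (constructed)
        [order_hash, calling_row1],  # column 1: calling context rows 0-1
    ]


def resolve_word_ungated(word, context):
    """The footgun: look the slot up with no knowledge of the entrypoint."""
    col, row = WORD_SLOTS[word]
    if col >= len(context) or row >= len(context[col]):
        raise ContextOutOfBounds(f"{word} -> column {col} row {row} is absent")
    return context[col][row]


def resolve_word_gated(word, context, entrypoint):
    """Mitigation: refuse words not declared for this entrypoint before
    touching the context, so a wrong-entrypoint use fails loudly instead of
    aliasing another field or panicking inside the array access."""
    if word not in ENTRYPOINT_WORDS.get(entrypoint, set()):
        raise WordNotAvailable(f"{word} is not available in {entrypoint}")
    return resolve_word_ungated(word, context)


def classify_words(context, entrypoint):
    """Audit check: for every word on the global surface, report whether it
    resolves legitimately ("ok"), resolves to an unrelated field with no
    signal ("silent-alias"), or hits the out-of-bounds panic ("reverts")."""
    report = {}
    for word in WORD_SLOTS:
        try:
            resolve_word_ungated(word, context)
        except ContextOutOfBounds:
            report[word] = "reverts"
            continue
        allowed = word in ENTRYPOINT_WORDS.get(entrypoint, set())
        report[word] = "ok" if allowed else "silent-alias"
    return report


if __name__ == "__main__":
    ctx = add_order_post_action_context(0x0123, 0x4567)
    for word, verdict in sorted(classify_words(ctx, "add-order-post-action").items()):
        print(f"{word:22} {verdict}")
```

Running the module classifies deposit-token and withdraw-token as silent aliases in the add-order post-action (they resolve, but to fields that belong to other words) and the column 2 and 3 words as reverts; only order-hash is "ok". The point of classify_words is that a point-fix for one reverting word changes nothing in the silent-alias rows, whereas resolve_word_gated turns both rows into an explicit WordNotAvailable error, which is what a per-entrypoint word surface buys.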
Provenance
Surfaced and verified by an adversarial review pass over current main. Repro tests live on a throwaway scratch branch (uncommitted); happy to push them if useful.