Skip to content

Add Superchain interop message passing #595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 44 commits into
base: master
Choose a base branch
from
Draft

Add Superchain interop message passing #595

wants to merge 44 commits into from

Conversation

ericglau
Copy link
Member

@ericglau ericglau commented Jul 4, 2025
edited
Loading

Remaining items:

  • Add UI elements to emphasize that this is only compatible with chains on the Superchain and requires deterministic deployments
  • Add unit tests
  • Add snapshot tests
  • Update AI assistant definitions and MCP schemas
  • Test/fix usage with AI assistant
  • Add Optimism contracts for compilation tests
  • Add Optimism contracts to Download Hardhat and Foundry packages
  • Test an example contract locally using supersim, non-upgradeable
  • Test an example contract locally using supersim, upgradeable
  • Add changesets

@ericglau ericglau requested a review from a team July 7, 2025 03:53
@ericglau ericglau requested a review from gonzaotc July 21, 2025 16:32
@gonzaotc
Copy link
Contributor

gonzaotc commented Jul 28, 2025
edited
Loading

Solid!, just one thing that you are probably aware of; the ai assistant seems to be generating crosschain messaging code very well, however the changes aren't getting correctly reflected on the UI, the contract code appears, but the checkboxes are kept unchecked as if nothing happened, they're not in sync with the code changes made by the ai

gonzaotc
gonzaotc reviewed Jul 29, 2025
View reviewed changes
packages/ui/src/solidity/superchain-tooltip.ts Outdated
content:
'<strong>Important:</strong> Only available on chains in the Superchain. Requires deploying your contract to the same address on every chain in the Superchain. <a class="light-link" href="https://docs.optimism.io/stack/interop/superchain-erc20#requirements" target="_blank" rel="noopener noreferrer">Read more.</a>',
'<strong>Important:</strong> Only available on chains in the Superchain. Requires deploying your contract to the same address on every chain in the Superchain.',
Copy link
Contributor

@gonzaotc gonzaotc Jul 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed the current comment in this tooltip suggests that same-address deployment across chains is always required for Superchain messaging passing, but given my current understanding I think this isn't true for all scenarios, and that it only applies when it is desired to allow only the same contract to call itself across chains.

I think there may be other valid cross-chain messaging patterns using the Superchain where contracts accept messages from different origin senders than themselves, and those wouldn't need same-address deployment.

Maybe we could adjust the comment to clarify that this requirement is conditional based on the authentication pattern being used?, wdyt?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've removed the same address requirement from the tooltip, and reworded the NatSpec message to be clearer in commit 5bb6fe5. Let me know if you think that conveys the points.

@socket-security Socket Security
Copy link

socket-security bot commented Jul 29, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​nomicfoundation/​hardhat-toolbox@​6.0.0981007588100
Added@​eth-optimism/​contracts-bedrock@​0.17.31001001007970
Updatedhardhat@​2.26.1 ⏵ 2.22.19941008999 -180
Updated@​openzeppelin/​contracts@​5.4.0 ⏵ 5.3.010096 -410094100

View full report

@socket-security Socket Security
Copy link

socket-security bot commented Jul 29, 2025
edited
Loading

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Critical
[email protected] has a Critical CVE.

CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL)

Affected versions: < 6.6.1

Patched version: 6.6.1

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
[email protected] has a Critical CVE.

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 4.0.4

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
[email protected] has a Critical CVE.

CVE: GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos (CRITICAL)

Affected versions: >= 3.0.10 < 3.1.3

Patched version: 3.1.3

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
[email protected] has a Critical CVE.

CVE: GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys (CRITICAL)

Affected versions: < 3.1.3

Patched version: 3.1.3

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
[email protected] has a High CVE.

CVE: GHSA-xq7p-g2vc-g82p Homograph attack allows Unicode lookalike characters to bypass validation. (HIGH)

Affected versions: = 5.0.0, 4.0.0; >= 5.0.0 < 5.0.1; >= 4.0.0 < 4.0.1; < 3.0.11

Patched version: 3.0.11

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-49q7-c7j4-3p7m Elliptic allows BER-encoded signatures (LOW)

Affected versions: >= 5.2.1 < 6.5.7

Patched version: 6.5.7

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-f7q4-pwc6-w24p Elliptic's EDDSA missing signature length check (LOW)

Affected versions: >= 4.0.0 < 6.5.7

Patched version: 6.5.7

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-977x-g7h5-7qgw Elliptic's ECDSA missing check for whether leading bit of r and s is zero (LOW)

Affected versions: >= 2.0.0 < 6.5.7

Patched version: 6.5.7

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-434g-2637-qmqr Elliptic's verify function omits uniqueness validation (LOW)

Affected versions: < 6.5.6

Patched version: 6.5.6

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-fc9h-whq2-v747 Valid ECDSA signatures erroneously rejected in Elliptic (LOW)

Affected versions: < 6.6.0

Patched version: 6.6.0

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-cxrh-j4jr-qwg3 undici Denial of Service attack via bad certificate data (LOW)

Affected versions: < 5.29.0; >= 6.0.0 < 6.21.2; >= 7.0.0 < 7.5.0

Patched version: 5.29.0

From: packages/core/solidity/src/environments/hardhat/optimism/package-lock.jsonnpm/[email protected]npm/@nomicfoundation/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gonzaotc gonzaotc gonzaotc left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ericglau @gonzaotc