@mmackz mmackz commented Oct 6, 2025

Description

  • adds a check to make sure the log address (or the to address for functions) matches the provided targetContract in the actionStep
  • allows this check to be bypassed by using zeroAddress as the targetContract

Summary by CodeRabbit

  • Bug Fixes

    • Improved event and transaction validation to enforce target contract address matching, reducing false positives while preserving wildcard behavior for unspecified targets.
  • Chores

    • Updated an internal dependency reference with no user-facing changes.

changeset-bot bot commented Oct 6, 2025

🦋 Changeset detected

Latest commit: 899bdfe

The changes in this PR will be included in the next version bump.

💥 An error occurred when fetching the changed packages and changesets in this PR
Some errors occurred when validating the changesets config:
The package or glob expression "@boostxyz/test" is specified in the `ignore` option but it is not found in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

coderabbitai bot commented Oct 6, 2025

Walkthrough

Updates include a submodule pointer change under packages/evm/lib/openzeppelin-contracts-upgradeable and address-gating additions in packages/sdk/src/Actions/EventAction.ts to validate transaction and log addresses against actionStep.targetContract, with zeroAddress acting as a wildcard. No public APIs were changed.

Changes

| Cohort / File(s) | Summary of changes |
|---|---|
| Submodule update: packages/evm/lib/openzeppelin-contracts-upgradeable | Updated submodule reference to commit e3ba7f6a236c55e3fb7e569ecd6043b11d567c3d; no code changes in this repo. |
| SDK action validation: packages/sdk/src/Actions/EventAction.ts | Added targetContract address checks: reject tx/logs when addresses don’t match actionStep.targetContract; allow wildcard when targetContract is zeroAddress. Applied in isActionEventValid, isActionStepValid, and filterLogsByActionStepCriteria. Control flow updated without API changes. |
| Changeset: .changeset/beige-radios-cry.md | Added changeset entry noting the behavioral change: "add targetContract check in action validation" and minor version bump for @boostxyz/sdk. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor Client
  participant EventAction
  participant Validator as Validation Helpers

  Client->>EventAction: validate(actionStep, tx, logs)
  rect rgba(220,240,255,0.4)
    note over Validator: isActionStepValid
    EventAction->>Validator: check tx.to vs actionStep.targetContract
    alt targetContract == zeroAddress
      note right of Validator: Wildcard — skip address check
      Validator-->>EventAction: true
    else addresses match
      Validator-->>EventAction: true
    else addresses do not match
      Validator-->>EventAction: false
    end
  end

  alt step valid
    rect rgba(240,255,220,0.4)
      note over Validator: isActionEventValid / filterLogsByActionStepCriteria
      loop for each log
        EventAction->>Validator: compare log.address to targetContract
        alt targetContract == zeroAddress
          note right of Validator: Wildcard — accept any address
          Validator-->>EventAction: include
        else address matches
          Validator-->>EventAction: include
        else address does not match
          Validator-->>EventAction: skip
        end
      end
    end
    EventAction-->>Client: result based on filtered logs
  else step invalid
    EventAction-->>Client: false / no match
  end
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my ears at gates so bright,
Addresses checked in moonlit night;
Zero’s wild, a friendly star—
Let matching guides decide who you are.
Submodules hop to fresher ground,
Logs align, the right ones found.
Thump-thump—validation’s sound! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Out of Scope Changes Check | ⚠️ Warning | The pull request includes an unrelated update to the openzeppelin-contracts-upgradeable submodule, which is outside the scope of the targetContract validation objectives defined in [BOOST-5830]. | Please remove or isolate the submodule reference update into a separate pull request to keep this change focused on the targetContract validation enhancements. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title “[BOOST-5830] add targetContract check in action validation” concisely and accurately summarizes the core change to enforce a targetContract filter in action validation without extraneous details or noise. It clearly reflects the main focus of the pull request and will be understandable to other contributors scanning through history. |
| Linked Issues Check | ✅ Passed | The changes to EventAction enforce targetContract matching in actionStep validation, implement a zeroAddress bypass for actionSteps, and do not modify claimant targetContract logic, satisfying all objectives from [BOOST-5830]. |
| Description Check | ✅ Passed | The description provides the required “### Description” section and clearly outlines the added address matching check for logs and function calls along with the zeroAddress bypass behavior, meeting the template’s core requirement for describing the change. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e4120a5 and 081b414.

📒 Files selected for processing (1)
  • .changeset/beige-radios-cry.md (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .changeset/beige-radios-cry.md

@jonathandiep
Warnings
⚠️

Are you sure you want to be submitting a change without including a changeset? If you're just changing docs or tests, you probably don't need to. See the publishing section of the README for more info.

Generated by 🚫 dangerJS against e4120a5

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/sdk/src/Actions/EventAction.ts (1)

1407-1412: LGTM! Address validation is consistent with other methods.

The targetContract validation logic is correctly implemented and consistent with isActionEventValid.

Optional refactor: The address-matching logic appears in three locations (lines 822-828, 1009-1016, and 1407-1412). Consider extracting this into a helper method to reduce duplication and improve maintainability.

Example helper method:

```typescript
private shouldValidateAddress(
  actionStep: ActionStep,
  address: Address | null | undefined,
): boolean {
  if (actionStep.targetContract === zeroAddress) {
    return true; // wildcard - skip validation
  }
  if (!address) {
    return false;
  }
  return isAddressEqual(address, actionStep.targetContract);
}
```

Then use it as:

```typescript
if (!this.shouldValidateAddress(actionStep, log.address)) {
  continue;
}
```

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b36f86d and e4120a5.

📒 Files selected for processing (2)
  • packages/evm/lib/openzeppelin-contracts-upgradeable (1 hunks)
  • packages/sdk/src/Actions/EventAction.ts (3 hunks)
🔇 Additional comments (2)
packages/sdk/src/Actions/EventAction.ts (2)

822-828: LGTM! Correctly implements targetContract validation with wildcard support.

The address-matching logic properly validates that log addresses match the targetContract, with zeroAddress serving as a wildcard to skip the check. The continue statement appropriately filters out non-matching logs.


1009-1016: LGTM! Correctly handles targetContract validation for function calls.

The implementation properly validates transaction.to against targetContract with zeroAddress wildcard support. The null check for transaction.to is good defensive programming.

Note: Contract creation transactions (where transaction.to is null) will fail validation unless targetContract is set to zeroAddress, which is the expected behavior.
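
The address gate discussed in this review, as an added example that is not the SDK's code or part of the original thread: it shows why matching on event signature alone accepts a look-alike event from an unrelated contract. All type and function names are hypothetical, `zeroAddress` and `isAddressEqual` are local stand-ins for the helpers named in the review suggestion, and the sample logs are constructed.

```typescript
// Added example; all names are hypothetical, not the SDK's own code.
type Address = `0x${string}`;
// Local stand-ins for the zeroAddress / isAddressEqual helpers named in the review.
const zeroAddress: Address = "0x0000000000000000000000000000000000000000";
const isAddressEqual = (a: Address, b: Address): boolean =>
  a.toLowerCase() === b.toLowerCase(); // checksum casing is not significant

interface EvmLog { address: Address; topic0: string }
interface ActionStep { targetContract: Address; signature: string }

// One gate for both cases: log.address for events, transaction.to for functions.
function matchesTarget(step: ActionStep, address: Address | null | undefined): boolean {
  if (isAddressEqual(step.targetContract, zeroAddress)) return true; // wildcard
  if (!address) return false; // e.g. contract creation, where `to` is null
  return isAddressEqual(address, step.targetContract);
}

// Event steps: keep only logs with the expected signature AND emitter.
function filterLogs(step: ActionStep, logs: EvmLog[]): EvmLog[] {
  return logs.filter((l) => l.topic0 === step.signature && matchesTarget(step, l.address));
}

// Function steps: the transaction must be sent to the target contract.
function isFunctionStepValid(step: ActionStep, to: Address | null): boolean {
  return matchesTarget(step, to);
}

// Constructed sample data: two contracts emit the same ERC-20 Transfer topic.
const TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const TARGET: Address = "0xAbC0000000000000000000000000000000000001";
const OTHER: Address = "0x2222222222222222222222222222222222222222";
const SAMPLE_LOGS: EvmLog[] = [
  { address: TARGET.toLowerCase() as Address, topic0: TRANSFER },
  { address: OTHER, topic0: TRANSFER }, // same event shape, different emitter
];
const STRICT: ActionStep = { targetContract: TARGET, signature: TRANSFER };
const WILDCARD: ActionStep = { targetContract: zeroAddress, signature: TRANSFER };

console.log(filterLogs(STRICT, SAMPLE_LOGS).length);   // only the target's log
console.log(filterLogs(WILDCARD, SAMPLE_LOGS).length); // both logs
console.log(isFunctionStepValid(STRICT, null));        // creation tx rejected
```

A step configured with `zeroAddress` accepts the event from any emitter, so the wildcard is only appropriate where the emitting contract genuinely does not matter.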

@mmackz mmackz merged commit 6ff3c1c into main Oct 7, 2025
6 checks passed
@mmackz mmackz deleted the matthew/boost-5830-add-target-contract-check-in-actionstep-validation branch October 7, 2025 21:34