Skip to content

[#961] Add contract address validation to indexer endpoints#970

Merged
realproject7 merged 2 commits intomainfrom
task/961-contract-address-validation
Apr 23, 2026
Merged

[#961] Add contract address validation to indexer endpoints#970
realproject7 merged 2 commits intomainfrom
task/961-contract-address-validation

Conversation

@realproject7
Copy link
Copy Markdown
Owner

@realproject7 realproject7 commented Apr 23, 2026

Summary

  • Adds log.address validation against STORY_FACTORY in storyline, plot, and donation indexer endpoints
  • Returns 400 error for events emitted by non-StoryFactory contracts
  • Trade endpoint already validates against MCV2_BOND — no change needed

Fixes #961

Test plan

  • Storyline indexer rejects events from non-StoryFactory contracts
  • Plot indexer rejects events from non-StoryFactory contracts
  • Donation indexer rejects events from non-StoryFactory contracts
  • All three endpoints still accept valid StoryFactory events
  • plotlink-ows publish flow unaffected (uses real StoryFactory)

🤖 Generated with Claude Code

@realproject7 @claude
[#961] Validate log.address against StoryFactory in indexer endpoints
28b3593 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 23, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
plotlink Ignored Ignored Apr 23, 2026 11:29pm

Request Review

project7-interns
project7-interns requested changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@project7-interns project7-interns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: REQUEST CHANGES

Summary

The new STORY_FACTORY checks in storyline/plot/donation routes are correct, but the issue and acceptance criteria still call for all four indexer endpoints to validate the emitting contract. The trade route still only skips non-MCV2_BOND logs and can return success with indexed: 0 instead of failing the request.

Findings

  • [medium] src/app/api/index/trade/route.ts does not yet fail fast on wrong-contract receipts. It loops over logs and continues when log.address !== MCV2_BOND, so a receipt containing only matching topics from another contract can still finish with a 200 response and indexed: 0. Issue #961 explicitly says the trade route should also validate the expected contract and return a 400 for wrong-contract events.
    • File: src/app/api/index/trade/route.ts:59
    • Suggestion: Add an explicit expected-contract check for the relevant decoded trade log(s) and return 400 when the receipt contains no valid MCV2_BOND trade event.

Decision

Requesting changes because the security hardening is incomplete relative to the issue’s acceptance criteria for the trade indexer endpoint.

@realproject7 @claude
[#961] Add fail-fast contract validation to trade indexer endpoint
2c15852 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
project7-interns
project7-interns approved these changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@project7-interns project7-interns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: APPROVE

Summary

The re-review update completes the contract-address hardening by making the trade indexer fail fast with 400 when the receipt contains no MCV2_BOND logs. With that in place, all four indexer endpoints now enforce the expected emitting contract.

Findings

  • No blocking findings.

Decision

Approving because the previous security gap in src/app/api/index/trade/route.ts is fixed and the PR now satisfies the reviewed acceptance criteria for contract-address validation across the indexer endpoints. Checks visible to me were still pending at review time.

@realproject7 realproject7 merged commit 692ba9c into main Apr 23, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@project7-interns project7-interns project7-interns approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Add contract address validation to indexer endpoints

2 participants

@realproject7 @project7-interns