SmartDropLabs · prodbycorne · Jun 27, 2026 · Jun 24, 2026
diff --git a/src/lib/error-handler.ts b/src/lib/error-handler.ts
@@ -174,6 +174,30 @@ export class ValidationError extends SmartDropError {
   }
 }
 
+/**
+ * Security-sensitive transaction validation errors.
+ */
+export class SecurityError extends SmartDropError {
+  readonly code = "SECURITY_ERROR";
+  readonly isTransient = false;
+  readonly isCritical = true;
+
+  constructor(message: string, originalError?: Error) {
+    super(message, originalError);
+    Object.setPrototypeOf(this, SecurityError.prototype);
+  }
+
+  readonly userMessage = this.message;
+
+  getLogContext() {
+    return {
+      ...super.getLogContext(),
+      errorType: "SecurityError",
+      isSigningSafetyIssue: true,
+    };
+  }
+}
+
 /**
  * Configuration errors (missing env vars, invalid config).
  */
@@ -248,6 +272,19 @@ export function normalizeError(error: unknown, context?: string): SmartDropError
       return new FreighterError("FREIGHTER_UNKNOWN", error.message, error);
     }
 
+    // Security/signing-safety errors
+    if (
+      msg.includes("security") ||
+      msg.includes("signing was blocked") ||
+      msg.includes("authorization entry") ||
+      msg.includes("unexpected auth") ||
+      msg.includes("simulation auth") ||
+      msg.includes("simulated authorization")
+    ) {
+      return new SecurityError(error.message, error);
+    }
+
+
     // RPC errors
     if (msg.includes("timeout") || msg.includes("timed out")) {
       return new RPCError("RPC_TIMEOUT", error.message, error);

diff --git a/src/lib/soroban.auth.test.ts b/src/lib/soroban.auth.test.ts
@@ -0,0 +1,69 @@
+import { describe, expect, it } from 'vitest';
+import { Address, type xdr } from '@stellar/stellar-sdk';
+import { SecurityError } from './error-handler';
+import { validateSimulationAuth } from './soroban';
+
+describe('validateSimulationAuth', () => {
+  const contractId = 'CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSC4';
+
+  it('throws SecurityError when simulation includes an extra unexpected auth entry', () => {
+    const unexpectedAuthEntry = {} as xdr.SorobanAuthorizationEntry;
+
+    const simResult = {
+      result: {
+        auth: [unexpectedAuthEntry, unexpectedAuthEntry],
+      },
+    };
+
+    expect(() =>
+      validateSimulationAuth(simResult, [
+        {
+          contractId,
+          functionName: 'unlock_assets',
+        },
+      ]),
+    ).toThrow(SecurityError);
+  });
+
+  it('throws SecurityError when expected root auth includes nested sub-invocations', () => {
+    const authEntry = {
+      credentials: () => ({}),
+      rootInvocation: () => ({
+        function: () => ({
+          switch: () => 'contract',
+          contractFn: () => ({
+            contractAddress: () => Address.fromString(contractId).toScAddress(),
+            functionName: () => 'unlock_assets',
+          }),
+        }),
+        subInvocations: () => [
+          {
+            function: () => ({
+              switch: () => 'contract',
+              contractFn: () => ({
+                contractAddress: () => Address.fromString(contractId).toScAddress(),
+                functionName: () => 'malicious_call',
+              }),
+            }),
+            subInvocations: () => [],
+          },
+        ],
+      }),
+    } as xdr.SorobanAuthorizationEntry;
+
+    const simResult = {
+      result: {
+        auth: [authEntry],
+      },
+    };
+
+    expect(() =>
+      validateSimulationAuth(simResult, [
+        {
+          contractId,
+          functionName: 'unlock_assets',
+        },
+      ]),
+    ).toThrow(SecurityError);
+  });
+});