Skip to content

feat: allow AdminWithdrawManager to specify to address#1441

Open
mrice32 wants to merge 1 commit into
taylor/counterfactual-route-policyfrom
matt/withdraw-to-address
Open

feat: allow AdminWithdrawManager to specify to address#1441
mrice32 wants to merge 1 commit into
taylor/counterfactual-route-policyfrom
matt/withdraw-to-address

Conversation

@mrice32

@mrice32 mrice32 commented May 25, 2026

Copy link
Copy Markdown
Contributor

Summary

  • directWithdraw: new to parameter — the admin (typically multisig) can withdraw to any address
  • signedWithdraw: to hardcoded to cloneArgs.userAddress — signer can never redirect funds
  • WithdrawImplementation: user path always overrides to to userAddress, regardless of what's passed in submitterData

Test plan

  • testDirectWithdrawSendsToUserAddress — direct withdraw to user still works
  • testDirectWithdrawToArbitraryAddress — admin can send to non-user address
  • testSignedWithdrawSendsToUserAddress — signed path always lands at user
  • testSignerCannotRedirectFunds — compromised signer cannot redirect
  • testUserToIsAlwaysOverridden — user passes different to, funds still go to userAddress
  • testAdminCanWithdrawToArbitraryAddress — impl-level test for arbitrary admin to

🤖 Generated with Claude Code

- directWithdraw: new `to` parameter, unrestricted (admin/multisig controls destination)
- signedWithdraw: `to` hardcoded to `cloneArgs.userAddress` (signer cannot redirect)
- WithdrawImplementation: user path always overrides `to` to `userAddress`

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f4b24ae0a4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

if (msg.sender != admin && msg.sender != userAddress) revert Unauthorized();

(address token, uint256 amount) = abi.decode(submitterData, (address, uint256));
(address token, uint256 amount, address to) = abi.decode(submitterData, (address, uint256, address));

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Accept legacy withdraw payloads without to

execute now always decodes submitterData as (address token, uint256 amount, address to), which breaks callers still sending the previous two-field payload (token, amount). In that case the call reverts during abi.decode before the user-recipient override runs, so existing user self-withdraw calldata generated by older clients will fail until every integration is updated. Consider supporting both encodings (or defaulting to = userAddress when omitted) to avoid this backward-compatibility regression.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant