Skip to content

Update gas station SDK with post audit contracts #1089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 13, 2025
Merged

Update gas station SDK with post audit contracts #1089

merged 5 commits into from
Nov 13, 2025
+117 −121

Conversation

@Bijan-Massoumi
Copy link
Contributor

@Bijan-Massoumi Bijan-Massoumi commented Nov 11, 2025

Summary & Motivation

Updated the @turnkey/gas-station SDK to align with the audited smart contract changes. The audit resulted in several interface updates:

Contract Changes:

  1. New contract addresses: Updated both delegate and execution contract addresses to the newly deployed versions
  2. ABI updates: New ABI with function additions/removals (handled separately)
  3. EIP-712 field name changes: The canonical delegate contract interface uses simplified field names (to, value, data) instead of the previous descriptive names (outputContract, ethAmount, arguments)

SDK Updates:

  1. Updated DEFAULT_EXECUTION_CONTRACT address from 0x4ece92b06C7d2d99d87f052E0Fca47Fb180c3348 to 0x00000000008c57a1CE37836a5e9d36759D070d8c
  2. Updated DEFAULT_DELEGATE_CONTRACT address from 0xC2a37Ee08cAc3778d9d05FF0a93FD5B553C77E3a to 0x000066a00056CD44008768E2aF00696e19A30084
  3. Updated EIP-712 Execution typehash field names to match the contract's canonical interface
  4. Updated EIP-712 ApproveThenExecute typehash field names to match the contract's canonical interface
  5. Updated Turnkey policy conditions in buildIntentSigningPolicy to reference the new field names (to, value instead of outputContract, ethAmount)
  6. Updated documentation and examples to reflect the new field names

Files Modified:

  • packages/gas-station/src/config.ts - Updated contract addresses
  • packages/gas-station/src/intentBuilder.ts - Updated EIP-712 type definitions and message objects
  • packages/gas-station/src/policyUtils.ts - Updated policy condition field references and documentation

How I Tested These Changes

Unit Tests:
Ran the comprehensive policy enforcement test suite (npm run test:policies) which validates:

  1. Layer 1: EOA Intent Signing Policy

    • ✓ Policies correctly allow EOA to sign USDC transfer intents with new EIP-712 field names
    • ✓ Policies correctly block unauthorized DAI transfers (not in policy)
    • ✓ Dynamic policy updates work correctly with new field names

  2. Layer 2: Paymaster Execution Policy

    • ✓ Paymaster can sign USDC executions within policy limits
    • ✓ Paymaster correctly blocked from signing DAI executions (not in policy)
    • ✓ Paymaster correctly blocked when ETH amount exceeds policy limit (2 ETH > 1 ETH max)

  3. Layer 3: Multi-Approval Consensus

    • ✓ Multi-signature consensus enforcement works correctly with updated field names

Result: All 7 tests passed (28.9s runtime), confirming:

  • EIP-712 signatures are correctly generated with new field names
  • Turnkey policies properly evaluate conditions against the new eth.eip_712.message['to'] and eth.eip_712.message['value'] fields
  • Policy enforcement works as expected at both the signing and execution layers

Did you add a changeset?

yes

@Bijan-Massoumi Bijan-Massoumi changed the title Update gas station contract addresses and modify intent builder types… Update gas station SDK with post audit contracts Nov 11, 2025
@codesandbox-ci
Copy link

codesandbox-ci bot commented Nov 11, 2025
edited
Loading

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 9997e60:

Sandbox Source
@turnkey/example-react-components Configuration

andrewkmin
andrewkmin reviewed Nov 11, 2025
View reviewed changes
andrewkmin
andrewkmin reviewed Nov 13, 2025
View reviewed changes
Copy link
Collaborator

@andrewkmin andrewkmin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

double checking a few things:

want to confirm that these arguments / param names are still correct:

sdk/packages/gas-station/src/policyUtils.ts

Lines 272 to 274 in 632d53c

// Check output contract address using ABI parsing
// Turnkey parses execute(address _targetEoA, address _to, uint256 ethAmount, bytes _data)
// and exposes arguments via eth.tx.contract_call_args

sdk/packages/gas-station/src/policyUtils.ts

Lines 201 to 205 in 632d53c

* "(eth.tx.contract_call_args['_to'] == '0x833...usdc' || " +
* "eth.tx.contract_call_args['_to'] == '0x6b1...dai') && " +
* "(eth.tx.contract_call_args['_targetEoA'] == '0xali...ce' || " +
* "eth.tx.contract_call_args['_targetEoA'] == '0xbob...by') && " +
* "eth.tx.contract_call_args['ethAmount'] <= 100000000000000000 && " +

very small nit: I see that several examples contain dummy IDs like the following:

sdk/packages/gas-station/src/policyUtils.ts

Lines 51 to 53 in 632d53c

* organizationId: "org-123",
* eoaUserId: "user-456",
* additionalApprovers: ["backup-user-789"],

I'd recommend altering these such that it's more clear that these are UUIDs, not tags/simple strings

packages/gas-station/README.md
@@ -1,7 +1,5 @@
# Turnkey Gas Station SDK

> **⚠️ BETA WARNING**: This SDK is currently in beta. The underlying smart contracts are **unaudited** and should not be used in production environments. Use at your own risk.
Copy link
Collaborator

@andrewkmin andrewkmin Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹

packages/gas-station/src/abi/gas-station.ts
type: "function",
},
{
inputs: [
Copy link
Collaborator

@andrewkmin andrewkmin Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we make explicit note of this somewhere? or no need given this wasn't really being used in the first place?

ngmihodl
ngmihodl previously approved these changes Nov 13, 2025
View reviewed changes
@Bijan-Massoumi
Update gas station SDK to reflect audited contract changes, including…
9997e60 
… new contract addresses and EIP-712 field name adjustments. Modify related documentation and examples for consistency.
@Bijan-Massoumi Bijan-Massoumi merged commit a1fa36b into main Nov 13, 2025
4 checks passed
@Bijan-Massoumi Bijan-Massoumi deleted the update-gas-station-sdk-post-audit branch November 13, 2025 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkmin andrewkmin andrewkmin left review comments

@ngmihodl ngmihodl ngmihodl approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Bijan-Massoumi @andrewkmin @ngmihodl