
(audit 6.1.2) CatapultarFactory allows _saltPrefix() collisions #20

Open

reednaa wants to merge 2 commits into ts-library from refine-factory-salt

Conversation


@reednaa reednaa commented Apr 13, 2026

Refine factory salt computation

Replaces the ownerInSalt modifier and _saltPrefix branching logic in both CatapultarFactory and CatapultarFactoryTron with a unified _salt(preSalt, ktp, owner) function.

Why: The old _saltPrefix had a collision vulnerability (audit 6.1.2) — an attacker could register an ECDSAOrSmartContract owner whose raw value matched the hash-derived prefix of a victim's P256/WebAuthn key, front-running their deployment and bricking the address.

What changed:

  • _salt now hashes all inputs together: keccak256(preSalt ‖ ktp ‖ numOwners ‖ owners...), making cross-key-type collisions computationally infeasible
  • preSalt is included so different user-provided salts always yield different addresses
  • TooManyOwners guard added (>255 owners reverts)
  • Stale SaltDoesNotStartWith revert tests removed; new tests added covering salt encoding correctness and the TooManyOwners path

Summary by CodeRabbit

Release Notes

  • New Features

    • Enhanced account deployment with multiple key types (ECDSA, P256, WebAuthn P256).
    • Added execution validator (CATValidator) for constrained asset transaction approval.
    • Introduced multi-chain account deployment support and Tron network compatibility.
    • New TypeScript SDK for simplified account interactions.
  • Documentation

    • Comprehensive smart account architecture documentation.
  • Tests

    • Expanded test coverage across both packages with gas snapshots.
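
To make the audit 6.1.2 finding and the fix above concrete, here is an added example that is not the project's code. It models the pre-fix prefix branching and the unified _salt(preSalt, ktp, owner) described in the PR body, with hashlib.sha3_256 standing in for keccak256. The key-type numbering, the 20-byte prefix width, the old salt layout and the one-byte encoding of ktp and numOwners are assumptions, so the addresses it produces will not match the real contract; what it shows is the property the fix restores: two different owner registrations no longer share a salt once the key type and owner count are part of the hashed preimage, preSalt changes the address, and more than 255 owners is rejected.

```python
"""Model of the CatapultarFactory salt change (added example, not project code).
hashlib.sha3_256 stands in for keccak256: the collision and domain-separation
argument depends only on what enters the preimage, not on which 32-byte hash.
"""
import hashlib
from enum import IntEnum

ADDR_LEN = 20  # an ECDSA/smart-contract owner is an EVM address


class Ktp(IntEnum):
    """Key-type discriminator. The numeric values are an assumption."""
    ECDSA_OR_SMART_CONTRACT = 0
    P256 = 1
    WEBAUTHN_P256 = 2


class TooManyOwners(ValueError):
    """Mirrors the TooManyOwners revert the PR adds (>255 owners)."""


def h(data: bytes) -> bytes:
    # keccak256 stand-in (see module docstring).
    return hashlib.sha3_256(data).digest()


def old_salt_prefix(ktp: Ktp, owner: bytes) -> bytes:
    """Hypothetical reconstruction of the pre-fix _saltPrefix branching.

    An ECDSA/smart-contract owner contributes its raw address bytes; a
    P256/WebAuthn key contributes an address-sized slice of its hash. Both
    branches emit the same width with no key-type tag, so an address equal to
    the hash-derived slice yields the same prefix (the audit 6.1.2 finding).
    """
    if ktp == Ktp.ECDSA_OR_SMART_CONTRACT:
        if len(owner) != ADDR_LEN:
            raise ValueError("ECDSA owner must be a 20-byte address")
        return owner
    return h(owner)[:ADDR_LEN]


def old_salt(ktp: Ktp, owner: bytes, user_salt: bytes) -> bytes:
    # Assumed layout: 20-byte prefix followed by 12 user-chosen bytes = bytes32.
    return old_salt_prefix(ktp, owner) + user_salt[:12].ljust(12, b"\x00")


def new_salt(pre_salt: bytes, ktp: Ktp, owners: list[bytes]) -> bytes:
    """Unified _salt as described in the PR body:
    hash(preSalt || ktp || numOwners || owners...). ktp and numOwners are
    single bytes here (assumption); a one-byte count is why more than 255
    owners must revert instead of wrapping.
    """
    if len(owners) > 255:
        raise TooManyOwners(len(owners))
    preimage = pre_salt + bytes([int(ktp), len(owners)]) + b"".join(owners)
    return h(preimage)


def create2_address(deployer: bytes, salt: bytes, init_code_hash: bytes) -> bytes:
    # EIP-1014 layout: hash(0xff || deployer || salt || initCodeHash)[12:].
    return h(b"\xff" + deployer + salt + init_code_hash)[12:]


def salt_collision_check() -> dict:
    """Regression-style check: does a P256 registration and an ECDSA owner equal
    to its hash-derived prefix land on one address? Old scheme yes, new scheme no."""
    factory = b"\xfa" * ADDR_LEN                        # constructed deployer
    init_code_hash = h(b"constructed clone initcode")    # constructed
    user_salt = bytes(12)
    victim_p256_key = b"\x11" * 32 + b"\x22" * 32        # constructed x || y

    # The audit 6.1.2 input: an ECDSA owner equal to the victim's old prefix.
    colliding_owner = old_salt_prefix(Ktp.P256, victim_p256_key)

    old_victim = create2_address(factory, old_salt(Ktp.P256, victim_p256_key, user_salt), init_code_hash)
    old_other = create2_address(factory, old_salt(Ktp.ECDSA_OR_SMART_CONTRACT, colliding_owner, user_salt), init_code_hash)

    pre_salt = bytes(32)
    new_victim = create2_address(factory, new_salt(pre_salt, Ktp.P256, [victim_p256_key]), init_code_hash)
    new_other = create2_address(factory, new_salt(pre_salt, Ktp.ECDSA_OR_SMART_CONTRACT, [colliding_owner]), init_code_hash)
    # Same owner set under a different preSalt must also move the address.
    new_victim_alt = create2_address(factory, new_salt(b"\x01" + bytes(31), Ktp.P256, [victim_p256_key]), init_code_hash)

    try:
        new_salt(pre_salt, Ktp.ECDSA_OR_SMART_CONTRACT, [bytes(ADDR_LEN)] * 256)
        too_many_rejected = False
    except TooManyOwners:
        too_many_rejected = True

    return {
        "old_same_address": old_victim == old_other,
        "new_same_address": new_victim == new_other,
        "new_presalt_changes_address": new_victim != new_victim_alt,
        "too_many_owners_rejected": too_many_rejected,
    }


if __name__ == "__main__":
    for name, value in salt_collision_check().items():
        print(f"{name}: {value}")
```

Running the module prints the four properties; the first is True only under the old scheme, which is exactly the behaviour the unified hash removes. The ktp byte and the owner-count byte act as domain separators: even if an attacker can choose an ECDSA owner freely, the preimage for a P256 registration starts with a different tag and a different owner length, so no raw owner value can reproduce it.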

@reednaa reednaa changed the title (audit 6.1.2) Refine factory salt (audit 6.1.2) CatapultarFactory allows _saltPrefix() collisions Apr 13, 2026
coderabbitai bot commented Apr 13, 2026

Caution: Review failed. Failed to post review comments.

Walkthrough

Major refactor introducing Catapultar v0.1.0 smart account architecture. Reorganizes Solidity into solidity/ subdirectory with new factory/validator/executor contracts, KeyedOwnable ownership model, and execution constraints. Adds comprehensive TypeScript SDK in typescript/ directory with account management, transaction builders, and Tron deployment support. Updates CI/CD workflows and includes extensive documentation and test coverage.

Changes

Cohort / File(s) / Summary

  • CI/CD Workflows
    Files: .github/workflows/bun-test.yml, .github/workflows/forge-test.yml, .github/workflows/test.yml
    Replaces monolithic test workflow with separate Bun and Forge workflows, each with dedicated coverage reporting to Codecov.
  • Repository Configuration
    Files: .gitignore, .gitmodules, .wake/extension/*
    Updates ignore patterns for coverage/lock files, reorganizes git submodules under solidity/lib/, removes Wake extension state.
  • Documentation & Guidelines
    Files: AGENTS.md, README.md, solidity/README.md
    Adds contributor guidelines for monorepo structure and build commands. Restructures main README; adds comprehensive solidity architecture docs.
  • Solidity Core Contracts
    Files: solidity/src/Catapultar.sol, solidity/src/CatapultarFactory.sol, solidity/src/CatapultarFactory.tron.sol
    Refactors Catapultar to use KeyedOwnable (multi-key type support), adds deterministic factory with three deployment modes, includes Tron-specific variant.
  • Solidity Supporting Contracts
    Files: solidity/src/CATValidator.sol, solidity/src/CallProxy.sol, solidity/src/libs/IntentExecutor.sol
    New validator for constrained asset execution with EIP-712 approval, proxy for call forwarding, permissionless multi-call executor with sweeping.
  • Solidity Key Infrastructure
    Files: solidity/src/libs/KeyedOwnable.sol, solidity/src/libs/LibExecutionConstraint.sol, solidity/src/libs/LibCloneTron.sol
    Introduces multi-key-type ownership (ECDSA/P256/WebAuthn), execution constraint structs/hashing, Tron-specific CREATE2 address derivation.
  • Solidity Scripts & Deployment
    Files: solidity/script/deploy.s.sol, solidity/script/setupanvil.s.sol, solidity/script/tron/deploy-catapultar.ts, solidity/deployments/tron.json
    Multi-chain deployment script with account creation, Anvil setup with mock tokens, Tron-specific TypeScript deployment tool with address recording.
  • Solidity Configuration & Remappings
    Files: solidity/foundry.toml, solidity/remappings.txt, solidity/script/multichain.s.sol
    Adds Tron profile to Foundry config with specific compiler settings, updates library remappings for new structure, fixes Script import paths.
  • Solidity Test Snapshots
    Files: solidity/snapshots/Catapultar*.json, solidity/snapshots/CatapultarFactory*.json
    Records gas snapshots for factory deployments and account transactions across minimal/upgradeable variants and Tron tests.
  • Solidity Unit Tests - Core
    Files: solidity/test/Catapultar/*.t.sol, solidity/test/CatapultarFactory.t.sol, solidity/test/Integration.t.sol
    Tests for account initialization with keyed ownership, factory deployment determinism, integration with validator and assets.
  • Solidity Unit Tests - Libraries
    Files: solidity/test/libs/*.t.sol, solidity/test/helpers/*.t.sol
    Comprehensive coverage for KeyedOwnable multi-key validation, IntentExecutor sweeping, CallProxy forwarding, CATValidator constraints.
  • Solidity Tron Tests
    Files: solidity/test/Tron/Catapultar/*.tron.t.sol, solidity/test/Tron/CatapultarFactory.tron.t.sol
    Tron-specific deployment and factory tests using LibCloneTron, including minimal and upgradeable variants.
  • Solidity Deleted Files
    Files: src/CatapultarFactory.sol, script/deploy.s.sol, lib/forge-std, remappings.txt, snapshots/*.json, test/CatapultarFactory.t.sol
    Removes old root-level factory, deployment script, and tests; migrates to solidity/ structure with updated architecture.
  • TypeScript SDK Package Setup
    Files: typescript/package.json, typescript/tsconfig*.json, typescript/.gitignore, typescript/LICENSE, typescript/.husky/pre-commit
    Configures Bun-based package with ESM exports, TypeScript build, pre-commit linting/testing, LGPL-3.0 license.
  • TypeScript README & Documentation
    Files: typescript/README.md, typescript/src/global.d.ts
    Documents library purpose, exported classes, RPC-less defaults, Actionables pattern, CAT constraints, directory layout.
  • TypeScript Core Account Logic
    Files: typescript/src/catapultar/account.ts, typescript/src/catapultar/account.spec.ts
    Implements deterministic account prediction, deployment with multi-key support, RPC-driven nonce/owner/signature validation, account interaction helpers.
  • TypeScript Transaction Builders
    Files: typescript/src/catapultar/catapultar.ts, typescript/src/catapultar/catapultar.spec.ts, typescript/src/transaction/transaction.ts, typescript/src/transaction/transaction.spec.ts
    Provides CatapultarTx for batched calls, MetaCatapultarTx for nested batches, BaseTransaction for low-level encoding with digest embedding.
  • TypeScript Constrained Assets
    Files: typescript/src/transaction/constrainedtransaction.ts, typescript/src/transaction/constrainedtransaction.spec.ts
    Builder for CAT flows with allowances/outcomes, validator integration, refund support.
  • TypeScript Types & Configuration
    Files: typescript/src/types/types.ts, typescript/src/config.ts, typescript/src/index.ts
    Defines ExecutionMode/AccountPublicKeyType enums, Call/Calls/ExecutionConstraint types, factory/template address constants, main package exports.
  • TypeScript ABIs
    Files: typescript/src/abi/*.ts
    Exported ABI constants for Catapultar (v0.0.1/v0.1.0), Factory (v0.0.1/v0.1.0), CATValidator, MockERC20.
  • TypeScript Utilities
    Files: typescript/src/utils/helpers.ts, typescript/src/utils/helpers.spec.ts, typescript/src/utils/signature.ts, typescript/src/utils/viem.ts
    Hex padding/conversion helpers, salt address validation, signature compact/full conversion, Viem chain ID resolution.
  • TypeScript Test Infrastructure
    Files: typescript/test/setup.ts
    Prool-based Anvil server provisioning with fixed port/RPC URL, test lifecycle management.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Factory as CatapultarFactory
    participant Clone as Catapultar (Clone)
    participant Owner as KeyedOwnable
    participant Validator as CATValidator
    participant Token as ERC20

    User->>Factory: deploy(ktp, owner[], salt)
    Factory->>Clone: CREATE2 (deterministic)
    activate Clone
    Factory->>Clone: init(ktp, owner[])
    Clone->>Owner: _transferOwnership(ktp, owner[])
    Owner->>Owner: store owner in keyed slots
    deactivate Clone
    Factory-->>User: address payable proxy

    User->>Clone: execute(calls)
    activate Clone
    Clone->>Clone: validateOpData(opData)
    Clone->>Clone: _execute(calls)
    deactivate Clone

    User->>Validator: entry(target, payload, account, nonce, allowances, outcomes, sig)
    activate Validator
    Validator->>Validator: _checkNonce(account, nonce)
    Validator->>Validator: _validateApproval(digest, sig)
    Validator->>Validator: _handleAllowances(allowances)
    Validator->>Token: transferFrom(source, dest, amount)
    Validator->>Validator: _call(target, payload)
    Validator->>Validator: _compareOutcomes(outcomes)
    deactivate Validator

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

This pull request introduces substantial new architecture across three domains (CI/CD, Solidity contracts, TypeScript SDK) with high-density logic including multi-signature verification schemes (ECDSA/P256/WebAuthn), deterministic CREATE2 deployments with complex salt encoding, execution constraint validation with EIP-712 hashing, and a comprehensive transaction builder API. The changes span 100+ new files with interconnected dependencies requiring careful review of cryptographic implementations, contract state management, and SDK API design.

Possibly related PRs

  • Provide an option for wrapping eth #13 — Introduces the same CI workflow refactor (bun-test.yml, forge-test.yml) replacing the monolithic test.yml, aligning Catapultar repository workflow structure.
  • feat(intent factory): add executor contract #14 — Adds IntentExecutor contract and supporting test infrastructure for multi-call execution with sweeping, directly related to the solidity/src/libs/IntentExecutor.sol additions.
  • Tron version #16 — Implements Tron network support including LibCloneTron and CatapultarFactoryTron variants, directly related to the Tron-specific deployment infrastructure in this PR.

Suggested reviewers

  • mirooon

Poem

🐰 From root to solidity we hop,
TypeScript builds where smart contracts pop,
Keys of P256 and ECDSA blend,
Factory deploys on which we depend,
Validator guards our asset flow,
Catapultar launches—watch it go! 🚀


@reednaa reednaa changed the base branch from main to ts-library April 13, 2026 12:54
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.82%. Comparing base (3630cee) to head (be1ea97).

Additional details and impacted files
@@             Coverage Diff             @@
##           ts-library      #20   +/-   ##
===========================================
  Coverage       95.82%   95.82%           
===========================================
  Files              14       14           
  Lines            2446     2446           
===========================================
  Hits             2344     2344           
  Misses            102      102           

