fix(pxe): enforce full field consumption at oracle boundaries #23802
Merged
vezenovm approved these changes Jun 2, 2026
| deserialization: { | ||
| fn: readers => { | ||
| const value = element.deserialization!.fn(readers); | ||
| assertReadersConsumed(readers); |
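Review bot: On the `element.deserialization!.fn(readers)` line, the non-null assertion means an element that has no deserializer fails only at call time with a generic TypeError, in code whose job is to reject malformed input with a clear error. Consider checking `element.deserialization` once, where this wrapper is built, and throwing a descriptive error there. A short comment above `assertReadersConsumed(readers)` saying what this call covers that an outer check does not would also help future readers.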
Contributor
can we elaborate on why we need to assert here and the assert in makeEntry is not enough?
| } | ||
| // Drain the trailing zero-padding (maxLength - length unused element slots) so the storage reader is | ||
| // fully consumed. | ||
| storageReader.skip(storageReader.remainingFields()); |
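Review bot: `storageReader.skip(storageReader.remainingFields())` discards whatever is left in the storage reader, so it cannot distinguish the expected maxLength - length padding slots from a reader holding more fields than that, and it never checks that the skipped fields are zero as the comment describes. Consider skipping exactly maxLength - length so any surplus still reaches the consumption check, and, if the ABI requires zero padding, asserting that the skipped values are zero.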
Contributor
Would be good to have a BoundedVec test where capacity > length, I didn't see one.
Collaborator
Flakey Tests🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry.
danielntmd pushed a commit to danielntmd/aztec-packages that referenced this pull request Jun 4, 2026
BEGIN_COMMIT_OVERRIDE feat(aztec-nr): Add a delivery mode to handshake notes (AztecProtocol#23783) fix(pxe): enforce full field consumption at oracle boundaries (AztecProtocol#23802) chore(ci): Static oracle version check (AztecProtocol#23805) END_COMMIT_OVERRIDE
Problem

The EphemeralArray<T> refactor in #23649 moved deserialization into the oracle registry but dropped the per-row field-consumption check. Extra trailing fields in an ephemeral-array row, and in oracle parameter slots generally, were silently ignored. A malformed oracle input that should be rejected deserialized as if it were well-formed, weakening the oracle ABI.

Fix

Adds assertReadersConsumed and calls it at the two boundaries where each FieldReader wraps exactly one logical value: oracle parameter slots (in makeEntry) and ephemeral-array rows (via a wrapped element in EPHEMERAL_ARRAY). Trailing fields there now throw. Streaming combinators that deliberately under-consume a shared reader keep working: BOUNDED_VEC and OPTION drain their trailing zero-padding so the boundary check sees a fully-consumed reader.
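
The boundary check described above, as an added sketch; it is not code from this pull request or the project. The FieldReader stand-in, readBoundedVec, deserializeBoundedVecSlots and the two-reader BoundedVec layout (storage slots plus a length slot) are assumptions for illustration; only the names assertReadersConsumed, skip and remainingFields appear in the PR.

```typescript
// Minimal stand-in for a field reader (illustrative, not the PXE implementation).
class FieldReader {
  private pos = 0;
  private readonly fields: number[];
  constructor(fields: number[]) {
    this.fields = fields;
  }
  readField(): number {
    const value = this.fields[this.pos];
    if (value === undefined) throw new Error('not enough fields');
    this.pos++;
    return value;
  }
  skip(count: number): void {
    if (count < 0 || count > this.remainingFields()) throw new Error('skip out of range');
    this.pos += count;
  }
  remainingFields(): number {
    return this.fields.length - this.pos;
  }
}

// Boundary check: each reader wraps exactly one logical value, so leftovers mean malformed input.
function assertReadersConsumed(readers: FieldReader[]): void {
  readers.forEach((reader, i) => {
    const left = reader.remainingFields();
    if (left !== 0) throw new Error(`reader ${i}: ${left} trailing field(s)`);
  });
}

// Streaming combinator: reads `length` elements, then drains the unused capacity slots.
function readBoundedVec(storageReader: FieldReader, lengthReader: FieldReader): number[] {
  const length = lengthReader.readField();
  if (length > storageReader.remainingFields()) throw new Error('length exceeds capacity');
  const items: number[] = [];
  for (let i = 0; i < length; i++) items.push(storageReader.readField());
  storageReader.skip(storageReader.remainingFields()); // zero-padding, maxLength - length slots
  return items;
}

// Hypothetical parameter-slot boundary: deserialize one value, then require full consumption.
function deserializeBoundedVecSlots(storage: number[], lengthSlot: number[]): number[] {
  const storageReader = new FieldReader(storage);
  const lengthReader = new FieldReader(lengthSlot);
  const value = readBoundedVec(storageReader, lengthReader);
  assertReadersConsumed([storageReader, lengthReader]);
  return value;
}
```

With constructed input, storage `[7, 8, 0, 0]` and length slot `[2]` (capacity 4, length 2) deserialize to `[7, 8]`, while a length slot of `[2, 99]` is rejected because of the trailing field.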