Allow mixed case hex when validating erc20 token addresses #8127

Open
jeffsmale90 wants to merge 1 commit into main from fix/erc20-token-address-validation
@jeffsmale90 jeffsmale90 commented Mar 6, 2026

Explanation

Previously we used the isHexAddress function to validate the erc20 token address. This function expects the input value to be in lowercase hex.

Now this uses isHexChecksumAddress, which ensures a 20-byte hex value but allows mixed case.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Updates token address validation for ERC20 stream/periodic permission decoding, which can change which permissions are accepted as valid. Risk is limited to input validation logic but affects permission gating behavior.

Overview
ERC20 stream and periodic permission decoding now accepts mixed-case token addresses. The erc20-token-stream and erc20-token-periodic rules switch address validation from isHexAddress to isHexChecksumAddress, relaxing the prior lowercase-only requirement while still enforcing a 20-byte hex address.

Tests are extended in both rule suites to assert successful decoding when the tokenAddress in terms is mixed-case (case-insensitive match on decoded output).

Written by Cursor Bugbot for commit b2107ce. This will update automatically on new commits.

@jeffsmale90 jeffsmale90 requested a review from a team as a code owner March 6, 2026 09:20
@jeffsmale90 jeffsmale90 enabled auto-merge March 6, 2026 09:20
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

const startTime = hexToNumber(startTimeRaw);

if (!isHexAddress(tokenAddress)) {
if (!isHexChecksumAddress(tokenAddress)) {
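Review bot: The guard on tokenAddress does not say which casings it accepts, and the name isHexChecksumAddress reads as EIP-55 enforcement while the PR description says it only ensures a 20-byte hex value and allows mixed case. Since this check gates which permissions decode as valid, add a short comment at the call stating the accepted forms, and add tests that pin three inputs: an all-lowercase address, a correctly checksummed address, and a mixed-case address whose casing does not match its checksum. The description mentions a new mixed-case test; the lowercase and wrong-checksum cases should be asserted explicitly as well.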
Checksum validation rejects valid lowercase token addresses

High Severity

Replacing isHexAddress with isHexChecksumAddress will reject valid lowercase token addresses. EIP-55 checksum validation requires a specific mixed-case pattern derived from the keccak256 hash — it does not simply "allow mixed case." All-lowercase addresses like 0xcccccccccccccccccccccccccccccccccccccccc (used in the existing unchanged "successfully decodes" test) are not valid EIP-55 checksum addresses and will now be rejected, breaking existing functionality. The splitHex utility preserves the original casing from encoded terms, so lowercase-encoded addresses will fail this stricter check.

Additional Locations (1)
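The thread turns on whether the new check is a shape check that tolerates any casing or a strict EIP-55 checksum check. As an added example (not the project's code; the validator names are hypothetical and the Keccak-256 is a compact single-block implementation written for this illustration), the three behaviours side by side:

```javascript
// Added illustration: validator names are hypothetical, not the project's utilities.
const MASK = (1n << 64n) - 1n;
const rol = (a, n) => ((a << BigInt(n % 64)) | (a >> BigInt(64 - (n % 64)))) & MASK;

// Keccak-f[1600] permutation over 25 BigInt lanes (index x + 5*y), in place.
function keccakF(s) {
  let R = 1;
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
    for (let i = 0; i < 25; i++) s[i] ^= C[((i % 5) + 4) % 5] ^ rol(C[((i % 5) + 1) % 5], 1);
    let x = 1, y = 0, cur = s[1];
    for (let t = 0; t < 24; t++) {
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, s[x + 5 * y]] = [s[x + 5 * y], rol(cur, ((t + 1) * (t + 2)) / 2)];
    }
    for (let row = 0; row < 25; row += 5) {
      const T = s.slice(row, row + 5);
      for (let k = 0; k < 5; k++) s[row + k] = T[k] ^ (~T[(k + 1) % 5] & T[(k + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) {
      R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256;
      if (R & 2) s[0] ^= 1n << ((1n << BigInt(j)) - 1n);
    }
  }
}

// Keccak-256 (pad byte 0x01) of an ASCII string as hex; single block, input < 136 bytes.
function keccak256Hex(ascii) {
  const bytes = new Uint8Array(200);
  for (let i = 0; i < ascii.length; i++) bytes[i] = ascii.charCodeAt(i);
  bytes[ascii.length] ^= 0x01;
  bytes[135] ^= 0x80;
  const s = Array.from({ length: 25 }, (_, i) => {
    let lane = 0n;
    for (let b = 7; b >= 0; b--) lane = (lane << 8n) | BigInt(bytes[8 * i + b]);
    return lane;
  });
  keccakF(s);
  const le = (l) => l.toString(16).padStart(16, '0').match(/../g).reverse().join('');
  return s.slice(0, 4).map(le).join('');
}

// EIP-55: uppercase hex letter i when nibble i of keccak256(lowercase address) is >= 8.
function toEip55(addr) {
  const lower = addr.slice(2).toLowerCase(), hash = keccak256Hex(lower);
  return '0x' + [...lower].map((c, i) => (parseInt(hash[i], 16) >= 8 ? c.toUpperCase() : c)).join('');
}
const lowercaseHex = (a) => /^0x[0-9a-f]{40}$/.test(a); // lowercase-only shape check
const anyCaseHex = (a) => /^0x[0-9a-fA-F]{40}$/.test(a); // 20-byte hex, any casing
const strictEip55 = (a) => anyCaseHex(a) && toEip55(a) === a; // casing must match the hash
```

Feeding the same three inputs (all-lowercase, correctly checksummed, wrongly cased) to the project's real isHexChecksumAddress in a unit test shows which of these behaviours it implements.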
