docs: clarify timestamp precedence governs expiration, not amounts#62
docs: clarify timestamp precedence governs expiration, not amounts#62re1ro wants to merge 1 commit into
Conversation
OverviewThis PR primarily updates documentation to clarify timestamp semantics, emphasizing that timestamp precedence governs the QA & Test CoverageNo issues found in this domain. Web SecuritySkipped: not applicable to this PR — PR is documentation-only with no web-facing code changes Blockchain SecurityNo issues found in this domain. PerformanceNo issues found in this domain. Stats
Automated review by Eco's specialized review team. Architecture, business logic, and correctness remain with the human reviewer. |
The README and docs implied that signed timestamps "order operations across chains," which is misleading. The on-chain behavior in Permit3._processIncreaseOrUpdate is: - amountDelta is applied unconditionally before the timestamp check; each Increase adds and each Decrease subtracts regardless of order. - The timestamp precedence rule (most-recent-wins) governs only the expiration field and the stored timestamp. - Replay protection comes from per-salt non-sequential nonces, not from timestamp ordering. Reword the README "Timestamp Management" section and the related concept/API docs to state this precisely so integrators do not assume cross-chain timestamp ordering serializes balance changes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
c338da3 to
30c97d0
Compare
There was a problem hiding this comment.
Pull request overview
This PR primarily updates the documentation to clarify that signed timestamp precedence governs expiration updates only, and does not serialize/order allowance amount changes; amount deltas apply unconditionally per operation and replay protection is nonce-based. However, the PR also includes Solidity changes that affect EIP-712 hashing for nonce invalidation, which is a behavioral/API change beyond “docs-only”.
Changes:
- Reframed docs/README explanations of timestamp precedence to apply only to
expiration, and clarified unconditional amount deltas + nonce-based replay protection. - Updated cross-chain/security documentation references to avoid implying timestamp-ordered amount updates.
- Modified
hashNoncesToInvalidatehashing logic (and adjusted EIP-712 caching commentary), impacting off-chain signing/proof derivations.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
src/NonceManager.sol |
Changes EIP-712 struct hashing for NoncesToInvalidate (affects signature/proof compatibility). |
src/lib/EIP712.sol |
Updates domain-separator caching commentary and removes unused cached chain-id state. |
README.md |
Clarifies timestamp precedence applies to expiration only; amounts are unconditional; replay is nonce-based. |
docs/concepts/allowance-system.md |
Reframes “Timestamp Management” to explicitly scope precedence to expirations and explain amount/replay behavior. |
docs/concepts/architecture.md |
Renames/clarifies “Timestamp Ordering” as “Timestamp-Ordered Expirations”. |
docs/concepts/cross-chain-operations.md |
Clarifies timestamp precedence in security best practices (but surrounding domain-separation text remains inconsistent). |
docs/api/data-structures.md |
Corrects Allowance.timestamp field description to reflect expiration-only precedence. |
docs/api/events.md |
Updates event interpretation guidance to “expiration precedence” rather than general operation ordering. |
docs/api/api-reference.md |
Updates security bullet to reflect expiration-only precedence + nonce-based replay protection. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ### 4. **Additional Security Best Practices** | ||
| - **Deadline Validation**: Set reasonable deadlines to limit the window of vulnerability | ||
| - **Timestamp Ordering**: Be aware of timestamp-based operation ordering across chains | ||
| - **Timestamp Ordering**: Be aware that timestamp precedence orders `expiration` updates across chains only — amount changes apply unconditionally and replay is prevented by per-salt nonces | ||
| - **Proof Verification**: Ensure proofs correctly link chain-specific permits to the root hash | ||
| - **Witness validation**: When using witness data, ensure proper validation on each chain |
Summary
The README and docs stated that signed timestamps "order operations across chains" and that "most recent timestamp takes precedence in expiration updates." Taken together this is misleading: it suggests cross-chain timestamp ordering also serializes/orders allowance amount changes. It does not.
Verified against
src/Permit3.sol:_processIncreaseOrUpdate(lines ~464-492):amountDeltais applied unconditionally and before the timestamp comparison. The timestamp check (timestamp > allowed.timestamp) only updatesexpirationand the storedtimestamp._decreaseAllowance: subtractsamountDeltaunconditionally, with no timestamp logic at all.So the precise statement is: timestamps order expiration updates, not amount changes.
Files changed
README.md— rewrote the "Timestamp Management" bullets.docs/concepts/allowance-system.md— reframed the Timestamp Management "Purpose"/"Rules" and the "Operation Priority" list; added a note that amounts apply unconditionally and replay is nonce-based.docs/concepts/architecture.md— "Timestamp Ordering" -> "Timestamp-Ordered Expirations".docs/concepts/cross-chain-operations.md— clarified the security-considerations bullet.docs/api/data-structures.md— corrected thetimestampfield description.docs/api/events.md— corrected three operation-ordering references.docs/api/api-reference.md— corrected the "Timestamp Ordering" security bullet.Notes
This is a docs-only change; no
.solsource was modified.🤖 Generated with Claude Code