Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit f5c8bcc. Configure here.
| takerAmount, | ||
| side, | ||
| signatureType: resolvedSignatureType, | ||
| timestamp: timestamp ?? Date.now().toString(), |
There was a problem hiding this comment.
Default timestamp uses milliseconds instead of seconds
High Severity
The default timestamp value uses Date.now().toString(), which returns milliseconds since epoch. In blockchain contexts, timestamps are in seconds (block.timestamp is unix seconds). The sibling expiration field is explicitly documented as "unix seconds, '0' = no expiration", strongly indicating timestamp is also expected in seconds. A millisecond value will be ~1000x too large, causing incorrect order timestamps and likely on-chain validation failures.
Reviewed by Cursor Bugbot for commit f5c8bcc. Configure here.
| @@ -0,0 +1,21 @@ | |||
| // V2 Exchange constants | |||
| // Domain name is shared with V1; only the version changes. | |||
| export const PROTOCOL_NAME_V2 = 'Polymarket CTF Exchange'; | |||
There was a problem hiding this comment.
Exported PROTOCOL_NAME_V2 constant is never used
Low Severity
PROTOCOL_NAME_V2 is exported but never imported or referenced anywhere in the codebase. The V2 builder imports PROTOCOL_NAME from the V1 constants file instead. The comment notes the domain name is shared with V1, making this constant redundant with the identically-valued PROTOCOL_NAME. Having both creates a maintenance risk where they could diverge unintentionally.
Reviewed by Cursor Bugbot for commit f5c8bcc. Configure here.
2 participants
Note
Medium Risk
Introduces new EIP-712 v2 order types and signing flow, including special-casing signer validation for
POLY_DEPOSIT_WALLET, which can affect correctness of order signing/hashing. Risk is moderate because it touches cryptographic signing inputs but is additive and doesn’t modify the existing v1 builder.Overview
Adds a new v2 order-building API via
ExchangeOrderBuilderV2, includingOrderV2/SignedOrderV2models, v2 EIP-712 struct/constants, and exports fromindex.ts.The v2 typed-data payload updates the signed fields (adds
timestamp/metadata/builder, and keepsexpirationas an API-only field not included in the EIP-712 message), and extendsSignatureTypewithPOLY_DEPOSIT_WALLETwhile relaxing the “signer must match signer.getAddress()” check for that signature type.Reviewed by Cursor Bugbot for commit f5c8bcc. Bugbot is set up for automated code reviews on this repo. Configure here.