fix: reject placeholder bridge recipients before posting by fairlighteth · Pull Request #7622 · cowprotocol/cowswap

fairlighteth · 2026-06-06T09:03:37Z

What changed

Extracted the existing swap-flow placeholder bridge recipient check into a shared trade-flow guard.
Reused that guard before posting/signing in swap, EthFlow, Safe approval bundle, and Safe ETH bundle flows.

Why

Non-EVM bridge placeholder recipients are valid only for quote fetching before the user enters a real destination.
Those placeholders must never reach order posting, even if UI validation is bypassed or a stale quote path calls a posting flow directly.
This keeps the PR scoped to the DeepSec bridge-recipient posting-path finding; quote freshness/signability work is left out of this PR.

Validation

pnpm agents:check
CI covers the usual lint, typecheck, and test gates.

vercel · 2026-06-06T09:03:41Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cowfi	Building	Preview	Jun 17, 2026 4:05pm
explorer-dev	Ready	Preview	Jun 17, 2026 4:05pm
storybook	Ready	Preview	Jun 17, 2026 4:05pm
swap-dev	Ready	Preview	Jun 17, 2026 4:05pm
widget-configurator	Ready	Preview	Jun 17, 2026 4:05pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
cosmos	Ignored		Jun 17, 2026 4:05pm
sdk-tools	Ignored	Preview	Jun 17, 2026 4:05pm

cloudflare-workers-and-pages · 2026-06-06T09:13:30Z

Deploying explorer-dev with Cloudflare Pages

Latest commit:	`53328cd`
Status:	✅ Deploy successful!
Preview URL:	https://7911bbc7.explorer-dev-dxz.pages.dev
Branch Preview URL:	https://deepsec-medium-06-quote-sign.explorer-dev-dxz.pages.dev

View logs

cloudflare-workers-and-pages · 2026-06-06T09:17:35Z

Deploying swap-dev with Cloudflare Pages

Latest commit:	`1e45a58`
Status:	✅ Deploy successful!
Preview URL:	https://59c74e5e.swap-dev-5u6.pages.dev
Branch Preview URL:	https://deepsec-medium-06-quote-sign.swap-dev-5u6.pages.dev

View logs

- keep a quote non-signable when the latest optimal fetch failed - add a regression for fast-success then optimal-error state

- ignore same-cycle fast errors once an optimal quote is active - add a regression for optimal-success then fast-error ordering

- Share the existing placeholder recipient guard across trade posting paths - Remove the broader quote freshness changes from this PR Refs #7622

Refs #7622

fairlighteth · 2026-06-17T16:06:43Z

Superseded by #7670 after renaming the head branch to deepsec/medium-06-bridge-recipient-guard.

docs: open quote and signing consistency plan

fa6ed11

vercel Bot deployed to Preview – storybook June 6, 2026 09:04 View deployment

vercel Bot deployed to Preview – widget-configurator June 6, 2026 09:04 View deployment

vercel Bot deployed to Preview – explorer-dev June 6, 2026 09:05 View deployment

vercel Bot deployed to Preview – cowfi June 6, 2026 09:06 View deployment

vercel Bot deployed to Preview – swap-dev June 6, 2026 09:06 View deployment

fairlighteth added the Security label Jun 6, 2026

fairlighteth self-assigned this Jun 6, 2026

fix: block stale quotes and invalid recipients

d1a4025

vercel Bot deployed to Preview – storybook June 6, 2026 12:03 View deployment

vercel Bot deployed to Preview – widget-configurator June 6, 2026 12:04 View deployment

vercel Bot deployed to Preview – explorer-dev June 6, 2026 12:04 View deployment

vercel Bot deployed to Preview – cowfi June 6, 2026 12:05 View deployment

vercel Bot deployed to Preview – swap-dev June 6, 2026 12:05 View deployment

fix: block fast quotes from reopening optimal signing

553468f

- keep a quote non-signable when the latest optimal fetch failed - add a regression for fast-success then optimal-error state

vercel Bot deployed to Preview – storybook June 7, 2026 08:31 View deployment

vercel Bot deployed to Preview – widget-configurator June 7, 2026 08:31 View deployment

vercel Bot deployed to Preview – explorer-dev June 7, 2026 08:32 View deployment

vercel Bot deployed to Preview – cowfi June 7, 2026 08:32 View deployment

vercel Bot deployed to Preview – swap-dev June 7, 2026 08:33 View deployment

fix: preserve optimal quotes after late fast failures

9196a13

- ignore same-cycle fast errors once an optimal quote is active - add a regression for optimal-success then fast-error ordering

vercel Bot deployed to Preview – storybook June 7, 2026 08:40 View deployment

vercel Bot deployed to Preview – widget-configurator June 7, 2026 08:40 View deployment

vercel Bot deployed to Preview – explorer-dev June 7, 2026 08:41 View deployment

vercel Bot deployed to Preview – cowfi June 7, 2026 08:41 View deployment

vercel Bot deployed to Preview – swap-dev June 7, 2026 08:42 View deployment

fairlighteth marked this pull request as ready for review June 8, 2026 08:10

vercel Bot deployed to Preview – widget-configurator June 17, 2026 09:06 View deployment

vercel Bot deployed to Preview – cowfi June 17, 2026 09:07 View deployment

Merge branch 'develop' into deepsec/medium-06-quote-signing-consistency

a4d69f9

vercel Bot deployed to Preview – storybook June 17, 2026 09:30 View deployment

vercel Bot deployed to Preview – widget-configurator June 17, 2026 09:31 View deployment

vercel Bot deployed to Preview – cowfi June 17, 2026 09:31 View deployment

fairlighteth added 2 commits June 17, 2026 15:54

fix: resolve trade quote lint failures

1e45a58

Merge branch 'develop' into deepsec/medium-06-quote-signing-consistency

d6cb82e

fairlighteth requested review from alfetopito and shoom3301 June 17, 2026 14:56

vercel Bot deployed to Preview – storybook June 17, 2026 14:56 View deployment

vercel Bot deployed to Preview – widget-configurator June 17, 2026 14:56 View deployment

vercel Bot deployed to Preview – cowfi June 17, 2026 14:57 View deployment

This comment was marked as outdated.

Sign in to view

fairlighteth marked this pull request as draft June 17, 2026 15:58

fix: guard bridge placeholders in posting flows

53328cd

- Share the existing placeholder recipient guard across trade posting paths - Remove the broader quote freshness changes from this PR Refs #7622

cowprotocol deleted a comment from coderabbitai Bot Jun 17, 2026

fairlighteth changed the title ~~fix: block stale quotes and invalid bridge recipients~~ fix: reject placeholder bridge recipients before posting Jun 17, 2026

vercel Bot deployed to Preview – storybook June 17, 2026 16:02 View deployment

vercel Bot deployed to Preview – widget-configurator June 17, 2026 16:03 View deployment

vercel Bot deployed to Preview – cowfi June 17, 2026 16:03 View deployment

docs: preserve bridge placeholder guard rationale

7bd687b

Refs #7622

vercel Bot deployed to Preview – storybook June 17, 2026 16:04 View deployment

vercel Bot deployed to Preview – widget-configurator June 17, 2026 16:05 View deployment

fairlighteth closed this Jun 17, 2026

fairlighteth deleted the deepsec/medium-06-quote-signing-consistency branch June 17, 2026 16:05

cowprotocol deleted a comment from coderabbitai Bot Jun 17, 2026

github-actions Bot locked and limited conversation to collaborators Jun 17, 2026

vercel Bot deployed to Preview – cowfi June 17, 2026 16:05 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: reject placeholder bridge recipients before posting#7622

fix: reject placeholder bridge recipients before posting#7622
fairlighteth wants to merge 11 commits into
developfrom
deepsec/medium-06-quote-signing-consistency

fairlighteth commented Jun 6, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Jun 6, 2026 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented Jun 6, 2026 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented Jun 6, 2026 •

edited

Loading

Uh oh!

This comment was marked as outdated.

Uh oh!

fairlighteth commented Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

fairlighteth commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What changed

Why

Validation

Uh oh!

vercel Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cloudflare-workers-and-pages Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying explorer-dev with Cloudflare Pages

Uh oh!

cloudflare-workers-and-pages Bot commented Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying swap-dev with Cloudflare Pages

Uh oh!

This comment was marked as outdated.

Uh oh!

fairlighteth commented Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

fairlighteth commented Jun 6, 2026 •

edited

Loading

vercel Bot commented Jun 6, 2026 •

edited

Loading

cloudflare-workers-and-pages Bot commented Jun 6, 2026 •

edited

Loading

cloudflare-workers-and-pages Bot commented Jun 6, 2026 •

edited

Loading