Skip to content
This repository was archived by the owner on May 11, 2026. It is now read-only.

fix: use funderAddress for POLY_ADDRESS header in Magic wallet flows#339

Open
skyc1e wants to merge 1 commit into
Polymarket:mainfrom
skyc1e:fix/funder-address-header
Open

fix: use funderAddress for POLY_ADDRESS header in Magic wallet flows#339
skyc1e wants to merge 1 commit into
Polymarket:mainfrom
skyc1e:fix/funder-address-header

Conversation

@skyc1e
Copy link
Copy Markdown

@skyc1e skyc1e commented Mar 31, 2026
edited
Loading

Summary

Fixes #248.

When using Magic wallet (POLY_PROXY signature type), the API key is associated with the funderAddress, not the signer address. Currently, createL1Headers and createL2Headers always resolve POLY_ADDRESS from the signer, causing L2 authenticated requests to fail for proxy/Magic wallet users because the server expects the funder address.

Changes

  • Added optional funderAddress parameter to createL1Headers and createL2Headers in src/headers/index.ts
  • Address resolution now uses funderAddress ?? (await getSignerAddress(signer)), preserving backward compatibility for non-proxy wallets
  • Stored the existing funderAddress constructor param as a class property on ClobClient and pass it through to all createL2Headers call sites (29 in client.ts, 11 in rfq-client.ts)
  • Added funderAddress to RfqDeps interface and wired it through the RFQ client
  • Added 4 unit tests covering L1/L2 funderAddress override and fallback behavior

Test plan

  • tsc --noEmit passes
  • All existing + new header tests pass (vitest run tests/headers/)
  • Build succeeds (tsc -p tsconfig.build.json)
  • No new lint errors introduced (pre-existing CRLF warnings unchanged)

Note

Medium Risk
Touches request authentication headers used across many L2 endpoints; a wrong POLY_ADDRESS could break signed requests or affect account attribution, though changes are additive and fallback to signer behavior.

Overview
Fixes proxy/Magic-wallet flows by allowing an optional funderAddress to override POLY_ADDRESS in createL1Headers and createL2Headers, falling back to the signer-derived address when not provided.

Threads this funderAddress through ClobClient into RFQ dependencies and passes it to all createL2Headers call sites so L2-authenticated CLOB/RFQ requests use the expected address. Adds unit tests covering override and fallback behavior for both L1 and L2 headers.

Written by Cursor Bugbot for commit e3a6762. This will update automatically on new commits. Configure here.

@skyc1e
fix: use funderAddress for POLY_ADDRESS header in Magic wallet flows
e3a6762 
When using Magic wallet (POLY_PROXY signature type), the API key is
associated with the funderAddress, not the signer address. This causes
L2 authenticated requests to fail because POLY_ADDRESS is set to the
signer's address instead of the funder's.

Pass the existing funderAddress constructor parameter through to
createL1Headers and createL2Headers so that POLY_ADDRESS uses the
correct address for proxy/Magic wallet users, while falling back to
the signer address for regular wallets.

Closes Polymarket#248
@skyc1e skyc1e requested a review from a team as a code owner March 31, 2026 21:21
cursor[bot]
cursor Bot reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread src/client.ts
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
Copy link
Copy Markdown

@cursor cursor Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

L1 and L2 address headers diverge

Medium Severity

createApiKey and deriveApiKey still call createL1Headers without this.funderAddress, while L2 calls now send this.funderAddress. In proxy/Magic flows this can create credentials under one address and authenticate requests with another, leading to inconsistent auth behavior across src/client.ts.

Additional Locations (1)
Fix in Cursor Fix in Web

Comment thread src/headers/index.ts
ts = timestamp;
}
const address = await getSignerAddress(signer);
const address = funderAddress ?? (await getSignerAddress(signer));
Copy link
Copy Markdown

@cursor cursor Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty funder address overrides signer address

Medium Severity

createL1Headers and createL2Headers treat funderAddress as present when it is an empty string because they use ??. That sets POLY_ADDRESS to "" instead of falling back to getSignerAddress, which can break authentication for integrations that pass blank environment values into funderAddress.

Additional Locations (1)
Fix in Cursor Fix in Web

@hooptiehunnyd
Copy link
Copy Markdown

hooptiehunnyd commented Apr 1, 2026 via email

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@cursor cursor[bot] cursor[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

POLY_ADDRESS header uses signer address instead of funderAddress for Magic wallet (signature type 1)

2 participants

@skyc1e @hooptiehunnyd