32 changes: 32 additions & 0 deletions src/client.ts
Expand Up @@ -171,6 +171,7 @@ export class ClobClient {
readonly retryOnError?: boolean;

readonly throwOnError: boolean;
readonly funderAddress?: string;

private tickSizeTimestamps: Record<string, number>;

Expand Down Expand Up @@ -217,6 +218,7 @@ export class ClobClient {
this.useServerTime = useServerTime;
this.retryOnError = retryOnError;
this.throwOnError = throwOnError ?? false;
this.funderAddress = funderAddress;
if (builderConfig !== undefined) {
this.builderConfig = builderConfig;
}
Expand All @@ -227,6 +229,7 @@ export class ClobClient {
creds: this.creds,
useServerTime: this.useServerTime,
geoBlockToken: this.geoBlockToken,
funderAddress: this.funderAddress,
userType: this.orderBuilder.signatureType,
getServerTime: this.getServerTime.bind(this),
getTickSize: this.getTickSize.bind(this),
Expand Down Expand Up @@ -505,6 +508,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
L1 and L2 address headers diverge

Medium Severity

createApiKey and deriveApiKey still call createL1Headers without this.funderAddress, while L2 calls now send this.funderAddress. In proxy/Magic flows this can create credentials under one address and authenticate requests with another, leading to inconsistent auth behavior across src/client.ts.

Additional Locations (1)

);

return this.get(`${this.host}${endpoint}`, { headers });
Expand All @@ -524,6 +528,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.get(`${this.host}${endpoint}`, { headers });
Expand All @@ -543,6 +548,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.del(`${this.host}${endpoint}`, { headers });
Expand All @@ -566,6 +572,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.post(`${this.host}${endpoint}`, { headers });
Expand All @@ -585,6 +592,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.get(`${this.host}${endpoint}`, { headers });
Expand All @@ -611,6 +619,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.del(`${this.host}${endpoint}`, { headers, data: payload });
Expand Down Expand Up @@ -642,6 +651,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

// builders flow
Expand Down Expand Up @@ -673,6 +683,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

let results: Trade[] = [];
Expand Down Expand Up @@ -709,6 +720,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

next_cursor = next_cursor || INITIAL_CURSOR;
Expand Down Expand Up @@ -783,6 +795,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.get(`${this.host}${endpoint}`, {
Expand All @@ -805,6 +818,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.del(`${this.host}${endpoint}`, {
Expand All @@ -829,6 +843,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

const _params = {
Expand All @@ -853,6 +868,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

const _params = {
Expand Down Expand Up @@ -968,6 +984,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

// builders flow
Expand Down Expand Up @@ -1023,6 +1040,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

// builders flow
Expand Down Expand Up @@ -1069,6 +1087,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

// builders flow
Expand Down Expand Up @@ -1099,6 +1118,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);
return this.del(`${this.host}${endpoint}`, { headers, data: payload });
}
Expand All @@ -1117,6 +1137,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);
return this.del(`${this.host}${endpoint}`, { headers, data: ordersHashes });
}
Expand All @@ -1134,6 +1155,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);
return this.del(`${this.host}${endpoint}`, { headers });
}
Expand Down Expand Up @@ -1165,6 +1187,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.post(`${this.host}${endpoint}`, { headers, data: serialized });
Expand All @@ -1184,6 +1207,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
l2HeaderArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);
return this.del(`${this.host}${endpoint}`, { headers, data: payload });
}
Expand All @@ -1202,6 +1226,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.get(`${this.host}${endpoint}`, { headers, params });
Expand All @@ -1223,6 +1248,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.post(`${this.host}${endpoint}`, {
Expand All @@ -1246,6 +1272,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

let results: UserEarning[] = [];
Expand Down Expand Up @@ -1281,6 +1308,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

const params = {
Expand Down Expand Up @@ -1313,6 +1341,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

let results: UserRewardsEarning[] = [];
Expand Down Expand Up @@ -1351,6 +1380,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

const _params = {
Expand Down Expand Up @@ -1426,6 +1456,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.post(`${this.host}${endpoint}`, { headers });
Expand All @@ -1445,6 +1476,7 @@ export class ClobClient {
this.creds as ApiKeyCreds,
headerArgs,
this.useServerTime ? await this.getServerTime() : undefined,
this.funderAddress,
);

return this.get(`${this.host}${endpoint}`, { headers });
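Review bot: The new `readonly funderAddress?: string;` field carries no doc comment, although it decides which address every authenticated request presents as POLY_ADDRESS. I would add `/** Address sent as POLY_ADDRESS in auth headers in place of the signer's own address; when unset, the signer's address is used. */` above it, which matches the `funderAddress ?? (await getSignerAddress(signer))` fallback in src/headers/index.ts. The same trailing `this.funderAddress,` argument is also added by hand at every one of what appear to be the createL2Headers call sites here and in src/rfq-client.ts. A call site added later that omits it would silently authenticate under the signer address instead, so one private helper that builds the L2 headers would keep that identity choice in a single place. The opening of each call and the constructor signature lie outside the hunks shown, so the helper's exact parameters need confirming against the full file.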
6 changes: 4 additions & 2 deletions src/headers/index.ts
Expand Up @@ -16,6 +16,7 @@ export const createL1Headers = async (
chainId: Chain,
nonce?: number,
timestamp?: number,
funderAddress?: string,
): Promise<L1PolyHeader> => {
let ts = Math.floor(Date.now() / 1000);
if (timestamp !== undefined) {
Expand All @@ -27,7 +28,7 @@ export const createL1Headers = async (
}

const sig = await buildClobEip712Signature(signer, chainId, ts, n);
const address = await getSignerAddress(signer);
const address = funderAddress ?? (await getSignerAddress(signer));

const headers = {
POLY_ADDRESS: address,
Expand All @@ -43,12 +44,13 @@ export const createL2Headers = async (
creds: ApiKeyCreds,
l2HeaderArgs: L2HeaderArgs,
timestamp?: number,
funderAddress?: string,
): Promise<L2PolyHeader> => {
let ts = Math.floor(Date.now() / 1000);
if (timestamp !== undefined) {
ts = timestamp;
}
const address = await getSignerAddress(signer);
const address = funderAddress ?? (await getSignerAddress(signer));
Empty funder address overrides signer address

Medium Severity

createL1Headers and createL2Headers treat funderAddress as present when it is an empty string because they use ??. That sets POLY_ADDRESS to "" instead of falling back to getSignerAddress, which can break authentication for integrations that pass blank environment values into funderAddress.

Additional Locations (1)


const sig = await buildPolyHmacSignature(
creds.secret,
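Review bot: In `createL1Headers` the signature is still produced by `buildClobEip712Signature(signer, chainId, ts, n)`, which is not given the override, so POLY_ADDRESS can now name an address other than the one the signing key controls. Whether the signed payload includes the signer's own address is not visible in this hunk, and the same question applies to the HMAC built from `creds.secret` in `createL2Headers`, whose remaining arguments are cut off. Nothing on the client side ties `funderAddress` to `signer`, so the server alone has to check that the signing key is authorised for the claimed address. That assumption should be written down next to the assignment, for example `// POLY_ADDRESS may differ from the signer's address; the signature is produced by signer alone, so the server must verify signer is authorised for this address`. Both function bodies continue outside the hunks shown.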
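--- a/src/rfq-client.ts
+++ b/src/rfq-client.ts
@@ -137,6 +137,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.post(`${this.deps.host}${endpoint}`, { headers, data: payload });
@@ -160,6 +161,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.del(`${this.deps.host}${endpoint}`, { headers, data: request });
@@ -182,6 +184,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 const query = buildRepeatedQuery(params);
@@ -267,6 +270,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.post(`${this.deps.host}${endpoint}`, { headers, data: quoteWithUserType });
@@ -290,6 +294,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 const query = buildRepeatedQuery(params);
@@ -318,6 +323,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 const query = buildRepeatedQuery(params);
@@ -344,6 +350,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.get(`${this.deps.host}${endpoint}`, { headers, params });
@@ -367,6 +374,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.del(`${this.deps.host}${endpoint}`, { headers, data: quote });
@@ -389,6 +397,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.get(`${this.deps.host}${endpoint}`, { headers });
@@ -457,6 +466,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.post(`${this.deps.host}${endpoint}`, { headers, data: acceptPayload });
@@ -523,6 +533,7 @@ export class RfqClient implements IRfqClient {
 this.deps.creds as ApiKeyCreds,
 l2HeaderArgs,
 this.deps.useServerTime ? await this.deps.getServerTime() : undefined,
+this.deps.funderAddress,
 );
 
 return this.deps.post(`${this.deps.host}${endpoint}`, { headers, data: approvePayload });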
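--- a/src/rfq-deps.ts
+++ b/src/rfq-deps.ts
@@ -35,6 +35,7 @@ export interface RfqDeps {
 useServerTime?: boolean;
 
 geoBlockToken?: string;
+funderAddress?: string;
 
 /**
 * Numeric user type (backed by SignatureType in the order builder).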