@agirails/sdk 2.0.1-beta → 2.0.2

package/src/protocol/EASHelper.ts

@@ -1,6 +1,11 @@
-import { Contract, Signer, AbiCoder, zeroPadValue } from 'ethers';
+import { AbiCoder, Signer } from 'ethers';
+import { EAS } from '@ethereum-attestation-service/eas-sdk';
 import { DeliveryProof } from '../types';
 import { deliveryProofDataFromProof } from '../types/eip712';
+import {
+  IUsedAttestationTracker,
+  InMemoryUsedAttestationTracker
+} from '../utils/UsedAttestationTracker';
 
 export interface EASConfig {
   contractAddress: string;
@@ -15,18 +20,65 @@ export interface AttestationResponse {
 /**
  * EASHelper - utility wrapper for Ethereum Attestation Service interactions
  */
-const EAS_ABI = [
-  'event Attested(address indexed attester, bytes32 indexed uid, bytes32 indexed schema)',
-  'function attest(tuple(bytes32 schema, tuple(address recipient, uint64 expirationTime, bool revocable, bytes32 refUID, bytes data) data) request) external returns (bytes32)',
-  'function revoke(tuple(bytes32 schema, bytes32 uid) request) external returns (bytes32)',
-  'function getAttestation(bytes32 uid) external view returns (tuple(bytes32 uid, bytes32 schema, address recipient, address attester, uint64 time, uint64 expirationTime, bool revocable, bytes32 refUID, bytes data, uint32 bump))'
-];
-
 export class EASHelper {
-  private readonly eas: Contract;
+  private readonly eas: EAS;
+  private readonly attestationTracker: IUsedAttestationTracker;
 
-  constructor(signer: Signer, private readonly config: EASConfig) {
-    this.eas = new Contract(config.contractAddress, EAS_ABI, signer);
+  /**
+   * Create EASHelper instance
+   *
+   * @param signer - Ethers signer for signing attestations
+   * @param config - EAS configuration
+   * @param attestationTracker - Optional tracker for replay attack prevention (C-1 fix)
+   *
+   * SECURITY FIX (NEW-M-2): Validates schema UID format in constructor
+   */
+  constructor(
+    signer: Signer,
+    private readonly config: EASConfig,
+    attestationTracker?: IUsedAttestationTracker
+  ) {
+    // SECURITY FIX (NEW-M-2): Validate schema UID format
+    if (!config.deliveryProofSchemaId || !/^0x[a-fA-F0-9]{64}$/.test(config.deliveryProofSchemaId)) {
+      throw new Error(
+        `Invalid deliveryProofSchemaId: must be bytes32 hex string (0x...). ` +
+        `Got: ${config.deliveryProofSchemaId}`
+      );
+    }
+
+    if (config.deliveryProofSchemaId === '0x0000000000000000000000000000000000000000000000000000000000000000') {
+      throw new Error('deliveryProofSchemaId cannot be zero bytes32');
+    }
+
+    // Use official EAS SDK wrapper to ensure ABI correctness across deployments
+    // (includes fields like revocationTime that are required for security checks).
+    this.eas = new EAS(config.contractAddress);
+    this.eas.connect(signer as any);
+    // SECURITY FIX (C-1): Use provided tracker or create new in-memory one
+    if (!attestationTracker) {
+      // SECURITY WARNING (HIGH-5): In-memory tracker does not persist across restarts!
+      // For production use, provide a FileBasedUsedAttestationTracker with a stateDirectory:
+      //
+      //   import { FileBasedUsedAttestationTracker } from '../utils/UsedAttestationTracker';
+      //   const tracker = new FileBasedUsedAttestationTracker('/path/to/state');
+      //   const easHelper = new EASHelper(signer, config, tracker);
+      //
+      // Without persistence, attestation replay protection is lost on process restart,
+      // allowing potential double-spend attacks.
+      console.warn(
+        '[SECURITY WARNING] EASHelper: Using in-memory attestation tracker. ' +
+        'Replay protection will be lost on process restart. ' +
+        'For production, provide FileBasedUsedAttestationTracker for persistence.'
+      );
+    }
+    this.attestationTracker = attestationTracker || new InMemoryUsedAttestationTracker();
+  }
+
+  /**
+   * Get the attestation tracker for external use
+   */
+  getAttestationTracker(): IUsedAttestationTracker {
+    return this.attestationTracker;
   }
 
   /**
@@ -57,31 +109,26 @@ export class EASHelper {
       schema: this.config.deliveryProofSchemaId,
       data: {
         recipient,
-        expirationTime,
+        expirationTime: BigInt(expirationTime),
         revocable,
         refUID: proof.txId,
-        data: encodedData
+        data: encodedData,
+        // For Base EAS, value is typically 0. Keep explicit to avoid ambiguity.
+        value: 0n
       }
     });
 
-    const receipt = await tx.wait();
-    // ethers v6: events → logs, and logs are parsed differently
-    const attestedLog = receipt?.logs?.find((log: any) => {
-      try {
-        const parsed = this.eas.interface.parseLog(log);
-        return parsed?.name === 'Attested';
-      } catch {
-        return false;
-      }
-    });
-
-    const uid = attestedLog
-      ? this.eas.interface.parseLog(attestedLog)?.args?.uid
-      : zeroPadValue('0x00', 32);
+    const uid = await tx.wait();
+    if (!uid || !/^0x[a-fA-F0-9]{64}$/.test(uid)) {
+      throw new Error(`Failed to obtain attestation UID from EAS transaction. Got: ${String(uid)}`);
+    }
+    if (uid === '0x0000000000000000000000000000000000000000000000000000000000000000') {
+      throw new Error('EAS returned zero UID for attestation (unexpected).');
+    }
 
     return {
       uid,
-      transactionHash: receipt.transactionHash
+      transactionHash: tx.tx.hash
     };
   }
 
@@ -89,18 +136,24 @@ export class EASHelper {
    * Revoke a previously issued attestation by UID.
    */
   async revokeAttestation(uid: string): Promise<string> {
+    if (!uid || !/^0x[a-fA-F0-9]{64}$/.test(uid)) {
+      throw new Error(`Invalid attestation UID format: ${uid}`);
+    }
     const tx = await this.eas.revoke({
       schema: this.config.deliveryProofSchemaId,
-      uid
+      data: { uid }
     });
-    const receipt = await tx.wait();
-    return receipt.transactionHash;
+    await tx.wait();
+    return tx.tx.hash;
   }
 
   /**
    * Fetch attestation data from the EAS contract.
    */
   async getAttestation(uid: string) {
+    if (!uid || !/^0x[a-fA-F0-9]{64}$/.test(uid)) {
+      throw new Error(`Invalid attestation UID format: ${uid}`);
+    }
     return await this.eas.getAttestation(uid);
   }
 
@@ -125,6 +178,13 @@ export class EASHelper {
     txId: string,
     attestationUID: string
   ): Promise<boolean> {
+    if (!txId || !/^0x[a-fA-F0-9]{64}$/.test(txId)) {
+      throw new Error(`Invalid txId format (expected bytes32): ${txId}`);
+    }
+    if (!attestationUID || !/^0x[a-fA-F0-9]{64}$/.test(attestationUID)) {
+      throw new Error(`Invalid attestationUID format (expected bytes32): ${attestationUID}`);
+    }
+
     // 1. Fetch attestation from EAS contract
     const attestation = await this.eas.getAttestation(attestationUID);
 
@@ -145,53 +205,177 @@ export class EASHelper {
     // 4. Check revocation - EAS uses revocationTime field (not revoked boolean)
     // revocationTime = 0 means not revoked
     // revocationTime > 0 means revoked at that timestamp
-    // NOTE: attestation.revoked field does NOT exist! (see genetic-memory.md)
-    const isRevoked = attestation.revocationTime > 0n;
+    const revocationTime = BigInt((attestation as any).revocationTime ?? 0);
+    const isRevoked = revocationTime > 0n;
+
     if (isRevoked) {
       throw new Error(
-        `Attestation has been revoked: ${attestationUID} (revoked at timestamp ${attestation.revocationTime})`
+        `Attestation has been revoked: ${attestationUID} (revoked at timestamp ${revocationTime})`
       );
     }
 
     // 5. Check expiration
     // expirationTime = 0 means no expiration
     // expirationTime > 0 means expires at that timestamp
-    if (attestation.expirationTime > 0n) {
+    const expirationTime = BigInt((attestation as any).expirationTime ?? 0);
+    if (expirationTime > 0n) {
       const now = Math.floor(Date.now() / 1000);
-      if (Number(attestation.expirationTime) < now) {
+      if (Number(expirationTime) < now) {
         throw new Error(
-          `Attestation has expired: ${attestationUID} (expired at ${attestation.expirationTime})`
+          `Attestation has expired: ${attestationUID} (expired at ${expirationTime})`
         );
       }
     }
 
     // 6. Decode attestation data to extract txId
-    // Schema: bytes32 txId, bytes32 contentHash, uint256 timestamp, string deliveryUrl, uint256 size, string mimeType
-    let attestedTxId: string;
+    let attestedTxId: string = '';
+
     try {
       const abiCoder = AbiCoder.defaultAbiCoder();
-      const decoded = abiCoder.decode(
-        ['bytes32', 'bytes32', 'uint256', 'string', 'uint256', 'string'],
-        attestation.data
-      );
-      attestedTxId = decoded[0]; // First field is txId
+      const rawData: string = (attestation as any).data;
+
+      // Prefer AIP-6 decoding (current DX Playground schema)
+      // - Official AIP-6: bytes32 txId,string resultCID,bytes32 resultHash,uint256 deliveredAt
+      // - Test schema:    + uint256 testTimestamp
+      try {
+        const decoded = abiCoder.decode(
+          ['bytes32', 'string', 'bytes32', 'uint256', 'uint256'],
+          rawData
+        );
+        attestedTxId = decoded[0];
+        const resultCID: string = decoded[1];
+        const resultHash: string = decoded[2];
+        const deliveredAt: bigint = decoded[3];
+
+        if (!attestedTxId || !/^0x[a-fA-F0-9]{64}$/.test(attestedTxId)) {
+          throw new Error(`Decoded txId is not valid bytes32: ${attestedTxId}`);
+        }
+        if (typeof resultCID !== 'string' || resultCID.length === 0 || resultCID.length > 2048) {
+          throw new Error(`Decoded resultCID invalid length: ${resultCID?.length}`);
+        }
+        if (!resultHash || !/^0x[a-fA-F0-9]{64}$/.test(resultHash)) {
+          throw new Error(`Decoded resultHash is not valid bytes32: ${resultHash}`);
+        }
+        const now = BigInt(Math.floor(Date.now() / 1000));
+        if (deliveredAt > now + 86400n) {
+          throw new Error(`Decoded deliveredAt is in far future: ${deliveredAt.toString()}`);
+        }
+      } catch (_e) {
+        // Fallback: official AIP-6 schema without testTimestamp
+        try {
+          const decoded = abiCoder.decode(
+            ['bytes32', 'string', 'bytes32', 'uint256'],
+            rawData
+          );
+          attestedTxId = decoded[0];
+          const resultCID: string = decoded[1];
+          const resultHash: string = decoded[2];
+          const deliveredAt: bigint = decoded[3];
+
+          if (!attestedTxId || !/^0x[a-fA-F0-9]{64}$/.test(attestedTxId)) {
+            throw new Error(`Decoded txId is not valid bytes32: ${attestedTxId}`);
+          }
+          if (typeof resultCID !== 'string' || resultCID.length === 0 || resultCID.length > 2048) {
+            throw new Error(`Decoded resultCID invalid length: ${resultCID?.length}`);
+          }
+          if (!resultHash || !/^0x[a-fA-F0-9]{64}$/.test(resultHash)) {
+            throw new Error(`Decoded resultHash is not valid bytes32: ${resultHash}`);
+          }
+          const now = BigInt(Math.floor(Date.now() / 1000));
+          if (deliveredAt > now + 86400n) {
+            throw new Error(`Decoded deliveredAt is in far future: ${deliveredAt.toString()}`);
+          }
+        } catch (__e) {
+          // Final fallback: legacy AIP-4 schema
+          // Schema: bytes32 txId, bytes32 contentHash, uint256 timestamp, string deliveryUrl, uint256 size, string mimeType
+          const decoded = abiCoder.decode(
+            ['bytes32', 'bytes32', 'uint256', 'string', 'uint256', 'string'],
+            rawData
+          );
+          attestedTxId = decoded[0];
+          const contentHash: string = decoded[1];
+          const timestamp: bigint = decoded[2];
+          const deliveryUrl: string = decoded[3];
+          const size: bigint = decoded[4];
+          const mimeType: string = decoded[5];
+
+          if (!attestedTxId || !/^0x[a-fA-F0-9]{64}$/.test(attestedTxId)) {
+            throw new Error(`Decoded txId is not valid bytes32: ${attestedTxId}`);
+          }
+          if (!contentHash || !/^0x[a-fA-F0-9]{64}$/.test(contentHash)) {
+            throw new Error(`Decoded contentHash is not valid bytes32: ${contentHash}`);
+          }
+          const now = BigInt(Math.floor(Date.now() / 1000));
+          if (timestamp > now + 86400n) {
+            throw new Error(`Decoded timestamp is in far future: ${timestamp.toString()}`);
+          }
+          if (typeof deliveryUrl !== 'string' || deliveryUrl.length > 2048) {
+            throw new Error('Decoded deliveryUrl too long');
+          }
+          if (size < 0n) {
+            throw new Error(`Decoded size is negative: ${size}`);
+          }
+          if (typeof mimeType !== 'string' || mimeType.length > 256) {
+            throw new Error('Decoded mimeType too long');
+          }
+        }
+      }
+
     } catch (error: any) {
       throw new Error(
         `Attestation data format mismatch: cannot decode attestation ${attestationUID}. ` +
-        `Expected AIP-4 delivery proof schema format. ` +
+        `Expected AIP-6 (preferred) or AIP-4 (legacy) delivery proof schema format. ` +
         `Original error: ${error.message}`
       );
     }
 
     // 7. Verify attestation txId matches expected transaction ID
-    if (attestedTxId !== txId) {
+    if (attestedTxId.toLowerCase() !== txId.toLowerCase()) {
       throw new Error(
         `Attestation txId mismatch: expected ${txId}, got ${attestedTxId}. ` +
         `Provider may be attempting to use attestation from different transaction!`
       );
     }
 
+    // SECURITY FIX (C-1): Check if attestation has been used for a different transaction
+    if (!this.attestationTracker.isValidForTransaction(attestationUID, txId)) {
+      const usedFor = this.attestationTracker.getUsageForAttestation(attestationUID);
+      throw new Error(
+        `Attestation replay attack detected: attestation ${attestationUID} ` +
+        `was already used for transaction ${usedFor}. ` +
+        `Cannot reuse for transaction ${txId}.`
+      );
+    }
+
+    // Record this attestation as used for this transaction
+    const recorded = await this.attestationTracker.recordUsage(attestationUID, txId);
+    if (!recorded) {
+      const usedFor = this.attestationTracker.getUsageForAttestation(attestationUID);
+      throw new Error(
+        `Attestation replay attack detected: attestation ${attestationUID} ` +
+          `was already used for transaction ${usedFor}. Cannot reuse for ${txId}.`
+      );
+    }
+
     // All checks passed
     return true;
   }
+
+  /**
+   * Verify attestation for escrow release with mandatory replay protection
+   *
+   * SECURITY FIX (C-4): This method MUST be called before releaseEscrow()
+   * to prevent attestation replay attacks.
+   *
+   * @param txId - Expected transaction ID (bytes32)
+   * @param attestationUID - Attestation UID to verify (bytes32)
+   * @throws Error if verification fails or replay attack detected
+   */
+  async verifyAndRecordForRelease(
+    txId: string,
+    attestationUID: string
+  ): Promise<void> {
+    // Verify the attestation
+    await this.verifyDeliveryAttestation(txId, attestationUID);
+  }
 }

package/src/protocol/EscrowVault.ts

@@ -20,15 +20,19 @@ interface GasOptions {
 /**
  * EscrowVault - Escrow contract wrapper
  *
- * IMPORTANT: Per AIP-3 specification, escrow creation happens atomically
- * inside ACTPKernel.linkEscrow(). This module provides read-only access
- * to escrow state and helper methods for USDC approvals.
+ * IMPORTANT:
+ * - Escrow creation happens atomically inside `ACTPKernel.linkEscrow()`.
+ * - Payout/refund functions are `onlyKernel` on-chain and MUST NOT be called by users.
+ *
+ * This module provides:
+ * - Helper methods for USDC approvals (requester → EscrowVault allowance)
+ * - Read-only access to escrow state (`escrows()` / `remaining()`)
  *
  * Workflow (per AIP-3):
  * 1. Consumer approves USDC to EscrowVault address (use approveToken)
  * 2. Consumer calls ACTPKernel.linkEscrow(txId, escrowVault, escrowId)
- * 3. Kernel internally calls EscrowVault.createEscrow() (onlyKernel modifier)
- * 4. Escrow pulls USDC from consumer and auto-transitions to COMMITTED
+ * 3. Kernel internally calls IEscrowValidator.createEscrow(escrowId, requester, provider, amount)
+ * 4. Escrow pulls USDC from requester
  *
  * Reference: AIP-3 §3.2 (Escrow Linking Workflow), lines 258-336
  */
@@ -52,7 +56,6 @@ export class EscrowVault {
    */
   private getGasBufferMultiplier(operation: string): number {
     const buffers: Record<string, number> = {
-      'releaseEscrow': 1.30,     // 30% - Multi-recipient disbursement
       'approveToken': 1.20       // 20% - Standard ERC20 approval
     };
 
@@ -62,12 +65,35 @@ export class EscrowVault {
   /**
    * Build transaction options with gas settings and estimated gas
    * V6 Enhancement: Dynamic buffer based on operation type
+   *
+   * SECURITY FIX (NEW-C-1): Gas estimation manipulation attack protection
+   * - Enforces minimum gas floor regardless of estimate
+   * - Uses safe BigInt arithmetic with overflow detection
    */
   private buildTxOptions(estimatedGas: bigint, operation: string = 'default'): any {
+    // SECURITY FIX (NEW-C-1): Minimum gas floor to prevent manipulation
+    // Malicious contracts could return artificially low gas estimates
+    const MIN_GAS_FLOOR = 100000n;
+    const safeEstimate = estimatedGas > MIN_GAS_FLOOR ? estimatedGas : MIN_GAS_FLOOR;
+
     const bufferMultiplier = this.getGasBufferMultiplier(operation);
 
+    // SECURITY FIX (NEW-H-1): Safe BigInt arithmetic with overflow check
+    // Use 10000 denominator to avoid floating point precision issues
+    const bufferNumerator = BigInt(Math.floor(bufferMultiplier * 10000));
+    const bufferDenominator = 10000n;
+    const gasLimit = (safeEstimate * bufferNumerator) / bufferDenominator;
+
+    // Overflow detection: result should always be >= original estimate
+    if (gasLimit < safeEstimate) {
+      throw new Error(
+        `Gas calculation overflow detected for operation ${operation}. ` +
+        `Estimate: ${safeEstimate}, Buffer: ${bufferMultiplier}x, Result: ${gasLimit}`
+      );
+    }
+
     const options: any = {
-      gasLimit: (estimatedGas * BigInt(Math.round(bufferMultiplier * 100))) / 100n
+      gasLimit
     };
 
     if (this.gasSettings?.maxFeePerGas) {
@@ -87,6 +113,18 @@ export class EscrowVault {
     return this.address;
   }
 
+  /**
+   * Get the underlying ethers Contract instance.
+   *
+   * SECURITY FIX (C-3): Provides public access to contract for EventMonitor
+   * instead of accessing private field via bracket notation.
+   *
+   * @returns ethers Contract instance
+   */
+  getContract(): Contract {
+    return this.contract;
+  }
+
   /**
    * Approve USDC token for escrow creation
    *
@@ -151,68 +189,48 @@ export class EscrowVault {
    * Get escrow details
    */
   async getEscrow(escrowId: string): Promise<Escrow> {
+    validateTxId(escrowId, 'escrowId');
     const escrowData = await this.contract.escrows(escrowId);
 
     return {
       escrowId,
-      kernel: escrowData.kernel,
-      txId: escrowData.txId,
-      token: escrowData.token,
+      requester: escrowData.requester,
+      provider: escrowData.provider,
       amount: escrowData.amount,
-      beneficiary: escrowData.beneficiary,
-      createdAt: 0, // Not exposed in minimal ABI
-      released: escrowData.released
+      releasedAmount: escrowData.releasedAmount,
+      active: escrowData.active
     };
   }
 
   /**
-   * Get escrow balance
+   * Get escrow remaining balance (amount - releasedAmount)
    */
   async getEscrowBalance(escrowId: string): Promise<bigint> {
-    const escrow = await this.getEscrow(escrowId);
-    return escrow.amount;
+    validateTxId(escrowId, 'escrowId');
+    return await this.contract.remaining(escrowId);
   }
 
   /**
-   * Release escrow to recipients
-   * Note: Only callable by authorized kernel
+   * @deprecated
+   *
+   * Payouts/refunds are executed by ACTPKernel (on-chain) as part of state transitions.
+   * EscrowVault disbursement methods are `onlyKernel` and cannot be called by EOAs.
+   *
+   * Use:
+   * - `BlockchainRuntime.releaseEscrow(txId, attestationUID?)` (recommended)
+   * - or `ACTPKernel.transitionState(txId, State.SETTLED, proof)` (advanced)
    */
   async releaseEscrow(
     escrowId: string,
-    recipients: string[],
-    amounts: bigint[]
+    _recipients: string[],
+    _amounts: bigint[]
   ): Promise<void> {
-    // Input validation
     validateTxId(escrowId, 'escrowId');
-
-    if (recipients.length !== amounts.length) {
-      throw new ValidationError('recipients/amounts', 'Recipients and amounts length mismatch');
-    }
-
-    if (recipients.length === 0) {
-      throw new ValidationError('recipients', 'Must provide at least one recipient');
-    }
-
-    // Validate each recipient and amount
-    recipients.forEach((recipient, i) => {
-      validateAddress(recipient, `recipients[${i}]`);
-      validateAmount(amounts[i], `amounts[${i}]`);
-    });
-
-    try {
-      // ethers v6: use getFunction()
-      const disburseFunc = this.contract.getFunction('disburse');
-
-      // Estimate gas with safety buffer (30% for multi-recipient disbursement)
-      const estimatedGas = await disburseFunc.estimateGas(escrowId, recipients, amounts);
-      const txOptions = this.buildTxOptions(estimatedGas, 'releaseEscrow');
-
-      const tx = await disburseFunc(escrowId, recipients, amounts, txOptions);
-
-      await tx.wait();
-    } catch (error: any) {
-      throw new TransactionRevertedError(error.transactionHash, error.reason || error.message);
-    }
+    throw new ValidationError(
+      'EscrowVault.releaseEscrow',
+      'Escrow payouts are performed by ACTPKernel (onlyKernel). ' +
+        'Use BlockchainRuntime.releaseEscrow(txId, attestationUID?) or ACTPKernel.transitionState(txId, SETTLED).'
+    );
   }
 
   /**

package/src/protocol/EventMonitor.ts

@@ -3,6 +3,12 @@ import { State, Transaction } from '../types';
 
 /**
  * EventMonitor - Listen to blockchain events
+ *
+ * SECURITY FIX (EVENT-MONITOR): Corrected event parameter order to match ABI.
+ * Per ACTPKernel.json, TransactionCreated signature is:
+ *   (bytes32 indexed transactionId, address indexed requester, address indexed provider, uint256 amount, bytes32 serviceHash)
+ *
+ * Previous code had requester/provider swapped which caused wrong filter results.
  */
 export class EventMonitor {
   constructor(
@@ -55,18 +61,29 @@ export class EventMonitor {
 
   /**
    * Get all transactions for an address
-   * Fixed: Correct filter parameters (txId, provider, requester, amount)
+   *
+   * SECURITY FIX (EVENT-MONITOR): Corrected filter parameter order.
+   * Per ACTPKernel.json ABI, TransactionCreated event signature is:
+   *   (bytes32 indexed transactionId, address indexed requester, address indexed provider, uint256 amount, bytes32 serviceHash)
+   *
+   * Filter order: TransactionCreated(txId, requester, provider)
+   * - To filter by requester: (null, address, null)
+   * - To filter by provider: (null, null, address)
+   *
+   * SECURITY FIX (EVENT-MONITOR): Use getTransaction() instead of transactions()
+   * The kernel contract exposes getTransaction(bytes32) not transactions(bytes32).
    */
   async getTransactionHistory(
     address: string,
     role: 'requester' | 'provider' = 'requester'
   ): Promise<Transaction[]> {
-    // TransactionCreated event signature: (bytes32 indexed txId, address indexed provider, address indexed requester, uint256 amount)
-    // Filter format: TransactionCreated(txId, provider, requester)
+    // TransactionCreated event signature per ABI:
+    // (bytes32 indexed transactionId, address indexed requester, address indexed provider, uint256 amount, bytes32 serviceHash)
+    // Filter format: TransactionCreated(txId, requester, provider)
     const filter =
       role === 'requester'
-        ? this.kernelContract.filters.TransactionCreated(null, null, address) // Match requester
-        : this.kernelContract.filters.TransactionCreated(null, address, null); // Match provider
+        ? this.kernelContract.filters.TransactionCreated(null, address, null) // Match requester (2nd indexed param)
+        : this.kernelContract.filters.TransactionCreated(null, null, address); // Match provider (3rd indexed param)
 
     const events = await this.kernelContract.queryFilter(filter);
 
@@ -77,20 +94,28 @@ export class EventMonitor {
           throw new Error('Event does not contain args (not an EventLog)');
         }
         const txId = (event as EventLog).args?.transactionId;
-        const txData = await this.kernelContract.transactions(txId);
+
+        // SECURITY FIX: Use getTransaction() - the actual ABI function
+        // Previous code called transactions(txId) which doesn't exist in ABI
+        const txData = await this.kernelContract.getTransaction(txId);
 
         return {
-          txId: txData.transactionId,
+          txId: txData.transactionId || txId,
           requester: txData.requester,
           provider: txData.provider,
           amount: txData.amount,
-          state: txData.state as State,
+          state: (typeof txData.state === 'bigint' ? Number(txData.state) : txData.state) as State,
           createdAt: Number(txData.createdAt),
+          updatedAt: Number(txData.updatedAt),
           deadline: Number(txData.deadline),
           disputeWindow: Number(txData.disputeWindow),
           escrowContract: txData.escrowContract,
           escrowId: txData.escrowId,
-          metadata: txData.serviceHash
+          serviceHash: txData.serviceHash,
+          attestationUID: txData.attestationUID,
+          // Use metadata field (quote hash for QUOTED state) if available, fallback to serviceHash
+          metadata: txData.metadata || txData.serviceHash,
+          platformFeeBpsLocked: Number(txData.platformFeeBpsLocked)
         };
       })
     );
@@ -98,21 +123,25 @@ export class EventMonitor {
 
   /**
    * Subscribe to transaction creation events
-   * Fixed: Correct event parameter order (txId, provider, requester, amount)
+   *
+   * SECURITY FIX (EVENT-MONITOR): Corrected event parameter order.
+   * Per ACTPKernel.json ABI:
+   *   TransactionCreated(bytes32 indexed transactionId, address indexed requester, address indexed provider, uint256 amount, bytes32 serviceHash)
    */
   onTransactionCreated(
-    callback: (tx: { txId: string; provider: string; requester: string; amount: bigint }) => void
+    callback: (tx: { txId: string; requester: string; provider: string; amount: bigint; serviceHash?: string }) => void
   ): () => void {
     const filter = this.kernelContract.filters.TransactionCreated();
 
-    // Event signature: TransactionCreated(bytes32 indexed txId, address indexed provider, address indexed requester, uint256 amount)
+    // Event signature per ABI: (txId, requester, provider, amount, serviceHash)
     const listener = async (
       txId: string,
-      provider: string,
       requester: string,
-      amount: bigint
+      provider: string,
+      amount: bigint,
+      serviceHash?: string
     ) => {
-      callback({ txId, provider, requester, amount });
+      callback({ txId, requester, provider, amount, serviceHash });
     };
 
     this.kernelContract.on(filter, listener);