npm - @axonfi/sdk - Versions diffs - 0.6.0 → 0.7.0 - Mend

@axonfi/sdk 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -318,6 +318,31 @@ await axon.getVaultInfo(); // owner, operator, version
 await axon.canPayTo('0xRecipient'); // destination allowed?
 ```
+### ERC-1271 Bot Signatures (External Protocol Signing)
+By default, only the vault owner's signatures are accepted by external protocols that check ERC-1271 (e.g., Permit2, Cowswap, Seaport). Bot signatures are rejected.
+If your bot needs to sign messages that external protocols validate against the vault (e.g., signing a Cowswap order, a Permit2 approval, or a Seaport listing), the vault owner must explicitly enable bot signing:
+```typescript
+// Check if ERC-1271 bot signing is enabled (direct chain read)
+import { isErc1271BotsEnabled, createAxonPublicClient } from '@axonfi/sdk';
+const publicClient = createAxonPublicClient(chainId, rpcUrl);
+const enabled = await isErc1271BotsEnabled(publicClient, vaultAddress);
+if (!enabled) {
+  console.log('ERC-1271 bot signatures are disabled on this vault.');
+  console.log('The vault owner must enable it via the dashboard or by calling setErc1271Bots(true).');
+}
+```
+**When to enable:** Only if your bots interact with protocols that verify signatures via ERC-1271 — Cowswap (off-chain order signing), Permit2 (gasless token approvals), Seaport (NFT marketplace listings).
+**When to keep disabled (default):** If your bots only make payments, execute DeFi calls, or rebalance tokens through Axon's standard `pay()` / `execute()` / `swap()` endpoints.
+**Security note:** If a bot key is compromised while ERC-1271 is enabled, the attacker could sign Permit2 approvals or marketplace listings that drain vault funds. The owner can disable it instantly via the dashboard or `setErc1271Bots(false)`.
 ### Utilities
 Helper functions for amount conversion, token resolution, and reference encoding.
@@ -366,7 +391,7 @@ Supports EIP-3009 (USDC, gasless) and Permit2 (any ERC-20) settlement schemes.
 ## Security Model
 - **Owners** control everything: bot whitelist, spending limits, withdrawal. Hardware wallet recommended.
-- **Bots** only sign payment intents. They never hold ETH, never submit transactions, and can be removed instantly.
+- **Bots** only sign payment intents. They never hold ETH, never submit transactions, and can be removed instantly. External protocol signing (ERC-1271) is disabled by default — must be explicitly enabled by the owner.
 - **Relayer** (Axon) can only execute bot-signed intents within configured limits. Cannot withdraw or modify vault config.
 - **If Axon goes offline**, the owner retains full withdrawal access directly through the on-chain vault contract.

package/dist/index.cjs CHANGED Viewed

@@ -1057,6 +1057,32 @@ var AxonVaultAbi = [
     ],
     "stateMutability": "view"
   },
+  {
+    "type": "function",
+    "name": "erc1271BotsEnabled",
+    "inputs": [],
+    "outputs": [
+      {
+        "name": "",
+        "type": "bool",
+        "internalType": "bool"
+      }
+    ],
+    "stateMutability": "view"
+  },
+  {
+    "type": "function",
+    "name": "setErc1271Bots",
+    "inputs": [
+      {
+        "name": "enabled",
+        "type": "bool",
+        "internalType": "bool"
+      }
+    ],
+    "outputs": [],
+    "stateMutability": "nonpayable"
+  },
   {
     "type": "function",
     "name": "onERC1155BatchReceived",
@@ -1656,6 +1682,19 @@ var AxonVaultAbi = [
     "outputs": [],
     "stateMutability": "nonpayable"
   },
+  {
+    "type": "event",
+    "name": "ERC1271BotsToggled",
+    "inputs": [
+      {
+        "name": "enabled",
+        "type": "bool",
+        "indexed": false,
+        "internalType": "bool"
+      }
+    ],
+    "anonymous": false
+  },
   {
     "type": "event",
     "name": "BotAdded",
@@ -2097,6 +2136,12 @@ var AxonVaultAbi = [
         "indexed": false,
         "internalType": "uint256"
       },
+      {
+        "name": "value",
+        "type": "uint256",
+        "indexed": false,
+        "internalType": "uint256"
+      },
       {
         "name": "ref",
         "type": "bytes32",
@@ -3270,6 +3315,13 @@ async function operatorMaxDrainPerDay(publicClient, vaultAddress) {
     functionName: "operatorMaxDrainPerDay"
   });
 }
+async function isErc1271BotsEnabled(publicClient, vaultAddress) {
+  return publicClient.readContract({
+    address: vaultAddress,
+    abi: AxonVaultAbi,
+    functionName: "erc1271BotsEnabled"
+  });
+}
 async function isVaultPaused(publicClient, vaultAddress) {
   return publicClient.readContract({
     address: vaultAddress,
@@ -4961,6 +5013,7 @@ exports.getVaultOwner = getVaultOwner;
 exports.getVaultVersion = getVaultVersion;
 exports.isBotActive = isBotActive;
 exports.isDestinationAllowed = isDestinationAllowed;
+exports.isErc1271BotsEnabled = isErc1271BotsEnabled;
 exports.isRebalanceTokenWhitelisted = isRebalanceTokenWhitelisted;
 exports.isVaultPaused = isVaultPaused;
 exports.operatorMaxDrainPerDay = operatorMaxDrainPerDay;