@layerzerolabs/protocol-stellar-v2 0.2.21 → 0.2.23

package/contracts/oapps/oft-core/src/tests/test_utils.rs

@@ -536,11 +536,6 @@ impl<'a> OFTTestSetupBuilder<'a> {
         self
     }
 
-    pub fn mint_burn(mut self) -> Self {
-        self.oft_type = OFTType::MintBurn;
-        self
-    }
-
     pub fn lock_unlock(mut self) -> Self {
         self.oft_type = OFTType::LockUnlock;
         self
@@ -552,11 +547,6 @@ impl<'a> OFTTestSetupBuilder<'a> {
         self
     }
 
-    pub fn with_contract_token(mut self) -> Self {
-        self.token_type = TokenType::ContractToken;
-        self
-    }
-
     pub fn build(self) -> OFTTestSetup<'a> {
         let env = self.env;
         let native_fee = self.native_fee;
@@ -655,16 +645,6 @@ impl<'a> OFTTestSetup<'a> {
         OFTTestSetupBuilder::new(env).build()
     }
 
-    /// Create a builder for customized test setup
-    pub fn builder(env: &'a Env) -> OFTTestSetupBuilder<'a> {
-        OFTTestSetupBuilder::new(env)
-    }
-
-    /// Returns true if this setup uses a MintBurn OFT
-    pub fn is_mint_burn(&self) -> bool {
-        self.oft_type == OFTType::MintBurn
-    }
-
     /// Returns true if this setup uses a LockUnlock OFT
     pub fn is_lock_unlock(&self) -> bool {
         self.oft_type == OFTType::LockUnlock
@@ -886,27 +866,4 @@ impl<'a> OFTTestSetup<'a> {
         LayerZeroReceiverClient::new(self.env, &self.oft.address)
             .lz_receive(executor, origin, guid, message, extra_data, &value);
     }
-
-    /// Try lz_receive with proper executor authentication (returns Result)
-    pub fn try_lz_receive(
-        &self,
-        executor: &Address,
-        origin: &Origin,
-        guid: &BytesN<32>,
-        message: &Bytes,
-        extra_data: &Bytes,
-        value: i128,
-    ) -> Result<Result<(), soroban_sdk::ConversionError>, Result<soroban_sdk::Error, soroban_sdk::InvokeError>> {
-        self.env.mock_auths(&[MockAuth {
-            address: executor,
-            invoke: &MockAuthInvoke {
-                contract: &self.oft.address,
-                fn_name: "lz_receive",
-                args: (executor, origin, guid, message, extra_data, value).into_val(self.env),
-                sub_invokes: &[],
-            },
-        }]);
-        LayerZeroReceiverClient::new(self.env, &self.oft.address)
-            .try_lz_receive(executor, origin, guid, message, extra_data, &value)
-    }
 }

package/contracts/upgrader/src/tests/test_upgrader.rs

@@ -127,3 +127,21 @@ fn test_upgrade_with_upgrader() {
 
     assert_eq!(client_v2.counter2(), counter_value);
 }
+
+#[test]
+fn test_upgrade_without_migration_data_returns_error_for_non_unit_migration() {
+    let e = Env::default();
+    e.mock_all_auths_allowing_non_root_auth();
+
+    let owner = Address::generate(&e);
+    let contract_id = e.register(contract_v1::WASM, (&owner,));
+
+    let upgrader = e.register(Upgrader, ());
+    let upgrader_client = UpgraderClient::new(&e, &upgrader);
+
+    let new_wasm_hash = install_new_wasm(&e);
+    // The upgradeable WASM fixture requires non-unit migration data (u32).
+    // `Upgrader::upgrade` always passes empty `()` migration bytes, so this must fail.
+    let res = upgrader_client.try_upgrade(&contract_id, &new_wasm_hash);
+    assert_eq!(res.err().unwrap().unwrap(), utils::errors::UpgradeableError::InvalidMigrationData.into());
+}

package/contracts/utils/src/auth.rs

@@ -12,13 +12,13 @@ use soroban_sdk::{contractclient, Address, Env};
 /// Base trait for authorization.
 ///
 /// Provides the authorizer address for owner-protected operations. This trait
-/// is implemented by both `Ownable` (external owner) and `Multisig` (self-owning).
+/// is implemented by both `Ownable` (external owner) and `MultiSig` (self-owning).
 #[contractclient(name = "AuthClient")]
 pub trait Auth: Sized {
     /// Returns the address that authorizes owner-protected operations.
     ///
     /// For `Ownable` contracts, this returns the stored owner address.
-    /// For `Multisig` contracts, this returns the contract's own address
+    /// For `MultiSig` contracts, this returns the contract's own address
     /// (self-owning pattern).
     fn authorizer(env: &Env) -> Address;
 }

package/contracts/utils/src/buffer_reader.rs

@@ -1,19 +1,27 @@
-use soroban_sdk::{
-    address_payload::AddressPayload, assert_with_error, panic_with_error, Address, Bytes, BytesN, Env, U256,
-};
-
 use crate::{
     buffer_writer::{ACCOUNT_PAYLOAD_TYPE, CONTRACT_PAYLOAD_TYPE},
     bytes_ext::BytesExt,
     errors::BufferReaderError,
 };
+use core::mem;
+use soroban_sdk::{
+    address_payload::AddressPayload, assert_with_error, panic_with_error, Address, Bytes, BytesN, Env, I256, U256,
+};
 
-/// Macro to generate read methods for primitive integer types (big-endian).
-macro_rules! impl_read_uint {
-    ($($method:ident, $type:ty, $len:expr);* $(;)?) => {
+/// Generates read methods for primitive integer types using big-endian byte order.
+///
+/// Each generated method reads a fixed number of bytes from the buffer, converts them
+/// from big-endian format to the target integer type, and advances the read position.
+///
+/// # Syntax
+/// ```ignore
+/// impl_read_int!(method_name, Type; ...);
+/// ```
+macro_rules! impl_read_int {
+    ($($method:ident, $type:ty);* $(;)?) => {
         $(
             pub fn $method(&mut self) -> $type {
-                <$type>::from_be_bytes(self.read_bytes($len).to_array())
+                <$type>::from_be_bytes(self.read_bytes(mem::size_of::<$type>() as u32).to_array())
             }
         )*
     };
@@ -23,6 +31,14 @@ macro_rules! impl_read_uint {
 ///
 /// Maintains a position cursor that advances as data is read.
 /// All integer reads are big-endian.
+///
+/// # Example
+/// ```ignore
+/// let mut reader = BufferReader::new(&bytes);
+/// let value = reader.read_u32();
+/// let value = reader.read_bool();
+/// let addr = reader.read_address();
+/// ```
 pub struct BufferReader<'a> {
     buffer: &'a Bytes,
     pos: u32,
@@ -34,6 +50,7 @@ impl<'a> BufferReader<'a> {
         Self { buffer, pos: 0 }
     }
 
+    /// Sets the read position to an absolute byte offset.
     pub fn seek(&mut self, pos: u32) -> &mut Self {
         assert_with_error!(self.buffer.env(), pos <= self.buffer.len(), BufferReaderError::InvalidLength);
         self.pos = pos;
@@ -53,7 +70,9 @@ impl<'a> BufferReader<'a> {
     }
 
     // Generates: read_u8 (1 byte), read_u16 (2 bytes), read_u32 (4 bytes), read_u64 (8 bytes), read_u128 (16 bytes)
-    impl_read_uint!(read_u8, u8, 1; read_u16, u16, 2; read_u32, u32, 4; read_u64, u64, 8; read_u128, u128, 16; read_i128, i128, 16);
+    impl_read_int!(read_u8, u8; read_u16, u16; read_u32, u32; read_u64, u64; read_u128, u128);
+    // Generate: read_i8 (1 byte), read_i16 (2 bytes), read_i32 (4 bytes), read_i64 (8 bytes), read_i128 (16 bytes)
+    impl_read_int!(read_i8, i8; read_i16, i16; read_i32, i32; read_i64, i64; read_i128, i128);
 
     /// Reads a boolean (1 byte, non-zero = true).
     pub fn read_bool(&mut self) -> bool {
@@ -65,6 +84,11 @@ impl<'a> BufferReader<'a> {
         U256::from_be_bytes(self.buffer.env(), &self.read_bytes(32))
     }
 
+    /// Reads a I256 (32 bytes, big-endian).
+    pub fn read_i256(&mut self) -> I256 {
+        I256::from_be_bytes(self.buffer.env(), &self.read_bytes(32))
+    }
+
     /// Reads a Stellar address (33 bytes: 1 type + 32 payload).
     pub fn read_address(&mut self) -> Address {
         let payload_type = self.read_u8();
@@ -79,7 +103,11 @@ impl<'a> BufferReader<'a> {
 
     /// Reads N bytes as a fixed-size BytesN<N>.
     pub fn read_bytes_n<const N: usize>(&mut self) -> BytesN<N> {
-        BytesN::<N>::from_array(self.buffer.env(), &self.read_bytes(N as u32).to_array())
+        BytesN::<N>::from_array(self.buffer.env(), &self.read_array())
+    }
+
+    pub fn read_array<const N: usize>(&mut self) -> [u8; N] {
+        self.read_bytes(N as u32).to_array()
     }
 
     /// Reads `len` bytes from current position and advances.
@@ -141,3 +169,26 @@ impl<'a> BufferReader<'a> {
         Address::from_payload(self.buffer.env(), addr_payload)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_size_of_unsigned_integers() {
+        assert_eq!(mem::size_of::<u8>(), 1);
+        assert_eq!(mem::size_of::<u16>(), 2);
+        assert_eq!(mem::size_of::<u32>(), 4);
+        assert_eq!(mem::size_of::<u64>(), 8);
+        assert_eq!(mem::size_of::<u128>(), 16);
+    }
+
+    #[test]
+    fn test_size_of_signed_integers() {
+        assert_eq!(mem::size_of::<i8>(), 1);
+        assert_eq!(mem::size_of::<i16>(), 2);
+        assert_eq!(mem::size_of::<i32>(), 4);
+        assert_eq!(mem::size_of::<i64>(), 8);
+        assert_eq!(mem::size_of::<i128>(), 16);
+    }
+}

package/contracts/utils/src/buffer_writer.rs

@@ -1,9 +1,16 @@
-use soroban_sdk::{address_payload::AddressPayload, Address, Bytes, BytesN, Env, U256};
-
 use crate::{errors::BufferWriterError, option_ext::OptionExt};
+use soroban_sdk::{address_payload::AddressPayload, Address, Bytes, BytesN, Env, I256, U256};
 
-/// Macro to generate write methods for primitive integer types (big-endian).
-macro_rules! impl_write_uint {
+/// Generates write methods for primitive integer types using big-endian byte order.
+///
+/// Each generated method writes a fixed number of bytes to the buffer, converts the
+/// integer value to big-endian format, and advances the write position.
+///
+/// # Syntax
+/// ```ignore
+/// impl_write_int!(method_name, Type; ...);
+/// ```
+macro_rules! impl_write_int {
     ($($method:ident, $type:ty);* $(;)?) => {
         $(
             pub fn $method(&mut self, value: $type) -> &mut Self {
@@ -47,7 +54,9 @@ impl BufferWriter {
     }
 
     // Generates: write_u8 (1 byte), write_u16 (2 bytes), write_u32 (4 bytes), write_u64 (8 bytes), write_u128 (16 bytes)
-    impl_write_uint!(write_u8, u8; write_u16, u16; write_u32, u32; write_u64, u64; write_u128, u128; write_i128, i128);
+    impl_write_int!(write_u8, u8; write_u16, u16; write_u32, u32; write_u64, u64; write_u128, u128);
+    // Generate: write_i8 (1 byte), write_i16 (2 bytes), write_i32 (4 bytes), write_i64 (8 bytes), write_i128 (16 bytes)
+    impl_write_int!(write_i8, i8; write_i16, i16; write_i32, i32; write_i64, i64; write_i128, i128);
 
     /// Write a boolean value to the buffer (true as 1, false as 0).
     pub fn write_bool(&mut self, value: bool) -> &mut Self {
@@ -60,20 +69,9 @@ impl BufferWriter {
         self
     }
 
-    /// Write a byte slice to the buffer (appends without length prefix).
-    pub fn write_bytes(&mut self, bytes: &Bytes) -> &mut Self {
-        self.buffer.append(bytes);
-        self
-    }
-
-    pub fn write_array<const N: usize>(&mut self, array: &[u8; N]) -> &mut Self {
-        self.buffer.extend_from_array(array);
-        self
-    }
-
-    /// Write a fixed-size BytesN<N> to the buffer.
-    pub fn write_bytes_n<const N: usize>(&mut self, bytes_n: &BytesN<N>) -> &mut Self {
-        self.buffer.extend_from_array(&bytes_n.to_array());
+    /// Write a signed 256-bit integer in big-endian format.
+    pub fn write_i256(&mut self, value: I256) -> &mut Self {
+        self.buffer.append(&value.to_be_bytes());
         self
     }
 
@@ -89,7 +87,24 @@ impl BufferWriter {
         self.write_bytes_n(&payload)
     }
 
-    /// Get the complete buffer as a Bytes, consuming the writer.
+    /// Write a byte slice to the buffer (appends without length prefix).
+    pub fn write_bytes(&mut self, bytes: &Bytes) -> &mut Self {
+        self.buffer.append(bytes);
+        self
+    }
+
+    /// Write a fixed-size BytesN<N> to the buffer.
+    pub fn write_bytes_n<const N: usize>(&mut self, bytes_n: &BytesN<N>) -> &mut Self {
+        self.buffer.extend_from_array(&bytes_n.to_array());
+        self
+    }
+
+    pub fn write_array<const N: usize>(&mut self, array: &[u8; N]) -> &mut Self {
+        self.buffer.extend_from_array(array);
+        self
+    }
+
+    /// Get the complete buffer as a Bytes.
     pub fn to_bytes(&self) -> Bytes {
         self.buffer.clone()
     }

package/contracts/utils/src/bytes_ext.rs

@@ -1,6 +1,5 @@
-use soroban_sdk::{assert_with_error, Bytes};
-
 use crate::errors::BytesExtError;
+use soroban_sdk::{assert_with_error, Bytes};
 
 /// Extension trait for `Bytes` to convert to fixed-size arrays
 pub trait BytesExt {

package/contracts/utils/src/errors.rs

@@ -27,7 +27,8 @@ pub enum TtlConfigurableError {
 /// OwnableError: 1030-1039
 #[contract_error]
 pub enum OwnableError {
-    InvalidPendingOwner = 1030,
+    InvalidAuthorizer = 1030,
+    InvalidPendingOwner,
     InvalidTtl,
     NoPendingTransfer,
     OwnerAlreadySet,
@@ -49,10 +50,11 @@ pub enum UpgradeableError {
     UpgradesFrozen,
 }
 
-/// MultisigError: 1060-1069
+/// MultiSigError: 1060-1069
 #[contract_error]
-pub enum MultisigError {
+pub enum MultiSigError {
     AlreadyInitialized = 1060,
+    InvalidAuthorizer,
     InvalidSigner,
     SignatureError,
     SignerAlreadyExists,

package/contracts/utils/src/multisig.rs

@@ -1,13 +1,13 @@
 use crate::{
     self as utils, // Alias for #[storage] macro's generated `utils::ttl_configurable` path
-    auth::{self, Auth},
-    errors::MultisigError,
+    auth::Auth,
+    errors::MultiSigError,
 };
 use common_macros::{contract_trait, storage};
 use soroban_sdk::{assert_with_error, contractevent, Bytes, BytesN, Env, Vec};
 
 // ===========================================================================
-// Multisig events
+// MultiSig events
 // ===========================================================================
 
 /// Event emitted when a signer is added or removed.
@@ -27,39 +27,46 @@ pub struct ThresholdSet {
 }
 
 // ===========================================================================
-// Multisig storage
+// MultiSig storage
 // ===========================================================================
 
-/// Storage keys for Multisig.
+/// Storage keys for MultiSig.
 #[storage]
-pub enum MultisigStorage {
+pub enum MultiSigStorage {
+    /// List of authorized signers as Ethereum-style addresses (20 bytes).
+    ///
+    /// Practically, multisig has 2-5 signers, so storing them in a single `Vec` is fine.
+    /// This makes `get_signers` trivial (just read the Vec), while `set_signer` is slightly
+    /// more complex (read-modify-write). Since reads are frequent and writes are rare,
+    /// this trade-off is acceptable.
     #[persistent(Vec<BytesN<20>>)]
     #[default(Vec::new(env))]
     Signers,
 
+    /// Minimum number of valid signatures required to authorize operations (quorum).
     #[instance(u32)]
     #[default(0)]
     Threshold,
 }
 
 // ===========================================================================
-// Multisig trait with default implementation
+// MultiSig trait with default implementation
 // ===========================================================================
 
 /// Trait for contracts with secp256k1 multisig signature verification.
 ///
 /// Extends `Auth` to provide self-owning authorization. Contracts implementing
-/// `Multisig` should implement `Auth::authorizer()` to return `env.current_contract_address()`,
+/// `MultiSig` should implement `Auth::authorizer()` to return `env.current_contract_address()`,
 /// allowing the multisig quorum to serve as the authorizer for owner-protected operations.
 #[contract_trait]
-pub trait Multisig: Auth {
+pub trait MultiSig: Auth {
     // ===========================================================================
     // Mutation functions, only callable by the contract itself
     // ===========================================================================
 
     /// Adds or removes a signer from the multisig. Requires owner authorization.
     fn set_signer(env: &soroban_sdk::Env, signer: &soroban_sdk::BytesN<20>, active: bool) {
-        auth::require_auth::<Self>(env);
+        enforce_multisig_auth::<Self>(env);
         match active {
             true => add_signer(env, signer),
             false => remove_signer(env, signer),
@@ -68,7 +75,7 @@ pub trait Multisig: Auth {
 
     /// Sets the signature threshold (quorum). Requires owner authorization.
     fn set_threshold(env: &soroban_sdk::Env, threshold: u32) {
-        auth::require_auth::<Self>(env);
+        enforce_multisig_auth::<Self>(env);
         set_threshold(env, threshold);
     }
 
@@ -78,22 +85,22 @@ pub trait Multisig: Auth {
 
     /// Returns all registered signers.
     fn get_signers(env: &soroban_sdk::Env) -> soroban_sdk::Vec<soroban_sdk::BytesN<20>> {
-        MultisigStorage::signers(env)
+        MultiSigStorage::signers(env)
     }
 
     /// Returns the total number of registered signers.
     fn total_signers(env: &soroban_sdk::Env) -> u32 {
-        MultisigStorage::signers(env).len()
+        MultiSigStorage::signers(env).len()
     }
 
     /// Checks if an address is a registered signer.
     fn is_signer(env: &soroban_sdk::Env, signer: &soroban_sdk::BytesN<20>) -> bool {
-        MultisigStorage::signers(env).iter().any(|s| &s == signer)
+        MultiSigStorage::signers(env).iter().any(|s| &s == signer)
     }
 
     /// Returns the current signature threshold (quorum).
     fn threshold(env: &soroban_sdk::Env) -> u32 {
-        MultisigStorage::threshold(env)
+        MultiSigStorage::threshold(env)
     }
 
     // ===========================================================================
@@ -106,7 +113,7 @@ pub trait Multisig: Auth {
         digest: &soroban_sdk::BytesN<32>,
         signatures: &soroban_sdk::Vec<soroban_sdk::BytesN<65>>,
     ) {
-        Self::verify_n_signatures(env, digest, signatures, MultisigStorage::threshold(env));
+        Self::verify_n_signatures(env, digest, signatures, MultiSigStorage::threshold(env));
     }
 
     /// Verifies signatures against a custom threshold.
@@ -116,10 +123,10 @@ pub trait Multisig: Auth {
         signatures: &soroban_sdk::Vec<soroban_sdk::BytesN<65>>,
         threshold: u32,
     ) {
-        assert_with_error!(env, threshold > 0, MultisigError::ZeroThreshold);
-        assert_with_error!(env, signatures.len() >= threshold, MultisigError::SignatureError);
+        assert_with_error!(env, threshold > 0, MultiSigError::ZeroThreshold);
+        assert_with_error!(env, signatures.len() >= threshold, MultiSigError::SignatureError);
 
-        let signers = MultisigStorage::signers(env);
+        let signers = MultiSigStorage::signers(env);
         let mut last_signer: Option<BytesN<20>> = None;
         for signature in signatures.iter() {
             let signer = recover_signer(env, digest, &signature);
@@ -127,9 +134,9 @@ pub trait Multisig: Auth {
             assert_with_error!(
                 env,
                 last_signer.as_ref().is_none_or(|last| &signer > last),
-                MultisigError::UnsortedSigners
+                MultiSigError::UnsortedSigners
             );
-            assert_with_error!(env, signers.iter().any(|s| s == signer), MultisigError::SignerNotFound);
+            assert_with_error!(env, signers.iter().any(|s| s == signer), MultiSigError::SignerNotFound);
 
             last_signer = Some(signer);
         }
@@ -142,7 +149,7 @@ pub trait Multisig: Auth {
 
 /// Initializes multisig with signers and threshold. Called from contract constructors.
 pub fn init_multisig(env: &Env, signers: &Vec<BytesN<20>>, threshold: u32) {
-    assert_with_error!(env, !MultisigStorage::has_signers(env), MultisigError::AlreadyInitialized);
+    assert_with_error!(env, !MultiSigStorage::has_signers(env), MultiSigError::AlreadyInitialized);
 
     signers.iter().for_each(|signer| add_signer(env, &signer));
     set_threshold(env, threshold);
@@ -151,13 +158,29 @@ pub fn init_multisig(env: &Env, signers: &Vec<BytesN<20>>, threshold: u32) {
 /// Recovers Ethereum-style signer address from secp256k1 signature (65 bytes: r + s + v).
 pub fn recover_signer(env: &Env, digest: &BytesN<32>, signature: &BytesN<65>) -> BytesN<20> {
     let sig_bytes: Bytes = signature.into();
+
+    // Extract recovery ID (v) - normalize from Ethereum's 27-30 range if needed
     let v = sig_bytes.get(64).unwrap();
     let recovery_id = if (27..=30).contains(&v) { v - 27 } else { v };
+
+    // Extract r,s components (first 64 bytes)
     let sig_rs: BytesN<64> = sig_bytes.slice(0..64).try_into().unwrap();
 
+    // Recover uncompressed public key (65 bytes with 0x04 prefix)
     let public_key = env.crypto_hazmat().secp256k1_recover(digest, &sig_rs, recovery_id as u32);
 
-    Bytes::from(env.crypto().keccak256(&Bytes::from(public_key).slice(1..65))).slice(12..32).try_into().unwrap()
+    // Derive Ethereum address: keccak256(pubkey[1..65])[12..32]
+    let pubkey_body: Bytes = Bytes::from(public_key).slice(1..65);
+    let hash: Bytes = env.crypto().keccak256(&pubkey_body).into();
+    hash.slice(12..32).try_into().unwrap()
+}
+
+/// Enforces multisig authorization by requiring the contract's own address to authorize.
+/// Panics with `InvalidAuthorizer` if the authorizer is not the contract's own address.
+pub fn enforce_multisig_auth<T: MultiSig>(env: &Env) {
+    // Ensure the authorizer is the contract's own address
+    assert_with_error!(env, T::authorizer(env) == env.current_contract_address(), MultiSigError::InvalidAuthorizer);
+    env.current_contract_address().require_auth();
 }
 
 // ===========================================================================
@@ -167,24 +190,24 @@ pub fn recover_signer(env: &Env, digest: &BytesN<32>, signature: &BytesN<65>) ->
 /// Adds a new signer to the multisig.
 fn add_signer(env: &Env, signer: &BytesN<20>) {
     // Not allowed to add zero address as signer
-    assert_with_error!(env, signer != &BytesN::from_array(env, &[0u8; 20]), MultisigError::InvalidSigner);
+    assert_with_error!(env, signer != &BytesN::from_array(env, &[0u8; 20]), MultiSigError::InvalidSigner);
     // Not allowed to add same signer twice
-    let mut signers = MultisigStorage::signers(env);
-    assert_with_error!(env, !signers.iter().any(|s| &s == signer), MultisigError::SignerAlreadyExists);
+    let mut signers = MultiSigStorage::signers(env);
+    assert_with_error!(env, !signers.iter().any(|s| &s == signer), MultiSigError::SignerAlreadyExists);
 
     // Add signer to list
     signers.push_back(signer.clone());
-    MultisigStorage::set_signers(env, &signers);
+    MultiSigStorage::set_signers(env, &signers);
 
     SignerSet { signer: signer.clone(), active: true }.publish(env);
 }
 
 /// Removes a signer from the multisig.
 fn remove_signer(env: &Env, signer: &BytesN<20>) {
-    let mut signers = MultisigStorage::signers(env);
+    let mut signers = MultiSigStorage::signers(env);
     let index = signers.first_index_of(signer);
     // Not allowed to remove non-existent signer
-    assert_with_error!(env, index.is_some(), MultisigError::SignerNotFound);
+    assert_with_error!(env, index.is_some(), MultiSigError::SignerNotFound);
 
     // Remove signer from list
     signers.remove(index.unwrap());
@@ -192,12 +215,12 @@ fn remove_signer(env: &Env, signer: &BytesN<20>) {
     // Not allowed to remove signer if it would violate the threshold
     assert_with_error!(
         env,
-        signers.len() >= MultisigStorage::threshold(env),
-        MultisigError::TotalSignersLessThanThreshold
+        signers.len() >= MultiSigStorage::threshold(env),
+        MultiSigError::TotalSignersLessThanThreshold
     );
 
     // Update signers list
-    MultisigStorage::set_signers(env, &signers);
+    MultiSigStorage::set_signers(env, &signers);
 
     SignerSet { signer: signer.clone(), active: false }.publish(env);
 }
@@ -205,16 +228,16 @@ fn remove_signer(env: &Env, signer: &BytesN<20>) {
 /// Sets the signature threshold (quorum).
 fn set_threshold(env: &Env, threshold: u32) {
     // Not allowed to set threshold to zero
-    assert_with_error!(env, threshold > 0, MultisigError::ZeroThreshold);
+    assert_with_error!(env, threshold > 0, MultiSigError::ZeroThreshold);
     // Not allowed to set threshold to greater than the number of signers
     assert_with_error!(
         env,
-        MultisigStorage::signers(env).len() >= threshold,
-        MultisigError::TotalSignersLessThanThreshold
+        MultiSigStorage::signers(env).len() >= threshold,
+        MultiSigError::TotalSignersLessThanThreshold
     );
 
     // Update threshold
-    MultisigStorage::set_threshold(env, &threshold);
+    MultiSigStorage::set_threshold(env, &threshold);
 
     ThresholdSet { threshold }.publish(env);
 }

package/contracts/utils/src/option_ext.rs

@@ -1,4 +1,4 @@
-use soroban_sdk::{panic_with_error, Env};
+use soroban_sdk::{panic_with_error, Env, Error};
 
 /// Extension trait for `Option<T>` that provides Soroban-specific unwrapping utilities.
 ///
@@ -20,13 +20,13 @@ pub trait OptionExt<T> {
     /// Panics with the specified error if the `Option` is `None`.
     fn unwrap_or_panic<E>(self, env: &Env, error: E) -> T
     where
-        E: Into<soroban_sdk::Error>;
+        E: Into<Error>;
 }
 
 impl<T> OptionExt<T> for Option<T> {
     fn unwrap_or_panic<E>(self, env: &Env, error: E) -> T
     where
-        E: Into<soroban_sdk::Error>,
+        E: Into<Error>,
     {
         match self {
             // Return the inner value if present

package/contracts/utils/src/ownable.rs

@@ -23,6 +23,14 @@ pub struct OwnershipTransferring {
     pub ttl: u32,
 }
 
+/// Event emitted when a 2-step ownership transfer is cancelled.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct OwnershipTransferCancelled {
+    pub owner: Address,
+    pub cancelled_pending_owner: Address,
+}
+
 /// Event emitted when ownership is renounced.
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -58,7 +66,7 @@ pub enum OwnableStorage {
 /// - Single-step: `transfer_ownership` - Immediate transfer (use with caution)
 /// - Two-step: `propose_ownership_transfer` + `accept_ownership` - Safer, requires new owner to accept
 #[contract_trait]
-pub trait Ownable: Sized + Auth {
+pub trait Ownable: Auth {
     // ===========================================================================
     // View functions
     // ===========================================================================
@@ -123,6 +131,7 @@ pub trait Ownable: Sized + Auth {
             assert_with_error!(env, pending == *new_owner, OwnableError::InvalidPendingOwner);
 
             OwnableStorage::remove_pending_owner(env);
+            OwnershipTransferCancelled { owner: old_owner, cancelled_pending_owner: pending }.publish(env);
             return;
         }
 
@@ -194,15 +203,12 @@ pub trait OwnableInitializer {
 /// Panics if no owner is set or authorization fails.
 pub fn enforce_owner_auth<T: Ownable>(env: &Env) -> Address {
     let owner = T::owner(env).unwrap_or_panic(env, OwnableError::OwnerNotSet);
+    // Ensure the owner is the same as the authorizer
+    assert_with_error!(env, owner == T::authorizer(env), OwnableError::InvalidAuthorizer);
     owner.require_auth();
     owner
 }
 
-/// Enforces owner authorization without returning the address.
-pub fn require_owner_auth<T: Ownable>(env: &Env) {
-    let _ = enforce_owner_auth::<T>(env);
-}
-
 /// Asserts that no 2-step ownership transfer is in progress.
 /// Panics with `TransferInProgress` if a pending transfer exists.
 fn assert_no_pending_transfer<T: Ownable>(env: &Env) {