@layerzerolabs/protocol-stellar-v2 0.2.29 → 0.2.30

package/contracts/workers/executor/src/auth.rs

@@ -74,21 +74,21 @@ impl LzExecutor {
     ///
     /// # Design
     ///
-    /// For `lz_receive`: OApps call `verify_and_clear_payload` (see `oapp_receiver.rs`)
-    /// which requires executor auth and optionally transfers native token from executor to OApp.
+    /// ## Helper path (via registered ExecutorHelper):
     ///
-    /// For `lz_compose`: Composers follow the same pattern - require executor auth and
-    /// optionally transfer native token from executor to composer.
+    /// The executor helper calls `executor.require_auth()` then delegates to the OApp.
+    /// Auth contexts have 2-3 entries depending on whether value == 0:
+    /// - Context 1: helper function (e.g., `execute`, `compose`) on the registered helper address
+    /// - Context 2: `lz_receive`/`lz_compose` on the OApp/Composer (always present)
+    /// - Context 3: `transfer` on native token (only if value != 0)
     ///
-    /// Both create 1-2 auth contexts depending on whether value == 0:
-    /// - Context 1: `lz_receive`/`lz_compose` on the OApp/Composer (always present)
-    /// - Context 2: `transfer` on native token (only if value != 0)
+    /// ## Alert path:
     ///
-    /// For `lz_receive_alert`/`lz_compose_alert`: These are called directly on the endpoint
+    /// `lz_receive_alert`/`lz_compose_alert` are called directly on the endpoint
     /// to record failed executions. Only 1 context on the endpoint is expected.
     fn validate_auth_contexts(env: &Env, contexts: &Vec<Context>) -> Result<(), ExecutorError> {
-        // Early bounds check: max 2 contexts expected
-        if contexts.len() > 2 {
+        // Early bounds check: max 3 contexts expected (helper fn + lz_receive/lz_compose + optional transfer)
+        if contexts.len() > 3 {
             return Err(ExecutorError::UnauthorizedContext);
         }
 
@@ -99,7 +99,7 @@ impl LzExecutor {
 
         let first_fn_name = &first_ctx.fn_name;
 
-        // Alert path: lz_receive_alert or lz_compose_alert (lazy Symbol creation)
+        // Alert path: lz_receive_alert or lz_compose_alert
         if *first_fn_name == Symbol::new(env, "lz_receive_alert")
             || *first_fn_name == Symbol::new(env, "lz_compose_alert")
         {
@@ -110,36 +110,52 @@ impl LzExecutor {
             return Ok(());
         }
 
-        // Execute path: lz_receive or lz_compose
-        if *first_fn_name != Symbol::new(env, "lz_receive") && *first_fn_name != Symbol::new(env, "lz_compose") {
+        // Helper path: first context must be on the registered executor helper
+        let helper_config =
+            ExecutorStorage::executor_helper(env).ok_or(ExecutorError::UnauthorizedContext)?;
+
+        // Validate first context: must be the helper address with an allowed function name
+        if first_ctx.contract != helper_config.address
+            || !helper_config.allowed_functions.contains(first_fn_name)
+        {
+            return Err(ExecutorError::UnauthorizedContext);
+        }
+
+        // Second context: must be lz_receive or lz_compose on the OApp/Composer
+        let second_ctx = contexts.get(1).ok_or(ExecutorError::UnauthorizedContext)?;
+        let Context::Contract(second_ctx) = second_ctx else {
+            return Err(ExecutorError::UnauthorizedContext);
+        };
+
+        let second_fn_name = &second_ctx.fn_name;
+        if *second_fn_name != Symbol::new(env, "lz_receive")
+            && *second_fn_name != Symbol::new(env, "lz_compose")
+        {
             return Err(ExecutorError::UnauthorizedContext);
         }
 
-        let value = Self::extract_i128(env, first_ctx.args.last())?;
+        // Extract value from the lz_receive/lz_compose args (last arg is value)
+        let value = Self::extract_i128(env, second_ctx.args.last())?;
         if value == 0 {
-            // If value is 0, there should be exactly 1 context
-            if contexts.len() != 1 {
+            // No transfer expected - should be exactly 2 contexts
+            if contexts.len() != 2 {
                 return Err(ExecutorError::UnauthorizedContext);
             }
             return Ok(());
         }
 
-        // value != 0: validate transfer context (only if there are 2 contexts)
-        if contexts.len() != 2 {
-            return Err(ExecutorError::UnauthorizedContext);
-        }
-
-        // Second context must be the transfer context
-        let Context::Contract(second_ctx) = contexts.get(1).unwrap() else {
+        // value != 0: validate transfer context
+        let third_ctx = contexts.get(2).ok_or(ExecutorError::UnauthorizedContext)?;
+        let Context::Contract(third_ctx) = third_ctx else {
             return Err(ExecutorError::UnauthorizedContext);
         };
 
         let native_token = LayerZeroEndpointV2Client::new(env, &Self::endpoint(env)).native_token();
-        let transfer_amount = Self::extract_i128(env, second_ctx.args.get(2))?;
+        let transfer_amount = Self::extract_i128(env, third_ctx.args.get(2))?;
 
         // Validate transfer context: must be transfer with matching value and native token contract
-        if second_ctx.fn_name != Symbol::new(env, "transfer")
-            || second_ctx.contract != native_token
+        if third_ctx.fn_name != Symbol::new(env, "transfer")
+            || third_ctx.contract != native_token
             || transfer_amount != value
         {
             return Err(ExecutorError::UnauthorizedContext);

package/contracts/workers/executor/src/executor.rs

@@ -9,11 +9,10 @@ use common_macros::{contract_impl, lz_contract};
 use endpoint_v2::{FeeRecipient, LayerZeroEndpointV2Client, Origin};
 use fee_lib_interfaces::{ExecutorFeeLibClient, FeeParams};
 use message_lib_common::interfaces::ILayerZeroExecutor;
-use soroban_sdk::{token::TokenClient, vec, Address, Bytes, BytesN, Env, Vec};
+use soroban_sdk::{token::TokenClient, vec, Address, Bytes, BytesN, Env, Symbol, Vec};
 use utils::option_ext::OptionExt;
 use worker::{
-    assert_acl, assert_not_paused, assert_supported_message_lib, errors::WorkerError, init_worker, require_admin_auth,
-    Worker,
+    assert_acl, assert_not_paused, assert_supported_message_lib, init_worker, require_admin_auth, Worker, WorkerError,
 };
 
 /// LayerZero Executor contract for cross-chain message execution.
@@ -69,6 +68,32 @@ impl LzExecutor {
         require_admin_auth::<Self>(env, admin);
         TokenClient::new(env, token).transfer(&env.current_contract_address(), to, &amount);
     }
+
+    /// Registers an executor helper contract with its allowed function names.
+    ///
+    /// The executor helper is an intermediary contract that calls `executor.require_auth()`
+    /// before delegating to OApp functions. The registered address and function names are
+    /// used by `validate_auth_contexts` to verify authorization contexts.
+    ///
+    /// # Arguments
+    /// * `admin` - Admin address (must provide authorization)
+    /// * `helper` - The executor helper contract address
+    /// * `allowed_functions` - Function names the helper is allowed to invoke (e.g., "execute", "compose")
+    pub fn set_executor_helper(env: &Env, admin: &Address, helper: &Address, allowed_functions: &Vec<Symbol>) {
+        require_admin_auth::<Self>(env, admin);
+        ExecutorStorage::set_executor_helper(
+            env,
+            &crate::storage::ExecutorHelperConfig {
+                address: helper.clone(),
+                allowed_functions: allowed_functions.clone(),
+            },
+        );
+    }
+
+    /// Returns the registered executor helper configuration.
+    pub fn executor_helper(env: &Env) -> Option<crate::storage::ExecutorHelperConfig> {
+        ExecutorStorage::executor_helper(env)
+    }
 }
 
 // ============================================================================

package/contracts/workers/executor/src/lib.rs

@@ -1,9 +1,11 @@
 #![no_std]
 
-pub mod errors;
 pub mod events;
-pub mod interfaces;
 
+mod errors;
+mod interfaces;
+
+pub use errors::*;
 pub use interfaces::*;
 
 cfg_if::cfg_if! {

package/contracts/workers/executor/src/storage.rs

@@ -1,8 +1,21 @@
 use common_macros::storage;
-use soroban_sdk::Address;
+use soroban_sdk::{contracttype, Address, Vec, Symbol};
 
 use crate::DstConfig;
 
+/// Configuration for a registered executor helper contract.
+///
+/// Stores the helper contract address and the set of function names
+/// that the executor is allowed to authorize calls through.
+#[contracttype]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct ExecutorHelperConfig {
+    /// The executor helper contract address.
+    pub address: Address,
+    /// Allowed function names on the helper (e.g., "execute", "compose", "native_drop_and_execute").
+    pub allowed_functions: Vec<Symbol>,
+}
+
 /// Storage keys for the Executor contract.
 ///
 /// Manages persistent storage for destination configurations and instance storage
@@ -21,4 +34,11 @@ pub enum ExecutorStorage {
     /// Used for receive-flow operations to interact with the endpoint.
     #[instance(Address)]
     Endpoint,
+
+    /// Executor helper configuration (address + allowed function names).
+    ///
+    /// Used by `validate_auth_contexts` to verify that auth contexts
+    /// originate from a registered helper contract with permitted functions.
+    #[instance(ExecutorHelperConfig)]
+    ExecutorHelper,
 }

package/contracts/workers/executor/src/tests/auth.rs

@@ -31,7 +31,7 @@ fn check_auth(
 }
 
 #[test]
-fn test_check_auth_allows_lz_receive_value_zero_single_context() {
+fn test_check_auth_allows_lz_receive_value_zero() {
     let env = Env::default();
     let admin_kp = Ed25519KeyPair::generate();
     let admin_addr = admin_kp.address(&env);
@@ -40,18 +40,21 @@ fn test_check_auth_allows_lz_receive_value_zero_single_context() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
-    // Executor auth expects `lz_receive`/`lz_compose` contexts and requires the last arg to be `value: i128`.
-    // Use value = 0 so only a single context is required.
-    let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
+    // Helper context + lz_receive with value = 0 → 2 contexts
     let oapp = Address::generate(&setup.env);
-    let auth_contexts: Vec<Context> = vec![&setup.env, contract_ctx(&setup.env, oapp, "lz_receive", args)];
+    let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
+    let auth_contexts: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp, "lz_receive", args),
+    ];
 
     let res = check_auth(&setup, &payload, sig, &auth_contexts);
     assert!(res.is_ok(), "Expected success, got {:?}", res);
 }
 
 #[test]
-fn test_check_auth_allows_lz_compose_value_zero_single_context() {
+fn test_check_auth_allows_lz_compose_value_zero() {
     let env = Env::default();
     let admin_kp = Ed25519KeyPair::generate();
     let admin_addr = admin_kp.address(&env);
@@ -60,9 +63,14 @@ fn test_check_auth_allows_lz_compose_value_zero_single_context() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
-    let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
+    // Helper context + lz_compose with value = 0 → 2 contexts
     let composer = Address::generate(&setup.env);
-    let auth_contexts: Vec<Context> = vec![&setup.env, contract_ctx(&setup.env, composer, "lz_compose", args)];
+    let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
+    let auth_contexts: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "compose", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, composer, "lz_compose", args),
+    ];
 
     let res = check_auth(&setup, &payload, sig, &auth_contexts);
     assert!(res.is_ok(), "Expected success, got {:?}", res);
@@ -78,6 +86,7 @@ fn test_check_auth_allows_value_transfer_when_value_nonzero() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
+    // Helper context + lz_receive with value != 0 + transfer → 3 contexts
     let value: i128 = 123;
     let oapp = Address::generate(&setup.env);
     let exec_args: Vec<Val> = vec![&setup.env, value.into_val(&setup.env)];
@@ -89,6 +98,7 @@ fn test_check_auth_allows_value_transfer_when_value_nonzero() {
 
     let auth_contexts: Vec<Context> = vec![
         &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
         contract_ctx(&setup.env, oapp, "lz_receive", exec_args),
         contract_ctx(&setup.env, setup.native_token.clone(), "transfer", transfer_args),
     ];
@@ -134,7 +144,11 @@ fn test_check_auth_rejects_signature_mismatch() {
 
     let oapp = Address::generate(&setup.env);
     let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
-    let contexts: Vec<Context> = vec![&setup.env, contract_ctx(&setup.env, oapp, "lz_receive", args)];
+    let contexts: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp, "lz_receive", args),
+    ];
 
     let res = check_auth(&setup, &payload, sig, &contexts);
     assert!(matches!(res, Err(Err(_))), "Expected host error, got {:?}", res);
@@ -150,7 +164,11 @@ fn test_check_auth_rejects_non_admin() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let oapp = Address::generate(&setup.env);
     let args: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
-    let contexts: Vec<Context> = vec![&setup.env, contract_ctx(&setup.env, oapp, "lz_receive", args)];
+    let contexts: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp, "lz_receive", args),
+    ];
 
     // Unauthorized: signer not in admins list
     let non_admin_kp = Ed25519KeyPair::generate();
@@ -177,11 +195,12 @@ fn test_check_auth_rejects_empty_or_too_many_contexts() {
     let empty: Vec<Context> = Vec::new(&setup.env);
     assert_eq!(check_auth(&setup, &payload, sig.clone(), &empty), Err(Ok(ExecutorError::UnauthorizedContext)));
 
-    // Too many contexts (>2)
+    // Too many contexts (>3)
     let oapp = Address::generate(&setup.env);
     let args0: Vec<Val> = vec![&setup.env, 0i128.into_val(&setup.env)];
     let too_many: Vec<Context> = vec![
         &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
         contract_ctx(&setup.env, oapp.clone(), "lz_receive", args0.clone()),
         contract_ctx(&setup.env, oapp.clone(), "lz_receive", args0.clone()),
         contract_ctx(&setup.env, oapp, "lz_receive", args0),
@@ -210,7 +229,7 @@ fn test_check_auth_rejects_non_contract_first_context() {
 }
 
 #[test]
-fn test_check_auth_rejects_invalid_execute_fn_name() {
+fn test_check_auth_rejects_invalid_helper_fn_name() {
     let env = Env::default();
     let admin_kp = Ed25519KeyPair::generate();
     let admin_addr = admin_kp.address(&env);
@@ -219,10 +238,23 @@ fn test_check_auth_rejects_invalid_execute_fn_name() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
+    // Helper context with unregistered function name
     let oapp = Address::generate(&setup.env);
-    let bad_fn: Vec<Context> =
-        vec![&setup.env, contract_ctx(&setup.env, oapp, "not_allowed", vec![&setup.env, 0i128.into_val(&setup.env)])];
-    assert_eq!(check_auth(&setup, &payload, sig, &bad_fn), Err(Ok(ExecutorError::UnauthorizedContext)));
+    let bad_fn: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "not_allowed", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp, "lz_receive", vec![&setup.env, 0i128.into_val(&setup.env)]),
+    ];
+    assert_eq!(check_auth(&setup, &payload, sig.clone(), &bad_fn), Err(Ok(ExecutorError::UnauthorizedContext)));
+
+    // Wrong helper address
+    let wrong_helper = Address::generate(&setup.env);
+    let bad_addr: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, wrong_helper, "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, Address::generate(&setup.env), "lz_receive", vec![&setup.env, 0i128.into_val(&setup.env)]),
+    ];
+    assert_eq!(check_auth(&setup, &payload, sig, &bad_addr), Err(Ok(ExecutorError::UnauthorizedContext)));
 }
 
 #[test]
@@ -265,13 +297,17 @@ fn test_check_auth_rejects_execute_missing_or_wrong_value_type() {
 
     let oapp = Address::generate(&setup.env);
 
-    // Execute path requires last arg to be i128 value
-    let missing_value: Vec<Context> =
-        vec![&setup.env, contract_ctx(&setup.env, oapp.clone(), "lz_receive", Vec::new(&setup.env))];
+    // lz_receive requires last arg to be i128 value
+    let missing_value: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp.clone(), "lz_receive", Vec::new(&setup.env)),
+    ];
     assert_eq!(check_auth(&setup, &payload, sig.clone(), &missing_value), Err(Ok(ExecutorError::UnauthorizedContext)));
 
     let wrong_value_type: Vec<Context> = vec![
         &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
         contract_ctx(
             &setup.env,
             oapp,
@@ -295,6 +331,7 @@ fn test_check_auth_rejects_value_zero_with_extra_context() {
     let oapp = Address::generate(&setup.env);
     let value_zero_with_transfer: Vec<Context> = vec![
         &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
         contract_ctx(&setup.env, oapp, "lz_receive", vec![&setup.env, 0i128.into_val(&setup.env)]),
         contract_ctx(
             &setup.env,
@@ -325,8 +362,11 @@ fn test_check_auth_rejects_value_nonzero_missing_transfer_context() {
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
     let oapp = Address::generate(&setup.env);
-    let value_nonzero_missing_transfer: Vec<Context> =
-        vec![&setup.env, contract_ctx(&setup.env, oapp, "lz_receive", vec![&setup.env, 1i128.into_val(&setup.env)])];
+    let value_nonzero_missing_transfer: Vec<Context> = vec![
+        &setup.env,
+        contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env)),
+        contract_ctx(&setup.env, oapp, "lz_receive", vec![&setup.env, 1i128.into_val(&setup.env)]),
+    ];
     assert_eq!(
         check_auth(&setup, &payload, sig, &value_nonzero_missing_transfer),
         Err(Ok(ExecutorError::UnauthorizedContext))
@@ -343,6 +383,7 @@ fn test_check_auth_rejects_invalid_transfer_context() {
     let payload = BytesN::from_array(&setup.env, &[1u8; 32]);
     let sig = mk_sig(&setup, &admin_kp, &payload);
 
+    let helper_ctx: Context = contract_ctx(&setup.env, setup.executor_helper.clone(), "execute", Vec::new(&setup.env));
     let oapp = Address::generate(&setup.env);
     let base_exec: Context = contract_ctx(&setup.env, oapp, "lz_receive", vec![&setup.env, 5i128.into_val(&setup.env)]);
     let transfer_args: Vec<Val> = vec![
@@ -355,6 +396,7 @@ fn test_check_auth_rejects_invalid_transfer_context() {
     // Wrong transfer fn name
     let wrong_transfer_fn: Vec<Context> = vec![
         &setup.env,
+        helper_ctx.clone(),
         base_exec.clone(),
         contract_ctx(&setup.env, setup.native_token.clone(), "not_transfer", transfer_args.clone()),
     ];
@@ -366,6 +408,7 @@ fn test_check_auth_rejects_invalid_transfer_context() {
     // Wrong transfer contract
     let wrong_transfer_contract: Vec<Context> = vec![
         &setup.env,
+        helper_ctx.clone(),
         base_exec.clone(),
         contract_ctx(&setup.env, Address::generate(&setup.env), "transfer", transfer_args.clone()),
     ];
@@ -377,6 +420,7 @@ fn test_check_auth_rejects_invalid_transfer_context() {
     // Wrong transfer amount (must match value)
     let wrong_transfer_amount: Vec<Context> = vec![
         &setup.env,
+        helper_ctx,
         base_exec,
         contract_ctx(
             &setup.env,

package/contracts/workers/executor/src/tests/executor.rs

@@ -4,7 +4,7 @@ use crate::events::{DstConfigSet, NativeDropApplied};
 use endpoint_v2::{FeeRecipient, Origin};
 use soroban_sdk::{testutils::Address as _, vec, Address, Bytes, BytesN, IntoVal};
 use utils::testing_utils::assert_contains_event;
-use worker::errors::WorkerError;
+use worker::WorkerError;
 
 // =============================================================================
 // Construction

package/contracts/workers/executor/src/tests/setup.rs

@@ -8,6 +8,7 @@ use soroban_sdk::{
     vec, Address, BytesN, Env, IntoVal, Symbol, Val, Vec,
 };
 
+use crate::storage::ExecutorHelperConfig;
 use crate::{DstConfig, LzExecutor, LzExecutorClient, NativeDropParams, SetDstConfigParam};
 use fee_lib_interfaces::FeeParams;
 
@@ -108,6 +109,7 @@ pub struct TestSetup<'a> {
     pub owner: Address,
     pub admins: Vec<Address>,
     pub endpoint: Address,
+    pub executor_helper: Address,
     pub send_lib: Address,
     pub price_feed: Address,
     pub worker_fee_lib: Address,
@@ -163,6 +165,21 @@ impl<'a> TestSetup<'a> {
         );
         let client = LzExecutorClient::new(&env, &contract_id);
 
+        // Register executor helper config directly in storage
+        let executor_helper = Address::generate(&env);
+        let allowed_functions: Vec<Symbol> = vec![
+            &env,
+            Symbol::new(&env, "execute"),
+            Symbol::new(&env, "compose"),
+            Symbol::new(&env, "native_drop_and_execute"),
+        ];
+        env.as_contract(&contract_id, || {
+            crate::storage::ExecutorStorage::set_executor_helper(
+                &env,
+                &ExecutorHelperConfig { address: executor_helper.clone(), allowed_functions },
+            );
+        });
+
         Self {
             env,
             contract_id,
@@ -170,6 +187,7 @@ impl<'a> TestSetup<'a> {
             owner,
             admins,
             endpoint,
+            executor_helper,
             send_lib,
             price_feed,
             worker_fee_lib,

package/contracts/workers/executor-fee-lib/src/lib.rs

@@ -1,8 +1,11 @@
 #![no_std]
 
-pub mod errors;
 pub mod executor_option;
 
+mod errors;
+
+pub use errors::*;
+
 cfg_if::cfg_if! {
     // Include implementation when NOT in library mode, OR when testutils is enabled (for tests)
     if #[cfg(any(not(feature = "library"), feature = "testutils"))] {

package/contracts/workers/executor-helper/src/executor_helper.rs

@@ -42,17 +42,11 @@ pub struct ExecutorHelper;
 impl ExecutorHelper {
     /// Executes `lz_receive` on the target OApp
     pub fn execute(env: &Env, executor: &Address, params: &ExecutionParams, value_payer: &Address) {
+        executor.require_auth();
         if params.value != 0 {
-            transfer_value(env, value_payer, executor, params.value);
+            value_payer.require_auth();
         }
-        LayerZeroReceiverClient::new(env, &params.receiver).lz_receive(
-            executor,
-            &params.origin,
-            &params.guid,
-            &params.message,
-            &params.extra_data,
-            &params.value,
-        );
+        Self::execute_internal(env, executor, params, value_payer);
     }
 
     /// Records a failed `lz_receive` execution for off-chain processing.
@@ -73,7 +67,9 @@ impl ExecutorHelper {
 
     /// Executes `lz_compose` on the target composer
     pub fn compose(env: &Env, executor: &Address, params: &ComposeParams, value_payer: &Address) {
+        executor.require_auth();
         if params.value != 0 {
+            value_payer.require_auth();
             transfer_value(env, value_payer, executor, params.value);
         }
         LayerZeroComposerClient::new(env, &params.to).lz_compose(
@@ -128,8 +124,26 @@ impl ExecutorHelper {
         native_drop_params: &Vec<NativeDropParams>,
         execute_params: &ExecutionParams,
     ) {
+        executor.require_auth();
+        admin.require_auth();
         Self::native_drop(env, executor, admin, origin, dst_eid, oapp, native_drop_params);
-        Self::execute(env, executor, execute_params, admin);
+        Self::execute_internal(env, executor, execute_params, admin);
+    }
+
+    /// Internal execute logic without auth checks.
+    /// Callers (`execute` / `native_drop_and_execute`) are responsible for authorization.
+    fn execute_internal(env: &Env, executor: &Address, params: &ExecutionParams, value_payer: &Address) {
+        if params.value != 0 {
+            transfer_value(env, value_payer, executor, params.value);
+        }
+        LayerZeroReceiverClient::new(env, &params.receiver).lz_receive(
+            executor,
+            &params.origin,
+            &params.guid,
+            &params.message,
+            &params.extra_data,
+            &params.value,
+        );
     }
 }