@layerzerolabs/protocol-stellar-v2 0.2.34 → 0.2.36

package/contracts/macro-integration-tests/tests/runtime/multisig/self_auth.rs

@@ -19,7 +19,7 @@ fn authorizer_is_current_contract_address() {
 
     let expected = env.as_contract(&contract_id, || env.current_contract_address());
     let got = client.authorizer();
-    assert_eq!(got, expected);
+    assert_eq!(got, Some(expected));
 }
 
 #[test]

package/contracts/macro-integration-tests/tests/runtime/ownable/initialization.rs

@@ -7,7 +7,7 @@
 
 use super::{TestContract, TestContractClient};
 use soroban_sdk::{testutils::Address as _, Address, Env};
-use utils::errors::OwnableError;
+use utils::errors::{AuthError, OwnableError};
 
 #[test]
 fn init_and_query() {
@@ -52,9 +52,12 @@ fn uninitialized_returns_none() {
     // No init() call - owner should be None
     assert_eq!(client.owner(), None);
 
-    // All owner-protected operations should fail
-    assert_eq!(client.try_authorizer().unwrap_err().unwrap(), OwnableError::OwnerNotSet.into());
-    assert_eq!(client.try_guarded().unwrap_err().unwrap(), OwnableError::OwnerNotSet.into());
+    // authorizer() returns None when owner is not set (no panic)
+    assert_eq!(client.authorizer(), None);
+
+    // guarded() uses require_auth -> AuthorizerNotFound when authorizer is None
+    assert_eq!(client.try_guarded().unwrap_err().unwrap(), AuthError::AuthorizerNotFound.into());
+    // transfer/renounce use enforce_owner_auth -> OwnerNotSet when owner is None
     assert_eq!(
         client.try_transfer_ownership(&Address::generate(&env)).unwrap_err().unwrap(),
         OwnableError::OwnerNotSet.into()
@@ -71,5 +74,5 @@ fn authorizer_returns_owner() {
     let owner = Address::generate(&env);
     client.init(&owner);
 
-    assert_eq!(client.authorizer(), owner);
+    assert_eq!(client.authorizer(), Some(owner));
 }

package/contracts/macro-integration-tests/tests/runtime/ownable/ownership_transfer.rs

@@ -10,7 +10,7 @@ use soroban_sdk::{
     xdr::{ScErrorCode, ScErrorType},
     Address, Env, Error, IntoVal,
 };
-use utils::errors::OwnableError;
+use utils::errors::{AuthError, OwnableError};
 use utils::ownable::{OwnershipRenounced, OwnershipTransferred};
 use utils::testing_utils::assert_eq_event;
 
@@ -161,7 +161,7 @@ fn renounce_clears_owner() {
             },
         }])
         .try_guarded();
-    assert_eq!(guarded_result.unwrap_err().unwrap(), OwnableError::OwnerNotSet.into());
+    assert_eq!(guarded_result.unwrap_err().unwrap(), AuthError::AuthorizerNotFound.into());
 
     assert_eq!(
         client.try_transfer_ownership(&Address::generate(&env)).unwrap_err().unwrap(),

package/contracts/macro-integration-tests/tests/runtime/rbac/guard_behavior.rs

@@ -0,0 +1,91 @@
+use super::{TestContract, TestContractClient};
+use soroban_sdk::{
+    testutils::{Address as _, MockAuth, MockAuthInvoke},
+    xdr::{ScErrorCode, ScErrorType},
+    Address, Env, Error, IntoVal,
+};
+
+#[test]
+fn has_role_allows_member_and_rejects_non_member() {
+    let env = Env::default();
+    let contract_id = env.register(TestContract, ());
+    let client = TestContractClient::new(&env, &contract_id);
+
+    let admin = Address::generate(&env);
+    let minter = Address::generate(&env);
+    let other = Address::generate(&env);
+
+    client.init(&admin, &minter);
+
+    // Member call should succeed.
+    client.has_role_guarded(&minter);
+
+    // Non-member call should fail with RBAC Unauthorized.
+    let res = client.try_has_role_guarded(&other);
+    assert_eq!(res.err().unwrap().ok().unwrap(), utils::errors::RbacError::Unauthorized.into());
+}
+
+#[test]
+fn only_role_enforces_require_auth_and_role_membership() {
+    let env = Env::default();
+    let contract_id = env.register(TestContract, ());
+    let client = TestContractClient::new(&env, &contract_id);
+
+    let admin = Address::generate(&env);
+    let minter = Address::generate(&env);
+    let other = Address::generate(&env);
+
+    client.init(&admin, &minter);
+
+    // 1) Role holder without auth should fail at `require_auth()`.
+    let no_auth = client.try_only_role_guarded(&minter);
+    assert_eq!(
+        no_auth.unwrap_err().unwrap(),
+        Error::from_type_and_code(ScErrorType::Context, ScErrorCode::InvalidAction)
+    );
+
+    // 2) With auth but role missing, should fail with RBAC Unauthorized.
+    let missing_role_with_auth = client
+        .mock_auths(&[MockAuth {
+            address: &other,
+            invoke: &MockAuthInvoke {
+                contract: &contract_id,
+                fn_name: "only_role_guarded",
+                args: (&other,).into_val(&env),
+                sub_invokes: &[],
+            },
+        }])
+        .try_only_role_guarded(&other);
+    assert_eq!(missing_role_with_auth.err().unwrap().ok().unwrap(), utils::errors::RbacError::Unauthorized.into());
+
+    // 3) With auth + role, should succeed.
+    client
+        .mock_auths(&[MockAuth {
+            address: &minter,
+            invoke: &MockAuthInvoke {
+                contract: &contract_id,
+                fn_name: "only_role_guarded",
+                args: (&minter,).into_val(&env),
+                sub_invokes: &[],
+            },
+        }])
+        .only_role_guarded(&minter);
+}
+
+#[test]
+fn only_role_checks_role_before_require_auth() {
+    let env = Env::default();
+    let contract_id = env.register(TestContract, ());
+    let client = TestContractClient::new(&env, &contract_id);
+
+    let admin = Address::generate(&env);
+    let minter = Address::generate(&env);
+    let other = Address::generate(&env);
+
+    client.init(&admin, &minter);
+
+    // No auth, no role: current macro expansion checks role first, so this should
+    // return RBAC Unauthorized (not an auth error).
+    let res = client.try_only_role_guarded(&other);
+    assert_eq!(res.err().unwrap().ok().unwrap(), utils::errors::RbacError::Unauthorized.into());
+}

package/contracts/macro-integration-tests/tests/runtime/rbac/mod.rs

@@ -0,0 +1,30 @@
+use soroban_sdk::{contract, contractimpl, Address, Env, Symbol};
+
+mod guard_behavior;
+
+const MINTER_ROLE: &str = "minter";
+
+#[contract]
+pub struct TestContract;
+
+#[contractimpl]
+impl TestContract {
+    /// Test helper to deterministically grant the minter role to `minter`.
+    ///
+    /// This is intentionally unguarded; it is only used in integration tests.
+    pub fn init(env: Env, admin: Address, minter: Address) {
+        let role = Symbol::new(&env, MINTER_ROLE);
+        utils::rbac::grant_role_no_auth(&env, &minter, &role, &admin);
+    }
+
+    #[common_macros::has_role(caller, MINTER_ROLE)]
+    pub fn has_role_guarded(env: &Env, caller: Address) {
+        let _ = (env, caller);
+    }
+
+    #[common_macros::only_role(caller, MINTER_ROLE)]
+    pub fn only_role_guarded(env: &Env, caller: Address) {
+        let _ = (env, caller);
+    }
+}
+

package/contracts/macro-integration-tests/tests/runtime/ttl_configurable/configuration.rs

@@ -14,7 +14,7 @@ use soroban_sdk::{
 };
 use utils::testing_utils::assert_eq_event;
 use utils::ttl_configurable::TtlConfigsSet;
-use utils::{errors::{OwnableError, TtlConfigurableError}, ttl_configurable::TtlConfig};
+use utils::{errors::{AuthError, TtlConfigurableError}, ttl_configurable::TtlConfig};
 
 #[contract]
 #[ttl_configurable]
@@ -98,7 +98,7 @@ fn set_before_init_fails_with_owner_not_set() {
     let instance = Some(TtlConfig::new(1, 2));
     let persistent = None::<TtlConfig>;
     let err = client.try_set_ttl_configs(&instance, &persistent).unwrap_err().unwrap();
-    assert_eq!(err, OwnableError::OwnerNotSet.into());
+    assert_eq!(err, AuthError::AuthorizerNotFound.into());
 }
 
 #[test]

package/contracts/macro-integration-tests/tests/runtime/upgradeable/migrate_guard_and_state.rs

@@ -14,7 +14,7 @@ use soroban_sdk::{
     Address, Bytes, BytesN, Env, Error, IntoVal, Val,
 };
 use utils::upgradeable::{UpgradeableInternal, UpgradeableStorage};
-use utils::errors::OwnableError;
+use utils::errors::AuthError;
 
 // A small, known-good contract WASM used for upgrade() testing.
 // Sourced from the `upgrader` crate test fixtures.
@@ -192,10 +192,10 @@ fn upgrade_and_migrate_fail_before_owner_init() {
     let contract_id = env.register(TestContract, ());
     let client = TestContractClient::new(&env, &contract_id);
 
-    // Without owner initialization, authorizer lookup fails (OwnableError::OwnerNotSet),
+    // Without owner initialization, authorizer lookup fails (AuthError::AuthorizerNotFound),
     // which should surface as a contract error (not Context/InvalidAction).
     let hash = BytesN::<32>::from_array(&env, &[7u8; 32]);
-    assert_eq!(client.try_upgrade(&hash).unwrap_err().unwrap(), OwnableError::OwnerNotSet.into());
+    assert_eq!(client.try_upgrade(&hash).unwrap_err().unwrap(), AuthError::AuthorizerNotFound.into());
 
     // Even if migrating is set, migrate() still fails before init because auth can't resolve authorizer.
     env.as_contract(&contract_id, || {
@@ -204,7 +204,7 @@ fn upgrade_and_migrate_fail_before_owner_init() {
     let migration_data = 1u32.to_xdr(&env);
     assert_eq!(
         client.try_migrate(&migration_data).unwrap_err().unwrap(),
-        OwnableError::OwnerNotSet.into()
+        AuthError::AuthorizerNotFound.into()
     );
 }
 

package/contracts/macro-integration-tests/tests/ui/lz_contract/pass/basic.rs

@@ -20,7 +20,7 @@ impl MyContract {
 
     pub fn smoke(env: Env) {
         // Auth impl exists (provided by ownable/multisig, here: ownable).
-        let _authorizer: Address = <Self as utils::auth::Auth>::authorizer(&env);
+        let _authorizer: Option<Address> = <Self as utils::auth::Auth>::authorizer(&env);
         let _owner: Option<Address> = <Self as utils::ownable::Ownable>::owner(&env);
 
         let _cfg: (Option<TtlConfig>, Option<TtlConfig>) = Self::ttl_configs(&env);

package/contracts/macro-integration-tests/tests/ui/ownable/pass/basic.rs

@@ -22,7 +22,7 @@ impl MyContract {
         <Self as utils::ownable::OwnableInitializer>::init_owner(&env, &owner);
 
         // Auth impl exists (type-check only).
-        let _authorizer: Address = <Self as utils::auth::Auth>::authorizer(&env);
+        let _authorizer: Option<Address> = <Self as utils::auth::Auth>::authorizer(&env);
 
         // Ownable trait impl exists (type-check only).
         let _owner: Option<Address> = <Self as utils::ownable::Ownable>::owner(&env);

package/contracts/macro-integration-tests/tests/ui/rbac/fail/missing_env.rs

@@ -0,0 +1,18 @@
+// UI (trybuild) negative test: `#[has_role]` requires an `Env` parameter.
+
+use soroban_sdk::{contract, contractimpl, Address};
+
+#[contract]
+pub struct MyContract;
+
+#[contractimpl]
+impl MyContract {
+    // Intentionally missing `Env`: should fail during macro expansion.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn bad(caller: Address) {
+        let _ = caller;
+    }
+}
+
+fn main() {}
+

package/contracts/macro-integration-tests/tests/ui/rbac/fail/missing_env.stderr

@@ -0,0 +1,16 @@
+error: custom attribute panicked
+  --> tests/ui/rbac/fail/missing_env.rs:11:5
+   |
+11 |     #[common_macros::has_role(caller, "minter")]
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = help: message: function must have an Env argument
+
+error[E0599]: no function or associated item named `bad` found for struct `MyContract` in the current scope
+  --> tests/ui/rbac/fail/missing_env.rs:12:12
+   |
+ 6 | pub struct MyContract;
+   | --------------------- function or associated item `bad` not found for this struct
+...
+12 |     pub fn bad(caller: Address) {
+   |            ^^^ function or associated item not found in `MyContract`

package/contracts/macro-integration-tests/tests/ui/rbac/fail/param_not_address.rs

@@ -0,0 +1,18 @@
+// UI (trybuild) negative test: `#[has_role]` requires the named parameter to be `Address` or `&Address`.
+
+use soroban_sdk::{contract, contractimpl, Env};
+
+#[contract]
+pub struct MyContract;
+
+#[contractimpl]
+impl MyContract {
+    // `caller` exists but is not an Address type.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn bad(env: Env, caller: u32) {
+        let _ = (env, caller);
+    }
+}
+
+fn main() {}
+

package/contracts/macro-integration-tests/tests/ui/rbac/fail/param_not_address.stderr

@@ -0,0 +1,24 @@
+error: custom attribute panicked
+  --> tests/ui/rbac/fail/param_not_address.rs:11:5
+   |
+11 |     #[common_macros::has_role(caller, "minter")]
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = help: message: Parameter `caller` must be of type `Address` or `&Address`
+
+warning: unused import: `Env`
+ --> tests/ui/rbac/fail/param_not_address.rs:3:43
+  |
+3 | use soroban_sdk::{contract, contractimpl, Env};
+  |                                           ^^^
+  |
+  = note: `#[warn(unused_imports)]` on by default
+
+error[E0599]: no function or associated item named `bad` found for struct `MyContract` in the current scope
+  --> tests/ui/rbac/fail/param_not_address.rs:12:12
+   |
+ 6 | pub struct MyContract;
+   | --------------------- function or associated item `bad` not found for this struct
+...
+12 |     pub fn bad(env: Env, caller: u32) {
+   |            ^^^ function or associated item not found in `MyContract`

package/contracts/macro-integration-tests/tests/ui/rbac/fail/param_not_found.rs

@@ -0,0 +1,18 @@
+// UI (trybuild) negative test: `#[has_role]` requires the first arg to name a parameter in the signature.
+
+use soroban_sdk::{contract, contractimpl, Address, Env};
+
+#[contract]
+pub struct MyContract;
+
+#[contractimpl]
+impl MyContract {
+    // Macro names `caller` but the signature uses `account`.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn bad(env: Env, account: Address) {
+        let _ = (env, account);
+    }
+}
+
+fn main() {}
+

package/contracts/macro-integration-tests/tests/ui/rbac/fail/param_not_found.stderr

@@ -0,0 +1,24 @@
+error: custom attribute panicked
+  --> tests/ui/rbac/fail/param_not_found.rs:11:5
+   |
+11 |     #[common_macros::has_role(caller, "minter")]
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |
+   = help: message: Parameter `caller` not found in function signature
+
+warning: unused import: `Env`
+ --> tests/ui/rbac/fail/param_not_found.rs:3:52
+  |
+3 | use soroban_sdk::{contract, contractimpl, Address, Env};
+  |                                                    ^^^
+  |
+  = note: `#[warn(unused_imports)]` on by default
+
+error[E0599]: no function or associated item named `bad` found for struct `MyContract` in the current scope
+  --> tests/ui/rbac/fail/param_not_found.rs:12:12
+   |
+ 6 | pub struct MyContract;
+   | --------------------- function or associated item `bad` not found for this struct
+...
+12 |     pub fn bad(env: Env, account: Address) {
+   |            ^^^ function or associated item not found in `MyContract`

package/contracts/macro-integration-tests/tests/ui/rbac/pass/basic.rs

@@ -0,0 +1,71 @@
+// UI (trybuild) test: `#[has_role]` and `#[only_role]` compile for common signatures.
+//
+// Purpose:
+// - Verifies the RBAC attribute macros can locate an `Env` argument anywhere in the signature.
+// - Verifies both `Address` and `&Address` parameters are accepted.
+// - Verifies role argument can be a literal or const expression.
+
+use soroban_sdk::{contract, Address, Env};
+
+const MINTER_ROLE: &str = "minter";
+
+#[contract]
+pub struct MyContract;
+
+impl MyContract {
+    // Env by reference, Address by value, role literal.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn f1(env: &Env, caller: Address) {
+        let _ = (env, caller);
+    }
+
+    // Env by value, Address by value, role const expr.
+    #[common_macros::has_role(caller, MINTER_ROLE)]
+    pub fn f2(env: Env, caller: Address) {
+        let _ = (env, caller);
+    }
+
+    // Env not first param, Address by value.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn f3(x: u32, env: &Env, caller: Address) {
+        let _ = (x, env, caller);
+    }
+
+    // &Address param is accepted (forwarded without extra borrow).
+    #[common_macros::has_role(caller, "minter")]
+    pub fn f4(env: &Env, caller: &Address) {
+        let _ = (env, caller);
+    }
+
+    // only_role also injects `require_auth()`.
+    #[common_macros::only_role(caller, "minter")]
+    pub fn f5(env: &Env, caller: Address) {
+        let _ = (env, caller);
+    }
+
+    // only_role also injects `require_auth()`.
+    #[common_macros::only_role(caller, MINTER_ROLE)]
+    pub fn f6(env: &Env, caller: Address) {
+        let _ = (env, caller);
+    }
+
+    // Env not first param (only_role).
+    #[common_macros::only_role(caller, "minter")]
+    pub fn f7(x: u32, env: &Env, caller: Address) {
+        let _ = (x, env, caller);
+    }
+
+    // Qualified Env + Address types are accepted.
+    #[common_macros::has_role(caller, "minter")]
+    pub fn f8(env: &soroban_sdk::Env, caller: soroban_sdk::Address) {
+        let _ = (env, caller);
+    }
+
+    // Fully-qualified Env path + qualified &Address.
+    #[common_macros::only_role(caller, MINTER_ROLE)]
+    pub fn f9(x: u32, env: ::soroban_sdk::Env, caller: &soroban_sdk::Address) {
+        let _ = (x, env, caller);
+    }
+}
+
+fn main() {}

package/contracts/macro-integration-tests/tests/ui_rbac.rs

@@ -0,0 +1,12 @@
+#[test]
+fn ui_rbac() {
+    // Important: set this before trybuild::TestCases::new() so each shard has
+    // its own trybuild project directory + lock + artifacts.
+    let target_dir = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("target/trybuild-shards/ui_rbac");
+    std::env::set_var("CARGO_TARGET_DIR", target_dir.as_os_str());
+
+    let t = trybuild::TestCases::new();
+    t.pass("tests/ui/rbac/**/pass/*.rs");
+    t.compile_fail("tests/ui/rbac/**/fail/*.rs");
+}
+

package/contracts/message-libs/blocked-message-lib/src/lib.rs

@@ -15,12 +15,12 @@
 #[cfg(test)]
 mod tests;
 
-use common_macros::{contract_error, contract_impl};
+use common_macros::contract_error;
 use endpoint_v2::{
     FeesAndPacket, IMessageLib, ISendLib, MessageLibType, MessageLibVersion, MessagingFee, OutboundPacket,
     SetConfigParam,
 };
-use soroban_sdk::{contract, panic_with_error, Address, Bytes, Env, Vec};
+use soroban_sdk::{contract, contractimpl, panic_with_error, Address, Bytes, Env, Vec};
 
 #[contract_error]
 pub enum BlockedMessageLibError {
@@ -31,7 +31,7 @@ pub enum BlockedMessageLibError {
 #[contract]
 pub struct BlockedMessageLib;
 
-#[contract_impl]
+#[contractimpl]
 impl IMessageLib for BlockedMessageLib {
     /// Always panics - config modification is not supported.
     fn set_config(env: &Env, _oapp: &Address, _param: &Vec<SetConfigParam>) {
@@ -59,7 +59,7 @@ impl IMessageLib for BlockedMessageLib {
     }
 }
 
-#[contract_impl]
+#[contractimpl]
 impl ISendLib for BlockedMessageLib {
     /// Always panics - quoting is blocked.
     fn quote(env: &Env, _packet: &OutboundPacket, _options: &Bytes, _pay_in_zro: bool) -> MessagingFee {

package/contracts/message-libs/uln-302/src/send_uln.rs

@@ -45,7 +45,7 @@ impl ISendLib for Uln302 {
 
         // Treasury fee
         let workers_fee = executor_fee + dvns_fee;
-        let (_, treasury_fee) = Self::quote_treasury(env, &packet.sender, packet.dst_eid, &workers_fee, &pay_in_zro);
+        let (_, treasury_fee) = Self::quote_treasury(env, &packet.sender, packet.dst_eid, workers_fee, pay_in_zro);
 
         if pay_in_zro {
             MessagingFee { native_fee: workers_fee, zro_fee: treasury_fee }
@@ -91,7 +91,7 @@ impl ISendLib for Uln302 {
         // Treasury fee
         let total_worker_fee = native_fee_recipients.iter().map(|fee| fee.amount).sum();
         let (treasury_addr, treasury_fee) =
-            Self::quote_treasury(env, &packet.sender, packet.dst_eid, &total_worker_fee, &pay_in_zro);
+            Self::quote_treasury(env, &packet.sender, packet.dst_eid, total_worker_fee, pay_in_zro);
 
         // Handle ZRO fee recipients
         let mut zro_fee_recipients = vec![env];
@@ -280,12 +280,12 @@ impl Uln302 {
         env: &Env,
         sender: &Address,
         dst_eid: u32,
-        workers_fee: &i128,
-        pay_in_zro: &bool,
+        workers_fee: i128,
+        pay_in_zro: bool,
     ) -> (Address, i128) {
         let treasury_addr = Self::treasury(env);
         let treasury_fee =
-            LayerZeroTreasuryClient::new(env, &treasury_addr).get_fee(sender, &dst_eid, workers_fee, pay_in_zro);
+            LayerZeroTreasuryClient::new(env, &treasury_addr).get_fee(sender, &dst_eid, &workers_fee, &pay_in_zro);
         assert_with_error!(env, treasury_fee >= 0, Uln302Error::InvalidFee);
         (treasury_addr, treasury_fee)
     }

package/contracts/oapps/counter/src/counter.rs

@@ -67,6 +67,12 @@ impl Counter {
         }
     }
 
+    #[only_auth]
+    pub fn withdraw(env: &Env, to: &Address, amount: i128) {
+        let native_token = LayerZeroEndpointV2Client::new(env, &Self::endpoint(env)).native_token();
+        TokenClient::new(env, &native_token).transfer(&env.current_contract_address(), to, &amount);
+    }
+
     // ============================================================================================
     // View functions
     // ============================================================================================

package/contracts/oapps/oapp/src/oapp_sender.rs

@@ -3,7 +3,7 @@ use crate::{
     oapp_core::{endpoint_client, get_peer_or_panic, OAppCore},
 };
 use endpoint_v2::{MessagingFee, MessagingParams, MessagingReceipt};
-use soroban_sdk::{token::TokenClient, Address, Bytes, Env};
+use soroban_sdk::{contracttype, token::TokenClient, Address, Bytes, Env};
 use utils::option_ext::OptionExt;
 
 /// The version of the OAppSender implementation.
@@ -22,7 +22,8 @@ pub const SENDER_VERSION: u64 = 1;
 /// - `Verified` — Caller asserts that `require_auth()` has already been called.
 ///   Use this to avoid a duplicate `require_auth()` node in the Soroban auth tree
 ///   (e.g., when the same address was already authorized as the message sender).
-#[derive(Clone)]
+#[contracttype]
+#[derive(Clone, Debug, Eq, PartialEq)]
 pub enum FeePayer {
     /// The fee payer has **not** been authorized yet.
     /// `__lz_send` will call `fee_payer.require_auth()` before transferring fees.

package/contracts/oapps/oft/src/extensions/oft_fee.rs

@@ -122,6 +122,11 @@ pub trait OFTFee: OFTFeeInternal + Auth {
         Self::__effective_fee_bps(env, dst_eid)
     }
 
+    /// Returns true if the OFT has a fee rate greater than 0 for the specified destination
+    fn has_oft_fee(env: &soroban_sdk::Env, dst_eid: u32) -> bool {
+        Self::__effective_fee_bps(env, dst_eid) > 0
+    }
+
     /// Returns the fee deposit address.
     fn fee_deposit_address(env: &soroban_sdk::Env) -> Option<soroban_sdk::Address> {
         Self::__fee_deposit_address(env)

package/contracts/oapps/oft/src/interfaces/mintable.rs

@@ -8,7 +8,7 @@ use soroban_sdk::{contractclient, Address, Env};
 /// for crediting; the OFT calls the token (SAC) directly for burn on debit.
 #[contractclient(name = "MintableClient")]
 pub trait Mintable {
-    /// Mints `amount` tokens to `to`. The `operation` address is the caller (e.g. OFT)
+    /// Mints `amount` tokens to `to`. The `operator` address is the caller (e.g. OFT)
     /// requesting the mint, for use by SAC wrappers that enforce authorization.
-    fn mint(env: &Env, to: &Address, amount: i128, operation: &Address);
+    fn mint(env: &Env, to: &Address, amount: i128, operator: &Address);
 }

package/contracts/oapps/oft/src/oft.rs

@@ -80,21 +80,22 @@ impl OFTInternal for OFT {
     /// Overrides default to add pausable check and fee calculation.
     ///
     /// Dust handling (consistent with EVM):
-    /// - fee = 0: dust stays with sender (amount_sent_ld has dust removed)
-    /// - fee > 0: dust is absorbed into the charged fee (amount_sent_ld is the full amount)
+    /// - no fee: dust stays with sender (amount_sent_ld has dust removed)
+    /// - has fee: dust is absorbed into the charged fee (amount_sent_ld is the full amount)
     fn __debit_view(env: &Env, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> (i128, i128) {
         Self::__assert_not_paused(env);
 
         let conversion_rate = Self::__decimal_conversion_rate(env);
-        let fee = Self::__fee_view(env, dst_eid, amount_ld);
+        let has_fee = Self::has_oft_fee(env, dst_eid);
 
-        let (amount_sent_ld, amount_received_ld) = if fee == 0 {
+        let (amount_sent_ld, amount_received_ld) = if !has_fee {
             // No fee: dust stays with sender (default OFT behavior)
             let amount_sent_ld = oft_utils::remove_dust(amount_ld, conversion_rate);
             (amount_sent_ld, amount_sent_ld)
         } else {
             // With fee: match EVM OFTFee behavior
             // - sender pays full amount_ld (no dust removed), dust is absorbed into the charged fee
+            let fee = Self::__fee_view(env, dst_eid, amount_ld);
             let amount_received_ld = oft_utils::remove_dust(amount_ld - fee, conversion_rate);
             (amount_ld, amount_received_ld)
         };

package/contracts/oapps/oft/src/tests/extensions/oft_fee.rs

@@ -17,8 +17,8 @@ use utils::auth::Auth;
 struct FeeTestContract;
 
 impl Auth for FeeTestContract {
-    fn authorizer(env: &Env) -> Address {
-        env.current_contract_address()
+    fn authorizer(env: &Env) -> Option<Address> {
+        Some(env.current_contract_address())
     }
 }
 

package/contracts/oapps/oft/src/tests/extensions/pausable.rs

@@ -12,8 +12,8 @@ use utils::auth::Auth;
 struct PausableTestContract;
 
 impl Auth for PausableTestContract {
-    fn authorizer(env: &Env) -> Address {
-        env.current_contract_address()
+    fn authorizer(env: &Env) -> Option<Address> {
+        Some(env.current_contract_address())
     }
 }
 

package/contracts/oapps/oft/src/tests/extensions/rate_limiter.rs

@@ -15,8 +15,8 @@ use utils::auth::Auth;
 struct RateLimiterTestContract;
 
 impl Auth for RateLimiterTestContract {
-    fn authorizer(env: &Env) -> Address {
-        env.current_contract_address()
+    fn authorizer(env: &Env) -> Option<Address> {
+        Some(env.current_contract_address())
     }
 }