@layerzerolabs/protocol-stellar-v2 0.2.53 → 0.2.55

package/contracts/oapps/counter/integration_tests/setup_uln.rs

@@ -494,24 +494,19 @@ fn setup_chain_workers<'a>(
     let executor_helper = ExecutorHelperClient::new(env, &executor_helper_address);
 
     // Register the executor helper with the executor (address + allowed function names)
-    let allowed_functions: Vec<Symbol> = vec![
-        env,
-        Symbol::new(env, "execute"),
-        Symbol::new(env, "compose"),
-        Symbol::new(env, "native_drop_and_execute"),
-    ];
-    let admin = &infra.admin;
+    let allowed_functions: Vec<Symbol> =
+        vec![env, Symbol::new(env, "execute"), Symbol::new(env, "compose")];
     let lz_executor = LzExecutorClient::new(env, &executor_address);
     env.mock_auths(&[MockAuth {
-        address: admin,
+        address: owner,
         invoke: &MockAuthInvoke {
             contract: &executor_address,
             fn_name: "set_executor_helper",
-            args: (admin, &executor_helper_address, &allowed_functions).into_val(env),
+            args: (&executor_helper_address, &allowed_functions).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    lz_executor.set_executor_helper(admin, &executor_helper_address, &allowed_functions);
+    lz_executor.set_executor_helper(&executor_helper_address, &allowed_functions);
 
     (dvn, dvn2, executor, executor_helper)
 }

package/contracts/workers/dvn/src/auth.rs

@@ -2,9 +2,10 @@ use super::*;
 use crate::{Sender, TransactionAuthData};
 use soroban_sdk::{
     address_payload::AddressPayload,
+    assert_with_error,
     auth::{Context, CustomAccountInterface},
     crypto::Hash,
-    vec, Symbol,
+    Bytes, Symbol,
 };
 
 // ============================================================================
@@ -23,9 +24,12 @@ impl CustomAccountInterface for LzDVN {
         auth_data: Self::Signature,
         auth_contexts: Vec<Context>,
     ) -> Result<(), Self::Error> {
-        let TransactionAuthData { vid, expiration, signatures, sender } = auth_data;
+        let TransactionAuthData { vid, expiration, signatures, sender, preimage } = auth_data;
 
-        // 1. Check VID and expiration
+        // 1. Verify preimage matches signature_payload
+        let invocation = Self::verify_preimage(&env, &signature_payload, &preimage);
+
+        // 2. Check VID and expiration
         if vid != Self::vid(&env) {
             return Err(DvnError::InvalidVid);
         }
@@ -33,21 +37,20 @@ impl CustomAccountInterface for LzDVN {
             return Err(DvnError::AuthDataExpired);
         }
 
-        // 2. Admin verification (`set_admin` bypasses this - allows quorum-only admin changes)
+        // 3. Admin verification (`set_admin` bypasses this - allows quorum-only admin changes)
         let requires_admin = !Self::is_invoking_worker_set_admin(&env, &auth_contexts);
         if requires_admin {
             Self::verify_admin_signature(&env, &sender, &signature_payload)?;
         }
 
-        // 3. Replay protection
-        let calls = Self::extract_contract_calls(&env, &auth_contexts)?;
-        let hash = Self::hash_call_data(&env, vid, expiration, &calls);
+        // 4. Replay protection
+        let hash = Self::hash_call_data(&env, vid, expiration, &invocation);
         if DvnStorage::used_hash(&env, &hash) {
             return Err(DvnError::HashAlreadyUsed);
         }
         DvnStorage::set_used_hash(&env, &hash, &true);
 
-        // 4. MultiSig verification (most expensive - do last)
+        // 5. MultiSig verification (most expensive - do last)
         Self::verify_signatures(&env, &hash, &signatures);
 
         Ok(())
@@ -59,6 +62,17 @@ impl CustomAccountInterface for LzDVN {
 // ============================================================================
 
 impl LzDVN {
+    /// Verifies the preimage matches the host-provided `signature_payload`
+    /// and returns the invocation bytes extracted from it.
+    fn verify_preimage(env: &Env, signature_payload: &Hash<32>, preimage: &Bytes) -> Bytes {
+        let computed = env.crypto().sha256(preimage);
+        assert_with_error!(env, computed.to_bytes() == signature_payload.to_bytes(), DvnError::InvalidPreimage);
+
+        // Skip the 48-byte fixed prefix:
+        // envelope_type (4) + network_id (32) + nonce (8) + expiry_ledger (4) = 48
+        preimage.slice(48..)
+    }
+
     /// Verifies that the sender is an admin with a valid signature.
     ///
     /// # Errors
@@ -78,18 +92,6 @@ impl LzDVN {
         Ok(())
     }
 
-    /// Collects contract calls from the auth contexts.
-    fn extract_contract_calls(env: &Env, auth_contexts: &Vec<Context>) -> Result<Vec<Call>, DvnError> {
-        let mut calls = vec![env];
-        for context in auth_contexts.iter() {
-            let Context::Contract(ctx) = context else {
-                return Err(DvnError::NonContractInvoke);
-            };
-            calls.push_back(Call { to: ctx.contract, func: ctx.fn_name, args: ctx.args });
-        }
-        Ok(calls)
-    }
-
     /// Checks if the first auth context is a call to `set_admin` on this contract.
     ///
     /// Used to allow quorum-only admin changes without requiring existing admin authorization.

package/contracts/workers/dvn/src/dvn.rs

@@ -5,12 +5,12 @@
 //! signatures for authorization and implements Soroban's custom account
 //! interface for transaction signing.
 
-use crate::{errors::DvnError, events::SetDstConfig, storage::DvnStorage, Call, DstConfig, DstConfigParam, IDVN};
+use crate::{errors::DvnError, events::SetDstConfig, storage::DvnStorage, DstConfig, DstConfigParam, IDVN};
 use common_macros::{contract_impl, lz_contract};
 use endpoint_v2::FeeRecipient;
 use fee_lib_interfaces::{DvnFeeLibClient, DvnFeeParams};
 use message_lib_common::interfaces::ILayerZeroDVN;
-use soroban_sdk::{xdr::ToXdr, Address, Bytes, BytesN, Env, Vec};
+use soroban_sdk::{Address, Bytes, BytesN, Env, Vec};
 use utils::{buffer_writer::BufferWriter, multisig, option_ext::OptionExt};
 use worker::{
     assert_acl, assert_not_paused, assert_supported_message_lib, init_worker, require_admin_auth, set_admin_by_admin,
@@ -107,12 +107,12 @@ impl IDVN for LzDVN {
         DvnStorage::vid(env).unwrap()
     }
 
-    /// Computes the hash of call data for multisig signing.
+    /// Computes the hash of invocation data for multisig signing.
     ///
     /// Off-chain signers use this to compute the hash they need to sign.
-    fn hash_call_data(env: &Env, vid: u32, expiration: u64, calls: &Vec<Call>) -> BytesN<32> {
+    fn hash_call_data(env: &Env, vid: u32, expiration: u64, invocation: &Bytes) -> BytesN<32> {
         let mut writer = BufferWriter::new(env);
-        let data = writer.write_u32(vid).write_u64(expiration).write_bytes(&calls.to_xdr(env)).to_bytes();
+        let data = writer.write_u32(vid).write_u64(expiration).write_bytes(invocation).to_bytes();
         env.crypto().keccak256(&data).into()
     }
 }

package/contracts/workers/dvn/src/errors.rs

@@ -5,7 +5,7 @@ pub enum DvnError {
     AuthDataExpired,
     EidNotSupported,
     HashAlreadyUsed,
+    InvalidPreimage,
     InvalidVid,
-    NonContractInvoke,
     OnlyAdmin,
 }

package/contracts/workers/dvn/src/interfaces/dvn.rs

@@ -1,5 +1,5 @@
 use message_lib_common::interfaces::ILayerZeroDVN;
-use soroban_sdk::{auth::CustomAccountInterface, contractclient, contracttype, Address, BytesN, Env, Symbol, Val, Vec};
+use soroban_sdk::{auth::CustomAccountInterface, contractclient, contracttype, Address, Bytes, BytesN, Env, Vec};
 use utils::multisig::MultiSig;
 use worker::Worker;
 
@@ -32,6 +32,9 @@ pub struct TransactionAuthData {
     pub signatures: Vec<BytesN<65>>,
     /// Entity submitting the transaction (admin, or permissionless).
     pub sender: Sender,
+    /// XDR-encoded `HashIdPreimage::SorobanAuthorization` from the auth entry.
+    /// Layout: envelope_type (4) || network_id (32) || nonce (8) || expiry_ledger (4) || invocation (variable).
+    pub preimage: Bytes,
 }
 
 // ============================================================================
@@ -63,20 +66,6 @@ pub struct DstConfigParam {
     pub config: DstConfig,
 }
 
-/// Represents a single contract invocation for multisig authorization.
-///
-/// Used in `hash_call_data` to compute the hash that signers sign over.
-#[contracttype]
-#[derive(Clone, Debug, Eq, PartialEq)]
-pub struct Call {
-    /// Target contract address.
-    pub to: Address,
-    /// Function name to invoke.
-    pub func: Symbol,
-    /// Function arguments.
-    pub args: Vec<Val>,
-}
-
 /// DVN (Decentralized Verifier Network) contract interface.
 ///
 /// Extends the LayerZero DVN interface with destination configuration management
@@ -104,17 +93,17 @@ pub trait IDVN: ILayerZeroDVN + Worker + MultiSig + CustomAccountInterface {
     /// The VID is a unique identifier used in multisig authentication.
     fn vid(env: &Env) -> u32;
 
-    /// Computes the hash of call data for multisig signing.
+    /// Computes the hash of invocation data for multisig signing.
     ///
     /// Off-chain signers use this to compute the hash they need to sign.
-    /// The hash includes the VID, expiration, and the calls being authorized.
+    /// The hash includes the VID, expiration, and the raw invocation XDR.
     ///
     /// # Arguments
     /// * `vid` - Verifier ID (must match contract's VID)
     /// * `expiration` - Expiration timestamp for the authorization
-    /// * `calls` - The contract calls being authorized
+    /// * `invocation` - XDR-encoded `SorobanAuthorizedInvocation` from the auth entry
     ///
     /// # Returns
     /// A 32-byte keccak256 hash to be signed by the multisig quorum
-    fn hash_call_data(env: &Env, vid: u32, expiration: u64, calls: &Vec<Call>) -> BytesN<32>;
+    fn hash_call_data(env: &Env, vid: u32, expiration: u64, invocation: &Bytes) -> BytesN<32>;
 }

package/contracts/workers/dvn/src/tests/auth.rs

@@ -1,11 +1,27 @@
 use crate::{
     errors::DvnError,
     tests::setup::{TestSetup, VID},
-    Sender, TransactionAuthData,
+    LzDVNClient, Sender, TransactionAuthData,
 };
 use ed25519_dalek::{Signer, SigningKey};
 use rand::thread_rng;
-use soroban_sdk::{auth::Context, vec, Bytes, BytesN, Env, IntoVal, Vec};
+use soroban_sdk::{auth::Context, vec, xdr::ToXdr, Bytes, BytesN, Env, IntoVal, Vec};
+use utils::buffer_writer::BufferWriter;
+
+const AUTH_NONCE: i64 = 0;
+const AUTH_EXPIRY_LEDGER: u32 = 10000;
+const ENVELOPE_TYPE_SOROBAN_AUTHORIZATION: u32 = 9;
+
+/// Build the full preimage bytes from auth fields.
+fn build_preimage(env: &Env, auth_nonce: i64, auth_expiry_ledger: u32, invocation: &Bytes) -> Bytes {
+    BufferWriter::new(env)
+        .write_u32(ENVELOPE_TYPE_SOROBAN_AUTHORIZATION)
+        .write_bytes_n(&env.ledger().network_id())
+        .write_i64(auth_nonce)
+        .write_u32(auth_expiry_ledger)
+        .write_bytes(invocation)
+        .to_bytes()
+}
 
 struct Ed25519KeyPair {
     signing_key: SigningKey,
@@ -30,14 +46,16 @@ impl Ed25519KeyPair {
     }
 }
 
-fn hash_auth_data(env: &Env, vid: u32, expiration: u64, auth_contexts: &Vec<Context>) -> BytesN<32> {
-    use soroban_sdk::xdr::ToXdr;
-    let mut data = Bytes::new(env);
-    data.extend_from_array(&vid.to_be_bytes());
-    data.extend_from_array(&expiration.to_be_bytes());
-    data.append(&auth_contexts.to_xdr(env));
-    let hash = env.crypto().keccak256(&data);
-    BytesN::from_array(env, &hash.to_array())
+/// Compute signature_payload = SHA256(preimage) for the given preimage bytes.
+fn compute_signature_payload(env: &Env, preimage: &Bytes) -> BytesN<32> {
+    env.crypto().sha256(preimage).into()
+}
+
+/// Compute call hash for multisig: keccak256(vid || expiration || invocation).
+fn compute_call_hash(env: &Env, vid: u32, expiration: u64, invocation: &Bytes) -> BytesN<32> {
+    let mut writer = BufferWriter::new(env);
+    let data = writer.write_u32(vid).write_u64(expiration).write_bytes(invocation).to_bytes();
+    env.crypto().keccak256(&data).into()
 }
 
 #[test]
@@ -51,11 +69,13 @@ fn test_check_auth_success() {
     let expiration = env.ledger().timestamp() + 1000;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -63,6 +83,7 @@ fn test_check_auth_success() {
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -85,11 +106,13 @@ fn test_check_auth_not_admin() {
     let expiration = env.ledger().timestamp() + 1000;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = non_admin_kp.public_key(&env);
     let signature = non_admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -97,6 +120,7 @@ fn test_check_auth_not_admin() {
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -120,11 +144,13 @@ fn test_check_auth_wrong_signer_fails() {
     let expiration = env.ledger().timestamp() + 1000;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let wrong_sig = crate::tests::key_pair::KeyPair::generate().sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -132,9 +158,9 @@ fn test_check_auth_wrong_signer_fails() {
         expiration,
         signatures: vec![&env, wrong_sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
-    // verify_signatures panics with MultiSigError::SignerNotFound when signer is not found
     let res = env.try_invoke_contract_check_auth::<utils::errors::MultiSigError>(
         &setup.contract_id,
         &payload,
@@ -157,11 +183,13 @@ fn test_check_auth_invalid_vid_fails() {
     let wrong_vid = VID + 1;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, wrong_vid, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, wrong_vid, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -169,6 +197,7 @@ fn test_check_auth_invalid_vid_fails() {
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -192,11 +221,13 @@ fn test_check_auth_expired_fails() {
     let expiration = env.ledger().timestamp();
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -204,6 +235,7 @@ fn test_check_auth_expired_fails() {
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -227,11 +259,13 @@ fn test_check_auth_hash_already_used_fails() {
     let expiration = env.ledger().timestamp() + 1000;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
     let tx_auth = TransactionAuthData {
@@ -239,6 +273,7 @@ fn test_check_auth_hash_already_used_fails() {
         expiration,
         signatures: vec![&env, sig.clone()],
         sender: Sender::Admin(public_key.clone(), signature.clone()),
+        preimage: preimage.clone(),
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -254,6 +289,7 @@ fn test_check_auth_hash_already_used_fails() {
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage,
     };
 
     let res2 = env.try_invoke_contract_check_auth::<DvnError>(
@@ -269,25 +305,21 @@ fn test_check_auth_hash_already_used_fails() {
 #[test]
 fn test_check_auth_sender_none_fails_when_admin_required() {
     extern crate std;
-    use crate::Sender;
 
     let setup = TestSetup::new(1);
     let env = setup.env.clone();
     let expiration = env.ledger().timestamp() + 1000;
     let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
 
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
-    // Use Sender::None which should fail when admin is required
-    let tx_auth = TransactionAuthData {
-        vid: VID,
-        expiration,
-        signatures: vec![&env, sig],
-        sender: Sender::None,
-    };
+    let tx_auth =
+        TransactionAuthData { vid: VID, expiration, signatures: vec![&env, sig], sender: Sender::None, preimage };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
         &setup.contract_id,
@@ -302,14 +334,12 @@ fn test_check_auth_sender_none_fails_when_admin_required() {
 #[test]
 fn test_check_auth_set_admin_bypasses_admin_verification() {
     extern crate std;
-    use crate::{Call, LzDVNClient, Sender};
     use soroban_sdk::{auth::ContractContext, Symbol};
 
     let setup = TestSetup::new(1);
     let env = setup.env.clone();
     let expiration = env.ledger().timestamp() + 1000;
 
-    // Create a context for set_admin call on the DVN contract
     let set_admin_context = Context::Contract(ContractContext {
         contract: setup.contract_id.clone(),
         fn_name: Symbol::new(&env, "set_admin"),
@@ -317,30 +347,16 @@ fn test_check_auth_set_admin_bypasses_admin_verification() {
     });
     let auth_contexts: Vec<Context> = vec![&env, set_admin_context.clone()];
 
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
 
-    // Create Call structs matching what extract_contract_calls would produce
-    let calls: Vec<Call> = vec![
-        &env,
-        Call {
-            to: setup.contract_id.clone(),
-            func: Symbol::new(&env, "set_admin"),
-            args: Vec::new(&env),
-        }
-    ];
-
-    // Use the contract's hash_call_data function directly
     let dvn_client = LzDVNClient::new(&env, &setup.contract_id);
-    let hash = dvn_client.hash_call_data(&VID, &expiration, &calls);
+    let hash = dvn_client.hash_call_data(&VID, &expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
-    // Use Sender::None - should succeed for set_admin since it bypasses admin verification
-    let tx_auth = TransactionAuthData {
-        vid: VID,
-        expiration,
-        signatures: vec![&env, sig],
-        sender: Sender::None,
-    };
+    let tx_auth =
+        TransactionAuthData { vid: VID, expiration, signatures: vec![&env, sig], sender: Sender::None, preimage };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
         &setup.contract_id,
@@ -349,43 +365,41 @@ fn test_check_auth_set_admin_bypasses_admin_verification() {
         &auth_contexts,
     );
 
-    // Should succeed because set_admin bypasses admin verification
     assert!(res.is_ok(), "Expected success for set_admin call, got {:?}", res);
 }
 
 #[test]
-fn test_check_auth_non_contract_context_fails() {
+fn test_check_auth_invalid_signature_payload_fails() {
     extern crate std;
-    use crate::Sender;
-    use soroban_sdk::auth::{ContractExecutable, CreateContractHostFnContext};
-
     let admin_kp = Ed25519KeyPair::generate();
     let admin_bytes = admin_kp.public_key_bytes();
 
     let setup = TestSetup::with_admin_bytes(1, std::vec![admin_bytes]);
     let env = setup.env.clone();
     let expiration = env.ledger().timestamp() + 1000;
+    let auth_contexts: Vec<Context> = Vec::new(&env);
 
-    // Create a non-Contract context (CreateContractHostFn)
-    let non_contract_context = Context::CreateContractHostFn(CreateContractHostFnContext {
-        executable: ContractExecutable::Wasm(BytesN::from_array(&env, &[0; 32])),
-        salt: BytesN::from_array(&env, &[0; 32]),
-    });
-    let auth_contexts: Vec<Context> = vec![&env, non_contract_context];
-
-    let payload = BytesN::from_array(&env, &[0u8; 32]);
+    let invocation = auth_contexts.clone().to_xdr(&env);
+    // Compute the correct payload so admin signature is valid
+    let preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &invocation);
+    let payload = compute_signature_payload(&env, &preimage);
     let public_key = admin_kp.public_key(&env);
     let signature = admin_kp.sign(&env, &payload.to_array());
 
-    // Use empty hash for signatures since we expect early error
-    let hash = hash_auth_data(&env, VID, expiration, &auth_contexts);
+    let hash = compute_call_hash(&env, VID, expiration, &invocation);
     let sig = setup.key_pairs[0].sign_bytes(&env, &hash);
 
+    // Tamper with preimage so it no longer matches the signature_payload
+    let mut tampered_invocation = Bytes::new(&env);
+    tampered_invocation.extend_from_array(&[0u8; 32]);
+    let tampered_preimage = build_preimage(&env, AUTH_NONCE, AUTH_EXPIRY_LEDGER, &tampered_invocation);
+
     let tx_auth = TransactionAuthData {
         vid: VID,
         expiration,
         signatures: vec![&env, sig],
         sender: Sender::Admin(public_key, signature),
+        preimage: tampered_preimage,
     };
 
     let res = env.try_invoke_contract_check_auth::<DvnError>(
@@ -395,6 +409,5 @@ fn test_check_auth_non_contract_context_fails() {
         &auth_contexts,
     );
 
-    // Should fail with NonContractInvoke error
-    assert_eq!(res, Err(Ok(DvnError::NonContractInvoke)));
+    assert_eq!(res, Err(Ok(DvnError::InvalidPreimage)));
 }

package/contracts/workers/executor/src/executor.rs

@@ -5,7 +5,7 @@ use crate::{
     storage::ExecutorStorage,
     NativeDropParams,
 };
-use common_macros::{contract_impl, lz_contract};
+use common_macros::{contract_impl, lz_contract, only_auth};
 use endpoint_v2::{FeeRecipient, LayerZeroEndpointV2Client, Origin};
 use fee_lib_interfaces::{ExecutorFeeLibClient, FeeParams};
 use message_lib_common::interfaces::ILayerZeroExecutor;
@@ -76,11 +76,10 @@ impl LzExecutor {
     /// used by `validate_auth_contexts` to verify authorization contexts.
     ///
     /// # Arguments
-    /// * `admin` - Admin address (must provide authorization)
     /// * `helper` - The executor helper contract address
     /// * `allowed_functions` - Function names the helper is allowed to invoke (e.g., "execute", "compose")
-    pub fn set_executor_helper(env: &Env, admin: &Address, helper: &Address, allowed_functions: &Vec<Symbol>) {
-        require_admin_auth::<Self>(env, admin);
+    #[only_auth]
+    pub fn set_executor_helper(env: &Env, helper: &Address, allowed_functions: &Vec<Symbol>) {
         ExecutorStorage::set_executor_helper(
             env,
             &crate::storage::ExecutorHelperConfig {

package/contracts/workers/executor/src/storage.rs

@@ -12,7 +12,7 @@ use crate::DstConfig;
 pub struct ExecutorHelperConfig {
     /// The executor helper contract address.
     pub address: Address,
-    /// Allowed function names on the helper (e.g., "execute", "compose", "native_drop_and_execute").
+    /// Allowed function names on the helper (e.g., "execute", "compose").
     pub allowed_functions: Vec<Symbol>,
 }
 

package/contracts/workers/executor/src/tests/setup.rs

@@ -167,12 +167,8 @@ impl<'a> TestSetup<'a> {
 
         // Register executor helper config directly in storage
         let executor_helper = Address::generate(&env);
-        let allowed_functions: Vec<Symbol> = vec![
-            &env,
-            Symbol::new(&env, "execute"),
-            Symbol::new(&env, "compose"),
-            Symbol::new(&env, "native_drop_and_execute"),
-        ];
+        let allowed_functions: Vec<Symbol> =
+            vec![&env, Symbol::new(&env, "execute"), Symbol::new(&env, "compose")];
         env.as_contract(&contract_id, || {
             crate::storage::ExecutorStorage::set_executor_helper(
                 &env,