Skip to content

[NO-JIRA] - Fix Mainnet Domain signature #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rarcifa wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[NO-JIRA] - Fix Mainnet Domain signature #5

rarcifa wants to merge 4 commits into from

Conversation

@rarcifa
Copy link
Collaborator

@rarcifa rarcifa commented Jan 11, 2026

Title

Fix mainnet X402 payment flow and harden facilitator API typing

Description

This PR fixes a mainnet-only failure in the Facilitator SDK and hardens the API client with strict runtime validation.

Bug Fix: Mainnet EIP-3009 Signature Domain

Mainnet verification was failing because the EIP-712 domain used for USDC.e signing was configured with an incorrect version.

Before

version: '2'

After

version: '1'

Cronos USDC.e implements the EIP-3009 TransferWithAuthorization domain with version "1". Using "2" causes signature verification to fail on mainnet, while testnet appeared to work due to relaxed/local verification.

This change makes mainnet settlement work correctly.

Hard-Typed Facilitator API Responses

The Facilitator HTTP client is now fully runtime-typed using assertion guards:

  • Removes all any usage
  • Parses responses as unknown
  • Validates payload shape before returning
  • Throws descriptive errors on malformed responses

This guarantees that SDK consumers only ever receive correctly shaped data from:

  • /v2/x402/supported
  • /v2/x402/verify
  • /v2/x402/settle

Type Cleanup

Replaced an empty interface alias:

export interface X402PaymentRequirements extends PaymentRequirements {}

with:

export type X402PaymentRequirements = PaymentRequirements;

This avoids @typescript-eslint/no-empty-object-type violations and keeps the type model clean.

Result

Mainnet X402 payments now verify and settle correctly
API client is fully type-safe at runtime
No any, no unsafe casts
No breaking public API changes

Notes for Reviewers

  • Testnet behavior remains unchanged
  • Mainnet now passes /verify with correct EIP-712 domain
  • No dependency changes
  • No API surface changes

@socket-security
Copy link

socket-security bot commented Jan 11, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​crypto.com/​facilitator-client@​1.0.1 ⏵ 1.0.477 +1100100 +193 +3100
Updatednpm/​@​crypto.com/​facilitator-client@​1.0.1 ⏵ 1.0.377 +1100100 +193 +3100

View full report

@rarcifa rarcifa changed the title u [NO-JIRA] - Fix Mainnet Domain signature Jan 11, 2026
@rarcifa rarcifa added the bug Something isn't working label Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rarcifa