Stackup Bounty Workspace

This skill helps you navigate and work with Stackup's bug bounty workspace containing two independent smart contract protocols built with Foundry.

Repository Structure

The workspace contains two independent Foundry projects:

1. **Keystore** (`keystore/`) - Merkle tree-based configuration management for ERC-4337 smart accounts

2. **Forwarding Address** (`forwarding-address/`) - Deterministic address generation for payment attribution

Instructions

When working with this codebase, follow these guidelines:

Build & Test Commands

Both projects use identical Foundry commands. Always run from the project directory (`keystore/` or `forwarding-address/`):

```bash

forge install # Install dependencies

forge build # Compile contracts

forge test # Run all tests

forge test --mt <name> # Run specific test by name

forge test -vvv # Verbose with traces

```

For Keystore, also handle npm dependencies:

```bash

cd keystore && npm install

npm run examples:verify-ucmt # Generate/verify Merkle tree example

```

Keystore Protocol Architecture

Understand the core structure:

**Core**: `src/core/Keystore.sol` - Singleton storing root hashes, handles updates & validation

**Account**: `src/account/KeystoreAccount.sol` - ERC-4337 account using Keystore

**Verifiers**: `src/verifier/` - ECDSA, MultiSig, WebAuthn signature validation

**Libraries**: `src/lib/` - Actions, UserOperation structs, access control

**Key Concepts:**

UCMT nodes: `abi.encodePacked(verifier, config)` (20 bytes verifier + config)

refHash: Permanent configuration reference for deterministic addresses

rootHash: Current Merkle root, updatable via `handleUpdates()`

2D Nonce: `uint192 key | uint64 sequence` for cross-chain replay protection

**Validation Flow:**

```

Account → Keystore.validate() → Verifier.validateData() → returns 0 (success) or 1 (failed)

```

Forwarding Address Protocol Architecture

Minimal proxy pattern:

`ForwardingAddress.sol` - Receives funds, sweeps to receiver

`ForwardingAddressFactory.sol` - CREATE2 factory with `sweepFor()` convenience

**Address Derivation:**

```

keccak256(abi.encode(receiver, salt)) → deterministic clone address

```

Code Style Conventions

When reviewing or writing code:

Solidity version: 0.8.28

Optimizer: 1,000,000 runs

Internal functions: `_prefixed`

Immutable storage: `_prefixed`

Constructor params: `aParam` prefix when matching storage names

Fuzz tests: `testFuzz_` prefix

Use Solady for gas efficiency (LibBytes, MerkleProofLib, ECDSA, WebAuthn, LibClone)

Use ReentrancyGuardTransient for state-modifying external calls

Security Review Focus

When conducting security reviews, prioritize these critical paths:

**Keystore:**

`Keystore.handleUpdates()` - Root hash updates with Merkle proof verification

`Keystore.validate()` - Transaction validation entry point

`Keystore._fetchOrValidateNode()` - Cache vs proof validation logic

`KeystoreAccount._validateSignature()` - ERC-4337 signature handling

**Forwarding Address:**

`ForwardingAddressFactory.sweepFor()` - Deploy + sweep in single call

`ForwardingAddress.sweep()` - ETH/ERC20 transfer logic

Additional Resources

Full Keystore protocol specification: `keystore/doc/spec.md`

Deployed contract addresses are documented for both protocols

Usage Examples

**Run all tests for Keystore:**

```bash

cd keystore

forge test -vvv

```

**Test specific functionality:**

```bash

cd forwarding-address

forge test --mt testFuzz_sweepFor -vvv

```

**Review critical security paths:**

Start by reading the validation flow in `Keystore.validate()` and trace through to the verifier implementations.

Constraints

Both projects are independent Foundry workspaces

Commands must be run from the appropriate project directory

Security review should focus on state-changing functions and Merkle proof validation

Stackup Bounty Workspace

Stackup Bounty Workspace

Repository Structure

Instructions

Build & Test Commands

Keystore Protocol Architecture

Forwarding Address Protocol Architecture

Code Style Conventions

Security Review Focus

Additional Resources

Usage Examples

Constraints

Reviews (0)