Decentralization
47 posts


CawChallengeRelay
#CAW replaced bulk replication with CawChallengeRelay — a contract that sits idle during normal ops. If someone disputes a submission on an archive chain, anyone calls relayChallenge(). The correct hash comes directly from CawActions. Fraud-proof on demand.

processActionSingle
#CAW replaced the implicit self-call pattern in safeProcessActions with an explicit processActionSingle() entry point. require(msg.sender == address(this), 'Only self') — clear, auditable, no ambiguity about who can trigger it.

Checkpoint 128→32
#CAW cut its checkpoint interval from 128 to 32 actions. More granular checkpoints = pack ~25 batches (~800 actions) into one LayerZero message. Worst case: 18KB per checkpoint. Typical case: ~2.4KB. Flexible, efficient cross-chain history.

Packed Calldata
#CAW's processActions now uses a custom binary format instead of ABI-encoded structs. Each action packs into tight consecutive bytes, deserialized with raw assembly. Result: ~50% less gas, ~60% less calldata. The validator does more with less.

Wallet Auth With Timestamp Freshness
To verify wallet ownership in #CAW, the signed message includes the current Unix timestamp. The backend validates the message is under 5 minutes old AND not from the future. Reuse of stolen signatures is blocked. Clean anti-replay on the auth flow.
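One way to implement the freshness check the post above describes, as an added example in plain Node.js that is not #CAW's backend code: the message layout (a `Timestamp:` line holding Unix seconds), the five-minute window and the zero tolerance for future timestamps are assumptions taken from the post; signature recovery itself is left out.

```javascript
// Added example, not #CAW's backend code. The message layout below
// ("Timestamp: <unix seconds>" on its own line) is an assumption.
const MAX_AGE_SECONDS = 5 * 60; // post: message must be under 5 minutes old

// Pull the Unix timestamp out of the signed message text.
// Returns null if the line is missing or not a plain integer.
function extractTimestamp(message) {
  const match = /^Timestamp:\s*(\d{1,12})\s*$/m.exec(message);
  if (!match) return null;
  const ts = Number(match[1]);
  return Number.isSafeInteger(ts) ? ts : null;
}

// Freshness gate run before the signature is accepted.
// nowSeconds is injectable so the check is deterministic under test.
function checkFreshness(message, nowSeconds = Math.floor(Date.now() / 1000)) {
  const ts = extractTimestamp(message);
  if (ts === null) return { ok: false, reason: 'missing-timestamp' };
  // A timestamp ahead of the server clock is rejected outright: a
  // pre-dated signature would otherwise stay valid until that time arrives.
  if (ts > nowSeconds) return { ok: false, reason: 'future' };
  const age = nowSeconds - ts;
  // At or beyond the window: a captured signature cannot be replayed later.
  if (age >= MAX_AGE_SECONDS) return { ok: false, reason: 'stale', age };
  return { ok: true, reason: 'fresh', age };
}

// Replay scenario: a message accepted at captureSeconds is presented
// again at replaySeconds; true means the second attempt is rejected.
function replayBlocked(message, captureSeconds, replaySeconds) {
  return checkFreshness(message, captureSeconds).ok &&
    !checkFreshness(message, replaySeconds).ok;
}
```

Freshness alone still leaves a window of under five minutes in which a captured signature is valid; binding the message to a server-issued nonce or session closes that gap.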

ReentrancyGuard on Every Fund Movement
#CAW's NFT marketplace applies nonReentrant to EVERY function that moves funds: buy, buyWithToken, placeBid, settleAuction, withdrawBid, reclaimBid, acceptOffer. Not one ETH or ERC-20 transfer without the guard. That's how it should be done.

File Extension Derived from MIME Type
In #CAW file uploads, the extension is NOT taken from the user-supplied filename. It's derived from the MIME type via an internal map: MIME_TO_EXT['image/jpeg'] = '.jpg'. Unknown types get '.bin'. Classic path manipulation vector eliminated.

In #CAW, your withdraw fee is locked at first deposit. If an operator raises fees later, you pay the lower of current vs locked: min(locked, current). Existing depositors can't be retroactively penalized. Fairness enforced by code

Pull Pattern for Bid Refunds
In #CAW English auctions, outbid funds are NOT pushed back immediately. They go to pendingReturns[bidder][listingId] for the bidder to pull when ready. Classic pull pattern: eliminates the reentrancy vector on refunds entirely. Well thought out.

Anti-Snipe in English Auctions
#CAW's marketplace has anti-snipe protection: a bid placed in the last 10 minutes of an English auction automatically extends the deadline by 10 minutes. Plus a 5% minimum bid increment (500 bps). No last-second sniping advantage. Details matter.

Tiered Rate Limiting by Auth Status
#CAW applies different rate limits for authenticated vs unauth users. Uploads: 10/day without session, 30/15min with verified wallet. Short URLs: 10/day vs 60/15min. Session check uses Redis async. Fair model that incentivizes wallet connection.

CORS Configured from Env Variables
#CAW's CORS config is not hardcoded. It reads from process.env.ALLOWED_ORIGINS, split by comma. In production, empty var = block all origins. Wildcard '*' only works if NODE_ENV is 'development'. Correct separation of config from code.
