Native Cartridge Slot integration, built-in relayer, and security hardening in cavos-account — offset-injection protection, cross-provider issuer binding, and self-revocation guard.
We're shipping v1.1.9 of the Cavos React SDK along with a round of security hardening in cavos-account. This release introduces native Cartridge Slot support and closes two potential attack vectors in the Cairo contract.
Cartridge Slot is a private, fee-free Katana chain forked from Starknet mainnet. It is purpose-built for games and high-throughput apps that need instant, zero-cost transactions — no gas sponsorship required.
Starting with v1.1.9, the Cavos SDK natively supports Slot. Users authenticate with Google or Apple as usual, their wallet is deployed on mainnet, and the SDK automatically mirrors it to your Slot instance. From that point on, every executeOnSlot() call goes directly to the Slot chain — instant and free.
Use cases:
Configuring Slot takes a single field:
```tsx
<CavosProvider
  config={{
    appId: 'your-app-id',
    network: 'mainnet',
    paymasterApiKey: 'your-key',
    slot: {
      rpcUrl: 'https://api.cartridge.gg/x/your-project/katana',
    },
  }}
>
  {/* your app */}
</CavosProvider>
```
Then use executeOnSlot() anywhere you'd use execute():
```ts
const { execute, executeOnSlot } = useCavos();

// Mainnet — gas sponsored by Cavos Paymaster
await execute(settlementCall);

// Slot — instant, free
await executeOnSlot(gameMoveCall);
```
The first call to executeOnSlot() deploys the account on Slot and registers the session key. Every subsequent call goes straight through.
Registering a session key on Slot requires a relayer to submit the first transaction via execute_from_outside_v2 (JWT verification calls call_contract, which is not allowed inside __validate__). The SDK now ships with a built-in Cavos relayer for this purpose — developers don't need to configure anything.
If you were on an early build that required relayer credentials, remove them:
```ts
slot: {
  rpcUrl: 'https://api.cartridge.gg/x/your-project/katana',
  // relayerAddress and relayerPrivateKey — no longer accepted
}
```
By default, the SDK fetches the chain ID from the Slot RPC on the first call. If you want to skip that round-trip or use a local Katana with a custom chain ID, pin it explicitly:
```ts
slot: {
  rpcUrl: 'https://api.cartridge.gg/x/your-project/katana',
  chainId: '0x534e5f4d41494e', // optional — omit to auto-detect
}
```
The following fixes are live in the deployed cavos-account contract. No action required from SDK users — the SDK already targets the correct class hash.
JWT claims (exp, iss, sub, nonce, kid) are extracted by offset from the raw JWT byte array. Previously the contract trusted the caller-supplied offset, so an offset pointing at an arbitrary position in the token could make a claim check read attacker-controlled bytes instead of the real claim value.
The fix adds assert_json_key_prefix(), which validates that the bytes immediately before the provided offset form the expected JSON key:
```cairo
// For the "exp" claim, the bytes at offset-7..offset must be:
// 34 'e' 'x' 'p' 34 ':' ' '  →  "exp":
fn assert_json_key_prefix(jwt_bytes: @ByteArray, value_offset: u32, key: felt252) {
    // Checks that the field key appears exactly before the value in the raw JWT.
    // Panics on mismatch — prevents any offset-crafting attack.
}
```
This is applied to every claim verified during JWT validation.
A JWKS registry entry now carries a provider field that must match the JWT's iss claim:
```cairo
assert!(jwks_key.provider == jwt_iss, "Key/issuer provider mismatch");
```
Without this check, a compromised JWKS key registered for one provider (e.g., Apple) could be used to forge a valid JWT for another provider (e.g., Google), enabling cross-provider account takeover. The binding closes this vector.
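The two checks above, the key-prefix guard from the offset-injection fix and the issuer binding from this section, modelled in TypeScript as an added example (this is not the cavos-account contract or the Cavos SDK's own code). It assumes the checks can be shown on the decoded claim JSON text rather than the raw token bytes the contract reads, and that keys are serialised as `"key": ` with a space after the colon, as in the contract comment; the sample payload, registry entries and kid values are constructed.

```typescript
// Added example, not Cavos code: a TypeScript model of two checks in the
// hardened cavos-account contract. Assumption: we start from the decoded
// claim JSON text instead of the raw token bytes the contract works on.

type Bytes = number[];

// ASCII text -> byte array (the sample claim JSON is plain ASCII).
function asciiBytes(s: string): Bytes {
  return Array.from(s, (c) => c.charCodeAt(0));
}

// Mirrors assert_json_key_prefix(): the bytes just before value_offset must be
// `"<key>": ` (quote, key, quote, colon, space), i.e. key.length + 4 bytes.
// For "exp" that is bytes offset-7..offset, as in the contract comment.
function assertJsonKeyPrefix(jwt: Bytes, valueOffset: number, key: string): void {
  const prefix = asciiBytes(`"${key}": `);
  if (valueOffset < prefix.length) {
    throw new Error(`offset ${valueOffset} too small for key "${key}"`);
  }
  const start = valueOffset - prefix.length;
  for (let i = 0; i < prefix.length; i++) {
    if (jwt[start + i] !== prefix[i]) {
      throw new Error(`JSON key prefix mismatch for "${key}" at offset ${valueOffset}`);
    }
  }
}

// Read the JSON scalar starting at `offset`: a quoted string, or a bare
// number/literal running up to the next ',' or '}'.
function readValueAt(jwt: Bytes, offset: number): string {
  const QUOTE = 0x22, COMMA = 0x2c, RBRACE = 0x7d;
  let end = offset;
  if (jwt[offset] === QUOTE) {
    end = offset + 1;
    while (end < jwt.length && jwt[end] !== QUOTE) end++;
    return String.fromCharCode(...jwt.slice(offset + 1, end));
  }
  while (end < jwt.length && jwt[end] !== COMMA && jwt[end] !== RBRACE) end++;
  return String.fromCharCode(...jwt.slice(offset, end));
}

// Offset-based claim extraction with the key-prefix guard applied first.
function extractClaim(jwt: Bytes, key: string, valueOffset: number): string {
  assertJsonKeyPrefix(jwt, valueOffset, key);
  return readValueAt(jwt, valueOffset);
}

// What an honest caller supplies: the offset just past the claim's `"key": `.
function offsetOf(payloadJson: string, key: string): number {
  const idx = payloadJson.indexOf(`"${key}": `);
  if (idx < 0) throw new Error(`claim "${key}" not present`);
  return idx + key.length + 4;
}

// ---- Cross-provider issuer binding ----------------------------------------
interface JwksEntry {
  kid: string;
  provider: string; // must equal the JWT's iss claim
}

// Mirrors `assert!(jwks_key.provider == jwt_iss, ...)`: a registered key may
// only verify tokens from the issuer it was registered for.
function lookupKeyForIssuer(registry: JwksEntry[], kid: string, iss: string): JwksEntry {
  const key = registry.find((k) => k.kid === kid);
  if (!key) throw new Error(`unknown kid ${kid}`);
  if (key.provider !== iss) throw new Error("Key/issuer provider mismatch");
  return key;
}

// ---- Constructed sample data (not real tokens or keys) --------------------
const SAMPLE_PAYLOAD =
  '{"iss": "https://accounts.google.com", "sub": "user-123", ' +
  '"nonce": "9999999999", "exp": 1700000000}';
const SAMPLE_JWT = asciiBytes(SAMPLE_PAYLOAD);

const SAMPLE_REGISTRY: JwksEntry[] = [
  { kid: "google-kid-1", provider: "https://accounts.google.com" },
  { kid: "apple-kid-1", provider: "https://appleid.apple.com" },
];

// Honest extraction: the offset really points at the exp value.
function honestExp(): string {
  return extractClaim(SAMPLE_JWT, "exp", offsetOf(SAMPLE_PAYLOAD, "exp"));
}

// The guard must reject an "exp" offset that points at the nonce value instead.
function guardRejectsMisdirectedOffset(): boolean {
  try {
    extractClaim(SAMPLE_JWT, "exp", offsetOf(SAMPLE_PAYLOAD, "nonce"));
    return false;
  } catch (err) {
    return err instanceof Error;
  }
}

// The binding must reject a Google-issued token presented with an Apple kid.
function bindingRejectsCrossProviderKey(): boolean {
  const iss = extractClaim(SAMPLE_JWT, "iss", offsetOf(SAMPLE_PAYLOAD, "iss"));
  try {
    lookupKeyForIssuer(SAMPLE_REGISTRY, "apple-kid-1", iss);
    return false;
  } catch (err) {
    return err instanceof Error;
  }
}
```

Both guards fail closed: the prefix check throws before any value is read, so a misdirected offset never yields a claim, and the provider check runs on the key that will verify the signature, so a key registered for one issuer cannot validate a token claiming another.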
revoke_session and emergency_revoke can now only be called by the account itself:
```cairo
assert!(
    get_caller_address() == get_contract_address(),
    "Only self can revoke session"
);
```
This prevents an external contract or EOA from force-revoking sessions on another user's account.
```shell
npm install @cavos/react@1.1.9
```
Reach out on Discord if you run into anything.