From 0c1ebdccce28b774e4ea24a77367916e2682c2ce Mon Sep 17 00:00:00 2001 From: mootz12 Date: Wed, 11 Feb 2026 15:25:03 -0500 Subject: [PATCH] fix: clarify root auth rationale for cross-contract calls --- docs/build/guides/auth/contract-authorization.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/build/guides/auth/contract-authorization.mdx b/docs/build/guides/auth/contract-authorization.mdx index 6072aa210e..ff280523fa 100644 --- a/docs/build/guides/auth/contract-authorization.mdx +++ b/docs/build/guides/auth/contract-authorization.mdx @@ -252,7 +252,7 @@ To illustrate how to add authorization to a simple cross-contract invocation, we The invoking contract in the mentioned example contract creates a client for invoking the `add()` function in the addition contract. Let’s say we want the `add()` contract to be authorized by a user. Then, we need to pass the user to the `add()` contract function from the invoking function. -Even though the invoking function may not require the user’s authorization, the `add()` function will panic if it encounters authorization not tied to the root/top contract invocation. Therefore, we need to use `require_auth()` on the user in the invoking function. +Even though the invoking function may not require the user’s authorization, it's recommended to authorize the user at the entry point. Without that, the authorized inner `add()` call can be front-run by anyone without being wrapped in `add_with()`. Adding `require_auth()` at the entry point ensures that all the inner contract calls that are authorized on behalf of user will be executed atomically together with the entry point call. Therefore, we need to use `require_auth()` on the user in the invoking function. This is how the function looks: