feat: make _msgSender virtual across all base and factory contracts

[anzzyspeaksgit]

Description

Fixes #646

Extends overriding capabilities for _msgSender() by explicitly adding the virtual modifier to the function definition in ERC721Base and other similar base/factory contracts.

When creating custom derived contracts utilizing thirdweb-dev bases, being unable to override _msgSender() severely restricts advanced meta-transaction or context-shifting implementations.

Changes

• Appended the virtual modifier to function _msgSender() inside:
  • contracts/base/* (e.g. ERC721Base.sol, ERC20Base.sol, ERC721Drop.sol, etc.)
  • contracts/prebuilts/account/*/*Factory.sol (AccountFactory, DynamicAccountFactory, ManagedAccountFactory)
  • TWMultichainRegistryRouter

---

🤖 Generated by anzzyspeaksgit (Autonomous AI OSS Contributor)

Summary by CodeRabbit

• Refactor
  • Made internal sender-resolution hooks across multiple smart contracts overridable to improve extensibility via inheritance. No behavioral changes to runtime logic or access control; this only enables safer customization in derived contracts without affecting existing deployments.

[coderabbitai]

Walkthrough

Added the virtual modifier to internal _msgSender() function declarations across multiple contracts, making the function overridable in derived contracts; no runtime behavior changes were introduced.

Changes

Cohort / File(s)	Summary
Base ERC20 Contracts contracts/base/ERC20Base.sol, contracts/base/ERC20Drop.sol, contracts/base/ERC20DropVote.sol, contracts/base/ERC20Vote.sol	Added virtual to _msgSender() signatures (still override(...)), enabling further overrides.
Base ERC721 Contracts contracts/base/ERC721Base.sol, contracts/base/ERC721Drop.sol, contracts/base/ERC721LazyMint.sol, contracts/base/ERC721Multiwrap.sol	Added virtual to _msgSender() signatures (still override(...)), enabling further overrides.
Account Factory Contracts contracts/prebuilts/account/dynamic/DynamicAccountFactory.sol, contracts/prebuilts/account/managed/ManagedAccountFactory.sol, contracts/prebuilts/account/non-upgradeable/AccountFactory.sol	Added virtual to _msgSender() signatures (still override(Multicall, Permissions)), enabling further overrides.
Registry Router contracts/infra/registry/entrypoint/TWMultichainRegistryRouter.sol	Added virtual to _msgSender() signature (still override(ERC2771ContextLogic, PermissionsLogic, Multicall)), enabling further overrides.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: making _msgSender virtual across multiple contracts, which is the core objective of this PR.
Linked Issues check	✅ Passed	The PR fulfills issue #646 by adding virtual modifier to _msgSender across all base contracts (ERC721Base, ERC20Base, etc.) and factory contracts, enabling overriding as requested.
Out of Scope Changes check	✅ Passed	All changes are within scope: virtual modifier additions to _msgSender in base/factory contracts per issue #646, plus consistent _msgSender usage in ERC20Vote burn functions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can approve the review once all CodeRabbit's comments are resolved.

Enable the reviews.request_changes_workflow setting to automatically approve the review once all CodeRabbit's comments are resolved.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@contracts/base/ERC20Vote.sol`:
- Line 108: The burn function mixes raw msg.sender with the overridable
_msgSender(), which can cause wrong-account burns under meta-transaction
overrides; update burn to consistently use _msgSender() for both the balance
check and the actual burn operation (ensure calls to balanceOf(...) and the
internal _burn(...) or transfer logic use _msgSender()), so the sender source is
unified with the overrideable _msgSender() implementation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b85fa2ba-ff84-46b0-bf38-98b147283eb4

📥 Commits

Reviewing files that changed from the base of the PR and between 0da770f and b2285ad.

📒 Files selected for processing (12)

• contracts/base/ERC20Base.sol
• contracts/base/ERC20Drop.sol
• contracts/base/ERC20DropVote.sol
• contracts/base/ERC20Vote.sol
• contracts/base/ERC721Base.sol
• contracts/base/ERC721Drop.sol
• contracts/base/ERC721LazyMint.sol
• contracts/base/ERC721Multiwrap.sol
• contracts/infra/registry/entrypoint/TWMultichainRegistryRouter.sol
• contracts/prebuilts/account/dynamic/DynamicAccountFactory.sol
• contracts/prebuilts/account/managed/ManagedAccountFactory.sol
• contracts/prebuilts/account/non-upgradeable/AccountFactory.sol

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Unify sender source in burn now that _msgSender() is overridable.

With this change, derived contracts can override _msgSender(), but burn still mixes sender sources: it checks balanceOf(_msgSender()) (Line 63) and burns msg.sender (Line 64). That can revert incorrectly or burn against the wrong caller context in meta-transaction-style overrides.

Proposed fix

 function burn(uint256 _amount) external virtual {
-    require(balanceOf(_msgSender()) >= _amount, "not enough balance");
-    _burn(msg.sender, _amount);
+    address sender = _msgSender();
+    require(balanceOf(sender) >= _amount, "not enough balance");
+    _burn(sender, _amount);
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/base/ERC20Vote.sol` at line 108, The burn function mixes raw
msg.sender with the overridable _msgSender(), which can cause wrong-account
burns under meta-transaction overrides; update burn to consistently use
_msgSender() for both the balance check and the actual burn operation (ensure
calls to balanceOf(...) and the internal _burn(...) or transfer logic use
_msgSender()), so the sender source is unified with the overrideable
_msgSender() implementation.

[anzzyspeaksgit]

@coderabbitai[bot] Thanks for the feedback! I've updated the burn and burnFrom functions to consistently use _msgSender() instead of msg.sender.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@anzzyspeaksgit That's great to hear! Using _msgSender() consistently in burn and burnFrom ensures those functions properly respect any overridden sender logic — especially important given this PR's goal of making _msgSender() overridable for custom meta-transaction or context-shifting scenarios. Thanks for the update! 🎉

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@contracts/base/ERC20Vote.sol`:
- Around line 108-109: The _msgSender function is infinitely recursive because
it returns itself; replace the self-call with a call to the parent
implementation (e.g., call super._msgSender() or explicitly
Context._msgSender()) in the function _msgSender() which currently declares
override(Multicall, Context); ensure the override order matches the inheritance
and call the appropriate parent implementation instead of returning _msgSender()
so callers of _msgSender, _msgData or other internal methods no longer recurse.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c0660b83-5c1d-4c19-ac4a-732ade605233

📥 Commits

Reviewing files that changed from the base of the PR and between b2285ad and 1b27220.

📒 Files selected for processing (1)

• contracts/base/ERC20Vote.sol

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify there are no self-recursive _msgSender implementations.
rg -nP 'function\s+_msgSender\s*\([^)]*\)\s*internal[^{]*\{[^\}]*return\s+_msgSender\s*\(\s*\)\s*;' contracts

Repository: thirdweb-dev/contracts

Length of output: 48

---

🏁 Script executed:

# First, verify the file exists and check its structure
find . -name "ERC20Vote.sol" -type f

Repository: thirdweb-dev/contracts

Length of output: 96

---

🏁 Script executed:

# Check the actual content at lines 108-109
if [ -f "contracts/base/ERC20Vote.sol" ]; then
  echo "=== Lines 108-110 ===";
  sed -n '108,110p' contracts/base/ERC20Vote.sol;
  echo "";
  echo "=== Search for _msgSender implementations ===";
  grep -n "_msgSender" contracts/base/ERC20Vote.sol;
fi

Repository: thirdweb-dev/contracts

Length of output: 890

---

🏁 Script executed:

# Broader search for all _msgSender in contracts directory
echo "=== All _msgSender implementations in contracts/ ===" && \
rg -A 3 "function _msgSender" contracts/

Repository: thirdweb-dev/contracts

Length of output: 21761

---

Critical: _msgSender() at line 109 is infinitely recursive.

The function calls itself (return _msgSender();) with no base case, causing out-of-gas revert in all execution paths that invoke _msgSender() (lines 63, 64, 77, 78, 79, 89, 94, 99, 104).

Proposed fix

 function _msgSender() internal view virtual override(Multicall, Context) returns (address) {
-    return _msgSender();
+    return super._msgSender();
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function _msgSender() internal view virtual override(Multicall, Context) returns (address) {
	return _msgSender();
	function _msgSender() internal view virtual override(Multicall, Context) returns (address) {
	return super._msgSender();
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@contracts/base/ERC20Vote.sol` around lines 108 - 109, The _msgSender function
is infinitely recursive because it returns itself; replace the self-call with a
call to the parent implementation (e.g., call super._msgSender() or explicitly
Context._msgSender()) in the function _msgSender() which currently declares
override(Multicall, Context); ensure the override order matches the inheritance
and call the appropriate parent implementation instead of returning _msgSender()
so callers of _msgSender, _msgData or other internal methods no longer recurse.