
Remove receive Id tracking from ERC7786Recipient #6346

Merged
Amxx merged 4 commits into OpenZeppelin:master from Amxx:crosschain/remove-receive-id-tracking
Feb 11, 2026

@Amxx
Collaborator

@Amxx Amxx commented Feb 11, 2026

Fixes 5.6 audit M02

Note: The storage layout error is fine since this was never released.

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run `npx changeset add`)

@Amxx Amxx added this to the 5.6 milestone Feb 11, 2026
@Amxx Amxx requested review from ernestognw and frangio February 11, 2026 12:39
@Amxx Amxx requested a review from a team as a code owner February 11, 2026 12:39
@openzeppelin-security-agent

The latest updates on your security scan. Learn more about OpenZeppelin Platform.

Project Scan Issues Details Updated
Openzeppelin Contracts 🟡 Queued View Feb 11, 2026, 12:39 PM (UTC)

@changeset-bot

changeset-bot bot commented Feb 11, 2026

⚠️ No Changeset found

Latest commit: 22cee7b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai
Contributor

coderabbitai bot commented Feb 11, 2026

Walkthrough

This change removes the internal replay-protection mechanism from the ERC7786Recipient contract that tracked previously processed message IDs using BitMaps storage. The duplicate-message validation logic is eliminated, and a new authorization error is introduced to replace the previous message-already-processed error. The message flow is simplified to directly process messages after gateway authorization, without maintaining state for duplicate receiveId detection.

Suggested labels

crosschain

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title 'Remove receive Id tracking from ERC7786Recipient' directly and clearly describes the main change: eliminating the internal replay-protection mechanism that tracked received message IDs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The pull request description is related to the changeset, referencing a specific audit issue (5.6 audit M02) and describing the removal of receive Id tracking from ERC7786Recipient. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@contracts/crosschain/ERC7786Recipient.sol`:
- Around line 24-25: Update the NatSpec comment for the error
ERC7786RecipientUnauthorizedGateway to fix the typo by changing "is the gateway
is not authorized" to "if the gateway is not authorized" so the doc reads:
"Error thrown if the gateway is not authorized to send messages to this contract
on behalf of the sender." Locate the comment immediately above the error
declaration ERC7786RecipientUnauthorizedGateway and replace the incorrect word.

frangio previously approved these changes Feb 11, 2026
@Amxx Amxx requested a review from frangio February 11, 2026 15:04
Contributor

@gonzaotc gonzaotc left a comment

Would it be a good idea to add a recommendation in the ERC-7786 to implement replay-ability protection in gateways? "A gateway MAY implement replayability protection for unique receiveIds"
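
The gateway-side replay protection suggested in the comment above, shown as an added example that is not part of this thread or of OpenZeppelin Contracts. `receiveMessage` is the ERC-7786 recipient entry point; the `DedupGatewayExample` contract, its `deliver` function, the trusted `relayer` and all error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Recipient entry point as defined by ERC-7786.
interface IERC7786Recipient {
    function receiveMessage(bytes32 receiveId, bytes calldata sender, bytes calldata payload)
        external payable returns (bytes4);
}

// Hypothetical destination-side gateway: it, not the recipient, guarantees
// that each non-zero receiveId is delivered at most once.
contract DedupGatewayExample {
    address public immutable relayer; // assumption: one trusted off-chain relayer
    mapping(bytes32 receiveId => bool) private _delivered;

    error NotRelayer(address caller);
    error ZeroReceiveId();
    error AlreadyDelivered(bytes32 receiveId);
    error InvalidRecipientResponse(address recipient);

    constructor(address relayer_) {
        relayer = relayer_;
    }

    function deliver(bytes32 receiveId, address recipient, bytes calldata sender, bytes calldata payload) external {
        if (msg.sender != relayer) revert NotRelayer(msg.sender);
        // Reject the zero id so a missing identifier never collides with a real one.
        if (receiveId == bytes32(0)) revert ZeroReceiveId();
        if (_delivered[receiveId]) revert AlreadyDelivered(receiveId);

        // Mark before the external call so a reentrant delivery of the same id fails.
        _delivered[receiveId] = true;

        bytes4 result = IERC7786Recipient(recipient).receiveMessage(receiveId, sender, payload);
        // Any revert below also rolls back the mark, so a failed delivery can be retried.
        if (result != IERC7786Recipient.receiveMessage.selector) revert InvalidRecipientResponse(recipient);
    }

    function isDelivered(bytes32 receiveId) external view returns (bool) {
        return _delivered[receiveId];
    }
}
```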

@Amxx Amxx merged commit 1c0c5e5 into OpenZeppelin:master Feb 11, 2026
20 of 21 checks passed
@Amxx Amxx deleted the crosschain/remove-receive-id-tracking branch February 11, 2026 16:54
Amxx added a commit that referenced this pull request Feb 11, 2026
Signed-off-by: Hadrien Croubois <hadrien.croubois@gmail.com>