Movement Aptos Core has merged a significant protocol enhancement to its confidential assets module, introducing a two-tier auditor model with monotonic epoch tracking. The update establishes a mandatory chain-level auditor, governed at the framework level, layered alongside the existing per-asset auditor mechanism. Both auditor layers now support append-only historical tracking, enabling full reconstruction of which auditor keys were active during any given transfer.
New Architecture
The auditor slot layout has been restructured to enforce a fixed hierarchy: slot [0] is reserved for the chain-level auditor (always required), slot [1] for asset-specific auditors (when configured), and slots [2+] for voluntary auditors selected by the sender. This deterministic ordering is bound into each transfer's cryptographic proof via the Fiat–Shamir transcript, preventing substitution attacks. Every confidential transfer now timestamps the active chain and asset auditor epochs onto its `Transferred` event, preserving an immutable record of which auditor keys covered which transfers.
Validation and Rotation
The `validate_auditors` function now aborts with a new error (`ECHAIN_AUDITOR_NOT_SET`) if the chain auditor is unconfigured, and rejects transfers where auditor slots do not match their corresponding active keys. Auditor rotations on either layer invalidate any pending user transactions signed against the old key but not yet executed, as the proof's transcript is bound to auditor identity. The protocol tracks both `FAController` and `FAConfig` epoch counters and append-only history vectors, recording the activation and deactivation epochs for all historical auditor entries.
Testing and Coverage
The PR includes comprehensive test coverage: 64 passing Move unit tests in `confidential_asset_tests.move` covering chain auditor validation, slot ordering, rotation behavior, and history tracking, plus seven passing Rust e2e tests validating rejection paths and rotation scenarios. Test harnesses have been updated to include a default chain auditor, and new helpers support both happy-path and rejection-scenario testing.