chore: Add OpenZeppelin example #199

Open
wants to merge 1 commit into
base: next

claudioantonio (Contributor) commented Jan 30, 2025

@claudioantonio claudioantonio added the a-examples Area: examples label Jan 30, 2025
@claudioantonio claudioantonio self-assigned this Jan 30, 2025

vercel bot commented Jan 30, 2025

The latest updates on your projects.

| Name | Status | Updated (UTC) |
| --- | --- | --- |
| bug-buster | ✅ Ready | Jan 30, 2025 5:22pm |

guidanoli (Contributor) left a comment

It would be nice to have a valid exploit to test the bounty and add that to the unit test bench in Lua. Instead of deploying and sending a transaction to an exploit contract, we could have the exploit contract be a Forge script, which would allow us to broadcast transactions on behalf of any EOA, including the contract owner. We could avoid the long compilation process by defining a minimal Vm interface with just the functions we need. What do you think?

@claudioantonio (Contributor, Author)

> It would be nice to have a valid exploit to test the bounty and add that to the unit test bench in Lua.

No doubt!

> Instead of deploying and sending a transaction to an exploit contract, we could have the exploit contract be a Forge script, which would allow us to broadcast transactions on behalf of any EOA, including the contract owner. We could avoid the long compilation process by defining a minimal Vm interface with just the functions we need. What do you think?

The long compilation time is only a problem when doing it inside the machine. 😉

doubt: You mentioned above this test improvement as a "nice to have" thing and I agree. Do you think we should delay the publishing of the second tutorial until we implement this test improvement?

@guidanoli (Contributor)

> The long compilation time is only a problem when doing it inside the machine.

You're right, but if the exploit is now a Forge script, the hacker would have to use vm.startBroadcast to send their transaction, which would require them to either use the forge-std lib built into the Cartesi Machine, or define a trimmed-down version of it.

> Do you think we should delay the publishing of the second tutorial until we implement this test improvement?

I do think it is important to test code before publishing it, yes.
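
The "minimal Vm interface" idea from the thread, sketched as an added example; it is not code from this pull request or from the project. The target interface `IOwnedTarget`, the contract name `OwnerBroadcastScript` and the `run` arguments are hypothetical, and the assumption is that the test bench treats a revert as a failed attempt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Trimmed-down stand-in for forge-std's Vm: only the cheatcodes this script calls.
interface Vm {
    function startBroadcast(address signer) external;
    function stopBroadcast() external;
}

// Hypothetical bounty target (assumption): a contract with single-step ownership.
interface IOwnedTarget {
    function owner() external view returns (address);
    function transferOwnership(address newOwner) external;
}

contract OwnerBroadcastScript {
    // Foundry exposes its cheatcodes at this fixed, derived address.
    Vm internal constant vm =
        Vm(address(uint160(uint256(keccak256("hevm cheat code")))));

    // Entry point; both arguments are supplied by whoever invokes the script.
    function run(address target, address newOwner) external {
        IOwnedTarget t = IOwnedTarget(target);
        address currentOwner = t.owner();
        require(newOwner != address(0), "new owner is zero");
        require(newOwner != currentOwner, "nothing to change");

        // Calls between start/stop are recorded as transactions from currentOwner.
        // Sending them needs a node that accepts that sender (a local test
        // node with unlocked accounts); on a real network it needs the key.
        vm.startBroadcast(currentOwner);
        t.transferOwnership(newOwner);
        vm.stopBroadcast();

        // Revert unless the state change is observable, so the caller (the
        // test bench, by assumption) can treat a revert as a failed attempt.
        require(t.owner() == newOwner, "owner unchanged");
    }
}
```

Because the script imports nothing, compiling it does not pull in forge-std, which is the compilation cost the thread is trying to avoid.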
