Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V3.1 audit fixes #255

Merged
merged 52 commits into from
Dec 19, 2024
Merged

V3.1 audit fixes #255

merged 52 commits into from
Dec 19, 2024

Conversation

CostinCarabas
Copy link
Contributor

@CostinCarabas CostinCarabas commented Nov 19, 2024
edited by iulianpascalau
Loading

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 21, 2024
edited
Loading

Coverage Summary

Totals

Count Covered %
Lines 12174 10524 86.45
Regions 1772 1271 71.73
Functions 896 674 75.22
Instantiations 5318 1877 35.30

Files

Expand
File Lines Regions Functions Instantiations
/home/runner/.cargo/git/checkouts/mx-contracts-rs-13011bd47afef959/e72c201/contracts/crowdfunding-esdt/src/crowdfunding_esdt.rs 51.56% 57.14% 77.78% 64.00%
/home/runner/.cargo/git/checkouts/mx-contracts-rs-13011bd47afef959/e72c201/contracts/crowdfunding-esdt/src/crowdfunding_esdt_proxy.rs 100.00% 100.00% 100.00% 100.00%
/bridge-proxy/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/bridge-proxy/src/bridge-proxy.rs 74.38% 71.43% 81.25% 20.26%
/bridge-proxy/src/config.rs 100.00% 66.67% 100.00% 25.68%
/bridge-proxy/src/events.rs 100.00% 66.67% 100.00% 17.65%
/bridge-proxy/tests/bridge_proxy_blackbox_test.rs 97.26% 90.32% 85.00% 85.00%
/bridged-tokens-wrapper/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/bridged-tokens-wrapper/src/dfp_big_uint.rs 50.00% 45.45% 100.00% 40.00%
/bridged-tokens-wrapper/src/events.rs 100.00% 33.33% 100.00% 10.34%
/bridged-tokens-wrapper/src/lib.rs 100.00% 100.00% 100.00% 23.90%
/bridged-tokens-wrapper/tests/bridged_tokens_wrapper_whitebox_test.rs 89.24% 90.32% 89.66% 89.66%
/bridged-tokens-wrapper/tests/scenario_go_test.rs 100.00% 100.00% 100.00% 100.00%
/common/eth-address/src/lib.rs 93.33% 66.67% 88.89% 58.82%
/common/fee-estimator-module/src/lib.rs 100.00% 93.33% 100.00% 33.33%
/common/fee-estimator-module/src/price_aggregator_proxy.rs 6.14% 4.76% 6.67% 13.16%
/common/max-bridged-amount-module/src/lib.rs 100.00% 87.50% 100.00% 33.98%
/common/mock-contracts/mock-bridge-proxy/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-bridge-proxy/src/mock_bridge_proxy.rs 100.00% 33.33% 100.00% 3.70%
/common/mock-contracts/mock-bridged-tokens-wrapper/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-bridged-tokens-wrapper/src/mock_bridged_tokens_wrapper.rs 100.00% 33.33% 100.00% 5.26%
/common/mock-contracts/mock-esdt-safe/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-esdt-safe/src/mock_esdt_safe.rs 25.00% 26.32% 25.00% 16.92%
/common/mock-contracts/mock-multi-transfer-esdt/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-multi-transfer-esdt/src/mock_multi_transfer_esdt.rs 100.00% 100.00% 100.00% 17.31%
/common/mock-contracts/mock-multisig/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-multisig/src/mock_multisig.rs 100.00% 100.00% 100.00% 35.48%
/common/mock-contracts/mock-price-aggregator/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/common/mock-contracts/mock-price-aggregator/src/mock_price_aggregator.rs 100.00% 66.67% 100.00% 25.00%
/common/mock-proxies/src/mock_multisig_proxy.rs 72.41% 62.50% 62.50% 55.56%
/common/sc-proxies/src/bridge_proxy_contract_proxy.rs 67.88% 66.67% 66.67% 55.32%
/common/sc-proxies/src/bridged_tokens_wrapper_proxy.rs 48.04% 47.37% 47.37% 37.74%
/common/sc-proxies/src/crowdfunding_esdt_proxy.rs 0.00% 0.00% 0.00% 0.00%
/common/sc-proxies/src/esdt_safe_proxy.rs 83.59% 64.06% 72.73% 48.94%
/common/sc-proxies/src/multi_transfer_esdt_proxy.rs 70.19% 68.75% 68.75% 46.67%
/common/sc-proxies/src/multisig_proxy.rs 71.44% 52.58% 60.71% 40.28%
/common/storage-module/src/lib.rs 100.00% 88.89% 100.00% 31.54%
/common/token-module/src/lib.rs 89.18% 80.43% 90.48% 34.67%
/common/transaction/src/lib.rs 86.79% 52.94% 70.83% 44.03%
/common/transaction/src/transaction_status.rs 83.33% 66.67% 83.33% 45.10%
/common/tx-batch-module/src/batch_status.rs 66.67% 50.00% 66.67% 20.00%
/common/tx-batch-module/src/lib.rs 95.95% 88.00% 100.00% 28.43%
/common/tx-batch-module/src/tx_batch_mapper.rs 97.14% 93.10% 100.00% 55.00%
/esdt-safe/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/esdt-safe/src/lib.rs 82.61% 65.45% 74.36% 27.54%
/esdt-safe/tests/esdt_safe_blackbox_test.rs 99.19% 83.33% 100.00% 100.00%
/esdt-safe/tests/esdt_safe_scenario_rs_test.rs 100.00% 100.00% 100.00% 100.00%
/esdt-safe/tests/scenario_go_test.rs 100.00% 100.00% 100.00% 100.00%
/multi-transfer-esdt/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/multi-transfer-esdt/src/lib.rs 85.78% 80.36% 85.71% 26.16%
/multi-transfer-esdt/tests/multi_transfer_blackbox_test.rs 91.84% 78.57% 82.35% 82.35%
/multi-transfer-esdt/tests/multi_transfer_esdt_scenario_rs_test.rs 57.14% 30.00% 30.00% 30.00%
/multi-transfer-esdt/tests/scenario_go_test.rs 30.00% 30.00% 30.00% 30.00%
/multisig/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/multisig/src/action.rs 25.00% 22.22% 33.33% 30.77%
/multisig/src/events.rs 100.00% 66.67% 100.00% 29.03%
/multisig/src/lib.rs 89.33% 81.18% 95.24% 36.25%
/multisig/src/multisig_general.rs 98.00% 80.77% 100.00% 46.15%
/multisig/src/queries.rs 65.93% 65.62% 57.89% 15.79%
/multisig/src/setup.rs 99.16% 92.31% 100.00% 31.28%
/multisig/src/storage.rs 100.00% 66.67% 100.00% 33.77%
/multisig/src/user_role.rs 83.33% 72.73% 75.00% 41.67%
/multisig/src/util.rs 96.30% 87.50% 100.00% 44.12%
/multisig/tests/multisig_blackbox_test.rs 100.00% 100.00% 100.00% 100.00%
/multisig/tests/multisig_scenario_rs_test.rs 82.69% 72.73% 72.73% 72.73%
/multisig/tests/scenario_go_test.rs 70.00% 70.00% 70.00% 70.00%
/test-caller/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/test-caller/src/test-caller.rs 0.00% 0.00% 0.00% 0.00%

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 21, 2024
edited
Loading

Contract comparison - from 7eb68ea to fdcecd4

Path                                                                                             size                  has-allocator                     has-format
test-caller.wasm 3802 false without message
esdt-safe.wasm 25531 ➡️ 27249 🔴 false without message
mock-multi-transfer-esdt.wasm 521 false none
mock-multisig.wasm 2186 false none
mock-esdt-safe.wasm 1931 ➡️ 1937 🔴 false without message
mock-price-aggregator.wasm 1099 false none
mock-bridge-proxy.wasm 241 false none
mock-bridged-tokens-wrapper.wasm 942 false none
multi-transfer-esdt.wasm 16519 ➡️ 16906 🔴 false without message
bridge-proxy.wasm 13363 ➡️ 14731 🔴 false without message
bridged-tokens-wrapper.wasm 8781 ➡️ 9037 🔴 false without message
multisig.wasm 28936 ➡️ 29401 🔴 false without message

@CostinCarabas CostinCarabas changed the title V3.5 audit fixes V3.1 audit fixes Dec 2, 2024
alyn509
alyn509 previously approved these changes Dec 2, 2024
View reviewed changes
andreiblt1304
andreiblt1304 previously approved these changes Dec 2, 2024
View reviewed changes
@CostinCarabas CostinCarabas changed the base branch from feat/v3.5 to feat/v3.1 December 2, 2024 17:03
@CostinCarabas CostinCarabas dismissed stale reviews from andreiblt1304 and alyn509 December 2, 2024 17:03

The base branch was changed.

iulianpascalau
iulianpascalau reviewed Dec 12, 2024
View reviewed changes
bridge-proxy/src/bridge-proxy.rs Outdated

if call_data.endpoint.is_empty()
let non_empty_args = call_data.args.is_some();
if (call_data.endpoint.is_empty() && non_empty_args)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wrote an integration test for this. Apparently, if I send this RAW SC call data 000000000000000002faf08000 (empty function and 50 mil gas limit) it does not refund the transfer. Good catch @dragos-rebegea

esdt-safe/src/lib.rs Show resolved Hide resolved
multi-transfer-esdt/src/lib.rs
eth_tx.tx_nonce,
);
// emit events only for non-SC destinations
if self.blockchain().is_smart_contract(&eth_tx.to) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To solve what @dragos-rebegea mentioned and fix the audit finding #9, do you think it would be better to do the following:

  • emit the event only if the destination address is not a SC
  • remove the transfer_performed_sc_event and instead emit the transfer_performed_event in the bridge proxy if the call to the SC succeeded

multisig/src/setup.rs
multi_transfer_esdt_proxy,
};

const MAX_BOARD_MEMBERS: usize = 40;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why 40? I would go to a higher value like 100 or something

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a fix for issue 4 from the Audit document.
We iterate over all board signatures and the call may run out of gas.
Maybe an integration test from your side could help us adjust this value.

multisig/src/setup.rs Outdated

#[only_owner]
#[payable("*")]
#[endpoint(bridgedTokensWrapperDepositLiquidity)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this? The owner of the wrapper is not the multisig contract

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed.

iulianpascalau
iulianpascalau reviewed Dec 12, 2024
View reviewed changes
multisig/src/lib.rs Outdated

let action_ids_mapper = self.batch_id_to_action_id_mapping(eth_batch_id);

for act_id in action_ids_mapper.values() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should take max values here also

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added.

esdt-safe/src/lib.rs
transaction_details.refund_info.initial_nonce,
);
}
let transaction_details = self.create_transaction_common(to, OptionalValue::None);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

require call from bridge proxy

Copy link
Contributor Author

@CostinCarabas CostinCarabas Dec 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added + unit test.

dragos-rebegea
dragos-rebegea reviewed Dec 19, 2024
View reviewed changes
multi-transfer-esdt/src/lib.rs Outdated
refund_tx_list.push(refund_tx);
self.token_with_transfer_role(eth_tx.token_id);
// let refund_tx = self.convert_to_refund_tx(eth_tx.clone());
// refund_tx_list.push(refund_tx);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commented code

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed.

bridged-tokens-wrapper/src/lib.rs Outdated
@@ -135,10 +134,18 @@ pub trait BridgedTokensWrapper:
self.token_decimals_num(&chain_specific_token_id).clear();
}

#[only_owner]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is still present

@iulianpascalau iulianpascalau merged commit 67f7f6b into feat/v3.1 Dec 19, 2024
5 checks passed
@iulianpascalau iulianpascalau deleted the v3.5-audit-fixes branch December 19, 2024 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evelinemolnar evelinemolnar evelinemolnar approved these changes

@dragos-rebegea dragos-rebegea dragos-rebegea approved these changes

@iulianpascalau iulianpascalau iulianpascalau approved these changes

@andreiblt1304 andreiblt1304 andreiblt1304 left review comments

@alyn509 alyn509 alyn509 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@CostinCarabas @alyn509 @iulianpascalau @dragos-rebegea @evelinemolnar @andreiblt1304