fix(zoe): assert that amountKeywordRecord is a copyRecord #4069
Conversation
katelynsills
force-pushed
the
4061-assert-keyword
branch
from
114fd75 to
dda45dd
Compare
| lenderSeat.incrementBy( | ||
| harden(repaySeat.decrementBy(harden({ Loan: debt }))), | ||
| ); |
There was a problem hiding this comment.
Ideally the creator of an object is the one to harden the object before releasing it. The typical and best case, as in the remaining harden here, is on the object literal itself. Otherwise, things should only be passing hardened objects to each other. The receiver should be defensively checking and rejecting, as incrementBy already does. It should not be doing its own defensive hardening, as that masks bugs in the source of the object. For example, if decrementBy returned an unhardened object, the defensive harden would mask the bug. In this case it is fine because decrementBy is not buggy in this way.
| lenderSeat.incrementBy( | |
| harden(repaySeat.decrementBy(harden({ Loan: debt }))), | |
| ); | |
| lenderSeat.incrementBy(repaySeat.decrementBy(harden({ Loan: debt }))); |
Please correct all places where this PR makes this error.
This will also cause some error messages to revert to what they were before this PR. IMO the old error messages were better anyway, so this is welcome.
There was a problem hiding this comment.
Hmm, I'm not seeing how this will cause some error messages to revert. I would expect the effect to be the same.
But, I just removed all of the harden calls on outputs from incrementBy and decrementBy, since they are already hardened.
katelynsills
force-pushed
the
4061-assert-keyword
branch
from
b948ff5 to
8b9910e
Compare
BREAKING CHANGE: must harden `amountKeywordRecord` before passing to ZCF objects
katelynsills
force-pushed
the
4061-assert-keyword
branch
from
de412fe to
25a9901
Compare
katelynsills
force-pushed
the
4061-assert-keyword
branch
2 times, most recently
from
5857bef to
103e787
Compare
katelynsills
force-pushed
the
4061-assert-keyword
branch
from
103e787 to
824a96b
Compare
BREAKING CHANGE:
amountKeywordRecordmust be hardened before passing tozcfMintandzcfSeatmethodsNote: because this is a breaking change, we may want to wait to merge until we have other Zoe input validation complete, so there's only one breaking change to Zoe.
closes: #4061
Description
This PR changes the code of
zcfMint.burnLosses,zcfMint.mintGains,zcfSeat.incrementBy, andzcfSeat.decrementByto assert that the user-definedamountKeywordRecordis actually a keyword record and coerce the amounts. This means checking that it is a copyRecord, among other things. The actual function used iscoerceAmountKeywordRecordfromcleanProposal.js.coerceAmountKeywordRecordrequires a hardened object, thus, this is a breaking change. AnyamountKeywordRecordnot hardened will cause the function to throw.Security Considerations
This is part of the input validation that we need to do for Zoe, but not the entirety of it. #4068 is the input validation task covering all of Zoe.
Documentation Considerations
This is a breaking change that will effect dapps. We should explain the need to
hardenin our documentation.Testing Considerations
No additional tests needed.