Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: audit remediations for l1 contracts #457

Merged
merged 20 commits into from
Nov 4, 2024
Merged

fix: audit remediations for l1 contracts #457

merged 20 commits into from
Nov 4, 2024

Conversation

shaspitz
Copy link
Contributor

@shaspitz shaspitz commented Oct 30, 2024
edited
Loading

Describe your changes

Fixes multiple findings from spearbit audit. Context in each link.

  1. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/443?q=443, commit: 117353e
  2. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/676?q=676, commit: 2fa642d
  3. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/124?q=124, commit: fd8838c
  4. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/24?q=24, commit: 090802b
  5. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/55?q=55, commit: 5e69b2f
  6. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/563?q=563, commit: 51eed21
  7. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/185?q=185, commit: 22fa110
  8. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/759?q=759, commit: 03033bc
  9. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/199?q=199, commit: 10c3d83
  10. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/490?q=490, commit: 7c49f23
  11. https://cantina.xyz/code/4ee8716d-3e0e-4f59-b90d-aa56bf3b484c/findings/115?q=115, commit: ee29d99

Non-audit, but related commits in this PR:

  1. Misc readme update: 9dafdfe
  2. Made slashPeriodSeconds constraints more clear: 7fa8f19
  3. Docs suggestions from Christian: 9532113

Checklist before requesting a review

  • I have added tests that prove my fix is effective or that my feature works
  • I have made corresponding changes to the documentation

@shaspitz
fix: Violation Of CEI Pattern In FeePayOut Allows For Reentrancy, 443
117353e
@shaspitz
fix: withdrawalAddress could DOS owners' calls to VanillaRegistry.wit…
2fa642d 
…hdrawAsOwner, 676
@shaspitz
fix: setter for finalizationFee and counterparty fee, finding 124
fd8838c
@shaspitz
docs: comment update for finding 24
090802b
@shaspitz
fix: Oracle will be unable to call executeSlash, finding 55
5e69b2f
@shaspitz
Merge branch 'main' into audit-fixes
20c238a
@shaspitz
update go binding
4692dfc
@shaspitz
fix: insufficient timing buffer in mevCommitMiddleware vetoSlasher co…
51eed21 
…nfig, finding 563
@shaspitz
update abi + binding
03867b1
@shaspitz
fix: increasing minStake in vanillarRegistry will make some stakes un…
22fa110 
…slashable, finding 185
@shaspitz
fix: isValidatorSlashable external func could revert for slashable va…
03033bc 
…lidators, finding 759
@shaspitz
fix: minStake is slashed instead of the slashAmount for vanillaRegist…
10c3d83 
…ry, finding 199
@shaspitz
nit: misc readme update
9dafdfe
@shaspitz
docs: make slashPeriodSeconds constraints more clear
7fa8f19
@shaspitz
Merge branch 'main' into audit-fixes
53c37f7
@shaspitz
Update MevCommitMiddleware.go
747c2b7 
update binding
@shaspitz
docs: review comments from christian
9532113
@shaspitz
fix: proper slash amount updating, finding 490
7c49f23
@shaspitz
fix: modifier usage, finding 115
ee29d99
@shaspitz shaspitz marked this pull request as ready for review November 1, 2024 05:07
chrmatt
chrmatt reviewed Nov 1, 2024
View reviewed changes
Copy link
Member

@chrmatt chrmatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

Note: I've only looked at the "non-audit, but related commits". Let me know if I should look at something else.

contracts/contracts/validator-registry/middleware/README.md

Concretely, for validators to be slashable by the oracle, `slashPeriodSeconds` must be greater than:
Note _currently opted-in_ in this context, means the validator is opted-in with respect to the latest finalized L1 block state, in the worst case this is two L1 epochs ago.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's strictly speaking not correct, since finalization could take longer than 2 epochs. I guess we consider everything from more than 2 epochs ago as finalized, even if it's technically not. Maybe not the right place to discuss this, but wanted to point it out.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a probabilistic/practical block threshold you'd suggest for assuming the vast majority of txes will be finalized?

I actually didn't know finalization could take longer than 2 epochs. A proof of stake protocol should be able to provide some sort of finalization guarantee..

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asking cause we do need to make some sort of assumption of how long finalization can take in the worst case scenario here

Copy link
Member

@chrmatt chrmatt Nov 1, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a block tag you can query for whether the block is already finalized or not. There is no guarantee in terms of number of block/slots etc. In theory, finalization could take arbitrarily long. But in practice, it is mostly happening after the 2 epochs. Even if not technically finalized, it already is highly unlikely to reorg much earlier due to how attestions work; I think the longest reorg ever since PoS was 7 blocks. So waiting 2 epochs is plenty in practice, but theoretically not guaranteed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, and yea we're using the finalized block query around the repo. My question here was specific to protocol design and what we can use as a practical max reorg time for determining slashPeriodSeconds. Seems like 2 epochs works as that practical assumption

@shaspitz shaspitz merged commit 26ecd81 into main Nov 4, 2024
6 checks passed
@shaspitz shaspitz deleted the audit-fixes branch November 4, 2024 07:36
@shaspitz shaspitz restored the audit-fixes branch November 5, 2024 02:31
@shaspitz shaspitz mentioned this pull request Nov 5, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrmatt chrmatt chrmatt left review comments

@Mikelle Mikelle Mikelle approved these changes

@mrekucci mrekucci Awaiting requested review from mrekucci

@ckartik ckartik Awaiting requested review from ckartik

@kant777 kant777 Awaiting requested review from kant777

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shaspitz @Mikelle @chrmatt