Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix (audit AUR-03): signer_id for: deposit and withdraw #14

Merged
merged 7 commits into from
Mar 1, 2023
Merged

Fix (audit AUR-03): signer_id for: deposit and withdraw #14

merged 7 commits into from
Mar 1, 2023

Conversation

mrLSD
Copy link
Collaborator

@mrLSD mrLSD commented Feb 8, 2023
edited
Loading

Description

After Sigma Prime Aurora Engine and Eth-Connector audit, was detected potential issue: AUR-03 - Incorrect Use of Predecessor Account.

Details

The functions deposit() and withdraw() as well as the NEP-141 logic in aurora-eth-connector make use of the predecessor_account_id() function. Since the predecessor_account_id() will always be "aurora" (i.e. engine contract), some code functionality is broken.

The updates to aurora-eth-connector remove logic from the engine contract. The new logic is inserted into a new contract called aurora-eth-connector.

Functions in aurora-eth-connector such as deposit() , withdraw() and the NEP-141 logic are only called from the engine contract. Therefore, in these functions, predecessor_account_id() will always be the engine contract.

Within deposit(), predecessor_account_id() is used to determine ownership and set the relayer_id. Each of the use cases are invalid when the predecessor is always the engine contract.

Similarly, the withdraw() function also uses the predecessor_account_id() to determine ownership.

Gas cost

Not changed.

Solution

Added methods is_owner to manage access rights when paused. If it's is_owner then account has access right with modification operation to paused methods.

How to review

Pay attention to methods:

  • deposit - owner check for admin control
  • withdraw - owner check for admin control

Tests

Tests were extended with new functionality for is_owner.

@mrLSD mrLSD self-assigned this Feb 8, 2023
@mrLSD mrLSD removed the duplicate label Feb 8, 2023
@mrLSD mrLSD marked this pull request as ready for review February 8, 2023 18:20
birchmd
birchmd reviewed Feb 8, 2023
View reviewed changes
Copy link
Contributor

@birchmd birchmd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General design question: is this the right fix for this issue? An alternative fix would be to remove relayer_id entirely (or always set it to some null value if we care about backwards compatibility). If we are removing the fee logic, and this is the only place the relayer_id gets used then I think it is better remove relayer_id also.

@mrLSD
Copy link
Collaborator Author

mrLSD commented Feb 8, 2023

General design question: is this the right fix for this issue? An alternative fix would be to remove relayer_id entirely (or always set it to some null value if we care about backwards compatibility). If we are removing the fee logic, and this is the only place the relayer_id gets used then I think it is better remove relayer_id also.

But the second point is related to is_owner check. We can assume, that the admin always current contract. But is it true?

@mrLSD mrLSD added this to the v0.4.0 milestone Feb 8, 2023
@joshuajbouw
Copy link

No, owner can be something else like a DAO, or a "trusted account" but we don't want to do that. Currently, it is the contract itself, same with the Aurora EVM.

@birchmd
Copy link
Contributor

birchmd commented Feb 9, 2023

But the second point is related to is_owner check

We could do the same check we do for other admin-controlled functions (using the predecessor account id directly). Why should we force these allowed accounts to go through the Aurora Engine to access the NEP-141 contract?

@mrLSD mrLSD requested a review from birchmd February 27, 2023 22:59
birchmd
birchmd approved these changes Feb 28, 2023
View reviewed changes
Copy link
Contributor

@birchmd birchmd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

joshuajbouw
joshuajbouw reviewed Mar 1, 2023
View reviewed changes
eth-connector-tests/src/utils.rs
Ok(res)
}

pub async fn call_deposit_eth_to_aurora(&self) -> anyhow::Result<()> {
let proof: Proof = serde_json::from_str(PROOF_DATA_ETH).unwrap();
let res = self.deposit_with_proof(&proof).await?;
assert!(res.is_success());
assert!(res.is_success(), "call_deposit_eth_to_aurora: {:#?}", res);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a nit, asserts or panic messages should be formatted as full sentences with a capital as it makes grammatical sense on the panics in the return in the terminal.

@mrLSD mrLSD merged commit 16078ae into master Mar 1, 2023
@mrLSD mrLSD deleted the fix/audit-aur-03 branch March 1, 2023 10:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuajbouw joshuajbouw joshuajbouw approved these changes

@birchmd birchmd birchmd approved these changes

Assignees

@mrLSD mrLSD

Labels
audit fix
Projects
None yet
Milestone
v0.4.0
Development

Successfully merging this pull request may close these issues.
3 participants
@mrLSD @joshuajbouw @birchmd