Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: sign orders and whitelist makers #2087

Merged
merged 3 commits into from
Feb 22, 2024
Merged

feat: sign orders and whitelist makers #2087

merged 3 commits into from
Feb 22, 2024

Conversation

bonomat
Copy link
Contributor

@bonomat bonomat commented Feb 22, 2024

only whitelisted makers are allowed to post limit orders

Note: this is a breaking change:

  • apps which do not upgrade, cannot post orders --> I think this is a feature and not a bug :)
  • our old maker won't work anymore --> we need to deploy our new maker in production

@holzeis
Copy link
Contributor

holzeis commented Feb 22, 2024

Note: this is a breaking change:

we should release 1.9.0 then :)

holzeis
holzeis requested changes Feb 22, 2024
View reviewed changes
crates/commons/src/order.rs Outdated
impl NewOrderRequest {
pub fn verify(&self) -> Result<()> {
let message = self.value.message();
self.signature.verify(&message, &self.public_key)?;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 That doesn't make much sense does it?

Any body could send any message signed with the public key that they provide. We need to verify the signature on the node id of the user. This information can be found in the trader_id field.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wups,that's the reason why we have PR reviews I guess 🙈

mobile/native/src/trade/order/orderbook_client.rs Outdated
let new_order_request = NewOrderRequest {
value: order,
signature,
public_key: secret_key.public_key(SECP256K1),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 why not use order.trader_id?

mobile/native/src/trade/order/orderbook_client.rs
@@ -15,10 +18,19 @@ impl OrderbookClient {
}

pub(crate) async fn post_new_order(&self, order: NewOrder) -> Result<OrderResponse> {
let secret_key = get_node_key();
let message = order.message();
let signature = secret_key.sign_ecdsa(message);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔧 It would probably reasonable to put the signing into a function and do not leak the secret_key just like that. Have a look at the AesCipher.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is the advantage? The AesCipher needs to be initialized using the secret_key, meaning, we just move this to a different place.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well at least it would be wrapped a little bit nicer. Also you could get the secret key there the way you get it here, thus hiding the key handling away from this part.

But it's probably just a nit.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@luckysori : I'm keen on hearing your thoughts on this and happily will change it in a follow-up PR.

@bonomat bonomat requested a review from holzeis February 22, 2024 15:10
holzeis
holzeis approved these changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@holzeis holzeis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@bonomat
feat: add maker whitelist to coordinator
d942bb1 
only whitelisted makers are allowed to post limit orders
@bonomat
feat: enforce create new orders to be signed
a741975
@bonomat
feat: allow disabling/enabling whitelist
7b4842a 
This simplifies our test env setup as we can simply disable it.
@bonomat bonomat added this pull request to the merge queue Feb 22, 2024
Merged via the queue into main with commit dcad903 Feb 22, 2024
20 checks passed
@bonomat bonomat deleted the feat/whitelist-makers branch February 22, 2024 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@holzeis holzeis holzeis approved these changes

@luckysori luckysori Awaiting requested review from luckysori

Assignees

@bonomat bonomat

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bonomat @holzeis