Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit fixes #9

Open
wants to merge 47 commits into
base: main
Choose a base branch
from
Open

audit fixes #9

wants to merge 47 commits into from

Conversation

alyn509
Copy link
Contributor

@alyn509 alyn509 commented Oct 31, 2023
edited
Loading

@github-actions
Copy link

github-actions bot commented Oct 31, 2023
edited
Loading

Contract comparison - from 2fd5e11 to e6fef64
⚠️ Warning: Could not download the report for the base branch. Displaying only the report for the current branch. ⚠️

Path                                                                                             size                  has-allocator                     has-format
mx-liquid-staking-sc
- delegation-mock/delegation-mock.wasm 2896 No No
- liquid-staking/liquid-staking.wasm 25004 No No

CostinCarabas
CostinCarabas reviewed Nov 22, 2023
View reviewed changes
liquid-staking/src/lib.rs
@@ -43,9 +42,6 @@ pub trait LiquidStaking<ContractReader>:
#[init]
fn init(&self) {
self.state().set(State::Inactive);
self.max_delegation_addresses()
.set(MAX_DELEGATION_ADDRESSES);

let current_epoch = self.blockchain().get_block_epoch();
let claim_status = ClaimStatus {
status: ClaimStatusType::Insufficient,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

last_claim_block should have been self.blockchain().get_block_nonce(), right?

psorinionut
psorinionut requested changes Nov 24, 2023
View reviewed changes
liquid-staking/src/delegation.rs Outdated
@@ -285,6 +280,20 @@ pub trait DelegationModule:
.get_sc_balance(&EgldOrEsdtTokenIdentifier::egld(), 0)
- current_total_withdrawn_egld;
}

let mut last_node = current_claim_status.current_node;
let mut delegation_addresses: ManagedVec<Self::Api, ManagedAddress> = ManagedVec::new();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach is good, but I don't think it fully resolves the issue. Right now, we initialize a new list with each new claimRewards, which is taken from the delegation_addresses_mapper storage, which may change in between claimRewards operations, especially if they're not emitted consecutively.

What I would suggest is to keep this implementation, but instead of creating the list each time, to have a new vec variable in the ClaimStatus struct and load the list of addresses in the struct directly. From there, we work only on the mutable struct. Then, the next time we try to claimRewards, we both save some gas as we don't create the list again, as well as knowing for sure the list was not updated since our last claim.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to a mapper. This should iterate over and pop addresser from after claiming, as it was suggested in the audit

liquid-staking/src/lib.rs Outdated
});

total_unstake_amount += unstake_amount;
providers_unbond_from.push(unstake_token_attributes);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the use of this variable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure which one you refer to.. anyway the logic was changed

liquid-staking/src/lib.rs
#[call_result] result: ManagedAsyncCallResult<()>,
) {
match result {
ManagedAsyncCallResult::Ok(()) => {
let withdraw_amount = self.call_value().egld_value().clone_value();
let mut storage_cache = StorageCache::new(self);
let delegation_contract_mapper =
self.delegation_contract_data(&delegation_contract);
self.delegation_contract_data(&unstake_token_attributes.delegation_contract);
if withdraw_amount > 0u64 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important to keep in mind that the withdraw process happens at the SC's level, and not for a specific user. I think we should only update the storage (total_withdrawn_egld and total_unbonded_from_ls_contract) inside the if statement withdraw_amount > 0u64. In other words, we should update unbond_from_provider and burn the tokens, regardless the withdraw amount (as the tokens may have been previously withdrawn by other user).
Moreover, maybe we would be more safe if we cover the case of an error as well (by sending back the tokens to the user if the withdraw callback receives an error).

liquid-staking/src/lib.rs Outdated
let delegation_contract_data = delegation_contract_mapper.get();

if delegation_contract_data.total_unbonded_from_ls_contract < unstake_amount {
continue;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should really not get to this point, as all unbonds are correlated with an actual user. I would keep the check, but instead panic the SC if it gets to this point.

liquid-staking/src/lib.rs Outdated
}

#[payable("*")]
#[endpoint(withdrawAll)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure of the naming, as we only withdraw from a single provider, not from "all".

Copy link
Contributor Author

@alyn509 alyn509 May 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jacob's idea. I think he's refering to the funds.. withdraw all funds from the specific provider

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 26, 2024
edited
Loading

Coverage Summary

Totals

Count Covered %
Lines 1526 1357 88.93
Regions 438 304 69.41
Functions 174 136 78.16
Instantiations 870 183 21.03

Files

Expand
File Lines Regions Functions Instantiations
/delegation-mock/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/delegation-mock/src/delegation.rs 98.53% 90.32% 100.00% 32.47%
/liquid-staking/meta/src/main.rs 0.00% 0.00% 0.00% 0.00%
/liquid-staking/src/config.rs 11.11% 28.57% 30.00% 6.72%
/liquid-staking/src/contexts/base.rs 100.00% 100.00% 100.00% 33.33%
/liquid-staking/src/delegation.rs 71.37% 54.01% 51.28% 11.81%
/liquid-staking/src/delegation_proxy.rs 71.70% 71.43% 71.43% 30.00%
/liquid-staking/src/events.rs 95.45% 53.33% 71.43% 16.28%
/liquid-staking/src/lib.rs 89.82% 71.93% 96.30% 18.34%
/liquid-staking/src/liquidity_pool.rs 97.14% 76.92% 90.91% 20.41%
/liquid-staking/tests/contract_interactions/mod.rs 100.00% 100.00% 100.00% 100.00%
/liquid-staking/tests/contract_setup/mod.rs 100.00% 100.00% 100.00% 100.00%
/liquid-staking/tests/test.rs 95.51% 63.64% 63.64% 63.64%

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrei-marinica andrei-marinica andrei-marinica left review comments

@psorinionut psorinionut Awaiting requested review from psorinionut

@CostinCarabas CostinCarabas Awaiting requested review from CostinCarabas

Requested changes must be addressed to merge this pull request.

Assignees

@alyn509 alyn509

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@alyn509 @CostinCarabas @andrei-marinica @psorinionut @andreibancioiu @mihaicalinluca