This release addresses the second batch of issues reported during surge.
It also adds support for sending some native tokens to the destination plug along with messages.
registerSwitchBoard griefing
registerSwitchBoard needs to be permissionless at socket level so that people can code their own security.
Having it fully open made griefing attacks possible, as mentioned in the report.
It has been changed so that switchboards can only register themselves.
Reports
https://github.com/gpersoon/SocketSurge/blob/main/grief.md
Fixes
Arbitrum Native refund addresses
The owner used to control the refund addresses passed to the Arbitrum native bridge from the switchboard.
This discouraged other actors from initiating native confirmation.
The function now takes these addresses as input.
Reports
https://gist.github.com/abhishekvispute/29888273797c761b1249fa4caed517fc
Fixes
Insufficient packet <> message source check
The source chain slug recovered from the packetId and the one recovered from the messageId were not compared during execution.
This allowed the transmitter to forge packets so that the packet appeared to come from one chain and the message from another.
This resulted in a wrong source check on the switchboard, and the message could be executed after timeout.
Added the check so that both the packet and the message have to be from the same source chain.
If transmitters try to forge packets now, either the switchboards catch them via the trip action or the source check fails on execution.
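A minimal sketch of the comparison described above, as an added example that is not Socket's contract code. It assumes both ids carry the source chain slug in their top 32 bits; that layout, the contract name, the helper names and the error name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not taken from the Socket code base.
/// ASSUMPTION: packetId and messageId both store the source chain slug
/// in their top 32 bits. All names here are hypothetical.
contract SourceSlugCheckExample {
    error SourceSlugMismatch(uint32 packetSlug, uint32 messageSlug);

    /// Read the chain slug from the assumed top-32-bit position of an id.
    function decodeSlug(bytes32 id) public pure returns (uint32) {
        return uint32(uint256(id) >> 224);
    }

    /// Build a constructed sample id: slug | emitting contract | counter.
    function encodeId(
        uint32 slug,
        address emitter,
        uint64 count
    ) public pure returns (bytes32) {
        return bytes32(
            (uint256(slug) << 224) |
            (uint256(uint160(emitter)) << 64) |
            uint256(count)
        );
    }

    /// Return the single source slug that both ids agree on.
    /// Without the comparison, a packet claiming chain A could carry a
    /// message claiming chain B, and the switchboard would verify the
    /// packet against the wrong source.
    function checkedSourceSlug(
        bytes32 packetId,
        bytes32 messageId
    ) public pure returns (uint32 slug) {
        slug = decodeSlug(packetId);
        uint32 messageSlug = decodeSlug(messageId);
        if (slug != messageSlug) {
            revert SourceSlugMismatch(slug, messageSlug);
        }
    }
}
```

Any later step that depends on the source chain, such as the switchboard's verification, should use the slug returned by the checked function rather than decoding it again from only one of the ids.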
Reports
https://gist.github.com/sujithsomraaj/af2867cad6b13330433c029a6d000570
Fixes
Missed address addition to digests
Contract addresses were added to most digests in the last release to guard against signature replay across socket versions.
They were missed in a few places and have now been added.
A few other review comments were also fixed.
Reports
https://gist.github.com/abhishekvispute/6f6f32094657e377d8d3ee1e63d2f263
Fixes
Send Native tokens along with message
Added support for plugs to send source native tokens and receive destination native tokens when a message is delivered.
Introduced a param to pass such extra data, which does not need verification at base socket.
The data is passed to the execution manager to decode and handle.
Currently this extraData is either used to send native tokens or to do nothing.