feat: add access control for authorized callers #62
Conversation
Only authorized callers are allowed to call `pledge`, `onSettleBondEscalation`, and `releasePledge`.
gas1cent
requested review from
0xJabberwock,
0xShaito and
gas1cent
and removed request for
0xJabberwock and
0xShaito
| address[] memory authorizedCallers = new address[](1); | ||
| authorizedCallers[0] = address(bondEscalationModule); | ||
| bondEscalationAccounting = new BondEscalationAccounting(oracle, authorizedCallers); |
There was a problem hiding this comment.
Just a note here that we don't have any integration tests for the BondEscalationResolutionModule, only for the dispute one. Hence we're not adding it to the list of authorized callers.
solidity/test/unit/modules/dispute/BondEscalationAccounting.t.sol
Outdated
Show resolved
Hide resolved
solidity/test/unit/modules/dispute/BondEscalationAccounting.t.sol
Outdated
Show resolved
Hide resolved
solidity/test/unit/modules/dispute/BondEscalationAccounting.t.sol
Outdated
Show resolved
Hide resolved
solidity/test/unit/modules/dispute/BondEscalationAccounting.t.sol
Outdated
Show resolved
Hide resolved
| vm.startPrank(unauthorizedCaller); | ||
| // Check: does it revert if the caller is not authorized? | ||
| vm.expectRevert(IBondEscalationAccounting.BondEscalationAccounting_UnauthorizedCaller.selector); | ||
|
|
||
| vm.prank(unauthorizedCaller); |
There was a problem hiding this comment.
I changed vm.prank to vm.startPrank here because I was testing something but it doesn't hurt tbh
| vm.expectRevert(ValidatorLib.ValidatorLib_InvalidDisputeBody.selector); | ||
| vm.expectRevert(IBondEscalationAccounting.BondEscalationAccounting_UnauthorizedCaller.selector); |
There was a problem hiding this comment.
I think the erased expectation of reversion should still be tested, since the attacker could theoretically be an authorized caller.
There was a problem hiding this comment.
Good point.
What do you think about mocking authorizedCallers immediately after the line you selected, something like this:
stdstore
.target(address(_bondEscalationAccounting))
.sig('authorizedCallers(address)')
.with_key(_attacker)
.checked_write(true);
vm.expectRevert(ValidatorLib.ValidatorLib_InvalidDisputeBody.selector);
_bondEscalationAccounting.releasePledge(mockRequest, mockDispute, _attacker, usdc, _pledgeSize * 4);
There was a problem hiding this comment.
That could work, although I'd try to avoid mocking in integration tests—a workaround could be to redeploy BondEscalationAccounting with the attacker as an authorized caller (maybe in a separate test case).
There was a problem hiding this comment.
Perfect 👌
Yes, I thought about that but redeploying the BondEscalationAccounting is somewhat cumbersome because integration tests rely on common variables like mockRequest.
| ////////////////// DISPUTE ESCALATION //////////////////////// | ||
| // Step 1: Proposer pledges against the dispute | ||
| _deposit(_bondEscalationAccounting, proposer, usdc, _pledgeSize); |
There was a problem hiding this comment.
I think the whole dispute escalation flow should be replicated in test_authorizedAttackerAllowedModules, as these tests are meant to simulate a specific attack which was once possible.
There was a problem hiding this comment.
I think this further escalation is only meant to exemplify a particular scenario (a request/dispute gathers tokens from multiple parties/sources) so it won't change the final result (revert when the attacker tries to finalize the attack) but I can add it to replicate the exact same scenario of attackerAllowedModules if that makes it clearer.
There was a problem hiding this comment.
I think the purpose of these test cases in particular should be to be anti-regressive with a specific bug, hence why I wouldn't disesteem the featured scenario in any of them. However, we can invoke its creator's opinion: @0xShaito.
There was a problem hiding this comment.
Anyway, I agree with your reasoning. I'll revert that commit and redo it.
xorsal
force-pushed
the
feat/BEA-authorized-callers
branch
from
0aac1a0 to
c149038
Compare
🤖 Linear
Closes OPO-646