Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: audit revision 2 #92

Merged
merged 14 commits into from
Nov 24, 2023
Merged

chore: audit revision 2 #92

merged 14 commits into from
Nov 24, 2023

Conversation

brandonchuah
Copy link
Collaborator

@brandonchuah
Copy link
Collaborator Author

brandonchuah commented Nov 20, 2023

[WP-I3]: I dont see a way to prevent this unless there is communication between the two w3fs. Even if we revert at requestPending[requestId] == false , the Automate contract catches the error and the fee will still be imposed on the user.

[WP-I4]: Based on w3f-backend implementation, we simulate with max gas limit, then pass a suitable gas limit to the executor. I think it is safe to assume executors will not submit with a lower gas limit.

2b1db7b: Calculating dRand round onchain introduces a possibility of manipulation by miners, causing the randomness to not be fulfilled

uint256 elapsedFromGenesis = block.timestamp - _GENESIS;

@goums
Copy link
Contributor

goums commented Nov 20, 2023

[WP-I3]: I dont see a way to prevent this unless there is communication between the two w3fs. Even if we revert at requestPending[requestId] == false , the Automate contract catches the error and the fee will still be imposed on the user.

@brandonchuah I'd be in favor of reverting still, so that at least it fails explicitly on a simulation.

We don't plan to have the 2 W3F running in parallel at the moment. If we do, we will probably use the time interval one as a fallback, and it should try to fulfill VRF only after a delay is elapsed, to avoid racing the Event trigger W3F.

@jack-the-pug
Copy link
Collaborator

The smart contract should emit the requested round in the event, and the Web3Function should use the round in the event directly.

    function _requestRandomness(
        bytes memory extraData
    ) internal returns (uint256 requestId) {
        requestId = uint256(requestPending.length);
        requestPending.push();
        requestPending[requestId] = true;

        bytes memory data = abi.encode(requestId, extraData);
        uint256 round = _round();

        bytes memory dataWithRound = abi.encode(data, round);
        bytes32 requestHash = keccak256(dataWithRound);

        requestedHash[requestId] = requestHash;

        emit RequestedRandomness(data, round);
    }
Web3Function.onRun(async (context: Web3FunctionEventContext) => {
  const { userArgs, multiChainProvider, log } = context;

  const provider = multiChainProvider.default();

  const consumerAddress = userArgs.consumerAddress as string;
  const consumer = new Contract(consumerAddress, CONSUMER_ABI, provider);

  const event = consumer.interface.parseLog(log);
  const [consumerData, round] = event.args;

  const randomness = await getRandomnessByRound(round);
  const encodedRandomness = ethers.BigNumber.from(`0x${randomness}`);

  const consumerDataWithRound = ethers.utils.defaultAbiCoder.encode(
    ["bytes", "uint256"],
    [consumerData, round]
  );

  const data = consumer.interface.encodeFunctionData("fulfillRandomness", [
    encodedRandomness,
    consumerDataWithRound,
  ]);

  return {
    canExec: true,
    callData: [{ to: consumerAddress, data }],
  };
});

src/drand_util.ts Outdated Show resolved Hide resolved
contracts/IGelatoVRFConsumer.sol Outdated Show resolved Hide resolved
@goums goums merged commit 0c2ddb3 into main Nov 24, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants