Sanity check key updates

The current key update function allows following bad values. 1. Zero threshold value, when renders multisig contract without any additional security. 2. Threshold value that is larger than the number of keys, which locks out the multisig contract completely and renders it useless. This change adds sanity checks that rejects bad threshold/key pairs as listed above.
murbard · Mar 17, 2020 · 8402d1a · 8402d1a
1 parent 562fe78
commit 8402d1a
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/multisig/michelson/generic.tz b/multisig/michelson/generic.tz
@@ -85,6 +85,18 @@ code
           }
           {
             # Change set of signatures
+
+            # Sanity check threshold/key pair
+            DUP;
+            DIP {
+                  UNPAIR;
+
+                  # Check threshold is not zero
+                  DUP; INT; ASSERT_NEQ;
+
+                  # Check threshold less then or equal to number of keys
+                  DIP { SIZE } ; ASSERT_CMPLE; };
+
             DIP { CAR } ; SWAP ; PAIR ; NIL operation
           };
         PAIR }

diff --git a/multisig/michelson/multisig.tz b/multisig/michelson/multisig.tz
@@ -80,5 +80,17 @@ code
                   SET_DELEGATE ; CONS }
                 {
                   # Change set of signatures
+
+                  # Sanity check threshold/key pair
+                  DUP;
+                  DIP {
+                        UNPAIR;
+
+                        # Check threshold is not zero
+                        DUP; INT; ASSERT_NEQ;
+
+                        # Check threshold less then or equal to number of keys
+                        DIP { SIZE } ; ASSERT_CMPLE; };
+
                   DIP { SWAP ; CAR } ; SWAP ; PAIR ; SWAP }} ;
     PAIR }