Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance escrow interface for metadata resolution from escrowed NFTs & FT Vaults #112

Closed
sisyphusSmiling opened this issue Aug 30, 2024 · 2 comments
Closed

Enhance escrow interface for metadata resolution from escrowed NFTs & FT Vaults #112

sisyphusSmiling opened this issue Aug 30, 2024 · 2 comments
Assignees
@sisyphusSmiling
Labels
Improvement

Comments

@sisyphusSmiling
Copy link
Contributor

sisyphusSmiling commented Aug 30, 2024
edited
Loading

Description

As reported by @bjartek, the interface for metadata resolution on escrowed NFTs is lacking. At a minimum a caller should be able to:

  • Resolve a view against an escrowed NFT
  • Get views supported by an escrowed NFT

Originally, the idea of exposing a reference to an escrowed resource sounded like a potential vulnerability given the ability to downcast the reference. However, any project implementing an NFT in a manner that would expose sensitive methods by downcasting form a publicly available reference (see ViewResolver.ResolverCollection.borrowViewResolver) would be doing so against the intended use of the ecosystem standards and so would be vulnerable in any context, not exclusively from escrow.

What we'll likely do then is simply add the ability to borrow an escrowed NFT as a &{ViewResolver.Resolver} to FlowEVMBridgeNFTEscrow with a signature like:

access(all) view fun borrowViewResolver(nftType: Type, id: UInt64): &{ViewResolver.Resolver}?

We'll of course also want to add a similar method to FlowEVMBridgeTokenEscrow
@sisyphusSmiling sisyphusSmiling self-assigned this Aug 30, 2024
@sisyphusSmiling sisyphusSmiling moved this to 🏗 In Progress in 🌊 Flow 4D Aug 30, 2024
@bjartek
Copy link
Contributor

bjartek commented Aug 30, 2024
edited
Loading

we have

flow-evm-bridge/cadence/contracts/bridge/FlowEVMBridgeNFTEscrow.cdc

Line 124 in a9d52f9

access(account) view fun borrowLockedNFT(type: Type, id: UInt64): &{NonFungibleToken.NFT}? {
so if we make that all we should be good to go really.

@sisyphusSmiling sisyphusSmiling mentioned this issue Aug 31, 2024
Merged
6 tasks
@sisyphusSmiling
Copy link
Contributor Author

Updating to reflect recent conversations. Any non-view method calling through to an escrowed resource should be protected with view to ensure state in the escrowed resource cannot be mutated by external actors. To ensure metadata can be resolved, scripts should be updated to support retrieval of metadata solely within the context of a script which is inherently non-mutating.

@sisyphusSmiling sisyphusSmiling mentioned this issue Sep 1, 2024
Open
@sisyphusSmiling sisyphusSmiling moved this from 🏗 In Progress to 👀 In Review in 🌊 Flow 4D Sep 1, 2024
@github-project-automation github-project-automation bot moved this from Todo to Done in FlowEVM Bridge Sep 3, 2024
@github-project-automation github-project-automation bot moved this from 👀 In Review to ✅ Done in 🌊 Flow 4D Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sisyphusSmiling sisyphusSmiling

Labels
Improvement
Projects
FlowEVM Bridge
Status: Done
🌊 Flow 4D
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bjartek @sisyphusSmiling