Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/onramp allowlist race condition #1480

Merged
merged 13 commits into from
Oct 8, 2024
Merged

Fix/onramp allowlist race condition #1480

merged 13 commits into from
Oct 8, 2024

Conversation

0xsuryansh
Copy link
Member

@0xsuryansh 0xsuryansh commented Oct 2, 2024
edited
Loading

Motivation

When the onRamp::_applyDestChainConfigUpdates is invoked in the constructor, the allowListEnabled field of the destination chain configuration is not set directly. As a result, if an onRamp with an allow list is required, the deployment must be bundled with a call to onRamp::applyAllowListUpdates

Solution

Directly sets the allowListEnabled field during the constructor execution.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 2, 2024
edited
Loading

LCOV of commit 1f26f49 during Solidity Foundry #8538

Summary coverage rate:
  lines......: 97.9% (2279 of 2329 lines)
  functions..: 95.1% (428 of 450 functions)
  branches...: 93.6% (538 of 575 branches)

Files changed coverage rate: n/a

@0xsuryansh 0xsuryansh marked this pull request as ready for review October 2, 2024 15:35
@0xsuryansh 0xsuryansh requested a review from RyanRHall October 2, 2024 15:36
RensR
RensR reviewed Oct 4, 2024
View reviewed changes
contracts/src/v0.8/ccip/onRamp/OnRamp.sol Outdated
@@ -91,6 +91,7 @@ contract OnRamp is IEVM2AnyOnRampClient, ITypeAndVersion, OwnerIsCreator {
struct DestChainConfigArgs {
uint64 destChainSelector; // Destination chain selector
IRouter router; // Source router address
bool allowListEnabled; // Boolean indicator to specify if allowList check is enabled
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's add struct packing comments, they should have been there already but the previous person also missed them :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/smartcontractkit/ccip/pull/1480/commits

@0xsuryansh
Merge branch 'ccip-develop' into fix/onramp-allowlist-race-condition
d7e8c4b 
# Conflicts:
#	contracts/gas-snapshots/ccip.gas-snapshot
#	core/gethwrappers/ccip/generated/onramp/onramp.go
#	core/gethwrappers/ccip/generation/generated-wrapper-dependency-versions-do-not-edit.txt
@0xsuryansh
chore: gen wrappers
0b96b55 
Signed-off-by: 0xsuryansh <[email protected]>
@0xsuryansh
add struct packing comment
a0cc771 
Signed-off-by: 0xsuryansh <[email protected]>
@0xsuryansh
add test
549b19d 
Signed-off-by: 0xsuryansh <[email protected]>
@0xsuryansh
Copy link
Member Author

Added a test for setting a new chain with allowedListEnabled : true and then trying out sending a msg with empty allowed list, the forwardFromRouter call should revert here

549b19d

@0xsuryansh
Merge branch 'ccip-develop' into fix/onramp-allowlist-race-condition
4ddff04 
# Conflicts:
#	contracts/gas-snapshots/ccip.gas-snapshot
#	core/gethwrappers/ccip/generation/generated-wrapper-dependency-versions-do-not-edit.txt
@0xsuryansh
chore: wrappers and snapshot
6b592cb 
Signed-off-by: 0xsuryansh <[email protected]>
elatoskinas
elatoskinas reviewed Oct 7, 2024
View reviewed changes
contracts/src/v0.8/ccip/onRamp/OnRamp.sol
IRouter router; // Source router address
uint64 destChainSelector; // ─╮ Destination chain selector
IRouter router; // │ Source router address
bool allowListEnabled; //─────╯ Boolean indicator to specify if allowList check is enabled
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

q: since this is now part of dest chain config args - do we still need it in allowListConfigArgs? There are now 2 ways to change the allowlist - is this intended?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This just enables it when a new chain it set, to prevent unauthorised access to a private chain. The other method is still required to set the actual permitted addresses

Copy link
Collaborator

@elatoskinas elatoskinas Oct 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the first option it makes sense, for the second option - we can always batch 2 MCMS calls:

  1. setDestChainConfigArgs
  2. setAllowlistConfigArgs

Seems slightly redundant to have the flag twice

@cl-sonarqube-production
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@0xsuryansh 0xsuryansh merged commit f772bcf into ccip-develop Oct 8, 2024
127 checks passed
@0xsuryansh 0xsuryansh deleted the fix/onramp-allowlist-race-condition branch October 8, 2024 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elatoskinas elatoskinas elatoskinas approved these changes

@RensR RensR RensR approved these changes

@makramkd makramkd Awaiting requested review from makramkd makramkd is a code owner

@RayXpub RayXpub Awaiting requested review from RayXpub RayXpub is a code owner

@RyanRHall RyanRHall Awaiting requested review from RyanRHall

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@0xsuryansh @RensR @elatoskinas