Skip to content

Commit

Permalink
vuln fix
Browse files Browse the repository at this point in the history
  • Loading branch information
benesjan committed Aug 8, 2024
1 parent e6f5144 commit 0f16ebe
Show file tree
Hide file tree
Showing 9 changed files with 17 additions and 8 deletions.
6 changes: 5 additions & 1 deletion docs/docs/migration_notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,16 +39,20 @@ Token contract diff:
- subtracted = subtracted + note.get_amount();
- }
-}
-assert(minuend >= subtrahend, "Balance too low");
+let options = NoteGetterOptions::with_filter(filter_notes_min_sum, target_amount).set_limit(max_notes);
+let notes = self.map.at(owner).pop_notes(options);
+let mut subtracted = U128::from_integer(0);
+for i in 0..options.limit {
+ if i < notes.len() {
+ let note = notes.get_unchecked(i);
+ self.map.at(owner).remove(note);
+ subtracted = subtracted + note.get_amount();
+ }
+}
+assert(minuend >= subtrahend, "Balance too low");

Note that the notes are not ensured to be obtained and removed so you have the place checks on the returned notes (e.g. in the example above by checking a sum of balances or by checking that returned note length assert(notes.len() == expected_num_notes)).



## 0.47.0
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ contract Benchmarking {
let owner_notes = storage.notes.at(owner);
let mut getter_options = NoteGetterOptions::new();
let notes = owner_notes.pop_notes(getter_options.set_limit(1).set_offset(index));
let note = notes.get_unchecked(0);
let note = notes.get(0);
increment(owner_notes, note.value, owner, outgoing_viewer);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,7 @@ impl Deck<&mut PrivateContext> {
}

pub fn remove_cards<N>(&mut self, cards: [Card; N]) {
// TODO(benesjan): try to simplify this func
let options = NoteGetterOptions::with_filter(filter_cards, cards);
let notes = self.set.pop_notes(options);

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,8 @@ contract InclusionProofs {
let private_values = storage.private_values.at(owner);
let mut options = NoteGetterOptions::new();
options = options.set_limit(1);
private_values.pop_notes(options);
let notes = private_values.pop_notes(options);
assert(notes.len() == 1, "note not popped");
}
// docs:end:nullify_note

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -173,7 +173,8 @@ contract TokenBlacklist {
Option::none()
).set_limit(1);

storage.pending_shields.pop_notes(options);
let notes = storage.pending_shields.pop_notes(options);
assert(notes.len() == 1, "note not popped");

// Add the token note to user's balances set
let caller = context.msg_sender();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -304,7 +304,8 @@ contract Token {
Option::none()
).set_limit(1);

storage.pending_shields.pop_notes(options);
let notes = storage.pending_shields.pop_notes(options);
assert(notes.len() == 1, "note not popped");

// Add the token note to user's balances set
// Note: Using context.msg_sender() as a sender below makes this incompatible with escrows because we send
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,8 @@ contract TokenWithRefunds {
Option::none()
).set_limit(1);

storage.pending_shields.pop_notes(options);
let notes = storage.pending_shields.pop_notes(options);
assert(notes.len() == 1, "note not popped");

// Add the token note to user's balances set
// Note: Using context.msg_sender() as a sender below makes this incompatible with escrows because we send
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ describe('e2e_blacklist_token_contract mint', () => {
'The note has been destroyed.',
);
await expect(asset.methods.redeem_shield(wallets[0].getAddress(), amount, secret).prove()).rejects.toThrow(
`Assertion failed: Attempted to read past end of BoundedVec`,
`Assertion failed: note not popped 'notes.len() == 1'`,
);
});

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ describe('e2e_token_contract minting', () => {
'The note has been destroyed.',
);
await expect(asset.methods.redeem_shield(accounts[0].address, amount, secret).simulate()).rejects.toThrow(
`Assertion failed: Attempted to read past end of BoundedVec`,
`Assertion failed: note not popped 'notes.len() == 1'`,
);
});

Expand Down

0 comments on commit 0f16ebe

Please sign in to comment.