Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate transmitter lengths against F values #1432

Merged
merged 7 commits into from
Sep 13, 2024
Merged

Validate transmitter lengths against F values #1432

merged 7 commits into from
Sep 13, 2024

Conversation

elatoskinas
Copy link
Collaborator

@elatoskinas elatoskinas commented Sep 12, 2024
edited
Loading

Motivation

Improves validations for OCR3 and CCIPConfig contracts

Solution

Covers validations:

  • fChain <= F, since F represents the full role DON
  • Allows setting empty transmitters in CCIPConfig to allow len(transmitters) <= len(signers), while still enforcing len(transmitters) >= 3 * fChain + 1
  • Validates non-zero transmitters length in MultiOCR3
  • Validates len(signers) >= len(transmitters) in MultiOCR3

Tooling implications

  • When setting OCR configs on OffRamp contracts, the list from CCIPConfig must be filtered to exclude 0-bytes addresses. The reason for this is that the MultiOCR3Base disallows zero addresses and duplicates
  • Signer and transmitter duplication must be checked in tooling scripts off-chain prior to setting CCIPConfig (otherwise it will result in OffRamp breakage)
  • chainConfigs must be set before OCR3 configs due to the added fChain == F validation
  • If fChain becomes higher than F after updates, existing OCR3 configs get invalidated without an on-chain check (since it is difficult to do). There should be an off-chain validation script that prevents this (first, F should be increased for all configs, only after which fChain can be increased)
  • OffRamp transmitters.length should be validated such that it meets the 3 * fChain + 1 criteria off-chain, since fChain is not tracked in the OffRamp

Gas

Function Name min avg median max # calls
validateConfig (without loop check) 7040 20701 8436 122591 11
validateConfig (with loop check) 7040 21006 9132 123442 11

@elatoskinas elatoskinas force-pushed the feat/transmitter-validation branch from f39fe10 to 535a28e Compare September 12, 2024 12:06
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 12, 2024
edited
Loading

LCOV of commit 00f1248 during Solidity Foundry #8172

Summary coverage rate:
  lines......: 97.6% (2229 of 2283 lines)
  functions..: 94.5% (411 of 435 functions)
  branches...: 93.5% (529 of 566 branches)

Files changed coverage rate: n/a

@elatoskinas elatoskinas force-pushed the feat/transmitter-validation branch from 28db659 to 0d6f63c Compare September 12, 2024 12:21
@elatoskinas elatoskinas marked this pull request as ready for review September 12, 2024 12:21
@elatoskinas elatoskinas requested review from makramkd, RayXpub and a team as code owners September 12, 2024 12:21
RensR
RensR reviewed Sep 13, 2024
View reviewed changes
contracts/src/v0.8/ccip/ocr/MultiOCR3Base.sol
@@ -157,6 +163,9 @@ abstract contract MultiOCR3Base is ITypeAndVersion, OwnerIsCreator {

if (signers.length > MAX_NUM_ORACLES) revert InvalidConfig(InvalidConfigErrorType.TOO_MANY_SIGNERS);
if (signers.length <= 3 * ocrConfigArgs.F) revert InvalidConfig(InvalidConfigErrorType.F_TOO_HIGH);
// NOTE: Transmitters cannot exceed signers. Transmitters do not have to be >= 3F + 1 because they can match >= 3fChain + 1, where fChain <= F.
// fChain is not represented in MultiOCR3Base - so we skip this check.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it not?

Copy link
Collaborator Author

@elatoskinas elatoskinas Sep 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mainly because fChain is not part of the OCR config in the CCIPConfig logic, and not part of the blue/green deployments. We aimed to keep the OCR3 configs as consistent as possible.

fChain can be updated outside of b/g flows (valid updates would be decreases), which would prompt updates in MultiOCR3 through the non b/g path - that would complicate tooling since we typically only update MultiOCR3 in the b/g update path

RensR
RensR reviewed Sep 13, 2024
View reviewed changes
contracts/src/v0.8/ccip/test/ocr/MultiOCR3Base.t.sol
vm.assume(ocrConfig.transmitters.length <= 31);
vm.assume(ocrConfig.signers.length <= 31);
vm.assume(ocrConfig.transmitters.length <= 255);
vm.assume(ocrConfig.signers.length <= 255);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These might be very restrictive assumes. Assume is only correct to exclude a very small set of inputs. The check below of > 0 is perfect for it. The check ocrConfig.transmitters.length <= ocrConfig.signers.length is already too restrictive as it discards half of all inputs it tried.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could release the assumes, but then the test would be more complex to cover unhappy paths (which are already covered by non-fuzz tests)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can punt this test improvement

@elatoskinas elatoskinas enabled auto-merge (squash) September 13, 2024 16:39
@elatoskinas elatoskinas merged commit 258959a into ccip-develop Sep 13, 2024
120 checks passed
@elatoskinas elatoskinas deleted the feat/transmitter-validation branch September 13, 2024 16:51
@cl-sonarqube-production
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RensR RensR RensR left review comments

@RayXpub RayXpub RayXpub approved these changes

@makramkd makramkd makramkd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@elatoskinas @RensR @makramkd @RayXpub