Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial configuration verifier implementation #322

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

mdulin2
Copy link
Collaborator

@mdulin2 mdulin2 commented Mar 19, 2024

The goal with this code is to find bugs in deployed NTT tokens. Right now, it has the following capabilities:

  • Checks decimals of manager on Solana and EVM. Probably the most important thing to get right for the security of this
  • Checks the peers to ensure they line up as expected
  • Quick sanity check on outbound/inbound rate limiting. I think this is bugged out from not considering decimals but it's a good start.
  • Lock is only a single chain and everything else is a burn
  • Threshold maxed out to the amount of transceivers
  • Consistency level check for wormhole transceivers on EVM

Going forward, I want to make this more portable within a Docker container.

* Checks decimals of manager on Solana and EVM
* Checks the peers to ensure they line up as expected
* Quick sanity check on outbound/inbound rate limiting
* Lock is only a single chain and everything else is a burn
* Threshold maxxed out
}

// Check if the rate limit is turned off or maxed out
if(target['outboundRateLimit'].eq(0) || target['outboundRateLimit'].eq(BigNumber.from(2).pow(256).sub(1))){
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can bring the RateLimit checks down by quite a lot:

  1. Solana uses u64 to store this value so this check will never trigger even if capacity is at its maximum value
    https://github.com/wormhole-foundation/example-native-token-transfers/blob/0d764bf7ffbbf81b4d51d1bfd5e51929e7fb0460/solana/programs/example-native-token-transfers/src/queue/rate_limit.rs#L8

  2. I think it's safe to say that both of these cases would count as "disabled". If the rate limit is set to be the maximum possible integer value, there is no rate limit

  3. I wonder if we would add another check that's in the range of 2^32 or even smaller? To me that would still be very high for e.g. a 24h period

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah! Good ideas. I'm unsure if the rateLimit has values that are trimmed or not. I'll confirm this.

The 'delay' check is good! I'll add that in.

- Manager peers match
- Inbound rate limit for each chain is turned on
- Outbound rate limit is turned on
- Rate limit duration queue is greater than 24 hours
Copy link
Collaborator

@johnsaigle johnsaigle Apr 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should read 'greater than or equal to' given that we're using 86400 which is exactly 24 hours.

// console.log(await manager.program.account.registeredTransceiver.fetch(accounts[0].pubkey));
const managerConfig = await manager.getConfig();

managerData['mode'] = (managerConfig['mode'].locking == undefined ? 1 : 0); // Convert to an integer for later use
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if .locking is undefined this should be equal to 1? Is this used more like a boolean/enum for the mode of a contract or does this represent a count similar to your burn and lock variables below?

I think the comment here could be amended to mention what the 'later use' is

managerData['token'] = managerConfig['tokenProgram']
managerData['threshold'] = managerConfig['threshold'].valueOf() // The 'threshold' value
managerData['count'] = managerConfig.enabledTransceivers; // Amount of active transceivers
managerData['chainId'] = 1;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be helpful to add a note here that this is the "wormhole chain ID" for Solana.

- Consistency level is hardcoded on the Solana side to be 'finalized'. So, just hardcoding that here
*/
managerData['transceivers'] = [{
address: transceiver_address_buffer, isWormhole: true, consistencyLevel: 1, nttManager: managerAddress
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So consistencyLevel: 1 means finalized?


break;
}
catch{} // defaults to not adding it
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any chance you could log something here? Having a silent try-catch might hide some important errors

console.log(`ERROR: Transceiver inconsistent NTTManager Ownership: ${target['transceivers'][0]['address']}-${target_id}`);
}

continue;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a note here as to why the 'chain specific code' below is being skipped in this case?

continue;
}

// Don't feel this is necessary or proper. Depends on the use case.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this is a nice check, especially since you flag it as a warning rather than an error.

}

// Checking if the mint/burn setup is correct
if(Object.keys(chainData).length -1 != burn || lock != 1){
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it possible to do only a mint-and-burn model without a locking chain? I thought this was part of the architecture at least at a certain point of the design discussions.

It might be good to add a check for this. If you don't want to complicate this PR then maybe we could add it as an Issue

targetPeerAddress = BigNumber.from(0x000000000000000000000000000000000000000000000); // Can't find the addresss, since it doesn't exist
}
}else{
console.log("Invaild chain type in checkTransceivers");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
console.log("Invaild chain type in checkTransceivers");
console.log("Invalid chain type in checkTransceivers");

'finalized',
);

managerData['token'] = "0x" + bufferToHex(managerConfig['mint'].toBuffer());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth a comment here that the 0x prefix is being added for convenience to allow comparing Solana/Eth with the same functions.
It looks a little strange to see Solana addresses with a 0x in front since these aren't used in the ecosystem (and in fact program addresses are not hex-encoded but use base58).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants