MF-L02-I03-I04_I05: fix(contracts): add more Node trust assumptions and requirements #738
- Fix stale SigQuorum comment on UserState field in AppSessionsV1SubmitDepositStateRequest (I-05)
- Add Trust Assumptions section to SECURITY.md documenting Node as off-chain transfer intermediary, Node off-chain credit accounting, and signature validator selection trust; consolidate scattered trust assumptions from Invariants and Signature Validation sections (I-03)
- Document on-chain vs off-chain EIP-191/raw-ECDSA signature domain asymmetry in SECURITY.md and protocol-description.md (I-04)
small closure question: the pr body says this pr's |
…on to security-and-limitations.md
@ihsraham, thanks for spotting the "L-02" finding discrepancy. I have already edited the description to reflect the correct "L-03" one.
ihsraham
left a comment
approved, this now closes L-03, I-03, I-04, and I-05 for the stated doc and comment fixes.
- MF-L01: fix(contracts/ChannelHub): cap ERC20 transfer returndata copy to 32 bytes (#726)
- MF-H01: fix(nitronode): paginate get_last_key_states endpoints (#724)
- MF-I01-I02: fix(contracts): address security audit findings I-01 and I-02 (#728)
- MF-C01: rpc: cap inbound WebSocket frame size and rate-limit per connection (#723)
- MF-L02: docs(protocol): qualify enforcement guarantee for intent-specific execution paths (#737)
- MF-L02-I03-I04_I05: fix(contracts): add more Node trust assumptions and requirements (#738)
- MF-M01: backfill state user_sig from on-chain events (#731)
- MF-M02: fix(rpc): release Serve wait group on processSink overflow (#732)
- Fix SDK acknowledgement before home channel creation (#734)
- MF-I06: fix(nitronode): gate escrow transitions on home channel onchain materialization (#730)
- MF-M05: fix(nitronode): enforce TLS by default for Postgres (#733)
- MF-M07: Unblock receiver states after finalized escrow operations (#735)
- MF-M04: feat: provide tooling for and enhance docs on ValidatorRegistered event (#744)
- MF-L04: fix(contracts): reject redundant native value (#741)
- MF-H02: bind session key registration to a single owner per kind (#739)
- MF-I07: fix(contracts): enforce max challenge duration (#752)
- MF-M08: fix(rpc): replace Origin label with application_id on connection gauge (#745)
- MF-C02: fix(core): add ChannelStatusClosing to gate post-finalize state transitions (#746)
- MF-L06: fix(contracts): clear stale challengeExpireAt on cooperative escrow finalization (#754)
- MF-I08: docs: document ChannelClosed event orientation ambiguity during abandoned migration (#755)
- MF-M09: fix(nitronode): auto-challenge home channel on withheld escrow finalize (#753)
- MF-L09: fix(nitronode): validate parsed app session nonce (#751)
- MF-L05: docs(contracts): document informational events not guaranteed to emit (#756)
- MF-L08: fix(nitronode/api): default get_last_key_states to active-only with include_inactive opt-in (#749)
- MF-L10: fix: emit escrowIds array in EscrowDepositsPurged event and handle it in Nitronode (#757)
Summary
- IERC20Metadata.decimals()—validateTokenDecimals() reverts with FailedToFetchDecimals for tokens that omit this optional ERC-20 extension. Updated contracts/SECURITY.md (new subsection), contracts/src/Utils.sol (NatSpec), and protocol-description.md (token compatibility bullet).
- Trust Assumptions section to contracts/SECURITY.md documenting three explicit Node trust requirements: off-chain transfer routing, off-chain credit accounting, and signature validator selection. Consolidated scattered trust statements from the Invariants and Signature Validation sections.
- contracts/SECURITY.md (new subsection) and protocol-description.md (new security property bullet). All clients must use EIP-191.
- SigQuorum comment on the UserState field in AppSessionsV1SubmitDepositStateRequest (pkg/rpc/api.go).