🛡️ Not All Storage Elements Are Exposed Through Queries

[ccamel]

Note

Severity: Low
target: v5.0.0 - Commit: cde785fbd2dad71608d53f8524e0ef8c8f8178af
Ref: OKP4 CosmWasm Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The Cognitarium and Objectarium contracts exhibit limitations in their query functionalities. This forces users and other contracts to perform a raw query to read the stored value, tying their code to the current implementation of the cognitarium contract, which is error-prone.

• Cognitarium Contract Limitations: This contract lacks query functions for critical state variables such as NAMESPACE_KEY_INCREMENT and BLANK_NODE_IDENTIFIER_COUNTER. These variables are fundamental for tracking the increments of namespace keys and the identifiers for blank nodes, pivotal for organizing and retrieving semantic data. The absence of query functions for these variables restricts the ability to monitor and manage internal state changes effectively.
• Objectarium Contract Limitations: Similarly, the Objectarium contract does not provide adequate query functions for accessing important metadata about buckets, such as the owner details, statistics (size, compressed_size, object_count), and other configuration parameters. This limitation hinders users or applications from retrieving essential information that could assist in assessing the usage, management, and ownership of buckets.

Recommendation

We recommend exposing a smart query that returns the above-mentioned elements.

[ccamel]

1. Cognitarium

As far as the Cognitarium contract is concerned, the limitations on the state variables mentioned (NAMESPACE_KEY_INCREMENT and BLANK_NODE_IDENTIFIER_COUNTER) are, in my view, implementation details, and as such should not be exposed, and moreover may change in the future. Additionally, as mentioned in the audit report, it is still possible to make targeted raw queries.

For instance, the NAMESPACE_KEY_INCREMENT can be retrieved as follows:

➜ okp4d query wasm contract-state raw okp41cd4zj2hw48mwyc4h2knlk863q7sg534j8z4lfpphulaxvsmv3jhsphstwf $(echo -n "namespace_key" | xxd -p) --node https://api.drunemeton.okp4.network:443/rpc --output json | jq -r ".data | @base64d"
"19"

However, this approach is suitable for diagnostic or specific analysis purposes, which require a good understanding of the implementation of the smart contract.

2. Objectarium

Regarding the Objectarium contract, it is true that statistics should be returned with the information about the bucket. This would allow users or applications to retrieve essential information necessary for assessing usage, management, and ownership of the buckets.