
Feat/fallback selector security check #85

Merged
merged 15 commits into from
Jun 2, 2024

Conversation

@Aboudjem (Contributor) commented May 29, 2024

  • add new error: error FallbackSelectorForbidden();
  • The use of OnInstall + OnUninstall selector should be avoided as they can lead to security issues
  • Add a prettier run to the gas report script to avoid too much diff when pushing gas reports
  • lint fix
  • remove CI on push

@Aboudjem Aboudjem self-assigned this May 29, 2024
github-actions bot commented May 29, 2024

Changes to gas cost

Generated at commit: ccfddb76d023d458caa5615a93dc854824cb3893, compared to commit: 61cced585686781952cf972c60cd7d7e0966cee6

🧾 Summary (5% most significant diffs)

| Contract | Method | Avg (+/-) | % |
|---|---|---|---|
| (no entries) | | | |

Full diff report 👇

| Contract | Deployment Cost (+/-) | Method | Min (+/-) | % | Avg (+/-) | % | Median (+/-) | % | Max (+/-) | % | # Calls (+/-) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Nexus | 4,412,316 (+38,079) | execute | 6,368 (0) | 0.00% | 47,628 (+2) | +0.00% | 36,232 (0) | 0.00% | 143,146 (0) | 0.00% | 76 (0) |
| | | installModule | 27,921 (0) | 0.00% | 33,124 (+5) | +0.02% | 34,715 (0) | 0.00% | 38,844 (0) | 0.00% | 23 (0) |
| Bootstrap | 1,660,788 (+38,105) | | | | | | | | | | |

codecov bot commented May 29, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.78%. Comparing base (61cced5) to head (3a03ad7).

Additional details and impacted files
@@            Coverage Diff             @@
##              dev      #85      +/-   ##
==========================================
+ Coverage   86.73%   86.78%   +0.05%     
==========================================
  Files          35       35              
  Lines         769      772       +3     
  Branches      107      108       +1     
==========================================
+ Hits          667      670       +3     
  Misses         88       88              
  Partials       14       14              
| Flag | Coverage Δ |
|---|---|
| foundry | 71.85% <50.00%> (-0.03%) ⬇️ |
| hardhat | 86.78% <100.00%> (+0.05%) ⬆️ |


Review comment on these lines of the diff:

// Revert if the selector is either `onInstall(bytes)` (0x6d61fe70) or `onUninstall(bytes)` (0x8a91b0e3)
// These selectors are forbidden as they can lead to security vulnerabilities
// and unexpected behavior during fallback handler installation.

Contributor (reviewer) commented:

can you describe what's the unexpected security behavior?

@Aboudjem (Contributor, author) replied:

"If it's added as a fallback method, anyone can uninstall and reinstall the module. If it's a validator, this will most likely pwn the account"
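The check discussed in this thread, written out as an added illustration (not Nexus code): an ERC-7579-style account that refuses to register a fallback handler on the module lifecycle selectors, with the hard-coded selector values cross-checked against the ABI signatures. The contract, mapping, `initData` layout and the second error are assumptions; only the two selectors, their signatures and `FallbackSelectorForbidden` come from the PR.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration, not Nexus code. Everything except the two lifecycle
// selectors and the FallbackSelectorForbidden error is an assumption.
contract FallbackSelectorGuard {
    error FallbackSelectorForbidden();
    error FallbackAlreadyInstalledForSelector(bytes4 selector); // assumed

    // Derived from the IModule ABI signatures so the literals quoted in the diff
    // (0x6d61fe70 / 0x8a91b0e3) are verified at compile time rather than trusted.
    bytes4 internal constant ON_INSTALL_SELECTOR = bytes4(keccak256("onInstall(bytes)"));
    bytes4 internal constant ON_UNINSTALL_SELECTOR = bytes4(keccak256("onUninstall(bytes)"));

    mapping(bytes4 selector => address handler) private _fallbackHandlers;

    constructor() {
        // Sanity check: the constants must match the values the check is keyed on.
        assert(ON_INSTALL_SELECTOR == bytes4(0x6d61fe70));
        assert(ON_UNINSTALL_SELECTOR == bytes4(0x8a91b0e3));
    }

    /// @dev Assumed initData layout: 4-byte selector followed by handler-specific data.
    ///      Meant to be called from the account's authorized installModule path,
    ///      which is why it is internal and carries no access control of its own.
    function _installFallbackHandler(address handler, bytes calldata initData) internal {
        bytes4 selector = bytes4(initData[0:4]);

        // Per the PR discussion, a handler registered on either lifecycle selector
        // lets anyone uninstall and reinstall the module; for a validator that
        // compromises the account. Reject such registrations outright.
        if (selector == ON_INSTALL_SELECTOR || selector == ON_UNINSTALL_SELECTOR) {
            revert FallbackSelectorForbidden();
        }
        if (_fallbackHandlers[selector] != address(0)) {
            revert FallbackAlreadyInstalledForSelector(selector);
        }
        _fallbackHandlers[selector] = handler;
    }

    function getFallbackHandler(bytes4 selector) external view returns (address) {
        return _fallbackHandlers[selector];
    }
}
```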

openzeppelin-code bot commented Jun 1, 2024

Feat/fallback selector security check

Generated at commit: 3a03ad7302761296e8e5f3552394b355f8bc6846

🚨 Report Summary

| Results | Critical | High | Medium | Low | Note | Total |
|---|---|---|---|---|---|---|
| Contracts | 0 | 2 | 0 | 6 | 23 | 31 |

For more details view the full report in OpenZeppelin Code Inspector

github-actions bot commented Jun 2, 2024

🤖 Slither Analysis Report 🔎

Slither report

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results.

Summary

_This comment was automatically generated by the GitHub Actions workflow._

@livingrockrises livingrockrises merged commit 6d6bf3b into dev Jun 2, 2024
10 checks passed
@livingrockrises livingrockrises deleted the feat/fallback-selector-security-check branch June 2, 2024 13:50