Skip checks for defined appCodes #4118
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a mechanism to bypass signature and balance checks for orders from specified applications using an appCode. However, the implementation has several security vulnerabilities: it allows regular ECDSA orders to bypass critical security checks, the appCode is user-controlled and can be spoofed, and an unbounded cache could lead to a Denial of Service. Additionally, there is a race condition in the appCode caching logic that can lead to redundant work. It is recommended to restrict the bypass to EIP-1271 orders, verify the app_data hash, and use a bounded cache.
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
from
f30e6c2 to
417b044
Compare
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
from
d277f7d to
05c1b38
Compare
There was a problem hiding this comment.
Code Review
This pull request adds a feature to bypass balance and signature checks for orders from specified appCode sources. However, the current implementation introduces significant security vulnerabilities, including an unauthenticated filter bypass where the user-provided appCode can be easily spoofed, and a potential Denial of Service due to unbounded cache growth that could lead to memory exhaustion. Additionally, the implementation in AppCodeBypass::build_bypass_set contains critical syntax errors where if let is incorrectly combined with a boolean condition using &&, which will cause compilation to fail.
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
from
9b8cc52 to
c8eb853
Compare
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
2 times, most recently
from
c4d143f to
3ce6a12
Compare
MartinquaXD
left a comment
MartinquaXD
left a comment
There was a problem hiding this comment.
The change looks alright to me. Regarding the issue with the attack vector:
This change is only supposed to unlock certain complicated order setups ASAP. IMO in the long term we should refactor the balance checking logic to be compatible with all the feature we offer. But this will be quite a bit more work.
| if order.app_data.flashloan().is_some() { | ||
| // If an order requires a flashloan we assume all the necessary | ||
| // sell tokens will come from there. But the receiver must be the | ||
| // settlement contract because that is how the driver expects | ||
| // the flashloan to be repaid for now. | ||
| return order.receiver.as_ref() == Some(settlement_contract); | ||
| } |
There was a problem hiding this comment.
Could you also remove this part while you are at it. Since the redesign of Aave's repayment flow this is requirement is no longer correct.
There was a problem hiding this comment.
Changed to
if let Some(fetched_app_data) = app_data.get(&order.app_data.hash()) {
order.app_data = fetched_app_data.clone().into();
if order.app_data.flashloan().is_some() {
return true;
}
}
kaze-cow
left a comment
kaze-cow
left a comment
There was a problem hiding this comment.
I haven't actually carefully reviewed the code itself. But I was able to incorporate these changes into the feat/playground-use-staging branch and verified that after adding the necessary environment variable settings to indicate Euler appcode as an exclusion, the orders are succeeding to process. Any further changes in that branch are just log changes, etc.
Thanks @fafk !
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
from
e3dc70c to
f87553f
Compare
There was a problem hiding this comment.
Code Review
This pull request introduces a mechanism to bypass balance checks for certain orders and removes some now-obsolete configuration flags. However, the implementation of the balance check bypass is currently unrestricted, allowing any user to bypass these checks by including a wrapper in their AppData, posing a high risk of Denial of Service (DoS). The removal of EIP-1271 signature validation in the autopilot service also reduces defense-in-depth. Additionally, a critical logic issue was found in the new caching implementation, and there's a discrepancy between the intended appCode filtering and the actual wrappers-based implementation. It is recommended to implement the restricted appCode filtering, retain signature validation, and resolve the caching logic.
squadgazzz
left a comment
squadgazzz
left a comment
There was a problem hiding this comment.
@fafk could you update the PR description? I assume it doesn't reflect the changes anymore, so it's hard to understand the reasoning behind.
Done, thanks! I reworked the whole PR and forgot to update the desc. 🙇 |
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
2 times, most recently
from
18c0223 to
70ab1cd
Compare
Resolve conflicts: take NativePriceUpdater rename from main, keep signature_validator removal from branch, remove unused IndexSet.
fafk
force-pushed
the
skip-checks-for-defined-apps
branch
from
70ab1cd to
d5716be
Compare
5 participants
Description
For the integration with Euler we want to skip balance checks, because the order will get the necessary funds from wrapper execution. This PR skip balance checks where wrappers are defined, mirroring what we do for flash loans with flash loan hints.
Signature checks are skipped for all 1271 orders, but kept for presign/Eip712 as these should always be valid independent of prehooks/wrappers. We have been running this way in prod for a while and I just cleaned up the flags.
Changes
How to test
Unit tests.