Restrict adapter calls to registered agents only#1730
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1730 +/- ##
==========================================
+ Coverage 75.20% 78.80% +3.59%
==========================================
Files 24 24
Lines 996 1000 +4
Branches 186 188 +2
==========================================
+ Hits 749 788 +39
+ Misses 223 186 -37
- Partials 24 26 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| Agent(payable(msg.sender)).GATEWAY() == GATEWAY, | ||
| "Caller is not a registered Gateway Agent" |
There was a problem hiding this comment.
| Agent(payable(msg.sender)).GATEWAY() == GATEWAY, | |
| "Caller is not a registered Gateway Agent" | |
| IGatewayV2(GATEWAY).isAgent(msg.sender), | |
| "Caller is not a registered Gateway Agent" |
Otherwise someone can deploy a contract that returns the expected GATEWAY address from a GATEWAY() function without actually being a real Agent.
There was a problem hiding this comment.
Nice catch!
It seems we don't have IGatewayV2(GATEWAY).isAgent(msg.sender) implemented yet? To achieve this, I assume we would need an additional mapping from agent address to ID in storage?
There was a problem hiding this comment.
I feel this is valid flaw, but if someone went to all that trouble to deploy a Fake Agent contract which claimed to be a valid Agent with our Gateway, they would still only affect their own fake agent right?
This is only some extra hardening so make sure average users don't misuse the L1 Wrapper and hurt themselves. My understanding is that there is no threat to valid agents or the gateway here.
3 participants
No description provided.