Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BBB-01 | Lack Of Input Validation #3171 #3279

Open
wants to merge 3 commits into
base: future/peggy2
Choose a base branch
from
Open

BBB-01 | Lack Of Input Validation #3171 #3279

wants to merge 3 commits into from

Conversation

Brando753
Copy link
Contributor

Added input validation on BridgeBank _initialize function.

@Brando753
BBB-01 | Lack Of Input Validation #3171
af13c11 
Added input validation on BridgeBank _initialize function.
@banshee
Copy link
Contributor

banshee commented Sep 23, 2022

Should we also add:

diff --git a/smart-contracts/contracts/BridgeBank/BridgeBank.sol b/smart-contracts/contracts/BridgeBank/BridgeBank.sol
index e9757073a..f48bdbdbc 100644
--- a/smart-contracts/contracts/BridgeBank/BridgeBank.sol
+++ b/smart-contracts/contracts/BridgeBank/BridgeBank.sol
@@ -147,7 +147,9 @@ contract BridgeBank is BankStorage, CosmosBank, EthereumWhiteList, CosmosWhiteLi
     require(_operator != address(0), "invalid _operator address");
     require(_cosmosBridgeAddress != address(0), "invalid _cosmosBridgeAddress address");
     require(_owner != address(0), "invalid _owner address");
+    require(_pauser != address(0), "invalid _pauser address");
     require(_networkDescriptor >= 0 && _networkDescriptor <= 9999, "invalid _networkDescriptor");
+    require(_rowanTokenAddress != address(0), "invalid _rowanTokenAddress address");
 
     Pausable._pausableInitialize(_pauser);

@banshee
Copy link
Contributor

banshee commented Sep 23, 2022

And should we shorten the error strings?

diff --git a/smart-contracts/contracts/BridgeBank/BridgeBank.sol b/smart-contracts/contracts/BridgeBank/BridgeBank.sol
index e9757073a..ca3528a8b 100644
--- a/smart-contracts/contracts/BridgeBank/BridgeBank.sol
+++ b/smart-contracts/contracts/BridgeBank/BridgeBank.sol
@@ -144,10 +144,12 @@ contract BridgeBank is BankStorage, CosmosBank, EthereumWhiteList, CosmosWhiteLi
     address _rowanTokenAddress
   ) private {
     
-    require(_operator != address(0), "invalid _operator address");
-    require(_cosmosBridgeAddress != address(0), "invalid _cosmosBridgeAddress address");
-    require(_owner != address(0), "invalid _owner address");
-    require(_networkDescriptor >= 0 && _networkDescriptor <= 9999, "invalid _networkDescriptor");
+    require(_operator != address(0), "_operator");
+    require(_cosmosBridgeAddress != address(0), "_cosmosBridgeAddress");
+    require(_owner != address(0), "_owner");
+    require(_pauser != address(0), "_pauser");
+    require(_networkDescriptor >= 0 && _networkDescriptor <= 9999, "_networkDescriptor");
+    require(_rowanTokenAddress != address(0), "_rowanTokenAddress");
 
     Pausable._pausableInitialize(_pauser);

@banshee banshee added Peggy Team Peggy team task Peggy2 Audit - Sifnode Issue Issue that came out of the Peggy2 audits that requires remediation by Sifnode Peggy 2.0 An issue blocking the Peggy 2.0 release labels Sep 23, 2022
smartyalgo
smartyalgo reviewed Sep 26, 2022
View reviewed changes
smart-contracts/contracts/BridgeBank/BridgeBank.sol Outdated
require(_operator != address(0), "invalid _operator address");
require(_cosmosBridgeAddress != address(0), "invalid _cosmosBridgeAddress address");
require(_owner != address(0), "invalid _owner address");
require(_networkDescriptor >= 0 && _networkDescriptor <= 9999, "invalid _networkDescriptor");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

network descriptor of 0 shouldn't be allowed. It is the default when not specified.

smartyalgo
smartyalgo suggested changes Sep 26, 2022
View reviewed changes
Copy link
Contributor

@smartyalgo smartyalgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not required for this ticket, we should add the same checks for

@Brando753 Brando753 mentioned this pull request Sep 29, 2022
Open
@Brando753
Copy link
Contributor Author

Null address is a valid RowanAddress as this value would only be set on Ethereum which is the network which held eRowan.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smartyalgo smartyalgo smartyalgo requested changes

@banshee banshee banshee approved these changes

@juniuszhou juniuszhou Awaiting requested review from juniuszhou

Assignees
No one assigned
Labels
Peggy Team Peggy team task Peggy2 Audit - Sifnode Issue Issue that came out of the Peggy2 audits that requires remediation by Sifnode Peggy 2.0 An issue blocking the Peggy 2.0 release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Brando753 @banshee @smartyalgo