-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(sequencer)!: refactor authorization checks for use in mempool logic #1713
base: main
Are you sure you want to change the base?
Conversation
b9c4815
to
47982cc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have pretty big reservations about this change because it breaks away from the reason we merged check & execute in the first place (namely TOCTOU).
It's also a very large conceptual change change from how we execute transactions. This change does not seem motivated by fixing issues in the execution flow, but is driven by requirements of another component.
Finally, this change moves the state reads in the mempool yet again closer to full execution.
At this point, is there even a lot of extra steps left in check_and_execute
that the extra logic in the mempool?
Is TOCTOU a problem here? We're running the same checks for authorization in both the mempool and in the There is a large overlap between the work that is being done during execution and work done in the mempool checks, I'm not sure how to get around that without re-introducing the TOCTOU issue. |
I partially misunderstood the PR then (because I misread the diff), but that makes my reservations stronger: While the mempool had a very limited subset of checks run in its early days, the fact that it starts to run more and more parts of the full execution pipeline is worrisome. How do you propose to keep the checks that are being run in both cases in sync? |
The auth code is still ran during execution, I just refactored it to a different method on the |
async fn check_and_execute<S: StateWrite>(&self, mut state: S) -> Result<()> { | ||
// Add the current signed transaction into the ephemeral state in case | ||
// downstream actions require access to it. | ||
// XXX: This must be deleted at the end of `check_stateful`. | ||
let mut transaction_context = state.put_transaction_context(self); | ||
|
||
// check authorization | ||
self.check_authorization(&state, self.address_bytes()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The authorization checks are still being ran during execution here @SuperFluffy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the wrong place to call it. The ActionHandler for Transaction
trait delegates to its inner actions.
The idea is that checks and executions are atomic on a per-action level.
This is not atomic and on top of it surprising: why is authorization handled at the transaction but not the action level?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok I see what you mean by calling it in the wrong place. I'll refactor it
I commented on that code. This is a TOCTOU issue which was flagged in an audit and subsequently addressed. Instead of doing the checks atomically this patch is reverting the logic to the status quo ante. It is incompatible with the execution design. |
a94356d
to
d1fba2f
Compare
@SuperFluffy, is this refactor closer to something that is in line with our execution design? I still refactored out the authority checks but this time I wrote it as a new handler similar to the It now runs the checks per-action inside of |
This PR is stale because it has been open 45 days with no activity. Remove stale label or this PR will be |
Summary
We want to be able to reject transactions from the mempool which have incorrect signers for authority actions. In the old code the authentication checks were mixed in with the action execution logic. This PR refactors the authentication checks out of the
ActionHandler::check_and_execute()
and into a new handlerAuthenticationHandler()
, similar to the already existingFeeHandler
.Background
We'd like a way to fail transactions in the mempool's
handle_check_tx()
that will not pass authorization checks.Changes
AuthenticationHandler
.Action
in a transaction.IBC
andIcs20Withdraw
actions.Testing
Metrics
check_tx_duration_seconds_check_authorization
.Breaking Changelist
Changelog
Updated changelog.