Skip to content

feat(validation_logic): disable auto set asset as collateral #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 31, 2025
Merged

feat(validation_logic): disable auto set asset as collateral #40

merged 3 commits into from
Jul 31, 2025

Conversation

@matchv
Copy link
Collaborator

@matchv matchv commented Jul 30, 2025

The purpose is to mitigate griefing and/or DOS attacks.

  • Enhance protocol security and user experience by requiring explicit collateral activation
  • Users must now manually call set_user_use_reserve_as_collateral to enable collateral
  • Update all related test cases to reflect new manual collateral activation behavior
  • Provide users with full control over their collateral settings

Files modified:

  • sources/aave-logic/validation_logic.move: Core logic improvement
  • tests/aave-logic/*.move: Test case adaptations for new behavior
  • tests/aave-pool/*.move: Pool-related test updates
  • tests/aave-periphery/*.move: Periphery test updates

Breaking change: Users must now explicitly enable collateral after supply/transfer/liquidation operations

@matchv
feat(validation_logic): improve user control by disabling auto-collat…
3e5e8a6 
…eralization

- Enhance protocol security and user experience by requiring explicit collateral activation
- Users must now manually call set_user_use_reserve_as_collateral to enable collateral
- Eliminate potential state inconsistencies and improve protocol predictability
- Update all related test cases to reflect new manual collateral activation behavior
- Provide users with full control over their collateral settings

This improvement:
- Reduces protocol complexity and potential edge cases
- Improves user control and account state management
- Enhances protocol reliability and safety
- Slightly increases user operation steps but greatly improves protocol predictability

Files modified:
- sources/aave-logic/validation_logic.move: Core logic improvement
- tests/aave-logic/*.move: Test case adaptations for new behavior
- tests/aave-pool/*.move: Pool-related test updates
- tests/aave-periphery/*.move: Periphery test updates

Breaking change: Users must now explicitly enable collateral after supply/transfer/liquidation operations
@matchv matchv requested review from meng-xu-cs and mpsc0x as code owners July 30, 2025 04:29
@codecov
Copy link

codecov bot commented Jul 30, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.89%. Comparing base (6356330) to head (f4b4285).
⚠️ Report is 14 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #40      +/-   ##
==========================================
- Coverage   97.08%   96.89%   -0.19%     
==========================================
  Files          16       16              
  Lines         514      515       +1     
==========================================
  Hits          499      499              
- Misses         15       16       +1
Flag Coverage Δ
move 96.89% <ø> (-0.19%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

mpsc0x
mpsc0x previously approved these changes Jul 30, 2025
View reviewed changes
@mpsc0x
Copy link
Collaborator

mpsc0x commented Jul 30, 2025

@matchv Please fix the typescript int. test too +rebase to get rid of hte npm failed audits.

meng-xu-cs
meng-xu-cs previously approved these changes Jul 31, 2025
View reviewed changes
@mpsc0x mpsc0x dismissed stale reviews from meng-xu-cs and themself via 7df7baa July 31, 2025 11:53
@mpsc0x mpsc0x force-pushed the mike/improve/150-285 branch from 3e5e8a6 to 7df7baa Compare July 31, 2025 11:53
matchv added 2 commits July 31, 2025 22:09
@matchv
fix(test-suite): adapt TypeScript integration tests for manual collat…
2201234 
…eral activation

- Update all TypeScript integration tests to manually call setUserUseReserveAsCollateral
- Ensure proper collateral setup before borrow, liquidation, and withdraw operations
- Fix test failures caused by disabled auto-collateralization feature
- Maintain test coverage while adapting to new security improvements

Test files updated:
- borrow.spec.ts: Add manual collateral activation before borrow operations
- liquidation.spec.ts: Ensure collateral is properly set for liquidation scenarios
- liquidation-underlying.spec.ts: Fix underlying asset liquidation tests
- withdraw.spec.ts: Add collateral setup for withdrawal operations
- repay.spec.ts: Update repayment test collateral handling
- repay-atoken.spec.ts: Fix aToken repayment test collateral setup
@matchv
fix(deps): resolve ESLint plugin security vulnerability
f4b4285 
- Update @eslint/plugin-kit from <0.3.4 to >=0.3.4 to fix Regular Expression Denial of Service vulnerability
- Add security override in pnpm-workspace.yaml to enforce minimum secure version
- Update pnpm-lock.yaml with patched dependency versions
- Fix GitHub CI pipeline failure caused by security audit

Security fix:
- Addresses GHSA-xffm-g5w8-qvg7 vulnerability in ConfigCommentParser
- Prevents potential ReDoS attacks through malicious regex patterns
- Ensures development environment security compliance

Files modified:
- pnpm-workspace.yaml: Add security override for @eslint/plugin-kit
- pnpm-lock.yaml: Update dependency lock file with secure versions

This fix resolves the CI pipeline failure and ensures all dependencies meet security requirements.
@matchv matchv force-pushed the mike/improve/150-285 branch from a802487 to f4b4285 Compare July 31, 2025 15:16
@mpsc0x mpsc0x merged commit a08f62b into main Jul 31, 2025
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@meng-xu-cs meng-xu-cs meng-xu-cs approved these changes

@mpsc0x mpsc0x mpsc0x approved these changes

Assignees

@matchv matchv

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@matchv @mpsc0x @meng-xu-cs