fix: add paginated device retrieval to prevent DoS on unbounded array return #41
Open
pradhyum6144 wants to merge 2 commits into c2siorg:main from
…ion to mintOriginal

The mintOriginal() function previously accepted a plain string signature parameter and stored it without any on-chain verification, allowing anyone with an active device address to mint with a fake signature. This commit adds cryptographic proof that the device actually signed the mint request.

Changes:
- Inherit OpenZeppelin EIP712 in LensMintERC1155 with domain "LensMintERC1155" v1
- Add ECDSA.recover verification against EIP-712 typed data digest in mintOriginal()
- Add mapping(bytes32 => bool) usedImageHashes to prevent replay of the same image
- Add per-device nonce tracking for additional replay protection
- Change mintOriginal() signature to accept (bytes32 imageHash, uint8 v, bytes32 r, bytes32 s)
- Expose domainSeparator() view for off-chain signing compatibility
- Add 15 Foundry tests covering valid signing, replay rejection, tampered params, wrong signer, wrong nonce, unregistered/deactivated device scenarios
- Update existing MintEditionDebug tests to use EIP-712 vm.sign flow
- Update web3Service.js with EIP-712 signTypedData and new contract ABI
- Fix evm_version paris -> cancun in foundry.toml (resolves mcopy errors)

Closes c2siorg#2
…bounded array return

getAllDevices() returns the entire registeredDevices array in one call, which causes out-of-gas errors at scale. This adds a paginated alternative that accepts offset and limit parameters, returning a bounded slice plus the total count for client-side paging.

- Add getDevicesPaginated(uint256 _offset, uint256 _limit) view function
- Handles edge cases: offset beyond length, zero limit, limit > remaining
- 12 Foundry tests: basic paging, truncation, edge cases, 2 fuzz tests
- getAllDevices() kept for backward compatibility

Addresses c2siorg#14
Summary
The problem
getAllDevices() returns the entire registeredDevices array in one call. As devices scale, this hits the block gas limit and causes out-of-gas reverts (Issue #14).
PR #18 (LSUDOKO) addresses this at the Node.js server layer. This PR fixes it at the contract level, where the root cause lives.
What changed
DeviceRegistry.sol
New function:
DeviceRegistryPagination.t.sol - 12 tests
All 12 tests pass. Fuzz: 256 runs per test.
Test plan
Addresses #14
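
A sketch of the bounded-slice pattern described above, as an added example that is not the PR's or the project's code. The contract name, the `register` helper, the `address` element type and the `MAX_PAGE_SIZE` cap are assumptions for illustration; only the `getDevicesPaginated(uint256 _offset, uint256 _limit)` signature and the three edge cases come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: a registry with an unbounded getter beside a paginated one.
contract PaginatedRegistrySketch {
    // Assumption: devices are stored as addresses in an append-only array.
    address[] private registeredDevices;

    // Assumption: a hard ceiling on page size, so the work done per call
    // stays bounded even when the caller passes a very large _limit.
    uint256 public constant MAX_PAGE_SIZE = 100;

    // Hypothetical helper so the sketch is usable; a real registry would
    // restrict who may call this.
    function register(address device) external {
        registeredDevices.push(device);
    }

    // Unbounded form: copies the whole array, so cost grows with every
    // registration and the call eventually runs out of gas.
    function getAllDevices() external view returns (address[] memory) {
        return registeredDevices;
    }

    // Bounded form: returns at most min(_limit, remaining, MAX_PAGE_SIZE)
    // entries starting at _offset, plus the total for client-side paging.
    function getDevicesPaginated(uint256 _offset, uint256 _limit)
        external
        view
        returns (address[] memory page, uint256 total)
    {
        total = registeredDevices.length;

        // Edge cases: offset beyond length, or zero limit -> empty page.
        if (_offset >= total || _limit == 0) {
            return (new address[](0), total);
        }

        // Edge case: limit > remaining -> truncate to what is left.
        // The subtraction cannot underflow because _offset < total here.
        uint256 remaining = total - _offset;
        uint256 size = _limit < remaining ? _limit : remaining;
        if (size > MAX_PAGE_SIZE) size = MAX_PAGE_SIZE;

        page = new address[](size);
        for (uint256 i = 0; i < size; i++) {
            page[i] = registeredDevices[_offset + i];
        }
    }
}
```

A client pages by advancing the offset by the length of each returned page until the offset reaches the returned total.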