Remediation of Issues from Filecoin Solidity Audit by Zellic #66
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…cross CBOR contracts
….sol Switched back to using deserializeBigInt for balance, locked, storage_price_per_epoch, provider_collateral, and client_collateral fields to fix deserialization issues and pass all tests.
- Replaced uint256 with uint64 for consistent buffer allocation in capacity calculation and initialization. - Added safety check to prevent array length overflow beyond uint64 limits. - Ensured proper serialization of new_control_addresses without potential truncation. Addresses buffer allocation type mismatch warning.
- Replaced all `assert` statements with `if` checks followed by `revert` and custom errors from `Errors.sol` - Implemented specific custom errors: - `InvalidArrayLength(uint256 expected, uint256 actual)` - `InvalidBooleanType()` - `ExpectedMajorByteString()` - `ExpectedNegativeBigNumTag()` - `ExpectedLowValue27()` - Ensured proper import of `Errors.sol` across relevant CBOR modules - Preserved original indentation and code formatting for readability - Improves error handling consistency and prevents `Panic` exceptions This change aligns with Solidity best practices by using custom errors for more efficient and descriptive error handling.
snissn
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR: Remediation of Issues from Filecoin Solidity Audit by Zellic
Overview
This PR implements fixes and improvements based on the security assessment conducted by Zellic for the Filecoin Solidity project. The audit identified seven issues, categorized as one medium, two low, and four informational. All findings have been remediated as detailed in the audit report.
Summary of Changes
The following changes were made to address the audit findings:
Replaced
assertwithifchecks +revertusing custom errorsPanicexceptions and ensures proper error messaging.Errors.sol:InvalidArrayLength(uint256 expected, uint256 actual)InvalidBooleanType()ExpectedMajorByteString()ExpectedNegativeBigNumTag()ExpectedLowValue27()Commit 72285939
Standardized BigInt deserialization with
deserializeBytesBigIntdeserializeBigIntwithdeserializeBytesBigIntacross CBOR contracts.Commit 09f2f205
Commit ff0b3868
Fixed buffer allocation type mismatch in
serializeChangeWorkerAddressParamsuint256touint64to prevent truncation issues.Commit acf7e81e
Fixed capacity miscalculation in
serializeExtendClaimTermsParamsCommit 14d60cec
Enforced strict array length checks in deserialization
deserializeGetDealDataCommitmentReturnto enforce expected array length instead of silently discarding extra entries.Commit 1eabac47
Added validation for BigInt sign byte in deserialization
0x00or0x01allowed).Commit 9bf88179
Fixed type mismatch in universal receiver params struct
UniversalReceiverParams.type_asuint32.Commit d6bc37bc
Audit Summary
Impact
These changes improve the robustness and security of the Filecoin Solidity library by: