fix(agglayer): replace NoAuth with NetworkAccount on bridge and faucet#2818
Draft
partylikeits1983 wants to merge 4 commits intoajl-network-account-componentfrom
Draft
fix(agglayer): replace NoAuth with NetworkAccount on bridge and faucet#2818partylikeits1983 wants to merge 4 commits intoajl-network-account-componentfrom
NoAuth with NetworkAccount on bridge and faucet#2818partylikeits1983 wants to merge 4 commits intoajl-network-account-componentfrom
Conversation
Closes #2797. Installs the NetworkAccount auth component (added in #2817) on both the AggLayer bridge and the AggLayer faucet, with per-account whitelists of input-note script roots. This closes the forged-MINT attack surface: an attacker can no longer finalize an arbitrary transaction against the bridge and emit a bridge-authored MINT note. Whitelists: - Bridge: CLAIM, B2AGG, CONFIG_AGG_BRIDGE, UPDATE_GER - Faucet: MINT, BURN Changes: - crates/miden-agglayer/src/lib.rs: swap NoAuth for NetworkAccount in create_bridge_account, create_existing_bridge_account, create_agglayer_faucet, create_existing_agglayer_faucet. Add helper functions bridge_note_whitelist() and faucet_note_whitelist(), plus a claim_script_root() accessor mirroring the other note wrappers. - crates/miden-agglayer/build.rs: compute BRIDGE_CODE_COMMITMENT and FAUCET_CODE_COMMITMENT using NetworkAccount (whitelist contents do not affect the commitment, so an empty whitelist suffices). - crates/miden-testing/tests/agglayer/network_account_regression.rs: two regression tests that replay the #2797 attack paths (tx-script rejection and non-whitelisted-note rejection) against a bridge account built with the production `create_existing_bridge_account` helper. Depends on #2816 (kernel tx_get_script_root) and #2817 (NetworkAccount component).
partylikeits1983
changed the title
NoAuth with NetworkAccount on bridge and faucet
…d comments
- Rename bridge_rejects_tx_script_after_2797_fix ->
bridge_rejects_tx_script and bridge_rejects_non_whitelisted_input_note_after_2797_fix ->
bridge_rejects_non_whitelisted_input_note; the suffixes referenced a PR number that will not
age well.
- Rewrite the module-level doc comment to describe the attack
("forged-MINT attack") instead of linking out to issue and PR numbers, which rot.
- Drop the build.rs comment about the whitelist being irrelevant to
the code commitment; the surrounding "dummy metadata for code commitment"
context already explains why empty placeholder values are fine here.
partylikeits1983
added
agglayer
Collaborator
|
Note: this and the supporting PR(s) should be cherry-picked into the |
Contributor
|
I think this PR is a requirement before we can remove My understanding is this PR deals with the bridge and agglayer faucet, so the next step after this PR is to migrate the network fungible faucet (as created by |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #2797.
Installs the
NetworkAccountauth component (added in #2817) on both the AggLayer bridge and the AggLayer faucet, with per-account whitelists of input-note script roots. This closes the forged-MINT attack surface: an attacker can no longer finalize an arbitrary transaction against the bridge and emit a bridge-authoredMINTnote.Whitelists
CLAIM,B2AGG,CONFIG_AGG_BRIDGE,UPDATE_GERMINT,BURNChanges
crates/miden-agglayer/src/lib.rs— swapNoAuthforNetworkAccountincreate_bridge_account,create_existing_bridge_account,create_agglayer_faucet,create_existing_agglayer_faucet. New helpersbridge_note_whitelist()/faucet_note_whitelist()and aclaim_script_root()accessor mirroring the other note wrappers.crates/miden-agglayer/build.rs— computeBRIDGE_CODE_COMMITMENTandFAUCET_CODE_COMMITMENTusingNetworkAccount. Whitelist contents do not affect the commitment, so an empty whitelist suffices here.crates/miden-testing/tests/agglayer/network_account_regression.rs— two regression tests that replay theNoAuthon the bridge account lets anyone emit bridge-authored MINT notes #2797 attack paths against a bridge account built with the productioncreate_existing_bridge_accounthelper:bridge_rejects_tx_script_after_2797_fix— any tx with a tx script is rejected withERR_NETWORK_ACCOUNT_TX_SCRIPT_NOT_ALLOWED.bridge_rejects_non_whitelisted_input_note_after_2797_fix— any tx consuming a non-whitelisted note is rejected withERR_NETWORK_ACCOUNT_NOTE_NOT_WHITELISTED.Stacking
This PR is the final one in the #2797 fix chain:
tx::get_script_rootkernel procedureNetworkAccountauth component #2817 —NetworkAccountauth componentStacked on top of
ajl-network-account-component; rebase ontonextonce the parents merge.