Merge remote-tracking branch 'origin/feat-migration-outbox' into feat-migration-outbox

Author: gzeoneth

audit-ci.jsonc

@@ -27,6 +27,8 @@
     // Regular Expression Denial of Service (ReDoS) in cross-spawn
     "GHSA-3xgq-45jj-v275",
     // axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
-    "GHSA-jr5f-v2jv-69x6"
+    "GHSA-jr5f-v2jv-69x6",
+    // Homograph attack allows Unicode lookalike characters to bypass validation
+    "GHSA-xq7p-g2vc-g82p"
   ]
 }

scripts/boldUpgradeCommon.ts

@@ -1,8 +1,9 @@
 import { BigNumber, providers } from 'ethers'
-import { parseEther } from 'ethers/lib/utils'
+import { isAddress, parseUnits } from 'ethers/lib/utils'
 import fs from 'fs'
 
 import { configs } from './files/configs'
+import { ERC20__factory } from '../build/types'
 
 export interface DeployedContracts {
   bridge: string
@@ -15,10 +16,6 @@ export interface DeployedContracts {
   challengeManager: string
   boldAction: string
   preImageHashLookup: string
-  prover0: string
-  proverMem: string
-  proverMath: string
-  proverHostIo: string
   osp: string
 }
 
@@ -105,6 +102,7 @@ export const validateConfig = async (
   config: Config,
   l1Rpc: providers.Provider
 ) => {
+  // check all config.contracts
   if ((await l1Rpc.getCode(config.contracts.rollup)).length <= 2) {
     throw new Error('rollup address is not a contract')
   }
@@ -126,11 +124,17 @@ export const validateConfig = async (
   if ((await l1Rpc.getCode(config.contracts.upgradeExecutor)).length <= 2) {
     throw new Error('upgradeExecutor address is not a contract')
   }
+  if (!isAddress(config.contracts.excessStakeReceiver)) {
+    throw new Error('excessStakeReceiver is not a valid address')
+  }
 
   // check all the config.proxyAdmins exist
   if ((await l1Rpc.getCode(config.proxyAdmins.outbox)).length <= 2) {
     throw new Error('outbox proxy admin address is not a contract')
   }
+  if ((await l1Rpc.getCode(config.proxyAdmins.inbox)).length <= 2) {
+    throw new Error('inbox proxy admin address is not a contract')
+  }
   if ((await l1Rpc.getCode(config.proxyAdmins.bridge)).length <= 2) {
     throw new Error('bridge proxy admin address is not a contract')
   }
@@ -142,18 +146,22 @@ export const validateConfig = async (
   }
 
   // check all the settings exist
+  // Note: `challengeGracePeriodBlocks` and `validatorAfkBlocks` can both be 0
   if (config.settings.confirmPeriodBlocks === 0) {
     throw new Error('confirmPeriodBlocks is 0')
   }
-  if (config.settings.stakeToken.length === 0) {
-    throw new Error('stakeToken address is empty')
+  if (config.settings.challengePeriodBlocks === 0) {
+    throw new Error('challengePeriodBlocks is 0')
   }
   if ((await l1Rpc.getCode(config.settings.stakeToken)).length <= 2) {
     throw new Error('stakeToken address is not a contract')
   }
   if (config.settings.chainId === 0) {
     throw new Error('chainId is 0')
   }
+  if (config.settings.minimumAssertionPeriod === 0) {
+    throw new Error('minimumAssertionPeriod is 0')
+  }
   if (config.settings.blockLeafSize === 0) {
     throw new Error('blockLeafSize is 0')
   }
@@ -166,22 +174,45 @@ export const validateConfig = async (
   if (config.settings.numBigStepLevel === 0) {
     throw new Error('numBigStepLevel is 0')
   }
+  if (config.settings.maxDataSize === 0) {
+    throw new Error('maxDataSize is 0')
+  }
 
+  // check stake token amount
   const stakeAmount = BigNumber.from(config.settings.stakeAmt)
-  // check it's more than 1 eth
-  if (stakeAmount.lt(parseEther('1'))) {
-    throw new Error('stakeAmt is less than 1 eth')
+  if (stakeAmount.eq(0)) {
+    throw new Error('stakeAmt is 0')
   }
-  const miniStakeAmounts = config.settings.miniStakeAmounts.map(BigNumber.from)
 
+  // check mini stakes
+  const miniStakeAmounts = config.settings.miniStakeAmounts.map(BigNumber.from)
   if (miniStakeAmounts.length !== config.settings.numBigStepLevel + 2) {
     throw new Error('miniStakeAmts length is not numBigStepLevel + 2')
   }
 
-  if (
-    !config.settings.disableValidatorWhitelist &&
-    config.validators.length === 0
-  ) {
-    throw new Error('no validators')
+  // check validators and whitelist
+  if (!config.settings.disableValidatorWhitelist) {
+    if (config.validators.length === 0) {
+      throw new Error('no validators')
+    }
+
+    for (let i = 0; i < config.validators.length; i++) {
+      if (!isAddress(config.validators[i])) {
+        throw new Error(`Invalid address for validator ${i}`)
+      }
+    }
+  }
+
+  // check delaybuffer settings
+  if (config.settings.isDelayBufferable) {
+    if (config.settings.bufferConfig.max === 0) {
+      throw new Error('bufferConfig.max is 0')
+    }
+    if (config.settings.bufferConfig.threshold === 0) {
+      throw new Error('bufferConfig.threshold is 0')
+    }
+    if (config.settings.bufferConfig.replenishRateInBasis === 0) {
+      throw new Error('bufferConfig.replenishRateInBasis is 0')
+    }
   }
 }