feat: implement oracle signature verification and replay protection#250
Open
francisdouglas-ux wants to merge 1 commit intodev-fatima-24:mainfrom
Open
Conversation
|
@francisdouglas-ux Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces critical on-chain cryptographic security measures to the Carbon Ledger smart contract. It ensures that all monitoring data, price updates, and project flags submitted by the Python oracle services are cryptographically authenticated and protected against replay attacks.
Key Changes & Security Enhancements:
Signature Verification: Implemented a new internal verify_oracle_signature helper function that utilizes the Soroban SDK's env.crypto().ed25519_verify() to validate the authenticity of incoming XDR payloads against the stored Oracle Public Key.
Replay Protection: Added an OracleNonce (u64) to persistent storage. All submissions must now include a strictly monotonically increasing nonce, returning an InvalidNonce error if tampered with or replayed.
Endpoint Upgrades: Modified submit_monitoring_data, update_credit_price, and flag_project to accept and enforce the new signature (BytesN<64>) and nonce parameters.
Key Rotation: Updated initialize and created an admin-only rotate_oracle function to securely update the Oracle Public Key and automatically reset the nonce to 0.
Error Handling: Introduced CarbonError::InvalidNonce (21) and CarbonError::InvalidSignature (22).
Testing Notes & Upstream Blocker:
A comprehensive test suite using ed25519-dalek and rand was written to validate valid signatures, trap invalid signatures, and enforce nonce monotonicity.
Important: The test suite is currently blocked from compiling due to a known upstream dependency conflict in the Stellar/Soroban SDK ecosystem. Specifically, soroban-env-common v20.3.0 hard-requires arbitrary = "=1.3.2", which conflicts with stellar-xdr v20.1.0's reliance on try_size_hint (a feature removed in that version of arbitrary). The cryptographic logic and test structures are completely sound, but cargo test will fail to build when the testutils feature is active until the workspace SDK version is bumped to align these dependencies.
Close #103