BM-261: Added signature validation to orders + unit test (github#104)

This PR adds signature checking for new orders coming from the market
events before they are added to the broker DB. Additionally it adds unit
tests for signing and validating proof request signatures.

closes BM-261

Author: mothran

crates/boundless-market/src/contracts/mod.rs

@@ -9,6 +9,7 @@ use std::str::FromStr;
 #[cfg(not(target_os = "zkvm"))]
 use alloy::{
     contract::Error as ContractErr,
+    primitives::SignatureError,
     signers::{Error as SignerErr, Signature, SignerSync},
     sol_types::{Error as DecoderErr, SolInterface, SolStruct},
     transports::TransportError,
@@ -182,6 +183,25 @@ impl ProvingRequest {
         let hash = self.eip712_signing_hash(&domain.alloy_struct());
         signer.sign_hash_sync(&hash)
     }
+
+    /// Verifies the proving request signature with the given signer and EIP-712 domain derived from
+    /// the given contract address and chain ID.
+    pub fn verify_signature(
+        &self,
+        signature: &Bytes,
+        contract_addr: Address,
+        chain_id: u64,
+    ) -> Result<(), SignerErr> {
+        let sig = Signature::try_from(signature.as_ref())?;
+        let domain = eip712_domain(contract_addr, chain_id);
+        let hash = self.eip712_signing_hash(&domain.alloy_struct());
+        let addr = sig.recover_address_from_prehash(&hash)?;
+        if addr == self.client_address() {
+            Ok(())
+        } else {
+            Err(SignerErr::SignatureError(SignatureError::FromBytes("Address mismatch")))
+        }
+    }
 }
 
 impl Requirements {
@@ -587,3 +607,76 @@ pub mod test_utils {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use alloy::signers::local::PrivateKeySigner;
+
+    fn create_order(
+        signer: &impl SignerSync,
+        signer_addr: Address,
+        order_id: u32,
+        contract_addr: Address,
+        chain_id: u64,
+    ) -> (ProvingRequest, [u8; 65]) {
+        let request_id = request_id(&signer_addr, order_id);
+
+        let req = ProvingRequest {
+            id: request_id,
+            requirements: Requirements {
+                imageId: B256::ZERO,
+                predicate: Predicate {
+                    predicateType: PredicateType::PrefixMatch,
+                    data: Default::default(),
+                },
+            },
+            imageUrl: "test".to_string(),
+            input: Input { inputType: InputType::Url, data: Default::default() },
+            offer: Offer {
+                minPrice: U96::from(0),
+                maxPrice: U96::from(1),
+                biddingStart: 0,
+                timeout: 1000,
+                rampUpPeriod: 1,
+                lockinStake: U96::from(0),
+            },
+        };
+
+        let client_sig = req.sign_request(&signer, contract_addr, chain_id).unwrap();
+
+        (req, client_sig.as_bytes())
+    }
+
+    #[test]
+    fn validate_sig() {
+        let signer: PrivateKeySigner =
+            "6f142508b4eea641e33cb2a0161221105086a84584c74245ca463a49effea30b".parse().unwrap();
+        let order_id: u32 = 1;
+        let contract_addr = Address::ZERO;
+        let chain_id = 1;
+        let signer_addr = signer.address();
+
+        let (req, client_sig) =
+            create_order(&signer, signer_addr, order_id, contract_addr, chain_id);
+
+        req.verify_signature(&Bytes::from(client_sig), contract_addr, chain_id).unwrap();
+    }
+
+    #[test]
+    #[should_panic(expected = "SignatureError")]
+    fn invalid_sig() {
+        let signer: PrivateKeySigner =
+            "6f142508b4eea641e33cb2a0161221105086a84584c74245ca463a49effea30b".parse().unwrap();
+        let order_id: u32 = 1;
+        let contract_addr = Address::ZERO;
+        let chain_id = 1;
+        let signer_addr = signer.address();
+
+        let (req, mut client_sig) =
+            create_order(&signer, signer_addr, order_id, contract_addr, chain_id);
+
+        client_sig[0] = 1;
+        req.verify_signature(&Bytes::from(client_sig), contract_addr, chain_id).unwrap();
+    }
+}

crates/broker/src/market_monitor.rs

@@ -160,6 +160,8 @@ where
     }
 
     async fn monitor_orders(market_addr: Address, provider: Arc<P>, db: DbObj) -> Result<()> {
+        let chain_id = provider.get_chain_id().await?;
+
         let market = ProofMarketService::new(market_addr, provider, Address::ZERO);
         // TODO: RPC providers can drop filters over time or flush them
         // we should try and move this to a subscription filter if we have issue with the RPC
@@ -173,6 +175,19 @@ where
                 match log_res {
                     Ok((event, _log)) => {
                         tracing::info!("Detected new request {:x}", event.request.id);
+
+                        if let Err(err) = event.request.verify_signature(
+                            &event.clientSignature,
+                            market_addr,
+                            chain_id,
+                        ) {
+                            tracing::warn!(
+                                "Failed to validate order signature: 0x{:x} - {err:?}",
+                                event.request.id
+                            );
+                            return;
+                        }
+
                         if let Err(err) = db
                             .add_order(
                                 U256::from(event.request.id),