Release 3.9.1 (#1026)

### Fixes

- Improve security of the `exit_to_near` precompile by [@aleksuss].
([#1024])

[#1024]: #1024

Author: aleksuss

CHANGES.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.9.1] 2025-07-09
+
+- Improve security of the `exit_to_near` precompile by [@aleksuss]. ([#1024])
+
+[#1024]: https://github.com/aurora-is-near/aurora-engine/pull/1024
+
 ## [3.9.0] 2025-04-07
 
 ### Additions
@@ -756,7 +762,8 @@ struct SubmitResult {
 
 ## [1.0.0] - 2021-05-12
 
-[Unreleased]: https://github.com/aurora-is-near/aurora-engine/compare/3.9.0...develop
+[Unreleased]: https://github.com/aurora-is-near/aurora-engine/compare/3.9.1...develop
+[3.9.1]: https://github.com/aurora-is-near/aurora-engine/compare/3.9.0...3.9.1
 [3.9.0]: https://github.com/aurora-is-near/aurora-engine/compare/3.8.0...3.9.0
 [3.8.0]: https://github.com/aurora-is-near/aurora-engine/compare/3.7.0...3.8.0
 [3.7.0]: https://github.com/aurora-is-near/aurora-engine/compare/3.6.4...3.7.0

Cargo.lock

@@ -1 +1 @@
-3.9.0
+3.9.1

VERSION

@@ -16,14 +16,16 @@ publish = true
 aurora-engine-modexp.workspace = true
 aurora-engine-sdk.workspace = true
 aurora-engine-types.workspace = true
+aurora-evm.workspace = true
 bn.workspace = true
 ethabi.workspace = true
-aurora-evm.workspace = true
 hex.workspace = true
 num.workspace = true
 ripemd.workspace = true
 sha2.workspace = true
 sha3.workspace = true
+serde.workspace = true
+serde_json.workspace = true
 
 [dev-dependencies]
 aurora-engine-test-doubles.workspace = true
@@ -34,7 +36,7 @@ workspace = true
 
 [features]
 default = ["std"]
-std = ["aurora-engine-types/std", "aurora-engine-sdk/std", "bn/std", "aurora-evm/std", "ripemd/std", "sha2/std", "sha3/std", "ethabi/std"]
+std = ["aurora-engine-types/std", "aurora-engine-sdk/std", "bn/std", "aurora-evm/std", "ripemd/std", "sha2/std", "sha3/std", "ethabi/std", "serde/std", "serde_json/std"]
 contract = ["aurora-engine-sdk/contract"]
 log = []
 error_refund = []

engine-precompiles/Cargo.toml

@@ -518,11 +518,11 @@ fn exit_base_token_to_near(
     match exit_params.message {
         Some(Message::Omni(msg)) => Ok((
             eth_connector_account_id,
-            format!(
-                r#"{{"receiver_id":"{}","amount":"{}","msg":"{msg}"}}"#,
-                exit_params.receiver_account_id,
-                context.apparent_value.as_u128(),
-            ),
+            ft_transfer_call_args(
+                &exit_params.receiver_account_id,
+                context.apparent_value,
+                msg,
+            )?,
             events::ExitToNear::Omni(ExitToNearOmni {
                 sender: Address::new(context.caller),
                 erc20_address: events::ETH_ADDRESS,
@@ -613,11 +613,7 @@ fn exit_erc20_token_to_near<I: IO>(
         // In this flow, we're just forwarding the `msg` to the `ft_transfer_call` transaction.
         Some(Message::Omni(msg)) => (
             nep141_account_id,
-            format!(
-                r#"{{"receiver_id":"{}","amount":"{}","msg":"{msg}"}}"#,
-                exit_params.receiver_account_id, // the locker's account id in case of OMNI
-                exit_params.amount.as_u128(),
-            ),
+            ft_transfer_call_args(&exit_params.receiver_account_id, exit_params.amount, msg)?,
             "ft_transfer_call",
             None,
             events::ExitToNear::Omni(ExitToNearOmni {
@@ -795,6 +791,30 @@ fn parse_input(input: &[u8]) -> Result<&[u8], ExitError> {
     Ok(&input[1..])
 }
 
+#[derive(serde::Serialize)]
+struct FtTransferCallArgs<'a> {
+    receiver_id: &'a AccountId,
+    amount: String,
+    msg: &'a str,
+}
+
+fn ft_transfer_call_args(
+    receiver_id: &AccountId,
+    amount: U256,
+    msg: &str,
+) -> Result<String, ExitError> {
+    if amount > U256::from(u128::MAX) {
+        return Err(ExitError::Other(Cow::from("ERR_INVALID_AMOUNT")));
+    }
+
+    serde_json::to_string(&FtTransferCallArgs {
+        receiver_id,
+        amount: format!("{amount}"),
+        msg,
+    })
+    .map_err(|_| ExitError::Other(Cow::from("ERR_SERIALIZE_JSON")))
+}
+
 pub struct ExitToEthereum<I> {
     io: I,
     #[cfg(not(feature = "ext-connector"))]
@@ -1274,4 +1294,38 @@ mod tests {
             })
         );
     }
+
+    #[test]
+    fn test_ft_transfer_call_args() {
+        let receiver_id = "test.near".parse().unwrap();
+        let amount = U256::from(100);
+        let msg = "some message";
+
+        let args = super::ft_transfer_call_args(&receiver_id, amount, msg).unwrap();
+        let expected =
+            format!(r#"{{"receiver_id":"{receiver_id}","amount":"{amount}","msg":"{msg}"}}"#,);
+        assert_eq!(args, expected);
+    }
+
+    #[test]
+    fn test_ft_transfer_call_args_json_injection() {
+        let receiver_id = "test.near".parse().unwrap();
+        let amount = U256::from(100);
+        let msg = "some message\", \"amount\": \"1000"; // attempt to increase amount
+
+        let args = super::ft_transfer_call_args(&receiver_id, amount, msg).unwrap();
+        let expected = format!(
+            r#"{{"receiver_id":"{receiver_id}","amount":"{amount}","msg":"some message\", \"amount\": \"1000"}}"#
+        );
+        assert_eq!(args, expected);
+    }
+
+    #[test]
+    #[should_panic(expected = "ERR_INVALID_AMOUNT")]
+    fn test_ft_transfer_call_args_u256() {
+        let receiver_id = "test.near".parse().unwrap();
+        let amount = U256::from(u128::MAX) + 1;
+        let msg = "some message";
+        let _ = super::ft_transfer_call_args(&receiver_id, amount, msg).unwrap();
+    }
 }

engine-precompiles/src/native.rs

@@ -71,13 +71,10 @@ impl TestContract {
         let worker = near_workspaces::sandbox()
             .await
             .map_err(|err| anyhow::anyhow!("Failed init sandbox: {:?}", err))?;
-        let testnet = near_workspaces::testnet()
-            .await
-            .map_err(|err| anyhow::anyhow!("Failed init testnet: {:?}", err))?;
         let registrar: AccountId = "registrar".parse()?;
         let sk = SecretKey::from_seed(KeyType::ED25519, registrar.as_str());
         let registrar = worker
-            .import_contract(&registrar, &testnet)
+            .import_contract(&registrar, &worker)
             .transact()
             .await?;
         Self::waiting_account_creation(&worker, registrar.id()).await?;

engine-tests-connector/src/utils.rs

@@ -29,7 +29,7 @@ pub async fn deploy_engine_with_code(code: Vec<u8>) -> EngineContract {
         .with_code(code)
         .with_custodian_address("d045f7e19B2488924B97F9c145b5E51D0D895A65")
         .unwrap()
-        .with_root_balance(NearToken::from_near(10000))
+        .with_root_balance(NearToken::from_near(5000))
         .with_contract_balance(NearToken::from_near(1000))
         .deploy_and_init()
         .await

engine-tests/src/utils/workspace.rs

@@ -66,12 +66,9 @@ impl Node {
                 .transact()
                 .await?
         } else {
-            let testnet = near_workspaces::testnet()
-                .await
-                .map_err(|err| anyhow::anyhow!("Failed init testnet: {:?}", err))?;
             let registrar = "registrar".parse()?;
             worker
-                .import_contract(&registrar, &testnet)
+                .import_contract(&registrar, worker)
                 .transact()
                 .await?
         };

engine-workspace/src/node.rs

@@ -1,6 +1,6 @@
 [package]
 name = "aurora-engine"
-version = "3.9.0"
+version = "3.9.1"
 authors.workspace = true
 edition.workspace = true
 homepage.workspace = true