Skip to content

feat(lazer/sui): state and initializer #2972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 21 commits into from
Aug 25, 2025
Merged

feat(lazer/sui): state and initializer #2972

Show file tree
Hide file tree
Changes from 19 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
2c4ae46
feat(lazer/sui): specify version
tejasbadadare Aug 19, 2025
69682bc
feat(lazer-sui): add state module with trusted signer storage and tests
devin-ai-integration[bot] Aug 19, 2025
21d8937
Merge branch 'tb/lazer/sui-storage' of github.com:pyth-network/pyth-c…
tejasbadadare Aug 19, 2025
7380293
fix
devin-ai-integration[bot] Aug 19, 2025
0e70796
Merge branch 'tb/lazer/sui-storage' of github.com:pyth-network/pyth-c…
tejasbadadare Aug 19, 2025
f34b7fc
fix(sui-lazer): finalize state module with trusted signer management …
devin-ai-integration[bot] Aug 19, 2025
112cd39
Merge branch 'tb/lazer/sui-storage' of github.com:pyth-network/pyth-c…
tejasbadadare Aug 19, 2025
d7bd862
chore(sui-lazer): remove warnings in state module; clean build on Sui…
devin-ai-integration[bot] Aug 19, 2025
48e070d
feat(lazer/sui): add trusted signer state
tejasbadadare Aug 19, 2025
8ee64ba
feat(lazer/sui): add package init and AdminCapability; share State an…
devin-ai-integration[bot] Aug 19, 2025
a7436fa
comments
tejasbadadare Aug 19, 2025
88ef465
Merge branch 'tb/lazer/sui-storage' of github.com:pyth-network/pyth-c…
tejasbadadare Aug 19, 2025
e64eb21
resolve warnings
tejasbadadare Aug 19, 2025
187f0e9
feat(sui-lazer): add admin-gated entry to update trusted signer via A…
devin-ai-integration[bot] Aug 19, 2025
ddad6d6
Revert "feat(sui-lazer): add admin-gated entry to update trusted sign…
devin-ai-integration[bot] Aug 19, 2025
0fc417e
naming, make update_trusted_signer public
tejasbadadare Aug 20, 2025
da1a2a1
feat(sui-lazer): use OTW for AdminCap in admin::init; add OTW to pyth…
devin-ai-integration[bot] Aug 20, 2025
389f5d7
lint
tejasbadadare Aug 20, 2025
f1b6fc4
doc
tejasbadadare Aug 20, 2025
b9a844d
remove unneeded otw type check
tejasbadadare Aug 22, 2025
41c66dc
lint
tejasbadadare Aug 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion lazer/contracts/sui/Move.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

[move]
version = 3
manifest_digest = "DD0B86B0E012F788977D2224EA46B39395FCF48AB7DAE200E70E6E12F9445868"
manifest_digest = "5B8FA4A1860DFE72BCB751FB8D867DA8D63CCFD7029F175B345B072433DFC568"
deps_digest = "F9B494B64F0615AED0E98FC12A85B85ECD2BC5185C22D30E7F67786BB52E507C"
dependencies = [
{ id = "Bridge", name = "Bridge" },
Expand Down
3 changes: 1 addition & 2 deletions lazer/contracts/sui/Move.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
[package]
name = "pyth_lazer"
version = "0.0.0"
edition = "2024.beta"

[dependencies]

[addresses]
pyth_lazer = "0x0"

Expand Down
2 changes: 1 addition & 1 deletion lazer/contracts/sui/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

`pyth_lazer` is a Sui package that allows consumers to easily parse and verify cryptographically signed price feed data from the Pyth Network's high-frequency Lazer protocol for use on-chain.

This package is built using the Move language and Sui framework.
This package is built using the Move language edition `2024.beta` and Sui framework `v1.53.2`.

### Build, test, deploy

Expand Down
32 changes: 32 additions & 0 deletions lazer/contracts/sui/sources/admin.move
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
module pyth_lazer::admin;
use sui::types;

public struct AdminCap has key, store {
id: UID,
}

/// The `ADMIN` resource serves as the one-time witness.
/// It has the `drop` ability, allowing it to be consumed immediately after use.
/// See: https://move-book.com/programmability/one-time-witness
public struct ADMIN has drop {}


/// Initializes the module. Called at publish time.
/// Creates and transfers ownership of the singular AdminCap capability to the deployer.
/// Only the AdminCap owner can update the trusted signers.
fun init(otw: ADMIN, ctx: &mut TxContext) {
assert!(types::is_one_time_witness(&otw), 1);
let cap = AdminCap { id: object::new(ctx) };
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AdminCap can be created in other places by mistake no? If you want the admin cap to be only made by one, you need to enforce it via a type (like the cap retaining the witness, or having a phantom data or something).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, the existing pyth contract also can't guard against new logic adding the ability to edit state. Any friend of state can call assert_latest_only and obtain a LatestOnly cap that lets them edit state. Currently governance and the "create price feeds" codepaths call it but others could be introduced in the future.

If the AdminCap retains the witness, doesn't the vuln just move to the witness? i.e. some codepath can be introduced in the future that can instantiate the witness, allowing instantiation of the AdminCap

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm you can't get the witness out of AdminCap without deconstructing it, right?

Regardless, I was thinking about the problem you are trying to solve (not being able to instantiate AdminCap twice) and I'm not sure we really need to solve it. We generally trust ourselves and not the others and in the future might have good reasons to have two or divide it in two capabilities.

The usage of witness also seems to be where you want external people to behave in a certain way and not us. (like someone is creating a Coin and we want to impose some certain characteristic there)

transfer::public_transfer(cap, tx_context::sender(ctx));
}

#[test_only]
public fun mint_for_test(ctx: &mut TxContext): AdminCap {
AdminCap { id: object::new(ctx) }
}

#[test_only]
public fun destroy_for_test(cap: AdminCap) {
let AdminCap { id } = cap;
object::delete(id)
}
19 changes: 16 additions & 3 deletions lazer/contracts/sui/sources/pyth_lazer.move
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,34 @@ use pyth_lazer::i64::Self;
use pyth_lazer::update::{Self, Update};
use pyth_lazer::feed::{Self, Feed};
use pyth_lazer::channel::Self;
use pyth_lazer::state;
use sui::bcs;
use sui::ecdsa_k1::secp256k1_ecrecover;
use sui::types;

const SECP256K1_SIG_LEN: u32 = 65;
const UPDATE_MESSAGE_MAGIC: u32 = 1296547300;
const PAYLOAD_MAGIC: u32 = 2479346549;


// TODO:
// initializer
// administration -> admin cap, upgrade cap, governance?
// storage module -> trusted signers, update fee?, treasury?
// error handling
// standalone verify signature function

/// The `PYTH_LAZER` resource serves as the one-time witness.
/// It has the `drop` ability, allowing it to be consumed immediately after use.
/// See: https://move-book.com/programmability/one-time-witness
public struct PYTH_LAZER has drop {}

/// Initializes the module. Called at publish time.
/// Creates and shares the singular State object.
/// AdminCap is created and transferred in admin::init via a One-Time Witness.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm it's not here right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it's happening in the admin module's init, but it should happen within the same publish PTB

fun init(otw: PYTH_LAZER, ctx: &mut TxContext) {
assert!(types::is_one_time_witness(&otw), 1);
let s = state::new(ctx);
transfer::public_share_object(s);
}

/// Parse the Lazer update message and validate the signature.
///
/// The parsing logic is based on the Lazer rust protocol definition defined here:
Expand Down
214 changes: 214 additions & 0 deletions lazer/contracts/sui/sources/state.move
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
module pyth_lazer::state;

use pyth_lazer::admin::AdminCap;
use pyth_lazer::admin;

const ED25519_PUBKEY_LEN: u64 = 32;
const EInvalidPubkeyLen: u64 = 1;
const ESignerNotFound: u64 = 2;


/// Lazer State consists of the current set of trusted signers.
/// By verifying that a price update was signed by one of these public keys,
/// you can validate the authenticity of a Lazer price update.
///
/// The trusted signers are subject to rotations and expiry.
public struct State has key, store {
id: UID,
trusted_signers: vector<TrustedSignerInfo>,
}

/// A trusted signer is comprised of a pubkey and an expiry time.
/// A signer's signature should only be trusted up to timestamp `expires_at`.
public struct TrustedSignerInfo has copy, drop, store {
public_key: vector<u8>,
expires_at: u64,
}

public(package) fun new(ctx: &mut TxContext): State {
State {
id: object::new(ctx),
trusted_signers: vector::empty<TrustedSignerInfo>(),
}
}

/// Get the trusted signer's public key
public fun public_key(info: &TrustedSignerInfo): &vector<u8> {
&info.public_key
}

/// Get the trusted signer's expiry timestamp
public fun expires_at(info: &TrustedSignerInfo): u64 {
info.expires_at
}

/// Get the list of trusted signers
public fun get_trusted_signers(s: &State): &vector<TrustedSignerInfo> {
&s.trusted_signers
}

/// Upsert a trusted signer's information or remove them. Can only be called by the AdminCap holder.
/// - If the trusted signer pubkey already exists, the expires_at will be updated.
/// - If the expired_at is set to zero, the trusted signer will be removed.
/// - If the pubkey isn't found, it is added as a new trusted signer with the given expires_at.
public fun update_trusted_signer(_: &AdminCap, s: &mut State, pubkey: vector<u8>, expires_at: u64) {
assert!(vector::length(&pubkey) as u64 == ED25519_PUBKEY_LEN, EInvalidPubkeyLen);

let mut maybe_idx = find_signer_index(&s.trusted_signers, &pubkey);
if (expires_at == 0) {
if (option::is_some(&maybe_idx)) {
let idx = option::extract(&mut maybe_idx);
// Remove by swapping with last (order not preserved), discard removed value
let _ = vector::swap_remove(&mut s.trusted_signers, idx);
} else {
option::destroy_none(maybe_idx);
abort ESignerNotFound
};
return
};

if (option::is_some(&maybe_idx)) {
let idx = option::extract(&mut maybe_idx);
let info_ref = vector::borrow_mut(&mut s.trusted_signers, idx);
info_ref.expires_at = expires_at
} else {
option::destroy_none(maybe_idx);
vector::push_back(
&mut s.trusted_signers,
TrustedSignerInfo { public_key: pubkey, expires_at },
)
}
}

fun find_signer_index(signers: &vector<TrustedSignerInfo>, target: &vector<u8>): Option<u64> {
let len = vector::length(signers);
let mut i: u64 = 0;
while (i < (len as u64)) {
let info_ref = vector::borrow(signers, i);
if (*public_key(info_ref) == *target) {
return option::some(i)
};
i = i + 1
};
option::none()
}

#[test_only]
public fun new_for_test(ctx: &mut TxContext): State {
State {
id: object::new(ctx),
trusted_signers: vector::empty<TrustedSignerInfo>(),
}
}

#[test]
public fun test_add_new_signer() {
let mut ctx = tx_context::dummy();
let mut s = new_for_test(&mut ctx);
let admin_cap = admin::mint_for_test(&mut ctx);

let pk = x"0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20";
let expiry: u64 = 123;

update_trusted_signer(&admin_cap, &mut s, pk, expiry);

let signers_ref = get_trusted_signers(&s);
assert!(vector::length(signers_ref) == 1, 100);
let info = vector::borrow(signers_ref, 0);
assert!(expires_at(info) == 123, 101);
let got_pk = public_key(info);
assert!(vector::length(got_pk) == (ED25519_PUBKEY_LEN as u64), 102);
let State { id, trusted_signers } = s;
let _ = trusted_signers;
object::delete(id);
admin::destroy_for_test(admin_cap);
}

#[test]
public fun test_update_existing_signer_expiry() {
let mut ctx = tx_context::dummy();
let mut s = new_for_test(&mut ctx);
let admin_cap = admin::mint_for_test(&mut ctx);

update_trusted_signer(
&admin_cap,
&mut s,
x"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a",
1000,
);
update_trusted_signer(
&admin_cap,
&mut s,
x"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a",
2000,
);

let signers_ref = get_trusted_signers(&s);
assert!(vector::length(signers_ref) == 1, 110);
let info = vector::borrow(signers_ref, 0);
assert!(expires_at(info) == 2000, 111);
let State { id, trusted_signers } = s;
let _ = trusted_signers;
object::delete(id);
admin::destroy_for_test(admin_cap);
}

#[test]
public fun test_remove_signer_by_zero_expiry() {
let mut ctx = tx_context::dummy();
let mut s = new_for_test(&mut ctx);
let admin_cap = admin::mint_for_test(&mut ctx);

update_trusted_signer(
&admin_cap,
&mut s,
x"0707070707070707070707070707070707070707070707070707070707070707",
999,
);
update_trusted_signer(
&admin_cap,
&mut s,
x"0707070707070707070707070707070707070707070707070707070707070707",
0,
);

let signers_ref = get_trusted_signers(&s);
assert!(vector::length(signers_ref) == 0, 120);
let State { id, trusted_signers } = s;
let _ = trusted_signers;
object::delete(id);
admin::destroy_for_test(admin_cap);
}

#[test, expected_failure(abort_code = EInvalidPubkeyLen)]
public fun test_invalid_pubkey_length_rejected() {
let mut ctx = tx_context::dummy();
let mut s = new_for_test(&mut ctx);
let admin_cap = admin::mint_for_test(&mut ctx);

let short_pk = x"010203";
update_trusted_signer(&admin_cap, &mut s, short_pk, 1);
let State { id, trusted_signers } = s;
let _ = trusted_signers;
object::delete(id);
admin::destroy_for_test(admin_cap);
}

#[test, expected_failure(abort_code = ESignerNotFound)]
public fun test_remove_nonexistent_signer_fails() {
let mut ctx = tx_context::dummy();
let mut s = new_for_test(&mut ctx);
let admin_cap = admin::mint_for_test(&mut ctx);

// Try to remove a signer that doesn't exist by setting expires_at to 0
update_trusted_signer(
&admin_cap,
&mut s,
x"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
0,
);
let State { id, trusted_signers } = s;
let _ = trusted_signers;
object::delete(id);
admin::destroy_for_test(admin_cap);
}