Skip to content

feat: add TIP-403 policy data endpoint#214

Draft
0xrusowsky wants to merge 18 commits into
mainfrom
rus/403-policies
Draft

feat: add TIP-403 policy data endpoint#214
0xrusowsky wants to merge 18 commits into
mainfrom
rus/403-policies

Conversation

@0xrusowsky

Copy link
Copy Markdown
Contributor

No description provided.

@socket-security

socket-security Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedtempo-alloy@​1.8.09510090100100
Addedtempo-primitives@​1.8.010010090100100
Updatedalloy@​2.0.0 ⏵ 2.0.510010093100100
Addedtempo-contracts@​1.8.0100100100100100

View full report

@0xrusowsky

Copy link
Copy Markdown
Contributor Author

cyclops audit fast

1 similar comment
@0xrusowsky

Copy link
Copy Markdown
Contributor Author

cyclops audit fast

@legion2002

Copy link
Copy Markdown
Contributor

cyclops audit fast

@legion2002

Copy link
Copy Markdown
Contributor

cyclops audit fast

@legion2002

Copy link
Copy Markdown
Contributor

cyclops audit fast

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

cc @legion2002

Cyclops audit event published. View workflow run

Config: config: default, iterations: 1, hours: default

@tempoxyz-cyclops-bot tempoxyz-cyclops-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👁️ Cyclops Review

PR #214 adds a public GET /policy-data endpoint that reconstructs TIP-403 policy metadata and direct whitelist/blacklist membership from indexed logs. Two actionable issues were found and are commented inline: unbounded member materialization on the public endpoint, and missing support for valid compound TIP-403 policies.

Reviewer Callouts
  • Collection endpoint limits: Require mandatory limit/cursor semantics and response-size caps for public APIs that return collections derived from indexed logs.
  • Hardcoded TIP-403 address literals: src/api/tip403_registry.rs imports TIP403_REGISTRY_ADDRESS but duplicates the raw \x403c... bytea literal in SQL filters. If the precompile address changes, these queries will silently return empty results; consider binding the imported constant or centralizing the literal.

decofe and others added 2 commits June 7, 2026 13:20
## Summary
- add bounded member pagination to `/policy-data` with a hard max page
size and cursor support
- support `CompoundPolicyCreated` and resolve compound policies to
sender, recipient, and mint-recipient child policy data
- bind the TIP-403 registry address constant in SQL instead of
duplicating the byte literal

## Verification
- cargo fmt --check
- cargo test --test api_live_test policy_data --no-run
- cargo test --test api_live_test policy_data -- --nocapture (compiled,
then blocked because DATABASE_URL is not set)

Prompted by: @0xrusowsky
@0xrusowsky
0xrusowsky marked this pull request as ready for review June 7, 2026 11:21
@0xrusowsky

Copy link
Copy Markdown
Contributor Author

cyclops audit fast

@github-actions

github-actions Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

cc @0xrusowsky

Cyclops audit event published. View workflow run

Config: config: default, iterations: 1, hours: default

@tempoxyz tempoxyz deleted a comment from tempoxyz-cyclops-bot Jun 7, 2026
@tempoxyz tempoxyz deleted a comment from tempoxyz-cyclops-bot Jun 7, 2026

@tempoxyz-bot tempoxyz-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👁️ Cyclops Review

PR #214 adds a public read-only /policy-data endpoint that reconstructs TIP-403 policy data from indexed registry logs. Two verified security issues remain: virtual built-in policies are not modeled, and first-page member pagination skips address(0).

Reviewer Callouts
  • Compound child pagination: load_tip403_child_policy always calls load_tip403_policy_members with cursor = None, so a compound response can expose a child next_member_cursor without any child-specific cursor parameter to resume that page in the same compound view. Decide whether to document that clients must query the child policy directly for pagination or add child-scoped cursor parameters.
  • Latest-update query plan: The reported DoS from selector = ANY(...) was not verified because the existing (topic1, address, block_num DESC) index can avoid a full scan on tested PostgreSQL versions. Still, production should confirm the plan with real data; if it regresses, split the latest-update lookup into per-selector LIMIT 1 queries or a UNION ALL.

)
.await?;

let Some(row) = row else { return Ok(None) };

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [SECURITY] Built-in TIP-403 policies are reported as missing

load_tip403_policy_metadata reconstructs every policy only from PolicyCreated/CompoundPolicyCreated logs and returns None when no creation log exists. Tempo policy IDs 0 (REJECT_ALL) and 1 (ALLOW_ALL) are virtual built-ins that always exist but do not emit creation logs, so direct lookups return 404 and valid compound policies referencing them fail during child expansion.

Recommended Fix:
Special-case policy IDs 0 and 1 before the creation-log query, returning synthetic zero-admin metadata with empty members (0 => WHITELIST, 1 => BLACKLIST), and reuse that path for compound child resolution.

topic2, topic3, data
FROM logs
WHERE address = $1
AND selector = $2 AND topic1 = $3 AND topic3 IS NOT NULL AND topic3 > $4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 [SECURITY] First-page member pagination skips address(0)

When no cursor is supplied, the code substitutes an all-zero 32-byte cursor and then filters with topic3 > $4. An indexed EVM address(0) member is also the all-zero topic, so it is excluded from the first page forever. Consumers can receive incomplete whitelist/blacklist data and make incorrect enforcement decisions.

Recommended Fix:
Do not apply the cursor predicate unless a cursor was provided, or use a separate first-page query that includes the zero topic. Avoid changing all pages to >= without handling duplicate cursor rows.

@0xrusowsky
0xrusowsky marked this pull request as draft June 8, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants