Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: on-chain collections whitelist #1339

Open
wants to merge 16 commits into
base: main
Choose a base branch
from

Conversation

WaDadidou
Copy link
Collaborator

@WaDadidou WaDadidou commented Nov 5, 2024

The purpose is to replace this actual Collections Whitelist handling:

Actually, the whitelisted collections are in this env variable:
TERITORI_COLLECTION_WHITELIST=testeth-0x43cc70bf324d716782628bed38af97e4afe92f69,mumbai-0x916ad9d549907ccbbaf9ba65526826bfc3a9c0c4,testori-tori1r8raaqul4j05qtn0t05603mgquxfl8e9p7kcf7smwzcv2hc5rrlq0vket0,testori-tori1436kxs0w2es6xlqpp9rd35e3d0cjnw4sv8j3a7483sgks29jqwgsjscd88

We handle it though the backend:
whitelistString = fs.String("teritori-collection-whitelist", "", "whitelist of collections to return")

New smart contract

It allows to add/remove collections addresses to an on-chain addresses list
It can query this addresses list

New indexes events

It allows to enable/disable a whitelisted flag on an item from the collections table

…dexer.

Add whitelisted prop to Collection and update it by listening add/remove from cw-address-list contract
…new version, remove old script, make generate
Copy link

netlify bot commented Nov 5, 2024

Deploy Preview for testitori ready!

Name Link
🔨 Latest commit 0c99b4d
🔍 Latest deploy log https://app.netlify.com/sites/testitori/deploys/673edf9c7e6d2c0008308276
😎 Deploy Preview https://deploy-preview-1339--testitori.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Copy link

netlify bot commented Nov 5, 2024

Deploy Preview for teritori-dapp ready!

Name Link
🔨 Latest commit 73e91a8
🔍 Latest deploy log https://app.netlify.com/sites/teritori-dapp/deploys/6749f27c94f84600088d26f6
😎 Deploy Preview https://deploy-preview-1339--teritori-dapp.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@WaDadidou WaDadidou changed the title feat: marketplace whitelisted collection indexer feat(marketplace): handle whitelisted collection through indexer Nov 5, 2024
@n0izn0iz n0izn0iz changed the title feat(marketplace): handle whitelisted collection through indexer feat: on-chain collections whitelist Nov 6, 2024
@WaDadidou WaDadidou self-assigned this Nov 7, 2024
@WaDadidou WaDadidou requested review from n0izn0iz and MikaelVallenet and removed request for n0izn0iz and MikaelVallenet November 8, 2024 00:40
None => Ok(()),
})?;

Ok(Response::default())
return Ok(Response::new()
.add_attribute("action", "add_whitelisted_collection")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

keep the contract generic, it's used for the marketplace whitelist but it's actually just a list of addresses, we could use it for many other things

also the convention is to use the method name as action I believe

Suggested change
.add_attribute("action", "add_whitelisted_collection")
.add_attribute("action", "add")

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oki
842ce2b


Ok(Response::default())
return Ok(Response::new()
.add_attribute("action", "remove_whitelisted_collection")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.add_attribute("action", "remove_whitelisted_collection")
.add_attribute("action", "remove")

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok(Response::default())
return Ok(Response::new()
.add_attribute("action", "add_whitelisted_collection")
.add_attribute("collection_addr", addr));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.add_attribute("collection_addr", addr));
.add_attribute("added_addr", addr));

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok(Response::default())
return Ok(Response::new()
.add_attribute("action", "remove_whitelisted_collection")
.add_attribute("collection_addr", addr));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.add_attribute("collection_addr", addr));
.add_attribute("removed_addr", addr));

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment on lines 10 to 12
if execMsg.Contract != h.config.Network.VaultContractAddress {
return nil
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can't work, the whitelist is not the marketplace contract

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is still a problem, we should check that the contract is actually the whitelist contract, are you testing this?

you can't rely on events for security, anyone can create any event, you need to make sure you are in the correct context

also since this is supposed to be managed by a DAO, the handler should be matched also in the DAO proposal execution case

in all cases, your handlers must be restricted to only run when the execMsg.Contract is the whitelist contract

you must stat to think about how your code can be exploited, in this specific case, how the whitelist could be manipulated without being the admin. it's not only in the contract but also in the backend services

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a big mistake, CwAdminFactory is off topic wtf sorry. I'll commit the right code

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -62,7 +62,7 @@ export const teritoriTestnetNetwork: CosmosNetworkInfo = {
"https://explorer.teritori.com/teritori-testnet/account/$address",
idPrefix: "testori",
testnet: true,
backendEndpoint: "https://dapp-backend.testnet.teritori.com",
backendEndpoint: "http://192.168.1.78:9090",
Copy link
Collaborator

@n0izn0iz n0izn0iz Nov 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

revert this pls

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My apologies for that..
439ae84

Copy link

netlify bot commented Nov 29, 2024

Deploy Preview for gno-dapp ready!

Name Link
🔨 Latest commit 73e91a8
🔍 Latest deploy log https://app.netlify.com/sites/gno-dapp/deploys/6749f27c8218850008d5f1ea
😎 Deploy Preview https://deploy-preview-1339--gno-dapp.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@WaDadidou WaDadidou requested review from n0izn0iz and removed request for n0izn0iz November 29, 2024 16:49
Copy link
Collaborator

@n0izn0iz n0izn0iz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should also edit the collections queries to use this new whitelist column

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants