aldabra

Sulkta-OSS/aldabra

Fork 0

Commit graph

Author	SHA1	Message	Date
Kayos	af4cfd7f97	audits: 2026-05-09 escrow E2E preprod results 5 of 6 builders proven on chain on preprod_test2 against the post-audit validator (a8081acef26935d9b5f44b92052178e17301b6d6e6808c91c5b56f5d). Veto path (4 builders): - open 0972963e8eb46597b37dfa7e1fa15c97fea4e39d55b29c54f723ba1b155bc7cb - deposit 0519cb7dbb8c2c1632db5baee90d5440d2905c151f910a085c78d9050c2d6175 ← first Plutus V3 spend on chain - agree f6664079d96c453e1a6333c33c65744984953c474e57cdb331e78ad3e5429cc7 - veto 14a4be9f233ab02e518356e5963d30517986984f6fd3520151c924057db9c661 ← HIGH-2 fix proven Refund-timeout path (5th builder): - open(short) 0669ef61b8695bedcb4eb4c38fda2bd66c68c9384b57839329a01a745db75305 - refund 41590ac6ed069586e650da58858436cfe6be51a865069a7a4b40f795dfcdbff9 ← strict-> time gate proven, MED-2/3 fix held Settle deferred — needs 30-min lock_period_ms wait. Builder + validator branch unit-tested (5/5 tests pass), on-chain validation in next session. Both HIGH validator fixes from the 2026-05-09 internal audit confirmed running on chain. Multi-party signing flow + slot↔ms boundary math both held up under real preprod chain race conditions.	2026-05-09 18:05:56 -07:00
Kayos	eb192fa676	fix(escrow_wip): apply 2026-05-09 internal audit findings Two HIGH validator-side bugs + several MED/LOW off-chain issues found in the subagent-driven audit on this branch. New validator hash: a8081acef26935d9b5f44b92052178e17301b6d6e6808c91c5b56f5d. ## HIGH-1: Deposit redeemer let depositors drain tokens aiken-escrow/validators/escrow.ak Deposit branch now requires `value_geq_value(new_value, in_value)` before computing net_added. Previously net_added could carry negative quantities (when new_value < in_value component-wise), letting a depositor write a matching new_d.deposits with reduced values and pocket the difference as wallet change. Latent under v1 ADA-only MCP usage but the validator must hold against all callers. ## HIGH-2: Empty/partial deposits enabled funds drain via Veto/Refund Veto and Refund branches now require `value_eq(deposits_to_value(d.deposits), in_value)` — the tracked deposits must account for the full locked value. Previously `refund_outputs_satisfy(_, [])` was vacuously true on empty deposits, so a driver could fire Veto/Refund on an escrow opened with `initial_contributor=None` (deposits=[], in_value>0) and pocket the input's lovelace as change. Defense in depth: escrow_open builder now refuses `initial_contributor=None`. New helper `deposits_to_value` folds deposit FlatValues into a Value via `assets.add` for the equality check. ## MED: off-chain fixes - escrow_open min-utxo bumped 1M → 2M (Conway-era inline-datum + script-address outputs need ~1.4-1.7 ADA, NOT the 1 ADA default). - escrow_settle_unsigned + escrow_refund_timeout_unsigned now derive `validity_lower_ms` via slot_to_posix_ms(network, slot) instead of Koios's `block_time*1000` — the chain reconstructs `lower` from the slot, so Koios's ~1s drift could pass off-chain preflight while the chain rejects at the strict-`>` boundary. - escrow_open_unsigned MCP tool no longer accepts (and silently discards) `fee_lovelace` — the unsigned-tx builder auto-estimates. ## LOW: defensive depth - escrow_veto + escrow_refund_timeout: `qty as u64` → `u64::try_from` so a corrupt or adversarial datum with negative i128 qty can't slip through with a wraparound. ## Tests - 36 escrow builder tests pass (added rejects_no_initial_contributor) - 132 dao tests pass under --features escrow_wip - aldabra-mcp release build clean ## Infra - Validator artifact files (plutus.json, validator.cbor.hex) regenerated. Dockerfile already wired to bake them at /etc/aldabra/escrow/ for MCP tools' validator_script_path arg. - Internal audit findings written up at audits/2026-05-09-escrow-internal-audit.md including the v2-deferred items (multi-asset spend-input, lovelace-not-cross-checked, etc.) Third-party audit still required before any mainnet deployment.	2026-05-09 14:06:17 -07:00

Author

SHA1

Message

Date

Kayos

af4cfd7f97

audits: 2026-05-09 escrow E2E preprod results

5 of 6 builders proven on chain on preprod_test2 against the
post-audit validator (a8081acef26935d9b5f44b92052178e17301b6d6e6808c91c5b56f5d).

Veto path (4 builders):
- open       0972963e8eb46597b37dfa7e1fa15c97fea4e39d55b29c54f723ba1b155bc7cb
- deposit    0519cb7dbb8c2c1632db5baee90d5440d2905c151f910a085c78d9050c2d6175  ← first Plutus V3 spend on chain
- agree      f6664079d96c453e1a6333c33c65744984953c474e57cdb331e78ad3e5429cc7
- veto       14a4be9f233ab02e518356e5963d30517986984f6fd3520151c924057db9c661  ← HIGH-2 fix proven

Refund-timeout path (5th builder):
- open(short) 0669ef61b8695bedcb4eb4c38fda2bd66c68c9384b57839329a01a745db75305
- refund      41590ac6ed069586e650da58858436cfe6be51a865069a7a4b40f795dfcdbff9  ← strict-> time gate proven, MED-2/3 fix held

Settle deferred — needs 30-min lock_period_ms wait. Builder + validator
branch unit-tested (5/5 tests pass), on-chain validation in next session.

Both HIGH validator fixes from the 2026-05-09 internal audit confirmed
running on chain. Multi-party signing flow + slot↔ms boundary math
both held up under real preprod chain race conditions.

2026-05-09 18:05:56 -07:00

Kayos

eb192fa676

fix(escrow_wip): apply 2026-05-09 internal audit findings

Two HIGH validator-side bugs + several MED/LOW off-chain issues found
in the subagent-driven audit on this branch. New validator hash:
a8081acef26935d9b5f44b92052178e17301b6d6e6808c91c5b56f5d.

## HIGH-1: Deposit redeemer let depositors drain tokens

aiken-escrow/validators/escrow.ak Deposit branch now requires
`value_geq_value(new_value, in_value)` before computing net_added.
Previously net_added could carry negative quantities (when new_value
< in_value component-wise), letting a depositor write a matching
new_d.deposits with reduced values and pocket the difference as
wallet change. Latent under v1 ADA-only MCP usage but the validator
must hold against all callers.

## HIGH-2: Empty/partial deposits enabled funds drain via Veto/Refund

Veto and Refund branches now require
`value_eq(deposits_to_value(d.deposits), in_value)` — the tracked
deposits must account for the full locked value. Previously
`refund_outputs_satisfy(_, [])` was vacuously true on empty deposits,
so a driver could fire Veto/Refund on an escrow opened with
`initial_contributor=None` (deposits=[], in_value>0) and pocket the
input's lovelace as change.

Defense in depth: escrow_open builder now refuses
`initial_contributor=None`. New helper `deposits_to_value` folds
deposit FlatValues into a Value via `assets.add` for the equality
check.

## MED: off-chain fixes

- escrow_open min-utxo bumped 1M → 2M (Conway-era inline-datum
  + script-address outputs need ~1.4-1.7 ADA, NOT the 1 ADA default).
- escrow_settle_unsigned + escrow_refund_timeout_unsigned now derive
  `validity_lower_ms` via slot_to_posix_ms(network, slot) instead of
  Koios's `block_time*1000` — the chain reconstructs `lower` from the
  slot, so Koios's ~1s drift could pass off-chain preflight while the
  chain rejects at the strict-`>` boundary.
- escrow_open_unsigned MCP tool no longer accepts (and silently
  discards) `fee_lovelace` — the unsigned-tx builder auto-estimates.

## LOW: defensive depth

- escrow_veto + escrow_refund_timeout: `qty as u64` → `u64::try_from`
  so a corrupt or adversarial datum with negative i128 qty can't slip
  through with a wraparound.

## Tests

- 36 escrow builder tests pass (added rejects_no_initial_contributor)
- 132 dao tests pass under --features escrow_wip
- aldabra-mcp release build clean

## Infra

- Validator artifact files (plutus.json, validator.cbor.hex)
  regenerated. Dockerfile already wired to bake them at
  /etc/aldabra/escrow/ for MCP tools' validator_script_path arg.
- Internal audit findings written up at
  audits/2026-05-09-escrow-internal-audit.md including the v2-deferred
  items (multi-asset spend-input, lovelace-not-cross-checked, etc.)

Third-party audit still required before any mainnet deployment.

2026-05-09 14:06:17 -07:00

2 commits