From fd00f5ee32106678d71a0e1c4dd607db1e44259d Mon Sep 17 00:00:00 2001
From: Pi Lanningham
Date: Sun, 11 Feb 2024 15:46:34 -0500
Subject: [PATCH 1/3] Resolve SSW-202 Enforce that the metadata datum attached to the metadata output is void, to prevent accidental locking, or metadata hijacking (such as attaching hardcore pornography to the logo for the LP token).
---
 validators/pool.ak | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/validators/pool.ak b/validators/pool.ak
index 0a1eaff..cb0d695 100644
--- a/validators/pool.ak
+++ b/validators/pool.ak
@@ -422,7 +422,12 @@ validator(settings_policy_id: PolicyId) {
 list.at(ctx.transaction.outputs, metadata_output_ix)
 expect metadata_output.address == settings_datum.metadata_admin
 expect value.quantity_of(metadata_output.value, own_policy_id, new_pool_ref_token) == 1
-
+ // We also check that the datum on the metadata output is void; It would be complex and in-flexible to enforce any particular structure on this, so we
+ // instead leave it to the metadata admin to spend the output and provide it the correct datum; We also don't want to leave it unspecified, because
+ // 1) the metadata admin might actually be a script address, in which case having no datum will permanently lock the metadata
+ // 2) the pool minter might include malicious metadata, such as an icon pointing at hardcore porn; until the metadata admin spent it, this would appear in users wallets,
+ // and potentially even on access UIs for the Sundae protocol
+ expect metadata_output.datum == InlineDatum(Void)
 // And check that the datum is initialized correctly; This is part of why we have a minting policy handling this,
 // as it allows us to authenticate the providence of the datum.
From 465977e182a029b2bdfe4fb2888a2315d26c9283 Mon Sep 17 00:00:00 2001
From: Pi Lanningham
Date: Mon, 12 Feb 2024 14:48:26 -0500
Subject: [PATCH 2/3] Fix failing test
---
 validators/pool.ak | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
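Review bot: The new `expect metadata_output.datum == InlineDatum(Void)` also rejects `DatumHash(_)`, which the five-line comment above it never says; a hash-only datum whose preimage is never witnessed would lock a script-address metadata admin just as `NoDatum` would, so the comment should state that both shapes are rejected on purpose. A shorter comment carries the same reasoning, e.g. `// The metadata output must carry an inline void datum: NoDatum or a DatumHash could lock a script-address admin, and any other inline datum would let the minter attach arbitrary metadata until the admin spends it.` (wrapped to the file's line width). The enclosing `validator` body starts and ends outside this hunk, and the unchanged trailing context line reads "providence" where "provenance" appears to be meant.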
diff --git a/validators/pool.ak b/validators/pool.ak
index cb0d695..bf39129 100644
--- a/validators/pool.ak
+++ b/validators/pool.ak
@@ -1118,7 +1118,7 @@ test mint_test() {
 address: user_address,
 value: value.from_lovelace(2_000_000)
 |> value.add(hash_of_pool_script, new_pool_ref_token, 1),
- datum: NoDatum,
+ datum: InlineDatum(Void),
 reference_script: None,
 }
 let poolMintRedeemer = CreatePool {
From f2ee6adc18c0396651515d99915efcda013bc4bc Mon Sep 17 00:00:00 2001
From: card
Date: Fri, 1 Mar 2024 03:34:30 -0500
Subject: [PATCH 3/3] test that we cannot attach spam inline datum to metadata output
---
 validators/tests/pool.ak | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/validators/tests/pool.ak b/validators/tests/pool.ak
index 5024066..d621f50 100644
--- a/validators/tests/pool.ak
+++ b/validators/tests/pool.ak
@@ -678,3 +678,19 @@ test mint_test_wrong_address () fail {
 )
 minted
 }
+
+// make sure we can't include any spam on the datum
+test mint_test_nonvoid_datum() fail {
+ let minted = mint_test_modify(
+ identity,
+ identity,
+ fn (ref_metadata_output) {
+ Output {
+ ..ref_metadata_output,
+ datum: InlineDatum("Evil data")
+ }
+ },
+ identity
+ )
+ minted
+}
\ No newline at end of file
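Review bot: `mint_test_nonvoid_datum` only exercises a non-void inline datum, so the locking case the pool validator's comment calls out — `NoDatum` or a `DatumHash` on a script-address metadata admin — has no test even though the `== InlineDatum(Void)` check is meant to reject it. Two sibling `fail` tests built with the same `mint_test_modify` call, one setting `datum: NoDatum` and one setting a `DatumHash` with a placeholder hash, would pin that every non-`InlineDatum(Void)` shape is refused rather than just spam. The file also ends without a trailing newline (`\ No newline at end of file`), which the formatter would presumably restore on the next run. `mint_test_modify` and the helpers it takes are defined outside this hunk.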