fix: smart contract security hardening from audit (CPL-199)#265
Open
fix: smart contract security hardening from audit (CPL-199)#265
Conversation
- Restrict setApiPayers and setPricingOperator to owner-only (was api-payer-or-owner) - Add array-size bounds to addGroup (10) and setUsageApiKey (50) - Add duplicate PKP registration check in registerWalletDerivation - Add events to all state-changing functions for off-chain monitoring - Add receive() to reject direct ETH transfers - Simplify debitApiKey/creditApiKey by removing dead code branch - Remove unused LibERC2771.sol meta-transaction library - Pin pragma to =0.8.28 across all 21 contracts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Security hardening for the AccountConfig diamond proxy contracts based on audit CPL-199, including tighter access control, added input bounds, additional event emission for auditability, and deterministic compilation via pinned Solidity pragma.
Changes:
- Restricted privileged configuration functions (e.g.,
setApiPayers,setPricingOperator) and addedSecurityLib.revertIfNotOwner. - Added input size bounds and expanded event emission across state-changing facets for better auditability.
- Pinned Solidity pragma to
=0.8.28and removed unusedLibERC2771.sol; addedreceive()to explicitly reject ETH transfers.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| lit-api-server/blockchain/lit_node_express/libraries/LibERC2771.sol | Removed unused ERC-2771 helper library. |
| lit-api-server/blockchain/lit_node_express/libraries/LibDiamond.sol | Pinned compiler pragma for deterministic builds. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/OwnershipFacet.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/DiamondMultiInit.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/DiamondLoupeFacetNoERC165.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/DiamondLoupeFacet.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/DiamondInit.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/libraries/diamond/DiamondCutFacet.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/interfaces/IERC173.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/interfaces/IERC165.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/interfaces/IDiamondLoupe.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/interfaces/IDiamondCut.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/interfaces/IDiamond.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/WritesFacet.sol | Added events, input bounds, and duplicate PKP registration check. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/ViewsFacet.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/SecurityLib.sol | Added owner-only guard helper using LibDiamond ownership. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/DiamondInit.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/BillingFacet.sol | Simplified debit/credit logic, added events, tightened pricing-operator update access control. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/AppStorage.sol | Pinned compiler pragma. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/APIConfigFacet.sol | Added events and restricted setApiPayers to owner-only. |
| lit-api-server/blockchain/lit_node_express/contracts/AccountConfig.sol | Added receive() to explicitly reject ETH transfers and pinned pragma. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
lit-api-server/blockchain/lit_node_express/contracts/AccountConfigFacets/WritesFacet.sol
Outdated
Show resolved
Hide resolved
Comment on lines
+141
to
+146
| "cidHashes must be less than 10 items" | ||
| ); | ||
| } | ||
| if (pkpIds.length > 10) { | ||
| revert AppStorage.InvalidRequest( | ||
| "pkpIds must be less than 10 items" |
There was a problem hiding this comment.
The revert message is inconsistent with the bound check. The code permits pkpIds.length == 10 (reverts only when > 10), but the message says "less than 10 items". Align the message with the actual limit (e.g., "10 items or fewer") or change the condition to match the message.
Suggested change
| "cidHashes must be less than 10 items" | |
| ); | |
| } | |
| if (pkpIds.length > 10) { | |
| revert AppStorage.InvalidRequest( | |
| "pkpIds must be less than 10 items" | |
| "cidHashes must be 10 items or fewer" | |
| ); | |
| } | |
| if (pkpIds.length > 10) { | |
| revert AppStorage.InvalidRequest( | |
| "pkpIds must be 10 items or fewer" |
Comment on lines
445
to
+449
| AppStorage.AccountConfigStorage storage s = AppStorage.getStorage(); | ||
| AppStorage.Account storage account = s.accounts[masterHash]; | ||
| if (account.pkpData[pkpId].id != 0) { | ||
| revert AppStorage.InvalidRequest("PKP already registered"); | ||
| } |
There was a problem hiding this comment.
Duplicate registration detection relies on account.pkpData[pkpId].id != 0, but pkpData is mapping(address => Metadata) where id is documented as the derivation path (AppStorage.sol:97). If derivationPath can be 0, the first registration stores id = 0 and subsequent calls will bypass this check, leading to duplicate entries and inconsistent pkpCounts/indexes. Consider either forbidding derivationPath == 0 at input validation, or tracking registration with a dedicated boolean/sentinel that cannot collide with valid derivationPath values.
Comment on lines
+40
to
+43
| /// @notice Reject any ETH sent directly to the contract. | ||
| receive() external payable { | ||
| revert(); | ||
| } |
There was a problem hiding this comment.
receive() unconditionally calls revert() with no reason data, which makes it hard to diagnose failed transfers from tooling/wallets. Consider reverting with a custom error (preferred) or a short revert string so callers can tell the failure is specifically due to direct ETH transfers being unsupported.
…nfigFacets/WritesFacet.sol Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Run `make generate` to update the ABI and Rust ethers bindings to include new events, the NotContractOwner error, and updated function signatures from the security hardening commit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use custom error DirectETHTransferNotAllowed() in receive() for better diagnostics - Fix inconsistent error messages: "less than 10" -> "10 items or fewer" - Add derivationPath != 0 validation to prevent duplicate detection bypass - Regenerate Rust contract bindings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous commit restricted setApiPayers to owner-only, but the signer pool reconciliation (signer_pool.rs) calls this function via get_admin_api_payer_contract(), which signs with the admin API payer key, not the diamond owner. This would break signer pool updates in production. New access control: owner OR admin API payer (but NOT regular API payers), which still prevents the hostile payer takeover from H-2 while keeping the signer pool operational. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security hardening of the AccountConfig diamond proxy contracts based on a comprehensive audit (CPL-199). All 21 Solidity files reviewed, 0 critical vulnerabilities found, 2 high and 4 medium issues fixed.
Access Control Tightening:
setApiPayersrestricted to owner-only (was api-payer-or-owner), preventing hostile payer takeoversetPricingOperatorrestricted to owner-only (was api-payer-or-pricing-operator), preventing privilege escalationInput Validation:
addGroup(max 10 cidHashes/pkpIds) matching existingupdateGrouplimitssetUsageApiKey(max 50 per permission array)registerWalletDerivationCode Cleanup:
debitApiKey/creditApiKeysimplified (was unreachable due torevertIfNotMasterAccountguard)LibERC2771.solmeta-transaction library removed (no imports reference it)Auditability:
receive()function added to AccountConfig to explicitly reject direct ETH transfersCompiler:
=0.8.28across all 21 contracts for deterministic compilationPre-Landing Review
No security vulnerabilities found in the diff. All changes are security-positive hardening measures. Two independent security reviews confirmed no issues.
Test plan
22 Solidity files successfully (evm target: paris)Full audit report:
.context/attachments/CPL-199-audit-report.md🤖 Generated with Claude Code