emergency upgrade: using whitelisted validators (hardcoded)

scrtlabs · Oct 27, 2024 · 91be67e · 91be67e
1 parent ee9d211
commit 91be67e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 8 deletions.
diff --git a/cosmwasm/enclaves/execute/Cargo.toml b/cosmwasm/enclaves/execute/Cargo.toml
@@ -87,7 +87,7 @@ log = "0.4.17"
 simple_logger = { version = "2.3.0", default-features = false, features = [
   "stderr"
 ] }
-block-verifier = { path = "../shared/block-verifier", optional = true }
+block-verifier = { path = "../shared/block-verifier", optional = true, features = ["verify-validator-whitelist"] }
 time = "=0.3.17"
 ed25519-dalek = { version = "1.0", default-features = false }
 sha2 = "0.10"

diff --git a/cosmwasm/enclaves/execute/src/registration/offchain.rs b/cosmwasm/enclaves/execute/src/registration/offchain.rs
@@ -39,6 +39,9 @@ use super::seed_service::get_next_consensus_seed_from_service;
 use crate::registration::attestation::verify_quote_ecdsa;
 use crate::registration::onchain::split_combined_cert;
 
+use block_verifier::validator_whitelist;
+use validator_whitelist::ValidatorList;
+
 use super::persistency::{write_master_pub_keys, write_seed};
 use super::seed_exchange::{decrypt_seed, encrypt_seed, SeedType};
 use enclave_utils::storage::write_to_untrusted;
@@ -738,6 +741,9 @@ fn is_export_approved_offchain(mut f_in: File, report: &sgx_report_body_t) -> bo
     // verify all the signatures, and build the set of addresses
     let mut signers_set: BTreeSet<[u8; 20]> = BTreeSet::new();
 
+    let mut whitelisted_signers: usize = 0;
+    let white_list: &ValidatorList = &validator_whitelist::VALIDATOR_WHITELIST;
+
     for (addr_str, (pubkey_str, sig_str)) in &signatures {
         let pubkey_bytes = base64::decode(pubkey_str).unwrap();
 
@@ -770,10 +776,22 @@ fn is_export_approved_offchain(mut f_in: File, report: &sgx_report_body_t) -> bo
             panic!("Incorrect signature for address: {}", addr_str);
         }
 
-        signers_set.insert(addr);
+        if !signers_set.contains(&addr) {
+            signers_set.insert(addr);
+
+            let is_whitelisted = white_list.contains(addr_str);
+            if is_whitelisted {
+                whitelisted_signers += 1;
+            }
+
+            println!(
+                "  Approved by {}, whitelisted = {}",
+                addr_str, is_whitelisted
+            );
+        }
     }
 
-    false
+    whitelisted_signers >= validator_whitelist::VALIDATOR_THRESHOLD
 }
 
 fn is_export_approved(report: &sgx_report_body_t) -> bool {

diff --git a/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs b/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs
@@ -7,13 +7,13 @@ const WHITELIST_FROM_FILE: &str = include_str!("../fixtures/validator_whitelist.
 const WHITELIST_FROM_FILE: &str = include_str!("../fixtures/validator_whitelist_prod.txt");
 
 #[cfg(not(feature = "production"))]
-const VALIDATOR_THRESHOLD: usize = 1;
+pub const VALIDATOR_THRESHOLD: usize = 1;
 
 #[cfg(feature = "production")]
-const VALIDATOR_THRESHOLD: usize = 5;
+pub const VALIDATOR_THRESHOLD: usize = 5;
 
 lazy_static::lazy_static! {
-    static ref VALIDATOR_WHITELIST: ValidatorList = ValidatorList::from_str(WHITELIST_FROM_FILE);
+    pub static ref VALIDATOR_WHITELIST: ValidatorList = ValidatorList::from_str(WHITELIST_FROM_FILE);
 }
 
 #[derive(Debug, Clone)]
@@ -27,11 +27,11 @@ impl ValidatorList {
 
     // use for tests
     #[allow(dead_code)]
-    fn len(&self) -> usize {
+    pub fn len(&self) -> usize {
         self.0.len()
     }
 
-    fn contains(&self, input: &String) -> bool {
+    pub fn contains(&self, input: &String) -> bool {
         self.0.contains(input)
     }
 }