-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[tgrade-valset] Metadata issues #66
Comments
Let's validate all this. Good points. |
https://github.com/confio/poe-contracts/blob/main/contracts/tgrade-valset/src/contract.rs#L239 operators().update(deps.storage, &info.sender, |info| match info {
|
Good. Missed that; was looking for the typical auth pattern I guess. |
Please check this. I think this is handled the same way as update (sender set their own key) |
I think max length of 256 or so should be plenty. You can make it a bit bigger if you think for some fields |
Yup. let pubkey: Ed25519Pubkey = pubkey.try_into()?;
let operator = OperatorInfo {
...
match operators().may_load(deps.storage, &info.sender)? {
Some(_) => return Err(ContractError::OperatorRegistered {}),
None => operators().save(deps.storage, &info.sender, &operator)?,
}; |
During #42, noticed a number of relatively small issues with metadata handling in
tgrade-valset
:The sender is not validated during metadata update. That means anybody can overwrite the metadata of an operator.The sender is not validated during validator key registration. That means anybody can register a public key and associated metadata for an operator. Perhaps this is the intended feature, as this registration method can only used for setting a pubkey, not updating one.The text was updated successfully, but these errors were encountered: