Fix panics in reply parsing + validate route continuity in set_route#23
Open
Syzygys wants to merge 1 commit into
Open
Fix panics in reply parsing + validate route continuity in set_route#23Syzygys wants to merge 1 commit into
Syzygys wants to merge 1 commit into
Conversation
parse_market_order_response() used two unwrap()s after already constructing the correct ContractError variants (SubMsgFailure, ReplyParseFailure) - change its return type from StdResult to Result<_, ContractError> so those errors can actually be returned with '?' instead of discarded via panic. Also handle an empty msg_responses list explicitly instead of unwrapping Option::None. fix(admin): validate route continuity in set_route verify_route_exists() only checked that the first market contains the source denom and the last market contains the target denom. A multi-hop route with a broken middle hop (market[i] and market[i+1] sharing no denom) would pass set_route and only fail later at swap execution time with a generic exchange-module rejection. Add an explicit continuity check between each consecutive pair of markets so a bad route is rejected immediately, with a specific error message, at configuration time.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds continuity validation for multi-hop swap routes in ChangesSwap Contract Robustness Improvements
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant Admin as set_route (admin.rs)
participant Verify as verify_route_exists
participant Contract as ContractError
Admin->>Verify: validate route (source_denom, target_denom, markets)
Verify->>Verify: build (quote_denom, base_denom) list
Verify->>Verify: check first/last denom match
loop each consecutive market pair
Verify->>Verify: check shared denom
alt no shared denom
Verify->>Contract: return CustomError (route not continuous)
end
end
Verify-->>Admin: route valid
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
parse_market_order_response()used twounwrap()s after already constructing the correctContractErrorvariants — changed its return type fromStdResulttoResult<_, ContractError>so those errors are actually returned via?instead of discarded via panic. Also handles an emptymsg_responseslist explicitly instead of unwrappingNone.verify_route_exists()only checked the first and last market in a route. A route with a broken middle hop would passset_routeand only fail later at swap time with a generic exchange-module rejection. Added an explicit continuity check between consecutive markets so a bad route is rejected immediately with a specific error.Why
Found while reviewing the contract for a security bounty pass. Neither issue is exploitable beyond a failed/reverted transaction (CosmWasm traps roll back the whole tx, and
set_routeis admin-only), so this is a robustness/error-message improvement, not a security report.Testing
cargo check -p swap-contract --libandcargo clippy -p swap-contract --libboth pass clean. Could not run the fullcargo testsuite locally —injective-test-tube's build script requires agotoolchain (cgo) that isn't available in my environment; CI should cover it.Summary by CodeRabbit