BlockPo / BlockPo-to-Tradelayer

Incubation Repo for the TradeLayer protocol, 0.2.0
http://www.tradelayer.org

tx + RPC, revertToBackup, rollbackSettle #243

Closed patrickdugan closed 1 year ago

patrickdugan commented 4 years ago

Looking over the Oracle code and the related tx I noticed we don't have one to actually restore the admin over to the backup address!

We have tx for:

- create contract while defining back-up
- move admin
- change back-up
- publish
- close the contract (presumably, forever)

What we lack are implements to recover from a compromise of the admin address. Admin keys are presumably hot to maintain uptime, hence the back-up-address-oriented security model. An attacker could print bad prices to manipulate positions in their favor, or try to capture the contract by moving the admin address (which is thwarted by cold back-up keys). In either case, revertToBackup is a tx that is only valid if published from the established back-up address for a contract with a given id or title.

For rollbackSettle, an attacker could in some time period move the mark price with several limit-bound prints. Right now we don't have any circuit breakers for consecutive oracle prints. Instead of necessarily adding that feature, which may run into trouble during times of extreme, legitimate volatility, we should just have an integer parameter for the rollbackSettle transaction to complement the contract id or title parameter, which has the settlement ignore N blocks' worth of Oracle publishing from the TWAP used to immediately settle the contract. A boolean parameter 'expire' would, if true, have the contract positions settle permanently, as if an expiring futures contract.
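The authority model sketched in this comment (hot admin key, cold back-up key, revertToBackup valid only when published by the established back-up) as an added example. This is illustrative code written for this page, not TradeLayer's implementation: `createOracleContract`, `applyTx`, the tx field names and the `tl1-...` address strings are all assumptions, and the rule that rotating the back-up needs the cold key is an assumption too.

```javascript
// Added example, not TradeLayer code: a minimal model of oracle-contract
// authority. Admin is the hot key, back-up the cold key, and revertToBackup is
// valid only when the established back-up publishes it. Function names, tx
// field names and the tl1-... addresses are illustrative assumptions.

function createOracleContract(title, admin, backup) {
  return { title, admin, backup, closed: false };
}

// Returns { ok: true, contract } or { ok: false, reason }. tx.sender is the
// address whose signature carries the tx; the input contract is never mutated.
function applyTx(contract, tx) {
  if (contract.closed) return { ok: false, reason: 'contract is closed' };
  switch (tx.type) {
    case 'changeAdmin':
      // the (hot) admin key may hand admin to another address
      if (tx.sender !== contract.admin) return { ok: false, reason: 'sender is not admin' };
      return { ok: true, contract: { ...contract, admin: tx.newAddress } };
    case 'changeBackup':
      // assumption: rotating the back-up requires the current (cold) back-up key
      if (tx.sender !== contract.backup) return { ok: false, reason: 'sender is not back-up' };
      return { ok: true, contract: { ...contract, backup: tx.newAddress } };
    case 'revertToBackup':
      // only the established back-up may revert; it takes over as admin and the
      // reference address carried by the tx becomes the new (cold) back-up
      if (tx.sender !== contract.backup) return { ok: false, reason: 'sender is not back-up' };
      return { ok: true, contract: { ...contract, admin: contract.backup, backup: tx.reference } };
    case 'closeOracle':
      if (tx.sender !== contract.admin) return { ok: false, reason: 'sender is not admin' };
      return { ok: true, contract: { ...contract, closed: true } };
    default:
      return { ok: false, reason: `unknown tx type ${tx.type}` };
  }
}

// Walk through the compromise scenario from the issue with constructed addresses.
function simulateCompromise() {
  const HOT = 'tl1-admin-hot';
  const COLD = 'tl1-backup-cold';
  const NEW_COLD = 'tl1-backup-cold-2';
  const ATTACKER = 'tl1-attacker';
  let c = createOracleContract('BTC-USD-oracle', HOT, COLD);

  // 1. whoever holds the leaked hot key moves admin to their own address
  const hijack = applyTx(c, { type: 'changeAdmin', sender: HOT, newAddress: ATTACKER });
  c = hijack.contract;

  // 2. the back-up is out of reach: both back-up txs need the cold key
  const attackerBackup = applyTx(c, { type: 'changeBackup', sender: ATTACKER, newAddress: ATTACKER });
  const attackerRevert = applyTx(c, { type: 'revertToBackup', sender: ATTACKER, reference: ATTACKER });

  // 3. the cold back-up publishes revertToBackup and installs a fresh cold back-up
  const revert = applyTx(c, { type: 'revertToBackup', sender: COLD, reference: NEW_COLD });

  return { afterHijack: hijack.contract, attackerBackup, attackerRevert, afterRevert: revert.contract };
}

module.exports = { createOracleContract, applyTx, simulateCompromise };
```

Running `simulateCompromise()` shows the property the comment relies on: after the revert the old hot admin key (and the address it moved admin to) has no authority left, because admin is now the former cold back-up and the back-up slot holds a fresh cold address.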

santos177 commented 4 years ago

working in reverttobackup branch

patrickdugan commented 4 years ago

```js
tl.getpayload_oraclebackup = function(contractTitle, cb){
  // the reference address is the new backup, including if the backup address, now admin address,
  // is changed from being admin to some new address; even then the reference address here is still
  // the back-up. The usage of hot vs. cold keys applies here: admin can be hot, back-ups are always cold.
  client.cmd('tl_createpayload_oraclebackup', contractTitle, function(err, data, resHeaders){
    if(err == null){ return cb(data) } else { return cb(err) } // hand the error to the caller instead of dropping it
  })
}
```

This is the RPC wrapper function I am working with re: revert, I'm making it so you get the raw tx as a string and the local wallet can sign it for broadcast outside the airgap environment.

patrickdugan commented 4 years ago

I saw there was a tx RPC for backup reversion, I think? (Not for the payload but for the whole tx) and I wonder if you have already implemented the underlying tx? In which case I just need the payload tx and the rollback settlement tx.

On Tue, May 5, 2020 at 2:47 PM Santos notifications@github.com wrote:

working in reverttobackup branch


patrickdugan commented 4 years ago

I think by default we are going back a few blocks. Let's just check that we're doing that so the immediate hijacked tx's can't even weigh on mark price liquidations, and let oracle operators keep a multisig-signed back-up restore tx pending publication. I can write an audit bot to publish that if there is a deviant print. Instead of force-settling the contract let's just omit some oracle published numbers from the TWAP vector whenever this happens.
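The two settlement ideas in this thread, the integer "ignore the last N blocks of prints" parameter proposed for rollbackSettle in the opening comment and the later preference for simply omitting deviant prints from the TWAP vector, as one added example over constructed oracle prints. This is illustrative code written for this page, not TradeLayer's implementation: `twap`, `rollbackSettle`, `omitDeviantPrints`, the block-weighted TWAP formula, the 20% deviation threshold and the sample prints are all assumptions.

```javascript
// Added example, not TradeLayer code: effect of a rollbackSettle-style
// "ignore the last N blocks" parameter and of dropping deviant prints from the
// TWAP vector. Function names, the TWAP weighting, the deviation threshold and
// the sample prints are assumptions / constructed data.

// Constructed oracle prints in block order; the last two are a sudden run-up
// of the kind a misused admin key could produce.
const ORACLE_PRINTS = [
  { block: 100, price: 10000 },
  { block: 101, price: 10040 },
  { block: 102, price: 9980 },
  { block: 103, price: 10020 },
  { block: 104, price: 9960 },
  { block: 105, price: 15000 },
  { block: 106, price: 15500 },
];

// Block-weighted average: each print counts for the blocks until the next
// print; the final print counts up to and including endBlock.
function twap(prints, endBlock) {
  if (prints.length === 0) throw new Error('no prints in TWAP window');
  let weighted = 0;
  let span = 0;
  for (let i = 0; i < prints.length; i++) {
    const next = i + 1 < prints.length ? prints[i + 1].block : endBlock + 1;
    const blocks = next - prints[i].block;
    weighted += prints[i].price * blocks;
    span += blocks;
  }
  return weighted / span;
}

// rollbackSettle with the proposed integer parameter: settle on the TWAP with
// the last ignoreBlocks blocks of prints left out; expire=true marks the
// settlement as permanent (positions closed as at futures expiry).
function rollbackSettle(prints, currentBlock, ignoreBlocks, expire) {
  const cutoff = currentBlock - ignoreBlocks;
  const kept = prints.filter(p => p.block <= cutoff);
  return {
    settlementPrice: twap(kept, cutoff),
    ignored: prints.length - kept.length,
    expired: expire === true,
  };
}

// Audit-bot style filter: a print that moves more than maxMove (a fraction)
// from the previous accepted print is flagged and left out of the vector.
function omitDeviantPrints(prints, maxMove) {
  const accepted = [];
  const flagged = [];
  for (const p of prints) {
    const ref = accepted.length ? accepted[accepted.length - 1].price : p.price;
    if (Math.abs(p.price - ref) / ref > maxMove) flagged.push(p);
    else accepted.push(p);
  }
  return { accepted, flagged };
}

module.exports = { ORACLE_PRINTS, twap, rollbackSettle, omitDeviantPrints };
```

With the constructed data the plain TWAP at block 106 is 11500, `rollbackSettle(ORACLE_PRINTS, 106, 2, false)` settles at 10000 after dropping the two suspect prints, and `omitDeviantPrints(ORACLE_PRINTS, 0.2)` flags exactly those two while keeping the earlier, legitimately noisy prints. The trade-off the thread discusses is visible in the threshold: a deviation filter needs a limit that large but legitimate moves would also trip, whereas the block-count rollback does not judge prices at all.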

patrickdugan commented 2 years ago

@santos177 We clearly spent time on this, is this done? Is there testing I can refer to?

patrickdugan commented 1 year ago

```cpp
{ "trade layer (payload creation)", "tl_createpayload_change_oracleadm",              &tl_createpayload_change_oracleadm,                {}   },
{ "trade layer (payload creation)", "tl_createpayload_create_oraclecontract",         &tl_createpayload_create_oraclecontract,           {}   },
{ "trade layer (payload creation)", "tl_createpayload_setoracle",                     &tl_createpayload_setoracle,                       {}   },
{ "trade layer (payload creation)", "tl_createpayload_closeoracle",                   &tl_createpayload_closeoracle,                     {}   },
```