Zondax / filecoin-solidity

Filecoin Solidity API Library
Apache License 2.0

AccountAPI.authenticateMessage does not return boolean #338

Closed ainhoa-a closed 1 year ago

ainhoa-a commented 1 year ago

The authenticateMessage in the AccountAPI library calls the account actor’s AuthenticateMessage method:

function authenticateMessage(CommonTypes.FilActorId target, AccountTypes.AuthenticateMessageParams memory params) internal {
    bytes memory raw_request = params.serializeAuthenticateMessageParams();

    bytes memory data = Actor.callNonSingletonByID(target, AccountTypes.AuthenticateMessageMethodNum, Misc.CBOR_CODEC, raw_request, 0, true);
    if (data.length != 0) {
        revert Actor.InvalidResponseLength();
    }
}

However, only the length of the returned data is checked. The data is not parsed and returned as a bool as by the account actor’s AuthenticateMessage method:

pub fn authenticate_message(
    rt: &mut impl Runtime,
    params: AuthenticateMessageParams,
) -> Result<bool, ActorError> {
    rt.validate_immediate_caller_accept_any()?;
    let st: State = rt.state()?;
    let address = st.address;
    let sig_type: SignatureType = match address.protocol() {
        Protocol::Secp256k1 => Secp256k1,
        Protocol::BLS => BLS,
        protocol => {
            return Err(actor_error!(illegal_state;
                "account address must use BLS or SECP protocol, got {}", protocol));
        }
    };
    let sig = Signature { sig_type, bytes: params.signature };
    rt.verify_signature(&sig, &address, &params.message).map_err(|e| {
        e.downcast_default(
            ExitCode::USR_ILLEGAL_ARGUMENT,
            "failed to authenticate message, signature invalid",
        )
    })?;

    Ok(true)
}

However, the return type of the actor does seem redundant as it returns true or raises an error… But even so, a valid signature will make authenticate_message return a boolean and thereby a non-zero data length, which will cause the AccountAPI to fail.

Instead of checking the data length, deserialize data into a boolean and return the result from the authenticateMessage function in AccountAPI.sol to reflect the behavior of the actual account actor.
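One way to implement the proposed fix in Solidity, as an added example that is not code from the filecoin-solidity repository or from the issue author. It assumes the same Actor, Misc, CommonTypes and AccountTypes helpers the snippet above uses, an AccountCBOR library that provides serializeAuthenticateMessageParams, and the import paths shown (all assumptions); the one-byte CBOR boolean decoder is a hypothetical inline helper, written so that an empty response, a longer response, or any byte other than the CBOR simple values for true/false reverts instead of being silently treated as success.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.17;

// Added example, not the library's code. Import paths and the AccountCBOR
// library name are assumptions about the surrounding project layout.
import {Actor} from "./utils/Actor.sol";
import {Misc} from "./utils/Misc.sol";
import {CommonTypes} from "./types/CommonTypes.sol";
import {AccountTypes} from "./types/AccountTypes.sol";
import {AccountCBOR} from "./cbor/AccountCbor.sol";

library AccountAPIFixed {
    using AccountCBOR for AccountTypes.AuthenticateMessageParams;

    // CBOR major type 7 simple values: 20 (false) encodes as 0xf4, 21 (true) as 0xf5.
    bytes1 private constant CBOR_FALSE = 0xf4;
    bytes1 private constant CBOR_TRUE = 0xf5;

    // Hypothetical error for a response that has the right length but is not a CBOR boolean.
    error InvalidCborBool(bytes data);

    /// Decode a response that must be exactly one CBOR-encoded boolean.
    /// Hypothetical helper: reverts on empty, over-long or non-boolean data
    /// rather than guessing, so a malformed response can never read as `true`.
    function decodeCborBool(bytes memory data) internal pure returns (bool) {
        if (data.length != 1) {
            revert Actor.InvalidResponseLength();
        }
        bytes1 b = data[0];
        if (b == CBOR_TRUE) {
            return true;
        }
        if (b == CBOR_FALSE) {
            return false;
        }
        revert InvalidCborBool(data);
    }

    /// Same call as the original authenticateMessage, but the actor's boolean
    /// return value is decoded and returned instead of requiring an empty response.
    function authenticateMessage(
        CommonTypes.FilActorId target,
        AccountTypes.AuthenticateMessageParams memory params
    ) internal returns (bool) {
        bytes memory raw_request = params.serializeAuthenticateMessageParams();

        bytes memory data = Actor.callNonSingletonByID(
            target,
            AccountTypes.AuthenticateMessageMethodNum,
            Misc.CBOR_CODEC,
            raw_request,
            0,
            true
        );

        // The account actor answers `Ok(true)` for a valid signature and raises an
        // actor error otherwise (which Actor.callNonSingletonByID surfaces as a revert),
        // so the success path always carries a non-empty CBOR payload.
        return decodeCborBool(data);
    }
}
```

A caller that needs a hard failure on an invalid signature can still wrap the call as `require(AccountAPIFixed.authenticateMessage(target, params), "bad signature")`; the library itself only reports what the actor returned.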
