aurora-is-near / aurora-engine

⚙️ Aurora Engine implements an Ethereum Virtual Machine (EVM) on the NEAR Protocol.
https://doc.aurora.dev/develop/compat/evm

Fix: Private Calls Without Callbacks Require Access Keys #727

Closed lempire123 closed 1 year ago

lempire123 commented 1 year ago

The function new_eth_connector() is a private call that must be called by the current account.

The requirement assert_private_call() on line [519] ensures that the predecessor account ID matches the current account ID. This requirement can only be filled by two conditions.

  1. If the contract makes a callback to itself.
  2. If an access key belonging to this account is used to sign the transaction.

It is advised to remove the access key and instead enforce the predecessor account to be EngineState.owner_id for each of the functions listed above.

This can be done using the function require_owner_only().
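The two checks discussed in this issue, as a simplified Rust model added here for illustration; it is not part of the original comment and not aurora-engine source. The `Origin` and `Call` types, the function signatures, the error strings and the account names are assumptions made for the example.

```rust
// Simplified model, not aurora-engine source. Types, signatures and error strings are assumed.
#[derive(Clone, Copy)]
pub enum Origin<'a> {
    Transaction { signer: &'a str }, // signed with an access key of `signer`
    Promise { caller: &'a str },     // scheduled by contract `caller` (a callback if it is the contract itself)
}

pub struct Call<'a> {
    pub current_account_id: &'a str, // account the contract is deployed on
    pub origin: Origin<'a>,
}

impl<'a> Call<'a> {
    // Predecessor is the signer for a direct transaction, the calling contract for a promise.
    pub fn predecessor_account_id(&self) -> &'a str {
        match self.origin {
            Origin::Transaction { signer } => signer,
            Origin::Promise { caller } => caller,
        }
    }
}

// Model of the check described for assert_private_call().
pub fn assert_private_call(call: &Call) -> Result<(), &'static str> {
    if call.predecessor_account_id() == call.current_account_id { Ok(()) } else { Err("not a private call") }
}

// Model of the recommended check against EngineState.owner_id.
pub fn require_owner_only(owner_id: &str, call: &Call) -> Result<(), &'static str> {
    if call.predecessor_account_id() == owner_id { Ok(()) } else { Err("not the owner") }
}

fn main() {
    // Constructed account names.
    let (engine, owner) = ("engine.example.near", "owner.example.near");
    let cases = [
        ("callback from the contract", Origin::Promise { caller: engine }),
        ("tx signed with contract's key", Origin::Transaction { signer: engine }),
        ("tx signed by owner", Origin::Transaction { signer: owner }),
        ("tx signed by third party", Origin::Transaction { signer: "other.example.near" }),
    ];
    for (name, origin) in cases {
        let call = Call { current_account_id: engine, origin };
        println!("{:32} private={:?} owner_only={:?}", name,
            assert_private_call(&call).is_ok(), require_owner_only(owner, &call).is_ok());
    }
}
```

In this model, if `owner_id` is set to the contract's own account, `require_owner_only` accepts exactly the callers that `assert_private_call` does, so the access key can only be dropped when the owner is a separate account.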

Aurora-ClickUp commented 1 year ago

Task linked: CU-85zrqmen6 AUR-31 Private Calls Without Callbacks Require Access Keys