This PR addresses all remaining findings from the NCC audit (including appendix) except those related to Paillier---namely, finding numbers 003, 004, 005. Those findings will be handled in a separate PR along with Paillier improvements.
That leaves only the following items covered by this PR: findings 001, 006, and an un-numbered note from the appendix on session nonce length range checks.
As of this PR, all notes from the appendix are complete and the status of numbered findings is as follows:
001: this PR
002: nothing to fix
003: TODO later, Paillier
004: TODO later, Paillier
005: TODO later, Paillier
006: this PR
007: already done
Draft status
Need to verify that the new length restrictions on session nonce do not break existing usage in axelar-core. Until then, this PR is stuck in draft mode.
Currently, the only use of the affected session nonce by axelar-core is for the new_key_uid in keygen: https://github.com/axelarnetwork/grpc-protobuf/blob/afb7358f2051370950881220be6ae51f4dbafdb9/grpc.proto#L109

On the axelar-core side, this uid is provided by the end user via CLI command: https://github.com/axelarnetwork/axelar-core/blob/0cd3073bd4745c97112f2a7948fed19c9c1e4359/x/tss/client/cli/tx.go#L40

As such, the only restriction on uid length is that it be nonzero. How to proceed?
Options:
@cgorenflo any opinions?
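The compatibility question raised in the draft status above (does a length range check on the session nonce reject uids that axelar-core users already pass on the CLI?) can be answered mechanically over a list of existing uids. The following Go program is an added example, not code from this PR, tofn or axelar-core: the lower bound of 1 reflects the nonzero-only check described in the comment, while the upper bound of 64 bytes is an assumed placeholder, since the PR does not state the actual limit. The function names (ValidateSessionNonce, BreakingUIDs) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Bounds on the session nonce (the keygen new_key_uid) length in bytes.
// MinSessionNonceLen matches the only check axelar-core applies today
// (non-empty). MaxSessionNonceLen is an ASSUMED placeholder for this
// example; the PR does not state the real upper limit.
const (
	MinSessionNonceLen = 1
	MaxSessionNonceLen = 64 // assumption, not a value from the PR
)

var (
	ErrNonceEmpty   = errors.New("session nonce must be non-empty")
	ErrNonceTooLong = errors.New("session nonce exceeds maximum length")
)

// legacyCheck reproduces the pre-PR behaviour the thread describes:
// the uid is accepted as long as it is non-empty.
func legacyCheck(uid string) error {
	if len(uid) == 0 {
		return ErrNonceEmpty
	}
	return nil
}

// ValidateSessionNonce is the range check: both a lower and an upper bound
// on the byte length. len() counts bytes, so a uid containing multi-byte
// UTF-8 characters can exceed the limit with fewer visible characters.
func ValidateSessionNonce(uid string) error {
	n := len(uid)
	if n < MinSessionNonceLen {
		return ErrNonceEmpty
	}
	if n > MaxSessionNonceLen {
		return ErrNonceTooLong
	}
	return nil
}

// BreakingUIDs returns the uids that the legacy check accepts but the new
// range check rejects: exactly the set that would break existing usage.
func BreakingUIDs(uids []string) []string {
	var broken []string
	for _, u := range uids {
		if legacyCheck(u) == nil && ValidateSessionNonce(u) != nil {
			broken = append(broken, u)
		}
	}
	return broken
}

func main() {
	// Constructed sample of uids as an end user might supply on the CLI;
	// in practice this list would come from the chain's existing key uids.
	sample := []string{
		"",                        // rejected by both checks
		"validator-key-1",         // accepted by both
		strings.Repeat("x", 64),   // exactly at the assumed limit: accepted
		strings.Repeat("y", 65),   // accepted before, rejected now
	}
	for _, u := range sample {
		fmt.Printf("len=%2d legacy=%v new=%v\n", len(u), legacyCheck(u), ValidateSessionNonce(u))
	}
	fmt.Printf("uids that would break: %d\n", len(BreakingUIDs(sample)))
}
```

Running BreakingUIDs over the uids already registered on a live axelar-core deployment gives the concrete answer the draft status is waiting for; an empty result means the new bounds can be adopted without a migration, a non-empty one lists exactly which uids need attention.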