onflow / flow-evm-gateway

FlowEVM Gateway implements an Ethereum-equivalent JSON-RPC API for EVM clients to use
https://developers.flow.com/evm/about
Apache License 2.0

Safeguard the logic for ingesting EVM-related events #356

Closed m-Peter closed 2 months ago

m-Peter commented 2 months ago

Currently, we have the following logic for checking whether we're dealing with an EVM-related event:

// isTransactionExecutedEvent checks whether the given event contains transaction executed data.
func isTransactionExecutedEvent(event cadence.Event) bool {
    if event.EventType == nil {
        return false
    }
    return strings.Contains(event.EventType.ID(), string(types.EventTypeTransactionExecuted))
}

However, the condition on the return statement is rather weak. For example:

return strings.Contains("A.f8d6e0586b0a20c7.EVM.TransactionExecuted", "EVM.TransactionExecuted")

The above is a concrete example that occurs when ingesting EVM events. However, even though it returns true, we can't know for sure that it came from the official address where the EVM contract is deployed. Any account can deploy a fake EVM contract, with the same events, and emit such events with fake/dummy data. And this will affect the state index of the EVM Gateway, returning incorrect data. So we need to compare for strict equality with the exact AddressLocation for each network (previewnet, testnet, mainnet).

Right now, the ingestion subscriber creates the appropriate event filters, but we can't rely on this. We need to have strict checks in each place.
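
The gap between the substring check and a strict comparison against the full type ID, as an added Go example that is not part of the original issue or the gateway's code. `strictMatch`, `disagreements` and the `evmAddr` parameter are hypothetical names, and every type ID other than the one quoted in the issue is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// Event suffix taken from the issue's example type ID.
const txExecuted = "EVM.TransactionExecuted"

// weakMatch reproduces the substring check quoted in the issue.
func weakMatch(typeID string) bool {
	return strings.Contains(typeID, txExecuted)
}

// strictMatch accepts only the exact ID "A.<evmAddr>.EVM.TransactionExecuted".
// evmAddr is the configured contract address for the network (hypothetical
// parameter); a leading "0x" and letter case are normalised before comparing.
func strictMatch(typeID, evmAddr string) bool {
	addr := strings.TrimPrefix(strings.ToLower(evmAddr), "0x")
	return typeID == "A."+addr+"."+txExecuted
}

// disagreements returns the IDs the weak check accepts but the strict one rejects.
func disagreements(typeIDs []string, evmAddr string) []string {
	var out []string
	for _, id := range typeIDs {
		if weakMatch(id) && !strictMatch(id, evmAddr) {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	const evmAddr = "0xf8d6e0586b0a20c7" // address from the issue's example
	ids := []string{ // constructed samples; only the first comes from the issue
		"A.f8d6e0586b0a20c7.EVM.TransactionExecuted",
		"A.0000000000000001.EVM.TransactionExecuted",     // same names, other account
		"A.f8d6e0586b0a20c7.FakeEVM.TransactionExecuted", // contract name ends in "EVM"
		"A.f8d6e0586b0a20c7.EVM.TransactionExecutedV2",   // longer event name
	}
	for _, id := range disagreements(ids, evmAddr) {
		fmt.Println("weak check accepts, strict check rejects:", id)
	}
}
```
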

m-Peter commented 2 months ago

Since the event subscription already filters only the events we are interested in, we don't have to check again if events are coming from the correct address.

Closing this as per the above comment on https://github.com/onflow/flow-evm-gateway/pull/361