pyth2wormhole: Fix a cfg migration bug, fix cfg lockout (see below) #253
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit resolves a runtime problem in migrate() which occurred on devnet, as well as invalid mutability for the old config and misuse of the checked_sub() method. The runtime problem came from a non-zero balance existing on not-yet-used PDA. Effectively, this means permissionless initialization of PDAs on Solana. Anyone can send lamports to any account on Solana (existing or not), and it doesn't take much funds to keep an empty account exempt. While it is possible to recover from it, this case is relatively rare and takes a lot of code to automate. Instead, we settle for a dumb bump of the config PDA seed (see config.rs). This measure is best used sparingly, as it imposes the same static seed on all SOL networks. This will cause headaches if the attester tooling grows a third-party user base.
ali-behjati
approved these changes
Aug 19, 2022
Collaborator
There was a problem hiding this comment.
Nice! And thanks for your detailed explanation Stan 🙇
Nice catch on wrong mutability of old config. It is still a bit strange that how tests passed with the old config being immutable 🤔 does it mean that contract does not panic on such a change?
btw, I think wherever we go, we manage the attestation contract ourself and let only attesters to be permissionless. So there's no problem to change the version.
Contributor
Author
|
On a closing note: I think the version still affects permissionless attesters because there's still need to compute the config PDA address from seeds. For that reason, they need the p2w crates to be up-to-date with what the contract expects. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit resolves a runtime problem in migrate() which occurred on devnet, as
well as invalid mutability for the old config and misuse of the
checked_sub() method.
The runtime problem came from a non-zero balance existing on
not-yet-used PDA. Effectively, this means permissionless
initialization of PDAs on Solana. Anyone can send lamports to any
account on Solana (existing or not), and it doesn't take much funds to
keep an empty account exempt. While it is possible to recover from it,
this case is relatively rare and takes a lot of code to
automate. Instead, we settle for a dumb bump of the config PDA
seed (see config.rs).
This measure is best used sparingly, as it imposes the same static
seed on all SOL networks. This will cause headaches if the attester
tooling grows a third-party user base.