
docs: Add sealevel-exploits along with descriptions to docs

Open thenoahhein opened this issue 3 years ago • 15 comments

In the process of adding the contents of: https://github.com/coral-xyz/sealevel-attacks to the docs.

This PR will add all of the exploits, as well as describe them in detail, instead of providing just the code.

progress

  • [x] signer authorization
  • [x] account data matching
  • [x] owner checks
  • [x] type cosplay
  • [x] initialization
  • [x] arbitrary cpi
  • [x] duplicate mutable accounts
  • [x] bump seed canonicalization
  • [x] pda sharing
  • [x] closing accounts (kinda... No explanation here, but all code examples displayed for easy comparison)

thenoahhein avatar Jul 07 '22 19:07 thenoahhein

@nheingit is attempting to deploy a commit to the 200ms Team on Vercel.

A member of the Team first needs to authorize it.

vercel[bot] avatar Jul 07 '22 19:07 vercel[bot]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Updated |
| --- | --- | --- | --- |
| anchor-docs | ✅ Ready (Inspect) | Visit Preview | Dec 6, 2022 at 5:15PM (UTC) |

vercel[bot] avatar Jul 13 '22 18:07 vercel[bot]

Amazing contribution.

I wonder if the first section called "Sealevel Attacks" is redundant now that we have independent articles.

cc @armaniferrante wdyt?

italoacasas avatar Jul 13 '22 18:07 italoacasas

@nheingit, you can see all the new pages in your dev env?

I can't see some in the test deployment

italoacasas avatar Jul 13 '22 19:07 italoacasas

Weird.

Yeah I can see them on mine:

Screen Shot 2022-07-13 at 2 09 29 PM

thenoahhein avatar Jul 13 '22 19:07 thenoahhein

@italoacasas any idea why the tests are failing here? I can't tell what Clippy would be having problems with here...

thenoahhein avatar Jul 20 '22 15:07 thenoahhein

No idea, but I doubt it's related to this PR.

italoacasas avatar Jul 20 '22 16:07 italoacasas

Okay cool, then I won't worry about it 👍

Unrelated to this PR, but don't really want to open an issue for it.

Would I be able to open a PR if I wrote a guide on an updated version of the escrow-program? I was going to put it on my blog, but thought it could live here under the projects instead.

Didn't know what kind of review process that would take, or if y'all were interested in having more "anchor approved" projects up on the site.

thenoahhein avatar Jul 20 '22 16:07 thenoahhein

If you rebase from master, the clippy warnings have been fixed and the tests should pass.

callensm avatar Jul 20 '22 17:07 callensm

> Would I be able to open a PR if I wrote a guide on an updated version of the escrow program? I was going to put it on my blog but thought it could live here under the projects instead.

It sounds like a good idea.

> Didn't know what kind of review process that would take, or if y'all were interested in having more "anchor approved" projects up on the site.

Historically the escrow program has been an excellent example for learning to use anchor/Solana. Go for it.

italoacasas avatar Jul 20 '22 17:07 italoacasas

Great job, Noah! As best as I can tell the examples are correct, so my suggestions are purely fixes for spelling, grammar, and typos. I even learned a few things while reviewing...

ashpoolin avatar Jul 22 '22 21:07 ashpoolin

Thanks for the review @ashpoolin !

@italoacasas is there anything else I need to do to get this merged in?

thenoahhein avatar Aug 04 '22 17:08 thenoahhein

@nheingit, my plate is a little insane right now, but I will start reviewing the content tonight. Either way, I'm not an expert on the exploits. We may need @armaniferrante's help on this one.

italoacasas avatar Aug 04 '22 18:08 italoacasas

Don't want it to cause any undue stress! Just wanted to bump this since it had been a little bit. Happy to hop on a call or anything to help. You have me on Twitter I think, and my tg handle is the same if you want to kick off any discussion there.

thenoahhein avatar Aug 04 '22 18:08 thenoahhein

ping @callensm

thenoahhein avatar Sep 03 '22 18:09 thenoahhein

I wish I could figure out how to preview this on Vercel.

Henry-E avatar Dec 05 '22 18:12 Henry-E

Bloody hell, this rebase thing is a mess, sorry about this. It's harder to fix this particular mess since somehow git has snuck in extra commits between commit cb46474c38d1a7137e919d35c6dff57ea4b06fb1 and commit 0101d583b830868692ccea4d818bc24c54574f5b.

Sorry to leave this mess here but I have to run right now. When I get back I will revert back to commit 0101d583b830868692ccea4d818bc24c54574f5b and pick out the extra random commits that git added in.

Maybe then the rebasing will work properly.

Henry-E avatar Dec 06 '22 16:12 Henry-E

Just trying to authorize the Vercel deployment so that I can more easily read through and actually check out what this PR is adding in.

Henry-E avatar Dec 06 '22 17:12 Henry-E

This honestly seems harmless enough to merge. Will probably do so once the tests finish running (even though they're technically unrelated).

Henry-E avatar Dec 06 '22 17:12 Henry-E

Upon further reflection, I think this just highlights that the anchor site needs a better way to curate and link to relevant blog posts. That way we can keep the main site mostly clean and help people by linking out where needed, for example to all of the great blog posts written by nheingit, rather than hosting them on the anchor site itself.

Henry-E avatar Dec 07 '22 10:12 Henry-E

Just now seeing these @Henry-E

Linking out would be fine. But I only put them up on my site after seeing coral wasn't going to merge this.

thenoahhein avatar Dec 14 '22 14:12 thenoahhein

Ah ok cool, sorry about the lack of communication. Thanks for posting them on your blog anyway!

Henry-E avatar Dec 14 '22 19:12 Henry-E