
SPHINX TRIBES BOUNTIES CRITICAL AREAS TO TEST

Open elraphty opened this issue 11 months ago • 3 comments

Relay

Points of Failure:

  • Tribes Server depends on Relay for bounty payment and invoice generation; if Relay is down, we won't be able to make bounty payments or generate invoices. (There is a check that makes sure a Relay Auth Key is available; if it is not available, the server panics and exits.)

Bounty Creation

Points of Failure:

  • When a token is not passed, a token is expired, or an invalid token is passed
  • When incorrect data is passed to the backend, or required fields are not met.

Bounty Payment

Points of Failure:

  • JWT Error
  • Race Conditions: This has been fixed with a Golang Mutex lock, which makes the payment logic synchronous, making sure only one request can be processed at a time; this has also been tested.
  • If the user access logic fails, this will allow a user who is not the organization admin or has no PayBounty role to pay a bounty.
  • If the wrong organization budget is fetched to get the budget balance of an organization, this may lead to paying a bounty when an organization does not have sufficient balance.
  • If Sphinx Relay provides Tribes with inaccurate data about the keysend payment of a user.

Organization Budget Withdrawal

Points of Failure:

  • JWT Error
  • Race Conditions: If multiple withdrawal requests are sent at the same time and the DB balance does not get updated before the next request is processed. (To be fixed with a Golang Mutex Lock.)
  • If the user access logic fails, this will allow a user who is not the organization admin or has no WithdrawBudget role to withdraw from the organization.
  • Invoice Decode Bolt11 library: if the decoder returns an inaccurate amount and our node ends up paying a bigger or smaller amount than what was intended.
  • If the wrong organization's budget is fetched from the DB, it will lead to an inaccurate budget balance, and this will break the budget balance amount check before processing a withdrawal.
  • If Sphinx Relay provides Tribes with inaccurate data about the withdrawal invoice payment.
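As an added illustration of the withdrawal checks listed above (example code, not the Tribes Server's own), this Go sketch guards the balance check and debit with a sync.Mutex, as the issue proposes, and also rejects a withdrawal when the decoded Bolt11 amount differs from the requested amount or when the caller is neither org admin nor holds the WithdrawBudget role. BudgetStore, Caller and the in-memory balances map are assumptions standing in for the DB budget table and the JWT-derived identity.

```go
package main

import (
	"errors"
	"sync"
)

var (
	ErrNotAuthorised      = errors.New("caller is not org admin and lacks WithdrawBudget role")
	ErrInvoiceAmount      = errors.New("decoded invoice amount does not match requested amount")
	ErrInsufficientBudget = errors.New("insufficient organization budget")
)

// Caller is the identity recovered from an already verified JWT (hypothetical shape).
type Caller struct {
	IsAdmin bool
	Roles   map[string]bool
}

// BudgetStore stands in for the DB budget table (constructed, in-memory). The mutex
// serialises check-then-debit so concurrent withdrawals cannot pass against a stale balance.
type BudgetStore struct {
	mu       sync.Mutex
	balances map[string]int64 // org UUID -> balance in sats
}

// Balance returns the current budget of an organization.
func (s *BudgetStore) Balance(org string) int64 {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.balances[org]
}

// Withdraw checks access, the decoded Bolt11 amount against the requested amount
// (both in sats), and the balance, then debits the budget under one lock.
func (s *BudgetStore) Withdraw(c Caller, org string, amount, decodedAmount int64) error {
	if !c.IsAdmin && !c.Roles["WithdrawBudget"] {
		return ErrNotAuthorised
	}
	if amount <= 0 || decodedAmount != amount {
		return ErrInvoiceAmount
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	bal := s.balances[org]
	if bal < amount {
		return ErrInsufficientBudget
	}
	s.balances[org] = bal - amount
	return nil
}
```

Firing many concurrent withdrawals at one organization should leave exactly balance/amount of them succeeding and the balance never negative; that is the property the mutex buys.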

Organization Budget Addition

Points of Failure:

  • If Sphinx Relay fails to generate an invoice with the specified amount
  • JWT error occurs during polling of budget invoice
  • If the Invoices for the wrong organization are returned
  • If Sphinx Relay returns the wrong response for the status of an invoice

Payment History

Points of Failure:

  • If a payment fails to be added to history by the PayBounty, WithdrawBudget, and AddBudget logic.
  • If the polling of invoice logic fails to update the status of a payment
  • If Relay provides polling of invoice logic with the wrong Lightning invoice status
  • If the Budget addition logic fails, the invoice amount is not added to an organization's budget.

Invoice Tracking

Points of Failure:

  • If the add budget invoice logic fails to add an invoice
  • If the polling of invoice logic fails to update the status of an invoice
  • If Relay provides polling of invoice logic with the wrong Lightning invoice status

@pitoi @kevkevinpal These are the critical areas on the Tribes Server.

elraphty, Mar 08 '24 14:03