Makes sure that only EOAs can mint #728
Open
shanev wants to merge 13 commits into main from is-contract
…ation

Add contract detection to all vending minter variants to prevent malicious smart contracts from exploiting the random token selection mechanism by reverting transactions until they get desired NFTs.

Changes:
- Add ContractsCannotMint error variant to all minter error types
- Add is_contract() function using cw2::query_contract_info to detect contracts
- Block contract addresses from execute_mint_sender in all 6 minter variants:
  * vending-minter
  * vending-minter-wl-flex
  * vending-minter-wl-flex-featured
  * vending-minter-featured
  * vending-minter-merkle-wl
  * vending-minter-merkle-wl-featured
- Admin mints (mint_to/mint_for) still work from contracts for legitimate use cases
- Only public and whitelist mints are blocked from contract addresses

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Improve contract detection to use address length as primary method with cw2 fallback:
- Contract addresses are typically longer (>50 chars) than EOA addresses
- Use address length as primary detection method for reliability
- Keep cw2::query_contract_info as secondary check for contracts using cw2
- More robust across different contract types (even those not using cw2)

Add comprehensive test suite covering:
- EOA addresses can mint successfully
- Short addresses (typical EOAs) are treated correctly
- Long addresses (contract-like) are blocked from minting
- Boundary testing at 50-character threshold
- Admin functions still work regardless of address type

All 50 existing vending minter tests continue to pass.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Apply cargo fmt to ensure all code follows project formatting standards.

This addresses CI lint failures by fixing:
- Import ordering
- Line length formatting
- Comment alignment
- Consistent spacing

All functionality remains unchanged.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
…act detection

- Updated is_contract() function in all 6 vending minter variants
- Replaced cw2::query_contract_info with direct ContractInfoResponse query
- This is more reliable since cw2 is optional for contracts
- Primary detection still uses address length (>50 chars)
- All tests pass including 5 contract detection tests

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
- Added test_real_contract_detected_by_contract_info_query test
- Tests that actual contracts (like minter addresses) are properly detected
- Even if contract address is <50 chars, ContractInfo query catches it
- Now have 6 total contract detection tests covering all scenarios:
  1. EOAs can mint
  2. Short addresses treated as EOAs
  3. Long addresses blocked as contracts
  4. Admin mints bypass checks
  5. Boundary testing at 50 chars
  6. Real contracts detected by ContractInfo query

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
This adds a comprehensive contract whitelist feature that allows the admin to specify trusted contracts that can mint despite the general contract blocking policy.

## New Features

### State Storage
- Added WHITELISTED_CONTRACTS map to store approved contract addresses

### New Execute Messages
- AddContractToWhitelist: Admin can whitelist individual contracts
- RemoveContractFromWhitelist: Admin can remove contracts from whitelist
- UpdateContractWhitelist: Admin can batch add/remove multiple contracts

### New Query Messages
- IsContractWhitelisted: Check if specific contract is whitelisted
- WhitelistedContracts: List all whitelisted contracts with pagination

### Updated Contract Detection Logic
- Modified is_contract() to check whitelist first
- If address is whitelisted, it's treated as an EOA (allowed to mint)
- Otherwise continues with existing detection (length + ContractInfo query)

### Security
- Only admin can modify the whitelist
- All addresses are validated before adding to whitelist
- Events emitted for transparency

## Use Cases

This enables legitimate contracts to mint while maintaining security:
- DAO contracts can be whitelisted for governance-based minting
- Multisig contracts can be whitelisted for collaborative minting
- Authorized automation contracts can be whitelisted

## Implementation Status
- ✅ Complete implementation for vending-minter
- ⏳ Still needs to be applied to other 5 vending minter variants
- ✅ All existing tests pass
- ✅ Comprehensive test suite created (contract_whitelist.rs)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Extended contract whitelist feature to vending-minter-wl-flex variant:

## Changes Applied
- ✅ Added WHITELISTED_CONTRACTS storage map to state.rs
- ✅ Added new ExecuteMsg variants (Add/Remove/Update contract whitelist)
- ✅ Added new QueryMsg variants (IsContractWhitelisted, WhitelistedContracts)
- ✅ Added response types for new queries
- ✅ Updated is_contract() to check whitelist first
- ✅ Added execute handlers with admin-only access control
- ✅ Added query handlers with pagination support
- ✅ All imports and dependencies updated
- ✅ Code compiles successfully

## Implementation Status
- ✅ vending-minter (complete)
- ✅ vending-minter-wl-flex (complete)
- ⏳ vending-minter-wl-flex-featured (pending)
- ⏳ vending-minter-featured (pending)
- ⏳ vending-minter-merkle-wl (pending)
- ⏳ vending-minter-merkle-wl-featured (pending)

The same pattern needs to be applied to the remaining 4 variants:
1. Update state.rs: Add WHITELISTED_CONTRACTS map
2. Update msg.rs: Add execute/query messages and response types
3. Update contract.rs: Modify is_contract(), add handlers, update imports

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Extends the contract whitelist security feature to all 4 remaining vending minter variants:
- vending-minter-featured
- vending-minter-wl-flex-featured
- vending-minter-merkle-wl
- vending-minter-merkle-wl-featured

Each variant now supports:
- Admin-only contract whitelist management
- Whitelisted contracts can mint despite being contracts
- Query functions to check whitelist status and retrieve whitelisted contracts
- Batch whitelist operations for efficiency

This completes the rollout of contract whitelist functionality across all 6 vending minter variants, providing comprehensive protection against random minting attacks while allowing approved contracts to mint.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Move all contract whitelist operations from individual minters to the factory contract for centralized governance-only management.

## Factory Contract Changes:
- Add centralized whitelist storage (WHITELISTED_CONTRACTS map)
- Add sudo operations for whitelist management (add/remove/update)
- Add query operations for whitelist status checking
- Implement governance-only whitelist control via sudo messages

## Minter Contract Changes (all 6 variants):
- Update is_contract() to query factory for whitelist status
- Remove local WHITELISTED_CONTRACTS storage and operations
- Remove whitelist execute/query handlers and message types
- Clean up unused imports and response types

## Architecture Benefits:
- Centralized whitelist policy managed by governance
- Consistent contract detection across all minters
- Reduced code duplication and maintenance overhead
- Clear separation of concerns (factory handles policy, minters handle minting)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Add comprehensive whitelist management to factory contract without requiring governance/sudo for all operations.

## New Features:

### Instantiate Support:
- Add optional `initial_whitelist` field to InstantiateMsg
- Enable factory initialization with predefined contract whitelist
- Maintain backward compatibility with `None` default

### Execute Operations (Non-Sudo):
- Add ExecuteMsg::AddContractToWhitelist for individual additions
- Add ExecuteMsg::RemoveContractFromWhitelist for individual removals
- Add ExecuteMsg::UpdateContractWhitelist for batch operations
- Enable permissionless whitelist management alongside governance control

### Migrate Support:
- Add MigrateMsg with optional WhitelistUpdate structure
- Support batch add/remove operations during contract migration
- Maintain proper contract versioning and validation

## Multiple Access Patterns:
1. **Governance Control**: Sudo operations for restricted management
2. **Open Operations**: Execute operations for permissionless management
3. **Initial Setup**: Instantiate operations for one-time initialization
4. **Migration Updates**: Migrate operations for upgrade-time updates

## Test Coverage:
- Add 9 comprehensive test functions covering all new functionality
- Update all InstantiateMsg usages across test suite (10 files)
- Validate 55/55 whitelist tests pass with no regressions

## Benefits:
- Remove governance dependency for routine whitelist operations
- Enable flexible factory setup and management workflows
- Maintain full backward compatibility with existing deployments
- Provide multiple operational patterns for different use cases

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
SECURITY FIX: Remove unrestricted execute operations that allowed anyone to manipulate contract whitelist.

## Critical Vulnerability Identified:
- ExecuteMsg::AddContractToWhitelist had NO access control
- ExecuteMsg::RemoveContractFromWhitelist had NO access control
- ExecuteMsg::UpdateContractWhitelist had NO access control
- ANY user could whitelist malicious attack contracts
- Completely defeated the security purpose of the whitelist system

## Security Impact:
- Enabled the exact random minting attack the whitelist was designed to prevent
- Malicious actors could whitelist their own attack contracts
- Attackers could remove legitimate whitelisted contracts
- Created a security bypass undermining the entire protection system

## Fix Applied:
- Remove all unrestricted ExecuteMsg whitelist operations
- Maintain secure governance-controlled sudo operations
- Keep safe instantiate and migrate whitelist functionality
- Remove associated vulnerable execute handler functions
- Remove tests that validated the vulnerable functionality

## Remaining Safe Operations:
- ✅ Sudo operations (governance-only) - SECURE
- ✅ Instantiate with initial_whitelist - SECURE
- ✅ Migrate with whitelist updates - SECURE
- ❌ Execute whitelist operations - REMOVED (was vulnerable)

This fix eliminates the critical security vulnerability while preserving the beneficial instantiate and migrate functionality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Extends Sg2QueryMsg with whitelist queries to provide a unified interface across all factory contracts while maintaining backward compatibility.

Key changes:
- Extended Sg2QueryMsg enum with IsContractWhitelisted and WhitelistedContracts variants
- Added corresponding response types to sg2 package
- Updated all factory contracts (base, vending, open-edition) to handle whitelist queries
- Fixed template function to use correct base minter configuration
- Updated test imports to use unified Sg2QueryMsg interface

Fixes 8 failing tests:
- vending_factory::tests::sudo_tests::test_factory_*
- vending_minter::tests::contract_whitelist::test_*

All 164 tests now pass while preserving security functionality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
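The sender check that the commits above converge on (factory-held whitelist consulted first, then the >50-character address-length heuristic, then a ContractInfo query as the authoritative fallback, with admin mints exempt) is modelled here in plain Rust as an added illustration. This is not the PR's or the project's code: the `Chain` trait, `MockChain`, and the `stars1…` addresses are constructed stand-ins for the cosmwasm_std querier, the factory's whitelist query and real bech32 addresses.

```rust
use std::collections::HashSet;

/// Length threshold from the PR: bech32 contract addresses carry a 32-byte payload
/// and come out longer than the 20-byte account addresses that EOAs use.
pub const CONTRACT_ADDR_LEN_THRESHOLD: usize = 50;

/// Outcome of the sender check on the public / whitelist mint path.
#[derive(Debug, PartialEq, Eq)]
pub enum MintDecision {
    Allowed,
    /// Mirrors the PR's `ContractsCannotMint` error variant.
    ContractsCannotMint,
}

/// Stand-in for the chain querier (assumption: the real minter reaches the factory
/// whitelist and ContractInfo through cosmwasm_std's querier).
pub trait Chain {
    /// Governance-managed whitelist held by the factory contract.
    fn factory_is_whitelisted(&self, addr: &str) -> bool;
    /// True when a ContractInfo query for `addr` succeeds, i.e. the address is a
    /// deployed contract (this works even for contracts that do not use cw2).
    fn contract_info_exists(&self, addr: &str) -> bool;
}

/// Detection order described in the commits: whitelist, then length, then ContractInfo.
pub fn is_contract(chain: &impl Chain, addr: &str) -> bool {
    if chain.factory_is_whitelisted(addr) {
        return false; // approved contracts are treated like EOAs
    }
    if addr.len() > CONTRACT_ADDR_LEN_THRESHOLD {
        return true; // cheap primary check, no chain query needed
    }
    chain.contract_info_exists(addr) // catches contracts with short addresses
}

/// Gate applied on the execute_mint_sender path. Admin mints (mint_to / mint_for)
/// skip the check, as the PR keeps those usable from contracts.
pub fn check_mint_sender(chain: &impl Chain, sender: &str, admin_mint: bool) -> MintDecision {
    if !admin_mint && is_contract(chain, sender) {
        MintDecision::ContractsCannotMint
    } else {
        MintDecision::Allowed
    }
}

/// Constructed in-memory chain state for this example, not real chain data.
pub struct MockChain {
    pub contracts: HashSet<String>,
    pub whitelist: HashSet<String>,
}

impl Chain for MockChain {
    fn factory_is_whitelisted(&self, addr: &str) -> bool {
        self.whitelist.contains(addr)
    }
    fn contract_info_exists(&self, addr: &str) -> bool {
        self.contracts.contains(addr)
    }
}

/// Constructed addresses: only their lengths matter (44 chars for a 20-byte bech32
/// payload, 64 chars for a 32-byte one); they are not valid bech32 strings.
pub fn eoa_addr() -> String { format!("stars1{}", "q".repeat(38)) }
pub fn long_contract_addr() -> String { format!("stars1{}", "c".repeat(58)) }
pub fn short_contract_addr() -> String { format!("stars1{}", "s".repeat(38)) }
pub fn whitelisted_dao_addr() -> String { format!("stars1{}", "d".repeat(58)) }

pub fn sample_chain() -> MockChain {
    let mut contracts = HashSet::new();
    contracts.insert(long_contract_addr());
    contracts.insert(short_contract_addr()); // deployed contract with an EOA-length address
    contracts.insert(whitelisted_dao_addr());
    let mut whitelist = HashSet::new();
    whitelist.insert(whitelisted_dao_addr()); // approved by governance via the factory
    MockChain { contracts, whitelist }
}

fn main() {
    let chain = sample_chain();
    let cases = [
        ("eoa", eoa_addr()),
        ("long contract", long_contract_addr()),
        ("short contract", short_contract_addr()),
        ("whitelisted dao", whitelisted_dao_addr()),
    ];
    for (label, addr) in cases {
        println!("{label:>16}: {:?}", check_mint_sender(&chain, &addr, false));
    }
}
```

The length test is only a heuristic; the ContractInfo query is what actually decides the case the commits call out, a deployed contract whose address is under 50 characters. Keeping the whitelist check first means a governance-approved contract never pays for the ContractInfo query.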
No description provided.