[ALPHANET] Token PayChannel#30
Conversation
3edb7a8 to
da130bf
Compare
| language: python | ||
| types_or: [c++, c] | ||
| exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/ | ||
| - id: fix-pragma-once |
There was a problem hiding this comment.
Every other hook that runs on C++ headers in this file explicitly excludes include/xrpl/protocol_autogen/ (clang-tidy, fix-include-style, and clang-format all do so), but the new fix-pragma-once hook has no exclude at all. When any autogenerated header under that directory is staged, the hook will attempt to prepend #pragma once to it — modifying a file that is supposed to be owned by the code generator, and causing the hook to return a failure exit code that blocks the commit. Add exclude: ^include/xrpl/protocol_autogen/ to match the pattern the sibling hooks already use.
Suggested fix
Add exclude: ^include/xrpl/protocol_autogen/ to the fix-pragma-once hook definition, consistent with the exclude patterns on fix-include-style, clang-tidy, and clang-format.
| find_package(gRPC REQUIRED) | ||
| find_package(LibArchive REQUIRED) | ||
| find_package(lz4 REQUIRED) | ||
| find_package(mpt-crypto REQUIRED) |
There was a problem hiding this comment.
mpt-crypto/0.4.0-rc2 — a release-candidate pre-release — is introduced as a hard required dependency and linked into xrpl_libs, making it the sole verification engine for all zero-knowledge proofs in ConfidentialMPTSend, ConfidentialMPTConvert, and ConfidentialMPTConvertBack transactions on the consensus-critical path. A proof-verification defect in a pre-release cryptographic library at this position lets an attacker craft a structurally valid but mathematically invalid proof that passes mpt_verify_send_proof / mpt_verify_convert_back_proof, enabling confidential token movements that are unsupported by the underlying balance commitments. The package is served from XRPLF's private Conan remote (conan.xrplf.org) rather than public Conan Center, meaning it has not received the independent third-party review expected of a production cryptographic dependency. Promote this to a stable, externally audited release before mainnet activation, and gate all ConfidentialMPT* transaction types behind an amendment that remains disabled until that review is complete.
Suggested fix
Replace mpt-crypto/0.4.0-rc2 with a stable, non-RC release that has undergone external cryptographic audit. Until then, ensure all ConfidentialMPT* transaction types are guarded by an amendment flag that is not enabled on mainnet, so a latent proof-verification bug in the RC library cannot be triggered on production ledger state. Additionally, consider publishing the mpt-crypto recipe to public Conan Center or providing a reproducible build from a public source repository to enable community security review.
| ) | ||
| endif() | ||
|
|
||
| include(PatchNixBinary) |
There was a problem hiding this comment.
PatchNixBinary.cmake is now included unconditionally and, during the CMake configure phase, executes /tmp/loader-path.sh via execute_process and passes its stdout verbatim as the --set-interpreter argument to patchelf on every built binary. /tmp/ is world-writable on Linux, so any concurrent process on the CI host — another job, a dependency script, or an attacker who has compromised the build environment — can overwrite that script and plant an arbitrary ELF interpreter path in the shipped rippled binary before main() ever runs. Validate the script's integrity against a pinned hash before executing it, or move it to a root-owned path outside /tmp/.
Suggested fix
Hash /tmp/loader-path.sh against a known-good value at configure time and abort if the hash does not match, or relocate the loader-path mechanism to a path that cannot be written by non-root processes (e.g., an image-baked /etc/xrplf/loader-path.sh). Alternatively, store the expected default loader path as a compile-time constant in the Nix flake and skip the runtime script entirely.
High Level Overview of Change
Context of Change
API Impact
libxrplchange (any change that may affectlibxrplor dependents oflibxrpl)