Skip to content

[ALPHANET] Token PayChannel#30

Open
dangell7 wants to merge 16 commits into
developfrom
token-paychan
Open

[ALPHANET] Token PayChannel#30
dangell7 wants to merge 16 commits into
developfrom
token-paychan

Conversation

@dangell7

@dangell7 dangell7 commented May 6, 2026

Copy link
Copy Markdown
Member

High Level Overview of Change

Context of Change

API Impact

  • Public API: New feature (new methods and/or new fields)
  • Public API: Breaking change (in general, breaking changes should only impact the next api_version)
  • libxrpl change (any change that may affect libxrpl or dependents of libxrpl)
  • Peer protocol change (must be backward compatible or bump the peer protocol version)

sentinel-ai-reviewer-dev Bot pushed a commit that referenced this pull request May 11, 2026
@dangell7 dangell7 force-pushed the token-paychan branch 3 times, most recently from 3edb7a8 to da130bf Compare May 20, 2026 10:29
Comment thread .pre-commit-config.yaml
language: python
types_or: [c++, c]
exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/
- id: fix-pragma-once

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Every other hook that runs on C++ headers in this file explicitly excludes include/xrpl/protocol_autogen/ (clang-tidy, fix-include-style, and clang-format all do so), but the new fix-pragma-once hook has no exclude at all. When any autogenerated header under that directory is staged, the hook will attempt to prepend #pragma once to it — modifying a file that is supposed to be owned by the code generator, and causing the hook to return a failure exit code that blocks the commit. Add exclude: ^include/xrpl/protocol_autogen/ to match the pattern the sibling hooks already use.

Suggested fix

Add exclude: ^include/xrpl/protocol_autogen/ to the fix-pragma-once hook definition, consistent with the exclude patterns on fix-include-style, clang-tidy, and clang-format.

Comment thread CMakeLists.txt
find_package(gRPC REQUIRED)
find_package(LibArchive REQUIRED)
find_package(lz4 REQUIRED)
find_package(mpt-crypto REQUIRED)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mpt-crypto/0.4.0-rc2 — a release-candidate pre-release — is introduced as a hard required dependency and linked into xrpl_libs, making it the sole verification engine for all zero-knowledge proofs in ConfidentialMPTSend, ConfidentialMPTConvert, and ConfidentialMPTConvertBack transactions on the consensus-critical path. A proof-verification defect in a pre-release cryptographic library at this position lets an attacker craft a structurally valid but mathematically invalid proof that passes mpt_verify_send_proof / mpt_verify_convert_back_proof, enabling confidential token movements that are unsupported by the underlying balance commitments. The package is served from XRPLF's private Conan remote (conan.xrplf.org) rather than public Conan Center, meaning it has not received the independent third-party review expected of a production cryptographic dependency. Promote this to a stable, externally audited release before mainnet activation, and gate all ConfidentialMPT* transaction types behind an amendment that remains disabled until that review is complete.

Suggested fix

Replace mpt-crypto/0.4.0-rc2 with a stable, non-RC release that has undergone external cryptographic audit. Until then, ensure all ConfidentialMPT* transaction types are guarded by an amendment flag that is not enabled on mainnet, so a latent proof-verification bug in the RC library cannot be triggered on production ledger state. Additionally, consider publishing the mpt-crypto recipe to public Conan Center or providing a reproducible build from a public source repository to enable community security review.

Comment thread CMakeLists.txt
)
endif()

include(PatchNixBinary)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PatchNixBinary.cmake is now included unconditionally and, during the CMake configure phase, executes /tmp/loader-path.sh via execute_process and passes its stdout verbatim as the --set-interpreter argument to patchelf on every built binary. /tmp/ is world-writable on Linux, so any concurrent process on the CI host — another job, a dependency script, or an attacker who has compromised the build environment — can overwrite that script and plant an arbitrary ELF interpreter path in the shipped rippled binary before main() ever runs. Validate the script's integrity against a pinned hash before executing it, or move it to a root-owned path outside /tmp/.

Suggested fix

Hash /tmp/loader-path.sh against a known-good value at configure time and abort if the hash does not match, or relocate the loader-path mechanism to a path that cannot be written by non-root processes (e.g., an image-baked /etc/xrplf/loader-path.sh). Alternatively, store the expected default loader path as a compile-time constant in the Nix flake and skip the runtime script entirely.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants