Skip to content

fix: make contract delivery retry-safe#67

Merged
andreogle merged 3 commits into
andreogle:mainfrom
saviro-orin:fix/contract-callback-integrity
Jul 11, 2026
Merged

fix: make contract delivery retry-safe#67
andreogle merged 3 commits into
andreogle:mainfrom
saviro-orin:fix/contract-callback-integrity

Conversation

@saviro-orin

@saviro-orin saviro-orin commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • makes callback delivery atomic and retry-safe by bubbling callback reverts
  • rejects callback and verifier addresses without deployed code
  • fixes unbounded-staleness arithmetic in the reference price consumer
  • adds future and stale timestamp protection to the confidential feed
  • aligns the FHE adapter with current fromExternal semantics and removes nonexistent revocation behavior
  • documents signer, chain-domain, adapter, and persistent-ACL trust boundaries honestly
  • aligns the published verifier guide with retry-safe callback behavior

Audit findings fixed

High

  • A premature, deliberately reverting, or underfunded callback could consume a valid delivery permanently because the verifier ignored callback failure and retained replay state.

Medium

  • ConfidentialPriceFeed accepted future timestamps, allowing a trusted signer or clock error to poison an endpoint against later valid updates.
  • ConfidentialPriceFeed had no maximum-age check and could accept arbitrarily old first observations.
  • The FHE example exposed a deny/revocation operation that the current FHE ACL does not provide.
  • Consumer constructors accepted verifier EOAs, allowing direct unverified callback invocation after misconfiguration.
  • The price consumer's attestedAt + maxStaleness check could overflow when configured with an unbounded maximum.

Review-discovered product risk

  • An exact-match quorum example was initially added, then removed after independent integration review showed that separately operated Airnodes generate timestamps after independent HTTP requests. Requiring byte-identical data and the same timestamp second would make the example impractical and misleading without a protocol-level shared round or observation identifier.

Example decision

No new example ships in this PR. The candidate quorum example was removed rather than publishing a copy-paste pattern that the current signing pipeline cannot support reliably.

Verification

  • forge test: 49 tests pass, including 6 invariant properties at 16,384 calls each and 1,000 fuzz runs for arbitrary int256 prices
  • forge coverage: 100% line and statement coverage for AirnodeVerifier, AirnodePriceConsumer, and ConfidentialPriceFeed
  • Slither: 4 contracts, 101 detectors, 0 findings
  • Bun: 584 tests pass, 0 fail; 99.27% line coverage
  • Prettier: pass
  • ESLint: pass
  • Docusaurus production build: pass
  • independent protocol and patch reviews: zero unresolved high-confidence Critical, High, or Medium findings in the retained Solidity surface

Compatibility note

Callback failure semantics change intentionally. A callback revert now reverts the verifier transaction and preserves a retry path instead of marking the delivery successful.

Remaining boundaries

  • Signatures remain chain-agnostic by design. Consumers needing domain binding must include it in the signed endpoint specification or data.
  • ConfidentialPriceFeed is an adapter-based example, not a production FHE integration. It trusts the configured adapter to validate ciphertext proofs and binding.
  • FHE access grants are persistent and not revocable under the modeled current API.

Bubble callback failures so valid signed payloads cannot be consumed by premature or underfunded submissions. Harden freshness, dependency validation, and FHE trust semantics, and add a strict-majority quorum consumer example with adversarial tests.
@saviro-orin
saviro-orin requested a review from andreogle as a code owner July 11, 2026 20:34
Independent review found that exact timestamp and payload matching is not viable with separately timed Airnode responses. Remove the copy-paste trap and align verifier documentation with retry-safe callback semantics.
Replace an accidentally committed truncation marker with the complete retry-safety explanation.
@andreogle
andreogle merged commit 7e91c57 into andreogle:main Jul 11, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants