Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce ACL to IP Graph Precompile #230

Open
kingster-will opened this issue Jul 3, 2024 · 2 comments
Open

Introduce ACL to IP Graph Precompile #230

kingster-will opened this issue Jul 3, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@kingster-will
Copy link

Description and context

We propose to introduce an Access Control List (ACL) mechanism to the IP Graph precompile contracts to enhance security and control over write operations. This ACL will ensure that only addresses/accounts that are whitelisted can access and execute write functions, such as addParents(). The primary goal is to restrict state-changing operations to valid contracts, like the "LicensingModule", thereby preventing unauthorized modifications to the IP Graph.

Details

Currently, the IP Graph precompile contracts do not have an explicit access control mechanism for write operations. This lack of access control could potentially expose the system to unauthorized state changes, leading to security vulnerabilities. By implementing an ACL, we can ensure that only whitelisted addresses, which are recognized and authorized by the system, can perform write operations.

Key Features to Implement:

  • Whitelist Management: Functions to add and remove addresses from the whitelist. These functions should be accessible only by the contract owner or designated administrators.
  • Access Control Checks: Modify existing write functions (e.g., addParents()) to include checks that ensure the caller's address is in the whitelist before executing any state-changing logic.
  • Event Logging: Emit events for critical actions, including adding or removing addresses from the whitelist, to ensure transparency and facilitate monitoring.

Acceptance Criteria

  • An ACL mechanism is implemented and integrated with the IP Graph precompile contracts.
  • Only addresses/accounts in the whitelist can execute write functions in the precompile contracts.
  • Functions to manage the whitelist (add/remove addresses) are implemented and secured.
  • All modifications and access attempts are logged through events for auditability.
  • The system maintains full functionality with the added ACL, without introducing regressions or performance issues.
@kingster-will kingster-will added the enhancement New feature or request label Jul 3, 2024
@Ramarti
Copy link

Ramarti commented Aug 22, 2024

Great writeup. We could implement this in 2 phases, the first one a simple hard coded maping to remove the vector, then we can make it more flexible to not require hard forks. It could be tied to Module Registry, but not to all modules. There could be an extra property 'writesIPGraph' that the precompile checks.

@jdubpark
Copy link

Shouldn't this be in the geth repo, not here in protocol core, as it requires changes in the precompile?

@kingster-will kingster-will transferred this issue from another repository Sep 5, 2024
@kingster-will kingster-will transferred this issue from storyprotocol/protocol-temp Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Ramarti @jdubpark @kingster-will