feat: add wasm tx generator for snap sign (#4)

This commit introduces a WASM transaction parser and encoder to the snap. The returned bytes of the `signTransaction` method will be a borsh serialized transaction, that can be directly sent to sequencers. It adds the bytecode of the wasm to the hardcoded snap source so its source is committed to the hash of the published snap. It is done that way to avoid exploits from the UI that might return malicious WASM files and sign tampered messages for the user - having the bytes of the WASM committed to the plugin asserts the signature will be only for the intended message.
Sovereign-Labs · Nov 15, 2023 · 651f535 · 651f535
1 parent 723b096
commit 651f535
Show file tree

Hide file tree

Showing 60 changed files with 9,066 additions and 30,233 deletions.
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1,2 @@
+packages/snap/src/module.ts
+scripts/readWasm.js
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -1,5 +1,6 @@
 module.exports = {
   root: true,
+
   parserOptions: {
     sourceType: 'module',
   },
@@ -8,20 +9,17 @@ module.exports = {
 
   overrides: [
     {
-      files: ['**/*.js'],
+      files: ['*.js'],
       extends: ['@metamask/eslint-config-nodejs'],
     },
 
     {
-      files: ['**/*.{ts,tsx}'],
+      files: ['*.ts', '*.tsx'],
       extends: ['@metamask/eslint-config-typescript'],
-      rules: {
-        '@typescript-eslint/consistent-type-definitions': ['error', 'type'],
-      },
     },
 
     {
-      files: ['**/*.test.ts', '**/*.test.js'],
+      files: ['*.test.ts', '*.test.js'],
       extends: ['@metamask/eslint-config-jest'],
       rules: {
         '@typescript-eslint/no-shadow': [

diff --git a/.github/workflows/build-lint-test.yml b/.github/workflows/build-lint-test.yml
@@ -6,25 +6,34 @@ on:
   pull_request:
 
 jobs:
-  build-lint-test:
-    name: Build, Lint, and Test
+  prepare:
+    name: Prepare
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [16.x, 18.x]
     steps:
       - uses: actions/checkout@v3
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version-file: '.nvmrc'
           cache: 'yarn'
-      - run: yarn install --immutable
+      - name: Install Yarn dependencies
+        run: yarn --immutable
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+      - run: yarn --immutable --immutable-cache
       - run: yarn build
-      - run: yarn lint
-      - run: yarn test
       - name: Cache snap build
-        if: ${{ matrix.node-version == '18.x' }}
         uses: actions/cache@v3
         with:
           path: ./packages/snap/dist
@@ -33,22 +42,59 @@ jobs:
         shell: bash
         run: |
           if ! git diff --exit-code; then
-            echo "Working tree dirty after building"
+            echo "Working tree dirty at end of job"
+            exit 1
+          fi
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+      - run: yarn --immutable --immutable-cache
+      - run: yarn lint
+      - name: Require clean working directory
+        shell: bash
+        run: |
+          if ! git diff --exit-code; then
+            echo "Working tree dirty at end of job"
             exit 1
           fi
 
-  e2e:
-    name: End-to-end Tests
+  e2e-test:
+    name: End-to-end Test
     runs-on: ubuntu-latest
     needs:
-      - build-lint-test
+      - prepare
+      - build
     steps:
       - uses: actions/checkout@v3
-      - name: Set up Node.js
+      - name: Use Node.js
         uses: actions/setup-node@v3
         with:
           node-version-file: '.nvmrc'
           cache: 'yarn'
+      - name: Install WASM tools
+        run: |
+          PACKAGE_URL="https://github.com/WebAssembly/binaryen/releases/download/version_116/binaryen-version_116-x86_64-linux.tar.gz"
+          INSTALL_PATH="/usr/local/bin"
+          curl -L $PACKAGE_URL | tar xz -C $INSTALL_PATH
+        shell: bash
+      - name: Install WABT
+        run: |
+          PACKAGE_URL="https://github.com/WebAssembly/wabt/releases/download/1.0.34/wabt-1.0.34-ubuntu.tar.gz"
+          INSTALL_PATH="/usr/local/bin"
+          curl -L $PACKAGE_URL | tar xz -C $INSTALL_PATH
+        shell: bash
+      - name: Setup Rust toolchain
+        run: rustup target add wasm32-wasi
       - name: Restore snap build cache
         uses: actions/cache@v3
         with:
@@ -57,14 +103,7 @@ jobs:
       - run: yarn install --immutable
       - name: Install Google Chrome
         run: yarn install-chrome
+      - name: Update WASM
+        run: PATH="/usr/local/bin/binaryen-version_116/bin:/usr/local/bin/wabt-1.0.34/bin:$PATH" yarn update-wasm
       - name: Run e2e tests
-        run: yarn workspace @sovereign-sdk/sov-snap run test
-
-  all-jobs-pass:
-    name: All jobs pass
-    runs-on: ubuntu-latest
-    needs:
-      - build-lint-test
-      - e2e
-    steps:
-      - run: echo "Great success!"
+        run: yarn workspace sov-snap run test
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v18.6
+lts/*
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1 @@
+packages/snap/snap.manifest.json
diff --git a/.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs b/.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
@@ -0,0 +1,9 @@
+/* eslint-disable */
+//prettier-ignore
+module.exports = {
+name: "@yarnpkg/plugin-allow-scripts",
+factory: function (require) {
+var plugin=(()=>{var l=Object.defineProperty;var s=Object.getOwnPropertyDescriptor;var a=Object.getOwnPropertyNames;var c=Object.prototype.hasOwnProperty;var p=(t=>typeof require<"u"?require:typeof Proxy<"u"?new Proxy(t,{get:(o,e)=>(typeof require<"u"?require:o)[e]}):t)(function(t){if(typeof require<"u")return require.apply(this,arguments);throw new Error('Dynamic require of "'+t+'" is not supported')});var u=(t,o)=>{for(var e in o)l(t,e,{get:o[e],enumerable:!0})},f=(t,o,e,r)=>{if(o&&typeof o=="object"||typeof o=="function")for(let i of a(o))!c.call(t,i)&&i!==e&&l(t,i,{get:()=>o[i],enumerable:!(r=s(o,i))||r.enumerable});return t};var m=t=>f(l({},"__esModule",{value:!0}),t);var g={};u(g,{default:()=>d});var n=p("@yarnpkg/shell"),x={hooks:{afterAllInstalled:async()=>{let t=await(0,n.execute)("yarn run allow-scripts");t!==0&&process.exit(t)}}},d=x;return m(g);})();
+return plugin;
+}
+};
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1,7 +1,17 @@
+enableScripts: false
+
+enableTelemetry: 0
+
+logFilters:
+  - code: YN0004
+    level: discard
+
 nodeLinker: node-modules
 
 plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
     spec: '@yarnpkg/plugin-workspace-tools'
+  - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
+    spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
 
 yarnPath: .yarn/releases/yarn-3.2.1.cjs
diff --git a/external/sov-wasm/.gitignore b/external/sov-wasm/.gitignore
@@ -0,0 +1 @@
+/target