This repository is for the audit competition for the Aleph-Zero--Most-Relayer. To participate, submit your findings only by using the on-chain submission process on https://app.hats.finance/vulnerability .
- follow the instructions on https://app.hats.finance/
We look forward to seeing your findings.
Bring your assets to Aleph Zero and benefit from its scalable privacy-enhancing ecosystem.
*'bridge' in Slavic languages.
azero
- Aleph Zero contractsazero/contracts/most
- the main bridge contractazero/contracts/gas-price-oracle
- a contract for informing the guardians about Ethereum gas pricesazero/contracts/token
- a PSP22 token implementation for the tokens created by the bridge
eth
- Ethereum contractseth/contracts/Most.sol
- the main bridge contracteth/contracts/Governance.sol
- a contract for making governance decisions about the bridge contracts on Ethereumeth/contracts/WETH9.sol
- a wrapped ethereum implementation for testing purposeseth/contract/Token.sol
- an ERC20 token implementation for testing purposes
relayer
- the component doing the actual bridging between the chains
Have docker, docker-compose (1.29.2
) and cargo-contract (3.2.0
) installed.
To run the tests for the Solidity Most.sol
contract, run:
make test-solidity
It will run the tests using the Hardhat framework.
Alternatively, you can run the tests directly from the selected file in the eth
directory, for example:
cd eth
npx hardhat test test/Most.js
To run the unit tests for the ink! contracts, run:
make test-ink-unit
These will allow you to test the contracts in isolation, without the need for running a blockchain node in the background.
To run DRink! based tests, which allow for testing interactions between multiple contracts without the need to run a node, run:
make drink-tests
DRink! tests are located in azero/contracts/drink-tests/
.
To run the end-to-end tests for the ink! most
contracts, run (requires docker-compose 1.29.2
):
make test-ink-e2e
These tests are located at azero/contracts/tests
.
To run a local development environment, run:
make bridge
This will start a local development environment with the following components:
- Aleph Zero Development chain
- Ethereum PoS Development chain
- Bridge contracts deployed on both chains
- Redis instance
- Relayer process
To run the development chain without deploying the contracts or running the relayer, run:
make devnet-eth
or
make devnet-azero
First, run the signer:
cd relayer
RELAYER_ID=1 scripts/run_signer.sh
The signer will output the CID on which it is running, but you should also be able to just use 2 (meaning host) as the CID.
Next, run the relayer, passing the signer CID to connect to:
# in most/relayer
SIGNER_CID=2 scripts/run_relayer.sh
To stop the networks (and redis) and clean up:
make clean
get a shell into running container:
docker exec -it eth_bootnode "geth attach /root/.ethereum/geth.ipc"
attach console to the geth process:
geth attach /root/.ethereum/geth.ipc
Check the connected peers, confirm these are the correct nodes:
net.peerCount
admin.peers
To deploy the contracts on the EVM chain:
make deploy-eth
This command will deploy the contracts and print out the contract addresses.
Now, open a Hardhat console:
cd eth && npx hardhat console --network development
Interact with the deployed contracts instance:
let Most = await ethers.getContractFactory("Most")
let most = Most.attach("insert contract address here")
let accounts = await ethers.getSigners();
await most.isGuardian(accounts[0])
await most.isGuardian(accounts[1])
To deploy the contracts on the Aleph Zero chain:
make deploy-azero
make run-relayers
Given a deployed (by us) Aleph Zero contract with some code hash C
it's possible to check that the contract has been
produced from a certain version of the source code in this repo (say a given commit). To do so:
git checkout $COMMIT
make print-azero-codehashes
- Find the contract in question in the list and ensure that the printed code hash is the same as
C
The contracts will be deployed using the same docker image as the one used for this procedure, which smooths out indeterminism in ink! contract compilation.
Given a deployed Ethereum contract address it's possible to post verified sources to etherscan and sourcify. You will need an API key for etherscan - can be obtained at https://etherscan.io/myapikey if you have an account. To do so:
git checkout $COMMIT
- where$COMMIT
is the commit from which the contract has been deployedcd eth
ETHERSCAN_API_KEY=[YOUR API KEY] npx hardhat verify [CONTRACT ADDRESS] [CONSTRUCTOR ARGS]
For example, if you deploy Token.sol
to the sepolia testnet like so:
const usdt = await Token.deploy(
"12000000000000000000000000",
"Tether",
"USDT",
);
and the address is 0xbd737D2061ed3b24C95FA88566Ad896c9Fcc84b0
, then you would post verified sources like so:
ETHERSCAN_API_KEY=[YOUR API KEY] npx hardhat --network sepolia verify "0xbd737D2061ed3b24C95FA88566Ad896c9Fcc84b0" \
"12000000000000000000000000" "Tether" "USDT"
Assuming a contract verified on etherscan, there's a convenience script to decode a call to that contract. Just call:
NETWORK=[NETWORK NAME] CALL=[CALL DATA] CONTRACT=[CONTRACT ADDRESS] make decode-eth
Valid values for NETWORK
are mainnet (default)
, sepolia
, and goerli
.
For example:
NETWORK=sepolia \
CALL=0x095ea7b30000000000000000000000005a344a8721d743393847c17613dd78c7776b271400000000000000000000000000000000000000000000000000000000000004d2 \
CONTRACT=0x5a344a8721d743393847C17613dd78C7776b2714 \
make decode-eth
gives:
Contract: Token
Method: approve(address,uint256)
Arguments: Result(2) [ '0x5a344a8721d743393847C17613dd78C7776b2714', 1234n ]