From 21167128572c12def1c3bdb73d954517cb624c65 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 16 Apr 2024 11:29:39 +1000 Subject: [PATCH 1/8] Add threat model skeleton for ImmutableSignedZoneV2 --- ...4-threat-model-immutable-signed-zone-v2.md | 151 +++++++++++++++++- 1 file changed, 150 insertions(+), 1 deletion(-) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index e927f318..ee55a7fc 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -2,14 +2,163 @@ ## Introduction -This document is a threat model for the [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable-signed-zone/v2/README.md) contract built by Immutable. +This threat model document for the [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable-signed-zone/v2/README.md) contract has been created in preparation for internal audit. + +## Rationale + +Immutable operates a global off-chain orderbook across Immutable zkEVM chains and relies on the Seaport protocol for on-chain settlement. The orderbook primarily intends to: + +* Centralise liquidity +* Enforce payment of fees (protocol, royalty, marketplace) + +The [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable-signed-zone/v2/README.md) is an implementation of [SIP-7: Server-Signed Orders [TBD]](). The reasons Immutable has chosen this solution is: + +* It requires orders to be known by the orderbook prior to fulfilment +* It allows the orderbook to refuse fulfilment of an order at its discretion (e.g. for gasless cancellations, or compromised collections) +* It allows for arbitrary logic to be defined off-chain and enforced on-chain (e.g. to enforce fees) + +## Threat Model Scope + +The threat model is limited to the following Solidity files at GitHash [TBD]: + +* [ImmutableSignedZoneV2.sol [TBD]]() +* [SIP5EventsAndErrors.sol [TBD]]() +* [SIP5Interface [TBD]]() +* [SIP6EventsAndErrors [TBD]]() +* [SIP6Interface [TBD]]() +* [SIP7EventsAndErrors [TBD]]() +* [SIP7Interface [TBD]]() + +## Background + +Seaport: [Documentation](https://github.com/ProjectOpenSea/seaport/blob/20b84b94755ab4fcdd88735d5f8f1f578e07924a/docs/SeaportDocumentation.md) for v1.6 but relevant for v1.5 which Immutable's Seaport fork is based on. + +SIP-7: [Documentation [TBD]](). ## Architecture +### Top Level Architecture + +The trading system on the Immutable platform is shown in the diagram below. + +```mermaid +flowchart LR + client[Client] <-- 1. POST .../fulfillment-data ---> ob[Immutable Off-Chain\nOrderbook] + client -- 2. fulfillAdvancedOrder ---> seaport[ImmutableSeaport.sol] + seaport -- 3a. transferFrom --> erc20[IERC20.sol] + seaport -- 3b. transferFrom --> erc721[IERC721.sol] + seaport -- 3c. safeTransferFrom --> erc1155[IERC1155.sol] + seaport -- 4. validateOrder --> Zone + subgraph Zone + direction TB + zone[ImmutableSignedZoneV2.sol] --> AccessControlEnumerable.sol + end +``` + +The sequence of events is as follows: + +1. The client makes a HTTP `POST .../fulfillment-data` request to the Immutable Orderbook, which will construct and sign an `extraData` payload to return to the client +2. The client calls `fulfillAdvancedOrder` or `fulfillAvailableAdavancedOrders` on `ImmutableSeaport.sol` to fulfill an order +3. `ImmutableSeaport.sol` executes the fufilment by transferring items between parties +4. `ImmutableSeaport.sol` calls `validateOrder` on `ImmutableSignedZoneV2.sol`, passing it the fulfilment execution details as well as the `extraData` parameter + 1. `ImmutableSignedZoneV2.sol` validates the fulfilment execution details using the `extraData` payload, reverting if expectations are not met + +### Immutable Signed Zone (v2) Design + +This section explains the security relevant aspects of the Immutable Signed Zone (v2) contract beyond the scope of the SIP-7 specification. + +#### Roles + +The Immutable Signed Zone (v2) supports the following roles: + +* Default Admin + * Creates and removes other administrators + * First admin is assigned to the `address owner` param on the `constructor` + * Call the following configuration functions: + * `addSigner` + * `removeSigner` + * `updateAPIEndpoint` + * `updateDocumentationURI` + +### Other Information + +This section provides links to test plans and test code. + +#### Test Plans and Test Code + +The test plan is available here: [Test Plan for Immutable Signed Zone (v2)](../../test/trading/seaport/zones/immutable-signed-zone/v2/README.md). The test code is contained in the same directory at the test plan. + +#### Continuous Integration + +Each time a commit is pushed to a pull request, the [continuous integration loop executes](https://github.com/immutable/contracts/actions). + +#### Building, Testing, Coverage and Static Code Analysis + +For instructions on building the code, running tests, coverage, and Slither, see the [BUILD.md](https://github.com/immutable/contracts/blob/main/BUILD.md). + ## Attack Surfaces +The following sections list attack surfaces evaluated as part of this threat modelling exercise. + +### Externally Visible Functions + +An attacker could formulate an attack in which they send one or more transactions that execute one or more of these functions. + +#### ImmutableSignedZoneV2 + +This section describes the externally visible functions available in ImmutableSignedZoneV2. The list of functions and their function selectors was determined by the following command. The additional information was obtained by reviewing the code. + +``` +forge inspect ImmutableSignedZoneV2 --pretty methods +``` + +Functions that *change* state: + +| Name | Function Selector | Access Control | +| -------------------------------- | ----------------- | --------------- | +| `addSigner(address)` | eb12d61e | `DEFAULT_ADMIN` | +| `grantRole(bytes32,address)` | 2f2ff15d | Role admin | +| `removeSigner(address)` | 0e316ab7 | `DEFAULT_ADMIN` | +| `renounceRole(bytes32,address)` | 36568abe | `msg.sender` | +| `revokeRole(bytes32,address)` | d547741f | Role admin | +| `updateAPIEndpoint(string)` | 297234d7 | `DEFAULT_ADMIN` | +| `updateDocumentationURI(string)` | 0a904f08 | `DEFAULT_ADMIN` | + +Functions that *do not change* state: + +| Name | Function Selector | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| `DEFAULT_ADMIN_ROLE()` | a217fddf | +| `getRoleAdmin(bytes32)` | 248a9ca3 | +| `getRoleMember(bytes32,uint256)` | 9010d07c | +| `getRoleMemberCount(bytes32)` | ca15c873 | +| `getSeaportMetadata()` | 2e778efc | +| `hasRole(bytes32,address)` | 91d14854 | +| `sip7Information()` | d600940e | +| `supportsInterface(bytes4)` | 01ffc9a7 | +| `validateOrder((bytes32,address,address,(uint8,address,uint256,uint256)[],(uint8,address,uint256,uint256,address)[],bytes,bytes32[],uint256,uint256,bytes32))` | 17b1f942 | + +### Admin Roles + +### Signers + ## Perceived Attackers +### TBD + ## Attack Mitigation +### TBD + ## Conclusion + + + + + + + + + + + From f91b03b0a2492ff09525a5de2c45df6583c62820 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 16 Apr 2024 11:34:11 +1000 Subject: [PATCH 2/8] Add section about upgrade attacks --- .../trading/202404-threat-model-immutable-signed-zone-v2.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index ee55a7fc..1321c79a 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -142,6 +142,10 @@ Functions that *do not change* state: ### Signers +### Upgrade and Storage Slots + +`ImmutableSignedZoneV2.sol` is not upgradeable, and hence not subject to an upgrade attack. + ## Perceived Attackers ### TBD From 5f613359c160d0e7eded44e25eb0e1cb288613bd Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 16 Apr 2024 11:49:02 +1000 Subject: [PATCH 3/8] Add note about substandards --- audits/trading/202404-threat-model-immutable-signed-zone-v2.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index 1321c79a..872def5e 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -35,6 +35,8 @@ Seaport: [Documentation](https://github.com/ProjectOpenSea/seaport/blob/20b84b94 SIP-7: [Documentation [TBD]](). +* Note: Immutable Signed Zone (v2) implements substandards 3, 4 and 6. + ## Architecture ### Top Level Architecture From 5072c4ba49aa47d44bf7e5d6483dee156aaf98e3 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 16 Apr 2024 14:43:12 +1000 Subject: [PATCH 4/8] Clarify SIP-7 implementation in design section --- .../trading/202404-threat-model-immutable-signed-zone-v2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index 872def5e..00df3f93 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -35,8 +35,6 @@ Seaport: [Documentation](https://github.com/ProjectOpenSea/seaport/blob/20b84b94 SIP-7: [Documentation [TBD]](). -* Note: Immutable Signed Zone (v2) implements substandards 3, 4 and 6. - ## Architecture ### Top Level Architecture @@ -67,6 +65,8 @@ The sequence of events is as follows: ### Immutable Signed Zone (v2) Design +Immutable Signed Zone (v2) is an implementation of the SIP-7 specification, supporting substandards 3, 4 and 6. + This section explains the security relevant aspects of the Immutable Signed Zone (v2) contract beyond the scope of the SIP-7 specification. #### Roles From 86b547326684f4b24cd621f8d5e6ce6e8acbb172 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Wed, 17 Apr 2024 22:06:58 +1000 Subject: [PATCH 5/8] Attack analysis --- ...4-threat-model-immutable-signed-zone-v2.md | 57 +++++++++++++++++-- 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index 00df3f93..a7e444c1 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -33,7 +33,7 @@ The threat model is limited to the following Solidity files at GitHash [TBD]: Seaport: [Documentation](https://github.com/ProjectOpenSea/seaport/blob/20b84b94755ab4fcdd88735d5f8f1f578e07924a/docs/SeaportDocumentation.md) for v1.6 but relevant for v1.5 which Immutable's Seaport fork is based on. -SIP-7: [Documentation [TBD]](). +SIP-7: [Documentation [TBD]](https://github.com/ProjectOpenSea/SIPs/blob/main/SIPS/sip-7.md). ## Architecture @@ -142,7 +142,27 @@ Functions that *do not change* state: ### Admin Roles -### Signers +Accounts with administrative privileges could be used by attackers to facilitate attacks. This section analyses what each role can do. + +#### Accounts with `DEFAULT_ADMIN` role on ImmutableSignedZoneV2 contract + +This role is granted to the `owner` specified in the `constructor` of the contract. Accounts with the `DEFAULT_ADMIN` account can: + +* Grant can grant administrator roles to any account, including the `DEFAULT_ADMIN` role +* Revoke `DEFAULT_ADMIN` role from any account +* Renounce the `DEFAULT_ADMIN` role for itself, possibly leading to no administrators and loss of control of the contract +* Update API endpoint and documentation URI (no impact to Immutable system as these values are not utilised) +* Add and remove SIP-7 signers, letting them control the result of order validation + +Exploiting this attack surface requires compromising an account with `DEFAULT_ADMIN` role. + +### SIP-7 Signers on the ImmutableSignedZoneV2 contract + +Accounts added as SIP-7 signers could be used by attackers to facilitate attacks. Accounts added as an SIP-7 signer can: + +* Control the result of order validation + +Exploiting this attack surface requires compromising an account added as an SIP-7 signer. ### Upgrade and Storage Slots @@ -150,21 +170,46 @@ Functions that *do not change* state: ## Perceived Attackers -### TBD +This section lists the attackers that could attack the trading system. -## Attack Mitigation +It is assumed that all attackers have access to all documentation and source code of all systems related to the Immutable zkEVM, irrespective of whether the information resides in a public or private GitHub repository, email, Slack, Confluence, or any other information system. -### TBD +### Spear Phisher -## Conclusion +This attacker compromises accounts of people by using Spear Phishing attacks. For example they send a malicious PDF file to a user, which the user opens, the PDF file then installs malware on the user's computer. At this point, it is assumed that the Spear Phisher Attacker can detect all key strokes, mouse clicks, see all information retrieved, see any file in the user's file system, and execute any program on the user's computer. +### Server Powner +This attacker is able to compromise any server computer, *Powerfully Owning* the computer. For instance, they can compromise an Immutable server responsible for signing SIP-7 data. They can read values from the computer's RAM and access key material for an SIP-7 signer. +### Immutable zkEVM Block Proposer +An operator of an Immutable zkEVM Block Proposer could, within narrow limits, alter the block timestamp of the block they produce. If this block included transactions related to this zone, it could allow an expired signature to evaluated as valid. +### Insider +This attacker works for a company helping operate the Immutable zkEVM. This attacker could be being bribed or blackmailed. They can access the keys that they as an individual employee have access to. For instance, they might be one of the signers of the multi-signer administrative role. +## Attack Mitigation + +This section outlines possible attacks against the attack surfaces by the attackers, and how those attacks are mitigated. + +### `DEFAULT_ADMIN` Role Account Compromise + +**Detection:** Monitoring role change events and SIP-7 signer events. + +The mitigation is to assume that the role will be operated by multi-signature addresses such that an attacker would need to compromise multiple signers simultaneously. As such, even if some keys are compromised due to the Spear Phishing Attacker or the Insider Attacker, the administrative actions will not be able to be executed as a threshold number of keys will not be available. +### SIP-7 Signer Account Compromise +**Detection:** Monitoring order fulfilment events against SIP-7 data signed by Immutable's systems. +The Spear Phisher or Server Powner Attackers can compromise Immutable's systems to extract SIP-7 signer key material. Due to the nature of the trading system requiring high frequency signing of SIP-7 data, signer key material is stored on the server. The mitigation to this is to rotate SIP-7 signers on a regular cadence. + +### `block.timestamp` Manipulation + +This attack performed by an operator of an Immutable zkEVM Block Proposer, could allow an attacker to alter the result of order validation, only where it concerns SIP-7 signature expiry within a narrow time range. This attack is unlikely to be meaningful for an attacker. + +## Conclusion +This threat model has presented the architecture of the system, determined attack surfaces, and identified possible attackers and their capabilities. It has walked through each attack surface and based on the attackers, determined how the attacks are mitigated. From 44ae6b2fec67c3c4c2ad35f3cf8d76d038ed24ed Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Mon, 22 Apr 2024 22:22:51 +1000 Subject: [PATCH 6/8] Add zone manager role management --- ...4-threat-model-immutable-signed-zone-v2.md | 44 +++++++++++++------ 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index a7e444c1..2ffd2862 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -116,21 +116,22 @@ forge inspect ImmutableSignedZoneV2 --pretty methods Functions that *change* state: -| Name | Function Selector | Access Control | -| -------------------------------- | ----------------- | --------------- | -| `addSigner(address)` | eb12d61e | `DEFAULT_ADMIN` | -| `grantRole(bytes32,address)` | 2f2ff15d | Role admin | -| `removeSigner(address)` | 0e316ab7 | `DEFAULT_ADMIN` | -| `renounceRole(bytes32,address)` | 36568abe | `msg.sender` | -| `revokeRole(bytes32,address)` | d547741f | Role admin | -| `updateAPIEndpoint(string)` | 297234d7 | `DEFAULT_ADMIN` | -| `updateDocumentationURI(string)` | 0a904f08 | `DEFAULT_ADMIN` | +| Name | Function Selector | Access Control | +| -------------------------------- | ----------------- | ------------------- | +| `addSigner(address)` | eb12d61e | `ZONE_MANAGER_ROLE` | +| `grantRole(bytes32,address)` | 2f2ff15d | Role admin | +| `removeSigner(address)` | 0e316ab7 | `ZONE_MANAGER_ROLE` | +| `renounceRole(bytes32,address)` | 36568abe | `msg.sender` | +| `revokeRole(bytes32,address)` | d547741f | Role admin | +| `updateAPIEndpoint(string)` | 297234d7 | `ZONE_MANAGER_ROLE` | +| `updateDocumentationURI(string)` | 0a904f08 | `ZONE_MANAGER_ROLE` | Functions that *do not change* state: | Name | Function Selector | | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | | `DEFAULT_ADMIN_ROLE()` | a217fddf | +| `ZONE_MANAGER_ROLE()` | c6e95ae7 | | `getRoleAdmin(bytes32)` | 248a9ca3 | | `getRoleMember(bytes32,uint256)` | 9010d07c | | `getRoleMemberCount(bytes32)` | ca15c873 | @@ -148,13 +149,22 @@ Accounts with administrative privileges could be used by attackers to facilitate This role is granted to the `owner` specified in the `constructor` of the contract. Accounts with the `DEFAULT_ADMIN` account can: -* Grant can grant administrator roles to any account, including the `DEFAULT_ADMIN` role -* Revoke `DEFAULT_ADMIN` role from any account -* Renounce the `DEFAULT_ADMIN` role for itself, possibly leading to no administrators and loss of control of the contract +* Grant administrator roles to any account, including the `DEFAULT_ADMIN` role +* Revoke administrator roles from any account, including the `DEFAULT_ADMIN` role + * The `DEFAULT_ADMIN` role cannot be revoked from an account if it the only account with the `DEFAULT_ADMIN` role +* Renounce the `DEFAULT_ADMIN` role for itself, unless it is the only account with the `DEFAULT_ADMIN` role + +Exploiting this attack surface requires compromising an account with `DEFAULT_ADMIN` role. + +#### Accounts with `ZONE_MANAGER` role on ImmutableSignedZoneV2 contract + +An account with `ZONE_MANAGER` role can: + * Update API endpoint and documentation URI (no impact to Immutable system as these values are not utilised) * Add and remove SIP-7 signers, letting them control the result of order validation +* Renounce the `ZONE_MANAGER` role for itself -Exploiting this attack surface requires compromising an account with `DEFAULT_ADMIN` role. +Exploiting this attack surface requires compromising an account with `ZONE_MANAGER` role. ### SIP-7 Signers on the ImmutableSignedZoneV2 contract @@ -196,7 +206,13 @@ This section outlines possible attacks against the attack surfaces by the attack ### `DEFAULT_ADMIN` Role Account Compromise -**Detection:** Monitoring role change events and SIP-7 signer events. +**Detection:** Monitoring role change events. + +The mitigation is to assume that the role will be operated by multi-signature addresses such that an attacker would need to compromise multiple signers simultaneously. As such, even if some keys are compromised due to the Spear Phishing Attacker or the Insider Attacker, the administrative actions will not be able to be executed as a threshold number of keys will not be available. + +### `ZONE_MANAGER` Role Account Compromise + +**Detection:** Monitoring SIP-7 signer events. The mitigation is to assume that the role will be operated by multi-signature addresses such that an attacker would need to compromise multiple signers simultaneously. As such, even if some keys are compromised due to the Spear Phishing Attacker or the Insider Attacker, the administrative actions will not be able to be executed as a threshold number of keys will not be available. From 5f09bc8aef0fa897a6d6e01705f394d4ec4d4fd6 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 23 Apr 2024 10:13:59 +1000 Subject: [PATCH 7/8] Add final links --- ...4-threat-model-immutable-signed-zone-v2.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index 2ffd2862..d7831bd5 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -11,7 +11,7 @@ Immutable operates a global off-chain orderbook across Immutable zkEVM chains an * Centralise liquidity * Enforce payment of fees (protocol, royalty, marketplace) -The [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable-signed-zone/v2/README.md) is an implementation of [SIP-7: Server-Signed Orders [TBD]](). The reasons Immutable has chosen this solution is: +The [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable-signed-zone/v2/README.md) is an implementation of [SIP-7: Server-Signed Orders](https://github.com/ProjectOpenSea/SIPs/blob/main/SIPS/sip-7.md). The reasons Immutable has chosen this solution is: * It requires orders to be known by the orderbook prior to fulfilment * It allows the orderbook to refuse fulfilment of an order at its discretion (e.g. for gasless cancellations, or compromised collections) @@ -19,21 +19,23 @@ The [Immutable Signed Zone (v2)](../../contracts/trading/seaport/zones/immutable ## Threat Model Scope -The threat model is limited to the following Solidity files at GitHash [TBD]: +The threat model is limited to the following Solidity files at GitHash [`f6dffe08db1ff2daead3abe0c22b44d792ce5e59`](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2): -* [ImmutableSignedZoneV2.sol [TBD]]() -* [SIP5EventsAndErrors.sol [TBD]]() -* [SIP5Interface [TBD]]() -* [SIP6EventsAndErrors [TBD]]() -* [SIP6Interface [TBD]]() -* [SIP7EventsAndErrors [TBD]]() -* [SIP7Interface [TBD]]() +* [ImmutableSignedZoneV2.sol](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/ImmutableSignedZoneV2.sol) +* [ZoneAccessControl.sol](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/ZoneAccessControl.sol) +* [ZoneAccessControlEventsAndErrors.sol](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/ZoneAccessControlEventsAndErrors.sol) +* [SIP5EventsAndErrors.sol](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP5EventsAndErrors.sol) +* [SIP5Interface](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP5Interface.sol) +* [SIP6EventsAndErrors](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP6EventsAndErrors.sol) +* [SIP6Interface](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP6Interface.sol) +* [SIP7EventsAndErrors](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP7EventsAndErrors.sol) +* [SIP7Interface](https://github.com/immutable/contracts/blob/f6dffe08db1ff2daead3abe0c22b44d792ce5e59/contracts/trading/seaport/zones/immutable-signed-zone/v2/interfaces/SIP7Interface.sol) ## Background Seaport: [Documentation](https://github.com/ProjectOpenSea/seaport/blob/20b84b94755ab4fcdd88735d5f8f1f578e07924a/docs/SeaportDocumentation.md) for v1.6 but relevant for v1.5 which Immutable's Seaport fork is based on. -SIP-7: [Documentation [TBD]](https://github.com/ProjectOpenSea/SIPs/blob/main/SIPS/sip-7.md). +SIP-7: [Documentation](https://github.com/ProjectOpenSea/SIPs/blob/main/SIPS/sip-7.md). ## Architecture From fa904f667d15799d1b42cd688951e398fae40f81 Mon Sep 17 00:00:00 2001 From: Leslie Fung Date: Tue, 23 Apr 2024 10:18:59 +1000 Subject: [PATCH 8/8] Roles update --- audits/trading/202404-threat-model-immutable-signed-zone-v2.md | 1 + 1 file changed, 1 insertion(+) diff --git a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md index d7831bd5..9bc38bf0 100644 --- a/audits/trading/202404-threat-model-immutable-signed-zone-v2.md +++ b/audits/trading/202404-threat-model-immutable-signed-zone-v2.md @@ -78,6 +78,7 @@ The Immutable Signed Zone (v2) supports the following roles: * Default Admin * Creates and removes other administrators * First admin is assigned to the `address owner` param on the `constructor` +* Zone Manager * Call the following configuration functions: * `addSigner` * `removeSigner`