Merging Security Audit Fixes into main#104
Draft
ashishchandr70 wants to merge 22 commits intomainfrom
Draft
Conversation
* Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) --------- Co-authored-by: ashishchandr70 <41921015+ashishchandr70@users.noreply.github.com> Co-authored-by: Ashish Chandra <ashish@saga.xyz>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#172 (#88) Co-authored-by: Ashish Chandra <ashish@saga.xyz> * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#174 (#89) Co-authored-by: Ashish Chandra <ashish@saga.xyz> --------- Co-authored-by: ashishchandr70 <41921015+ashishchandr70@users.noreply.github.com> Co-authored-by: Ashish Chandra <ashish@saga.xyz>
* Fix sherlock-audit/2025-11-saga-ssc-nov-14th#187 * Re-ran protocgen.sh to regenerate proto code --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz>
* Fix sherlock-audit/2025-11-saga-ssc-nov-14th#190 * Removed test for a single change. --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz>
ashishchandr70
requested review from
2opremio,
emanuelconunaemme,
facundomedica,
luckychess,
lukitsbrian and
rkollar
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#196 * Updates based on Roman's comment --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
…History and GetKprValidatorPayoutHistory (#110) * Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#186 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#189 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
…ck version (#108) * Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#192 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
…vent emission (#106) * Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#193 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * fix(escrow): reset shares when pool is fully drained Clear all funders and reset shares to zero when billing drains a pool's balance to zero. Also add defensive check in deposit to handle invalid pool states. Fixes sherlock-audit/2025-11-saga-ssc-nov-14th#181 * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#176 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
…ack (#111) * Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * Fix sherlock-audit/2025-11-saga-ssc-nov-14th#184 * Addressing Roman's change request. * Fixed Roman's concern around using AdddVersion * Updated code comment --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
* Release 1.0: Upgrade Handler and Module Improvements (#82) * Upgrade to 1.0 and fix gosec issues * Added acltypes.StoreKey to registered upgrade handlers * Added more store upgrades * Added remaining custom stores to storeUpgrades * Removing ccvprovider types store key * Changed genesis module init order * use non-consumer modules * WIP for handling the InitGenesis related error * manually initialize provider module (#81) * Renamed upgrade to match go proposal passed in staging * Renamed upgrade back to 1.0 --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> * update params to match spc params (#84) * fix: capture setup fee in escrow deposit calculation (#92) The setup fee in LaunchChainlet() was added to deposit without capturing the returned coin, so the escrow account was funded with only the epoch deposit. This fix assigns the result of deposit.Add(setupfee) back to deposit before calling NewChainletAccount. * Use platform validator set for epoch reward distribution (#93) * use platform validator set for chainlet token distributions * Add fallback to staking validators when no platform validators configured - If PlatformValidators param is empty, fall back to GetValidators() - Add guard against division by zero if no validators exist - Fixes potential panic when PlatformValidators is not set * Fix lint errors in billing module * Fix params test: use nil instead of empty slice for PlatformValidators default * fix(escrow): use QuoTruncate for withdrawal to prevent over-withdrawal (#94) * fix: complete genesis export/import for all modules (#95) * fix: complete genesis export/import for all modules Multiple custom modules only serialized params in ExportGenesis, leaving their keeper KV state out of every exported genesis. This caused data loss during export/import upgrades, state sync bootstraps, or genesis restarts. Changes: - x/chainlet: Export/import chainlets, chainlet stacks, and chainlet count - x/escrow: Export/import chainlet accounts, denomination pools, and funders - x/billing: Export/import billing history and validator payout history - x/peers: Export/import peer data and chain counters For each module: - Extended genesis protobuf to include full KV store contents - Updated ExportGenesis to iterate store prefixes and serialize data - Updated InitGenesis to rehydrate from serialized data - Added validation for duplicate entries - Updated tests to cover new fields and validation * x/peers: input validation * x/chainlet: add IBC tests * fix(escrow): reset shares when pool is fully drained (#113) Clear all funders and reset shares to zero when billing drains a pool's balance to zero. Also add defensive check in deposit to handle invalid pool states. Fixes sherlock-audit/2025-11-saga-ssc-nov-14th#181 * x/chainlet: non-CCV chainlet upgradeable by Saga * x/chainlet: add upgrade restrictions and unit tests * x/chainlet: make upgrade access check more readable * x/chainlet: fix service chainlet not added as a consumer * Missing commits from main. Updated failing mock test * Update saga-sdk (#117) Fixes x/peers access control in the ante handler. --------- Co-authored-by: Ashish Chandra <ashish@saga.xyz> Co-authored-by: Brian Luk <brian6.dev@gmail.com> Co-authored-by: Brian <45702419+lukitsbrian@users.noreply.github.com> Co-authored-by: Roman Kollár <10644651+rkollar@users.noreply.github.com>
Co-authored-by: Ashish Chandra <ashish@saga.xyz>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR merges high priority fixes applied to security audit branch
release/1.0tomain.