Release executor 1.0.0 (#11)

* add security txt and policy
* set version number for autobahn executor
* add github workflow

.github/workflows/ci-verifiable-build.yml

@@ -0,0 +1,50 @@
+name: Verifiable Build
+on:
+  push:
+    tags:
+      - 'executor-v*'
+
+env:
+  APP_NAME: autobahn_executor
+
+jobs:
+  build:
+    name: Build Verifiable Artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - name: Setup Anchor
+        run: |
+          cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
+
+      - name: Verifiable Build
+        run: |
+          anchor build --verifiable --docker-image backpackapp/build:v0.28.0 --solana-version 1.17.34 --env GITHUB_SHA --env GITHUB_REF_NAME
+
+      - name: Generate Checksum
+        run: |
+          echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+
+      - name: Generate SBOM
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'cyclonedx'
+          output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+      - name: Create Release
+        id: create_release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: ${{ github.ref_name }}
+          body: |
+            sha256 checksum: ${{ env.CHECKSUM }}
+            github commit: ${{ github.sha }}
+          files: |
+            ./target/verifiable/${{ env.APP_NAME }}.so
+            ./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json

Anchor.toml

@@ -0,0 +1,20 @@
+[toolchain]
+anchor_version = "0.28.0"
+solana_version = "1.17.34"
+
+[features]
+resolution = true
+skip-lint = false
+
+[programs.mainnet]
+autobahn_executor = "AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE"
+
+[registry]
+url = "https://api.apr.dev"
+
+[provider]
+cluster = "Mainnet"
+wallet = "~/.config/solana/id.json"
+
+[workspace]
+members = ["programs/autobahn-executor"]

Cargo.lock

@@ -681,13 +681,15 @@ dependencies = [
 
 [[package]]
 name = "autobahn-executor"
-version = "0.1.0"
+version = "1.0.0"
 dependencies = [
  "bonfida-test-utils",
  "bytemuck",
+ "default-env",
  "solana-program",
  "solana-program-test",
  "solana-sdk",
+ "solana-security-txt",
  "spl-token 3.5.0",
  "test-case",
  "tokio",
@@ -6153,8 +6155,8 @@ dependencies = [
  "sanctum-token-ratio",
  "solana-program",
  "solana-readonly-account",
- "spl-associated-token-account 1.1.3",
- "spl-token 3.5.0",
+ "spl-associated-token-account 2.3.0",
+ "spl-token 4.0.0",
  "spl-token-metadata-interface",
  "static_assertions",
 ]
@@ -6267,7 +6269,7 @@ source = "git+https://github.com/igneous-labs/sanctum-solana-utils.git?rev=2d171
 dependencies = [
  "solana-program",
  "solana-readonly-account",
- "spl-associated-token-account 1.1.3",
+ "spl-associated-token-account 2.3.0",
 ]
 
 [[package]]
@@ -6320,7 +6322,7 @@ source = "git+https://github.com/igneous-labs/sanctum-solana-utils.git?rev=2d171
 dependencies = [
  "solana-program",
  "solana-readonly-account",
- "spl-token-2022 0.6.1",
+ "spl-token-2022 1.0.0",
 ]
 
 [[package]]

SECURITY.md

@@ -0,0 +1,31 @@
+# Important Notice
+Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to security@mango.markets with a detailed description of the attack vector and security risk you have identified.
+
+# Bug Bounty Overview
+Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.
+
+|Severity|Description|Bug Bounty|
+|-----------|--------------|-------------|
+|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
+|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
+|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|
+
+The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/). 
+Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
+
+## Submission
+Please email security@mango.markets with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
+
+## Bug Bounty Payment
+Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.
+
+## Invalid Bug Bounties
+The following are out of scope for the bug bounty:
+1. Attacks that the reporter has already exploited themselves, leading to damage.
+2. Attacks requiring access to leaked keys/credentials.
+3. Attacks requiring access to privileged addresses (governance, admin).
+4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
+5. Lack of liquidity.
+6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
+7. Best practice critiques.
+8. Sybil attacks.

bin/cli/Cargo.toml

@@ -13,7 +13,7 @@ tokio = { workspace = true }
 anyhow = { workspace = true }
 solana-sdk = { workspace = true }
 solana-client = { workspace = true }
-autobahn-executor = { path = "../../programs/autobahn-executor", version = "0.1.0" }
+autobahn-executor = { path = "../../programs/autobahn-executor" }
 router-lib = { path = "../../lib/router-lib/", version = "0.0.1" }
 router-config-lib = { path = "../../lib/router-config-lib/", version = "0.0.1" }
 serde = "1.0"

programs/autobahn-executor/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "autobahn-executor"
-version = "0.1.0"
+version = "1.0.0"
 edition = "2021"
 
 [features]
@@ -11,6 +11,8 @@ test-bpf = ["no-entrypoint"]
 solana-program = "1.17"
 spl-token = { version = "3.5.0", features = ["no-entrypoint"] }
 bytemuck = "1.16.1"
+solana-security-txt = "1.1.1"
+default-env = "0.1.1"
 
 [lib]
 name = "autobahn_executor"

programs/autobahn-executor/src/lib.rs

@@ -13,14 +13,26 @@ use solana_program::program_error::ProgramError;
 use solana_program::program_pack::Pack;
 use solana_program::{account_info::AccountInfo, pubkey::Pubkey};
 
-#[cfg(not(feature = "no-entrypoint"))]
-use solana_program::entrypoint;
 
-declare_id!("AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE");
+#[cfg(not(feature = "no-entrypoint"))]
+use {default_env::default_env, solana_program::entrypoint, solana_security_txt::security_txt};
+
+#[cfg(not(feature = "no-entrypoint"))]
+security_txt! {
+    name: "Autobahn Executor",
+    project_url: "https://autobahn.ag",
+    contacts: "email:security@mango.markets",
+    policy: "https://github.com/blockworks-foundation/autobahn/blob/master/SECURITY.md",
+    source_code: "https://github.com/blockworks-foundation/autobahn",
+    source_revision: default_env!("GITHUB_SHA", ""),
+    source_release: default_env!("GITHUB_REF_NAME", "")
+}
 
 #[cfg(not(feature = "no-entrypoint"))]
 entrypoint!(process_instruction);
 
+declare_id!("AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE");
+
 #[repr(u8)]
 pub enum Instructions {
     ExecuteSwapV3 = 1,