diff --git a/.github/workflows/ci-verifiable-build.yml b/.github/workflows/ci-verifiable-build.yml
new file mode 100644
index 0000000..d6a51e6
--- /dev/null
+++ b/.github/workflows/ci-verifiable-build.yml
@@ -0,0 +1,50 @@
+name: Verifiable Build
+on:
+ push:
+ tags:
+ - 'executor-v*'
+
+env:
+ APP_NAME: autobahn_executor
+
+jobs:
+ build:
+ name: Build Verifiable Artifact
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ submodules: 'recursive'
+
+ - name: Setup Anchor
+ run: |
+ cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
+
+ - name: Verifiable Build
+ run: |
+ anchor build --verifiable --docker-image backpackapp/build:v0.28.0 --solana-version 1.17.34 --env GITHUB_SHA --env GITHUB_REF_NAME
+
+ - name: Generate Checksum
+ run: |
+ echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+
+ - name: Generate SBOM
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'cyclonedx'
+ output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+ - name: Create Release
+ id: create_release
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ github.ref_name }}
+ name: ${{ github.ref_name }}
+ body: |
+ sha256 checksum: ${{ env.CHECKSUM }}
+ github commit: ${{ github.sha }}
+ files: |
+ ./target/verifiable/${{ env.APP_NAME }}.so
+ ./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
\ No newline at end of file
diff --git a/Anchor.toml b/Anchor.toml
new file mode 100644
index 0000000..98cf500
--- /dev/null
+++ b/Anchor.toml
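Review bot: The Generate SBOM step runs `aquasecurity/trivy-action@master`, a mutable branch ref, inside the job that produces the release artifact whose sha256 is published in the release body, so whatever that branch points at on release day executes against the checkout; pin it to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # vX.Y.Z`, and do the same for `actions/checkout@v3` and `softprops/action-gh-release@v1`, whose tags can be moved (the anchor-cli install is already rev-pinned, which is the right model). The `--env GITHUB_SHA --env GITHUB_REF_NAME` flags on the Verifiable Build step appear to be what lets the `default_env!` calls in lib.rs fill `source_revision`/`source_release`, so a comment on that step such as `# forwarded into the build container; read by default_env! in lib.rs for security.txt (unset => empty field)` would keep them from being dropped as unused. Since `scan-type: 'fs'` scans the checked-out source tree rather than the built `.so`, naming the step or commenting it as a source-level SBOM would avoid consumers reading it as an artifact-level one.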
@@ -0,0 +1,20 @@ +[toolchain] +anchor_version = "0.28.0" +solana_version = "1.17.34" + +[features] +resolution = true +skip-lint = false + +[programs.mainnet] +autobahn_executor = "AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE" + +[registry] +url = "https://api.apr.dev" + +[provider] +cluster = "Mainnet" +wallet = "~/.config/solana/id.json" + +[workspace] +members = ["programs/autobahn-executor"] \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index f188675..2c1370a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -681,13 +681,15 @@ dependencies = [ [[package]] name = "autobahn-executor" -version = "0.1.0" +version = "1.0.0" dependencies = [ "bonfida-test-utils", "bytemuck", + "default-env", "solana-program", "solana-program-test", "solana-sdk", + "solana-security-txt", "spl-token 3.5.0", "test-case", "tokio", @@ -6153,8 +6155,8 @@ dependencies = [ "sanctum-token-ratio", "solana-program", "solana-readonly-account", - "spl-associated-token-account 1.1.3", - "spl-token 3.5.0", + "spl-associated-token-account 2.3.0", + "spl-token 4.0.0", "spl-token-metadata-interface", "static_assertions", ] @@ -6267,7 +6269,7 @@ source = "git+https://github.com/igneous-labs/sanctum-solana-utils.git?rev=2d171 dependencies = [ "solana-program", "solana-readonly-account", - "spl-associated-token-account 1.1.3", + "spl-associated-token-account 2.3.0", ] [[package]] @@ -6320,7 +6322,7 @@ source = "git+https://github.com/igneous-labs/sanctum-solana-utils.git?rev=2d171 dependencies = [ "solana-program", "solana-readonly-account", - "spl-token-2022 0.6.1", + "spl-token-2022 1.0.0", ] [[package]] diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..5ce393a --- /dev/null +++ b/SECURITY.md 
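Review bot: The `[toolchain]` values `anchor_version = "0.28.0"` and `solana_version = "1.17.34"` duplicate the `--docker-image backpackapp/build:v0.28.0 --solana-version 1.17.34` arguments hard-coded in ci-verifiable-build.yml, and nothing ties the two together, so bumping one without the other may yield a local build that no longer reproduces the published checksum. A comment above the table, `# keep in sync with --docker-image/--solana-version in .github/workflows/ci-verifiable-build.yml`, makes the coupling visible to whoever next upgrades the toolchain. The file header for this hunk is on the previous line.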
@@ -0,0 +1,31 @@ +# Important Notice +Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to security@mango.markets with a detailed description of the attack vector and security risk you have identified. + +# Bug Bounty Overview +Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted. + +|Severity|Description|Bug Bounty| +|-----------|--------------|-------------| +|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000| +|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis| +|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis| + +The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/). +Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis. + +## Submission +Please email security@mango.markets with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty. + +## Bug Bounty Payment +Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far. + +## Invalid Bug Bounties +The following are out of scope for the bug bounty: +1. Attacks that the reporter has already exploited themselves, leading to damage. +2. Attacks requiring access to leaked keys/credentials. +3. Attacks requiring access to privileged addresses (governance, admin). +4. 
Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks). +5. Lack of liquidity. +6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts). +7. Best practice critiques. +8. Sybil attacks. \ No newline at end of file diff --git a/bin/cli/Cargo.toml b/bin/cli/Cargo.toml index 67df022..629a431 100644 --- a/bin/cli/Cargo.toml +++ b/bin/cli/Cargo.toml @@ -13,7 +13,7 @@ tokio = { workspace = true } anyhow = { workspace = true } solana-sdk = { workspace = true } solana-client = { workspace = true } -autobahn-executor = { path = "../../programs/autobahn-executor", version = "0.1.0" } +autobahn-executor = { path = "../../programs/autobahn-executor" } router-lib = { path = "../../lib/router-lib/", version = "0.0.1" } router-config-lib = { path = "../../lib/router-config-lib/", version = "0.0.1" } serde = "1.0" diff --git a/programs/autobahn-executor/Cargo.toml b/programs/autobahn-executor/Cargo.toml index f8276fd..9eac676 100644 --- a/programs/autobahn-executor/Cargo.toml +++ b/programs/autobahn-executor/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "autobahn-executor" -version = "0.1.0" +version = "1.0.0" edition = "2021" [features] @@ -11,6 +11,8 @@ test-bpf = ["no-entrypoint"] solana-program = "1.17" spl-token = { version = "3.5.0", features = ["no-entrypoint"] } bytemuck = "1.16.1" +solana-security-txt = "1.1.1" +default-env = "0.1.1" [lib] name = "autobahn_executor" diff --git a/programs/autobahn-executor/src/lib.rs b/programs/autobahn-executor/src/lib.rs index 50e14c4..50dd562 100644 --- a/programs/autobahn-executor/src/lib.rs +++ b/programs/autobahn-executor/src/lib.rs 
@@ -13,14 +13,26 @@ use solana_program::program_error::ProgramError; use solana_program::program_pack::Pack; use solana_program::{account_info::AccountInfo, pubkey::Pubkey}; -#[cfg(not(feature = "no-entrypoint"))] -use solana_program::entrypoint; -declare_id!("AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE"); +#[cfg(not(feature = "no-entrypoint"))] +use {default_env::default_env, solana_program::entrypoint, solana_security_txt::security_txt}; + +#[cfg(not(feature = "no-entrypoint"))] +security_txt! { + name: "Autobahn Executor", + project_url: "https://autobahn.ag", + contacts: "email:security@mango.markets", + policy: "https://github.com/blockworks-foundation/autobahn/blob/master/SECURITY.md", + source_code: "https://github.com/blockworks-foundation/autobahn", + source_revision: default_env!("GITHUB_SHA", ""), + source_release: default_env!("GITHUB_REF_NAME", "") +} #[cfg(not(feature = "no-entrypoint"))] entrypoint!(process_instruction); +declare_id!("AutobNFLMzX1rFCDgwWpwr3ztG5c1oDbSrGq7Jj2LgE"); + #[repr(u8)] pub enum Instructions { ExecuteSwapV3 = 1,