API tools faq
paste
Guest User

Opensea <> Spearbit Call

a guest
Aug 11th, 2022
444
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.56 KB | None | 0 0
raw download clone embed print report
  1. **Speakers**
  2.  
  3. - z0age
  4. - Seaport Core Dev
  5. - Alex Beregszaszi
  6. - Solidity Co-Lead
  7. - Spearbit Founder
  8. - Hari
  9. - Solidity Compiler
  10. - Spearbit Founder
  11. - Math background
  12. - Gerard Persoon
  13. - Security Researcher for Spearbit and C4
  14. - Sawmon and Natalie
  15. - Has been looking at z0age’s work and is into low level code
  16.  
  17.  
  18. **Main Questions**
  19.  
  20. - Q: How did Opensea go about launching Seaport and how did they approach security?
  21. - Work on Seaport started earlier this year
  22. - Spent months on architecting
  23. - Wrote a full suite of Hardhat and Foundry tests
  24. - Got multiple auditors (OZ + TOB)
  25. - “Nothing quite gives you the confidence that something is production ready like wide spread review from experts”
  26. - Q: How did the Spearbit team come along?
  27. - Saw the announcement and realized it was challenging their knowledge of the EVM and solidity
  28. - Once they started looking at it, it was even more complex than they expected.
  29. - Q: Going into the contest, where there risks you were already aware of / anticipating?
  30. - Assembly code is really something you only reach for when you need it.
  31. - Opensea’s prior contract (Wyvern) was at the top of gas guzzlers and was designed in the era when gas prices were not as much of a concern.
  32. - Q: What were some of the surprises that came from the review?
  33. - Many of the core optimizations and key findings for Seaport didn’t actually involve the assembly code.
  34. - The fact that this had a lot of assembly actually got more eyes on the code than they expected.
  35. - Q: Spearbit Team & Sawmon - what were some of the surprises when reviewing Seaport?
  36. - **Gerard**
  37. - Found something strange in the basic order for filling transactions that was almost a bug but a small piece of solidity prevented the finding from elevating.
  38. - **z0age**
  39. - Gerard is impressive when it comes to branchless logic.
  40. - On the note of constants:
  41. - On one hand, if you are really fluent (e.g. you know exactly what the offsets for the compiler constructs are going to be, you know how abi encoding works for how you will assemble those structs into inline, etc.) then assembling those constants inline makes sense. We made the decision to blow away constants and replace them with named constants.
  42. - This has been very helpful for people who don’t have that knowledge to be able to review the code. This is one of many controversial aspects of the seaport code base.
  43. - **Alex**
  44. - The cleanup of enums can occur at the end of a solidity function. In this particular case we had assembly blocks and then there was a call to somewhere else. The call would trigger the enum cleanup and validation. This particular case directed us to looking at similar cases to look for areas where this cleanup was or wasn’t happen.
  45. - There are a bunch of functions that do memory transfers. One of these is the ERC-1155 batch transfer. Some of these functions store the value and re-store it, so you are able to use it multiple times. It is not something you want to use multiple times, it can only be used once and then you terminate.
  46. - Q: Where did you even start when taking a first look at this codebase and putting together an approach given the finite timelines and complexity?
  47. - **Sawmon**
  48. - First thing I did was skimmed through the whole codebase.
  49. - Second I created a diagram of the different classes and contracts to create an inheritance tree.
  50. - Then I started bottom up (from the very last grandchildren) and worked my way up to the very top.
  51. - For each contract you have to go through each function, the assembly just makes it take a little bit longer.
  52. - Once you have a good understanding of each contract on their own, then you have to draw a bigger picture of how things interact with each other.
  53. - One thing I found interesting about Seaport is that if you look at the code there’s basically 3 storage slots that are private (1 for re-entrancy guard, 1 for counters/nonce, 1 keeping tab of order hash validity). The code is very memory intensive.
  54. - **z0age**: This is one of the areas where assembly really shines. A lot of work has gone into keeping the solidity compiler memory-safe, but this creates inefficiencies.
  55. - One of the primary places you would reach for assembly is in memory management.
  56. - It does make code re-use way more dangerous.
  57. - Reach out to OS if you are thinking of using portions of the Seaport code base.
  58. - **Alex**
  59. - One reason you want to optimize memory is because solidity functions wouldn’t necessarily free memory at all so you can end up with larger memory use than you expect.
  60. - Wasn’t sure about the memory savings this code has gotten.
  61. - The code uses two more tricks that I think are even more significant
  62. - In one part that operates with external data, it ensures that when that data is passed down that it is marked as call data.
  63. - Solidity expects a generalized decoder and Opensea has strict structuring requirements.
  64. - Discuss some of the findings
  65. - Can view findings in the Seaport Repo under “seaport test findings”
  66. - Partial Fulfillment
  67. - With Seaport you can specify on the order type that you are able to take a partial fulfillment on an order type. It scales everything down on a fraction.
  68. - You get into trouble when you set very large numerators and denominators.
  69. - In the unchecked block you could overflow the partial fill fraction and then re-fill an order. You could spend more than you were asked to. You could also construct malicious fractions that essentially block an order from being filled.
  70. - We solved this by computing the greatest common denominator using a Euclidian algorithm.
  71. - Criteria resolvers
  72. - In Seaport you can specify there is a criteria that needs to be satisfied.
  73. - You can insert a token ID into a merkle root, in Seaport we pushed this too far (treating the token ID as the leaf).
  74. - This caused some issues:
  75. - You can resolve intermediate nodes in that tree as though they were token IDs (including the very roots).
  76. - **Alex:** Same logic has been used in many other projects that I’ve seen.
  77. - How did you convince Opensea and how do you think about security spend?
  78. - **z0age**: You can come at security spend from “ok it’s going to cost X, it could be spent on something else, but instead it’s going into this.” It’s a cost benefit analysis.
  79. - On the flipside, what are the odds that something really terrible is going to happen and what are the costs there?
  80. - For Seaport, even if the chance for something going wrong was really small, the damage would be massive.
  81.  
  82. **Q&A**
  83.  
  84. - **Alex to z0age**: Is there anything you would have done differently on the code or security process that Seaport has taken?
  85. - **z0age**: In terms of the code base, we’re putting finishing touches on a library of verification of orders. Seaport is pretty low level in that it is expressive and there are many ways to ‘footgun’ yourself. For validating those orders, because it is so code and gas optimized there is an expectation that whoever is receiving those orders the code is going to be validating on top to make sure there are no issues.
  86. - Some of those orders that are malicious we should have caught earlier on.
  87. - **Ikhlas to z0age:**
  88. - What's the future of Seaport in terms of security and is there any plan to list bug bounties?
  89. - **z0age**: Seaport immediately became a community owned and led project. Continuing to improve formal verification, test suite and invariants. For now the focus is on deploying Seaport across every EVM compatible chain. I imagine as we move forward in the coming months that we’ll start to see new developments (e.g. Seaport 1.2 or 2.0).
  90. - In terms of Immunifi - there’s always more you can be doing, that being said, Opensea has a Hacker One setup with Seaport in scope (up to $3m for a crit).
  91. - **Rowin to auditors:**
  92. - What is the approach you do with the complex contracts?
  93. - **Gerard**: Get an overview of the code and make a drawing to see how contracts relate. Start at the top of the code to read and understand it. Everything I don’t understand I keep diving deeper until you finally understand the whole codebase. With Opensea there was not enough time to understand it completely so it was nice to work as a team to focus on different areas so you can select pieces of code to dive into.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!