Skip to content

Bugfix/audit report missing fixes #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 27, 2025
Merged

Bugfix/audit report missing fixes #240

merged 3 commits into from
Oct 27, 2025

Conversation

@dev-jodee
Copy link
Contributor

@dev-jodee dev-jodee commented Oct 27, 2025
edited by github-actions bot
Loading

Important

Update dependencies, improve error handling, enhance validation logic, and refine transaction and token handling across modules.

  • Dependencies:
    • Update Cargo.lock to remove unused dependencies and add new ones like bitvec, bytecheck, rust_decimal, etc.
    • Remove jup-ag from Cargo.toml and crates/lib/Cargo.toml.
  • Error Handling:
    • Remove ThreadSafetyError from KoraError in error.rs.
    • Improve error messages in account_validator.rs for executable flag mismatches.
  • Validation:
    • Add Default derive to several policy structs in config.rs.
    • Update CacheValidator to handle Redis connection errors more gracefully.
    • Enhance ConfigValidator to include warnings for insecure configurations.
  • Transaction and Token Handling:
    • Change fee calculation in fee.rs to return u64 instead of f64.
    • Use Decimal for price calculations in token.rs and oracle.rs.
    • Refactor verify_token_payment in token.rs to improve logic.
  • Testing:
    • Update integration tests in integration.test.ts to remove redundant checks.
    • Add new test cases in jupiter_integration.rs for price validation.
    • Modify test configurations in tests/Cargo.toml to include new dependencies.

This description was created by Ellipsis for 102945a. You can customize this summary. It will automatically update as commits are pushed.

📊 Unit Test Coverage

Coverage

Unit Test Coverage: 80.3%

View Detailed Coverage Report

@dev-jodee
bugfix: Post audit report fixes
bba4bcb 
- Removed outdated dependencies such as `jup-ag` and updated versions for several packages in `Cargo.lock`.
- Enhanced `ConfigValidator` to include warnings for security risks related to token extensions and authentication configurations.
- Updated fee payer policies to default to more secure settings, ensuring better protection against unauthorized transfers.
- Refactored several structs to implement `Default` for improved initialization.
- Adjusted transaction fee response types for consistency and accuracy in handling fees.
- Use of fixed point decimals for price manipulation
- Constant equal for API KEY comparaison
@dev-jodee
Remove get all signers function for added safety
27e98d0
@dev-jodee
test fixes
102945a
@dev-jodee dev-jodee requested a review from amilz October 27, 2025 20:48
@github-actions
Copy link

github-actions bot commented Oct 27, 2025

📊 TypeScript Coverage Report

Coverage: 82.0%

View detailed report

Coverage artifacts have been uploaded to this workflow run.
View Artifacts

ellipsis-dev[bot]
ellipsis-dev bot reviewed Oct 27, 2025
View reviewed changes
Copy link
Contributor

@ellipsis-dev ellipsis-dev bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

Looks good to me! 👍

Reviewed everything up to 102945a in 1 minute and 56 seconds. Click for details.
  • Reviewed 2824 lines of code in 27 files
  • Skipped 0 files when reviewing.
  • Skipped posting 9 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. crates/lib/src/signer/pool.rs:152
  • Draft comment:
    Use 'rand::thread_rng()' and 'rng.gen_range(...)' instead of 'rand::rng()' and 'rng.random_range(...)'. The current API may be non‐standard or deprecated.
  • Reason this comment was not posted:
    Comment was not on a location in the diff, so it can't be submitted as a review comment.
2. crates/lib/src/rpc_server/auth.rs:76
  • Draft comment:
    Good use of constant‐time comparison to mitigate timing attacks.
  • Reason this comment was not posted:
    Confidence changes required: 0% <= threshold 50% None
3. crates/lib/src/validator/transaction_validator.rs:141
  • Draft comment:
    Consider refactoring the long validation logic into smaller helper functions to improve maintainability.
  • Reason this comment was not posted:
    Confidence changes required: 50% <= threshold 50% None
4. crates/lib/src/token/token.rs:98
  • Draft comment:
    Ensure that conversion from u64 to Decimal and back handles edge cases properly and consider logging conversion errors for better debugging.
  • Reason this comment was not posted:
    Confidence changes required: 30% <= threshold 50% None
5. tests/external/jupiter_integration.rs:60
  • Draft comment:
    Integration tests depend on live Jupiter API responses. Consider mocking network responses or using a sandbox environment to reduce flakiness.
  • Reason this comment was not posted:
    Comment was on unchanged code.
6. sdks/ts/test/integration.test.ts:50
  • Draft comment:
    The tests assert that various configuration fields are defined. Verify that edge cases (e.g. empty arrays or zero limits) are also tested.
  • Reason this comment was not posted:
    Confidence changes required: 20% <= threshold 50% None
7. tests/Cargo.toml:43
  • Draft comment:
    Dependency versions appear consistent; ensure workspace dependencies are kept up-to-date.
  • Reason this comment was not posted:
    Confidence changes required: 0% <= threshold 50% None
8. crates/lib/src/validator/config_validator.rs:148
  • Draft comment:
    Consider adding more detailed logging during configuration validation to aid troubleshooting in production.
  • Reason this comment was not posted:
    Confidence changes required: 30% <= threshold 50% None
9. Cargo.lock:4361
  • Draft comment:
    Typo alert: The dependency named "rend" on this line seems suspicious. Could it be a typo for "rand" (or another intended crate name)? Please verify the correct spelling.
  • Reason this comment was not posted:
    Comment looked like it was already resolved.

Workflow ID: wflow_OgvFNQGuTydJBqu5

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

@dev-jodee dev-jodee merged commit 5af3b80 into release/feature-freeze-for-audit Oct 27, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ellipsis-dev ellipsis-dev[bot] ellipsis-dev[bot] left review comments

@amilz amilz Awaiting requested review from amilz

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dev-jodee