Skip to content

feat: drop PolicyProvider#701

Open
0xrusowsky wants to merge 6 commits into
rus/l1-aware-dbfrom
rus/drop-policy-provider
Open

feat: drop PolicyProvider#701
0xrusowsky wants to merge 6 commits into
rus/l1-aware-dbfrom
rus/drop-policy-provider

Conversation

@0xrusowsky

@0xrusowsky 0xrusowsky commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

stacked on top of #698

fully drops the PolicyProvider

@0xrusowsky
0xrusowsky marked this pull request as ready for review July 17, 2026 15:54
@0xrusowsky
0xrusowsky requested a review from klkvr July 17, 2026 15:54
Comment thread crates/l1/src/block.rs
amount = %d.amount,
"Encrypted deposit recipient unauthorized; queuing deposit bounce-back"
);
queued.rejected = true;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we now never reject deposits? is it safe to just remove this logic?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they are rejected at execution when the 403 logic runs

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

basically it would be this code which calls mint() on the zone's TIP20:

  • regular deposit:
    try IZoneToken(d.token).mint(d.to, d.amount) {
    emit DepositProcessed(
    currentHash, d.sender, d.to, d.token, d.amount, d.memo
    );
    } catch {
    _enqueueDepositBounceBack(d.token, d.amount, d.bouncebackRecipient);
    emit DepositFailed(
    currentHash, d.sender, d.to, d.token, d.amount, d.bouncebackRecipient
    );
    }
  • encrypted deposit:
    try IZoneToken(ed.token).mint(decryptedTo, ed.amount) {
    emit EncryptedDepositProcessed(
    currentHash, ed.sender, decryptedTo, ed.token, ed.amount, decryptedMemo
    );
    } catch {
    _failEncryptedDeposit(currentHash, ed);

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes since this is rejected at execution time, should be safe to remove here.

@0xrusowsky

Copy link
Copy Markdown
Contributor Author

cyclops audit note="focus only on ensuring that the changes in this PR are sound. the base branch is being audited in parallel"

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

cc @0xrusowsky

Cyclops audit event published. View workflow run

Config: config: default, iterations: default, hours: default, note: focus only on ensuring that the changes in this PR are sound. the base branch is being audited in parallel

@tempoxyz-bot

tempoxyz-bot commented Jul 17, 2026

Copy link
Copy Markdown

👁️ Cyclops Security Review

95366b0

🧭 Verifying · mode=normal · workers 3/3 done (0 left) · verify pending 1 · ending soon

Worker Engine Latest Status Status
pr-701-w1 claude-opus-4-8 🚨 Iteration 3 · Verify Done
pr-701-w2 gpt-5.5 ✅ Iteration 3 · Audit Done
pr-701-w3 gpt-5.6-sol ✅ Iteration 3 · Audit Done

Findings

# Finding Severity Status
1 Encrypted-deposit mint-recipient authorization deferred to a never-invalidated anchored L1 cache Medium Iteration 1 · Audit
2 Stale anchored L1 policy reads propagate beyond encrypted deposits High Iteration 1 · Verify
3 Cyclops Invariant Audit — PR #701 Unknown Iteration 1 · Verify
4 Rejected/policy-failing encrypted deposits leak (to, memo) via unconditionally published ECDH sharedSecret in advanceTempo calldata medium Iteration 2 · Verify
5 Bridging a policy-restricted TIP-20 permanently halts the zone via advanceTempo revert high Iteration 3 · Verify
⚙️ Controls
  • 🚀 Keep only 1 remaining iteration per worker after the current work finishes.
  • 👀 Keep only 2 remaining iterations per worker after the current work finishes.
  • ❤️ Let only worker 1 continue; other workers skip queued iterations.
  • 😄 Let only worker 2 continue; other workers skip queued iterations.
  • 🎉 End faster by skipping queued iterations and moving toward consolidation.
  • 😕 Stop active workers/verifiers now and start consolidation immediately.

📜 34 events

🔍 pr-701-w1 iter 1/3 [audit-general.md]
🔍 pr-701-w2 iter 1/3 [audit-ripple.md]
🔍 pr-701-w3 iter 1/3 [audit-invariants.md]
🛡️ pr-701-w1 iter 1 — defense-in-depth
🚨 Finding: Encrypted-deposit mint-recipient authorization deferred to a never-invalidated anchored L1 cache (Medium)
🔍 pr-701-w1 iter 2/3 [audit-invariants.md]
🚨 pr-701-w2 iter 1 — finding
🚨 Finding: Stale anchored L1 policy reads propagate beyond encrypted deposits (High)
🔍 pr-701-w2 iter 2/3 [audit-ripple.md]
🔬 Verifying: Stale anchored L1 policy reads propagate beyond encrypted deposits
🚨 pr-701-w3 iter 1 — finding
🚨 Finding: Cyclops Invariant Audit — PR #701 (Unknown)
🔍 pr-701-w3 iter 2/3 [audit-ripple.md]
🔬 Verifying: Cyclops Invariant Audit — PR #701
📋 Verify: Stale anchored L1 policy reads propagate beyond encrypted deposits → ✅ Verified
🚨 pr-701-w1 iter 2 — finding
🚨 Finding: Rejected/policy-failing encrypted deposits leak (to, memo) via unconditionally published ECDH sharedSecret in advanceTempo calldata (medium)
🔍 pr-701-w1 iter 3/3 [audit-invariants.md]
🔬 Verifying: Rejected/policy-failing encrypted deposits leak (to, memo) via unconditionally published ECDH sharedSecret in advanceTempo calldata
📋 Verify: Rejected/policy-failing encrypted deposits leak (to, memo) via unconditionally published ECDH sharedSecret in advanceTempo calldata → ✅ Verified
📋 Verify: Cyclops Invariant Audit — PR #701 → ✅ Verified
pr-701-w2 iter 2 — clear
🔍 pr-701-w2 iter 3/3 [audit-invariants.md]
🚨 pr-701-w1 iter 3 — finding
🚨 Finding: Bridging a policy-restricted TIP-20 permanently halts the zone via advanceTempo revert (high)
🔬 Verifying: Bridging a policy-restricted TIP-20 permanently halts the zone via advanceTempo revert
📋 Verify: Bridging a policy-restricted TIP-20 permanently halts the zone via advanceTempo revert → ✅ Verified
🏁 pr-701-w1 done
pr-701-w3 iter 2 — clear
🔍 pr-701-w3 iter 3/3 [audit-ripple.md]
pr-701-w2 iter 3 — clear
🏁 pr-701-w2 done
pr-701-w3 iter 3 — clear
🏁 pr-701-w3 done

Comment thread crates/l1/src/block.rs
/// The resulting [`PreparedL1Block`] is ready to be passed through payload
/// attributes to the builder.
/// Decrypts encrypted deposits and ABI-encodes into the types the `advanceTempo` call expects.
/// Mint-recipient policy is enforced by upstream TIP-20 after the L1 state is anchored.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flagging that this now depends on the raw-cache invalidation issue from #698. Once this precheck is removed, encrypted deposits rely on that cache for authorization, so a stale hit can mint where a cold node would bounce.

Comment thread crates/node/README.md
3. **Tempo TIP-20 and TIP-403 precompiles** — execute the upstream business
logic against that composed storage view, replacing the zone's duplicated
policy dispatch. Missing or invalid anchored state fails closed, and zone
logic against that composed storage view, without a separate zone policy

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we clean up the remaining PolicyProvider docs here too? The diagram and note still describe PolicyCache/PolicyResolutionTask, and the payload attrs still say policy checks happen in the engine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants