fix: correctness fixes from v12 review#552
Conversation
- Migration: derive each account from its own wallet mnemonic and account type (wormhole derivation for encrypted accounts); never clear old accounts when any migration failed - Guardian recovery: use reversibleTransfers.recoverFunds instead of the unconfigured recovery pallet batch - Recovery proxy: encode storage-returned AccountId32 directly instead of double-hashing through toAccountId - Remove leftover hard-coded test address from intercepted accounts - clearAll() no longer silently deletes mnemonics; logout uses explicit clearAllIncludingMnemonics() - Pagination: advance history cursors by raw rows consumed to avoid drift when rows parse to null - Senoti: exclude wormhole accounts from device registration (privacy); also exclude them from the Supabase migration upload - ss58ToAccountId: validate SS58 network prefix and return an error instead of panicking on invalid input
|
this is a bit sus - #93263 SS58 validation: ss58ToAccountId validates the network prefix and returns an error instead of panicking. default_ss58_version Doesn't really seem to fix any errors, but introduces possibility for misconfiguration and errors. |
|
clearAll change is bad, reverting |
having multiple methods for this just adds confusion to the codebase, no reason for this at all
|
reverted ss58 change - adds a bunch of code for no real reason |
Review: verifying each fix against the codebaseVerdict up front: all six fixes are genuine net improvements and the two reverts are justified, but the migration retry path has one substantive flaw worth fixing before merge. Every claim below was verified against the code (and chain metadata), and all SDK tests pass — including the native-tagged ones run locally against the Rust dylib. Verification of each fixMigration (the big one) — correct and important. Confirmed the old code's bug on Guardian recovery — verified the "never configured" claim. Recovery proxy double-hash — verified empirically. Ran the new native-tagged test locally against the built Rust dylib and it passes: Test address removal — obviously right. Pagination — logic checked, correct. Queries fetch Senoti privacy — correct and necessary. The Issues found1. Retry after partial failure can wipe accounts created in between (the one real problem). 2. Inconsistent "is wormhole" predicate. 3. New code violates the repo's own rules. The failure notification uses 4. Two of the three new test files don't test the service. Test results
VerdictMerge once issue 1 is addressed — it's the only one that can bite a real user, and it's in the exact partial-failure scenario this PR newly makes survivable. Issues 2–4 are take-it-or-leave-it polish. |
|
All 4 issues found are pretty bad, although migration isn't going to happen anymore so it's pretty harmless, also migration isn't going on mainnet |
- performMigration merges migrated accounts by accountId instead of replacing the list, so a retry after partial failure never wipes accounts created in between; active account only set on first run - skip re-uploading already-migrated successes to Supabase on retry - normalize index-flagged wormhole accounts to AccountType.encrypted in getMigrationData so upload/notification filters and the saved type agree - replace SnackBar/post-frame callback with error toaster; localize the migration dialog and failure toast (en + id) - extract SenotiService.notifiableAddresses and test it directly; rewrite migration tests to exercise the real service, add native derivation tests
Re-review: verifying the fixes in a800edd against the previous reviewVerdict up front: all four issues from the previous review are properly fixed — verified in code and by running the tests locally — but the Analyze CI check is now failing on a formatting violation introduced by this commit. One Issue-by-issue verificationIssue 1 (retry wiping accounts) — fixed correctly. Issue 2 (inconsistent wormhole predicate) — fixed correctly. Issue 3 (SnackBar + post-frame callback + hardcoded strings) — fixed correctly. The failure notification is now Issue 4 (tests not testing the services) — fixed correctly. Test results
Blocking issue: Analyze CI is redThe VerdictApprove once the formatting is fixed and CI is green. All substantive findings from the previous review are resolved, with real regression tests behind them. The remaining failure is mechanical. |
|
|
||
| /// Wormhole addresses are meant to be unlinkable to the user's identity, so | ||
| /// registering them with the notification service would deanonymize them. | ||
| static List<String> notifiableAddresses(List<Account> accounts, List<MultisigAccount> multisigAccounts) => [ |
There was a problem hiding this comment.
Do we really want to not notify them? I mean if they receive fund, isn't it better to notify them? Or we really don't want to register the address at all?
There was a problem hiding this comment.
Can't notify them yes - otherwise we just give away everyone's secret addresses lol
dewabisma
left a comment
There was a problem hiding this comment.
LGTM, just have one question to consider. I will approve once confirmed.
Lands only the fixes worth keeping from #549 (see review there), rebuilt on main:
reversibleTransfers.recoverFundsinstead of batching calls to the recovery pallet, which was never configured, so the rescue path could not work.toAccountIdwas double-hashing and returning the wrong address.Intentionally not fixed:
clearAllIncludingMnemonics().ss58ToAccountIdvalidates the network prefix and returns an error instead of panicking.clearAll change was simply worse (and more) code
ss58 check is not needed and was more code, and added some risks of failures we would now have to check for.