Summary
update_external_confirmation() trusts callback-supplied confirmation values and optional required_confirmations overrides before completing bridge transfers and releasing their locks. The HTTP route clamps one input, but the core helper remained callable with out-of-range confirmation counts and allowed a callback to lower an existing confirmation threshold.
Impact
A bridge callback/API-key holder, compromised bridge service, or any internal caller of the helper could reduce the confirmation threshold and complete a transfer before the originally stored threshold is reached. For bridge deposits/withdrawals this can prematurely release the lock and, for withdrawals, credit the destination balance.
Fix
- Add a BRIDGE_MAX_CONFIRMATIONS ceiling enforced inside update_external_confirmation(), so the bound holds for every caller and not only for the HTTP route.
- Reject negative, out-of-range and non-integer confirmation values at the helper boundary.
- Reject attempts to lower an existing required_confirmations value; callers may only keep the stored threshold or raise it.
- Add regression tests covering lowered thresholds and direct helper calls that bypass the HTTP parser.
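As an added illustration of the checks listed above (example code written for this description, not the project's helper): the validation lives inside the helper itself, so a caller that never goes through the HTTP route still cannot pass an unbounded count or lower a stored threshold. The ceiling value, the Transfer record shape and the exception type are assumptions made for the example.

```python
"""Hardened external-confirmation update (illustrative, not project code).

Assumed for this example: BRIDGE_MAX_CONFIRMATIONS = 1024, a minimal
Transfer record, and a ConfirmationError exception. The structure mirrors
the fix described above: bound and type checks plus a monotonic threshold,
all enforced at the helper boundary rather than in the HTTP parser.
"""
from dataclasses import dataclass

BRIDGE_MAX_CONFIRMATIONS = 1024  # assumed ceiling for the example


class ConfirmationError(ValueError):
    """Raised when a callback supplies an invalid confirmation update."""


@dataclass
class Transfer:
    transfer_id: str
    confirmations: int
    required_confirmations: int
    completed: bool = False
    lock_released: bool = False


def _as_bounded_int(value, name):
    # bool is an int subclass in Python, so reject it explicitly along with
    # floats, strings and anything else that is not a plain integer.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ConfirmationError(f"{name} must be an integer")
    if value < 0 or value > BRIDGE_MAX_CONFIRMATIONS:
        raise ConfirmationError(
            f"{name} out of range 0..{BRIDGE_MAX_CONFIRMATIONS}")
    return value


def update_external_confirmation(transfer, confirmations,
                                 required_confirmations=None):
    """Apply a callback-supplied confirmation count to a transfer.

    The stored threshold may only be kept or raised; an attempt to lower it
    is rejected before any state changes, so a bad callback cannot complete
    the transfer early and release its lock.
    """
    confirmations = _as_bounded_int(confirmations, "confirmations")
    if required_confirmations is not None:
        required_confirmations = _as_bounded_int(
            required_confirmations, "required_confirmations")
        if required_confirmations < transfer.required_confirmations:
            raise ConfirmationError(
                "required_confirmations may not be lowered below the stored "
                f"threshold ({transfer.required_confirmations})")
        transfer.required_confirmations = required_confirmations
    transfer.confirmations = confirmations
    if transfer.confirmations >= transfer.required_confirmations:
        transfer.completed = True
        transfer.lock_released = True
    return transfer


if __name__ == "__main__":
    t = Transfer("deposit-1", confirmations=0, required_confirmations=12)
    try:
        update_external_confirmation(t, 12, required_confirmations=3)
    except ConfirmationError as exc:
        print("rejected:", exc)
    print("completed after lowering attempt:", t.completed)
```

All three rejection paths raise before the transfer is mutated, which is the property the regression tests should pin down: after a rejected call the stored threshold, completion flag and lock state are unchanged.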
Verification
./.venv/bin/python -m pytest -q tests/test_bridge_lock_ledger.py::TestIntegration::test_full_deposit_flow tests/test_bridge_lock_ledger.py::TestIntegration::test_external_confirmation_rejects_lowered_required_threshold tests/test_bridge_lock_ledger.py::TestIntegration::test_external_confirmation_helper_rejects_unbounded_counts
PYTHONPYCACHEPREFIX=/private/tmp/rustchain-pycache python3 -m py_compile node/bridge_api.py tests/test_bridge_lock_ledger.py
git diff --check