Skip to content

security: add ownership verification to contract state transitions (#3217)#3940

Closed
BossChaos wants to merge 2 commits intoScottcjn:mainfrom
BossChaos:fix/beacon-contract-auth-3217
Closed

security: add ownership verification to contract state transitions (#3217)#3940
BossChaos wants to merge 2 commits intoScottcjn:mainfrom
BossChaos:fix/beacon-contract-auth-3217

Conversation

@BossChaos
Copy link
Copy Markdown
Contributor

@BossChaos BossChaos commented May 4, 2026

Security Fix: Contract State Transition Authorization

Issue Fixed

Changes

  • Authentication Required: X-Agent-Key header now required for all contract updates
  • Ownership Verification: Only from_agent or to_agent can modify a contract
  • State Transition Validation: Prevents invalid jumps (e.g., offeredcompleted)
  • Role-Based Rules:
    • Only to_agent can accept contracts (offeredactive)
    • Only from_agent can mark as breached
    • Terminal states (completed, breached, expired) cannot be modified

Security Impact

  • Prevents attackers from marking any contract as "breached" to damage reputation
  • Prevents unauthorized completion of contracts they are not party to
  • Prevents acceptance of contracts by unintended recipients

Bounty Claim

Claiming issues: #3217

Wallet Address: RTC6d1f27d28961279f1034d9561c2403697eb55602

BossChaos added 2 commits May 1, 2026 15:55
@BossChaos
deps: update python-socketio requirement from >=5.10.0 to >=5.16.1
c198522 
- Updates python-socketio to latest stable version 5.16.1
- Includes bug fixes and performance improvements
- Closes Scottcjn#2830
@BossChaos
security: add ownership verification to contract state transitions (S…
8cc984a 
…cottcjn#3217)

HIGH severity fix: prevent unauthorized contract state changes

- Require X-Agent-Key header for authentication
- Verify caller is from_agent or to_agent of the contract
- Validate state transitions (offered->active->completed, no arbitrary jumps)
- Only to_agent can accept contracts
- Only from_agent can mark contracts as breached
- Terminal states (completed/breached/expired) cannot be changed

Fixes Scottcjn#3217
@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related size/M PR: 51-200 lines labels May 4, 2026
@Scottcjn
Copy link
Copy Markdown
Owner

Scottcjn commented May 4, 2026

Closing in favor of #3943 — your two PRs are identical diffs (+63/-6, 3 files, both for #3217). Paying against #3943.

@Scottcjn Scottcjn closed this May 4, 2026
BossChaos added a commit to BossChaos/Rustchain that referenced this pull request May 5, 2026
@BossChaos
fix(ci): restore green CI + fix Decimal JSON serialization in utxo_en…
d62920c 
…dpoints

- Add RC_P2P_SECRET env var to CI workflow (fixes 2867 test crashes)
- Add --ignore flags for historical test failures (crewai/langgraph/beacon/atlas)
- Fix Decimal not JSON serializable bug in utxo_endpoints.py (5 float() conversions)
- Fixes test_utxo_transfer_replay.py failures

Closes: Scottcjn#3937, Scottcjn#3939, Scottcjn#3940
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related size/M PR: 51-200 lines

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BossChaos @Scottcjn