
security: add ownership verification to contract state transitions#3943

Merged
Scottcjn merged 2 commits into Scottcjn:main from BossChaos:fix/beacon-api-contract-ownership-3217 on May 4, 2026

Conversation

@BossChaos
Contributor

Summary

Fixes #3217 — HIGH severity: unauthorized contract state changes possible.

Changes

  • Require X-Agent-Key header for contract state updates
  • Verify caller is from_agent or to_agent of the contract
  • Validate state transitions to prevent arbitrary jumps
  • Only to_agent can accept contracts (offered → active)
  • Only from_agent can mark contracts as breached
  • Terminal states (completed/breached/expired) cannot be modified

Fix Details

File: node/beacon_api.py

Before the fix, the /api/contracts/<contract_id> PUT endpoint allowed anyone to change contract state to any value without authentication or validation.

The fix adds:

  1. State transition validation — only valid transitions allowed (offered→active→completed, etc.)
  2. Terminal state protection — completed/breached/expired contracts cannot be modified
  3. Party verification — only contract participants can update state
  4. Role-based restrictions — only recipient can accept, only creator can breach

Impact

  • Prevents unauthorized state transitions on any contract
  • Maintains proper contract lifecycle integrity
  • No breaking changes for legitimate contract participants
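The checks listed in the description (authenticate the caller, confirm they are a party to the contract, refuse edits to terminal states, allow only the declared transitions, and restrict accept/breach to the recipient/creator) fit naturally into one guard function in front of the PUT handler. The following is an added illustration, not the code from this PR or from node/beacon_api.py: the contract record, the key-to-agent lookup (`AGENT_KEYS`), the sample agents, and the exact transition table beyond offered→active→completed are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed transition table. The PR text gives offered -> active -> completed and
# the three terminal states; which non-terminal states may become expired or
# breached is an assumption made for this example.
VALID_TRANSITIONS = {
    "offered": {"active", "expired"},
    "active": {"completed", "breached", "expired"},
}
TERMINAL_STATES = {"completed", "breached", "expired"}

# Constructed stand-in for the node's agent-key store: header value -> agent id.
AGENT_KEYS = {
    "key-alice": "alice",
    "key-bob": "bob",
    "key-mallory": "mallory",
}


@dataclass
class Contract:
    contract_id: str
    from_agent: str   # creator / offering party
    to_agent: str     # recipient
    state: str


def resolve_agent(headers: dict) -> Optional[str]:
    """Map the X-Agent-Key header to an agent id, or None if missing/unknown."""
    key = headers.get("X-Agent-Key")
    if not key:
        return None
    return AGENT_KEYS.get(key)


def check_state_update(contract: Contract, headers: dict, new_state: str):
    """Authorize a PUT that sets contract.state = new_state.

    Returns (http_status, message). The contract is mutated only on 200.
    Order of checks: authenticate, verify party, terminal state,
    transition validity, role restriction. Authentication and party
    checks come first so outsiders learn nothing about the contract.
    """
    caller = resolve_agent(headers)
    if caller is None:
        return 401, "missing or unknown X-Agent-Key"

    if caller not in (contract.from_agent, contract.to_agent):
        return 403, "caller is not a party to this contract"

    if contract.state in TERMINAL_STATES:
        return 409, f"contract is {contract.state} and cannot be modified"

    if new_state not in VALID_TRANSITIONS.get(contract.state, set()):
        return 400, f"invalid transition {contract.state} -> {new_state}"

    if new_state == "active" and caller != contract.to_agent:
        return 403, "only to_agent can accept a contract"

    if new_state == "breached" and caller != contract.from_agent:
        return 403, "only from_agent can mark a contract breached"

    contract.state = new_state
    return 200, f"state set to {new_state}"


def demo():
    """Walk one constructed contract through its lifecycle, hitting each rejection path."""
    c = Contract("c-1", from_agent="alice", to_agent="bob", state="offered")
    results = [
        check_state_update(c, {}, "active"),                              # no key
        check_state_update(c, {"X-Agent-Key": "key-mallory"}, "active"),  # outsider
        check_state_update(c, {"X-Agent-Key": "key-bob"}, "completed"),   # skips a step
        check_state_update(c, {"X-Agent-Key": "key-alice"}, "active"),    # creator cannot accept
        check_state_update(c, {"X-Agent-Key": "key-bob"}, "active"),      # recipient accepts
        check_state_update(c, {"X-Agent-Key": "key-bob"}, "breached"),    # recipient cannot breach
        check_state_update(c, {"X-Agent-Key": "key-alice"}, "breached"),  # creator breaches
        check_state_update(c, {"X-Agent-Key": "key-alice"}, "active"),    # terminal state
    ]
    return c.state, [status for status, _ in results]


if __name__ == "__main__":
    print(demo())  # ('breached', [401, 403, 400, 403, 200, 403, 200, 409])
```

Keeping the rules in a data table plus one guard function makes the allowed lifecycle reviewable at a glance, and the same function can be unit-tested without standing up the HTTP layer.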

BossChaos added 2 commits May 1, 2026 15:55
- Updates python-socketio to latest stable version 5.16.1
- Includes bug fixes and performance improvements
- Closes Scottcjn#2830
…cottcjn#3217)

HIGH severity fix: prevent unauthorized contract state changes

- Require X-Agent-Key header for authentication
- Verify caller is from_agent or to_agent of the contract
- Validate state transitions (offered->active->completed, no arbitrary jumps)
- Only to_agent can accept contracts
- Only from_agent can mark contracts as breached
- Terminal states (completed/breached/expired) cannot be changed

Fixes Scottcjn#3217
github-actions bot added labels on May 4, 2026: BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs), node (Node server related), size/M (PR: 51-200 lines)
@Scottcjn
Owner

Scottcjn commented May 4, 2026

Paid: 15 RTC. pending_id 1373, tx 16a51ea7f3f9ab92eed5d07c50e6221f. ownership verification on contract state transitions (#3217) — HIGH severity

Merging.

@Scottcjn Scottcjn merged commit 7eec582 into Scottcjn:main May 4, 2026
11 of 12 checks passed