From 08f0f51d8ed1228a2f9127d5bc24b20eb82925ab Mon Sep 17 00:00:00 2001
From: Danielodingz
Date: Sat, 25 Apr 2026 22:09:42 +0100
Subject: [PATCH 1/2] feat: implement automated security audit script for Wasm files (#274)
---
 .github/workflows/rust.yml | 3 +++
 scripts/security_audit.sh | 48 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100755 scripts/security_audit.sh
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 488707b..ccbfd68 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -19,3 +19,6 @@ jobs:
 run: cargo test -p sep41-token
 - name: Test upgradeable
 run: cargo test -p upgradeable
+ - name: Run Security Audit
+ run: ./scripts/security_audit.sh
+
diff --git a/scripts/security_audit.sh b/scripts/security_audit.sh
new file mode 100755
index 0000000..3aa390c
--- /dev/null
+++ b/scripts/security_audit.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+echo "Starting Soroban Wasm Security Audit..."
+
+if ! command -v find &> /dev/null; then
+ echo "Error: 'find' command is required."
+ exit 1
+fi
+
+WASM_COUNT=$(find target -name "*.wasm" 2>/dev/null | wc -l || echo 0)
+if [ "$WASM_COUNT" -eq 0 ]; then
+ WASM_COUNT=$(find . -name "*.wasm" 2>/dev/null | wc -l || echo 0)
+fi
+
+if [ "$WASM_COUNT" -eq 0 ]; then
+ echo "No Wasm files found. Please ensure the project is built before running the audit."
+ exit 0
+fi
+
+echo "Found Wasm files:"
+find target -name "*.wasm" 2>/dev/null || find . -name "*.wasm" 2>/dev/null
+
+if command -v soroban-analyzer &> /dev/null; then
+ echo "Running soroban-analyzer..."
+ # SC2044 avoidance by using while read -r
+ (find target -name "*.wasm" 2>/dev/null || find . -name "*.wasm" 2>/dev/null) | while read -r file; do
+ if [ -n "$file" ]; then
+ echo "Analyzing $file..."
+ soroban-analyzer "$file"
+ fi
+ done
+else
+ echo "Warning: 'soroban-analyzer' is not installed or available in PATH."
+ echo "Skipping dedicated Wasm static analysis."
+fi
+
+echo "Checking for suspicious patterns in Rust source files..."
+
+if grep -rn "unsafe {" src/ contracts/ > /dev/null 2>&1; then
+ echo "Warning: 'unsafe' blocks found in source files. Please review for potential vulnerabilities."
+fi
+
+if grep -rn "env.panic" src/ contracts/ > /dev/null 2>&1; then
+ echo "Warning: 'env.panic' usages found. Review panic conditions to prevent DoS or reentrancy issues."
+fi
+
+echo "Security audit completed successfully."
From 71905d84ad84ddf87018aade8355770a9b89da42 Mon Sep 17 00:00:00 2001
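Review bot: The audit can pass vacuously: the `No Wasm files found` branch exits 0, a missing `soroban-analyzer` only prints a warning, and the two grep checks never affect the exit status, so a run that inspects nothing still ends with `Security audit completed successfully.` and a green CI step. Nothing in the visible workflow hunks installs `soroban-analyzer`, so as far as this series shows the CI run will always take the skip branch; for a gate I would make both cases fatal when `CI` is set (GitHub Actions exports it), e.g. `exit 1` in the `WASM_COUNT -eq 0` branch and `[ -z "${CI:-}" ] || exit 1` after the skip warning, and have the grep checks set a variable that the last line turns into a non-zero exit. Separately, the `(find target ... || find . ...)` fallback used for the listing and the analysis loop keys on find's exit status, which is 0 even when nothing matches, so it does not agree with the count-based fallback above it; collecting the list once with `WASM_FILES=$(find target -name "*.wasm" 2>/dev/null)` and `[ -n "$WASM_FILES" ] || WASM_FILES=$(find . -name "*.wasm" 2>/dev/null)` and reusing it for the count, the listing and the loop removes the mismatch. The `|| echo 0` on the count pipelines is also dead under plain `set -e`, since without `pipefail` the pipeline status is that of `wc -l`.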
From: Danielodingz
Date: Sat, 25 Apr 2026 22:32:50 +0100
Subject: [PATCH 2/2] fix: resolve CI failure by moving bridge and liquidation library files to src/lib.rs
---
 .github/workflows/rust.yml | 3 +++
 src/bridge/{ => src}/lib.rs | 0
 src/liquidation/{ => src}/lib.rs | 0
 3 files changed, 3 insertions(+)
 rename src/bridge/{ => src}/lib.rs (100%)
 rename src/liquidation/{ => src}/lib.rs (100%)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index ccbfd68..145c676 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -15,6 +15,8 @@ jobs:
 with:
 targets: wasm32-unknown-unknown
 - uses: Swatinem/rust-cache@v2
+ - name: Build Contracts
+ run: cargo build --target wasm32-unknown-unknown --release
 - name: Test sep41-token
 run: cargo test -p sep41-token
 - name: Test upgradeable
@@ -22,3 +24,4 @@ jobs:
 - name: Run Security Audit
 run: ./scripts/security_audit.sh
+
diff --git a/src/bridge/lib.rs b/src/bridge/src/lib.rs
similarity index 100%
rename from src/bridge/lib.rs
rename to src/bridge/src/lib.rs
diff --git a/src/liquidation/lib.rs b/src/liquidation/src/lib.rs
similarity index 100%
rename from src/liquidation/lib.rs
rename to src/liquidation/src/lib.rs
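Review bot: The new `Build Contracts` step runs `cargo build` without `--locked`, so the Wasm artifacts the later audit step inspects can be built from dependency versions resolved at CI time rather than from the committed Cargo.lock; for a build whose output feeds a security gate I would use `run: cargo build --locked --target wasm32-unknown-unknown --release`. The existing `cargo test` steps in the context lines have the same gap, so this may be a deliberate project-wide choice, but applying `--locked` consistently is cheaper than auditing a moving target. The second hunk in this file only appends a trailing blank line and needs no change.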