feat(contract-manager): Pythnet BPF upgrade authority audit tool#3740
feat(contract-manager): Pythnet BPF upgrade authority audit tool#3740jayantk wants to merge 2 commits into
Conversation
…ade authorities Scaffold a new CLI tool that connects to Pythnet and reports the BPF upgrade authority for each known Pyth program. Includes program registry, ProgramData decoder helpers, fixture-based tests, and documentation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
3 Skipped Deployments
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
There was a problem hiding this comment.
🚩 Test uses manual assert/console.log instead of the project's Jest framework
The existing tests in this area of the codebase use Jest (see governance/xc_admin/packages/xc_admin_common/src/__tests__/BpfUpgradableLoaderInstruction.test.ts), but this new test uses raw node:assert + console.log with a manual main() runner. This means the tests won't be picked up by the project's standard test runner and won't integrate with CI. Consider converting to Jest test()/expect() patterns for consistency and CI integration.
Was this helpful? React with 👍 or 👎 to provide feedback.
| ); | ||
|
|
||
| // Exit non-zero if all programs had errors | ||
| const allFailed = entries.every((e) => e.notes.startsWith("error:")); |
There was a problem hiding this comment.
🟡 entries.every() returns true on empty array, causing false failure exit
If an empty custom programs file ([]) is supplied via --programs, the entries array will be empty. Array.prototype.every() returns true for empty arrays (vacuous truth), so entries.every((e) => e.notes.startsWith("error:")) at line 186 evaluates to true. This causes the script to print "All program queries failed. Check the RPC endpoint." and process.exit(1) even though no programs were queried — the correct behavior would be to succeed (or warn) for an empty list.
| const allFailed = entries.every((e) => e.notes.startsWith("error:")); | |
| const allFailed = entries.length > 0 && entries.every((e) => e.notes.startsWith("error:")); |
Was this helpful? React with 👍 or 👎 to provide feedback.
1 participant
Summary
contract_manager/scripts/list_pythnet_authorities.ts— a new CLI tool that connects to Pythnet, fetches each known Pyth program's BPF upgrade authority, and outputs a JSON report + human-readable tablecontract_manager/src/core/pythnet-programs.ts— program registry reusingMESSAGE_BUFFER_PROGRAM_IDandREMOTE_EXECUTOR_ADDRESSfrom@pythnetwork/xc-admin-commondecodeProgramAccount()anddecodeProgramDataAccount()helpers togovernance/xc_admin/packages/xc_admin_common/src/bpf_upgradable_loader.tsPYTHNET_AUTHORITIES.mddocumentationValidator-tree investigation
Investigated the pythnet validator tree (pyth-v1.14.29/programs). No Pyth oracle programs are baked in as validator builtins. All three programs (Oracle, Remote Executor, Message Buffer) are deployed as standard BPF upgradeable programs with inspectable upgrade authorities.
Test plan
pnpm turbo build --filter @pythnetwork/contract-managersucceedspnpm --filter @pythnetwork/contract-manager exec tsx scripts/__tests__/list_pythnet_authorities.test.ts