feat: merge audit branch (#1533)

* fix: ensure world metadata are handled safely with ACL

* fix: remove unused EXECUTE_ENTRYPOINT

* fix: add support for array for feature parity on metadata uri

* fix: ensure the new class hash to upgrade to has world() entrypoint

* wip: metadata rework

* feat: add expand env var for plugin debug

* feat: add support for multiple segment in the storage

This commit aims at having more flexibility in the dojo storage
engine, to automatically use several storage slots segments depending
on the packed size.

The offset and length fields are not more required for the database to work.
The layout is still exposed for the moment.

* fix: adjust world entry points based on storage rework

* fix: remove unused WhereClause

* fix: ensure deployed contracts addresses don't conflict with model names

* fix: remove TODO with expected behavior for packing

* fix: ensure fpow is never used with base equal to 0 in our case

* fix: remove old boolean enum usage

* fix: ensure executor address is not zero

* fix: ensure packing max bits max value

* fix: remove unused file

* fix: remove database/utils not used for now

* fix: remove index related code

* fix: ensure empty data are well retrieved from storage

* fix: remove the length from the storage to be backward compatible

* fix: remove unused variable

* fix: adjust gas for test

* feat: add function to verify ownership of tx account

* fix: remove executor and and deploy models instead

There were a security issue with the executor, as currently
the library_call is not immutable. Hence, a function called
by library_call may contains other syscall. For this reason,
the executor is removed in favor of deploying the model
to get it's name.

* fix: keep class hash and contract address for models

* feat: update toolchain for new model registration

* fix: revise world documentation and refacto world errors

* fix: remove unused storage variable

* fix: ensure the world address is protected against model registration

* fix: remove unused variable

* fix: reintroduce missing test

* fix: ensure resource metadata are only controlled by world creator

* fix: ensure resource metadata is well written in the manifest

* fix: format + clippy

* tests(dojo-core): fix testing

* fix: torii initial support for array and introspection

* wip: torii introspect integration for Array

* fix: add contract address to model's metadata

* fix: Ty serialization for Array on Torii side

* fix: fix torii values index for store_set_record

* fix: remove contract address from wrong model

* feat: add array in testing graphql

* chore: restore main Cargo.lock

* fix: remove Copy trait for Record as now contains Array

* docs: add audit link in README

* docs: fix README audit format

* chore: use new tag of cainome wasm compatible + remove unused variables

* fix: fmt

* fix: add array as supported enum for models children ty

* fix(dojo-core): remove print statements not required

* fix: remove print for database but keep it for base_test address

* fix: add sozo command for class hash back and add contract address command

* ci: avoid rate limitation for protoc

* fix(torii): ensure model contract address is in a new migration

* fix(torii): remove array indexing support for now

* fix(dojo-core): disable use of capacity derive on model

* fix: fmt

* fix(dojo-lang): run missing CAIRO_FIX tests

* fix: remove debug print

.github/workflows/ci.yml

@@ -44,6 +44,8 @@ jobs:
           target: x86_64-pc-windows-msvc
       - uses: Swatinem/rust-cache@v2
       - uses: arduino/setup-protoc@v2
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
       - run: cargo build --target x86_64-pc-windows-msvc --bins
 
   # cairofmt:

Cargo.toml

@@ -136,6 +136,7 @@ itertools = "0.10.3"
 jsonrpsee = { version = "0.16.2", default-features = false }
 lazy_static = "1.4.0"
 metrics-process = "1.0.9"
+num-traits = { version = "0.2", default-features = false }
 once_cell = "1.0"
 parking_lot = "0.12.1"
 pretty_assertions = "1.2.1"

README.md

@@ -33,6 +33,12 @@ We welcome contributions of all kinds from anyone. See our [Contribution Guide](
 
 See our [Environment setup](https://book.dojoengine.org/getting-started) for more information.
 
+## 🛡️Audit
+
+Dojo core smart contracts have been audited:
+
+* feb-24: [Nethermind security](https://github.com/NethermindEth/PublicAuditReports/blob/main/NM0159-FINAL_DOJO.pdf)
+
 ## Releasing
 
 Propose a new release by manually triggering the `release-dispatch` github action. The version value can be an semver or a level: `[patch, minor, major]`.

bin/sozo/src/commands/events.rs

@@ -101,10 +101,6 @@ fn extract_events(manifest: &Manifest) -> HashMap<String, Vec<Event>> {
         inner_helper(&mut events_map, abi);
     }
 
-    if let Some(abi) = manifest.executor.abi.clone() {
-        inner_helper(&mut events_map, abi);
-    }
-
     for contract in &manifest.contracts {
         if let Some(abi) = contract.abi.clone() {
             inner_helper(&mut events_map, abi);

bin/sozo/src/commands/model.rs

@@ -28,6 +28,18 @@ pub enum ModelCommands {
         starknet: StarknetOptions,
     },
 
+    #[command(about = "Retrieve the contract address of a model")]
+    ContractAddress {
+        #[arg(help = "The name of the model")]
+        name: String,
+
+        #[command(flatten)]
+        world: WorldOptions,
+
+        #[command(flatten)]
+        starknet: StarknetOptions,
+    },
+
     #[command(about = "Retrieve the schema for a model")]
     Schema {
         #[arg(help = "The name of the model")]

bin/sozo/src/ops/migration/migration_test.rs

@@ -147,6 +147,5 @@ async fn migration_from_remote() {
     sequencer.stop().unwrap();
 
     assert_eq!(local_manifest.world.class_hash, remote_manifest.world.class_hash);
-    assert_eq!(local_manifest.executor.class_hash, remote_manifest.executor.class_hash);
     assert_eq!(local_manifest.models.len(), remote_manifest.models.len());
 }

bin/sozo/src/ops/migration/mod.rs

@@ -1,6 +1,7 @@
 use std::path::Path;
 
 use anyhow::{anyhow, bail, Context, Result};
+use dojo_world::contracts::abi::world::ResourceMetadata;
 use dojo_world::contracts::cairo_utils;
 use dojo_world::contracts::world::WorldContract;
 use dojo_world::manifest::{Manifest, ManifestError};
@@ -286,34 +287,6 @@ where
 {
     let ui = ws.config().ui();
 
-    match &strategy.executor {
-        Some(executor) => {
-            ui.print_header("# Executor");
-            deploy_contract(executor, "executor", vec![], migrator, &ui, &txn_config).await?;
-
-            // There is no world migration, so it exists already.
-            if strategy.world.is_none() {
-                let addr = strategy.world_address()?;
-                let InvokeTransactionResult { transaction_hash } =
-                    WorldContract::new(addr, &migrator)
-                        .set_executor(&executor.contract_address.into())
-                        .send()
-                        .await
-                        .map_err(|e| {
-                            ui.verbose(format!("{e:?}"));
-                            e
-                        })?;
-
-                TransactionWaiter::new(transaction_hash, migrator.provider()).await?;
-
-                ui.print_hidden_sub(format!("Updated at: {transaction_hash:#x}"));
-            }
-
-            ui.print_sub(format!("Contract address: {:#x}", executor.contract_address));
-        }
-        None => {}
-    };
-
     match &strategy.base {
         Some(base) => {
             ui.print_header("# Base Contract");
@@ -341,10 +314,7 @@ where
         Some(world) => {
             ui.print_header("# World");
 
-            let calldata = vec![
-                strategy.executor.as_ref().unwrap().contract_address,
-                strategy.base.as_ref().unwrap().diff.local,
-            ];
+            let calldata = vec![strategy.base.as_ref().unwrap().diff.local];
             deploy_contract(world, "world", calldata.clone(), migrator, &ui, &txn_config)
                 .await
                 .map_err(|e| {
@@ -358,11 +328,21 @@ where
             if let Some(meta) = metadata.as_ref().and_then(|inner| inner.world()) {
                 match meta.upload().await {
                     Ok(hash) => {
-                        let encoded_uri = cairo_utils::encode_uri(&format!("ipfs://{hash}"))?;
+                        let mut encoded_uri = cairo_utils::encode_uri(&format!("ipfs://{hash}"))?;
+
+                        // Metadata is expecting an array of capacity 3.
+                        if encoded_uri.len() < 3 {
+                            encoded_uri.extend(vec![FieldElement::ZERO; 3 - encoded_uri.len()]);
+                        }
+
+                        let world_metadata = ResourceMetadata {
+                            resource_id: FieldElement::ZERO,
+                            metadata_uri: encoded_uri,
+                        };
 
                         let InvokeTransactionResult { transaction_hash } =
                             WorldContract::new(world.contract_address, migrator)
-                                .set_metadata_uri(&FieldElement::ZERO, &encoded_uri)
+                                .set_metadata(&world_metadata)
                                 .send()
                                 .await
                                 .map_err(|e| {
@@ -382,6 +362,9 @@ where
         None => {}
     };
 
+    // Once Torii supports indexing arrays, we should declare and register the
+    // ResourceMetadata model.
+
     register_models(strategy, migrator, &ui, txn_config.clone()).await?;
     deploy_contracts(strategy, migrator, &ui, txn_config).await?;
 

bin/sozo/src/ops/model.rs

@@ -20,6 +20,18 @@ pub async fn execute(command: ModelCommands, env_metadata: Option<Environment>)
             println!("{:#x}", model.class_hash());
         }
 
+        ModelCommands::ContractAddress { name, world, starknet } => {
+            let world_address = world.address(env_metadata.as_ref())?;
+            let provider = starknet.provider(env_metadata.as_ref())?;
+
+            let world = WorldContractReader::new(world_address, &provider)
+                .with_block(BlockId::Tag(BlockTag::Pending));
+
+            let model = world.model_reader(&name).await?;
+
+            println!("{:#x}", model.contract_address());
+        }
+
         ModelCommands::Schema { name, world, starknet, to_json } => {
             let world_address = world.address(env_metadata.as_ref())?;
             let provider = starknet.provider(env_metadata.as_ref())?;

bin/sozo/tests/test_data/manifest.json

@@ -843,6 +843,15 @@
     "writes": [],
     "computed": []
   },
+  "resource_metadata": {
+    "name": "",
+    "address": null,
+    "class_hash": "0x0",
+    "abi": null,
+    "reads": [],
+    "writes": [],
+    "computed": []
+  },
   "base": {
     "name": "dojo::base::base",
     "class_hash": "0x6c458453d35753703ad25632deec20a29faf8531942ec109e6eb0650316a2bc",
@@ -1569,4 +1578,4 @@
       ]
     }
   ]
-}
+}