On-Chain PCCS Audit Submission For Release (November 2024) (#9)

* p256 precompile

* collateral and code separation

* removed EAS structure from base contract

* internal storage can only be read and written by authorized daos

* removing the ability to update code and added authorized callers check for all automata daos

* code formatting

* automata storage missing caller authorization setter

* add internal method to read data from resolver for daos

* when loading collaterals for upserts, it should read directly from the resolver

* NatSpec comment updates and added enclaveID version simple check

* store slither report as SARIF

* resolver comment minor updates

* updated README.md

* revert if unable to find a p256 verifier

* removed ownable from pccs

* seperate internal collateral read methods

* typo

* key pre-image collision fixed

* pause toggle

* tcbv3 parser to include advisoryIDs

* testnet broadcast and minor updates on script

* deployment script fixes

* removed dirty comments and minor pck update for validating tcb upserts

* immutable resolver

* updates on README and env example to reflect testnet deployment

.github/workflows/slither.yml

@@ -27,16 +27,21 @@ jobs:
         with:
           fail-on: none
           slither-args: --checklist --show-ignored-findings --markdown-root ${{ env.commit_url }}
-
+          sarif: results.sarif
 
-      - name: Create/update checklist as PR comment
-        uses: actions/github-script@v7
-        if: github.event_name == 'pull_request'
-        env:
-          REPORT: ${{ steps.slither.outputs.stdout }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          script: |
-            const script = require('.github/scripts/slither-comment')
-            const header = '# Slither report'
-            const body = process.env.REPORT
-            await script({ github, context, header, body })
+          sarif_file: ${{ steps.slither.outputs.sarif }}
+
+      # - name: Create/update checklist as PR comment
+      #   uses: actions/github-script@v7
+      #   if: github.event_name == 'pull_request'
+      #   env:
+      #     REPORT: ${{ steps.slither.outputs.stdout }}
+      #   with:
+      #     script: |
+      #       const script = require('.github/scripts/slither-comment')
+      #       const header = '# Slither report'
+      #       const body = process.env.REPORT
+      #       await script({ github, context, header, body })

README.md

@@ -19,76 +19,43 @@ On-chain PCCS provides an open and permissionless service where users can freely
 
 ## Contracts
 
+> ℹ️ **Note**: 
+>
+> The deployment addresses shown here are currently based on the latest [changes](https://github.com/automata-network/automata-on-chain-pccs/pull/9) made.
+>
+> To view deployments on the previous version (will be deprecated soon), you may refer to this [branch](https://github.com/automata-network/automata-on-chain-pccs/tree/v0).
+
 There are two sets of contracts, i.e. the **Helper** and **Base**.
 
 ### Helper Contracts
 
 The Helper contracts provide APIs for parsing collaterals and converting into Solidity structs, i.e. QEIdentity.json, TCBInfo.json, basic DER-decoder for PCK X509 leaf certificate and extensions and X509 CRLs.
 
-<!-- Click [here](./src/helpers/) to learn more about the implementation details for Helper contracts. -->
-
-The Helper contracts have been deployed to testnet, and can be used by both on-chain and off-chain programs.
-
 #### Testnet
 
 |  | Network | Address |
 | --- | --- | --- |
-| `EnclaveIdentityHelper.sol` | Automata Testnet | [0xfd4a34b578B352FE1896CDafaEb0f45f993352Bf](https://explorer-testnet.ata.network/address/0xfd4a34b578B352FE1896CDafaEb0f45f993352Bf) |
-|  | Ethereum Holesky Testnet | [0xEea41Ae0cB09A478b80425Ae61c85e445E83c415](https://holesky.etherscan.io/address/0xEea41Ae0cB09A478b80425Ae61c85e445E83c415) |
-|  | Ethereum Sepolia Testnet | [0xA5D1EC1CcCdF2f60Df05cf1e110352F696bA4C64](https://Sepolia.etherscan.io/address/0xA5D1EC1CcCdF2f60Df05cf1e110352F696bA4C64) |
-| `FmspcTcbHelper.sol` | Automata Testnet | [0xC2A662e08A35513596E22D0aC236Ce72e59125EE](https://explorer-testnet.ata.network/address/0xC2A662e08A35513596E22D0aC236Ce72e59125EE) |
-|  | Ethereum Holesky Testnet | [0xc728DD0FcD76CD9166F66e1CD8002dE86d6525B8](https://holesky.etherscan.io/address/0xc728DD0FcD76CD9166F66e1CD8002dE86d6525B8) |
-|  | Ethereum Sepolia Testnet | [0x2404DAc28D18847937CcAdC1b29d3403AED3BB6C](https://Sepolia.etherscan.io/address/0x2404DAc28D18847937CcAdC1b29d3403AED3BB6C) |
-| `PCKHelper.sol` | Automata Testnet | [0x5213c0e3Ab478dbc83E8afFF8909717332E4f8E1](https://explorer-testnet.ata.network/address/0x5213c0e3Ab478dbc83E8afFF8909717332E4f8E1) |
-|  | Ethereum Holesky Testnet | [0xDe20629a87C371668bB371ef1d77D9D167E52021](https://holesky.etherscan.io/address/0xDe20629a87C371668bB371ef1d77D9D167E52021) |
-|  | Ethereum Sepolia Testnet | [0xBf1ec53BA4768D1470F037898C6a3ff9Ed3Fe394](https://Sepolia.etherscan.io/address/0xBf1ec53BA4768D1470F037898C6a3ff9Ed3Fe394) |
-| `X509CRLHelper.sol` | Automata Testnet | [0x12C1E13Aa2a238EAb15c2e2b6AC670266bc3C814](https://explorer-testnet.ata.network/address/0x12C1E13Aa2a238EAb15c2e2b6AC670266bc3C814) |
-|  | Ethereum Holesky Testnet | [0x3ACBfad7460e2fae32A31f863e1A38F7a002cEA8](https://holesky.etherscan.io/address/0x3ACBfad7460e2fae32A31f863e1A38F7a002cEA8) |
-|  | Ethereum Sepolia Testnet | [0x2a81585F6d8ACB52DED417De5946486394b54B63](https://Sepolia.etherscan.io/address/0x2a81585F6d8ACB52DED417De5946486394b54B63) |
-
-#### Mainnet
-|  | Network | Address |
-| --- | --- | --- |
-| `EnclaveIdentityHelper.sol` | Automata Mainnet | [0x13BECaa512713Ac7C2d7a04ba221aD5E02D43DFE](https://explorer.ata.network/address/0x13BECaa512713Ac7C2d7a04ba221aD5E02D43DFE) |
-| `FmspcTcbHelper.sol` | Automata Mainnet | [0xc99bf04c31bf3d026b5b47b2574fc19c1459b732](https://explorer.ata.network/address/0xc99bf04c31bf3d026b5b47b2574fc19c1459b732) |
-| `PCKHelper.sol` | Automata Mainnet | [0x3e2fe733E444313A93Fa3f9AEd3bB203048dDE70](https://explorer.ata.network/address/0x3e2fe733E444313A93Fa3f9AEd3bB203048dDE70) |
-| `X509CRLHelper.sol` | Automata Mainnet | [0x2567245dE6E349C8B7AA82fD6FF854b844A0aEF9](https://explorer.ata.network/address/0x2567245dE6E349C8B7AA82fD6FF854b844A0aEF9) |
+| `EnclaveIdentityHelper.sol` | Automata Testnet | [0xae27D762EED6958bc34b358bd7C78c7211fe77F8](https://explorer-testnet.ata.network/address/0xae27D762EED6958bc34b358bd7C78c7211fe77F8) |
+| `FmspcTcbHelper.sol` | Automata Testnet | [0x71056B540b4E60D0E8eFb55FAd487C486B09FFF5](https://explorer-testnet.ata.network/address/0x71056B540b4E60D0E8eFb55FAd487C486B09FFF5) |
+| `PCKHelper.sol` | Automata Testnet | [0x4Aca9C0EB063401C9F5c2Fc4487DBC5ccF1C9E2B](https://explorer-testnet.ata.network/address/0x4Aca9C0EB063401C9F5c2Fc4487DBC5ccF1C9E2B) |
+| `X509CRLHelper.sol` | Automata Testnet | [0x6e204fEAe40F668a06E78a83b66185FFC8892DDA](https://explorer-testnet.ata.network/address/0x6e204fEAe40F668a06E78a83b66185FFC8892DDA) |
 
 ### Base libraries and Automata DAO contracts
 
 The base contracts are libraries that provide the Data Access Object (DAO) APIs with similar designs inspired from the [Design Guide for Intel SGX PCCS](https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/docs/SGX_DCAP_Caching_Service_Design_Guide.pdf).
 
 Base contracts are dependent on Helper contracts to parse collaterals, and contains implementation of basic collateral authenticity check functions for upserts. Smart contract developers are encouraged to extend the base contracts to build their own custom implementation of on-chain PCCS.
 
-<!-- Click [here](./src/bases/) to learn more about each DAOs. -->
-
-Our DAO implementation can be found in the [`automata_pccs`](./src/automata_pccs/) directory, and are deployed to testnet.
+Our DAO implementation can be found in the [`automata_pccs`](./src/automata_pccs/) directory.
 
 #### Testnet
 
 |  | Network | Address |
 | --- | --- | --- |
 | `AutomataEnclaveIdentityDao.sol` | Automata Testnet | [0x413272890ab9F155a47A5F90a404Fb51aa259087](https://explorer-testnet.ata.network/address/0x413272890ab9F155a47A5F90a404Fb51aa259087) |
-|  | Ethereum Holesky Testnet | [0x9f4b0fB3A95072bD133082e9683A3536669EFE07](https://holesky.etherscan.io/address/0x9f4b0fB3A95072bD133082e9683A3536669EFE07) |
-|  | Ethereum Sepolia Testnet | [0x4bb680A5e6Ad6228E7d334903B0Ce10EF60c961C](https://Sepolia.etherscan.io/address/0x4bb680A5e6Ad6228E7d334903B0Ce10EF60c961C) |
-| `AutomataFmspcTcbDao.sol` | Automata Testnet | [0x7c04B466DebA13D48116b1339C62b35B9805E5A0](https://explorer-testnet.ata.network/address/0x7c04B466DebA13D48116b1339C62b35B9805E5A0) |
-|  | Ethereum Holesky Testnet | [0xaB5074445E5ae3C650553d5a7560B3A7121635B9](https://holesky.etherscan.io/address/0xaB5074445E5ae3C650553d5a7560B3A7121635B9) |
-|  | Ethereum Sepolia Testnet | [0xF790b1C23e6508A6135Ce88450eC0A59Af0B9896](https://Sepolia.etherscan.io/address/0xF790b1C23e6508A6135Ce88450eC0A59Af0B9896) |
-| `AutomataPckDao.sol` | Automata Testnet | [0x6D4cA6AE5315EBBcb4331c82531db0ad8853Eb31](https://explorer-testnet.ata.network/address/0x6D4cA6AE5315EBBcb4331c82531db0ad8853Eb31) |
-|  | Ethereum Holesky Testnet | [0x5B2d7781E3c44966769484daBCdc435EFD281c34](https://holesky.etherscan.io/address/0x5B2d7781E3c44966769484daBCdc435EFD281c34) |
-|  | Ethereum Sepolia Testnet | [0x3eA9D905Cb79586C2184f329e6a651D97F2ebee3](https://Sepolia.etherscan.io/address/0x3eA9D905Cb79586C2184f329e6a651D97F2ebee3) |
-| `AutomataPcsDao.sol` | Automata Testnet | [0xD0335cbC73CA2f8EDd98a2BE3909f55642F414D7](https://explorer-testnet.ata.network/address/0xD0335cbC73CA2f8EDd98a2BE3909f55642F414D7) |
-|  | Ethereum Holesky Testnet | [0x66FdB4E72d2F4a7e2081bf83F1FfACC9bbCb384b](https://holesky.etherscan.io/address/0x66FdB4E72d2F4a7e2081bf83F1FfACC9bbCb384b) |
-|  | Ethereum Sepolia Testnet | [0x348DA46aA11188f641f01dbe247b25FFA5FFB9c4](https://Sepolia.etherscan.io/address/0x348DA46aA11188f641f01dbe247b25FFA5FFB9c4) |
-
-### Mainnet
-
-|  | Network | Address |
-| --- | --- | --- |
-| `AutomataEnclaveIdentityDao.sol` | Automata Mainnet | [0x28111536292b34f37120861A46B39BF39187d73a](https://explorer.ata.network/address/0x28111536292b34f37120861A46B39BF39187d73a) |
-| `AutomataFmspcTcbDao.sol` | Automata Mainnet | [0x868c18869f68E0E0b0b7B2B4439f7fDDd0421e6b](https://explorer.ata.network/address/0x868c18869f68E0E0b0b7B2B4439f7fDDd0421e6b) |
-| `AutomataPckDao.sol` | Automata Mainnet | [0xeCc198936FcA3Ca1fDc97B8612B32185908917B0](https://explorer.ata.network/address/0xeCc198936FcA3Ca1fDc97B8612B32185908917B0) |
-| `AutomataPcsDao.sol` | Automata Mainnet | [0x86f8865bce8be62cb8096b5b94fa3fb3a6ed330c](https://explorer.ata.network/address/0x86f8865bce8be62cb8096b5b94fa3fb3a6ed330c) |
+| `AutomataFmspcTcbDao.sol` | Automata Testnet | [0x9c54C72867b07caF2e6255CE32983c28aFE40F26](https://explorer-testnet.ata.network/address/0x9c54C72867b07caF2e6255CE32983c28aFE40F26) |
+| `AutomataPckDao.sol` | Automata Testnet | [0x722525B96b62e182F8A095af0a79d4EA2037795C](https://explorer-testnet.ata.network/address/0x722525B96b62e182F8A095af0a79d4EA2037795C) |
+| `AutomataPcsDao.sol` | Automata Testnet | [0xcf171ACd6c0a776f9d3E1F6Cac8067c982Ac6Ce1](https://explorer-testnet.ata.network/address/0xcf171ACd6c0a776f9d3E1F6Cac8067c982Ac6Ce1) |
 
 ---
 
@@ -99,7 +66,7 @@ Our DAO implementation can be found in the [`automata_pccs`](./src/automata_pccs
 - Create `.env` file with the provided example.
 
 ```bash
-cp .env.example .env
+cp env/.{network}.env.example .env
 ```
 
 - Compile the contracts

broadcast/ConfigAutomataDao.s.sol/1398243/setAuthorizedCaller-latest.json

@@ -0,0 +1,56 @@
+{
+  "transactions": [
+    {
+      "hash": "0x3ede64d6560753dd5a88642b689b236c12795ab2cf0b9e65f05323c2c16cdede",
+      "transactionType": "CALL",
+      "contractName": null,
+      "contractAddress": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
+      "function": "setCallerAuthorization(address,bool)",
+      "arguments": [
+        "0x3095741175094128ae9F451fa3693B2d23719940",
+        "true"
+      ],
+      "transaction": {
+        "from": "0x7e212e611826122dc69098fbe0f4057b823751f1",
+        "to": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
+        "gas": "0x107fc",
+        "value": "0x0",
+        "input": "0x48213a560000000000000000000000003095741175094128ae9f451fa3693b2d237199400000000000000000000000000000000000000000000000000000000000000001",
+        "nonce": "0xa",
+        "chainId": "0x1555e3"
+      },
+      "additionalContracts": [],
+      "isFixedGasLimit": false
+    }
+  ],
+  "receipts": [
+    {
+      "status": "0x1",
+      "cumulativeGasUsed": "0x15fc3",
+      "logs": [],
+      "logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+      "type": "0x2",
+      "transactionHash": "0x3ede64d6560753dd5a88642b689b236c12795ab2cf0b9e65f05323c2c16cdede",
+      "transactionIndex": "0x1",
+      "blockHash": "0xc99108b148b730d007db3f81c04f69f700d78ed76a7734f7a0b5cf3b84586d8e",
+      "blockNumber": "0x63a23b",
+      "gasUsed": "0xb481",
+      "effectiveGasPrice": "0xfd",
+      "from": "0x7e212e611826122dc69098fbe0f4057b823751f1",
+      "to": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
+      "contractAddress": null,
+      "l1BaseFeeScalar": "0x558",
+      "l1BlobBaseFee": "0x1",
+      "l1BlobBaseFeeScalar": "0xc5fc5",
+      "l1Fee": "0x1ee2b3a3",
+      "l1GasPrice": "0xe1c584a",
+      "l1GasUsed": "0x640"
+    }
+  ],
+  "libraries": [],
+  "pending": [],
+  "returns": {},
+  "timestamp": 1731925082,
+  "chain": 1398243,
+  "commit": "1cc539f"
+}

broadcast/ConfigAutomataDao.s.sol/1398243/updateStorageDao-latest.json

@@ -1,24 +1,24 @@
 {
   "transactions": [
     {
-      "hash": "0x51d73c521d7b3d90f1468ef5d2f5675b8bf667a8903ff87f058aa2c062eba794",
+      "hash": "0xb5c2c0dcb6c55039c22bcfa9374db5ac1b8ea9d9751e45cae0359a4ed206c213",
       "transactionType": "CALL",
       "contractName": null,
-      "contractAddress": "0xe8599dd2366230b7efdd526985c64c7325b27569",
+      "contractAddress": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
       "function": "updateDao(address,address,address,address)",
       "arguments": [
-        "0xD0335cbC73CA2f8EDd98a2BE3909f55642F414D7",
-        "0x6D4cA6AE5315EBBcb4331c82531db0ad8853Eb31",
-        "0x7c04B466DebA13D48116b1339C62b35B9805E5A0",
-        "0x413272890ab9F155a47A5F90a404Fb51aa259087"
+        "0xcf171ACd6c0a776f9d3E1F6Cac8067c982Ac6Ce1",
+        "0x722525B96b62e182F8A095af0a79d4EA2037795C",
+        "0x9c54C72867b07caF2e6255CE32983c28aFE40F26",
+        "0x45f91C0d9Cf651785d93fcF7e9E97dE952CdB910"
       ],
       "transaction": {
-        "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
-        "to": "0xe8599dd2366230b7efdd526985c64c7325b27569",
-        "gas": "0xc34e",
+        "from": "0x7e212e611826122dc69098fbe0f4057b823751f1",
+        "to": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
+        "gas": "0x123b0",
         "value": "0x0",
-        "input": "0x40070f2d000000000000000000000000d0335cbc73ca2f8edd98a2be3909f55642f414d70000000000000000000000006d4ca6ae5315ebbcb4331c82531db0ad8853eb310000000000000000000000007c04b466deba13d48116b1339c62b35b9805e5a0000000000000000000000000413272890ab9f155a47a5f90a404fb51aa259087",
-        "nonce": "0x13a",
+        "input": "0x40070f2d000000000000000000000000cf171acd6c0a776f9d3e1f6cac8067c982ac6ce1000000000000000000000000722525b96b62e182f8a095af0a79d4ea2037795c0000000000000000000000009c54c72867b07caf2e6255ce32983c28afe40f2600000000000000000000000045f91c0d9cf651785d93fcf7e9e97de952cdb910",
+        "nonce": "0xc",
         "chainId": "0x1555e3"
       },
       "additionalContracts": [],
@@ -28,31 +28,31 @@
   "receipts": [
     {
       "status": "0x1",
-      "cumulativeGasUsed": "0x130e5",
+      "cumulativeGasUsed": "0x17e88",
       "logs": [],
       "logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
       "type": "0x2",
-      "transactionHash": "0x51d73c521d7b3d90f1468ef5d2f5675b8bf667a8903ff87f058aa2c062eba794",
+      "transactionHash": "0xb5c2c0dcb6c55039c22bcfa9374db5ac1b8ea9d9751e45cae0359a4ed206c213",
       "transactionIndex": "0x1",
-      "blockHash": "0x3e1771a648b9c31bf53ef0621e6d82b0d89cbd56eeb006e784b7e3a45e74bf18",
-      "blockNumber": "0x11c9dc",
-      "gasUsed": "0x858b",
+      "blockHash": "0xf05688bd67ec1ee30cb0b2ab11c5a9f664909cc483153f08c50bd0dc2f157254",
+      "blockNumber": "0x63b115",
+      "gasUsed": "0xd32e",
       "effectiveGasPrice": "0xfd",
-      "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
-      "to": "0xe8599dd2366230b7efdd526985c64c7325b27569",
+      "from": "0x7e212e611826122dc69098fbe0f4057b823751f1",
+      "to": "0x2bbc0ccc218e63ad4d2bbb7bde1375b092fd38a2",
       "contractAddress": null,
       "l1BaseFeeScalar": "0x558",
-      "l1BlobBaseFee": "0x4",
+      "l1BlobBaseFee": "0x1",
       "l1BlobBaseFeeScalar": "0xc5fc5",
-      "l1Fee": "0x33f41e52f",
-      "l1GasPrice": "0x10e18d2ef",
-      "l1GasUsed": "0x8c9"
+      "l1Fee": "0x3295d6b8c",
+      "l1GasPrice": "0x10a267954",
+      "l1GasUsed": "0x8ae"
     }
   ],
   "libraries": [],
   "pending": [],
   "returns": {},
-  "timestamp": 1721197467,
+  "timestamp": 1731932686,
   "chain": 1398243,
-  "commit": "0a06458"
+  "commit": "9884122"
 }