[New Snap] kobosu #910

Open
4 of 7 tasks
khanti42 opened this issue Oct 24, 2024 · 3 comments · May be fixed by #908

Comments

khanti42 commented Oct 24, 2024

Checklist

All items in the list below need to be satisfied.

  • Is the Snap repository publicly accessible and linked in this ticket: https://github.com/DoggyFiOfficial/dogecoin-snap-public
  • Is the Snap distributed on npm and linked in this ticket: https://www.npmjs.com/package/@doggyfi-official/kobosu
  • Has an audit been performed and the audit report attached or linked in this issue?
  • Is a complete list of discovered vulnerabilities from the audit documented in this issue?
  • For vulnerabilities that have been deemed necessary to be addressed, are the links to the fixes attached to this issue?
  • For vulnerabilities that have been deemed not necessary to be addressed, is a reason for each of them documented in this issue?
  • The corresponding pull request in this repo has been merged.

Audit

Auditor: Sayfer
Link: https://sayfer.io/audits/metamask-snap-audit-report-for-doggyfi/

Security Assessment Findings:

  1. Fees Are Not Displayed to the User (ID: SAY-01)

    • Status: Fixed
    • Risk: Medium
    • Issue: Users were not shown the transaction fees upfront in the confirmation prompt, leading to a potential breach of trust.
    • Mitigation: Fees are now displayed separately in the initial prompt.
  2. Dependencies with Floating Versions (ID: SAY-02)

    • Status: Fixed
    • Risk: Low
    • Issue: Dependencies were not pinned to exact versions, increasing the risk of supply chain attacks.
    • Mitigation: Use of exact versions for all packages is recommended.
  3. Fee Data Not Displayed on Initial Prompt (ID: SAY-03)

    • Status: Acknowledged
    • Risk: Low
    • Issue: While fees are displayed, they only appear after the initial confirmation, which could lead to a poor UX as users might skip later prompts.
    • Mitigation: Fees should be presented in the first prompt.
  4. Development Leftovers (ID: SAY-04)

    • Status: Fixed
    • Risk: Informational
    • Issue: There were comments and unfinished features in the code that had been overlooked.
    • Mitigation: Ensure all known issues are resolved before production.
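The SAY-02 finding above (floating dependency versions) is the one item in the report that can be checked mechanically. The script below is an added example and is not code from the DoggyFi snap, from this repository, or from Sayfer's audit: it scans a package.json object, reports every specifier in `dependencies`, `devDependencies` and `optionalDependencies` that is not an exact version, and suggests the floor version for caret/tilde ranges. The package names in the sample manifest are constructed placeholders.

```javascript
// Added example (not part of the snap, this repo, or the audit): a checker
// for the SAY-02 finding, "Dependencies with Floating Versions".

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release / build suffix.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Sections whose specifiers should be pinned in a shippable artifact.
// peerDependencies are left out on purpose: they describe the host
// environment as a range rather than what actually gets installed.
const PINNED_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// True only for exact versions such as "6.1.5" or "1.0.0-rc.2". Caret and
// tilde ranges, "*", "x", comparators, dist-tags such as "latest", and
// git/URL/file specifiers all count as floating.
function isPinned(spec) {
  return typeof spec === 'string' && EXACT_SEMVER.test(spec.trim());
}

// Walks the manifest and collects every floating specifier it finds.
function findFloatingDeps(manifest) {
  const floating = [];
  for (const section of PINNED_SECTIONS) {
    const deps = manifest[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) floating.push({ section, name, spec });
    }
  }
  return floating;
}

// For a caret/tilde range, returns the lowest version it admits, which is
// the version the author actually tested against. Other forms (dist-tags,
// wildcards, URLs) have no safe automatic answer and are returned
// unchanged so a human resolves them against the lockfile.
function suggestPin(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec.trim());
  return m ? m[1] : spec;
}

// Constructed sample manifest (placeholder package names): two pinned
// and three floating specifiers.
const SAMPLE_MANIFEST = {
  name: 'example-snap',
  version: '0.1.0',
  dependencies: {
    '@example/tx-builder': '6.1.5',
    '@example/buffer-shim': '^6.0.3',
    '@example/wallet-util': '~1.4.0',
  },
  devDependencies: {
    typescript: '5.4.5',
    jest: 'latest',
  },
};

// Audit-style report lines for a manifest; an empty array means every
// dependency in the checked sections is pinned.
function report(manifest) {
  return findFloatingDeps(manifest).map(
    ({ section, name, spec }) =>
      `${section}: ${name} is floating (${spec}); pin to ${suggestPin(spec)}`,
  );
}

// Running this file prints the report for the sample manifest.
console.log(report(SAMPLE_MANIFEST).join('\n') || 'all dependencies pinned');
```

Pinning the manifest is only half of the mitigation: the committed lockfile must be honoured at install time (`npm ci` rather than `npm install`), and `npm config set save-exact true` keeps future `npm install <pkg>` invocations from reintroducing caret ranges.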
@khanti42 khanti42 linked a pull request Oct 24, 2024 that will close this issue
khanti42 (Collaborator, Author) commented:

Production website not live yet: https://doggyfi.xyz/snap. Still demo: https://demo.doggyfi.xyz/snap. Waiting for input from the team on whether they want to proceed with the demo website or whether they can publish to production.

khanti42 (Collaborator, Author) commented:

Team had to make a fix and bumped the version to 0.1.4.

Reason: There was an erroneous line of code in sendDoginal that was never caught, making signing a sendDoginal tx impossible. The builder removed the line, as your team can see here: DoggyFiOfficial/dogecoin-snap-public@f567664#diff-7bf51f3994b5de19f663e7e8fb6ecbf37bcd0989f855752ad7214c1210570268L1272

khanti42 (Collaborator, Author) commented:

Team had to make another small fix and bumped the version to 0.1.5.

Reason: had to fix the sendDune method, see our commit here: DoggyFiOfficial/dogecoin-snap-public@bf1d738
