docs/firewall.md
16 additions & 1 deletion
@@ -11,9 +11,12 @@ The primary purpose of the `HookTargetFirewall` is to enforce security policies
11
11
1. Each vault can have its own security policy, including:
12
12
- A set of accepted attesters
13
13
- Thresholds for incoming and outgoing transfers (both constant and accumulated within a transaction)
14
+
- An operation counter threshold to limit the frequency of operations that do not require attestation
14
15
2. The contract intercepts key vault operations like `deposit`, `withdraw`, `mint`, `redeem`, `borrow`, and `repay`, validating them against the stored policy.
15
16
3. For transactions exceeding defined thresholds, `HookTargetFirewall` requires an appropriate attestation to be obtained and saved in the `SecurityValidator` contract prior to the operation being executed.
16
-
4. The contract implements an operation counter to prevent replay attacks and preserve the integrity of operations even if they do not require checkpoints to be executed. Operation counter is incremented for each intercepted operation.
17
+
4. The contract implements a sliding window mechanism to track frequency of operations that do not require attestation, using bit manipulation for gas-efficient storage and calculation.
18
+
5. The contract implements an operation counter to prevent replay attacks and preserve the integrity of operations even if they do not require attestation. Operation counter is incremented for each intercepted operation.
19
+
6. The firewall ensures that only authorized vaults (proxies deployed by the recognized EVault factory) can use it.
17
20
18
21
## How It Works
19
22
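Review bot: "Operation counter" now names two different things in this list. The new policy bullet ("An operation counter threshold to limit the frequency of operations that do not require attestation") refers to the frequency limit that item 4 implements with the sliding window, while item 5 keeps the same name for the counter that is incremented on every intercepted operation to prevent replay. Consider giving the frequency limit its own name in the bullet and in item 4, for example "operation frequency threshold", so readers do not conflate the two. Item 3 should also say whether exceeding that threshold makes an attestation mandatory in the same way as the transfer thresholds, because the list never states what happens once it is exceeded.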
@@ -48,3 +51,15 @@ The reference amount is quantized using a logarithmic function (`log1.01`) befor
48
51
### Handling of Maximum Values
49
52
50
53
When operations involve `type(uint256).max` as an amount (often used to represent "all available" in token operations), special handling is required. The `HookTargetFirewall` resolves these maximum values to concrete asset amounts before applying thresholds and computing checkpoint hashes.
54
+
55
+
### Operation Counter Mechanism
56
+
57
+
The `HookTargetFirewall` uses a sliding window approach to track frequency of operations that do not require attestation:
58
+
59
+
1. It uses a `uint96` to store three 32-bit counters, each representing a 1-minute window.
60
+
2. As time passes, the counters are shifted, and new operations increment the current window's counter.
61
+
3. The total operation count over the last 3 minutes is used to determine if the operation frequency threshold has been exceeded.
62
+
63
+
### Vault Authentication
64
+
65
+
The `HookTargetFirewall` ensures that only authorized vaults can use its services. It uses the `GenericFactory` contract to verify that the calling vault is a proxy deployed by the recognized EVault factory.
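Review bot: Step 2 of the new "Operation Counter Mechanism" section says the counters are shifted "as time passes", but the `uint96` in step 1 is fully occupied by the three 32-bit counters, so the text leaves open where the time of the last update is kept and how the number of elapsed windows is derived. Please document that, together with what happens when more than three minutes pass between operations and whether the windows are aligned to fixed minute boundaries, since that decides whether "the last 3 minutes" in step 3 is an exact or an approximate span. The section should also state the outcome when the frequency threshold is exceeded, and its heading reuses "Operation Counter" for what the text describes as a frequency tracker. In "Vault Authentication", say what a caller that is not a proxy deployed by the recognized EVault factory receives, for example a revert.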