onflow/flow-ft

Make TokenForwarder and Switchboard target capabilities retrievable

alilloig opened this issue · 0 comments

Issue To Be Solved

Add a few helper methods that will make it easier to validate underlying receiver capabilities in the TokenForwarder and FungibleTokenSwitchboard contracts. Without this, it is much harder to know what we are looking at under the hood, which means that malicious users could set up any number of roundabout ways to make receivers actually invalid (like an infinite loop of receivers that will drain all gas in a transaction).

Made a brief diagram to showcase this problem; it applies to both TokenForwarding and the Switchboard:
[Diagram: flow-ft]

In any case, without some mechanism to investigate what is being referenced in the forwarder or switchboard resources, there isn't a way on-chain to ensure that what we are sending through can actually reach its destination. Because of that, I can "poison" the chain of resources anywhere down the line to prevent a token vault from being able to be sent.

With these editions, we can make some form of validator that only permits a maximum depth, and rejects the deposit if it goes beyond that. This will allow marketplaces to be defensive and reject vault distribution if it goes too far, or if it has the wrong type along its chain (a non-forwarder or switchboard).

#112
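
The depth-limited validator described in the issue, modelled off-chain in Python as an added example; it is not code from the issue or from the flow-ft contracts. The `Receiver` class, the `registry` dictionary and `validate_chain` are hypothetical names, the sample registries are constructed, and requiring every switchboard target to be valid is an assumption of this model.

```python
from dataclasses import dataclass, field

# Receiver kinds that only pass tokens on to another receiver.
ROUTERS = {"forwarder", "switchboard"}

@dataclass
class Receiver:
    kind: str                                    # "vault", "forwarder", "switchboard", or other
    targets: list = field(default_factory=list)  # ids of the underlying receivers

def validate_chain(registry, start, max_depth):
    """Walk every path from `start`; return (ok, detail).

    A chain is accepted only if each path ends in a vault within
    `max_depth` hops and passes through nothing but forwarders and
    switchboards on the way.
    """
    deepest = 0
    stack = [(start, 0, frozenset())]            # (receiver id, depth, ids already on this path)
    while stack:
        rid, depth, seen = stack.pop()
        if rid in seen:
            return False, f"loop back to {rid}"
        if depth > max_depth:
            return False, f"depth limit {max_depth} exceeded at {rid}"
        node = registry.get(rid)
        if node is None:
            return False, f"unresolvable target {rid}"
        if node.kind == "vault":                 # a real destination: this path is fine
            deepest = max(deepest, depth)
            continue
        if node.kind not in ROUTERS or not node.targets:
            return False, f"{rid} is not a forwarder or switchboard with a target"
        stack.extend((t, depth + 1, seen | {rid}) for t in node.targets)
    return True, f"max depth {deepest}"

# Constructed sample data: a legitimate chain, a loop, and a wrong type.
SAMPLE = {
    "market": Receiver("forwarder", ["sb"]),
    "sb": Receiver("switchboard", ["v1", "fw2"]),
    "fw2": Receiver("forwarder", ["v2"]),
    "v1": Receiver("vault"),
    "v2": Receiver("vault"),
}
LOOP = {"a": Receiver("forwarder", ["b"]), "b": Receiver("forwarder", ["a"])}
WRONG_TYPE = {"a": Receiver("forwarder", ["x"]), "x": Receiver("nft_collection")}

if __name__ == "__main__":
    for name, reg, start in [("sample", SAMPLE, "market"), ("loop", LOOP, "a"), ("wrong type", WRONG_TYPE, "a")]:
        print(name, validate_chain(reg, start, 3))
```
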