From @osarrouy:
If I deploy a custom version of the ACL which do not throw some event to hide some permissions - or just deploy a no event version of the ACL before updating the standard one
Then I could give me all right on the finance app without this right being visible in the permission app right?
Currently, DAO creators can modify some critical apps in the DAO or create the DAO with some malicious apps with a custom kit, and the client will show that DAO as a regular DAO, misleading users into thinking they can trust the organization and its permissions.
These are some actionable steps for ensuring smart contract integrity. If any of these checks fail, the client should scream at the user every time they use the DAO, similar to how browsers alert about an invalid HTTPS cert. The items are mainly independent and can be rolled out progressively after we have the warning screen.
kernel contract and check its hash is in a whitelist of known KernelProxy bytecode.implementation of the kernel and check kernelRepo.getLatestVersionForContractAddress(implementation) is not zero (This will require publishing the Kernel to an APM repo, which we currently don't do).[app-name].aragonpm.eth).AppProxyUpgradeable and AppProxyPinned bytecode.implementation and check appRepo.getLatestVersionForContractAddress(implementation) is not zero (specially important for frontend-less apps). Will also require publishing ACL and EVMScriptRegistry to APM.artifact.json and code.sol and compile the code in the browser before showing it to the user), if verification fails display a warning.Hey,
Thanks a lot @izqui for such a clear summary of our discussion.
To complete: I think the integrity-checking process should apply both to the current version of apps but also to their older versions.
Example: if I grant myself a permission through a non event-emitter version of the ACL and then update it to the 'normal' version i can still 'trick' the permission app while the current version of the ACL is completely legit.
This is some kind of an infinite-regression since at some point I still have to trust the source of knowledge regarding the history of apps - _i.e._ the kernel - whose history can also be tricked ...
The solution I see there is :
I'm not sure that's a super cool solution but I think it's worth thinking about it, especially for DAICO-like use case: otherwise the initiators of the DAO could easily leave with the funds ... which is not a super good news !
To keep track of the history of kernel implementations in the KernelProxy itself.
This can't happen in storage as the malicious Kernel implementation could clean up the relevant storage in the proxy. The only possibility is for the KernelProxy to always log its implementation code before doing delegateFwd, as logs cannot be tampered with once emitted. The downside of this would be that checking Kernel integrity would involve checking tons of logs, but this is a process that can be started in the background and in case an issue is detected show a warning. Also this is something users would only need to do once.
Most helpful comment
This can't happen in storage as the malicious Kernel implementation could clean up the relevant storage in the proxy. The only possibility is for the KernelProxy to always log its implementation code before doing
delegateFwd, as logs cannot be tampered with once emitted. The downside of this would be that checking Kernel integrity would involve checking tons of logs, but this is a process that can be started in the background and in case an issue is detected show a warning. Also this is something users would only need to do once.