-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC - ERC-165s lack of impact #130
Comments
Also here's a direct link to the EIP |
Test are passing Requirements are:
|
ok thanks. I missed that your example contract was using |
Upvote, support, agree, please merge |
Agree for ERC-165 unless the implementation breaks this:
About this:
Agree only in cases where the EIP uses Why should someone implement an EIP and not follow the requirements? They were created to have common standards between external contracts. |
If you desire to defend EIP-165, by the same logic you have to prove that there is a |
https://github.com/code-423n4/2023-08-chainlink-findings/issues/522 - this ERC-165 issue looks like a valid MEDIUM to me because other contracts in the system expect the interface to be supported. I think ERCs/EIPs should be respected and enforced because they are typically designed to help make the ecosystem more secure. Protocol integrations are always tricky and it is ERCs like ERC-165 that help make it less so. Also, I think it is a clear CONFLICT OF INTEREST for @GalloDaSballo to be lobbying for invalidating ERC-165-related findings while judging is still ongoing for Chainlink. @GalloDaSballo has participated as a warden in that contest and, intentional or not, he stands to personally benefit from invalidating that ERC-165-related finding. It is unfair for other wardens for @GalloDaSballo to be able to exert such influence in his capacity as a Judge and as part of the C4 Supreme Court so that he benefits as a warden. |
In contrast to your comment, my discussion has no mention of specific findings and instead focuses on logical aspects
Statement that you conveniently make, which you would as rapidly disregard if this was taken at face value.
|
I was confused about this whole org issue because it didn't link to any specific previous finding that would fall into its category. It did say, however, "lack of impact", so I assumed it would be restricted to such cases. If there is an impact as has been shown, then it should not be arbitrarily downgraded. @GalloDaSballo can you link to a separate public finding that you think it would apply to, and another that it would not, just so we're all on the same page? |
that sounds like the court already has an outcome/agenda that they're trying to push, rather than taking up issues that the community has actually struggled with and have strong documented opinions on from both sides (process says |
Sounds sensible enough!
e.g. EIP-165 being used by a protocol internally, where an identified incorrect implementation would brick the protocol (one could assume such a thing should be picked up during integration testing, but there is a saying about assumptions) |
I'm for having EIP-165 issues as QA. |
Upvote, agree. EIP-165 related issues should be informational |
I can probably count in 1 hand the no. of times I've seen usage of ERC165 to check for contract compliance. agree with QA. |
The following is a discussion on how ERC-165 can be weaponized to create findings that are awarded, with little to no value and with no meaningful impact, under reasonable circumstances.
While ERC-165 is used as an example, the discussion could be extended to other EIPs for which the impact is theoretical in the majority of circumnstances and informational in the rest.
Rationale on the document
ERC-165 is an example of a EIP that by definition has no impact under rational pre-requisites
The ERC specifies a way to signal and determine if a certain interface is implemented
The wording of the ERC, which was published after EIP-1 which defined the wording to be used, is not clear and doesn't use the same keywords that other ERCs use.
More specifically the ERC doesn't even use the keywords
MUST
andSHOULD
.The only scenarios that have been offered over time are all strawman scenarios of an imaginary implementer that uses ERC-165 without actually reading the implementation of a contract. Or some appeal to a EIP compliance with little to no impact.
Recommendation
For EIPs that have opinions, the Judge should make their own judgment
If an EIP requires too many pedantic hypotheticals, with little to no impact, under any reasonable circumstances, the implementation of the EIP should not be considered a Medium Severity, but only a QA finding.
Plea for rationality and demonstration by absurd
By applying the myopic, zero-sum game approach that would justify a Medium Severity for lack of an interface implementation, I'll argue that ERC-165 compliance doesn't actually require implementing anything besides the interface and the functionality for the 2 instances that are a MUST.
The following is a discussion by absurd and hopefully we will be able to laugh about this discussion in the future
Impact
ERC-165 requires implementing the following interface
While the author meant to say that ERC-165 MUST implement the function, they used the lowercase
shall
which is not to be confused with therfc2119
definedMUST
, meaning that technically speaking the ERC doesn't require any implementationConclusion 1
ERC-165 requires no code to have a compliant contract
Further Impact, no need for any implementation
By the same logic, we can quote the ERC
Which is different from saying that the contract MUST return true for the interfaces that it implements.
Meaning that we can myopically conclude that a ERC-165 compliant contract is written in the following way
As such any contract that states they use ERC-165 would be compliant as long as it meets those 2 requirements
Any additional requirements, due to a lack of KEYWORDS would not be required.
Any lacking interface in this case would not be breaking the ERC, it would simply be signaling that the contract is not implementing the interface, which doesn't imply that the contract doesn't have implementation for said interface.
Obviously having the above contract is an exercise in futility, as it defeats the goal of the ERC.
However, as discussed above, this demonstrates how the logic that has been used in the past cuts both ways and can be used to dismantle the very ERC that was used to myopically generate findings.
Conclusion
Similar EIPs where the definitions are shaky, the impacts are non-existent, should not be considered for HM awards.
Appendix
Definitions of MUST and SHOULD:
https://datatracker.ietf.org/doc/html/rfc2119
The text was updated successfully, but these errors were encountered: