Commit
fix(orchestration): denomAmounts must be non-negative (#10458)
closes: #XXXX
refs: #9532 which seems to be where the `M.bigint()` came from

## Description

The `DenomAmountShape` was using only `M.bigint()` to validate a DenomAmount, which misses an opportunity to easily ensure that these amount values never go negative. This PR changes this to `M.nat()`, making it consistent with the immediately following `AnyNatAmountShape` as well.

### Security Considerations

Accidentally admitting negative value amounts might enable attacks allowing overdrawn spending or creation of new units. There may or may not be such a security vulnerability in this code, depending on whether the non-negative condition is ensured by other means, which I cannot determine. But fixing this is *at least* a belt-and-suspenders enforcement, through a declarative expression of the constraint.

### Scaling Considerations

none

### Documentation Considerations

should just remove the need to explain something else for the programmer to worry about.

### Testing Considerations

If we can find an actual vulnerability that this PR fixes, then we could test the difference. But I have not.

### Upgrade Considerations

If there are any such negative values in existing use, this PR is likely to break them. But their presence likely indicates corruption, and we'd be better off causing a failure rather than proceeding silently to corrupt other state.
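The difference between the two shapes, as an added example that is not part of this commit or of the Agoric code base: it uses a tiny stand-in for the `M.bigint()` / `M.nat()` matchers rather than the real `@endo/patterns` library, and the `debit` ledger function and the `uexample` denom are constructed for illustration.

```javascript
// Minimal stand-in for the pattern matchers named in the commit message.
// This is NOT @endo/patterns; each matcher is just a predicate here so the
// example runs offline and shows why M.bigint() vs M.nat() matters.
const M = {
  // Accepts any bigint, negative ones included (the shape before the fix).
  bigint: () => (v) => typeof v === 'bigint',
  // Accepts only non-negative bigints (the shape after the fix).
  nat: () => (v) => typeof v === 'bigint' && v >= 0n,
  string: () => (v) => typeof v === 'string',
  // Record shape: every listed field must be present and match its matcher.
  record: (fields) => (v) =>
    v !== null &&
    typeof v === 'object' &&
    Object.keys(fields).every((k) => k in v && fields[k](v[k])),
};

// Specimen/pattern check, mirroring the `matches(specimen, pattern)` idea.
const matches = (specimen, pattern) => pattern(specimen);

// Before the PR: `value` validated with M.bigint().
const DenomAmountShapeBefore = M.record({ denom: M.string(), value: M.bigint() });
// After the PR: `value` validated with M.nat(), so negatives are rejected
// declaratively at the shape boundary.
const DenomAmountShapeAfter = M.record({ denom: M.string(), value: M.nat() });

// Constructed toy ledger debit that trusts whatever the shape admitted.
// With the old shape a negative amount passes both checks and *increases*
// the balance, which is the overdraw / unit-creation risk the PR describes.
const debit = (balance, amount, shape) => {
  if (!matches(amount, shape)) throw new RangeError('invalid DenomAmount');
  if (amount.value > balance) throw new RangeError('insufficient funds');
  return balance - amount.value;
};

// Constructed sample amounts (denom string is a placeholder, not a real one).
const negativeAmount = { denom: 'uexample', value: -5n };
const normalAmount = { denom: 'uexample', value: 30n };
```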