
Contract Upgrade Safety — starforge upgrade Lacks WASM Hash Verification #11

Description

@Nanle-code

Overview

src/commands/upgrade.rs handles contract upgrade proposals but lacks a critical safety check: verifying the new WASM hash on-chain matches the local file before proposing an upgrade. A supply-chain attack or accidental wrong file could silently upgrade a mainnet contract with malicious code.

Resolution

Before proposing an upgrade:

1. Compute sha256(local_wasm_bytes) as in deploy.rs.
2. If the WASM was already uploaded, fetch the on-chain WASM using a getLedgerEntries call for the WASM entry key (LedgerKey::ContractCode(LedgerKeyContractCode { hash })).
3. Compute the hash of the fetched on-chain bytes and assert it matches the local hash.
4. Run a simulateTransaction for the upgrade operation and parse the auth entries; display any ContractAuth entries that would be invoked, so the user can see exactly what authorization the upgrade requires.
5. For --multisig upgrades, enforce that the threshold signature weight is met before calling execute: fetch the account's current signers from Horizon and cross-reference against locally available wallets.
6. Add a rollback command that fetches the previous WASM hash from ledger entry historical data and proposes reverting to it.
