*: strengthen checks for fetching deposits from API #4541
Pull request overview
This PR strengthens validation of deposit data fetched from the Obol API by deriving the ETH2 network from the lock file earlier and using it to BLS-verify partial and aggregated deposit signatures, reducing the chance that malformed or misleading API responses can poison the aggregated deposit signature.
Changes:
- Derive `network` from the cluster lock fork version before fetching deposits, and pass it through to the API client.
- Extend `obolapi.Client.GetFullDeposit` to accept `network` and BLS-verify each partial signature against its claimed share, plus verify the final aggregated signature.
- Update the Obol API deposit test to pass `network` into `GetFullDeposit`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cmd/depositfetch.go | Computes network earlier and passes it into full-deposit fetching. |
| app/obolapi/deposit.go | Adds network param and verifies partial + aggregated signatures; adds extra response sanity checks. |
| app/obolapi/deposit_test.go | Updates test call site to include network argument. |
Codecov Report
❌ Patch coverage is
Additional details and impacted files
```
@@            Coverage Diff             @@
##             main    #4541      +/-   ##
==========================================
+ Coverage   57.08%   57.13%   +0.04%
==========================================
  Files         245      245
  Lines       33003    33020      +17
==========================================
+ Hits        18839    18865      +26
+ Misses      11787    11779       -8
+ Partials     2377     2376       -1
```
Do a bit more verification on the data fetched from the API. Nothing that was breaking initially, though.
category: misc
ticket: none