graphprotocol / indexer-rs / 24572078396 / 1
71%
main: 71%

Build:
DEFAULT BRANCH: main
Ran 17 Apr 2026 03:11PM UTC
Files 100
Run time 6s

17 Apr 2026 03:06PM UTC coverage: 71.011% (-0.1%) from 71.127%
24572078396.1

push

github

web-flow
TRST-H-2 to H-6: Consolidated fixes from Trust Security audit (#1010)

* fix(service): TRST-H-2 -- reject V2 receipts with non-zero collection_id prefix

The AllocationEligible check only examines the trailing 20 bytes of a
32-byte collection_id, while storage persists all 32 bytes. The tap-agent
reconstructs collection_id with zero-padded prefix, so receipts with
non-zero prefix bytes pass validation but are invisible to RAV aggregation,
enabling theft of service.

Reject any V2 receipt where collection_id[0..12] is not all zeros.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(monitor): TRST-H-3 -- add collector filter to V2 escrow account query

The V2 escrow query did not filter by collector, allowing an attacker to
inflate a payer's perceived balance by depositing to a fake collector
contract. Adds a required graph_tally_collector_address config field and
passes it as a collector filter in the GraphQL query.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(monitor): TRST-H-4 -- add pagination and balance filter to V2 escrow account query

The V2 escrow accounts GraphQL query omitted pagination parameters,
defaulting to first: 100. An attacker could deposit 1 wei from hundreds
of fake payer addresses to crowd out legitimate payers, blinding the
indexer to all real balances and signer mappings.

Add skip/first pagination with a loop that accumulates all pages, pin
to block hash from the first page for consistent reads, filter out
accounts below 0.1 GRT at the subgraph level, and cap nested signers
at 1000 per payer. Log page and account counts after pagination and
warn when pages exceed 5 or any payer hits the signer cap.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(tap-agent): TRST-H-5 -- apply rav_request_timeout to gRPC Endpoint

The rav_request_timeout config field was defined and validated but never
applied to the tonic Endpoint. A malicious aggregator cou... (continued)
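
The TRST-H-2 mismatch described in the commit message above, as an added Rust example that is not code from indexer-rs: an eligibility check on the trailing 20 bytes, storage keyed by all 32 bytes, and aggregation that looks up a zero-padded key. All type and function names are hypothetical, the receipts are constructed, and a `HashMap` stands in for receipt storage.

```rust
// Added illustration of TRST-H-2; every name here is hypothetical, not indexer-rs code.
use std::collections::HashMap;

type CollectionId = [u8; 32];
type Address = [u8; 20];

/// Rebuild the key the way the aggregation side does: 12 zero bytes, then the address.
fn zero_padded(addr: &Address) -> CollectionId {
    let mut id = [0u8; 32];
    id[12..].copy_from_slice(addr);
    id
}

/// Check as described before the fix: only the trailing 20 bytes are examined.
fn accept_before_fix(id: &CollectionId, eligible: &[Address]) -> bool {
    eligible.iter().any(|a| a[..] == id[12..])
}

/// Check after the fix: collection_id[0..12] must also be all zeros.
fn accept_after_fix(id: &CollectionId, eligible: &[Address]) -> bool {
    id[..12].iter().all(|b| *b == 0) && accept_before_fix(id, eligible)
}

/// Store accepted receipts by full 32-byte id; return (stored, visible via zero-padded key).
fn stored_vs_aggregated(
    receipts: &[(CollectionId, u128)],
    eligible: &[Address],
    accept: fn(&CollectionId, &[Address]) -> bool,
) -> (u128, u128) {
    let mut store: HashMap<CollectionId, u128> = HashMap::new();
    for (id, value) in receipts.iter().filter(|(id, _)| accept(id, eligible)) {
        *store.entry(*id).or_insert(0) += *value;
    }
    let visible: u128 = eligible.iter().filter_map(|a| store.get(&zero_padded(a))).sum();
    (store.values().sum(), visible)
}

/// Constructed sample: one honest receipt (10) and one with a non-zero prefix byte (90).
fn sample() -> (Vec<(CollectionId, u128)>, Vec<Address>) {
    let (alloc, mut crafted) = ([0xAB_u8; 20], zero_padded(&[0xAB; 20]));
    crafted[0] = 1;
    (vec![(zero_padded(&alloc), 10), (crafted, 90)], vec![alloc])
}

fn main() {
    let (r, e) = sample();
    println!("before: {:?}", stored_vs_aggregated(&r, &e, accept_before_fix));
    println!("after:  {:?}", stored_vs_aggregated(&r, &e, accept_after_fix));
}
```

A gap between the two numbers in the "before" tuple is value that was accepted and stored but never reaches aggregation; with the prefix check the two numbers match.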

10624 of 14961 relevant lines covered (71.01%)

111.22 hits per line

  • 2bfa50f9 on github