I have 2 contracts:
- first one is multisig2 from https://github.com/near/core-contracts/tree/master/multisig2 deployed on testnet at `multisig.company1.mtestaccount.testnet`
- second one is my custom contract with a 'privileged' method `issue_new_shares` that should only be called from the multisig2 contract after 2 confirmations (let's say `alice.testnet` followed by `bob.testnet`).

In my custom contract, I am checking that the predecessor is the multisig2 contract. Is this sufficient to enforce the 'privilege'? Any security issue with this approach?
```rust
use near_sdk::borsh::{self, BorshDeserialize, BorshSerialize};
use near_sdk::{env, near_bindgen, AccountId, PanicOnDefault};

// State struct assumed from the description below: holds the single account allowed to call admin methods.
#[near_bindgen]
#[derive(BorshDeserialize, BorshSerialize, PanicOnDefault)]
pub struct Contract {
    allowed_admin_caller: AccountId,
}

#[near_bindgen]
impl Contract {
    pub fn issue_new_shares(&mut self, num_new_shares: u32) {
        self.verify_caller();
        // do privileged stuff
    }

    // allowed_admin_caller is initialized to multisig.company1.mtestaccount.testnet
    fn verify_caller(&self) {
        assert!(
            self.allowed_admin_caller == env::predecessor_account_id(),
            "Privileged method can only be invoked by authorized multisig contract as the predecessor"
        );
    }
}
```
Docs mention that we should check the `signer_account_id()` for security. However in this case, the 4 authorized entities who can confirm (including alice and bob) are defined in multisig2. My custom contract has no knowledge of them, so I cannot check the `signer_account_id`. Is my approach to check `predecessor_account_id` sane, or am I missing a big security gap here?
Hopped on a call during NEAR office hours and the dev team confirmed that checking `predecessor_account_id` is the right approach in this case. I am set for now! Also, this is a great reference to read through: https://medium.com/near-devs/5-things-i-wish-someone-had-told-me-while-learning-to-make-smart-contracts-1b02441ee162