Merge branch 'master' into add-cli-for-migration

.github/workflows/ci.yaml

@@ -6,7 +6,7 @@ jobs:
   Enclave-Unit-Tests:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
         name: Pull git submodules
@@ -53,7 +53,7 @@ jobs:
   Build-Contracts:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install Requirements
         run: |
           rustup target add wasm32-unknown-unknown
@@ -100,7 +100,7 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [Build-Contracts, Build-LocalSecret]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - uses: actions/setup-go@v4
@@ -181,7 +181,7 @@ jobs:
   Clippy:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Install Intel's SGX SDK
@@ -231,7 +231,7 @@ jobs:
   MacOS-ARM64-CLI:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - uses: actions/setup-go@v4
@@ -251,7 +251,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
         with:
           driver-opts: network=host
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Build LocalSecret
@@ -284,7 +284,7 @@ jobs:
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Build Hermes Image
         uses: docker/build-push-action@v4
         with:
@@ -306,7 +306,7 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [Build-LocalSecret, Build-Hermes]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Download Hermes

.github/workflows/codeql-analysis.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version: 1.18

.github/workflows/go-lint.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: 1.19
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: make bin-data-sw
         run: |
           go install github.com/jteeuwen/go-bindata/go-bindata@latest

.github/workflows/release.yaml

@@ -21,7 +21,7 @@ jobs:
       SPID: ${{ secrets.SPID_TESTNET }}
       API_KEY: ${{ secrets.API_KEY_TESTNET }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Declare Commit Variables
@@ -77,7 +77,7 @@ jobs:
       REGISTRY: ghcr.io
       IMAGE_NAME: scrtlabs/secret-network-node
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Get the version
@@ -148,7 +148,7 @@ jobs:
       matrix:
         os: [ubuntu-20.04, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version: 1.19 # The Go version to download (if necessary) and use.
@@ -165,7 +165,7 @@ jobs:
   MacOS-ARM64-CLI:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
         with:
           go-version: 1.19 # The Go version to download (if necessary) and use.
@@ -190,7 +190,7 @@ jobs:
       API_KEY: ${{ secrets.API_KEY_TESTNET }}
       API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Get the version
@@ -230,7 +230,7 @@ jobs:
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
       - name: Get the version
@@ -262,7 +262,7 @@ jobs:
   Lib-Checks:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/check-objdump
         name: Check Mitigation flags in Cosmwasm Enclave
         with:
@@ -286,7 +286,7 @@ jobs:
       ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Get the version
         id: get_version
         run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\/v/}

CHANGELOG.md

@@ -1,6 +1,6 @@
 # CHANGELOG
 
-# 1.10.0 (Unreleased - WIP)
+# 1.11.0
 
 - Added ibc-hooks middleware by Osmosis.
   - WASM hooks: allows ICS-20 token transfers to initiate contract calls, serving various use cases.
@@ -13,20 +13,25 @@
   - On init, the creator can specify an admin address.
   - The admin can migrate the contract to a new code ID.
   - The admin can update or clear the admin address.
-  - The admins of contracts that were instantiated before v1.10 are hardcoded according to [proposal TODO](https://www.mintscan.io/secret/proposals/TODO).
+  - The admins of contracts that were instantiated before v1.10 are hardcoded according to [proposal 262](./docs/proposals/hardcode-admins-on-v1.10.md).
   - Hardcoded admins can only be updated/cleared with a future gov proposal.
-  - When the new MsgMigrateContract is invoked, the `migrate()` function is being called on the new contract code, where the new contract can optionally perform state migrations. See usage example [here](https://github.com/scrtlabs/SecretNetwork/blob/139a0eb18/cosmwasm/contracts/v1/compute-tests/migration/contract-v2/src/contract.rs#L37-L43).
-- Set hardcoded admins according to [proposal TODO](https://www.mintscan.io/secret/proposals/TODO).
+  - When the new `MsgMigrateContract` is invoked, the `migrate()` function is being called on the new contract code, where the new contract can optionally perform state migrations. See usage example [here](https://github.com/scrtlabs/SecretNetwork/blob/139a0eb18/cosmwasm/contracts/v1/compute-tests/migration/contract-v2/src/contract.rs#L37-L43).
 - Fixed a scenario where the enclave's light client might fail a valid node registration transaction.
 - Add support for uploading contracts that were compiled with Rust v1.70+.
 - Update Cosmos SDK to v0.45.16
 - Update Tendermint to CometBFT v0.34.29
 - Update IBC to v4.4.2
 - Update IAVL to v0.19.6
-- Update Packet Forward Middleware to v4.0.5
+- Update Packet Forward Middleware to v4.1.0
+- Fix initialization of x/vesting module
 - Add `env.transaction.hash` to support SNIP-52
-  - SNIP-52: https://github.com/SolarRepublic/SNIPs/blob/feat/snip-52/SNIP-52.md#notification-data-algorithms
+  - SNIP-52: https://github.com/SolarRepublic/SNIPs/blob/3cc16b7/SNIP-52.md#notification-data-algorithms
   - See usage example [here](https://github.com/scrtlabs/SecretNetwork/blob/4f21d5794/cosmwasm/contracts/v1/compute-tests/test-compute-contract-v2/src/contract.rs#L1398-L1400).
+- Flush the enclave's cache in a random order
+
+# 1.10.0
+
+Patch against SGX Downfall vulnerability. See [v1.10 proposal](./docs/proposals/v1.10.md) for more info.
 
 # 1.9.3
 

cosmwasm/packages/sgx-vm/Cargo.toml

@@ -44,7 +44,7 @@ serde_json = "1.0"
 # wasmer-middleware-common = "=0.17.0"
 # wasmer-clif-backend = { version = "=0.17.0", optional = true }
 # wasmer-singlepass-backend = { version = "=0.17.0", optional = true }
-serde = { version = "1.0.186", default-features = false, features = [
+serde = { version = "1.0.188", default-features = false, features = [
     "derive",
     "alloc"
 ] }
@@ -61,7 +61,7 @@ enclave-ffi-types = { path = "../../enclaves/ffi-types", features = [
 sgx_types = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_types" }
 sgx_urts = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_urts" }
 log = "0.4.20"
-base64 = "0.12.0"
+base64 = "0.21.3"
 parking_lot = "0.11"
 num_cpus = "1.16.0"
 

deployment/dockerfiles/Dockerfile

@@ -80,7 +80,8 @@ RUN git submodule update --remote
 RUN rustup component add rust-src
 RUN cargo install xargo --version 0.3.25
 
-RUN . /opt/sgxsdk/environment && env && LD_LIBRARY_PATH=/opt/sgxsdk/lib64 FEATURES="$(echo \"${FEATURES}\" | perl -pe 's/go-tests|debug-print//g')" MITIGATION_CVE_2020_0551=${MITIGATION_CVE_2020_0551} SGX_MODE=${SGX_MODE} FEATURES_U="$(echo \"${FEATURES_U}\" | perl -pe 's/go-tests|debug-print//g')" make build
+RUN . /opt/sgxsdk/environment && env && LD_LIBRARY_PATH=/opt/sgxsdk/lib64 FEATURES="$(echo ${FEATURES} | perl -pe 's/go-tests|debug-print//g')" MITIGATION_CVE_2020_0551=${MITIGATION_CVE_2020_0551} SGX_MODE=${SGX_MODE} FEATURES_U="$(echo \"${FEATURES_U}\" | perl -pe 's/go-tests|debug-print//g')" make build
+
 
 # ***************** COMPILE SECRETD ************** #
 FROM $SCRT_BASE_IMAGE_ENCLAVE AS compile-secretd
@@ -238,13 +239,13 @@ FROM release-image as mainnet-release
 ARG BUILD_VERSION="v0.0.0"
 ENV VERSION=${BUILD_VERSION}
 
-RUN STORAGE_PATH=`echo ${VERSION} | sed -e 's/\.//g' | head -c 2` \
+RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \
     && wget -O /usr/lib/librust_cosmwasm_enclave.signed.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/librust_cosmwasm_enclave.signed.so
-RUN STORAGE_PATH=`echo ${VERSION} | sed -e 's/\.//g' | head -c 2` \
+RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \
     && wget -O /usr/lib/libgo_cosmwasm.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/libgo_cosmwasm.so
-RUN STORAGE_PATH=`echo ${VERSION} | sed -e 's/\.//g' | head -c 2` \
+RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \
     && wget -O /usr/lib/librandom_api.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/librandom_api.so
-RUN STORAGE_PATH=`echo ${VERSION} | sed -e 's/\.//g' | head -c 2` \
+RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \
     && wget -O /usr/lib/tendermint_enclave.signed.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/tendermint_enclave.signed.so
 
 COPY deployment/docker/mainnet/mainnet_node.sh .

docs/proposals/v1.11.md

@@ -0,0 +1,38 @@
+# Secret Network v1.11 Upgrade
+
+This proposal recommends that the chain undergo a software upgrade to version v1.11 of the Secret Network codebase on secret-4 block **TODO**. The estimated time for the upgrade is **Tuesday, September 26, 2023, at ~2pm UTC**.
+
+Since block times can vary significantly, we advise monitoring the chain for a more precise upgrade time. ETA monitor: [mintscan.io/secret/blocks/TODO](https://dev.mintscan.io/secret/blocks/TODO).
+
+## Upgrade Highlights
+
+- Added ibc-hooks middleware by Osmosis.
+  - WASM hooks: allows ICS-20 token transfers to initiate contract calls, serving various use cases.
+    - Example: Sending tokens to Secret and immediately wrapping them as SNIP-20 token. For example, `ATOM on Hub -> ATOM on Secret -> sATOMS on Secret` (2 transactions on 2 chains) now becomes `ATOM on Hub -> sATOM on Secret` (1 transaction).
+    - Example: Cross-chain swaps. Using IBC Hooks, an AMM on Secret can atomically swap tokens that originated on a different chain and are headed to Secret. The AMM can also send those tokens back to the originating chain.
+    - [Axelar GMP](https://docs.axelar.dev/dev/general-message-passing/overview): Using IBC Hooks, a contract on Ethereum can call a contract on Secret and get a response back.
+  - Ack callbacks: allow non-IBC contracts that send an `IbcMsg::Transfer` to listen for the ack/timeout of the token transfer. This allows these contracts to definitively know whether the transfer was successful or not and act accordingly (refund if failed, continue if succeeded). See usage example [here](https://github.com/scrtlabs/secret.js/blob/4293219/test/ibc-hooks-contract/src/contract.rs#L47-L91).
+- Added an optional `memo` field to `IbcMsg::Transfer`, to ease to use of the IBC Hooks ack callbacks feature. See usage example [here](https://github.com/scrtlabs/secret.js/blob/4293219/test/ibc-hooks-contract/src/contract.rs#L60-L63).
+- Added contract upgrade feature.
+  - On init, the creator can specify an admin address.
+  - The admin can migrate the contract to a new code ID.
+  - The admin can update or clear the admin address.
+  - The admins of contracts that were instantiated before v1.10 are hardcoded according to [proposal 262](https://github.com/scrtlabs/SecretNetwork/blob/ab1852727/docs/proposals/hardcode-admins-on-v1.10.md).
+  - Hardcoded admins can only be updated/cleared with a future gov proposal.
+  - When the new `MsgMigrateContract` is invoked, the `migrate()` function is being called on the new contract code, where the new contract can optionally perform state migrations. See usage example [here](https://github.com/scrtlabs/SecretNetwork/blob/139a0eb18/cosmwasm/contracts/v1/compute-tests/migration/contract-v2/src/contract.rs#L37-L43).
+- Fixed a scenario where the enclave's light client might fail a valid node registration transaction.
+- Add support for uploading contracts that were compiled with Rust v1.70+.
+- Update Cosmos SDK to v0.45.16
+- Update Tendermint to CometBFT v0.34.29
+- Update IBC to v4.4.2
+- Update IAVL to v0.19.6
+- Update Packet Forward Middleware to v4.1.0
+- Fix initialization of x/vesting module
+- Add `env.transaction.hash` to support SNIP-52
+  - SNIP-52: https://github.com/SolarRepublic/SNIPs/blob/3cc16b7/SNIP-52.md#notification-data-algorithms
+  - See usage example [here](https://github.com/scrtlabs/SecretNetwork/blob/4f21d5794/cosmwasm/contracts/v1/compute-tests/test-compute-contract-v2/src/contract.rs#L1398-L1400).
+- Flush the enclave's cache in a random order
+
+## Upgrade Instructions
+
+See [docs.scrt.network](https://docs.scrt.network/secret-network-documentation/infrastructure/upgrade-instructions/v1.11) for upgrade instructions.