audit: security fixes and fuzzing infrastructure for vc-vault v1 acta

.gitignore

@@ -1,5 +1,7 @@
-/target
-/Cargo.lock
+**/target
+**/Cargo.lock
 tarpaulin-report.html
 **/test_snapshots/
 .soroban/
+**/fuzz/corpus/
+**/fuzz/artifacts/

Cargo.toml

@@ -4,13 +4,13 @@ resolver = "2"
 members = ["contracts/vc-vault"]
 
 [workspace.package]
-version = "0.20.0"
+version = "0.21.0"
 edition = "2021"
 license = "Apache-2.0"
 repository = "https://github.com/ACTA-Team/contracts"
 
 [workspace.dependencies]
-soroban-sdk = { version = "21.0.0" }
+soroban-sdk = { version = "23.4.0" }
 
 [profile.release]
 opt-level = "z"
@@ -22,6 +22,7 @@ panic = "abort"
 codegen-units = 1
 lto = true
 
+# For more information about this profile see https://soroban.stellar.org/docs/basic-tutorials/logging#cargotoml-profile
 [profile.release-with-logs]
 inherits = "release"
 debug-assertions = true

contracts/vc-vault/Cargo.toml

@@ -6,7 +6,7 @@ license = { workspace = true }
 repository = { workspace = true }
 
 [lib]
-crate-type = ["cdylib"]
+crate-type = ["rlib"]
 
 [dependencies]
 soroban-sdk = { workspace = true }

contracts/vc-vault/fuzz/Cargo.toml

@@ -0,0 +1,62 @@
+[workspace]
+
+[package]
+name = "vc-vault-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1", features = ["derive"] }
+
+[dependencies.vc-vault-contract]
+path = ".."
+
+[dependencies.soroban-sdk]
+version = "23.4.0"
+features = ["testutils"]
+
+# Disable default features to speed up build; re-enable only what fuzz targets need.
+[profile.release]
+opt-level = 3
+debug = false
+
+[[bin]]
+name = "fuzz_issue"
+path = "fuzz_targets/fuzz_issue.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_revoke"
+path = "fuzz_targets/fuzz_revoke.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_verify_vc"
+path = "fuzz_targets/fuzz_verify_vc.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_push"
+path = "fuzz_targets/fuzz_push.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_issuer_ops"
+path = "fuzz_targets/fuzz_issuer_ops.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_lifecycle"
+path = "fuzz_targets/fuzz_lifecycle.rs"
+test = false
+doc = false

contracts/vc-vault/fuzz/fuzz_targets/common.rs

@@ -0,0 +1,28 @@
+//! Shared helpers for all fuzz targets.
+
+use soroban_sdk::{testutils::Address as _, Address, Env, String as SStr};
+use vc_vault_contract::contract::{VcVaultContract, VcVaultContractClient};
+
+/// Truncate a Rust string to a safe length and convert to a Soroban String.
+/// Soroban Strings are limited; 256 bytes is well within bounds.
+pub fn s(env: &Env, input: &str) -> SStr {
+    let safe = &input[..input.len().min(256)];
+    SStr::from_str(env, safe)
+}
+
+/// Create a fresh environment with all auths mocked, register the contract,
+/// initialize it, and return (env, contract_id, admin, owner, issuer, client).
+pub fn setup(
+    env: &Env,
+) -> (Address, Address, Address, Address, VcVaultContractClient<'_>) {
+    env.mock_all_auths();
+    let admin = Address::generate(env);
+    let issuer = Address::generate(env);
+    let owner = Address::generate(env);
+    let cid = env.register(VcVaultContract, ());
+    let client = VcVaultContractClient::new(env, &cid);
+    client.initialize(&admin);
+    client.create_vault(&owner, &s(env, "did:fuzz:owner"));
+    client.authorize_issuer(&owner, &issuer);
+    (admin, issuer, owner, cid, client)
+}

contracts/vc-vault/fuzz/fuzz_targets/fuzz_issue.rs

@@ -0,0 +1,41 @@
+//! Fuzzes issue() with arbitrary vc_id, vc_data, issuer_did, and fee_override.
+//!
+//! Invariant checked: if issue() succeeds, verify_vc() must return Valid
+//! and list_vc_ids() must contain the vc_id.
+
+#![no_main]
+
+mod common;
+
+use arbitrary::Arbitrary;
+use common::{s, setup};
+use libfuzzer_sys::fuzz_target;
+use soroban_sdk::Env;
+use vc_vault_contract::model::VCStatus;
+
+#[derive(Arbitrary, Debug)]
+struct FuzzInput {
+    vc_id: String,
+    vc_data: String,
+    issuer_did: String,
+    /// i64 used because arbitrary does not cover all of i128; cast on use.
+    fee_override: i64,
+}
+
+fuzz_target!(|input: FuzzInput| {
+    let env = Env::default();
+    let (_admin, issuer, owner, cid, client) = setup(&env);
+
+    let vc_id = s(&env, &input.vc_id);
+    let vc_data = s(&env, &input.vc_data);
+    let issuer_did = s(&env, &input.issuer_did);
+    let fee = input.fee_override as i128;
+
+    let result = client.try_issue(&owner, &vc_id, &vc_data, &cid, &issuer, &issuer_did, &fee);
+
+    if let Ok(Ok(_)) = result {
+        // Issue succeeded: verify_vc must return Valid and vc_id must be indexed.
+        assert_eq!(client.verify_vc(&owner, &vc_id), VCStatus::Valid);
+        assert!(client.list_vc_ids(&owner).contains(vc_id.clone()));
+    }
+});

contracts/vc-vault/fuzz/fuzz_targets/fuzz_issuer_ops.rs

@@ -0,0 +1,77 @@
+//! Fuzzes sequences of authorize_issuer / revoke_issuer with arbitrary inputs.
+//!
+//! Invariants checked:
+//! - After authorize_issuer succeeds, the issuer must not be in the denied list
+//!   (i.e. a subsequent issue by that issuer must succeed).
+//! - After revoke_issuer succeeds, a subsequent issue by the same issuer must fail.
+//! - authorize_issuers deduplication: passing the same issuer N times must leave
+//!   exactly one entry (re-authorizing a revoked issuer clears the denied list).
+
+#![no_main]
+
+mod common;
+
+use arbitrary::Arbitrary;
+use common::{s, setup};
+use libfuzzer_sys::fuzz_target;
+use soroban_sdk::{testutils::Address as _, vec, Env};
+
+#[derive(Arbitrary, Debug)]
+enum IssuerOp {
+    Authorize,
+    Revoke,
+    BulkAuthorize { count: u8 },
+}
+
+#[derive(Arbitrary, Debug)]
+struct FuzzInput {
+    ops: Vec<IssuerOp>,
+    vc_id: String,
+}
+
+fuzz_target!(|input: FuzzInput| {
+    let env = Env::default();
+    let (_admin, issuer, owner, cid, client) = setup(&env);
+
+    // A second issuer for bulk authorize tests.
+    let issuer2 = soroban_sdk::Address::generate(&env);
+
+    for op in &input.ops {
+        match op {
+            IssuerOp::Authorize => {
+                let _ = client.try_authorize_issuer(&owner, &issuer);
+            }
+            IssuerOp::Revoke => {
+                let _ = client.try_revoke_issuer(&owner, &issuer);
+            }
+            IssuerOp::BulkAuthorize { count } => {
+                // Build a list with duplicates proportional to count; dedup must hold.
+                let n = (*count as usize % 4) + 1;
+                let mut list = vec![&env, issuer.clone()];
+                for _ in 1..n {
+                    list.push_back(issuer.clone());
+                }
+                list.push_back(issuer2.clone());
+                let _ = client.try_authorize_issuers(&owner, &list);
+            }
+        }
+    }
+
+    // After all ops, try to issue a VC and record whether it succeeded.
+    let vc_id = s(&env, &input.vc_id);
+    let issue_result = client.try_issue(
+        &owner,
+        &vc_id,
+        &s(&env, "data"),
+        &cid,
+        &issuer,
+        &s(&env, "did:fuzz:issuer"),
+        &0_i128,
+    );
+
+    // If issue succeeded, verify_vc must return Valid.
+    if let Ok(Ok(_)) = issue_result {
+        use vc_vault_contract::model::VCStatus;
+        assert_eq!(client.verify_vc(&owner, &vc_id), VCStatus::Valid);
+    }
+});