add some comments about ILightClient and IIBCModule's security

bluele · bluele · commit 066f0027c92d · 2024-07-10T18:35:16.000+09:00
Signed-off-by: Jun Kimura &lt;jun.kimura@datachain.jp&gt;
diff --git a/contracts/core/02-client/ILightClient.sol b/contracts/core/02-client/ILightClient.sol
@@ -78,6 +78,7 @@ interface ILightClient {
     /**
      * @dev verifyMembership is a generic proof verification method which verifies a proof of the existence of a value at a given CommitmentPath at the specified height.
      * The caller is expected to construct the full CommitmentPath from a CommitmentPrefix and a standardized path (as defined in ICS 24).
+     * This function should not perform `call` to the IBC contract. However, `staticcall` is permitted.
      */
     function verifyMembership(
         string calldata clientId,
@@ -93,6 +94,7 @@ interface ILightClient {
     /**
      * @dev verifyNonMembership is a generic proof verification method which verifies the absence of a given CommitmentPath at a specified height.
      * The caller is expected to construct the full CommitmentPath from a CommitmentPrefix and a standardized path (as defined in ICS 24).
+     * This function should not perform `call` to the IBC contract. However, `staticcall` is permitted.
      */
     function verifyNonMembership(
         string calldata clientId,
diff --git a/contracts/core/24-host/IIBCHostConfigurator.sol b/contracts/core/24-host/IIBCHostConfigurator.sol
@@ -7,16 +7,24 @@ import {IIBCModule} from "../26-router/IIBCModule.sol";
 interface IIBCHostConfigurator {
     /**
      * @dev setExpectedTimePerBlock sets expected time per block.
+     * Typically this function should be called by an authority like an IBC contract owner or govenance.
      */
     function setExpectedTimePerBlock(uint64 expectedTimePerBlock_) external;
 
     /**
      * @dev registerClient registers a new client type into the client registry
+     * Typically this function should be called by an authority like an IBC contract owner or govenance.
+     * The authority should verify the light client contract is a valid implementation as follows:
+     * - The contract implements ILightClient
+     * - To avoid reentrancy attack, the contract never performs `call` to the IBC contract directly or indirectly in the `verifyMembership` and the `verifyNonMembership`
      */
     function registerClient(string calldata clientType, ILightClient client) external;
 
     /**
      * @dev bindPort binds to an unallocated port, failing if the port has already been allocated.
+     * Typically this function should be called by an authority like an IBC contract owner or govenance.
+     * The authority should verify the light client contract is a valid implementation as follows:
+     * - The contract implements IIBCModule
      */
     function bindPort(string calldata portId, IIBCModule moduleAddress) external;
 }
