Reach Security - check() and API calls

[Fraccas]

I'm curious if the following code I've written guarantees that only a specified Buyer can make a purchase from the contract.

Is the following logic actually enforced in the smart contract, or does this Reach code set some limitations in the frontend? And if it's set behind the scenes on the frontend, is it possible that someone could create an exploit that bypasses my specified Buyer restriction?

Snippet

  const [[BuyerAddress], k] = call(Creator.setBuyer).assume((b) => { 
    check(this == Seller, "Invalid Account"); // ensure API caller is Seller
    check(typeof(b) == Address, "Invalid Address"); // ensure Buyer is valid Address
  });
  k(null);

  // show the bound buyer the NFT asset ID and requested price
  Buyer.only(() => {
    check(Buyer == BuyerAddress, "Invalid Account");
    interact.showBuyInfo(NFT, setPrice);
  });
  commit();

  Buyer.pay(setPrice);

  transfer(balance()).to(Seller);
  transfer(balance(NFT), NFT).to(BuyerAddress);

[jeapostrophe]

This code does not restrict the contract. 'assume' is only for the client. You restrict the contract with 'require' in the consensus step or with the new 'check' option on a call.

[Fraccas]

Thanks for the clarification @jeapostrophe.

I've added an additional check in the consensus step as seen below.

  // added for restriction in consensus step
  Buyer.publish();
  require(Buyer == BuyerAddress, "Invalid Account"); 
  commit();
  
  Buyer.pay(setPrice);

For the API call, I'm not sure how to restrict this with 'require'/'check' as it only allows "assume", "pay", and "throwTimeout".

  const [[BuyerAddress], k] = call(Creator.setBuyer).**assume**((b) => { 
    check(this == Seller, "Invalid Account"); // ensure API caller is Seller
    check(this != b, "Invalid Account"); // ensure API caller isn't Buyer
    check(typeof(b) == Address, "Invalid Address"); // ensure Buyer is valid Address
  });
  k(null);

Any guidance on how I can restrict this API call from the contract rather than the frontend?

[jeapostrophe]

You just put the 'require' in the consensus step corresponding to the 'call'. It is the continuation of 'call' until the next 'commit'. You could put it before or after the call to 'k'. 'call' also supports a 'check' form that gets run in both the local and consensus; although it was just added and you may need to update to get it.

[Fraccas]

Awesome, thanks for all of the help. While testing it appears to be working as expected.

If the security for this is solid I'll need to add a timeout in case the Buyer refuses to pay.

Updated code with require()

'reach 0.1';
'use strict';

export const main = Reach.App(() => {
  const Creator = API('Creator', {
    setBuyer: Fun([Address], Null)
  });

  const Seller =  Participant('Seller', {
    setSell: Fun([], Tuple(Token, UInt, UInt)),
    showContract: Fun([Contract], Null),
  });

  const Buyer =  Participant('Buyer', {
    showBuyInfo: Fun([Token, UInt], Null),
    showBoughtAsset: Fun([Token], Null),
  });

  init();

  // set NFT token id, nft amount, and price by Seller
  Seller.only(() => {
    const [ NFT, amtA, setPrice ] = declassify(interact.setSell());
  });
  Seller.publish(NFT, amtA, setPrice); // publish to blockchain
  commit();
  
  // Seller transfer NFTs to smart contract
  Seller.pay([ [amtA, NFT ]]);
  commit();

  // show seller creating contract the app id (smart contract)
  Seller.only(() => {
    interact.showContract(getContract());
  });

 // Seller later updates contract to specify the Buyer
  const [[SpecifiedBuyer], k] = call(Creator.setBuyer).assume((b) => { // checks in local step
    check(typeof(b) == Address, "Invalid Address"); // ensure Buyer is valid Address
    check(this == Seller, "Invalid Account"); // ensure API caller is Seller
  });
  require(this == Seller, "Invalid Account"); // check consensus step API caller is Seller
  k(null);

  // show the bound buyer the NFT asset ID and requested price
  Buyer.only(() => {
    check(Buyer == SpecifiedBuyer, "Invalid Account");
    interact.showBuyInfo(NFT, setPrice);
  });
  commit();

 // ensure Buyer is SpecifiedBuyer in consensus step 
  Buyer.publish();
  require(Buyer == SpecifiedBuyer, "Invalid Account"); 
  commit();

  Buyer.pay(setPrice);

  transfer(balance()).to(Seller);
  transfer(balance(NFT), NFT).to(SpecifiedBuyer);

  commit();

  Buyer.only(() => {
    interact.showBoughtAsset(NFT); 
  });

  exit();
});