Skip to content

test(security): enforce dispute state authorization for arbiter actions#152

Merged
shakurJJ merged 2 commits into
shakurJJ:mainfrom
Ajadu-Saviour:test/arbiter-security-authorization
Jun 26, 2026
Merged

test(security): enforce dispute state authorization for arbiter actions#152
shakurJJ merged 2 commits into
shakurJJ:mainfrom
Ajadu-Saviour:test/arbiter-security-authorization

Conversation

@Ajadu-Saviour

Copy link
Copy Markdown
Contributor

Summary

This PR strengthens the contract's authorization guarantees by adding security-focused tests that verify arbiters cannot resolve disputes unless a milestone has explicitly entered the Disputed state.

The new test suite validates that dispute resolution is only possible after a buyer-initiated dispute has been raised, preventing unauthorized fund redirection and preserving the intended dispute lifecycle. It also confirms that arbiters cannot invoke other restricted operations such as milestone confirmation or shipment cancellation.

Motivation

The dispute workflow assumes that an arbiter may only intervene after a dispute has been formally opened by the buyer. Without explicit regression tests, future changes could unintentionally allow arbiters to bypass this workflow and resolve milestones that were never disputed.

This PR adds comprehensive authorization tests to ensure the contract consistently enforces these security boundaries.


Changes

Dispute Resolution Authorization

Added tests to verify that resolve_dispute rejects calls when the milestone is not in the Disputed state.

Covered milestone states include:

  • Pending
  • ProofSubmitted
  • Confirmed
  • Resolved
  • All remaining non-disputed lifecycle states

Each scenario asserts that the contract panics with the expected NoDisputeOpen (or equivalent) error.


Arbiter Permission Validation

Added authorization tests confirming that an arbiter cannot invoke operations reserved for other participants.

Verified restricted operations:

  • confirm_milestone
  • cancel_shipment

Each test asserts that unauthorized calls fail with the expected authorization error.


Security Regression Coverage

Expanded the security test suite to validate:

  • Dispute state preconditions
  • Role-based authorization
  • Invalid state transitions
  • Unauthorized operation rejection
  • Consistent error handling across restricted actions

These tests help ensure future refactoring cannot weaken the contract's access control or dispute workflow.


Testing

Added comprehensive coverage for:

Dispute Resolution

  • Attempting resolve_dispute before any dispute is opened
  • Resolving from Pending
  • Resolving from ProofSubmitted
  • Resolving from Confirmed
  • Resolving from Resolved
  • Validation across all non-disputed milestone states

Authorization

  • Arbiter calling confirm_milestone
  • Arbiter calling cancel_shipment
  • Verification of expected panic/error responses

Regression Protection

  • Unauthorized state transitions
  • Role enforcement
  • Dispute lifecycle invariants

Security Impact

This PR reinforces the contract's dispute model by ensuring:

  • Arbiters cannot intervene before a buyer formally raises a dispute.
  • Funds cannot be redirected through unauthorized dispute resolution.
  • Restricted operations remain inaccessible to unauthorized roles.
  • The dispute lifecycle remains consistent and resistant to accidental regressions.

These tests provide long-term protection against changes that could compromise authorization or state transition rules.


Acceptance Criteria

  • resolve_dispute panics when called on a non-Disputed milestone
  • All non-disputed milestone states reject arbiter resolution attempts
  • Arbiter calls to confirm_milestone panic with Unauthorized
  • Arbiter calls to cancel_shipment panic with Unauthorized
  • Test coverage includes all five non-disputed MilestoneStatus variants
  • Added regression tests to protect dispute authorization behavior

Result

The contract now includes comprehensive security regression tests that enforce the intended dispute workflow, ensuring arbiters may only resolve disputes after a buyer-initiated dispute exists and preventing unauthorized access to privileged contract operations.

Closes #124

- Adds test_arbiter_security.rs with 10 comprehensive security tests
- Verifies arbiter cannot call resolve_dispute on non-Disputed milestones
- Tests all 5 non-Disputed MilestoneStatus states: Pending, ProofSubmitted, Confirmed, ConfirmedHeld, Resolved
- Verifies arbiter cannot call confirm_milestone (buyer-only operation)
- Verifies arbiter cannot call cancel_shipment (buyer-only operation)
- Validates only arbiter can resolve after buyer raises dispute
- Tests arbiter cannot bypass dispute process for unilateral fund redirection
- All tests verify proper authorization checks prevent unauthorized access
- Security coverage prevents fund theft and unauthorized state transitions
@drips-wave

drips-wave Bot commented Jun 26, 2026

Copy link
Copy Markdown

@Ajadu-Saviour Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@shakurJJ shakurJJ merged commit 7edcf92 into shakurJJ:main Jun 26, 2026
0 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

test: adversarial arbiter — arbiter attempts to resolve non-disputed milestone

2 participants