audit: APEX-467 Method updateValidatorsChainData could be called by anyone

contracts/Gateway.sol

@@ -102,7 +102,7 @@ contract Gateway is
         bytes calldata _signature,
         uint256 _bitmap,
         bytes calldata _data
-    ) external {
+    ) external onlyOwner {
         bytes32 _hash = keccak256(_data);
         bool valid = validators.isBlsSignatureValid(_hash, _signature, _bitmap);
 

contracts/Validators.sol

@@ -17,6 +17,8 @@ contract Validators is
         0x0000000000000000000000000000000000002060;
     uint256 public constant VALIDATOR_BLS_PRECOMPILE_GAS = 150000;
 
+    address private gateway;
+
     ValidatorChainData[] private validatorsChainData;
 
     uint256 public lastConfirmedValidatorsSet;
@@ -31,6 +33,11 @@ contract Validators is
         __UUPSUpgradeable_init();
     }
 
+    function setDependencies(address _gateway) external onlyOwner {
+        if (_gateway == address(0)) revert ZeroAddress();
+        gateway = _gateway;
+    }
+
     function _authorizeUpgrade(
         address newImplementation
     ) internal override onlyOwner {}
@@ -44,7 +51,9 @@ contract Validators is
         }
     }
 
-    function updateValidatorsChainData(bytes calldata _data) external {
+    function updateValidatorsChainData(
+        bytes calldata _data
+    ) external onlyGateway {
         (
             uint256 _validatorsSetNumber,
             uint256 _ttl,
@@ -96,4 +105,9 @@ contract Validators is
 
         return callSuccess && abi.decode(returnData, (bool));
     }
+
+    modifier onlyGateway() {
+        if (msg.sender != address(gateway)) revert NotGateway();
+        _;
+    }
 }

package.json

@@ -3,7 +3,7 @@
     "@nomicfoundation/hardhat-network-helpers": "^1.0.11",
     "@nomicfoundation/hardhat-toolbox": "^5.0.0",
     "ethers": "^6.13.2",
-    "hardhat": "^2.22.17"
+    "hardhat": "^2.22.18"
   },
   "dependencies": {
     "@openzeppelin/contracts": "^5.0.2",

test/Gateway.test.ts

@@ -30,6 +30,18 @@ describe("Gateway Contract", function () {
     expect(await gateway.validators()).to.equal(validatorsc.target);
   });
 
+  it("UpdateValidators should revert if not called by owner", async () => {
+    const { gateway, validators } = await loadFixture(deployGatewayFixtures);
+
+    const signature = "0x1c6a9b6a2f6ec0e1d9f7cb56a874c8b278fbadcf33450da3448d85cf94b78912";
+    const bitmap = BigInt("0b1010101010101010"); // 16-bit bitmap as a BigInt
+    const data = "0xdeadbeef00112233445566778899aabbccddeeff";
+
+    await expect(
+      gateway.connect(validators[0]).updateValidatorsChainData(signature, bitmap, data)
+    ).to.be.revertedWithCustomError(gateway, "OwnableUnauthorizedAccount");
+  });
+
   it("Deposit success", async () => {
     const { gateway, data } = await loadFixture(deployGatewayFixtures);
 

test/Validators.test.ts

@@ -1,6 +1,6 @@
 import { loadFixture } from "@nomicfoundation/hardhat-network-helpers";
 import { expect } from "chai";
-import { deployGatewayFixtures } from "./fixtures";
+import { deployGatewayFixtures, impersonateAsContractAndMintFunds } from "./fixtures";
 
 describe("Validators Contract", function () {
   it("setValidatorsChainData and validate initialization", async () => {
@@ -16,8 +16,8 @@ describe("Validators Contract", function () {
       }
     }
   });
-  it("UpdateValidators should revert if validatorsSetNumber is not correct", async () => {
-    const { validatorsc } = await loadFixture(deployGatewayFixtures);
+  it("UpdateValidators should revert if not called by Gateway", async () => {
+    const { validatorsc, owner } = await loadFixture(deployGatewayFixtures);
 
     const blockNumber = await ethers.provider.getBlockNumber();
 
@@ -28,10 +28,27 @@ describe("Validators Contract", function () {
       [10, blockNumber + 100, [[[1, 2, 3, 4]]]]
     );
 
-    await expect(validatorsc.updateValidatorsChainData(dataUpdateValidatorsChainData)).to.be.revertedWithCustomError(
-      validatorsc,
-      "WrongValidatorsSetValue()"
+    await expect(
+      validatorsc.connect(owner).updateValidatorsChainData(dataUpdateValidatorsChainData)
+    ).to.be.revertedWithCustomError(validatorsc, "NotGateway()");
+  });
+  it("UpdateValidators should revert if validatorsSetNumber is not correct", async () => {
+    const { gateway, validatorsc } = await loadFixture(deployGatewayFixtures);
+
+    const blockNumber = await ethers.provider.getBlockNumber();
+
+    const abiCoder = new ethers.AbiCoder();
+
+    const dataUpdateValidatorsChainData = abiCoder.encode(
+      ["uint256", "uint256", "tuple(uint256[4])[]"],
+      [10, blockNumber + 100, [[[1, 2, 3, 4]]]]
     );
+
+    const gatewayContract = await impersonateAsContractAndMintFunds(await gateway.getAddress());
+
+    await expect(
+      validatorsc.connect(gatewayContract).updateValidatorsChainData(dataUpdateValidatorsChainData)
+    ).to.be.revertedWithCustomError(validatorsc, "WrongValidatorsSetValue()");
   });
   it("UpdateValidators should emit event if TTL has passed and should not update set", async () => {
     const { gateway, validatorsc, validatorsCardanoData } = await loadFixture(deployGatewayFixtures);
@@ -45,20 +62,24 @@ describe("Validators Contract", function () {
       [1, blockNumber - 1, [[[1, 2, 3, 4]]]]
     );
 
-    expect(await validatorsc.updateValidatorsChainData(dataUpdateValidatorsChainData))
+    const gatewayContract = await impersonateAsContractAndMintFunds(await gateway.getAddress());
+
+    expect(await validatorsc.connect(gatewayContract).updateValidatorsChainData(dataUpdateValidatorsChainData))
       .to.emit(gateway, "ValidatorsSetUpdated")
       .withArgs(dataUpdateValidatorsChainData);
 
     expect((await validatorsc.getValidatorsChainData()).length).to.equal(validatorsCardanoData.length);
   });
   it("UpdateValidators success", async () => {
-    const { gateway, validatorsc, dataUpdateValidatorsChainData } = await loadFixture(deployGatewayFixtures);
-
-    await gateway.updateValidatorsChainData(
-      "0x7465737400000000000000000000000000000000000000000000000000000000",
-      "0x7465737400000000000000000000000000000000000000000000000000000000",
-      dataUpdateValidatorsChainData
-    );
+    const { owner, gateway, validatorsc, dataUpdateValidatorsChainData } = await loadFixture(deployGatewayFixtures);
+
+    await gateway
+      .connect(owner)
+      .updateValidatorsChainData(
+        "0x7465737400000000000000000000000000000000000000000000000000000000",
+        "0x7465737400000000000000000000000000000000000000000000000000000000",
+        dataUpdateValidatorsChainData
+      );
 
     expect(await validatorsc.lastConfirmedValidatorsSet()).to.equal(1);
 

test/fixtures.ts

@@ -74,6 +74,8 @@ export async function deployGatewayFixtures() {
 
   await nativeTokenWallet.setDependencies(nativeTokenPredicate.target);
 
+  await validatorsc.setDependencies(gateway.target);
+
   const validatorsCardanoData = [
     {
       key: ["0x1", "0x2", "0x3", "0x4"] as [BigNumberish, BigNumberish, BigNumberish, BigNumberish],