Audit fixes brian #76
Conversation
brossetti1
force-pushed
the
audit-fixes-brian
branch
2 times, most recently
from
a0939bb
to
740ca4a
Compare
| @@ -0,0 +1,6 @@ | |||
| { | |||
| "solidity.defaultCompiler": "localNodeModule", | |||
There was a problem hiding this comment.
oops should proably update this?
|
updated docs for some of these issues |
brossetti1
force-pushed
the
audit-fixes-brian
branch
from
1914e14
to
e090e14
Compare
| contract Baal is Module, EIP712, ReentrancyGuard, BaseRelayRecipient { | ||
| using ECDSA for bytes32; | ||
| contract Baal is Module, EIP712Upgradeable, ReentrancyGuardUpgradeable, BaseRelayRecipient { | ||
| using ECDSAUpgradeable for bytes32; |
There was a problem hiding this comment.
so this is actually an upgrade on the ECDSA logic - there was some signature validations that openzeppelin removed from the ECDSA checks
OpenZeppelin/openzeppelin-contracts@d693d89
| @@ -268,7 +277,7 @@ contract Baal is Module, EIP712, ReentrancyGuard, BaseRelayRecipient { | |||
| _initializationMultisendData, | |||
| Enum.Operation.DelegateCall | |||
| ), | |||
| "call failure" | |||
| "call failure setup" | |||
There was a problem hiding this comment.
adding one more word to better distinguish errors -- there were two call failure errors in this file from different functions.
| proposalCount++; /*increment proposal counter*/ | ||
| proposals[proposalCount] = Proposal( /*push params into proposal struct - start voting period timer if member submission*/ | ||
| proposalCount, | ||
| selfSponsor ? latestSponsoredProposalId : 0, /* prevProposalId */ | ||
| selfSponsor ? uint32(block.timestamp) : 0, /* votingStarts */ | ||
| selfSponsor ? uint32(block.timestamp) + votingPeriod : 0, /* votingEnds */ | ||
| selfSponsor | ||
| ? uint32(block.timestamp) + votingPeriod + gracePeriod | ||
| : 0, /* graceEnds */ | ||
| expiration, | ||
| baalGas, | ||
| 0, /* yes votes */ | ||
| 0, /* no votes */ | ||
| 0, /* highestMaxSharesAndLootAtYesVote */ | ||
| [false, false, false, false], /* [cancelled, processed, passed, actionFailed] */ | ||
| selfSponsor ? _msgSender() : address(0), | ||
| proposalDataHash, | ||
| details | ||
| ); |
There was a problem hiding this comment.
qsp for removing the unchecked call as the QuantStamp team pointed out that there are some holes with unchecked overflow here so its safer to have it checked
| @@ -573,7 +585,7 @@ contract Baal is Module, EIP712, ReentrancyGuard, BaseRelayRecipient { | |||
| bytes calldata _data | |||
| ) external baalOnly { | |||
| (bool success, ) = _to.call{value: _value}(_data); | |||
| require(success, "call failure"); | |||
| require(success, "call failure execute"); | |||
| } else if(!pauseLoot && lootToken.paused()){ | ||
| lootToken.unpause(); | ||
| emit LootPaused(false); |
There was a problem hiding this comment.
only emitting events if status changed on paused
| await baal.submitVoteWithSig(summoner.address, expiry, 0, 1, true, v, r, s); | ||
|
|
||
| const signatureTwo = await signVote( | ||
| chainId, | ||
| baal.address, | ||
| summoner, | ||
| deploymentConfig.TOKEN_NAME, | ||
| expiry, | ||
| 1, | ||
| 1, | ||
| true | ||
| ); | ||
| const sigTwo = await ethers.utils.splitSignature(signatureTwo); |
There was a problem hiding this comment.
interesting how this test included a check on nonces inherently as it was using the same signature for both submitVoteWithSig - after adding a second signature with the nonce bumped, the test resolved from the error that triggered from adding the nonce. ie notice how nonce had to go from 0 to 1
brossetti1
force-pushed
the
audit-fixes-brian
branch
from
1dcfbff
to
c12b07e
Compare
| ## Coverage | ||
|
|
||
| currently, coverage is turned off for test efficiency purposes. In order to switch coverage on, add `yul` to the hardhat config: | ||
|
|
||
| ``` | ||
| { | ||
| ... | ||
| compilers: [ | ||
| { | ||
| version: "0.8.7", | ||
| settings: { | ||
| optimizer: { | ||
| enabled: true, | ||
| runs: 200, | ||
| details: { | ||
| yul: true | ||
| } | ||
| }, | ||
| }, | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| then run the coverage command: | ||
|
|
||
| ``` | ||
| npx hardhat coverage | ||
| ``` |
There was a problem hiding this comment.
coverage docs - should be turned on manually and turned off for faster test runs
…eable dependencies on oz
Co-authored-by: dekanbro <[email protected]>
brossetti1
force-pushed
the
audit-fixes-brian
branch
from
c12b07e
to
cd28a98
Compare
wip fixing quantstamp issues