The review has been performed based on the contract code in the following repository:
https://github.com/valory-xyz/autonolas-governance
commit: 27519122101f85060902b1d309f45072c29e4119
or v1.1.6-pre-internal-audi
Update: 30-08-2023
The audit focused on the Guard contract for the community multisig (CM).
Flattened version of the contracts: contracts
Hardhat coverage has been performed before the audit and can be found here:
| File                 | % Stmts | % Branch | % Funcs | % Lines | Uncovered Lines |
|----------------------|---------|----------|---------|---------|-----------------|
| contracts/multisigs/ | 100     | 100      | 100     | 100     |                 |
| GuardCM.sol          | 100     | 100      | 100     | 100     |                 |
Using the sol2uml tool: https://github.com/naddison36/sol2uml
sol2uml storage . -f png -c GuardCM -o .
Generated the png file GuardCM.png
Storage: GuardCM
Details in slither_full
Minor issue:
- Lacks a zero-check on the constructor arguments. [x] fixed - same as in other contracts, no need for the sanity check as we deploy on test networks as well
Notes:
- You need to add a pre-defined list of mapAllowedTargetSelectors in some initializer (for example, in the constructor). [x] fixed - decided to not create pre-defined targets and selectors
- Please add the following tests:
  -- CM owners can't call addOwnerWithThreshold() after installing the Guard. [x] fixed - there is a test that tries to call the getThreshold() function on the multisig itself.
  -- In "Guarded CM can still do other actions", transfer ETH from the CM. [x] fixed - added the test.
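To make the two requested tests concrete, the following is an added Python model of a target/selector allow-list guard, written for this note and not GuardCM's own code. It assumes a guard that keeps a mapping of allowed target addresses to 4-byte function selectors, lets plain ETH transfers (empty calldata) through, and rejects any other call whose target/selector pair is not listed. All addresses and selectors in it are constructed placeholders, not real deployments or real selectors.

```python
"""Model of a target/selector allow-list guard for a multisig (added example)."""

from dataclasses import dataclass, field

# Constructed placeholder addresses (not real deployments).
MULTISIG = "0x00000000000000000000000000000000000000c1"
TREASURY = "0x00000000000000000000000000000000000000c2"
UNKNOWN = "0x00000000000000000000000000000000000000c3"

# Constructed placeholder selectors. A real guard would take the first
# 4 bytes of keccak256 over the function signature instead.
SEL_ADD_OWNER = bytes.fromhex("aa000001")  # stands in for addOwnerWithThreshold(address,uint256)
SEL_GET_THRESHOLD = bytes.fromhex("aa000002")  # stands in for getThreshold()
SEL_WITHDRAW = bytes.fromhex("bb000001")  # stands in for an allowed treasury call


def selector(calldata: bytes) -> bytes:
    """The first four bytes of ABI calldata identify the called function."""
    return calldata[:4]


def encode_call(sel: bytes, *words: int) -> bytes:
    """Build minimal ABI calldata: selector followed by 32-byte words."""
    return sel + b"".join(w.to_bytes(32, "big") for w in words)


@dataclass
class AllowListGuard:
    """Transaction guard modelled on a mapping of target -> allowed selectors."""

    multisig: str
    allowed: dict = field(default_factory=dict)

    def set_target_selectors(self, target: str, selectors, status: bool) -> None:
        """Enable (status=True) or disable (status=False) selectors for a target."""
        bucket = self.allowed.setdefault(target.lower(), set())
        for sel in selectors:
            if len(sel) != 4:
                raise ValueError("selector must be exactly 4 bytes")
            if status:
                bucket.add(bytes(sel))
            else:
                bucket.discard(bytes(sel))

    def check_transaction(self, to: str, value: int, data: bytes) -> bool:
        """Return True if the multisig may execute this transaction."""
        if not data:
            # Plain ETH transfer: no function is called, so nothing to restrict.
            return True
        if len(data) < 4:
            # Malformed calldata cannot be matched against any selector.
            return False
        # Self-calls (owner/threshold management) are only allowed if listed,
        # and this model never lists the multisig itself.
        return selector(data) in self.allowed.get(to.lower(), set())


def run_scenarios() -> dict:
    """Replay the two requested tests plus a few edge cases; returns results by name."""
    guard = AllowListGuard(MULTISIG)
    guard.set_target_selectors(TREASURY, [SEL_WITHDRAW], True)

    new_owner = int(UNKNOWN, 16)
    results = {
        # "CM owners can't call addOwnerWithThreshold() after installing the Guard"
        "self_add_owner": guard.check_transaction(MULTISIG, 0, encode_call(SEL_ADD_OWNER, new_owner, 1)),
        "self_get_threshold": guard.check_transaction(MULTISIG, 0, encode_call(SEL_GET_THRESHOLD)),
        # "Guarded CM can still do other actions": ETH transfer and a listed call
        "eth_transfer": guard.check_transaction(UNKNOWN, 10**18, b""),
        "allowed_call": guard.check_transaction(TREASURY, 0, encode_call(SEL_WITHDRAW, 5)),
        # Same selector on an unlisted target, unlisted selector on a listed target
        "wrong_target": guard.check_transaction(UNKNOWN, 0, encode_call(SEL_WITHDRAW, 5)),
        "wrong_selector": guard.check_transaction(TREASURY, 0, encode_call(SEL_GET_THRESHOLD)),
        # Calldata too short to carry a selector
        "short_data": guard.check_transaction(TREASURY, 0, b"\xbb\x00"),
    }
    # Revoking the selector must close the door again.
    guard.set_target_selectors(TREASURY, [SEL_WITHDRAW], False)
    results["revoked_call"] = guard.check_transaction(TREASURY, 0, encode_call(SEL_WITHDRAW, 5))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'allowed' if ok else 'rejected'}")
```

The model treats the multisig's own address like any other target, so owner-management selectors are rejected simply because nothing is ever allow-listed for it; a real guard may add an explicit self-call rule, but the observable outcome for the two requested tests is the same.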