valory-xyz · DavidMinarsch · Aug 3, 2024 · Jul 4, 2024 · Jul 4, 2024 · Jul 4, 2024
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -135,4 +135,58 @@ f78d4539c80abb33ea04dce4d561af5302033235:scripts/deployment/staking/globals_sepo
 9fa4b1fb81ba553ed48ef4a9b22c53ecdf4d2242:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
 9fa4b1fb81ba553ed48ef4a9b22c53ecdf4d2242:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
 001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
-001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+ea6713128995ac18f3911c0214163e2b82896a7f:scripts/deployment/globals_mainnet.json:generic-api-key:1
+ea6713128995ac18f3911c0214163e2b82896a7f:scripts/deployment/globals_mainnet.json:generic-api-key:2
+1a7a855a853d2bc21e1e9178754a22dae54439f3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+1a7a855a853d2bc21e1e9178754a22dae54439f3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+3c5c0643bfa60605d7b91eb4b7a4b80c6f7a1b43:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+3c5c0643bfa60605d7b91eb4b7a4b80c6f7a1b43:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/globals_mainnet.json:generic-api-key:1
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/globals_mainnet.json:generic-api-key:2
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/globals_mainnet.json:generic-api-key:1
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/globals_mainnet.json:generic-api-key:2
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/globals_mainnet.json:generic-api-key:1
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/globals_mainnet.json:generic-api-key:2
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:1
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:2
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:1
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:2
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:1
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:2
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:1
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:2
+e09cdb5c34a402545d5a67d65ea31760f7c0fd19:scripts/deployment/globals_mainnet.json:generic-api-key:1
+e09cdb5c34a402545d5a67d65ea31760f7c0fd19:scripts/deployment/globals_mainnet.json:generic-api-key:2
+02f626605f59ee89a44152d2d8723c848174e44:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+f02f626605f59ee89a44152d2d8723c848174e44:scripts/deployment/globals_mainnet.json:generic-api-key:2
+a1fb94f332608c58c44aed99a08fea5fb08fc6ed:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+b92c814bbbab19139c4d40d31f7d0394e2796d0f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+d3c5ea3ef6d62f5cfb51d2485b74133f84d40f7d:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
+a1fb94f332608c58c44aed99a08fea5fb08fc6ed:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+b92c814bbbab19139c4d40d31f7d0394e2796d0f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+d3c5ea3ef6d62f5cfb51d2485b74133f84d40f7d:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+3068b0eefad400612f18c193fa62e11974c0fbd5:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+3068b0eefad400612f18c193fa62e11974c0fbd5:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+b616524545db2768fb9a3772ffd05c6e0a7f2d8b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+b616524545db2768fb9a3772ffd05c6e0a7f2d8b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+5e43d545806f8e2d6e8ffd8190d7d704bf663d5f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+5e43d545806f8e2d6e8ffd8190d7d704bf663d5f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,11 +4,21 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Common Changelog](https://common-changelog.org).
 
+[1.2.2]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.3...v1.2.2
 [1.0.3]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.2...v1.0.3
 [1.0.2]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.1...v1.0.2
 [1.0.1]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/valory-xyz/autonolas-tokenomics/releases/tag/v1.0.0
 
+## [1.2.2] - 2024-07-29
+
+### Changed
+
+- Introducing Service Staking according to [PoAA Whitepaper](https://staking.olas.network/poaa-whitepaper.pdf)
+- Refactored  and re-deployed `Tokenomics.sol` and `Dispenser.sol` to address service staking inflation and claiming capability ([#156](https://github.com/valory-xyz/autonolas-registries/pull/156)), with the subsequent internal audit ([#168](https://github.com/valory-xyz/autonolas-registries/pull/168))
+- Created and deployed `ArbitrumDepositProcessorL1.sol`, `ArbitrumTargetDispenserL2.sol`, `DefaultDepositProcessorL1.sol`, `DefaultTargetDispenserL2.sol`, `EthereumDepositProcessor.sol`, `GnosisDepositProcessorL1.sol` , `GnosisTargetDispenserL2.sol`, `OptimismDepositProcessorL1.sol`, `OptimismTargetDispenserL2.sol`, `PolygonDepositProcessorL1.sol`, `PolygonTargetDispenserL2.sol`, `WormholeDepositProcessorL1.sol`, and `WormholeTargetDispenserL2.sol` contracts
+- Participated in a complete [C4R audit competition](https://github.com/code-423n4/2024-05-olas-findings) and addressed findings
+
 ## [1.0.3] - 2023-10-05
 
 _No bytecode changes_.

diff --git a/abis/0.8.25/Dispenser.json b/abis/0.8.25/Dispenser.json
diff --git a/audits/README.md b/audits/README.md
@@ -10,7 +10,9 @@ An internal audit with a focus on depository implementation v.1.0.1 is located i
 
 An internal audit with a focus on PoAA Staking is located in this folder: [internal audit 4](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4).
 
-An internal audit with a focus on AIP-1 (bonding) is located in this folder: [internal audit 5](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5).
+An internal audit with a focus on PoAA Staking fixing after C4A is located in this folder: [internal audit 5](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5).
+
+An internal audit with a focus on AIP-1 (bonding) is located in this folder: [internal audit 6](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal6).
 
 ### External audit
 Audit reports: [v1](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/Autonolas%20Tokenomics%20Smart%20Contract%20Audit.pdf) and [v2](https://sourcehat.com/audits/AutonolasTokenomics/).
diff --git a/audits/internal5/README.md b/audits/internal5/README.md
@@ -1,61 +1,130 @@
 # Internal audit of autonolas-tokenomics
 The review has been performed based on the contract code in the following repository:<br>
 `https://github.com/valory-xyz/autonolas-tokenomics` <br>
-commit: `12101b49a2dcdc7a7378f416ddb1611e10459b67` or `tag: v1.3.0-pre-internal-audit`<br> 
+commit: `357539f11e3386c18bc9370d4cd20066c7fc0599` or `tag: v1.2.2-pre-internal-audit`<br> 
 
 ## Objectives
-The audit focused on contracts related to AIP-1 implementation (Bonding) in this repo.
+The audit focused on fixing contracts related to PoAA Staking after C4A.
 
-### Flatten version
-Flatten version of contracts. [contracts](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5/analysis/contracts) 
+### Coverage
+Hardhat coverage has been performed before the audit and can be found here:
+```sh
+---------------------------------|----------|----------|----------|----------|----------------|
+File                             |  % Stmts | % Branch |  % Funcs |  % Lines |Uncovered Lines |
+---------------------------------|----------|----------|----------|----------|----------------|
+ contracts/                      |    99.64 |    96.79 |      100 |    98.09 |                |
 
-### Coverage: N/A
-In this commit, the tests are in the process of being reworked and therefore the coverage section does not make sense.
+  Dispenser.sol                  |    98.94 |    90.65 |      100 |    93.86 |... 0,1188,1246 |
 
-### Storage and proxy
-Using sol2uml tools: https://github.com/naddison36/sol2uml <br>
+ contracts/staking/              |    97.52 |    90.83 |    98.36 |    93.97 |                |
+  ArbitrumDepositProcessorL1.sol |      100 |    96.15 |      100 |    97.14 |            157 |
+  ArbitrumTargetDispenserL2.sol  |      100 |      100 |      100 |      100 |                |
+  DefaultDepositProcessorL1.sol  |      100 |    90.63 |      100 |    94.83 |    134,227,235 |
+  DefaultTargetDispenserL2.sol   |     97.5 |     87.8 |      100 |    92.52 |... 459,489,511 |
+  EthereumDepositProcessor.sol   |    85.71 |    88.89 |      100 |    86.11 |... 109,112,114 |
+  GnosisDepositProcessorL1.sol   |      100 |      100 |      100 |      100 |                |
+  GnosisTargetDispenserL2.sol    |      100 |      100 |      100 |      100 |                |
+  OptimismDepositProcessorL1.sol |      100 |      100 |      100 |      100 |                |
+  OptimismTargetDispenserL2.sol  |      100 |      100 |      100 |      100 |                |
+  PolygonDepositProcessorL1.sol  |    91.67 |       80 |       80 |    84.21 |     97,105,110 |
+  PolygonTargetDispenserL2.sol   |      100 |       50 |      100 |    81.82 |          68,73 |
+  WormholeDepositProcessorL1.sol |      100 |      100 |      100 |      100 |                |
+  WormholeTargetDispenserL2.sol  |      100 |    91.67 |      100 |    96.77 |            114 |
+
+---------------------------------|----------|----------|----------|----------|----------------|
 ```
-npm link sol2uml --only=production
-sol2uml storage contracts/ -f png -c Tokenomics -o audits/internal4/analysis/storage
-Generated png file audits/internal5/analysis/storage/Tokenomics.png
-```
-[Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5/analysis/storage/Tokenomics.png) <br>
-current deployed: <br>
-[Tokenomics-storage-current](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4/analysis/storage/Tokenomics.png) <br>
-The new slot allocation for Tokenomics (critical as proxy pattern) does not affect the previous one. 
-
-### Security issues.
-#### Problems found instrumentally
-Several checks are obtained automatically. They are commented. Some issues found need to be fixed. <br>
-All automatic warnings are listed in the following file, concerns of which we address in more detail below: <br>
-[slither-full](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5/analysis/slither_full.txt) <br>
-
-#### Issue
-1. minOLASLeftoverAmount never setupped/updated
-```
-    // Minimum amount of supply such that any value below is given to the bonding account in order to close the product
-    uint256 public minOLASLeftoverAmount;
-```
-2. Reentrancy after ERC721 "safe" mint in deposit
+Please, pay attention. <br>
+[x] Noted. Missing 100% is not an obvious problem.
+
+#### Checking the corrections made after C4A
+##### Bridging
+67. Withheld tokens could become unsynchronized by using retry-ability of bridging protocols #67
+https://github.com/code-423n4/2024-05-olas-findings/issues/67
+[x] fixed
+
+54. OptimismTargetDispenserL2:syncWithheldTokens is callable with no sanity check on payloads and can lead to permanent loss of withheld token amounts #54
+https://github.com/code-423n4/2024-05-olas-findings/issues/54
+20. Users will lose all ETH sent as cost parameter in transactions to and from Optimism #20
+https://github.com/code-423n4/2024-05-olas-findings/issues/20
+4. The msg.value - cost for multiple cross-chain bridges are not refunded to users #4
+https://github.com/code-423n4/2024-05-olas-findings/issues/4
+[x] fixed
+
+32. Refunds for unconsumed gas will be lost due to incorrect refund chain ID #32
+https://github.com/code-423n4/2024-05-olas-findings/issues/32
+[x] fixed
+
+29. Attacker can cancel claimed staking incentives on Arbitrum #29
+https://github.com/code-423n4/2024-05-olas-findings/issues/29
+[x] fixed
+
+26. Non-normalized amounts sent via Wormhole lead to failure to redeem incentives #26 
+https://github.com/code-423n4/2024-05-olas-findings/issues/26
+[x] fixed
+
+22. Arbitrary tokens and data can be bridged to GnosisTargetDispenserL2 to manipulate staking incentives #22
+https://github.com/code-423n4/2024-05-olas-findings/issues/22
+[x] fixed
+
+5. The refundAccount is erroneously set to msg.sender instead of tx.origin when refundAccount specified as address(0) #5
+https://github.com/code-423n4/2024-05-olas-findings/issues/5
+[x] fixed
+
+##### Dispenser
+61. Loss of incentives if total weight in an epoch is zero #61
+https://github.com/code-423n4/2024-05-olas-findings/issues/61
+[x] fixed
+
+56. In retain function checkpoint nominee function is not called which can cause zero amount of tokens being retained. #56
+https://github.com/code-423n4/2024-05-olas-findings/issues/56
+[x] fixed
+
+38. Removed nominee doesn't receive staking incentives for the epoch in which they were removed which is against the intended behaviour #38
+https://github.com/code-423n4/2024-05-olas-findings/issues/38
+[x] fixed
+
+27. Unauthorized claiming of staking incentives for retainer #27
+https://github.com/code-423n4/2024-05-olas-findings/issues/27
+[x] fixed
+
+##### No need to change the code, just add information to the documentation
+59. Changing VoteWeighting contract can result in lost staking incentives #59
+https://github.com/code-423n4/2024-05-olas-findings/issues/59
+[x] fixed
+
+#### Low issue
+107. QA Report #107
+https://github.com/code-423n4/2024-05-olas-findings/issues/107
 ```
-	External calls:
-	- _safeMint(msg.sender,bondId) (Depository-flatten.sol#891)
-		- require(bool,string)(ERC721TokenReceiver(to).onERC721Received(msg.sender,address(0),id,) == ERC721TokenReceiver.onERC721Received.selector,UNSAFE_RECIPIENT) (Depository-flatten.sol#461-465)
-	After adding _safeMint(msg.sender, bondId), it became clearly susceptible reentrancy attack.
-    We need to add explicit protection against reentrancy.
+[N-44] Missing event for critical changes addNomenee in Dispenser
 ```
-#### Genaral notes: more tests need to be done, needed re-audit later
+[x] fixed
+
+110. QA Report #110
+https://github.com/code-423n4/2024-05-olas-findings/issues/110
 ```
-trackServiceDonations requires a large number of tests and coverage of all scenarios.
+[NonCritical-9] Missing events in sensitive function setL2TargetDispenser(address l2Dispenser)
 ```
-#### Notes for discussion: epsilonRate
+[x] fixed
+
+113. QA Report #113
+https://github.com/code-423n4/2024-05-olas-findings/issues/113
 ```
-in this implementation epsilonRate is deprecated and simply not used. perhaps it makes sense (?) to use this dimensionless coefficient as a limiter.
-// The IDF depends on the epsilonRate value, idf = 1 + epsilonRate, and epsilonRate is bound by 17 with 18 decimals
-new
-// IDF = 1 + normalized booster
-idf = 1e18 + discountBooster;
-maybe idf = min(1e18 + discountBooster, 1e18 + epsilonRate)
-Moreover, according to calculations discountBooster <= 1e18 << max(epsilonRate)
+[L-08] Use abi.encodeCall() instead of abi.encodeWithSignature()/abi.encodeWithSelector() 
+grep -r encodeWithSelec ./contracts/    
+./contracts/staking/OptimismDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
+./contracts/staking/OptimismTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/ArbitrumTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/GnosisTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/ArbitrumDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
+./contracts/staking/GnosisDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
 ```
+[x] Noted. The fact that codebase hasn't been changed is not a problem.
+
+### Catch up on changes. 15.07.24
+https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.2.2-pre-internal-audit...v1.2.2-pre-audit <br>
+The changes to the codebase appear to be correct.
+
+
+