Merge pull request #180 from valory-xyz/v1.3.0-internal-audit

doc: internal audit ref AIP-1/Bonding

.gitleaksignore

@@ -135,4 +135,58 @@ f78d4539c80abb33ea04dce4d561af5302033235:scripts/deployment/staking/globals_sepo
 9fa4b1fb81ba553ed48ef4a9b22c53ecdf4d2242:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
 9fa4b1fb81ba553ed48ef4a9b22c53ecdf4d2242:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
 001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
-001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+001d71fc7c216c593faebdd3d6f353efaf80605f:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+ea6713128995ac18f3911c0214163e2b82896a7f:scripts/deployment/globals_mainnet.json:generic-api-key:1
+ea6713128995ac18f3911c0214163e2b82896a7f:scripts/deployment/globals_mainnet.json:generic-api-key:2
+1a7a855a853d2bc21e1e9178754a22dae54439f3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+1a7a855a853d2bc21e1e9178754a22dae54439f3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+3c5c0643bfa60605d7b91eb4b7a4b80c6f7a1b43:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+3c5c0643bfa60605d7b91eb4b7a4b80c6f7a1b43:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/globals_mainnet.json:generic-api-key:1
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/globals_mainnet.json:generic-api-key:2
+b17bdd0ebae90b769b8756da81d831a70fcb4af3:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/globals_mainnet.json:generic-api-key:1
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/globals_mainnet.json:generic-api-key:2
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+c5ba11d1b46a6fa9644c0de28b4b0f7b154156ee:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/globals_mainnet.json:generic-api-key:1
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/globals_mainnet.json:generic-api-key:2
+7cf3cd1c5fa705f82f0f33c90538fa6e6892af5b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:1
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:2
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:1
+38ff93e8e51ef86b6c46872b12e27f67152ec07a:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:2
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:1
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/test/globals_celo_mainnet.json:generic-api-key:2
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:1
+cfe4b8064bfda91d83bd5bdc5af44f2155859ef3:scripts/deployment/staking/wormhole/globals_celo_mainnet.json:generic-api-key:2
+e09cdb5c34a402545d5a67d65ea31760f7c0fd19:scripts/deployment/globals_mainnet.json:generic-api-key:1
+e09cdb5c34a402545d5a67d65ea31760f7c0fd19:scripts/deployment/globals_mainnet.json:generic-api-key:2
+02f626605f59ee89a44152d2d8723c848174e44:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+f02f626605f59ee89a44152d2d8723c848174e44:scripts/deployment/globals_mainnet.json:generic-api-key:2
+a1fb94f332608c58c44aed99a08fea5fb08fc6ed:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+b92c814bbbab19139c4d40d31f7d0394e2796d0f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+d3c5ea3ef6d62f5cfb51d2485b74133f84d40f7d:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:1
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_sepolia.json:generic-api-key:1
+a1fb94f332608c58c44aed99a08fea5fb08fc6ed:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+b92c814bbbab19139c4d40d31f7d0394e2796d0f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+d3c5ea3ef6d62f5cfb51d2485b74133f84d40f7d:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+d79d6210c89d103448e32b7c915903c8a8b8d87a:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_mainnet.json:generic-api-key:2
+e9945cd0dd6c8c0dc0fefda76d7f60e7ef56511b:scripts/deployment/staking/globals_sepolia.json:generic-api-key:2
+3068b0eefad400612f18c193fa62e11974c0fbd5:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+3068b0eefad400612f18c193fa62e11974c0fbd5:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+b616524545db2768fb9a3772ffd05c6e0a7f2d8b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+b616524545db2768fb9a3772ffd05c6e0a7f2d8b:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2
+5e43d545806f8e2d6e8ffd8190d7d704bf663d5f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:1
+5e43d545806f8e2d6e8ffd8190d7d704bf663d5f:scripts/deployment/staking/celo/globals_celo_mainnet.json:generic-api-key:2

CHANGELOG.md

@@ -4,11 +4,21 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Common Changelog](https://common-changelog.org).
 
+[1.2.2]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.3...v1.2.2
 [1.0.3]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.2...v1.0.3
 [1.0.2]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.1...v1.0.2
 [1.0.1]: https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/valory-xyz/autonolas-tokenomics/releases/tag/v1.0.0
 
+## [1.2.2] - 2024-07-29
+
+### Changed
+
+- Introducing Service Staking according to [PoAA Whitepaper](https://staking.olas.network/poaa-whitepaper.pdf)
+- Refactored  and re-deployed `Tokenomics.sol` and `Dispenser.sol` to address service staking inflation and claiming capability ([#156](https://github.com/valory-xyz/autonolas-registries/pull/156)), with the subsequent internal audit ([#168](https://github.com/valory-xyz/autonolas-registries/pull/168))
+- Created and deployed `ArbitrumDepositProcessorL1.sol`, `ArbitrumTargetDispenserL2.sol`, `DefaultDepositProcessorL1.sol`, `DefaultTargetDispenserL2.sol`, `EthereumDepositProcessor.sol`, `GnosisDepositProcessorL1.sol` , `GnosisTargetDispenserL2.sol`, `OptimismDepositProcessorL1.sol`, `OptimismTargetDispenserL2.sol`, `PolygonDepositProcessorL1.sol`, `PolygonTargetDispenserL2.sol`, `WormholeDepositProcessorL1.sol`, and `WormholeTargetDispenserL2.sol` contracts
+- Participated in a complete [C4R audit competition](https://github.com/code-423n4/2024-05-olas-findings) and addressed findings
+
 ## [1.0.3] - 2023-10-05
 
 _No bytecode changes_.

audits/README.md

@@ -10,5 +10,9 @@ An internal audit with a focus on depository implementation v.1.0.1 is located i
 
 An internal audit with a focus on PoAA Staking is located in this folder: [internal audit 4](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4).
 
+An internal audit with a focus on PoAA Staking fixing after C4A is located in this folder: [internal audit 5](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal5).
+
+An internal audit with a focus on AIP-1 (bonding) is located in this folder: [internal audit 6](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal6).
+
 ### External audit
 Audit reports: [v1](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/Autonolas%20Tokenomics%20Smart%20Contract%20Audit.pdf) and [v2](https://sourcehat.com/audits/AutonolasTokenomics/).

audits/internal5/README.md

@@ -0,0 +1,130 @@
+# Internal audit of autonolas-tokenomics
+The review has been performed based on the contract code in the following repository:<br>
+`https://github.com/valory-xyz/autonolas-tokenomics` <br>
+commit: `357539f11e3386c18bc9370d4cd20066c7fc0599` or `tag: v1.2.2-pre-internal-audit`<br> 
+
+## Objectives
+The audit focused on fixing contracts related to PoAA Staking after C4A.
+
+### Coverage
+Hardhat coverage has been performed before the audit and can be found here:
+```sh
+---------------------------------|----------|----------|----------|----------|----------------|
+File                             |  % Stmts | % Branch |  % Funcs |  % Lines |Uncovered Lines |
+---------------------------------|----------|----------|----------|----------|----------------|
+ contracts/                      |    99.64 |    96.79 |      100 |    98.09 |                |
+
+  Dispenser.sol                  |    98.94 |    90.65 |      100 |    93.86 |... 0,1188,1246 |
+
+ contracts/staking/              |    97.52 |    90.83 |    98.36 |    93.97 |                |
+  ArbitrumDepositProcessorL1.sol |      100 |    96.15 |      100 |    97.14 |            157 |
+  ArbitrumTargetDispenserL2.sol  |      100 |      100 |      100 |      100 |                |
+  DefaultDepositProcessorL1.sol  |      100 |    90.63 |      100 |    94.83 |    134,227,235 |
+  DefaultTargetDispenserL2.sol   |     97.5 |     87.8 |      100 |    92.52 |... 459,489,511 |
+  EthereumDepositProcessor.sol   |    85.71 |    88.89 |      100 |    86.11 |... 109,112,114 |
+  GnosisDepositProcessorL1.sol   |      100 |      100 |      100 |      100 |                |
+  GnosisTargetDispenserL2.sol    |      100 |      100 |      100 |      100 |                |
+  OptimismDepositProcessorL1.sol |      100 |      100 |      100 |      100 |                |
+  OptimismTargetDispenserL2.sol  |      100 |      100 |      100 |      100 |                |
+  PolygonDepositProcessorL1.sol  |    91.67 |       80 |       80 |    84.21 |     97,105,110 |
+  PolygonTargetDispenserL2.sol   |      100 |       50 |      100 |    81.82 |          68,73 |
+  WormholeDepositProcessorL1.sol |      100 |      100 |      100 |      100 |                |
+  WormholeTargetDispenserL2.sol  |      100 |    91.67 |      100 |    96.77 |            114 |
+
+---------------------------------|----------|----------|----------|----------|----------------|
+```
+Please, pay attention. <br>
+[x] Noted. Missing 100% is not an obvious problem.
+
+#### Checking the corrections made after C4A
+##### Bridging
+67. Withheld tokens could become unsynchronized by using retry-ability of bridging protocols #67
+https://github.com/code-423n4/2024-05-olas-findings/issues/67
+[x] fixed
+
+54. OptimismTargetDispenserL2:syncWithheldTokens is callable with no sanity check on payloads and can lead to permanent loss of withheld token amounts #54
+https://github.com/code-423n4/2024-05-olas-findings/issues/54
+20. Users will lose all ETH sent as cost parameter in transactions to and from Optimism #20
+https://github.com/code-423n4/2024-05-olas-findings/issues/20
+4. The msg.value - cost for multiple cross-chain bridges are not refunded to users #4
+https://github.com/code-423n4/2024-05-olas-findings/issues/4
+[x] fixed
+
+32. Refunds for unconsumed gas will be lost due to incorrect refund chain ID #32
+https://github.com/code-423n4/2024-05-olas-findings/issues/32
+[x] fixed
+
+29. Attacker can cancel claimed staking incentives on Arbitrum #29
+https://github.com/code-423n4/2024-05-olas-findings/issues/29
+[x] fixed
+
+26. Non-normalized amounts sent via Wormhole lead to failure to redeem incentives #26 
+https://github.com/code-423n4/2024-05-olas-findings/issues/26
+[x] fixed
+
+22. Arbitrary tokens and data can be bridged to GnosisTargetDispenserL2 to manipulate staking incentives #22
+https://github.com/code-423n4/2024-05-olas-findings/issues/22
+[x] fixed
+
+5. The refundAccount is erroneously set to msg.sender instead of tx.origin when refundAccount specified as address(0) #5
+https://github.com/code-423n4/2024-05-olas-findings/issues/5
+[x] fixed
+
+##### Dispenser
+61. Loss of incentives if total weight in an epoch is zero #61
+https://github.com/code-423n4/2024-05-olas-findings/issues/61
+[x] fixed
+
+56. In retain function checkpoint nominee function is not called which can cause zero amount of tokens being retained. #56
+https://github.com/code-423n4/2024-05-olas-findings/issues/56
+[x] fixed
+
+38. Removed nominee doesn't receive staking incentives for the epoch in which they were removed which is against the intended behaviour #38
+https://github.com/code-423n4/2024-05-olas-findings/issues/38
+[x] fixed
+
+27. Unauthorized claiming of staking incentives for retainer #27
+https://github.com/code-423n4/2024-05-olas-findings/issues/27
+[x] fixed
+
+##### No need to change the code, just add information to the documentation
+59. Changing VoteWeighting contract can result in lost staking incentives #59
+https://github.com/code-423n4/2024-05-olas-findings/issues/59
+[x] fixed
+
+#### Low issue
+107. QA Report #107
+https://github.com/code-423n4/2024-05-olas-findings/issues/107
+```
+[N-44] Missing event for critical changes addNomenee in Dispenser
+```
+[x] fixed
+
+110. QA Report #110
+https://github.com/code-423n4/2024-05-olas-findings/issues/110
+```
+[NonCritical-9] Missing events in sensitive function setL2TargetDispenser(address l2Dispenser)
+```
+[x] fixed
+
+113. QA Report #113
+https://github.com/code-423n4/2024-05-olas-findings/issues/113
+```
+[L-08] Use abi.encodeCall() instead of abi.encodeWithSignature()/abi.encodeWithSelector() 
+grep -r encodeWithSelec ./contracts/    
+./contracts/staking/OptimismDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
+./contracts/staking/OptimismTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/ArbitrumTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/GnosisTargetDispenserL2.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(amount, batchHash));
+./contracts/staking/ArbitrumDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
+./contracts/staking/GnosisDepositProcessorL1.sol:        bytes memory data = abi.encodeWithSelector(RECEIVE_MESSAGE, abi.encode(targets, stakingIncentives, batchHash));
+```
+[x] Noted. The fact that codebase hasn't been changed is not a problem.
+
+### Catch up on changes. 15.07.24
+https://github.com/valory-xyz/autonolas-tokenomics/compare/v1.2.2-pre-internal-audit...v1.2.2-pre-audit <br>
+The changes to the codebase appear to be correct.
+
+
+
+