Skip to content

add Ownable2Step to the BondingCurveRegistry contract for better security#134

Open
mihailo-maksa wants to merge 1 commit intomainfrom
add-ownable2step-to-bcr
Open

add Ownable2Step to the BondingCurveRegistry contract for better security#134
mihailo-maksa wants to merge 1 commit intomainfrom
add-ownable2step-to-bcr

Conversation

@mihailo-maksa
Copy link
Copy Markdown
Contributor

@mihailo-maksa mihailo-maksa commented May 8, 2025

No description provided.

@mihailo-maksa mihailo-maksa requested a review from auroter May 8, 2025 14:19
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 8, 2025

Summary of Test Results if Merged To Main:

  • Full logs & artifacts are available in the Actions tab
  • This comment will update automatically with new CI runs

✅ All 148 tests passed! (2 skipped, Total: 150)

Test Results for Merge

Test Suite Status Coverage Time
test/unit/EthMultiVault/CreateAtom.t.sol 100% (6/6) 0.003s
test/unit/EthMultiVault/AdminMultiVault.t.sol 100% (16/16) 0.007s
test/unit/EthMultiVault/EmergencyRedeemTriple.t.sol 100% (5/5) 0.009s
test/unit/EthMultiVault/RedeemAtomCurve.t.sol 100% (4/4) 0.007s
test/unit/EthMultiVault/CreateTriple.t.sol 100% (6/6) 0.007s
test/unit/EthMultiVault/Approvals.t.sol 100% (2/2) 0.005s
test/unit/EthMultiVault/EmergencyReedemAtom.t.sol 100% (4/4) 0.003s
test/unit/EthMultiVault/CurveComparison.t.sol 100% (6/6) 0.009s
test/BaseTest.sol 100% (2/2) 0.014s
test/unit/EthMultiVault/RedeemTriple.t.sol 100% (5/5) 0.028s
test/unit/EthMultiVault/BatchCreateAtom.t.sol 100% (2/2) 0.016s
test/unit/EthMultiVault/DepositAtom.t.sol 100% (4/4) 0.009s
test/unit/EthMultiVault/DepositAtomCurve.t.sol 100% (4/4) 0.006s
test/unit/EthMultiVault/RedeemTripleCurve.t.sol 100% (5/5) 0.021s
test/unit/EthMultiVault/BatchCreateTriple.t.sol 100% (4/4) 0.018s
test/unit/EthMultiVault/DepositTriple.t.sol 100% (4/4) 0.016s
test/unit/EthMultiVault/BatchDeposit.t.sol 100% (6/6) 0.008s
test/unit/EthMultiVault/DepositTripleCurve.t.sol 100% (4/4) 0.015s
test/unit/EthMultiVault/BatchRedeem.t.sol 100% (8/8) 0.012s
test/unit/EthMultiVault/Fees.t.sol 100% (2/2) 0.461s
test/unit/EthMultiVault/Helpers.t.sol 100% (4/4) 0.004s
test/unit/EthMultiVault/Profit.t.sol 100% (11/11) 0.024s
test/unit/EthMultiVault/RedeemAtom.t.sol 100% (4/4) 0.003s
test/unit/EthMultiVault/UseCases.t.sol 100% (6/6) 0.047s
test/UpgradeTest.t.sol ⚠️ 86% (13/15) 16.660s

🔒 Security Analysis

⚠️ Found 3 High and 3 Medium severity issues

High Severity Issues

arbitrary-send-eth

Impact: AtomWallet._call(address,uint256,bytes) (src/AtomWallet.sol#214-221) sends eth to arbitrary user Dangerous calls: - (success,result) = target.call{value: value}(data) (src/AtomWallet.sol#215)

Affected Files:

  • src/AtomWallet.sol
View Detailed Findings
  • src/AtomWallet.sol:214 in _call
reentrancy-eth

Impact: Reentrancy in EthMultiVault.batchDepositCurve(address,uint256[],uint256[],uint256[]) (src/EthMultiVault.sol#1291-1326): External calls: - _transferFeesToProtocolMultisig(protocolFee) (src/EthMultiVault.sol#1322) - (success,None) = address(generalConfig.protocolMultisig).call{value: value}() (src/EthMultiVault.sol#1440) State variables written after the call(s): - shares[i] = _depositCurve(receiver,termIds[i],curveIds[i],userDepositAfterprotocolFee) (src/EthMultiVault.sol#1320) - bondingCurveVaults[id][curveId].balanceOf[to] += amount (src/EthMultiVault.sol#1740) - bondingCurveVaults[id][curveId].totalAssets += assetsDelta (src/EthMultiVault.sol#1798) - bondingCurveVaults[id][curveId].totalShares += sharesDelta (src/EthMultiVault.sol#1799) EthMultiVault.bondingCurveVaults (src/EthMultiVault.sol#132) can be used in cross function reentrancies: - EthMultiVault.bondingCurveVaults (src/EthMultiVault.sol#132) - EthMultiVault.convertToAssetsCurve(uint256,uint256,uint256) (src/EthMultiVault.sol#2216-2221) - EthMultiVault.convertToSharesCurve(uint256,uint256,uint256) (src/EthMultiVault.sol#2181-2187) - EthMultiVault.currentSharePriceCurve(uint256,uint256) (src/EthMultiVault.sol#2113-2117) - EthMultiVault.getCurveVaultState(uint256,uint256) (src/EthMultiVault.sol#2353-2355) - EthMultiVault.getDepositSharesAndFeesCurve(uint256,uint256,uint256) (src/EthMultiVault.sol#1922-1949) - EthMultiVault.getRedeemAssetsAndFeesCurve(uint256,uint256,uint256) (src/EthMultiVault.sol#1996-2030) - EthMultiVault.getVaultStateForUserCurve(uint256,uint256,address) (src/EthMultiVault.sol#2343-2351) - EthMultiVault.maxRedeemCurve(address,uint256,uint256) (src/EthMultiVault.sol#2149-2152) - shares[i] = _depositCurve(receiver,termIds[i],curveIds[i],userDepositAfterprotocolFee) (src/EthMultiVault.sol#1320) - vaults[id].totalAssets = totalAssets (src/EthMultiVault.sol#1781) - vaults[id].totalShares = totalShares (src/EthMultiVault.sol#1782) EthMultiVault.vaults (src/EthMultiVault.sol#97) can be used in cross function reentrancies: - EthMultiVault.convertToAssets(uint256,uint256) (src/EthMultiVault.sol#2200-2204) - EthMultiVault.convertToShares(uint256,uint256) (src/EthMultiVault.sol#2165-2169) - EthMultiVault.currentSharePrice(uint256) (src/EthMultiVault.sol#2101-2107) - EthMultiVault.getDepositSharesAndFees(uint256,uint256) (src/EthMultiVault.sol#1893-1920) - EthMultiVault.getRedeemAssetsAndFees(uint256,uint256) (src/EthMultiVault.sol#1960-1994) - EthMultiVault.getVaultStateForUser(uint256,address) (src/EthMultiVault.sol#2337-2341) - EthMultiVault.maxRedeem(address,uint256) (src/EthMultiVault.sol#2139-2142) - EthMultiVault.vaults (src/EthMultiVault.sol#97)

Affected Files:

  • src/EthMultiVault.sol
View Detailed Findings
  • src/EthMultiVault.sol:1291 in batchDepositCurve
  • src/EthMultiVault.sol:1241 in batchDeposit

Medium Severity Issues

View Medium Severity Issues ##### incorrect-equality **Impact**: EthMultiVault._validateTimelock(bytes32) (src/EthMultiVault.sol#2434-2446) uses a dangerous strict equality: - timelock.readyTime == 0 (src/EthMultiVault.sol#2437)

Affected Files:

  • src/EthMultiVault.sol

  • src/EthMultiVault.sol:2434 in _validateTimelock

uninitialized-local

Impact: EthMultiVault.batchCreateAtom(bytes[]).protocolDepositFeeTotal (src/EthMultiVault.sol#625) is a local variable never initialized

Affected Files:

  • src/EthMultiVault.sol

  • src/EthMultiVault.sol:625 in protocolDepositFeeTotal

  • src/EthMultiVault.sol:758 in protocolDepositFeeTotal

Recommended Actions

  1. Review and fix all high severity issues before deployment
  2. Implement thorough testing for affected components
  3. Consider additional security measures:
    • Access controls
    • Input validation
    • Invariant checks

⛽ Gas Analysis

📊 First gas snapshot created

auroter
auroter approved these changes May 8, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@auroter auroter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this.

Since none of the EthMultiVault function declarations changed, all 1.5 projects can probably keep using the same ABI as before (what's currently on main in this repo).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@auroter auroter auroter approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mihailo-maksa @auroter