V1.1.7 internal audit4.1 #121

77ph · 2023-10-04T11:35:25Z

Internal audit based on v.1.1.7 focused on staking contracts.

mariapiamo · 2023-10-04T12:39:45Z

audits/README.md

@@ -10,6 +10,8 @@ contracts is located in this folder: [internal audit 2](https://github.com/valor
 An internal audit with a focus on one-shot upgrade and operating services with signatures
 contracts is located in this folder: [internal audit 3](https://github.com/valory-xyz/autonolas-registries/blob/main/audits/internal3).

+An internal audit with a focus on "staking"


Suggested change

An internal audit with a focus on "staking"

An internal audit with a focus on Service Staking

mariapiamo · 2023-10-04T12:47:08Z

audits/internal4/README.md

+If you wish, you can fight, for example, using this method
+hash(multisig.code) vs well-know hash
+```
+Is it possible to replace the multisig with some kind of fake one without losing the opportunity to receive rewards? <br>


Once the service has been staked, there is no possibility to update the service multisig.

Before staking.

I see, good point. Added this in registries vulnerabilities list as well!

So basically for staking to be safe we first need to upgrade the protocol to ensure all services use Safe multisigs.

@DavidMinarsch There's no immediate urgency for an upgrade. Specifically, we can perform a direct check on the staking contract when a service is staked under this initial version. Subsequently, we can consider upgrading the GnosisSafeSameAddressMultisig

Yes, the verification in this contract will be enough to close the problem now.
Then we will need to add this check to old contracts.
Everything is as @mariapiamo said. @kupermind has already made such a fix in post-audit PR.

We will do it in the staking contract, however it would be good to update GnosisSafeSameAddressMultisig contract at some point to check for the multisig proxy code.

chore: correcting proposals

doc: internal audit ref: v1.1.7

0230cee

77ph assigned mariapiamo Oct 4, 2023

77ph changed the base branch from main to service_staking_tests October 4, 2023 11:51

77ph changed the base branch from service_staking_tests to service_staking2 October 4, 2023 11:52

mariapiamo reviewed Oct 4, 2023

View reviewed changes

AL added 2 commits October 4, 2023 15:56

doc: internal audit ref: v1.1.7. updates

f5f7b11

doc: internal audit ref: v1.1.7. update README

6b5f8cc

kupermind approved these changes Oct 6, 2023

View reviewed changes

Base automatically changed from service_staking2 to main October 6, 2023 13:32

kupermind merged commit e16be7e into main Oct 6, 2023
2 checks passed

kupermind deleted the v1.1.7-internal-audit4.1 branch October 6, 2023 13:32

77ph pushed a commit that referenced this pull request Oct 12, 2023

Merge pull request #121 from valory-xyz/proposals3

27b1e84

chore: correcting proposals

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

V1.1.7 internal audit4.1 #121

V1.1.7 internal audit4.1 #121

77ph commented Oct 4, 2023

mariapiamo Oct 4, 2023

mariapiamo Oct 4, 2023

77ph Oct 4, 2023

mariapiamo Oct 4, 2023

DavidMinarsch Oct 5, 2023

mariapiamo Oct 5, 2023

77ph Oct 6, 2023

kupermind Oct 6, 2023

	An internal audit with a focus on "staking"
	An internal audit with a focus on Service Staking

V1.1.7 internal audit4.1 #121

V1.1.7 internal audit4.1 #121

Conversation

77ph commented Oct 4, 2023

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment