valory-xyz · kupermind · Oct 23, 2024 · Oct 23, 2024 · Oct 23, 2024
diff --git a/audits/README.md b/audits/README.md
@@ -5,3 +5,7 @@ This section contains audit-related materials.
 An internal audit with a focus on Service Staking Mech Usage
 contracts is located in this folder: [internal audit](https://github.com/valory-xyz/autonolas-staking-programmes/blob/main/audits/internal).
 
+### Internal audit
+An internal audit with a focus on social contribute
+contracts is located in this folder: [internal audit 1](https://github.com/valory-xyz/autonolas-staking-programmes/blob/main/audits/internal1).
+
diff --git a/audits/internal1/README.md b/audits/internal1/README.md
@@ -0,0 +1,37 @@
+# Internal audit of autonolas-staking-programmes
+The review has been performed based on the contract code in the following repository:<br>
+`https://github.com/valory-xyz/autonolas-staking-programmes` <br>
+commit: `v1.4.0-pre-internal-audit` or `585003faeec5dff2fd96a326f07c3e809dc32898` <br> 
+
+## Objectives
+The audit focused on contracts in this repo. <br>
+
+
+### Flatten version
+Flatten version of contracts. [contracts](https://github.com/valory-xyz/autonolas-staking-programmes/blob/main/audits/internal1/analysis/contracts) 
+
+### ERC20/ERC721 checks
+N/A
+
+### Security issues. Updated 23-10-2024
+#### Problems found instrumentally
+Several checks are obtained automatically. They are commented. <br>
+All automatic warnings are listed in the following file, concerns of which we address in more detail below: <br>
+[slither-full](https://github.com/valory-xyz/autonolas-staking-programmes/blob/main/audits/internal1/analysis/slither_full.txt)
+
+### Issue
+1. Fixing reentrancy unstake()
+```
+more CEI,
+        IToken(serviceRegistry).transfer(msg.sender, serviceId); = reentrancy via msg.sender as contract.
+        // Zero the service info: the service is out of the contribute records, however multisig activity is still valid
+        // If the same service is staked back, the multisig activity continues being tracked
+        IContributors(contributorsProxy).setServiceInfoForId(msg.sender, 0, 0, address(0), address(0));
+
+```
+2. cyclic initialize(address _manager)
+```
+Remove params in proxy init() / or setup manage as msg.sender.
+```
+
+
diff --git a/audits/internal1/analysis/contracts/ContributeActivityChecker-flatten.sol b/audits/internal1/analysis/contracts/ContributeActivityChecker-flatten.sol
@@ -0,0 +1,76 @@
+// Sources flattened with hardhat v2.22.4 https://hardhat.org
+
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.25;
+
+// Contributors interface
+interface IContributors {
+    function mapMutisigActivities(address multisig) external view returns (uint256);
+}
+
+/// @dev Zero address.
+error ZeroAddress();
+
+/// @dev Zero value.
+error ZeroValue();
+
+/// @title ContributeActivityChecker - Smart contract for performing contributors service staking activity check
+/// @author Aleksandr Kuperman - <[email protected]>
+/// @author Andrey Lebedev - <[email protected]>
+/// @author Tatiana Priemova - <[email protected]>
+/// @author David Vilela - <[email protected]>
+contract ContributeActivityChecker {
+    // Liveness ratio in the format of 1e18
+    uint256 public immutable livenessRatio;
+    // Contributors proxy contract address
+    address public immutable contributorsProxy;
+
+    /// @dev StakingNativeToken initialization.
+    /// @param _contributorsProxy Contributors proxy contract address.
+    /// @param _livenessRatio Liveness ratio in the format of 1e18.
+    constructor(address _contributorsProxy, uint256 _livenessRatio) {
+        // Check the zero address
+        if (_contributorsProxy == address(0)) {
+            revert ZeroAddress();
+        }
+
+        // Check for zero value
+        if (_livenessRatio == 0) {
+            revert ZeroValue();
+        }
+
+        contributorsProxy = _contributorsProxy;
+        livenessRatio = _livenessRatio;
+    }
+
+    /// @dev Gets service multisig nonces.
+    /// @param multisig Service multisig address.
+    /// @return nonces Set of a single service multisig nonce.
+    function getMultisigNonces(address multisig) external view virtual returns (uint256[] memory nonces) {
+        nonces = new uint256[](1);
+        // The nonce is equal to the social off-chain activity corresponding to a multisig activity
+        nonces[0] = IContributors(contributorsProxy).mapMutisigActivities(multisig);
+    }
+
+    /// @dev Checks if the service multisig liveness ratio passes the defined liveness threshold.
+    /// @notice The formula for calculating the ratio is the following:
+    ///         currentNonce - service multisig nonce at time now (block.timestamp);
+    ///         lastNonce - service multisig nonce at the previous checkpoint or staking time (tsStart);
+    ///         ratio = (currentNonce - lastNonce) / (block.timestamp - tsStart).
+    /// @param curNonces Current service multisig set of a single nonce.
+    /// @param lastNonces Last service multisig set of a single nonce.
+    /// @param ts Time difference between current and last timestamps.
+    /// @return ratioPass True, if the liveness ratio passes the check.
+    function isRatioPass(
+        uint256[] memory curNonces,
+        uint256[] memory lastNonces,
+        uint256 ts
+    ) external view virtual returns (bool ratioPass) {
+        // If the checkpoint was called in the exact same block, the ratio is zero
+        // If the current nonce is not greater than the last nonce, the ratio is zero
+        if (ts > 0 && curNonces[0] > lastNonces[0]) {
+            uint256 ratio = ((curNonces[0] - lastNonces[0]) * 1e18) / ts;
+            ratioPass = (ratio >= livenessRatio);
+        }
+    }
+}