From 282ea51a471ab199fcf701e600e6d3178a7a0847 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:03:40 +0100
Subject: [PATCH 1/8] fix: add security contact to DisputeManager.sol
---
 packages/subgraph-service/contracts/DisputeManager.sol | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/subgraph-service/contracts/DisputeManager.sol b/packages/subgraph-service/contracts/DisputeManager.sol
index f48c20463..7bc932782 100644
--- a/packages/subgraph-service/contracts/DisputeManager.sol
+++ b/packages/subgraph-service/contracts/DisputeManager.sol
@@ -19,7 +19,7 @@ import { GraphDirectory } from "@graphprotocol/horizon/contracts/utilities/Graph
 import { DisputeManagerV1Storage } from "./DisputeManagerStorage.sol";
 import { AttestationManager } from "./utilities/AttestationManager.sol";
 
-/*
+/**
  * @title DisputeManager
  * @notice Provides a way to permissionlessly create disputes for incorrect behavior in the Subgraph Service.
  *
@@ -40,6 +40,7 @@ import { AttestationManager } from "./utilities/AttestationManager.sol";
  * Arbitration:
  * Disputes can only be accepted, rejected or drawn by the arbitrator role that can be delegated
  * to a EOA or DAO.
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract DisputeManager is
     Initializable,
From 491041bcd4d64eed502e158af27718343f03948c Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:03:53 +0100
Subject: [PATCH 2/8] fix: add security contact to GraphPayments.sol
---
 packages/horizon/contracts/payments/GraphPayments.sol | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/horizon/contracts/payments/GraphPayments.sol b/packages/horizon/contracts/payments/GraphPayments.sol
index b7cb34db7..ea3063d81 100644
--- a/packages/horizon/contracts/payments/GraphPayments.sol
+++ b/packages/horizon/contracts/payments/GraphPayments.sol
@@ -16,6 +16,7 @@ import { GraphDirectory } from "../utilities/GraphDirectory.sol";
  * @notice This contract is part of the Graph Horizon payments protocol. It's designed
  * to pull funds (GRT) from the {PaymentsEscrow} and distribute them according to a
  * set of pre established rules.
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract GraphPayments is Initializable, MulticallUpgradeable, GraphDirectory, IGraphPayments {
     using TokenUtils for IGraphToken;
From 86fd039daf411b064792ccd06c74080ed3dd2b71 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:30:19 +0100
Subject: [PATCH 3/8] fix: add security contact to HorizonStaking.sol
---
 packages/horizon/contracts/staking/HorizonStaking.sol | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/horizon/contracts/staking/HorizonStaking.sol b/packages/horizon/contracts/staking/HorizonStaking.sol
index 74b2d8d09..ea64fccda 100644
--- a/packages/horizon/contracts/staking/HorizonStaking.sol
+++ b/packages/horizon/contracts/staking/HorizonStaking.sol
@@ -24,6 +24,7 @@ import { HorizonStakingBase } from "./HorizonStakingBase.sol";
  * This is due to the contract size limit on Arbitrum (24kB). The extension contract implements functionality to support
  * the legacy staking functions and the transfer tools. Both can be eventually removed without affecting the main
  * staking contract.
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract HorizonStaking is HorizonStakingBase, IHorizonStakingMain {
     using TokenUtils for IGraphToken;
From 5ea1fe925147b3465d0373656bc1a0be64eeb783 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:35:30 +0100
Subject: [PATCH 4/8] fix: add security contact to HorizonStakingExtension.sol
---
 packages/horizon/contracts/staking/HorizonStakingExtension.sol | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/horizon/contracts/staking/HorizonStakingExtension.sol b/packages/horizon/contracts/staking/HorizonStakingExtension.sol
index ba7eb3a5b..c6e6f5607 100644
--- a/packages/horizon/contracts/staking/HorizonStakingExtension.sol
+++ b/packages/horizon/contracts/staking/HorizonStakingExtension.sol
@@ -24,6 +24,7 @@ import { HorizonStakingBase } from "./HorizonStakingBase.sol";
  * without losing rewards or having service interruptions.
  * @dev TODO: Once the transition period and the transfer tools are deemed not necessary this contract
  * can be removed. It's expected the transition period to last for a full allocation cycle (28 epochs).
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract HorizonStakingExtension is HorizonStakingBase, IL2StakingBase, IHorizonStakingExtension {
     using TokenUtils for IGraphToken;
From c269117fbf90476c7427b1d40046da5a549bf1d5 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:36:01 +0100
Subject: [PATCH 5/8] fix: add security contact to PaymentsEscrow.sol
---
 packages/horizon/contracts/payments/PaymentsEscrow.sol | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/horizon/contracts/payments/PaymentsEscrow.sol b/packages/horizon/contracts/payments/PaymentsEscrow.sol
index 5d0694346..c7c4e72e5 100644
--- a/packages/horizon/contracts/payments/PaymentsEscrow.sol
+++ b/packages/horizon/contracts/payments/PaymentsEscrow.sol
@@ -17,6 +17,7 @@ import { GraphDirectory } from "../utilities/GraphDirectory.sol";
  * @notice This contract is part of the Graph Horizon payments protocol. It holds the funds (GRT)
  * for payments made through the payments protocol for services provided
  * via a Graph Horizon data service.
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract PaymentsEscrow is Initializable, MulticallUpgradeable, GraphDirectory, IPaymentsEscrow {
     using TokenUtils for IGraphToken;
From 61a15440e9772d22a054b835e2dec5f1e8761b2f Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:37:47 +0100
Subject: [PATCH 6/8] fix: add security contact to SubgraphService.sol + add NatSpec before contract def
---
 packages/subgraph-service/contracts/SubgraphService.sol | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/subgraph-service/contracts/SubgraphService.sol b/packages/subgraph-service/contracts/SubgraphService.sol
index 5023e6160..0d2676476 100644
--- a/packages/subgraph-service/contracts/SubgraphService.sol
+++ b/packages/subgraph-service/contracts/SubgraphService.sol
@@ -21,6 +21,10 @@ import { PPMMath } from "@graphprotocol/horizon/contracts/libraries/PPMMath.sol"
 import { Allocation } from "./libraries/Allocation.sol";
 import { LegacyAllocation } from "./libraries/LegacyAllocation.sol";
 
+/**
+ * @title SubgraphService contract
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ */
 contract SubgraphService is
     Initializable,
     OwnableUpgradeable,
From d52be6d79e1967da01939cb8e8caba304f5f2ad5 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 17 Sep 2024 18:38:26 +0100
Subject: [PATCH 7/8] fix: add security contact to TAPCollector.sol
---
 packages/horizon/contracts/payments/collectors/TAPCollector.sol | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/horizon/contracts/payments/collectors/TAPCollector.sol b/packages/horizon/contracts/payments/collectors/TAPCollector.sol
index f3d67e819..fe96b78f3 100644
--- a/packages/horizon/contracts/payments/collectors/TAPCollector.sol
+++ b/packages/horizon/contracts/payments/collectors/TAPCollector.sol
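Review bot: The NatSpec block added above `contract SubgraphService is` carries a `@title` and the security contact but no `@notice`, so this is the only contract in the series whose header does not say what the contract does (the GraphPayments, PaymentsEscrow and HorizonStaking headers in the neighbouring patches all lead with one). A one-line `@notice` describing the contract's role, placed between `@title` and `@custom:security-contact`, would bring it in line with the others and is the text NatSpec tooling presents as the contract summary. Patch 8 rewrites the same block and still leaves it without a `@notice`. The contract definition continues outside the hunk.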
@@ -17,6 +17,7 @@ import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
  * @dev Note that the contract expects the RAV aggregate value to be monotonically increasing, each successive RAV for the same
  * (data service-payer-receiver) tuple should have a value greater than the previous one. The contract will keep track of the tokens
  * already collected and calculate the difference to collect.
+ * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
  */
 contract TAPCollector is EIP712, GraphDirectory, ITAPCollector {
     using PPMMath for uint256;
From 8ce493f79e179a6cdd35b9f12c3f8f74056852f3 Mon Sep 17 00:00:00 2001
From: MoonBoi9001
Date: Tue, 1 Oct 2024 12:49:04 +0100
Subject: [PATCH 8/8] fix: direct bugs to new security contact email address.
---
 packages/horizon/contracts/payments/GraphPayments.sol | 3 ++-
 packages/horizon/contracts/payments/PaymentsEscrow.sol | 3 ++-
 .../horizon/contracts/payments/collectors/TAPCollector.sol | 3 ++-
 packages/horizon/contracts/staking/HorizonStaking.sol | 3 ++-
 packages/horizon/contracts/staking/HorizonStakingExtension.sol | 3 ++-
 packages/subgraph-service/contracts/DisputeManager.sol | 3 ++-
 packages/subgraph-service/contracts/SubgraphService.sol | 3 ++-
 7 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/packages/horizon/contracts/payments/GraphPayments.sol b/packages/horizon/contracts/payments/GraphPayments.sol
index ea3063d81..c621f62dc 100644
--- a/packages/horizon/contracts/payments/GraphPayments.sol
+++ b/packages/horizon/contracts/payments/GraphPayments.sol
@@ -16,7 +16,8 @@ import { GraphDirectory } from "../utilities/GraphDirectory.sol";
  * @notice This contract is part of the Graph Horizon payments protocol. It's designed
  * to pull funds (GRT) from the {PaymentsEscrow} and distribute them according to a
  * set of pre established rules.
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract GraphPayments is Initializable, MulticallUpgradeable, GraphDirectory, IGraphPayments {
     using TokenUtils for IGraphToken;
diff --git a/packages/horizon/contracts/payments/PaymentsEscrow.sol b/packages/horizon/contracts/payments/PaymentsEscrow.sol
index c7c4e72e5..46736ec3e 100644
--- a/packages/horizon/contracts/payments/PaymentsEscrow.sol
+++ b/packages/horizon/contracts/payments/PaymentsEscrow.sol
@@ -17,7 +17,8 @@ import { GraphDirectory } from "../utilities/GraphDirectory.sol";
  * @notice This contract is part of the Graph Horizon payments protocol. It holds the funds (GRT)
  * for payments made through the payments protocol for services provided
  * via a Graph Horizon data service.
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract PaymentsEscrow is Initializable, MulticallUpgradeable, GraphDirectory, IPaymentsEscrow {
     using TokenUtils for IGraphToken;
diff --git a/packages/horizon/contracts/payments/collectors/TAPCollector.sol b/packages/horizon/contracts/payments/collectors/TAPCollector.sol
index fe96b78f3..f9b228ead 100644
--- a/packages/horizon/contracts/payments/collectors/TAPCollector.sol
+++ b/packages/horizon/contracts/payments/collectors/TAPCollector.sol
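Review bot: The `@custom:security-contact` value in GraphPayments.sol is now a two-line sentence with the address embedded in prose, and the same text is repeated in the PaymentsEscrow, TAPCollector, HorizonStaking, HorizonStakingExtension, DisputeManager and SubgraphService hunks of this patch. The convention for this tag (as emitted by OpenZeppelin-generated contracts, for example) is the bare contact so that tooling and block explorers can extract it: `* @custom:security-contact security+contracts@thegraph.com`. The surrounding guidance fits better under `@dev`, and "We may have an active bug bounty program" gives a reporter less to act on than the Immunefi link that patches 1–7 had just added; a `@dev` line stating where the program's current status is published would keep the actionable part. The enclosing comment block and contract definition continue outside the hunk.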
@@ -17,7 +17,8 @@ import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
  * @dev Note that the contract expects the RAV aggregate value to be monotonically increasing, each successive RAV for the same
  * (data service-payer-receiver) tuple should have a value greater than the previous one. The contract will keep track of the tokens
  * already collected and calculate the difference to collect.
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract TAPCollector is EIP712, GraphDirectory, ITAPCollector {
     using PPMMath for uint256;
diff --git a/packages/horizon/contracts/staking/HorizonStaking.sol b/packages/horizon/contracts/staking/HorizonStaking.sol
index ea64fccda..6a5479878 100644
--- a/packages/horizon/contracts/staking/HorizonStaking.sol
+++ b/packages/horizon/contracts/staking/HorizonStaking.sol
@@ -24,7 +24,8 @@ import { HorizonStakingBase } from "./HorizonStakingBase.sol";
  * This is due to the contract size limit on Arbitrum (24kB). The extension contract implements functionality to support
  * the legacy staking functions and the transfer tools. Both can be eventually removed without affecting the main
  * staking contract.
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract HorizonStaking is HorizonStakingBase, IHorizonStakingMain {
     using TokenUtils for IGraphToken;
diff --git a/packages/horizon/contracts/staking/HorizonStakingExtension.sol b/packages/horizon/contracts/staking/HorizonStakingExtension.sol
index c6e6f5607..cbb70cc20 100644
--- a/packages/horizon/contracts/staking/HorizonStakingExtension.sol
+++ b/packages/horizon/contracts/staking/HorizonStakingExtension.sol
@@ -24,7 +24,8 @@ import { HorizonStakingBase } from "./HorizonStakingBase.sol";
  * without losing rewards or having service interruptions.
  * @dev TODO: Once the transition period and the transfer tools are deemed not necessary this contract
  * can be removed. It's expected the transition period to last for a full allocation cycle (28 epochs).
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract HorizonStakingExtension is HorizonStakingBase, IL2StakingBase, IHorizonStakingExtension {
     using TokenUtils for IGraphToken;
diff --git a/packages/subgraph-service/contracts/DisputeManager.sol b/packages/subgraph-service/contracts/DisputeManager.sol
index 7bc932782..ce3685948 100644
--- a/packages/subgraph-service/contracts/DisputeManager.sol
+++ b/packages/subgraph-service/contracts/DisputeManager.sol
@@ -40,7 +40,8 @@ import { AttestationManager } from "./utilities/AttestationManager.sol";
  * Arbitration:
  * Disputes can only be accepted, rejected or drawn by the arbitrator role that can be delegated
  * to a EOA or DAO.
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract DisputeManager is
     Initializable,
diff --git a/packages/subgraph-service/contracts/SubgraphService.sol b/packages/subgraph-service/contracts/SubgraphService.sol
index 0d2676476..b2b43da40 100644
--- a/packages/subgraph-service/contracts/SubgraphService.sol
+++ b/packages/subgraph-service/contracts/SubgraphService.sol
@@ -23,7 +23,8 @@ import { LegacyAllocation } from "./libraries/LegacyAllocation.sol";
 
 /**
  * @title SubgraphService contract
- * @custom:security-contact Bug bounty program: https://immunefi.com/bug-bounty/thegraph/information/
+ * @custom:security-contact Please email security+contracts@thegraph.com if you find any
+ * bugs. We may have an active bug bounty program.
  */
 contract SubgraphService is
     Initializable,