Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TRST audit fixes for Graph Payments contracts #1072

Merged
merged 10 commits into from
Dec 17, 2024
Merged

TRST audit fixes for Graph Payments contracts #1072

merged 10 commits into from
Dec 17, 2024

Conversation

tmigone
Copy link
Contributor

@tmigone tmigone commented Nov 26, 2024
edited
Loading

This PR addresses the following audit findings:

  • TRST-H-1 A payer could bypass the escrow mechanism and avoid payments
  • TRST-M-10 A RAV could be collected more than once, leading to double payment
  • TRST-CL-1 A payer could bypass the escrow mechanism and avoid payments through the vulnerable collector allowance mapping
  • TTRST-L-10 The getBalance() function could revert when balance is lower than tokens thawing
  • TRST-M-5 Lack of chunking functionality of new RAVs may cause them to not be processable
  • TRST-L-12 The collection cuts could exceed 100% causing collect() to revert

@tmigone tmigone force-pushed the tmigone/trust-fixes-payments branch from da0427a to 65e99f9 Compare November 26, 2024 19:31
@openzeppelin-code OpenZeppelin Code
Copy link

openzeppelin-code bot commented Nov 26, 2024
edited
Loading

TRST audit fixes for Graph Payments contracts

Generated at commit: 0542ab770dca4203d0fa6ea22f0191a73f57b761

🚨 Report Summary

Severity Level Results
Contracts Critical
High
Medium
Low
Note
Total		 2
4
0
15
39
60
Dependencies Critical
High
Medium
Low
Note
Total		 0
0
0
0
0
0

For more details view the full report in OpenZeppelin Code Inspector

@tmigone tmigone force-pushed the tmigone/trust-fixes-payments branch 2 times, most recently from d705ca6 to 7d62913 Compare November 28, 2024 15:30
@tmigone tmigone changed the title TRST audit fixes for GraphPayments contracts TRST audit fixes for Graph Payments contracts Nov 28, 2024
@tmigone tmigone force-pushed the tmigone/trust-fixes-payments branch from 7d62913 to 670fba7 Compare November 28, 2024 18:44
@tmigone tmigone requested a review from Maikol December 4, 2024 18:06
Maikol
Maikol approved these changes Dec 10, 2024
View reviewed changes
Copy link
Member

@Maikol Maikol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

packages/horizon/test/payments/tap-collector/collect/collect.t.sol Outdated Show resolved Hide resolved
packages/subgraph-service/test/subgraphService/collect/query/query.t.sol Outdated Show resolved Hide resolved
@tmigone tmigone force-pushed the tmigone/trust-fixes-payments branch from 89567c8 to a065804 Compare December 10, 2024 14:14
@tmigone tmigone merged commit 1109537 into horizon Dec 17, 2024
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maikol Maikol Maikol approved these changes

Assignees
No one assigned
Labels
audit-fix horizon
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tmigone @Maikol