Merge pull request #17 from zkLinkProtocol/abdk_audit_5

Abdk audit 5
zkLinkProtocol · Jun 19, 2024 · 5b3452a · 5b3452a
2 parents 2e50cb5 + 7c9d405
commit 5b3452a
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 43 deletions.
diff --git a/contracts/governance/Governance.sol b/contracts/governance/Governance.sol
@@ -132,18 +132,6 @@ contract Governance is IGovernance, Ownable2Step {
         emit TransparentOperationScheduled(id, _delay, _operation);
     }
 
-    /// @notice Propose "shadow" upgrade, upgrade data is not publishing on-chain.
-    /// @notice The owner will be able to execute the proposal either:
-    /// - With a `delay` timelock on its own.
-    /// - With security council instantly.
-    /// @dev Only the current owner can propose an upgrade.
-    /// @param _id The operation hash (see `hashOperation` function)
-    /// @param _delay The delay time (in seconds) after which the proposed upgrade may be executed by the owner.
-    // function scheduleShadow(bytes32 _id, uint256 _delay) external onlyOwner {
-    //     _schedule(_id, _delay);
-    //     emit ShadowOperationScheduled(_id, _delay);
-    // }
-
     /*//////////////////////////////////////////////////////////////
                             CANCELING CALLS
     //////////////////////////////////////////////////////////////*/
@@ -180,25 +168,6 @@ contract Governance is IGovernance, Ownable2Step {
         emit OperationExecuted(id);
     }
 
-    /// @notice Executes the scheduled operation with the security council instantly.
-    /// @dev Only the security council may execute an operation instantly.
-    /// @param _operation The operation parameters will be executed with the upgrade.
-    // function executeInstant(Operation calldata _operation) external payable onlySecurityCouncil {
-    //     bytes32 id = hashOperation(_operation);
-    //     // Check if the predecessor operation is completed.
-    //     _checkPredecessorDone(_operation.predecessor);
-    //     // Ensure that the operation is in a pending state before proceeding.
-    //     require(isOperationPending(id), "Operation must be pending before execution");
-    //     // Execute operation.
-    //     _execute(_operation.calls);
-    //     // Reconfirming that the operation is still pending before execution.
-    //     // This is needed to avoid unexpected reentrancy attacks of re-executing the same operation.
-    //     require(isOperationPending(id), "Operation must be pending after execution");
-    //     // Set operation to be done
-    //     timestamps[id] = EXECUTED_PROPOSAL_TIMESTAMP;
-    //     emit OperationExecuted(id);
-    // }
-
     /// @dev Returns the identifier of an operation.
     /// @param _operation The operation object to compute the identifier for.
     function hashOperation(Operation calldata _operation) public pure returns (bytes32) {

diff --git a/contracts/governance/IGovernance.sol b/contracts/governance/IGovernance.sol
@@ -47,14 +47,10 @@ interface IGovernance {
 
     function scheduleTransparent(Operation calldata _operation, uint256 _delay) external;
 
-    // function scheduleShadow(bytes32 _id, uint256 _delay) external;
-
     function cancel(bytes32 _id) external;
 
     function execute(Operation calldata _operation) external payable;
 
-    // function executeInstant(Operation calldata _operation) external payable;
-
     function hashOperation(Operation calldata _operation) external pure returns (bytes32);
 
     function updateDelay(uint256 _newDelay) external;
@@ -71,7 +67,7 @@ interface IGovernance {
     event OperationExecuted(bytes32 indexed _id);
 
     /// @notice Emitted when the security council address is changed.
-    event ChangeSecurityCouncil(address _securityCouncilBefore, address _securityCouncilAfter);
+    event ChangeSecurityCouncil(address indexed _securityCouncilBefore, address indexed _securityCouncilAfter);
 
     /// @notice Emitted when the minimum delay for future operations is modified.
     event ChangeMinDelay(uint256 _delayBefore, uint256 _delayAfter);

diff --git a/contracts/interfaces/IERC20MergeToken.sol b/contracts/interfaces/IERC20MergeToken.sol
@@ -1,10 +1,12 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.23;
+pragma solidity ^0.8.0;
 
 interface IERC20MergeToken {
     /// @notice Mint merge token
+    /// @dev The caller must be the portal contract
     function mint(address _receiver, uint256 _amount) external;
 
     /// @notice Burn merge token
+    /// @dev The caller must be the portal contract
     function burn(address _from, uint256 _amount) external;
 }
diff --git a/contracts/interfaces/IMergeTokenPortal.sol b/contracts/interfaces/IMergeTokenPortal.sol
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.23;
+pragma solidity ^0.8.0;
 
 interface IMergeTokenPortal {
     event DepositToMerge(

diff --git a/contracts/merge/MergeTokenPortal.sol b/contracts/merge/MergeTokenPortal.sol
@@ -110,10 +110,10 @@ contract MergeTokenPortal is IMergeTokenPortal, UUPSUpgradeable, OwnableUpgradea
 
     /// @notice Add source token
     function addSourceToken(address _sourceToken, address _mergeToken, uint256 _depositLimit) external onlyOwner {
+        require(_sourceToken != address(0) && _mergeToken != address(0), "Invalid token address");
         bool isSupported = sourceTokenInfoMap[_sourceToken].isSupported;
         require(!isSupported, "Source token is already supported");
         require(!isMergeTokenSupported[_mergeToken][_sourceToken], "Merge token is already supported");
-        require(_sourceToken != address(0) && _mergeToken != address(0), "Invalid token address");
         require(_sourceToken != _mergeToken, "Should not Match");
         uint8 _sourceTokenDecimals = IERC20MetadataUpgradeable(_sourceToken).decimals();
         uint8 _mergeTokenDecimals = IERC20MetadataUpgradeable(_mergeToken).decimals();
@@ -150,9 +150,11 @@ contract MergeTokenPortal is IMergeTokenPortal, UUPSUpgradeable, OwnableUpgradea
         SourceTokenInfo storage tokenInfo = sourceTokenInfoMap[_sourceToken];
         require(tokenInfo.isSupported, "Source token is not supported");
 
-        tokenInfo.isLocked = _isLocked;
+        if (tokenInfo.isLocked != _isLocked) {
+            tokenInfo.isLocked = _isLocked;
 
-        emit SourceTokenStatusUpdated(_sourceToken, _isLocked);
+            emit SourceTokenStatusUpdated(_sourceToken, _isLocked);
+        }
     }
 
     /// @notice Set deposit limit
@@ -161,9 +163,11 @@ contract MergeTokenPortal is IMergeTokenPortal, UUPSUpgradeable, OwnableUpgradea
         require(tokenInfo.isSupported, "Source token is not supported");
         require(_limit >= tokenInfo.balance, "Invalid Specification");
 
-        tokenInfo.depositLimit = _limit;
+        if (tokenInfo.depositLimit != _limit) {
+            tokenInfo.depositLimit = _limit;
 
-        emit DepositLimitUpdated(_sourceToken, _limit);
+            emit DepositLimitUpdated(_sourceToken, _limit);
+        }
     }
 
     /// @notice Grant security council role