feat: sponsored periphery audit

[grasphoper]

No description provided.

[nicholaspai]

First pass comments, the flow is definitely hard to get my head around and I'll probably need to re review

[nicholaspai]

Is this internal function only intended to be used for swaps? I think maybe this comment is misleading as many types of arbitrary actions could lead to the initialBalance being unchanged after calling handleV3AcrossMessage

[nicholaspai]

I have two overall comment paths upon second reading:

• I left a comment about contract naming to make it clearer how HyperCoreFlowExecutor and ArbitraryActionFlowExecutor differ
• There seem to be a lot of reentrancy-protection violations. Is it deliberate to not use nonReentrant on any external functions in any contracts introduced in this PR?

[grasphoper]

There seem to be a lot of reentrancy-protection violations. Is it deliberate to not use nonReentrant on any external functions in any contracts introduced in this PR?

Not deliberate. I think we should create a PR with changes to our reentrancy logic where we add a bunch of nonReentrant modifiers + potentially follow a CEI pattern in places when we don't add the modifier. Or maybe we can do both (add the modifier and follow CEI) just for the cases where some unexpecting reeentrant external function is calling an internal function that doesn't follow CEI

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		protobufjs@7.2.4 has a Critical CVE. CVE: GHSA-h755-8qp9-cq85 protobufjs Prototype Pollution vulnerability (CRITICAL) Affected versions: >= 7.0.0 < 7.2.5; >= 6.10.0 < 6.11.4 Patched version: 7.2.5 From: ? → npm/@uma/common@2.37.3 → npm/protobufjs@7.2.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/protobufjs@7.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		safer-buffer@2.1.2 has Obfuscated code. Confidence: 0.94 Location: Package overview From: ? → npm/hardhat-gas-reporter@1.0.8 → npm/@uma/common@2.37.3 → npm/@coral-xyz/anchor@0.31.1 → npm/@solana/web3.js@1.98.2 → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	yargs@​16.2.0
	mocha@​7.2.0

View full report