Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: addToDelegationPool token transfer (OZ C-01 and C-02) #988

Merged
merged 2 commits into from
Sep 6, 2024
Merged

fix: addToDelegationPool token transfer (OZ C-01 and C-02) #988

merged 2 commits into from
Sep 6, 2024

Conversation

Maikol
Copy link
Member

@Maikol Maikol commented Aug 7, 2024

No description provided.

@Maikol Maikol changed the title fix: addToDelegationPool access control and token transfer (OZ C-01) fix: addToDelegationPool access control and token transfer (OZ C-01 and C-02) Aug 7, 2024
@openzeppelin-code OpenZeppelin Code
Copy link

openzeppelin-code bot commented Aug 7, 2024
edited
Loading

fix: addToDelegationPool token transfer (OZ C-01 and C-02)

Generated at commit: f4f9badb7d72547142e45c57e5f259fdf27d2b2e

🚨 Report Summary

Severity Level Results
Contracts Critical
High
Medium
Low
Note
Total		 2
4
0
16
41
63
Dependencies Critical
High
Medium
Low
Note
Total		 0
0
0
0
0
0

For more details view the full report in OpenZeppelin Code Inspector

tmigone
tmigone requested changes Aug 13, 2024
View reviewed changes
packages/horizon/contracts/staking/HorizonStaking.sol Outdated Show resolved Hide resolved
packages/horizon/contracts/staking/HorizonStaking.sol Outdated
@@ -278,6 +278,8 @@ contract HorizonStaking is HorizonStakingBase, IHorizonStakingMain {
uint256 tokens
) external override notPaused {
require(tokens != 0, HorizonStakingInvalidZeroTokens());
require(msg.sender == verifier || msg.sender == address(_graphPayments()), HorizonStakingInvalidDelegationPoolSender(msg.sender));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know OZ suggested this, but I'd argue we don't need it:

  • We would be limiting potential use cases we don't know about
  • Documentation already mentions that delegators SHOULD NOT use this function and it's not like we will be creating client side apps to facilitate calling it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this makes sense but worth discussing with OZ just in case, it could increase the risk of rounding attacks etc.

(If we do go ahead as it is, let's rename the PR without the "access control" part)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've renamed and will let OZ know so they can give their feedback.

packages/horizon/contracts/staking/HorizonStaking.sol Outdated Show resolved Hide resolved
@Maikol Maikol requested a review from tmigone August 13, 2024 18:29
@Maikol Maikol changed the title fix: addToDelegationPool access control and token transfer (OZ C-01 and C-02) fix: addToDelegationPool token transfer (OZ C-01 and C-02) Aug 19, 2024
@tmigone tmigone changed the base branch from horizon to tmigone/fixes August 22, 2024 17:46
@tmigone tmigone changed the base branch from tmigone/fixes to horizon September 6, 2024 19:09
@tmigone tmigone merged commit f4f9bad into horizon Sep 6, 2024
5 of 7 checks passed
@tmigone tmigone deleted the mde/pr988-fix-oz-c-01 branch September 6, 2024 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmigone tmigone tmigone approved these changes

@pcarranzav pcarranzav Awaiting requested review from pcarranzav

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Maikol @pcarranzav @tmigone