delvtech / council Goto Github PK
View Code? Open in Web Editor NEWFlexible DAO governance smart contracts, developed by Delv.
License: Apache License 2.0
council's People
Contributors
Stargazers
Watchers
Forkers
digital-distributed-asset projecteuanthe badmonkey9669 verumlotus pawanv5913 lekovc54 oprom overlay-market sentilesdal giuseppecrj mygirl001 mondoir nexisdev ideasincrypto cb-defi-notifs harshasingamshetty1council's Issues
Add method to voluntarily leave the GSC
The only way to be removed from the GSC today is for your voting power to drop below the required threshold, then get kicked. If voting power comes from delegation, you have no control over this.
Ideally, inactive voters that don't want to be on the GSC will naturally drop below the threshold and be kicked, but adding the ability to manually leave is trivial and gives the voter more control.
`DAY_IN_BLOCKS` post-merge
How important is it that DAY_IN_BLOCKS matches actual block time? Keep in mind that block times will be 12 seconds post merge:
Add Public Getter which accounts for default
This mapping returns 0 for default, we should make it private and then add a modified version of the default getter which returns the default mapping instead of zero.
Credit: @daejunpark
Missing, incorrect, or unordered NatSpec comments
History.sol
- Params in Natspec comments aren’t in the same order as the code:
https://github.com/element-fi/council/blob/d371ac82184fc26e19e958bd0b861f83e74b2955/contracts/libraries/History.sol#L333
simpleProxy.sol
- Needs natspec comment for _newGovernance param
OptimisticGrants.sol
- @param _amount The amount to add to the solvency. Shouldn’t it be the amount to remove from the solvency?
OptimisticRewards.sol
- Do we need 3 slashes for the unused param?
VestingVault.sol
- Missing NatSpec comment for _who param:
- Some internal methods have NatSpec comments and some don’t
Missing:_getWithdrawableAmount()
Incomplete: _syncVotingPower()
Change event to show if the proposal was executed
The current event will emit a true for events which are deleted but are positive without meeting quorum, these events don't actually get executed making this event hard to parse. We should add a second bool field for quorum passing.
Credit: @daejunpark
Inconsistent Natspec comments in interfaces
ICoreVoting.sol
Missing natspec comments
https://github.com/element-fi/council/blob/d371ac82184fc26e19e958bd0b861f83e74b2955/contracts/interfaces/ICoreVoting.sol#L5
ILockingVault.sol
Missing natspec comments
https://github.com/element-fi/council/blob/d371ac82184fc26e19e958bd0b861f83e74b2955/contracts/interfaces/ILockingVault.sol#L5
IVotingVault.sol
Has natspec comments
Update bounty program details
The README included a broken link to our old Immunefi bounty program. Once we've landed on a new vendor, we should add updated details to the README.
related to: delvtech/hyperdrive#975
Inconsistent use of largeSpend vs highSpend in Spender.sol
The method is called largeSpend, but the contract variables are highSpendLimit:
The comment calls it large spend limit even though the param is highSpendLimit:
audit issues fix line 1
File: contracts\features\OptimisticGrants.sol
83: /// WARNING: A contract _recipient will log msg.sender as this contract's address // REVIEW: Note, outdated comment? Which _recipient?
File: contracts\libraries\History.sol
079: require(data < uint256(1) << 192, "OoB"); // REVIEW: Note, require statement could be made more readable with data <= type(uint192).max.
File: contracts\libraries\VestingVaultStorage.sol
03: import "./Storage.sol"; // REVIEW: Note, import is not used.
File: contracts\vaults\GSCVault.sol
23: uint256 public idleDuration = 60 * 60 * 24 * 4; // REVIEW: Note, instead of '60 * 60 * 24 * 4' use '4 days' for readability.
94: members[msg.sender].joined // REVIEW: Optimization, no need to rewrite joined, just update votingVaults.
File: contracts\vaults\LockingVault.sol
141: emit VoteChange(fundedAccount, delegate, int256(amount)); // REVIEW: Minor, wrong order of params in VoteChange.
163: emit VoteChange(msg.sender, delegate, -1 * int256(amount)); // REVIEW: Minor, wrong order of params in VoteChange.
186: emit VoteChange(msg.sender, oldDelegate, -1 * int256(userBalance)); // REVIEW: Minor, wrong order of params in VoteChange.
192: emit VoteChange(msg.sender, newDelegate, int256(userBalance)); // REVIEW: Minor, wrong order of params in VoteChange.
160: // Add the newly deposited votes to the delegate // Note: the comments are not relevant (copy of comments from deposit function).
162: // Emit a event to track added votes // Note: the comments are not relevant (copy of comments from deposit function).
185: // Emit a event to track added votes // Note: the comments are not relevant (copy of comments from deposit function).
File: contracts\vaults\OptimisticRewards.sol
27: uint256 public challengePeriod = 60 * 60 * 24 * 7; // REVIEW: Note, instead of '60 * 60 * 24 * 7' user '7 days' for readability.
File: contracts\vaults\VestingVault.sol
145: address _delegatee = _delegatee == address(0) ? _who : _delegatee; // REVIEW: Note, no need to redeclare _delegatee.
Possible Spelling/Grammar/Typos
CoreVoting.sol
- Comity spelled wrong
Timelock.sol
- Comity should be spelled committee
History.sol
- blocknumber user (Not sure what this means)
- spelling: minium -> minimum
OptimisticRewards.sol
- Should be “would take effect” (not affect)
VestingVault.sol
- Spelling: olyManager modifier -> onlyManager modifier
Hash on chain in the Timelock
This would make it possible to see what actions have been registered.
It would also make it possible to see what actions are being proposed in CoreVoting. When the actions are hashed off chain, we can only see a callHash for Timelock proposals.
Double execution vulnerability in Timelock
A batch of calls may be doubly executed in Timelock.
Scenario
Consider the following two scenarios where increaseTime() is executed after execute() for the same callHash:
- The authorized GSC contract accidentally or maliciously calls
increaseTime()for thecallHashthat has already been executed. (Difficulty: High) - OR, the GSC legitimately calls
increaseTime()near the end of the original waiting period, butincreaseTime()is delayed for some reason until the original waiting period passes, and immediately adversaries front-runexecute()before theincreaseTime()transaction. (Difficulty: Medium)
Then, callTimestamps[callHash] becomes non-zero again, and the subsequent execute() may lead to double execution of the same batch of calls.
Recommendation
Add an extra condition require(callTimestamps[callHash] != 0); in the increaseTime() function to ensure that the given callHash is active.
GSC voting power update
Currently proving membership puts the entire voting power on a time delay. This makes topping-up votes to maintain membership difficult.
simple solution:
Implement a top-up method that does not adhere to the locking period.
Switch to Min + Max Vote Period
Currently votes last forever till a contract call deletes them, plus they can be deleted after the min voting time has passed. This means (1) we need constant execution on chain to remove old proposals (2) even though we allow longer voting times it's hard to coordinate.
We should swap so that the proposal is unlocked after a min voting time and expired after max voting time. It can be executed during the period between min and max but only deleted without execution after the max.
Minimum quorem requirement regarding abstentions
In the current design, merely having more YES votes than that of NO votes is enough to execute a proposal. This means that a proposal will be executed, even if we have only a single YES ballot, zero NO ballot, and a lot of MAYBE ballots. There may exist scenarios where this behavior is problematic, and it may be considered to require a certain minimum quorum (ratio) of YES ballots.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.