-
Notifications
You must be signed in to change notification settings - Fork 369
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Check to CeloDistributionSchedule activate
function
#11109
Added Check to CeloDistributionSchedule activate
function
#11109
Conversation
activate
function
…contract is actually the celoDistributionSchedule contract address
…ng in CeloToken contract manually
…istribution-schedule
|
GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
---|---|---|---|---|---|
10538986 | Triggered | Generic High Entropy Secret | e379b5c | packages/protocol/scripts/foundry/constants.sh | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a couple nit comments, but looks good to me. I like how you wrote the two new unit tests. It's clever to expect the contract to revert.
Nit: registryAddress
and proxyAdminAddress
(as examples) are constants that could live in test-sol/constants.sol
. Probably not worth refactoring in this PR, but something that might be worth doing separately.
packages/protocol/test-sol/unit/common/CeloDistributionSchedule.t.sol
Outdated
Show resolved
Hide resolved
packages/protocol/test-sol/unit/governance/voting/ReleaseGold.t.sol
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not 100% sure I understand the original bug, and how this PR fixes it, so not super comfortable approving. But left some nit comments from reading through the PR.
I mistakenly approved the PR when I meant to leave a comment
Updated the PR description to make it more clear what the changes are and why they were needed. |
…istribution-schedule
…istribution-schedule
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pending this conversation the changes look good to me. But, I'm always a little nervous approving changes to core contracts. So take my approval with a pinch of salt. I'd prefer if @martinvol or @pahor167 gave this an approval too.
Description
Added a check that prevents activating theCeloDistributionSchedule
contract if the distributionSchedule contract address if not set in CELO token contract.Previously, it was expected that the
CeloDistributionSchedule
address would be manually set in theGoldToken
contract by callingsetCeloTokenDistributionSchedule()
. This was expected to be done before callingactivate()
in theCeloDistributionSchedule
. However, theCeloDistributionSchedule
contract did not verify that theCeloDistributionSchedule
address was set in theGoldToken
contract, allowing for theCeloDistributionSchedule
to be incorrectly activated.These new changes get the
CeloDistributionSchedule
address from the registry, instead of setting it in theGoldToken
contract. Hence, no longer requiring that theCeloDistributionSchedule
address be manually set in theGoldToken
contract before activating theCeloDistributionSchedule
contract.Tested
unit tested