/// @dev This is currently a substitute module that stubs gOHM.
means that the VOTES module is temporary and will be replaced by a form of governance token (could be staked gOHM for example). One must be sure before upgrading that the new token does not present a transfer function nor any mechanism or bypass that effectively allows to transfer tokens in between addresses. If the contrary is true, it would lead to a double endorsing issue (possibility to call OlympusGovernance.endorseProposal() a second time after getting the same tokens to a different address). Note that a bypass that allows transfer of tokens without delay could be used by an attacker to get unlimited endorsement power and execute a DoS on the governance by frontrunning calls to activateProposal() with a self-endorsed proposal.
[L-02]: Voting temporarily reduces endorsing power
When calling vote() on the governance, VOTES token are transfered temporarily to the governance contract (Governance.sol#L259), so one must wait before being able to endorse a proposal again.
[L-03]: Missing events for critical changes in system parameters
Change of critical system parameters should come with an event emission to allow for monitoring of potentially dangerous or malicious changes. Occurrencies of this issue are Kernel.sol#L77, Kernel.sol#L127, BondCallback.sol#L190
[L-04]: executor can become also admin
At Kernel.sol#L253 the executor is allowed to become also admin of the Kernel. Consider checking that the admin set is not the executor (and vice versa at Kernel.sol#L251) to avoid full centralization of the system.
[L-05]: Open TODOs
Open TODOs can point to architecture or programming issues that still need to be resolved. Occurrencies at TreasuryCustodian.sol#L51-L56, Operator.sol#L657. All issues raised in TODOs should be addressed before deployment.
[NC-03]: Use custom error when netVotes should underflow
In QA.md#L82 check that yesVotesForProposal[activeProposal.proposalId] > noVotesForProposal[activeProposal.proposalId] before subtracting and revert with custom error NotEnoughVotesToExecute if not. This avoids to have a Panic error due to underflow in case netVotes should underflow.
[L-01]: Upgrades to
VOTES
module can lead to governance vulnerabilitiesThe comment in VOTES.sol#L10:
means that the
VOTES
module is temporary and will be replaced by a form of governance token (could be staked gOHM for example). One must be sure before upgrading that the new token does not present atransfer
function nor any mechanism or bypass that effectively allows to transfer tokens in between addresses. If the contrary is true, it would lead to a double endorsing issue (possibility to callOlympusGovernance.endorseProposal()
a second time after getting the same tokens to a different address). Note that a bypass that allows transfer of tokens without delay could be used by an attacker to get unlimited endorsement power and execute a DoS on the governance by frontrunning calls toactivateProposal()
with a self-endorsed proposal.[L-02]: Voting temporarily reduces endorsing power
When calling
vote()
on the governance,VOTES
token are transfered temporarily to the governance contract (Governance.sol#L259), so one must wait before being able to endorse a proposal again.[L-03]: Missing events for critical changes in system parameters
Change of critical system parameters should come with an event emission to allow for monitoring of potentially dangerous or malicious changes. Occurrencies of this issue are Kernel.sol#L77, Kernel.sol#L127, BondCallback.sol#L190
[L-04]:
executor
can become alsoadmin
At Kernel.sol#L253 the
executor
is allowed to become alsoadmin
of theKernel
. Consider checking that theadmin
set is not theexecutor
(and vice versa at Kernel.sol#L251) to avoid full centralization of the system.[L-05]: Open
TODO
sOpen TODOs can point to architecture or programming issues that still need to be resolved. Occurrencies at TreasuryCustodian.sol#L51-L56, Operator.sol#L657. All issues raised in TODOs should be addressed before deployment.
[NC-01]: Missing/Incomplete/Incorrect Natspec comments:
missing Natspec comments for public / external functions:
missing Natspec comments for public getters:
missing function parameters:
missing function return values
incorrect comments:
Mapping of keycode to module address
Mapping of keycode to module address
Policy
andKeycode
should be invertedConsider adding missing Natspec comments according to the relevant section in the solidity docs.
[NC-02]: Redundant code:
At Governance.sol#L223 and Governance.sol#L306 use of
bool == true
is equivalent to justbool
.[NC-03]: Use custom error when
netVotes
should underflowIn QA.md#L82 check that
yesVotesForProposal[activeProposal.proposalId] > noVotesForProposal[activeProposal.proposalId]
before subtracting and revert with custom errorNotEnoughVotesToExecute
if not. This avoids to have a Panic error due to underflow in casenetVotes
should underflow.