search

zeta-chain / protocol-contracts

Protocol contracts implementing the core logic of the protocol, deployed on ZetaChain and on connected chains
MIT License
68 stars 55 forks source link

fix: slither v2 action and slither issues #286

Closed skosito closed 1 month ago

skosito commented 1 month ago

Summary by CodeRabbit

coderabbitai[bot] commented 1 month ago

Walkthrough

The recent changes focus on enhancing the structure and clarity of various Solidity smart contracts and their associated Go bindings and TypeScript interfaces. Key improvements include the renaming of constructor parameters for consistency, the removal of redundant functions related to the tssAddress, and updates to ABI definitions. These modifications aim to streamline the code, boost readability, and improve security by employing immutable variables in key contracts.

Changes

Files Change Summary
.github/workflows/slither_v2.yaml Enhanced GitHub Actions configuration for Slither analysis with specific settings, targets, and compiler version.
v2/pkg/erc20custody.sol/erc20custody.go Updated ERC20CustodyMetaData structure and function signatures for clarity; removed redundant tssAddress methods.
v2/pkg/gatewayevm.sol/gatewayevm.go Renamed parameters in functions for consistency; updated ABI to reflect new names without altering functionality.
v2/pkg/gatewayevmupgradetest.sol/gatewayevmupgradetest.go Updated ABI with new functions and events; refined access control mechanisms in the contract.
v2/pkg/gatewayzevm.sol/gatewayzevm.go Parameter names updated for consistency; new error types and events added to ABI.
v2/pkg/igatewayevm.sol/igatewayevm.go Major ABI modifications with new method definitions, enhancing contract flexibility and error handling.
v2/pkg/igatewayzevm.sol/igatewayzevm.go Added a new RevertContext struct for better context handling in transactions; updated functions to use it.
v2/pkg/zetaconnectorbase.sol/zetaconnectorbase.go Removed tssAddress function, indicating a shift in contract management; improved ABI structure.
v2/pkg/zetaconnectornative.sol/zetaconnectornative.go Constructor parameters renamed for clarity; removed redundant tssAddress functions.
v2/src/evm/ERC20Custody.sol Changed gateway to immutable; removed tssAddress as a public variable, improving security.
v2/src/evm/GatewayEVM.sol Implemented nonReentrant modifier for security; updated parameter names for clarity; improved robustness.
v2/typechain-types/* Consolidated parameter naming conventions across various TypeScript interfaces; removed unused tssAddress references.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GatewayEVM
    participant ZetaConnector
    User->>GatewayEVM: initialize(tssAddress_, zetaToken_, admin_)
    GatewayEVM->>ZetaConnector: setConnector(zetaConnector_)
    User->>ZetaConnector: deposit(receiver)
    ZetaConnector->>User: Transaction Successful

🐰 In the meadow, hops a bright-eyed hare,
With changes afoot, he dances with flair.
Parameters are neat, functions refined,
A clearer path for all who are kind.
Hooray for the code, now tidy and bright,
A world of smart contracts, all set for flight! ✨

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share - [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai) - [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai) - [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai) - [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)
Tips ### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit .` - `Generate unit testing code for this file.` - `Open a follow-up GitHub issue for this discussion.` - Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples: - `@coderabbitai generate unit testing code for this file.` - `@coderabbitai modularize this function.` - PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples: - `@coderabbitai generate interesting stats about this repository and render them as a table.` - `@coderabbitai show all the console.log statements in this repository.` - `@coderabbitai read src/utils.ts and generate unit testing code.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.` - `@coderabbitai help me debug CodeRabbit configuration file.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. ### CodeRabbit Commands (invoked as PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger an incremental review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai full review` to do a full review from scratch and review all the files again. - `@coderabbitai summary` to regenerate the summary of the PR. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai configuration` to show the current CodeRabbit configuration for the repository. - `@coderabbitai help` to get help. Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. ### CodeRabbit Configuration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - Please see the [configuration documentation](https://docs.coderabbit.ai/guides/configure-coderabbit) for more information. - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json` ### Documentation and Community - Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit. - Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback. - Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
gitguardian[bot] commented 1 month ago

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | | | -------------- | ------------------ | ------------------------------ | ---------------- | --------------- | -------------------- | | [13159201](https://dashboard.gitguardian.com/workspace/353073/incidents/13159201?occurrence=161364859) | Triggered | Alchemy API Key | 72e1200b897a15b73f00b30d7e1a0ba6265a7311 | v2/lib/forge-std/src/StdChains.sol | [View secret](https://github.com/zeta-chain/protocol-contracts/commit/72e1200b897a15b73f00b30d7e1a0ba6265a7311#diff-a4c9aba16bc3e1c696addb587fb1e4ee100845fbc095388710ec6b5a2c18c092R200) | | [13159201](https://dashboard.gitguardian.com/workspace/353073/incidents/13159201?occurrence=161364864) | Triggered | Alchemy API Key | 8fafcbd3f8841472be558a9b250d94061f16e514 | v2/lib/forge-std/src/StdChains.sol | [View secret](https://github.com/zeta-chain/protocol-contracts/commit/8fafcbd3f8841472be558a9b250d94061f16e514#diff-a4c9aba16bc3e1c696addb587fb1e4ee100845fbc095388710ec6b5a2c18c092L200) |
🛠 Guidelines to remediate hardcoded secrets
1. Understand the implications of revoking this secret by investigating where it is used in your code. 2. Replace and store your secret safely. [Learn here](https://blog.gitguardian.com/secrets-api-management) the best practices. 3. Revoke and [rotate this secret](https://docs.gitguardian.com/secrets-detection/detectors/specifics/private_key_openssh#revoke-the-secret). 4. If possible, [rewrite git history](https://blog.gitguardian.com/rewriting-git-history-cheatsheet). Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data. To avoid such incidents in the future consider - following these [best practices](https://blog.gitguardian.com/secrets-api-management/) for managing and storing secrets including API keys and other credentials - install [secret detection on pre-commit](https://https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit) to catch secret before it leaves your machine and ease remediation.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

codecov-commenter commented 1 month ago

Codecov Report

Attention: Patch coverage is 31.70732% with 28 lines in your changes missing coverage. Please review.

Project coverage is 53.39%. Comparing base (8389089) to head (5bee684).

Files Patch % Lines
v2/src/evm/GatewayEVM.sol 55.55% 8 Missing :warning:
v2/src/evm/ZetaConnectorBase.sol 0.00% 6 Missing :warning:
v2/src/evm/ERC20Custody.sol 0.00% 5 Missing :warning:
v2/src/zevm/GatewayZEVM.sol 42.85% 4 Missing :warning:
v2/src/zevm/ZRC20.sol 0.00% 3 Missing :warning:
v2/src/evm/ZetaConnectorNonNative.sol 0.00% 2 Missing :warning:
Additional details and impacted files ```diff @@ Coverage Diff @@ ## main #286 +/- ## ========================================== - Coverage 54.46% 53.39% -1.07% ========================================== Files 16 16 Lines 426 427 +1 Branches 102 111 +9 ========================================== - Hits 232 228 -4 - Misses 191 196 +5 Partials 3 3 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.