Skip to content

Horizon: post audit changes - no solidity! #1116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 85 commits into
base: horizon-oz2/l05-provision-params
Choose a base branch
from
Open

Horizon: post audit changes - no solidity! #1116

wants to merge 85 commits into from

Conversation

tmigone
Copy link
Member

@tmigone tmigone commented Feb 21, 2025

No description provided.

Maikol
Maikol approved these changes Feb 21, 2025
View reviewed changes
Copy link
Member

@Maikol Maikol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙌

@tmigone tmigone force-pushed the tmigone/horizon-post-oz-audit2 branch from 59e8453 to 53342dc Compare February 21, 2025 19:06
@openzeppelin-code OpenZeppelin Code
Copy link

openzeppelin-code bot commented Feb 24, 2025
edited
Loading

Horizon: post audit changes - no solidity!

Generated at commit: 17adaa7f918609323298aeb777e4ad37474a7fdc

🚨 Report Summary

Severity Level Results
Contracts Critical
High
Medium
Low
Note
Total		 2
4
0
15
38
59
Dependencies Critical
High
Medium
Low
Note
Total		 0
0
0
0
0
0

For more details view the full report in OpenZeppelin Code Inspector

@tmigone tmigone force-pushed the tmigone/horizon-post-oz-audit2 branch 2 times, most recently from e89a892 to 40e8d27 Compare February 25, 2025 20:20
tmigone added 13 commits March 25, 2025 14:25
@tmigone
fix: ensure invalid thaw requests are ignored by getThawedTokens (OZ …
3881b28 
…L-01)

Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: document possible temporary thaw requests blockage when thawing …
2853137 
…period is shortened (OZ L-02)

Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: prevent provision validity grief attack (OZ L-03)
c25cc25 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: remove redundant code (OZ N-01)
89dee66 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: only check conditions for param that is changing when changing p…
2787a52 
…rovision params (OZ L-05)

Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: afuera hardhat-storage-layout
f71ecbe 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: silence lint ignored file warnings
38caf38 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
feat: add deployment test boilerplate and one example
00e181f 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
feat: add deployment tests
02ec0ac 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
feat: deployment tests
596c7c0 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: gitignore
60ed29f 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
test: add tests to ensure subgraph service contracts are owned by the…
6e59d7e 
… governor

Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: only run unit tests with yarn test
a296df7 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone tmigone force-pushed the tmigone/horizon-post-oz-audit2 branch from 40e8d27 to a296df7 Compare April 1, 2025 12:38
@tmigone tmigone changed the base branch from horizon to horizon-oz2/l05-provision-params April 1, 2025 12:38
@socket-security Socket Security
Copy link

socket-security bot commented Apr 1, 2025
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Warn Critical
[email protected] has a Critical CVE.

CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL)

Affected versions: < 7.23.2

Patched version: No patched versions

Source

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

tmigone and others added 29 commits April 11, 2025 12:31
@tmigone
chore: final touches to toolshed v1
663c3f6 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: deprecate sdk
4d87fb4 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: remove sdk
23e3838 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
Merge pull request #1137 from graphprotocol/tmigone/pnpm
fff226b
@tmigone
Merge pull request #1139 from graphprotocol/tmigone/toolshed
0f00bb1
@tmigone
chore: add addresses of deployed contracts to subgraph service
051520e 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: remove unused env vars
0f9690d 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
feat: auto fund test accounts on local networks
9b05de4 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: prevent mnemonic override for local network
cf9e754 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: unit scaling
835a820 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
fix: type in comment
ad5e7f4 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
feat: add legacy allo proof encoding
88b0527 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: roll back fn name change encode to generate
25624e0 
Signed-off-by: Tomás Migone <[email protected]>
@Maikol
chore: created unit test folder
67140fa
@Maikol
chore: added subgraph-service integration tests
a256776
@Maikol
chore: added integration tests for disputes
f29cd1a
@Maikol
chore: rebase and use new toolshed package
bbbe5df
@Maikol
fix: cleanup from rebase
54a09af
@Maikol
fix: delete yarn.lock
121b2fd
@Maikol
fix: remove unused lines
8452fa9
@Maikol
fix: review comments
0b6509a
@Maikol
fix: use new generate allocation helper
3e8c024
@Maikol
fix: missing generate allocation proof
f88d0c5
@Maikol
chore: set delegation cut parameters and test tokens are added to del…
06de0a0 
…egation pool when collecting
@Maikol
fix: lint
775289e
@tmigone
Merge pull request #1140 from graphprotocol/mde/subgraph-service-inte…
2ecdb21 
…gration-tests
@tmigone
chore: lint and rename a function for consistency
a84e794 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: remove duplicate poi function
78ae819 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone
chore: more renames for consistency
17adaa7 
Signed-off-by: Tomás Migone <[email protected]>
@tmigone tmigone force-pushed the horizon-oz2/l05-provision-params branch from 2787a52 to 4df5ec0 Compare April 23, 2025 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maikol Maikol Maikol approved these changes

Assignees
No one assigned
Labels
horizon
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tmigone @Maikol