doc: internal audit 0.4.1

.gitleaksignore

@@ -63,3 +63,6 @@ c57df5039fd4af8690d29223479c36d2942dd91c:scripts/deployment/globals_gnosis_mainn
 cf6cd64b418ace3c970d6029924ebb6dda9eec69:scripts/deployment/globals_gnosis_mainnet.json:generic-api-key:1
 b43071abd7ec99b44cda56279b0df8f0c2eb617e:scripts/deployment/globals_base_mainnet_test.json:generic-api-key:1
 cc8e19cb3e80831b83e808ce99c7663c829f4476:scripts/deployment/globals_base_mainnet_test.json:generic-api-key:1
+9065b44d1180873f40f916178f7488d38ae092f7:scripts/deployment/globals_base_mainnet_test.json:generic-api-key:1
+62b20a62c6fbdabebc1566ad871cc1e9aa0b0b37:scripts/deployment/globals_base_mainnet_test.json:generic-api-key:1
+fc12c6214c593ed2ae5f4ff4295bc4622e814872:scripts/deployment/globals_base_mainnet_test.json:generic-api-key:1

audit/README.md

@@ -8,6 +8,7 @@ An internal audit with a focus on updated marketplace contracts is located in th
 An internal audit with a focus on re-design marketplace contracts is located in this folder: [internal audit 3](https://github.com/valory-xyz/ai-registry-mech/blob/main/audits/internal3). <br>
 An internal audit with a focus on latest re-design marketplace contracts is located in this folder: [internal audit 4](https://github.com/valory-xyz/ai-registry-mech/blob/main/audits/internal4). <br>
 An internal audit with a focus on latest re-design ref:nmv marketplace contracts is located in this folder: [internal audit 5](https://github.com/valory-xyz/ai-registry-mech/blob/main/audits/internal5). <br>
+An internal audit with a focus on token-usdc ref:nmv marketplace contracts is located in this folder: [internal audit 6](https://github.com/valory-xyz/ai-registry-mech/blob/main/audits/internal6). <br>
 
 
 ### External audits

audit/internal6/README.md

@@ -0,0 +1,47 @@
+# Internal audit of ai-registry-mech
+The review has been performed based on the contract code in the following repository:<br>
+`https://github.com/valory-xyz/ai-registry-mech` <br>
+commit: c72195a6be5bbefcfa40af87f2e1c1bfed2fa9e7 (tag: v0.4.1-pre-internal-audit) <br> 
+
+## Objectives
+The audit focused on NVM-usdc marketplace contracts in this repo. <br>
+Limits: The subject of the audit is not contracts used as library contracts. Thus, this audit is not a full-fledged audit of contracts underlying the contract ERC721Mech. <br>
+
+
+## Coverage
+```
+------------------------------------------|----------|----------|----------|----------|----------------|
+File                                      |  % Stmts | % Branch |  % Funcs |  % Lines |Uncovered Lines |
+------------------------------------------|----------|----------|----------|----------|----------------|
+  contracts/mechs/nevermined_token/        |    94.12 |     87.5 |    57.14 |    85.71 |                |
+  BalanceTrackerNvmSubscriptionToken.sol  |    94.12 |     87.5 |    57.14 |    85.71 |... 122,160,166 |
+ contracts/mechs/nevermined_token/usdc/   |      100 |      100 |      100 |      100 |                |
+  MechFactoryNvmSubscriptionTokenUSDC.sol |      100 |      100 |      100 |      100 |                |
+  MechNvmSubscriptionTokenUSDC.sol        |      100 |      100 |      100 |      100 |                |
+
+```
+insufficient testing coverage
+[]
+
+### Security issues. 
+#### Notes
+```
+Does different decimals in ERC20 affect it somehow? I don't think so, and everything is calculated and compared in raw values. For discussion.
+        // Convert mech credits balance into tokens
+        balance = (balance * tokenCreditRatio) / 1e18;
+        mapMechBalances[mech] = balance;
+
+        // Check current contract balance
+        uint256 trackerBalance = IERC20(token).balanceOf(address(this));
+        if (balance > trackerBalance) {
+            revert Overflow(balance, trackerBalance);
+        }
+```
+[x] Discussed, not an issue
+
+
+
+
+
+
+

scripts/deployment/deploy_03_mech_marketplace.js

@@ -1,4 +1,4 @@
-/*global process*/
+/*global process, hre*/
 
 const { ethers } = require("hardhat");
 const { LedgerSigner } = require("@anders-t/ethers-ledger");
@@ -66,8 +66,10 @@ async function main() {
 
     // Contract verification
     if (parsedData.contractVerification) {
-        const execSync = require("child_process").execSync;
-        execSync("npx hardhat verify --constructor-args scripts/deployment/verify_03_mech_marketplace.js --network " + providerName + " " + mechMarketplace.address, { encoding: "utf-8" });
+        await hre.run("verify:verify", {
+            address: mechMarketplace.address,
+            constructorArguments: [serviceRegistryAddress, karmaProxyAddress]
+        });
     }
 }
 

scripts/deployment/deploy_04_mech_marketplace_proxy.js

@@ -1,4 +1,4 @@
-/*global process*/
+/*global process, hre*/
 
 const { ethers } = require("hardhat");
 const { LedgerSigner } = require("@anders-t/ethers-ledger");
@@ -73,8 +73,10 @@ async function main() {
 
     // Contract verification
     if (parsedData.contractVerification) {
-        const execSync = require("child_process").execSync;
-        execSync("npx hardhat verify --constructor-args scripts/deployment/verify_04_mech_marketplace_proxy.js --network " + providerName + " " + mechMarketplaceProxy.address, { encoding: "utf-8" });
+        await hre.run("verify:verify", {
+            address: mechMarketplaceProxy.address,
+            constructorArguments: [mechMarketplaceAddress, proxyPayload]
+        });
     }
 }
 

scripts/deployment/deploy_19_marketplace_set_factories_nvm_subscription_token_usdc.js

@@ -0,0 +1,67 @@
+/*global process*/
+
+const { ethers } = require("hardhat");
+const { LedgerSigner } = require("@anders-t/ethers-ledger");
+
+async function main() {
+    const fs = require("fs");
+    const globalsFile = "globals.json";
+    const dataFromJSON = fs.readFileSync(globalsFile, "utf8");
+    let parsedData = JSON.parse(dataFromJSON);
+    const useLedger = parsedData.useLedger;
+    const derivationPath = parsedData.derivationPath;
+    const providerName = parsedData.providerName;
+    const gasPriceInGwei = parsedData.gasPriceInGwei;
+    const mechMarketplaceProxyAddress = parsedData.mechMarketplaceProxyAddress;
+    const mechFactoryNvmSubscriptionTokenUSDCAddress = parsedData.mechFactoryNvmSubscriptionTokenUSDCAddress;
+
+    let networkURL = parsedData.networkURL;
+    if (providerName === "polygon") {
+        if (!process.env.ALCHEMY_API_KEY_MATIC) {
+            console.log("set ALCHEMY_API_KEY_MATIC env variable");
+        }
+        networkURL += process.env.ALCHEMY_API_KEY_MATIC;
+    } else if (providerName === "polygonMumbai") {
+        if (!process.env.ALCHEMY_API_KEY_MUMBAI) {
+            console.log("set ALCHEMY_API_KEY_MUMBAI env variable");
+            return;
+        }
+        networkURL += process.env.ALCHEMY_API_KEY_MUMBAI;
+    }
+
+    const provider = new ethers.providers.JsonRpcProvider(networkURL);
+    const signers = await ethers.getSigners();
+
+    let EOA;
+    if (useLedger) {
+        EOA = new LedgerSigner(provider, derivationPath);
+    } else {
+        EOA = signers[0];
+    }
+    // EOA address
+    const deployer = await EOA.getAddress();
+    console.log("EOA is:", deployer);
+
+    // Get the contract instance
+    const mechMarketplace = await ethers.getContractAt("MechMarketplace", mechMarketplaceProxyAddress);
+
+    // Transaction signing and execution
+    console.log("19. EOA to set Mech factories");
+    console.log("You are signing the following transaction: MechMarketplaceProxy.connect(EOA).setMechFactoryStatuses()");
+    const gasPrice = ethers.utils.parseUnits(gasPriceInGwei, "gwei");
+    const result = await mechMarketplace.connect(EOA).setMechFactoryStatuses(
+        [mechFactoryNvmSubscriptionTokenUSDCAddress], [true], { gasPrice }
+    );
+
+    // Transaction details
+    console.log("Contract deployment: MechMarketplaceProxy");
+    console.log("Contract address:", mechMarketplace.address);
+    console.log("Transaction:", result.hash);
+}
+
+main()
+    .then(() => process.exit(0))
+    .catch((error) => {
+        console.error(error);
+        process.exit(1);
+    });

scripts/deployment/deploy_19_marketplace_set_balance_tracker_nevermined_token_usdc.js → scripts/deployment/deploy_20_marketplace_set_balance_tracker_nvm_token_usdc.js

@@ -46,8 +46,8 @@ async function main() {
     const mechMarketplace = await ethers.getContractAt("MechMarketplace", mechMarketplaceProxyAddress);
 
     // Transaction signing and execution
-    console.log("19. EOA to set Balance tracker NVM subscription token USDC");
-    console.log("You are signing the following transaction: MechMarketplaceProxy.connect(EOA).setMechFactoryStatuses()");
+    console.log("20. EOA to set Balance tracker NVM subscription token USDC");
+    console.log("You are signing the following transaction: MechMarketplaceProxy.connect(EOA).setPaymentTypeBalanceTrackers()");
     const gasPrice = ethers.utils.parseUnits(gasPriceInGwei, "gwei");
     const result = await mechMarketplace.connect(EOA).setPaymentTypeBalanceTrackers(
         ["0x0d6fd99afa9c4c580fab5e341922c2a5c4b61d880da60506193d7bf88944dd14"],

scripts/deployment/deploy_20_balance_tracker_nvm_subscription_token_usdc_set.js → scripts/deployment/deploy_21_balance_tracker_nvm_subscription_token_usdc_set.js

@@ -45,17 +45,17 @@ async function main() {
     console.log("EOA is:", deployer);
 
     // Get the contract instance
-    const balanceTrackerNvmSubscription = await ethers.getContractAt("BalanceTrackerNvmSubscriptionNative", balanceTrackerNvmSubscriptionTokenAddress);
+    const balanceTrackerNvmSubscription = await ethers.getContractAt("BalanceTrackerNvmSubscriptionToken", balanceTrackerNvmSubscriptionTokenAddress);
 
     // Transaction signing and execution
-    console.log("14. EOA to set Balance trackers NVM subscription");
-    console.log("You are signing the following transaction: BalanceTrackerNvmSubscriptionNative.connect(EOA).setSubscription()");
+    console.log("21. EOA to set Balance trackers NVM subscription Token");
+    console.log("You are signing the following transaction: BalanceTrackerNvmSubscriptionToken.connect(EOA).setSubscription()");
     const gasPrice = ethers.utils.parseUnits(gasPriceInGwei, "gwei");
     const result = await balanceTrackerNvmSubscription.connect(EOA).setSubscription(subscriptionNFTAddress,
         subscriptionTokenIdUSDC, tokenCreditRatio, { gasPrice });
 
     // Transaction details
-    console.log("Contract deployment: BalanceTrackerNvmSubscriptionNative");
+    console.log("Contract deployment: BalanceTrackerNvmSubscriptionToken");
     console.log("Contract address:", balanceTrackerNvmSubscription.address);
     console.log("Transaction:", result.hash);
 }

scripts/deployment/e_verify_olas_mech.js

@@ -0,0 +1,33 @@
+/*global process, hre*/
+
+async function main() {
+    const fs = require("fs");
+    const globalsFile = "globals.json";
+    const dataFromJSON = fs.readFileSync(globalsFile, "utf8");
+    let parsedData = JSON.parse(dataFromJSON);
+
+    const provider = new hre.ethers.providers.JsonRpcProvider(parsedData.networkURL);
+    const signers = await hre.ethers.getSigners();
+
+    const deployer = signers[0];
+    console.log("Deployer is:", deployer.address);
+
+    const mechAddress = "";
+    const mech = await hre.ethers.getContractAt("MechFixedPriceNative", mechAddress);
+    const mechMarketplaceAddress = await mech.mechMarketplace();
+    const serviceRegistryAddress = await mech.serviceRegistry();
+    const serviceId = await mech.tokenId();
+    const maxDeliveryRate = await mech.maxDeliveryRate();
+    await hre.run("verify:verify", {
+        address: mechAddress,
+        constructorArguments: [mechMarketplaceAddress, serviceRegistryAddress, serviceId, maxDeliveryRate],
+    });
+}
+
+main()
+    .then(() => process.exit(0))
+    .catch((error) => {
+        console.error(error);
+        process.exit(1);
+    });
+

scripts/deployment/globals_base_mainnet_test.json

@@ -1 +1 @@
-{"contractVerification":true,"useLedger":false,"derivationPath":"m/44'/60'/2'/0/0","providerName":"base","networkURL":"https://mainnet.base.org","gasPriceInGwei":"0.002","bridgeMediatorAddress":"0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA","serviceRegistryAddress":"0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE","karmaAddress":"0x94676070018ff7D09BC32DAc6bb01Ae67282b8E8","karmaProxyAddress":"0x6f7661F52fE1919996d0A4F68D09B344093a349d","fee":"100","minResponseTimeout":"60","maxResponseTimeout":"300","mechMarketplaceAddress":"0xd6AA4Ec948d84f6Db8EEf25104CeE0Ecd280C74e","mechMarketplaceProxyAddress":"0x95dA0F8C3eC5D40209f0EF1ED5E61deD28307d8d","mechFactoryNvmSubscriptionNativeAddress":"0x4cEB52802ef86edF8796632546d89e55c87a0901","drainerAddress":"0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA","wrappedNativeTokenAddress":"0x4200000000000000000000000000000000000006","tokenCreditRatio":"990000000000000000","balanceTrackerNvmSubscriptionNativeAddress":"0xaC26774616bbeD41b0CB69EA2ae7de366F430b23","mechFactoryFixedPriceNativeAddress":"0x0338893fB1A1D9Df03F72CC53D8f786487d3D03E","mechFactoryFixedPriceTokenAddress":"0x1d333b46dB6e8FFd271b6C2D2B254868BD9A2dbd","balanceTrackerFixedPriceNativeAddress":"0x6d9b08701Af43D68D991c074A27E4d90Af7f2276","balanceTrackerFixedPriceTokenAddress":"0x3c3007a2e4ba7f73C764F69f6D6C1983D9EB6B26","subscriptionNFTAddress":"0xd5318d1a17819f65771b6c9277534c08dd765498","subscriptionTokenId":"0x635b227e2fffa750c1914009b33462e9c24b18a167dfe6c972ea5d17ed104a59","usdcAddress":"0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913","mechFactoryNvmSubscriptionTokenUSDCAddress":"0x9385d4E53c72a858C451D41f58Fcb8C070bDd18A","balanceTrackerNvmSubscriptionTokenAddress":"0xd64Cf67500b7d15A41E02DDeb40F3A73CB533eB5","subscriptionTokenIdUSDC":"0x122541dc74587bf519d2a7bd2d3f018596329a08b0f7b2edbbdd179189ec117f"}
+{"contractVerification":true,"useLedger":false,"derivationPath":"m/44'/60'/2'/0/0","providerName":"base","networkURL":"https://mainnet.base.org","gasPriceInGwei":"0.003","bridgeMediatorAddress":"0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA","serviceRegistryAddress":"0x3C1fF68f5aa342D296d4DEe4Bb1cACCA912D95fE","karmaAddress":"0x94676070018ff7D09BC32DAc6bb01Ae67282b8E8","karmaProxyAddress":"0x6f7661F52fE1919996d0A4F68D09B344093a349d","fee":"100","minResponseTimeout":"60","maxResponseTimeout":"300","mechMarketplaceAddress":"0x1570b1F3A32006e4bA3E321E745916e92EFbB026","mechMarketplaceProxyAddress":"0x5FDc466f4A7547c876eF40CD30fFA2A89F1EcDE7","mechFactoryNvmSubscriptionNativeAddress":"0x4cEB52802ef86edF8796632546d89e55c87a0901","drainerAddress":"0xE49CB081e8d96920C38aA7AB90cb0294ab4Bc8EA","wrappedNativeTokenAddress":"0x4200000000000000000000000000000000000006","tokenCreditRatio":"990000000000000000","balanceTrackerNvmSubscriptionNativeAddress":"0xaC26774616bbeD41b0CB69EA2ae7de366F430b23","mechFactoryFixedPriceNativeAddress":"0x0338893fB1A1D9Df03F72CC53D8f786487d3D03E","mechFactoryFixedPriceTokenAddress":"0x1d333b46dB6e8FFd271b6C2D2B254868BD9A2dbd","balanceTrackerFixedPriceNativeAddress":"0x6d9b08701Af43D68D991c074A27E4d90Af7f2276","balanceTrackerFixedPriceTokenAddress":"0x3c3007a2e4ba7f73C764F69f6D6C1983D9EB6B26","subscriptionNFTAddress":"0xd5318d1a17819f65771b6c9277534c08dd765498","subscriptionTokenId":"0x635b227e2fffa750c1914009b33462e9c24b18a167dfe6c972ea5d17ed104a59","usdcAddress":"0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913","mechFactoryNvmSubscriptionTokenUSDCAddress":"0x7ED124AF35f5e12318C898ba35b63863908e1eB8","balanceTrackerNvmSubscriptionTokenAddress":"0xc53B500b4d8FcC6865ec91b977651eec045ad8D1","subscriptionTokenIdUSDC":"0x8ef4e097f4e4b9a77dfc2d311e827fb94d15328e6631a348e25a07e3748eb542"}