valory-xyz · 77ph · Mar 12, 2025 · Mar 12, 2025
diff --git a/audits/internal6/README.md b/audits/internal6/README.md
@@ -15,7 +15,7 @@ Generated png file audits/internal6/Tokenomics.png
 From the point of view of auditing a proxy contract, only storage are important: Tokenomics. <br>
 [Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal6/analysis/storage/Tokenomics.png) - 17 slots <br>
 Current contract storage
-[Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4/analysis2/storage/Tokenomics.png) - 17 slots <br>
+[Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4/analysis2/storage/Tokenomics-1.3.1.png) - 17 slots <br>
 OK.
 
 ### Security issues.
@@ -54,3 +54,27 @@ inflationPerSecond = uint96(curInflationPerSecond);
 ```
 [x] Fixed
 
+# Update 12.03.25
+The review has been performed based on the contract code in the following repository:<br>
+`https://github.com/valory-xyz/autonolas-tokenomics` <br>
+commit: `4ee649f9355eae5a42105dbc7ea066364db5ddf9` or `tag: v1.3.2-pre-internal-audit`<br>
+
+### Storage and proxy
+Using sol2uml tools: https://github.com/naddison36/sol2uml <br>
+```bash
+sol2uml storage contracts/ -f png -c Tokenomics -o audits/internal6/
+Generated png file audits/internal6/Tokenomics.png
+```
+From the point of view of auditing a proxy contract, only storage are important: Tokenomics. <br>
+[Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal6/analysis/storage/Tokenomics.png) - 17 slots <br>
+Current contract storage
+[Tokenomics-storage](https://github.com/valory-xyz/autonolas-tokenomics/blob/main/audits/internal4/analysis2/storage/Tokenomics-1.3.2.png) - 17 slots <br>
+```
+md5sum Tokenomics-1.3.1.png Tokenomics-1.3.2.png 
+dba13629f9483a95d8d537fddc38214c  Tokenomics-1.3.1.png
+dba13629f9483a95d8d537fddc38214c  Tokenomics-1.3.2.png
+```
+OK.
+
+### Security issues.
+No issue
diff --git a/audits/internal6/Tokenomics.png → audits/internal6/Tokenomics-1.3.1.png b/audits/internal6/Tokenomics.png → audits/internal6/Tokenomics-1.3.1.png
diff --git a/audits/internal6/Tokenomics-1.3.2.png b/audits/internal6/Tokenomics-1.3.2.png
diff --git a/contracts/interfaces/IUniswapV2Pair.sol b/contracts/interfaces/IUniswapV2Pair.sol

 // Uniswap related interface
 interface IUniswapV2Pair {
    function totalSupply() external view returns (uint);
    function token0() external view returns (address);
    function token1() external view returns (address);
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
diff --git a/contracts/Depository.sol b/contracts/Depository.sol
    uint32 public productCounter;

    // OLAS token address
    address public immutable olas;
    // Tkenomics contract address
    address public tokenomics;
    // Treasury contract address
diff --git a/contracts/Dispenser.sol b/contracts/Dispenser.sol

    // Maximum chain Id as per EVM specs
    uint256 public constant MAX_EVM_CHAIN_ID = type(uint64).max / 2 - 36;
    uint256 public immutable defaultMinStakingWeight;
    uint256 public immutable defaultMaxStakingIncentive;
    // OLAS token address
    address public immutable olas;
    // Retainer address in bytes32 form
    bytes32 public immutable retainer;
    // Retainer hash of a Nominee struct composed of retainer address with block.chainid
    bytes32 public immutable retainerHash;

    // Max number of epochs to claim staking incentives for
    uint256 public maxNumClaimingEpochs;
diff --git a/contracts/GenericBondCalculator.sol b/contracts/GenericBondCalculator.sol
 pragma solidity ^0.8.18;

 import {mulDiv} from "@prb/math/src/Common.sol";
 import "./interfaces/ITokenomics.sol";
 import "./interfaces/IUniswapV2Pair.sol";

 /// @dev Value overflow.
 /// @param provided Overflow value.
 /// @author Aleksandr Kuperman - <aleksandr.kuperman@valory.xyz>
 contract GenericBondCalculator {
    // OLAS contract address
    address public immutable olas;
    // Tokenomics contract address
    address public immutable tokenomics;

diff --git a/deploy/contracts.js b/deploy/contracts.js
 /*global ethers*/

 const { expect } = require("chai");

 module.exports = async () => {
    const signers = await ethers.getSigners();
    const deployer = signers[0];

    // Writing the JSON with the initial deployment data
    let initDeployJSON = {
diff --git a/scripts/deployment/staking/arbitrum/bridge_new_token.js b/scripts/deployment/staking/arbitrum/bridge_new_token.js
 /*global process*/

 const { ethers } = require("hardhat");
 const { L1ERC20Gateway } = require("@arbitrum/sdk/dist/lib/abi/L1ERC20Gateway");
 const { L2ERC20Gateway } = require("@arbitrum/sdk/dist/lib/abi/L2ERC20Gateway");
 const { L1ToL2MessageGasEstimator } = require("@arbitrum/sdk/dist/lib/message/L1ToL2MessageGasEstimator");
 const { Erc20Bridger, getL2Network } = require("@arbitrum/sdk");
 const { getBaseFee } = require("@arbitrum/sdk/dist/lib/utils/lib");

 const main = async () => {
    // Setting up providers and wallets
diff --git a/scripts/deployment/staking/arbitrum/deploy_21_change_owner.js b/scripts/deployment/staking/arbitrum/deploy_21_change_owner.js
    let parsedData = JSON.parse(dataFromJSON);
    const useLedger = parsedData.useLedger;
    const derivationPath = parsedData.derivationPath;
    const providerName = parsedData.providerName;
    const arbitrumTargetDispenserL2Address = parsedData.arbitrumTargetDispenserL2Address;
    const bridgeMediatorAddress = parsedData.bridgeMediatorAddress;

diff --git a/scripts/deployment/staking/arbitrum/send_tokens_and_message.js b/scripts/deployment/staking/arbitrum/send_tokens_and_message.js
    // Use l2Network to create an Arbitrum SDK EthBridger instance
    // We'll use EthBridger to retrieve the Inbox address
    const l2Network = await getL2Network(arbitrumSepoliaProvider);
    const ethBridger = new EthBridger(l2Network);

    // Query the required gas params using the estimateAll method in Arbitrum SDK
    const l1ToL2MessageGasEstimate = new L1ToL2MessageGasEstimator(arbitrumSepoliaProvider);
diff --git a/scripts/deployment/staking/base/deploy_71_change_owner.js b/scripts/deployment/staking/base/deploy_71_change_owner.js
    let parsedData = JSON.parse(dataFromJSON);
    const useLedger = parsedData.useLedger;
    const derivationPath = parsedData.derivationPath;
    const providerName = parsedData.providerName;
    const baseTargetDispenserL2Address = parsedData.baseTargetDispenserL2Address;
    const bridgeMediatorAddress = parsedData.bridgeMediatorAddress;

diff --git a/scripts/deployment/staking/celo/deploy_051_change_owner.js b/scripts/deployment/staking/celo/deploy_051_change_owner.js
    let parsedData = JSON.parse(dataFromJSON);
    const useLedger = parsedData.useLedger;
    const derivationPath = parsedData.derivationPath;
    const providerName = parsedData.providerName;
    const celoTargetDispenserL2Address = parsedData.celoTargetDispenserL2Address;
    const bridgeMediatorAddress = parsedData.bridgeMediatorAddress;

	// Uniswap related interface
	interface IUniswapV2Pair {
	function totalSupply() external view returns (uint);
Check warning on line 6 in contracts/interfaces/IUniswapV2Pair.sol GitHub Actions / build `Rule is set with explicit type [var/s: uint]`
	function token0() external view returns (address);
	function token1() external view returns (address);
	function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
	uint32 public productCounter;

	// OLAS token address
	address public immutable olas;
Check warning on line 89 in contracts/Depository.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	// Tkenomics contract address
	address public tokenomics;
	// Treasury contract address

	// Maximum chain Id as per EVM specs
	uint256 public constant MAX_EVM_CHAIN_ID = type(uint64).max / 2 - 36;
	uint256 public immutable defaultMinStakingWeight;
Check warning on line 285 in contracts/Dispenser.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	uint256 public immutable defaultMaxStakingIncentive;
Check warning on line 286 in contracts/Dispenser.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	// OLAS token address
	address public immutable olas;
Check warning on line 288 in contracts/Dispenser.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	// Retainer address in bytes32 form
	bytes32 public immutable retainer;
Check warning on line 290 in contracts/Dispenser.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	// Retainer hash of a Nominee struct composed of retainer address with block.chainid
	bytes32 public immutable retainerHash;
Check warning on line 292 in contracts/Dispenser.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`

	// Max number of epochs to claim staking incentives for
	uint256 public maxNumClaimingEpochs;
	pragma solidity ^0.8.18;

	import {mulDiv} from "@prb/math/src/Common.sol";
	import "./interfaces/ITokenomics.sol";
Check warning on line 5 in contracts/GenericBondCalculator.sol GitHub Actions / build `global import of path ./interfaces/ITokenomics.sol is not allowed. Specify names to import individually or bind all exports of the module into a name (import "path" as Name)`
	import "./interfaces/IUniswapV2Pair.sol";
Check warning on line 6 in contracts/GenericBondCalculator.sol GitHub Actions / build `global import of path ./interfaces/IUniswapV2Pair.sol is not allowed. Specify names to import individually or bind all exports of the module into a name (import "path" as Name)`

	/// @dev Value overflow.
	/// @param provided Overflow value.
	/// @author Aleksandr Kuperman - <aleksandr.kuperman@valory.xyz>
	contract GenericBondCalculator {
	// OLAS contract address
	address public immutable olas;
Check warning on line 22 in contracts/GenericBondCalculator.sol GitHub Actions / build `Immutable variables name are set to be in capitalized SNAKE_CASE`
	// Tokenomics contract address
	address public immutable tokenomics;
	/global ethers/

	const { expect } = require("chai");
Check warning on line 3 in deploy/contracts.js GitHub Actions / build `'expect' is assigned a value but never used`

	module.exports = async () => {
	const signers = await ethers.getSigners();
	const deployer = signers[0];
Check warning on line 7 in deploy/contracts.js GitHub Actions / build `'deployer' is assigned a value but never used`

	// Writing the JSON with the initial deployment data
	let initDeployJSON = {
	/global process/

	const { ethers } = require("hardhat");
	const { L1ERC20Gateway } = require("@arbitrum/sdk/dist/lib/abi/L1ERC20Gateway");
Check warning on line 4 in scripts/deployment/staking/arbitrum/bridge_new_token.js GitHub Actions / build `'L1ERC20Gateway' is assigned a value but never used`
	const { L2ERC20Gateway } = require("@arbitrum/sdk/dist/lib/abi/L2ERC20Gateway");
Check warning on line 5 in scripts/deployment/staking/arbitrum/bridge_new_token.js GitHub Actions / build `'L2ERC20Gateway' is assigned a value but never used`
	const { L1ToL2MessageGasEstimator } = require("@arbitrum/sdk/dist/lib/message/L1ToL2MessageGasEstimator");
Check warning on line 6 in scripts/deployment/staking/arbitrum/bridge_new_token.js GitHub Actions / build `'L1ToL2MessageGasEstimator' is assigned a value but never used`
	const { Erc20Bridger, getL2Network } = require("@arbitrum/sdk");
	const { getBaseFee } = require("@arbitrum/sdk/dist/lib/utils/lib");
Check warning on line 8 in scripts/deployment/staking/arbitrum/bridge_new_token.js GitHub Actions / build `'getBaseFee' is assigned a value but never used`

	const main = async () => {
	// Setting up providers and wallets
	let parsedData = JSON.parse(dataFromJSON);
	const useLedger = parsedData.useLedger;
	const derivationPath = parsedData.derivationPath;
	const providerName = parsedData.providerName;
Check warning on line 13 in scripts/deployment/staking/arbitrum/deploy_21_change_owner.js GitHub Actions / build `'providerName' is assigned a value but never used`
	const arbitrumTargetDispenserL2Address = parsedData.arbitrumTargetDispenserL2Address;
	const bridgeMediatorAddress = parsedData.bridgeMediatorAddress;
	// Use l2Network to create an Arbitrum SDK EthBridger instance
	// We'll use EthBridger to retrieve the Inbox address
	const l2Network = await getL2Network(arbitrumSepoliaProvider);
	const ethBridger = new EthBridger(l2Network);
Check warning on line 40 in scripts/deployment/staking/arbitrum/send_tokens_and_message.js GitHub Actions / build `'ethBridger' is assigned a value but never used`

	// Query the required gas params using the estimateAll method in Arbitrum SDK
	const l1ToL2MessageGasEstimate = new L1ToL2MessageGasEstimator(arbitrumSepoliaProvider);