Skip to content

Security fixes #492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
roisindowling merged 6 commits into from
Oct 23, 2025
Merged

Security fixes #492

roisindowling merged 6 commits into from
Oct 23, 2025

Conversation

@roisindowling
Copy link
Contributor

@roisindowling roisindowling commented Oct 23, 2025

No description provided.

@vercel
Copy link

vercel bot commented Oct 23, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
vevote-frontend-dev Ready Ready Preview Comment Oct 23, 2025 3:41pm

@socket-security
Copy link

socket-security bot commented Oct 23, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedturbo@​1.13.4 ⏵ 2.5.8100 +210086 +2198 +1100 +31
Updatedaxios@​1.8.4 ⏵ 1.12.299 +1100 +2210095100

View full report

@github-actions
Copy link

github-actions bot commented Oct 23, 2025
edited
Loading

Slither report

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results.
Summary

divide-before-multiply

Impact: Medium
Confidence: Medium

vevote/packages/contracts/contracts/governance/libraries/VeVoteQuorumLogic.sol

Lines 149 to 177 in 508a3af

function _quorum(VeVoteStorageTypes.VeVoteStorage storage self, uint48 timepoint) internal view returns (uint256) {
uint208[] memory circulatingSupplies = self.stargateNFT.getLevelsCirculatingSuppliesAtBlock(timepoint);
DataTypes.Level[] memory stargateLevels = self.stargateNFT.getLevels();
// Determine total potenial vote weigth from validators
uint256 validatorStake = VeVoteConstants.VALIDATOR_STAKED_VET_REQUIREMENT;
uint256 validatorWeight = self.levelIdMultiplier[0];
uint256 totalScaledWeight = VeVoteConstants.TOTAL_AUTHORITY_MASTER_NODES * validatorStake * validatorWeight;
// Cache number of levels
uint256 levelCount = circulatingSupplies.length;
for (uint8 i; i < levelCount; i++) {
uint256 supply = circulatingSupplies[i];
uint256 multiplier = self.levelIdMultiplier[i + 1]; // +1 to skip validator
uint256 requiredStake = stargateLevels[i].vetAmountRequiredToStake;
// supply * multiplier * requiredStake
totalScaledWeight += supply * multiplier * requiredStake;
}
// Ensure minimum staked vet to hold stargate NFT is greater than 0
uint256 minStake = VeVoteConfigurator.getMinStakedAmountAtTimepoint(self, timepoint);
// Divide by minimum stake to own stargate NFT to determine total potenial weight
uint256 totalPotentialWeight = totalScaledWeight / minStake;
// return quorom
return (totalPotentialWeight * quorumNumerator(self, timepoint)) / quorumDenominator();
}

uninitialized-local

Impact: Medium
Confidence: Medium

vevote/packages/contracts/contracts/governance/libraries/VeVoteProposalLogic.sol

Line 105 in 508a3af

VeVoteTypes.ProposalCore memory proposal;

unused-return

Impact: Medium
Confidence: Medium

vevote/packages/contracts/contracts/VeVote.sol

Lines 163 to 168 in 508a3af

function getProposalVotes(
uint256 proposalId
) external view returns (uint256 againstVotes, uint256 forVotes, uint256 abstainVotes) {
VeVoteStorageTypes.VeVoteStorage storage $ = getVeVoteStorage();
return VeVoteVoteLogic.proposalVotes($, proposalId);
}

vevote/packages/contracts/contracts/governance/libraries/VeVoteQuorumLogic.sol

Lines 113 to 124 in 508a3af

function updateQuorumNumerator(VeVoteStorageTypes.VeVoteStorage storage self, uint256 newQuorumNumerator) external {
uint256 denominator = quorumDenominator();
uint256 oldQuorumNumerator = quorumNumerator(self);
if (newQuorumNumerator > denominator) {
revert VeVoteInvalidQuorumFraction(newQuorumNumerator, denominator);
}
self.quorumNumeratorHistory.push(VeVoteClockLogic.clock(), SafeCast.toUint208(newQuorumNumerator));
emit QuorumNumeratorUpdated(oldQuorumNumerator, newQuorumNumerator);
}

vevote/packages/contracts/contracts/governance/libraries/VeVoteVoteLogic.sol

Lines 407 to 428 in 508a3af

function _determineValidatorVoteWeight(
VeVoteStorageTypes.VeVoteStorage storage self,
address voter,
address masterAddress
) private view returns (uint256 voteWeight) {
// Load validator authority contract
IAuthority validatorContract = VeVoteConfigurator.getValidatorContract(self);
// Fetch validator info
(bool isListed, address endorser, , bool isActive) = validatorContract.get(masterAddress);
// Check eligibility
if (!isListed || !isActive || endorser != voter) {
return 0;
}
// Apply level 0 multiplier
uint256 multiplier = self.levelIdMultiplier[0];
// Compute vote weight
voteWeight = VeVoteConstants.VALIDATOR_STAKED_VET_REQUIREMENT * multiplier;
}

vevote/packages/contracts/contracts/governance/libraries/VeVoteConfigurator.sol

Lines 168 to 175 in 508a3af

function setMinStakedVetAmount(VeVoteStorageTypes.VeVoteStorage storage self, uint256 newMinStake) external {
if (newMinStake == 0) revert InvalidMinimumStake();
uint256 previous = self.minStakedVetHistory.latest();
self.minStakedVetHistory.push(VeVoteClockLogic.clock(), SafeCast.toUint208(newMinStake));
emit MinStakedAmountUpdated(previous, newMinStake);
}

vevote/packages/contracts/contracts/governance/VeVoteStorage.sol

Lines 43 to 78 in 508a3af

function __VeVoteStorage_init_unchained(
VeVoteTypes.InitializationData memory initializationData
) internal onlyInitializing {
VeVoteStorageTypes.VeVoteStorage storage $ = getVeVoteStorage();
// Validate and set the governor external contracts storage
require(address(initializationData.nodeManagement) != address(0), "VeVote: NodeManagement address cannot be zero");
require(address(initializationData.stargateNFT) != address(0), "VeVote: StargateNFT address cannot be zero");
require(address(initializationData.authorityContract) != address(0), "VeVote: Authority address cannot be zero");
$.nodeManagement = initializationData.nodeManagement;
$.stargateNFT = initializationData.stargateNFT;
$.validatorContract = initializationData.authorityContract;
// Set the general storage parameters
$.minVotingDelay = initializationData.initialMinVotingDelay;
$.minVotingDuration = initializationData.initialMinVotingDuration;
$.maxVotingDuration = initializationData.initialMaxVotingDuration;
// Initialize vote normalization base (min stake)
require(initializationData.initialMinStakedAmount > 0, "VeVote: min stake must be > 0");
$.minStakedVetHistory.push(VeVoteClockLogic.clock(), SafeCast.toUint208(initializationData.initialMinStakedAmount));
// LevelId 0 is unused in Stargate, we will take advantage of this to represent Validator multiplier in VeVote. (Scaled by 100).
$.levelIdMultiplier[0] = 200; // Validator multipler
// Set the voting weight multipliers for different Stargate NFT level IDs. (Scaled by 100).
$.levelIdMultiplier[1] = 100; // Strength Node multipler
$.levelIdMultiplier[2] = 100; // Thunder Node multipler
$.levelIdMultiplier[3] = 100; // Mjolnir Node multipler
$.levelIdMultiplier[4] = 150; // VeThor X Node multipler
$.levelIdMultiplier[5] = 150; // Strength X Node multipler
$.levelIdMultiplier[6] = 150; // Thunder X Node multipler
$.levelIdMultiplier[7] = 150; // Mjolnir X Node multipler
$.levelIdMultiplier[8] = 100; // Dawn Node multipler
$.levelIdMultiplier[9] = 100; // Lightning Node multipler
$.levelIdMultiplier[10] = 100; // Flash Node multipler
}

vevote/packages/contracts/contracts/governance/libraries/VeVoteProposalLogic.sol

Lines 169 to 187 in 508a3af

function execute(
VeVoteStorageTypes.VeVoteStorage storage self,
uint256 proposalId,
string memory comment
) external returns (uint256) {
// Validate that proposal is in a succeeded state
VeVoteStateLogic.validateStateBitmap(
self,
proposalId,
VeVoteStateLogic.encodeStateBitmap(VeVoteTypes.ProposalState.Succeeded)
);
// Mark the proposal as executed
self.proposals[proposalId].executed = true;
emit VeVoteProposalExecuted(proposalId, comment);
return proposalId;
}

vevote/packages/contracts/contracts/governance/libraries/VeVoteQuorumLogic.sol

Lines 183 to 191 in 508a3af

function _optimisticUpperLookupRecent(
Checkpoints.Trace208 storage ckpts,
uint48 timepoint
) private view returns (uint256) {
// If trace is empty, key and value are both equal to 0.
// In that case `key <= timepoint` is true, and it is ok to return 0.
(, uint48 key, uint208 value) = ckpts.latestCheckpoint();
return key <= timepoint ? value : ckpts.upperLookupRecent(timepoint);
}

@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 23, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@roisindowling roisindowling merged commit cd3c06d into main Oct 23, 2025
13 checks passed
@roisindowling roisindowling deleted the secuirtyFixes branch October 23, 2025 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@LLPROG LLPROG LLPROG approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

increment:patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@roisindowling @LLPROG