From 8c20c5f2608da1ada92ea563c063e3f0f3c6189b Mon Sep 17 00:00:00 2001 
From: Michael Heuer <20623991+Michael-A-Heuer@users.noreply.github.com> Date: Wed, 13 Sep 2023 13:57:53 +0200 Subject: [PATCH] docs: added security contract email address (#458) --- packages/contracts/src/core/dao/DAO.sol | 1 + packages/contracts/src/core/dao/IDAO.sol | 1 + packages/contracts/src/core/dao/IEIP4824.sol | 1 + .../contracts/src/core/permission/IPermissionCondition.sol | 1 + .../contracts/src/core/permission/PermissionCondition.sol | 1 + .../src/core/permission/PermissionConditionUpgradeable.sol | 1 + packages/contracts/src/core/permission/PermissionLib.sol | 1 + packages/contracts/src/core/permission/PermissionManager.sol | 1 + packages/contracts/src/core/plugin/IPlugin.sol | 1 + packages/contracts/src/core/plugin/Plugin.sol | 1 + packages/contracts/src/core/plugin/PluginCloneable.sol | 1 + packages/contracts/src/core/plugin/PluginUUPSUpgradeable.sol | 1 + .../src/core/plugin/dao-authorizable/DaoAuthorizable.sol | 1 + .../plugin/dao-authorizable/DaoAuthorizableUpgradeable.sol | 1 + .../contracts/src/core/plugin/membership/IMembership.sol | 1 + packages/contracts/src/core/plugin/proposal/IProposal.sol | 1 + packages/contracts/src/core/plugin/proposal/Proposal.sol | 1 + .../src/core/plugin/proposal/ProposalUpgradeable.sol | 1 + packages/contracts/src/core/utils/BitMap.sol | 2 ++ packages/contracts/src/core/utils/CallbackHandler.sol | 1 + packages/contracts/src/core/utils/auth.sol | 1 + packages/contracts/src/framework/dao/DAOFactory.sol | 1 + packages/contracts/src/framework/dao/DAORegistry.sol | 1 + packages/contracts/src/framework/plugin/repo/IPluginRepo.sol | 1 + packages/contracts/src/framework/plugin/repo/PluginRepo.sol | 1 + .../src/framework/plugin/repo/PluginRepoFactory.sol | 1 + .../src/framework/plugin/repo/PluginRepoRegistry.sol | 1 + .../contracts/src/framework/plugin/setup/IPluginSetup.sol | 1 + .../contracts/src/framework/plugin/setup/PluginSetup.sol | 1 + .../src/framework/plugin/setup/PluginSetupProcessor.sol | 1 + 
.../framework/plugin/setup/PluginSetupProcessorHelpers.sol | 5 +++++ .../contracts/src/framework/utils/InterfaceBasedRegistry.sol | 3 ++- packages/contracts/src/framework/utils/RegistryUtils.sol | 1 + packages/contracts/src/framework/utils/TokenFactory.sol | 1 + .../src/framework/utils/ens/ENSSubdomainRegistrar.sol | 1 + packages/contracts/src/plugins/governance/admin/Admin.sol | 1 + .../contracts/src/plugins/governance/admin/AdminSetup.sol | 1 + .../plugins/governance/majority-voting/IMajorityVoting.sol | 1 + .../governance/majority-voting/MajorityVotingBase.sol | 1 + .../majority-voting/addresslist/AddresslistVoting.sol | 1 + .../majority-voting/addresslist/AddresslistVotingSetup.sol | 1 + .../plugins/governance/majority-voting/token/TokenVoting.sol | 1 + .../governance/majority-voting/token/TokenVotingSetup.sol | 1 + .../contracts/src/plugins/governance/multisig/IMultisig.sol | 1 + .../contracts/src/plugins/governance/multisig/Multisig.sol | 1 + .../src/plugins/governance/multisig/MultisigSetup.sol | 1 + .../src/plugins/placeholder-version/PlaceholderSetup.sol | 1 + packages/contracts/src/plugins/token/IMerkleDistributor.sol | 4 ++++ packages/contracts/src/plugins/token/IMerkleMinter.sol | 4 ++++ packages/contracts/src/plugins/token/MerkleDistributor.sol | 1 + packages/contracts/src/plugins/token/MerkleMinter.sol | 1 + packages/contracts/src/plugins/utils/Addresslist.sol | 1 + packages/contracts/src/plugins/utils/Ratio.sol | 1 + .../contracts/src/token/ERC20/IERC20MintableUpgradeable.sol | 1 + .../contracts/src/token/ERC20/governance/GovernanceERC20.sol | 1 + .../src/token/ERC20/governance/GovernanceWrappedERC20.sol | 1 + .../src/token/ERC20/governance/IGovernanceWrappedERC20.sol | 4 ++++ packages/contracts/src/utils/Proxy.sol | 1 + packages/contracts/src/utils/UncheckedMath.sol | 3 +++ packages/contracts/src/utils/protocol/IProtocolVersion.sol | 1 + packages/contracts/src/utils/protocol/ProtocolVersion.sol | 1 + 61 files changed, 78 insertions(+), 1 deletion(-) 
diff --git a/packages/contracts/src/core/dao/DAO.sol b/packages/contracts/src/core/dao/DAO.sol
index 7a10df655..6770b516d 100644
--- a/packages/contracts/src/core/dao/DAO.sol
+++ b/packages/contracts/src/core/dao/DAO.sol
@@ -25,6 +25,7 @@ import {IDAO} from "./IDAO.sol";
 /// @author Aragon Association - 2021-2023
 /// @notice This contract is the entry point to the Aragon DAO framework and provides our users a simple and easy to use public interface.
 /// @dev Public API of the Aragon DAO framework.
+/// @custom:security-contact sirt@aragon.org
 contract DAO is
 IEIP4824,
 Initializable,
diff --git a/packages/contracts/src/core/dao/IDAO.sol b/packages/contracts/src/core/dao/IDAO.sol
index e50fad31e..434c84cb4 100644
--- a/packages/contracts/src/core/dao/IDAO.sol
+++ b/packages/contracts/src/core/dao/IDAO.sol
@@ -5,6 +5,7 @@ pragma solidity ^0.8.8;
 /// @title IDAO
 /// @author Aragon Association - 2022-2023
 /// @notice The interface required for DAOs within the Aragon App DAO framework.
+/// @custom:security-contact sirt@aragon.org
 interface IDAO {
 /// @notice The action struct to be consumed by the DAO's `execute` function resulting in an external call.
 /// @param to The address to call.
diff --git a/packages/contracts/src/core/dao/IEIP4824.sol b/packages/contracts/src/core/dao/IEIP4824.sol
index 3f3967e3b..6b9ce9a50 100644
--- a/packages/contracts/src/core/dao/IEIP4824.sol
+++ b/packages/contracts/src/core/dao/IEIP4824.sol
@@ -5,6 +5,7 @@ pragma solidity 0.8.17;
 /// @title EIP-4824 Common Interfaces for DAOs
 /// @dev See https://eips.ethereum.org/EIPS/eip-4824
 /// @author Aragon Association - 2021-2023
+/// @custom:security-contact sirt@aragon.org
 interface IEIP4824 {
 /// @notice A distinct Uniform Resource Identifier (URI) pointing to a JSON object following the "EIP-4824 DAO JSON-LD Schema". This JSON file splits into four URIs: membersURI, proposalsURI, activityLogURI, and governanceURI. The membersURI should point to a JSON file that conforms to the "EIP-4824 Members JSON-LD Schema". The proposalsURI should point to a JSON file that conforms to the "EIP-4824 Proposals JSON-LD Schema". The activityLogURI should point to a JSON file that conforms to the "EIP-4824 Activity Log JSON-LD Schema". The governanceURI should point to a flatfile, normatively a .md file. Each of the JSON files named above can be statically hosted or dynamically-generated.
 /// @return _daoURI The DAO URI.
diff --git a/packages/contracts/src/core/permission/IPermissionCondition.sol b/packages/contracts/src/core/permission/IPermissionCondition.sol
index d0f67910b..70498ac3a 100644
--- a/packages/contracts/src/core/permission/IPermissionCondition.sol
+++ b/packages/contracts/src/core/permission/IPermissionCondition.sol
@@ -6,6 +6,7 @@ pragma solidity ^0.8.8;
 /// @author Aragon Association - 2021-2023
 /// @notice An interface to be implemented to support custom permission logic.
 /// @dev To attach a condition to a permission, the `grantWithCondition` function must be used and refer to the implementing contract's address with the `condition` argument.
+/// @custom:security-contact sirt@aragon.org
 interface IPermissionCondition {
 /// @notice Checks if a call is permitted.
 /// @param _where The address of the target contract.
diff --git a/packages/contracts/src/core/permission/PermissionCondition.sol b/packages/contracts/src/core/permission/PermissionCondition.sol
index fd9daa463..09b128203 100644
--- a/packages/contracts/src/core/permission/PermissionCondition.sol
+++ b/packages/contracts/src/core/permission/PermissionCondition.sol
@@ -9,6 +9,7 @@ import {IPermissionCondition} from "./IPermissionCondition.sol";
 /// @title PermissionCondition
 /// @author Aragon Association - 2023
 /// @notice An abstract contract for non-upgradeable contracts instantiated via the `new` keyword to inherit from to support customary permissions depending on arbitrary on-chain state.
+/// @custom:security-contact sirt@aragon.org
 abstract contract PermissionCondition is ERC165, IPermissionCondition {
 /// @notice Checks if an interface is supported by this or its parent contract.
 /// @param _interfaceId The ID of the interface.
diff --git a/packages/contracts/src/core/permission/PermissionConditionUpgradeable.sol b/packages/contracts/src/core/permission/PermissionConditionUpgradeable.sol
index d9b4142e8..a51a778a4 100644
--- a/packages/contracts/src/core/permission/PermissionConditionUpgradeable.sol
+++ b/packages/contracts/src/core/permission/PermissionConditionUpgradeable.sol
@@ -9,6 +9,7 @@ import {IPermissionCondition} from "./IPermissionCondition.sol";
 /// @title PermissionConditionUpgradeable
 /// @author Aragon Association - 2023
 /// @notice An abstract contract for upgradeable or cloneable contracts to inherit from and to support customary permissions depending on arbitrary on-chain state.
+/// @custom:security-contact sirt@aragon.org
 abstract contract PermissionConditionUpgradeable is ERC165Upgradeable, IPermissionCondition {
 /// @notice Checks if an interface is supported by this or its parent contract.
 /// @param _interfaceId The ID of the interface.
diff --git a/packages/contracts/src/core/permission/PermissionLib.sol b/packages/contracts/src/core/permission/PermissionLib.sol
index 2867545ca..f44383a93 100644
--- a/packages/contracts/src/core/permission/PermissionLib.sol
+++ b/packages/contracts/src/core/permission/PermissionLib.sol
@@ -5,6 +5,7 @@ pragma solidity ^0.8.8;
 /// @title PermissionLib
 /// @author Aragon Association - 2021-2023
 /// @notice A library containing objects for permission processing.
+/// @custom:security-contact sirt@aragon.org
 library PermissionLib {
 /// @notice A constant expressing that no condition is applied to a permission.
 address public constant NO_CONDITION = address(0);
diff --git a/packages/contracts/src/core/permission/PermissionManager.sol b/packages/contracts/src/core/permission/PermissionManager.sol
index 1a05a3124..9870ed81c 100644
--- a/packages/contracts/src/core/permission/PermissionManager.sol
+++ b/packages/contracts/src/core/permission/PermissionManager.sol
@@ -12,6 +12,7 @@ import "./PermissionLib.sol";
 /// @title PermissionManager
 /// @author Aragon Association - 2021-2023
 /// @notice The abstract permission manager used in a DAO, its associated plugins, and other framework-related components.
+/// @custom:security-contact sirt@aragon.org
 abstract contract PermissionManager is Initializable {
 using AddressUpgradeable for address;
diff --git a/packages/contracts/src/core/plugin/IPlugin.sol b/packages/contracts/src/core/plugin/IPlugin.sol
index 14071f1ce..87e519525 100644
--- a/packages/contracts/src/core/plugin/IPlugin.sol
+++ b/packages/contracts/src/core/plugin/IPlugin.sol
@@ -5,6 +5,7 @@ pragma solidity ^0.8.8;
 /// @title IPlugin
 /// @author Aragon Association - 2022-2023
 /// @notice An interface defining the traits of a plugin.
+/// @custom:security-contact sirt@aragon.org
 interface IPlugin {
 enum PluginType {
 UUPS,
diff --git a/packages/contracts/src/core/plugin/Plugin.sol b/packages/contracts/src/core/plugin/Plugin.sol
index 924fd4f2b..5223542a2 100644
--- a/packages/contracts/src/core/plugin/Plugin.sol
+++ b/packages/contracts/src/core/plugin/Plugin.sol
@@ -11,6 +11,7 @@ import {IPlugin} from "./IPlugin.sol";
 /// @title Plugin
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract, non-upgradeable contract to inherit from when creating a plugin being deployed via the `new` keyword.
+/// @custom:security-contact sirt@aragon.org
 abstract contract Plugin is IPlugin, ERC165, DaoAuthorizable {
 /// @notice Constructs the plugin by storing the associated DAO.
 /// @param _dao The DAO contract.
diff --git a/packages/contracts/src/core/plugin/PluginCloneable.sol b/packages/contracts/src/core/plugin/PluginCloneable.sol
index 8722a4d87..4aa7b94c4 100644
--- a/packages/contracts/src/core/plugin/PluginCloneable.sol
+++ b/packages/contracts/src/core/plugin/PluginCloneable.sol
@@ -11,6 +11,7 @@ import {IPlugin} from "./IPlugin.sol";
 /// @title PluginCloneable
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract, non-upgradeable contract to inherit from when creating a plugin being deployed via the minimal clones pattern (see [ERC-1167](https://eips.ethereum.org/EIPS/eip-1167)).
+/// @custom:security-contact sirt@aragon.org
 abstract contract PluginCloneable is IPlugin, ERC165Upgradeable, DaoAuthorizableUpgradeable {
 /// @notice Disables the initializers on the implementation contract to prevent it from being left uninitialized.
 /// @custom:oz-upgrades-unsafe-allow constructor
diff --git a/packages/contracts/src/core/plugin/PluginUUPSUpgradeable.sol b/packages/contracts/src/core/plugin/PluginUUPSUpgradeable.sol
index ca453abf7..21d61d11e 100644
--- a/packages/contracts/src/core/plugin/PluginUUPSUpgradeable.sol
+++ b/packages/contracts/src/core/plugin/PluginUUPSUpgradeable.sol
@@ -13,6 +13,7 @@ import {IPlugin} from "./IPlugin.sol";
 /// @title PluginUUPSUpgradeable
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract, upgradeable contract to inherit from when creating a plugin being deployed via the UUPS pattern (see [ERC-1822](https://eips.ethereum.org/EIPS/eip-1822)).
+/// @custom:security-contact sirt@aragon.org
 abstract contract PluginUUPSUpgradeable is
 IPlugin,
 ERC165Upgradeable,
diff --git a/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizable.sol b/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizable.sol
index 58ea02795..588f7e978 100644
--- a/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizable.sol
+++ b/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizable.sol
@@ -10,6 +10,7 @@ import {_auth} from "../../utils/auth.sol";
 /// @title DaoAuthorizable
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract contract providing a meta-transaction compatible modifier for non-upgradeable contracts instantiated via the `new` keyword to authorize function calls through an associated DAO.
+/// @custom:security-contact sirt@aragon.org
 abstract contract DaoAuthorizable is Context {
 /// @notice The associated DAO managing the permissions of inheriting contracts.
 IDAO private immutable dao_;
diff --git a/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizableUpgradeable.sol b/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizableUpgradeable.sol
index cde0eae0b..a32dcf204 100644
--- a/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizableUpgradeable.sol
+++ b/packages/contracts/src/core/plugin/dao-authorizable/DaoAuthorizableUpgradeable.sol
@@ -11,6 +11,7 @@ import {_auth} from "../../utils/auth.sol";
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract contract providing a meta-transaction compatible modifier for upgradeable or cloneable contracts to authorize function calls through an associated DAO.
 /// @dev Make sure to call `__DaoAuthorizableUpgradeable_init` during initialization of the inheriting contract.
+/// @custom:security-contact sirt@aragon.org
 abstract contract DaoAuthorizableUpgradeable is ContextUpgradeable {
 /// @notice The associated DAO managing the permissions of inheriting contracts.
 IDAO private dao_;
diff --git a/packages/contracts/src/core/plugin/membership/IMembership.sol b/packages/contracts/src/core/plugin/membership/IMembership.sol
index 9e222080f..acd002e68 100644
--- a/packages/contracts/src/core/plugin/membership/IMembership.sol
+++ b/packages/contracts/src/core/plugin/membership/IMembership.sol
@@ -5,6 +5,7 @@ pragma solidity ^0.8.8;
 /// @title IMembership
 /// @author Aragon Association - 2022-2023
 /// @notice An interface to be implemented by DAO plugins that define membership.
+/// @custom:security-contact sirt@aragon.org
 interface IMembership {
 /// @notice Emitted when members are added to the DAO plugin.
 /// @param members The list of new members being added.
diff --git a/packages/contracts/src/core/plugin/proposal/IProposal.sol b/packages/contracts/src/core/plugin/proposal/IProposal.sol
index ad3c3a3f8..361438a2b 100644
--- a/packages/contracts/src/core/plugin/proposal/IProposal.sol
+++ b/packages/contracts/src/core/plugin/proposal/IProposal.sol
@@ -7,6 +7,7 @@ import {IDAO} from "../../dao/IDAO.sol";
 /// @title IProposal
 /// @author Aragon Association - 2022-2023
 /// @notice An interface to be implemented by DAO plugins that create and execute proposals.
+/// @custom:security-contact sirt@aragon.org
 interface IProposal {
 /// @notice Emitted when a proposal is created.
 /// @param proposalId The ID of the proposal.
diff --git a/packages/contracts/src/core/plugin/proposal/Proposal.sol b/packages/contracts/src/core/plugin/proposal/Proposal.sol
index f3acc0e69..5b6df31e3 100644
--- a/packages/contracts/src/core/plugin/proposal/Proposal.sol
+++ b/packages/contracts/src/core/plugin/proposal/Proposal.sol
@@ -10,6 +10,7 @@ import "./IProposal.sol";
 /// @title Proposal
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract contract containing the traits and internal functionality to create and execute proposals that can be inherited by non-upgradeable DAO plugins.
+/// @custom:security-contact sirt@aragon.org
 abstract contract Proposal is IProposal, ERC165 {
 using Counters for Counters.Counter;
diff --git a/packages/contracts/src/core/plugin/proposal/ProposalUpgradeable.sol b/packages/contracts/src/core/plugin/proposal/ProposalUpgradeable.sol
index 299aefad6..5bea35193 100644
--- a/packages/contracts/src/core/plugin/proposal/ProposalUpgradeable.sol
+++ b/packages/contracts/src/core/plugin/proposal/ProposalUpgradeable.sol
@@ -10,6 +10,7 @@ import "./IProposal.sol";
 /// @title ProposalUpgradeable
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract contract containing the traits and internal functionality to create and execute proposals that can be inherited by upgradeable DAO plugins.
+/// @custom:security-contact sirt@aragon.org
 abstract contract ProposalUpgradeable is IProposal, ERC165Upgradeable {
 using CountersUpgradeable for CountersUpgradeable.Counter;
diff --git a/packages/contracts/src/core/utils/BitMap.sol b/packages/contracts/src/core/utils/BitMap.sol
index 47fbce4a0..a699c1361 100644
--- a/packages/contracts/src/core/utils/BitMap.sol
+++ b/packages/contracts/src/core/utils/BitMap.sol
@@ -5,6 +5,7 @@ pragma solidity 0.8.17;
 /// @param bitmap The `uint256` representation of bits.
 /// @param index The index number to check whether 1 or 0 is set.
 /// @return Returns `true` if the bit is set at `index` on `bitmap`.
+/// @custom:security-contact sirt@aragon.org
 function hasBit(uint256 bitmap, uint8 index) pure returns (bool) {
 uint256 bitValue = bitmap & (1 << index);
 return bitValue > 0;
@@ -13,6 +14,7 @@ function hasBit(uint256 bitmap, uint8 index) pure returns (bool) {
 /// @param bitmap The `uint256` representation of bits.
 /// @param index The index number to set the bit.
 /// @return Returns a new number in which the bit is set at `index`.
+/// @custom:security-contact sirt@aragon.org
 function flipBit(uint256 bitmap, uint8 index) pure returns (uint256) {
 return bitmap ^ (1 << index);
 }
diff --git a/packages/contracts/src/core/utils/CallbackHandler.sol b/packages/contracts/src/core/utils/CallbackHandler.sol
index e0fda25cf..98e195b75 100644
--- a/packages/contracts/src/core/utils/CallbackHandler.sol
+++ b/packages/contracts/src/core/utils/CallbackHandler.sol
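Review bot: In BitMap.sol the `@custom:security-contact` tag is attached to the file-level functions `hasBit` and `flipBit` rather than to a contract, interface or library. As far as I know solc emits NatSpec developer documentation per contract, so a tag on a free function probably never reaches the compiled metadata that explorers and tooling read, and is visible only to someone reading the source file. The same applies to `_auth` in auth.sol, the five helpers in PluginSetupProcessorHelpers.sol and `isSubdomainValid` in RegistryUtils.sol. For those files a single plain comment below the pragma, `// Security contact: sirt@aragon.org`, would state the contact once per file without implying it is published with the bytecode metadata.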
@@ -6,6 +6,7 @@ pragma solidity 0.8.17;
 /// @author Aragon Association - 2022-2023
 /// @notice This contract handles callbacks by registering a magic number together with the callback function's selector. It provides the `_handleCallback` function that inheriting contracts have to call inside their `fallback()` function (`_handleCallback(msg.callbackSelector, msg.data)`). This allows to adaptively register ERC standards (e.g., [ERC-721](https://eips.ethereum.org/EIPS/eip-721), [ERC-1115](https://eips.ethereum.org/EIPS/eip-1155), or future versions of [ERC-165](https://eips.ethereum.org/EIPS/eip-165)) and returning the required magic numbers for the associated callback functions for the inheriting contract so that it doesn't need to be upgraded.
 /// @dev This callback handling functionality is intented to be used by executor contracts (i.e., `DAO.sol`).
+/// @custom:security-contact sirt@aragon.org
 abstract contract CallbackHandler {
 /// @notice A mapping between callback function selectors and magic return numbers.
 mapping(bytes4 => bytes4) internal callbackMagicNumbers;
diff --git a/packages/contracts/src/core/utils/auth.sol b/packages/contracts/src/core/utils/auth.sol
index f54b3d872..b5c93ca7a 100644
--- a/packages/contracts/src/core/utils/auth.sol
+++ b/packages/contracts/src/core/utils/auth.sol
@@ -16,6 +16,7 @@ error DaoUnauthorized(address dao, address where, address who, bytes32 permissio
 /// @param _who The address (EOA or contract) owning the permission.
 /// @param _permissionId The permission identifier.
 /// @param _data The optional data passed to the `PermissionCondition` registered.
+/// @custom:security-contact sirt@aragon.org
 function _auth(
 IDAO _dao,
 address _where,
diff --git a/packages/contracts/src/framework/dao/DAOFactory.sol b/packages/contracts/src/framework/dao/DAOFactory.sol
index d9d6a5eb2..9648de5bc 100644
--- a/packages/contracts/src/framework/dao/DAOFactory.sol
+++ b/packages/contracts/src/framework/dao/DAOFactory.sol
@@ -18,6 +18,7 @@ import {DAORegistry} from "./DAORegistry.sol";
 /// @title DAOFactory
 /// @author Aragon Association - 2022-2023
 /// @notice This contract is used to create a DAO.
+/// @custom:security-contact sirt@aragon.org
 contract DAOFactory is ERC165, ProtocolVersion {
 /// @notice The DAO base contract, to be used for creating new `DAO`s via `createERC1967Proxy` function.
 address public immutable daoBase;
diff --git a/packages/contracts/src/framework/dao/DAORegistry.sol b/packages/contracts/src/framework/dao/DAORegistry.sol
index 6f9bc58bb..f46ad8eb8 100644
--- a/packages/contracts/src/framework/dao/DAORegistry.sol
+++ b/packages/contracts/src/framework/dao/DAORegistry.sol
@@ -10,6 +10,7 @@ import {isSubdomainValid} from "../utils/RegistryUtils.sol";
 /// @title Register your unique DAO subdomain
 /// @author Aragon Association - 2022-2023
 /// @notice This contract provides the possibility to register a DAO.
+/// @custom:security-contact sirt@aragon.org
 contract DAORegistry is InterfaceBasedRegistry {
 /// @notice The ID of the permission required to call the `register` function.
 bytes32 public constant REGISTER_DAO_PERMISSION_ID = keccak256("REGISTER_DAO_PERMISSION");
diff --git a/packages/contracts/src/framework/plugin/repo/IPluginRepo.sol b/packages/contracts/src/framework/plugin/repo/IPluginRepo.sol
index db5ebeaab..69a11c068 100644
--- a/packages/contracts/src/framework/plugin/repo/IPluginRepo.sol
+++ b/packages/contracts/src/framework/plugin/repo/IPluginRepo.sol
@@ -5,6 +5,7 @@ pragma solidity 0.8.17;
 /// @title IPluginRepo
 /// @author Aragon Association - 2022-2023
 /// @notice The interface required for a plugin repository.
+/// @custom:security-contact sirt@aragon.org
 interface IPluginRepo {
 /// @notice Updates the metadata for release with content `@fromHex(_releaseMetadata)`.
 /// @param _release The release number.
diff --git a/packages/contracts/src/framework/plugin/repo/PluginRepo.sol b/packages/contracts/src/framework/plugin/repo/PluginRepo.sol
index 0fd62fcb5..95b0c7466 100644
--- a/packages/contracts/src/framework/plugin/repo/PluginRepo.sol
+++ b/packages/contracts/src/framework/plugin/repo/PluginRepo.sol
@@ -18,6 +18,7 @@ import {IPluginRepo} from "./IPluginRepo.sol";
 /// @title PluginRepo
 /// @author Aragon Association - 2020 - 2023
 /// @notice The plugin repository contract required for managing and publishing different plugin versions within the Aragon DAO framework.
+/// @custom:security-contact sirt@aragon.org
 contract PluginRepo is
 Initializable,
 ERC165Upgradeable,
diff --git a/packages/contracts/src/framework/plugin/repo/PluginRepoFactory.sol b/packages/contracts/src/framework/plugin/repo/PluginRepoFactory.sol
index 06e362b85..c712202be 100644
--- a/packages/contracts/src/framework/plugin/repo/PluginRepoFactory.sol
+++ b/packages/contracts/src/framework/plugin/repo/PluginRepoFactory.sol
@@ -14,6 +14,7 @@ import {PluginRepo} from "./PluginRepo.sol";
 /// @title PluginRepoFactory
 /// @author Aragon Association - 2022-2023
 /// @notice This contract creates `PluginRepo` proxies and registers them on a `PluginRepoRegistry` contract.
+/// @custom:security-contact sirt@aragon.org
 contract PluginRepoFactory is ERC165, ProtocolVersion {
 /// @notice The Aragon plugin registry contract.
 PluginRepoRegistry public pluginRepoRegistry;
diff --git a/packages/contracts/src/framework/plugin/repo/PluginRepoRegistry.sol b/packages/contracts/src/framework/plugin/repo/PluginRepoRegistry.sol
index b5bd61fae..c986b42d1 100644
--- a/packages/contracts/src/framework/plugin/repo/PluginRepoRegistry.sol
+++ b/packages/contracts/src/framework/plugin/repo/PluginRepoRegistry.sol
@@ -11,6 +11,7 @@ import {IPluginRepo} from "./IPluginRepo.sol";
 /// @title PluginRepoRegistry
 /// @author Aragon Association - 2022-2023
 /// @notice This contract maintains an address-based registry of plugin repositories in the Aragon App DAO framework.
+/// @custom:security-contact sirt@aragon.org
 contract PluginRepoRegistry is InterfaceBasedRegistry {
 /// @notice The ID of the permission required to call the `register` function.
 bytes32 public constant REGISTER_PLUGIN_REPO_PERMISSION_ID =
diff --git a/packages/contracts/src/framework/plugin/setup/IPluginSetup.sol b/packages/contracts/src/framework/plugin/setup/IPluginSetup.sol
index 7ee8ae5f1..103ced016 100644
--- a/packages/contracts/src/framework/plugin/setup/IPluginSetup.sol
+++ b/packages/contracts/src/framework/plugin/setup/IPluginSetup.sol
@@ -8,6 +8,7 @@ import {IDAO} from "../../../core/dao/IDAO.sol";
 /// @title IPluginSetup
 /// @author Aragon Association - 2022-2023
 /// @notice The interface required for a plugin setup contract to be consumed by the `PluginSetupProcessor` for plugin installations, updates, and uninstallations.
+/// @custom:security-contact sirt@aragon.org
 interface IPluginSetup {
 /// @notice The data associated with a prepared setup.
 /// @param helpers The address array of helpers (contracts or EOAs) associated with this plugin version after the installation or update.
diff --git a/packages/contracts/src/framework/plugin/setup/PluginSetup.sol b/packages/contracts/src/framework/plugin/setup/PluginSetup.sol
index e8761b08d..08ee037ef 100644
--- a/packages/contracts/src/framework/plugin/setup/PluginSetup.sol
+++ b/packages/contracts/src/framework/plugin/setup/PluginSetup.sol
@@ -13,6 +13,7 @@ import {IPluginSetup} from "./IPluginSetup.sol";
 /// @title PluginSetup
 /// @author Aragon Association - 2022-2023
 /// @notice An abstract contract that developers have to inherit from to write the setup of a plugin.
+/// @custom:security-contact sirt@aragon.org
 abstract contract PluginSetup is ERC165, IPluginSetup {
 /// @inheritdoc IPluginSetup
 function prepareUpdate(
diff --git a/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol b/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol
index 3856dca2a..2b54f71e8 100644
--- a/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol
+++ b/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol
@@ -20,6 +20,7 @@ import {PluginSetupRef, hashHelpers, hashPermissions, _getPreparedSetupId, _getA
 /// @author Aragon Association - 2022-2023
 /// @notice This contract processes the preparation and application of plugin setups (installation, update, uninstallation) on behalf of a requesting DAO.
 /// @dev This contract is temporarily granted the `ROOT_PERMISSION_ID` permission on the applying DAO and therefore is highly security critical.
+/// @custom:security-contact sirt@aragon.org
 contract PluginSetupProcessor {
 using ERC165Checker for address;
diff --git a/packages/contracts/src/framework/plugin/setup/PluginSetupProcessorHelpers.sol b/packages/contracts/src/framework/plugin/setup/PluginSetupProcessorHelpers.sol
index 686bdff7b..2eca46fc7 100644
--- a/packages/contracts/src/framework/plugin/setup/PluginSetupProcessorHelpers.sol
+++ b/packages/contracts/src/framework/plugin/setup/PluginSetupProcessorHelpers.sol
@@ -29,6 +29,7 @@ enum PreparationType {
 /// @notice Returns an ID for plugin installation by hashing the DAO and plugin address.
 /// @param _dao The address of the DAO conducting the setup.
 /// @param _plugin The plugin address.
+/// @custom:security-contact sirt@aragon.org
 function _getPluginInstallationId(address _dao, address _plugin) pure returns (bytes32) {
 return keccak256(abi.encode(_dao, _plugin));
 }
@@ -40,6 +41,7 @@ function _getPluginInstallationId(address _dao, address _plugin) pure returns (b
 /// @param _data The bytes-encoded initialize data for the upgrade that is returned by `prepareUpdate`.
 /// @param _preparationType The type of preparation the plugin is currently undergoing. Without this, it is possible to call `applyUpdate` even after `applyInstallation` is called.
 /// @return The prepared setup id.
+/// @custom:security-contact sirt@aragon.org
 function _getPreparedSetupId(
 PluginSetupRef memory _pluginSetupRef,
 bytes32 _permissionsHash,
@@ -64,6 +66,7 @@ function _getPreparedSetupId(
 /// @param _pluginSetupRef The reference of the plugin setup containing plugin setup repo and version tag.
 /// @param _helpersHash The hash of the helper contract addresses.
 /// @return The applied setup id.
+/// @custom:security-contact sirt@aragon.org
 function _getAppliedSetupId(
 PluginSetupRef memory _pluginSetupRef,
 bytes32 _helpersHash
@@ -76,6 +79,7 @@ function _getAppliedSetupId(
 /// @notice Returns a hash of an array of helper addresses (contracts or EOAs).
 /// @param _helpers The array of helper addresses (contracts or EOAs) to be hashed.
+/// @custom:security-contact sirt@aragon.org
 function hashHelpers(address[] memory _helpers) pure returns (bytes32) {
 return keccak256(abi.encode(_helpers));
 }
@@ -83,6 +87,7 @@ function hashHelpers(address[] memory _helpers) pure returns (bytes32) {
 /// @notice Returns a hash of an array of multi-targeted permission operations.
 /// @param _permissions The array of of multi-targeted permission operations.
 /// @return The hash of the array of permission operations.
+/// @custom:security-contact sirt@aragon.org
 function hashPermissions(
 PermissionLib.MultiTargetPermission[] memory _permissions
 ) pure returns (bytes32) {
diff --git a/packages/contracts/src/framework/utils/InterfaceBasedRegistry.sol b/packages/contracts/src/framework/utils/InterfaceBasedRegistry.sol
index 2e6c6c42d..78bba3e03 100644
--- a/packages/contracts/src/framework/utils/InterfaceBasedRegistry.sol
+++ b/packages/contracts/src/framework/utils/InterfaceBasedRegistry.sol
@@ -10,7 +10,8 @@ import {IDAO} from "../../core/dao/IDAO.sol";
 /// @title InterfaceBasedRegistry
 /// @author Aragon Association - 2022-2023
-/// @notice An [ERC-165](https://eips.ethereum.org/EIPS/eip-165)-based registry for contracts
+/// @notice An [ERC-165](https://eips.ethereum.org/EIPS/eip-165)-based registry for contracts.
+/// @custom:security-contact sirt@aragon.org
 abstract contract InterfaceBasedRegistry is UUPSUpgradeable, DaoAuthorizableUpgradeable {
 using ERC165CheckerUpgradeable for address;
diff --git a/packages/contracts/src/framework/utils/RegistryUtils.sol b/packages/contracts/src/framework/utils/RegistryUtils.sol
index be2d924c2..9d3a16b88 100644
--- a/packages/contracts/src/framework/utils/RegistryUtils.sol
+++ b/packages/contracts/src/framework/utils/RegistryUtils.sol
@@ -10,6 +10,7 @@ pragma solidity 0.8.17;
 /// @param subDomain The name of the DAO.
 /// @return `true` if the name is valid or `false` if at least one char is invalid.
 /// @dev Aborts on the first invalid char found.
+/// @custom:security-contact sirt@aragon.org
 function isSubdomainValid(string calldata subDomain) pure returns (bool) {
 bytes calldata nameBytes = bytes(subDomain);
 uint256 nameLength = nameBytes.length;
diff --git a/packages/contracts/src/framework/utils/TokenFactory.sol b/packages/contracts/src/framework/utils/TokenFactory.sol
index 1573298f0..f2f0daea4 100644
--- a/packages/contracts/src/framework/utils/TokenFactory.sol
+++ b/packages/contracts/src/framework/utils/TokenFactory.sol
@@ -19,6 +19,7 @@ import {IDAO} from "../../core/dao/IDAO.sol";
 /// @title TokenFactory
 /// @author Aragon Association - 2022-2023
 /// @notice This contract creates [ERC-20](https://eips.ethereum.org/EIPS/eip-20) governance tokens.
+/// @custom:security-contact sirt@aragon.org
 contract TokenFactory {
 using Address for address;
 using Clones for address;
diff --git a/packages/contracts/src/framework/utils/ens/ENSSubdomainRegistrar.sol b/packages/contracts/src/framework/utils/ens/ENSSubdomainRegistrar.sol
index a3bf188b0..1d79e950f 100644
--- a/packages/contracts/src/framework/utils/ens/ENSSubdomainRegistrar.sol
+++ b/packages/contracts/src/framework/utils/ens/ENSSubdomainRegistrar.sol
@@ -13,6 +13,7 @@ import {IDAO} from "../../../core/dao/IDAO.sol"; /// @title ENSSubdomainRegistrar /// @author Aragon Association - 2022-2023 /// @notice This contract registers ENS subdomains under a parent domain specified in the initialization process and maintains ownership of the subdomain since only the resolver address is set. This contract must either be the domain node owner or an approved operator of the node owner. The default resolver being used is the one specified in the parent domain. +/// @custom:security-contact sirt@aragon.org contract ENSSubdomainRegistrar is UUPSUpgradeable, DaoAuthorizableUpgradeable { /// @notice The ID of the permission required to call the `_authorizeUpgrade` function. bytes32 public constant UPGRADE_REGISTRAR_PERMISSION_ID = diff --git a/packages/contracts/src/plugins/governance/admin/Admin.sol b/packages/contracts/src/plugins/governance/admin/Admin.sol index e1a3572c7..253ac22f0 100644 --- a/packages/contracts/src/plugins/governance/admin/Admin.sol +++ b/packages/contracts/src/plugins/governance/admin/Admin.sol @@ -12,6 +12,7 @@ import {IDAO} from "../../../core/dao/IDAO.sol"; /// @title Admin /// @author Aragon Association - 2022-2023 /// @notice The admin governance plugin giving execution permission on the DAO to a single address. +/// @custom:security-contact sirt@aragon.org contract Admin is IMembership, PluginCloneable, ProposalUpgradeable { using SafeCastUpgradeable for uint256; diff --git a/packages/contracts/src/plugins/governance/admin/AdminSetup.sol b/packages/contracts/src/plugins/governance/admin/AdminSetup.sol index 3b7bc46cc..a1ab5de21 100644 --- a/packages/contracts/src/plugins/governance/admin/AdminSetup.sol +++ b/packages/contracts/src/plugins/governance/admin/AdminSetup.sol 
@@ -13,6 +13,7 @@ import {Admin} from "./Admin.sol"; /// @title AdminAddressSetup /// @author Aragon Association - 2022-2023 /// @notice The setup contract of the `Admin` plugin. +/// @custom:security-contact sirt@aragon.org contract AdminSetup is PluginSetup { using Clones for address; diff --git a/packages/contracts/src/plugins/governance/majority-voting/IMajorityVoting.sol b/packages/contracts/src/plugins/governance/majority-voting/IMajorityVoting.sol index 754420f77..43178c3ac 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/IMajorityVoting.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/IMajorityVoting.sol @@ -7,6 +7,7 @@ import {IDAO} from "../../../core/dao/IDAO.sol"; /// @title IMajorityVoting /// @author Aragon Association - 2022-2023 /// @notice The interface of majority voting plugin. +/// @custom:security-contact sirt@aragon.org interface IMajorityVoting { /// @notice Vote options that a voter can chose from. /// @param None The default option state of a voter indicating the absence from the vote. This option neither influences support nor participation. diff --git a/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol b/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol index dae51c3c2..98b21ca53 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol @@ -93,6 +93,7 @@ import {IMajorityVoting} from "./IMajorityVoting.sol"; /// /// Accordingly, early execution is possible when the vote is open, the modified support criterion, and the particicpation criterion are met. /// @dev This contract implements the `IMajorityVoting` interface. +/// @custom:security-contact sirt@aragon.org abstract contract MajorityVotingBase is IMajorityVoting, Initializable, 
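Review bot: In the `AdminSetup.sol` hunk the NatSpec block that receives the new contact tag is titled `AdminAddressSetup`, while the contract declared directly below it is `AdminSetup`. Since the commit touches this block anyway, the title should match the declaration: `/// @title AdminSetup`. A report sent to the new contact will name either the title or the contract, and a mismatch makes it harder to tell which artifact is meant. The contract body continues outside the hunk.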
diff --git a/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVoting.sol b/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVoting.sol index c9451623b..4e5482cc9 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVoting.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVoting.sol @@ -16,6 +16,7 @@ import {MajorityVotingBase} from "../MajorityVotingBase.sol"; /// @author Aragon Association - 2021-2023. /// @notice The majority voting implementation using a list of member addresses. /// @dev This contract inherits from `MajorityVotingBase` and implements the `IMajorityVoting` interface. +/// @custom:security-contact sirt@aragon.org contract AddresslistVoting is IMembership, Addresslist, MajorityVotingBase { using SafeCastUpgradeable for uint256; diff --git a/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVotingSetup.sol b/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVotingSetup.sol index c0cdc7ba7..78510e181 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVotingSetup.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/addresslist/AddresslistVotingSetup.sol @@ -12,6 +12,7 @@ import {AddresslistVoting} from "./AddresslistVoting.sol"; /// @title AddresslistVotingSetup /// @author Aragon Association - 2022-2023 /// @notice The setup contract of the `AddresslistVoting` plugin. +/// @custom:security-contact sirt@aragon.org contract AddresslistVotingSetup is PluginSetup { /// @notice The address of `AddresslistVoting` plugin logic contract to be used in creating proxy contracts. AddresslistVoting private immutable addresslistVotingBase; 
diff --git a/packages/contracts/src/plugins/governance/majority-voting/token/TokenVoting.sol b/packages/contracts/src/plugins/governance/majority-voting/token/TokenVoting.sol index 3d10ac635..4e6051aa6 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/token/TokenVoting.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/token/TokenVoting.sol @@ -16,6 +16,7 @@ import {IMajorityVoting} from "../IMajorityVoting.sol"; /// @author Aragon Association - 2021-2023 /// @notice The majority voting implementation using an [OpenZeppelin `Votes`](https://docs.openzeppelin.com/contracts/4.x/api/governance#Votes) compatible governance token. /// @dev This contract inherits from `MajorityVotingBase` and implements the `IMajorityVoting` interface. +/// @custom:security-contact sirt@aragon.org contract TokenVoting is IMembership, MajorityVotingBase { using SafeCastUpgradeable for uint256; diff --git a/packages/contracts/src/plugins/governance/majority-voting/token/TokenVotingSetup.sol b/packages/contracts/src/plugins/governance/majority-voting/token/TokenVotingSetup.sol index 44268d698..4f30c8639 100644 --- a/packages/contracts/src/plugins/governance/majority-voting/token/TokenVotingSetup.sol +++ b/packages/contracts/src/plugins/governance/majority-voting/token/TokenVotingSetup.sol @@ -21,6 +21,7 @@ import {TokenVoting} from "./TokenVoting.sol"; /// @title TokenVotingSetup /// @author Aragon Association - 2022-2023 /// @notice The setup contract of the `TokenVoting` plugin. +/// @custom:security-contact sirt@aragon.org contract TokenVotingSetup is PluginSetup { using Address for address; using Clones for address; diff --git a/packages/contracts/src/plugins/governance/multisig/IMultisig.sol b/packages/contracts/src/plugins/governance/multisig/IMultisig.sol index e5ae07643..77cdaa474 100644 --- a/packages/contracts/src/plugins/governance/multisig/IMultisig.sol +++ b/packages/contracts/src/plugins/governance/multisig/IMultisig.sol 
@@ -7,6 +7,7 @@ import {IDAO} from "../../../core/dao/IDAO.sol"; /// @title IMultisig /// @author Aragon Association - 2023 /// @notice An interface for an on-chain multisig governance plugin in which a proposal passes if X out of Y approvals are met. +/// @custom:security-contact sirt@aragon.org interface IMultisig { /// @notice Adds new members to the address list. Previously, it checks if the new address list length would be greater than `type(uint16).max`, the maximal number of approvals. /// @param _members The addresses of the members to be added. diff --git a/packages/contracts/src/plugins/governance/multisig/Multisig.sol b/packages/contracts/src/plugins/governance/multisig/Multisig.sol index 86261b468..db32e3cf6 100644 --- a/packages/contracts/src/plugins/governance/multisig/Multisig.sol +++ b/packages/contracts/src/plugins/governance/multisig/Multisig.sol @@ -15,6 +15,7 @@ import {IMultisig} from "./IMultisig.sol"; /// @title Multisig - Release 1, Build 2 /// @author Aragon Association - 2022-2023 /// @notice The on-chain multisig governance plugin in which a proposal passes if X out of Y approvals are met. +/// @custom:security-contact sirt@aragon.org contract Multisig is IMultisig, IMembership, diff --git a/packages/contracts/src/plugins/governance/multisig/MultisigSetup.sol b/packages/contracts/src/plugins/governance/multisig/MultisigSetup.sol index 7201cb7e5..732bfc225 100644 --- a/packages/contracts/src/plugins/governance/multisig/MultisigSetup.sol +++ b/packages/contracts/src/plugins/governance/multisig/MultisigSetup.sol @@ -11,6 +11,7 @@ import {Multisig} from "./Multisig.sol"; /// @title MultisigSetup - Release 1, Build 2 /// @author Aragon Association - 2022-2023 /// @notice The setup contract of the `Multisig` plugin. +/// @custom:security-contact sirt@aragon.org contract MultisigSetup is PluginSetup { /// @notice The address of `Multisig` plugin logic contract to be used in creating proxy contracts. Multisig private immutable multisigBase; 
diff --git a/packages/contracts/src/plugins/placeholder-version/PlaceholderSetup.sol b/packages/contracts/src/plugins/placeholder-version/PlaceholderSetup.sol index f35f5760e..0052aa3fe 100644 --- a/packages/contracts/src/plugins/placeholder-version/PlaceholderSetup.sol +++ b/packages/contracts/src/plugins/placeholder-version/PlaceholderSetup.sol @@ -8,6 +8,7 @@ import {PluginSetup, IPluginSetup} from "../../framework/plugin/setup/PluginSetu /// @title PlaceholderSetup /// @author Aragon Association - 2023 /// @notice A placeholder setup contract for outdated plugin builds. When moving plugin repos to new chains or layers, where only the latest release and build should be available, this placeholder can be used to populate previous builds. +/// @custom:security-contact sirt@aragon.org contract PlaceholderSetup is PluginSetup { /// @notice Thrown if the dummy is used. error PlaceholderSetupCannotBeUsed(); diff --git a/packages/contracts/src/plugins/token/IMerkleDistributor.sol b/packages/contracts/src/plugins/token/IMerkleDistributor.sol index 0c8177a2e..24f163d85 100644 --- a/packages/contracts/src/plugins/token/IMerkleDistributor.sol +++ b/packages/contracts/src/plugins/token/IMerkleDistributor.sol @@ -7,6 +7,10 @@ import {ERC20WrapperUpgradeable} from "@openzeppelin/contracts-upgradeable/token import {IDAO} from "../../core/dao/IDAO.sol"; +/// @title IMerkleDistributor +/// @author Uniswap 2020, Modified by Aragon Association 2021-2023 +/// @notice An interface for the plugin distributing [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens via a merkle balance tree. +/// @custom:security-contact sirt@aragon.org interface IMerkleDistributor { /// @notice Emitted when tokens are claimed from the distributor. /// @param index The index in the balance tree that was claimed. diff --git a/packages/contracts/src/plugins/token/IMerkleMinter.sol b/packages/contracts/src/plugins/token/IMerkleMinter.sol index d70b48c4b..f20dde543 100644 
--- a/packages/contracts/src/plugins/token/IMerkleMinter.sol +++ b/packages/contracts/src/plugins/token/IMerkleMinter.sol @@ -8,6 +8,10 @@ import {IERC20MintableUpgradeable} from "../../token/ERC20/IERC20MintableUpgrade import {IDAO} from "../../core/dao/IDAO.sol"; import {IMerkleDistributor} from "./IMerkleDistributor.sol"; +/// @title IMerkleMinter +/// @author Aragon Association +/// @notice An interface for the minter plugin minting and distributing [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens via a merkle balance tree. +/// @custom:security-contact sirt@aragon.org interface IMerkleMinter { /// @notice Emitted when a token is minted. /// @param distributor The `MerkleDistributor` address via which the tokens can be claimed. diff --git a/packages/contracts/src/plugins/token/MerkleDistributor.sol b/packages/contracts/src/plugins/token/MerkleDistributor.sol index 9a7da686d..2ef51ccee 100644 --- a/packages/contracts/src/plugins/token/MerkleDistributor.sol +++ b/packages/contracts/src/plugins/token/MerkleDistributor.sol @@ -16,6 +16,7 @@ import {IMerkleDistributor} from "./IMerkleDistributor.sol"; /// @title MerkleDistributor /// @author Uniswap 2020, Modified by Aragon Association 2021-2023 /// @notice A component distributing claimable [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens via a merkle tree. +/// @custom:security-contact sirt@aragon.org contract MerkleDistributor is IMerkleDistributor, PluginUUPSUpgradeable { using SafeERC20Upgradeable for IERC20Upgradeable; diff --git a/packages/contracts/src/plugins/token/MerkleMinter.sol b/packages/contracts/src/plugins/token/MerkleMinter.sol index 45744fde4..ef8909254 100644 --- a/packages/contracts/src/plugins/token/MerkleMinter.sol +++ b/packages/contracts/src/plugins/token/MerkleMinter.sol 
@@ -17,6 +17,7 @@ import {IMerkleMinter} from "./IMerkleMinter.sol"; /// @title MerkleMinter /// @author Aragon Association /// @notice A component minting [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens and distributing them on merkle trees using `MerkleDistributor` clones. +/// @custom:security-contact sirt@aragon.org contract MerkleMinter is IMerkleMinter, PluginUUPSUpgradeable { using Clones for address; diff --git a/packages/contracts/src/plugins/utils/Addresslist.sol b/packages/contracts/src/plugins/utils/Addresslist.sol index 787061be5..654bcf5c3 100644 --- a/packages/contracts/src/plugins/utils/Addresslist.sol +++ b/packages/contracts/src/plugins/utils/Addresslist.sol @@ -10,6 +10,7 @@ import {_uncheckedAdd, _uncheckedSub} from "../../utils/UncheckedMath.sol"; /// @author Aragon Association - 2021-2023 /// @notice The majority voting implementation using a list of member addresses. /// @dev This contract inherits from `MajorityVotingBase` and implements the `IMajorityVoting` interface. +/// @custom:security-contact sirt@aragon.org abstract contract Addresslist { using CheckpointsUpgradeable for CheckpointsUpgradeable.History; diff --git a/packages/contracts/src/plugins/utils/Ratio.sol b/packages/contracts/src/plugins/utils/Ratio.sol index f5e8cc807..54e76bd9d 100644 --- a/packages/contracts/src/plugins/utils/Ratio.sol +++ b/packages/contracts/src/plugins/utils/Ratio.sol @@ -14,6 +14,7 @@ error RatioOutOfBounds(uint256 limit, uint256 actual); /// @param _value The value to which the ratio is applied. /// @param _ratio The ratio that must be in the interval `[0, 10**6]`. /// @return result The resulting value. +/// @custom:security-contact sirt@aragon.org function _applyRatioCeiled(uint256 _value, uint256 _ratio) pure returns (uint256 result) { if (_ratio > RATIO_BASE) { revert RatioOutOfBounds({limit: RATIO_BASE, actual: _ratio}); 
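Review bot: In the `Addresslist.sol` hunk the `@notice` and `@dev` lines above the new contact tag describe a majority voting implementation that inherits from `MajorityVotingBase`, but the declaration below is `abstract contract Addresslist` with no base contracts. The text looks copied from `AddresslistVoting`. I would replace the notice with something like `/// @notice The abstract contract storing a checkpointed list of member addresses.` and drop the `@dev` line; that wording is inferred from the `CheckpointsUpgradeable.History` usage visible here, so please confirm it against the body. The `@title` line and the contract body are outside the hunk.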
diff --git a/packages/contracts/src/token/ERC20/IERC20MintableUpgradeable.sol b/packages/contracts/src/token/ERC20/IERC20MintableUpgradeable.sol index 5daa3c10c..82b96ffeb 100644 --- a/packages/contracts/src/token/ERC20/IERC20MintableUpgradeable.sol +++ b/packages/contracts/src/token/ERC20/IERC20MintableUpgradeable.sol @@ -4,6 +4,7 @@ pragma solidity 0.8.17; /// @title IERC20MintableUpgradeable /// @notice Interface to allow minting of [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens. +/// @custom:security-contact sirt@aragon.org interface IERC20MintableUpgradeable { /// @notice Mints [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens for a receiving address. /// @param _to The receiving address. diff --git a/packages/contracts/src/token/ERC20/governance/GovernanceERC20.sol b/packages/contracts/src/token/ERC20/governance/GovernanceERC20.sol index 1323cd8b7..1d5620262 100644 --- a/packages/contracts/src/token/ERC20/governance/GovernanceERC20.sol +++ b/packages/contracts/src/token/ERC20/governance/GovernanceERC20.sol @@ -17,6 +17,7 @@ import {IERC20MintableUpgradeable} from "../IERC20MintableUpgradeable.sol"; /// @title GovernanceERC20 /// @author Aragon Association /// @notice An [OpenZeppelin `Votes`](https://docs.openzeppelin.com/contracts/4.x/api/governance#Votes) compatible [ERC-20](https://eips.ethereum.org/EIPS/eip-20) token that can be used for voting and is managed by a DAO. +/// @custom:security-contact sirt@aragon.org contract GovernanceERC20 is IERC20MintableUpgradeable, Initializable, diff --git a/packages/contracts/src/token/ERC20/governance/GovernanceWrappedERC20.sol b/packages/contracts/src/token/ERC20/governance/GovernanceWrappedERC20.sol index 96501c749..976e59f91 100644 --- a/packages/contracts/src/token/ERC20/governance/GovernanceWrappedERC20.sol +++ b/packages/contracts/src/token/ERC20/governance/GovernanceWrappedERC20.sol 
@@ -24,6 +24,7 @@ import {IGovernanceWrappedERC20} from "./IGovernanceWrappedERC20.sol"; /// 2. call `depositFor` to wrap them, which safely transfers the underlying [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens to the contract and mints wrapped [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens. /// To get the [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens back, the owner of the wrapped tokens can call `withdrawFor`, which burns the wrapped [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens and safely transfers the underlying tokens back to the owner. /// @dev This contract intentionally has no public mint functionality because this is the responsibility of the underlying [ERC-20](https://eips.ethereum.org/EIPS/eip-20) token contract. +/// @custom:security-contact sirt@aragon.org contract GovernanceWrappedERC20 is IGovernanceWrappedERC20, Initializable, diff --git a/packages/contracts/src/token/ERC20/governance/IGovernanceWrappedERC20.sol b/packages/contracts/src/token/ERC20/governance/IGovernanceWrappedERC20.sol index 22febe664..92ed26db0 100644 --- a/packages/contracts/src/token/ERC20/governance/IGovernanceWrappedERC20.sol +++ b/packages/contracts/src/token/ERC20/governance/IGovernanceWrappedERC20.sol 
@@ -6,6 +6,10 @@ import {IERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20 import {ERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol"; import {ERC20WrapperUpgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20WrapperUpgradeable.sol"; +/// @title IGovernanceWrappedERC20 +/// @author Aragon Association +/// @notice An interface for the token wrapping contract wrapping existing [ERC-20](https://eips.ethereum.org/EIPS/eip-20) tokens. +/// @custom:security-contact sirt@aragon.org interface IGovernanceWrappedERC20 { /// @notice Deposits an amount of underlying token and mints the corresponding number of wrapped tokens for a receiving address. /// @param account The address receiving the minted, wrapped tokens. diff --git a/packages/contracts/src/utils/Proxy.sol b/packages/contracts/src/utils/Proxy.sol index f7db5bdbf..a32ae58cb 100644 --- a/packages/contracts/src/utils/Proxy.sol +++ b/packages/contracts/src/utils/Proxy.sol @@ -9,6 +9,7 @@ import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol"; /// @param _data The constructor arguments for this contract. /// @return The address of the proxy contract created. /// @dev Initializes the upgradeable proxy with an initial implementation specified by _logic. If _data is non-empty, it’s used as data in a delegate call to _logic. This will typically be an encoded function call, and allows initializing the storage of the proxy like a Solidity constructor (see [OpenZeppelin ERC1967Proxy-constructor](https://docs.openzeppelin.com/contracts/4.x/api/proxy#ERC1967Proxy-constructor-address-bytes-)). +/// @custom:security-contact sirt@aragon.org function createERC1967Proxy(address _logic, bytes memory _data) returns (address) { return address(new ERC1967Proxy(_logic, _data)); } diff --git a/packages/contracts/src/utils/UncheckedMath.sol b/packages/contracts/src/utils/UncheckedMath.sol index e2445ea43..5da6d0711 100644 
--- a/packages/contracts/src/utils/UncheckedMath.sol +++ b/packages/contracts/src/utils/UncheckedMath.sol @@ -5,6 +5,7 @@ pragma solidity ^0.8.8; /// @notice Increments an unsigned integer by one without checking the result for overflow errors (using safe math). /// @param i The number to be incremented. /// @return The number incremented by one. +/// @custom:security-contact sirt@aragon.org function _uncheckedIncrement(uint256 i) pure returns (uint256) { unchecked { ++i; @@ -16,6 +17,7 @@ function _uncheckedIncrement(uint256 i) pure returns (uint256) { /// @param a The first summand. /// @param b The second summand. /// @return The sum. +/// @custom:security-contact sirt@aragon.org function _uncheckedAdd(uint256 a, uint256 b) pure returns (uint256) { unchecked { return a + b; @@ -26,6 +28,7 @@ function _uncheckedAdd(uint256 a, uint256 b) pure returns (uint256) { /// @param a The minuend. /// @param b The subtrahend. /// @return The difference. +/// @custom:security-contact sirt@aragon.org function _uncheckedSub(uint256 a, uint256 b) pure returns (uint256) { unchecked { return a - b; diff --git a/packages/contracts/src/utils/protocol/IProtocolVersion.sol b/packages/contracts/src/utils/protocol/IProtocolVersion.sol index e044294ae..e9ba44c8c 100644 --- a/packages/contracts/src/utils/protocol/IProtocolVersion.sol +++ b/packages/contracts/src/utils/protocol/IProtocolVersion.sol @@ -5,6 +5,7 @@ pragma solidity ^0.8.8; /// @title IProtocolVersion /// @author Aragon Association - 2022-2023 /// @notice An interface defining the semantic OSx protocol version. +/// @custom:security-contact sirt@aragon.org interface IProtocolVersion { /// @notice Returns the protocol version at which the current contract was built. Use it to check for future upgrades that might be applicable. /// @return _version Returns the semantic OSx protocol version. 
diff --git a/packages/contracts/src/utils/protocol/ProtocolVersion.sol b/packages/contracts/src/utils/protocol/ProtocolVersion.sol index f1fed8c48..9da2f9d82 100644 --- a/packages/contracts/src/utils/protocol/ProtocolVersion.sol +++ b/packages/contracts/src/utils/protocol/ProtocolVersion.sol @@ -8,6 +8,7 @@ import {IProtocolVersion} from "./IProtocolVersion.sol"; /// @author Aragon Association - 2023 /// @notice An abstract, stateless, non-upgradeable contract serves as a base for other contracts requiring awareness of the OSx protocol version. /// @dev Do not add any new variables to this contract that would shift down storage in the inheritance chain. +/// @custom:security-contact sirt@aragon.org abstract contract ProtocolVersion is IProtocolVersion { // IMPORTANT: Do not add any storage variable, see the above notice.