Pre-Review ArbitrableTokenList
eccentricexit opened this issue · 20 comments
I'm adding @epiqueras's suggestions for history purposes:
- *You're still setting disputed to false, when it should be a historic record of wether an agreement was ever disputed. You are also requiring that the last agreement was not disputed to create a new one. This might break internal logic.*
- Some param ordering is off.
- You can move the `lastAction == 0 push tokenID` to the `latestAgreementID != 0x0` block.
- Do we really need to clear `challengeReward`?
- latestAgreementID() is unnecessary.
- *You need to factorize ruling in favor of either party, it's repeated way too many times.*
- *In `itemsCount()`, `disputed` should not be exclusive.*
- *The fundDisputeCache should always be cleared, currently it's only cleared if it's the agreement's first contribution.*
- Valid rulings are already enforced higher up in the inheritance `<= choices`, I think, let's not repeat it.
@mtsalenc Can you make a new issue, following: https://kleros.gitbook.io/contributing-md/smart-contract-workflow/reviews-and-bug-bounties#pre-review
https://docs.google.com/document/d/1V4LWh2bz_NwhQpkApPia576OgLbF-RjGChLDsshiaBk/edit#
Three main points:
- We need to simplify the contract greatly in order to limit security risks and security practice resource consumption.
- Most of the issues are due to trying to make it fit in existing structures while writing specific code would have been more efficient.
- People should not be able to chose their own meta evidence otherwise they can just put a "I win" kind of meta evidence.
Review for 47245c0
-
Typo in comment "Arbitrator did not rule of refused to rule."
-
Is it OK to prevent evidence submissions if
round.appealed
?kleros-interaction/contracts/standard/permission/ArbitrableTokenList.sol
Lines 814 to 822 in 47245c0
-
It can be a problem to uniquely identify a token with
symbolURI
I think, because it can be easily replaced. For example, someone can make multiple submissions for token X and only diference issymbolURI
but those different uris has the same symbol so effectively they are duplicate submissions interpreted like original submissions.kleros-interaction/contracts/standard/permission/ArbitrableTokenList.sol
Lines 249 to 257 in 47245c0
-
Is it intended to declare
Party.Challenger
aswinner
whencurrentRuling == RulingOption.Other
?kleros-interaction/contracts/standard/permission/ArbitrableTokenList.sol
Lines 780 to 790 in 47245c0
-
I can't see where token status is updated in
fundPotDispute(...)
but this function emitsTokenStatusChange
. Is it intended?kleros-interaction/contracts/standard/permission/ArbitrableTokenList.sol
Lines 382 to 453 in 47245c0
Great finds!
It can be a problem to uniquely identify a token with symbolURI I think, because it can be easily replaced. For example, someone can make multiple submissions for token X and only diference is symbolURI but those different uris has the same symbol so effectively they are duplicate submissions interpreted like original submissions.
This would change the requests context from being "request for registration" and "clear request" to also having one for "update image".
Another review https://docs.google.com/document/d/1uxtYa47fv0UsVGa7rwU_xAXR1rm1ngr6TR5bVq_8_rk/edit?usp=sharing
Mostly typos
Bug: Here, we the ID of the MetaEvidence should be:
? 2 * metaEvidenceUpdates
: 2 * metaEvidenceUpdates + 1,
Good catch @unknownunknown1 . I fix it.
Review of the new version https://docs.google.com/document/d/1bUyLKVExjR10kp97v1ncqDfVuYDY9tzVqzIL6jf0lQg/edit?usp=sharing