-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update EIP-3643: Move to Draft #7164
Conversation
put out of stagnant status
✅ All reviewers have approved. |
The commit c69bb86 (as a parent of b332759) contains errors. |
EIPS/eip-3643.md
Outdated
The suite of Smart Contracts has been audited by external independent companies. The results can be found on | ||
Tokeny's website or on the Tokeny's T-REX repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mentioning your website is conceptually an "external link", and so isn't allowed. I'd recommend either summarizing the results of the audit, or simply noting that no security issues have been found.
Perhaps something like one of these, as appropriate:
This specification has been audited by Kapersky, and no notable security considerations were found.
An audit, performed by Kapersky, highlighted the following considerations for implementers of this standard:
- When flooping a glarp, implementers must pay particular attention to the meep. It must remain glooped for the duration of the merp.
- Never transfer the moop to the merp. Doing so would allow an attacker to floop the glarp too early.
From an extremely quick read of the audit report, it looks like it was focused on your implementation, but not on this standard itself. In other words, they focused on whether your implementation conformed to your whitepaper, and didn't consider whether your overall design was sound.
That isn't problematic in and of itself, but it does mean the audit might not be applicable to other implementers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, the audit mainly focused on the concrete implementation of the standard. However, it is important to note that our implementation is a direct translation of the standard specification outlined in the whitepaper. Therefore, the audit process essentially included a thorough review and verification of the standard's design and functionality.
While the audit report may not explicitly state the details of these discussions, the audit process was comprehensive and spanned over four months. During this time, the audit team harshly challenged the principles and design decisions underlying the T-REX standard (ERC-3643). Their inquiry was not limited to the security aspects of smart contracts, but also delved into the rationale behind the standard's specifications. Satisfactory responses to these inquiries and the absence of any outstanding safety issues in the audit report demonstrate the robustness of the standard.
It is true that the audits we realized may not be fully applicable to other implementations of the standard, but still provide valuable insight into the standard's design and functionality. The audits validate the standard's specifications and provide assurance that the standard does not present any notable security issues (when implemented as per the specifications). Therefore, we consider it relevant and useful to mention the audits in this section related to standard security considerations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the Security Considerations
section in adfc130
Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com>
Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com>
Co-authored-by: Sam Wilson <57262657+SamWilsn@users.noreply.github.com>
@SamWilsn is there still any changes required to merge this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All Reviewers Have Approved; Performing Automatic Merge...
transferOwnershipOnIdentityRegistryContract
which is a duplicate oftransferOwnership
as we mention the ERC-173 used by the standard.