fixes all vulnerabilities in the DAO and add tests with 100 percent coverage #36
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I fixed all serious vulnerabilities found inside the DAO and made all modifications we discussed on slack. Compare coverage before vs after. All tests are passing in both mocked mode and fhevm mode, however few tests are only run in mocked mode: those were we needed to fast forward time by several days to test the timelock mostly, because we had to use the hardhat cheat codes in this case.
The only contract not 100% covered is Comp because there is a branch that could never be reached, and two functions are almost duplicated:
getPriorVotes
andgetMyPriorVotes
while we already have 100% branch coverage forgetMyPriorVotes
.There is still the open question of wether I should re-introduce the
castVoteBySig
function, but for this we would need to add the ability infhevmjs
to interface correctly with the ZKPOK Rust library in order to be able to delegate the ciphertext to a customtx.origin address
. What's your opinion on this @immortal-tofu ?Another open question is wether I should add
virtual
modifiers to the functions inside the different contracts, to make it easily extendable and customizable like I did for the EncryptedERC20, wdyt ?