Identity Staking Invitational Mitigation Review
Gitcoin Passport is your secure access to the open web, offering a trusted and transparent digital identity solution designed to empower and connect the global community of builders and contributors.
- Start date26 Mar 2024
- End date29 Mar 2024
- Total awards$4,750 in USDC
- Duration3 days
- Details
Gitcoin Passport - Mitigation Review details
- Total Prize Pool: $4,750 in USDC
- Warden Pool: $4,000 in USDC
- Judge Pool: $750 in USDC
- Warden guidelines for C4 mitigation reviews
- Submit findings using the C4 form
- Starts March 26, 2024 20:00 UTC
- Ends March 29, 2024 20:00 UTC
Important note
Each warden must submit a mitigation review for every High and Medium finding from the parent audit that is listed as in-scope for the mitigation review. Incomplete mitigation reviews will not be eligible for awards.
Findings being mitigated
Mitigations of all High and Medium issues will be considered in-scope and listed here.
In addition to that we have also addressed the following issues:
- 90 day minimum appeal period can be violated by lockAndBurn in the edge case of protocol pausing
- release() is vulnerable to racing conditions against permissionless lockAndBurn(), users might lose released refunds
Other changes included in the smart contract are:
- adding missing
Releaseevent and changing theSlashevent - adding convenience functions to allow managing multiple community stakes in 1 call:
multipleCommunityStakes,extendMultipleCommunityStakeandwithdrawMultipleCommunityStake
Overview of changes
The changes include:
- fix for the high prio issue found (H-01)
- fixes for some of the QA level issues
- new code:
- small changes related to events
- convenience functions that we have added to be able to manage multiple community stakes in 1 transaction (create, extend and withdraw multiple stakes)
Mitigations to be reviewed
Branch
The link to the branch containing all changes: https://github.com/gitcoinco/id-staking-v2/tree/test_v2_1
Individual PRs
Wherever possible, mitigations should be provided in separate pull requests, one per issue. If that is not possible (e.g. because several audit findings stem from the same core problem), then please link the PR to all relevant issues in your findings repo.
| URL | Mitigation of | Purpose |
|---|---|---|
| https://github.com/gitcoinco/id-staking-v2/pull/8 | H-01 | This fixes the userTotalStaked invariant (acocunting error) https://github.com/code-423n4/2024-03-gitcoin-findings/issues/9 |
| https://github.com/gitcoinco/id-staking-v2/pull/9 | QA | This fixes the following: https://github.com/code-423n4/2024-03-gitcoin-findings/issues/15, https://github.com/code-423n4/2024-03-gitcoin-findings/issues/7 |
| https://github.com/gitcoinco/id-staking-v2/pull/12 | - | This adds a missing Release event and changes the Slash event |
| https://github.com/gitcoinco/id-staking-v2/pull/10 | - | This adds convenience functions to handle multiple community stakes in 1 call: multipleCommunityStakes, extendMultipleCommunityStake and withdrawMultipleCommunityStake |
Out of Scope
n.a.