feat(billboard): mtigate securiry risks

thematters · Nov 24, 2023 · 363c16b · 363c16b
1 parent 292835a
commit 363c16b
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 54 deletions.
diff --git a/.gas-snapshot b/.gas-snapshot
@@ -9,55 +9,55 @@ ACLManagerTest:testGrantRole() (gas: 23547)
 ACLManagerTest:testRenounceRole() (gas: 27841)
 ACLManagerTest:testRoles() (gas: 15393)
 ACLManagerTest:testTransferRole() (gas: 21528)
-BillboardTest:testAddToWhitelist() (gas: 37205)
-BillboardTest:testApproveAndTransfer() (gas: 162735)
-BillboardTest:testCalculateTax() (gas: 29439)
-BillboardTest:testCannnotWithdrawTaxIfSmallAmount(uint8) (runs: 256, μ: 418314, ~: 431711)
-BillboardTest:testCannnotWithdrawTaxIfZero() (gas: 384181)
-BillboardTest:testCannotAddToWhitelistByAttacker() (gas: 11137)
-BillboardTest:testCannotApproveByAttacker() (gas: 130388)
-BillboardTest:testCannotClearAuctionIfAuctionNotEnded() (gas: 587279)
-BillboardTest:testCannotClearAuctionOnNewBoard() (gas: 136576)
-BillboardTest:testCannotMintBoardByAttacker() (gas: 13332)
-BillboardTest:testCannotPlaceBidByAttacker() (gas: 141747)
-BillboardTest:testCannotPlaceBidTwice(uint96) (runs: 256, μ: 633286, ~: 639517)
-BillboardTest:testCannotRemoveToWhitelistByAttacker() (gas: 11204)
-BillboardTest:testCannotSafeTransferByAttacker() (gas: 127555)
-BillboardTest:testCannotSetBoardProprtiesByAttacker() (gas: 157909)
-BillboardTest:testCannotSetIsOpenedByAttacker() (gas: 11094)
-BillboardTest:testCannotSetTaxRateByAttacker() (gas: 11106)
-BillboardTest:testCannotTransferByOperator() (gas: 132888)
-BillboardTest:testCannotTransferToZeroAddress() (gas: 128375)
-BillboardTest:testCannotUpgradeRegistryByAttacker() (gas: 11228)
-BillboardTest:testCannotWithBidTwice(uint96) (runs: 256, μ: 914945, ~: 914945)
-BillboardTest:testCannotWithdrawBidIfAuctionNotCleared(uint96) (runs: 256, μ: 753227, ~: 753227)
-BillboardTest:testCannotWithdrawBidIfAuctionNotEnded(uint96) (runs: 256, μ: 627476, ~: 627476)
-BillboardTest:testCannotWithdrawBidIfNotFound() (gas: 419684)
-BillboardTest:testCannotWithdrawBidIfWon(uint96) (runs: 256, μ: 720845, ~: 720845)
-BillboardTest:testCannotWithdrawTaxByAttacker() (gas: 18774)
-BillboardTest:testClearAuctionIfAuctionEnded() (gas: 632267)
-BillboardTest:testClearAuctionsIfAuctionEnded() (gas: 1171641)
-BillboardTest:testGetBids(uint8,uint8,uint8) (runs: 256, μ: 2900467, ~: 1438660)
-BillboardTest:testGetTokenURI() (gas: 155303)
-BillboardTest:testMintBoard() (gas: 225987)
-BillboardTest:testMintBoardByWhitelist() (gas: 157167)
-BillboardTest:testMintBoardIfOpened() (gas: 130861)
-BillboardTest:testPlaceBidByWhitelist() (gas: 468335)
-BillboardTest:testPlaceBidIfAuctionEnded() (gas: 917448)
-BillboardTest:testPlaceBidOnNewBoard(uint96) (runs: 256, μ: 517862, ~: 528054)
-BillboardTest:testPlaceBidWithHigherPrice(uint96) (runs: 256, μ: 749336, ~: 756644)
-BillboardTest:testPlaceBidWithSamePrices(uint96) (runs: 256, μ: 747541, ~: 759217)
-BillboardTest:testPlaceBidZeroPrice() (gas: 358399)
-BillboardTest:testRemoveToWhitelist() (gas: 24957)
-BillboardTest:testSafeTransferByOperator() (gas: 141354)
-BillboardTest:testSetBoardProperties() (gas: 307136)
-BillboardTest:testSetBoardPropertiesAfterTransfer() (gas: 337474)
-BillboardTest:testSetIsOpened() (gas: 15978)
-BillboardTest:testSetTaxRate() (gas: 27263)
-BillboardTest:testSomethin() (gas: 1646208)
-BillboardTest:testUpgradeRegistry() (gas: 2672107)
-BillboardTest:testWithdrawBid(uint96) (runs: 256, μ: 916241, ~: 916241)
-BillboardTest:testWithdrawTax(uint96) (runs: 256, μ: 507557, ~: 507557)
+BillboardTest:testAddToWhitelist() (gas: 35114)
+BillboardTest:testApproveAndTransfer() (gas: 162512)
+BillboardTest:testCalculateTax() (gas: 22822)
+BillboardTest:testCannnotWithdrawTaxIfSmallAmount(uint8) (runs: 256, μ: 410878, ~: 424702)
+BillboardTest:testCannnotWithdrawTaxIfZero() (gas: 377863)
+BillboardTest:testCannotAddToWhitelistByAttacker() (gas: 9037)
+BillboardTest:testCannotApproveByAttacker() (gas: 130271)
+BillboardTest:testCannotClearAuctionIfAuctionNotEnded() (gas: 578827)
+BillboardTest:testCannotClearAuctionOnNewBoard() (gas: 136253)
+BillboardTest:testCannotMintBoardByAttacker() (gas: 13321)
+BillboardTest:testCannotPlaceBidByAttacker() (gas: 139222)
+BillboardTest:testCannotPlaceBidTwice(uint96) (runs: 256, μ: 624744, ~: 630975)
+BillboardTest:testCannotRemoveToWhitelistByAttacker() (gas: 9104)
+BillboardTest:testCannotSafeTransferByAttacker() (gas: 127438)
+BillboardTest:testCannotSetBoardProprtiesByAttacker() (gas: 157292)
+BillboardTest:testCannotSetIsOpenedByAttacker() (gas: 8994)
+BillboardTest:testCannotSetTaxRateByAttacker() (gas: 9006)
+BillboardTest:testCannotTransferByOperator() (gas: 132771)
+BillboardTest:testCannotTransferToZeroAddress() (gas: 128258)
+BillboardTest:testCannotUpgradeRegistryByAttacker() (gas: 9128)
+BillboardTest:testCannotWithBidTwice(uint96) (runs: 256, μ: 903306, ~: 903306)
+BillboardTest:testCannotWithdrawBidIfAuctionNotCleared(uint96) (runs: 256, μ: 743847, ~: 743847)
+BillboardTest:testCannotWithdrawBidIfAuctionNotEnded(uint96) (runs: 256, μ: 619025, ~: 619025)
+BillboardTest:testCannotWithdrawBidIfNotFound() (gas: 413160)
+BillboardTest:testCannotWithdrawBidIfWon(uint96) (runs: 256, μ: 710721, ~: 710721)
+BillboardTest:testCannotWithdrawTaxByAttacker() (gas: 16677)
+BillboardTest:testClearAuctionIfAuctionEnded() (gas: 622677)
+BillboardTest:testClearAuctionsIfAuctionEnded() (gas: 1156582)
+BillboardTest:testGetBids(uint8,uint8,uint8) (runs: 256, μ: 2773780, ~: 1419565)
+BillboardTest:testGetTokenURI() (gas: 154980)
+BillboardTest:testMintBoard() (gas: 225541)
+BillboardTest:testMintBoardByWhitelist() (gas: 154942)
+BillboardTest:testMintBoardIfOpened() (gas: 145715)
+BillboardTest:testPlaceBidByWhitelist() (gas: 461423)
+BillboardTest:testPlaceBidIfAuctionEnded() (gas: 906529)
+BillboardTest:testPlaceBidOnNewBoard(uint96) (runs: 256, μ: 510724, ~: 520900)
+BillboardTest:testPlaceBidWithHigherPrice(uint96) (runs: 256, μ: 739847, ~: 747077)
+BillboardTest:testPlaceBidWithSamePrices(uint96) (runs: 256, μ: 738385, ~: 750061)
+BillboardTest:testPlaceBidZeroPrice() (gas: 354275)
+BillboardTest:testRemoveToWhitelist() (gas: 23207)
+BillboardTest:testSafeTransferByOperator() (gas: 141237)
+BillboardTest:testSetBoardProperties() (gas: 305883)
+BillboardTest:testSetBoardPropertiesAfterTransfer() (gas: 335509)
+BillboardTest:testSetIsOpened() (gas: 22661)
+BillboardTest:testSetTaxRate() (gas: 22909)
+BillboardTest:testSomethin() (gas: 1626769)
+BillboardTest:testUpgradeRegistry() (gas: 2968149)
+BillboardTest:testWithdrawBid(uint96) (runs: 256, μ: 904808, ~: 904808)
+BillboardTest:testWithdrawTax(uint96) (runs: 256, μ: 500265, ~: 500265)
 CurationTest:testCannotCurateERC20CurateZeroAmount() (gas: 12194)
 CurationTest:testCannotCurateERC20EmptyURI() (gas: 15797)
 CurationTest:testCannotCurateERC20IfNotApproval() (gas: 21624)

diff --git a/src/Billboard/Billboard.sol b/src/Billboard/Billboard.sol
@@ -6,12 +6,11 @@ import "./IBillboard.sol";
 import "./IBillboardRegistry.sol";
 
 contract Billboard is IBillboard {
-    BillboardRegistry public registry;
-
     // access control
-    bool public isOpened = false;
-    address public admin;
+    BillboardRegistry public immutable registry;
+    address public immutable admin;
     mapping(address => bool) public whitelist;
+    bool public isOpened = false;
 
     constructor(address payable registry_, uint256 taxRate_, string memory name_, string memory symbol_) {
         admin = msg.sender;

diff --git a/src/Billboard/BillboardRegistry.sol b/src/Billboard/BillboardRegistry.sol
@@ -15,7 +15,7 @@ contract BillboardRegistry is IBillboardRegistry, ERC721 {
     Counters.Counter public lastTokenId;
 
     uint256 public taxRate;
-    uint64 public leaseTerm = 14 days;
+    uint64 public constant leaseTerm = 14 days;
 
     // tokenId => Board
     mapping(uint256 => Board) public boards;
@@ -41,6 +41,7 @@ contract BillboardRegistry is IBillboardRegistry, ERC721 {
         string memory name_,
         string memory symbol_
     ) ERC721(name_, symbol_) {
+        require(operator_ != address(0), "Zero address");
         operator = operator_;
         taxRate = taxRate_;
     }
@@ -59,7 +60,11 @@ contract BillboardRegistry is IBillboardRegistry, ERC721 {
 
     /// @inheritdoc IBillboardRegistry
     function setOperator(address operator_) external isFromOperator {
+        require(operator_ != address(0), "Zero address");
+
         operator = operator_;
+
+        emit OperatorUpdated(operator_);
     }
 
     //////////////////////////////
@@ -221,6 +226,7 @@ contract BillboardRegistry is IBillboardRegistry, ERC721 {
 
     /// @inheritdoc IBillboardRegistry
     function transferAmount(address to_, uint256 amount_) external isFromOperator {
+        require(to_ != address(0), "Zero address");
         (bool _success, ) = to_.call{value: amount_}("");
         require(_success, "transfer failed");
     }

diff --git a/src/Billboard/IBillboardRegistry.sol b/src/Billboard/IBillboardRegistry.sol
@@ -8,6 +8,11 @@ interface IBillboardRegistry is IERC721 {
     /// Event
     //////////////////////////////
 
+    /**
+     * @notice Operator is updated.
+     */
+    event OperatorUpdated(address indexed operator);
+
     /**
      * @notice Board name is updated.
      *