fix: releaseManager audit fixes #1608
Merged
+69
−19
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0xrajath
added
⚖️ Audit Fix
nadir-akhtar
approved these changes
Aug 13, 2025
0xrajath
added a commit
that referenced
this pull request
Aug 13, 2025
**Motivation:** Certora ReleaseManager audit fixes for Hourglass Part 1 and Part 2. **Modifications:** * `I-01. isValidRelease() and getLatestUpgradeByTime() may panic when no releases exist` : Added `NoReleases()` custom error to those 2 functions in the case of no error. * `I-04. Unused imports can be removed`: Removed unused imports * Support for signalling instant upgrades by setting `upgradeByTime` to `0`. * Updated unit tests * Updated docs * Updated bindings **Result:** Bug free code.
0xrajath
added a commit
that referenced
this pull request
Aug 14, 2025
**Hourglass part 1 and 2 audit fixes** * TaskMailbox fixes: #1604 * ReleaseManager fixes: #1608 **High:** * `H-03: Aggregator TOCTOU Issues Regarding Stake Weights and Operator Set` : Added a `MAX_TASK_SLA` immutable that will be set as `DEALLOCATION_DELAY / 2` so that AVSs have half the Deallocation Delay to do any operator slashing in case of misbehavior : #1604 **Low:** * `L-01: TaskMailbox::createTask() may create tasks that cannot be completed` : Checking that `block.timestamp + taskConfig.taskSLA <= operatorTableReferenceTimestamp + maxStaleness` during taskCreation so that a task cannot be created if its max response time breaches the staleness period of the certificate. : #1604 * `L-03: Restrictive check in_validateBN254Certificate()` : Updated the check to only be for the (0,0) coordinate. : #1604 **Info:** * `I-01. isValidRelease() and getLatestUpgradeByTime() may panic when no releases exist` : Added `NoReleases()` custom error to those 2 functions in the case of no error. : #1608 * `I-02: Incorrect NatSpec in registerExecutorOperatorSet()` : Clearer natspec. : #1604 * `I-04. Unused imports can be removed`: Removed unused imports : #1608 **Additional Features:** * Support for signaling instant upgrades by setting `upgradeByTime` to 0 in the `ReleaseManager` contract: #1608
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Certora ReleaseManager audit fixes for Hourglass Part 1 and Part 2.
Modifications:
I-01. isValidRelease() and getLatestUpgradeByTime() may panic when no releases exist: AddedNoReleases()custom error to those 2 functions in the case of no error.I-04. Unused imports can be removed: Removed unused importsSupport for signalling instant upgrades by setting
upgradeByTimeto0.Updated unit tests
Updated docs
Updated bindings
Result:
Bug free code.