Skip to content

Instantly share code, notes, and snippets.

@nachomazzara

nachomazzara/LIP-25-Audit.md

Last active October 31, 2020 17:57
Show Gist options
  • Save nachomazzara/8ed11e628d77ebb59a155643c2cd7fd4 to your computer and use it in GitHub Desktop.
Save nachomazzara/8ed11e628d77ebb59a155643c2cd7fd4 to your computer and use it in GitHub Desktop.
Download ZIP
Livepeer - LIP-25 - Security Review
Raw
LIP-25-Audit.md

Livepeer - LIP-25 - Security Review

Introduction

Livepeer team requested the LIP-25 proposal revision by auditing the Governor smart contract, the commit referenced for this audit is ac98605f78520b0ef43e31d0d20d0efbf2d32876.

Governor.sol

To take into consideration

  • Based on how each update is staged, if for some reason two calls are needed within a delay, the second one will fail. Even it is not part of the spec, a common usage as set regular payments won't be possible. This could be allowed by using a nonce allowing the same call to be staged more than once.

  • An update can contain value on one or more calls (if it is a batch update). When an update is staged, there is no check of the sum of each value against msg.value. If for some reason there is a mismatch between them, at the execution step, a call may fail or may use Ether from other update. Consider looping through the updates checking if msg.value == sum(update.value). Also, at the cancel stage the return of that Ether could be considered. Another alternative could be to add payable modifier to the execute function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment