What is the status of security vulnerabilities

Hello,
I am using Governor contracts (and also some tokens) in my contract, and I have found the report from Certora (31 Oct - 23 Nov 2021) where it mentions security issues (in the Governor). Later I found that Certora made two new audits (total of three) and also detected some vulnerabilities in the other contracts. My question is: were all these bugs fixed? Because I have found (on GitHub) the branch formal-verification started on 21 Sep 2021 and it was not yet merged. If it wasn't merged, does it mean that the bugs are still present in master???
Is there a status page of all security vulnerabilities that have been discovered in the contracts and the corresponding version (preferably with a link to download) that fixes these vulnerabilities?
Thank you very much in advance!

Welcome, @Nullik. This may be what you're looking for.

The branch you refer to doesn't contain fixes, it contains the specifications that were used to formally verify the contracts.

All issues mentioned in those reports have been fixed except for the following:

  • "Setting the proposalThreshold too high breaks the proposing system": There is no perfect fix we can implement, all proposals need to be thoroughly tested anyway.
  • "Two systems that use the same timelock cannot queue the same proposal": This is an edge case unlikely to show up but if it does it can be worked around.
  • "Setting a new timelock removes all queued proposals along with the old timelock": Same as the previous item.

You should use the latest release (currently v4.8.2) to make sure it contains all the latest fixes and improvements.

great! thank you very much!