Skip to content

Fix critical recent Solidity regressions#42

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-e035
Draft

Fix critical recent Solidity regressions#42
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-e035

Conversation

@cursor

@cursor cursor Bot commented Jul 8, 2026

Copy link
Copy Markdown

Issue

  • Issue: N/A - critical bug-finding automation
  • Branch: cursor/critical-bug-investigation-e035
  • Scope: Fix concrete critical regressions found at origin/main (9572e85) in token minting, lottery draw timing, Uniswap LP wrapper authorization, V4 PoolManager ERC20 settlement, and default FFI test execution.
  • Out of scope: Broad refactors, Gravity teaching exploit path changes, non-critical docs drift.
  • Issue analysis: N/A

Summary

  • Bug and impact: CloudCoin.mint was unrestricted, allowing arbitrary supply inflation against StakeTogether accounting; SimpleLottery accepted purchases at/after drawBlock while timestamp window remained open; Uniswap V3/V4 wrappers let arbitrary callers drain approved or wrapper-custodied LP NFT assets; V4 PoolManager ERC20 settlement skipped sync(currency) before settle(); default Foundry config enabled host-command FFI for normal tests.
  • Root cause: Missing owner/position-controller authorization checks, block-number cutoff omitted from the lottery purchase path, V4 settlement sequence omitted the required currency sync, and FFI was enabled at profile level instead of explicit opt-in test execution.
  • Fix: Gate CloudCoin minting with Ownable, reject lottery purchases once block.number >= drawBlock, require owner/approved/controller callers for LP NFT decrease/collect/burn flows, sync ERC20 currencies before V4 PoolManager settlement, and make FFI tests skip unless RUN_FFI_TESTS=true with CI/pre-commit running explicit FFI steps separately.

Agent Handoffs

  • Issue analysis file: N/A
  • Handoff file: N/A
  • Verification file: N/A
  • Architecture digest: N/A - automation critical-fix PR, no issue artifact required

Files To Read First

  1. src/14-stake-together/CloudCoin.sol
  2. src/15-simple-lottery/SimpleLottery.sol
  3. src/21-uniswap-v3/UniswapV3LiquidityNftExample.sol
  4. src/22-uniswap-v4/UniswapV4PositionManagerExample.sol
  5. src/22-uniswap-v4/UniswapV4PoolManagerExample.sol
  6. foundry.toml, .github/workflows/test.yml, scripts/pre-commit-ci.sh
  7. Changed regression tests under test/14-stake-together, test/15-simple-lottery, test/21-uniswap-v3, test/22-uniswap-v4, and FFI tests.

Issue Conflict Check

  • IssueAgent found no material conflict with existing requirements or system behavior
  • IssueAgent found conflicts and explicit user confirmation was captured before development

Design / Diagram Updated

  • No architecture-impacting change
  • Updated docs/issues/<issue-number>/architecture.md

Validation Evidence

  • forge fmt --check
  • Focused tests: forge test --match-path test/14-stake-together/StakeTogether.t.sol -vvv; forge test --match-path test/15-simple-lottery/SimpleLottery.t.sol -vvv; forge test --match-path test/21-uniswap-v3/UniswapV3LiquidityNftExample.t.sol -vvv; forge test --match-path test/22-uniswap-v4/UniswapV4WrapperUnit.t.sol -vvv; forge test --match-path test/22-uniswap-v4/UniswapV4PositionManagerExample.t.sol -vvv; forge test --match-path test/22-uniswap-v4/UniswapV4PoolManagerExample.t.sol -vvv
  • forge test -vvv — 500 passed, 0 failed, 36 skipped
  • Additional security/adversarial validation: RUN_FFI_TESTS=true forge test --match-path test/FFI.t.sol --ffi -vvv; RUN_FFI_TESTS=true forge test --match-path test/DifferentialTest.t.sol --ffi -vvv; RUN_FFI_TESTS=true forge test --match-path test/Vyper.t.sol --ffi -vvv; independent read-only audit found no remaining critical blocker in the scoped areas.

Security Findings

  • Critical findings fixed: unrestricted CloudCoin minting, lottery post-draw-block purchases, Uniswap V3/V4 LP wrapper asset-drain authorization bypasses, V4 ERC20 settlement sequencing, and unsafe default FFI execution.

User Test Request

  • Review and merge if CI agrees with the local Foundry validation above.
Open in Web View Automation 

cursoragent and others added 2 commits July 8, 2026 11:03
Co-authored-by: lzhkai <lzhkai1111@qq.com>
Co-authored-by: lzhkai <lzhkai1111@qq.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant