Include sections for Safeharbor/BugBounties updates #47
b336b8f
| * [ ] Update safeharbor script | ||
| ```bash | ||
| cd scripts/safeharbor | ||
| npm install | ||
| ``` | ||
| * [ ] Run `npm run generate` command in the `spells-mainnet` repo to check for bug bounty updates | ||
| * [ ] IF the command outputs hex encoded call: |
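Review bot: The `npm install` step in the setup block resolves dependencies afresh and can rewrite the lockfile, so the crafter and the reviewers are not guaranteed to run the same generator code before trusting its hex output. If a lockfile is committed for `scripts/safeharbor`, suggest `npm ci` here so the script always runs against the pinned dependency set.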
There was a problem hiding this comment.
Shouldn't we make all that available from the main Makefile?
Check the cast-on-tenderly entry there for reference.
| * [ ] Run `npm run generate` command in the `spells-mainnet` repo to check for bug bounty updates | ||
| * [ ] IF the command outputs hex encoded call: | ||
| * [ ] Add ALL output call to the spell using low-level Solidity call. | ||
| * [ ] The call MUST use the pattern: `(bool succ, bytes memory err) = AGREEMENT.call(<encodedDATA>);` |
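Review bot: The pattern item on the last line captures `succ` and `err`, but nothing in these lines requires the spell to act on them. A low-level `call` returns `false` on failure instead of reverting, so a failed registry update would pass silently. Suggest a sub-item directly under the pattern requiring a revert when `succ` is false, for example `require(succ, ...)`.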
There was a problem hiding this comment.
Aren't we using multicall now?
This way we can just pass the data and make a higher level call, which won't require us to check the success status.
There was a problem hiding this comment.
The issue is that the multicall accepts:
```solidity
struct Call {
    address target;
    bytes callData;
}
function aggregate(Call[] memory calls);
```
Therefore, if there are multiple calls, we would need to use the annoying syntax of:
```solidity
Call[] memory calls = new Call[](x);
calls[0] = Call({ ... });
...
calls[x - 1] = Call({ ... }); // last element; indices run 0..x-1
multicall.aggregate(calls);
```
Which I personally think is much worse in terms of clutter and amount of outputs.
There was a problem hiding this comment.
I see, makes sense.
However, there's another point: the script already provides the raw data for a low-level call to MULTICALL, so the checklist should reference this contract, not the agreement:
| * [ ] The call MUST use the pattern: `(bool succ, bytes memory err) = AGREEMENT.call(<encodedDATA>);` | |
| * [ ] The call MUST use the pattern: `(bool succ, bytes memory err) = MULTICALL.call(<encodedDATA>);` |
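An added example, not part of this PR or of the spells-mainnet code: one way to make the low-level call pattern discussed in this thread fail loudly instead of silently. It assumes `MULTICALL` is the address the generated calldata targets and `encodedData` is the script's hex output; the contract name, function name and error strings are hypothetical.

```solidity
// SPDX-License-Identifier: AGPL-3.0-or-later
pragma solidity ^0.8.0;

// Illustration only: names and error strings are hypothetical.
contract SafeHarborCallExample {
    // Assumption: the Multicall contract the generated calldata is addressed to.
    address internal immutable MULTICALL;

    constructor(address multicall) {
        MULTICALL = multicall;
    }

    // `encodedData` is a complete ABI-encoded call (selector plus arguments),
    // i.e. the hex string printed by the generate script.
    function _updateSafeHarbor(bytes memory encodedData) internal {
        // A low-level call to an address without code succeeds with empty
        // return data, so a wrong address would otherwise go unnoticed.
        require(MULTICALL.code.length > 0, "SafeHarbor/no-code-at-target");

        (bool succ, bytes memory err) = MULTICALL.call(encodedData);
        if (!succ) {
            // Re-raise the callee's revert data so the failing inner call
            // is visible in the transaction trace.
            if (err.length > 0) {
                assembly {
                    revert(add(err, 0x20), mload(err))
                }
            }
            // The callee reverted without data: fall back to a fixed reason.
            revert("SafeHarbor/call-failed");
        }
    }
}
```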
| * [ ] All actions are executed in the transaction trace | ||
| * [ ] No reverts are present that block execution | ||
| * [ ] No out-of-gas errors are present | ||
| * [ ] Confirm `make update-bug-bounty` returns empty |
There was a problem hiding this comment.
| * [ ] Confirm `make update-bug-bounty` returns empty | |
| * [ ] Confirm `make safeharbor-generate` returns empty |
| * [ ] End-to-end "happy path" interaction with the module | ||
| * IF bug bounty updates are present | ||
| * [ ] Test that all bug bounty registry calls execute successfully | ||
| * [ ] Verify `make update-bug-bounty` returns empty diff in test environment after spell execution |
There was a problem hiding this comment.
| * [ ] Verify `make update-bug-bounty` returns empty diff in test environment after spell execution | |
| * [ ] Verify `make safeharbor-generate` returns empty diff in test environment after spell execution |
| * [ ] End-to-end "happy path" interaction with the module | ||
| * IF bug bounty updates are present | ||
| * [ ] Test that all bug bounty registry calls execute successfully | ||
| * [ ] Verify `make update-bug-bounty` returns empty diff in test environment after spell execution |
There was a problem hiding this comment.
This specific step should probably be in the checklist right after "cast on tenderly".
| * [ ] Target Contract is included in the ChainLog | ||
| * [ ] Test Coverage is comprehensive | ||
| * IF bug bounty registry updates are present | ||
| * [ ] Run `make safeharbor-verify calldata=0xhexEncodedData` command in the `spells-mainnet` repo, passing the calldata in the spell to check for it's validity. |
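Review bot: The `safeharbor-verify` item on the last line does not say what output counts as a pass, so a reviewer cannot tell a valid result from a failure by following the checklist alone; suggest stating the expected output. In the same item, "it's validity" should read "its validity".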
There was a problem hiding this comment.
You don't need to explicitly mention the spells-mainnet repo, as it's implied. All other actions in the checklist happen there.
| * [ ] Run `make safeharbor-verify calldata=0xhexEncodedData` command in the `spells-mainnet` repo, passing the calldata in the spell to check for it's validity. | |
| * [ ] Run `make safeharbor-verify calldata=<encodedDATA>` command, passing the calldata in the spell to check for it's validity. |
| * [ ] Test Coverage is comprehensive | ||
| * IF bug bounty registry updates are present | ||
| * [ ] Run `make safeharbor-verify calldata=0xhexEncodedData` command in the `spells-mainnet` repo, passing the calldata in the spell to check for it's validity. | ||
| * [ ] Verify the call uses the correct pattern: `(bool succ, bytes memory err) = AGREEMENT.call(<encodedDATA>);` |
There was a problem hiding this comment.
| * [ ] Verify the call uses the correct pattern: `(bool succ, bytes memory err) = AGREEMENT.call(<encodedDATA>);` | |
| * [ ] Verify the call uses the correct pattern: `(bool succ, bytes memory err) = MULTICALL.call(<encodedDATA>);` |
| * IF bug bounty registry updates are present | ||
| * [ ] Run `make safeharbor-verify calldata=<encodedDATA>` command passing the calldata in the spell to check for it's validity. | ||
| * [ ] Verify the call uses the correct pattern: `(bool succ, bytes memory err) = MULTICALL.call(<encodedDATA>);` | ||
| * [ ] Confirm proper error handling is implemented for each call |
There was a problem hiding this comment.
There will be only one call. Using "for each" here might be confusing.
| * [ ] Confirm proper error handling is implemented for each call | |
| * [ ] Confirm proper error handling is implemented for the call |
| * [ ] Run `make safeharbor-verify calldata=<encodedDATA>` command passing the calldata in the spell to check for it's validity. | ||
| * [ ] Verify the call uses the correct pattern: `(bool succ, bytes memory err) = MULTICALL.call(<encodedDATA>);` | ||
| * [ ] Confirm proper error handling is implemented for each call | ||
| * [ ] Verify the bug bounty section has appropriate comments/documentation |
There was a problem hiding this comment.
"Appropriate" here is too subjective.
It's probably worth expanding which are the exact comments/documentation expectations.
Probably we should take the more detailed crafter check items and adapt them here.
fa99756 to 10ee338
| * [ ] If not already present, add the helper function to perform the call: | ||
| ```solidity | ||
| function _updateSafeHarbor(bytes[] memory calldatas) public { | ||
| for (uint256 i = 0; i < calldatas.length; i++) { | ||
| (bool success, ) = address(AGREEMENT_ADDRESS).call(calldatas[i]); | ||
| require(success, "SaferHarbor call failed"); | ||
| } | ||
| } | ||
| ``` |
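Review bot: `_updateSafeHarbor` is declared `public` although its leading underscore marks it as an internal helper, which puts a function that forwards caller-supplied calldata to `AGREEMENT_ADDRESS` on the contract's external interface. Suggest `internal`. The revert string reads "SaferHarbor", which looks like a typo for "SafeHarbor", and discarding the returned bytes in `(bool success, )` drops the callee's revert reason, which would help when debugging a failed cast.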
There was a problem hiding this comment.
Hmm, not sure we want to have the function in the checklist. Maybe we just reference the archive:
| * [ ] If not already present, add the helper function to perform the call: | |
| ```solidity | |
| function _updateSafeHarbor(bytes[] memory calldatas) public { | |
| for (uint256 i = 0; i < calldatas.length; i++) { | |
| (bool success, ) = address(AGREEMENT_ADDRESS).call(calldatas[i]); | |
| require(success, "SaferHarbor call failed"); | |
| } | |
| } | |
| ``` | |
| * [ ] If not already present, add the helper function to perform the call, using the established archive pattern. |
SidestreamBurningBanana
left a comment
There was a problem hiding this comment.
Approving with 2 nits present, will give re-approval if they are resolved
No description provided.