The changes introduce totalTheoreticalSupply tracking and an isZoltar access modifier to the ReputationToken contract while significantly refactoring the test suite to focus on universe forking scenarios, but contain critical logic errors in the asymmetric supply update mechanism and incorrect CREATE2 salt encoding that result in invalid contract address calculations.
⚠️ 2 issues found across 4 files
#1 Logic error: Burn function incorrectly decrements totalTheoreticalSupply
The burn function decrements totalTheoreticalSupply (line 32), but the mint function does not increment it, creating an asymmetric state update. Furthermore, the setter is named setMaxTheoreticalSupply suggesting this variable represents a maximum cap, which should not decrease when tokens are burned. This creates an underflow risk (revert in Solidity 0.8+) if burn is called with a value exceeding the current totalTheoreticalSupply, effectively preventing token burns in certain states and breaking the expected economic model.
Tags: bug, logic, naming
Affected code:
The function uses numberToBytes(0) which produces a single byte (0x00) for the salt parameter. Ethereum's CREATE2 opcode requires a strictly 32-byte salt. This causes the computed contract address to be incorrect compared to the standard deployment which uses 32-byte salts (as evidenced by getRepTokenAddress correctly using bytes32String). This will cause isZoltarDeployed to always return false and getZoltarAddress to return the wrong address.
Tags: bug, security
Affected code:
#1 This is not an issue, as totalTheoreticalSupply should be the max supply that we know the supply will be when the rep token is created. This number can only be reduced with burn; we will not mint above the threshold.
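The salt-length point in the review's CREATE2 finding can be checked off-chain. The following is an added example, not code from this pull request: it computes the CREATE2 address with a self-contained Keccak-256 and compares a 32-byte zero salt against the single byte the review says numberToBytes(0) produces. The function names and the constructed inputs (zero deployer, init code 0x00, the EIP-1014 example 0 values) are assumptions.

```javascript
// Keccak-256 (Ethereum's hash, not NIST SHA3-256) on 25 BigInt lanes, index x + 5*y.
const MASK = (1n << 64n) - 1n;
const rol = (v, n) => ((v << BigInt(n)) | (v >> BigInt(64 - n))) & MASK;
function keccakF(s) {
  let R = 1; // LFSR state that generates the round constants
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((x) => s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20]);
    for (let i = 0; i < 25; i++) s[i] ^= C[(i + 4) % 5] ^ rol(C[(i + 1) % 5], 1); // theta
    let x = 1, y = 0, cur = s[1];
    for (let t = 0; t < 24; t++) { // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, s[x + 5 * y]] = [s[x + 5 * y], rol(cur, (((t + 1) * (t + 2)) / 2) % 64)];
    }
    for (let row = 0; row < 25; row += 5) { // chi
      const T = s.slice(row, row + 5);
      for (let k = 0; k < 5; k++) s[row + k] = T[k] ^ (~T[(k + 1) % 5] & MASK & T[(k + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) { // iota
      R = ((R << 1) ^ ((R >> 7) * 0x71)) & 0xff;
      if (R & 2) s[0] ^= 1n << ((1n << BigInt(j)) - 1n);
    }
  }
}
function keccak256(bytes) {
  const RATE = 136; // bytes absorbed per permutation
  const padded = new Uint8Array(Math.ceil((bytes.length + 1) / RATE) * RATE);
  padded.set(bytes);
  padded[bytes.length] ^= 0x01; // Keccak (pre-NIST) padding: first bit ...
  padded[padded.length - 1] ^= 0x80; // ... and last bit of the final block
  const s = new Array(25).fill(0n);
  for (let off = 0; off < padded.length; off += RATE) {
    for (let i = 0; i < RATE; i++) s[i >> 3] ^= BigInt(padded[off + i]) << BigInt(8 * (i & 7));
    keccakF(s);
  }
  return Uint8Array.from({ length: 32 }, (_, i) => Number((s[i >> 3] >> BigInt(8 * (i & 7))) & 0xffn));
}
const toHex = (b) => "0x" + Array.from(b, (v) => v.toString(16).padStart(2, "0")).join("");

// CREATE2: address = keccak256(0xff ++ deployer(20) ++ salt(32) ++ keccak256(initCode))[12:]
function create2Address(deployer, salt, initCode, { strict = true } = {}) {
  if (strict && (deployer.length !== 20 || salt.length !== 32))
    throw new RangeError(`need 20-byte deployer and 32-byte salt, got ${deployer.length}/${salt.length}`);
  const pre = Uint8Array.from([0xff, ...deployer, ...salt, ...keccak256(initCode)]);
  return toHex(keccak256(pre).slice(12));
}
// Constructed inputs: zero deployer and init code 0x00.
const deployer = new Uint8Array(20), initCode = Uint8Array.of(0x00);
const addr32 = create2Address(deployer, new Uint8Array(32), initCode); // 85-byte preimage
const addr1 = create2Address(deployer, Uint8Array.of(0x00), initCode, { strict: false }); // 54 bytes
console.log({ addr32, addr1, match: addr32 === addr1 });
```

With the default strict check, the one-byte salt is rejected before hashing, which surfaces the encoding mistake at the call site rather than as a silently different address.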