fix: aderyn static analysis for contracts

packages/enclave-contracts/artifacts/contracts/interfaces/IBondingRegistry.sol/IBondingRegistry.json

@@ -153,6 +153,19 @@
       "name": "LicenseBondUpdated",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "licenseToken",
+          "type": "address"
+        }
+      ],
+      "name": "LicenseTokenSet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -172,6 +185,19 @@
       "name": "OperatorActivationChanged",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "registry",
+          "type": "address"
+        }
+      ],
+      "name": "RegistrySet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -191,6 +217,19 @@
       "name": "RewardDistributorUpdated",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "treasury",
+          "type": "address"
+        }
+      ],
+      "name": "SlashedFundsTreasurySet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -216,6 +255,19 @@
       "name": "SlashedFundsWithdrawn",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "slashingManager",
+          "type": "address"
+        }
+      ],
+      "name": "SlashingManagerSet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -247,6 +299,19 @@
       "name": "TicketBalanceUpdated",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "ticketToken",
+          "type": "address"
+        }
+      ],
+      "name": "TicketTokenSet",
+      "type": "event"
+    },
     {
       "inputs": [
         {
@@ -940,5 +1005,5 @@
   "deployedLinkReferences": {},
   "immutableReferences": {},
   "inputSourceName": "project/contracts/interfaces/IBondingRegistry.sol",
-  "buildInfoId": "solc-0_8_28-64228f31c3990e4616cf0578598d186612e83409"
+  "buildInfoId": "solc-0_8_28-2705a75bc2d2d1f8b1e08ebca4cc37d76480abc8"
 }

packages/enclave-contracts/artifacts/contracts/interfaces/ICiphernodeRegistry.sol/ICiphernodeRegistry.json

@@ -971,5 +971,5 @@
   "deployedLinkReferences": {},
   "immutableReferences": {},
   "inputSourceName": "project/contracts/interfaces/ICiphernodeRegistry.sol",
-  "buildInfoId": "solc-0_8_28-64228f31c3990e4616cf0578598d186612e83409"
+  "buildInfoId": "solc-0_8_28-2705a75bc2d2d1f8b1e08ebca4cc37d76480abc8"
 }

packages/enclave-contracts/artifacts/contracts/interfaces/IEnclave.sol/IEnclave.json

@@ -838,6 +838,25 @@
       "name": "ParamSetRegistered",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "bytes32",
+          "name": "encryptionSchemeId",
+          "type": "bytes32"
+        },
+        {
+          "indexed": false,
+          "internalType": "address",
+          "name": "pkVerifier",
+          "type": "address"
+        }
+      ],
+      "name": "PkVerifierSet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -2078,5 +2097,5 @@
   "deployedLinkReferences": {},
   "immutableReferences": {},
   "inputSourceName": "project/contracts/interfaces/IEnclave.sol",
-  "buildInfoId": "solc-0_8_28-64228f31c3990e4616cf0578598d186612e83409"
+  "buildInfoId": "solc-0_8_28-2705a75bc2d2d1f8b1e08ebca4cc37d76480abc8"
 }

packages/enclave-contracts/artifacts/contracts/interfaces/ISlashingManager.sol/ISlashingManager.json

@@ -216,6 +216,58 @@
       "name": "AppealResolved",
       "type": "event"
     },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "bondingRegistry",
+          "type": "address"
+        }
+      ],
+      "name": "BondingRegistrySet",
+      "type": "event"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "ciphernodeRegistry",
+          "type": "address"
+        }
+      ],
+      "name": "CiphernodeRegistrySet",
+      "type": "event"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "e3RefundManager",
+          "type": "address"
+        }
+      ],
+      "name": "E3RefundManagerSet",
+      "type": "event"
+    },
+    {
+      "anonymous": false,
+      "inputs": [
+        {
+          "indexed": true,
+          "internalType": "address",
+          "name": "enclave",
+          "type": "address"
+        }
+      ],
+      "name": "EnclaveSet",
+      "type": "event"
+    },
     {
       "anonymous": false,
       "inputs": [
@@ -954,5 +1006,5 @@
   "deployedLinkReferences": {},
   "immutableReferences": {},
   "inputSourceName": "project/contracts/interfaces/ISlashingManager.sol",
-  "buildInfoId": "solc-0_8_28-64228f31c3990e4616cf0578598d186612e83409"
+  "buildInfoId": "solc-0_8_28-2705a75bc2d2d1f8b1e08ebca4cc37d76480abc8"
 }

packages/enclave-contracts/contracts/E3RefundManager.sol

@@ -3,7 +3,7 @@
 // This file is provided WITHOUT ANY WARRANTY;
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
-pragma solidity >=0.8.27;
+pragma solidity 0.8.28;
 import {
     OwnableUpgradeable
 } from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
@@ -54,6 +54,9 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
     mapping(uint256 e3Id => address[] nodes) internal _honestNodes;
     /// @notice Pending slashed funds awaiting E3 terminal state
     mapping(uint256 e3Id => uint256 amount) internal _pendingSlashedFunds;
+
+    /// @notice Basis points denominator (100%)
+    uint16 internal constant BPS_BASE = 10000;
     ////////////////////////////////////////////////////////////
     //                                                        //
     //                       Modifiers                        //
@@ -128,8 +131,10 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
         );
 
         // Calculate base distribution
-        uint256 honestNodeAmount = (originalPayment * workCompletedBps) / 10000;
-        uint256 requesterAmount = (originalPayment * workRemainingBps) / 10000;
+        uint256 honestNodeAmount = (originalPayment * workCompletedBps) /
+            BPS_BASE;
+        uint256 requesterAmount = (originalPayment * workRemainingBps) /
+            BPS_BASE;
         uint256 protocolAmount = originalPayment -
             honestNodeAmount -
             requesterAmount;
@@ -236,7 +241,7 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
             workCompletedBps = alloc.committeeFormationBps + alloc.dkgBps;
         }
 
-        workRemainingBps = 10000 - workCompletedBps - alloc.protocolBps;
+        workRemainingBps = BPS_BASE - workCompletedBps - alloc.protocolBps;
     }
 
     ////////////////////////////////////////////////////////////
@@ -359,7 +364,7 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
         require(address(paymentToken) != address(0), "Invalid fee token");
 
         uint256 toNodes = (escrowed * _workAllocation.successSlashedNodeBps) /
-            10000;
+            BPS_BASE;
         uint256 toProtocol = escrowed - toNodes;
 
         if (toProtocol > 0) {
@@ -453,8 +458,8 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
             uint256(allocation.dkgBps) +
             uint256(allocation.decryptionBps) +
             uint256(allocation.protocolBps);
-        require(total == 10000, "Must sum to 10000");
-        require(allocation.successSlashedNodeBps <= 10000, "Invalid BPS");
+        require(total == BPS_BASE, "Must sum to 10000");
+        require(allocation.successSlashedNodeBps <= BPS_BASE, "Invalid BPS");
 
         _workAllocation = allocation;
 
@@ -466,13 +471,15 @@ contract E3RefundManager is IE3RefundManager, OwnableUpgradeable {
     function setEnclave(address _enclave) external onlyOwner {
         require(_enclave != address(0), "Invalid enclave");
         enclave = IEnclave(_enclave);
+        emit EnclaveSet(_enclave);
     }
 
     /// @notice Set the treasury address
     /// @param _treasury New treasury address
     function setTreasury(address _treasury) external onlyOwner {
         require(_treasury != address(0), "Invalid treasury");
         treasury = _treasury;
+        emit TreasurySet(_treasury);
     }
 
     /// @notice Recover orphaned slashed funds for an E3 that has already completed

packages/enclave-contracts/contracts/Enclave.sol

@@ -3,7 +3,7 @@
 // This file is provided WITHOUT ANY WARRANTY;
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
-pragma solidity >=0.8.27;
+pragma solidity 0.8.28;
 
 import { IEnclave, E3, IE3Program } from "./interfaces/IEnclave.sol";
 import { ICiphernodeRegistry } from "./interfaces/ICiphernodeRegistry.sol";
@@ -249,7 +249,7 @@ contract Enclave is IEnclave, OwnableUpgradeable {
             block.timestamp +
             _timeoutConfig.computeWindow +
             _timeoutConfig.decryptionWindow;
-        // TODO do we actually need a max duration?
+        // Validate total duration does not exceed maxDuration
         require(totalDuration < maxDuration, InvalidDuration(totalDuration));
 
         require(
@@ -261,6 +261,10 @@ contract Enclave is IEnclave, OwnableUpgradeable {
 
         e3Id = nexte3Id;
         nexte3Id++;
+        // Seed uses block.prevrandao combined with e3Id as additional entropy.
+        // While prevrandao is not cryptographically unpredictable (validator-controlled),
+        // the combination with the unique, incrementing e3Id mitigates manipulation.
+        // The seed is used solely for weighted sortition, not for cryptographic key generation.
         uint256 seed = uint256(keccak256(abi.encode(block.prevrandao, e3Id)));
 
         e3Payments[e3Id] = e3Fee;
@@ -290,8 +294,6 @@ contract Enclave is IEnclave, OwnableUpgradeable {
         e3.plaintextOutput = hex"";
         e3.requester = msg.sender;
 
-        feeToken.safeTransferFrom(msg.sender, address(this), e3Fee);
-
         bytes memory e3ProgramParams = paramSetRegistry[requestParams.paramSet];
         require(e3ProgramParams.length > 0, "BFV param set not registered");
 
@@ -321,8 +323,12 @@ contract Enclave is IEnclave, OwnableUpgradeable {
         e3.encryptionSchemeId = encryptionSchemeId;
         e3.decryptionVerifier = decryptionVerifier;
         e3.pkVerifier = pkVerifier;
+        // CEI: write all state before external calls below
         e3s[e3Id] = e3;
 
+        // Transfer fee after all validations and state changes
+        feeToken.safeTransferFrom(msg.sender, address(this), e3Fee);
+
         require(
             ciphernodeRegistry.requestCommittee(e3Id, seed, threshold),
             CommitteeSelectionFailed()
@@ -638,6 +644,7 @@ contract Enclave is IEnclave, OwnableUpgradeable {
             InvalidEncryptionScheme(encryptionSchemeId)
         );
         pkVerifiers[encryptionSchemeId] = pkVerifier;
+        emit PkVerifierSet(encryptionSchemeId, address(pkVerifier));
     }
 
     /// @inheritdoc IEnclave

packages/enclave-contracts/contracts/interfaces/IBondingRegistry.sol

@@ -4,7 +4,7 @@
 // without even the implied warranty of MERCHANTABILITY
 // or FITNESS FOR A PARTICULAR PURPOSE.
 
-pragma solidity >=0.8.27;
+pragma solidity 0.8.28;
 
 import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import { ICiphernodeRegistry } from "./ICiphernodeRegistry.sol";
@@ -119,6 +119,36 @@ interface IBondingRegistry {
         uint256 licenseAmount
     );
 
+    /**
+     * @notice Emitted when the slashed funds treasury address is set
+     * @param treasury Address of the slashed funds treasury
+     */
+    event SlashedFundsTreasurySet(address indexed treasury);
+
+    /**
+     * @notice Emitted when the ticket token is set
+     * @param ticketToken Address of the ticket token
+     */
+    event TicketTokenSet(address indexed ticketToken);
+
+    /**
+     * @notice Emitted when the license token is set
+     * @param licenseToken Address of the license token
+     */
+    event LicenseTokenSet(address indexed licenseToken);
+
+    /**
+     * @notice Emitted when the registry is set
+     * @param registry Address of the registry
+     */
+    event RegistrySet(address indexed registry);
+
+    /**
+     * @notice Emitted when the slashing manager is set
+     * @param slashingManager Address of the slashing manager
+     */
+    event SlashingManagerSet(address indexed slashingManager);
+
     // ======================
     // View Functions
     // ======================