
[VPD-984] fix(TokenBuyback): Hashdit findings L02 (gap) and I06 (cap clamp) #162

Merged. fred-venus merged 7 commits into develop from feat/VPD-984 on May 14, 2026

@Debugger022
Contributor

Summary

Addresses two Hashdit audit findings on TokenBuyback. Both are Informational on the deployed contract; bundled here so they deploy with the next functional upgrade rather than burning a separate redeploy + VIP cycle for each.

  • I06 — setDailyCapUsd cap reduction can brick executeBuyback. Clamp usdConsumedInWindow down to the new cap inside setDailyCapUsd. Without the clamp, lowering the cap below the current accumulator locks executeBuyback for up to WINDOW seconds while the bucket decays naturally — bad timing if the cap was cut in response to a security incident.

    • Trade-off: the strict "any rolling 24h interval ≤ cap" invariant now holds within a cap epoch only — spending under the previous (higher) cap is forgiven under the new policy.
  • L02 — __gap under-allocated by one slot. Restore __gap from [43] to [44] so contract-local storage totals 50 slots again. The gap was left at 43 after a transient fifth state variable was added and removed during development of the daily-cap fix.

Test plan

  • All existing tests pass (yarn hardhat test tests/ProtocolReserve/TokenBuyback.ts — 60 passing)
  • New tests covering the clamp path:
    • setDailyCapUsd clamps usdConsumedInWindow when new cap is below accumulator
    • setDailyCapUsd does not touch usdConsumedInWindow when new cap is above accumulator
  • OZ upgrade-safety plugin run against the deployed implementation before the next upgrade (no storage layout regression expected; __gap resize is the canonical OZ pattern)

- I06 — Clamp `usdConsumedInWindow` down to the new cap inside
  `setDailyCapUsd`. Without the clamp, lowering the cap below the
  current accumulator locks `executeBuyback` for up to WINDOW seconds
  while the bucket decays naturally — bad timing if the cap was cut
  in response to a security incident. Trade-off: the strict "any
  rolling 24h interval ≤ cap" invariant now holds within a cap epoch
  only; spending under the previous (higher) cap is forgiven under
  the new policy.
- L02 — Restore `__gap` from 43 to 44 so contract-local storage
  totals 50 slots again. The gap was left at 43 after a transient
  fifth state variable was added and removed during development of
  the daily-cap fix.

Both findings are Informational on the deployed contract; bundled
here so they deploy with the next functional upgrade of TokenBuyback
rather than burning a separate redeploy + VIP cycle for each.
Debugger022 self-assigned this May 11, 2026
Debugger022 marked this pull request as ready for review May 12, 2026 11:39
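
The I06 lockout described in the summary above, as an added Python model that is not part of this pull request or of the TokenBuyback code. It compares how long a buyback stays blocked after a cap cut with and without the clamp. The linear decay rule, the class and helper names, and the scenario numbers are assumptions; only `usdConsumedInWindow`, `setDailyCapUsd`, `executeBuyback` and `WINDOW` come from the page.

```python
WINDOW = 24 * 60 * 60  # seconds; matches the "rolling 24h" window named in the PR


class BuybackLimiter:
    """Off-chain model of the daily-cap accumulator; the decay rule is an assumption."""

    def __init__(self, cap_usd, clamp_on_cap_change):
        self.cap = cap_usd
        self.consumed = 0            # models usdConsumedInWindow
        self.last_update = 0
        self.clamp = clamp_on_cap_change

    def consumed_at(self, now):
        # Assumed rule: linear decay, an untouched bucket is empty after WINDOW seconds.
        elapsed = min(now - self.last_update, WINDOW)
        return self.consumed * (WINDOW - elapsed) // WINDOW

    def _sync(self, now):
        self.consumed, self.last_update = self.consumed_at(now), now

    def execute_buyback(self, now, usd):
        self._sync(now)
        if self.consumed + usd > self.cap:
            return False             # the contract call would revert here
        self.consumed += usd
        return True

    def set_daily_cap_usd(self, now, new_cap):
        self._sync(now)
        self.cap = new_cap
        if self.clamp and self.consumed > new_cap:
            self.consumed = new_cap  # the clamp described under I06

    def lockout_seconds(self, now, usd, step=60):
        """Seconds from `now` until a buyback of `usd` would first pass (read-only)."""
        for wait in range(0, WINDOW + step, step):
            if self.consumed_at(now + wait) + usd <= self.cap:
                return wait
        return None  # usd alone exceeds the cap


def cap_cut_lockout(clamp, old_cap=1_000, new_cap=100, cut_at=3_600, usd=50):
    """Constructed scenario: fill the bucket at t=0, cut the cap one hour later."""
    limiter = BuybackLimiter(old_cap, clamp)
    assert limiter.execute_buyback(0, old_cap)
    limiter.set_daily_cap_usd(cut_at, new_cap)
    return limiter.consumed, limiter.lockout_seconds(cut_at, usd)
```

In this model the clamp leaves the bucket full at the new cap, so the wait for a 50 USD buyback drops to roughly half the window (what any full bucket imposes) rather than to zero.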
Debugger022 added a commit that referenced this pull request May 13, 2026
…ep 3

Update 10 TokenBuyback proxy addresses to PR #162 redeploy. Move
Shortfall.pauseAuctions out of _runPrimeAllocation into _pauseRevenueFlows
so revenue-flow pause is atomic with converter pause (single step 3 rather
than split across step 3 and step 5). Rewrite trust-model docstring to
reflect deploy scripts setting pendingOwner = helper directly, dropping
the timelock-hop preparatory acceptOwnership step.
Debugger022 added a commit that referenced this pull request May 13, 2026
Add the PLP USDC handoff + executeSwap call between execute1 and execute2,
update buyback addresses to the PR #162 redeploy, pin FORK_BLOCK past it,
and add asserts for: executedSwap flag, USDT/U landing in PLP above
MIN_OUT, USDC leftover refunded to timelock, and Shortfall.auctionsPaused
(now set in execute1's _pauseRevenueFlows, not the swap block).
Debugger022 mentioned this pull request May 13, 2026
@fred-venus
Contributor

probably can attach 2 audit reports as well?

fred-venus previously approved these changes May 13, 2026
@github-actions

Code Coverage

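| Package | Line Rate | Branch Rate | Health |
| --- | --- | --- | --- |
| Interfaces | 100% | 100% | |
| ProtocolReserve | 95% | 78% | |
| Test | 100% | 100% | |
| Test.Mocks | 65% | 44% | |
| TokenConverter | 89% | 74% | |
| Utils | 100% | 100% | |
| Summary | 89% (696 / 782) | 75% (243 / 326) | |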

fred-venus merged commit 68aa023 into develop May 14, 2026
5 checks passed