Add openzeppelin audit changes

ilitteri · ilitteri · commit 04ea681eafa5 · 2024-12-17T19:08:32.000-03:00
diff --git a/claim_contracts/README.md b/claim_contracts/README.md
@@ -17,6 +17,7 @@ To deploy the contracts, set the following environment variables:
 - `MERKLE_ROOT`: The merkle root of all valid token claims.
 
 Example:
+
 ```
 export DEPLOYER_PRIVATE_KEY=<deployer_private_key>
 export SAFE_ADDRESS=0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
@@ -42,6 +43,7 @@ This is a series of steps to deploy the token to production and upgrade it if ne
 ### Safe wallet creation
 
 First we create a wallet in [Safe](https://app.safe.global/) to represent the foundation. We assume this is done by the user. This safe will:
+
 - Receive part of the deployed tokens.
 - Own the proxy admin contract. This is the contract that can upgrade the token contract.
 - Own the proxy contract. This will point to the current implementation of the contract. All users and the safe itself will interact with this contract to mint, transfer, burn, and other erc20 operations.
@@ -51,7 +53,7 @@ First we create a wallet in [Safe](https://app.safe.global/) to represent the fo
 There is an example configuration file in `script-config/config.example.json`. Before deploying to production, we need to create a `config.mainnet.json` file in the same folder with the same contents as the example, but we need to change a couple of fields:
 
 - `foundation`: this is the address of the safe that was created in the previous step.
-- `claimSupplier`: this is the address of a different safe that will provide the funds for the claim contract when it is deployed.
+- `tokenDistributor`: this is the address of a different safe that will provide the funds for the claim contract when it is deployed.
 - `deployer`: The address of the deterministic create2 deployer as specified in the [official repo](https://github.com/Arachnid/deterministic-deployment-proxy). The address should be `0x4e59b44847b379578588920ca78fbf26c0b4956c`.
 - `salt`: An arbitrary value provided by the sender. This is a 32-bytes hex string. We default to 0.
 
@@ -69,6 +71,7 @@ This make target internally executes a forge script that:
 The private key does NOT correspond to the safe, it needs to represent an account with sufficient funds to deploy the token.
 
 Arguments (env variables):
+
 - `PRIVATE_KEY`: the private key of the deployer account. This is NOT the foundation safe, just any account with enough eth for the deployment. This operation consumes approximately `3935470` gas units. As of Dec 16 2024, the gas price for a high priority is 16 gwei, which means around `0.063` eth.
 - `RPC_URL`: a gateway or node that allows for rpc calls.
 - `CONFIG`: the name of the configuration file. For `config.example.json` the name would be `example`. For `config.mainnet.json`, this would be `mainnet`.
diff --git a/claim_contracts/script-config/config.example.json b/claim_contracts/script-config/config.example.json
@@ -2,7 +2,7 @@
   "salt": "0x0000000000000000000000000000000000000000000000000000000000000000",
   "deployer": "0x4e59b44847b379578588920cA78FbF26c0B4956C",
   "foundation": "0x3C44CdDdB6a900fa2b585dd299e03d12FA4293BC",
-  "claimSupplier": "0x70997970C51812dc3A010C7d01b50e0d17dc79C8",
+  "tokenDistributor": "0x70997970C51812dc3A010C7d01b50e0d17dc79C8",
   "limitTimestampToClaim": 2733427549,
   "claimMerkleRoot": "0x90076b5fb9a6c81d9fce83dfd51760987b8c49e7c861ea25b328e6e63d2cd3df",
   "airdropProxy": "0x882b82f4E9014164Af87ecdAB64955cf7C252C4f",
diff --git a/claim_contracts/script/DeployAlignedToken.s.sol b/claim_contracts/script/DeployAlignedToken.s.sol
@@ -12,20 +12,28 @@ import {Utils} from "./Utils.sol";
 contract DeployAlignedToken is Script {
     function run(string memory config) public {
         string memory root = vm.projectRoot();
-        string memory path = string.concat(root, "/script-config/config.", config, ".json");
+        string memory path = string.concat(
+            root,
+            "/script-config/config.",
+            config,
+            ".json"
+        );
         string memory config_json = vm.readFile(path);
 
         bytes32 _salt = stdJson.readBytes32(config_json, ".salt");
         address _deployer = stdJson.readAddress(config_json, ".deployer");
         address _foundation = stdJson.readAddress(config_json, ".foundation");
-        address _claimSupplier = stdJson.readAddress(config_json, ".claimSupplier");
+        address _tokenDistributor = stdJson.readAddress(
+            config_json,
+            ".tokenDistributor"
+        );
 
         TransparentUpgradeableProxy _tokenProxy = deployAlignedTokenProxy(
             _foundation,
             _salt,
             _deployer,
             _foundation,
-            _claimSupplier
+            _tokenDistributor
         );
 
         console.log(
@@ -40,12 +48,21 @@ contract DeployAlignedToken is Script {
         );
 
         string memory deployedAddressesJson = "deployedAddressesJson";
-        string memory finalJson = vm.serializeAddress(deployedAddressesJson, "tokenProxy", address(_tokenProxy));
+        string memory finalJson = vm.serializeAddress(
+            deployedAddressesJson,
+            "tokenProxy",
+            address(_tokenProxy)
+        );
 
-        vm.writeJson(finalJson, _getOutputPath("deployed_token_addresses.json"));
+        vm.writeJson(
+            finalJson,
+            _getOutputPath("deployed_token_addresses.json")
+        );
     }
 
-    function _getOutputPath(string memory fileName) internal returns (string memory) {
+    function _getOutputPath(
+        string memory fileName
+    ) internal returns (string memory) {
         string memory outputDir = "script-out/";
 
         // Create output directory if it doesn't exist
diff --git a/claim_contracts/script/DeployAll.s.sol b/claim_contracts/script/DeployAll.s.sol
@@ -23,7 +23,7 @@ contract DeployAll is Script {
         address _deployer = stdJson.readAddress(config_json, ".deployer");
         address _foundation = stdJson.readAddress(config_json, ".foundation");
         address _safe = _foundation;
-        address _claim = stdJson.readAddress(config_json, ".claimSupplier");
+        address _claim = stdJson.readAddress(config_json, ".tokenDistributor");
         uint256 _claimPrivateKey = vm.envUint("CLAIM_SUPPLIER_PRIVATE_KEY");
         uint256 _limitTimestampToClaim = stdJson.readUint(
             config_json,
diff --git a/claim_contracts/src/AlignedToken.sol b/claim_contracts/src/AlignedToken.sol
@@ -7,6 +7,9 @@ import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20PermitUp
 import "@openzeppelin/contracts-upgradeable/token/ERC20/extensions/ERC20BurnableUpgradeable.sol";
 import "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
 
+/// @title Aligned Token
+/// @notice This contract is the implementation of the Aligned Token
+/// @dev This contract is upgradeable and should be used only through the proxy contract
 contract AlignedToken is
     Initializable,
     ERC20Upgradeable,
@@ -20,6 +23,12 @@ contract AlignedToken is
     /// @notice Symbol of the token.
     string public constant SYMBOL = "ALIGN";
 
+    /// @notice Supply of the token for the foundation.
+    uint256 public constant FOUNDATION_SUPPLY = 7_400_000_000e18; // 7.4 billion
+
+    /// @notice Supply of the token for the token distributor.
+    uint256 public constant TOKEN_DISTRIBUTOR_SUPPLY = 2_600_000_000e18; // 2.6 billion
+
     /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
         _disableInitializers();
@@ -28,23 +37,22 @@ contract AlignedToken is
     /// @notice Initializes the contract.
     /// @dev This initializer should be called only once.
     /// @param _foundation address of the foundation.
-    /// @param _claimSupplier address of the claim supplier. This is the address
+    /// @param _tokenDistributor address of the token distributor. This is the address
     /// that will give the tokens to the users that claim them.
     function initialize(
         address _foundation,
-        address _claimSupplier
-    ) public initializer {
+        address _tokenDistributor
+    ) external initializer {
         require(
-            _foundation != address(0) && _claimSupplier != address(0),
-            "Invalid _foundation or _claimSupplier"
+            _foundation != address(0) && _tokenDistributor != address(0),
+            "Invalid _foundation or _tokenDistributor"
         );
         __ERC20_init(NAME, SYMBOL);
         __ERC20Permit_init(NAME);
         __ERC20Burnable_init();
-        __Ownable2Step_init(); // default is msg.sender
-        _transferOwnership(_foundation);
-        _mint(_foundation, 7_400_000_000e18); // 7.4 billion
-        _mint(_claimSupplier, 2_600_000_000e18); // 2.6 billion
+        __Ownable_init(_foundation);
+        _mint(_foundation, FOUNDATION_SUPPLY);
+        _mint(_tokenDistributor, TOKEN_DISTRIBUTOR_SUPPLY);
     }
 
     /// @notice Mints `amount` of tokens.
diff --git a/claim_contracts/src/ClaimableAirdrop.sol b/claim_contracts/src/ClaimableAirdrop.sol
@@ -1,24 +1,27 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
-import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
-import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
-import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
-import "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
-import "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
-
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";
+import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
+import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
+import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
+
+/// @title Claimable Airdrop
+/// @notice This contract is the implementation of the Claimable Airdrop
+/// @dev This contract is upgradeable and should be used only through the proxy contract
 contract ClaimableAirdrop is
-    ReentrancyGuard,
     Initializable,
+    ReentrancyGuardUpgradeable,
     PausableUpgradeable,
     Ownable2StepUpgradeable
 {
     /// @notice Address of the token contract to claim.
     address public tokenProxy;
 
     /// @notice Address of the wallet that has the tokens to distribute to the claimants.
-    address public claimSupplier;
+    address public tokenDistributor;
 
     /// @notice Timestamp until which the claimants can claim the tokens.
     uint256 public limitTimestampToClaim;
@@ -28,10 +31,20 @@ contract ClaimableAirdrop is
 
     /// @notice Mapping of the claimants that have claimed the tokens.
     /// @dev true if the claimant has claimed the tokens.
-    mapping(address => bool) public hasClaimed;
+    mapping(address claimer => bool claimed) public hasClaimed;
 
     /// @notice Event emitted when a claimant claims the tokens.
-    event TokenClaimed(address indexed to, uint256 indexed amount);
+    /// @param to address of the claimant.
+    /// @param amount amount of tokens claimed.
+    event TokensClaimed(address indexed to, uint256 indexed amount);
+
+    /// @notice Event emitted when the Merkle root is updated.
+    /// @param newRoot new Merkle root.
+    event MerkleRootUpdated(bytes32 indexed newRoot);
+
+    /// @notice Event emitted when the claim period is extended.
+    /// @param newTimestamp new timestamp until which the claimants can claim the tokens.
+    event ClaimPeriodExtended(uint256 indexed newTimestamp);
 
     /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
@@ -42,34 +55,35 @@ contract ClaimableAirdrop is
     /// @dev This initializer should be called only once.
     /// @param _owner address of the owner of the token.
     /// @param _tokenProxy address of the token contract.
-    /// @param _claimSupplier address of the wallet that has the tokens to distribute to the claimants.
+    /// @param _tokenDistributor address of the wallet that has the tokens to distribute to the claimants.
     /// @param _limitTimestampToClaim timestamp until which the claimants can claim the tokens.
     /// @param _claimMerkleRoot Merkle root of the claimants.
     function initialize(
         address _owner,
         address _tokenProxy,
-        address _claimSupplier,
+        address _tokenDistributor,
         uint256 _limitTimestampToClaim,
         bytes32 _claimMerkleRoot
-    ) public initializer {
+    ) external initializer {
         require(_owner != address(0), "Invalid owner address");
         require(
             _tokenProxy != address(0) && _tokenProxy != address(this),
             "Invalid token contract address"
         );
         require(
-            _claimSupplier != address(0) && _claimSupplier != address(this),
+            _tokenDistributor != address(0) &&
+                _tokenDistributor != address(this),
             "Invalid token owner address"
         );
         require(_limitTimestampToClaim > block.timestamp, "Invalid timestamp");
         require(_claimMerkleRoot != 0, "Invalid Merkle root");
 
-        __Ownable2Step_init(); // default is msg.sender
-        _transferOwnership(_owner);
+        __Ownable_init(_owner);
         __Pausable_init();
+        __ReentrancyGuard_init();
 
         tokenProxy = _tokenProxy;
-        claimSupplier = _claimSupplier;
+        tokenDistributor = _tokenDistributor;
         limitTimestampToClaim = _limitTimestampToClaim;
         claimMerkleRoot = _claimMerkleRoot;
     }
@@ -80,7 +94,7 @@ contract ClaimableAirdrop is
     function claim(
         uint256 amount,
         bytes32[] calldata merkleProof
-    ) public nonReentrant whenNotPaused {
+    ) external nonReentrant whenNotPaused {
         require(
             !hasClaimed[msg.sender],
             "Account has already claimed the drop"
@@ -97,14 +111,8 @@ contract ClaimableAirdrop is
 
         require(verifies, "Invalid Merkle proof");
 
-        require(
-            IERC20(tokenProxy).allowance(claimSupplier, address(this)) >=
-                amount,
-            "Insufficient token allowance"
-        );
-
         bool success = IERC20(tokenProxy).transferFrom(
-            claimSupplier,
+            tokenDistributor,
             msg.sender,
             amount
         );
@@ -113,14 +121,15 @@ contract ClaimableAirdrop is
 
         hasClaimed[msg.sender] = true;
 
-        emit TokenClaimed(msg.sender, amount);
+        emit TokensClaimed(msg.sender, amount);
     }
 
     /// @notice Update the Merkle root.
     /// @param newRoot new Merkle root.
     function updateMerkleRoot(bytes32 newRoot) external whenPaused onlyOwner {
         require(newRoot != 0 && newRoot != claimMerkleRoot, "Invalid root");
         claimMerkleRoot = newRoot;
+        emit MerkleRootUpdated(newRoot);
     }
 
     /// @notice Extend the claim period.
@@ -134,15 +143,16 @@ contract ClaimableAirdrop is
             "Can only extend from current timestamp"
         );
         limitTimestampToClaim = newTimestamp;
+        emit ClaimPeriodExtended(newTimestamp);
     }
 
     /// @notice Pause the contract.
-    function pause() public whenNotPaused onlyOwner {
+    function pause() external onlyOwner {
         _pause();
     }
 
     /// @notice Unpause the contract.
-    function unpause() public whenPaused onlyOwner {
+    function unpause() external onlyOwner {
         _unpause();
     }
 }
diff --git a/claim_contracts/src/ExampleAlignedTokenV3.sol b/claim_contracts/src/ExampleAlignedTokenV3.sol
@@ -28,23 +28,23 @@ contract ExampleAlignedTokenV3 is
     /// @notice Initializes the contract.
     /// @dev This initializer should be called only once.
     /// @param _foundation address of the foundation.
-    /// @param _claimSupplier address of the claim supplier. This is the address
+    /// @param _tokenDistributor address of the claim supplier. This is the address
     /// that will give the tokens to the users that claim them.
     function initialize(
         address _foundation,
-        address _claimSupplier
+        address _tokenDistributor
     ) public initializer {
         require(
-            _foundation != address(0) && _claimSupplier != address(0),
-            "Invalid _foundation or _claimSupplier"
+            _foundation != address(0) && _tokenDistributor != address(0),
+            "Invalid _foundation or _tokenDistributor"
         );
         __ERC20_init(NAME, SYMBOL);
         __ERC20Permit_init(NAME);
         __ERC20Burnable_init();
         __Ownable2Step_init(); // default is msg.sender
         _transferOwnership(_foundation);
         _mint(_foundation, 7_300_000_000e18); // 7.3 billion
-        _mint(_claimSupplier, 2_700_000_000e18); // 2.7 billion
+        _mint(_tokenDistributor, 2_700_000_000e18); // 2.7 billion
     }
 
     function reinitialize() public reinitializer(3) {}
