From e4e6e2fccd6820002eb4a5b4fabdc8ea11031ad9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Oct 2024 08:43:48 -0500
Subject: [PATCH 1/3] Bump secp256k1 from 4.0.3 to 4.0.4 in /docs (#41)
Bumps [secp256k1](https://github.com/cryptocoinjs/secp256k1-node) from
4.0.3 to 4.0.4.
Commits
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/circlefin/evm-cctp-contracts/network/alerts).
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
docs/package-lock.json | 62 ++++++++++++++++++++++++++++++++++--------
1 file changed, 51 insertions(+), 11 deletions(-)
diff --git a/docs/package-lock.json b/docs/package-lock.json
index 995de53..9a7cb8a 100644
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -3063,19 +3063,38 @@
"integrity": "sha512-cdwTTnqPu0Hyvf5in5asVdZocVDTNRmR7XEcJuIzMjJeSHybHl7vpB66AzwTaIg6CLSbtjcxc8fqcySfnTkccA=="
},
"node_modules/secp256k1": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz",
- "integrity": "sha512-NLZVf+ROMxwtEj3Xa562qgv2BK5e2WNmXPiOdVIPLgs6lyTzMvBq0aWTYMI5XCP9jZMVKOcqZLw/Wc4vDkuxhA==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.4.tgz",
+ "integrity": "sha512-6JfvwvjUOn8F/jUoBY2Q1v5WY5XS+rj8qSe0v8Y4ezH4InLgTEeOOPQsRll9OV429Pvo6BCHGavIyJfr3TAhsw==",
"hasInstallScript": true,
"dependencies": {
- "elliptic": "^6.5.4",
- "node-addon-api": "^2.0.0",
+ "elliptic": "^6.5.7",
+ "node-addon-api": "^5.0.0",
"node-gyp-build": "^4.2.0"
},
"engines": {
- "node": ">=10.0.0"
+ "node": ">=18.0.0"
+ }
+ },
+ "node_modules/secp256k1/node_modules/elliptic": {
+ "version": "6.5.7",
+ "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.7.tgz",
+ "integrity": "sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==",
+ "dependencies": {
+ "bn.js": "^4.11.9",
+ "brorand": "^1.1.0",
+ "hash.js": "^1.0.0",
+ "hmac-drbg": "^1.0.1",
+ "inherits": "^2.0.4",
+ "minimalistic-assert": "^1.0.1",
+ "minimalistic-crypto-utils": "^1.0.1"
}
},
+ "node_modules/secp256k1/node_modules/node-addon-api": {
+ "version": "5.1.0",
+ "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-5.1.0.tgz",
+ "integrity": "sha512-eh0GgfEkpnoWDq+VY8OyvYhFEzBk6jIYbRKdIlyTiAXIVJ8PyBaKb0rp7oDtoddbdoHWhq8wwr+XZ81F1rpNdA=="
+ },
"node_modules/send": {
"version": "0.18.0",
"resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
@@ -6333,13 +6352,34 @@
"integrity": "sha512-cdwTTnqPu0Hyvf5in5asVdZocVDTNRmR7XEcJuIzMjJeSHybHl7vpB66AzwTaIg6CLSbtjcxc8fqcySfnTkccA=="
},
"secp256k1": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.3.tgz",
- "integrity": "sha512-NLZVf+ROMxwtEj3Xa562qgv2BK5e2WNmXPiOdVIPLgs6lyTzMvBq0aWTYMI5XCP9jZMVKOcqZLw/Wc4vDkuxhA==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/secp256k1/-/secp256k1-4.0.4.tgz",
+ "integrity": "sha512-6JfvwvjUOn8F/jUoBY2Q1v5WY5XS+rj8qSe0v8Y4ezH4InLgTEeOOPQsRll9OV429Pvo6BCHGavIyJfr3TAhsw==",
"requires": {
- "elliptic": "^6.5.4",
- "node-addon-api": "^2.0.0",
+ "elliptic": "^6.5.7",
+ "node-addon-api": "^5.0.0",
"node-gyp-build": "^4.2.0"
+ },
+ "dependencies": {
+ "elliptic": {
+ "version": "6.5.7",
+ "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.7.tgz",
+ "integrity": "sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==",
+ "requires": {
+ "bn.js": "^4.11.9",
+ "brorand": "^1.1.0",
+ "hash.js": "^1.0.0",
+ "hmac-drbg": "^1.0.1",
+ "inherits": "^2.0.4",
+ "minimalistic-assert": "^1.0.1",
+ "minimalistic-crypto-utils": "^1.0.1"
+ }
+ },
+ "node-addon-api": {
+ "version": "5.1.0",
+ "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-5.1.0.tgz",
+ "integrity": "sha512-eh0GgfEkpnoWDq+VY8OyvYhFEzBk6jIYbRKdIlyTiAXIVJ8PyBaKb0rp7oDtoddbdoHWhq8wwr+XZ81F1rpNdA=="
+ }
}
},
"send": {
From 4b2eb0cb6eabd2a8f19e5d8e27d496e03b0a3db1 Mon Sep 17 00:00:00 2001
From: tongshi
Date: Thu, 21 Nov 2024 11:41:53 -0800
Subject: [PATCH 2/3] [STABLE-7559]: Migrate from Slither to Mythril for static
analysis (#51)
### Summary
Migrate from Slither to Mythril for static analysis
### Detail
- update Makefile command and update CI
- remove Slither relevant configs and add Mythril config
- update README
---
.github/workflows/ci.yml | 38 +++++++++++++++++++++++++++++++++++---
Makefile | 15 ++++++++++-----
README.md | 4 ++--
mythril.config.json | 8 ++++++++
requirements.txt | 1 -
slither.config.json | 9 ---------
6 files changed, 55 insertions(+), 20 deletions(-)
create mode 100644 mythril.config.json
delete mode 100644 slither.config.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9dfec98..a4ba35d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,13 +27,45 @@ jobs:
- name: Run Unit Tests
run: make test
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
- name: Run Integration Tests
run: make anvil-test
- - name: Run Slither
- uses: crytic/slither-action@v0.3.0
+ analyze-message-transmitter:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+
+ - name: Run Static Analysis on Message Transmitter
+ run: make analyze-message-transmitter
+
+ analyze-token-messenger-minter:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
with:
- fail-on: none
+ python-version: '3.10'
+
+ - name: Run Static Analysis on Token Messenger Minter
+ run: make analyze-token-messenger-minter
scan:
needs: lint-and-test
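Review bot: The new `analyze-message-transmitter` and `analyze-token-messenger-minter` jobs (and the `Set up Python` step added to `lint-and-test`) reference `actions/checkout@v4` and `actions/setup-python@v5` by floating major tag, so the action code that runs in CI can change without any commit to this repository. Pin each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, and let Dependabot's `github-actions` ecosystem keep the pins current, as it already does for the npm and yarn lockfiles. Neither new job declares `permissions:`; unless the workflow sets a restrictive default at the top level, which is outside this hunk, add `permissions: contents: read` at job level since the analysis only needs to read the checkout. The two jobs are identical apart from the make target, so a `strategy.matrix` over the target name would remove the duplicated checkout and Python setup steps.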
diff --git a/Makefile b/Makefile
index 3fa14cf..81470a7 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ deploy:
anvil:
docker rm -f anvil || true
- @${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"
+ @${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"
anvil-test: anvil
pip3 install -r requirements.txt
@@ -31,10 +31,15 @@ cast-call:
cast-send:
@docker exec anvil cast send ${contract_address} "${function}" --rpc-url http://localhost:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
-
+
clean:
@${FOUNDRY} "forge clean"
-analyze:
- pip3 install -r requirements.txt
- slither .
+analyze-message-transmitter:
+ pip3 install mythril==0.24.8
+ myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6
+
+analyze-token-messenger-minter:
+ pip3 install mythril==0.24.8
+ myth -v4 analyze src/TokenMessenger.sol --solc-json mythril.config.json --solv 0.7.6
+ myth -v4 analyze src/TokenMinter.sol --solc-json mythril.config.json --solv 0.7.6
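Review bot: The new `analyze-*` targets install `mythril==0.24.8` ad hoc with `pip3 install` instead of from the pinned `requirements.txt` that `anvil-test` still uses (this commit removes `slither-analyzer` from that file), so Mythril's transitive dependencies are resolved fresh and unverified on every CI run and findings can drift between runs. Move the pin into `requirements.txt` or a separate `requirements-analysis.txt` so it lives next to the other pinned tooling, and install it with `pip3 install --require-hashes -r <file>` from a hash-locked file generated by a tool such as `pip-compile --generate-hashes`; if Mythril's dependency set conflicts with the existing pins, which I cannot tell from here, that is worth a comment in the Makefile. Separately, `myth analyze` is invoked without `--execution-timeout`, so a hard-to-solve path can keep the job running until the GitHub Actions job limit; bounding it, e.g. `myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6 --execution-timeout <seconds>`, keeps CI time predictable, and the README's warning that analysis can take several minutes suggests this already matters. The `pip3 install` line is duplicated in both targets; a shared prerequisite target such as `mythril-deps:` would keep the version in one place.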
diff --git a/README.md b/README.md
index 2e0cdd9..039d996 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Run `make anvil-test` to setup `anvil` test node in docker container and run int
Run `yarn lint` to lint all `.sol` files in the `src` and `test` directories.
### Static analysis
-Run `make analyze` to set up Python dependencies from `requirements.txt` and run Slither on all source files, requiring the foundry cli to be installed locally. If all dependencies have been installed, alternatively run `slither .` to run static analysis on all `.sol` files in the `src` directory.
+Run `make analyze-{message-transmitter | token-messenger-minter}` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes.
### Continuous Integration using Github Actions
We use Github actions to run linter and all the tests. The workflow configuration can be found in [.github/workflows/ci.yml](.github/workflows/ci.yml)
@@ -79,4 +79,4 @@ The contracts are deployed using [Forge Scripts](https://book.getfoundry.sh/tuto
3. Run `make deploy RPC_URL= SENDER=` to deploy the contracts
## License
-For license information, see LICENSE and additional notices stored in NOTICES.
\ No newline at end of file
+For license information, see LICENSE and additional notices stored in NOTICES.
diff --git a/mythril.config.json b/mythril.config.json
new file mode 100644
index 0000000..62a08ae
--- /dev/null
+++ b/mythril.config.json
@@ -0,0 +1,8 @@
+{
+ "remappings": [
+ "@memview-sol/=lib/memview-sol/",
+ "@openzeppelin/=lib/openzeppelin-contracts/",
+ "ds-test/=lib/ds-test/src/",
+ "forge-std/=lib/forge-std/src/"
+ ]
+}
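Review bot: The solc settings handed to Mythril contain only `remappings`, so the bytecode it symbolically executes is compiled with solc defaults rather than the settings the project deploys with (optimizer enabled/runs, EVM version), which cannot be confirmed from this hunk. If the foundry profile enables the optimizer, mirror it here, e.g. `"optimizer": { "enabled": true, "runs": <runs-from-foundry-toml> }`, so findings and any triaged false positives correspond to the shipped bytecode; this assumes the `--solc-json` file maps onto standard-JSON `settings`, which the `remappings` key suggests but I have not verified. Since a JSON file cannot carry a comment, a one-line note in the README naming `foundry.toml` as the source of truth for these values would keep the two from drifting.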
diff --git a/requirements.txt b/requirements.txt
index 5d92b31..76697de 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -34,7 +34,6 @@ requests==2.28.1
rlp==2.0.1
semantic-version==2.10.0
six==1.16.0
-slither-analyzer==0.8.3
toolz==0.12.0
urllib3==1.26.11
varint==1.0.2
diff --git a/slither.config.json b/slither.config.json
deleted file mode 100644
index 14d940b..0000000
--- a/slither.config.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "filter_paths": "lib|test",
- "solc_remaps": [
- "@memview-sol/=lib/memview-sol",
- "@openzeppelin/=lib/openzeppelin-contracts",
- "ds-test/=lib/ds-test/src/",
- "forge-std/=lib/forge-std/src/"
- ]
- }
\ No newline at end of file
From 62494f7cc264ddab250ea7a143c5332b3e3f34a5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 Nov 2024 19:42:55 +0000
Subject: [PATCH 3/3] Bump cross-spawn from 6.0.5 to 6.0.6
Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 6.0.5 to 6.0.6.
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/v6.0.6/CHANGELOG.md)
- [Commits](https://github.com/moxystudio/node-cross-spawn/compare/v6.0.5...v6.0.6)
---
updated-dependencies:
- dependency-name: cross-spawn
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
yarn.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 184d680..851f056 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -195,9 +195,9 @@ cosmiconfig@^5.0.7:
parse-json "^4.0.0"
cross-spawn@^6.0.5:
- version "6.0.5"
- resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-6.0.5.tgz#4a5ec7c64dfae22c3a14124dbacdee846d80cbc4"
- integrity sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==
+ version "6.0.6"
+ resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-6.0.6.tgz#30d0efa0712ddb7eb5a76e1e8721bffafa6b5d57"
+ integrity sha512-VqCUuhcd1iB+dsv8gxPttb5iZh/D0iubSP21g36KXdEuf6I5JiioesUVjpCdHV9MZRUfVFlvwtIUyPfxo5trtw==
dependencies:
nice-try "^1.0.4"
path-key "^2.0.1"