fix: address AI review findings on SECURITY_REVIEW.md and deployment.md (#838)
- M-2: update body to show current deployer-only setFeeDestination() implementation and conditional locking; mark as partially resolved; downgrade severity from Medium to Low; update conclusion entry
- I-1: mark as resolved — Recentered event declared at line 66 and emitted at line 224 of LiquidityManager.sol
- I-2: correct VWAP direction (records on sells/ETH outflow, not buys); update stale line reference from 146-158 to 177-191
- deployment.md §6.5: replace vague 'assess severity' step 1 with concrete action (upgrade optimizer to bear defaults via §6.2)
- deployment.md §8 timeline: remove stale 'Set recenter access' row; update 'First recenter' dependency

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent 9b75817300
commit 10c90e4c50
2 changed files with 29 additions and 30 deletions
@ -235,7 +235,7 @@ If the optimizer needs temporary override, deploy a new implementation with hard
### 6.5 Known Attack Response: Floor Ratchet
If floor ratchet extraction is detected (rapid recenters + floor tick creeping toward current price):
1. **Immediately** assess severity — `recenter()` is permissionless (no access-control switch exists); the 60s cooldown is the only rate limiter
1. **Immediately** upgrade the optimizer to safe bear-mode defaults (§6.2) — this maximises floor distance (AW=100 → 7000-tick clearance) and makes ratchet extraction significantly harder while a patched LiquidityManager is prepared. Note: there is no access-control switch on `recenter()`; the 60s cooldown is the only rate limiter
2. Assess floor position state via `positions(0)`
3. Deploy patched LiquidityManager if fix is ready
4. Current mitigation: bear-mode parameters (AW=100) create 7000-tick floor distance, making ratchet extraction significantly harder
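Review bot: step 4 now restates the action and rationale that the new step 1 already carries (bear-mode parameters, AW=100, 7000-tick floor distance, "significantly harder"), so the response list reads as if the same mitigation were applied twice. Either drop step 4 or recast it as a closing note on residual risk, e.g. "Current mitigation only raises the cost of extraction; `recenter()` remains permissionless with the 60s cooldown as the only rate limiter until the patched LiquidityManager in step 3 ships", which also avoids repeating the access-control caveat that step 1 now states. Worth a second look as well: step 2's `positions(0)` check is the only assessment left in the list and it now runs after the optimizer upgrade, so say explicitly whether the responder is expected to upgrade first unconditionally or to confirm the floor position before spending a privileged transaction.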
@ -280,9 +280,8 @@ Track these metrics via Ponder or direct RPC polling:
| Deploy contracts | ~2 min | Funded deployer wallet |
| Verify on Basescan | ~5 min | Deployment complete |
| Fund LiquidityManager | ~1 min | Deployment complete |
| Set recenter access | ~1 min | feeDestination set (multisig) |
| Wait for TWAP history | ~5-10 min | Pool initialized |
| First recenter | ~1 min | TWAP history + recenter access |
| First recenter | ~1 min | TWAP history accumulated |
| Deploy txnBot | ~5 min | Addresses configured |
| Deploy Ponder | ~10 min | Addresses + kraiken-lib updated |
| Deploy frontend | ~5 min | Ponder running |
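Review bot: deleting the `Set recenter access` row also removes the only row whose dependency column mentioned `feeDestination set (multisig)`, so after this hunk the timeline never shows when feeDestination is handed to the multisig, even though the commit message says M-2 is only partially resolved (setFeeDestination() stays deployer-only with conditional locking). Either add a row such as `| Set feeDestination (multisig) | ~1 min | Deployment complete |` after `Fund LiquidityManager`, or state in the surrounding text where that step is tracked, so the multisig handoff does not silently drop out of the deployment sequence while the finding it mitigates is still open.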