Security and CI settings (#97)

* Create SECURITY.md

* IDEN-725 Add Github workflow security actions

* fix security issues.
run prettier.
increase solc version

* move Pairing.sol to separate file

* rename interface: slither Name reused

* Upgrade tests for convenient check tx reverts

* Add more SMT tests with big numbers and edge cases

* Fix wrong comment

* Remove abicoder v2 and change var type

* Fix import path in the Smt contract

* Rename the _getNodeHash function

* Remove redundant input arguments in the function _pushLeaf()

* Add checking verifier != address(0x0) in the setVerifier() method

* Add check newState != 0 in the transitState() method

* Simplify StateV2 unit tests

* Init memory vars with zero values, refactor some methods

* Fix getStateInfoHistoryById() and getRootHistory() not to throw when startIndex+length>historyLength

* Update public visibility modifier to external whenever possible

* Allow verifier zero address to block any state transition

* Inherit StateV2 from Ownable2StepUpgradeable

* Upgrade OpenZeppelin version

* Fix solhint errors

* Fix solhint errors

* Change visibility of __gap variable in StateV2.sol

* Upgrade GitHub action to [email protected]

* Fix Slither errors

* Upgrade outdated npm packages

* Upgrade Solidity version, add Slither config

* Resolve Slither medium findings

* Fix tests

---------

Co-authored-by: Andriian Chestnykh <[email protected]>
Co-authored-by: vmidyllic <[email protected]>
Co-authored-by: Andriian Chestnykh <>

Author: 3 people

.github/workflows/security-ci.yml

@@ -0,0 +1,44 @@
+name: Security Scan
+on:  # yamllint disable-line rule:truthy
+  push:
+  workflow_call:
+  workflow_dispatch: {}
+
+jobs:
+  slither:
+    name: Slither
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: crytic/[email protected]
+        with:
+          fail-on: medium
+
+  solhint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Get node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: "16.x"
+      - run: npm ci
+      - run: npx solhint "contracts/**/*.sol"
+
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Get node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: "16.x"
+          cache: "npm"
+      - run: npm ci
+      - run: npx hardhat compile
+      - name: solidity-coverage
+        run: npx hardhat coverage
+      - name: coveralls
+        uses: coverallsapp/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.solcover.js

@@ -0,0 +1,4 @@
+module.exports = {
+  configureYulOptimizer: true,
+  skipFiles: ["mocks", "test"],
+};

.solhint.json

@@ -1,14 +1,18 @@
 {
-    "extends": [
-        "solhint:recommended"
+  "extends": "solhint:recommended",
+  "plugins": ["prettier"],
+  "rules": {
+    "code-complexity": ["error", 8],
+    "compiler-version": ["error", ">=0.8.4"],
+    "func-visibility": ["error", { "ignoreConstructors": true }],
+    "max-line-length": ["error", 120],
+    "not-rely-on-time": "off",
+    "prettier/prettier": [
+      "error",
+      {
+        "endOfLine": "auto"
+      }
     ],
-    "rules": {
-        "prettier/prettier": "error",
-        "avoid-throw": false,
-        "avoid-suicide": "error",
-        "avoid-sha3": "warn"
-    },
-    "plugins": [
-        "prettier"
-    ]
+    "reason-string": ["warn", { "maxLength": 64 }]
+  }
 }

.solhintignore

@@ -0,0 +1,3 @@
+# directories
+**/lib
+**/node_modules

SECURITY.md

@@ -0,0 +1,17 @@
+# Polygon Technology Security Information
+
+## Link to vulnerability disclosure details (Bug Bounty).
+- Websites and Applications: https://hackerone.com/polygon-technology
+- Smart Contracts: https://immunefi.com/bounty/polygon
+
+## Languages that our team speaks and understands.
+Preferred-Languages: en
+
+## Security-related job openings at Polygon.
+https://polygon.technology/careers
+
+## Polygon security contact details.
+[email protected]
+
+## The URL for accessing the security.txt file.
+Canonical: https://polygon.technology/security.txt

contracts/Schema.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-3.0
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 /**
  * @title Schema
@@ -14,14 +14,10 @@ contract SchemaRegistry {
         uint256 timestamp;
     }
 
-    mapping(string => bytes32) nameHash;
-    mapping(bytes32 => Schema) hashSchema;
+    mapping(string => bytes32) public nameHash;
+    mapping(bytes32 => Schema) public hashSchema;
 
-    function getHashFromBytes(bytes memory schemaBody)
-        private
-        pure
-        returns (bytes32)
-    {
+    function getHashFromBytes(bytes memory schemaBody) private pure returns (bytes32) {
         return keccak256(schemaBody);
     }
 
@@ -54,11 +50,7 @@ contract SchemaRegistry {
         return nameHash[name];
     }
 
-    function getBytesByName(string memory name)
-        public
-        view
-        returns (bytes memory)
-    {
+    function getBytesByName(string memory name) public view returns (bytes memory) {
         bytes32 hash = nameHash[name];
         return hashSchema[hash].body;
     }

contracts/SchemaUrlRegistry.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-3.0
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 /**
  * @title Schema
@@ -25,12 +25,12 @@ contract SchemaUrlRegistry {
     function save(bytes32 id, string memory credentialType, string memory url) public {
         require(schemaMap[id].creator != address(0), "Schema already exists");
 
-        Schema memory s = Schema({// creating new schema
-        creator : msg.sender,
-        id : id,
-        credentialType : credentialType,
-        timestamp : block.timestamp,
-        url : url
+        Schema memory s = Schema({ // creating new schema
+            creator: msg.sender,
+            id: id,
+            credentialType: credentialType,
+            timestamp: block.timestamp,
+            url: url
         });
 
         schemaMap[id] = s;
@@ -39,12 +39,16 @@ contract SchemaUrlRegistry {
     /**
      * @dev getSchemaById is function to retrieve ipfs utl by name
      * @param id - hash of the schema
-    */
-    function getSchemaById(bytes32 id)
-    public
-    view
-    returns (bytes32, string memory, string memory, address, uint256)
-    {
-        return (schemaMap[id].id, schemaMap[id].credentialType, schemaMap[id].url, schemaMap[id].creator, schemaMap[id].timestamp);
+     */
+    function getSchemaById(
+        bytes32 id
+    ) public view returns (bytes32, string memory, string memory, address, uint256) {
+        return (
+            schemaMap[id].id,
+            schemaMap[id].credentialType,
+            schemaMap[id].url,
+            schemaMap[id].creator,
+            schemaMap[id].timestamp
+        );
     }
 }

contracts/ZKPVerifier.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import "@openzeppelin/contracts/access/Ownable.sol";
@@ -63,7 +63,6 @@ contract ZKPVerifier is IZKPVerifier, Ownable {
         uint256 operator,
         uint256[] calldata value
     ) public override onlyOwner returns (bool) {
-
         uint256 valueHash = PoseidonFacade.poseidonSponge(value);
         // only merklized claims are supported (claimPathNotExists is false, slot index is set to 0 )
         uint256 queryHash = PoseidonFacade.poseidon6(

contracts/examples/ERC20Verifier.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import "../lib/GenesisUtils.sol";
@@ -13,27 +13,19 @@ contract ERC20Verifier is ERC20, ZKPVerifier {
     mapping(uint256 => address) public idToAddress;
     mapping(address => uint256) public addressToId;
 
-    uint256 public TOKEN_AMOUNT_FOR_AIRDROP_PER_ID =
-        5 * 10**uint256(decimals());
+    uint256 public TOKEN_AMOUNT_FOR_AIRDROP_PER_ID = 5 * 10 ** uint256(decimals());
 
-    constructor(string memory name_, string memory symbol_)
-        ERC20(name_, symbol_)
-    {}
+    constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}
 
     function _beforeProofSubmit(
-        uint64, /* requestId */
+        uint64 /* requestId */,
         uint256[] memory inputs,
         ICircuitValidator validator
     ) internal view override {
         // check that  challenge input is address of sender
-        address addr = GenesisUtils.int256ToAddress(
-            inputs[validator.getChallengeInputIndex()]
-        );
+        address addr = GenesisUtils.int256ToAddress(inputs[validator.getChallengeInputIndex()]);
         // this is linking between msg.sender and
-        require(
-            _msgSender() == addr,
-            "address in proof is not a sender address"
-        );
+        require(_msgSender() == addr, "address in proof is not a sender address");
     }
 
     function _afterProofSubmit(
@@ -57,7 +49,7 @@ contract ERC20Verifier is ERC20, ZKPVerifier {
     }
 
     function _beforeTokenTransfer(
-        address, /* from */
+        address /* from */,
         address to,
         uint256 /* amount */
     ) internal view override {

contracts/interfaces/ICircuitValidator.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-3.0
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 interface ICircuitValidator {
     struct CircuitQuery {

contracts/interfaces/IERC20zkp.sol

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0
 
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 interface IERC20ZKP {
     function transferWithProof(

contracts/interfaces/IState.sol

@@ -1,4 +1,5 @@
-pragma solidity ^0.8.0;
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity 0.8.16;
 
 interface IState {
     /**
@@ -37,25 +38,19 @@ interface IState {
         uint256 replacedAtBlock;
     }
 
-    function getStateInfoById(
-        uint256 id
-    ) external view returns (StateInfo memory);
+    function getStateInfoById(uint256 id) external view returns (StateInfo memory);
 
     /**
      * @dev Retrieve the specific GIST root information.
      * @param root GIST root
      * @return The GIST root info
      */
-    function getGISTRootInfo(
-        uint256 root
-    ) external view returns (RootInfo memory);
+    function getGISTRootInfo(uint256 root) external view returns (RootInfo memory);
 
     /**
      * @dev Retrieve state information by state.
      * @param state A state
      * @return The state info
      */
-    function getStateInfoByState(
-        uint256 state
-    ) external view returns (StateInfo memory);
+    function getStateInfoByState(uint256 state) external view returns (StateInfo memory);
 }

contracts/interfaces/IStateTransitionVerifier.sol

@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity 0.8.16;
+
+interface IStateTransitionVerifier {
+    function verifyProof(
+        uint256[2] memory a,
+        uint256[2][2] memory b,
+        uint256[2] memory c,
+        uint256[4] memory input
+    ) external view returns (bool r);
+}

contracts/interfaces/IVerifier.sol

@@ -1,4 +1,5 @@
-pragma solidity ^0.8.0;
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity 0.8.16;
 
 interface IVerifier {
     function verifyProof(

contracts/interfaces/IZKPAirdrop.sol

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0
 
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 interface IZKPAirdrop {
     function mintWithProof(

contracts/interfaces/IZKPVerifier.sol

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0
 
-pragma solidity ^0.8.0;
+pragma solidity 0.8.16;
 
 import "./ICircuitValidator.sol";