CHANGELOG

Please follow https://changelog.md/ conventions.

Checklist

Before a new release, perform the following tasks

  • Code: Update the version name in the base core module, variable VERSION
  • Run linter

npm run-script lint:all:prettier

  • Documentation
    • Perform a code coverage and update the files in the corresponding directory ./doc/general/test/coverage

    • Perform an audit with several audit tools (Mythril and Slither), update the report in the corresponding directory ./doc/audits/tools

    • Update surya doc by running the 3 scripts in ./doc/script

    • Update changelog

2.5.1 - 20241003

  • Beacon Factory: deploy an implementation inside the constructor if no implementation is provided
  • Run Mythril

2.5.0 - 20240910

  • Change Solidity version to 0.8.27 (latest)
  • Some slight improvements to the documentation

2.5.0-rc.0 - 20240809

Features

  • Add ERC-1643 (part of ERC-1400) for document management through an optional external contract called DocumentEngine (not yet available) (Add ERC-1643 support, #267)
  • Externalize the Debt and CreditEvent module to an optional external contract called DebtEngine (not yet available) (Add DebtEngine, #271)
  • CMTAT version compatible with UUPS proxy: more gas efficient than Transparent Proxy and no need for a proxy admin contract. See "Upgradable Smart Contracts | What is a Smart Contract Proxy Pattern?" (Add UUPS proxy support, #270)
  • Remove flag attribute, present since v2.3.0, which was not really used. #266

Technical

2.4.0 - 20240503

The modifications between the version v2.3.0 and this version are not audited !!!

  • Improve tests & update the code
  • ERC20SnapshotInternal inherits from ICMTATSnapshot

2.4.0-rc.1 - 20240319

The modifications between the version v2.3.0 and this version are not audited !!!

snapshotModule

  • Create an interface ICMTATSnapshot with the main public functions of the SnapshotModule, to make it easier to call a contract that includes a snapshotModule; useful e.g. for debt payment.
  • Replace getSnapshotInfoBatch by SnapshotInfo. This function returns the balance of the user given as a parameter and the total supply.
  • Add a new function SnapshotInfoBatch to get several users' balances and the total supply.

ERC20BaseModule

  • Add a function balanceInfo to get the balance for a list of addresses and the total supply. Useful to perform transfer restrictions based on the user's balance (e.g. vesting rule or partial lock).

ValidationModule

  • Create an internal function _validateTransferByModule which performs checks with other modules (PauseModule & EnforcementModule).

Other

  • Upgrade OpenZeppelin to the version v5.0.2
  • Upgrade Solidity to the version 0.8.22 in the truffle and hardhat config files.

2.4.0-rc.0 - 20240129

The modifications between the version v2.3.0 and this version are not audited !!!

New architecture for the RuleEngine #250

  • A new function operateOnTransfer is added and used inside the ValidationModule.
  • Contrary to validateTransfer, this function has to be protected by an access control (if not implemented as view or pure).
  • This function can be used by the RuleEngine to perform operations which modify the state of the blockchain (storage).
  • The RuleEngine now inherits from IRuleEngine, which contains in its interface the function operateOnTransfer + IERC-1404.
  • The function validateTransfer is still available to verify a transfer without performing an operation. The behavior is the same as with the previous CMTAT version.

snapshotModule #256

  • Split the snapshotModuleInternal into two parts: one that inherits from ERC-20, and one that contains the base functions and does not inherit from ERC-20. Thus, to build a snapshotModule with the RuleEngine, the base contract can be used to avoid the inheritance from ERC-20.
  • Add a function getSnapshotInfoBatch to avoid multiple calls when computing debt payment

AuthorizationEngine #254

  • Add the AuthorizationEngine. With it, supplementary checks can be added on the functions grantRole and revokeRole without modifying the CMTAT.

BurnModule

  • Rename forceBurn and forceBurnBatch to burn and burnBatch
  • Add a function burnFrom with a specific role (useful for bridge) for compatibility with CCIP (Ccip, #260)
  • Add a function burnAndMint to perform a burn/mint operation atomically.

Gas optimization

Other

2.3.1

This version contains breaking changes with the version v2.3.0.

  • Remove useless functions init in wrapper modules #230
  • Add missing tests in EnforcementModule #239
  • Use calldata instead of memory #224
  • Upgrade OpenZeppelin to the version v5.0.0

2.3.1-rc.0 - 20230925

The modifications between the version v2.3.0 and this version are not audited !!!

This version contains breaking changes with the version v2.3.0.

Summary

Architecture

  • The directory mandatory is renamed to core (#222)
  • The directory optional is renamed to extensions (#222)
  • Creation of a directory controllers which for the moment contains only the ValidationModule (#222)
  • Rename contract and init function for ERC20BurnModule, ERC20MintModule, ERC20SnapshotModule to clearly indicate the inheritance from ERC20 interface (#226)

Gas optimization

  • Add a batch version for the burn, mint and transfer functions (see #51)
  • Use custom error instead of string error message (#217)

See Defining Industry Standards for Custom Error Messages

Other

  • Add ERC20 decimals as an argument of the initialize function (#213). Until now, the number of decimals was set inside the code to the value 0. This release changes this behavior to use instead a parameter supplied by the deployer inside the function initialize.
  • Add a constant VERSION to indicate the current version of the token (#229)
  • Implement an alternative to the kill function (#221)

The alternative is the function deactivateContract inside the PauseModule, which deactivates the contract. This function sets a boolean state variable isDeactivated to true and puts the contract in the pause state. The function unpause is updated to revert if this variable is set to true, thus the contract is in the pause state "forever".

The consequences are the following:

In standalone mode, this operation is irreversible; it is not possible to roll back.

With a proxy, it is still possible to roll back by deploying a new implementation.

Tools

  • Update the Solidity version to 0.8.20, which is a requirement for the new OpenZeppelin version (5.0.0)
  • Run tests with Hardhat instead of Truffle since Truffle does not support custom errors (#217)
  • Update OpenZeppelin to the version v5.0.0-rc.0

Security

  • Add new control on the DEFAULT_ADMIN_ROLE by inheriting AccessControlDefaultAdminRules (#220). This contract implements the following risk mitigations on top of AccessControl:

    • Only one account holds the DEFAULT_ADMIN_ROLE since deployment until it's potentially renounced.
    • Enforces a 2-step process to transfer the DEFAULT_ADMIN_ROLE to another account.
    • Enforces a configurable delay between the two steps, with the ability to cancel before the transfer is accepted.

  • Add a function transferadminshipDirectly (#226)
  • Remove the module OnlyDelegateCallModule since it was used to protect the function kill, which has been removed in this version (#221).

2.3.0 - 20230609

2.3.0-rc.0 - 20230515

The release 2.3-rc.0 is a release candidate before performing an official release 2.3.

The release 2.3-rc.0 contains mainly the different fixes and improvements related to the audit performed on the version 2.2.

Documentation

  • Update the documentation for the release
  • Add slither & coverage reports
  • Install hardhat in order to use the solidity-coverage plugin

General modifications

  • Rename contract CreditEvents to CreditEventsModule (pull/168)

  • DebtBaseModule: the function setDebt takes an argument of type DebtBase (struct) instead of individual parameters to avoid issues with some compilers (pull/175).

  • The interfaces ERC1404 & ERC1404Wrapper were renamed to IEIP1404 & EIP1404Wrapper since the proposed standard ERC/EIP 1404 has never been approved (pull/166).

  • Improve rule engine architecture: the RuleEngine to be used with the CMTAT has to implement the interface IEIP1404Wrapper (pull/166)

It is no longer necessary to implement the interface RuleEngine, which was moved inside the mock directory.

  • When a contract is deployed, the admin address put in parameter has to be different from zero (pull/162).
  • Remove snapshot module from default import since the snapshotModule is not audited (pull/163)

Audit report

This version also includes improvements suggested by the audit report, addressing the following findings:

CVF-2: Create two main contracts: one for a deployment with a proxy, and one for a standalone deployment

  • ValidationModule & EnforcementModule (pull/153)

CVF-1: The control was made in CMTAT.sol. We have moved this inside the ValidationModule

CVF-3: return a defined error message if the rule engine is not set.

CVF-20: defined two different messages to indicate which address is frozen

CVF-29: defined a list of valid restriction codes in ERC1404Wrapper

CVF-10: override the function hasRole to give all roles to the default admin

CVF-11: remove the function transferContractControl

CVF-5: add a reason argument in the function + event as recommended

Other

CVF-4, CVF-13, CVF-18, CVF-23: CVF related to events (pull/159)

CVF-14: ValidationModule: Move the return statement inside the else branch as recommended (pull/157)

CVF-16, CVF-17, CVF-19, CVF-22, CVF-25: related to events (pull/158)

CVF-21: remove the redundant part in the path (pull/156)

2.2 - 20230122

This version is not audited

This version contains breaking changes with the version 2.1.

OpenZeppelin

Updated OpenZeppelin contracts upgradeable to the version v4.8.1, precisely this commit.

Modules

  • Add the module Debt (pull/118, pull/141)

  • Add the module CreditEvents (pull/135)

  • SnapshotModule: use a sorted array instead of an unsorted array as suggested in the audit report (pull/123)

  • baseModule: add field information & flag (pull/134)

  • Access Control (pull/130):

    • Move AuthorizationModule from wrapper/optional to security
    • Move the different calls of grantRole inside of the function AuthorizationModule_init_unchained
    • Add a function transferAdminship in AuthorizationModule
  • Improve and update tests of the different modules

Audit report

This version also includes improvements suggested by the audit report, addressing the following findings:

  • SnapshotModule / CVF-3, CVF-8, CVF-13, CVF-17: pull/123
  • CVF-21: change the type of the Event RuleEngineSet to IRuleEngine
  • CVF-24, CVF-25, CVF-26: no change in the code, but a comment was added to explain the requirement.
  • CVF-28: call to the Validation_init_unchained function in __CMTAT_init
  • CVF-54: add the reason parameter in events Freeze and Unfreeze

2.1 - 20221216

This version is not audited

This version contains breaking changes with the version 2.0.

  • BurnModule

    • Replace the function burnFrom by the function forceBurn to permit the issuer (BURNER_ROLE) to burn tokens.
    • The versions CMTAT 1.0 and 2.0 do not strictly respect the CMTAT specification because you can only burn tokens if the sender (with the BURNER_ROLE) has the allowance on the tokens.
    • CMTAT 2.0 does not strictly respect the CMTAT specification because you can not force transfer or make an equivalent operation (burn tokens, then mint tokens to a new address).
  • Proxy

    • Add a boolean to indicate if the contract is deployed with or without a proxy.
    • Add a call to the function disableInitializers to prevent the implementation contract from being used.
    • Add a protection on the function kill by adding the module OnlyDelegateCallModule.

Other changes

  • Proxy

    • Add initializer functions in all contracts where they are missing.

    • Add storage gaps in all contracts where they are missing.

  • OpenZeppelin

    • Updated OpenZeppelin contracts upgradeable to the version v4.8.0, precisely this commit.

    • Replace setupRole (deprecated) by grantRole in the function CMTAT_init_unchained.

  • Improve the modularity of the architecture

    • Separate internal implementation from wrappers.
    • Separate mandatory and optional modules.
    • Move the BaseModule inside the mandatory directory.
    • Separate ERC20 functions from BaseModule by creating a specific module ERC20BaseModule.
    • Move the functions kill, setTokenId, setTerms from CMTAT.sol to BaseModule.
    • Move the functions pause & unpause from CMTAT.sol to PauseModule.
    • Move the functions freeze & unfreeze from CMTAT.sol to EnforcementModule.
  • Improve tests and their documentation of AuthorizationModule, BaseModule, BurnModule, EnforcementModule, MintModule and ValidationModule.

This version also includes improvements suggested by the audit report, addressing the following findings:

  • CVF-2, CVF-46, CVF-49, CVF-53, CVF-57, CVF-60, CVF-62: indicate the OpenZeppelin version in the file USAGE.md (Commit).

  • CVF-29: perform a call to the ERC165_init_unchained (commit).

  • CVF-30: call ERC20_init_unchained before Base_init_unchained (commit).

  • CVF-35: specify which base contract is called instead of using the keyword super (commit 1, commit 2).

  • CVF-47: define the functions PauseModule_init & PauseModule_init_unchained (commit).

  • CVF-51: define the functions Authorization_init & Authorization_init_unchained (commit).

  • CVF-52: move the mint functionality inside the MintModule (commit).

  • CVF-61: second part, define the functions BurnModule_init & BurnModule_init_unchained (commit).

2.0 - 20221104

This version is not fully ready to be used with a proxy, see issues 58 and 66.

This version contains breaking changes with the version 1.0.

  • Updated OpenZeppelin contracts upgradeable to the version v4.7.3, precisely this commit.
  • Solidity version updated to ^0.8.17.
  • Updated all libraries in package.json, except for eth-sig-util, which has not been updated.
  • Set the trustedForwarder as immutable to be compatible with OpenZeppelin (commit).
  • Each test is performed with and without a proxy (commit).
  • Improved documentation by adding a summary of the audit, a description of the access control, and a UML diagram of the project.

This version also includes improvements suggested by the audit report, addressing the following findings:

  • CVF-7, CVF-9 and CVF-10: removed useless return value in _unscheduleSnapshot, _rescheduleSnapshot, _scheduleSnapshot (commit CVF-7, commit CVF-9, commit CVF-10).
  • CVF-27, 48, 55: used an enum to store the restriction code (commit).
  • CVF-40: defined event for setTokenId and setTerms (commit).
  • Fix CVF-56: renamed message for the constant TEXT_TRANSFER_REJECTED_FROZEN (commit).
  • CVF-66, CVF-69, CVF-70, CVF-72, which created two new interfaces: IERC1404 and IERC1404Wrapper (commit).

1.0 - 20211005

  • Added CMTAT equity token core functionalities
  • Added support for OpenGSN gasless transactions
  • Added support for proxy deployment
  • Added ABDK security audit report
  • Added initial API documentation

0.1 - 20191120

  • Legacy CMTA20 contract