
CHANGELOG

Please follow https://changelog.md/ conventions.

2.3

Release 2.3 mainly contains fixes and improvements related to the audit performed on version 2.2.

Documentation

  • Update the documentation for the release
  • Add slither & coverage reports
  • Install hardhat in order to use the solidity-coverage plugin

General modifications

  • Rename contract CreditEvents to CreditEventsModule (pull/168)

  • DebtBaseModule: the function setDebt takes an argument of type DebtBase (struct) instead of individual parameters to avoid issues with some compilers (pull/175).

  • The interfaces ERC1404 & ERC1404Wrapper were renamed to IEIP1404 & EIP1404Wrapper since the proposed standard ERC/EIP 1404 has never been approved (pull/166).

  • Improve rule engine architecture: the RuleEngine to be used with the CMTAT has to implement the interface IEIP1404Wrapper (pull/166)

It is no longer necessary to implement the interface RuleEngine, which was moved inside the mock directory.

  • When a contract is deployed, the admin address passed as a parameter has to be different from zero (pull/162).
  • Remove snapshot module from default import since the snapshotModule is not audited (pull/163)

Audit report

This version also includes improvements suggested by the audit report, addressing the following findings:

CVF-2: Create two main contracts: one for a deployment with a proxy, and one for a standalone deployment

  • ValidationModule & EnforcementModule (pull/153)

CVF-1: The check was made in CMTAT.sol. We have moved it inside the ValidationModule.

CVF-3: return a defined error message if the rule engine is not set.

CVF-20: defined two different messages to indicate which address is frozen

CVF-29: defined a list of valid restriction codes in ERC1404Wrapper

CVF-10: override the function hasRole to give all roles to the default admin

CVF-11: remove the function transferContractControl

CVF-5: add a reason argument in the function + event as recommended

Other

CVF-4, CVF-13, CVF-18, CVF-23: CVF related to events (pull/159)

CVF-14: ValidationModule: Move the return statement inside the else branch as recommended (pull/157)

CVF-16, CVF-17, CVF-19, CVF-22, CVF-25: related to events (pull/158)

CVF-21: remove the redundant part in the path (pull/156)

2.2 - 20230122

This version is not audited

This version contains breaking changes with the version 2.1.

OpenZeppelin

Updated OpenZeppelin contracts upgradeable to the version v4.8.1, precisely this commit.

Modules

  • Add the module Debt (pull/118, pull/141)

  • Add the module CreditEvents (pull/135)

  • SnapshotModule: use a sorted array instead of an unsorted array as suggested in the audit report (pull/123)

  • baseModule: add field information & flag (pull/134)

  • Access Control (pull/130):

    • Move AuthorizationModule from wrapper/optional to security
    • Move the different calls of grantRole inside of the function AuthorizationModule_init_unchained
    • Add a function transferAdminship in AuthorizationModule
  • Improve and update tests of the different modules

Audit report

This version also includes improvements suggested by the audit report, addressing the following findings:

  • SnapshotModule / CVF-3, CVF-8, CVF-13, CVF-17: pull/123
  • CVF-21: change the type of the Event RuleEngineSet to IRuleEngine
  • CVF-24, CVF-25, CVF-26: no change in the code, but a comment was added to explain the requirement.
  • CVF-28: call to the Validation_init_unchained function in __CMTAT_init
  • CVF-54: add the reason parameter in events Freeze and Unfreeze

2.1 - 20221216

This version is not audited

This version contains breaking changes with the version 2.0.

  • BurnModule

    • Replace the function burnFrom by the function forceBurn to permit the issuer (BURNER_ROLE) to burn tokens.
    • The versions CMTAT 1.0 and 2.0 do not strictly respect the CMTAT specification because you can only burn tokens if the sender (with the BURNER_ROLE) has the allowance on the tokens.
    • CMTAT 2.0 does not strictly respect the CMTAT specification because you cannot force transfer or make an equivalent operation (burn tokens, then mint tokens to a new address).
  • Proxy

    • Add a boolean to indicate if the contract is deployed with or without a proxy.
    • Add a call to the function disableInitializers to prevent the implementation contract from being used.
    • Add a protection on the function kill by adding the module OnlyDelegateCallModule.

Other changes

  • Proxy

    • Add initializer functions to all contracts that lack them.

    • Add storage gaps to all contracts that lack them.

  • OpenZeppelin

    • Updated OpenZeppelin contracts upgradeable to the version v4.8.0, precisely this commit.

    • Replace setupRole (deprecated) by grantRole in the function CMTAT_init_unchained.

  • Improve the modularity of the architecture

    • Separate internal implementation from wrappers.
    • Separate mandatory and optional modules.
    • Move the BaseModule inside the mandatory directory.
    • Separate ERC20 functions from BaseModule by creating a specific module ERC20BaseModule.
    • Move the functions kill, setTokenId, setTerms from CMTAT.sol to BaseModule.
    • Move the functions pause & unpause from CMTAT.sol to PauseModule.
    • Move the functions freeze & unfreeze from CMTAT.sol to EnforcementModule.
  • Improve the tests, and their documentation, for AuthorizationModule, BaseModule, BurnModule, EnforcementModule, MintModule and ValidationModule.

This version also includes improvements suggested by the audit report, addressing the following findings:

  • CVF-2, CVF-46, CVF-49, CVF-53, CVF-57, CVF-60, CVF-62: indicate the OpenZeppelin version in the file USAGE.md (Commit).

  • CVF-29: perform a call to the ERC165_init_unchained (commit).

  • CVF-30: call ERC20_init_unchained before Base_init_unchained (commit).

  • CVF-35: specify which base contract is called instead of using the keyword super (commit 1, commit 2).

  • CVF-47: define the functions PauseModule_init & PauseModule_init_unchained (commit).

  • CVF-51: define the functions Authorization_init & Authorization_init_unchained (commit).

  • CVF-52: move the mint functionality inside the MintModule (commit).

  • CVF-61: second part, define the functions BurnModule_init & BurnModule_init_unchained (commit).

2.0 - 20221104

This version is not fully ready to be used with a proxy, see issues 58 and 66.

This version contains breaking changes with the version 1.0.

  • Updated OpenZeppelin contracts upgradeable to the version v4.7.3, precisely this commit.
  • Solidity version updated to ^0.8.17.
  • Updated all libraries in package.json, except for eth-sig-util, which has not been updated.
  • Set the trustedForwarder as immutable to be compatible with OpenZeppelin (commit).
  • Each test is performed with and without a proxy (commit).
  • Improved documentation by adding a summary of the audit, a description of the access control, and a UML diagram of the project.

This version also includes improvements suggested by the audit report, addressing the following findings:

  • CVF-7, CVF-9 and CVF-10: removed useless return value in _unscheduleSnapshot, _rescheduleSnapshot, _scheduleSnapshot (commit CVF-7, commit CVF-9, commit CVF-10).
  • CVF-27, 48, 55: used an enum to store the restriction code (commit).
  • CVF-40: defined event for setTokenId and setTerms (commit).
  • Fix CVF-56: renamed message for the constant TEXT_TRANSFER_REJECTED_FROZEN (commit).
  • CVF-66, CVF-69, CVF-70, CVF-72, which created two new interfaces: IERC1404 and IERC1404Wrapper (commit).

1.0 - 20211005

  • Added CMTAT equity token core functionalities
  • Added support for OpenGSN gasless transactions
  • Added support for proxy deployment
  • Added ABDK security audit report
  • Added initial API documentation

0.1 - 20191120

  • Legacy CMTA20 contract