Please follow https://changelog.md/ conventions.
Release 2.3 mainly contains fixes and improvements related to the audit performed on version 2.2.
Documentation
- Update the documentation for the release
- Add slither & coverage reports
- Install hardhat in order to use the solidity-coverage plugin
General modifications
- Rename contract CreditEvents to CreditEventsModule (pull/168)
- DebtBaseModule: the function setDebt takes an argument of type DebtBase (struct) instead of individual parameters to avoid issues with some compilers (pull/175).
- The interfaces ERC1404 & ERC1404Wrapper were renamed to IEIP1404 & EIP1404Wrapper since the proposed standard ERC/EIP 1404 has never been approved (pull/166).
- Improve rule engine architecture: the RuleEngine to be used with the CMTAT has to implement the interface IEIP1404Wrapper (pull/166)
  - It is no longer necessary to implement the interface RuleEngine, which was moved inside the mock directory
- When a contract is deployed, the admin address put in parameter has to be different from zero (pull/162).
- Remove snapshot module from default import since the snapshotModule is not audited (pull/163)
Audit report
This version also includes improvements suggested by the audit report, addressing the following findings:
- CMTAT deployment (pull/152).
  - CVF-2: Create two main contracts: one for a deployment with a proxy, and one for a standalone deployment
- ValidationModule & EnforcementModule (pull/153)
  - CVF-1: The control was made in CMTAT.sol. We have moved this inside the ValidationModule
  - CVF-3: return a defined error message if the rule engine is not set.
  - CVF-20: defined two different messages to indicate which address is frozen
  - CVF-29: defined a list of valid restriction code in ERC1404Wrapper
- Access Control (pull/154)
  - CVF-10: override the function hasRole to give all roles to the default admin
  - CVF-11: remove the function transferContractControl
- Burn (pull/155)
  - CVF-5: add a reason argument in the function + event as recommended
Other
- CVF-4, CVF-13, CVF-18, CVF-23: CVF related to events (pull/159)
- CVF-14: ValidationModule: Move the return statement inside the else branch as recommended (pull/157)
- CVF-16, CVF-17, CVF-19, CVF-22, CVF-25: related to events (pull/158)
- CVF-21: remove the redundant part in the path (pull/156)
This version is not audited
This version contains breaking changes with the version 2.1.
OpenZeppelin
Updated OpenZeppelin contracts upgradeable to the version v4.8.1, precisely this commit.
Modules
- Add the module CreditEvents (pull/135)
- SnapshotModule: use a sorted array instead of an unsorted array as suggested in the audit report (pull/123)
- baseModule: add field information & flag (pull/134)
- Access Control (pull/130):
  - Move AuthorizationModule from wrapper/optional to security
  - Move the different calls of grantRole inside of the function AuthorizationModule_init_unchained
  - Add a function transferAdminship in AuthorizationModule
- Improve and update tests of the different modules
Audit report
This version also includes improvements suggested by the audit report, addressing the following findings:
- SnapshotModule / CVF-3, CVF-8, CVF-13, CVF-17: pull/123
- CVF-21: change the type of the Event RuleEngineSet to IRuleEngine
- CVF-24, CVF-25, CVF-26: no change in the code, but a comment was added to explain the requirement.
- CVF-28: call to the Validation_init_unchained function in __CMTAT_init
- CVF-54: add the reason parameter in events Freeze and Unfreeze
This version is not audited
This version contains breaking changes with the version 2.0.
- BurnModule
  - Replace the function burnFrom by the function forceBurn to permit the issuer (BURNER_ROLE) to burn tokens.
  - The versions CMTAT 1.0 and 2.0 do not strictly respect the CMTAT specification because you can only burn tokens if the sender (with the BURNER_ROLE) has the allowance on the tokens.
  - CMTAT 2.0 does not strictly respect the CMTAT specification because you can not force transfer or make an equivalent operation (burn tokens, then mint tokens to a new address).
- Proxy
  - Add a boolean to indicate if the contract is deployed with or without a proxy.
  - Add a call to the function disableInitializers to prevent the implementation contract from being used.
  - Add a protection on the function kill by adding the module OnlyDelegateCallModule.
Other changes
- Proxy
  - Add initializer functions in all contracts where they are missing.
  - Add storage gaps in all contracts where they are missing.
- OpenZeppelin
  - Updated OpenZeppelin contracts upgradeable to the version v4.8.0, precisely this commit.
  - Replace setupRole (deprecated) by grantRole in the function CMTAT_init_unchained.
- Improve the modularity of the architecture
  - Separate internal implementation from wrappers.
  - Separate mandatory and optional modules.
  - Move the BaseModule inside the mandatory directory.
  - Separate ERC20 functions from BaseModule by creating a specific module ERC20BaseModule.
  - Move the functions kill, setTokenId, setTerms from CMTAT.sol to BaseModule.
  - Move the functions pause & unpause from CMTAT.sol to PauseModule.
  - Move the functions freeze & unfreeze from CMTAT.sol to EnforcementModule.
- Improve tests and their documentation of AuthorizationModule, BaseModule, BurnModule, EnforcementModule, MintModule and ValidationModule.
This version also includes improvements suggested by the audit report, addressing the following findings:
- CVF-2, CVF-46, CVF-49, CVF-53, CVF-57, CVF-60, CVF-62: indicate the OpenZeppelin version in the file USAGE.md (Commit).
- CVF-29: perform a call to the ERC165_init_unchained (commit).
- CVF-30: call ERC20_init_unchained before Base_init_unchained (commit).
- CVF-35: specify which base contract is called instead of using the keyword super (commit 1, commit 2).
- CVF-47: define the functions PauseModule_init & PauseModule_init_unchained (commit).
- CVF-51: define the functions Authorization_init & Authorization_init_unchained (commit).
- CVF-52: move the mint functionality inside the MintModule (commit).
- CVF-61: second part, define the functions BurnModule_init & BurnModule_init_unchained (commit).
This version is not fully ready to be used with a proxy, see issues 58 and 66
This version contains breaking changes with the version 1.0
- Updated OpenZeppelin contracts upgradeable to the version v4.7.3, precisely this commit.
- Solidity version updated to ^0.8.17.
- Updated all libraries in package.json, except for eth-sig-util, which has not been updated.
- Set the trustedForwarder as immutable to be compatible with OpenZeppelin (commit)
- Each test is performed with and without a proxy (commit).
- Improved documentation by adding a summary of the audit, a description of the access control, a UML diagram of the project.
This version also includes improvements suggested by the audit report, addressing the following findings:
- CVF-7, CVF-9 and CVF-10: removed useless return value in _unscheduleSnapshot, _rescheduleSnapshot, _scheduleSnapshot (commit CVF-7, commit CVF-9, commit CVF-10).
- CVF-27, 48, 55: used an enum to store the restriction code (commit).
- CVF-40: defined event for setTokenId and setTerms (commit).
- Fix CVF-56: renamed message for the constant TEXT_TRANSFER_REJECTED_FROZEN (commit).
- CVF-66, CVF-69, CVF-70, CVF-72, which created two new interfaces: IERC1404 and IERC1404Wrapper (commit).
- Added CMTAT equity token core functionalities
- Added support for OpenGSN gasless transactions
- Added support for proxy deployment
- Added ABDK security audit report
- Added initial API documentation
- Legacy CMTA20 contract