maticnetwork · marcello33 · Apr 13, 2020 · May 27, 2020 · May 30, 2020 · Jun 1, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,14 +10,14 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Setup Node.js environment
-      uses: actions/setup-node@v2-beta
+      uses: actions/setup-node@v3
       with:
-        node-version: '10.x'
+        node-version: '16'
         registry-url: 'https://registry.npmjs.org'
     - name: Cache npm dependencies
-      uses: actions/cache@v1
+      uses: actions/cache@v3
       with:
         path: ~/.npm
         key: ${{ runner.OS }}-npm-cache-${{ hashFiles('**/package-lock.json') }}

diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml
@@ -0,0 +1,30 @@
+name: Security CI
+on: [push, pull_request]
+
+jobs:
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+
+  solhint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Get node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: "16.x"
+      - run: npm ci
+      - run: npx solhint "contracts/**/*.sol"
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,7 @@ test-blockchain/data
 coverage/
 
 coverage.json
+
+.idea
+
+.dccache
diff --git a/.snyk b/.snyk
@@ -0,0 +1,141 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'snyk:lic:npm:ethereumjs:tx:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:15:06.869Z
+  'snyk:lic:npm:ethereumjs-account:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:23:25.369Z
+  'snyk:lic:npm:ethereumjs-block:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:15:15.843Z
+  'snyk:lic:npm:ethereumjs-tx:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:15:16.050Z
+  'snyk:lic:npm:ethereumjs-util:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:16:10.153Z
+  'snyk:lic:npm:ethereumjs-vm:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:16:11.002Z
+  'snyk:lic:npm:merkle-patricia-tree:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:16:48.133Z
+  'snyk:lic:npm:rlp:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:17:01.101Z
+  'snyk:lic:npm:web3:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:18:01.101Z
+  'snyk:lic:npm:web3-bzz:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:01.101Z
+  'snyk:lic:npm:web3-core:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:02.520Z
+  'snyk:lic:npm:web3-core-helpers:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.100Z
+  'snyk:lic:npm:web3-core-method:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.585Z
+  'snyk:lic:npm:web3-core-promievent:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.733Z
+  'snyk:lic:npm:web3-core-requestmanager:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:00.000Z
+  'snyk:lic:npm:web3-core-subscriptions:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:00.000Z
+  'snyk:lic:npm:web3-eth:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:01.000Z
+  'snyk:lic:npm:web3-eth-abi:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:02.000Z
+  'snyk:lic:npm:web3-eth-accounts:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:03.000Z
+  'snyk:lic:npm:web3-eth-contract:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:04.000Z
+  'snyk:lic:npm:web3-eth-ens:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:05.000Z
+  'snyk:lic:npm:web3-eth-iban:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:06.000Z
+  'snyk:lic:npm:web3-eth-personal:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:07.000Z
+  'snyk:lic:npm:web3-net:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:08.000Z
+  'snyk:lic:npm:web3-providers-http:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:09.000Z
+  'snyk:lic:npm:web3-providers-ipc:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:10.000Z
+  'snyk:lic:npm:web3-providers-ws:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:11.000Z
+  'snyk:lic:npm:web3-shh:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:12.000Z
+  'snyk:lic:npm:web3-utils:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:13.000Z
+  'SNYK-JS-OPENZEPPELINSOLIDITY-2965800':
+    - '*':
+        reason: 'No upgrade or patch available. See https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINSOLIDITY-2965800'
+        created: 2022-11-15T09:14:00.000Z
+  'SNYK-JS-GOT-2932019':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:16:00.000Z
+  'SNYK-JS-WEB3-174533':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:16:30.000Z
+  'SNYK-JS-WS-1296835':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:17:00.000Z
+patch: {}
+exclude:
+  global: # foollowing are used for tests, therefore private keys are mocked
+    - scripts/*.js
+    - moonwalker-migrations/*.js
diff --git a/.solcover.js b/.solcover.js
@@ -1,4 +1,6 @@
 module.exports = {
+    configureYulOptimizer: true,
+    skipFiles: ["mocks", "test"],
     mocha: {
         grep: "@skip-on-coverage", // Find everything with this tag
         invert: true               // Run the grep's inverse set.

diff --git a/.solhint.json b/.solhint.json
@@ -0,0 +1,12 @@
+{
+  "extends": "solhint:recommended",
+  "plugins": [],
+  "rules": {
+    "code-complexity": ["error", 13],
+    "compiler-version": ["error", "^0.5.0"],
+    "func-visibility": ["error", { "ignoreConstructors": true }],
+    "max-line-length": ["warn", 120],
+    "not-rely-on-time": "off",
+    "reason-string": ["warn", { "maxLength": 64 }]
+  }
+}
diff --git a/.solhintignore.json b/.solhintignore.json
@@ -0,0 +1,3 @@
+# directories
+**/lib
+**/node_modules
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,14 @@
+# Polygon Technology Security Information
+
+## Link to vulnerability disclosure details (Bug Bounty)
+- Websites and Applications: https://hackerone.com/polygon-technology
+- Smart Contracts: https://immunefi.com/bounty/polygon
+
+## Languages that our team speaks and understands.
+Preferred-Languages: en
+
+## Security-related job openings at Polygon.
+https://polygon.technology/careers
+
+## Polygon security contact details
+[email protected]
diff --git a/contracts/common/gnosis/GnosisSafe.sol b/contracts/common/gnosis/GnosisSafe.sol
@@ -4,6 +4,9 @@
 
 pragma solidity >=0.5.0 <0.7.0;
 
+
+import {SafeMath} from "openzeppelin-solidity/contracts/math/SafeMath.sol";
+
 /// @title SelfAuthorized - authorizes current contract to perform actions
 /// @author Richard Meissner - <[email protected]>
 contract SelfAuthorized {
@@ -606,72 +609,6 @@ contract ISignatureValidator is ISignatureValidatorConstants {
         returns (bytes4);
 }
 
-
-/**
- * @title SafeMath
- * @dev Math operations with safety checks that revert on error
- * TODO: remove once open zeppelin update to solc 0.5.0
- */
-library SafeMath {
-
-  /**
-  * @dev Multiplies two numbers, reverts on overflow.
-  */
-  function mul(uint256 a, uint256 b) internal pure returns (uint256) {
-    // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
-    // benefit is lost if 'b' is also tested.
-    // See: https://github.com/OpenZeppelin/openzeppelin-solidity/pull/522
-    if (a == 0) {
-      return 0;
-    }
-
-    uint256 c = a * b;
-    require(c / a == b);
-
-    return c;
-  }
-
-  /**
-  * @dev Integer division of two numbers truncating the quotient, reverts on division by zero.
-  */
-  function div(uint256 a, uint256 b) internal pure returns (uint256) {
-    require(b > 0); // Solidity only automatically asserts when dividing by 0
-    uint256 c = a / b;
-    // assert(a == b * c + a % b); // There is no case in which this doesn't hold
-
-    return c;
-  }
-
-  /**
-  * @dev Subtracts two numbers, reverts on overflow (i.e. if subtrahend is greater than minuend).
-  */
-  function sub(uint256 a, uint256 b) internal pure returns (uint256) {
-    require(b <= a);
-    uint256 c = a - b;
-
-    return c;
-  }
-
-  /**
-  * @dev Adds two numbers, reverts on overflow.
-  */
-  function add(uint256 a, uint256 b) internal pure returns (uint256) {
-    uint256 c = a + b;
-    require(c >= a);
-
-    return c;
-  }
-
-  /**
-  * @dev Divides two numbers and returns the remainder (unsigned integer modulo),
-  * reverts when dividing by zero.
-  */
-  function mod(uint256 a, uint256 b) internal pure returns (uint256) {
-    require(b != 0);
-    return a % b;
-  }
-}
-
 /// @title Gnosis Safe - A multisignature wallet with support for confirmations using signed messages based on ERC191.
 /// @author Stefan George - <[email protected]>
 /// @author Richard Meissner - <[email protected]>