Merge pull request #35 from neonlabsorg/34-fix-audit-issues

Fix audit issues #34

(reviewed by @mich-master)

Cargo.toml

@@ -1,3 +1,6 @@
+[profile.release]
+overflow-checks = true
+
 [workspace]
 members = [
     "addin-fixed-weights/program",

addin-fixed-weights/mainnet/Cargo.toml

@@ -12,7 +12,7 @@ no-entrypoint = []
 test-bpf = []
 
 [dependencies]
-solana-program = "1.9.9"
+solana-program = "1.10.13"
 spl-governance-addin-fixed-weights = { path = "../program", features = [ "mainnet", "no-entrypoint" ] }
 
 [lib]

addin-fixed-weights/program/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "spl-governance-addin-fixed-weights"
-version = "0.1.0"
+version = "0.1.1"
 description = "Solana Program Library Governance Voter Weight Addin Program"
 authors = ["NeonLabs Maintainers <[email protected]>"]
 repository = "https://github.com/neonlabsorg/neon-spl-governance/addin-fixed-weights/program"
@@ -20,7 +20,7 @@ num-derive = "0.3"
 num-traits = "0.2"
 serde = "1.0.127"
 serde_derive = "1.0.103"
-solana-program = "1.9.9"
+solana-program = "1.10.13"
 const_format = { version = "0.2.21" }
 spl-token = { path = "../../solana-program-library/token/program", version = "3.3", features = [ "no-entrypoint" ] }
 spl-governance-addin-api = { path = "../../solana-program-library/governance/addin-api", version = "0.1.1" }

addin-fixed-weights/program/src/processor.rs

@@ -170,7 +170,7 @@ pub fn process_setup_max_voter_weight_record(
     let payer_info = next_account_info(account_info_iter)?; // 3
     let system_info = next_account_info(account_info_iter)?; // 4
 
-    let max_voter_weight = (get_max_voter_weight_fixed() as u128)
+    let max_voter_weight = (get_max_voter_weight_fixed()? as u128)
         .checked_add(crate::config::EXTRA_TOKENS as u128).unwrap()
         .checked_mul(crate::config::SUPPLY_FRACTION as u128).unwrap()
         .checked_div(MintMaxVoteWeightSource::SUPPLY_FRACTION_BASE as u128).unwrap() as u64;
@@ -201,10 +201,11 @@ pub fn process_setup_max_voter_weight_record(
 }
 
 /// Get Fixed Voter Weight
-fn get_max_voter_weight_fixed() -> u64 {
+fn get_max_voter_weight_fixed() -> Result<u64,ProgramError> {
     crate::config::VOTER_LIST
         .iter()
-        .fold(0, |acc, item| acc + item.1)
+        .try_fold(0u64, |acc, item| acc.checked_add(item.1))
+        .ok_or_else(|| VoterWeightAddinError::OverflowVoterWeight.into())
 }
 
 /// Get Fixed Voter Weight

addin-vesting/program/Cargo.toml

@@ -1,8 +1,10 @@
 [package]
 name = "spl-governance-addin-vesting"
-version = "0.1.0"
-authors = ["Elliott Benisty <[email protected]>", "Lucas Chaumeny <[email protected]>"]
-edition = "2018"
+version = "0.1.1"
+description = "Solana Program Library Governance Addin For Vesting"
+authors = ["NeonLabs Maintainers <[email protected]>"]
+repository = "https://github.com/neonlabsorg/neon-spl-governance/addin-vesting/program"
+edition = "2021"
 
 [features]
 no-entrypoint = []
@@ -14,17 +16,17 @@ num-traits = "0.2"
 num-derive = "0.3"
 arrayref = "0.3.6"
 borsh = "0.9.1"
-solana-program = "1.9.9"
-spl-token = { version = "3.2", features = ["no-entrypoint"] }
+solana-program = "1.10.13"
+spl-token = { version = "3.3.0", features = ["no-entrypoint"] }
 spl-associated-token-account = { version = "1.0.2", features = ["no-entrypoint"] }
 spl-governance = { path="../../solana-program-library/governance/program", features = ["no-entrypoint"] }
 spl-governance-tools = { path="../../solana-program-library/governance/tools", version = "0.1.2" }
 spl-governance-addin-api = { path="../../solana-program-library/governance/addin-api", version = "0.1.1" }
 arbitrary = { version = "0.4", features = ["derive"], optional = true }
 
 [dev-dependencies]
-solana-sdk = "1.9.9"
-solana-program-test = "1.9.9"
+solana-sdk = "1.10.13"
+solana-program-test = "1.10.13"
 tokio = { version = "1.0", features = ["macros"]}
 hex = "0.4"
 

addin-vesting/program/src/processor.rs

@@ -87,10 +87,9 @@ impl Processor {
                return Err(VestingError::InvalidVestingTokenAccount.into());
         }
 
-        let mut total_amount: u64 = 0;
-        for s in schedules.iter() {
-            total_amount = total_amount.checked_add(s.amount).ok_or(VestingError::OverflowAmount)?;
-        }
+        let total_amount = schedules.iter()
+                .try_fold(0u64, |acc, item| acc.checked_add(item.amount))
+                .ok_or(VestingError::OverflowAmount)?;
 
         let vesting_record = VestingRecord {
             account_type: VestingAccountType::VestingRecord,
@@ -230,10 +229,11 @@ impl Processor {
 
         // Unlock the schedules that have reached maturity
         let clock = Clock::get()?;
-        let mut total_amount_to_transfer = 0;
+        let mut total_amount_to_transfer = 0u64;
         for s in vesting_record.schedule.iter_mut() {
             if clock.unix_timestamp as u64 >= s.release_time {
-                total_amount_to_transfer += s.amount;
+                total_amount_to_transfer = total_amount_to_transfer.checked_add(s.amount)
+                        .ok_or(VestingError::OverflowAmount)?;
                 s.amount = 0;
             }
         }
@@ -346,10 +346,9 @@ impl Processor {
             return Err(VestingError::MissingRequiredSigner.into());
         }
 
-        let mut total_amount = 0;
-        for s in vesting_record.schedule.iter_mut() {
-            total_amount += s.amount;
-        }
+        let total_amount = vesting_record.schedule.iter()
+                .try_fold(0u64, |acc, item| acc.checked_add(item.amount))
+                .ok_or(VestingError::OverflowAmount)?;
 
         vesting_record.owner = *new_vesting_owner_account.key;
         vesting_record.serialize(&mut *vesting_account.data.borrow_mut())?;