fix(contracts): address audit findings 14, 6, 8, 13, 19 #19281

Merged
smartcontracts merged 5 commits into develop from fix/audit-round2-feb-2026 on Mar 5, 2026

Conversation

smartcontracts (Contributor) commented Feb 23, 2026

Summary

Addresses several findings from the Feb 2026 security audit (round 2):

  • Finding 14 (medium): Reuse existing DelayedWETH from SystemConfig in the Migrator instead of deploying a new one. Deploying a new proxy would create divergence — SystemConfig would still point to the old DelayedWETH, and future upgrades (which load from SystemConfig) would reference a different contract than the shared DGF games. Note: marked as medium severity but has no impact in practice.
  • Finding 6 (info): Document that hardcoded game type lists in OPCMv2's _assertValidFullConfig and Migrator's _migratePortal are intentional and must be kept in sync when new types are added.
  • Finding 8 (low): Document that migrate() does not enforce a SuperchainConfig version floor (unlike deploy/upgrade). The caller is responsible for ensuring the SuperchainConfig is upgraded beforehand.
  • Finding 13 (low): Document why migration game config validation is deliberately minimal (privileged one-off action, type-level guards exist, non-super types naturally rejected by chain ID mismatch).
  • Finding 19 (info): Document theoretical risk in AnchorStateRegistry.isGameRegistered if the ASR proxy is replaced (not upgraded in-place) non-atomically with an invalid game in the old ASR.

Findings not addressed in this PR

  • Finding 1: Acknowledged — our revert behavior is safer for users
  • Findings 21, 22: Deferred to separate PRs

Test plan

  • just pr — all 17 checks pass
  • just test-dev — all OPCMv2 tests pass (19 passed, 3 skipped)
  • Migrate tests pass with interop enabled (4/4)

🤖 Generated with Claude Code

smartcontracts changed the title from "fix(contracts): address audit findings #14, #6, #8, #13, #19" to "fix(contracts): address audit findings 14, 6, 8, 13, 19" on Feb 23, 2026
smartcontracts marked this pull request as ready for review February 23, 2026 18:19
smartcontracts requested a review from a team as a code owner February 23, 2026 18:19
codecov bot commented Feb 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.2%. Comparing base (19aef66) to head (b78ae8c).
⚠️ Report is 6 commits behind head on develop.

Additional details and impacted files
@@            Coverage Diff             @@
##           develop   #19281     +/-   ##
==========================================
+ Coverage     75.2%    80.2%   +4.9%     
==========================================
  Files          193      138     -55     
  Lines        11250     7219   -4031     
==========================================
- Hits          8470     5792   -2678     
+ Misses        2636     1427   -1209     
+ Partials       144        0    -144     
Flag Coverage Δ
cannon-go-tests-64 ?
contracts-bedrock-tests 80.2% <100.0%> (-0.1%) ⬇️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
...es/contracts-bedrock/src/L1/OPContractsManager.sol 92.7% <100.0%> (ø)
...bedrock/src/L1/opcm/OPContractsManagerMigrator.sol 95.8% <100.0%> (-0.1%) ⬇️
...racts-bedrock/src/L1/opcm/OPContractsManagerV2.sol 97.6% <100.0%> (ø)
...tracts-bedrock/src/dispute/AnchorStateRegistry.sol 100.0% <ø> (ø)
...contracts-bedrock/src/dispute/FaultDisputeGame.sol 98.7% <100.0%> (ø)
...acts-bedrock/src/dispute/SuperFaultDisputeGame.sol 97.5% <100.0%> (ø)
...ackages/contracts-bedrock/src/safe/SafeSigners.sol 90.9% <ø> (ø)

... and 55 files with indirect coverage changes

smartcontracts force-pushed the fix/audit-round2-feb-2026 branch from a81c5cd to f38cf00 March 3, 2026 18:45
smartcontracts force-pushed the fix/audit-round2-feb-2026 branch from f38cf00 to 99ec1f6 March 4, 2026 15:49
smartcontracts force-pushed the fix/audit-round2-feb-2026 branch from 99ec1f6 to 7b49a55 March 5, 2026 15:27
smartcontracts and others added 3 commits March 5, 2026 19:24
- #14: Reuse existing DelayedWETH from SystemConfig instead of deploying
  a new one in the Migrator, preventing divergence with future upgrades
- #6: Document that hardcoded game type lists in OPCMv2 and Migrator are
  intentional and must be kept in sync when new types are added
- #8: Document that migrate() does not enforce SuperchainConfig version floor
- #13: Document why migration game config validation is deliberately minimal
- #19: Document theoretical risk in AnchorStateRegistry.isGameRegistered
  when ASR proxy is replaced non-atomically

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add a notice to the GameTypes library reminding developers to update
the hardcoded game type lists in OPContractsManagerMigrator and
OPContractsManagerV2's _assertValidFullConfig when adding new types.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Bump OPContractsManagerV2 from 7.0.9 to 7.0.10 to account for the
comment-only source change (cross-reference note added in prior commit)
that affects the bytecode metadata hash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
smartcontracts force-pushed the fix/audit-round2-feb-2026 branch from 7b49a55 to 4be3662 March 5, 2026 19:32
smartcontracts and others added 2 commits March 5, 2026 22:18
forge fmt changed OPContractsManager, FaultDisputeGame, SuperFaultDisputeGame,
and several other files. Bump patch versions for the contracts with hash changes,
and regenerate semver-lock and snapshots.

- OPContractsManager: 6.0.3 -> 6.0.4
- FaultDisputeGame: 2.4.0 -> 2.4.1
- SuperFaultDisputeGame: 0.7.0 -> 0.7.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
smartcontracts added this pull request to the merge queue Mar 5, 2026
Merged via the queue into develop with commit cadb73d Mar 5, 2026
170 of 193 checks passed
smartcontracts deleted the fix/audit-round2-feb-2026 branch March 5, 2026 23:59
wwared pushed a commit that referenced this pull request Mar 9, 2026
* fix(contracts): address audit findings #14, #6, #8, #13, #19

- #14: Reuse existing DelayedWETH from SystemConfig instead of deploying
  a new one in the Migrator, preventing divergence with future upgrades
- #6: Document that hardcoded game type lists in OPCMv2 and Migrator are
  intentional and must be kept in sync when new types are added
- #8: Document that migrate() does not enforce SuperchainConfig version floor
- #13: Document why migration game config validation is deliberately minimal
- #19: Document theoretical risk in AnchorStateRegistry.isGameRegistered
  when ASR proxy is replaced non-atomically

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(contracts): add cross-reference comment to GameTypes library

Add a notice to the GameTypes library reminding developers to update
the hardcoded game type lists in OPContractsManagerMigrator and
OPContractsManagerV2's _assertValidFullConfig when adding new types.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(contracts): bump OPContractsManagerV2 version for rebase

Bump OPContractsManagerV2 from 7.0.9 to 7.0.10 to account for the
comment-only source change (cross-reference note added in prior commit)
that affects the bytecode metadata hash.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(contracts): bump OPContractsManagerV2 version to 7.0.11 for semver-diff CI fix

* fix(contracts): apply forge fmt and bump versions for formatting changes

forge fmt changed OPContractsManager, FaultDisputeGame, SuperFaultDisputeGame,
and several other files. Bump patch versions for the contracts with hash changes,
and regenerate semver-lock and snapshots.

- OPContractsManager: 6.0.3 -> 6.0.4
- FaultDisputeGame: 2.4.0 -> 2.4.1
- SuperFaultDisputeGame: 0.7.0 -> 0.7.1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: smartcontracts <smartcontracts@users.noreply.github.com>