bracket.game-1 audit #177

Open
wants to merge 1 commit into
base: master
55 changes: 55 additions & 0 deletions client/library/library/audits/bracket-game-1.html
@@ -0,0 +1,55 @@
<page
clientName="bracket.game"
reportDate="March 19, 2024"
auditTitle="bracket.game A-1"
auditVersion="1.0.0"
repoUrl="https://github.com/nilli-team/nilli-monorepo"
repoCommitHash="a3b061ffd3442e7edcdf18734292e7c2e7693472"
layout="/library/audits/_layout.html"
passwordEncrypt="env:PAGE_PASS_BRACKETGAME_1"

>

<content-for name="schedule">
The security audit was performed by the Macro security team from March 12, 2024 to March 13, 2024.
</content-for>

<content-for name="spec">
<ul>
<li>Discussions on Telegram with the {{page.clientName}} team.</li>
<li>Available documentation in the repository.</li>
</ul>

<h2 id="tmaar">Trust Model, Assumptions, and Accepted Risks (TMAAR)</h2>
<template type="audit-markdown">
**Privileged Roles:**

- owner: Can pause/unpause the contract and can set the fee structure

- DEFAULT_ADMIN_ROLE: can grant roles
- MANAGER_ROLE:
- set the name (aka fanbase) for a collective
- set a new season including rounds and winning breakdown
- distributes the winnings to the collectives
- ORACLE_ROLE: responsible for verifying the exit rounds and winnings
- CLAIMER_ROLE: can transfer votes to other recipients

**Accepted Risks/Observations:**

- When users redeem, shares are sent from the collective to the user rather than withdrawing funds directly from the contract. This leaves funds locked in the contract.
It has been discussed with the [bracket.game](http://bracket.game) team that there will be a way provided to unlock those funds in a future version of the contract.
- The frontend only displays whitelisted collectives, all others are ignored. This is important, as each user can create many collectives at low cost.
</template>

</content-for>


<content-for name="source-code">

<p>Specifically, we audited the following contracts within this repository:</p>

<template type="file-hashes">\
0be5ef00f1e53b86c8836b4ba4f7508c4d8113f03c1331b3880c445e461060af packages/hardhat/contracts/BracketGame_Beta.sol
</template>
</content-for>
</page>
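Review bot: In the Privileged Roles list, the three items following `- MANAGER_ROLE:` (set the name, set a new season, distributes the winnings) are at the same indent as the roles themselves, so standard markdown would list them as siblings of ORACLE_ROLE and CLAIMER_ROLE instead of as MANAGER_ROLE's capabilities. For a trust-model section that ambiguity matters, so indent those three lines to nest them under MANAGER_ROLE. The blank line between the `owner` and `DEFAULT_ADMIN_ROLE` entries and the "Can"/"can" capitalization are also inconsistent with the rest of the list. Separately, the opening `<template type="file-hashes">\` ends with a backslash that looks stray unless the file-hashes template expects it, which is worth confirming, and the bracket.game link in Accepted Risks uses `http://` where `https://` would be preferable.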
2 changes: 1 addition & 1 deletion content/collections/private