- Join Sherlock Discord
- Submit findings using the issue page in your private contest repo (label issues as med or high)
- Read for more details
All EVM compatible chains + Zkync Era
All
None
None
Yes. When funding a pool on Allo.sol
None
RESTRICTED
TRUSTED
The contracts are upgradable and the admin is trusted.
The owner of Allo.sol can
- recover funds from Allo.sol
- flag contracts as cloneable
- set the base fee, percent fee , registry address and treasury address
The owner of Registry.sol can recover funds from Registry.sol
-
Profile Owners: Users who create profiles using the
Registrycontract. These profiles are central to protocol interactions, offering a unique identity for users and enabling secure external calls through theAnchorcontract. -
Profile Member: Members of a Registry profile have specific access rights as defined by the profile's owner.
-
Allo Owner: Individuals who control the
Allocontract, possessing the authority to manage fund recovery, fee parameters, and treasury addresses. Their role is pivotal in ensuring the protocol's financial stability. -
Pool Creator A user who can create new pools using custom or cloneable strategies. They can specify metadata, strategy addresses, managers, and other parameters during pool creation.
-
Pool Administrator Users with administrative control over specific pools. They can manage pool managers, enabling effective pool governance.
-
Pool Manager Users who manage funds within specific pools. They can allocate and distribute funds according to the pool's strategy
Q: Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?
ERC20, EIP-712
Fee skirting where pool manager directly fund the pool without paying the fees
New
Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?
- Metadata struct references IPFS
- DonationVotingMerkleDistributionBaseMerkle has calculations which happens off-chain based on which a merkle root is generated and uploaded. The pool manager is a trusted role and is expected to use https://github.com/gitcoinco/pluralistic.js
Q: In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.
No
Q: Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
Yes as we support all ERC20 tokens.
allo-v2 @ 0b881ef4a0013d2809374c9ea69f4cf1288dfe62
- allo-v2/contracts/core/Allo.sol
- allo-v2/contracts/core/Anchor.sol
- allo-v2/contracts/core/Registry.sol
- allo-v2/contracts/core/interfaces/IAllo.sol
- allo-v2/contracts/core/interfaces/IRegistry.sol
- allo-v2/contracts/core/interfaces/IStrategy.sol
- allo-v2/contracts/core/libraries/Clone.sol
- allo-v2/contracts/core/libraries/Errors.sol
- allo-v2/contracts/core/libraries/Metadata.sol
- allo-v2/contracts/core/libraries/Native.sol
- allo-v2/contracts/core/libraries/Transfer.sol
- allo-v2/contracts/strategies/BaseStrategy.sol
- allo-v2/contracts/strategies/donation-voting-merkle-base/DonationVotingMerkleDistributionBaseStrategy.sol
- allo-v2/contracts/strategies/donation-voting-merkle-distribution-direct-transfer/DonationVotingMerkleDistributionDirectTransferStrategy.sol
- allo-v2/contracts/strategies/donation-voting-merkle-distribution-vault/DonationVotingMerkleDistributionVaultStrategy.sol
- allo-v2/contracts/strategies/qv-base/QVBaseStrategy.sol
- allo-v2/contracts/strategies/qv-simple/QVSimpleStrategy.sol
- allo-v2/contracts/strategies/rfp-committee/RFPCommitteeStrategy.sol
- allo-v2/contracts/strategies/rfp-simple/RFPSimpleStrategy.sol
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent