Security Audit

Governor.sol

castVote(proposalId, support, stakeAmount) accepts stakeAmount from the caller without verifying it against any staking/conviction contract. Any address can pass arbitrary vote weight.

Fix: Now verifies on-chain via QuadraticVoting/ConvictionWeighting lookup.

ComputeBasketOracle.sol

submitETHPrice() allowed a single oracle to set the ETH price used by OneWayBridge.depositETH(), unlike basket prices which require 3-oracle median consensus. A compromised oracle could set ETH price to $1M, making ETH deposits mint disproportionate UCU.

Fix: ETH price now uses the same multi-oracle median consensus as basket prices.

Bonfire.sol

finalizeEpoch() makes an external call via _burnUCU() (low-level .call) and reportRevenue() calls safeTransferFrom(). Neither had ReentrancyGuard protection. Cross-function reentrancy could manipulate epoch accounting.

Fix: Added ReentrancyGuard inheritance and nonReentrant to reportRevenue() and finalizeEpoch().

Bonfire.sol

_burnUCU() used address(ucu).call(...) which succeeds silently when the target is an EOA (not a contract). If ucu were set to a non-contract address, burns would appear successful without actually burning tokens, inflating supply.

Fix: Added extcodesize check and return data validation.

Governor.sol

Anyone can create proposals with no minimum stake or citizen requirement. This enables spam proposals that waste gas and create governance noise.

Mitigation: Add a minimum stake requirement or restrict to verified citizens.

ConstitutionalGuard.sol

validateProposal() iterates all paramIds for each target in a proposal (O(targets * paramIds)). As protections accumulate, gas costs increase, eventually making execution impossible.

Mitigation: Cap paramIds.length or use a mapping-based lookup by (target, selector).

UBCDistributor.sol

enrollCitizen() can be called by anyone for any verified citizen. A griefer could enroll citizens who don't want UBC, consuming capacity slots or adding them to the waitlist without consent.

Mitigation: Restrict to msg.sender == citizen or add an opt-in mechanism.

QuadraticVoting.sol

lockedForProposal stores only the single most recent proposal the user voted on. If a citizen votes on proposal A (ends day 30) then votes on proposal B (ends day 10), after day 10 they can unstake even though proposal A is still active.

Mitigation: Track all active locks or use the latest-ending proposal.

SupportClasses.sol

distribute() makes safeTransfer calls inside a loop over recipients. If any recipient is a contract that reverts on receive, the entire distribution fails (one bad recipient blocks all).

Mitigation: Use a pull-based pattern or try/catch around individual transfers.

OneWayBridge.sol

If oracle reports expire (> MAX_PRICE_AGE), getBasketPriceUSD() reverts, completely blocking deposits rather than gracefully degrading. Coordinated oracle downtime could freeze the bridge.

Mitigation: Consider a cached fallback price with an age warning.

ConvictionWeighting.sol

voteWithConviction() emits events but does not update any on-chain vote tally. The effective votes are only in events, making the contract informational only.

Mitigation: Wire ConvictionWeighting to Governor.castVote or implement its own tally.

UCUToken.sol

int256(totalMinted) - int256(totalBurned) will revert if totalMinted exceeds type(int256).max (~5.7e76). Practically unreachable but theoretically possible for an uncapped supply token.

Mitigation: Add a safe cast or document the theoretical limit.

FixedPointMath.sol

x * WAD in sqrt() overflows for x > type(uint256).max / 1e18 (~1.15e59). While token amounts shouldn't reach this, the function is a public library.

Fix: Added explicit overflow check with require.

CitizenRegistry.sol

_enforceBirthRate() sets currentPeriodStart = block.timestamp instead of incrementing by agentBirthPeriod. Over time, periods drift forward if called late.

Mitigation: Use currentPeriodStart += agentBirthPeriod to prevent drift.

UBCDistributor.sol

The waitlist array only grows via push() and is never compacted. waitlistHead advances but old entries remain. Over years, this wastes storage.

Mitigation: Periodically compact or use a linked-list pattern.

SovereigntyIndex.sol

If a citizen transfers to A (100 UCU) then to B (150 UCU), largestRecipient updates to B. But if A later receives another 200 UCU (total 300), the contract misses that A surpassed B.

Mitigation: Maintain a proper max-heap or accept the approximation.

OneWayBridge.sol

Miners can slightly manipulate timestamps. A deposit near midnight could be placed into a favorable day window. Impact is minimal (max ~15 seconds of manipulation).

Mitigation: Acceptable for current design.

Governor.sol

A proposal can have hundreds of targets/calldatas, consuming excessive gas on execution.

Mitigation: Add a MAX_ACTIONS_PER_PROPOSAL constant.

CreatorGrantOracle.sol

Once submitted, a ProposalData lives forever. Stale proposals from years ago can still be verified and approved by oracles.

Mitigation: Add an expiry timestamp to proposals.

SupportClasses.sol

When distribute() is called on an expired class, the refund goes to sc.supporter. A third party could front-run the supporter's own call. Not harmful but creates unexpected behavior.

Mitigation: Document this as expected behavior.