Omniscia Gnosis Guild Audit
Zodiac PR206 Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 6a7fb909a1 | September 25th 2023 | 10747ee4ce |
| 6a7fb909a1 | September 25th 2023 | 880e513565 |
| e6d315f917 | October 23rd 2023 | 89d03a8320 |
| 4d851d2a84 | November 1st 2023 | cde3ac0181 |
| 4d851d2a84 | November 6th 2023 | 040261a811 |
Audit Overview
We were tasked with performing an audit of the Gnosis Guild codebase and in particular a revision of the Zodiac Modifier Roles codebase we have previously audited.
The audit encompassed the changes introduced between the original audit and the latest revision of the repository's PR#206 (6a7fb909a1) in relation to the contracts in scope of the original audit.
Changes introduced to contracts that were outside the scope of the original audit have not been evaluated and should not be considered in-scope. These contracts consist of the following:
packages/evm/contracts/AllowanceTracker.sol
packages/evm/contracts/Core.sol
Over the course of the audit, we evaluated the changes' purposed intentions described in PR#206 and their actual implementation in the code.
We validated that the AbiEncoded parameter type was correctly renamed to Calldata by updating the relevant references across the codebase's contracts.
To this end, we observed a discrepancy in how the re-purposed AbiEncoded parameter type is evaluated as inline within the Topology and Packer contracts, which we advise the Gnosis Guild team to consider.
The relaxed Integrity validation flows incur a significant gas overhead that we have detailed, and we advise the Gnosis Guild team to evaluate and potentially optimize it.
A security check that was removed from the PermissionBuilder contract was identified to have an impact on the out-of-scope AllowanceTracker contract and should be re-introduced to the contract's code.
The AvatarIsOwnerOfERC721 custom checker was validated to behave as expected; we recommended certain stylistic adjustments as well as an enhancement of its return data to aid off-chain and on-chain systems in handling and utilizing the checker.
Finally, as part of the adjustments necessary for the AvatarIsOwnerOfERC721 custom checker, our original audit report's exhibit TSE-01M has been alleviated.
We advise the Gnosis Guild team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Gnosis Guild team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Gnosis Guild and have identified that all exhibits have been adequately dealt with, with no outstanding issues remaining in the report.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| (severity icon not extracted) | 0 | 0 | 0 | 0 |
| (severity icon not extracted) | 7 | 2 | 0 | 5 |
| (severity icon not extracted) | 0 | 0 | 0 | 0 |
| (severity icon not extracted) | 3 | 3 | 0 | 0 |
| (severity icon not extracted) | 0 | 0 | 0 | 0 |
During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools as well as identified a total of 9 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: