@RembrandtK (Contributor) commented Nov 17, 2025

Rebase of #1244.

Rewards Eligibility Oracle contracts, see: packages/issuance/contracts/eligibility/RewardsEligibilityOracle.md

Cherry-picked from ec0c984 (issuance-baseline-2/3)
Rebased onto main with regenerated lockfile

socket-security bot commented Nov 17, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @nomicfoundation/hardhat-toolbox@5.0.0 | 98 | 100 | 76 | 89 | 100 |
| Added | debug@4.4.3 | 100 | 100 | 100 | 83 | 100 |
| Added | @openzeppelin/hardhat-upgrades@3.9.1 | 99 | 100 | 100 | 87 | 100 |
| Added | hardhat@2.26.3 | 94 | 100 | 91 | 97 | 80 |

openzeppelin-code bot commented Nov 17, 2025

Rewards Eligibility Oracle (REO) (rebased)

Generated at commit: ff2f00a62a491d6cdab1bd4fad54bb42f36f5aef

🚨 Report Summary

Severity Level Results

| | Critical | High | Medium | Low | Note | Total |
|---|---|---|---|---|---|---|
| Contracts | 3 | 5 | 0 | 14 | 38 | 60 |
| Dependencies | 0 | 0 | 0 | 0 | 0 | 0 |

For more details view the full report in OpenZeppelin Code Inspector


codecov bot commented Nov 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.07%. Comparing base (380f6ad) to head (ff2f00a).
⚠️ Report is 21 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1256      +/-   ##
==========================================
+ Coverage   84.05%   85.07%   +1.02%     
==========================================
  Files          42       44       +2     
  Lines        2070     2178     +108     
  Branches      615      649      +34     
==========================================
+ Hits         1740     1853     +113     
+ Misses        330      325       -5     

| Flag | Coverage Δ |
|---|---|
| unittests | 85.07% <100.00%> (+1.02%) ⬆️ |


Addresses audit finding TRST-L-1 by documenting the behavior when
eligibility period is set to an extremely large value. For never-
registered indexers with zero timestamp, when eligibilityPeriod is
large enough that (block.timestamp < 0 + eligibilityPeriod) evaluates
to true, all indexers become eligible.

- Added NatSpec documentation to isEligible() function
- Updated contract-level documentation
- Added detailed edge case section to RewardsEligibilityOracle.md
- Added comprehensive test validating the edge case behavior
…s (TRST-L-2)

Add comprehensive documentation for TRST-L-2 race condition where
configuration changes (reducing eligibility period or enabling validation)
can cause indexers to permanently lose rewards if their claim transactions
are in-flight when the change occurs.

Changes include:
- NatSpec warnings on setEligibilityPeriod() and setEligibilityValidation()
- Contract-level security warning in RewardsEligibilityOracle
- Operational considerations section in documentation with mitigation strategies
- Monitoring guidance for operators and indexers

No code changes - mitigation relies on operational practices.
…wing (#1268)

Replace vm.assume with bounded inputs to fix "vm.assume rejected too many inputs" error.
The previous implementation used overly restrictive constraints that caused the fuzzer
to reject most random inputs. Now limits amountThawing and amountCollected to half of
MAX_STAKING_TOKENS, guaranteeing valid deposit ranges while maintaining test coverage.
- Change 'eligible period' to 'eligibility period' for consistency
- Fix 'have confidence is being able' to 'have confidence in being able'
- Fix 'have a good transparency' to 'have good transparency'
- Change 'Reward Manager' to 'RewardsManager' for correct contract naming
…e-4-fix

REO: Documentation fixes for audit issues TRST-L-1 and TRST-L-2

Updated audit confirms issues addressed (via documentation) and audit is complete.
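
An added example, not code from this pull request or from the contract: a JavaScript model of the comparison quoted in the TRST-L-1 commit message, used to flag an eligibility period that admits never-registered indexers and to list the indexers that a configuration change of the kind described under TRST-L-2 would make ineligible. The function names, the meaning given to the validation flag, and the sample timestamps are assumptions constructed for illustration.

```javascript
// Added model for illustration; not the RewardsEligibilityOracle source.
// Only the comparison block.timestamp < renewedAt + eligibilityPeriod is taken
// from the commit message. Every name here is hypothetical. BigInt stands in
// for uint256; Solidity overflow behaviour is not modelled.

// A never-registered indexer has renewedAt = 0n.
function isEligible(now, renewedAt, config) {
  // Assumption: with validation disabled, every indexer is treated as eligible.
  if (!config.validation) return true;
  return now < renewedAt + config.period;
}

// TRST-L-1: true when the period is so large that the zero-timestamp case
// passes, which makes every address eligible.
function periodAdmitsUnregistered(now, period) {
  return isEligible(now, 0n, { period, validation: true });
}

// TRST-L-2: indexers eligible under the current config that the proposed
// config would make ineligible. Their in-flight claims are the ones at risk.
function indexersLosingEligibility(now, renewals, current, proposed) {
  return Object.entries(renewals)
    .filter(([, renewedAt]) =>
      isEligible(now, renewedAt, current) && !isEligible(now, renewedAt, proposed))
    .map(([indexer]) => indexer)
    .sort();
}

// Constructed sample data (not from the page).
const DAY = 86400n;
const NOW = 1765900000n; // sample block timestamp
const RENEWALS = {
  "indexer-a": NOW - 2n * DAY,
  "indexer-b": NOW - 10n * DAY,
  "indexer-c": 0n, // never registered
};

function demo() {
  const current = { period: 14n * DAY, validation: true };
  const proposed = { period: 7n * DAY, validation: true };
  return {
    hugePeriod: periodAdmitsUnregistered(NOW, NOW + 1n),
    normalPeriod: periodAdmitsUnregistered(NOW, current.period),
    losing: indexersLosingEligibility(NOW, RENEWALS, current, proposed),
  };
}

console.log(demo());
```

Running the second check against the current renewal timestamps before changing the period or enabling validation gives operators the list of indexers to notify first.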
@RembrandtK RembrandtK marked this pull request as ready for review December 16, 2025 15:30
@RembrandtK RembrandtK requested a review from tmigone December 16, 2025 15:49