Giter VIP home page Giter VIP logo

secret-daodao's Introduction

DAO Contracts

GitHub tag (with filter) GitHub contributors

GitHub commit activity (branch) codecov

Discord X (formerly Twitter) URL

DAO DAO DAO

This is a collection of smart contracts for building composable, modular, and upgradable DAOs.

For a detailed look at how these contracts work, see our wiki.

Overview

Every DAO is made up of three modules:

  1. A voting power module, which manages the voting power of DAO members.
  2. Any number of proposal modules, which manage proposals in the DAO.
  3. A core module, which holds the DAO treasury.

image

For example, voting power might be based on staked governance tokens, staked NFTs, or membership and proposal modules might implement yes/no, multiple-choice, or ranked-choice voting.

Each module type has a standard interface. As a result, any voting module can be used with any proposal module, and any proposal module with any voting module.

The best way to get started is to create a DAO! We maintain an open source frontend you can find at daodao.zone.

Audits

If you believe you have found a problem, please let us know.

DAO DAO has been audited by Oak Security on multiple occasions. You can find all the audit reports here.

v2.3.0 is the most recent DAO DAO release; only new feautres related to tokenfactory and improved NFT DAOs have been audited. Our most recently full audited release is v2.0.0. Vesting and payroll were added and audited in v2.1.0.

Audited contracts include:

Audited packages include:

Why?

Our institutions grew rapidly after 1970, but as time passed their priorities shifted from growth, to protectionism. We're fighting this. We believe The Internet is where the organizations of tomorrow will be built.

DAO DAO is a global community working on Internet governance, and a real DAO. We've never raised money, and all our work is open-source. We hope you'll join us.

Links and Resources

Developers

Information about our development workflow and how to contribute can be found in CONTRIBUTING.md.

Testing

Unit tests

Run cargo test, or just test from the project root to run the unit tests.

Integration tests

Run just bootstrap-dev to spin up a local environment and just integration-test-dev to run tests against it.

See ci/integration-tests/README.md for more information.

Disclaimer

DAO DAO TOOLING IS PROVIDED β€œAS IS”, AT YOUR OWN RISK, AND WITHOUT WARRANTIES OF ANY KIND. No developer or entity involved in creating the DAO DAO UI or smart contracts will be liable for any claims or damages whatsoever associated with your use, inability to use, or your interaction with other users of DAO DAO tooling, including any direct, indirect, incidental, special, exemplary, punitive or consequential damages, or loss of profits, cryptocurrencies, tokens, or anything else of value.

secret-daodao's People

Contributors

abhishek-1857 avatar slayeransh avatar ayushoo07 avatar gachouchani1999 avatar

Stargazers

DHOT Networks - Evolving Technologies... avatar

Watchers

Jack Swenson avatar Carlos Martinho avatar Mohammed Patla avatar

secret-daodao's Issues

RUSTSEC-2024-0336: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input

Details
Package rustls
Version 0.19.1
URL GHSA-6g7w-8wpp-frhj
Date 2024-04-19
Patched versions >=0.23.5,>=0.22.4, <0.23.0,>=0.21.11, <0.22.0

If a close_notify alert is received during a handshake, complete_io
does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io
and are not affected.

rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.

See advisory page for additional details.

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building

webpki: CPU denial of service in certificate path building

Details
Package webpki
Version 0.21.4
Date 2023-08-22
Patched versions >=0.22.2

When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in
<briansmith/webpki#69> and re-reported recently
by Luke Malinowski.

webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.

See advisory page for additional details.

RUSTSEC-2024-0344: Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`

Timing variability in curve25519-dalek's Scalar29::sub/Scalar52::sub

Details
Package curve25519-dalek
Version 3.2.0
URL dalek-cryptography/curve25519-dalek#659
Date 2024-06-18
Patched versions >=4.1.3

Timing variability of any kind is problematic when working with potentially secret values such as
elliptic curve scalars, and such issues can potentially leak private keys and other secrets. Such a
problem was recently discovered in curve25519-dalek.

The Scalar29::sub (32-bit) and Scalar52::sub (64-bit) functions contained usage of a mask value
inside a loop where LLVM saw an opportunity to insert a branch instruction (jns on x86) to
conditionally bypass this code section when the mask value is set to zero as can be seen in godbolt:

A similar problem was recently discovered in the Kyber reference implementation:

<https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3pbueBgAJ>

As discussed on that thread, one portable solution, which is also used in this PR, is to introduce a
volatile read as an optimization barrier, which prevents the compiler from optimizing it away.

The fix can be validated in godbolt here:

The problem was discovered and the solution independently verified by
Alexander Wagner <[email protected]> and Lea Themint <[email protected]> using
their DATA tool:

<https://github.com/Fraunhofer-AISEC/DATA>

See advisory page for additional details.

RUSTSEC-2024-0012: Stack overflow during recursive JSON parsing

Stack overflow during recursive JSON parsing

Details
Package serde-json-wasm
Version 0.4.1
Date 2024-01-24
Patched versions >=1.0.1,>=0.5.2, <1.0.0

When parsing untrusted, deeply nested JSON, the stack may overflow,
possibly enabling a Denial of Service attack.
This was fixed by adding a check for recursion depth.

See advisory page for additional details.

RUSTSEC-2022-0093: Double Public Key Signing Function Oracle Attack on `ed25519-dalek`

Double Public Key Signing Function Oracle Attack on ed25519-dalek

Details
Package ed25519-dalek
Version 1.0.1
URL https://github.com/MystenLabs/ed25519-unsafe-libs
Date 2022-06-11
Patched versions >=2

Versions of ed25519-dalek prior to v2.0 model private and public keys as
separate types which can be assembled into a Keypair, and also provide APIs
for serializing and deserializing 64-byte private/public keypairs.

Such APIs and serializations are inherently unsafe as the public key is one of
the inputs used in the deterministic computation of the S part of the signature,
but not in the R value. An adversary could somehow use the signing function as
an oracle that allows arbitrary public keys as input can obtain two signatures
for the same message sharing the same R and only differ on the S part.

Unfortunately, when this happens, one can easily extract the private key.

Revised public APIs in v2.0 of ed25519-dalek do NOT allow a decoupled
private/public keypair as signing input, except as part of specially labeled
"hazmat" APIs which are clearly labeled as being dangerous if misused.

See advisory page for additional details.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.