| IERC20(baseToken).safeTransferFrom(_msgSender(), address(this), amount); | ||
|
|
||
| _increaseEcoLockAmount(account, amount); | ||
| } |
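Review bot: no access modifier is visible on this function even though it pulls baseToken from _msgSender() and credits the resulting lock to an arbitrary account, while the contract's other privileged entry points are gated with onlyRole(ADMIN_ROLE); restrict it to the caller that is meant to create eco locks (the merkle drop contract, via a role granted post-deploy) and add a test asserting that an unprivileged caller reverts, since otherwise any address can create permanent, non-withdrawable voting power for any account.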
stakeEcoLockFor lacks access control, allowing unauthorized eco locks
Medium Severity
stakeEcoLockFor has no access control, unlike other privileged functions in the contract that use onlyRole(ADMIN_ROLE). Anyone can call it to create permanent, non-withdrawable eco locks for any account, giving that account unwanted voting power. This also bypasses the merkle proof verification that CumulativeMerkleDrop provides. The function likely needs a role restriction so only authorized contracts (like the merkle drop) can create eco locks.
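The role-gated form that the comment above asks for, written here as an added illustration and not as the PR's own code; the role name ECO_LOCK_MANAGER_ROLE, the flat uint256 shape of the ecoLocks mapping, the zero checks and the OpenZeppelin import paths are assumptions, while baseToken, _increaseEcoLockAmount and the safeTransferFrom call are taken from the reviewed hunk:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

// Illustrative sketch of the eco-lock entry point; not the veVirtual contract itself.
abstract contract EcoLockGate is AccessControlUpgradeable {
    using SafeERC20 for IERC20;

    // Assumed role name: granted to the CumulativeMerkleDrop contract after deployment,
    // e.g. grantRole(ECO_LOCK_MANAGER_ROLE, address(merkleDrop)).
    bytes32 public constant ECO_LOCK_MANAGER_ROLE = keccak256("ECO_LOCK_MANAGER_ROLE");

    address public baseToken;
    // Simplified to a plain amount for the sketch; the real mapping holds a lock position.
    // As a public mapping it exposes the auto-getter ecoLocks(address).
    mapping(address => uint256) public ecoLocks;

    event EcoLockIncreased(address indexed account, address indexed payer, uint256 amount);

    // Before (as reviewed): no modifier, so any caller could create an eco lock for any account.
    // After: only a holder of ECO_LOCK_MANAGER_ROLE may call; the role check runs before any
    // token movement, so an unprivileged call reverts without side effects.
    function stakeEcoLockFor(address account, uint256 amount)
        external
        onlyRole(ECO_LOCK_MANAGER_ROLE)
    {
        require(account != address(0), "zero account");
        require(amount > 0, "zero amount");
        // Tokens are pulled from the authorised caller (the drop contract), not from `account`.
        IERC20(baseToken).safeTransferFrom(_msgSender(), address(this), amount);
        _increaseEcoLockAmount(account, amount);
        emit EcoLockIncreased(account, _msgSender(), amount);
    }

    function _increaseEcoLockAmount(address account, uint256 amount) internal {
        ecoLocks[account] += amount;
    }
}
```

A Hardhat test for this should call stakeEcoLockFor from an account without the role and expect the AccessControl revert, then grant the role to the drop contract and expect ecoLocks(account) to increase by exactly the transferred amount.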
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| const testEcoLock = await veVirtual.getEcoLock(ethers.ZeroAddress); | ||
| console.log("✅ getEcoLock function exists"); | ||
| } catch (error) { | ||
| console.warn("⚠️ getEcoLock function check failed:", error); |
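Review bot: the try/catch around veVirtual.getEcoLock(ethers.ZeroAddress) downgrades a missing function to a console.warn, so this verification step can never fail the upgrade run; call the getter the contract actually exposes (a public ecoLocks mapping yields ecoLocks(address), not getEcoLock) and rethrow or process.exit(1) in the catch instead of warning, so an implementation that lacks the eco-lock storage and logic aborts the script rather than printing a warning and continuing.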
Upgrade script references non-existent getEcoLock function
Low Severity
The upgrade verification step calls veVirtual.getEcoLock(ethers.ZeroAddress), but no getEcoLock function exists in the veVirtual contract. The public mapping ecoLocks generates an auto-getter named ecoLocks(address), not getEcoLock. This verification always silently fails (caught by try-catch), making it unable to confirm the upgrade actually included eco lock functionality.


Note
High Risk
Touches token custody and staking/voting-power accounting by adding a new claim-and-stake contract and a new lock type inside an upgradeable contract; mistakes could misallocate rewards or break balances/governance power.
Overview
Introduces an eco-trader rewards flow: a new CumulativeMerkleDrop contract verifies cumulative-amount Merkle proofs, tracks cumulativeClaimed, and auto-stakes newly-claimable amounts into veVirtual instead of transferring tokens to users.
Extends veVirtual with a per-user ecoLocks position (auto-renewing, max duration) that is included in balanceOfAt/stakedAmountOf, can be increased via stakeEcoLockFor, and is protected from being modified/withdrawn via the existing lock-management methods.
Adds Hardhat scripts for deploying the drop contract, generating Merkle roots/proofs, and upgrading veVirtual, updates the veVirtual deploy script to grant roles post-deploy, adds eco-trader integration tests, and updates dependencies/lockfiles plus .openzeppelin/base-sepolia.json for new deployments/layouts.
Written by Cursor Bugbot for commit c4af9d7.