chore: sync submodule state (parent ref update)

Made-with: Cursor
2026-03-02 12:14:14 -08:00
parent b6a776e5d7
commit 25c96e210a
316 changed files with 29779 additions and 677 deletions
--- a/docs/SECURITY_AUDIT_PREPARATION.md
+++ b/docs/SECURITY_AUDIT_PREPARATION.md
@@ -0,0 +1,267 @@
+# Security Audit Preparation - Smart Accounts
+
+**Date**: 2026-01-26  
+**Network**: ChainID 138 (SMOM-DBIS-138)
+
+---
+
+## Overview
+
+This document outlines the security audit preparation for Smart Accounts Kit integration contracts.
+
+---
+
+## Contracts to Audit
+
+### 1. AccountWalletRegistryExtended
+
+**File**: `contracts/smart-accounts/AccountWalletRegistryExtended.sol`
+
+**Key Functions**:
+- `linkSmartAccount()` - Links smart account to fiat account
+- `isSmartAccount()` - Checks if wallet is smart account
+- `setSmartAccountFactory()` - Updates factory address
+- `setEntryPoint()` - Updates EntryPoint address
+
+**Security Concerns**:
+- Access control (role-based)
+- Input validation
+- Smart account verification
+- Reentrancy protection
+
+---
+
+### 2. Smart Accounts Kit Contracts (External)
+
+**Contracts**:
+- EntryPoint (ERC-4337)
+- AccountFactory
+- Paymaster (optional)
+
+**Note**: These are external contracts from MetaMask Smart Accounts Kit. Review their security audits.
+
+---
+
+## Audit Checklist
+
+### Access Control
+
+- [ ] Role-based access control implemented correctly
+- [ ] Admin functions protected
+- [ ] Role assignment verified
+- [ ] Role revocation works correctly
+
+### Input Validation
+
+- [ ] Zero address checks
+- [ ] Parameter validation
+- [ ] Array bounds checking
+- [ ] Type validation
+
+### Smart Account Verification
+
+- [ ] Contract detection works correctly
+- [ ] Smart account validation
+- [ ] Address format validation
+- [ ] Duplicate prevention
+
+### Reentrancy Protection
+
+- [ ] Reentrancy guards in place
+- [ ] State changes before external calls
+- [ ] Checks-Effects-Interactions pattern
+
+### Gas Optimization
+
+- [ ] Gas-efficient storage patterns
+- [ ] Loop optimization
+- [ ] Unnecessary operations removed
+
+### Event Emission
+
+- [ ] All state changes emit events
+- [ ] Event parameters complete
+- [ ] Indexed parameters for filtering
+
+---
+
+## Known Security Considerations
+
+### 1. Smart Account Verification
+
+**Risk**: EOA could be mistaken for smart account
+
+**Mitigation**: 
+- Check `extcodesize` > 0
+- Verify contract has code
+
+### 2. Factory Address Updates
+
+**Risk**: Malicious factory address
+
+**Mitigation**:
+- Admin-only function
+- Verify factory address before update
+- Consider timelock for critical updates
+
+### 3. EntryPoint Address Updates
+
+**Risk**: Malicious EntryPoint address
+
+**Mitigation**:
+- Admin-only function
+- Verify EntryPoint address
+- Consider timelock for critical updates
+
+---
+
+## Testing Requirements
+
+### Unit Tests
+
+- [ ] Access control tests
+- [ ] Input validation tests
+- [ ] Smart account detection tests
+- [ ] Edge case tests
+
+### Integration Tests
+
+- [ ] End-to-end flow tests
+- [ ] Multi-contract interaction tests
+- [ ] Failure mode tests
+
+### Fuzz Tests
+
+- [ ] Fuzz input parameters
+- [ ] Fuzz state transitions
+- [ ] Fuzz edge cases
+
+### Invariant Tests
+
+- [ ] State invariants
+- [ ] Access control invariants
+- [ ] Data consistency invariants
+
+---
+
+## Audit Deliverables
+
+### 1. Code Documentation
+
+- [ ] NatSpec comments on all functions
+- [ ] Architecture documentation
+- [ ] Security considerations documented
+
+### 2. Test Coverage
+
+- [ ] Unit test coverage > 90%
+- [ ] Integration test coverage > 80%
+- [ ] Fuzz test coverage
+- [ ] Invariant test coverage
+
+### 3. Security Documentation
+
+- [ ] Threat model
+- [ ] Security assumptions
+- [ ] Known limitations
+- [ ] Risk assessment
+
+---
+
+## Recommended Audit Firms
+
+### Smart Contract Auditors
+
+1. **Trail of Bits**
+   - Experience with account abstraction
+   - ERC-4337 expertise
+
+2. **OpenZeppelin**
+   - Smart account experience
+   - Access control expertise
+
+3. **Consensys Diligence**
+   - MetaMask integration experience
+   - Security best practices
+
+4. **CertiK**
+   - Comprehensive audits
+   - Formal verification
+
+---
+
+## Audit Scope
+
+### In Scope
+
+- AccountWalletRegistryExtended contract
+- Integration with existing AccountWalletRegistry
+- Smart account linking logic
+- Access control implementation
+
+### Out of Scope
+
+- MetaMask Smart Accounts Kit contracts (external)
+- EntryPoint contract (external, already audited)
+- AccountFactory contract (external, already audited)
+- Paymaster contract (external, optional)
+
+---
+
+## Pre-Audit Checklist
+
+### Code Quality
+
+- [ ] Code formatted (forge fmt)
+- [ ] No compiler warnings
+- [ ] All tests passing
+- [ ] Documentation complete
+
+### Security
+
+- [ ] Slither analysis run
+- [ ] Mythril analysis run
+- [ ] Manual security review
+- [ ] Known issues documented
+
+### Testing
+
+- [ ] Unit tests complete
+- [ ] Integration tests complete
+- [ ] Fuzz tests complete
+- [ ] Coverage > 90%
+
+---
+
+## Post-Audit Actions
+
+### 1. Address Findings
+
+- [ ] Review audit report
+- [ ] Prioritize findings
+- [ ] Fix critical issues
+- [ ] Fix high-priority issues
+- [ ] Document medium/low issues
+
+### 2. Re-testing
+
+- [ ] Re-run all tests
+- [ ] Verify fixes
+- [ ] Update documentation
+
+### 3. Re-audit (if needed)
+
+- [ ] Schedule re-audit for critical fixes
+- [ ] Verify all issues resolved
+
+---
+
+## Resources
+
+- [OpenZeppelin Security Best Practices](https://docs.openzeppelin.com/contracts/security)
+- [Consensys Best Practices](https://consensys.github.io/smart-contract-best-practices/)
+- [Trail of Bits Security Guide](https://github.com/crytic/building-secure-contracts)
+
+---
+
+**Last Updated**: 2026-01-26