32 lines
1.6 KiB
Markdown
# HYBX OMNL — external audit checklist

Use this checklist with a third-party audit firm before high-value production use. Scope aligns with [SECURITY_THREAT_MODEL.md](SECURITY_THREAT_MODEL.md).

## Solidity (in scope)

- [ ] `PolicyMath.sol` — rounding, overflow, parameter bounds vs documented policy.
- [ ] `InstrumentRegistry.sol` — role changes, line lifecycle, token registration assumptions.
- [ ] `ReserveCommitmentStore.sol` — `commitReserve` / `commitReserveAttested`, ECDSA digest, replay, threshold logic.
- [ ] `ComplianceCore.sol` — `getCompliance` semantics vs `PolicyMath`, stale attestation, `reportingCompliant`.
- [ ] `OMNLCircuitBreaker.sol` — pause semantics, admin roles.
- [ ] `OMNLMirrorReceiver.sol` — CCIP payload decoding, selector allowlist, monotonic version.
- [ ] `OMNLMirrorCoordinator.sol` — native vs ERC-20 fee path, `approve`/`SafeERC20`, reentrancy surface (minimal).
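The following is an added illustration, not HYBX OMNL code: contract names, function signatures, the OpenZeppelin `ECDSA` import and the simplified CCIP message struct are all assumptions. It shows the properties behind the `commitReserveAttested` and `OMNLMirrorReceiver` items above, so an auditor has a concrete reference for what "replay", "threshold logic", "selector allowlist" and "monotonic version" should mean in the real contracts: a digest bound to chain id and verifying contract, a nonce consumed on success, an m-of-n threshold that cannot be met by repeating one attester's signature, a per-lane selector/sender allowlist, and a strictly increasing version per instrument.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not HYBX OMNL code. Contract and function names are assumed;
// only the audited properties (domain-bound digest, nonce, threshold, selector
// allowlist, monotonic version) come from the checklist.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

contract AttestedReserveStoreExample {
    bytes32 private constant COMMIT_TYPEHASH = keccak256(
        "ReserveCommit(bytes32 instrumentId,uint256 reserveAmount,uint256 nonce,uint256 deadline)"
    );
    // Binds every digest to this chain and this deployment, so a signature
    // collected for one chain cannot be replayed on another or on a redeploy.
    bytes32 public immutable DOMAIN_SEPARATOR;

    mapping(address => bool) public isAttester;
    uint256 public threshold; // m-of-n attesters required per commitment
    mapping(bytes32 => uint256) public nonces; // per instrument, consumed on success
    mapping(bytes32 => uint256) public committedReserve;

    event ReserveCommitted(bytes32 indexed instrumentId, uint256 reserveAmount, uint256 nonce);

    constructor(address[] memory attesters, uint256 threshold_) {
        require(threshold_ > 0 && threshold_ <= attesters.length, "bad threshold");
        for (uint256 i = 0; i < attesters.length; i++) {
            require(attesters[i] != address(0) && !isAttester[attesters[i]], "bad attester");
            isAttester[attesters[i]] = true;
        }
        threshold = threshold_;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("AttestedReserveStoreExample"), block.chainid, address(this)
        ));
    }

    function digest(bytes32 instrumentId, uint256 reserveAmount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(COMMIT_TYPEHASH, instrumentId, reserveAmount, nonce, deadline));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    // `signatures` must be ordered by strictly ascending signer address, which rules
    // out the same attester being counted twice toward the threshold.
    function commitReserveAttested(
        bytes32 instrumentId, uint256 reserveAmount, uint256 deadline, bytes[] calldata signatures
    ) external {
        require(block.timestamp <= deadline, "expired");
        require(signatures.length >= threshold, "below threshold");
        uint256 nonce = nonces[instrumentId];
        bytes32 h = digest(instrumentId, reserveAmount, nonce, deadline);
        address last = address(0);
        for (uint256 i = 0; i < signatures.length; i++) {
            address signer = ECDSA.recover(h, signatures[i]); // reverts on malformed or high-s signatures
            require(signer > last, "unsorted or duplicate signer");
            require(isAttester[signer], "not an attester");
            last = signer;
        }
        nonces[instrumentId] = nonce + 1; // the same signed payload can never be accepted again
        committedReserve[instrumentId] = reserveAmount;
        emit ReserveCommitted(instrumentId, reserveAmount, nonce);
    }
}

contract MirrorReceiverExample {
    // Simplified stand-in for the CCIP router's Any2EVMMessage (assumption; the real
    // struct also carries token amounts).
    struct Any2EVMMessage { bytes32 messageId; uint64 sourceChainSelector; bytes sender; bytes data; }

    address public immutable router;
    mapping(uint64 => address) public allowedSender; // lane allowlist: selector -> expected sender
    mapping(bytes32 => uint64) public lastVersion;   // per-instrument monotonic counter

    event Mirrored(bytes32 indexed instrumentId, uint64 version, uint256 reserveAmount);

    constructor(address router_, uint64[] memory selectors, address[] memory senders) {
        require(router_ != address(0) && selectors.length == senders.length, "bad config");
        router = router_;
        for (uint256 i = 0; i < selectors.length; i++) allowedSender[selectors[i]] = senders[i];
    }

    function ccipReceive(Any2EVMMessage memory m) external {
        require(msg.sender == router, "not router");
        address expected = allowedSender[m.sourceChainSelector]; // zero for unlisted selectors
        require(expected != address(0), "selector not allowed");
        require(m.sender.length == 32 && abi.decode(m.sender, (address)) == expected, "sender not allowed");
        (bytes32 instrumentId, uint64 version, uint256 reserveAmount) =
            abi.decode(m.data, (bytes32, uint64, uint256));
        // Strictly increasing version: a replayed or reordered older message is rejected.
        require(version > lastVersion[instrumentId], "stale version");
        lastVersion[instrumentId] = version;
        emit Mirrored(instrumentId, version, reserveAmount);
    }
}
```

The tests an auditor would expect against the real contracts follow directly from this shape: submitting the same signature set twice must fail on the consumed nonce, a digest produced with a different `block.chainid` or contract address must not recover to an attester, a set that reaches the threshold only by repeating one attester's signature must revert, and a mirror message with a version equal to or lower than the stored one must be rejected even when it arrives from the allowed router, selector and sender.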

## Operational evidence to provide auditors

- [ ] Deployed addresses per chain (138 / 651940) and verification on block explorers.
- [ ] Key ceremony summary (HSM / multisig); no plaintext prod keys in CI.
- [ ] CCIP lane configuration (router, selectors, fee token).
- [ ] Sample `ReserveCommitted` and mirror receive transactions on testnet/staging.

## Off-chain (optional scope)

- [ ] Token-aggregation OMNL routes — rate limits, `OMNL_API_KEY` usage, webhook HMAC verification at receivers.
- [ ] IPSAS registry / journal matrix change control (who can commit, how the hash is anchored).

## Sign-off

| Finding | Severity | Remediation | Retest date |
|---------|----------|-------------|-------------|
| | | | |