OpenZeppelin defender fixes

[minghinmatthewlam]

Why this should be merged

Fixes #186

How this works

Handles fixes from the most recent report that are applicable:

• missing docstrings
• consistency of msg.sender vs _msgSender to support EIP2771 meta transactions
• additional indexed parameters i.e. event UnlockTokens
• lack of security contact
• adding ReceiptReceived event
• literal number with many digits
• unused events
• named return variables
• write array length to stack for forloops to save gas
• variables are initialized to default values and uses more gas i.e. uint256 val = 0;
• _nativeMinter can be made constant

How this was tested

Unit + e2e test updates
CI

How is this documented

TODO

[michaelkaplan13]

👍 These are all great.

Left one super small nit, and one comment about how we'll need to update the E2E test that is failing.

[michaelkaplan13]

I think the issue here is that, depending on the order that the tests are run in, the receipt queues have pre-existing state prior to a test starting. This makes it difficult to assert that a specific message will have a specific receipt at a given index.

2023-12-22T00:26:56.5997803Z       <*big.Int | 0xc0001c3360>: {neg: false, abs: [4]}
2023-12-22T00:26:56.5998247Z   to equal
2023-12-22T00:26:56.5999061Z       <*big.Int | 0xc00044c7a0>: {neg: false, abs: [5]}�[0m
2023-12-22T00:26:56.6001273Z   �[38;5;9mIn �[1m[It]�[0m�[38;5;9m at: �[1m/home/runner/work/teleporter/teleporter/tests/flows/basic_send_receive.go:105�[0m �[38;5;243m@ 12/22/23 00:26:56.599�[0m
2023-12-22T00:26:56.6002668Z 
2023-12-22T00:26:56.6003052Z   �[38;5;9mFull Stack Trace�[0m
2023-12-22T00:26:56.6004080Z     github.com/ava-labs/teleporter/tests/flows.BasicSendReceive({0x1edd8c0, 0xc0012f5c20})
2023-12-22T00:26:56.6005544Z     	/home/runner/work/teleporter/teleporter/tests/flows/basic_send_receive.go:105 +0xac2
2023-12-22T00:26:56.6007069Z     github.com/ava-labs/teleporter/tests/local.glob..func3.6()
2023-12-22T00:26:56.6008395Z     	/home/runner/work/teleporter/teleporter/tests/local/e2e_test.go:78 +0x27
2023-12-22T00:26:56.6010518Z   < Exit �[1m[It]�[0m Send a message from Subnet A to Subnet B, and one from B to A �[38;5;243m- /home/runner/work/teleporter/teleporter/tests/local/e2e_test.go:77 @ 12/22/23 00:26:56.599 (7.104s)�[0m
2023-12-22T00:26:56.6014665Z �[38;5;9m• [FAILED] [7.104 seconds]�[0m
2023-12-22T00:26:56.6015121Z [Teleporter integration tests]
2023-12-22T00:26:56.6015971Z �[38;5;243m/home/runner/work/teleporter/teleporter/tests/local/e2e_test.go:58�[0m
2023-12-22T00:26:56.6017402Z   �[38;5;9m�[1m[It] Send a message from Subnet A to Subnet B, and one from B to A�[0m
2023-12-22T00:26:56.6018549Z   �[38;5;243m/home/runner/work/teleporter/teleporter/tests/local/e2e_test.go:77�[0m

[michaelkaplan13]

We have a semi-hacky workaround for this in the send specific receipts test here, which involves sending messages to clear the receipt queues prior to proceeding with a test. This is only done in the case of a local network, which is ensure to have a reasonable receipt queue size.

[minghinmatthewlam]

added a check for the ReceiptReceived event emission

[geoff-vball]

Definitely agree with the change to constant vs immutable here. Is there a gas-usage benefit the making it public?

[minghinmatthewlam]

no gas benefits, I'm going to change it back to private.

[minghinmatthewlam]

nvm updated back to public, to keep in convention with our other Warp precompile declarations

[bernard-avalabs]

LGTM

[cam-schultz]

LGTM, just one question about named return parameters.

[cam-schultz]

I agree that we should remove named return parameters for the sake of readability, but I'm curious if there are any gas benefits one way or the other? The OZ report does not specify.

[minghinmatthewlam]

from the gas reports didn't notice gas changes, think that makes sense since under the hood the named return parameters are likely the same as declaring a new local variable.

[openzeppelin-code]

OpenZeppelin defender fixes

Generated at commit: 49b61509783fc61e58a4cf775d012616428f5e38

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	0 0 0 5 19 24
Dependencies	Critical High Medium Low Note Total	0 0 0 1 34 35

---

For more details view the full report in OpenZeppelin Code Inspector

[michaelkaplan13]

In order to not depend on the order that tests run, I think we should clear the receipt queue at the start of this flow. Otherwise, other tests may send messages that cause the receipt queue length to be >5 at the start of this flow, and the first message sent back may not have this specific receipt.

[minghinmatthewlam]

moved the ClearReceiptQueue into a utils function and call in flow if not an external network

[michaelkaplan13]

Is the OpenZeppelin submodule version used easy to update here to close this item?

[michaelkaplan13]

I think this item is small enough to address in this PR also:

[geoff-vball]

@michaelkaplan13 our openzepplin submode is at version v4.8.1 and subnet-evm is using v4.9.3

[michaelkaplan13]

@michaelkaplan13 our openzepplin submode is at version v4.8.1 and subnet-evm is using v4.9.3

Ah, thanks. I should have checked myself. I was assuming it was a more recent fix published for that issue.

Now I'm confused why that OpenZeppelin report item is listed at all then. Do we think it's a pure false positive?

[geoff-vball]

@michaelkaplan13 Actually, https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable is a separate repo. I don't see anywhere that a specific version is being included or even used anywhere though.

[minghinmatthewlam]

I think this item is small enough to address in this PR also:

only the first two apply, updated.

[minghinmatthewlam]

Is the OpenZeppelin submodule version used easy to update here to close this item?

@michaelkaplan13 this looks to be a false positive. If you click into the link attached in the alert GHSA-9c22-pwxw-p6hx, it specifies @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. We only use the first package, and as @geoff-vball pointed out the versions we use are >v4.4.1