Use latest OZ dependency to patch DoS vuln for proposal creation

contracts/ArenaGovernor.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.10;
+pragma solidity 0.8.19;
 
 import "@openzeppelin/contracts/governance/Governor.sol";
 import "@openzeppelin/contracts/governance/extensions/GovernorSettings.sol";
@@ -47,7 +47,7 @@ contract ArenaGovernor is
     function getVotes(address account, uint256 blockNumber)
         public
         view
-        override(IGovernor, GovernorVotes)
+        override(IGovernor, Governor)
         returns (uint256)
     {
         return super.getVotes(account, blockNumber);
@@ -80,6 +80,15 @@ contract ArenaGovernor is
         return super.propose(targets, values, calldatas, description);
     }
 
+    function cancel(
+        address[] memory targets,
+        uint256[] memory values,
+        bytes[] memory calldatas,
+        bytes32 descriptionHash
+    ) public override(IGovernor, Governor, GovernorCompatibilityBravo) returns (uint256) {
+        return super.cancel(targets, values, calldatas, descriptionHash);
+    }
+
     function proposalThreshold()
         public
         view
@@ -112,9 +121,10 @@ contract ArenaGovernor is
         uint256 proposalId,
         address account,
         uint8 support,
-        string memory reason
+        string memory reason,
+        bytes memory params
     ) internal override(Governor, GovernorPreventLateQuorum) returns (uint256) {
-        return super._castVote(proposalId, account, support, reason);
+        return super._castVote(proposalId, account, support, reason, params);
     }
 
     function _executor()

deployments/polygonAddresses.json

@@ -4,6 +4,7 @@
   "tokenLock": "0xB17828789280C77C17B02fc8E6F20Ddc5721f2C2",
   "timelock": "0xdFB26381aFBc37f0Fae4A77D385b91B90347aA12",
   "governorV1": "0xc6eaDcC36aFcf1C430962506ad79145aD5140E58",
-  "governor": "0x4Db7E521942BDA8b1fB1B310280135ba4B9c2bee",
+  "governorV2": "0x4Db7E521942BDA8b1fB1B310280135ba4B9c2bee",
+  "governorLatest": "0xd8c32446d8a3f17df5c7d38cdd3e78696434cf4a",
   "tokenSale": "0xD0e7d5a2220e32914540D97A6D0548658050180b"
 }

hardhat.config.ts

@@ -18,13 +18,26 @@ dotenv.config();
 
 const config: HardhatUserConfig = {
   solidity: {
-    version: '0.8.10',
-    settings: {
-      optimizer: {
-        enabled: true,
-        runs: 999999,
+    compilers: [
+      {
+        version: '0.8.10',
+        settings: {
+          optimizer: {
+          enabled: true,
+          runs: 999999,
+          },
+        },
       },
-    },
+      {
+        version: '0.8.19',
+        settings: {
+          optimizer: {
+            enabled: true,
+            runs: 24999
+          }
+        }
+      }
+    ]
   },
   networks: {
     hardhat: {

package.json

@@ -31,7 +31,7 @@
     "@nomiclabs/hardhat-ethers": "^2.0.4",
     "@nomiclabs/hardhat-etherscan": "3.0.3",
     "@nomiclabs/hardhat-waffle": "^2.0.0",
-    "@openzeppelin/contracts": "^4.5.0",
+    "@openzeppelin/contracts": "^4.9.1",
     "@typechain/ethers-v5": "^9.0.0",
     "@typechain/hardhat": "^4.0.0",
     "@types/chai": "^4.2.21",

scripts/deploy/deployGov.ts → scripts/deploy/deployFull.ts

@@ -26,7 +26,7 @@ const ADMIN_ROLE = '0x5f58e3a2316349923ce3780f8d587db2d72378aed66a8261c916544fa6
 const PROPOSER_ROLE = '0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1';
 const EXECUTOR_ROLE = '0xd8aa0f3194971a2a116679f7c2090f6939c8d4e01a2a8d7e41d55e5351469e63';
 
-export async function deployGov(hre: HardhatRuntimeEnvironment) {
+export async function deployFull(hre: HardhatRuntimeEnvironment) {
   const networkId = hre.network.config.chainId as number;
   const [deployer] = await hre.ethers.getSigners();
   deployerAddress = await deployer.getAddress();

scripts/deploy/index.ts

@@ -1,10 +1,15 @@
 import {task} from 'hardhat/config';
 
-task('deployGov', 'deploy governance and token contracts').setAction(async (taskArgs, hre) => {
+task('deployFull', 'deploy governance (timelock + governor) and token contracts').setAction(async (taskArgs, hre) => {
   // only load this file when task is run because it depends on typechain built artifacts
   // which will create a circular dependency when required by hardhat.config.ts for first compilation
-  const {deployGov} = await import('./deployGov');
-  await deployGov(hre);
+  const {deployFull} = await import('./deployFull');
+  await deployFull(hre);
+});
+
+task('upgradeGov', 'deploy ArenaGovernor').setAction(async (taskArgs, hre) => {
+  const {upgradeGov} = await import('./upgradeGov');
+  await upgradeGov(hre);
 });
 
 task('deployTokenSale', 'deploy token sale and make proposal for relevant actions').setAction(async (taskArgs, hre) => {

scripts/deploy/upgradeGov.ts

@@ -0,0 +1,32 @@
+import {ArenaGovernor__factory, ArenaGovernor} from '../../typechain';
+
+import deployedAddrsJson from '../../deployments/polygonAddresses.json';
+import {HardhatRuntimeEnvironment} from 'hardhat/types';
+import {verifyContract} from './verify';
+
+let deployerAddress: string;
+let governor: ArenaGovernor;
+
+export async function upgradeGov(hre: HardhatRuntimeEnvironment) {
+  const networkId = hre.network.config.chainId as number;
+  const [deployer] = await hre.ethers.getSigners();
+  deployerAddress = await deployer.getAddress();
+  console.log(`Deployer: ${deployerAddress}`);
+
+  console.log(`token address: ${deployedAddrsJson.token}`);
+  console.log(`timelock address: ${deployedAddrsJson.timelock}`);
+
+  console.log(`deploying governor...`);
+  const ArenaGovernorFactory = (await hre.ethers.getContractFactory('ArenaGovernor')) as ArenaGovernor__factory;
+  governor = await ArenaGovernorFactory.deploy(deployedAddrsJson.token, deployedAddrsJson.timelock);
+  await governor.deployed();
+  console.log(`governor address: ${governor.address}`);
+
+  console.log(`sleeping for 30s...`);
+  // sleep for 30s for network propagation
+  await new Promise((f) => setTimeout(f, 30_000));
+
+  console.log('verifying address on etherscan...');
+  await verifyContract(hre, governor.address, [deployedAddrsJson.token, deployedAddrsJson.timelock]);
+  process.exit(0);
+}

scripts/proposals/simulateExistingProposal.ts

@@ -2,6 +2,9 @@ import {HardhatRuntimeEnvironment} from 'hardhat/types';
 import {getPolygonContracts, getForkParams} from '../../shared/Forking';
 import {createAndExecuteProposal} from '../../shared/Governance';
 
+// Eg commands:
+// nvm use 16.16
+// yarn hardhat simulateExistingProposal --id 93022684150159074125678303578919779638229937046863883601906649520845717660577
 export async function simulateExistingProposal(proposalId: string, hre: HardhatRuntimeEnvironment) {
   const [user] = await hre.ethers.getSigners();
   const deployment = getPolygonContracts(user);

tsconfig.json

@@ -3,6 +3,7 @@
     "target": "es2018",
     "module": "commonjs",
     "strict": true,
+    "resolveJsonModule": true,
     "esModuleInterop": true,
     "outDir": "dist",
     "declaration": true

yarn.lock

@@ -663,10 +663,10 @@
     "@types/sinon-chai" "^3.2.3"
     "@types/web3" "1.0.19"
 
-"@openzeppelin/contracts@^4.5.0":
-  version "4.5.0"
-  resolved "https://registry.yarnpkg.com/@openzeppelin/contracts/-/contracts-4.5.0.tgz#3fd75d57de172b3743cdfc1206883f56430409cc"
-  integrity sha512-fdkzKPYMjrRiPK6K4y64e6GzULR7R7RwxSigHS8DDp7aWDeoReqsQI+cxHV1UuhAqX69L1lAaWDxenfP+xiqzA==
+"@openzeppelin/contracts@^4.9.1":
+  version "4.9.1"
+  resolved "https://registry.yarnpkg.com/@openzeppelin/contracts/-/contracts-4.9.1.tgz#afa804d2c68398704b0175acc94d91a54f203645"
+  integrity sha512-aLDTLu/If1qYIFW5g4ZibuQaUsFGWQPBq1mZKp/txaebUnGHDmmiBhRLY1tDNedN0m+fJtKZ1zAODS9Yk+V6uA==
 
 "@resolver-engine/core@^0.3.3":
   version "0.3.3"