diff --git a/README.md b/README.md index 29eb4d29a..67a6a6a9c 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,9 @@ With Zeppelin, you can build distributed applications, protocols and organizatio ## Getting Started -Zeppelin integrates with [Truffle](https://github.com/ConsenSys/truffle), an Ethereum development environment. Please [install Truffle](https://github.com/ConsenSys/truffle#install) and initialize your project with `truffle init`. +Zeppelin integrates with [Truffle](https://github.com/ConsenSys/truffle), an Ethereum development environment. Please install Truffle and initialize your project with `truffle init`. ```sh -sudo npm install -g truffle +npm install -g truffle mkdir myproject && cd myproject truffle init ``` @@ -34,74 +34,6 @@ contract MyContract is Ownable { > NOTE: The current distribution channel is npm, which is not ideal. [We're looking into providing a better tool for code distribution](https://github.com/OpenZeppelin/zeppelin-solidity/issues/13), and ideas are welcome. -## Add your own bounty contract - -To create a bounty for your contract, inherit from the base Bounty contract and provide an implementation for `deployContract()` returning the new contract address. - -``` -import "./zeppelin/Bounty.sol"; -import "./YourContract.sol"; - -contract YourBounty is Bounty { - function deployContract() internal returns(address) { - return new YourContract() - } -} -``` - -### Implement invariant logic into your smart contract - -At contracts/YourContract.sol - -``` -contract YourContract { - function checkInvariant() returns(bool) { - // Implement your logic to make sure that none of the state is broken. - } -} -``` - -### Deploy your bounty contract as usual - -At `migrations/2_deploy_contracts.js` - -``` -module.exports = function(deployer) { - deployer.deploy(YourContract); - deployer.deploy(YourBounty); -}; -``` - -### Add a reward to the bounty contract - -After deploying the contract, send rewards money into the bounty contract. - -From `truffle console` - -``` -address = 'your account address' -reward = 'reward to pay to a researcher' - -web3.eth.sendTransaction({ - from:address, - to:bounty.address, - value: web3.toWei(reward, "ether") -} - -``` - -### Researchers hack the contract and claim their reward. - -For each researcher who wants to hack the contract and claims the reward, refer to our [test](./test/Bounty.js) for the detail. - -### Ends the contract - -If you manage to protect your contract from security researchers and wants to end the bounty, kill the contract so that all the rewards go back to the owner of the bounty contract. - -``` -bounty.kill() -``` - #### Truffle Beta Support We also support Truffle Beta npm integration. If you're using Truffle Beta, the contracts in `node_modules` will be enough, so feel free to delete the copies at your `contracts` folder. If you're using Truffle Beta, you can use Zeppelin contracts like so: @@ -115,38 +47,12 @@ contract MyContract is Ownable { For more info see [the Truffle Beta package management tutorial](http://truffleframework.com/tutorials/package-management). + ## Security Zeppelin is meant to provide secure, tested and community-audited code, but please use common sense when doing anything that deals with real money! We take no responsibility for your implementation decisions and any security problem you might experience. If you find a security issue, please email [security@openzeppelin.org](mailto:security@openzeppelin.org). -## Developer Resources - -Building a distributed application, protocol or organization with Zeppelin? - -- Ask for help and follow progress at: https://zeppelin-slackin.herokuapp.com/ - -Interested in contributing to Zeppelin? - -- Framework proposal and roadmap: https://medium.com/zeppelin-blog/zeppelin-framework-proposal-and-development-roadmap-fdfa9a3a32ab#.iain47pak -- Issue tracker: https://github.com/OpenZeppelin/zeppelin-solidity/issues -- Contribution guidelines: https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/CONTRIBUTING.md - -## Collaborating organizations and audits by Zeppelin -- [Golem](https://golem.network/) -- [Mediachain](https://golem.network/) -- [Truffle](http://truffleframework.com/) -- [Firstblood](http://firstblood.io/) -- [Rootstock](http://www.rsk.co/) -- [Consensys](https://consensys.net/) -- [DigixGlobal](https://www.dgx.io/) -- [Coinfund](https://coinfund.io/) -- [DemocracyEarth](http://democracy.earth/) -- [Signatura](https://signatura.co/) -- [Ether.camp](http://www.ether.camp/) - -among others... - ## Contracts ### Ownable @@ -253,10 +159,9 @@ ___ ### StandardToken Based on code by FirstBlood: [FirstBloodToken.sol] -Inherits from contract SafeMath. Implementation of abstract contract ERC20 (see [https://github.com/ethereum/EIPs/issues/20]) +Inherits from contract SafeMath. Implementation of abstract contract ERC20 (see https://github.com/ethereum/EIPs/issues/20) [FirstBloodToken.sol]: https://github.com/Firstbloodio/token/blob/master/smart_contract/FirstBloodToken.sol -[https://github.com/ethereum/EIPs/issues/20]: see https://github.com/ethereum/EIPs/issues/20 #### approve(address _spender, uint _value) returns (bool success) Sets the amount of the sender's token balance that the passed address is approved to use. @@ -295,5 +200,104 @@ Creates tokens based on message value and credits to the recipient. #### getPrice() constant returns (uint result) Returns the amount of tokens per 1 ether. + +___ +### Bounty +To create a bounty for your contract, inherit from the base `Bounty` contract and provide an implementation for `deployContract()` returning the new contract address. + +``` +import {Bounty, Target} from "./zeppelin/Bounty.sol"; +import "./YourContract.sol"; + +contract YourBounty is Bounty { + function deployContract() internal returns(address) { + return new YourContract() + } +} +``` + +Next, implement invariant logic into your smart contract. +Your main contract should inherit from the Target class and implement the checkInvariant method. This is a function that should check everything your contract assumes to be true all the time. If this function returns false, it means your contract was broken in some way and is in an inconsistent state. This is what security researchers will try to acomplish when trying to get the bounty. + +At contracts/YourContract.sol + +``` +import {Bounty, Target} from "./zeppelin/Bounty.sol"; +contract YourContract is Target { + function checkInvariant() returns(bool) { + // Implement your logic to make sure that none of the invariants are broken. + } +} +``` + +Next, deploy your bounty contract along with your main contract to the network. + +At `migrations/2_deploy_contracts.js` + +``` +module.exports = function(deployer) { + deployer.deploy(YourContract); + deployer.deploy(YourBounty); +}; +``` + +Next, add a reward to the bounty contract + +After deploying the contract, send reward funds into the bounty contract. + +From `truffle console` + +``` +bounty = YourBounty.deployed(); +address = 0xb9f68f96cde3b895cc9f6b14b856081b41cb96f1; // your account address +reward = 5; // reward to pay to a researcher who breaks your contract + +web3.eth.sendTransaction({ + from: address, + to: bounty.address, + value: web3.toWei(reward, "ether") +}) + +``` + +If researchers break the contract, they can claim their reward. + +For each researcher who wants to hack the contract and claims the reward, refer to our [test](./test/Bounty.js) for the detail. + +Finally, if you manage to protect your contract from security researchers, you can reclaim the bounty funds. To end the bounty, kill the contract so that all the rewards go back to the owner. + +``` +bounty.kill(); +``` + + +## More Developer Resources + +Building a distributed application, protocol or organization with Zeppelin? + +- Ask for help and follow progress at: https://zeppelin-slackin.herokuapp.com/ + +Interested in contributing to Zeppelin? + +- Framework proposal and roadmap: https://medium.com/zeppelin-blog/zeppelin-framework-proposal-and-development-roadmap-fdfa9a3a32ab#.iain47pak +- Issue tracker: https://github.com/OpenZeppelin/zeppelin-solidity/issues +- Contribution guidelines: https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/CONTRIBUTING.md + +## Collaborating organizations and audits by Zeppelin +- [Golem](https://golem.network/) +- [Mediachain](https://golem.network/) +- [Truffle](http://truffleframework.com/) +- [Firstblood](http://firstblood.io/) +- [Rootstock](http://www.rsk.co/) +- [Consensys](https://consensys.net/) +- [DigixGlobal](https://www.dgx.io/) +- [Coinfund](https://coinfund.io/) +- [DemocracyEarth](http://democracy.earth/) +- [Signatura](https://signatura.co/) +- [Ether.camp](http://www.ether.camp/) + +among others... + + ## License Code released under the [MIT License](https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/LICENSE). diff --git a/contracts/Bounty.sol b/contracts/Bounty.sol index 0f2ab6c2b..46699b1b3 100644 --- a/contracts/Bounty.sol +++ b/contracts/Bounty.sol @@ -1,17 +1,15 @@ pragma solidity ^0.4.4; + + import './PullPayment.sol'; import './Killable.sol'; + /* * Bounty - * This bounty will pay out to a researcher if he/she breaks invariant logic of - * the contract you bet reward against. + * + * This bounty will pay out to a researcher if they break invariant logic of the contract. */ - -contract Target { - function checkInvariant() returns(bool); -} - contract Bounty is PullPayment, Killable { Target target; bool public claimed; @@ -48,3 +46,13 @@ contract Bounty is PullPayment, Killable { } } + +/* + * Target + * + * Your main contract should inherit from this class and implement the checkInvariant method. This is a function that should check everything your contract assumes to be true all the time. If this function returns false, it means your contract was broken in some way and is in an inconsistent state. This is what security researchers will try to acomplish when trying to get the bounty. + */ +contract Target { + function checkInvariant() returns(bool); +} + diff --git a/contracts/Claimable.sol b/contracts/Claimable.sol index 40e38d49c..d51d34f01 100644 --- a/contracts/Claimable.sol +++ b/contracts/Claimable.sol @@ -1,11 +1,15 @@ pragma solidity ^0.4.0; + + + import './Ownable.sol'; + /* * Claimable - * Extension for the Ownable contract, where the ownership needs to be claimed + * + * Extension for the Ownable contract, where the ownership needs to be claimed. This allows the new owner to accept the transfer. */ - contract Claimable is Ownable { address public pendingOwner; diff --git a/contracts/Killable.sol b/contracts/Killable.sol index 0b6aff066..10621d63e 100644 --- a/contracts/Killable.sol +++ b/contracts/Killable.sol @@ -1,9 +1,12 @@ pragma solidity ^0.4.4; + + import "./Ownable.sol"; + /* * Killable - * Base contract that can be killed by owner + * Base contract that can be killed by owner. All funds in contract will be sent to the owner. */ contract Killable is Ownable { function kill() onlyOwner { diff --git a/contracts/Ownable.sol b/contracts/Ownable.sol index 2998fa403..40fc08146 100644 --- a/contracts/Ownable.sol +++ b/contracts/Ownable.sol @@ -1,8 +1,11 @@ pragma solidity ^0.4.4; + /* * Ownable - * Base contract with an owner + * + * Base contract with an owner. + * Provides onlyOwner modifier, which prevents function from running if it is called by anyone other than the owner. */ contract Ownable { address public owner; diff --git a/contracts/PullPayment.sol b/contracts/PullPayment.sol index c05f99caf..9bee81e09 100644 --- a/contracts/PullPayment.sol +++ b/contracts/PullPayment.sol @@ -1,4 +1,6 @@ pragma solidity ^0.4.4; + + /* * PullPayment * Base contract supporting async send for pull payments. diff --git a/contracts/SafeMath.sol b/contracts/SafeMath.sol index 16e8dae76..8568ddd91 100644 --- a/contracts/SafeMath.sol +++ b/contracts/SafeMath.sol @@ -1,5 +1,6 @@ pragma solidity ^0.4.4; + /** * Math operations with safety checks */ diff --git a/contracts/Stoppable.sol b/contracts/Stoppable.sol index ad48f6bc5..5c018844a 100644 --- a/contracts/Stoppable.sol +++ b/contracts/Stoppable.sol @@ -1,6 +1,9 @@ pragma solidity ^0.4.4; + import "./Ownable.sol"; + + /* * Stoppable * Abstract contract that allows children to implement an @@ -12,10 +15,12 @@ contract Stoppable is Ownable { modifier stopInEmergency { if (!stopped) _; } modifier onlyInEmergency { if (stopped) _; } + // called by the owner on emergency, triggers stopped state function emergencyStop() external onlyOwner { stopped = true; } + // called by the owner on end of emergency, returns to normal state function release() external onlyOwner onlyInEmergency { stopped = false; } diff --git a/contracts/test-helpers/InsecureTargetBounty.sol b/contracts/test-helpers/InsecureTargetBounty.sol index 5087cb6a6..83db61b92 100644 --- a/contracts/test-helpers/InsecureTargetBounty.sol +++ b/contracts/test-helpers/InsecureTargetBounty.sol @@ -1,8 +1,10 @@ pragma solidity ^0.4.4; -import "../Bounty.sol"; -contract InsecureTargetMock { +import {Bounty, Target} from "../Bounty.sol"; + + +contract InsecureTargetMock is Target { function checkInvariant() returns(bool){ return false; } diff --git a/contracts/test-helpers/SecureTargetBounty.sol b/contracts/test-helpers/SecureTargetBounty.sol index f83daf407..022edcc6f 100644 --- a/contracts/test-helpers/SecureTargetBounty.sol +++ b/contracts/test-helpers/SecureTargetBounty.sol @@ -1,9 +1,11 @@ pragma solidity ^0.4.4; -import "../Bounty.sol"; -contract SecureTargetMock { - function checkInvariant() returns(bool){ +import {Bounty, Target} from "../Bounty.sol"; + + +contract SecureTargetMock is Target { + function checkInvariant() returns(bool) { return true; } } diff --git a/contracts/token/BasicToken.sol b/contracts/token/BasicToken.sol index 704de675d..b0ad1e480 100644 --- a/contracts/token/BasicToken.sol +++ b/contracts/token/BasicToken.sol @@ -1,9 +1,11 @@ pragma solidity ^0.4.4; + import './ERC20Basic.sol'; import '../SafeMath.sol'; -/** + +/* * Basic token * Basic version of StandardToken, with no allowances */ diff --git a/contracts/token/CrowdsaleToken.sol b/contracts/token/CrowdsaleToken.sol index ba3100cbc..f78654698 100644 --- a/contracts/token/CrowdsaleToken.sol +++ b/contracts/token/CrowdsaleToken.sol @@ -1,8 +1,12 @@ pragma solidity ^0.4.4; + import "./StandardToken.sol"; + /* + * CrowdsaleToken + * * Simple ERC20 Token example, with crowdsale token creation */ contract CrowdsaleToken is StandardToken { diff --git a/contracts/token/ERC20.sol b/contracts/token/ERC20.sol index 9d32c69fd..4ac0bb1fb 100644 --- a/contracts/token/ERC20.sol +++ b/contracts/token/ERC20.sol @@ -1,8 +1,10 @@ pragma solidity ^0.4.4; -// see https://github.com/ethereum/EIPs/issues/20 - +/* + * ERC20 interface + * see https://github.com/ethereum/EIPs/issues/20 + */ contract ERC20 { uint public totalSupply; function balanceOf(address who) constant returns (uint); diff --git a/contracts/token/ERC20Basic.sol b/contracts/token/ERC20Basic.sol index 4f7ca36d1..b42d457cc 100644 --- a/contracts/token/ERC20Basic.sol +++ b/contracts/token/ERC20Basic.sol @@ -1,6 +1,11 @@ pragma solidity ^0.4.4; +/* + * ERC20Basic + * Simpler version of ERC20 interface + * see https://github.com/ethereum/EIPs/issues/20 + */ contract ERC20Basic { uint public totalSupply; function balanceOf(address who) constant returns (uint); diff --git a/contracts/token/SimpleToken.sol b/contracts/token/SimpleToken.sol index fc7efd0d6..8b59438ae 100644 --- a/contracts/token/SimpleToken.sol +++ b/contracts/token/SimpleToken.sol @@ -1,8 +1,12 @@ pragma solidity ^0.4.4; + import "./StandardToken.sol"; + /* + * SimpleToken + * * Very simple ERC20 Token example, where all tokens are pre-assigned * to the creator. Note they can later distribute these tokens * as they wish using `transfer` and other `StandardToken` functions. diff --git a/test/TestOwnable.sol b/test/TestOwnable.sol deleted file mode 100644 index cb3cbcf21..000000000 --- a/test/TestOwnable.sol +++ /dev/null @@ -1,25 +0,0 @@ -pragma solidity ^0.4.4; -import "truffle/Assert.sol"; -import "truffle/DeployedAddresses.sol"; -import "../contracts/Ownable.sol"; - -contract TestOwnable { - Ownable ownable = new Ownable(); - - function testHasOwner() { - Assert.isNotZero(ownable.owner(), "Ownable should have an owner upon creation."); - } - - function testChangesOwner() { - address originalOwner = ownable.owner(); - ownable.transfer(0x0); - Assert.notEqual(originalOwner, ownable.owner(), "Ownable should change owners after transfer."); - } - - function testOnlyOwnerCanChangeOwner() { - Ownable deployedOwnable = Ownable(DeployedAddresses.Ownable()); - address originalOwner = deployedOwnable.owner(); - deployedOwnable.transfer(0x0); - Assert.equal(originalOwner, deployedOwnable.owner(), "Ownable should prevent non-owners from transfering"); - } -}