optimism WIP: Enshrined Revenue Sharing implementation

Towards https://github.com/ethereum-optimism/client-pod/issues/739

Apr 26 '24 15:04 geoknee

Semgrep found 15 sol-style-notice-over-dev-natspec findings:

packages/contracts-bedrock/src/L2/RevenueSharer.sol
- L14 - Triage
packages/contracts-bedrock/scripts/L2Genesis.s.sol
- L27 - Triage
- L57 - Triage
- L62 - Triage
- L81 - Triage
- L186 - Triage
- L251 - Triage
- L271 - Triage
- L343 - Triage
- L349 - Triage
- L354 - Triage
- 4 more - Triage

Prefer @notice over @dev in natspec comments

_{Ignore this finding from sol-style-notice-over-dev-natspec.}

Semgrep found 13 sol-style-doc-comment findings:

packages/contracts-bedrock/src/L2/RevenueSharer.sol
- L21-23 - Triage
- L25-27 - Triage
- L29-32 - Triage
- L34-37 - Triage
- L43-45 - Triage
- L47-49 - Triage
- L55-59 - Triage
- L61-65 - Triage
- L71-75 - Triage
- L87-89 - Triage
- 3 more - Triage

Javadoc-style comments are not allowed. Use /// style doc comments instead.

_{Ignore this finding from sol-style-doc-comment.}

Semgrep found 11 golang_fmt_errorf_no_params findings:

op-plasma/cmd/daserver/flags.go
- L82 - Triage
- L85 - Triage
op-chain-ops/state/encoding.go
- L85 - Triage
- L90 - Triage
op-chain-ops/immutables/immutables.go
- L222 - Triage
- L226 - Triage
- L244 - Triage
- L248 - Triage
- L252 - Triage
op-bindings/bindgen/remote_handlers.go
- L224 - Triage
- L264 - Triage

No fmt.Errorf invocations without fmt arguments allowed

_{Ignore this finding from golang_fmt_errorf_no_params.}

Semgrep found 2 import-text-template findings:

op-bindings/bindgen/remote_handlers.go
- L11 - Triage
op-bindings/bindgen/generator_local.go
- L12 - Triage

When working with web applications that involve rendering user-generated content, it's important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the text/template package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it's recommended to use the html/template package instead, which provides built-in functionality for HTML escaping. By using html/template to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.

_{Ignore this finding from import-text-template.}

Semgrep found 1 dangerous-exec-command finding:

op-challenger/game/fault/trace/cannon/executor.go
- L149 - Triage

Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

_{Ignore this finding from dangerous-exec-command.}

Apr 26 '24 15:04 semgrep-app[bot]

You should rebase on latest develop - its not necessary to do the bindings thing anymore, we use a forge script to create the L2 genesis, there are instructions here on how to run the command. I believe this is safe to add to the L2 genesis as part of the PR but we should make sure the specs are finalized before adding it to the L2 genesis generation since we don't have good releases of contracts yet :)

Apr 26 '24 19:04 tynes

i know this is draft but i don't think we should merge it until we align more on the design :)

For sure. I also added WIP to the title, this is far from merging.

Apr 27 '24 09:04 geoknee

This is great so far!

Apr 29 '24 19:04 tynes

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days.

May 14 '24 01:05 github-actions[bot]

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days.

May 29 '24 01:05 github-actions[bot]