Skip to content

[Security] Prevent duplicate mutable name collisions in Mutator.create#159

Merged
kbrizzle merged 2 commits intomasterfrom
sec-f1-duplicate-name-brick
Feb 13, 2026
Merged

[Security] Prevent duplicate mutable name collisions in Mutator.create#159
kbrizzle merged 2 commits intomasterfrom
sec-f1-duplicate-name-brick

Conversation

@kbrizzle
Copy link
Contributor

@kbrizzle kbrizzle commented Feb 13, 2026
edited by cursor bot
Loading

Security report

What was broken

Mutator.create allowed deploying multiple mutables with the same implementation.name(). The _nameToMutable mapping was overwritten, so upgrades would target only the latest mutable and older ones could become upgrade-orphaned.

What was fixed

  • Added MutatorMutableAlreadyExists() error to IMutator.
  • Added a duplicate-name guard in Mutator.create before deployment.
  • Added regression test test_revertsOnDuplicateMutableName.

Validation

  • Ran forge test --match-path 'test/mutability/Mutator.t.sol' --match-test 'test_revertsOnDuplicateMutableName'
  • Ran forge test --match-path 'test/mutability/*.sol'

Impact

Prevents accidental/procedural bricking of upgrade paths caused by name collisions.

Note

Low Risk
Small, localized change to mutable creation semantics plus a new revert case; low blast radius and covered by a targeted test.

Overview
Prevents deploying multiple mutables with the same implementation.name() by adding a pre-deploy guard in Mutator.create that reverts when a name is already registered.

Exposes the new MutatorMutableAlreadyExists() error via IMutator and adds a regression test (test_revertsOnDuplicateMutableName) to ensure duplicate-name creation fails.

Written by Cursor Bugbot for commit 48aff1d. This will update automatically on new commits. Configure here.

@github-actions
Copy link

github-actions bot commented Feb 13, 2026
edited
Loading

Slither report

Static Analysis Report**THIS CHECKLIST IS NOT COMPLETE**. Use `--show-ignored-findings` to show all the results. Summary - [locked-ether](#locked-ether) (2 results) (Medium) - [reentrancy-no-eth](#reentrancy-no-eth) (3 results) (Medium) - [unused-return](#unused-return) (9 results) (Medium) - [incorrect-modifier](#incorrect-modifier) (1 results) (Low) - [calls-loop](#calls-loop) (2 results) (Low) - [reentrancy-benign](#reentrancy-benign) (3 results) (Low) - [reentrancy-events](#reentrancy-events) (4 results) (Low) - [dead-code](#dead-code) (44 results) (Informational) - [solc-version](#solc-version) (3 results) (Informational) - [missing-inheritance](#missing-inheritance) (2 results) (Informational) - [naming-convention](#naming-convention) (13 results) (Informational) - [unimplemented-functions](#unimplemented-functions) (4 results) (Informational) - [unindexed-event-address](#unindexed-event-address) (1 results) (Informational) ## locked-ether Impact: Medium Confidence: High - [ ] ID-0 Contract locking ether found: Contract [Mutator](https://github.com/equilibria-xyz/root/blob/f5103537c84304fd4b0182c63b967a4b8d2bfbcb/src/mutability/Mutator.sol#L13-L66) has payable functions: - [IMutator.upgrade(IImplementation,bytes)](https://github.com/equilibria-xyz/root/blob/f5103537c84304fd4b0182c63b967a4b8d2bfbcb/src/mutability/interfaces/IMutator.sol#L18) - [Mutator.upgrade(IImplementation,bytes)](https://github.com/equilibria-xyz/root/blob/f5103537c84304fd4b0182c63b967a4b8d2bfbcb/src/mutability/Mutator.sol#L51-L55) But does not have a function to withdraw the ether

root/src/mutability/Mutator.sol

Lines 13 to 66 in f510353

contract Mutator is IMutator, Derived, Pausable {
using EnumerableSet for EnumerableSet.AddressSet;
EnumerableSet.AddressSet private _mutables;
mapping(ShortString => IMutable) private _nameToMutable;
constructor() {
__Pausable__constructor();
__Ownable__constructor();
}
/// @dev The list of all mutables.
function mutables() public view returns (address[] memory) {
return _mutables.values();
}
/// @notice Creates a new mutable with the given name
/// @dev Initializes the mutable with the given implementation and data
/// @param implementation The implementation of the mutable
/// @param data The calldata to invoke the instance's initializer
/// @return newMutable The new mutable
function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
ShortString name = ShortStrings.toShortString(implementation.name());
if (_nameToMutable[name] != IMutable(address(0))) revert MutatorMutableAlreadyExists();
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[name] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}
/// @notice Upgrades the implementation of a proxy and optionally calls its initializer
/// @param implementation New version of contract to be proxied
/// @param data Calldata to invoke the instance's initializer
function upgrade(IImplementation implementation, bytes memory data) public payable onlyOwner {
ShortString name = ShortStrings.toShortString(implementation.name());
if (_nameToMutable[name] == IMutable(address(0))) revert MutatorInvalidMutable();
_nameToMutable[name].upgrade(implementation, data);
}
function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}
function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}
}

https://github.com/equilibria-xyz/root/blob/f5103537c84304fd4b0182c63b967a4b8d2bfbcb/src/mutability/Mutable.sol#L138-L143

reentrancy-no-eth

Impact: Medium
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 34 to 46 in f510353

function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
ShortString name = ShortStrings.toShortString(implementation.name());
if (_nameToMutable[name] != IMutable(address(0))) revert MutatorMutableAlreadyExists();
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[name] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}

root/src/mutability/Mutable.sol

Lines 123 to 127 in f510353

function _unpause() private whenPaused {
ERC1967Utils.upgradeToAndCall(Mutable$().paused, "");
Mutable$().paused = address(0);
emit Unpaused();
}

root/src/mutability/Mutable.sol

Lines 97 to 113 in f510353

function _upgrade(IImplementation newImplementation, bytes memory data) private {
// validate the upgrade metadata of the new implementation
if (!Strings.equal(
(_implementation() == address(0) ? NULL_VERSION : IImplementation(_implementation()).version()),
newImplementation.predecessor()
)) revert MutablePredecessorMismatch();
if (Strings.equal(
newImplementation.version(),
ShortStrings.toString(Mutable$().version)
)) revert MutableVersionMismatch();
// update the implementation and call its constructor
ERC1967Utils.upgradeToAndCall(address(newImplementation), abi.encodeCall(IImplementation.construct, (data)));
// record the new implementation version
Mutable$().version = ShortStrings.toShortString(newImplementation.version());
}

unused-return

Impact: Medium
Confidence: Medium

root/src/token/types/Token6.sol

Lines 43 to 45 in f510353

function approve(Token6 self, address grantee) internal {
IERC20(Token6.unwrap(self)).approve(grantee, type(uint256).max);
}

root/src/distribution/Airdrop.sol

Lines 46 to 51 in f510353

function removeDistribution(bytes32 merkleRoot) external onlyOwner {
if (!_merkleRoots.contains(merkleRoot)) revert AirdropRootDoesNotExist();
_merkleRoots.remove(merkleRoot);
distributions[merkleRoot] = Token18.wrap(address(0));
emit DistributionRemoved(merkleRoot);
}

root/src/token/types/Token.sol

Lines 51 to 53 in f510353

function approve(Token self, address grantee, uint256 amount) internal {
IERC20(Token.unwrap(self)).approve(grantee, amount);
}

root/src/token/types/Token18.sol

Lines 53 to 55 in f510353

function approve(Token18 self, address grantee, UFixed18 amount) internal {
IERC20(Token18.unwrap(self)).approve(grantee, UFixed18.unwrap(amount));
}

root/src/token/types/Token6.sol

Lines 54 to 56 in f510353

function approve(Token6 self, address grantee, UFixed6 amount) internal {
IERC20(Token6.unwrap(self)).approve(grantee, UFixed6.unwrap(amount));
}

root/src/distribution/Airdrop.sol

Lines 28 to 34 in f510353

function addDistributions(Token18 token, bytes32 merkleRoot) external override onlyOwner {
if (_merkleRoots.contains(merkleRoot)) revert AirdropDistributionAlreadyExists();
distributions[merkleRoot] = token;
_merkleRoots.add(merkleRoot);
emit DistributionAdded(token, merkleRoot);
}

root/src/token/types/Token.sol

Lines 40 to 42 in f510353

function approve(Token self, address grantee) internal {
IERC20(Token.unwrap(self)).approve(grantee, type(uint256).max);
}

root/src/mutability/Mutator.sol

Lines 34 to 46 in f510353

function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
ShortString name = ShortStrings.toShortString(implementation.name());
if (_nameToMutable[name] != IMutable(address(0))) revert MutatorMutableAlreadyExists();
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[name] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}

root/src/token/types/Token18.sol

Lines 43 to 45 in f510353

function approve(Token18 self, address grantee) internal {
IERC20(Token18.unwrap(self)).approve(grantee, type(uint256).max);
}

incorrect-modifier

Impact: Low
Confidence: High

root/src/attribute/Attribute.sol

Lines 28 to 32 in f510353

modifier initializer(string memory attribute) {
if (!_constructing()) revert AttributeNotConstructing();
if (!Attribute$().attributes[attribute]) _;
Attribute$().attributes[attribute] = true;
}

calls-loop

Impact: Low
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 62 to 65 in f510353

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

root/src/mutability/Mutator.sol

Lines 57 to 60 in f510353

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

reentrancy-benign

Impact: Low
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 57 to 60 in f510353

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

root/src/mutability/Mutator.sol

Lines 62 to 65 in f510353

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

root/src/mutability/Mutator.sol

Lines 34 to 46 in f510353

function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
ShortString name = ShortStrings.toShortString(implementation.name());
if (_nameToMutable[name] != IMutable(address(0))) revert MutatorMutableAlreadyExists();
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[name] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}

reentrancy-events

Impact: Low
Confidence: Medium

root/src/mutability/Mutable.sol

Lines 116 to 120 in f510353

function _pause() private whenUnpaused {
Mutable$().paused = _implementation();
ERC1967Utils.upgradeToAndCall(_pauseTarget, "");
emit Paused();
}

root/src/mutability/Mutator.sol

Lines 62 to 65 in f510353

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

root/src/mutability/Mutable.sol

Lines 123 to 127 in f510353

function _unpause() private whenPaused {
ERC1967Utils.upgradeToAndCall(Mutable$().paused, "");
Mutable$().paused = address(0);
emit Unpaused();
}

root/src/mutability/Mutator.sol

Lines 57 to 60 in f510353

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

dead-code

Impact: Informational
Confidence: Medium

root/src/number/types/UFixed18.sol

Lines 288 to 290 in f510353

function eq(UFixed18 a, UFixed18 b) pure returns (bool) {
return UFixed18.unwrap(a) == UFixed18.unwrap(b);
}

root/src/number/types/Fixed6.sol

Lines 295 to 297 in f510353

function add(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) + Fixed6.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 295 to 297 in f510353

function eq(UFixed6 a, UFixed6 b) pure returns (bool) {
return UFixed6.unwrap(a) == UFixed6.unwrap(b);
}

  • ID-27
    neg(Fixed6) is never used and should be removed

root/src/number/types/Fixed6.sol

Lines 287 to 289 in f510353

function neg(Fixed6 a) pure returns (Fixed6) {
return Fixed6.wrap(-Fixed6.unwrap(a));
}

root/src/mutability/Implementation.sol

Lines 66 to 68 in f510353

function _constructing() internal view override returns (bool) {
return Implementation$().constructing;
}

root/src/number/types/Fixed18.sol

Lines 288 to 290 in f510353

function add(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) + Fixed18.unwrap(b));
}

root/src/number/types/Fixed6.sol

Lines 311 to 313 in f510353

function mul(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) * Fixed6.unwrap(b) / Fixed6Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 327 to 329 in f510353

function eq(Fixed6 a, Fixed6 b) pure returns (bool) {
return Fixed6.unwrap(a) == Fixed6.unwrap(b);
}

root/src/number/types/UFixed6.sol

Lines 311 to 314 in f510353

function gt(UFixed6 a, UFixed6 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed6.unwrap(a), UFixed6.unwrap(b));
return au > bu;
}

root/src/number/types/Fixed6.sol

Lines 335 to 337 in f510353

function neq(Fixed6 a, Fixed6 b) pure returns (bool) {
return Fixed6.unwrap(a) != Fixed6.unwrap(b);
}

root/src/number/types/Fixed18.sol

Lines 304 to 306 in f510353

function mul(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) * Fixed18.unwrap(b) / Fixed18Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 343 to 346 in f510353

function gt(Fixed6 a, Fixed6 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed6.unwrap(a), Fixed6.unwrap(b));
return au > bu;
}

root/src/number/types/UFixed18.sol

Lines 313 to 316 in f510353

function lt(UFixed18 a, UFixed18 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed18.unwrap(a), UFixed18.unwrap(b));
return au < bu;
}

root/src/number/types/UFixed18.sol

Lines 280 to 282 in f510353

function div(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) * UFixed18Lib.BASE / UFixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 329 to 331 in f510353

function gte(UFixed6 a, UFixed6 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/Fixed18.sol

Lines 280 to 282 in f510353

function neg(Fixed18 a) pure returns (Fixed18) {
return Fixed18.wrap(-Fixed18.unwrap(a));
}

root/src/number/types/Fixed6.sol

Lines 303 to 305 in f510353

function sub(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) - Fixed6.unwrap(b));
}

root/src/number/types/Fixed6.sol

Lines 361 to 363 in f510353

function gte(Fixed6 a, Fixed6 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 279 to 281 in f510353

function mul(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) * UFixed6.unwrap(b) / UFixed6Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 369 to 371 in f510353

function lte(Fixed6 a, Fixed6 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed18.sol

Lines 330 to 332 in f510353

function lte(UFixed18 a, UFixed18 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed18.sol

Lines 272 to 274 in f510353

function mul(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) * UFixed18.unwrap(b) / UFixed18Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 352 to 355 in f510353

function lt(Fixed6 a, Fixed6 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed6.unwrap(a), Fixed6.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed6.sol

Lines 319 to 321 in f510353

function div(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) * Fixed6Lib.BASE / Fixed6.unwrap(b));
}

root/src/number/types/UFixed18.sol

Lines 296 to 298 in f510353

function neq(UFixed18 a, UFixed18 b) pure returns (bool) {
return UFixed18.unwrap(a) != UFixed18.unwrap(b);
}

root/src/mutability/Implementation.sol

Lines 71 to 73 in f510353

function _deployer() internal view override returns (address) {
return IMutator(msg.sender).owner();
}

root/src/number/types/Fixed18.sol

Lines 312 to 314 in f510353

function div(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) * Fixed18Lib.BASE / Fixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 320 to 323 in f510353

function lt(UFixed6 a, UFixed6 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed6.unwrap(a), UFixed6.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed18.sol

Lines 345 to 348 in f510353

function lt(Fixed18 a, Fixed18 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed18.unwrap(a), Fixed18.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed18.sol

Lines 336 to 339 in f510353

function gt(Fixed18 a, Fixed18 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed18.unwrap(a), Fixed18.unwrap(b));
return au > bu;
}

root/src/number/types/Fixed18.sol

Lines 362 to 364 in f510353

function lte(Fixed18 a, Fixed18 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/Fixed18.sol

Lines 320 to 322 in f510353

function eq(Fixed18 a, Fixed18 b) pure returns (bool) {
return Fixed18.unwrap(a) == Fixed18.unwrap(b);
}

root/src/number/types/UFixed18.sol

Lines 264 to 266 in f510353

function sub(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) - UFixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 303 to 305 in f510353

function neq(UFixed6 a, UFixed6 b) pure returns (bool) {
return UFixed6.unwrap(a) != UFixed6.unwrap(b);
}

root/src/number/types/UFixed18.sol

Lines 304 to 307 in f510353

function gt(UFixed18 a, UFixed18 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed18.unwrap(a), UFixed18.unwrap(b));
return au > bu;
}

root/src/number/types/UFixed18.sol

Lines 322 to 324 in f510353

function gte(UFixed18 a, UFixed18 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 271 to 273 in f510353

function sub(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) - UFixed6.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 263 to 265 in f510353

function add(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) + UFixed6.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 296 to 298 in f510353

function sub(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) - Fixed18.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 354 to 356 in f510353

function gte(Fixed18 a, Fixed18 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 337 to 339 in f510353

function lte(UFixed6 a, UFixed6 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 287 to 289 in f510353

function div(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) * UFixed6Lib.BASE / UFixed6.unwrap(b));
}

root/src/number/types/UFixed18.sol

Lines 256 to 258 in f510353

function add(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) + UFixed18.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 328 to 330 in f510353

function neq(Fixed18 a, Fixed18 b) pure returns (bool) {
return Fixed18.unwrap(a) != Fixed18.unwrap(b);
}

solc-version

Impact: Informational
Confidence: High

root/src/attribute/Attribute.sol

Line 2 in f510353

pragma solidity ^0.8.13;

root/src/number/types/Fixed18.sol

Line 2 in f510353

pragma solidity ^0.8.19;

root/src/vrgda/VRGDADecayMath.sol

Line 2 in f510353

pragma solidity >=0.8.20;

missing-inheritance

Impact: Informational
Confidence: High

root/src/utils/OwnableStub.sol

Lines 9 to 15 in f510353

contract OwnableStub {
/// @notice Accepts ownership of the contract
/// @dev Can only be called by the pending owner to ensure correctness.
function acceptOwner(address ownable) external {
Ownable(ownable).acceptOwner();
}
}

https://github.com/equilibria-xyz/root/blob/f5103537c84304fd4b0182c63b967a4b8d2bfbcb/src/mutability/Mutable.sol#L138-L143

naming-convention

Impact: Informational
Confidence: High

root/src/attribute/Pausable.sol

Lines 34 to 36 in f510353

function __Pausable__constructor() internal initializer("Pausable") {
_updatePauser(_deployer());
}

root/src/mutability/Mutable.sol

Lines 37 to 41 in f510353

function Mutable$() private pure returns (MutableStorage storage $) {
assembly {
$.slot := MutableStorageLocation
}
}

root/src/mutability/Mutable.sol

Line 34 in f510353

bytes32 private constant MutableStorageLocation = 0xb906736fa3fc696e6c19a856e0f8737e348fda5c7f33a32db99da3b92f19a800;

root/src/attribute/Ownable.sol

Line 21 in f510353

bytes32 private constant OwnableStorageLocation = 0x863176706c9b4c9b393005d0714f55de5425abea2a0b5dfac67fac0c9e2ffe00;

root/src/attribute/Ownable.sol

Lines 42 to 44 in f510353

function __Ownable__constructor() internal initializer("Ownable") {
_updateOwner(_deployer());
}

root/src/mutability/Implementation.sol

Line 21 in f510353

bytes32 private constant ImplementationStorageLocation = 0x3c57b102c533ff058ebe9a7c745178ce4174563553bb3edde7874874c532c200;

root/src/attribute/Ownable.sol

Lines 24 to 28 in f510353

function Ownable$() private pure returns (OwnableStorage storage $) {
assembly {
$.slot := OwnableStorageLocation
}
}

root/src/mutability/Implementation.sol

Lines 24 to 28 in f510353

function Implementation$() private pure returns (ImplementationStorage storage $) {
assembly {
$.slot := ImplementationStorageLocation
}
}

root/src/attribute/Pausable.sol

Line 23 in f510353

bytes32 private constant PausableStorageLocation = 0x3f6e81f1674f7eaca7e8904fa6f14f10175d4d641e37fc18a3df849e00101900;

root/src/attribute/Pausable.sol

Lines 26 to 30 in f510353

function Pausable$() private pure returns (PausableStorage storage $) {
assembly {
$.slot := PausableStorageLocation
}
}

root/src/mutability/Implementation.sol

Line 76 in f510353

function __constructor(bytes memory data) internal virtual returns (string memory);

root/src/attribute/Attribute.sol

Lines 20 to 24 in f510353

function Attribute$() private pure returns (AttributeStorage storage $) {
assembly {
$.slot := AttributeStorageLocation
}
}

root/src/attribute/Attribute.sol

Line 17 in f510353

bytes32 private constant AttributeStorageLocation = 0x429797e2de2710eed6bc286312ff2c2286e5c3e13ca14d38e450727a132bfa00;

unimplemented-functions

Impact: Informational
Confidence: High

root/src/attribute/Withdrawable.sol

Lines 11 to 18 in f510353

abstract contract Withdrawable is IWithdrawable, Attribute, Ownable {
/// @notice Withdraws all ERC20 tokens from the contract to the owner
/// @dev Can only be called by the owner
/// @param token Address of the ERC20 token
function withdraw(Token18 token) public virtual onlyOwner {
token.push(owner());
}
}

root/src/mutability/Implementation.sol

Lines 13 to 77 in f510353

abstract contract Implementation is IImplementation, Contract {
/// @custom:storage-location erc7201:equilibria.root.Implementation
struct ImplementationStorage {
bool constructing;
}
/// @dev The erc7201 storage location of the mix-in
// solhint-disable-next-line const-name-snakecase
bytes32 private constant ImplementationStorageLocation = 0x3c57b102c533ff058ebe9a7c745178ce4174563553bb3edde7874874c532c200;
/// @dev The erc7201 storage of the mix-in
function Implementation$() private pure returns (ImplementationStorage storage $) {
assembly {
$.slot := ImplementationStorageLocation
}
}
/// @dev The version of this implementation.
ShortString private immutable _version;
/// @dev The version of the predecessor implementation.
ShortString private immutable _predecessor;
/// @dev Constructor for the implementation.
constructor(string memory version_, string memory predecessor_) {
_version = ShortStrings.toShortString(version_);
_predecessor = ShortStrings.toShortString(predecessor_);
}
/// @dev The name of the implementation.
function name() external view virtual returns (string memory);
/// @dev The version of this implementation.
function version() public view virtual returns (string memory) {
return ShortStrings.toString(_version);
}
/// @dev The version of the predecessor implementation.
function predecessor() external view virtual returns (string memory) {
return ShortStrings.toString(_predecessor);
}
/// @dev Called at upgrade time to initialize the contract with `data`.
function construct(bytes memory data) external {
Implementation$().constructing = true;
string memory constructorVersion = __constructor(data);
if (!Strings.equal(constructorVersion, version())) revert ImplementationConstructorVersionMismatch();
Implementation$().constructing = false;
}
/// @dev Whether the contract is initializing.
function _constructing() internal view override returns (bool) {
return Implementation$().constructing;
}
/// @dev The deployer of the contract.
function _deployer() internal view override returns (address) {
return IMutator(msg.sender).owner();
}
/// @dev Hook for inheriting contracts to construct the contract.
function __constructor(bytes memory data) internal virtual returns (string memory);
}

root/src/attribute/Delegatable.sol

Lines 12 to 20 in f510353

abstract contract Delegatable is IDelegatable, Attribute, Ownable {
/// @notice Delegates voting power for a specific token to an address
/// @dev Can only be called by the owner
/// @param token The IVotes-compatible token to delegate
/// @param delegatee The address to delegate voting power to
function delegate(IVotes token, address delegatee) public virtual onlyOwner {
token.delegate(delegatee);
}
}

root/src/attribute/Executable.sol

Lines 12 to 21 in f510353

abstract contract Executable is IExecutable, Attribute, Ownable {
/// @notice Executes a call to a target contract
/// @dev Can only be called by the owner
/// @param target Address of the target contract
/// @param data Calldata to be executed
/// @return result The result of the call
function execute(address target, bytes calldata data) public payable virtual onlyOwner returns (bytes memory) {
return Address.functionCallWithValue(target, data, msg.value);
}
}

unindexed-event-address

Impact: Informational
Confidence: High

@kbrizzle kbrizzle requested review from prateekdefi and removed request for arjun-io February 13, 2026 06:42
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security/operational footgun in the mutability system by preventing Mutator.create from deploying multiple mutables that share the same implementation.name(), which previously overwrote _nameToMutable and could orphan earlier mutables from future upgrades.

Changes:

  • Add a new MutatorMutableAlreadyExists() custom error to IMutator.
  • Add a duplicate-name guard in Mutator.create before deploying a new Mutable.
  • Add a regression test ensuring create reverts when attempting to deploy a second mutable with an already-registered name.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/mutability/Mutator.sol Prevents duplicate mutable-name registrations by reverting before deployment and mapping update.
src/mutability/interfaces/IMutator.sol Exposes a dedicated custom error for duplicate-name creation attempts.
test/mutability/Mutator.t.sol Adds a regression test validating the revert on duplicate mutable name.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link

github-actions bot commented Feb 13, 2026

Unit Test Coverage Report

Coverage after merging sec-f1-duplicate-name-brick into master will be
100.00%
Coverage Report
FileStmtsBranchesFuncsLinesUncovered Lines
src/attribute
   Attribute.sol90%50%100%100%30
   Delegatable.sol100%100%100%100%
   Executable.sol100%100%100%100%
   Ownable.sol100%100%100%100%
   Pausable.sol100%100%100%100%
   Withdrawable.sol100%100%100%100%
src/distribution
   Airdrop.sol100%100%100%100%
   Treasury.sol100%100%100%100%
src/mutability
   Derived.sol100%100%100%100%
   Implementation.sol100%100%100%100%
   Mutable.sol100%100%100%100%
   Mutator.sol100%100%100%100%
src/number
   NumberMath.sol100%100%100%100%
src/number/types
   Fixed18.sol100%100%100%100%
   Fixed6.sol100%100%100%100%
   UFixed18.sol100%100%100%100%
   UFixed6.sol100%100%100%100%
src/token/types
   Token.sol100%100%100%100%
   Token18.sol100%100%100%100%
   Token6.sol100%100%100%100%
src/utils
   OwnableStub.sol100%100%100%100%
   console.sol99.89%60%100%100%44, 65
src/vrgda
   VRGDADecayMath.sol100%100%100%100%
   VRGDAIssuanceMath.sol100%100%100%100%
src/vrgda/types
   LinearExponentialVRGDA.sol100%100%100%100%

prateekdefi
prateekdefi approved these changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@prateekdefi prateekdefi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

EdNoepel
EdNoepel approved these changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@EdNoepel EdNoepel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kbrizzle kbrizzle merged commit 8ed643a into master Feb 13, 2026
4 checks passed
@kbrizzle kbrizzle deleted the sec-f1-duplicate-name-brick branch February 13, 2026 21:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@EdNoepel EdNoepel EdNoepel approved these changes

@prateekdefi prateekdefi prateekdefi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kbrizzle @EdNoepel @prateekdefi