Skip to content

[Security] Remove unintended payable surface from Mutator.upgrade#161

Merged
kbrizzle merged 1 commit intomasterfrom
sec-f4-upgrade-payable-decision
Feb 13, 2026
Merged

[Security] Remove unintended payable surface from Mutator.upgrade#161
kbrizzle merged 1 commit intomasterfrom
sec-f4-upgrade-payable-decision

Conversation

@kbrizzle
Copy link
Contributor

@kbrizzle kbrizzle commented Feb 13, 2026
edited
Loading

Security report

What was broken

Mutator.upgrade was marked payable even though it did not forward value and had no ETH recovery path. This left accidental ETH-trap surface.

Rationale review

Git history shows ETH forwarding on upgrade was explicitly removed in commit 84cf9fb ("updates should not be payable"), indicating payable behavior is not intended in current design. #155.

What was fixed

  • Removed payable from Mutator.upgrade.
  • Removed payable from IMutator.upgrade.
  • Added regression test test_revertsUpgradeWithValue confirming ETH-bearing calls fail.

Validation

  • Ran forge test --match-path 'test/mutability/Mutator.t.sol' --match-test 'test_revertsUpgradeWithValue'
  • Ran forge test --match-path 'test/mutability/*.sol'

Impact

Eliminates accidental ETH locking risk on upgrade entrypoint while preserving current upgrade semantics.

@github-actions
Copy link

github-actions bot commented Feb 13, 2026

Unit Test Coverage Report

Coverage after merging sec-f4-upgrade-payable-decision into master will be
100.00%
Coverage Report
FileStmtsBranchesFuncsLinesUncovered Lines
src/attribute
   Attribute.sol90%50%100%100%30
   Delegatable.sol100%100%100%100%
   Executable.sol100%100%100%100%
   Ownable.sol100%100%100%100%
   Pausable.sol100%100%100%100%
   Withdrawable.sol100%100%100%100%
src/distribution
   Airdrop.sol100%100%100%100%
   Treasury.sol100%100%100%100%
src/mutability
   Derived.sol100%100%100%100%
   Implementation.sol100%100%100%100%
   Mutable.sol100%100%100%100%
   Mutator.sol100%100%100%100%
src/number
   NumberMath.sol100%100%100%100%
src/number/types
   Fixed18.sol100%100%100%100%
   Fixed6.sol100%100%100%100%
   UFixed18.sol100%100%100%100%
   UFixed6.sol100%100%100%100%
src/token/types
   Token.sol100%100%100%100%
   Token18.sol100%100%100%100%
   Token6.sol100%100%100%100%
src/utils
   OwnableStub.sol100%100%100%100%
   console.sol99.89%60%100%100%44, 65
src/vrgda
   VRGDADecayMath.sol100%100%100%100%
   VRGDAIssuanceMath.sol100%100%100%100%
src/vrgda/types
   LinearExponentialVRGDA.sol100%100%100%100%

@github-actions
Copy link

github-actions bot commented Feb 13, 2026

Slither report

Static Analysis Report**THIS CHECKLIST IS NOT COMPLETE**. Use `--show-ignored-findings` to show all the results. Summary - [locked-ether](#locked-ether) (1 results) (Medium) - [reentrancy-no-eth](#reentrancy-no-eth) (2 results) (Medium) - [unused-return](#unused-return) (9 results) (Medium) - [incorrect-modifier](#incorrect-modifier) (1 results) (Low) - [calls-loop](#calls-loop) (2 results) (Low) - [reentrancy-benign](#reentrancy-benign) (3 results) (Low) - [reentrancy-events](#reentrancy-events) (4 results) (Low) - [dead-code](#dead-code) (44 results) (Informational) - [solc-version](#solc-version) (3 results) (Informational) - [missing-inheritance](#missing-inheritance) (2 results) (Informational) - [naming-convention](#naming-convention) (13 results) (Informational) - [unimplemented-functions](#unimplemented-functions) (4 results) (Informational) - [unindexed-event-address](#unindexed-event-address) (1 results) (Informational) ## locked-ether Impact: Medium Confidence: High - [ ] ID-0 Contract locking ether found: Contract [MutablePauseTarget](https://github.com/equilibria-xyz/root/blob/ed46bcb6e674558340a41710b3d1a8cc0d47af35/src/mutability/Mutable.sol#L138-L143) has payable functions: - [MutablePauseTarget.fallback()](https://github.com/equilibria-xyz/root/blob/ed46bcb6e674558340a41710b3d1a8cc0d47af35/src/mutability/Mutable.sol#L139-L141) But does not have a function to withdraw the ether

https://github.com/equilibria-xyz/root/blob/ed46bcb6e674558340a41710b3d1a8cc0d47af35/src/mutability/Mutable.sol#L138-L143

reentrancy-no-eth

Impact: Medium
Confidence: Medium

root/src/mutability/Mutable.sol

Lines 123 to 127 in ed46bcb

function _unpause() private whenPaused {
ERC1967Utils.upgradeToAndCall(Mutable$().paused, "");
Mutable$().paused = address(0);
emit Unpaused();
}

root/src/mutability/Mutable.sol

Lines 97 to 113 in ed46bcb

function _upgrade(IImplementation newImplementation, bytes memory data) private {
// validate the upgrade metadata of the new implementation
if (!Strings.equal(
(_implementation() == address(0) ? NULL_VERSION : IImplementation(_implementation()).version()),
newImplementation.predecessor()
)) revert MutablePredecessorMismatch();
if (Strings.equal(
newImplementation.version(),
ShortStrings.toString(Mutable$().version)
)) revert MutableVersionMismatch();
// update the implementation and call its constructor
ERC1967Utils.upgradeToAndCall(address(newImplementation), abi.encodeCall(IImplementation.construct, (data)));
// record the new implementation version
Mutable$().version = ShortStrings.toShortString(newImplementation.version());
}

unused-return

Impact: Medium
Confidence: Medium

root/src/token/types/Token6.sol

Lines 43 to 45 in ed46bcb

function approve(Token6 self, address grantee) internal {
IERC20(Token6.unwrap(self)).approve(grantee, type(uint256).max);
}

root/src/distribution/Airdrop.sol

Lines 46 to 51 in ed46bcb

function removeDistribution(bytes32 merkleRoot) external onlyOwner {
if (!_merkleRoots.contains(merkleRoot)) revert AirdropRootDoesNotExist();
_merkleRoots.remove(merkleRoot);
distributions[merkleRoot] = Token18.wrap(address(0));
emit DistributionRemoved(merkleRoot);
}

root/src/token/types/Token.sol

Lines 51 to 53 in ed46bcb

function approve(Token self, address grantee, uint256 amount) internal {
IERC20(Token.unwrap(self)).approve(grantee, amount);
}

root/src/token/types/Token18.sol

Lines 53 to 55 in ed46bcb

function approve(Token18 self, address grantee, UFixed18 amount) internal {
IERC20(Token18.unwrap(self)).approve(grantee, UFixed18.unwrap(amount));
}

root/src/token/types/Token6.sol

Lines 54 to 56 in ed46bcb

function approve(Token6 self, address grantee, UFixed6 amount) internal {
IERC20(Token6.unwrap(self)).approve(grantee, UFixed6.unwrap(amount));
}

root/src/distribution/Airdrop.sol

Lines 28 to 34 in ed46bcb

function addDistributions(Token18 token, bytes32 merkleRoot) external override onlyOwner {
if (_merkleRoots.contains(merkleRoot)) revert AirdropDistributionAlreadyExists();
distributions[merkleRoot] = token;
_merkleRoots.add(merkleRoot);
emit DistributionAdded(token, merkleRoot);
}

root/src/mutability/Mutator.sol

Lines 34 to 43 in ed46bcb

function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[ShortStrings.toShortString(implementation.name())] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}

root/src/token/types/Token.sol

Lines 40 to 42 in ed46bcb

function approve(Token self, address grantee) internal {
IERC20(Token.unwrap(self)).approve(grantee, type(uint256).max);
}

root/src/token/types/Token18.sol

Lines 43 to 45 in ed46bcb

function approve(Token18 self, address grantee) internal {
IERC20(Token18.unwrap(self)).approve(grantee, type(uint256).max);
}

incorrect-modifier

Impact: Low
Confidence: High

root/src/attribute/Attribute.sol

Lines 28 to 32 in ed46bcb

modifier initializer(string memory attribute) {
if (!_constructing()) revert AttributeNotConstructing();
if (!Attribute$().attributes[attribute]) _;
Attribute$().attributes[attribute] = true;
}

calls-loop

Impact: Low
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 54 to 57 in ed46bcb

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

root/src/mutability/Mutator.sol

Lines 59 to 62 in ed46bcb

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

reentrancy-benign

Impact: Low
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 59 to 62 in ed46bcb

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

root/src/mutability/Mutator.sol

Lines 54 to 57 in ed46bcb

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

root/src/mutability/Mutator.sol

Lines 34 to 43 in ed46bcb

function create(
IImplementation implementation,
bytes calldata data
) public onlyOwner returns (IMutableTransparent newMutable) {
_mutables.add(address(newMutable = new Mutable(implementation, data)));
_nameToMutable[ShortStrings.toShortString(implementation.name())] = IMutable(address(newMutable));
// ensure state of new mutable is consistent with mutator
if (paused()) IMutable(address(newMutable)).pause();
}

reentrancy-events

Impact: Low
Confidence: Medium

root/src/mutability/Mutator.sol

Lines 54 to 57 in ed46bcb

function _pause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).pause();
super._pause();
}

root/src/mutability/Mutable.sol

Lines 116 to 120 in ed46bcb

function _pause() private whenUnpaused {
Mutable$().paused = _implementation();
ERC1967Utils.upgradeToAndCall(_pauseTarget, "");
emit Paused();
}

root/src/mutability/Mutator.sol

Lines 59 to 62 in ed46bcb

function _unpause() internal override {
for (uint256 i = 0; i < _mutables.length(); i++) IMutable(_mutables.at(i)).unpause();
super._unpause();
}

root/src/mutability/Mutable.sol

Lines 123 to 127 in ed46bcb

function _unpause() private whenPaused {
ERC1967Utils.upgradeToAndCall(Mutable$().paused, "");
Mutable$().paused = address(0);
emit Unpaused();
}

dead-code

Impact: Informational
Confidence: Medium

root/src/number/types/UFixed18.sol

Lines 288 to 290 in ed46bcb

function eq(UFixed18 a, UFixed18 b) pure returns (bool) {
return UFixed18.unwrap(a) == UFixed18.unwrap(b);
}

root/src/number/types/Fixed6.sol

Lines 295 to 297 in ed46bcb

function add(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) + Fixed6.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 295 to 297 in ed46bcb

function eq(UFixed6 a, UFixed6 b) pure returns (bool) {
return UFixed6.unwrap(a) == UFixed6.unwrap(b);
}

  • ID-25
    neg(Fixed6) is never used and should be removed

root/src/number/types/Fixed6.sol

Lines 287 to 289 in ed46bcb

function neg(Fixed6 a) pure returns (Fixed6) {
return Fixed6.wrap(-Fixed6.unwrap(a));
}

root/src/mutability/Implementation.sol

Lines 66 to 68 in ed46bcb

function _constructing() internal view override returns (bool) {
return Implementation$().constructing;
}

root/src/number/types/Fixed18.sol

Lines 288 to 290 in ed46bcb

function add(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) + Fixed18.unwrap(b));
}

root/src/number/types/Fixed6.sol

Lines 311 to 313 in ed46bcb

function mul(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) * Fixed6.unwrap(b) / Fixed6Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 327 to 329 in ed46bcb

function eq(Fixed6 a, Fixed6 b) pure returns (bool) {
return Fixed6.unwrap(a) == Fixed6.unwrap(b);
}

root/src/number/types/UFixed6.sol

Lines 311 to 314 in ed46bcb

function gt(UFixed6 a, UFixed6 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed6.unwrap(a), UFixed6.unwrap(b));
return au > bu;
}

root/src/number/types/Fixed6.sol

Lines 335 to 337 in ed46bcb

function neq(Fixed6 a, Fixed6 b) pure returns (bool) {
return Fixed6.unwrap(a) != Fixed6.unwrap(b);
}

root/src/number/types/Fixed18.sol

Lines 304 to 306 in ed46bcb

function mul(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) * Fixed18.unwrap(b) / Fixed18Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 343 to 346 in ed46bcb

function gt(Fixed6 a, Fixed6 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed6.unwrap(a), Fixed6.unwrap(b));
return au > bu;
}

root/src/number/types/UFixed18.sol

Lines 313 to 316 in ed46bcb

function lt(UFixed18 a, UFixed18 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed18.unwrap(a), UFixed18.unwrap(b));
return au < bu;
}

root/src/number/types/UFixed18.sol

Lines 280 to 282 in ed46bcb

function div(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) * UFixed18Lib.BASE / UFixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 329 to 331 in ed46bcb

function gte(UFixed6 a, UFixed6 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/Fixed18.sol

Lines 280 to 282 in ed46bcb

function neg(Fixed18 a) pure returns (Fixed18) {
return Fixed18.wrap(-Fixed18.unwrap(a));
}

root/src/number/types/Fixed6.sol

Lines 303 to 305 in ed46bcb

function sub(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) - Fixed6.unwrap(b));
}

root/src/number/types/Fixed6.sol

Lines 361 to 363 in ed46bcb

function gte(Fixed6 a, Fixed6 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 279 to 281 in ed46bcb

function mul(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) * UFixed6.unwrap(b) / UFixed6Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 369 to 371 in ed46bcb

function lte(Fixed6 a, Fixed6 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed18.sol

Lines 330 to 332 in ed46bcb

function lte(UFixed18 a, UFixed18 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed18.sol

Lines 272 to 274 in ed46bcb

function mul(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) * UFixed18.unwrap(b) / UFixed18Lib.BASE);
}

root/src/number/types/Fixed6.sol

Lines 352 to 355 in ed46bcb

function lt(Fixed6 a, Fixed6 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed6.unwrap(a), Fixed6.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed6.sol

Lines 319 to 321 in ed46bcb

function div(Fixed6 a, Fixed6 b) pure returns (Fixed6) {
return Fixed6.wrap(Fixed6.unwrap(a) * Fixed6Lib.BASE / Fixed6.unwrap(b));
}

root/src/number/types/UFixed18.sol

Lines 296 to 298 in ed46bcb

function neq(UFixed18 a, UFixed18 b) pure returns (bool) {
return UFixed18.unwrap(a) != UFixed18.unwrap(b);
}

root/src/mutability/Implementation.sol

Lines 71 to 73 in ed46bcb

function _deployer() internal view override returns (address) {
return IMutator(msg.sender).owner();
}

root/src/number/types/Fixed18.sol

Lines 312 to 314 in ed46bcb

function div(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) * Fixed18Lib.BASE / Fixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 320 to 323 in ed46bcb

function lt(UFixed6 a, UFixed6 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed6.unwrap(a), UFixed6.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed18.sol

Lines 345 to 348 in ed46bcb

function lt(Fixed18 a, Fixed18 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed18.unwrap(a), Fixed18.unwrap(b));
return au < bu;
}

root/src/number/types/Fixed18.sol

Lines 336 to 339 in ed46bcb

function gt(Fixed18 a, Fixed18 b) pure returns (bool) {
(int256 au, int256 bu) = (Fixed18.unwrap(a), Fixed18.unwrap(b));
return au > bu;
}

root/src/number/types/Fixed18.sol

Lines 362 to 364 in ed46bcb

function lte(Fixed18 a, Fixed18 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/Fixed18.sol

Lines 320 to 322 in ed46bcb

function eq(Fixed18 a, Fixed18 b) pure returns (bool) {
return Fixed18.unwrap(a) == Fixed18.unwrap(b);
}

root/src/number/types/UFixed18.sol

Lines 264 to 266 in ed46bcb

function sub(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) - UFixed18.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 303 to 305 in ed46bcb

function neq(UFixed6 a, UFixed6 b) pure returns (bool) {
return UFixed6.unwrap(a) != UFixed6.unwrap(b);
}

root/src/number/types/UFixed18.sol

Lines 304 to 307 in ed46bcb

function gt(UFixed18 a, UFixed18 b) pure returns (bool) {
(uint256 au, uint256 bu) = (UFixed18.unwrap(a), UFixed18.unwrap(b));
return au > bu;
}

root/src/number/types/UFixed18.sol

Lines 322 to 324 in ed46bcb

function gte(UFixed18 a, UFixed18 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 271 to 273 in ed46bcb

function sub(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) - UFixed6.unwrap(b));
}

root/src/number/types/UFixed6.sol

Lines 263 to 265 in ed46bcb

function add(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) + UFixed6.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 296 to 298 in ed46bcb

function sub(Fixed18 a, Fixed18 b) pure returns (Fixed18) {
return Fixed18.wrap(Fixed18.unwrap(a) - Fixed18.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 354 to 356 in ed46bcb

function gte(Fixed18 a, Fixed18 b) pure returns (bool) {
return eq(a, b) || gt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 337 to 339 in ed46bcb

function lte(UFixed6 a, UFixed6 b) pure returns (bool) {
return eq(a, b) || lt(a, b);
}

root/src/number/types/UFixed6.sol

Lines 287 to 289 in ed46bcb

function div(UFixed6 a, UFixed6 b) pure returns (UFixed6) {
return UFixed6.wrap(UFixed6.unwrap(a) * UFixed6Lib.BASE / UFixed6.unwrap(b));
}

root/src/number/types/UFixed18.sol

Lines 256 to 258 in ed46bcb

function add(UFixed18 a, UFixed18 b) pure returns (UFixed18) {
return UFixed18.wrap(UFixed18.unwrap(a) + UFixed18.unwrap(b));
}

root/src/number/types/Fixed18.sol

Lines 328 to 330 in ed46bcb

function neq(Fixed18 a, Fixed18 b) pure returns (bool) {
return Fixed18.unwrap(a) != Fixed18.unwrap(b);
}

solc-version

Impact: Informational
Confidence: High

root/src/attribute/Attribute.sol

Line 2 in ed46bcb

pragma solidity ^0.8.13;

root/src/number/types/Fixed18.sol

Line 2 in ed46bcb

pragma solidity ^0.8.19;

root/src/vrgda/VRGDADecayMath.sol

Line 2 in ed46bcb

pragma solidity >=0.8.20;

missing-inheritance

Impact: Informational
Confidence: High

root/src/utils/OwnableStub.sol

Lines 9 to 15 in ed46bcb

contract OwnableStub {
/// @notice Accepts ownership of the contract
/// @dev Can only be called by the pending owner to ensure correctness.
function acceptOwner(address ownable) external {
Ownable(ownable).acceptOwner();
}
}

https://github.com/equilibria-xyz/root/blob/ed46bcb6e674558340a41710b3d1a8cc0d47af35/src/mutability/Mutable.sol#L138-L143

naming-convention

Impact: Informational
Confidence: High

root/src/attribute/Pausable.sol

Lines 34 to 36 in ed46bcb

function __Pausable__constructor() internal initializer("Pausable") {
_updatePauser(_deployer());
}

root/src/mutability/Mutable.sol

Lines 37 to 41 in ed46bcb

function Mutable$() private pure returns (MutableStorage storage $) {
assembly {
$.slot := MutableStorageLocation
}
}

root/src/mutability/Mutable.sol

Line 34 in ed46bcb

bytes32 private constant MutableStorageLocation = 0xb906736fa3fc696e6c19a856e0f8737e348fda5c7f33a32db99da3b92f19a800;

root/src/attribute/Ownable.sol

Line 21 in ed46bcb

bytes32 private constant OwnableStorageLocation = 0x863176706c9b4c9b393005d0714f55de5425abea2a0b5dfac67fac0c9e2ffe00;

root/src/attribute/Ownable.sol

Lines 42 to 44 in ed46bcb

function __Ownable__constructor() internal initializer("Ownable") {
_updateOwner(_deployer());
}

root/src/mutability/Implementation.sol

Line 21 in ed46bcb

bytes32 private constant ImplementationStorageLocation = 0x3c57b102c533ff058ebe9a7c745178ce4174563553bb3edde7874874c532c200;

root/src/attribute/Ownable.sol

Lines 24 to 28 in ed46bcb

function Ownable$() private pure returns (OwnableStorage storage $) {
assembly {
$.slot := OwnableStorageLocation
}
}

root/src/mutability/Implementation.sol

Lines 24 to 28 in ed46bcb

function Implementation$() private pure returns (ImplementationStorage storage $) {
assembly {
$.slot := ImplementationStorageLocation
}
}

root/src/attribute/Pausable.sol

Line 23 in ed46bcb

bytes32 private constant PausableStorageLocation = 0x3f6e81f1674f7eaca7e8904fa6f14f10175d4d641e37fc18a3df849e00101900;

root/src/attribute/Pausable.sol

Lines 26 to 30 in ed46bcb

function Pausable$() private pure returns (PausableStorage storage $) {
assembly {
$.slot := PausableStorageLocation
}
}

root/src/mutability/Implementation.sol

Line 76 in ed46bcb

function __constructor(bytes memory data) internal virtual returns (string memory);

root/src/attribute/Attribute.sol

Lines 20 to 24 in ed46bcb

function Attribute$() private pure returns (AttributeStorage storage $) {
assembly {
$.slot := AttributeStorageLocation
}
}

root/src/attribute/Attribute.sol

Line 17 in ed46bcb

bytes32 private constant AttributeStorageLocation = 0x429797e2de2710eed6bc286312ff2c2286e5c3e13ca14d38e450727a132bfa00;

unimplemented-functions

Impact: Informational
Confidence: High

root/src/attribute/Withdrawable.sol

Lines 11 to 18 in ed46bcb

abstract contract Withdrawable is IWithdrawable, Attribute, Ownable {
/// @notice Withdraws all ERC20 tokens from the contract to the owner
/// @dev Can only be called by the owner
/// @param token Address of the ERC20 token
function withdraw(Token18 token) public virtual onlyOwner {
token.push(owner());
}
}

root/src/mutability/Implementation.sol

Lines 13 to 77 in ed46bcb

abstract contract Implementation is IImplementation, Contract {
/// @custom:storage-location erc7201:equilibria.root.Implementation
struct ImplementationStorage {
bool constructing;
}
/// @dev The erc7201 storage location of the mix-in
// solhint-disable-next-line const-name-snakecase
bytes32 private constant ImplementationStorageLocation = 0x3c57b102c533ff058ebe9a7c745178ce4174563553bb3edde7874874c532c200;
/// @dev The erc7201 storage of the mix-in
function Implementation$() private pure returns (ImplementationStorage storage $) {
assembly {
$.slot := ImplementationStorageLocation
}
}
/// @dev The version of this implementation.
ShortString private immutable _version;
/// @dev The version of the predecessor implementation.
ShortString private immutable _predecessor;
/// @dev Constructor for the implementation.
constructor(string memory version_, string memory predecessor_) {
_version = ShortStrings.toShortString(version_);
_predecessor = ShortStrings.toShortString(predecessor_);
}
/// @dev The name of the implementation.
function name() external view virtual returns (string memory);
/// @dev The version of this implementation.
function version() public view virtual returns (string memory) {
return ShortStrings.toString(_version);
}
/// @dev The version of the predecessor implementation.
function predecessor() external view virtual returns (string memory) {
return ShortStrings.toString(_predecessor);
}
/// @dev Called at upgrade time to initialize the contract with `data`.
function construct(bytes memory data) external {
Implementation$().constructing = true;
string memory constructorVersion = __constructor(data);
if (!Strings.equal(constructorVersion, version())) revert ImplementationConstructorVersionMismatch();
Implementation$().constructing = false;
}
/// @dev Whether the contract is initializing.
function _constructing() internal view override returns (bool) {
return Implementation$().constructing;
}
/// @dev The deployer of the contract.
function _deployer() internal view override returns (address) {
return IMutator(msg.sender).owner();
}
/// @dev Hook for inheriting contracts to construct the contract.
function __constructor(bytes memory data) internal virtual returns (string memory);
}

root/src/attribute/Delegatable.sol

Lines 12 to 20 in ed46bcb

abstract contract Delegatable is IDelegatable, Attribute, Ownable {
/// @notice Delegates voting power for a specific token to an address
/// @dev Can only be called by the owner
/// @param token The IVotes-compatible token to delegate
/// @param delegatee The address to delegate voting power to
function delegate(IVotes token, address delegatee) public virtual onlyOwner {
token.delegate(delegatee);
}
}

root/src/attribute/Executable.sol

Lines 12 to 21 in ed46bcb

abstract contract Executable is IExecutable, Attribute, Ownable {
/// @notice Executes a call to a target contract
/// @dev Can only be called by the owner
/// @param target Address of the target contract
/// @param data Calldata to be executed
/// @return result The result of the call
function execute(address target, bytes calldata data) public payable virtual onlyOwner returns (bytes memory) {
return Address.functionCallWithValue(target, data, msg.value);
}
}

unindexed-event-address

Impact: Informational
Confidence: High

prateekdefi
prateekdefi approved these changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@prateekdefi prateekdefi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

EdNoepel
EdNoepel approved these changes Feb 13, 2026
View reviewed changes
Copy link
Contributor

@EdNoepel EdNoepel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kbrizzle kbrizzle merged commit 7231ce9 into master Feb 13, 2026
3 checks passed
@kbrizzle kbrizzle deleted the sec-f4-upgrade-payable-decision branch February 13, 2026 21:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EdNoepel EdNoepel EdNoepel approved these changes

@prateekdefi prateekdefi prateekdefi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kbrizzle @EdNoepel @prateekdefi