Skip to content

test: address Bugbot review on #470 (rebase caller, PWQ ctor args, dead vars)#479

Merged
seongyun-ko merged 1 commit into
seongyun/fuzz/security-upgradesfrom
seongyun/fix/bugbot-470-comments
Jun 21, 2026
Merged

test: address Bugbot review on #470 (rebase caller, PWQ ctor args, dead vars)#479
seongyun-ko merged 1 commit into
seongyun/fuzz/security-upgradesfrom
seongyun/fix/bugbot-470-comments

Conversation

@seongyun-ko

@seongyun-ko seongyun-ko commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Addresses the open Cursor Bugbot findings on #470. Test-only, no src/ changes. Targets the PR-470 branch so it rides into the release with the rest of the test layer.

Every finding was re-checked against source (not the bot summary):

Medium — rebase uses wrong caller / unset membership manager (WithdrawalSolvency)

The two Bugbot comments (#3417785711-family) flagged rebasePositive/rebaseNegative pranking membershipManager. Source: LiquidityPool.rebase requires msg.sender == etherFiAdminContract (LiquidityPool.sol:456), and on a realistic fork membershipManagerInstance is address(0) (only set in initializeTestingFork). Worse: the rebase ops weren't even in the targetSelector set — dead code, which is why the suite passed despite the bug.

  • Prank the real etherFiAdminContract; drop the unused membershipManager immutable + ctor arg.
  • Add rebasePositive/rebaseNegative to targetSelector so they actually run.
  • Bound positive rebase to ≤0.2% so it stays under MAX_POSITIVE_REBASE_BPS (0.25%) and applies.

Medium — PriorityWithdrawalQueue wrong constructor args (ValidatorStateMachine)

Ctor is (lp, eETH, weETH, blacklister, roleRegistry, minDelay); the fork upgrade passed roleRegistry as _blacklister and treasury as _roleRegistry. Now wired with blacklisterInstance + roleRegistryInstance in their correct slots (matches TestSetup.sol:504).

Low — unused baseline snapshots (WithdrawalSolvency)

Removed dead baseLocked/baseOutOfLp; the invariants assert the stronger construction-true absolute bound, so the snapshots were never read.

Already fixed at HEAD (no action)

  • I10 membership-manager-on-LP-upgrade (now uses MEMBERSHIP_MANAGER).
  • I12/I13 RewardsDistributor non-vacuity gates (present in afterInvariant).

Verification (mainnet fork)

  • WithdrawalSolvencyInvariantTest: 7/7 pass — requestsClaimed=14, finalizeBoundChecks=7, lockBoundEnforced=10, rebase ops now active.
  • ValidatorStateMachineInvariantTest: 2/2 pass.
  • RewardsDistributorInvariantTest: 3/3 pass.

Note

Low Risk
Changes are confined to invariant/fork test setup and fuzz handlers; production contracts are untouched.

Overview
Test-only fixes for mainnet-fork invariant suites; no src/ changes.

ValidatorStateMachine fork upgrade: The PriorityWithdrawalQueue implementation deployed during setUp now passes blacklisterInstance and roleRegistryInstance in the constructor slots that match production (lp, eETH, weETH, blacklister, roleRegistry, minDelay), instead of mis-wiring roleRegistry as blacklister and treasury as role registry.

WithdrawalSolvency handler/fuzzer: Drops unused baseLocked / baseOutOfLp snapshots and the unused membershipManager dependency. rebasePositive / rebaseNegative now prank etherFiAdminContract (the only caller LiquidityPool.rebase accepts on a realistic fork, where membershipManager is unset), are included in targetSelector so they actually run during fuzzing, and positive rebase is capped at ≤0.2% of out-of-LP TVL so deltas stay under MAX_POSITIVE_REBASE_BPS (0.25%) and apply instead of reverting.

Reviewed by Cursor Bugbot for commit 1e4ba9e. Bugbot is set up for automated code reviews on this repo. Configure here.

…ad vars)

Fixes the open Cursor Bugbot findings against the I3/I10 fork invariant suites
(all confirmed against source, not the bot summary):

- WithdrawalSolvency: rebasePositive/rebaseNegative pranked membershipManager,
  but LiquidityPool.rebase requires msg.sender == etherFiAdminContract
  (LiquidityPool.sol:456). On a realistic fork membershipManagerInstance is
  address(0) (only set in initializeTestingFork), so both helpers always
  reverted IncorrectCaller AND were never even in the fuzz selector set (dead
  code). Now prank the real etherFiAdminContract, drop the unused
  membershipManager immutable/ctor arg, add both ops to targetSelector, and
  bound the positive rebase to <=0.2% so it stays under MAX_POSITIVE_REBASE_BPS
  (0.25%) and actually applies.
- WithdrawalSolvency: removed unused baseLocked/baseOutOfLp snapshots; the
  invariants assert the stronger construction-true absolute bound, so the
  baseline vars were dead.
- ValidatorStateMachine: PriorityWithdrawalQueue ctor is
  (lp, eETH, weETH, blacklister, roleRegistry, minDelay); the fork upgrade
  passed roleRegistry as blacklister and treasury as roleRegistry. Now wired
  with blacklisterInstance + roleRegistryInstance in their correct slots.

Verified on mainnet fork: WithdrawalSolvency 7/7 pass (requestsClaimed=14,
finalizeBoundChecks=7, lockBoundEnforced=10), ValidatorStateMachine 2/2,
RewardsDistributor 3/3 (its non-vacuity gates were already present).
@seongyun-ko seongyun-ko marked this pull request as ready for review June 21, 2026 11:37
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@seongyun-ko seongyun-ko merged commit ce035e0 into seongyun/fuzz/security-upgrades Jun 21, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant