Conversation
twx-virtuals
reviewed
Jan 6, 2026
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```solidity
        IERC20(baseToken).safeTransferFrom(_msgSender(), address(this), amount);

        _increaseEcoLockAmount(account, amount);
    }
```
stakeEcoLockFor lacks access control, allowing unauthorized eco locks
Medium Severity
stakeEcoLockFor has no access control, unlike other privileged functions in the contract that use onlyRole(ADMIN_ROLE). Anyone can call it to create permanent, non-withdrawable eco locks for any account, giving that account unwanted voting power. This also bypasses the merkle proof verification that CumulativeMerkleDrop provides. The function likely needs a role restriction so only authorized contracts (like the merkle drop) can create eco locks.
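As an added example, not code from this PR or from the veVirtual project: a stripped-down sketch of the hardening Bugbot describes, using OpenZeppelin AccessControl to gate the eco-lock entry point behind a dedicated role that is granted only to the merkle-drop contract, shown beside the unrestricted form, plus a Foundry test that checks the unauthorized path reverts and the authorized path credits the lock. The contract name MinimalEcoLock, the role name ECO_LOCK_ROLE, the flat ecoLocks mapping, MockToken and the test addresses are assumptions; OpenZeppelin 5.x and forge-std are assumed to be installed. In a real repo the test contract would live in its own file under test/.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Assumed: MinimalEcoLock,
// ECO_LOCK_ROLE, the ecoLocks mapping and MockToken. From the PR: the names
// stakeEcoLockFor, _increaseEcoLockAmount, baseToken and ADMIN_ROLE, and the
// fact that CumulativeMerkleDrop is the intended caller.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Test} from "forge-std/Test.sol";

contract MinimalEcoLock is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    // Assumed role: held only by contracts allowed to create eco locks.
    bytes32 public constant ECO_LOCK_ROLE = keccak256("ECO_LOCK_ROLE");

    IERC20 public immutable baseToken;
    // Assumed storage shape: permanently locked amount per account.
    mapping(address => uint256) public ecoLocks;

    constructor(IERC20 baseToken_, address admin, address merkleDrop) {
        baseToken = baseToken_;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(ADMIN_ROLE, admin);
        // Deployment grants the role to the merkle-drop contract only.
        _grantRole(ECO_LOCK_ROLE, merkleDrop);
    }

    // Before: no modifier. Any address can pay its own tokens to lock them
    // permanently on behalf of an arbitrary `account`, bypassing the merkle
    // proof check that lives in the drop contract.
    function stakeEcoLockForUnrestricted(address account, uint256 amount) external {
        baseToken.safeTransferFrom(_msgSender(), address(this), amount);
        _increaseEcoLockAmount(account, amount);
    }

    // After: only a holder of ECO_LOCK_ROLE (the merkle drop, which has already
    // verified the claimant's proof) can reach the lock bookkeeping.
    function stakeEcoLockFor(address account, uint256 amount)
        external
        onlyRole(ECO_LOCK_ROLE)
    {
        require(account != address(0), "zero account");
        require(amount > 0, "zero amount");
        baseToken.safeTransferFrom(_msgSender(), address(this), amount);
        _increaseEcoLockAmount(account, amount);
    }

    function _increaseEcoLockAmount(address account, uint256 amount) internal {
        ecoLocks[account] += amount;
    }
}

// Assumed test token with an open mint, for local tests only.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MOCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

contract EcoLockAccessTest is Test {
    MockToken token;
    MinimalEcoLock lock;
    address admin = makeAddr("admin");
    address merkleDrop = makeAddr("merkleDrop");
    address outsider = makeAddr("outsider");
    address beneficiary = makeAddr("beneficiary");

    function setUp() public {
        token = new MockToken();
        lock = new MinimalEcoLock(token, admin, merkleDrop);
        token.mint(merkleDrop, 1_000e18);
        token.mint(outsider, 1_000e18);
        vm.prank(merkleDrop); token.approve(address(lock), type(uint256).max);
        vm.prank(outsider);   token.approve(address(lock), type(uint256).max);
    }

    // The check the review asks for: a caller without the role is rejected
    // and no lock is created for the beneficiary.
    function test_outsiderCannotCreateEcoLock() public {
        vm.prank(outsider);
        vm.expectRevert(); // AccessControl rejects the missing ECO_LOCK_ROLE
        lock.stakeEcoLockFor(beneficiary, 100e18);
        assertEq(lock.ecoLocks(beneficiary), 0);
    }

    // The intended path still works from the role holder.
    function test_merkleDropCanCreateEcoLock() public {
        vm.prank(merkleDrop);
        lock.stakeEcoLockFor(beneficiary, 100e18);
        assertEq(lock.ecoLocks(beneficiary), 100e18);
    }
}
```

Run with `forge test -vv`. Using a separate role rather than ADMIN_ROLE keeps the merkle-drop contract from inheriting every other admin capability, which is the least-privilege split a reviewer would normally ask for when the only caller is another contract.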
Note
High Risk
Introduces new token-claim and staking flows plus modifies veVirtual's storage layout and voting-unit accounting, which can affect upgrade safety and on-chain balances/governance power.

Overview
Adds an eco-trader distribution path by introducing CumulativeMerkleDrop/ICumulativeMerkleDrop, where claims are validated against a cumulative Merkle root and the delta amount is automatically staked into veVirtual instead of transferred to the user.
Upgrades veVirtual to support a separate per-user ecoLocks mapping and stakeEcoLockFor, and includes eco locks in balanceOfAt/stakedAmountOf and voting units while disallowing normal lock actions (withdraw/extend/toggle) on eco-lock IDs.
Updates deployment/ops tooling: deployVeVirtual.ts tweaks maxWeeks and explicitly grants AccessControl roles; adds scripts to deploy the merkle-drop contract, generate merkle roots/proofs locally, and upgrade the proxy; adds eco-trader end-to-end tests and updates .openzeppelin/base-sepolia.json plus dev deps (merkletreejs, keccak256).
Written by Cursor Bugbot for commit 3a431b7.