Skip to content

Releases: aragon/osx

Aragon OSx 1.4

02 Apr 14:42
@brickpop brickpop
v1.4.0
0e66006
This commit was signed with the committer’s verified signature.
brickpop Jør∂¡
SSH Key Fingerprint: Cz3fHKkNLdmPuKnezDtmSNNGlefXX5VBiKeqolnxcm8
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Aragon OSx 1.4 Latest
Latest

Added

  • Use ProxyLib and PluginUpgradeableSetup from osx-commons-contracts.
  • Added VersionComparisonLib to compare semantic versioning numbers.
  • Inherit ProtocolVersion in Plugin, PluginCloneable, PluginUUPSUpgradeable, PluginSetup, PermissionCondition, PermissionConditionUpgradeable PluginSetupProcessor, PluginRepoRegistry, DAORegistry, and ENSSubdomainRegistrar.
  • Added the FunctionDeprecated error to DAO.
  • Added a storage gap to PluginRepo.
  • Added initializeFrom placeholder function to PluginRepo.
  • applyMultiTargetPermissions will revoke when operation is Grant and a condition is provided.

Changed

  • Updated createDao of the DAOFactory to return installed plugins and enable DAO creation without requiring plugins.
  • Changed the solidity compiler pragma from 0.8.17 to ^0.8.8 for all files.
  • Improved type safety by using abi.encodeCall instead of abi.encodeWithSelector and the more explicit bracket syntax for permissions.
  • Bumped OpenZeppelin dependencies to 4.9.6.
  • Refactored the fallback in the isGranted function in PermissionManager to make conditions mutually exclusive: Specific conditions answering false do not fall back to generic caller conditions (_who: ANY_ADDR) or generic target conditions (_where: ANY_ADDR).
  • Renamed the signatureValidator variable in DAO to __removed0.
  • Use the DAOs permission manager functionality to validate signatures.
  • Renamed managingDAO during deployment to managementDAO.
  • Aligned contract names during deployment with the names given in @aragon/osx-commons-configs.
  • Move events ReleaseMetadataUpdatedand VersionCreated from PluginRepo to IPluginRepo.
  • Allow granting permission to _who: ANY_ADDR.
  • Made ENS registration optional: DAOs and PluginRepos can be registered without a subdomain, but providing subdomain when the protocol doesn't support ENS, will revert with ENSNotSupported.

Removed

  • Deleted AddresslistVoting, AddresslistVotingSetup and related metadata.
  • Moved TokenVoting, TokenVotingSetup and related metadata to the aragon/token-voting-plugin repo.
  • Moved Multisig, MultisigSetup and related metadata to the aragon/multisig-plugin repo.
  • Moved Admin, AdminSetup and related metadata to the aragon/admin-plugin repo.
  • Moved:
    • interfaces IDAO, IPermissionCondition, IPlugin, IMembership, IProposal, IPluginSetup, IProtocolVersion,
    • abstract contracts DaoAuthorizable, DaoAuthorizableUpgradeable, Plugin, PluginCloneable, PluginUUPSUpgradeable, PermissionCondition, PermissionConditionUpgradeable, Addresslist, Proposal, ProposalUpgradeable, PluginSetup
    • contracts CloneFactory
    • libraries PermissionLib, VersionComparisonLib
    • free functions auth, Proxy, BitMap, Ratio, UncheckedMath
    • ... to the osx-commons-contracts repo.
  • Removed unused MerkleMinter and MerkleDistributor contracts.
  • Removed unused TokenFactory contract.
  • Removed the SignatureValidatorSet event from IDAO.
  • Removed the setSignatureValidator function and signatureValidator variable in DAO. In places, where the function must remain to not alter the IDAO interface ID, it will revert and explanatory notes are put in place.
  • Removed active_contracts.json file and replaced it with @aragon/osx-commons-configs package.

Fixed

  • Switch the parameter order in the MinApprovalsOutOfBounds error in the Multisig plugin.
  • Fixed NatSpec comment in getProposal function in the Multisig plugin.

Audit

https://github.com/aragon/osx/blob/v1.4.0/audits/Halborn_AragonOSx_v1_4_Smart_Contract_Security_Assessment_Report_2025_01_03.pdf

Assets 2
Loading

Berlinite Release

05 Oct 11:25
@mathewmeconry mathewmeconry
v1.3.0
e90ea8f
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Berlinite Release

Summary

This is a low-priority release containing new features, patches, and low-severity bug fixes. Update at your convenience.

For technical details, see the Aragon OSx contracts changelog.

Audits

Code4rena: link 1, link 2
Halborn: link 1, link 2

Highlights

Reentrancy Protection and Gas Checks for the DAO Executor

In previous versions, the DAO executor was allowed to call itself. Such behavior is commonly found in other executor implementations (e.g., OpenZeppelin Governor or SAFE) too because the permission to execute is given only to trusted and vetted parties and contracts. Because DAOs created through the Aragon App frontend use audited contracts developed by Aragon itself and DAO proposals are subject to review, there is no risk exposure for Aragon OSx DAOs that have been created so far. However, since 3rd-party plugins will be easily installable to the DAO in the future, we followed the suggestion by Code4rena and added reentrancy protection to the DAO executor. Additionally, we have added checks to ensure that failure of the last action of a proposal cannot be intentionally caused by providing insufficient gas when it is explicitly allowed to fail is used.

Although rated as medium findings in the Code4rena audit report we believe that the risk exposure for DAOs is low.

Protocol Versioning for OSx Contracts

OSx contracts that changed compared to v1.0.0 now have an on-chain semantic versioning number indicating the OSx protocol version the contract is associated with. This number will be displayed on the frontend and help while supporting user requests.

Reworked Proposal Creation Criteria

Holders of governance tokens in the TokenVoting plugin can now create proposals too after they have delegated their tokens to someone else. Moreover, members of the Multisig plugin can now create a proposal in the same block in which they have become a member. Lastly, events emitted during proposal creation now contain the correct information.

Reworked Permission Conditions

The permission manager functionality related to permission conditions now has additional input checks and was slightly optimized. Permission condition contracts are now identifiable through ERC-165 and base contracts are provided for developers to use.

Solidity Compiler Pragma

In the prior release, the contracts were constrained by a stringent pragma, fixed at Solidity version 0.8.17. This limitation posed a hurdle for external developers seeking compatibility with newer Solidity versions. To enhance flexibility, the contracts external developers inherit from now allow inheritance from version 0.8.8 or higher, accommodating a broader range of Solidity versions.

All Changes

The following list contains all changes to the repository hosting also the subgraph and documentation.

  • Docs: Various improvements by @Michael-A-Heuer in #304
  • fix metadata by @novaknole in #303
  • fix: rename osx-contracts to osx by @mathewmeconry in #305
  • APP-1896 : Remove duplicated code by @Rekard0 in #307
  • Fixing npm package name by @juliettech13 in #300
  • feat: ignore tests in @aragon/osx package by @mathewmeconry in #308
  • App 1797 subgraph write tests for token membership by @mathewmeconry in #276
  • feat: adds blocklist to remove subdomains from indexing by @mathewmeconry in #310
  • Docs: Improved doc generation by @Michael-A-Heuer in #315
  • Improve the .env mentions by @brickpop in #313
  • Docs: Improvements by @Michael-A-Heuer in #320
  • exec results by @novaknole in #316
  • APP-1935 : Use int for minApprovals by @Rekard0 in #312
  • move to dev dependency by @novaknole in #322
  • APP-1928: create release entity + metadata by @Rekard0 in #319
  • Addressed code4arena findings in the docs by @Michael-A-Heuer in #323
  • fix by @novaknole in #318
  • coverage tests added by @novaknole in #324
  • Documentation fixes by @Michael-A-Heuer in #329
  • APP-1920 , APP-1854 : refactor relations by @Rekard0 in #317
  • Fix/deployment script by @mathewmeconry in #330
  • Feature/docs improvement by @Michael-A-Heuer in #332
  • fix: fixes vuln in Multisig Plugin by @mathewmeconry in #338
  • fix: makes Permissions in Subgraph mutable. by @mathewmeconry in #335
  • Fix 1/64 problem in DAO executor by @Michael-A-Heuer in #333
  • Feature/multisig setup build2 by @mathewmeconry in #339
  • fix: changelog merge fail by @mathewmeconry in #340
  • Placeholder setups and Multisig Build 2 deployment by @Michael-A-Heuer in #336
  • Feat/release mumbai by @mathewmeconry in #342
  • Fix wrong permission id by @Michael-A-Heuer in #341
  • Fix titles by @Michael-A-Heuer in #343
  • Feat/fix ens deployment by @mathewmeconry in #344
  • Fix storage corruption by @Michael-A-Heuer in #345
  • Feat/polygon deployment by @mathewmeconry in #346
  • fix: hardhat typescript typing by @mathewmeconry in #347
  • App 2085 core deploy upgrade mainnet polygon by @mathewmeconry in #349
  • fix: adds missing allowFailureMap parameter to IDAO.Executed event by @mathewmeconry in #351
  • OS-331 : Rename executable to potentiallyExecutable by @Rekard0 in #352
  • OS-265 : builder testing by @Rekard0 in #327
  • Feat/update mumbai by @mathewmeconry in #353
  • OS-206: test dao with extended schema (part-1) by @Rekard0 in #354
  • OS-365 : map and test delegation by @Rekard0 in #359
  • C4 Audit Suggestions by @Michael-A-Heuer in #360
  • Changed solc compiler pragma by @Michael-A-Heuer in #348
  • OS-385, [M-02] C4arena: Clarifying NatSpec comment for TokenFactory by @Michael-A-Heuer in #362
  • Feature/os 399 hardhat upgrades by @Michael-A-Heuer in #364
  • Feature: Add indexation of ERC20 wrapper contracts by @josemarinas in #356
  • OS-253 : rename proposalId to pluginProposalId by @Rekard0 in #357
  • F/ OS-380 npm package versions by @Rekard0 in #361
  • Add missing changelog entry by @Michael-A-Heuer in #368
  • F/ OS-419 export contract source by @Rekard0 in #370
  • Feature/os 389 Membership definition update by @Michael-A-Heuer in #371
  • Fix typechain and contracts tests by @Rekard0 in #374
  • OS-203 : index DAO URI by @Rekard0 in #378
  • feat: updates infura keys used by @mathewmeconry in #376
  • Fix documentation generation workflow by @Michael-A-Heuer in #379
  • Non-reentrant DAO executor by @Michael-A-Heuer in #355
  • Feature: Update membership definition by @josemarinas in #373
  • OS-437 : swap IPlugin for PluginInstallation on DAO entity by @Rekard0 in #381
  • Fix ProposalCreated event dates by @Michael-A-Heuer in #369
  • Refactored buildMetadata of the plugins by @Michael-A-Heuer in #375
  • F/ OS-387 add protocol version by @Rekard0 in #380
  • DAOFactory protocol version by @Michael-A-Heuer in #386
  • Deploy script for the protocol and plugin upgrades by @Michael-A-Heuer in #384
  • DAO ERC-165 tests by @Michael-A-Heuer in #387
  • Feature/deploy use artifact by @Michael-A-Heuer in #385
  • F/ OS-441 test protocol upgrade by @Rekard0 in #388
  • OS-440 : Check & update Subgraph deploy fl...
Read more

Contributors

chilcano, mathewmeconry, and 7 other contributors
Loading

Aventurine

05 Oct 11:24
@mathewmeconry mathewmeconry
v1.0.0
c2b9d23
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
Aventurine

Summary

The initial release of the Aragon OSx protocol!

The Aragon OSx protocol is the foundation layer of the new Aragon stack. It allows users to create, manage, and customize DAOs in a way that is lean, adaptable, and secure.

Loading