fix: exposed vars security issue

Author: Intermarch3

packages/r/intermarch3/goo/court.gno

@@ -13,57 +13,57 @@ import (
 )
 
 var (
-	Disputes        = avl.NewTree()
-	DisputeDuration = 2 * int64(time.Minute.Seconds())
-	RevealDuration  = 2 * int64(time.Minute.Seconds())
-	VoteTokenPrice  = 1 * int64(1_000_000) // in GNOT
+	disputes        = avl.NewTree()
+	disputeDuration = 2 * int64(time.Minute.Seconds())
+	revealDuration  = 2 * int64(time.Minute.Seconds())
+	voteTokenPrice  = 1 * int64(1_000_000) // in GNOT
 	VoteToken       = newOOToken("Gno Optimistic Oracle Token", "goot", 6)
 )
 
 func initiateDispute(id string) {
-	if _, exists := Disputes.Get(id); exists {
+	if _, exists := disputes.Get(id); exists {
 		panic("error: Dispute for this request already exists.")
 	}
 	dispute := Dispute{
 		RequestId:     id,
 		Votes:         []Vote{},
 		Voters:        avl.NewTree(),
 		IsResolved:    false,
-		EndTime:       time.Now().Add(time.Duration(DisputeDuration) * time.Second),
-		EndRevealTime: time.Now().Add(time.Duration(DisputeDuration+RevealDuration) * time.Second),
+		EndTime:       time.Now().Add(time.Duration(disputeDuration) * time.Second),
+		EndRevealTime: time.Now().Add(time.Duration(disputeDuration+revealDuration) * time.Second),
 	}
-	Disputes.Set(id, dispute)
+	disputes.Set(id, dispute)
 	chain.Emit("DisputeInitiated", "id", id)
 }
 
 // -- PUBLIC FUNCTIONS --
 
-// BuyInitialVoteToken allows a user to buy their first vote token by sending VoteTokenPrice amount of ugnot.
+// BuyInitialVoteToken allows a user to buy their first vote token by sending voteTokenPrice amount of ugnot.
 func BuyInitialVoteToken(_ realm) {
 	caller := runtime.OriginCaller()
 	coins := banker.OriginSend()
-	if len(coins) != 1 || coins.AmountOf("ugnot") != VoteTokenPrice {
-		panic("error: Must send exactly " + strconv.Itoa(int(VoteTokenPrice/1_000_000)) + " gnot to get a vote token.")
+	if len(coins) != 1 || coins.AmountOf("ugnot") != voteTokenPrice {
+		panic("error: Must send exactly " + strconv.Itoa(int(voteTokenPrice/1_000_000)) + " gnot to get a vote token.")
 	}
 
 	balance := VoteToken.BalanceOf(caller)
 	if balance > 0 {
 		panic("error: You already have a vote token.")
 	}
 
-	VoteToken.Mint(caller, 1)
+	VoteToken.mint(caller, 1)
 	chain.Emit("VoteTokenPurchased", "voter", caller.String())
 }
 
 // BalanceOfVoteToken returns the number of vote tokens held by the caller.
 func BalanceOfVoteToken(_ realm) int64 {
-	return VoteToken.balanceOf(runtime.PreviousRealm().Address())
+	return VoteToken.BalanceOf(runtime.PreviousRealm().Address())
 }
 
 // VoteOnDispute allows a user to commit a vote during a dispute.
 func VoteOnDispute(_ realm, id string, hash string) {
 	dispute := getDispute(id)
-	res, _ := Requests.Get(id)
+	res, _ := requests.Get(id)
 	request := res.(DataRequest)
 	if request.Proposer == runtime.PreviousRealm().Address() || request.Disputer == runtime.PreviousRealm().Address() {
 		panic("error: Proposer and Disputer cannot vote in this dispute.")
@@ -92,7 +92,7 @@ func VoteOnDispute(_ realm, id string, hash string) {
 	}
 	dispute.Votes = append(dispute.Votes, vote)
 	dispute.Voters.Set(string(vote.Voter), Voter{HasVoted: true, VoteIndex: int64(len(dispute.Votes) - 1)})
-	Disputes.Set(id, dispute)
+	disputes.Set(id, dispute)
 	chain.Emit("VoteSubmitted", "id", id, "voter", vote.Voter.String())
 }
 
@@ -127,7 +127,7 @@ func RevealVote(_ realm, id string, value int64, salt string) {
 	vote.Revealed = true
 	dispute.NbResolvedVotes += 1
 	dispute.Votes[voter.(Voter).VoteIndex] = vote
-	Disputes.Set(id, dispute)
+	disputes.Set(id, dispute)
 	chain.Emit("VoteRevealed", "id", id, "voter", vote.Voter.String(), "value", strconv.Itoa(int(value)))
 }
 
@@ -143,13 +143,13 @@ func ResolveDispute(_ realm, id string) {
 	val := resolve(id)
 	dispute.WinningValue = val
 	dispute.IsResolved = true
-	Disputes.Set(id, dispute)
+	disputes.Set(id, dispute)
 	// Update the original request with the winning value
 	request := getRequest(id)
 
 	request.ProposedValue = val
 	request.State = "Resolved"
-	Requests.Set(id, request)
+	requests.Set(id, request)
 	chain.Emit("DisputeResolved", "id", id, "winningValue", strconv.Itoa(int(val)))
 	chain.Emit("RequestResolved", "id", id, "winningValue", strconv.Itoa(int(val)))
 
@@ -161,15 +161,15 @@ func ResolveDispute(_ realm, id string) {
 		// Refund + reward the proposer if the dispute did not change the value
 		winner = request.Proposer
 	}
-	Bank.SendCoins(runtime.CurrentRealm().Address(), winner, chain.Coins{chain.Coin{Denom: "ugnot", Amount: Bond + RequesterReward}})
+	bank.SendCoins(runtime.CurrentRealm().Address(), winner, chain.Coins{chain.Coin{Denom: "ugnot", Amount: bond + requesterReward}})
 }
 
 // -- admin functions --
 
 // SetDisputeDuration sets the duration (in seconds) for the voting period.
 func SetDisputeDuration(_ realm, duration int64) {
 	if runtime.OriginCaller() == admin {
-		DisputeDuration = duration * int64(time.Second)
+		disputeDuration = duration * int64(time.Second)
 	} else {
 		panic("error: Only admin can set dispute duration.")
 	}
@@ -178,7 +178,7 @@ func SetDisputeDuration(_ realm, duration int64) {
 // SetRevealDuration sets the duration (in seconds) for the reveal period.
 func SetRevealDuration(_ realm, duration int64) {
 	if runtime.OriginCaller() == admin {
-		RevealDuration = duration * int64(time.Second)
+		revealDuration = duration * int64(time.Second)
 	} else {
 		panic("error: Only admin can set reveal duration.")
 	}
@@ -187,7 +187,7 @@ func SetRevealDuration(_ realm, duration int64) {
 // SetVoteTokenPrice sets the price (in ugnot) to cast a vote.
 func SetVoteTokenPrice(_ realm, price int64) {
 	if runtime.OriginCaller() == admin {
-		VoteTokenPrice = price
+		voteTokenPrice = price
 	} else {
 		panic("error: Only admin can set vote price.")
 	}
@@ -202,12 +202,12 @@ func GetDispute(_ realm, id string) Dispute {
 
 // GetDisputeDuration returns the current dispute duration.
 func GetDisputeDuration(_ realm) int64 {
-	return DisputeDuration
+	return disputeDuration
 }
 
 // GetVoteTokenPrice returns the current vote price.
 func GetVoteTokenPrice(_ realm) int64 {
-	return VoteTokenPrice
+	return voteTokenPrice
 }
 
 // GetDisputeEndTime returns the end time of the voting period for a specific dispute.
@@ -230,13 +230,13 @@ func GetRevealEndTime(_ realm, id string) time.Time {
 
 // GetRevealDuration returns the current reveal duration.
 func GetRevealDuration(_ realm) int64 {
-	return RevealDuration
+	return revealDuration
 }
 
 // Utils functions
 
 func getDispute(id string) Dispute {
-	dispute, exists := Disputes.Get(id)
+	dispute, exists := disputes.Get(id)
 	if !exists {
 		panic("error: Dispute with this ID does not exist.")
 	}

packages/r/intermarch3/goo/court_test.gno

@@ -14,20 +14,20 @@ var user4 = testutils.TestAddress("user4")
 
 func TestBuyInitialVoteToken(t *testing.T) {
 	testing.SetRealm(testing.NewUserRealm(user1))
-	urequire.AbortsWithMessage(t, "error: Must send exactly "+strconv.Itoa(int(VoteTokenPrice/1_000_000))+" gnot to get a vote token.", func() {
+	urequire.AbortsWithMessage(t, "error: Must send exactly "+strconv.Itoa(int(voteTokenPrice/1_000_000))+" gnot to get a vote token.", func() {
 		BuyInitialVoteToken(cross)
 	}, "user should not be able to buy a vote token without sending the correct amount")
 
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: VoteTokenPrice}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: voteTokenPrice}})
 	urequire.NotPanics(t, func() {
 		BuyInitialVoteToken(cross)
 	}, "user should be able to buy a vote token by sending the correct amount")
 	amount := BalanceOfVoteToken(cross)
 	urequire.Equal(t, int64(1), amount, "user should have received a vote token")
 
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: VoteTokenPrice}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: voteTokenPrice}})
 	urequire.AbortsWithMessage(t, "error: You already have a vote token.", func() {
 		BuyInitialVoteToken(cross)
 	}, "user should not be able to buy a second vote token")
@@ -36,20 +36,20 @@ func TestBuyInitialVoteToken(t *testing.T) {
 func TestVoteOnDispute(t *testing.T) {
 	// setup: create request and dispute
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: RequesterReward}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: requesterReward}})
 	id := RequestData(cross, "test", true, time.Now().Add(24*time.Hour).Unix())
 
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	ProposeValue(cross, id, 0)
 
 	testing.SetRealm(testing.NewUserRealm(user2))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	DisputeData(cross, id)
 
 	// buy vote token
 	testing.SetRealm(testing.NewUserRealm(user3))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: VoteTokenPrice}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: voteTokenPrice}})
 	BuyInitialVoteToken(cross)
 
 	// vote on dispute
@@ -74,7 +74,7 @@ func TestVoteOnDispute(t *testing.T) {
 	}, "user should not be able to vote on dispute if they have already voted")
 
 	testing.SetRealm(testing.NewUserRealm(user4))
-	setTime(time.Now().Add(time.Duration(DisputeDuration)*time.Second + time.Second))
+	setTime(time.Now().Add(time.Duration(disputeDuration)*time.Second + time.Second))
 	urequire.AbortsWithMessage(t, "error: Vote period has ended.", func() {
 		VoteOnDispute(cross, id, "hash")
 	}, "user should not be able to vote on dispute after the voting period has ended")
@@ -83,23 +83,23 @@ func TestVoteOnDispute(t *testing.T) {
 func TestRevealVote(t *testing.T) {
 	// setup: create request and dispute
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: RequesterReward}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: requesterReward}})
 	id := RequestData(cross, "test", true, time.Now().Add(24*time.Hour).Unix())
 
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	ProposeValue(cross, id, 0)
 
 	testing.SetRealm(testing.NewUserRealm(user2))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	DisputeData(cross, id)
 
 	// vote on dispute
 	testing.SetRealm(testing.NewUserRealm(user3))
 	VoteOnDispute(cross, id, "a96e0beb59a16b085a7d2b3b5ffd6e5971870aa2903c6df86f26fa908ded2e21")
 
 	testing.SetRealm(testing.NewUserRealm(user3))
-	setTime(time.Now().Add(time.Duration(DisputeDuration)*time.Second + time.Second))
+	setTime(time.Now().Add(time.Duration(disputeDuration)*time.Second + time.Second))
 	urequire.AbortsWithMessage(t, "error: Hash does not match the revealed value and salt.", func() {
 		RevealVote(cross, id, 1, "mysalt")
 	}, "vote reveal with incorrect value and salt should fail")
@@ -119,25 +119,25 @@ func TestRevealVote(t *testing.T) {
 func TestResolveDispute(t *testing.T) {
 	// setup: create request and dispute
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: RequesterReward}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: requesterReward}})
 	id := RequestData(cross, "test", true, time.Now().Add(24*time.Hour).Unix())
 
 	testing.SetRealm(testing.NewUserRealm(user1))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	ProposeValue(cross, id, 0)
 
 	testing.SetRealm(testing.NewUserRealm(user2))
-	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: Bond}})
+	testing.SetOriginSend([]chain.Coin{{Denom: "ugnot", Amount: bond}})
 	DisputeData(cross, id)
 
 	// vote on dispute
 	testing.SetRealm(testing.NewUserRealm(user3))
 	VoteOnDispute(cross, id, "a96e0beb59a16b085a7d2b3b5ffd6e5971870aa2903c6df86f26fa908ded2e21")
-	setTime(time.Now().Add(time.Duration(DisputeDuration)*time.Second + time.Second))
+	setTime(time.Now().Add(time.Duration(disputeDuration)*time.Second + time.Second))
 	RevealVote(cross, id, 0, "test")
 
-	setTime(time.Now().Add(time.Duration(RevealDuration)*time.Second + time.Second))
-	CreateGnotCoins(cross, (Bond*2)+RequesterReward)
+	setTime(time.Now().Add(time.Duration(revealDuration)*time.Second + time.Second))
+	CreateGnotCoins(cross, (bond*2)+requesterReward)
 	urequire.NotPanics(t, func() {
 		ResolveDispute(cross, id)
 	}, "user should be able to resolve dispute after the reveal period has ended")