pezkuwichain
645d8aea73
fix(security): address remaining CRITICAL audit findings
presale:
- C2: Convert refund_cancelled_presale to batch pattern (start_index, batch_size)
to prevent unbounded iteration with many contributors
- C3: Add status validation to cancel_presale — prevent cancelling Finalized/Failed
presales (prevents double-dipping: tokens distributed + refund issued)
- C4: Enforce CreatePresaleOrigin (was defined in Config but never checked)
Changed to Success = AccountId for proper owner extraction
- Clarified presale_account_id expect() safety comment (Blake2_256 = 32 bytes,
always sufficient for AccountId decode)
- Removed unused imports (Defensive, AccountIdConversion)
perwerde:
- C5: Prevent NextCourseId overflow — added ensure!(< u32::MAX) check and
replaced unchecked += 1 with saturating_add
welati:
- C6: Enforce access control on all CollectiveDecisionType variants:
ConstitutionalReview/Unanimous → Diwan members only
ExecutiveDecision → Serok only
HybridDecision → Parliament OR Serok
VetoOverride → Parliament members only