Skip to content

fix(govdao): make Tiers private to prevent external modification #5075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
moul wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix(govdao): make Tiers private to prevent external modification #5075

moul wants to merge 2 commits into from

Conversation

@moul
Copy link
Member

@moul moul commented Jan 19, 2026
edited
Loading

memberstore.Tiers was a public variable (var Tiers TiersByName) that exposed the underlying *avl.Tree. External realms could call memberstore.Tiers.Set(...) to modify tier configurations,
escalating voting power or corrupting governance data.

h/t @jeronimoalbi for the report.

moul added 2 commits January 19, 2026 20:59
@moul
fix(govdao): make Tiers private to prevent external modification
9d3d947 
Signed-off-by: moul <94029+moul@users.noreply.github.com>
@moul
chore: fixup
b24d4f5 
Signed-off-by: moul <94029+moul@users.noreply.github.com>
@moul moul self-assigned this Jan 19, 2026
@github-actions github-actions bot added the 🧾 package/realm Tag used for new Realms or Packages. label Jan 19, 2026
@Gno2D2
Copy link
Collaborator

Gno2D2 commented Jan 19, 2026
edited
Loading

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Automated Checks
Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: moul/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request
Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission

@moul moul marked this pull request as ready for review January 19, 2026 21:05
MikaelVallenet
MikaelVallenet approved these changes Jan 21, 2026
View reviewed changes
Copy link
Member

@MikaelVallenet MikaelVallenet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, related to this i made a PR with linter that add rule that would trigger exporting global var -> #5068

Davphla
Davphla approved these changes Jan 23, 2026
View reviewed changes
Copy link
Contributor

@Davphla Davphla left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, it would be a good idea to verify any similar issues in other realms

@moul
Copy link
Member Author

moul commented Jan 23, 2026

Exporting global vars make sense if they are safe objects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeronimoalbi jeronimoalbi jeronimoalbi approved these changes

@ajnavarro ajnavarro ajnavarro approved these changes

@thehowl thehowl Awaiting requested review from thehowl

@ltzmaxwell ltzmaxwell Awaiting requested review from ltzmaxwell

+2 more reviewers

@Davphla Davphla Davphla approved these changes

@MikaelVallenet MikaelVallenet MikaelVallenet approved these changes

Reviewers whose approvals may not affect merge requirements

At least 3 approving reviews are required to merge this pull request.

Assignees

@moul moul

Labels

🧾 package/realm Tag used for new Realms or Packages.

Projects

💪 Bounties & Worx
Status: No status
😎 Manfred's Board
Status: 📥 Inbox
🧙‍♂️Gno.land development
Status: Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@moul @Gno2D2 @jeronimoalbi @ajnavarro @Davphla @MikaelVallenet