Add security related comments (#191)

* Add security related comments * Add SECURITY.md * Remove SECURITY.md Better to keep everything consistent across the org by updating https://github.com/ethereum-optimism/.github/blob/master/SECURITY.md * Fix link to security policy * anchor text on security policy

Add security related comments (#191)
* Add security related comments * Add SECURITY.md * Remove SECURITY.md Better to keep everything consistent across the org by updating https://github.com/ethereum-optimism/.github/blob/master/SECURITY.md * Fix link to security policy * anchor text on security policy
8c480b83 · Maurelian · GitHub · 4c982155 · 8c480b83 · 8c480b83
Commit 8c480b83 authored Jan 19, 2021 by Maurelian Committed by GitHub Jan 19, 2021
3 changed files
--- a/packages/contracts/README.md
+++ b/packages/contracts/README.md
@@ -6,6 +6,6 @@ This package contains the various Ethereum smart contracts that make up the Laye
 This package requires that `yarn` be installed on your machine!  Once it is, run `yarn test` to build and run tests.
-## Disclaimer
+## Security
-The contracts in this package have **not** been audited. We **do not recommend** deploying these contracts in a production capacity.
+See our [Security Policy](https://github.com/ethereum-optimism/.github/security/policy).
\ No newline at end of file
--- a/packages/contracts/contracts/optimistic-ethereum/OVM/precompiles/OVM_L2ToL1MessagePasser.sol
+++ b/packages/contracts/contracts/optimistic-ethereum/OVM/precompiles/OVM_L2ToL1MessagePasser.sol
@@ -32,6 +32,9 @@ contract OVM_L2ToL1MessagePasser is iOVM_L2ToL1MessagePasser {
        override
        public
    {
+        // Note: although this function is public, only messages sent from the OVM_L2CrossDomainMessenger 
+        // will be relayed by the OVM_L1CrossDomainMessenger. This is enforced by a check in 
+        // OVM_L1CrossDomainMessenger._verifyStorageProof().
        sentMessages[keccak256(
            abi.encodePacked(
                _message,

--- a/packages/contracts/contracts/optimistic-ethereum/libraries/resolver/Lib_ResolvedDelegateProxy.sol
+++ b/packages/contracts/contracts/optimistic-ethereum/libraries/resolver/Lib_ResolvedDelegateProxy.sol
@@ -13,10 +13,15 @@ contract Lib_ResolvedDelegateProxy {
     * Variables *
     *************/
    // Using mappings to store fields to avoid overwriting storage slots in the
    // implementation contract. For example, instead of storing these fields at
-    // storage slot `0` & `1`, they are stored at `hash(${FIELD_NAME} + address(this))`
+    // storage slot `0` & `1`, they are stored at `keccak256(key + slot)`.
    // See: https://solidity.readthedocs.io/en/v0.7.0/internals/layout_in_storage.html
+    // NOTE: Do not use this code in your own contract system. 
+    //      There is a known flaw in this contract, and we will remove it from the repository
+    //      in the near future. Due to the very limited way that we are using it, this flaw is
+    //      not an issue in our system. 
    mapping(address=>string) private implementationName;
    mapping(address=>Lib_AddressManager) private addressManager;