feat: implement complete OpenClaw DAO governance system

🏛️ OpenClawDAO Smart Contract Implementation: Core Governance Contract: - Enhanced OpenClawDAO with snapshot security and anti-flash-loan protection - Token-weighted voting with 24-hour TWAS calculation - Multi-sig protection for critical proposals (emergency/protocol upgrades) - Agent swarm role integration (Provider/Consumer/Builder/Coordinator) - Proposal types: Parameter Change, Protocol Upgrade, Treasury, Emergency, Agent Trading, DAO Grants - Maximum voting power limits (5% per address) and vesting periods Security Features: - Snapshot-based voting power capture prevents flash-loan manipulation - Proposal bonds and challenge mechanisms for proposal validation - Multi-signature requirements for critical governance actions - Reputation-based voting weight enhancement for agents - Emergency pause and recovery mechanisms Agent Wallet Contract: - Autonomous agent voting with configurable strategies - Role-specific voting preferences based on agent type - Reputation-based voting power bonuses - Authorized caller management for agent control - Emergency stop and reactivate functionality - Autonomous vote execution based on predefined strategies GPU Staking Contract: - GPU resource staking with AITBC token collateral - Reputation-based reward rate calculations - Utilization-based reward scaling - Lock period enforcement with flexible durations - Provider reputation tracking and updates - Multi-pool support with different reward rates Deployment & Testing: - Complete deployment script with system configuration - Comprehensive test suite covering all major functionality - Multi-sig setup and initial agent registration - Snapshot creation and staking pool initialization - Test report generation with detailed results 🔐 Security Implementation: - Anti-flash-loan protection through snapshot voting - Multi-layer security (proposal bonds, challenges, multi-sig) - Reputation-based access control and voting enhancement - Emergency mechanisms for system recovery - Comprehensive input validation and access controls 📊 Governance Features: - 6 proposal types covering all governance scenarios - 4 agent swarm roles with specialized voting preferences - Token-weighted voting with reputation bonuses - 7-day voting period with 1-day delay - 4% quorum requirement and 1000 AITBC proposal threshold 🚀 Ready for deployment and integration with AITBC ecosystem
2026-03-18 20:32:44 +01:00
parent e2ebd0f773
commit 1ee2238cc8
19 changed files with 2836 additions and 146 deletions
--- a/cli/aitbc_cli/commands/wallet.py
+++ b/cli/aitbc_cli/commands/wallet.py
@@ -1233,11 +1233,18 @@ def unstake(ctx, amount: float):
        }
    )

-    # Save wallet with encryption
-    password = None
+    # CRITICAL SECURITY FIX: Save wallet properly to avoid double-encryption
    if wallet_data.get("encrypted"):
+        # For encrypted wallets, we need to re-encrypt the private key before saving
        password = _get_wallet_password(wallet_name)
-    _save_wallet(wallet_path, wallet_data, password)
+        # Only encrypt the private key, not the entire wallet data
+        if "private_key" in wallet_data:
+            wallet_data["private_key"] = encrypt_value(wallet_data["private_key"], password)
+        # Save without passing password to avoid double-encryption
+        _save_wallet(wallet_path, wallet_data, None)
+    else:
+        # For unencrypted wallets, save normally
+        _save_wallet(wallet_path, wallet_data, None)

    success(f"Unstaked {amount} AITBC")
    output(
--- a/cli/aitbc_cli/dual_mode_wallet_adapter.py
+++ b/cli/aitbc_cli/dual_mode_wallet_adapter.py
@@ -318,8 +318,11 @@ class DualModeWalletAdapter:
        wallet_data["transactions"].append(transaction)
        wallet_data["balance"] = balance - amount
        
-        # Save wallet
+        # Save wallet - CRITICAL SECURITY FIX: Always use password if wallet is encrypted
        save_password = password if wallet_data.get("encrypted") else None
+        if wallet_data.get("encrypted") and not save_password:
+            error("❌ CRITICAL: Cannot save encrypted wallet without password")
+            raise Exception("Password required for encrypted wallet")
        _save_wallet(wallet_path, wallet_data, save_password)
        
        success(f"Sent {amount} AITBC to {to_address}")
--- a/cli/aitbc_cli/utils/init.py
+++ b/cli/aitbc_cli/utils/init.py
@@ -70,17 +70,74 @@ class AuditLogger:


 def _get_fernet_key(key: str = None) -> bytes:
-    """Derive a Fernet key from a password or use default"""
+    """Derive a Fernet key from a password using Argon2 KDF"""
    from cryptography.fernet import Fernet
    import base64
-    import hashlib
+    import secrets
+    import getpass
    
    if key is None:
-        # Use a default key (should be overridden in production)
-        key = "aitbc_config_key_2026_default"
+        # CRITICAL SECURITY FIX: Never use hardcoded keys
+        # Always require user to provide a password or generate a secure random key
+        error("❌ CRITICAL: No encryption key provided. This is a security vulnerability.")
+        error("Please provide a password for encryption.")
+        key = getpass.getpass("Enter encryption password: ")
+        
+        if not key:
+            error("❌ Password cannot be empty for encryption operations.")
+            raise ValueError("Encryption password is required")
    
-    # Derive a 32-byte key suitable for Fernet
-    return base64.urlsafe_b64encode(hashlib.sha256(key.encode()).digest())
+    # Use Argon2 for secure key derivation (replaces insecure SHA-256)
+    try:
+        from argon2 import PasswordHasher
+        from argon2.exceptions import VerifyMismatchError
+        
+        # Generate a secure salt
+        salt = secrets.token_bytes(16)
+        
+        # Derive key using Argon2
+        ph = PasswordHasher(
+            time_cost=3,      # Number of iterations
+            memory_cost=65536,  # Memory usage in KB
+            parallelism=4,   # Number of parallel threads
+            hash_len=32,     # Output hash length
+            salt_len=16      # Salt length
+        )
+        
+        # Hash the password to get a 32-byte key
+        hashed_key = ph.hash(key + salt.decode('utf-8'))
+        
+        # Extract the hash part and convert to bytes suitable for Fernet
+        key_bytes = hashed_key.encode('utf-8')[:32]
+        
+        # Ensure we have exactly 32 bytes for Fernet
+        if len(key_bytes) < 32:
+            key_bytes += secrets.token_bytes(32 - len(key_bytes))
+        elif len(key_bytes) > 32:
+            key_bytes = key_bytes[:32]
+        
+        return base64.urlsafe_b64encode(key_bytes)
+        
+    except ImportError:
+        # Fallback to PBKDF2 if Argon2 is not available
+        import hashlib
+        import hmac
+        
+        warning("⚠️ Argon2 not available, falling back to PBKDF2 (less secure)")
+        
+        # Generate a secure salt
+        salt = secrets.token_bytes(16)
+        
+        # Use PBKDF2 with SHA-256 (better than plain SHA-256)
+        key_bytes = hashlib.pbkdf2_hmac(
+            'sha256',
+            key.encode('utf-8'),
+            salt,
+            100000,  # 100k iterations
+            32       # 32-byte key
+        )
+        
+        return base64.urlsafe_b64encode(key_bytes)


 def encrypt_value(value: str, key: str = None) -> str: