Make MinimalForwarder production-ready

[ernestognw]

Warning
This PR is currently on hold, meaning it's not considered yet safe to use any of the updates here until merged.

Fixes #3884
Fixes #3664

Currently, MinimalForwarder is not considered production-ready since it was designed mainly for testing purposes in the library. However, it's not that far from a MinimalForwarder that's something we may recommend.

The new MinimalForwarder should guarantee:

• Backwards compatibility
• Security (and thorough documentation about it)
• A deadline for expiring transactions

PR Checklist

• Tests
• Documentation
• Changeset entry (run npx changeset add)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4c1cd22

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Amxx]

Left some comments

[Amxx]

why put the deadline as the first argument? I would personnaly put it after the nonce.

[ernestognw]

Made sense to me to pack them this way. It's not a big deal since it's calldata, but I thought it was better to put the uint48 next to an address

[frangio]

I believe ABI encoding does not pack values. Every value takes up 32 bytes.

[Amxx]

Why do we have this function ?

[frangio]

Customizing EIP712 version, similar to Governor:

openzeppelin-contracts/contracts/governance/Governor.sol

Line 85 in 7b3e7b7

constructor(string memory name_) EIP712(name_, version()) {

I can't see immediate reasons why someone would override it, but I feel it makes sense to leave the option open? What do you think?

[ernestognw]

I can't neither think about a reason why someone would need it, but I'd say the same logic of why we set virtual in public functions should apply here.

"Why would someone override version and name?" is kinda the same question as "Why would someone override X function?" from my perspective.

No strong opinion if we remove it.

[Amxx]

Why do we have this function ?

[frangio]

I believe the reason was to customize the EIP712 name, but here I don't agree that it makes sense to make it customizable. It should be fine to make it always "MinimalForwarder".

[ernestognw]

Same as #4065 (comment)

[Amxx]

why change from constructor() EIP712("MinimalForwarder", "0.0.1") {} ?

[frangio]

Replied in your comments about version() and name().

[ernestognw]

Same as #4065 (comment)

[Amxx]

Suggested change

	bool expired = block.timestamp >= req.deadline;
	return
	getNonce(req.from) == req.nonce && // Signed nonce corresponds with current nonce
	signer == req.from && // From is signer
	!expired;
	return
	getNonce(req.from) == req.nonce && // Signed nonce corresponds with current nonce
	signer == req.from && // From is signer
	block.timestamp < req.deadline; // Expired

[frangio]

Note that we're missing require(msg.value == req.value).

[MerlinEgalite]

Is the fact that _execute is not reverting when the call fails intended and left to the contract inheriting from MinimalForwarder?

If yes and given that this version will be considered as production ready, it would be nice to add a warning about this to avoid silent failure on the implementation side. Else, I think we should revert while bubbling up the error.

[Amxx]

Yes, its an intended behavior.

This PR is on hold. The code it contains should not be seen as a production-ready version of the forwarder. For sure we will want to challenge that design choice (IMO there are good reason for this behavior), and document it.

[MerlinEgalite]

Clear, thx for the answer.

[ernestognw]

➕ to @Amxx explanation.

I'll leave this open and I added a note at the top of the PR indicating this is currently on hold.