Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(SpokePoolPeriphery): Support multiple exchanges #777

Open
wants to merge 31 commits into
base: master
Choose a base branch
from
Open

feat(SpokePoolPeriphery): Support multiple exchanges #777

wants to merge 31 commits into from

Conversation

nicholaspai
Copy link
Member

@nicholaspai nicholaspai commented Nov 27, 2024
edited
Loading

Currently we can only initialize the periphery contract with a single exchange to swap with. This PR allows us to initialize it with multiple exchanges to swap with. Like before, these initial set of exchanges and function selectors cannot be changed post-initialization, which gives the user assurances.

This also adds a method whitelistExchanges which can update the whitelisted exchange list. This means that the contract is now Ownable and both initialize and whitelistExchanges are marked onlyOwner. This means that users need to trust the owner of the contract now, and the worst thing that the owner can do is whitelist a malicious exchange. The caller of the swapX functions would still need to knowingly sign off on routerCalldata that would target this malicious exchange, so the user still retains control

I don't think we're going to make the contract Ownable and let the owner update the whitelisted exchange list post-deployment, but if we want to we can revert this commit. The reasoning is to give better assurances to the user about the contract's expected behavior.

This PR removes the whitelist of exchanges that can be called by the SpokePoolPeriphery, which was useful for protecting the caller from approve-ing the SpokePoolPeriphery contract and leaving an approval that could be stolen by another user who could direct the SpokePoolPeriphery to transferFrom the user who left their approval hanging. The reasoning for removing the whitelist is so that multiple exchanges can be used by the caller. In order to keep protecting the user from this "approval abuse", we add a new "Proxy" contract that should be used by the caller to call functions like SpokePoolPeriphery.swapAndBridge that require approvals. Now the user only approves the proxy contract which can only be used to call SpokePoolPeriphery.swapAndBridge rather than execute any arbitrary calldata.

@nicholaspai
feat(SpokePoolPeriphery): Support multiple exchanges
db4bf7b 
Currently we can only initialize the periphery contract with a single exchange to swap with. This PR allows us to initialize it with multiple exchanges to swap with. Like before, these initial set of exchanges and function selectors cannot be changed post-initialization, which gives the user assurances.
@nicholaspai
rename
df04404
@nicholaspai
Update SpokeV3PoolPeriphery.sol
1954009
@nicholaspai
Update SpokeV3PoolPeriphery.sol
fc1ff8f
@nicholaspai nicholaspai marked this pull request as ready for review November 27, 2024 13:51
@nicholaspai
Copy link
Member Author

I just added some forge unit tests for:

  • swapAndBridge
  • initialize
  • deposit

@nicholaspai nicholaspai requested a review from bmzig November 27, 2024 19:53
@nicholaspai
Add whitelistExchanges only owner method
aca4b06
@nicholaspai
rename
7149287
@nicholaspai
Remove onlyOwner
dda8499
@nicholaspai
Remove whitelist of exchanges, add proxy to bypass approval abuse
2da9c63 
Make user approve proxy contract so no one can use `exchange` + `routerCalldata` to steal their already approved funds via the `SpokePoolPeriphery`
@nicholaspai
Add some protection to callSpokePoolPeriphery
90e7cd0
@nicholaspai nicholaspai requested a review from bmzig December 1, 2024 21:55
mrice32
mrice32 reviewed Dec 3, 2024
View reviewed changes
Copy link
Contributor

@mrice32 mrice32 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one comment

contracts/SpokePoolV3Periphery.sol Outdated Show resolved Hide resolved
@nicholaspai nicholaspai requested a review from mrice32 December 4, 2024 01:47
@nicholaspai nicholaspai added the do not merge do not merge label Dec 5, 2024
@bmzig @nicholaspai
feat: add permit2 entrypoints to the periphery (#782)
022a8ec 
* feat: add permit2 entrypoints to the periphery

Signed-off-by: Bennett <bennett@umaproject.org>

* Update test/evm/foundry/local/SpokePoolPeriphery.t.sol

* Update SpokePoolPeriphery.t.sol

* move permit2 to proxy

* fix permit2

Signed-off-by: bennett <bennett@umaproject.org>

* wip: swap arguments refactor

Signed-off-by: bennett <bennett@umaproject.org>

* implement isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* 1271

Signed-off-by: bennett <bennett@umaproject.org>

* simplify isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* rebase /programs on master

Signed-off-by: nicholaspai <npai.nyc@gmail.com>

* clean up comments

* rebase programs

* fix: consolidate structs so that permit2 witnesses cover inputs

Signed-off-by: bennett <bennett@umaproject.org>

* begin permit2 unit tests

Signed-off-by: bennett <bennett@umaproject.org>

* rebase

* Update SpokePoolPeriphery.t.sol

* move type definitions to interface

Signed-off-by: bennett <bennett@umaproject.org>

* fix permit2 test

Signed-off-by: bennett <bennett@umaproject.org>

* transfer type tests

Signed-off-by: bennett <bennett@umaproject.org>

* rename EIP1271Signature to Permi2Approval

Signed-off-by: bennett <bennett@umaproject.org>

---------

Signed-off-by: Bennett <bennett@umaproject.org>
Signed-off-by: bennett <bennett@umaproject.org>
Signed-off-by: nicholaspai <npai.nyc@gmail.com>
Co-authored-by: nicholaspai <9457025+nicholaspai@users.noreply.github.com>
Co-authored-by: nicholaspai <npai.nyc@gmail.com>
@nicholaspai nicholaspai requested a review from bmzig December 6, 2024 23:34
bmzig
bmzig previously approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@bmzig bmzig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a really good improvement. Another thing I was wondering was if we could not pass in a struct to _swapAndDeposit but IIRC that causes a stack too deep error.

bmzig and others added 3 commits December 18, 2024 14:57
@bmzig @nicholaspai
feat: sponsored swap and deposits (#790)
c9017ff 
* feat: add permit2 entrypoints to the periphery

Signed-off-by: Bennett <bennett@umaproject.org>

* Update test/evm/foundry/local/SpokePoolPeriphery.t.sol

* Update SpokePoolPeriphery.t.sol

* move permit2 to proxy

* fix permit2

Signed-off-by: bennett <bennett@umaproject.org>

* wip: swap arguments refactor

Signed-off-by: bennett <bennett@umaproject.org>

* implement isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* 1271

Signed-off-by: bennett <bennett@umaproject.org>

* simplify isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* rebase /programs on master

Signed-off-by: nicholaspai <npai.nyc@gmail.com>

* clean up comments

* rebase programs

* feat: sponsored swap and deposits

Signed-off-by: bennett <bennett@umaproject.org>

* fix: consolidate structs so that permit2 witnesses cover inputs

Signed-off-by: bennett <bennett@umaproject.org>

* begin permit2 unit tests

Signed-off-by: bennett <bennett@umaproject.org>

* rebase

* Update SpokePoolPeriphery.t.sol

* move type definitions to interface

Signed-off-by: bennett <bennett@umaproject.org>

* fix permit2 test

Signed-off-by: bennett <bennett@umaproject.org>

* transfer type tests

Signed-off-by: bennett <bennett@umaproject.org>

* rename EIP1271Signature to Permi2Approval

Signed-off-by: bennett <bennett@umaproject.org>

* add mockERC20 which implements permit/receiveWithAuthorization

Signed-off-by: bennett <bennett@umaproject.org>

* add tests for permit, permit2, and receiveWithAuth swaps/deposits

Signed-off-by: bennett <bennett@umaproject.org>

* add tests for invalid witnesses

Signed-off-by: bennett <bennett@umaproject.org>

* factor out signature checking

Signed-off-by: bennett <bennett@umaproject.org>

---------

Signed-off-by: Bennett <bennett@umaproject.org>
Signed-off-by: bennett <bennett@umaproject.org>
Signed-off-by: nicholaspai <npai.nyc@gmail.com>
Co-authored-by: nicholaspai <9457025+nicholaspai@users.noreply.github.com>
Co-authored-by: nicholaspai <npai.nyc@gmail.com>
@nicholaspai @bmzig
feat: Delete SwapAndBridge and add submission fees to gasless flow (#809
9bc7d91 
)

* feat: add permit2 entrypoints to the periphery

Signed-off-by: Bennett <bennett@umaproject.org>

* Update test/evm/foundry/local/SpokePoolPeriphery.t.sol

* Update SpokePoolPeriphery.t.sol

* move permit2 to proxy

* fix permit2

Signed-off-by: bennett <bennett@umaproject.org>

* wip: swap arguments refactor

Signed-off-by: bennett <bennett@umaproject.org>

* implement isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* 1271

Signed-off-by: bennett <bennett@umaproject.org>

* simplify isValidSignature

Signed-off-by: bennett <bennett@umaproject.org>

* rebase /programs on master

Signed-off-by: nicholaspai <npai.nyc@gmail.com>

* clean up comments

* rebase programs

* feat: sponsored swap and deposits

Signed-off-by: bennett <bennett@umaproject.org>

* fix: consolidate structs so that permit2 witnesses cover inputs

Signed-off-by: bennett <bennett@umaproject.org>

* begin permit2 unit tests

Signed-off-by: bennett <bennett@umaproject.org>

* rebase

* Update SpokePoolPeriphery.t.sol

* move type definitions to interface

Signed-off-by: bennett <bennett@umaproject.org>

* fix permit2 test

Signed-off-by: bennett <bennett@umaproject.org>

* transfer type tests

Signed-off-by: bennett <bennett@umaproject.org>

* rename EIP1271Signature to Permi2Approval

Signed-off-by: bennett <bennett@umaproject.org>

* add mockERC20 which implements permit/receiveWithAuthorization

Signed-off-by: bennett <bennett@umaproject.org>

* add tests for permit, permit2, and receiveWithAuth swaps/deposits

Signed-off-by: bennett <bennett@umaproject.org>

* add tests for invalid witnesses

Signed-off-by: bennett <bennett@umaproject.org>

* feat: Delete SwapAndBridge and add submission fees to gasless flow

SwapAndBridge is to be replaced with SpokePoolV3Periphery

Gasless flows will require user to cover gas cost of whoever submits the transaction, but they can be set to 0 if the user wants to submit themselves.

* Internal refactor

* Update SpokePoolV3Periphery.sol

* Update PeripherySigningLib.sol

* Update SpokePoolV3Periphery.sol

* Update PeripherySigningLib.sol

---------

Signed-off-by: Bennett <bennett@umaproject.org>
Signed-off-by: bennett <bennett@umaproject.org>
Signed-off-by: nicholaspai <npai.nyc@gmail.com>
Co-authored-by: Bennett <bennett@umaproject.org>
@nicholaspai
Update SpokePoolV3Periphery.sol
f4250d0
@nicholaspai
Copy link
Member Author

_swapAndDeposit

Does this function exist anymore?

dohaki
dohaki reviewed Dec 24, 2024
View reviewed changes
contracts/SpokePoolV3Periphery.sol
@@ -155,7 +230,7 @@ contract SpokePoolV3Periphery is Lockable, MultiCaller {
uint32 fillDeadline,
uint32 exclusivityParameter,
bytes memory message
) external payable nonReentrant {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not directly related to this specific diff, but is there a reason why you can not specify an explicit outputToken here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a copy/paste of the spoke pool verifier deposit function, so we just assume that this is only being used with the native token,

dohaki
dohaki reviewed Dec 24, 2024
View reviewed changes
contracts/SpokePoolV3Periphery.sol
function swapAndBridge(SpokePoolV3PeripheryInterface.SwapAndDepositData calldata swapAndDepositData)
external
override
nonReentrant
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In SpokePoolV3Periphery this is payable. Should this one be as well?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not payable since the proxy is only used for ERC20 approval based flows. If we swap and bridge with ETH, it is more gas-efficient to call the periphery directly, so we force that the user does that.

dohaki and others added 2 commits December 24, 2024 19:12
@dohaki
fix: eip712 types and hashes (#821)
26110a9
@bmzig
refactor comments
c1f6181 
Signed-off-by: bennett <bennett@umaproject.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bmzig bmzig bmzig left review comments

@dohaki dohaki dohaki left review comments

@pxrl pxrl Awaiting requested review from pxrl pxrl is a code owner

@mrice32 mrice32 Awaiting requested review from mrice32 mrice32 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
do not merge do not merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nicholaspai @mrice32 @dohaki @bmzig