Agent: Merge with Fundraising's Pool

apps/agent/arapp.json

@@ -33,6 +33,24 @@
     }
   },
   "roles": [
+    {
+      "name": "Execute safe actions",
+      "id": "SAFE_EXECUTE_ROLE",
+      "params": [
+        "Target address",
+        "Signature"
+      ]
+    },
+    {
+      "name": "Add protected tokens",
+      "id": "ADD_PROTECTED_TOKEN_ROLE",
+      "params": []
+    },
+    {
+      "name": "Remove protected tokens",
+      "id": "REMOVE_PROTECTED_TOKEN_ROLE",
+      "params": []
+    },
     {
       "name": "Execute actions",
       "id": "EXECUTE_ROLE",
@@ -62,6 +80,15 @@
       "params": [
         "EVM Script"
       ]
+    },
+    {
+      "name": "Transfer Agent's tokens",
+      "id": "TRANSFER_ROLE",
+      "params": [
+        "Token address",
+        "Receiver address",
+        "Token amount"
+      ]
     }
   ],
   "path": "contracts/Agent.sol"

apps/agent/contracts/Agent.sol

@@ -14,22 +14,101 @@ import "@aragon/os/contracts/common/IForwarder.sol";
 
 
 contract Agent is IERC165, ERC1271Bytes, IForwarder, IsContract, Vault {
+    /* Hardcoded constants to save gas
+    bytes32 public constant SAFE_EXECUTE_ROLE = keccak256("SAFE_EXECUTE_ROLE");
     bytes32 public constant EXECUTE_ROLE = keccak256("EXECUTE_ROLE");
     bytes32 public constant RUN_SCRIPT_ROLE = keccak256("RUN_SCRIPT_ROLE");
+    bytes32 public constant ADD_PROTECTED_TOKEN_ROLE = keccak256("ADD_PROTECTED_TOKEN_ROLE");
+    bytes32 public constant REMOVE_PROTECTED_TOKEN_ROLE = keccak256("REMOVE_PROTECTED_TOKEN_ROLE");
     bytes32 public constant ADD_PRESIGNED_HASH_ROLE = keccak256("ADD_PRESIGNED_HASH_ROLE");
     bytes32 public constant DESIGNATE_SIGNER_ROLE = keccak256("DESIGNATE_SIGNER_ROLE");
+    */
+
+    bytes32 public constant SAFE_EXECUTE_ROLE = 0x0a1ad7b87f5846153c6d5a1f761d71c7d0cfd122384f56066cd33239b7933694;
+    bytes32 public constant EXECUTE_ROLE = 0xcebf517aa4440d1d125e0355aae64401211d0848a23c02cc5d29a14822580ba4;
+    bytes32 public constant RUN_SCRIPT_ROLE = 0xb421f7ad7646747f3051c50c0b8e2377839296cd4973e27f63821d73e390338f;
+    bytes32 public constant ADD_PROTECTED_TOKEN_ROLE = 0x6eb2a499556bfa2872f5aa15812b956cc4a71b4d64eb3553f7073c7e41415aaa;
+    bytes32 public constant REMOVE_PROTECTED_TOKEN_ROLE = 0x71eee93d500f6f065e38b27d242a756466a00a52a1dbcd6b4260f01a8640402a;
+    bytes32 public constant ADD_PRESIGNED_HASH_ROLE = 0x0b29780bb523a130b3b01f231ef49ed2fa2781645591a0b0a44ca98f15a5994c;
+    bytes32 public constant DESIGNATE_SIGNER_ROLE = 0x23ce341656c3f14df6692eebd4757791e33662b7dcf9970c8308303da5472b7c;
+
+    uint256 public constant PROTECTED_TOKENS_CAP = 10;
 
     bytes4 private constant ERC165_INTERFACE_ID = 0x01ffc9a7;
 
+    string private constant ERROR_TOKENS_CAP_REACHED = "AGENT_TOKENS_CAP_REACHED";
+    string private constant ERROR_TOKEN_NOT_ERC20 = "AGENT_TOKEN_NOT_ERC20";
+    string private constant ERROR_TOKEN_ALREADY_PROTECTED = "AGENT_TOKEN_ALREADY_PROTECTED";
+    string private constant ERROR_TOKEN_NOT_PROTECTED = "AGENT_TOKEN_NOT_PROTECTED";
+    string private constant ERROR_TARGET_PROTECTED = "AGENT_TARGET_PROTECTED";
+    string private constant ERROR_PROTECTED_TOKENS_MODIFIED = "AGENT_PROTECTED_TOKENS_MODIFIED";
+    string private constant ERROR_PROTECTED_BALANCE_LOWERED = "AGENT_PROTECTED_BALANCE_LOWERED";
     string private constant ERROR_DESIGNATED_TO_SELF = "AGENT_DESIGNATED_TO_SELF";
 
     mapping (bytes32 => bool) public isPresigned;
     address public designatedSigner;
+    address[] public protectedTokens;
 
+    event SafeExecute(address indexed sender, address indexed target, bytes data);
     event Execute(address indexed sender, address indexed target, uint256 ethValue, bytes data);
+    event AddProtectedToken(address indexed token);
+    event RemoveProtectedToken(address indexed token);
     event PresignHash(address indexed sender, bytes32 indexed hash);
     event SetDesignatedSigner(address indexed sender, address indexed oldSigner, address indexed newSigner);
 
+    /**
+    * @notice Execute '`@radspec(_target, _data)`' on `_target` ensuring that protected tokens can't be spent
+    * @param _target Address where the action is being executed
+    * @param _data Calldata for the action
+    * @return Exits call frame forwarding the return data of the executed call (either error or success data)
+    */
+    function safeExecute(address _target, bytes _data) external authP(SAFE_EXECUTE_ROLE, arr(_target, uint256(getSig(_data)))) {
+        uint256 protectedTokensLength = protectedTokens.length;
+        address[] memory _protectedTokens = new address[](protectedTokensLength);
+        uint256[] memory balances = new uint256[](protectedTokensLength);
+        bytes32 size;
+        bytes32 ptr;
+
+        for (uint256 i = 0; i < protectedTokensLength; i++) {
+            address token = protectedTokens[i];
+            require(_target != token, ERROR_TARGET_PROTECTED);
+            // we copy the protected tokens array to check whether the storage array has been modified during the underlying call
+            _protectedTokens[i] = token;
+            // we copy the balances to check whether they have been modified during the underlying call
+            balances[i] = balance(token);
+        }
+
+        bool result = _target.call(_data);
+
+        assembly {
+            size := returndatasize
+            ptr := mload(0x40)
+            mstore(0x40, add(ptr, size))
+            returndatacopy(ptr, 0, size)
+        }
+
+        if (result) {
+            // if the underlying call has succeeded, we check that the protected tokens
+            // and their balances have not been modified and return the call's return data
+            require(protectedTokens.length == protectedTokensLength, ERROR_PROTECTED_TOKENS_MODIFIED);
+            for (uint256 j = 0; j < protectedTokensLength; j++) {
+                require(protectedTokens[j] == _protectedTokens[j], ERROR_PROTECTED_TOKENS_MODIFIED);
+                require(balance(protectedTokens[j]) >= balances[j], ERROR_PROTECTED_BALANCE_LOWERED);
+            }
+
+            emit SafeExecute(msg.sender, _target, _data);
+
+            assembly {
+                return(ptr, size)
+            }
+        } else {
+            // if the underlying call has failed, we revert and forward [possible] returned error data
+            assembly {
+                revert(ptr, size)
+            }
+        }
+    }
+
     /**
     * @notice Execute '`@radspec(_target, _data)`' on `_target``_ethValue == 0 ? '' : ' (Sending' + @tokenAmount(0x0000000000000000000000000000000000000000, _ethValue) + ')'`
     * @param _target Address where the action is being executed
@@ -59,6 +138,28 @@ contract Agent is IERC165, ERC1271Bytes, IForwarder, IsContract, Vault {
         }
     }
 
+    /**
+    * @notice Add `_token.symbol(): string` to the list of protected tokens
+    * @param _token Address of the token to be protected
+    */
+    function addProtectedToken(address _token) external auth(ADD_PROTECTED_TOKEN_ROLE) {
+        require(protectedTokens.length < PROTECTED_TOKENS_CAP, ERROR_TOKENS_CAP_REACHED);
+        require(isERC20(_token), ERROR_TOKEN_NOT_ERC20);
+        require(!tokenIsProtected(_token), ERROR_TOKEN_ALREADY_PROTECTED);
+
+        _addProtectedToken(_token);
+    }
+
+    /**
+    * @notice Remove `_token.symbol(): string` from the list of protected tokens
+    * @param _token Address of the token to be unprotected
+    */
+    function removeProtectedToken(address _token) external auth(REMOVE_PROTECTED_TOKEN_ROLE) {
+        require(tokenIsProtected(_token), ERROR_TOKEN_NOT_PROTECTED);
+
+        _removeProtectedToken(_token);
+    }
+
     /**
     * @notice Set `_designatedSigner` as the designated signer of the app, which will be able to sign messages on behalf of the app
     * @param _designatedSigner Address that will be able to sign messages on behalf of the app
@@ -141,6 +242,20 @@ contract Agent is IERC165, ERC1271Bytes, IForwarder, IsContract, Vault {
         return canPerform(sender, RUN_SCRIPT_ROLE, params);
     }
 
+    function _addProtectedToken(address _token) internal {
+        protectedTokens.push(_token);
+
+        emit AddProtectedToken(_token);
+    }
+
+    function _removeProtectedToken(address _token) internal {
+        protectedTokens[protectedTokenIndex(_token)] = protectedTokens[protectedTokens.length - 1];
+        delete protectedTokens[protectedTokens.length - 1];
+        protectedTokens.length --;
+
+        emit RemoveProtectedToken(_token);
+    }
+
     function getScriptACLParam(bytes evmScript) internal pure returns (uint256) {
         return uint256(keccak256(abi.encodePacked(evmScript)));
     }
@@ -152,4 +267,28 @@ contract Agent is IERC165, ERC1271Bytes, IForwarder, IsContract, Vault {
 
         assembly { sig := mload(add(data, 0x20)) }
     }
+
+    function tokenIsProtected(address _token) internal view returns (bool) {
+        for (uint256 i = 0; i < protectedTokens.length; i++) {
+            if (protectedTokens[i] == _token) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    function isERC20(address _token) internal view returns (bool) {
+        return isContract(_token);
+    }
+
+    function protectedTokenIndex(address _token) internal view returns (uint256) {
+        for (uint i = 0; i < protectedTokens.length; i++) {
+            if (protectedTokens[i] == _token) {
+              return i;
+            }
+        }
+
+        revert(ERROR_TOKEN_NOT_PROTECTED);
+    }
 }

apps/agent/contracts/test/mocks/ExecutionTarget.sol

@@ -1,5 +1,7 @@
 pragma solidity 0.4.24;
 
+import "@aragon/test-helpers/contracts/TokenMock.sol";
+
 
 contract ExecutionTarget {
     uint public counter;
@@ -15,6 +17,10 @@ contract ExecutionTarget {
         counter = x;
     }
 
+    function transferTokenFrom(address _token) external {
+        TokenMock(_token).transferFrom(msg.sender, this, 1);
+    }
+
     function fail() external pure {
         revert(REASON);
     }