Spearbit audit march 2023 (#300)

* Synapse bridge facet doc (#235)

* add interface of SynapseRouter

* add SynapseBridge facet contract

* add SynpaseBridge configuration

* add deployment and update scripts of SynapseBridge facet

* add SynpaseBridge foundry test

* make synapseRouter variable public

* add SynapseBridge facet doc

* fix issue with setting receiver address for relayer

* run prettier for CeleIMFacet

* update comments in CelerIMFacet

* update CelerIMFacet foundry test with destination call

* add fee check to DeBridgeFacet

* add test for invalid fee rate of DeBridgeFacet

* add comments to CelerIMFacet

* rename the test function

* #73 check circle swap result

* update _depositAndSwap function to not include nativeReserve in newBalance

* update ArbitrumBridge and DeBridge facets with updated _depositAndSwap

* update CelerIMFacet to use right _depositAndSwap function

* add swap test with destination call to CelerIMFacet test

* update minAmount conversion in MakerTeleportFacet with SafeCast

* update SquidFacet with source swap flag check

* update SquidFacet test

* remove feeAmount param from collectNativeInsuranceFees and collectNativeGasFees

* update LIFuelFacet with updated ServiceFeeCollector functions

* update ServiceFeeCollector test

* update refundExcessNative modifier to save gas

* remove unused imports from ThorSwapFacet

* LF-2637 remove noNativeAsset modifier from startBridgeTokensViaCircleBridge

* update ArbitrumBridgeFacet

* update facets with validateDestinationCallFlag function

* remove unused imports from LIFuelFacet

* add WithdrawFailed error to GenericErrors

* update RelayerCelerIM with generic error

* remove unused reentrancy guard from RelayerCelerIM

* add doesNotContainDestinationCalls modifier to LIFuelFacet

* update LibAsset and AcrossFacet with isNativeAsset function

* remove destination chain id check from CBridgeFacet

* LF-2607 LF-2605 #52 #50 remove swap data checks (#276)

* remove swapData check from CircleBridgeFacet

* add recipient check to transferERC20

* update variable visibilities to private

* update maxApproveERC20 of LibAsset

* remove LibMappings

* use calldata instead of memory to save gas (#268)

* remove duplicated validateBridgeData modifier from ArbitrumBridgeFacet

* add validation for token symbol (#282)

* Check return value (#244)

* Restrict approval method to owner (#245)

* Add explicit revert (#248)

* Only approve once we know we have enough gas (#247)

* remove unneeded parameter (#263)

* update comment (#264)

* remove unneeded modifiers (#265)

* remove unneeded events/errors (#266)

* check amount != 0 in all cases (#279)

* add missing refundExcessNative (#280)

* track chain id (#289)

* update dstNativeAddr in quoteLayerZeroFee of StargateFacet

* update dstNativeAddr in _startBridge of StargateFacet

* remove unused imports from CircleBridgeFacet

* Use temp variable in _startBridge function of MultichainFacet (#293)

* Update cfUSDC check in CelerIMFacet (#254)

* update CelerIMFacet with cfUSDC

* add cfUSDC to cBridge config

* update DeployCelerIMFacet with cfUSDC

* update CelerIMFacet test with cfUSDC

* LF-2638 83 add cfUSDC check to swapAndStartBridgeTokensViaCelerIM

* refactor LibBytes (#267)

* Add missing test case (#296)

* add missing emit (#281)

* check for sufficient expiration time (#278)

* check for sufficient expiration time

* Update ThorSwapFacet.sol

Fix typo

* Update ThorSwapFacet.sol

Fix typo

* fix tests

* Make function more readable (#290)

* Allow executor to receive ERC1155 tokens (#295)

* fix solidity version (#277)

* clear out penging owner if any (#250)

* feat: Add HopFacetPacked (#283)

* feat: Add HopFacetPacked

* add gas comparisson with HopFacetOptimized

* formatting

* add gas test for other polygon

* add packed version of cbridge

* add testcase to ensure callData extraction works the same when forwarded via another contract

* cbridge: order arguments add pure encode functions

* hop: order arguments and add pure encode functions

* fix test

* add optimized functions for hop on L1 as well

* update hoppacked documentation

* add gas cost comparrison for cbridge optimizations

* rename encodeBridge... functions to encoder_startBridge...

* replace hardcoded strings with function selectors

* replace assembly parsing with solidity

* add validation to encoder functions

* fix typos and documentation

* add validation tests

* Remove unusable permit param (#291)

* chore: build types for audit branch

* chore: build using forge only

* chore: update generateDiamond

* Test Stargate Pool Validation (#297)

* fix: passing pool data as calldata (#237)

* test: add stargate poolId validation tests

---------

Co-authored-by: Leonardo Cascianelli <[email protected]>
Co-authored-by: Ed Zynda <[email protected]>

* Auto format code and configure husky to do so on every commit (#298)

* chore: autoformat code

* chore: update husky

* fix compiler warnings

* #31 cache gasleft to prevent underflow (#249)

* cache gasleft to prevent underflow

* add missing cachGasLeft

* Fix issue with unused code for setting pool id in StargateFacet (#299)

* remove unused code from StargateFacet

* update UpdateStargateFacet script

* Fix issue of native bridging test with SquidFacet (#303)

* Add version numbers (#302)

* Add version numbers to facets and periphery contracts

* Formatting

---------

Co-authored-by: satoshi-lifi <[email protected]>
Co-authored-by: Satoshi Naoki <[email protected]>
Co-authored-by: Max Klenk <[email protected]>
Co-authored-by: Leonardo Cascianelli <[email protected]>

.eslintignore

@@ -6,3 +6,4 @@ coverage/
 node_modules/
 package.json
 typechain/
+lib/

.github/workflows/types.yml

@@ -0,0 +1,109 @@
+name: Types Bindings
+
+on:
+  push:
+    branches:
+      - "master"
+      - "staging"
+      - "spearbit-audit-march-2023"
+
+env:
+  BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+
+jobs:
+  generate-tag:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout contracts repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: Install Node deps
+        run: yarn install
+
+      - name: Generate ABI
+        run: yarn abi:generate
+
+      - name: Generate types bindings
+        run: yarn typechain
+
+      - name: Checkout lifi-contract-types repository
+        uses: actions/checkout@v3
+        with:
+          repository: lifinance/lifi-contract-types
+          path: lifi-contract-types
+          ssh-key: ${{ secrets.SSH_REPO_TOKEN }}
+          ref: master
+
+      - name: Copy types bindings
+        run: |
+          rm -r lifi-contract-types/src/
+          mv typechain lifi-contract-types/src
+          cp diamondABI/diamond.json lifi-contract-types/dist/
+      - name: Build contract types
+        run: cd lifi-contract-types && yarn install && yarn build
+
+      - name: Retrieve latest Tag
+        id: latest_release
+        run: |
+          # fetch tag releases
+          release_json=$(curl https://api.github.com/repos/lifinance/lifi-contract-types/tags)
+          # get the latest tag
+          LATEST_TAG=$(echo "$release_json" | jq -r '.[0].name')
+          # we need to make sure that on staging we're going to update a -beta version, if any
+          if [[ "$BRANCH_NAME" != "master" ]]; then
+            # if it has already "-beta", no other action is required, since it means
+            # that we're already going to update the latest staging release
+            if [[ "$LATEST_TAG" != *"beta"* ]]; then
+              # otherwise, start looping through the tags and search for the latest -beta tag
+              while read item; do
+                tag_name=$(jq -r '.name' <<< "$item")
+                # check if there's already a latest tag beta release
+                # and, if present, use it instead of the main one
+                # if we end up without any latest beta tag, we will create a beta release from the latest tag
+                if [[ "$tag_name" == "$LATEST_TAG-$beta"* ]]; then
+                  LATEST_TAG=$tag_name
+                  break
+                fi
+              done <<<$(echo "$release_json" | jq -c -r '.[]')
+            fi
+          fi
+          echo "latest tag: $LATEST_TAG"
+          echo "LATEST_TAG=${LATEST_TAG}" >> $GITHUB_ENV
+      - name: Update version
+        id: bump_version
+        uses: christian-draeger/[email protected]
+        with:
+          current-version: "${{ env.LATEST_TAG }}"
+          version-fragment: "${{ env.BRANCH_NAME == 'master' && (contains(github.event.head_commit.message, 'major') && 'major' || contains(github.event.head_commit.message, 'feat') && 'feature' || 'bug') || 'beta' }}"
+
+      - name: Push tag
+        if: steps.bump_version.outputs.next-version
+        run: |
+          cd lifi-contract-types
+          tmp=$(mktemp)
+          jq '.version="${{ steps.bump_version.outputs.next-version }}"' package.json > "$tmp" && mv "$tmp" package.json
+          git config user.name github-actions
+          git config user.email [email protected]
+          echo "Updating version from ${{ env.LATEST_TAG }} to ${{ steps.bump_version.outputs.next-version }}"
+          git add src/*
+          git add dist/*
+          git add package.json
+          git commit -m "actions: new contracts version ${{ steps.bump_version.outputs.next-version }}"
+          git tag -a v${{ steps.bump_version.outputs.next-version }} -m "${{ github.event.head_commit.message }}"
+          git push origin tag v${{ steps.bump_version.outputs.next-version }}
+          if [[ "$BRANCH_NAME" == "master" ]]; then
+            git push -u origin $BRANCH_NAME
+          fi

.husky/pre-commit

@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
-yarn lint:fix
+yarn format:fix && yarn lint:fix

.prettierrc.js

@@ -9,7 +9,6 @@ module.exports = {
         printWidth: 79,
         tabWidth: 4,
         singleQuote: false,
-        explicitTypes: 'always',
       },
     },
   ],

.solhintignore

@@ -5,3 +5,4 @@ cache/
 coverage/
 node_modules/
 typechain/
+lib/

config/cbridge.json

@@ -4,7 +4,8 @@
   },
   "mainnet": {
     "cBridge": "0x5427FEFA711Eff984124bFBB1AB6fbf5E3DA1820",
-    "messageBus": "0x4066D196A423b2b3B8B054f4F40efB47a74E200C"
+    "messageBus": "0x4066D196A423b2b3B8B054f4F40efB47a74E200C",
+    "cfUSDC": "0x317F8d18FB16E49a958Becd0EA72f8E153d25654"
   },
   "optimism": {
     "cBridge": "0x9D39Fc627A6d9d9F8C831c16995b209548cc3401",

hardhat.config.ts

@@ -34,12 +34,12 @@ const config: HardhatUserConfig = {
       accounts: accounts(process.env.HARDHAT_FORK),
       forking: process.env.HARDHAT_FORK
         ? {
-          // TODO once PR merged : network: process.env.HARDHAT_FORK,
-          url: node_url(process.env.HARDHAT_FORK),
-          blockNumber: process.env.HARDHAT_FORK_NUMBER
-            ? parseInt(process.env.HARDHAT_FORK_NUMBER)
-            : undefined,
-        }
+            // TODO once PR merged : network: process.env.HARDHAT_FORK,
+            url: node_url(process.env.HARDHAT_FORK),
+            blockNumber: process.env.HARDHAT_FORK_NUMBER
+              ? parseInt(process.env.HARDHAT_FORK_NUMBER)
+              : undefined,
+          }
         : undefined,
     },
   },

package.json

@@ -53,6 +53,7 @@
   },
   "scripts": {
     "postinstall": "patch-package",
+    "prepare": "yarn prepare:husky",
     "prepare:husky": "husky install",
     "lint": "eslint \"**/*.{js,ts}\" && solhint src/**/*.sol",
     "lint:fix": "eslint --fix \"**/*.{js,ts}\" && solhint --fix src/**/*.sol",

script/DeployCBridgeFacet.s.sol

@@ -10,10 +10,18 @@ contract DeployScript is DeployScriptBase {
 
     constructor() DeployScriptBase("CBridgeFacet") {}
 
-    function run() public returns (CBridgeFacet deployed, bytes memory constructorArgs) {
-        string memory path = string.concat(vm.projectRoot(), "/config/cbridge.json");
+    function run()
+        public
+        returns (CBridgeFacet deployed, bytes memory constructorArgs)
+    {
+        string memory path = string.concat(
+            vm.projectRoot(),
+            "/config/cbridge.json"
+        );
         string memory json = vm.readFile(path);
-        address cBridge = json.readAddress(string.concat(".", network, ".cBridge"));
+        address cBridge = json.readAddress(
+            string.concat(".", network, ".cBridge")
+        );
 
         constructorArgs = abi.encode(cBridge);
 
@@ -24,7 +32,15 @@ contract DeployScript is DeployScriptBase {
         }
 
         deployed = CBridgeFacet(
-            payable(factory.deploy(salt, bytes.concat(type(CBridgeFacet).creationCode, constructorArgs)))
+            payable(
+                factory.deploy(
+                    salt,
+                    bytes.concat(
+                        type(CBridgeFacet).creationCode,
+                        constructorArgs
+                    )
+                )
+            )
         );
 
         vm.stopBroadcast();

script/DeployCelerIMFacet.s.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.17;
 
 import { DeployScriptBase } from "./utils/DeployScriptBase.sol";
 import { stdJson } from "forge-std/Script.sol";
-import {CelerIMFacet} from "lifi/Facets/CelerIMFacet.sol";
+import { CelerIMFacet } from "lifi/Facets/CelerIMFacet.sol";
 
 contract DeployScript is DeployScriptBase {
     using stdJson for string;
@@ -23,7 +23,10 @@ contract DeployScript is DeployScriptBase {
         address messageBus = json.readAddress(
             string.concat(".", network, ".messageBus")
         );
-        if (messageBus == address(0))
+        address cfUSDC = json.readAddress(
+            string.concat(".", network, ".cfUSDC")
+        );
+        if (messageBus == address(32))
             revert(
                 string.concat(
                     "MessageBus address not found in deployment file for network ",
@@ -49,7 +52,7 @@ contract DeployScript is DeployScriptBase {
                 )
             );
 
-        constructorArgs = abi.encode(messageBus, relayer);
+        constructorArgs = abi.encode(messageBus, relayer, cfUSDC);
 
         vm.startBroadcast(deployerPrivateKey);
 

script/DeployHopFacetPacked.s.sol

@@ -14,7 +14,9 @@ contract DeployScript is DeployScriptBase {
             return HopFacetPacked(predicted);
         }
 
-        deployed = HopFacetPacked(factory.deploy(salt, type(HopFacetPacked).creationCode));
+        deployed = HopFacetPacked(
+            factory.deploy(salt, type(HopFacetPacked).creationCode)
+        );
 
         vm.stopBroadcast();
     }

script/DeployLIFuelFacet.s.sol

@@ -21,10 +21,7 @@ contract DeployScript is DeployScriptBase {
         }
 
         deployed = LIFuelFacet(
-            factory.deploy(
-                salt,
-                type(LIFuelFacet).creationCode
-            )
+            factory.deploy(salt, type(LIFuelFacet).creationCode)
         );
 
         vm.stopBroadcast();

script/DeployLiFiDiamondImmutable.s.sol

@@ -6,7 +6,6 @@ import { stdJson } from "forge-std/Script.sol";
 import { LiFiDiamondImmutableV1 } from "lifi/LiFiDiamondImmutable.sol";
 import { DiamondCutFacet, IDiamondCut } from "lifi/Facets/DiamondCutFacet.sol";
 
-
 contract DeployScript is DeployScriptBase {
     using stdJson for string;
 
@@ -15,7 +14,6 @@ contract DeployScript is DeployScriptBase {
     DiamondCutFacet internal cutter;
 
     constructor() DeployScriptBase("LiFiDiamondImmutableV1") {
-
         network = vm.envString("NETWORK");
         fileSuffix = vm.envString("FILE_SUFFIX");
 
@@ -52,7 +50,10 @@ contract DeployScript is DeployScriptBase {
         vm.startBroadcast(deployerPrivateKey);
 
         if (isDeployed()) {
-            return (LiFiDiamondImmutableV1(payable(predicted)), constructorArgs);
+            return (
+                LiFiDiamondImmutableV1(payable(predicted)),
+                constructorArgs
+            );
         }
 
         deployed = LiFiDiamondImmutableV1(

script/DeployMakerTeleportFacet.s.sol

@@ -10,13 +10,25 @@ contract DeployScript is DeployScriptBase {
 
     constructor() DeployScriptBase("MakerTeleportFacet") {}
 
-    function run() public returns (MakerTeleportFacet deployed, bytes memory constructorArgs) {
-        string memory path = string.concat(vm.projectRoot(), "/config/maker.json");
+    function run()
+        public
+        returns (MakerTeleportFacet deployed, bytes memory constructorArgs)
+    {
+        string memory path = string.concat(
+            vm.projectRoot(),
+            "/config/maker.json"
+        );
         string memory json = vm.readFile(path);
-        address makerTeleport = json.readAddress(string.concat(".", network, ".makerTeleport"));
+        address makerTeleport = json.readAddress(
+            string.concat(".", network, ".makerTeleport")
+        );
         address dai = json.readAddress(string.concat(".", network, ".dai"));
-        uint256 dstChainId = json.readUint(string.concat(".", network, ".dstChainId"));
-        bytes32 l1Domain = json.readBytes32(string.concat(".", network, ".l1Domain"));
+        uint256 dstChainId = json.readUint(
+            string.concat(".", network, ".dstChainId")
+        );
+        bytes32 l1Domain = json.readBytes32(
+            string.concat(".", network, ".l1Domain")
+        );
 
         constructorArgs = abi.encode(makerTeleport, dai, dstChainId, l1Domain);
 
@@ -27,7 +39,15 @@ contract DeployScript is DeployScriptBase {
         }
 
         deployed = MakerTeleportFacet(
-            payable(factory.deploy(salt, bytes.concat(type(MakerTeleportFacet).creationCode, constructorArgs)))
+            payable(
+                factory.deploy(
+                    salt,
+                    bytes.concat(
+                        type(MakerTeleportFacet).creationCode,
+                        constructorArgs
+                    )
+                )
+            )
         );
 
         vm.stopBroadcast();

script/MakeLiFiDiamondImmutable.s.sol

@@ -10,11 +10,34 @@ import { CREATE3Factory } from "create3-factory/CREATE3Factory.sol";
 import "./utils/UpdateScriptBase.sol";
 
 contract ImmutableDiamondOwnershipTransfer {
+    /// Storage ///
+
+    bytes32 internal constant NAMESPACE =
+        keccak256("com.lifi.facets.ownership");
+
+    /// Types ///
+
+    struct Storage {
+        address newOwner;
+    }
+
     /// @notice Transfers ownership of diamond to address(0) (for immutable diamond)
     function transferOwnershipToZeroAddress() external {
+        Storage storage s = getStorage();
+        // Clear out pending ownership if any.
+        s.newOwner = address(0);
         // transfer ownership to 0 address
         LibDiamond.setContractOwner(address(0));
     }
+
+    /// @dev fetch local storage
+    function getStorage() private pure returns (Storage storage s) {
+        bytes32 namespace = NAMESPACE;
+        // solhint-disable-next-line no-inline-assembly
+        assembly {
+            s.slot := namespace
+        }
+    }
 }
 
 contract DeployScript is UpdateScriptBase {

script/UpdateAmarokFacet.s.sol

@@ -6,7 +6,7 @@ import { stdJson } from "forge-std/StdJson.sol";
 import { DiamondCutFacet, IDiamondCut } from "lifi/Facets/DiamondCutFacet.sol";
 import { OwnershipFacet } from "lifi/Facets/OwnershipFacet.sol";
 import { AmarokFacet } from "lifi/Facets/AmarokFacet.sol";
-import {DSTest} from "ds-test/test.sol";
+import { DSTest } from "ds-test/test.sol";
 
 contract DeployScript is UpdateScriptBase {
     using stdJson for string;