fix: Adds griefing protection to permit functionality (#12)

parth-15 · web-flow · commit 26d22edfbebd · 2023-12-19T16:21:51.000+01:00
* fix: permit grifting issue while using permit functionality

* fix: indent

* fix: spell checks
diff --git a/lib/aave-address-book b/lib/aave-address-book
@@ -1 +1 @@
-Subproject commit e51ab368ab11a2f90bf39a5ef662000565ee0855
+Subproject commit 9d7dd12291d140c444b9588ef6ced8f860f6b5c0
diff --git a/lib/aave-v3-core b/lib/aave-v3-core
@@ -1 +1 @@
-Subproject commit cad2cebab99271717f76b37e53313ff21bcb56a7
+Subproject commit 6070e82d962d9b12835c88e68210d0e63f08d035
diff --git a/lib/forge-std b/lib/forge-std
@@ -1 +1 @@
-Subproject commit 74cfb77e308dd188d2f58864aaf44963ae6b88b1
+Subproject commit 80a8f6ea9362849b2a8f2dc28df40c77a64f9c16
diff --git a/src/BaseTokenWrapper.sol b/src/BaseTokenWrapper.sol
@@ -57,15 +57,18 @@ abstract contract BaseTokenWrapper is Ownable, IBaseTokenWrapper {
     uint16 referralCode,
     PermitSignature calldata signature
   ) external returns (uint256) {
-    IERC20WithPermit(TOKEN_IN).permit(
-      msg.sender,
-      address(this),
-      amount,
-      signature.deadline,
-      signature.v,
-      signature.r,
-      signature.s
-    );
+    // explicitly left try-catch block blank to protect users from permit griefing
+    try
+      IERC20WithPermit(TOKEN_IN).permit(
+        msg.sender,
+        address(this),
+        amount,
+        signature.deadline,
+        signature.v,
+        signature.r,
+        signature.s
+      )
+    {} catch {}
     return _supplyToken(amount, onBehalfOf, referralCode);
   }
 
@@ -85,15 +88,18 @@ abstract contract BaseTokenWrapper is Ownable, IBaseTokenWrapper {
     PermitSignature calldata signature
   ) external returns (uint256) {
     IAToken aTokenOut = IAToken(POOL.getReserveData(TOKEN_OUT).aTokenAddress);
-    aTokenOut.permit(
-      msg.sender,
-      address(this),
-      amount,
-      signature.deadline,
-      signature.v,
-      signature.r,
-      signature.s
-    );
+    // explicitly left try-catch block blank to protect users from permit griefing
+    try
+      aTokenOut.permit(
+        msg.sender,
+        address(this),
+        amount,
+        signature.deadline,
+        signature.v,
+        signature.r,
+        signature.s
+      )
+    {} catch {}
     return _withdrawToken(amount, to, aTokenOut);
   }
 
diff --git a/test/BaseTokenWrapper.t.sol b/test/BaseTokenWrapper.t.sol
@@ -13,6 +13,16 @@ interface IERC2612 {
   function nonces(address owner) external view returns (uint256);
 
   function DOMAIN_SEPARATOR() external view returns (bytes32);
+
+  function permit(
+    address owner,
+    address spender,
+    uint256 amount,
+    uint256 deadline,
+    uint8 v,
+    bytes32 r,
+    bytes32 s
+  ) external;
 }
 
 abstract contract BaseTokenWrapperTest is Test {
@@ -158,7 +168,7 @@ abstract contract BaseTokenWrapperTest is Test {
             ALICE,
             address(tokenWrapper),
             dealAmountScaled,
-            IAToken(aTokenOut).nonces(ALICE),
+            IERC2612(address(tokenIn)).nonces(ALICE),
             deadline
           )
         )
@@ -207,6 +217,96 @@ abstract contract BaseTokenWrapperTest is Test {
     }
   }
 
+  function testPermitGriefingSupplyTokenWithPermit() public {
+    IERC20 tokenIn = IERC20(tokenWrapper.TOKEN_IN());
+    assertEq(
+      tokenIn.balanceOf(ALICE),
+      0,
+      'Unexpected Alice starting tokenIn balance'
+    );
+    assertEq(
+      IAToken(aTokenOut).balanceOf(ALICE),
+      0,
+      'Unexpected Alice starting aToken balance'
+    );
+
+    uint256 dealAmountScaled = DEAL_AMOUNT * 10 ** tokenInDecimals;
+    _dealTokenIn(ALICE, dealAmountScaled);
+    uint256 estimateFinalBalance = tokenWrapper.getTokenOutForTokenIn(
+      dealAmountScaled
+    );
+
+    uint256 deadline = block.timestamp + 1;
+    bytes32 digest = keccak256(
+      abi.encodePacked(
+        hex'1901',
+        IERC2612(address(tokenIn)).DOMAIN_SEPARATOR(),
+        keccak256(
+          abi.encode(
+            PERMIT_TYPEHASH,
+            ALICE,
+            address(tokenWrapper),
+            dealAmountScaled,
+            IERC2612(address(tokenIn)).nonces(ALICE),
+            deadline
+          )
+        )
+      )
+    );
+
+    (uint8 v, bytes32 r, bytes32 s) = vm.sign(ALICE_KEY, digest);
+    IBaseTokenWrapper.PermitSignature memory signature = IBaseTokenWrapper
+      .PermitSignature(deadline, v, r, s);
+
+    if (permitSupported) {
+      vm.startPrank(BOB);
+      IERC2612(address(tokenIn)).permit(
+        ALICE,
+        address(tokenWrapper),
+        dealAmountScaled,
+        deadline,
+        v,
+        r,
+        s
+      );
+      vm.stopPrank();
+      vm.startPrank(ALICE);
+      uint256 suppliedAmount = tokenWrapper.supplyTokenWithPermit(
+        dealAmountScaled,
+        ALICE,
+        REFERRAL_CODE,
+        signature
+      );
+      vm.stopPrank();
+
+      assertEq(
+        tokenIn.balanceOf(ALICE),
+        0,
+        'Unexpected ending tokenIn balance'
+      );
+      assertEq(
+        suppliedAmount,
+        IAToken(aTokenOut).balanceOf(ALICE),
+        'Unexpected supply return/balance mismatch'
+      );
+      assertLe(
+        estimateFinalBalance - IAToken(aTokenOut).balanceOf(ALICE),
+        1,
+        'Unexpected ending aToken balance'
+      );
+    } else {
+      vm.startPrank(ALICE);
+      vm.expectRevert();
+      tokenWrapper.supplyTokenWithPermit(
+        dealAmountScaled,
+        ALICE,
+        REFERRAL_CODE,
+        signature
+      );
+      vm.stopPrank();
+    }
+  }
+
   function testRevertSupplyTokenZeroAmount() public {
     vm.prank(ALICE);
     vm.expectRevert('INSUFFICIENT_AMOUNT_TO_SUPPLY');
@@ -425,6 +525,80 @@ abstract contract BaseTokenWrapperTest is Test {
     );
   }
 
+  function testPermitGriefingWithdrawTokenWithPermit() public {
+    testSupplyToken();
+    IERC20 tokenIn = IERC20(tokenWrapper.TOKEN_IN());
+
+    uint256 aTokenBalance = IAToken(aTokenOut).balanceOf(ALICE);
+    assertGt(aTokenBalance, 0, 'Unexpected starting aToken balance');
+    assertEq(
+      tokenIn.balanceOf(ALICE),
+      0,
+      'Unexpected starting tokenIn balance'
+    );
+    uint256 estimateFinalBalance = tokenWrapper.getTokenInForTokenOut(
+      aTokenBalance
+    );
+
+    uint256 deadline = block.timestamp + 100;
+    bytes32 digest = keccak256(
+      abi.encodePacked(
+        hex'1901',
+        IAToken(aTokenOut).DOMAIN_SEPARATOR(),
+        keccak256(
+          abi.encode(
+            PERMIT_TYPEHASH,
+            ALICE,
+            address(tokenWrapper),
+            aTokenBalance,
+            IAToken(aTokenOut).nonces(ALICE),
+            deadline
+          )
+        )
+      )
+    );
+
+    (uint8 v, bytes32 r, bytes32 s) = vm.sign(ALICE_KEY, digest);
+    IBaseTokenWrapper.PermitSignature memory signature = IBaseTokenWrapper
+      .PermitSignature(deadline, v, r, s);
+
+    vm.startPrank(BOB);
+    IERC2612(aTokenOut).permit(
+      ALICE,
+      address(tokenWrapper),
+      aTokenBalance,
+      deadline,
+      v,
+      r,
+      s
+    );
+    vm.stopPrank();
+
+    vm.startPrank(ALICE);
+    uint256 withdrawnAmount = tokenWrapper.withdrawTokenWithPermit(
+      aTokenBalance,
+      ALICE,
+      signature
+    );
+    vm.stopPrank();
+
+    assertEq(
+      IAToken(aTokenOut).balanceOf(ALICE),
+      0,
+      'Unexpected ending aToken balance'
+    );
+    assertLe(
+      estimateFinalBalance - tokenIn.balanceOf(ALICE),
+      1,
+      'Unexpected ending tokenIn balance'
+    );
+    assertLe(
+      withdrawnAmount - tokenIn.balanceOf(ALICE),
+      1,
+      'Unexpected withdraw return/balance mismatch'
+    );
+  }
+
   function testRevertWithdrawTokenZeroAmount() public {
     vm.prank(ALICE);
     vm.expectRevert('INSUFFICIENT_AMOUNT_TO_WITHDRAW');
