Fix AccountPermissions type hash (#538)

Author: joaquim-verges

contracts/extension/interface/IAccountPermissions.sol

@@ -23,14 +23,14 @@ interface IAccountPermissions {
      */
     struct SignerPermissionRequest {
         address signer;
+        uint8 isAdmin;
         address[] approvedTargets;
         uint256 nativeTokenLimitPerTransaction;
         uint128 permissionStartTimestamp;
         uint128 permissionEndTimestamp;
         uint128 reqValidityStartTimestamp;
         uint128 reqValidityEndTimestamp;
         bytes32 uid;
-        uint8 isAdmin;
     }
 
     /**

contracts/extension/upgradeable/AccountPermissions.sol

@@ -42,7 +42,7 @@ abstract contract AccountPermissions is IAccountPermissions, EIP712 {
 
     bytes32 private constant TYPEHASH =
         keccak256(
-            "SignerPermissionRequest(address signer,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
+            "SignerPermissionRequest(address signer,uint8 isAdmin,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
         );
 
     modifier onlyAdmin() virtual {
@@ -238,6 +238,7 @@ abstract contract AccountPermissions is IAccountPermissions, EIP712 {
             abi.encode(
                 TYPEHASH,
                 _req.signer,
+                _req.isAdmin,
                 keccak256(abi.encodePacked(_req.approvedTargets)),
                 _req.nativeTokenLimitPerTransaction,
                 _req.permissionStartTimestamp,

src/test/smart-wallet/Account.t.sol

@@ -56,13 +56,13 @@ contract SimpleAccountTest is BaseTest {
 
     event AccountCreated(address indexed account, address indexed accountAdmin);
 
-    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+    function _prepareSignature(IAccountPermissions.SignerPermissionRequest memory _req)
         internal
         view
-        returns (bytes memory signature)
+        returns (bytes32 typedDataHash)
     {
         bytes32 typehashSignerPermissionRequest = keccak256(
-            "SignerPermissionRequest(address signer,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
+            "SignerPermissionRequest(address signer,uint8 isAdmin,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
         );
         bytes32 nameHash = keccak256(bytes("Account"));
         bytes32 versionHash = keccak256(bytes("1"));
@@ -71,20 +71,32 @@ contract SimpleAccountTest is BaseTest {
         );
         bytes32 domainSeparator = keccak256(abi.encode(typehashEip712, nameHash, versionHash, block.chainid, sender));
 
-        bytes memory encodedRequest = abi.encode(
+        bytes memory encodedRequestStart = abi.encode(
             typehashSignerPermissionRequest,
             _req.signer,
+            _req.isAdmin,
             keccak256(abi.encodePacked(_req.approvedTargets)),
-            _req.nativeTokenLimitPerTransaction,
+            _req.nativeTokenLimitPerTransaction
+        );
+
+        bytes memory encodedRequestEnd = abi.encode(
             _req.permissionStartTimestamp,
             _req.permissionEndTimestamp,
             _req.reqValidityStartTimestamp,
             _req.reqValidityEndTimestamp,
             _req.uid
         );
-        bytes32 structHash = keccak256(encodedRequest);
-        bytes32 typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
 
+        bytes32 structHash = keccak256(bytes.concat(encodedRequestStart, encodedRequestEnd));
+        typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
+    }
+
+    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+        internal
+        view
+        returns (bytes memory signature)
+    {
+        bytes32 typedDataHash = _prepareSignature(_req);
         (uint8 v, bytes32 r, bytes32 s) = vm.sign(accountAdminPKey, typedDataHash);
         signature = abi.encodePacked(r, s, v);
     }
@@ -360,14 +372,14 @@ contract SimpleAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);
@@ -398,14 +410,14 @@ contract SimpleAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);
@@ -454,14 +466,14 @@ contract SimpleAccountTest is BaseTest {
         approvedTargets[0] = address(numberContract);
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);
@@ -603,14 +615,14 @@ contract SimpleAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);

src/test/smart-wallet/AccountVulnPOC.t.sol

@@ -80,13 +80,13 @@ contract SimpleAccountVulnPOCTest is BaseTest {
 
     event AccountCreated(address indexed account, address indexed accountAdmin);
 
-    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+    function _prepareSignature(IAccountPermissions.SignerPermissionRequest memory _req)
         internal
         view
-        returns (bytes memory signature)
+        returns (bytes32 typedDataHash)
     {
         bytes32 typehashSignerPermissionRequest = keccak256(
-            "SignerPermissionRequest(address signer,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
+            "SignerPermissionRequest(address signer,uint8 isAdmin,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
         );
         bytes32 nameHash = keccak256(bytes("Account"));
         bytes32 versionHash = keccak256(bytes("1"));
@@ -95,20 +95,32 @@ contract SimpleAccountVulnPOCTest is BaseTest {
         );
         bytes32 domainSeparator = keccak256(abi.encode(typehashEip712, nameHash, versionHash, block.chainid, sender));
 
-        bytes memory encodedRequest = abi.encode(
+        bytes memory encodedRequestStart = abi.encode(
             typehashSignerPermissionRequest,
             _req.signer,
+            _req.isAdmin,
             keccak256(abi.encodePacked(_req.approvedTargets)),
-            _req.nativeTokenLimitPerTransaction,
+            _req.nativeTokenLimitPerTransaction
+        );
+
+        bytes memory encodedRequestEnd = abi.encode(
             _req.permissionStartTimestamp,
             _req.permissionEndTimestamp,
             _req.reqValidityStartTimestamp,
             _req.reqValidityEndTimestamp,
             _req.uid
         );
-        bytes32 structHash = keccak256(encodedRequest);
-        bytes32 typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
 
+        bytes32 structHash = keccak256(bytes.concat(encodedRequestStart, encodedRequestEnd));
+        typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
+    }
+
+    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+        internal
+        view
+        returns (bytes memory signature)
+    {
+        bytes32 typedDataHash = _prepareSignature(_req);
         (uint8 v, bytes32 r, bytes32 s) = vm.sign(accountAdminPKey, typedDataHash);
         signature = abi.encodePacked(r, s, v);
     }
@@ -235,14 +247,14 @@ contract SimpleAccountVulnPOCTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);

src/test/smart-wallet/DynamicAccount.t.sol

@@ -72,13 +72,13 @@ contract DynamicAccountTest is BaseTest {
 
     event AccountCreated(address indexed account, address indexed accountAdmin);
 
-    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+    function _prepareSignature(IAccountPermissions.SignerPermissionRequest memory _req)
         internal
         view
-        returns (bytes memory signature)
+        returns (bytes32 typedDataHash)
     {
         bytes32 typehashSignerPermissionRequest = keccak256(
-            "SignerPermissionRequest(address signer,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
+            "SignerPermissionRequest(address signer,uint8 isAdmin,address[] approvedTargets,uint256 nativeTokenLimitPerTransaction,uint128 permissionStartTimestamp,uint128 permissionEndTimestamp,uint128 reqValidityStartTimestamp,uint128 reqValidityEndTimestamp,bytes32 uid)"
         );
         bytes32 nameHash = keccak256(bytes("Account"));
         bytes32 versionHash = keccak256(bytes("1"));
@@ -87,20 +87,32 @@ contract DynamicAccountTest is BaseTest {
         );
         bytes32 domainSeparator = keccak256(abi.encode(typehashEip712, nameHash, versionHash, block.chainid, sender));
 
-        bytes memory encodedRequest = abi.encode(
+        bytes memory encodedRequestStart = abi.encode(
             typehashSignerPermissionRequest,
             _req.signer,
+            _req.isAdmin,
             keccak256(abi.encodePacked(_req.approvedTargets)),
-            _req.nativeTokenLimitPerTransaction,
+            _req.nativeTokenLimitPerTransaction
+        );
+
+        bytes memory encodedRequestEnd = abi.encode(
             _req.permissionStartTimestamp,
             _req.permissionEndTimestamp,
             _req.reqValidityStartTimestamp,
             _req.reqValidityEndTimestamp,
             _req.uid
         );
-        bytes32 structHash = keccak256(encodedRequest);
-        bytes32 typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
 
+        bytes32 structHash = keccak256(bytes.concat(encodedRequestStart, encodedRequestEnd));
+        typedDataHash = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
+    }
+
+    function _signSignerPermissionRequest(IAccountPermissions.SignerPermissionRequest memory _req)
+        internal
+        view
+        returns (bytes memory signature)
+    {
+        bytes32 typedDataHash = _prepareSignature(_req);
         (uint8 v, bytes32 r, bytes32 s) = vm.sign(accountAdminPKey, typedDataHash);
         signature = abi.encodePacked(r, s, v);
     }
@@ -472,14 +484,14 @@ contract DynamicAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);
@@ -510,14 +522,14 @@ contract DynamicAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);
@@ -568,14 +580,14 @@ contract DynamicAccountTest is BaseTest {
 
         IAccountPermissions.SignerPermissionRequest memory permissionsReq = IAccountPermissions.SignerPermissionRequest(
             accountSigner,
+            0,
             approvedTargets,
             1 ether,
             0,
             type(uint128).max,
             0,
             type(uint128).max,
-            uidCache,
-            0
+            uidCache
         );
 
         vm.prank(accountAdmin);