Skip to content

Commit

Permalink
Merge pull request #4 from Plex-Engineer/lz-compose-attack
Browse files Browse the repository at this point in the history
check that the lz endpoint is the only address calling lz Compose, fi…
  • Loading branch information
dsudit01 authored Apr 25, 2024
2 parents 56b7380 + 83c2f46 commit ed55730
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 29 deletions.
6 changes: 5 additions & 1 deletion contracts/asd/asdRouter.sol
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ contract ASDRouter is IOAppComposer {
// canto chain params
address public cNoteAddress;
uint32 public cantoLzEID;
address public cantoLzEndpoint;
// asdUSDC contract for swapping to $NOTE
address public asdUSDC;

Expand All @@ -43,13 +44,14 @@ contract ASDRouter is IOAppComposer {

event ASDSent(bytes32 indexed _guid, address _to, address _asdAddress, uint _amount, uint32 _dstEid, bool _lzSend);

constructor(address _cNoteAddress, uint32 _cantoLzEID, address _crocSwapAddress, address _crocImpactAddress, address _asdUSDCAddress) {
constructor(address _cNoteAddress, uint32 _cantoLzEID, address _crocSwapAddress, address _crocImpactAddress, address _asdUSDCAddress, address _cantoLzEndpoint) {
cNoteAddress = _cNoteAddress;
cantoLzEID = _cantoLzEID;
crocSwapAddress = _crocSwapAddress;
crocImpactAddress = _crocImpactAddress;
asdUSDC = _asdUSDCAddress;
ASDUSDC(_asdUSDCAddress).approve(crocSwapAddress, type(uint).max);
cantoLzEndpoint = _cantoLzEndpoint;
if (block.chainid == 7700 || block.chainid == 7701) {
// Register CSR on Canto main- and testnet
Turnstile turnstile = Turnstile(0xEcf044C5B4b867CFda001101c617eCd347095B44);
Expand All @@ -71,6 +73,8 @@ contract ASDRouter is IOAppComposer {
* @dev Cannot revert anywhere, must send the tokens to the intended receiver if something fails (token's will be lost otherwise)
*/
function lzCompose(address _from, bytes32 _guid, bytes calldata _message, address _executor, bytes calldata _extraData) external payable {
// only time this function will revert if the caller is incorrect (only lz endpoint can call this)
require(msg.sender == cantoLzEndpoint, "ASDROUTER: only lz endpoint");
/* log event */
emit LZReceived(_guid, _from, _message, _executor, _extraData, msg.value);

Expand Down
11 changes: 11 additions & 0 deletions contracts/test-contracts/MockLZEndpoint.sol
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
pragma solidity ^0.8.20;

interface ILayerZeroComposer {
function lzCompose(address _from, bytes32 _guid, bytes calldata _message, address _executor, bytes calldata _extraData) external payable;
}

contract MockLZEndpoint {
function lzCompose(address _from, address _to, bytes32 _guid, uint16 _index, bytes calldata _message, bytes calldata _extraData) external payable {
ILayerZeroComposer(_to).lzCompose{value: msg.value}(_from, _guid, _message, msg.sender, _extraData);
}
}
67 changes: 39 additions & 28 deletions test/ASDRouter.js
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
const { expect } = require("chai");
const helpers = require("@nomicfoundation/hardhat-toolbox/network-helpers");
const { ethers } = require("hardhat");
const LZ_ENDPOINTS = require("../constants/lzEndpoints.json");

const generatedComposeMsg = (from, amount, payload) =>
ethers.solidityPacked(
Expand All @@ -23,9 +22,8 @@ const errorMessages = {
};

describe("ASDRouter", function () {
const cantoLzEndpoint = LZ_ENDPOINTS["canto-testnet"];
const cantoLzEndpointId = 1;

const executorAddress = "0xc0ffee254729296a45a3885639AC7E10F9d54979"; // random address
const refundAddress = "0x9C29A5579EdfaA8F08dE82E805ea5744D9c50F9D"; // random address

// testing contracts
Expand All @@ -36,6 +34,7 @@ describe("ASDRouter", function () {
let CrocSwap;
let CrocImpact;
let ASDUSDC;
let LzEndpoint;

// test amounts
const amountUSDCSent = ethers.parseEther("100");
Expand All @@ -50,13 +49,16 @@ describe("ASDRouter", function () {
CrocImpact = await ethers.deployContract("MockCrocImpact", [CrocSwap.target]);
// ASDUSDC contract
ASDUSDC = await ethers.deployContract("ASDUSDC");
// mock lz endpoint to call lzCompose from
LzEndpoint = await ethers.deployContract("MockLZEndpoint", []);
// Router
ASDRouter = await ethers.deployContract("ASDRouter", [
Note.target,
cantoLzEndpoint.id,
cantoLzEndpointId,
CrocSwap.target,
CrocImpact.target,
ASDUSDC.target,
LzEndpoint.target,
]);

// transfer USDC to router as if it was already sent
Expand All @@ -75,7 +77,9 @@ describe("ASDRouter", function () {

it("lzCompose: invalid payload", async () => {
// call lzCompose with invalid payload
await expect(ASDRouter.lzCompose(USDCOFT.target, guid, generatedComposeMsg(refundAddress, amountUSDCSent, "0x"), executorAddress, "0x"))
await expect(
LzEndpoint.lzCompose(USDCOFT.target, ASDRouter.target, guid, 0, generatedComposeMsg(refundAddress, amountUSDCSent, "0x"), "0x")
)
.to.emit(ASDRouter, "TokenRefund")
.withArgs(guid, USDCOFT.target, refundAddress, amountUSDCSent, 0, errorMessages.invalidPayload);

Expand All @@ -87,7 +91,7 @@ describe("ASDRouter", function () {
const gas = ethers.parseEther("1");
// call lzCompose with invalid payload
await expect(
ASDRouter.lzCompose(USDCOFT.target, guid, generatedComposeMsg(refundAddress, amountUSDCSent, "0x"), executorAddress, "0x", {
LzEndpoint.lzCompose(USDCOFT.target, ASDRouter.target, guid, 0, generatedComposeMsg(refundAddress, amountUSDCSent, "0x"), "0x", {
value: gas,
})
)
Expand All @@ -101,15 +105,16 @@ describe("ASDRouter", function () {
it("lzCompose: not whitelisted", async () => {
// call lzCompose with un-whitelisted token
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(cantoLzEndpoint.id, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
generatedRouterPayload(cantoLzEndpointId, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
),
executorAddress,
"0x"
)
)
Expand All @@ -123,15 +128,16 @@ describe("ASDRouter", function () {
const gas = ethers.parseEther("1");
// call lzCompose with un-whitelisted token
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(cantoLzEndpoint.id, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
generatedRouterPayload(cantoLzEndpointId, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
),
executorAddress,
"0x",
{ value: gas }
)
Expand All @@ -148,14 +154,16 @@ describe("ASDRouter", function () {
await ASDUSDC.updateWhitelist(USDCOFT.target, true);
// call lzCompose with minASD too high
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(
cantoLzEndpoint.id,
cantoLzEndpointId,
refundAddress,
TESTASD.target,
TESTASD.target,
Expand All @@ -164,7 +172,6 @@ describe("ASDRouter", function () {
"0"
)
),
executorAddress,
"0x"
)
)
Expand All @@ -180,14 +187,16 @@ describe("ASDRouter", function () {
const gas = ethers.parseEther("1");
// call lzCompose with minASD too high
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(
cantoLzEndpoint.id,
cantoLzEndpointId,
refundAddress,
TESTASD.target,
TESTASD.target,
Expand All @@ -196,7 +205,6 @@ describe("ASDRouter", function () {
"0"
)
),
executorAddress,
"0x",
{ value: gas }
)
Expand All @@ -213,14 +221,16 @@ describe("ASDRouter", function () {
await ASDUSDC.updateWhitelist(USDCOFT.target, true);
// call lzCompose with msg.value less than send fee (dst not canto)
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(
cantoLzEndpoint.id + 1,
cantoLzEndpointId + 1,
refundAddress,
TESTASD.target,
TESTASD.target,
Expand All @@ -229,7 +239,6 @@ describe("ASDRouter", function () {
ethers.parseEther("10").toString() // test fee
)
),
executorAddress,
"0x"
)
)
Expand All @@ -245,14 +254,16 @@ describe("ASDRouter", function () {
const gas = ethers.parseEther("1");
// call lzCompose with msg.value less than send fee (dst not canto)
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(
cantoLzEndpoint.id + 1,
cantoLzEndpointId + 1,
refundAddress,
TESTASD.target,
TESTASD.target,
Expand All @@ -261,7 +272,6 @@ describe("ASDRouter", function () {
ethers.parseEther("10").toString() // test fee
)
),
executorAddress,
"0x",
{ value: gas }
)
Expand All @@ -278,20 +288,21 @@ describe("ASDRouter", function () {
await ASDUSDC.updateWhitelist(USDCOFT.target, true);
// call lzCompose with valid payload
await expect(
ASDRouter.lzCompose(
LzEndpoint.lzCompose(
USDCOFT.target,
ASDRouter.target,
guid,
0,
generatedComposeMsg(
refundAddress,
amountUSDCSent,
generatedRouterPayload(cantoLzEndpoint.id, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
generatedRouterPayload(cantoLzEndpointId, refundAddress, TESTASD.target, TESTASD.target, "0", refundAddress, "0")
),
executorAddress,
"0x"
)
)
.to.emit(ASDRouter, "ASDSent")
.withArgs(guid, refundAddress, TESTASD.target, amountUSDCSent, cantoLzEndpoint.id, false);
.withArgs(guid, refundAddress, TESTASD.target, amountUSDCSent, cantoLzEndpointId, false);
// expect ASD to be sent to canto
expect(await TESTASD.balanceOf(refundAddress)).to.equal(amountUSDCSent);
});
Expand Down

0 comments on commit ed55730

Please sign in to comment.