feat(SpokePoolPeriphery): Support multiple exchanges #777
Conversation
Currently we can only initialize the periphery contract with a single exchange to swap with. This PR allows us to initialize it with multiple exchanges to swap with. Like before, these initial set of exchanges and function selectors cannot be changed post-initialization, which gives the user assurances.
|
I just added some forge unit tests for:
|
Make user approve proxy contract so no one can use `exchange` + `routerCalldata` to steal their already approved funds via the `SpokePoolPeriphery`
| WETH9Interface _wrappedNativeToken, | ||
| address _exchange | ||
| ) external { | ||
| function initialize(SpokePoolV3Periphery _spokePoolPeriphery) external nonReentrant { |
There was a problem hiding this comment.
Why an initialize function? Do we expect this to be an upgradable contract?
There was a problem hiding this comment.
We want to deploy this contract at the same create2 address everywhere so I wanted to avoid passing any constructor params that would modify the bytecode. Do you think that's not needed?
There was a problem hiding this comment.
Oh, I see.
I do think that makes sense! To avoid frontrunning, should we include a deployer contract that has no input params (and thus would have a consistent address) and has an function that creates the contract and initializes it atomically? This might also be useful since there's two contracts that are linked that we want to deploy together, so this deployer can ensure that both get deployed and setup correctly.
There was a problem hiding this comment.
This would greatly increase the diff, but what do you think about replacing all the duplicate natspec comments on the functions here which are defined in SpokePoolV3PeripheryInterface with a single // @inheritdoc SpokePoolV3PeripheryInterface? This way we don't need to maintain two identical pieces of documentation.
* feat: add permit2 entrypoints to the periphery Signed-off-by: Bennett <[email protected]> * Update test/evm/foundry/local/SpokePoolPeriphery.t.sol * Update SpokePoolPeriphery.t.sol * move permit2 to proxy * fix permit2 Signed-off-by: bennett <[email protected]> * wip: swap arguments refactor Signed-off-by: bennett <[email protected]> * implement isValidSignature Signed-off-by: bennett <[email protected]> * 1271 Signed-off-by: bennett <[email protected]> * simplify isValidSignature Signed-off-by: bennett <[email protected]> * rebase /programs on master Signed-off-by: nicholaspai <[email protected]> * clean up comments * rebase programs * fix: consolidate structs so that permit2 witnesses cover inputs Signed-off-by: bennett <[email protected]> * begin permit2 unit tests Signed-off-by: bennett <[email protected]> * rebase * Update SpokePoolPeriphery.t.sol * move type definitions to interface Signed-off-by: bennett <[email protected]> * fix permit2 test Signed-off-by: bennett <[email protected]> * transfer type tests Signed-off-by: bennett <[email protected]> * rename EIP1271Signature to Permi2Approval Signed-off-by: bennett <[email protected]> --------- Signed-off-by: Bennett <[email protected]> Signed-off-by: bennett <[email protected]> Signed-off-by: nicholaspai <[email protected]> Co-authored-by: nicholaspai <[email protected]> Co-authored-by: nicholaspai <[email protected]>
Currently we can only initialize the periphery contract with a single exchange to swap with. This PR allows us to initialize it with multiple exchanges to swap with. Like before, these initial set of exchanges and function selectors cannot be changed post-initialization, which gives the user assurances.
This also adds a methodwhitelistExchangeswhich can update the whitelisted exchange list. This means that the contract is nowOwnableand bothinitializeandwhitelistExchangesare markedonlyOwner. This means that users need to trust the owner of the contract now, and the worst thing that the owner can do is whitelist a malicious exchange. The caller of theswapXfunctions would still need to knowingly sign off onrouterCalldatathat would target this malicious exchange, so the user still retains controlI don't think we're going to make the contractOwnableand let the owner update the whitelisted exchange list post-deployment, but if we want to we can revert this commit. The reasoning is to give better assurances to the user about the contract's expected behavior.This PR removes the whitelist of exchanges that can be called by the SpokePoolPeriphery, which was useful for protecting the caller from
approve-ing the SpokePoolPeriphery contract and leaving an approval that could be stolen by another user who could direct the SpokePoolPeriphery totransferFromthe user who left their approval hanging. The reasoning for removing the whitelist is so that multiple exchanges can be used by the caller. In order to keep protecting the user from this "approval abuse", we add a new "Proxy" contract that should be used by the caller to call functions likeSpokePoolPeriphery.swapAndBridgethat require approvals. Now the user only approves the proxy contract which can only be used to callSpokePoolPeriphery.swapAndBridgerather than execute any arbitrary calldata.