Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: edgecase where user is blacklisted with an inflight message #105

Merged
merged 17 commits into from
Jul 23, 2024
Merged

fix: edgecase where user is blacklisted with an inflight message #105

merged 17 commits into from
Jul 23, 2024

Conversation

excaliborr
Copy link
Contributor

🤖 Linear

Closes OPT-XXX

0xDiscotech
0xDiscotech reviewed Jul 15, 2024
View reviewed changes
src/contracts/L1OpUSDCBridgeAdapter.sol Outdated
Comment on lines 187 to 191
function withdrawBlacklistedFunds() external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;

IUSDC(USDC).safeTransfer(owner(), _amount);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not allowing the owner to set any arbitrary receiver of the funds?

Suggested change
function withdrawBlacklistedFunds() external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;
IUSDC(USDC).safeTransfer(owner(), _amount);
function withdrawBlacklistedFunds(address _to) external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;
IUSDC(USDC).safeTransfer(_to, _amount);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed!

0xDiscotech
0xDiscotech reviewed Jul 15, 2024
View reviewed changes
src/contracts/L1OpUSDCBridgeAdapter.sol Outdated
/**
* @notice Withdraws the blacklisted funds
*/
function withdrawBlacklistedFunds() external onlyOwner {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For better UX, we shouldn't allow this to be called when the burnAmount is burned. And maybe we should set to 0 the blacklisted amount as well

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not? Arguably Im not sure we should even allow the blacklisted funds to be withdrawn, maybe we should just burn them, but idk what circles process is for that

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bc of this, i think if we allow to move those funds after transfer, we might be violating this?
image

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, as I see it, we should burn that too

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we should just burn them, but idk what circles process is for that
I'm more inclined to just burn them, but yeah, I think is worth to ask them

Copy link
Contributor Author

@excaliborr excaliborr Jul 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bc of this, i think if we allow to move those funds after transfer, we might be violating this? image

Yes, but this is the L1 Adapter, the balance on L2 was already burned, so we still comply with the reqs, buisness wise not sure if owner should be allowed to withdraw or if we just burn

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah awesome yes, makes sense

0xDiscotech
0xDiscotech reviewed Jul 15, 2024
View reviewed changes
src/interfaces/IOpUSDCBridgeAdapter.sol Outdated
/**
* @notice Returns the amount of funds locked that got blacklisted
*/
function blacklistedFunds() external view returns (uint256);
Copy link
Contributor

@0xDiscotech 0xDiscotech Jul 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing return var and its NATSPEC

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed!

0xDiscotech
0xDiscotech reviewed Jul 15, 2024
View reviewed changes
src/contracts/L1OpUSDCBridgeAdapter.sol Outdated
Comment on lines 187 to 191
function withdrawBlacklistedFunds() external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;

IUSDC(USDC).safeTransfer(owner(), _amount);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
function withdrawBlacklistedFunds() external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;
IUSDC(USDC).safeTransfer(owner(), _amount);
function withdrawBlacklistedFunds(address _to) external onlyOwner {
uint256 _amount = blacklistedFunds;
blacklistedFunds = 0;
IUSDC(USDC).safeTransfer(_to, _amount);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed!

@0xDiscotech
Copy link
Contributor

@excaliborr Why don't we allow the owner to transfer the blacklisted funds on L2, such as we do on L1 with withdrawBlacklistedFunds()?

@0xDiscotech
Copy link
Contributor

I know it doesn't depend from us, but if another minter is added and a mint is done over a blacklisted address it will screw up
totalSupply + blacklistedAmount calculation, right?

@excaliborr
Copy link
Contributor Author

excaliborr commented Jul 16, 2024
edited
Loading

@excaliborr Why don't we allow the owner to transfer the blacklisted funds on L2, such as we do on L1 with withdrawBlacklistedFunds()?

It just felt weird to me, as we would then need to mint them for no reason, if the owner wanted to he could mint himself funds anyway

@excaliborr
Copy link
Contributor Author

I know it doesn't depend from us, but if another minter is added and a mint is done over a blacklisted address it will screw up totalSupply + blacklistedAmount calculation, right?

If another minter is added it shouldn't matter, on L1 we will take the min(balance, burnAmount) anyway

@0xDiscotech
Copy link
Contributor

0xDiscotech commented Jul 22, 2024
edited
Loading

Wdyt about adding this function in case the blacklisted sender is unblacklisted:

function withdrawBlacklisted() external { 
  if (!isBlacklisted(msg.sender)) {
     USDC.transfer(msg.sender, blacklistedAmount[msg.sender])
    blacklistedAmount -   blacklistedAmount[msg.sender];
    blacklistedAmount[msg.sender] = 0;
    emit ...
  }
}

0xDiscotech
0xDiscotech reviewed Jul 23, 2024
View reviewed changes
Copy link
Contributor

@0xDiscotech 0xDiscotech left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Missing unit tests for the whole catch logic on l1Adapter#receiveMessage.
  • Missing unit tests for the userBlacklistedFunds update on l2Adapter#receiveMessage

src/contracts/L2OpUSDCBridgeAdapter.sol Outdated
* @param _user The user to withdraw the funds for
*/
function withdrawBlacklistedFunds(address _user) external override {
// TODO: Add explicit check if migration has happend
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing check on the TODO here, or to be done on a next PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

next PR, hex is adding this logic in his, intentionally left it out

test/integration/L1OpUSDCBridgeAdapter.t.sol Outdated

_mintSupplyOnL2(optimism, OP_ALIASED_L1_MESSENGER, _blacklistedAmount);

assertEq(l2Adapter.blacklistedFunds(), _blacklistedAmount);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that bef the call blacklistedFunds() is equal to 0, but don't you think adding it before the call and then compare the var is more future proof in case something changes on the setup? Like

uint256 _blacklistedFundsBef = l2Adapter.blacklistedFunds();

// Mint the supply on L2 

    assertEq(l2Adapter.blacklistedFunds(),  _blacklistedFundsBef + _blacklistedAmount);
    
    ....

Maybe this can be applied to other tests also on another PR? It might be worth to check IMO

0xDiscotech
0xDiscotech approved these changes Jul 23, 2024
View reviewed changes
Copy link
Contributor

@0xDiscotech 0xDiscotech left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing stuff! 🔥

@excaliborr excaliborr merged commit 006a27c into audit/spearbit Jul 23, 2024
4 checks passed
@excaliborr excaliborr deleted the fix/blacklist branch July 23, 2024 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xDiscotech 0xDiscotech 0xDiscotech approved these changes

@hexshire hexshire hexshire approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@excaliborr @0xDiscotech @hexshire