Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/chainlight remediations #81

Merged
merged 13 commits into from
Feb 14, 2024
Merged

Fix/chainlight remediations #81

merged 13 commits into from
Feb 14, 2024

Conversation

livingrockrises
Copy link
Collaborator

Summary

Related Issue: #
https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/7
https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/5
https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/6
https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/7

Change Type

  • Bug Fix
  • Refactor
  • New Feature
  • Breaking Change
  • Documentation Update
  • Performance Improvement
  • Other

Checklist

  • My code follows this project's style guidelines
  • I've reviewed my own code
  • I've added comments for any hard-to-understand areas
  • I've updated the documentation if necessary
  • My changes generate no new warnings
  • I've added tests that prove my fix is effective or my feature works
  • All unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Additional Information

Branch Naming

this-is-chainlight
this-is-chainlight suggested changes Feb 8, 2024
View reviewed changes
Copy link

@this-is-chainlight this-is-chainlight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/5

Looks good.

https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/6

  1. Most oracles are still configured to fall back to the default update threshold of 2 days. Since the heartbeat interval varies for each token and network combination, the priceUpdateThreshold should be configured as heartbeat interval + block time + buffer. You can find the information on Chainlink's feed here.

  2. Placing priceUpdateThreshold right after tokenDecimals here and loading tokenInfo into memory before using it here should reduce gas usage.

  3. In line with the code changes, comments should be added here and updated here.

https://github.com/chainlight-io/2024-01-biconomy-audit-issues-client/issues/7

There is a flaw in MathLib.sol's min function. (It returns the max value rather than the min value.) Change the gt() part in minuint256() and minuint32() as shown below.

function minuint256(uint256 a, uint256 b) internal pure returns (uint256 result) {
    assembly {
        result := xor(b, mul(xor(b, a), gt(b, a)))
    }
}

function minuint32(uint32 a, uint32 b) internal pure returns (uint32 result) {
    assembly {
        result := xor(b, mul(xor(b, a), gt(b, a)))
    }
}

@livingrockrises
Copy link
Collaborator Author

  1. here

can't open this link
https://data.chain.link/_next/data/_iNK4_aT-_RWKGZ3A8gi7/feeds.json

@livingrockrises
Copy link
Collaborator Author

2. here

do you mean changing this from storage to memory?

TokenInfo storage tokenInfo = tokensInfo[token];

@livingrockrises
Copy link
Collaborator Author

There is a flaw in MathLib.sol's min function. (It returns the max value rather than the min value.) Change the gt() part in minuint256() and minuint32() as shown below.

Are you sure about this, it does break my test cases.

@livingrockrises
Copy link
Collaborator Author

There is a flaw in MathLib.sol's min function. (It returns the max value rather than the min value.) Change the gt() part in minuint256() and minuint32() as shown below.

Are you sure about this, it does break my test cases.

ok I just confirmed in foundry, will check the tests

@this-is-chainlight
Copy link

#81 (comment)

Sorry. We didn't know that the link was temporary. We are uploading the downloaded version.
feeds.json

#81 (comment)

Yes.

#81 (comment)

Yes.

@livingrockrises
Copy link
Collaborator Author

#81 (comment)

Sorry. We didn't know that the link was temporary. We are uploading the downloaded version. feeds.json

#81 (comment)

Yes.

#81 (comment)

Yes.

Thanks. For the deployment scripts will try to fin heartbeat for all supported oracles across supported chains. What value do you recommend for a buffer?

btw, all the changes have been made. can you re-review and approve the PR please

@this-is-chainlight
Copy link

this-is-chainlight commented Feb 13, 2024
edited
Loading

What value do you recommend for a buffer?

buffer = max(heartbeat interval, average block time of chain * 2)

So the final threshold would be heartbeat interval * 2 + average block time of the chain or heartbeat interval + average block time of the chain * 3).

btw, all the changes have been made. can you re-review and approve the PR please

Sure. Looks good.

Aboudjem
Aboudjem reviewed Feb 13, 2024
View reviewed changes
contracts/interfaces/paymasters/IBiconomyTokenPaymaster.sol
@@ -32,6 +32,8 @@ interface IBiconomyTokenPaymaster {
*/
event FeeReceiverChanged(address indexed _oldfeeReceiver, address indexed _newfeeReceiver, address indexed _actor);

event TokensWithdrawn(address indexed _token, address indexed _to, uint256 indexed _amount, address actor);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure _amount should be indexed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can index 3 params and I think it's fine. also out of scope of remediations PR

Aboudjem
Aboudjem reviewed Feb 13, 2024
View reviewed changes
contracts/token/BiconomyTokenPaymaster.sol Outdated
require(priceMarkup <= 2e6, "BTPM: price markup percentage too high");
require(
IERC20(feeToken).balanceOf(account) >= ((tokenRequiredPreFund * priceMarkup) / PRICE_DENOMINATOR),
"BTPM: account does not have enough token balance"
Copy link
Contributor

@Aboudjem Aboudjem Feb 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To fit into 32 bytes we can use the following require msg: BTPM: Insufficient token balance

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Aboudjem
Aboudjem reviewed Feb 13, 2024
View reviewed changes
contracts/token/oracles/OracleAggregator.sol
Comment on lines +31 to +33
tokensInfo[token].tokenDecimals = ERC20(token).decimals();
tokensInfo[token].isDerivedFeed = isDerivedFeed;
tokensInfo[token].priceUpdateThreshold = priceUpdateThreshold;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current function setTokenOracle updates TokenInfo in tokensInfo map separately.

I'll suggest to pass TokenInfo directly and update map once. Saves SSTORE operation

tokensInfo[token] = TokenInfo({
    tokenDecimals: ERC20(token).decimals(),
    priceUpdateThreshold,
    tokenOracle,
    nativeOracle,
    isDerivedFeed
});

This way we use less gas

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we do this as part of another PR? first I will check gas consumptions on forge. this also requires major changes again in scripts

Aboudjem
Aboudjem suggested changes Feb 13, 2024
View reviewed changes
Copy link
Contributor

@Aboudjem Aboudjem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.

@livingrockrises livingrockrises merged commit e0a87f7 into develop Feb 14, 2024
3 checks passed
@livingrockrises livingrockrises deleted the fix/chainlight-remediations branch February 14, 2024 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aboudjem Aboudjem Aboudjem approved these changes

@this-is-chainlight this-is-chainlight this-is-chainlight approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@livingrockrises @this-is-chainlight @Aboudjem