fix: fixes after ChainSecurity audit

contracts/credit/CreditFacadeV3.sol

@@ -473,6 +473,7 @@ contract CreditFacadeV3 is ICreditFacadeV3, ACLNonReentrantTrait {
     /// @param totalFundingAllowance Total amount of WETH available to bot for payments
     /// @param weeklyFundingAllowance Amount of WETH available to bot for payments weekly
     /// @dev Reverts if caller is not `creditAccount`'s owner
+    /// @dev Reverts if `permissions` has unexpected bits enabled
     /// @dev Reverts if account has more active bots than allowed after changing permissions
     //       to prevent users from inflating liquidation gas costs
     /// @dev Changes account's `BOT_PERMISSIONS_SET_FLAG` in the credit manager if needed
@@ -488,6 +489,8 @@ contract CreditFacadeV3 is ICreditFacadeV3, ACLNonReentrantTrait {
         creditAccountOwnerOnly(creditAccount) // U:[FA-5]
         nonReentrant // U:[FA-4]
     {
+        if (permissions & ~ALL_PERMISSIONS != 0) revert UnexpectedPermissionsException(); // U:[FA-41]
+
         uint256 remainingBots = IBotListV3(botList).setBotPermissions({
             creditManager: creditManager,
             creditAccount: creditAccount,

contracts/credit/CreditManagerV3.sol

@@ -1145,9 +1145,9 @@ contract CreditManagerV3 is ICreditManagerV3, SanityCheckTrait, ReentrancyGuardT
     }
 
     /// @dev Saves `creditAccount`'s `enabledTokensMask` in the storage
-    /// @dev Ensures that the number of enabled tokens does not exceed `maxEnabledTokens`
+    /// @dev Ensures that the number of enabled tokens excluding underlying does not exceed `maxEnabledTokens`
     function _saveEnabledTokensMask(address creditAccount, uint256 enabledTokensMask) internal {
-        if (enabledTokensMask.calcEnabledTokens() > maxEnabledTokens) {
+        if (enabledTokensMask.disable(UNDERLYING_TOKEN_MASK).calcEnabledTokens() > maxEnabledTokens) {
             revert TooManyEnabledTokensException(); // U:[CM-37]
         }
 

contracts/interfaces/IExceptions.sol

@@ -184,6 +184,9 @@ error NoPermissionException(uint256 permission);
 /// @notice Thrown when user tries to approve more bots than allowed
 error TooManyApprovedBotsException();
 
+/// @notice Thrown when attempting to give a bot unexpected permissions
+error UnexpectedPermissionsException();
+
 // ------ //
 // ACCESS //
 // ------ //

contracts/test/integration/credit/Bots.int.sol

@@ -58,7 +58,7 @@ contract BotsIntegrationTest is IntegrationTestHelper, ICreditFacadeV3Events {
 
         vm.prank(address(creditFacade));
         botList.setBotPermissions(
-            address(creditManager), creditAccount, bot, type(uint192).max, uint72(1 ether), uint72(1 ether / 10)
+            address(creditManager), creditAccount, bot, uint192(ALL_PERMISSIONS), uint72(1 ether), uint72(1 ether / 10)
         );
 
         vm.expectRevert(NotApprovedBotException.selector);
@@ -78,7 +78,9 @@ contract BotsIntegrationTest is IntegrationTestHelper, ICreditFacadeV3Events {
         botList.setBotSpecialPermissions(address(creditManager), address(bot), 0);
 
         vm.prank(USER);
-        creditFacade.setBotPermissions(creditAccount, bot, type(uint192).max, uint72(1 ether), uint72(1 ether / 10));
+        creditFacade.setBotPermissions(
+            creditAccount, bot, uint192(ALL_PERMISSIONS), uint72(1 ether), uint72(1 ether / 10)
+        );
 
         botList.getBotStatus({creditManager: address(creditManager), creditAccount: creditAccount, bot: bot});
 
@@ -127,15 +129,19 @@ contract BotsIntegrationTest is IntegrationTestHelper, ICreditFacadeV3Events {
 
         vm.expectRevert(CallerNotCreditAccountOwnerException.selector);
         vm.prank(FRIEND);
-        creditFacade.setBotPermissions(creditAccount, bot, type(uint192).max, uint72(1 ether), uint72(1 ether / 10));
+        creditFacade.setBotPermissions(
+            creditAccount, bot, uint192(ALL_PERMISSIONS), uint72(1 ether), uint72(1 ether / 10)
+        );
 
         vm.expectCall(
             address(creditManager),
             abi.encodeCall(CreditManagerV3.setFlagFor, (creditAccount, BOT_PERMISSIONS_SET_FLAG, true))
         );
 
         vm.prank(USER);
-        creditFacade.setBotPermissions(creditAccount, bot, type(uint192).max, uint72(1 ether), uint72(1 ether / 10));
+        creditFacade.setBotPermissions(
+            creditAccount, bot, uint192(ALL_PERMISSIONS), uint72(1 ether), uint72(1 ether / 10)
+        );
 
         assertTrue(creditManager.flagsOf(creditAccount) & BOT_PERMISSIONS_SET_FLAG > 0, "Flag was not set");
 

contracts/test/unit/credit/CreditFacadeV3.unit.t.sol

@@ -2083,6 +2083,17 @@ contract CreditFacadeV3UnitTest is TestHelper, BalanceHelper, ICreditFacadeV3Eve
 
         creditManagerMock.setBorrower(USER);
 
+        /// It reverts if passed unexpected permissions
+        vm.expectRevert(UnexpectedPermissionsException.selector);
+        vm.prank(USER);
+        creditFacade.setBotPermissions({
+            creditAccount: creditAccount,
+            bot: bot,
+            permissions: type(uint192).max,
+            totalFundingAllowance: 2,
+            weeklyFundingAllowance: 3
+        });
+
         creditManagerMock.setFlagFor({creditAccount: creditAccount, flag: BOT_PERMISSIONS_SET_FLAG, value: false});
 
         botListMock.setBotPermissionsReturn(1);

contracts/test/unit/credit/CreditManagerV3.unit.t.sol

@@ -3089,7 +3089,7 @@ contract CreditManagerV3UnitTest is TestHelper, ICreditManagerV3Events, BalanceH
         vm.prank(CONFIGURATOR);
         creditManager.setMaxEnabledTokens(maxEnabledTokens);
 
-        if (mask.calcEnabledTokens() > maxEnabledTokens) {
+        if (mask.disable(UNDERLYING_TOKEN_MASK).calcEnabledTokens() > maxEnabledTokens) {
             vm.expectRevert(TooManyEnabledTokensException.selector);
             creditManager.saveEnabledTokensMask(creditAccount, mask);
         } else {