Audit Mitigation September - 3.1 and 3.2 Payment Enforcer Improvement…

…s (#436)
MetaMask · Sep 11, 2024 · a069cba · a069cba
1 parent 7ed849f
commit a069cba
Show file tree

Hide file tree

Showing 3 changed files with 471 additions and 241 deletions.
diff --git a/script/coverage.sh b/script/coverage.sh
@@ -37,4 +37,4 @@ then
         --output-directory "$folder_path" \
         "$folder_path/filtered-lcov.info"
     open "$folder_path/index.html"
-fi
+fi
diff --git a/src/enforcers/NativeTokenPaymentEnforcer.sol b/src/enforcers/NativeTokenPaymentEnforcer.sol
@@ -11,11 +11,14 @@ import { IDelegationManager } from "../interfaces/IDelegationManager.sol";
 /**
  * @title NativeTokenPaymentEnforcer
  * @notice This contract enforces payment in native token (e.g., ETH) for the right to use a delegation.
- * @dev The redeemer must include a payment delegation in the arguments when executing an execution.
- * The payment, made in native token, is processed during the execution of the delegated execution, ensuring that the
- * enforced conditions are met.
- * Combining `NativeTokenTransferAmountEnforcer` and `ArgsEqualityCheckEnforcer` when creating the payment delegation is recommended
- * to prevent front-running attacks.
+ * @dev The redeemer must include an allowance delegation when executing the payment.
+ * The payment, made in native tokens, is processed during the execution of the allowance delegation to ensure that
+ * the payment conditions set by the terms are met.
+ * @dev When constructing the leaf allowance delegation, the use of `ArgsEqualityCheckEnforcer` is mandatory placed as the first
+ * caveat to prevent front-running attacks. This ensures that the execution arguments (delegationHash and redeemer) match exactly,
+ * protecting the delegation.
+ * @dev It is recommended to combine the allowance delegation with the `NativeTokenTransferAmountEnforcer` to ensure the correct
+ * token transfer amount.
  * @dev Requires the redeemer to be a DeleGator that supports the single execution mode.
  */
 contract NativeTokenPaymentEnforcer is CaveatEnforcer {
@@ -53,7 +56,7 @@ contract NativeTokenPaymentEnforcer is CaveatEnforcer {
      * @notice Enforces the conditions that should hold after a transaction is performed.
      * @param _terms Encoded 52 packed bytes where: the first 20 bytes are the address of the recipient,
      * the next 32 bytes are the amount to charge for the delegation.
-     * @param _args Encoded arguments containing the delegation chain for the payment.
+     * @param _args Encoded arguments containing the allowance delegation chain for the payment.
      * @param _delegationHash The hash of the delegation.
      * @param _delegator The address of the delegator.
      * @param _redeemer The address that is redeeming the delegation.
@@ -75,20 +78,20 @@ contract NativeTokenPaymentEnforcer is CaveatEnforcer {
         // Decode the payment terms and arguments
         (address recipient_, uint256 amount_) = getTermsInfo(_terms);
 
-        Delegation[] memory delegations_ = abi.decode(_args, (Delegation[]));
+        Delegation[] memory allowanceDelegations_ = abi.decode(_args, (Delegation[]));
 
-        // Assign the delegation hash as the args to the args equality enforcer.
-        for (uint256 x = 0; x < delegations_.length; ++x) {
-            Delegation memory delegation_ = delegations_[x];
-            for (uint256 i = 0; i < delegation_.caveats.length; ++i) {
-                if (delegation_.caveats[i].enforcer == argsEqualityCheckEnforcer) {
-                    delegation_.caveats[i].args = abi.encodePacked(_delegationHash);
-                }
-            }
-        }
+        require(allowanceDelegations_.length > 0, "NativeTokenPaymentEnforcer:invalid-allowance-delegations-length");
+
+        require(
+            allowanceDelegations_[0].caveats.length > 0 && allowanceDelegations_[0].caveats[0].enforcer == argsEqualityCheckEnforcer,
+            "NativeTokenPaymentEnforcer:missing-argsEqualityCheckEnforcer"
+        );
+
+        // The Args Enforcer with this data (hash & redeemer) must be the first Enforcer in the payment delegations caveats
+        allowanceDelegations_[0].caveats[0].args = abi.encodePacked(_delegationHash, _redeemer);
 
         bytes[] memory permissionContexts_ = new bytes[](1);
-        permissionContexts_[0] = abi.encode(delegations_);
+        permissionContexts_[0] = abi.encode(allowanceDelegations_);
 
         bytes[] memory executionCallDatas_ = new bytes[](1);
         executionCallDatas_[0] = ExecutionLib.encodeSingle(recipient_, amount_, hex"");