additional checks to prevent ownership abuse

smartcontractkit · Sep 27, 2024 · eb531cc · eb531cc
1 parent 72a0c6f
commit eb531cc
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 25 deletions.
diff --git a/contracts/gas-snapshots/ccip.gas-snapshot b/contracts/gas-snapshots/ccip.gas-snapshot
@@ -30,6 +30,8 @@ BurnMintTokenPool_lockOrBurn:test_Setup_Success() (gas: 17851)
 BurnMintTokenPool_releaseOrMint:test_ChainNotAllowed_Revert() (gas: 28805)
 BurnMintTokenPool_releaseOrMint:test_PoolMintNotHealthy_Revert() (gas: 56253)
 BurnMintTokenPool_releaseOrMint:test_PoolMint_Success() (gas: 112391)
+BurnMintWithLockReleaseFlagTokenPool_lockOrBurn:test_PoolBurn_CorrectReturnData_Success() (gas: 243221)
+BurnMintWithLockReleaseFlagTokenPool_lockOrBurn:test_Setup_Success() (gas: 17873)
 BurnWithFromMintTokenPool_lockOrBurn:test_ChainNotAllowed_Revert() (gas: 28842)
 BurnWithFromMintTokenPool_lockOrBurn:test_PoolBurnRevertNotHealthy_Revert() (gas: 55271)
 BurnWithFromMintTokenPool_lockOrBurn:test_PoolBurn_Success() (gas: 244050)
@@ -431,33 +433,38 @@ FeeQuoter_validateDestFamilyAddress:test_InvalidEVMAddressPrecompiles_Revert() (
 FeeQuoter_validateDestFamilyAddress:test_InvalidEVMAddress_Revert() (gas: 10839)
 FeeQuoter_validateDestFamilyAddress:test_ValidEVMAddress_Success() (gas: 6731)
 FeeQuoter_validateDestFamilyAddress:test_ValidNonEVMAddress_Success() (gas: 6511)
-HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_LockReleaseMechanism_then_switchToPrimary_Success() (gas: 209248)
-HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_PrimaryMechanism_Success() (gas: 135879)
-HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_WhileMigrationPause_Revert() (gas: 107090)
-HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_onLockReleaseMechanism_Success() (gas: 144586)
-HybridUSDCTokenPoolMigrationTests:test_MintOrRelease_OnLockReleaseMechanism_Success() (gas: 214817)
-HybridUSDCTokenPoolMigrationTests:test_MintOrRelease_OnLockReleaseMechanism_then_switchToPrimary_Success() (gas: 423641)
+HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_LockReleaseMechanism_then_switchToPrimary_Success() (gas: 209230)
+HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_PrimaryMechanism_Success() (gas: 135861)
+HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_WhileMigrationPause_Revert() (gas: 109814)
+HybridUSDCTokenPoolMigrationTests:test_LockOrBurn_onLockReleaseMechanism_Success() (gas: 147081)
+HybridUSDCTokenPoolMigrationTests:test_MintOrRelease_OnLockReleaseMechanism_Success() (gas: 217718)
+HybridUSDCTokenPoolMigrationTests:test_MintOrRelease_OnLockReleaseMechanism_then_switchToPrimary_Success() (gas: 426564)
 HybridUSDCTokenPoolMigrationTests:test_MintOrRelease_incomingMessageWithPrimaryMechanism() (gas: 268928)
-HybridUSDCTokenPoolMigrationTests:test_ReleaseOrMint_WhileMigrationPause_Revert() (gas: 111484)
+HybridUSDCTokenPoolMigrationTests:test_ProposeMigration_ChainNotUsingLockRelease_Revert() (gas: 15821)
+HybridUSDCTokenPoolMigrationTests:test_ReleaseOrMint_WhileMigrationPause_Revert() (gas: 114166)
 HybridUSDCTokenPoolMigrationTests:test_burnLockedUSDC_invalidPermissions_Revert() (gas: 39362)
-HybridUSDCTokenPoolMigrationTests:test_cancelExistingCCTPMigrationProposal() (gas: 33189)
-HybridUSDCTokenPoolMigrationTests:test_cannotCancelANonExistentMigrationProposal() (gas: 12669)
-HybridUSDCTokenPoolMigrationTests:test_cannotModifyLiquidityWithoutPermissions_Revert() (gas: 13329)
-HybridUSDCTokenPoolMigrationTests:test_cannotTransferLiquidityDuringPendingMigration_Revert() (gas: 160900)
-HybridUSDCTokenPoolMigrationTests:test_lockOrBurn_then_BurnInCCTPMigration_Success() (gas: 255982)
-HybridUSDCTokenPoolMigrationTests:test_transferLiquidity_Success() (gas: 165921)
-HybridUSDCTokenPoolMigrationTests:test_unstickManualTxAfterMigration_destChain_Success() (gas: 154242)
-HybridUSDCTokenPoolMigrationTests:test_unstickManualTxAfterMigration_homeChain_Success() (gas: 463740)
+HybridUSDCTokenPoolMigrationTests:test_cancelExistingCCTPMigrationProposal() (gas: 56207)
+HybridUSDCTokenPoolMigrationTests:test_cannotCancelANonExistentMigrationProposal() (gas: 12736)
+HybridUSDCTokenPoolMigrationTests:test_cannotModifyLiquidityWithoutPermissions_Revert() (gas: 13373)
+HybridUSDCTokenPoolMigrationTests:test_cannotProvideLiquidityWhenMigrationProposalPending_Revert() (gas: 67304)
+HybridUSDCTokenPoolMigrationTests:test_cannotRevertChainMechanism_afterMigration_Revert() (gas: 313390)
+HybridUSDCTokenPoolMigrationTests:test_cannotTransferLiquidityDuringPendingMigration_Revert() (gas: 177033)
+HybridUSDCTokenPoolMigrationTests:test_cnanotProvideLiquidity_AfterMigration_Revert() (gas: 313775)
+HybridUSDCTokenPoolMigrationTests:test_excludeTokensWhenNoMigrationProposalPending_Revert() (gas: 13657)
+HybridUSDCTokenPoolMigrationTests:test_lockOrBurn_then_BurnInCCTPMigration_Success() (gas: 309952)
+HybridUSDCTokenPoolMigrationTests:test_transferLiquidity_Success() (gas: 167124)
+HybridUSDCTokenPoolMigrationTests:test_unstickManualTxAfterMigration_destChain_Success() (gas: 156736)
+HybridUSDCTokenPoolMigrationTests:test_unstickManualTxAfterMigration_homeChain_Success() (gas: 516552)
 HybridUSDCTokenPoolTests:test_LockOrBurn_LockReleaseMechanism_then_switchToPrimary_Success() (gas: 209230)
 HybridUSDCTokenPoolTests:test_LockOrBurn_PrimaryMechanism_Success() (gas: 135880)
-HybridUSDCTokenPoolTests:test_LockOrBurn_WhileMigrationPause_Revert() (gas: 107135)
-HybridUSDCTokenPoolTests:test_LockOrBurn_onLockReleaseMechanism_Success() (gas: 144607)
-HybridUSDCTokenPoolTests:test_MintOrRelease_OnLockReleaseMechanism_Success() (gas: 214795)
-HybridUSDCTokenPoolTests:test_MintOrRelease_OnLockReleaseMechanism_then_switchToPrimary_Success() (gas: 423619)
+HybridUSDCTokenPoolTests:test_LockOrBurn_WhileMigrationPause_Revert() (gas: 109814)
+HybridUSDCTokenPoolTests:test_LockOrBurn_onLockReleaseMechanism_Success() (gas: 147079)
+HybridUSDCTokenPoolTests:test_MintOrRelease_OnLockReleaseMechanism_Success() (gas: 217696)
+HybridUSDCTokenPoolTests:test_MintOrRelease_OnLockReleaseMechanism_then_switchToPrimary_Success() (gas: 426520)
 HybridUSDCTokenPoolTests:test_MintOrRelease_incomingMessageWithPrimaryMechanism() (gas: 268910)
-HybridUSDCTokenPoolTests:test_ReleaseOrMint_WhileMigrationPause_Revert() (gas: 111528)
-HybridUSDCTokenPoolTests:test_cannotTransferLiquidityDuringPendingMigration_Revert() (gas: 160845)
-HybridUSDCTokenPoolTests:test_transferLiquidity_Success() (gas: 165904)
+HybridUSDCTokenPoolTests:test_ReleaseOrMint_WhileMigrationPause_Revert() (gas: 114210)
+HybridUSDCTokenPoolTests:test_cannotTransferLiquidityDuringPendingMigration_Revert() (gas: 176989)
+HybridUSDCTokenPoolTests:test_transferLiquidity_Success() (gas: 167107)
 LockReleaseTokenPoolAndProxy_setRebalancer:test_SetRebalancer_Revert() (gas: 10989)
 LockReleaseTokenPoolAndProxy_setRebalancer:test_SetRebalancer_Success() (gas: 18028)
 LockReleaseTokenPoolPoolAndProxy_canAcceptLiquidity:test_CanAcceptLiquidity_Success() (gas: 3051552)

diff --git a/contracts/src/v0.8/ccip/pools/USDC/HybridLockReleaseUSDCTokenPool.sol b/contracts/src/v0.8/ccip/pools/USDC/HybridLockReleaseUSDCTokenPool.sol
@@ -99,7 +99,7 @@ contract HybridLockReleaseUSDCTokenPool is USDCTokenPool, USDCBridgeMigrator {
     _validateReleaseOrMint(releaseOrMintIn);
 
     // Circle requires a supply-lock to prevent incoming messages once the migration process begins.
-    // This prevents new outgoing messages once the migration has begun to ensure any the procedure runs as expected
+    // This prevents new incoming messages once the migration has begun to ensure any the procedure runs as expected
     if (s_proposedUSDCMigrationChain == releaseOrMintIn.remoteChainSelector) {
       revert LanePausedForCCTPMigration(s_proposedUSDCMigrationChain);
     }
@@ -170,6 +170,10 @@ contract HybridLockReleaseUSDCTokenPool is USDCTokenPool, USDCBridgeMigrator {
   function provideLiquidity(uint64 remoteChainSelector, uint256 amount) external {
     if (s_liquidityProvider[remoteChainSelector] != msg.sender) revert TokenPool.Unauthorized(msg.sender);
 
+    if (s_migratedChains.contains(remoteChainSelector)) {
+      revert TokenLockingNotAllowedAfterMigration(remoteChainSelector);
+    }
+
     if (remoteChainSelector == s_proposedUSDCMigrationChain) {
       revert LanePausedForCCTPMigration(remoteChainSelector);
     }
@@ -236,16 +240,21 @@ contract HybridLockReleaseUSDCTokenPool is USDCTokenPool, USDCBridgeMigrator {
     return s_shouldUseLockRelease[remoteChainSelector];
   }
 
-  /// @notice Updates Updates designations for chains on whether to use primary or alt mechanism on CCIP messages
+  /// @notice Updates designations for chains on whether to use primary or alt mechanism on CCIP messages
   /// @param removes A list of chain selectors to disable Lock-Release, and enforce BM
-  /// @param adds A list of chain selectors to enable LR instead of BM
+  /// @param adds A list of chain selectors to enable LR instead of BM. These chains must not have been migrated
+  /// to CCTP yet or the transaction will revert
   function updateChainSelectorMechanisms(uint64[] calldata removes, uint64[] calldata adds) external onlyOwner {
     for (uint256 i = 0; i < removes.length; ++i) {
       delete s_shouldUseLockRelease[removes[i]];
       emit LockReleaseDisabled(removes[i]);
     }
 
     for (uint256 i = 0; i < adds.length; ++i) {
+      // Prevent enabling lock release on chains which have already been migrated
+      if (s_migratedChains.contains(adds[i])) {
+        revert TokenLockingNotAllowedAfterMigration(adds[i]);
+      }
       s_shouldUseLockRelease[adds[i]] = true;
       emit LockReleaseEnabled(adds[i]);
     }

diff --git a/contracts/src/v0.8/ccip/pools/USDC/USDCBridgeMigrator.sol b/contracts/src/v0.8/ccip/pools/USDC/USDCBridgeMigrator.sol
@@ -37,6 +37,8 @@ abstract contract USDCBridgeMigrator is OwnerIsCreator {
 
   mapping(uint64 chainSelector => bool shouldUseLockRelease) internal s_shouldUseLockRelease;
 
+  EnumerableSet.UintSet internal s_migratedChains;
+
   constructor(address token, address router) {
     i_USDC = IBurnMintERC20(token);
     i_router = Router(router);
@@ -70,6 +72,8 @@ abstract contract USDCBridgeMigrator is OwnerIsCreator {
     // Disable L/R automatically on burned chain and enable CCTP
     delete s_shouldUseLockRelease[burnChainSelector];
 
+    s_migratedChains.add(burnChainSelector);
+
     emit CCTPMigrationExecuted(burnChainSelector, tokensToBurn);
   }
 

diff --git a/contracts/src/v0.8/ccip/test/pools/HybridLockReleaseUSDCTokenPool.t.sol b/contracts/src/v0.8/ccip/test/pools/HybridLockReleaseUSDCTokenPool.t.sol
@@ -926,4 +926,36 @@ contract HybridUSDCTokenPoolMigrationTests is HybridUSDCTokenPoolTests {
     );
     s_usdcTokenPool.provideLiquidity(DEST_CHAIN_SELECTOR, 1e6);
   }
+
+  function test_cannotRevertChainMechanism_afterMigration_Revert() public {
+    test_lockOrBurn_then_BurnInCCTPMigration_Success();
+
+    vm.startPrank(OWNER);
+
+    // Mark the destination chain as supporting CCTP, so use L/R instead.
+    uint64[] memory destChainAdds = new uint64[](1);
+    destChainAdds[0] = DEST_CHAIN_SELECTOR;
+
+    vm.expectRevert(
+      abi.encodeWithSelector(
+        HybridLockReleaseUSDCTokenPool.TokenLockingNotAllowedAfterMigration.selector, DEST_CHAIN_SELECTOR
+      )
+    );
+
+    s_usdcTokenPool.updateChainSelectorMechanisms(new uint64[](0), destChainAdds);
+  }
+
+  function test_cnanotProvideLiquidity_AfterMigration_Revert() public {
+    test_lockOrBurn_then_BurnInCCTPMigration_Success();
+
+    vm.startPrank(OWNER);
+
+    vm.expectRevert(
+      abi.encodeWithSelector(
+        HybridLockReleaseUSDCTokenPool.TokenLockingNotAllowedAfterMigration.selector, DEST_CHAIN_SELECTOR
+      )
+    );
+
+    s_usdcTokenPool.provideLiquidity(DEST_CHAIN_SELECTOR, 1e6);
+  }
 }