Merge pull request #1012 from 0xProject/feature/contracts/staticcall

Use staticcall for external function calls in MixinSignatureValidator

4 files changed, 133 insertions, 3 deletions

diff --git a/packages/contracts/test/asset_proxy/proxies.ts b/packages/contracts/test/asset_proxy/proxies.ts
index 76a020222..6031e554d 100644
--- a/packages/contracts/test/asset_proxy/proxies.ts
+++ b/packages/contracts/test/asset_proxy/proxies.ts
@@ -12,7 +12,7 @@ import { ERC20ProxyContract } from '../../generated_contract_wrappers/erc20_prox
 import { ERC721ProxyContract } from '../../generated_contract_wrappers/erc721_proxy';
 import { IAssetProxyContract } from '../../generated_contract_wrappers/i_asset_proxy';
 import { artifacts } from '../utils/artifacts';
-import { expectTransactionFailedAsync } from '../utils/assertions';
+import { expectTransactionFailedAsync, expectTransactionFailedWithoutReasonAsync } from '../utils/assertions';
 import { chaiSetup } from '../utils/chai_setup';
 import { constants } from '../utils/constants';
 import { ERC20Wrapper } from '../utils/erc20_wrapper';
@@ -99,6 +99,17 @@ describe('Asset Transfer Proxies', () => {
         await blockchainLifecycle.revertAsync();
     });
     describe('Transfer Proxy - ERC20', () => {
+        it('should revert if undefined function is called', async () => {
+            const undefinedSelector = '0x01020304';
+            await expectTransactionFailedWithoutReasonAsync(
+                web3Wrapper.sendTransactionAsync({
+                    from: owner,
+                    to: erc20Proxy.address,
+                    value: constants.ZERO_AMOUNT,
+                    data: undefinedSelector,
+                }),
+            );
+        });
         describe('transferFrom', () => {
             it('should successfully transfer tokens', async () => {
                 // Construct ERC20 asset data
@@ -219,6 +230,17 @@ describe('Asset Transfer Proxies', () => {
     });
 
     describe('Transfer Proxy - ERC721', () => {
+        it('should revert if undefined function is called', async () => {
+            const undefinedSelector = '0x01020304';
+            await expectTransactionFailedWithoutReasonAsync(
+                web3Wrapper.sendTransactionAsync({
+                    from: owner,
+                    to: erc721Proxy.address,
+                    value: constants.ZERO_AMOUNT,
+                    data: undefinedSelector,
+                }),
+            );
+        });
         describe('transferFrom', () => {
             it('should successfully transfer tokens', async () => {
                 // Construct ERC721 asset data
diff --git a/packages/contracts/test/exchange/core.ts b/packages/contracts/test/exchange/core.ts
index bc2bad749..f9d8b7783 100644
--- a/packages/contracts/test/exchange/core.ts
+++ b/packages/contracts/test/exchange/core.ts
@@ -1,6 +1,6 @@
 import { BlockchainLifecycle } from '@0xproject/dev-utils';
 import { assetDataUtils, orderHashUtils } from '@0xproject/order-utils';
-import { RevertReason, SignedOrder } from '@0xproject/types';
+import { RevertReason, SignatureType, SignedOrder } from '@0xproject/types';
 import { BigNumber } from '@0xproject/utils';
 import { Web3Wrapper } from '@0xproject/web3-wrapper';
 import * as chai from 'chai';
@@ -14,6 +14,7 @@ import { DummyNoReturnERC20TokenContract } from '../../generated_contract_wrappe
 import { ERC20ProxyContract } from '../../generated_contract_wrappers/erc20_proxy';
 import { ERC721ProxyContract } from '../../generated_contract_wrappers/erc721_proxy';
 import { ExchangeCancelEventArgs, ExchangeContract } from '../../generated_contract_wrappers/exchange';
+import { TestStaticCallReceiverContract } from '../../generated_contract_wrappers/test_static_call_receiver';
 import { artifacts } from '../utils/artifacts';
 import { expectTransactionFailedAsync } from '../utils/assertions';
 import { getLatestBlockTimestampAsync, increaseTimeAndMineBlockAsync } from '../utils/block_timestamp';
@@ -44,6 +45,8 @@ describe('Exchange core', () => {
     let exchange: ExchangeContract;
     let erc20Proxy: ERC20ProxyContract;
     let erc721Proxy: ERC721ProxyContract;
+    let maliciousWallet: TestStaticCallReceiverContract;
+    let maliciousValidator: TestStaticCallReceiverContract;
 
     let signedOrder: SignedOrder;
     let erc20Balances: ERC20BalancesByOwner;
@@ -109,6 +112,12 @@ describe('Exchange core', () => {
             constants.AWAIT_TRANSACTION_MINED_MS,
         );
 
+        maliciousWallet = maliciousValidator = await TestStaticCallReceiverContract.deployFrom0xArtifactAsync(
+            artifacts.TestStaticCallReceiver,
+            provider,
+            txDefaults,
+        );
+
         defaultMakerAssetAddress = erc20TokenA.address;
         defaultTakerAssetAddress = erc20TokenB.address;
 
@@ -161,6 +170,51 @@ describe('Exchange core', () => {
                 RevertReason.OrderUnfillable,
             );
         });
+
+        it('should revert if `isValidSignature` tries to update state when SignatureType=Wallet', async () => {
+            const maliciousMakerAddress = maliciousWallet.address;
+            await web3Wrapper.awaitTransactionSuccessAsync(
+                await erc20TokenA.setBalance.sendTransactionAsync(
+                    maliciousMakerAddress,
+                    constants.INITIAL_ERC20_BALANCE,
+                ),
+                constants.AWAIT_TRANSACTION_MINED_MS,
+            );
+            await web3Wrapper.awaitTransactionSuccessAsync(
+                await maliciousWallet.approveERC20.sendTransactionAsync(
+                    erc20TokenA.address,
+                    erc20Proxy.address,
+                    constants.INITIAL_ERC20_ALLOWANCE,
+                ),
+                constants.AWAIT_TRANSACTION_MINED_MS,
+            );
+            signedOrder = await orderFactory.newSignedOrderAsync({
+                makerAddress: maliciousMakerAddress,
+                makerFee: constants.ZERO_AMOUNT,
+            });
+            signedOrder.signature = `0x0${SignatureType.Wallet}`;
+            await expectTransactionFailedAsync(
+                exchangeWrapper.fillOrderAsync(signedOrder, takerAddress),
+                RevertReason.WalletError,
+            );
+        });
+
+        it('should revert if `isValidSignature` tries to update state when SignatureType=Validator', async () => {
+            const isApproved = true;
+            await web3Wrapper.awaitTransactionSuccessAsync(
+                await exchange.setSignatureValidatorApproval.sendTransactionAsync(
+                    maliciousValidator.address,
+                    isApproved,
+                    { from: makerAddress },
+                ),
+                constants.AWAIT_TRANSACTION_MINED_MS,
+            );
+            signedOrder.signature = `${maliciousValidator.address}0${SignatureType.Validator}`;
+            await expectTransactionFailedAsync(
+                exchangeWrapper.fillOrderAsync(signedOrder, takerAddress),
+                RevertReason.ValidatorError,
+            );
+        });
     });
 
     describe('Testing exchange of ERC20 tokens with no return values', () => {
diff --git a/packages/contracts/test/exchange/signature_validator.ts b/packages/contracts/test/exchange/signature_validator.ts
index cd4f3d6f3..5b64d853c 100644
--- a/packages/contracts/test/exchange/signature_validator.ts
+++ b/packages/contracts/test/exchange/signature_validator.ts
@@ -9,11 +9,12 @@ import {
     TestSignatureValidatorContract,
     TestSignatureValidatorSignatureValidatorApprovalEventArgs,
 } from '../../generated_contract_wrappers/test_signature_validator';
+import { TestStaticCallReceiverContract } from '../../generated_contract_wrappers/test_static_call_receiver';
 import { ValidatorContract } from '../../generated_contract_wrappers/validator';
 import { WalletContract } from '../../generated_contract_wrappers/wallet';
 import { addressUtils } from '../utils/address_utils';
 import { artifacts } from '../utils/artifacts';
-import { expectContractCallFailed } from '../utils/assertions';
+import { expectContractCallFailed, expectContractCallFailedWithoutReasonAsync } from '../utils/assertions';
 import { chaiSetup } from '../utils/chai_setup';
 import { constants } from '../utils/constants';
 import { LogDecoder } from '../utils/log_decoder';
@@ -31,6 +32,8 @@ describe('MixinSignatureValidator', () => {
     let signatureValidator: TestSignatureValidatorContract;
     let testWallet: WalletContract;
     let testValidator: ValidatorContract;
+    let maliciousWallet: TestStaticCallReceiverContract;
+    let maliciousValidator: TestStaticCallReceiverContract;
     let signerAddress: string;
     let signerPrivateKey: Buffer;
     let notSignerAddress: string;
@@ -65,6 +68,11 @@ describe('MixinSignatureValidator', () => {
             txDefaults,
             signerAddress,
         );
+        maliciousWallet = maliciousValidator = await TestStaticCallReceiverContract.deployFrom0xArtifactAsync(
+            artifacts.TestStaticCallReceiver,
+            provider,
+            txDefaults,
+        );
         signatureValidatorLogDecoder = new LogDecoder(web3Wrapper);
         await web3Wrapper.awaitTransactionSuccessAsync(
             await signatureValidator.setSignatureValidatorApproval.sendTransactionAsync(testValidator.address, true, {
@@ -72,6 +80,16 @@ describe('MixinSignatureValidator', () => {
             }),
             constants.AWAIT_TRANSACTION_MINED_MS,
         );
+        await web3Wrapper.awaitTransactionSuccessAsync(
+            await signatureValidator.setSignatureValidatorApproval.sendTransactionAsync(
+                maliciousValidator.address,
+                true,
+                {
+                    from: signerAddress,
+                },
+            ),
+            constants.AWAIT_TRANSACTION_MINED_MS,
+        );
 
         const defaultOrderParams = {
             ...constants.STATIC_ORDER_PARAMS,
@@ -334,6 +352,29 @@ describe('MixinSignatureValidator', () => {
             expect(isValidSignature).to.be.false();
         });
 
+        it('should revert when `isValidSignature` attempts to update state and SignatureType=Wallet', async () => {
+            // Create EIP712 signature
+            const orderHashHex = orderHashUtils.getOrderHashHex(signedOrder);
+            const orderHashBuffer = ethUtil.toBuffer(orderHashHex);
+            const ecSignature = ethUtil.ecsign(orderHashBuffer, signerPrivateKey);
+            // Create 0x signature from EIP712 signature
+            const signature = Buffer.concat([
+                ethUtil.toBuffer(ecSignature.v),
+                ecSignature.r,
+                ecSignature.s,
+                ethUtil.toBuffer(`0x${SignatureType.Wallet}`),
+            ]);
+            const signatureHex = ethUtil.bufferToHex(signature);
+            await expectContractCallFailed(
+                signatureValidator.publicIsValidSignature.callAsync(
+                    orderHashHex,
+                    maliciousWallet.address,
+                    signatureHex,
+                ),
+                RevertReason.WalletError,
+            );
+        });
+
         it('should return true when SignatureType=Validator, signature is valid and validator is approved', async () => {
             const validatorAddress = ethUtil.toBuffer(`${testValidator.address}`);
             const signatureType = ethUtil.toBuffer(`0x${SignatureType.Validator}`);
@@ -364,6 +405,17 @@ describe('MixinSignatureValidator', () => {
             expect(isValidSignature).to.be.false();
         });
 
+        it('should revert when `isValidSignature` attempts to update state and SignatureType=Validator', async () => {
+            const validatorAddress = ethUtil.toBuffer(`${maliciousValidator.address}`);
+            const signatureType = ethUtil.toBuffer(`0x${SignatureType.Validator}`);
+            const signature = Buffer.concat([validatorAddress, signatureType]);
+            const signatureHex = ethUtil.bufferToHex(signature);
+            const orderHashHex = orderHashUtils.getOrderHashHex(signedOrder);
+            await expectContractCallFailed(
+                signatureValidator.publicIsValidSignature.callAsync(orderHashHex, signerAddress, signatureHex),
+                RevertReason.ValidatorError,
+            );
+        });
         it('should return false when SignatureType=Validator, signature is valid and validator is not approved', async () => {
             // Set approval of signature validator to false
             await web3Wrapper.awaitTransactionSuccessAsync(
diff --git a/packages/contracts/test/utils/artifacts.ts b/packages/contracts/test/utils/artifacts.ts
index e8a7585ac..2f6fcef71 100644
--- a/packages/contracts/test/utils/artifacts.ts
+++ b/packages/contracts/test/utils/artifacts.ts
@@ -23,6 +23,7 @@ import * as TestExchangeInternals from '../../artifacts/TestExchangeInternals.js
 import * as TestLibBytes from '../../artifacts/TestLibBytes.json';
 import * as TestLibs from '../../artifacts/TestLibs.json';
 import * as TestSignatureValidator from '../../artifacts/TestSignatureValidator.json';
+import * as TestStaticCallReceiver from '../../artifacts/TestStaticCallReceiver.json';
 import * as TokenRegistry from '../../artifacts/TokenRegistry.json';
 import * as Validator from '../../artifacts/Validator.json';
 import * as Wallet from '../../artifacts/Wallet.json';
@@ -55,6 +56,7 @@ export const artifacts = {
     TestLibs: (TestLibs as any) as ContractArtifact,
     TestExchangeInternals: (TestExchangeInternals as any) as ContractArtifact,
     TestSignatureValidator: (TestSignatureValidator as any) as ContractArtifact,
+    TestStaticCallReceiver: (TestStaticCallReceiver as any) as ContractArtifact,
     Validator: (Validator as any) as ContractArtifact,
     Wallet: (Wallet as any) as ContractArtifact,
     TokenRegistry: (TokenRegistry as any) as ContractArtifact,