Closes #224: transaction guard (#276)

rmeissner · web-flow · commit 8e9c840c99cb · 2021-03-17T14:26:04.000+01:00
diff --git a/benchmark/GnosisSafe.ERC1155.spec.ts b/benchmark/GnosisSafe.ERC1155.spec.ts
@@ -9,11 +9,11 @@ const [, , , , user5] = waffle.provider.getWallets();
 
 benchmark("ERC1155", [{
     name: "transfer",
-    prepare: async (contracts: Contracts, target: string) => {
+    prepare: async (contracts: Contracts, target: string, nonce: number) => {
         const token = contracts.additions.token
         await token.mint(target, 23, 1337, "0x")
         const data = token.interface.encodeFunctionData("safeTransferFrom", [target, user5.address, 23, 500, "0x"])
-        return buildSafeTransaction({ to: token.address, data, safeTxGas: 1000000, nonce: 0 })
+        return buildSafeTransaction({ to: token.address, data, safeTxGas: 1000000, nonce })
     },
     after: async (contracts: Contracts) => {
         expect(
diff --git a/benchmark/GnosisSafe.ERC20.spec.ts b/benchmark/GnosisSafe.ERC20.spec.ts
@@ -9,11 +9,11 @@ const [, , , , user5] = waffle.provider.getWallets();
 
 benchmark("ERC20", [{
     name: "transfer",
-    prepare: async (contracts: Contracts, target: string) => {
+    prepare: async (contracts: Contracts, target: string, nonce: number) => {
         const token = contracts.additions.token
         await token.transfer(target, 1000)
         const data = token.interface.encodeFunctionData("transfer", [user5.address, 500])
-        return buildSafeTransaction({ to: token.address, data, safeTxGas: 1000000, nonce: 0 })
+        return buildSafeTransaction({ to: token.address, data, safeTxGas: 1000000, nonce })
     },
     after: async (contracts: Contracts) => {
         expect(
diff --git a/benchmark/GnosisSafe.Ether.spec.ts b/benchmark/GnosisSafe.Ether.spec.ts
@@ -10,11 +10,11 @@ const [user1] = waffle.provider.getWallets();
 
 benchmark("Ether", [{
     name: "transfer",
-    prepare: async (_, target: string) => {
+    prepare: async (_, target: string, nonce: number) => {
         // Create account, as we don't want to test this in the benchmark
         await user1.sendTransaction({ to: testTarget, value: 1 })
         await user1.sendTransaction({ to: target, value: 1000 })
-        return buildSafeTransaction({ to: testTarget, value: 500, safeTxGas: 1000000, nonce: 0 })
+        return buildSafeTransaction({ to: testTarget, value: 500, safeTxGas: 1000000, nonce })
     },
     after: async () => {
         expect(
diff --git a/benchmark/GnosisSafe.Proxy.spec.ts b/benchmark/GnosisSafe.Proxy.spec.ts
@@ -10,10 +10,10 @@ const testTarget = "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE"
 
 benchmark("Proxy", [{
     name: "creation",
-    prepare: async (contracts) => {
+    prepare: async (contracts,_,nonce) => {
         const factory = contracts.additions.factory
         const data = factory.interface.encodeFunctionData("createProxy", [testTarget, "0x"])
-        return buildSafeTransaction({ to: factory.address, data, safeTxGas: 1000000, nonce: 0 })
+        return buildSafeTransaction({ to: factory.address, data, safeTxGas: 1000000, nonce })
     },
     fixture: async () => {
         return {
diff --git a/benchmark/utils/setup.ts b/benchmark/utils/setup.ts
@@ -1,9 +1,10 @@
 import { expect } from "chai";
-import { deployments, waffle } from "hardhat";
+import hre, { deployments, waffle } from "hardhat";
 import "@nomiclabs/hardhat-ethers";
 import { getDefaultCallbackHandler, getSafeWithOwners } from "../../test/utils/setup";
-import { logGas, executeTx, SafeTransaction, safeSignTypedData, SafeSignature } from "../../test/utils/execution";
+import { logGas, executeTx, SafeTransaction, safeSignTypedData, SafeSignature, executeContractCallWithSigners } from "../../test/utils/execution";
 import { Wallet, Contract } from "ethers";
+import { AddressZero } from "@ethersproject/constants";
 
 const [user1, user2, user3, user4, user5] = waffle.provider.getWallets();
 
@@ -12,24 +13,29 @@ export interface Contracts {
     additions: any | undefined
 }
 
-const generateTarget = async (owners: Wallet[], threshold: number) => {
+const generateTarget = async (owners: Wallet[], threshold: number, guardAddress: string) => {
     const fallbackHandler = await getDefaultCallbackHandler()
-    return await getSafeWithOwners(owners.map((owner) => owner.address), threshold, fallbackHandler.address)
+    const safe = await getSafeWithOwners(owners.map((owner) => owner.address), threshold, fallbackHandler.address)
+    await executeContractCallWithSigners(safe, safe, "setGuard", [guardAddress], owners)
+    return safe
 }
 
 export const configs = [
     { name: "single owner", signers: [user1], threshold: 1 },
-    { name: "2 out of 2", signers: [user1, user2], threshold: 2 },
+    { name: "single owner and guard", signers: [user1], threshold: 1, useGuard: true },
+    { name: "2 out of 23", signers: [user1, user2], threshold: 2 },
     { name: "3 out of 3", signers: [user1, user2, user3], threshold: 3 },
     { name: "3 out of 5", signers: [user1, user2, user3, user4, user5], threshold: 3 },
 ]
 
 const setupBenchmarkContracts = async (benchmarkFixture?: () => Promise<any>) => {
     return await deployments.createFixture(async ({ deployments }) => {
         await deployments.fixture();
+        const guardFactory = await hre.ethers.getContractFactory("DelegateCallTransactionGuard");
+        const guard = await guardFactory.deploy(AddressZero)
         const targets = []
         for (const config of configs) {
-            targets.push(await generateTarget(config.signers, config.threshold))
+            targets.push(await generateTarget(config.signers, config.threshold, config.useGuard ? guard.address : AddressZero))
         }
         return {
             targets,
@@ -40,7 +46,7 @@ const setupBenchmarkContracts = async (benchmarkFixture?: () => Promise<any>) =>
 
 export interface Benchmark {
     name: string,
-    prepare: (contracts: Contracts, target: string) => Promise<SafeTransaction>,
+    prepare: (contracts: Contracts, target: string, nonce: number) => Promise<SafeTransaction>,
     after?: (contracts: Contracts) => Promise<void>,
     fixture?: () => Promise<any>
 }
@@ -52,7 +58,7 @@ export const benchmark = async (topic: string, benchmarks: Benchmark[]) => {
         describe(`${topic} - ${name}`, async () => {
             it("with an EOA", async () => {
                 const contracts = await contractSetup()
-                const tx = await prepare(contracts, user2.address)
+                const tx = await prepare(contracts, user2.address, 0)
                 await logGas(name, user2.sendTransaction({
                     to: tx.to,
                     value: tx.value,
@@ -65,7 +71,8 @@ export const benchmark = async (topic: string, benchmarks: Benchmark[]) => {
                 it(`with a ${config.name} Safe`, async () => {
                     const contracts = await contractSetup()
                     const target = contracts.targets[i]
-                    const tx = await prepare(contracts, target.address)
+                    const nonce = await target.nonce();
+                    const tx = await prepare(contracts, target.address, nonce)
                     const threshold = await target.getThreshold()
                     const sigs: SafeSignature[] = await Promise.all(config.signers.slice(0, threshold).map(async (signer) => {
                         return await safeSignTypedData(signer, target, tx)
diff --git a/contracts/GnosisSafe.sol b/contracts/GnosisSafe.sol
@@ -4,6 +4,7 @@ pragma solidity >=0.7.0 <0.9.0;
 import "./base/ModuleManager.sol";
 import "./base/OwnerManager.sol";
 import "./base/FallbackManager.sol";
+import "./base/GuardManager.sol";
 import "./common/EtherPaymentFallback.sol";
 import "./common/Singleton.sol";
 import "./common/SignatureDecoder.sol";
@@ -16,7 +17,7 @@ import "./external/GnosisSafeMath.sol";
 /// @author Stefan George - <stefan@gnosis.io>
 /// @author Richard Meissner - <richard@gnosis.io>
 contract GnosisSafe
-    is EtherPaymentFallback, Singleton, ModuleManager, OwnerManager, SignatureDecoder, SecuredTokenTransfer, ISignatureValidatorConstants, FallbackManager, StorageAccessible {
+    is EtherPaymentFallback, Singleton, ModuleManager, OwnerManager, SignatureDecoder, SecuredTokenTransfer, ISignatureValidatorConstants, FallbackManager, StorageAccessible, GuardManager {
 
     using GnosisSafeMath for uint256;
 
@@ -142,6 +143,16 @@ contract GnosisSafe
             txHash = keccak256(txHashData);
             checkSignatures(txHash, txHashData, signatures);
         }
+        {
+            address guard = getGuard();
+            if (guard != address(0)) {
+                Guard(guard).checkTransaction(
+                    to, value, data, operation, // Transaction info
+                    safeTxGas, baseGas, gasPrice, gasToken, refundReceiver, // Payment info
+                    signatures, msg.sender
+                );
+            }
+        }
         // We require some gas to emit the events (at least 2500) after the execution and some to perform code until the execution (500)
         // We also include the 1/64 in the check that is not send along with a call to counteract potential shortings because of EIP-150
         require(gasleft() >= (safeTxGas * 64 / 63).max(safeTxGas + 2500) + 500, "Not enough gas to execute safe transaction");
diff --git a/contracts/base/GuardManager.sol b/contracts/base/GuardManager.sol
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+pragma solidity >=0.7.0 <0.9.0;
+
+import "../common/Enum.sol";
+import "../common/SelfAuthorized.sol";
+
+interface Guard {
+    function checkTransaction(
+        address to,
+        uint256 value,
+        bytes memory data,
+        Enum.Operation operation,
+        uint256 safeTxGas,
+        uint256 baseGas,
+        uint256 gasPrice,
+        address gasToken,
+        address payable refundReceiver,
+        bytes memory signatures,
+        address msgSender
+    ) external;
+}
+
+/// @title Fallback Manager - A contract that manages fallback calls made to this contract
+/// @author Richard Meissner - <richard@gnosis.pm>
+contract GuardManager is SelfAuthorized {
+    // keccak256("guard_manager.guard.address")
+    bytes32 internal constant GUARD_STORAGE_SLOT =
+        0x4a204f620c8c5ccdca3fd54d003badd85ba500436a431f0cbda4f558c93c34c8;
+
+    /// @dev Set a guard that checks transactions before execution
+    /// @param guard The address of the guard to be used or the 0 address to disable the guard
+    function setGuard(address guard)
+        external
+        authorized
+    {
+        bytes32 slot = GUARD_STORAGE_SLOT;
+        // solium-disable-next-line security/no-inline-assembly
+        assembly {
+            sstore(slot, guard)
+        }
+    }
+
+    function getGuard()
+        internal
+        view
+        returns (address guard)
+    {
+        bytes32 slot = GUARD_STORAGE_SLOT;
+        // solium-disable-next-line security/no-inline-assembly
+        assembly {
+            guard := sload(slot)
+        }
+    }
+}
diff --git a/contracts/guards/DelegateCallTransactionGuard.sol b/contracts/guards/DelegateCallTransactionGuard.sol
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: LGPL-3.0-only
+pragma solidity >=0.7.0 <0.9.0;
+
+import "../common/Enum.sol";
+import "../base/GuardManager.sol";
+import "../GnosisSafe.sol";
+
+contract DelegateCallTransactionGuard is Guard {
+
+    address immutable public allowedTarget;
+
+    constructor(address target) {
+        allowedTarget = target;
+    }
+
+    fallback() external {
+        // We don't revert on fallback to avoid issues in case of a Safe upgrade
+        // E.g. The expected check method might change and then the Safe would be locked.
+    }
+
+    function checkTransaction(
+        address to,
+        uint256,
+        bytes memory,
+        Enum.Operation operation,
+        uint256,
+        uint256,
+        uint256,
+        address,
+        address payable,
+        bytes memory,
+        address
+    ) override external view {
+        require(operation != Enum.Operation.DelegateCall || to == allowedTarget, "This call is restricted");
+    }
+}
diff --git a/test/core/GnosisSafe.GuardManager.spec.ts b/test/core/GnosisSafe.GuardManager.spec.ts
@@ -0,0 +1,75 @@
+import { expect } from "chai";
+import hre, { deployments, waffle, ethers } from "hardhat";
+import { BigNumber } from "ethers";
+import "@nomiclabs/hardhat-ethers";
+import { AddressZero } from "@ethersproject/constants";
+import { getMock, getSafeWithOwners } from "../utils/setup";
+import { buildSafeTransaction, buildSignatureBytes, executeContractCallWithSigners, executeTx, safeApproveHash } from "../utils/execution";
+
+describe("GuardManager", async () => {
+
+    const [user1, user2] = waffle.provider.getWallets();
+
+    const setupWithTemplate = deployments.createFixture(async ({ deployments }) => {
+        await deployments.fixture();
+        const mock = await getMock();
+        const safe = await getSafeWithOwners([user2.address])
+        await executeContractCallWithSigners(safe, safe, "setGuard", [mock.address], [user2])
+        return {
+            safe,
+            mock
+        }
+    })
+
+    describe("setGuard", async () => {
+
+        it('is correctly set', async () => {
+            const { safe, mock } = await setupWithTemplate()
+
+            const slot = ethers.utils.keccak256(ethers.utils.toUtf8Bytes("guard_manager.guard.address"))
+
+            await executeContractCallWithSigners(safe, safe, "setGuard", [AddressZero], [user2])
+
+            // Check fallback handler
+            await expect(
+                await hre.ethers.provider.getStorageAt(safe.address, slot)
+            ).to.be.eq("0x" + "".padStart(64, "0"))
+
+            await executeContractCallWithSigners(safe, safe, "setGuard", [mock.address], [user2])
+
+            // Check fallback handler
+            await expect(
+                await hre.ethers.provider.getStorageAt(safe.address, slot)
+            ).to.be.eq("0x" + mock.address.toLowerCase().slice(2).padStart(64, "0"))
+        })
+
+        it('reverts if the guard reverts', async () => {
+            const { safe, mock } = await setupWithTemplate()
+
+            const safeTx = buildSafeTransaction({ to: mock.address, data: "0xbaddad42", nonce: 1 })
+            const signature = await safeApproveHash(user2, safe, safeTx)
+            const signatureBytes = buildSignatureBytes([signature])
+            const guardInterface = (await hre.ethers.getContractAt("Guard", mock.address)).interface
+            const checkData = guardInterface.encodeFunctionData("checkTransaction", [
+                safeTx.to, safeTx.value, safeTx.data, safeTx.operation, safeTx.safeTxGas,
+                safeTx.baseGas, safeTx.gasPrice, safeTx.gasToken, safeTx.refundReceiver,
+                signatureBytes, user1.address
+            ])
+            await mock.givenCalldataRevertWithMessage(checkData, "Computer says Nah")
+
+            await expect(
+                executeTx(safe, safeTx, [signature])
+            ).to.be.revertedWith("Computer says Nah")
+
+            await mock.reset()
+
+            await expect(
+                executeTx(safe, safeTx, [signature])
+            ).to.emit(safe, "ExecutionSuccess")
+
+            expect(await mock.callStatic.invocationCount()).to.be.deep.equals(BigNumber.from(2));
+            expect(await mock.callStatic.invocationCountForCalldata(checkData)).to.be.deep.equals(BigNumber.from(1));
+            expect(await mock.callStatic.invocationCountForCalldata("0xbaddad42")).to.be.deep.equals(BigNumber.from(1));
+        })
+    })
+})
diff --git a/test/guards/DelegateCallTransactionGuard.spec.ts b/test/guards/DelegateCallTransactionGuard.spec.ts
