Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added Test Cases per Zellic audit questions #138

Merged
merged 4 commits into from
Sep 21, 2023
Merged

Added Test Cases per Zellic audit questions #138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5d3735f
add calldata length tests
Sep 20, 2023
484e2a2
sessionData length check
Sep 20, 2023
55dd038
cleanup
Sep 21, 2023
38e283a
linting
Sep 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions contracts/smart-account/modules/BatchedSessionRouterModule.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,8 @@ contract BatchedSessionRouter is BaseAuthorizationModule {
) = abi.decode(userOp.callData[4:], (address[], uint256[], bytes[]));

uint256 length = sessionData.length;
require(length == destinations.length, "Lengths mismatch");

// iterate over batched operations
for (uint256 i; i < length; ) {
// validate the sessionKey
Expand Down
16 changes: 13 additions & 3 deletions contracts/smart-account/modules/SessionValidationModules/ERC20SessionValidationModule.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ contract ERC20SessionValidationModule is ISessionValidationModule {
* @param callValue value to be sent with the call
* @param _funcCallData the data for the call. is parsed inside the SVM
* @param _sessionKeyData SessionKey data, that describes sessionKey permissions
* param _callSpecificData additional data, for example some proofs if the SVM utilizes merkle trees itself
* for example to store a list of allowed tokens or receivers
*/
function validateSessionParams(
address destinationContract,
Expand Down Expand Up @@ -70,7 +72,6 @@ contract ERC20SessionValidationModule is ISessionValidationModule {
bytes4(_op.callData[0:4]) == EXECUTE_SELECTOR,
"ERC20SV Invalid Selector"
);

(
address sessionKey,
address token,
Expand All @@ -94,20 +95,29 @@ contract ERC20SessionValidationModule is ISessionValidationModule {
// working with userOp.callData
// check if the call is to the allowed recepient and amount is not more than allowed
bytes calldata data;

{
//offset represents where does the inner bytes array start
uint256 offset = uint256(bytes32(_op.callData[4 + 64:4 + 96]));
uint256 length = uint256(
bytes32(_op.callData[4 + offset:4 + offset + 32])
);
//we expect data to be the `IERC20.transfer(address, uint256)` calldata
data = _op.callData[4 + offset + 32:4 + offset + 32 + length];
}
if (address(bytes20(data[16:36])) != recipient) {

(address recipientCalled, uint256 amount) = abi.decode(
data[4:],
(address, uint256)
);

if (recipientCalled != recipient) {
revert("ERC20SV Wrong Recipient");
}
if (uint256(bytes32(data[36:68])) > maxAmount) {
if (amount > maxAmount) {
revert("ERC20SV Max Amount Exceeded");
}

return
ECDSA.recover(
ECDSA.toEthSignedMessageHash(_userOpHash),
Expand Down
Loading
Loading