From a92dc2e54cf1ccea571ea6e816688806785e0a87 Mon Sep 17 00:00:00 2001
From: byshape
Date: Thu, 1 Aug 2024 16:21:21 +0100
Subject: [PATCH 1/2] Add security contact
---
 .gas-snapshot | 12 ++++++------
 contracts/BaseEscrow.sol | 1 +
 contracts/BaseEscrowFactory.sol | 1 +
 contracts/Escrow.sol | 1 +
 contracts/EscrowDst.sol | 1 +
 contracts/EscrowFactory.sol | 1 +
 contracts/EscrowSrc.sol | 1 +
 contracts/MerkleStorageInvalidator.sol | 1 +
 contracts/interfaces/IBaseEscrow.sol | 1 +
 contracts/interfaces/IEscrow.sol | 1 +
 contracts/interfaces/IEscrowDst.sol | 1 +
 contracts/interfaces/IEscrowFactory.sol | 1 +
 contracts/interfaces/IEscrowSrc.sol | 1 +
 contracts/interfaces/IMerkleStorageInvalidator.sol | 1 +
 contracts/interfaces/IResolverMock.sol | 1 +
 contracts/libraries/ImmutablesLib.sol | 1 +
 contracts/libraries/ProxyHashLib.sol | 1 +
 contracts/libraries/TimelocksLib.sol | 2 ++
 contracts/zkSync/EscrowDstZkSync.sol | 1 +
 contracts/zkSync/EscrowFactoryZkSync.sol | 1 +
 contracts/zkSync/EscrowSrcZkSync.sol | 1 +
 contracts/zkSync/EscrowZkSync.sol | 1 +
 contracts/zkSync/MinimalProxyZkSync.sol | 1 +
 contracts/zkSync/ZkSyncLib.sol | 1 +
 24 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/.gas-snapshot b/.gas-snapshot
index 363a35c..3c17812 100644
--- a/.gas-snapshot
+++ b/.gas-snapshot
@@ -9,7 +9,7 @@ EscrowFactoryTest:test_NoUnsafeDeploymentForTaker() (gas: 34474)
 EscrowTest:test_CancelDst() (gas: 116028)
 EscrowTest:test_CancelDstDifferentTarget() (gas: 143286)
 EscrowTest:test_CancelDstWithNativeToken() (gas: 93622)
-EscrowTest:test_CancelPublicSrc() (gas: 165457)
+EscrowTest:test_CancelPublicSrc() (gas: 165442)
 EscrowTest:test_CancelResolverSrc() (gas: 168586)
 EscrowTest:test_CancelResolverSrcReceiver() (gas: 179340)
 EscrowTest:test_NoAnyoneCancelDuringResolverCancelSrc() (gas: 163829)
@@ -27,13 +27,13 @@ EscrowTest:test_NoPublicWithdrawalOutsideOfAllowedPeriodSrc() (gas: 169069)
 EscrowTest:test_NoRescueFundsByAnyoneDst() (gas: 176275)
 EscrowTest:test_NoRescueFundsByAnyoneSrc() (gas: 209062)
 EscrowTest:test_NoRescueFundsEarlierDst() (gas: 175685)
-EscrowTest:test_NoRescueFundsEarlierSrc() (gas: 209019)
+EscrowTest:test_NoRescueFundsEarlierSrc() (gas: 208959)
 EscrowTest:test_NoWithdrawalByAnyoneSrc() (gas: 160840)
 EscrowTest:test_NoWithdrawalByNonResolverDst() (gas: 121384)
 EscrowTest:test_NoWithdrawalOutsideOfAllowedPeriodDst() (gas: 126271)
 EscrowTest:test_NoWithdrawalOutsideOfAllowedPeriodSrc() (gas: 169623)
 EscrowTest:test_NoWithdrawalWithWrongSecretDst() (gas: 122749)
-EscrowTest:test_NoWithdrawalWithWrongSecretSrc() (gas: 164438)
+EscrowTest:test_NoWithdrawalWithWrongSecretSrc() (gas: 164468)
 EscrowTest:test_PublicWithdrawSrc() (gas: 181729)
 EscrowTest:test_RescueFundsDst() (gas: 158179)
 EscrowTest:test_RescueFundsDstNative() (gas: 186642)
@@ -50,11 +50,11 @@ IntegrationEscrowFactoryTest:test_NoInsufficientBalanceDeploymentForMakerInt() (
 IntegrationResolverMockTest:test_MockCancelDst() (gas: 157108)
 IntegrationResolverMockTest:test_MockCancelSrc() (gas: 353946)
 IntegrationResolverMockTest:test_MockDeployDst() (gas: 151449)
-IntegrationResolverMockTest:test_MockDeploySrc() (gas: 365042)
+IntegrationResolverMockTest:test_MockDeploySrc() (gas: 364909)
 IntegrationResolverMockTest:test_MockPublicCancelSrc() (gas: 392497)
 IntegrationResolverMockTest:test_MockPublicWithdrawDst() (gas: 164765)
 IntegrationResolverMockTest:test_MockRescueFundsDst() (gas: 161014)
-IntegrationResolverMockTest:test_MockRescueFundsSrc() (gas: 382547)
+IntegrationResolverMockTest:test_MockRescueFundsSrc() (gas: 382586)
 IntegrationResolverMockTest:test_MockWithdrawDst() (gas: 182848)
 IntegrationResolverMockTest:test_MockWithdrawToSrc() (gas: 354840)
 MerkleStorageInvalidatorIntTest:test_MultipleFillsFillAllExtra() (gas: 923993)
@@ -66,7 +66,7 @@ MerkleStorageInvalidatorIntTest:test_MultipleFillsNoDeploymentWithoutValidation(
 MerkleStorageInvalidatorIntTest:test_MultipleFillsNoReuseOfSecrets() (gas: 1002770)
 MerkleStorageInvalidatorIntTest:test_MultipleFillsNoSecondDeploymentWithTheSameIndex() (gas: 778560)
 MerkleStorageInvalidatorIntTest:test_MultipleFillsOddDivision() (gas: 443533)
-MerkleStorageInvalidatorIntTest:test_MultipleFillsOneFill() (gas: 707769)
+MerkleStorageInvalidatorIntTest:test_MultipleFillsOneFill() (gas: 707799)
 MerkleStorageInvalidatorIntTest:test_MultipleFillsTwoFills() (gas: 921506)
 TimelocksLibTest:test_NoTimelocksOverflow() (gas: 133743)
 TimelocksLibTest:test_getStartTimestamps() (gas: 16180)
diff --git a/contracts/BaseEscrow.sol b/contracts/BaseEscrow.sol
index df85286..6333f6b 100644
--- a/contracts/BaseEscrow.sol
+++ b/contracts/BaseEscrow.sol
@@ -14,6 +14,7 @@ import { IBaseEscrow } from "./interfaces/IBaseEscrow.sol";
 /**
 * @title Base abstract Escrow contract for cross-chain atomic swap.
 * @dev {IBaseEscrow-withdraw}, {IBaseEscrow-cancel} and _validateImmutables functions must be implemented in the derived contracts.
+ * @custom:security-contact security@1inch.io
 */
 abstract contract BaseEscrow is IBaseEscrow {
 using AddressLib for Address;
diff --git a/contracts/BaseEscrowFactory.sol b/contracts/BaseEscrowFactory.sol
index aa36f42..a284d66 100644
--- a/contracts/BaseEscrowFactory.sol
+++ b/contracts/BaseEscrowFactory.sol
@@ -24,6 +24,7 @@ import { MerkleStorageInvalidator } from "./MerkleStorageInvalidator.sol";
 * @title Abstract contract for escrow factory
 * @notice Contract to create escrow contracts for cross-chain atomic swap.
 * @dev Immutable variables must be set in the constructor of the derived contracts.
+ * @custom:security-contact security@1inch.io
 */
 abstract contract BaseEscrowFactory is IEscrowFactory, ResolverValidationExtension, MerkleStorageInvalidator {
 using AddressLib for Address;
diff --git a/contracts/Escrow.sol b/contracts/Escrow.sol
index 78cefaa..a018c9d 100644
--- a/contracts/Escrow.sol
+++ b/contracts/Escrow.sol
@@ -13,6 +13,7 @@ import { BaseEscrow } from "./BaseEscrow.sol";
 /**
 * @title Abstract Escrow contract for cross-chain atomic swap.
 * @dev {IBaseEscrow-withdraw} and {IBaseEscrow-cancel} functions must be implemented in the derived contracts.
+ * @custom:security-contact security@1inch.io
 */
 abstract contract Escrow is BaseEscrow, IEscrow {
 using ImmutablesLib for Immutables;
diff --git a/contracts/EscrowDst.sol b/contracts/EscrowDst.sol
index 5abd37f..19fe2a1 100644
--- a/contracts/EscrowDst.sol
+++ b/contracts/EscrowDst.sol
@@ -17,6 +17,7 @@ import { Escrow } from "./Escrow.sol";
 * @notice Contract to initially lock funds and then unlock them with verification of the secret presented.
 * @dev Funds are locked in at the time of contract deployment. For this taker calls the `EscrowFactory.createDstEscrow` function.
 * To perform any action, the caller must provide the same Immutables values used to deploy the clone contract.
+ * @custom:security-contact security@1inch.io
 */
 contract EscrowDst is Escrow, IEscrowDst {
 using SafeERC20 for IERC20;
diff --git a/contracts/EscrowFactory.sol b/contracts/EscrowFactory.sol
index b71e62b..7cd04ce 100644
--- a/contracts/EscrowFactory.sol
+++ b/contracts/EscrowFactory.sol
@@ -18,6 +18,7 @@ import { MerkleStorageInvalidator } from "./MerkleStorageInvalidator.sol";
 /**
 * @title Escrow Factory contract
 * @notice Contract to create escrow contracts for cross-chain atomic swap.
+ * @custom:security-contact security@1inch.io
 */
 contract EscrowFactory is BaseEscrowFactory {
 constructor(
diff --git a/contracts/EscrowSrc.sol b/contracts/EscrowSrc.sol
index df78cbe..3dbc7fd 100644
--- a/contracts/EscrowSrc.sol
+++ b/contracts/EscrowSrc.sol
@@ -19,6 +19,7 @@ import { Escrow } from "./Escrow.sol";
 * @dev Funds are locked in at the time of contract deployment. For this Limit Order Protocol
 * calls the `EscrowFactory.postInteraction` function.
 * To perform any action, the caller must provide the same Immutables values used to deploy the clone contract.
+ * @custom:security-contact security@1inch.io
 */
 contract EscrowSrc is Escrow, IEscrowSrc {
 using AddressLib for Address;
diff --git a/contracts/MerkleStorageInvalidator.sol b/contracts/MerkleStorageInvalidator.sol
index ce27fb6..cc23c96 100644
--- a/contracts/MerkleStorageInvalidator.sol
+++ b/contracts/MerkleStorageInvalidator.sol
@@ -14,6 +14,7 @@ import { SRC_IMMUTABLES_LENGTH } from "./EscrowFactoryContext.sol"; // solhint-d
 /**
 * @title Merkle Storage Invalidator contract
 * @notice Contract to invalidate hashed secrets from an order that supports multiple fills.
+ * @custom:security-contact security@1inch.io
 */
 contract MerkleStorageInvalidator is IMerkleStorageInvalidator, ITakerInteraction {
 using MerkleProof for bytes32[];
diff --git a/contracts/interfaces/IBaseEscrow.sol b/contracts/interfaces/IBaseEscrow.sol
index 0e49513..b0af116 100644
--- a/contracts/interfaces/IBaseEscrow.sol
+++ b/contracts/interfaces/IBaseEscrow.sol
@@ -9,6 +9,7 @@ import { Timelocks } from "../libraries/TimelocksLib.sol";
 /**
 * @title Base Escrow interface for cross-chain atomic swap.
 * @notice Interface implies locking funds initially and then unlocking them with verification of the secret presented.
+ * @custom:security-contact security@1inch.io
 */
 interface IBaseEscrow {
 struct Immutables {
diff --git a/contracts/interfaces/IEscrow.sol b/contracts/interfaces/IEscrow.sol
index b1673bc..3145851 100644
--- a/contracts/interfaces/IEscrow.sol
+++ b/contracts/interfaces/IEscrow.sol
@@ -7,6 +7,7 @@ import { IBaseEscrow } from "./IBaseEscrow.sol";
 /**
 * @title Escrow interface for cross-chain atomic swap.
 * @notice Interface implies locking funds initially and then unlocking them with verification of the secret presented.
+ * @custom:security-contact security@1inch.io
 */
 interface IEscrow is IBaseEscrow {
 /// @notice Returns the bytecode hash of the proxy contract.
diff --git a/contracts/interfaces/IEscrowDst.sol b/contracts/interfaces/IEscrowDst.sol
index ff63e27..e256837 100644
--- a/contracts/interfaces/IEscrowDst.sol
+++ b/contracts/interfaces/IEscrowDst.sol
@@ -7,6 +7,7 @@ import { IEscrow } from "./IEscrow.sol";
 /**
 * @title Destination Escrow interface for cross-chain atomic swap.
 * @notice Interface implies withdrawing funds initially and then unlocking them with verification of the secret presented.
+ * @custom:security-contact security@1inch.io
 */
 interface IEscrowDst is IEscrow {
 /**
diff --git a/contracts/interfaces/IEscrowFactory.sol b/contracts/interfaces/IEscrowFactory.sol
index 219c279..90661fa 100644
--- a/contracts/interfaces/IEscrowFactory.sol
+++ b/contracts/interfaces/IEscrowFactory.sol
@@ -11,6 +11,7 @@ import { IBaseEscrow } from "./IBaseEscrow.sol";
 /**
 * @title Escrow Factory interface for cross-chain atomic swap.
 * @notice Interface to deploy escrow contracts for the destination chain and to get the deterministic address of escrow on both chains.
+ * @custom:security-contact security@1inch.io
 */
 interface IEscrowFactory {
 struct ExtraDataArgs {
diff --git a/contracts/interfaces/IEscrowSrc.sol b/contracts/interfaces/IEscrowSrc.sol
index 320034f..cc8684f 100644
--- a/contracts/interfaces/IEscrowSrc.sol
+++ b/contracts/interfaces/IEscrowSrc.sol
@@ -7,6 +7,7 @@ import { IEscrow } from "./IEscrow.sol"; /** * @title Source Escrow interface for cross-chain atomic swap. * @notice Interface implies locking funds initially and then unlocking them with verification of the secret presented. + * @custom:security-contact security@1inch.io */ interface IEscrowSrc is IEscrow { /** diff --git a/contracts/interfaces/IMerkleStorageInvalidator.sol b/contracts/interfaces/IMerkleStorageInvalidator.sol index 72273d6..d157957 100644 --- a/contracts/interfaces/IMerkleStorageInvalidator.sol +++ b/contracts/interfaces/IMerkleStorageInvalidator.sol @@ -5,6 +5,7 @@ pragma solidity 0.8.23; /** * @title Merkle Storage Invalidator interface * @notice Interface to invalidate hashed secrets from an order that supports multiple fills. + * @custom:security-contact security@1inch.io */ interface IMerkleStorageInvalidator { struct LastValidated { diff --git a/contracts/interfaces/IResolverMock.sol b/contracts/interfaces/IResolverMock.sol index 4fbf5e8..0b00b7b 100644 --- a/contracts/interfaces/IResolverMock.sol +++ b/contracts/interfaces/IResolverMock.sol @@ -9,6 +9,7 @@ import { IBaseEscrow } from "../interfaces/IBaseEscrow.sol"; /** * @title Interface for the sample implementation of a Resolver contract for cross-chain swap. + * @custom:security-contact security@1inch.io */ interface IResolverMock { error InvalidLength(); diff --git a/contracts/libraries/ImmutablesLib.sol b/contracts/libraries/ImmutablesLib.sol index 1faaa8e..569d856 100644 --- a/contracts/libraries/ImmutablesLib.sol +++ b/contracts/libraries/ImmutablesLib.sol @@ -6,6 +6,7 @@ import { IBaseEscrow } from "../interfaces/IBaseEscrow.sol"; /** * @title Library for escrow immutables. + * @custom:security-contact security@1inch.io */ library ImmutablesLib { uint256 internal constant ESCROW_IMMUTABLES_SIZE = 0x100; diff --git a/contracts/libraries/ProxyHashLib.sol b/contracts/libraries/ProxyHashLib.sol index 307c948..6852154 100644 --- a/contracts/libraries/ProxyHashLib.sol 
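Review bot: The `@custom:security-contact security@1inch.io` tag on `IResolverMock` (and on `ResolverExample` in patch 2/2) labels sample code with the project's own reporting address, while both titles describe a sample implementation of a resolver. A resolver operator who copies the sample and deploys it would presumably keep the tag, so reports about that third-party deployment would go to a team that does not control it. I would add one line beside the tag, e.g. ` * @dev Sample code: replace the security contact below before deploying your own resolver.`, or leave the tag off the samples. The interface body continues outside the hunk.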
+++ b/contracts/libraries/ProxyHashLib.sol @@ -4,6 +4,7 @@ pragma solidity ^0.8.20; /** * @title Library to compute the hash of the proxy bytecode. + * @custom:security-contact security@1inch.io */ library ProxyHashLib { /** diff --git a/contracts/libraries/TimelocksLib.sol b/contracts/libraries/TimelocksLib.sol index 299cbb6..396c2bc 100644 --- a/contracts/libraries/TimelocksLib.sol +++ b/contracts/libraries/TimelocksLib.sol @@ -23,6 +23,8 @@ pragma solidity ^0.8.20; * publicWithdrawal: Period when anyone with a secret can withdraw tokens for maker (destination chain). * cancellation: Period when escrow can only be cancelled by the taker. * publicCancellation: Period when escrow can be cancelled by anyone. + * + * @custom:security-contact security@1inch.io */ type Timelocks is uint256; diff --git a/contracts/zkSync/EscrowDstZkSync.sol b/contracts/zkSync/EscrowDstZkSync.sol index 69384b7..c075be2 100644 --- a/contracts/zkSync/EscrowDstZkSync.sol +++ b/contracts/zkSync/EscrowDstZkSync.sol @@ -5,6 +5,7 @@ pragma solidity 0.8.23; import { Escrow, EscrowDst } from "../EscrowDst.sol"; import { EscrowZkSync } from "./EscrowZkSync.sol"; +/// @custom:security-contact security@1inch.io contract EscrowDstZkSync is EscrowDst, EscrowZkSync { constructor(uint32 rescueDelay) EscrowDst(rescueDelay) EscrowZkSync() {} diff --git a/contracts/zkSync/EscrowFactoryZkSync.sol b/contracts/zkSync/EscrowFactoryZkSync.sol index b04b9d6..5bb7fca 100644 --- a/contracts/zkSync/EscrowFactoryZkSync.sol +++ b/contracts/zkSync/EscrowFactoryZkSync.sol @@ -19,6 +19,7 @@ import { ZkSyncLib } from "./ZkSyncLib.sol"; /** * @title Escrow Factory contract * @notice Contract to create escrow contracts for cross-chain atomic swap. + * @custom:security-contact security@1inch.io */ contract EscrowFactoryZkSync is BaseEscrowFactory { using ImmutablesLib for IBaseEscrow.Immutables; diff --git a/contracts/zkSync/EscrowSrcZkSync.sol b/contracts/zkSync/EscrowSrcZkSync.sol index 4c8c054..1723679 100644 
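Review bot: In `contracts/libraries/TimelocksLib.sol` the tag is appended to the comment block that documents `type Timelocks is uint256;`, which is a file-level type rather than a contract, library or interface. As far as I know, the compiler's devdoc output is produced per contract-level declaration, so a tag attached to the type would likely not appear for the library in this file; this is worth confirming against the build output. If the `TimelocksLib` library declared further down (outside this hunk) has its own NatSpec block, add ` * @custom:security-contact security@1inch.io` there too.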
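Review bot: `EscrowDstZkSync` now has a NatSpec block that holds only the contact tag, with no `@title` or `@notice`, unlike the non-zkSync contracts in this patch; the same applies to `EscrowSrcZkSync`, `EscrowZkSync` and `MinimalProxyZkSync`. Someone reading the published source gets a reporting address but no statement of what the contract is or how it differs from its base, which makes it harder to scope a report. Suggest a title line above the tag, e.g. `/// @title Destination Escrow contract for cross-chain atomic swap on zkSync` (wording inferred from the contract name, to be confirmed by the author). The contract bodies continue outside the hunks.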
--- a/contracts/zkSync/EscrowSrcZkSync.sol +++ b/contracts/zkSync/EscrowSrcZkSync.sol @@ -5,6 +5,7 @@ pragma solidity 0.8.23; import { Escrow, EscrowSrc } from "../EscrowSrc.sol"; import { EscrowZkSync } from "./EscrowZkSync.sol"; +/// @custom:security-contact security@1inch.io contract EscrowSrcZkSync is EscrowSrc, EscrowZkSync { constructor(uint32 rescueDelay) EscrowSrc(rescueDelay) EscrowZkSync() {} diff --git a/contracts/zkSync/EscrowZkSync.sol b/contracts/zkSync/EscrowZkSync.sol index 950c6b4..38e62c4 100644 --- a/contracts/zkSync/EscrowZkSync.sol +++ b/contracts/zkSync/EscrowZkSync.sol @@ -7,6 +7,7 @@ import { BaseEscrow } from "../BaseEscrow.sol"; import { ImmutablesLib } from "../libraries/ImmutablesLib.sol"; import { ZkSyncLib } from "./ZkSyncLib.sol"; +/// @custom:security-contact security@1inch.io abstract contract EscrowZkSync is BaseEscrow { using ImmutablesLib for Immutables; diff --git a/contracts/zkSync/MinimalProxyZkSync.sol b/contracts/zkSync/MinimalProxyZkSync.sol index efb9115..7f29bd7 100644 --- a/contracts/zkSync/MinimalProxyZkSync.sol +++ b/contracts/zkSync/MinimalProxyZkSync.sol @@ -2,6 +2,7 @@ pragma solidity 0.8.23; +/// @custom:security-contact security@1inch.io contract MinimalProxyZkSync { address private immutable _IMPLEMENTATION; diff --git a/contracts/zkSync/ZkSyncLib.sol b/contracts/zkSync/ZkSyncLib.sol index d0932da..5ec4121 100644 --- a/contracts/zkSync/ZkSyncLib.sol +++ b/contracts/zkSync/ZkSyncLib.sol @@ -4,6 +4,7 @@ pragma solidity ^0.8.20; /** * @title Library for ZkSync contracts. + * @custom:security-contact security@1inch.io */ library ZkSyncLib { // keccak256("zksyncCreate2") From 868cfe6dd350673caaeea8e20521fad86d4f4260 Mon Sep 17 00:00:00 2001 From: byshape Date: Thu, 1 Aug 2024 16:27:31 +0100 Subject: [PATCH 2/2] Add security contact to `ResolverExample` --- contracts/mocks/ResolverExample.sol | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/contracts/mocks/ResolverExample.sol b/contracts/mocks/ResolverExample.sol
index d56f28a..4ec109e 100644
--- a/contracts/mocks/ResolverExample.sol
+++ b/contracts/mocks/ResolverExample.sol
@@ -17,7 +17,9 @@ import { Timelocks } from "../libraries/TimelocksLib.sol";
 * @title Sample implementation of a Resolver contract for cross-chain swap.
 * @dev It is important when deploying an escrow on the source chain to send the safety deposit and deploy the escrow in the same
 * transaction, since the address of the escrow depends on the block.timestamp.
- * You can find sample code for this in the {ResolverExample-deploySrc}.
+ * You can find sample code for this in the {ResolverExample-deploySrc}.
+ *
+ * @custom:security-contact security@1inch.io
 */
 contract ResolverExample is IResolverExample, Ownable {
 IEscrowFactory private immutable _FACTORY;