Fix DSU unwrapping in multi invoker and manager contract #461

prateekdefi · 2024-10-03T14:15:56Z

Issue: sherlock-audit/2024-08-perennial-v2-update-3-judging#16

…nager contract

arjun-io · 2024-10-03T14:55:13Z

packages/perennial-extensions/contracts/MultiInvoker.sol

+    /// @param account Account to claim fees for
+    /// @param unwrap Wheather to wrap/unwrap collateral on withdrawal
+    function withdrawClaimable(address account, bool unwrap) external {
+        if (msg.sender != account && !operators[account][msg.sender]) revert MultiInvokerUnauthorizedError();


I think since we use this pattern twice it might make sense to make it an onlyOperator modifier or helper function like below in Manager.sol?

done in f43bbf9

arjun-io · 2024-10-03T14:58:21Z

packages/perennial-extensions/contracts/MultiInvoker.sol

+        UFixed6 claimableAmount = claimable[account];
+        claimable[account] = UFixed6Lib.ZERO;
+
+        _withdraw(account, claimableAmount, unwrap);


Our pattern has been to push funds to the msg.sender rather than the account (see: https://github.com/equilibria-xyz/perennial-v2/blob/v2.3/packages/perennial/contracts/Market.sol#L322)

done in a6161d9

arjun-io · 2024-10-03T14:58:44Z

packages/perennial-extensions/contracts/MultiInvoker.sol

+    /// @notice withdraw DSU or unwrap DSU to withdraw USDC from this address to `account`
+    /// @param account Account to claim fees for
+    /// @param unwrap Wheather to wrap/unwrap collateral on withdrawal
+    function withdrawClaimable(address account, bool unwrap) external {


nit: maybe just claim?

done in 329265f

arjun-io · 2024-10-03T15:01:00Z

packages/perennial-order/contracts/Manager.sol

@@ -137,6 +141,17 @@ abstract contract Manager is IManager, Kept {
        if (interfaceFeeCharged) emit TriggerOrderInterfaceFeeCharged(account, market, order.interfaceFee);
    }

+    /// @inheritdoc IManager
+    function withdrawClaimable(address account, bool unwrap) external {


Same comments on naming, where to send funds as above 👍

done in 329265f and a6161d9

arjun-io · 2024-10-03T15:07:25Z

packages/perennial-extensions/contracts/MultiInvoker.sol

        UFixed6 claimAmount = market.claimFee(account);
-        _withdraw(account, claimAmount, unwrap);
+        claimable[account] = claimable[account].add(claimAmount);


Upon further thinking, we might just want to keep this as a atomic claim and withdraw rather than putting it in the claimable map.

Since these fees are already in DSU in the market, there's no real gain to claiming them into the multiinvoker and then withdrawing in a separate tx. The process of doing the claim+unwrap (if the unwrap is non-reverting) or a DSU claim (if the unwrap is reverting) is the same with or without the multiinvoker escrow

Undid in a23a45e.

EdNoepel

I do not understand why MultiInvoker and Manager must hold funds to solve this problem. Seems a cleaner solution would be to use exception handling and push the DSU if it cannot be unwrapped.

kbrizzle · 2024-10-09T06:17:27Z

packages/perennial-extensions/contracts/MultiInvoker.sol

+    /// @param unwrap Wheather to wrap/unwrap collateral on withdrawal
+    function claim(address account, bool unwrap) external onlyOperator(account, msg.sender) {
+        UFixed6 claimableAmount = claimable[account];
+        claimable[account] = UFixed6Lib.ZERO;


nit: delete claimable[account] slightly cleaner here

The mapping holds a UFixed6, seemingly incompatible with the unary delete operator.

ope didn't know that 🙏

kbrizzle · 2024-10-09T06:19:30Z

packages/perennial-extensions/contracts/types/TriggerOrder.sol

@@ -28,14 +28,12 @@ struct StoredTriggerOrder {
    /* slot 1 */
    address interfaceFeeReceiver1;
    uint48 interfaceFeeAmount1;      // <= 281m
-    bool interfaceFeeUnwrap1;
-    bytes5 __unallocated1__;
+    bytes6 __unallocated1__;


nit: add a note that these contain dirty data until updated post v2.3 migration

done in bb91a17

kbrizzle · 2024-10-09T06:20:33Z

packages/perennial-extensions/contracts/types/TriggerOrder.sol

@@ -129,11 +125,9 @@ library TriggerOrderStorageLib {
            bytes6(0),
            newValue.interfaceFee1.receiver,
            uint48(UFixed6.unwrap(newValue.interfaceFee1.amount)),
-            newValue.interfaceFee1.unwrap,
            bytes5(0),


should be bytes6

corrected in bb91a17

kbrizzle · 2024-10-09T06:20:37Z

packages/perennial-extensions/contracts/types/TriggerOrder.sol

            bytes5(0),
            newValue.interfaceFee2.receiver,
            uint48(UFixed6.unwrap(newValue.interfaceFee2.amount)),
-            newValue.interfaceFee2.unwrap,
            bytes5(0)


should be bytes6

corrected in bb91a17

kbrizzle · 2024-10-09T06:23:19Z

packages/perennial-order/contracts/Manager.sol

+    }
+
+    /// @notice reads keeper compensation parameters from an action message
+    function _compensateKeeperAction(Action calldata action) internal {


where are these two new function used? can't see them referenced in any of the other changes.

Was a merge artifact; removed in bb91a17.

github-actions · 2024-10-09T12:36:53Z