Aave Swapper Updates #353
Merged
Aave Swapper Updates #353
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sakulstra
approved these changes
Nov 21, 2024
🔧 Build logsCompiling 283 files with Solc 0.8.18
Solc 0.8.18 finished in 63.27s
Compiler run successful with warnings:
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/swaps/AaveSwapper.sol:138:5:
|
138 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/asset-manager/AaveWstethWithdrawer.sol:106:5:
|
106 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/arbitrum/AaveArbEthERC20Bridge.sol:120:5:
|
120 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/polygon/AavePolEthERC20Bridge.sol:103:5:
|
103 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/polygon/AavePolEthPlasmaBridge.sol:108:5:
|
108 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/optimism/AaveOpEthERC20Bridge.sol:61:5:
|
61 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (2018): Function state mutability can be restricted to pure
--> src/asset-manager/AaveWstethWithdrawer.sol:105:3:
|
105 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to pure
--> src/bridges/arbitrum/AaveArbEthERC20Bridge.sol:119:3:
|
119 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to pure
--> src/bridges/polygon/AavePolEthERC20Bridge.sol:102:3:
|
102 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to pure
--> src/bridges/polygon/AavePolEthPlasmaBridge.sol:107:3:
|
107 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to pure
--> src/bridges/optimism/AaveOpEthERC20Bridge.sol:60:3:
|
60 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to pure
--> src/ProtocolV2TestBase.sol:663:3:
|
663 | function _logReserveConfig(ReserveConfig memory config) internal view {
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to view
--> tests/ProxyHelpersTest.t.sol:13:3:
|
13 | function testAdmin() public {
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018): Function state mutability can be restricted to view
--> tests/ProxyHelpersTest.t.sol:21:3:
|
21 | function testImplementation() public {
| ^ (Relevant source part starts here and spans across multiple lines).
| Contract | Runtime Size (B) | Initcode Size (B) | Runtime Margin (B) | Initcode Margin (B) |
|---------------------------------------------|------------------|-------------------|--------------------|---------------------|
| AaveArbEthERC20Bridge | 3,660 | 3,874 | 20,916 | 45,278 |
| AaveGovernanceV2 | 86 | 141 | 24,490 | 49,011 |
| AaveOpEthERC20Bridge | 2,942 | 3,156 | 21,634 | 45,996 |
| AavePolEthERC20Bridge | 4,196 | 4,410 | 20,380 | 44,742 |
| AavePolEthPlasmaBridge | 3,618 | 3,832 | 20,958 | 45,320 |
| AaveSafetyModule | 86 | 141 | 24,490 | 49,011 |
| AaveSwapper | 5,601 | 6,045 | 18,975 | 43,107 |
| AaveV1 | 86 | 141 | 24,490 | 49,011 |
| AaveV2Avalanche | 86 | 141 | 24,490 | 49,011 |
| AaveV2AvalancheAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV2ConfigEngine | 3,180 | 3,565 | 21,396 | 45,587 |
| AaveV2Ethereum | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumAMM | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumAMMAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumArc | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumArcAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV2EthereumRatesUpdate | 1,512 | 1,657 | 23,064 | 47,495 |
| AaveV2Fuji | 86 | 141 | 24,490 | 49,011 |
| AaveV2FujiAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV2Polygon | 86 | 141 | 24,490 | 49,011 |
| AaveV2PolygonAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Arbitrum | 86 | 141 | 24,490 | 49,011 |
| AaveV3ArbitrumAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3ArbitrumEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3ArbitrumExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3ArbitrumSepolia | 86 | 141 | 24,490 | 49,011 |
| AaveV3ArbitrumSepoliaAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Avalanche | 86 | 141 | 24,490 | 49,011 |
| AaveV3AvalancheAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3AvalancheCollateralUpdate | 3,310 | 3,455 | 21,266 | 45,697 |
| AaveV3AvalancheCollateralUpdateCorrectBonus | 3,310 | 3,455 | 21,266 | 45,697 |
| AaveV3AvalancheCollateralUpdateNoChange | 3,330 | 3,475 | 21,246 | 45,677 |
| AaveV3AvalancheCollateralUpdateWrongBonus | 3,310 | 3,455 | 21,266 | 45,697 |
| AaveV3AvalancheEModeCategoryUpdateEdgeBonus | 3,249 | 3,394 | 21,327 | 45,758 |
| AaveV3AvalancheEModeCategoryUpdateNoChange | 3,313 | 3,458 | 21,263 | 45,694 |
| AaveV3AvalancheEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3AvalancheExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3BNB | 86 | 141 | 24,490 | 49,011 |
| AaveV3BNBAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3BNBEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3BNBExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3Base | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepolia | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaLido | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaLidoAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaLidoEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3BaseSepoliaLidoExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3Ethereum | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumAssetEModeUpdate | 3,199 | 3,344 | 21,377 | 45,808 |
| AaveV3EthereumAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumEtherFi | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumEtherFiAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumEtherFiEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumEtherFiExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumLido | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumLidoAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumLidoEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumLidoExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3EthereumMockCapUpdate | 3,237 | 3,382 | 21,339 | 45,770 |
| AaveV3Fantom | 86 | 141 | 24,490 | 49,011 |
| AaveV3FantomAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3FantomTestnet | 86 | 141 | 24,490 | 49,011 |
| AaveV3FantomTestnetAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Fuji | 86 | 141 | 24,490 | 49,011 |
| AaveV3FujiAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3FujiEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3FujiExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3Gnosis | 86 | 141 | 24,490 | 49,011 |
| AaveV3GnosisAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3GnosisEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3GnosisExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3Harmony | 86 | 141 | 24,490 | 49,011 |
| AaveV3HarmonyAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Metis | 86 | 141 | 24,490 | 49,011 |
| AaveV3MetisAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3MetisEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3MetisExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3Optimism | 86 | 141 | 24,490 | 49,011 |
| AaveV3OptimismAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3OptimismEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3OptimismExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3OptimismMockRatesUpdate | 3,446 | 3,591 | 21,130 | 45,561 |
| AaveV3OptimismSepolia | 86 | 141 | 24,490 | 49,011 |
| AaveV3OptimismSepoliaAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Polygon | 86 | 141 | 24,490 | 49,011 |
| AaveV3PolygonAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3PolygonBorrowUpdate | 3,305 | 3,450 | 21,271 | 45,702 |
| AaveV3PolygonBorrowUpdateNoChange | 3,327 | 3,472 | 21,249 | 45,680 |
| AaveV3PolygonEModeCategoryUpdate | 3,247 | 3,392 | 21,329 | 45,760 |
| AaveV3PolygonEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3PolygonExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3PolygonPriceFeedUpdate | 3,178 | 3,323 | 21,398 | 45,829 |
| AaveV3PolygonZkEvm | 86 | 141 | 24,490 | 49,011 |
| AaveV3PolygonZkEvmAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Scroll | 86 | 141 | 24,490 | 49,011 |
| AaveV3ScrollAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3ScrollEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3ScrollExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveV3ScrollSepolia | 86 | 141 | 24,490 | 49,011 |
| AaveV3ScrollSepoliaAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3Sepolia | 86 | 141 | 24,490 | 49,011 |
| AaveV3SepoliaAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3ZkSync | 86 | 141 | 24,490 | 49,011 |
| AaveV3ZkSyncAssets | 86 | 141 | 24,490 | 49,011 |
| AaveV3ZkSyncEModes | 86 | 141 | 24,490 | 49,011 |
| AaveV3ZkSyncExternalLibraries | 86 | 141 | 24,490 | 49,011 |
| AaveWstethWithdrawer | 5,618 | 6,062 | 18,958 | 43,090 |
| Address | 86 | 141 | 24,490 | 49,011 |
| ArbSysMock | 647 | 679 | 23,929 | 48,473 |
| CapsPlusRiskSteward | 2,665 | 2,935 | 21,911 | 46,217 |
| CapsPlusRiskStewardErrors | 556 | 614 | 24,020 | 48,538 |
| ChainHelpers | 86 | 141 | 24,490 | 49,011 |
| ChainIds | 86 | 141 | 24,490 | 49,011 |
| CollectorUtils | 86 | 141 | 24,490 | 49,011 |
| ConfiguratorInputTypes | 86 | 141 | 24,490 | 49,011 |
| Create2Utils | 164 | 220 | 24,412 | 48,932 |
| Create2UtilsZkSync | 147 | 203 | 24,429 | 48,949 |
| DataTypes | 86 | 141 | 24,490 | 49,011 |
| DefaultReserveInterestRateStrategy | 3,485 | 4,252 | 21,091 | 44,900 |
| DeployV2EngineAvaLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2EngineEthAMMLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2EngineEthLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2EnginePolLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2RatesFactoryAvaLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2RatesFactoryEthAMMLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2RatesFactoryEthLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2RatesFactoryLib | 86 | 141 | 24,490 | 49,011 |
| DeployV2RatesFactoryPolLib | 86 | 141 | 24,490 | 49,011 |
| ERC1967Proxy | 699 | 1,831 | 23,877 | 47,321 |
| EngineFlags | 86 | 141 | 24,490 | 49,011 |
| Errors | 4,714 | 4,772 | 19,862 | 44,380 |
| FreezingSteward | 715 | 915 | 23,861 | 48,237 |
| GovV3Helpers | 2,622 | 2,680 | 21,954 | 46,472 |
| GovV3StorageHelpers | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Arbitrum | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Avalanche | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3BNB | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Base | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Ethereum | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Fuji | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Gnosis | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Metis | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Optimism | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Polygon | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3PolygonZkEvm | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3Scroll | 86 | 141 | 24,490 | 49,011 |
| GovernanceV3ZkSync | 86 | 141 | 24,490 | 49,011 |
| IpfsUtils | 86 | 141 | 24,490 | 49,011 |
| MiscArbitrum | 86 | 141 | 24,490 | 49,011 |
| MiscArbitrumSepolia | 86 | 141 | 24,490 | 49,011 |
| MiscAvalanche | 86 | 141 | 24,490 | 49,011 |
| MiscBNB | 86 | 141 | 24,490 | 49,011 |
| MiscBase | 86 | 141 | 24,490 | 49,011 |
| MiscBaseSepolia | 86 | 141 | 24,490 | 49,011 |
| MiscEthereum | 86 | 141 | 24,490 | 49,011 |
| MiscFantom | 86 | 141 | 24,490 | 49,011 |
| MiscFuji | 86 | 141 | 24,490 | 49,011 |
| MiscGnosis | 86 | 141 | 24,490 | 49,011 |
| MiscMetis | 86 | 141 | 24,490 | 49,011 |
| MiscOptimism | 86 | 141 | 24,490 | 49,011 |
| MiscOptimismSepolia | 86 | 141 | 24,490 | 49,011 |
| MiscPolygon | 86 | 141 | 24,490 | 49,011 |
| MiscPolygonZkEvm | 86 | 141 | 24,490 | 49,011 |
| MiscScroll | 86 | 141 | 24,490 | 49,011 |
| MiscSepolia | 86 | 141 | 24,490 | 49,011 |
| MiscZkSync | 86 | 141 | 24,490 | 49,011 |
| MyPayload | 1,530 | 1,575 | 23,046 | 47,577 |
| PayloadWithEmit | 150 | 180 | 24,426 | 48,972 |
| PayloadsControllerUtils | 86 | 141 | 24,490 | 49,011 |
| PercentageMath | 86 | 141 | 24,490 | 49,011 |
| ProxyAdmin | 1,683 | 1,809 | 22,893 | 47,343 |
| ProxyHelpers | 86 | 141 | 24,490 | 49,011 |
| ReserveConfiguration | 171 | 227 | 24,405 | 48,925 |
| SafeERC20 | 86 | 141 | 24,490 | 49,011 |
| SafeMath | 86 | 141 | 24,490 | 49,011 |
| StorageHelpers | 86 | 141 | 24,490 | 49,011 |
| StorageSlot | 86 | 141 | 24,490 | 49,011 |
| StrategicAssetsManager | 9,691 | 10,145 | 14,885 | 39,007 |
| TestNetChainIds | 86 | 141 | 24,490 | 49,011 |
| TransparentProxyFactory | 7,505 | 7,537 | 17,071 | 41,615 |
| TransparentUpgradeableProxy | 2,096 | 3,665 | 22,480 | 45,487 |
| V2RateStrategyFactory | 8,842 | 9,194 | 15,734 | 39,958 |
| WadRayMath | 86 | 141 | 24,490 | 49,011 |🔧 Build logs zksyncCompiling 173 files with zksolc and ZKsync solc 0.8.20
zksolc and ZKsync solc 0.8.20 finished in 77.54s
Compiler run successful with warnings:
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/swaps/AaveSwapper.sol:138:5:
|
138 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/asset-manager/AaveWstethWithdrawer.sol:106:5:
|
106 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/arbitrum/AaveArbEthERC20Bridge.sol:120:5:
|
120 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/polygon/AavePolEthERC20Bridge.sol:103:5:
|
103 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/polygon/AavePolEthPlasmaBridge.sol:108:5:
|
108 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (5667)
Warning: Unused function parameter. Remove or comment out the variable name to silence this warning.
--> src/bridges/optimism/AaveOpEthERC20Bridge.sol:61:5:
|
61 | address erc20Token
| ^^^^^^^^^^^^^^^^^^
Warning (2018)
Warning: Function state mutability can be restricted to pure
--> src/asset-manager/AaveWstethWithdrawer.sol:105:3:
|
105 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018)
Warning: Function state mutability can be restricted to pure
--> src/bridges/arbitrum/AaveArbEthERC20Bridge.sol:119:3:
|
119 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018)
Warning: Function state mutability can be restricted to pure
--> src/bridges/polygon/AavePolEthERC20Bridge.sol:102:3:
|
102 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018)
Warning: Function state mutability can be restricted to pure
--> src/bridges/polygon/AavePolEthPlasmaBridge.sol:107:3:
|
107 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
Warning (2018)
Warning: Function state mutability can be restricted to pure
--> src/bridges/optimism/AaveOpEthERC20Bridge.sol:60:3:
|
60 | function maxRescue(
| ^ (Relevant source part starts here and spans across multiple lines).
| Contract | Runtime Size (B) | Initcode Size (B) | Runtime Margin (B) | Initcode Margin (B) |
|----------|------------------|-------------------|--------------------|---------------------| |
brotherlymite
approved these changes
Nov 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changelog
Update AaveSwapper to include Milkman's updates.
Add interface and natspec.
Update tests.
Milkman Changes
Vulnerability: Milkman order fee extraction
Impact
An adversary can manipulate user-created Milkman orders, thereby transferring part of the expected surplus from the user order to an address that the adversary controls.
Description
We recently introduced "partner fees," an extra fee levied on user orders to incentivize partner projects to integrate CoW Protocol.
This fee is embedded on order creation time by the integrator into the order through the order's app data.
The app data specifies the receiver address for the order's partner fees.
The issue with Milkman is that the validity of an order does not depend on the app data: any valid Milkman order for some app data can be transformed into a valid order with any different app data and presented to the orderbook as a valid order.
There is no way for the protocol to determine which of the two order (original or adversarial) should be used, in general. This is further aggravated by the fact that other Milkman order parameters, like the buy amount, can be freely changed as long as they satisfy the checks in the price checker, making it easier to craft an order that appears to have more surplus despite the extra fee.
Exploitation
We have no report of this vulnerability being exploited outside of proofs of concept.
For now, participation to the partner fee program is on an invitation basis only, and we're manually monitoring the payouts for unknown addresses or unexpected behavior from partners.
Remediation
We updated Milkman code to be robust against app data manipulation.
We strongly recommend our partners that use Milkman to either switch to the new contracts and bot or update any custom code based on Milkman to account for this vulnerability.
Related code changes can be seen at the following links.
Credits
This issue was brought to our attention thanks to the report by Quantura Tech with their analysis of the negative effects on the solver competition when order fees can be manipulated.
References
https://docs.cow.fi/governance/fees/partner-fee
https://docs.cow.fi/cow-protocol/reference/core/intents/app-data