use transferFrom(pool -> receiver) over hop through offRamp (#1258)

## Motivation Change the hop through the offRamp to a transferFrom so the funds never touch CCIP contracts outside of the pool ## Solution
smartcontractkit · Aug 6, 2024 · dc33de8 · dc33de8
1 parent 69a3a85
commit dc33de8
Show file tree

Hide file tree

Showing 25 changed files with 162 additions and 142 deletions.
diff --git a/contracts/gas-snapshots/ccip.gas-snapshot b/contracts/gas-snapshots/ccip.gas-snapshot
diff --git a/contracts/gas-snapshots/liquiditymanager.gas-snapshot b/contracts/gas-snapshots/liquiditymanager.gas-snapshot
@@ -3,9 +3,9 @@ LiquidityManager_addLiquidity:test_addLiquiditySuccess() (gas: 279154)
 LiquidityManager_rebalanceLiquidity:test_InsufficientLiquidityReverts() (gas: 206745)
 LiquidityManager_rebalanceLiquidity:test_InvalidRemoteChainReverts() (gas: 192319)
 LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess() (gas: 9141768)
-LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess_AlreadyFinalized() (gas: 8957594)
-LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_MultiStageFinalization() (gas: 8952800)
-LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_NativeRewrap() (gas: 8880598)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPoolsSuccess_AlreadyFinalized() (gas: 8981838)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_MultiStageFinalization() (gas: 8977044)
+LiquidityManager_rebalanceLiquidity:test_rebalanceBetweenPools_NativeRewrap() (gas: 8904842)
 LiquidityManager_rebalanceLiquidity:test_rebalanceLiquiditySuccess() (gas: 382897)
 LiquidityManager_receive:test_receive_success() (gas: 21182)
 LiquidityManager_removeLiquidity:test_InsufficientLiquidityReverts() (gas: 184869)
@@ -19,7 +19,7 @@ LiquidityManager_setFinanceRole:test_OnlyOwnerReverts() (gas: 10987)
 LiquidityManager_setFinanceRole:test_setFinanceRoleSuccess() (gas: 21836)
 LiquidityManager_setLocalLiquidityContainer:test_OnlyOwnerReverts() (gas: 11052)
 LiquidityManager_setLocalLiquidityContainer:test_ReverstWhen_CalledWithTheZeroAddress() (gas: 10643)
-LiquidityManager_setLocalLiquidityContainer:test_setLocalLiquidityContainerSuccess() (gas: 3495598)
+LiquidityManager_setLocalLiquidityContainer:test_setLocalLiquidityContainerSuccess() (gas: 3519863)
 LiquidityManager_setMinimumLiquidity:test_OnlyOwnerReverts() (gas: 10925)
 LiquidityManager_setMinimumLiquidity:test_setMinimumLiquiditySuccess() (gas: 36389)
 LiquidityManager_withdrawERC20:test_withdrawERC20Reverts() (gas: 180359)

diff --git a/contracts/src/v0.8/ccip/offRamp/EVM2EVMMultiOffRamp.sol b/contracts/src/v0.8/ccip/offRamp/EVM2EVMMultiOffRamp.sol
@@ -860,7 +860,7 @@ contract EVM2EVMMultiOffRamp is ITypeAndVersion, MultiOCR3Base {
     // transfer them to the final receiver. We use the _callWithExactGasSafeReturnData function because
     // the token contracts are not considered trusted.
     (success, returnData,) = CallWithExactGas._callWithExactGasSafeReturnData(
-      abi.encodeCall(IERC20.transfer, (receiver, localAmount)),
+      abi.encodeCall(IERC20.transferFrom, (localPoolAddress, receiver, localAmount)),
       localToken,
       s_dynamicConfig.maxTokenTransferGas,
       Internal.GAS_FOR_CALL_EXACT_CHECK,

diff --git a/contracts/src/v0.8/ccip/offRamp/EVM2EVMOffRamp.sol b/contracts/src/v0.8/ccip/offRamp/EVM2EVMOffRamp.sol
@@ -649,7 +649,7 @@ contract EVM2EVMOffRamp is IAny2EVMOffRamp, AggregateRateLimiter, ITypeAndVersio
     // transfer them to the final receiver. We use the _callWithExactGasSafeReturnData function because
     // the token contracts are not considered trusted.
     (success, returnData,) = CallWithExactGas._callWithExactGasSafeReturnData(
-      abi.encodeCall(IERC20.transfer, (receiver, localAmount)),
+      abi.encodeCall(IERC20.transferFrom, (localPoolAddress, receiver, localAmount)),
       localToken,
       sourceTokenData.destGasAmount - gasUsedReleaseOrMint,
       Internal.GAS_FOR_CALL_EXACT_CHECK,

diff --git a/contracts/src/v0.8/ccip/pools/BurnMintTokenPoolAbstract.sol b/contracts/src/v0.8/ccip/pools/BurnMintTokenPoolAbstract.sol
@@ -40,7 +40,8 @@ abstract contract BurnMintTokenPoolAbstract is TokenPool {
     _validateReleaseOrMint(releaseOrMintIn);
 
     // Mint to the offRamp, which forwards it to the recipient
-    IBurnMintERC20(address(i_token)).mint(msg.sender, releaseOrMintIn.amount);
+    IBurnMintERC20(address(i_token)).mint(address(this), releaseOrMintIn.amount);
+    IBurnMintERC20(address(i_token)).approve(msg.sender, releaseOrMintIn.amount);
 
     emit Minted(msg.sender, releaseOrMintIn.receiver, releaseOrMintIn.amount);
 

diff --git a/contracts/src/v0.8/ccip/pools/LegacyPoolWrapper.sol b/contracts/src/v0.8/ccip/pools/LegacyPoolWrapper.sol
@@ -75,7 +75,8 @@ abstract contract LegacyPoolWrapper is TokenPool {
   /// @dev Since extraData has never been used in LockRelease or MintBurn token pools, we can safely ignore it.
   function _releaseOrMintLegacy(Pool.ReleaseOrMintInV1 memory releaseOrMintIn) internal {
     s_previousPool.releaseOrMint(
-      releaseOrMintIn.originalSender, msg.sender, releaseOrMintIn.amount, releaseOrMintIn.remoteChainSelector, ""
+      releaseOrMintIn.originalSender, address(this), releaseOrMintIn.amount, releaseOrMintIn.remoteChainSelector, ""
     );
+    i_token.approve(msg.sender, releaseOrMintIn.amount);
   }
 }
diff --git a/contracts/src/v0.8/ccip/pools/LockReleaseTokenPool.sol b/contracts/src/v0.8/ccip/pools/LockReleaseTokenPool.sol
@@ -68,7 +68,7 @@ contract LockReleaseTokenPool is TokenPool, ILiquidityContainer, ITypeAndVersion
     _validateReleaseOrMint(releaseOrMintIn);
 
     // Release to the offRamp, which forwards it to the recipient
-    getToken().safeTransfer(msg.sender, releaseOrMintIn.amount);
+    getToken().approve(msg.sender, releaseOrMintIn.amount);
 
     emit Released(msg.sender, releaseOrMintIn.receiver, releaseOrMintIn.amount);
 

diff --git a/contracts/src/v0.8/ccip/pools/USDC/USDCTokenPool.sol b/contracts/src/v0.8/ccip/pools/USDC/USDCTokenPool.sol
@@ -141,6 +141,7 @@ contract USDCTokenPool is TokenPool, ITypeAndVersion {
   /// specific message that was sent on source.
   function releaseOrMint(Pool.ReleaseOrMintInV1 calldata releaseOrMintIn)
     external
+    virtual
     override
     returns (Pool.ReleaseOrMintOutV1 memory)
   {
@@ -155,8 +156,8 @@ contract USDCTokenPool is TokenPool, ITypeAndVersion {
     if (!i_messageTransmitter.receiveMessage(msgAndAttestation.message, msgAndAttestation.attestation)) {
       revert UnlockingUSDCFailed();
     }
-    // Since the tokens are minted to the pool, the pool has to send it to the offRamp
-    getToken().safeTransfer(msg.sender, releaseOrMintIn.amount);
+    // Since the tokens are minted to the pool, the pool has to approve it for the offRamp
+    getToken().approve(msg.sender, releaseOrMintIn.amount);
 
     emit Minted(msg.sender, releaseOrMintIn.receiver, releaseOrMintIn.amount);
     return Pool.ReleaseOrMintOutV1({destinationAmount: releaseOrMintIn.amount});

diff --git a/contracts/src/v0.8/ccip/test/BaseTest.t.sol b/contracts/src/v0.8/ccip/test/BaseTest.t.sol
@@ -38,7 +38,7 @@ contract BaseTest is Test {
   uint16 internal constant DEST_GAS_PER_PAYLOAD_BYTE = 16;
 
   uint16 internal constant DEFAULT_TOKEN_FEE_USD_CENTS = 50;
-  uint32 internal constant DEFAULT_TOKEN_DEST_GAS_OVERHEAD = 110_000;
+  uint32 internal constant DEFAULT_TOKEN_DEST_GAS_OVERHEAD = 144_000;
   uint32 internal constant DEFAULT_TOKEN_BYTES_OVERHEAD = 32;
 
   bool private s_baseTestInitialized;

diff --git a/contracts/src/v0.8/ccip/test/helpers/MaybeRevertingBurnMintTokenPool.sol b/contracts/src/v0.8/ccip/test/helpers/MaybeRevertingBurnMintTokenPool.sol
@@ -63,7 +63,9 @@ contract MaybeRevertingBurnMintTokenPool is BurnMintTokenPool {
         revert(add(32, revertReason), mload(revertReason))
       }
     }
-    IBurnMintERC20(address(i_token)).mint(msg.sender, releaseOrMintIn.amount);
+    IBurnMintERC20(address(i_token)).mint(address(this), releaseOrMintIn.amount);
+    IBurnMintERC20(address(i_token)).approve(msg.sender, releaseOrMintIn.amount);
+
     emit Minted(msg.sender, releaseOrMintIn.receiver, releaseOrMintIn.amount);
     return Pool.ReleaseOrMintOutV1({destinationAmount: releaseOrMintIn.amount});
   }

diff --git a/contracts/src/v0.8/ccip/test/legacy/TokenPoolAndProxy.t.sol b/contracts/src/v0.8/ccip/test/legacy/TokenPoolAndProxy.t.sol
@@ -478,7 +478,10 @@ contract TokenPoolAndProxy is EVM2EVMOnRampSetup {
     vm.startPrank(address(s_fakeOffRamp));
 
     vm.expectEmit(address(s_legacyPool));
-    emit Minted(address(s_pool), s_fakeOffRamp, amount);
+    emit Minted(address(s_pool), address(s_pool), amount);
+
+    vm.expectEmit(address(s_token));
+    emit IERC20.Approval(address(s_pool), address(s_fakeOffRamp), amount);
 
     s_pool.releaseOrMint(
       Pool.ReleaseOrMintInV1({

diff --git a/contracts/src/v0.8/ccip/test/offRamp/EVM2EVMMultiOffRamp.t.sol b/contracts/src/v0.8/ccip/test/offRamp/EVM2EVMMultiOffRamp.t.sol
@@ -2396,7 +2396,7 @@ contract EVM2EVMMultiOffRamp__releaseOrMintSingleToken is EVM2EVMMultiOffRampSet
 
     bytes memory revertData = "call reverted :o";
 
-    vm.mockCallRevert(destToken, abi.encodeWithSelector(IERC20.transfer.selector, receiver, amount), revertData);
+    vm.mockCallRevert(destToken, abi.encodeWithSelector(IERC20.approve.selector, s_offRamp, amount), revertData);
 
     vm.expectRevert(abi.encodeWithSelector(EVM2EVMMultiOffRamp.TokenHandlingError.selector, revertData));
     s_offRamp.releaseOrMintSingleToken(
@@ -2449,7 +2449,6 @@ contract EVM2EVMMultiOffRamp_releaseOrMintTokens is EVM2EVMMultiOffRampSetup {
 
   function test_releaseOrMintTokens_destDenominatedDecimals_Success() public {
     Client.EVMTokenAmount[] memory srcTokenAmounts = getCastedSourceEVMTokenAmountsWithZeroAmounts();
-    address destToken = s_destFeeToken;
     uint256 amount = 100;
     uint256 destinationDenominationMultiplier = 1000;
     srcTokenAmounts[0].amount = amount;
@@ -2458,24 +2457,29 @@ contract EVM2EVMMultiOffRamp_releaseOrMintTokens is EVM2EVMMultiOffRampSetup {
 
     Internal.RampTokenAmount[] memory sourceTokenAmounts = _getDefaultSourceTokenData(srcTokenAmounts);
 
-    // Since the pool call is mocked, we manually release funds to the offRamp
-    deal(destToken, address(s_offRamp), amount * destinationDenominationMultiplier);
+    address pool = s_destPoolBySourceToken[srcTokenAmounts[0].token];
+    address destToken = s_destTokenBySourceToken[srcTokenAmounts[0].token];
+
+    // Since the pool call is mocked, we manually approve funds to the offRamp
+    deal(destToken, pool, amount * destinationDenominationMultiplier);
+    vm.startPrank(pool);
+    IERC20(destToken).approve(address(s_offRamp), amount * destinationDenominationMultiplier);
+    vm.startPrank(OWNER);
+
+    Pool.ReleaseOrMintInV1 memory releaseOrMintIn = Pool.ReleaseOrMintInV1({
+      originalSender: abi.encode(OWNER),
+      receiver: OWNER,
+      amount: amount,
+      localToken: destToken,
+      remoteChainSelector: SOURCE_CHAIN_SELECTOR,
+      sourcePoolAddress: sourceTokenAmounts[0].sourcePoolAddress,
+      sourcePoolData: sourceTokenAmounts[0].extraData,
+      offchainTokenData: offchainTokenData[0]
+    });
 
     vm.mockCall(
       s_destPoolBySourceToken[srcTokenAmounts[0].token],
-      abi.encodeWithSelector(
-        LockReleaseTokenPool.releaseOrMint.selector,
-        Pool.ReleaseOrMintInV1({
-          originalSender: abi.encode(OWNER),
-          receiver: OWNER,
-          amount: amount,
-          localToken: s_destTokenBySourceToken[srcTokenAmounts[0].token],
-          remoteChainSelector: SOURCE_CHAIN_SELECTOR_1,
-          sourcePoolAddress: sourceTokenAmounts[0].sourcePoolAddress,
-          sourcePoolData: sourceTokenAmounts[0].extraData,
-          offchainTokenData: offchainTokenData[0]
-        })
-      ),
+      abi.encodeWithSelector(LockReleaseTokenPool.releaseOrMint.selector, releaseOrMintIn),
       abi.encode(amount * destinationDenominationMultiplier)
     );
 

diff --git a/contracts/src/v0.8/ccip/test/offRamp/EVM2EVMOffRamp.t.sol b/contracts/src/v0.8/ccip/test/offRamp/EVM2EVMOffRamp.t.sol
@@ -235,13 +235,17 @@ contract EVM2EVMOffRamp_execute is EVM2EVMOffRampSetup {
     amounts[1] = uint256(tokenAmount);
 
     Internal.EVM2EVMMessage memory message = _generateAny2EVMMessageWithTokens(1, amounts);
-    // console.log(message.length);
     message.data = messageData;
 
     IERC20 dstToken0 = IERC20(s_destTokens[0]);
     uint256 startingBalance = dstToken0.balanceOf(message.receiver);
 
-    vm.expectCall(s_destTokens[0], abi.encodeWithSelector(IERC20.transfer.selector, address(s_receiver), amounts[0]));
+    vm.expectCall(
+      address(dstToken0),
+      abi.encodeWithSelector(
+        IERC20.transferFrom.selector, s_destPoolByToken[address(dstToken0)], address(s_receiver), amounts[0]
+      )
+    );
 
     (Internal.MessageExecutionState newState, bytes memory err) =
       s_offRamp.trialExecute(message, new bytes[](message.tokenAmounts.length));
@@ -1548,7 +1552,7 @@ contract EVM2EVMOffRamp__releaseOrMintToken is EVM2EVMOffRampSetup {
 
     bytes memory revertData = "call reverted :o";
 
-    vm.mockCallRevert(destToken, abi.encodeWithSelector(IERC20.transfer.selector, receiver, amount), revertData);
+    vm.mockCallRevert(destToken, abi.encodeWithSelector(IERC20.approve.selector, s_offRamp, amount), revertData);
 
     vm.expectRevert(abi.encodeWithSelector(EVM2EVMOffRamp.TokenHandlingError.selector, revertData));
     s_offRamp.releaseOrMintToken(amount, originalSender, receiver, sourceTokenData, offchainTokenData);
@@ -1595,7 +1599,6 @@ contract EVM2EVMOffRamp__releaseOrMintTokens is EVM2EVMOffRampSetup {
 
   function test_releaseOrMintTokens_destDenominatedDecimals_Success() public {
     Client.EVMTokenAmount[] memory srcTokenAmounts = getCastedSourceEVMTokenAmountsWithZeroAmounts();
-    address destToken = s_destFeeToken;
     uint256 amount = 100;
     uint256 destinationDenominationMultiplier = 1000;
     srcTokenAmounts[0].amount = amount;
@@ -1605,24 +1608,29 @@ contract EVM2EVMOffRamp__releaseOrMintTokens is EVM2EVMOffRampSetup {
     bytes[] memory encodedSourceTokenData = _getDefaultSourceTokenData(srcTokenAmounts);
     Internal.SourceTokenData memory sourceTokenData = abi.decode(encodedSourceTokenData[0], (Internal.SourceTokenData));
 
-    // Since the pool call is mocked, we manually release funds to the offRamp
-    deal(destToken, address(s_offRamp), amount * destinationDenominationMultiplier);
+    address pool = s_destPoolBySourceToken[srcTokenAmounts[0].token];
+    address destToken = s_destTokenBySourceToken[srcTokenAmounts[0].token];
+
+    // Since the pool call is mocked, we manually approve funds to the offRamp
+    deal(destToken, pool, amount * destinationDenominationMultiplier);
+    vm.startPrank(pool);
+    IERC20(destToken).approve(address(s_offRamp), amount * destinationDenominationMultiplier);
+    vm.startPrank(OWNER);
+
+    Pool.ReleaseOrMintInV1 memory releaseOrMintIn = Pool.ReleaseOrMintInV1({
+      originalSender: originalSender,
+      receiver: OWNER,
+      amount: amount,
+      localToken: destToken,
+      remoteChainSelector: SOURCE_CHAIN_SELECTOR,
+      sourcePoolAddress: sourceTokenData.sourcePoolAddress,
+      sourcePoolData: sourceTokenData.extraData,
+      offchainTokenData: offchainTokenData[0]
+    });
 
     vm.mockCall(
-      s_destPoolBySourceToken[srcTokenAmounts[0].token],
-      abi.encodeWithSelector(
-        LockReleaseTokenPool.releaseOrMint.selector,
-        Pool.ReleaseOrMintInV1({
-          originalSender: originalSender,
-          receiver: OWNER,
-          amount: amount,
-          localToken: s_destTokenBySourceToken[srcTokenAmounts[0].token],
-          remoteChainSelector: SOURCE_CHAIN_SELECTOR,
-          sourcePoolAddress: sourceTokenData.sourcePoolAddress,
-          sourcePoolData: sourceTokenData.extraData,
-          offchainTokenData: offchainTokenData[0]
-        })
-      ),
+      pool,
+      abi.encodeWithSelector(LockReleaseTokenPool.releaseOrMint.selector, releaseOrMintIn),
       abi.encode(amount * destinationDenominationMultiplier)
     );
 

diff --git a/contracts/src/v0.8/ccip/test/onRamp/EVM2EVMOnRampSetup.t.sol b/contracts/src/v0.8/ccip/test/onRamp/EVM2EVMOnRampSetup.t.sol
@@ -65,7 +65,7 @@ contract EVM2EVMOnRampSetup is TokenSetup, PriceRegistrySetup {
         minFeeUSDCents: 1_00, // 1 USD
         maxFeeUSDCents: 1000_00, // 1,000 USD
         deciBps: 2_5, // 2.5 bps, or 0.025%
-        destGasOverhead: 100_000,
+        destGasOverhead: 140_000,
         destBytesOverhead: uint32(Pool.CCIP_LOCK_OR_BURN_V1_RET_BYTES),
         aggregateRateLimitEnabled: true
       })
@@ -76,7 +76,7 @@ contract EVM2EVMOnRampSetup is TokenSetup, PriceRegistrySetup {
         minFeeUSDCents: 2_00, // 1 USD
         maxFeeUSDCents: 500_00, // 500 USD
         deciBps: 10_0, // 10 bps, or 0.1%
-        destGasOverhead: 90_000,
+        destGasOverhead: 130_000,
         destBytesOverhead: 200,
         aggregateRateLimitEnabled: true
       })

diff --git a/contracts/src/v0.8/ccip/test/pools/BurnMintTokenPool.t.sol b/contracts/src/v0.8/ccip/test/pools/BurnMintTokenPool.t.sol
@@ -111,7 +111,7 @@ contract BurnMintTokenPool_releaseOrMint is BurnMintTokenPoolSetup {
     vm.startPrank(s_burnMintOffRamp);
 
     vm.expectEmit();
-    emit IERC20.Transfer(address(0), address(s_burnMintOffRamp), amount);
+    emit IERC20.Approval(address(s_pool), address(s_burnMintOffRamp), amount);
     s_pool.releaseOrMint(
       Pool.ReleaseOrMintInV1({
         originalSender: bytes(""),
@@ -125,7 +125,7 @@ contract BurnMintTokenPool_releaseOrMint is BurnMintTokenPoolSetup {
       })
     );
 
-    assertEq(s_burnMintERC677.balanceOf(s_burnMintOffRamp), amount);
+    assertEq(s_burnMintERC677.allowance(address(s_pool), s_burnMintOffRamp), amount);
   }
 
   function test_PoolMintNotHealthy_Revert() public {

diff --git a/core/gethwrappers/ccip/generated/burn_from_mint_token_pool/burn_from_mint_token_pool.go b/core/gethwrappers/ccip/generated/burn_from_mint_token_pool/burn_from_mint_token_pool.go
diff --git a/core/gethwrappers/ccip/generated/burn_mint_token_pool/burn_mint_token_pool.go b/core/gethwrappers/ccip/generated/burn_mint_token_pool/burn_mint_token_pool.go
diff --git a/...hwrappers/ccip/generated/burn_mint_token_pool_and_proxy/burn_mint_token_pool_and_proxy.go b/...hwrappers/ccip/generated/burn_mint_token_pool_and_proxy/burn_mint_token_pool_and_proxy.go
diff --git a/...hwrappers/ccip/generated/burn_with_from_mint_token_pool/burn_with_from_mint_token_pool.go b/...hwrappers/ccip/generated/burn_with_from_mint_token_pool/burn_with_from_mint_token_pool.go
diff --git a/core/gethwrappers/ccip/generated/evm_2_evm_multi_offramp/evm_2_evm_multi_offramp.go b/core/gethwrappers/ccip/generated/evm_2_evm_multi_offramp/evm_2_evm_multi_offramp.go
diff --git a/core/gethwrappers/ccip/generated/evm_2_evm_offramp/evm_2_evm_offramp.go b/core/gethwrappers/ccip/generated/evm_2_evm_offramp/evm_2_evm_offramp.go
diff --git a/core/gethwrappers/ccip/generated/lock_release_token_pool/lock_release_token_pool.go b/core/gethwrappers/ccip/generated/lock_release_token_pool/lock_release_token_pool.go
diff --git a/...ers/ccip/generated/lock_release_token_pool_and_proxy/lock_release_token_pool_and_proxy.go b/...ers/ccip/generated/lock_release_token_pool_and_proxy/lock_release_token_pool_and_proxy.go
diff --git a/core/gethwrappers/ccip/generated/usdc_token_pool/usdc_token_pool.go b/core/gethwrappers/ccip/generated/usdc_token_pool/usdc_token_pool.go