Make Multicall context-aware

2023-12-07 15:30:08 -06:00
parent 9329cfacd4
commit ccfffe13e8
7 changed files with 110 additions and 12 deletions
--- a/test/metatx/ERC2771Context.test.js
+++ b/test/metatx/ERC2771Context.test.js
@ -12,7 +12,7 @@ const ContextMockCaller = artifacts.require('ContextMockCaller');
 const { shouldBehaveLikeRegularContext } = require('../utils/Context.behavior');

 contract('ERC2771Context', function (accounts) {
-  const [, trustedForwarder] = accounts;
+  const [, trustedForwarder, other] = accounts;

  beforeEach(async function () {
    this.forwarder = await MinimalForwarder.new();
@ -118,5 +118,58 @@ contract('ERC2771Context', function (accounts) {
      const data = recipient.contract.methods.msgDataShort().encodeABI();
      await expectEvent(receipt, 'DataShort', { data });
    });
+
+    it('multicall poison attack', async function () {
+      const attacker = Wallet.generate();
+      const attackerAddress = attacker.getChecksumAddressString();
+      const nonce = await this.forwarder.getNonce(attackerAddress);
+
+      const msgSenderCall = web3.eth.abi.encodeFunctionCall(
+        {
+          name: 'msgSender',
+          type: 'function',
+          inputs: [],
+        },
+        [],
+      );
+
+      const data = web3.eth.abi.encodeFunctionCall(
+        {
+          name: 'multicall',
+          type: 'function',
+          inputs: [
+            {
+              internalType: 'bytes[]',
+              name: 'data',
+              type: 'bytes[]',
+            },
+          ],
+        },
+        [[web3.utils.encodePacked({ value: msgSenderCall, type: 'bytes' }, { value: other, type: 'address' })]],
+      );
+
+      const req = {
+        from: attackerAddress,
+        to: this.recipient.address,
+        value: '0',
+        gas: '100000',
+        data,
+        nonce: Number(nonce),
+      };
+
+      const signature = await ethSigUtil.signTypedMessage(attacker.getPrivateKey(), {
+        data: {
+          types: this.types,
+          domain: this.domain,
+          primaryType: 'ForwardRequest',
+          message: req,
+        },
+      });
+
+      expect(await this.forwarder.verify(req, signature)).to.equal(true);
+
+      const receipt = await this.forwarder.execute(req, signature);
+      await expectEvent.inTransaction(receipt.tx, ERC2771ContextMock, 'Sender', { sender: attackerAddress });
+    });
  });
 });