feat: add exact execution batch enforcer

McOso · McOso · commit c058ad575374 · 2025-03-05T11:30:02.000-05:00
diff --git a/src/enforcers/ExactExecutionBatchEnforcer.sol b/src/enforcers/ExactExecutionBatchEnforcer.sol
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: MIT AND Apache-2.0
+pragma solidity 0.8.23;
+
+import { ExecutionLib } from "@erc7579/lib/ExecutionLib.sol";
+import { ModeLib } from "@erc7579/lib/ModeLib.sol";
+
+import { CaveatEnforcer } from "./CaveatEnforcer.sol";
+import { ModeCode, Execution } from "../utils/Types.sol";
+
+/**
+ * @title ExactExecutionBatchEnforcer
+ * @notice Ensures that each execution in the batch matches exactly with the expected execution (target, value, and calldata).
+ * @dev This caveat enforcer operates only in batch execution mode.
+ */
+contract ExactExecutionBatchEnforcer is CaveatEnforcer {
+    using ExecutionLib for bytes;
+    using ModeLib for ModeCode;
+
+    ////////////////////////////// Public Methods //////////////////////////////
+
+    /**
+     * @notice Validates that each execution in the batch matches exactly with the expected execution.
+     * @param _terms The encoded expected Executions.
+     * @param _mode The execution mode, which must be batch.
+     * @param _executionCallData The batch execution calldata.
+     */
+    function beforeHook(
+        bytes calldata _terms,
+        bytes calldata,
+        ModeCode _mode,
+        bytes calldata _executionCallData,
+        bytes32,
+        address,
+        address
+    )
+        public
+        pure
+        override
+        onlyBatchExecutionMode(_mode)
+    {
+        Execution[] calldata executions_ = _executionCallData.decodeBatch();
+        Execution[] memory termsExecutions_ = getTermsInfo(_terms);
+
+        // Validate that the number of executions matches
+        require(executions_.length == termsExecutions_.length, "ExactExecutionBatchEnforcer:invalid-batch-size");
+
+        // Check each execution matches exactly (target, value, and calldata)
+        for (uint256 i = 0; i < executions_.length; i++) {
+            require(
+                termsExecutions_[i].target == executions_[i].target && termsExecutions_[i].value == executions_[i].value
+                    && keccak256(termsExecutions_[i].callData) == keccak256(executions_[i].callData),
+                "ExactExecutionBatchEnforcer:invalid-execution"
+            );
+        }
+    }
+
+    /**
+     * @notice Extracts the expected executions from the provided terms.
+     * @param _terms The encoded expected Executions.
+     * @return executions_ Array of expected Executions.
+     */
+    function getTermsInfo(bytes calldata _terms) public pure returns (Execution[] memory executions_) {
+        executions_ = _terms.decodeBatch();
+    }
+}
diff --git a/test/enforcers/ExactExecutionBatchEnforcer.t.sol b/test/enforcers/ExactExecutionBatchEnforcer.t.sol
@@ -0,0 +1,331 @@
+// SPDX-License-Identifier: MIT AND Apache-2.0
+pragma solidity 0.8.23;
+
+import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import { ModeLib } from "@erc7579/lib/ModeLib.sol";
+import { ExecutionLib } from "@erc7579/lib/ExecutionLib.sol";
+
+import { CaveatEnforcerBaseTest } from "./CaveatEnforcerBaseTest.t.sol";
+import { ExactExecutionBatchEnforcer } from "../../src/enforcers/ExactExecutionBatchEnforcer.sol";
+import { ICaveatEnforcer } from "../../src/interfaces/ICaveatEnforcer.sol";
+import { Execution, Caveat, Delegation, ModeCode } from "../../src/utils/Types.sol";
+import { BasicERC20 } from "../utils/BasicERC20.t.sol";
+
+contract ExactExecutionBatchEnforcerTest is CaveatEnforcerBaseTest {
+    ////////////////////////////// State //////////////////////////////
+
+    ExactExecutionBatchEnforcer public exactExecutionBatchEnforcer;
+    BasicERC20 public basicCF20;
+    ModeCode public singleMode = ModeLib.encodeSimpleSingle();
+    ModeCode public batchMode = ModeLib.encodeSimpleBatch();
+
+    ////////////////////////////// Set up //////////////////////////////
+
+    function setUp() public override {
+        super.setUp();
+        exactExecutionBatchEnforcer = new ExactExecutionBatchEnforcer();
+        vm.label(address(exactExecutionBatchEnforcer), "Exact Calldata Batch Enforcer");
+        basicCF20 = new BasicERC20(address(users.alice.deleGator), "TestToken1", "TestToken1", 100 ether);
+    }
+
+    ////////////////////////////// Valid cases //////////////////////////////
+
+    /// @notice Test that the enforcer passes when all executions match exactly.
+    function test_exactExecutionMatches() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(executions_);
+
+        vm.prank(address(delegationManager));
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", batchMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    ////////////////////////////// Invalid cases //////////////////////////////
+
+    /// @notice Test that the enforcer reverts when target doesn't match.
+    function test_exactExecutionFailsWhenTargetDiffers() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms with a different target for the second execution
+        Execution[] memory termsExecutions_ = new Execution[](2);
+        termsExecutions_[0] = executions_[0];
+        termsExecutions_[1] = Execution({
+            target: address(users.bob.deleGator), // Different target
+            value: 0,
+            callData: executions_[1].callData
+        });
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(termsExecutions_);
+
+        vm.prank(address(delegationManager));
+        vm.expectRevert("ExactExecutionBatchEnforcer:invalid-execution");
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", batchMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    /// @notice Test that the enforcer reverts when value doesn't match.
+    function test_exactExecutionFailsWhenValueDiffers() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms with a different value for the second execution
+        Execution[] memory termsExecutions_ = new Execution[](2);
+        termsExecutions_[0] = executions_[0];
+        termsExecutions_[1] = Execution({
+            target: executions_[1].target,
+            value: 1 ether, // Different value
+            callData: executions_[1].callData
+        });
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(termsExecutions_);
+
+        vm.prank(address(delegationManager));
+        vm.expectRevert("ExactExecutionBatchEnforcer:invalid-execution");
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", batchMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    /// @notice Test that the enforcer reverts when calldata doesn't match.
+    function test_exactExecutionFailsWhenCalldataDiffers() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms with different calldata for the second execution
+        Execution[] memory termsExecutions_ = new Execution[](2);
+        termsExecutions_[0] = executions_[0];
+        termsExecutions_[1] = Execution({
+            target: executions_[1].target,
+            value: executions_[1].value,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(3 ether))
+        });
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(termsExecutions_);
+
+        vm.prank(address(delegationManager));
+        vm.expectRevert("ExactExecutionBatchEnforcer:invalid-execution");
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", batchMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    /// @notice Test that the enforcer reverts when batch size doesn't match.
+    function test_batchSizeMismatch() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms with only one execution
+        Execution[] memory termsExecutions_ = new Execution[](1);
+        termsExecutions_[0] = executions_[0];
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(termsExecutions_);
+
+        vm.prank(address(delegationManager));
+        vm.expectRevert("ExactExecutionBatchEnforcer:invalid-batch-size");
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", batchMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    /// @notice Test that the enforcer reverts when single mode is used.
+    function test_singleModeReverts() public {
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        bytes memory executionCallData_ = ExecutionLib.encodeBatch(executions_);
+        bytes memory terms_ = _encodeTerms(executions_);
+
+        vm.prank(address(delegationManager));
+        vm.expectRevert("CaveatEnforcer:invalid-call-type");
+        exactExecutionBatchEnforcer.beforeHook(terms_, hex"", singleMode, executionCallData_, keccak256(""), address(0), address(0));
+    }
+
+    ////////////////////////////// Integration Tests //////////////////////////////
+
+    /// @notice Integration test: the enforcer allows a batch of token transfers when executions match exactly.
+    function test_integration_AllowsBatchTokenTransfers() public {
+        // Record initial balances
+        uint256 bobInitialBalance_ = basicCF20.balanceOf(address(users.bob.deleGator));
+        uint256 carolInitialBalance_ = basicCF20.balanceOf(address(users.carol.deleGator));
+
+        // Create a batch of executions
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms that match exactly
+        bytes memory terms_ = _encodeTerms(executions_);
+
+        Caveat[] memory caveats_ = new Caveat[](1);
+        caveats_[0] = Caveat({ args: hex"", enforcer: address(exactExecutionBatchEnforcer), terms: terms_ });
+        Delegation memory delegation_ = Delegation({
+            delegate: address(users.bob.deleGator),
+            delegator: address(users.alice.deleGator),
+            authority: ROOT_AUTHORITY,
+            caveats: caveats_,
+            salt: 0,
+            signature: hex""
+        });
+        delegation_ = signDelegation(users.alice, delegation_);
+
+        // Prepare delegation redemption parameters
+        bytes[] memory permissionContexts_ = new bytes[](1);
+        Delegation[] memory delegations_ = new Delegation[](1);
+        delegations_[0] = delegation_;
+        permissionContexts_[0] = abi.encode(delegations_);
+
+        bytes[] memory executionCallDatas_ = new bytes[](1);
+        executionCallDatas_[0] = ExecutionLib.encodeBatch(executions_);
+
+        // Set up batch mode
+        ModeCode[] memory oneBatchMode_ = new ModeCode[](1);
+        oneBatchMode_[0] = batchMode;
+
+        // Bob redeems the delegation to execute the batch
+        vm.prank(address(users.bob.deleGator));
+        delegationManager.redeemDelegations(permissionContexts_, oneBatchMode_, executionCallDatas_);
+
+        // Verify balances changed correctly
+        assertEq(basicCF20.balanceOf(address(users.bob.deleGator)), bobInitialBalance_ + 1 ether);
+        assertEq(basicCF20.balanceOf(address(users.carol.deleGator)), carolInitialBalance_ + 2 ether);
+    }
+
+    /// @notice Integration test: the enforcer blocks batch execution when any execution doesn't match.
+    function test_integration_BlocksBatchWhenExecutionDiffers() public {
+        // Record initial balances
+        uint256 bobInitialBalance_ = basicCF20.balanceOf(address(users.bob.deleGator));
+        uint256 carolInitialBalance_ = basicCF20.balanceOf(address(users.carol.deleGator));
+
+        // Create a batch of executions
+        Execution[] memory executions_ = new Execution[](2);
+        executions_[0] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.bob.deleGator), uint256(1 ether))
+        });
+        executions_[1] = Execution({
+            target: address(basicCF20),
+            value: 0,
+            callData: abi.encodeWithSelector(IERC20.transfer.selector, address(users.carol.deleGator), uint256(2 ether))
+        });
+
+        // Create terms with a mismatch in the second execution
+        Execution[] memory termsExecutions_ = new Execution[](2);
+        termsExecutions_[0] = executions_[0];
+        termsExecutions_[1] = Execution({
+            target: address(basicCF20),
+            value: 1 ether, // Different value
+            callData: executions_[1].callData
+        });
+
+        bytes memory terms_ = _encodeTerms(termsExecutions_);
+
+        Caveat[] memory caveats_ = new Caveat[](1);
+        caveats_[0] = Caveat({ args: hex"", enforcer: address(exactExecutionBatchEnforcer), terms: terms_ });
+        Delegation memory delegation_ = Delegation({
+            delegate: address(users.bob.deleGator),
+            delegator: address(users.alice.deleGator),
+            authority: ROOT_AUTHORITY,
+            caveats: caveats_,
+            salt: 0,
+            signature: hex""
+        });
+        delegation_ = signDelegation(users.alice, delegation_);
+
+        // Prepare delegation redemption parameters
+        bytes[] memory permissionContexts_ = new bytes[](1);
+        Delegation[] memory delegations_ = new Delegation[](1);
+        delegations_[0] = delegation_;
+        permissionContexts_[0] = abi.encode(delegations_);
+
+        bytes[] memory executionCallDatas_ = new bytes[](1);
+        executionCallDatas_[0] = ExecutionLib.encodeBatch(executions_);
+
+        // Set up batch mode
+        ModeCode[] memory oneBatchMode_ = new ModeCode[](1);
+        oneBatchMode_[0] = batchMode;
+
+        // Bob redeems the delegation to execute the batch
+        vm.prank(address(users.bob.deleGator));
+        vm.expectRevert("ExactExecutionBatchEnforcer:invalid-execution");
+        delegationManager.redeemDelegations(permissionContexts_, oneBatchMode_, executionCallDatas_);
+
+        // Verify balances remain unchanged
+        assertEq(basicCF20.balanceOf(address(users.bob.deleGator)), bobInitialBalance_);
+        assertEq(basicCF20.balanceOf(address(users.carol.deleGator)), carolInitialBalance_);
+    }
+
+    ////////////////////////////// Helper Functions //////////////////////////////
+
+    /// @notice Helper function to encode terms for the batch enforcer
+    function _encodeTerms(Execution[] memory _executions) internal pure returns (bytes memory) {
+        return ExecutionLib.encodeBatch(_executions);
+    }
+
+    ////////////////////////////// Internal Overrides //////////////////////////////
+    function _getEnforcer() internal view override returns (ICaveatEnforcer) {
+        return ICaveatEnforcer(address(exactExecutionBatchEnforcer));
+    }
+}
