Merge pull request #31 from euler-xyz/csec-fixes

Csec fixes

Author: euler-mab

docs/f.md

@@ -0,0 +1,60 @@
+## Implementation of `f`
+
+`f` (aka the "EulerSwap Function") is a parameterisable curve that defines the boundary of permissible points for EulerSwap AMMs. Points on the curve or above and to-the right are allowed, others are not.
+
+Only formula 3 from the whitepaper is implemented in the EulerSwap core, since this can be used for both domains of the curve by mirroring the parameters. The more complicated formula 4 is a closed-form method for quoting swaps so it can be implemented in a periphery (if desired).
+
+### Derivation
+
+Formula 3 from the whitepaper:
+
+    y0 + (px / py) * (x0 - x) * (c + (1 - c) * (x0 / x))
+
+Multiply second term by `x/x`:
+
+    y0 + (px / py) * (x0 - x) * ((c * x) + (1 - c) * x0) / x
+
+`c` is scaled by `1e18`:
+
+    y0 + (px / py) * (x0 - x) * ((c * x) + (1e18 - c) * x0) / (x * 1e18)
+
+Re-order division by `py`:
+
+    y0 + px * (x0 - x) * ((c * x) + (1e18 - c) * x0) / (x * 1e18) / py
+
+Use `mulDiv` to avoid intermediate overflow:
+
+    y0 + Math.mulDiv(px * (x0 - x), c * x + (1e18 - c) * x0, x * 1e18) / py
+
+Round up for both divisions (operation is distributive):
+
+    y0 + (Math.mulDiv(px * (x0 - x), c * x + (1e18 - c) * x0, x * 1e18, Math.Rounding.Ceil) + (py-1)) / py
+
+### Boundary Analysis
+
+Pre-conditions: x <= x0, 1 <= {px,py} <= 1e36, {x0,y0} <= type(uint112).max, c <= 1e18
+
+None of the computations for the arguments to `mulDiv` can overflow:
+
+* Arg 1: `px * (x0 - x)`
+  * Upper-bound: `1e36*(2**112 - 1) =~ 232 bits`
+* Arg 2: `c * x + (1e18 - c) * x0`
+  * Upper-bound: `1e18*(2**112 - 1)*2 =~ 173 bits`
+* Arg 3: `x * 1e18`
+  * Upper-bound: `1e18*(2**112 - 1) =~ 172 bits`
+
+If amounts/prices are large, and we travel too far down the curve, then `mulDiv` (or the subsequent `y0` addition) could overflow because its output value cannot be represented as a `uint256`. However, these output values would never be valid anyway, because they exceed `type(uint112).max`.
+
+To see this, consider the case where `mulDiv` fails due to overflow. This means that its result would've been greater than `2**256 - 1`. Dividing this value by the largest allowed value for `py` (`1e36`) gives approximately `2**136`, which is greater than the maximum allowed amount value of `2**112 - 1`. Both the rounding up operation and the final addition of `y0` can only further *increase* this value. This means that all cases where `mulDiv` or the subsequent additions overflow would involve `f()` returning values that are impossible for a swapper to satisfy, so they would revert anyways.
+
+### Unchecked Math
+
+As-per the previous section, none of the computations of the arguments to `mulDiv` can overflow. To prevent overflows in the remaining operations, the `mulDiv` output is further restricted to `2**248 - 1`:
+
+    unchecked {
+        uint256 v = Math.mulDiv(px * (x0 - x), c * x + (1e18 - c) * x0, x * 1e18, Math.Rounding.Ceil);
+        require(v <= type(uint248).max, Overflow());
+        return y0 + (v + (py - 1)) / py;
+    }
+
+Note that this does not change the analysis of the previous section: Values between `2**248 - 1` and `2**256 - 1` will also never reduce down to the required `2**112 - 1`, so this does not cause any additional failure cases.

src/EulerSwap.sol

@@ -4,10 +4,12 @@ pragma solidity ^0.8.27;
 import {SafeERC20, IERC20} from "openzeppelin-contracts/token/ERC20/utils/SafeERC20.sol";
 import {IEVC} from "evc/interfaces/IEthereumVaultConnector.sol";
 import {IEVault, IBorrowing, IERC4626, IRiskManager} from "evk/EVault/IEVault.sol";
+import {Errors as EVKErrors} from "evk/EVault/shared/Errors.sol";
 import {IUniswapV2Callee} from "./interfaces/IUniswapV2Callee.sol";
 import {IEulerSwap} from "./interfaces/IEulerSwap.sol";
 import {IAllowanceTransfer} from "permit2/src/interfaces/IAllowanceTransfer.sol";
 import {EVCUtil} from "evc/utils/EVCUtil.sol";
+import {Math} from "openzeppelin-contracts/utils/math/Math.sol";
 
 contract EulerSwap is IEulerSwap, EVCUtil {
     using SafeERC20 for IERC20;
@@ -48,10 +50,11 @@ contract EulerSwap is IEulerSwap, EVCUtil {
 
     error Locked();
     error Overflow();
-    error BadFee();
+    error BadParam();
     error DifferentEVC();
     error AssetsOutOfOrderOrEqual();
     error CurveViolation();
+    error DepositFailure(bytes reason);
 
     modifier nonReentrant() {
         if (status == 0) activate();
@@ -64,7 +67,11 @@ contract EulerSwap is IEulerSwap, EVCUtil {
     constructor(Params memory params, CurveParams memory curveParams) EVCUtil(IEVault(params.vault0).EVC()) {
         // EulerSwap params
 
-        require(params.fee < 1e18, BadFee());
+        require(params.fee < 1e18, BadParam());
+        require(params.debtLimit0 <= type(uint112).max && params.debtLimit1 <= type(uint112).max, BadParam());
+        require(curveParams.priceX > 0 && curveParams.priceY > 0, BadParam());
+        require(curveParams.priceX <= 1e36 && curveParams.priceY <= 1e36, BadParam());
+        require(curveParams.concentrationX <= 1e18 && curveParams.concentrationY <= 1e18, BadParam());
         require(IEVault(params.vault0).EVC() == IEVault(params.vault1).EVC(), DifferentEVC());
 
         address asset0Addr = IEVault(params.vault0).asset();
@@ -110,16 +117,10 @@ contract EulerSwap is IEulerSwap, EVCUtil {
         // Deposit all available funds, adjust received amounts downward to collect fees
 
         uint256 amount0In = IERC20(asset0).balanceOf(address(this));
-        if (amount0In > 0) {
-            depositAssets(vault0, amount0In);
-            amount0In = amount0In * feeMultiplier / 1e18;
-        }
+        if (amount0In > 0) amount0In = depositAssets(vault0, amount0In) * feeMultiplier / 1e18;
 
         uint256 amount1In = IERC20(asset1).balanceOf(address(this));
-        if (amount1In > 0) {
-            depositAssets(vault1, amount1In);
-            amount1In = amount1In * feeMultiplier / 1e18;
-        }
+        if (amount1In > 0) amount1In = depositAssets(vault1, amount1In) * feeMultiplier / 1e18;
 
         // Verify curve invariant is satisified
 
@@ -201,8 +202,12 @@ contract EulerSwap is IEulerSwap, EVCUtil {
         }
     }
 
-    function depositAssets(address vault, uint256 amount) internal {
-        IEVault(vault).deposit(amount, myAccount);
+    function depositAssets(address vault, uint256 amount) internal returns (uint256) {
+        try IEVault(vault).deposit(amount, myAccount) {}
+        catch (bytes memory reason) {
+            require(bytes4(reason) == EVKErrors.E_ZeroShares.selector, DepositFailure(reason));
+            return 0;
+        }
 
         if (IEVC(evc).isControllerEnabled(myAccount, vault)) {
             IEVC(evc).call(
@@ -213,6 +218,8 @@ contract EulerSwap is IEulerSwap, EVCUtil {
                 IEVC(evc).call(vault, myAccount, 0, abi.encodeCall(IRiskManager.disableController, ()));
             }
         }
+
+        return amount;
     }
 
     function myDebt(address vault) internal view returns (uint256) {
@@ -239,7 +246,12 @@ contract EulerSwap is IEulerSwap, EVCUtil {
     }
 
     /// @dev EulerSwap curve definition
-    function f(uint256 xt, uint256 px, uint256 py, uint256 x0, uint256 y0, uint256 c) internal pure returns (uint256) {
-        return y0 + px * 1e18 / py * (c * (2 * x0 - xt) / 1e18 + (1e18 - c) * x0 / 1e18 * x0 / xt - x0) / 1e18;
+    /// Pre-conditions: x <= x0, 1 <= {px,py} <= 1e36, {x0,y0} <= type(uint112).max, c <= 1e18
+    function f(uint256 x, uint256 px, uint256 py, uint256 x0, uint256 y0, uint256 c) internal pure returns (uint256) {
+        unchecked {
+            uint256 v = Math.mulDiv(px * (x0 - x), c * x + (1e18 - c) * x0, x * 1e18, Math.Rounding.Ceil);
+            require(v <= type(uint248).max, Overflow());
+            return y0 + (v + (py - 1)) / py;
+        }
     }
 }

test/DepositFailures.t.sol

@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+pragma solidity ^0.8.24;
+
+import {IEVault, IEulerSwap, EulerSwapTestBase, EulerSwap, TestERC20} from "./EulerSwapTestBase.t.sol";
+import {IRMTestFixed} from "evk-test/mocks/IRMTestFixed.sol";
+import {Errors as EVKErrors} from "evk/EVault/shared/Errors.sol";
+import "evk/EVault/shared/Constants.sol" as EVKConstants;
+
+contract DepositFailuresTest is EulerSwapTestBase {
+    EulerSwap public eulerSwap;
+    address public griefer = makeAddr("griefer");
+
+    function setUp() public virtual override {
+        super.setUp();
+
+        eulerSwap = createEulerSwap(50e18, 50e18, 0, 1e18, 1e18, 0.4e18, 0.85e18);
+    }
+
+    function test_griefing() public monotonicHolderNAV {
+        // Make a borrow to push exchange rate > 1
+
+        eTST2.setInterestRateModel(address(new IRMTestFixed()));
+
+        mintAndDeposit(griefer, eTST, 100e18);
+
+        vm.prank(griefer);
+        evc.enableCollateral(griefer, address(eTST));
+        vm.prank(griefer);
+        evc.enableController(griefer, address(eTST2));
+
+        vm.prank(griefer);
+        eTST2.borrow(1e18, griefer);
+        skip(1);
+
+        // Do a swap
+
+        uint256 amountIn = 1e18;
+        uint256 amountOut =
+            periphery.quoteExactInput(address(eulerSwap), address(assetTST), address(assetTST2), amountIn);
+        assertApproxEqAbs(amountOut, 0.9974e18, 0.0001e18);
+
+        // Honest deposit
+        assetTST.mint(address(this), amountIn);
+        assetTST.transfer(address(eulerSwap), amountIn);
+
+        // Griefer front-runs with 1 wei deposit, which rounds down to 0 shares
+        assetTST2.mint(address(this), 1);
+        assetTST2.transfer(address(eulerSwap), 1);
+
+        // Naive deposit() would fail with E_ZeroShares
+        eulerSwap.swap(0, amountOut, address(this), "");
+
+        assertEq(assetTST2.balanceOf(address(this)), amountOut);
+
+        assertEq(assetTST2.balanceOf(address(eulerSwap)), 1); // griefing transfer was untouched
+    }
+
+    function test_depositFailure() public monotonicHolderNAV {
+        // Do a swap
+
+        uint256 amountIn = 1e18;
+        uint256 amountOut =
+            periphery.quoteExactInput(address(eulerSwap), address(assetTST), address(assetTST2), amountIn);
+        assertApproxEqAbs(amountOut, 0.9974e18, 0.0001e18);
+
+        // Honest deposit
+        assetTST.mint(address(this), amountIn);
+        assetTST.transfer(address(eulerSwap), amountIn);
+
+        // Griefer front-runs with 1 wei deposit, which rounds down to 0 shares
+        assetTST2.mint(address(this), 1);
+        assetTST2.transfer(address(eulerSwap), 1);
+
+        // Force deposits to fail
+        eTST2.setHookConfig(address(0), EVKConstants.OP_DEPOSIT);
+
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                EulerSwap.DepositFailure.selector, abi.encodeWithSelector(EVKErrors.E_OperationDisabled.selector)
+            )
+        );
+        eulerSwap.swap(0, amountOut, address(this), "");
+
+        assertEq(assetTST2.balanceOf(address(this)), 0);
+
+        assertEq(assetTST2.balanceOf(address(eulerSwap)), 1); // griefing transfer was untouched
+    }
+}

test/EulerSwapFactoryTest.t.sol

@@ -79,7 +79,7 @@ contract EulerSwapFactoryTest is EulerSwapTestBase {
 
     function testDeployWithBadFee() public {
         vm.prank(creator);
-        vm.expectRevert(EulerSwap.BadFee.selector);
+        vm.expectRevert(EulerSwap.BadParam.selector);
         eulerSwapFactory.deployPool(
             IEulerSwapFactory.DeployParams(
                 address(eTST), address(eTST2), holder, 1e18, 1e18, 1e18, 0.4e18, 0.85e18, 50e18, 50e18

test/EulerSwapTest.t.sol

@@ -175,4 +175,18 @@ contract EulerSwapTest is EulerSwapTestBase {
             assertGe(getHolderNAV(), origNAV);
         }
     }
+
+    /*
+    // Make `f()` function public to run this test
+    function test_fFuncOverflow(uint256 xt, uint256 px, uint256 py, uint256 x0, uint256 y0, uint256 c) public view {
+        x0 = bound(x0, 1, type(uint112).max);
+        y0 = bound(y0, 0, type(uint112).max);
+        xt = bound(xt, 1 + x0 / 1e3, x0); // thousand-fold price movement
+        px = bound(px, 1, 1e36);
+        py = bound(py, 1, 1e36);
+        c = bound(c, 1, 1e18);
+
+        eulerSwap.f(xt, px, py, x0, y0, c);
+    }
+    */
 }