Skip to content

fix: Add an explicit bounds check to prevent silent truncation in _approveWithPermit2 #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lucas-manuel merged 3 commits into from
Dec 19, 2025
Merged

fix: Add an explicit bounds check to prevent silent truncation in _approveWithPermit2 #207

lucas-manuel merged 3 commits into from
Dec 19, 2025

Conversation

@supercontracts
Copy link
Collaborator

@supercontracts supercontracts commented Dec 19, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Bug Fixes

    • Added a runtime guard to block approval requests that exceed the permitted maximum; oversized permit attempts now fail early with a clear rejection ("MC/amount-too-large-for-permit2"), improving safety and reliability.

  • Tests

    • Updated and renamed tests to reflect the new maximum-amount boundary semantics and added explicit revert expectations validating the guard.

✏️ Tip: You can customize this high-level summary in your review settings.

@supercontracts supercontracts self-assigned this Dec 19, 2025
@octane-security-app
Copy link

octane-security-app bot commented Dec 19, 2025

Summary by Octane

New Contracts

No new contracts were added.

Updated Contracts

  • UniswapV4Lib.sol: The smart contract now ensures pool ID matches and limits permit2 amount to uint160 max.

🔗 Commit Hash: 4a1a221

@coderabbitai
Copy link

coderabbitai bot commented Dec 19, 2025
edited
Loading

Warning

Rate limit exceeded

@deluca-mike has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 0 minutes and 34 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between a94ce31 and 1c9ed33.

📒 Files selected for processing (2)
  • src/libraries/UniswapV4Lib.sol (1 hunks)
  • test/mainnet-fork/Uniswapv4.t.sol (10 hunks)

Walkthrough

Added a runtime guard in UniswapV4Lib::_approveWithPermit2 to revert with "MC/amount-too-large-for-permit2" when the approved amount exceeds type(uint160).max; updated tests to use fixed inputs, expect this revert, and renamed several test functions to reflect the new boundary semantics.

Changes

Cohort / File(s) Summary
Permit2 amount guard
src/libraries/UniswapV4Lib.sol		 Add runtime check in internal _approveWithPermit2 enforcing amount <= type(uint160).max; revert with "MC/amount-too-large-for-permit2" if exceeded. No public API changes.
Tests: boundary semantics & expectations
test/mainnet-fork/Uniswapv4.t.sol		 Rename multiple test functions to reflect "MaxAmountsTooLargeForPermit2"/boundary names; replace forecasted amounts with fixed inputs; add explicit revert expectations for "MC/amount-too-large-for-permit2" and adjust max-amount parameters across several test cases.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review focus:
    • src/libraries/UniswapV4Lib.sol — verify correct uint160 threshold and exact error string.
    • test/mainnet-fork/Uniswapv4.t.sol — ensure renamed test signatures integrate with test runner and that revert assertions target the new guard.
    • Check any callers that might rely on larger Permit2 amounts.

Possibly related PRs

Suggested reviewers

  • lucas-manuel
  • supercontracts

Poem

🐇 I nibbled through bytes and paused at a gate,
A number too tall — I said, "Not today."
A tiny guard set, neat and polite,
Tests updated, all tucked in tight.
Hop, hop — safe code, and carrots in sight. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title starts with a valid prefix ('fix:') and clearly describes the main change: adding an explicit bounds check to prevent silent truncation in the _approveWithPermit2 function, which aligns with the code changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 19, 2025
View reviewed changes
@octane-security-app
Copy link

octane-security-app bot commented Dec 19, 2025

Overview

Vulnerabilities found: 10                                                                                
Warnings found: 13                                                                                

🔗 Commit Hash: 4a1a221
🛡️ Octane Dashboard: All vulnerabilities

@deluca-mike deluca-mike force-pushed the fix/cantina-13-_approveWithPermit2 branch from 4a1a221 to f908fd2 Compare December 19, 2025 16:32
coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 19, 2025
View reviewed changes
@lucas-manuel lucas-manuel force-pushed the fix/cantina-13-_approveWithPermit2 branch from f908fd2 to caba61b Compare December 19, 2025 18:23
@deluca-mike deluca-mike force-pushed the fix/cantina-13-_approveWithPermit2 branch from caba61b to ec7bb87 Compare December 19, 2025 19:29
coderabbitai[bot]
coderabbitai bot requested changes Dec 19, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between caba61b and ec7bb87.

📒 Files selected for processing (2)
  • src/libraries/UniswapV4Lib.sol (1 hunks)
  • test/mainnet-fork/Uniswapv4.t.sol (10 hunks)
🧰 Additional context used
🧠 Learnings (4)
📚 Learning: 2025-11-04T17:15:21.481Z 
Learnt from: deluca-mike
Repo: sparkdotfi/spark-alm-controller PR: 185
File: test/base-fork/Aave.t.sol:59-63
Timestamp: 2025-11-04T17:15:21.481Z
Learning: In the spark-alm-controller repository, test files in test/base-fork/ use ForkTestBase from test/base-fork/ForkTestBase.t.sol where _setControllerEntered() defaults to writing the reentrancy guard state to foreignController, while test files in test/mainnet-fork/ use ForkTestBase from test/mainnet-fork/ForkTestBase.t.sol where _setControllerEntered() defaults to mainnetController.

Applied to files:

  • test/mainnet-fork/Uniswapv4.t.sol
📚 Learning: 2025-11-04T17:15:39.489Z 
Learnt from: deluca-mike
Repo: sparkdotfi/spark-alm-controller PR: 185
File: test/base-fork/Morpho.t.sol:122-126
Timestamp: 2025-11-04T17:15:39.489Z
Learning: In the spark-alm-controller repository, tests in the `test/base-fork/` directory use `ForkTestBase` from `test/base-fork/ForkTestBase.t.sol`, where the `_setControllerEntered()` helper function defaults to setting the reentrancy guard state on `foreignController`. Tests in `test/mainnet-fork/` use their own `ForkTestBase` which defaults to `mainnetController`.

Applied to files:

  • test/mainnet-fork/Uniswapv4.t.sol
📚 Learning: 2025-11-11T19:43:16.032Z 
Learnt from: deluca-mike
Repo: sparkdotfi/spark-alm-controller PR: 0
File: :0-0
Timestamp: 2025-11-11T19:43:16.032Z
Learning: In spark-alm-controller, the burnPosition and decreasePosition functions in UniswapV4Lib.sol intentionally do not validate ownership because burning someone else's position would cause the underlying tokens to flow to the proxy, which benefits the system rather than harming it.

Applied to files:

  • test/mainnet-fork/Uniswapv4.t.sol
📚 Learning: 2025-11-11T19:43:16.032Z 
Learnt from: deluca-mike
Repo: sparkdotfi/spark-alm-controller PR: 0
File: :0-0
Timestamp: 2025-11-11T19:43:16.032Z
Learning: In spark-alm-controller, rate limits for Uniswap positions sum both tokens normalized to 18 decimals, which doesn't account for actual USD values. This is a known design decision where normalized balance is used rather than USD-denominated values.

Applied to files:

  • test/mainnet-fork/Uniswapv4.t.sol
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build
  • GitHub Check: coverage
  • GitHub Check: test
🔇 Additional comments (2)
src/libraries/UniswapV4Lib.sol (1)

258-259: LGTM! Excellent defensive programming.

The bounds check correctly prevents silent truncation when casting amount to uint160 at line 292. Without this guard, amounts exceeding type(uint160).max would have been silently truncated, potentially approving far less than intended and causing transaction failures or allowing operations with insufficient approvals.

test/mainnet-fork/Uniswapv4.t.sol (1)

1020-1060: Well-structured boundary tests.

The permit2 boundary test correctly validates:

  1. amount0Max exceeding type(uint160).max reverts with "MC/amount-too-large-for-permit2"
  2. amount1Max exceeding type(uint160).max reverts with "MC/amount-too-large-for-permit2"
  3. Valid amounts within bounds succeed

Using fixed deal amounts (1_000_000e6) is appropriate here since we're testing the boundary check, not the liquidity provision logic.

@deluca-mike deluca-mike force-pushed the fix/cantina-13-_approveWithPermit2 branch from ec7bb87 to a94ce31 Compare December 19, 2025 19:33
coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 19, 2025
View reviewed changes
@deluca-mike deluca-mike force-pushed the fix/cantina-13-_approveWithPermit2 branch 2 times, most recently from 5e6c5bc to c239b0a Compare December 19, 2025 19:47
@deluca-mike deluca-mike force-pushed the fix/cantina-13-_approveWithPermit2 branch from c239b0a to 074d5ab Compare December 19, 2025 19:51
@lucas-manuel lucas-manuel merged commit d54b80d into dev Dec 19, 2025
4 checks passed
@lucas-manuel lucas-manuel deleted the fix/cantina-13-_approveWithPermit2 branch December 19, 2025 20:02
@github-actions
Copy link

github-actions bot commented Dec 19, 2025

Coverage after merging fix/cantina-13-_approveWithPermit2 into dev will be

99.36%

Coverage Report
FileStmtsBranchesFuncsLinesUncovered Lines
deploy
   ControllerDeploy.sol100%100%100%100%
   ForeignControllerInit.sol100%100%100%100%
   MainnetControllerInit.sol97.37%93.33%100%100%152, 90
src
   ALMProxy.sol100%100%100%100%
   ALMProxyFreezable.sol100%100%100%100%
   ForeignController.sol94.90%84.62%95.65%97.22%128–129, 129, 129, 316–317, 573
   MainnetController.sol99.18%100%98.28%99.24%538–539
   OTCBuffer.sol100%100%100%100%
   RateLimitHelpers.sol100%100%100%100%
   RateLimits.sol100%100%100%100%
src/libraries
   AaveLib.sol100%100%100%100%
   ApproveLib.sol100%100%100%100%
   CCTPLib.sol100%100%100%100%
   CurveLib.sol100%100%100%100%
   ERC4626Lib.sol96%75%100%100%108
   PSMLib.sol100%100%100%100%
   UniswapV4Lib.sol99.33%96%100%100%284

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@deluca-mike deluca-mike Awaiting requested review from deluca-mike

@lucas-manuel lucas-manuel Awaiting requested review from lucas-manuel

Assignees

@supercontracts supercontracts

Labels

Priority: High Status: Ready for Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@supercontracts @lucas-manuel @deluca-mike