External functions from bundlers can be called by anyone

[Rubilmax]

In order to protect users from unexpected behaviors of the bundlers, we may consider protecting external functions with onlySelf:

modifier onlySelf() {
  require(msg.sender == address(this));

  _;
}

However, this would not work with callbacks, because they are expected to be called by specific addresses. In all cases, we know they expected address to call callbacks (Morpho, Balancer, etc), so we can craft a similar, dedicated solution for each callback type

In any case, it doesn't threaten security because the bundler is expected to be stateless between txs

[MerlinEgalite]

Adding those modifiers means that we're not sure about the security of bundlers in some way, no?

[Rubilmax]

These modifiers would only have the goal of protecting the user, as I stated in the description of this issue ; I don't see why adding them means we're not sure about the security of bundlers?

[MerlinEgalite]

I'm not sure what you mean by "unexpected behaviors of the bundlers" then. Can you elaborate on that please?

[Rubilmax]

When calling the bundler without going through multicall:

• _initiator is uninitialized whereas it's used inside functions
• you can't provide ETH to the call (functions are not payable)

[MerlinEgalite]

So there's 2 paths:

1. Either we write a comment tellings users to pass though the multicall only
2. Add this modifier to protect users

2 is not necessary but does not add much gas cost either. 1 could be sufficient and does not add more complexity.

@morpho-labs/onchain thoughts?

[pakim249CAL]

I agree with just putting a comment. Users should generally not be interacting with the contracts directly anyway.

[makcandrov]

I agree with Patrick. These contracts are not meant to be used by users who know how to use/write smart contracts anyway

[Rubilmax]

In addition to this, I closed #97 because having dedicated interfaces for each abstract bundler would be error-prone: bundler functions should not be called directly