checkpoint

README.md

@@ -6,14 +6,6 @@ This workshop will walk you through the basics of securing smart contracts by te
 
 In this workshop we will be protecting a governance heavy application from the consequences of malicious upgrades and or deployment scripts.
 
-## Bug Types
-- **Deployment** - Incorrect parameters, caught with a validation 
-- **Deployment** - Incorrect parameters, caught with an integration test ✓
-****
-- **Upgrade** - Storage offset changes, caught with an integration test, also caught with a validation
-- **Upgrade** - Logic error, caught with an integration test
-****
-
 ### Further Reading
 
 For governance safety assistance, refer to our [forge proposal simulator](https://github.com/solidity-labs-io/forge-proposal-simulator) tool. See the [security checklist](https://github.com/solidity-labs-io/code-review-checklist) and [security](https://medium.com/@elliotfriedman3/a-security-stack-4aedd8617e8b) [stack](https://medium.com/@elliotfriedman3/a-security-stack-part-2-aaacbbf77346) for a list of items to consider when building a smart contract system.
@@ -31,11 +23,3 @@ Make sure the latest version of foundry is installed. If not, run:
 ```bash
 foundryup
 ```
-
-Later exercises will use the certora prover. If you need to install, first check the system prerequisites from the Certora documentation. https://docs.certora.com/en/latest/docs/user-guide/install.html
-
-To install the prover run:
-
-```bash
-pip3 install certora-cli
-```

src/exercises/03/Vault03.sol

@@ -10,7 +10,6 @@ import {VaultStorageOwnable} from
     "src/exercises/storage/VaultStorageOwnable.sol";
 
 /// @notice Add maxsupply to the vault and update getNormalizedAmount logic
-/// deploy Vault 03 to mainnet
 /// add integration tests
 contract Vault is VaultStorageOwnable {
     using SafeERC20 for IERC20;
@@ -180,7 +179,7 @@ contract Vault is VaultStorageOwnable {
         uint8 decimals = IERC20Metadata(token).decimals();
         normalizedAmount = amount;
         if (decimals < 18) {
-            normalizedAmount = amount ** (10 * (18 - decimals));
+            normalizedAmount = amount * (10 ** (18 - decimals));
         }
     }
 }

src/exercises/04/SIP04.sol

@@ -70,6 +70,7 @@ contract SIP04 is GovernorBravoProposal {
         override
         buildModifier(addresses.getAddress("COMPOUND_TIMELOCK_BRAVO"))
     {
+        /// static calls - filtered out
         address vaultProxy = addresses.getAddress("VAULT_PROXY");
         bytes32 adminSlot =
             vm.load(vaultProxy, ERC1967Utils.ADMIN_SLOT);
@@ -115,6 +116,9 @@ contract SIP04 is GovernorBravoProposal {
             vm.load(vaultProxy, ERC1967Utils.ADMIN_SLOT);
         address proxyAdmin = address(uint160(uint256(adminSlot)));
 
+        /// check not paused
+        /// check logic contract address is v4 impl
+
         assertEq(
             ProxyAdmin(proxyAdmin).owner(),
             addresses.getAddress("COMPOUND_TIMELOCK_BRAVO"),

src/exercises/storage/VaultStoragePausable.sol

@@ -12,7 +12,7 @@ import {Authorized} from "src/exercises/storage/Authorized.sol";
 contract VaultStoragePausable is
     OwnableUpgradeable,
     Supply,
+    Authorized,
     Balances,
-    PausableUpgradeable,
-    Authorized
+    PausableUpgradeable
 {}

test/TestVault01.t.sol

@@ -0,0 +1,186 @@
+pragma solidity ^0.8.0;
+
+import {SafeERC20} from
+    "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import {console} from "@forge-std/console.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {Test} from "@forge-std/Test.sol";
+
+import {Vault} from "src/exercises/01/Vault01.sol";
+import {SIP01} from "src/exercises/01/SIP01.sol";
+
+contract TestVault01 is Test, SIP01 {
+    using SafeERC20 for IERC20;
+
+    Vault public vault;
+
+    /// @notice user addresses
+    address public immutable userA = address(1111);
+    address public immutable userB = address(2222);
+    address public immutable userC = address(3333);
+
+    /// @notice token addresses
+    address public usdc;
+    address public usdt;
+
+    function setUp() public {
+        /// set the environment variables
+        vm.setEnv("DO_RUN", "false");
+        vm.setEnv("DO_BUILD", "false");
+        vm.setEnv("DO_DEPLOY", "true");
+        vm.setEnv("DO_SIMULATE", "false");
+        vm.setEnv("DO_PRINT", "false");
+        vm.setEnv("DO_VALIDATE", "true");
+
+        /// setup the proposal
+        setupProposal();
+
+        /// run the proposal
+        deploy();
+
+        usdc = addresses.getAddress("USDC");
+        usdt = addresses.getAddress("USDT");
+        vault = Vault(addresses.getAddress("V1_VAULT"));
+    }
+
+    function testVaultDepositUsdc() public {
+        uint256 usdcDepositAmount = 1_000e6;
+
+        _vaultDeposit(usdc, address(this), usdcDepositAmount);
+    }
+
+    function testMultipleUsersDepositUsdc() public {
+        uint256 usdcDepositAmount = 1_000e6;
+
+        _vaultDeposit(usdc, userA, usdcDepositAmount);
+        _vaultDeposit(usdc, userB, usdcDepositAmount);
+        _vaultDeposit(usdc, userC, usdcDepositAmount);
+    }
+
+    function testVaultWithdrawalUsdc() public {
+        uint256 usdcDepositAmount = 1_000e6;
+
+        _vaultDeposit(usdc, address(this), usdcDepositAmount);
+
+        vault.withdraw(usdc, usdcDepositAmount);
+
+        assertEq(
+            vault.balanceOf(address(this)),
+            0,
+            "vault usdc balance not 0"
+        );
+        assertEq(
+            vault.totalSupplied(), 0, "vault total supplied not 0"
+        );
+        assertEq(
+            IERC20(usdc).balanceOf(address(this)),
+            usdcDepositAmount,
+            "user's usdc balance not increased"
+        );
+    }
+
+    function testVaultDepositUsdt() public {
+        uint256 usdtDepositAmount = 1_000e8;
+
+        _vaultDeposit(usdt, address(this), usdtDepositAmount);
+    }
+
+    function testVaultWithdrawalUsdt() public {
+        uint256 usdtDepositAmount = 1_000e8;
+
+        _vaultDeposit(usdt, address(this), usdtDepositAmount);
+        vault.withdraw(usdt, usdtDepositAmount);
+
+        assertEq(
+            vault.balanceOf(address(this)),
+            0,
+            "vault usdt balance not 0"
+        );
+        assertEq(
+            vault.totalSupplied(), 0, "vault total supplied not 0"
+        );
+        assertEq(
+            IERC20(usdt).balanceOf(address(this)),
+            usdtDepositAmount,
+            "user's usdt balance not increased"
+        );
+    }
+
+    function testSwapTwoUsers() public {
+        uint256 usdcDepositAmount = 1_000e6;
+        uint256 usdtDepositAmount = 1_000e8;
+
+        _vaultDeposit(usdc, userA, usdcDepositAmount);
+        _vaultDeposit(usdt, userB, usdtDepositAmount);
+
+        vm.prank(userA);
+        vault.withdraw(usdt, usdcDepositAmount);
+        assertEq(
+            IERC20(usdt).balanceOf(userA),
+            usdcDepositAmount,
+            "userA usdt balance not increased"
+        );
+
+        vm.prank(userB);
+        vault.withdraw(usdc, usdcDepositAmount);
+        assertEq(
+            IERC20(usdc).balanceOf(userB),
+            usdcDepositAmount,
+            "userB usdc balance not increased"
+        );
+        assertEq(
+            IERC20(usdt).balanceOf(userA),
+            usdcDepositAmount,
+            "userB usdt balance remains unchanged"
+        );
+    }
+
+    function _vaultDeposit(
+        address token,
+        address sender,
+        uint256 amount
+    ) private {
+        uint256 startingTotalSupplied = vault.totalSupplied();
+        uint256 startingTotalBalance =
+            IERC20(token).balanceOf(address(vault));
+        uint256 startingUserBalance = vault.balanceOf(sender);
+
+        deal(token, sender, amount);
+
+        vm.startPrank(sender);
+        IERC20(token).safeIncreaseAllowance(
+            addresses.getAddress("V1_VAULT"), amount
+        );
+
+        /// this executes 3 state transitions:
+        ///     1. deposit dai into the vault
+        ///     2. increase the user's balance in the vault
+        ///     3. increase the total supplied amount in the vault
+        vault.deposit(token, amount);
+        vm.stopPrank();
+
+        uint256 normalizedAmount =
+            vault.getNormalizedAmount(token, amount);
+
+        assertEq(
+            vault.balanceOf(sender),
+            startingUserBalance + normalizedAmount,
+            "user vault balance not increased"
+        );
+        assertEq(
+            vault.totalSupplied(),
+            startingTotalSupplied + normalizedAmount,
+            "vault total supplied not increased by deposited amount"
+        );
+        assertEq(
+            IERC20(token).balanceOf(address(vault)),
+            startingTotalBalance + amount,
+            "token balance not increased"
+        );
+    }
+}
+
+interface USDT {
+    function approve(address, uint256) external;
+    function transferFrom(address, address, uint256) external;
+}

test/TestVault02.t.sol

@@ -2,7 +2,6 @@ pragma solidity ^0.8.0;
 
 import {SafeERC20} from
     "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-import {console} from "@forge-std/console.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {Test} from "@forge-std/Test.sol";
 
@@ -79,10 +78,6 @@ contract TestVault02 is Test, SIP02 {
             addresses.getAddress("V2_VAULT"), usdtDepositAmount
         );
 
-        /// this executes 3 state transitions:
-        ///     1. deposit dai into the vault
-        ///     2. increase the user's balance in the vault
-        ///     3. increase the total supplied amount in the vault
         vault.deposit(usdt, usdtDepositAmount);
 
         assertEq(
@@ -141,6 +136,11 @@ contract TestVault02 is Test, SIP02 {
 
         vm.prank(userB);
         vault.withdraw(usdc, usdcDepositAmount);
+        assertEq(
+            IERC20(usdc).balanceOf(userB),
+            usdcDepositAmount,
+            "userB usdc balance not increased"
+        );
         assertEq(
             IERC20(usdt).balanceOf(userA),
             usdcDepositAmount,