disallow rebase calls from contracts (#145)

Co-authored-by: Brandon Iles <brandon@ampleforth.org>

Author: brandoniles

contracts/UFragmentsPolicy.sol

@@ -83,13 +83,16 @@ contract UFragmentsPolicy is Ownable {
     uint256 private constant MAX_SUPPLY = ~(uint256(1) << 255) / MAX_RATE;
 
     /**
-     * @notice Anyone can call this function to initiate a new rebase operation, provided more than
-     *         the minimum time period has elapsed.
+     * @notice Any EOA address can call this function to initiate a new rebase operation, provided
+     *         more than the minimum time period has elapsed.
+     *         Contracts are guarded from calling, to avoid flash loan attacks on liquidity
+     *         providers.
      * @dev The supply adjustment equals (_totalSupply * DeviationFromTargetRate) / rebaseLag
      *      Where DeviationFromTargetRate is (MarketOracleRate - targetRate) / targetRate
      *      and targetRate is CpiOracleRate / baseCpi
      */
     function rebase() external {
+        require(msg.sender == tx.origin);  // solhint-disable-line avoid-tx-origin
         require(inRebaseWindow());
 
         // This comparison also ensures there is no reentrancy.

contracts/mocks/RebaseCallerContract.sol

@@ -0,0 +1,21 @@
+pragma solidity 0.4.24;
+
+import "../UFragmentsPolicy.sol";
+
+
+contract RebaseCallerContract {
+    UFragmentsPolicy private _policy;
+
+    constructor(address policy) public {
+        _policy = UFragmentsPolicy(policy);
+    }
+
+    function callRebase() public returns (bool) {
+        // Take out a flash loan.
+        // Do something funky...
+        _policy.rebase();  // should fail
+        // pay back flash loan.
+
+        return true;
+    }
+}

test/unit/UFragmentsPolicy.js

@@ -1,6 +1,7 @@
 const UFragmentsPolicy = artifacts.require('UFragmentsPolicy.sol');
 const MockUFragments = artifacts.require('MockUFragments.sol');
 const MockOracle = artifacts.require('MockOracle.sol');
+const RebaseCallerContract = artifacts.require('RebaseCallerContract.sol');
 
 const encodeCall = require('zos-lib/lib/helpers/encodeCall').default;
 const BigNumber = web3.BigNumber;
@@ -12,7 +13,7 @@ require('chai')
   .use(require('chai-bignumber')(BigNumber))
   .should();
 
-let uFragmentsPolicy, mockUFragments, mockMarketOracle, mockCpiOracle;
+let uFragmentsPolicy, mockUFragments, mockMarketOracle, mockCpiOracle, rebaseCallerContract;
 let r, prevEpoch, prevTime;
 let deployer, user;
 
@@ -45,6 +46,7 @@ async function setupContracts () {
   });
   await uFragmentsPolicy.setMarketOracle(mockMarketOracle.address);
   await uFragmentsPolicy.setCpiOracle(mockCpiOracle.address);
+  rebaseCallerContract = await RebaseCallerContract.new(uFragmentsPolicy.address);
 }
 
 async function setupContractsWithOpenRebaseWindow () {
@@ -268,6 +270,30 @@ contract('UFragments:setRebaseTimingParameters:accessControl', function (account
   });
 });
 
+contract('UFragmentsPolicy:Rebase:accessControl', async function (accounts) {
+  before('setup UFragmentsPolicy contract', async function () {
+    await setupContractsWithOpenRebaseWindow();
+    await mockExternalData(INITIAL_RATE_30P_MORE, INITIAL_CPI, 1000, true);
+    await chain.waitForSomeTime(60);
+  });
+
+  describe('when rebase called by an EOA', function () {
+    it('should succeed', async function () {
+      expect(
+        await chain.isEthException(uFragmentsPolicy.rebase())
+      ).to.be.false;
+    });
+  });
+
+  describe('when rebase called by a contract', function () {
+    it('should fail', async function () {
+      expect(
+        await chain.isEthException(rebaseCallerContract.callRebase())
+      ).to.be.true;
+    });
+  });
+});
+
 contract('UFragmentsPolicy:Rebase', async function (accounts) {
   before('setup UFragmentsPolicy contract', setupContractsWithOpenRebaseWindow);