fix: routerplus issue

Author: 0xTimepunk

Makefile

@@ -121,7 +121,7 @@ build-sizes: ## Builds the project and shows sizes
 
 .PHONY: test-vvv
 test-vvv: ## Runs tests with verbose output
-	forge test --match-test test_superRegistryAddresses --evm-version cancun -vv
+	forge test --match-test test_deposit4626_maliciousReceiver --evm-version cancun -vvv
 
 .PHONY: ftest
 ftest: ## Runs tests with cancun evm version

src/router-plus/SuperformRouterPlus.sol

@@ -33,6 +33,13 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
     /// @dev Tolerance constant to account for tokens with rounding issues on transfer
     uint256 constant TOLERANCE_CONSTANT = 10 wei;
 
+    //////////////////////////////////////////////////////////////
+    //                      ERRORS                               //
+    //////////////////////////////////////////////////////////////
+
+    /// @notice thrown if the receiver address is invalid
+    /// @dev notice this error was added to prevent malicious deposits
+    error RECEIVER_ADDRESS_MISMATCH();
     //////////////////////////////////////////////////////////////
     //                      CONSTRUCTOR                         //
     //////////////////////////////////////////////////////////////
@@ -485,7 +492,8 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
             revert Error.VAULT_IMPLEMENTATION_FAILED();
         }
 
-        uint256 amountIn = _validateAndGetAmountIn(rebalanceToCallData, availableBalanceToDeposit);
+        uint256 amountIn =
+            _validateAndGetAmountIn(rebalanceToCallData, args.receiverAddressSP, availableBalanceToDeposit);
 
         _deposit(router_, interimAsset, amountIn, args.rebalanceToMsgValue, rebalanceToCallData);
     }
@@ -643,7 +651,7 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
 
         uint256 amountRedeemed = _redeemShare(vault, assetAdr, args.amount, args.expectedOutputAmount, args.maxSlippage);
 
-        uint256 amountIn = _validateAndGetAmountIn(args.depositCallData, amountRedeemed);
+        uint256 amountIn = _validateAndGetAmountIn(args.depositCallData, args.receiverAddressSP, amountRedeemed);
 
         address router = _getAddress(keccak256("SUPERFORM_ROUTER"));
 
@@ -656,6 +664,7 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
 
     function _validateAndGetAmountIn(
         bytes calldata rebalanceToCallData,
+        address receiverAddressSP,
         uint256 availableBalanceToDeposit
     )
         internal
@@ -674,10 +683,12 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
             SingleVaultSFData memory sfData =
                 abi.decode(_parseCallData(rebalanceToCallData), (SingleDirectSingleVaultStateReq)).superformData;
             amountIn = _takeAmountIn(sfData.liqRequest, sfData.amount);
+            _checkReceiverAddress(receiverAddressSP, sfData.receiverAddress, sfData.receiverAddressSP);
         } else if (rebalanceToSelector == IBaseRouter.singleXChainSingleVaultDeposit.selector) {
             SingleVaultSFData memory sfData =
                 abi.decode(_parseCallData(rebalanceToCallData), (SingleXChainSingleVaultStateReq)).superformData;
             amountIn = _takeAmountIn(sfData.liqRequest, sfData.amount);
+            _checkReceiverAddress(receiverAddressSP, sfData.receiverAddress, sfData.receiverAddressSP);
         } else if (rebalanceToSelector == IBaseRouter.singleDirectMultiVaultDeposit.selector) {
             MultiVaultSFData memory sfData =
                 abi.decode(_parseCallData(rebalanceToCallData), (SingleDirectMultiVaultStateReq)).superformData;
@@ -687,6 +698,7 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
                 amountInTemp = _takeAmountIn(sfData.liqRequests[i], sfData.amounts[i]);
                 amountIn += amountInTemp;
             }
+            _checkReceiverAddress(receiverAddressSP, sfData.receiverAddress, sfData.receiverAddressSP);
         } else if (rebalanceToSelector == IBaseRouter.singleXChainMultiVaultDeposit.selector) {
             MultiVaultSFData memory sfData =
                 abi.decode(_parseCallData(rebalanceToCallData), (SingleXChainMultiVaultStateReq)).superformsData;
@@ -695,13 +707,15 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
                 amountInTemp = _takeAmountIn(sfData.liqRequests[i], sfData.amounts[i]);
                 amountIn += amountInTemp;
             }
+            _checkReceiverAddress(receiverAddressSP, sfData.receiverAddress, sfData.receiverAddressSP);
         } else if (rebalanceToSelector == IBaseRouter.multiDstSingleVaultDeposit.selector) {
             SingleVaultSFData[] memory sfData =
                 abi.decode(_parseCallData(rebalanceToCallData), (MultiDstSingleVaultStateReq)).superformsData;
             uint256 lenDst = sfData.length;
             for (uint256 i; i < lenDst; ++i) {
                 amountInTemp = _takeAmountIn(sfData[i].liqRequest, sfData[i].amount);
                 amountIn += amountInTemp;
+                _checkReceiverAddress(receiverAddressSP, sfData[i].receiverAddress, sfData[i].receiverAddressSP);
             }
         } else if (rebalanceToSelector == IBaseRouter.multiDstMultiVaultDeposit.selector) {
             MultiVaultSFData[] memory sfData =
@@ -713,6 +727,7 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
                     amountInTemp = _takeAmountIn(sfData[i].liqRequests[j], sfData[i].amounts[j]);
                     amountIn += amountInTemp;
                 }
+                _checkReceiverAddress(receiverAddressSP, sfData[i].receiverAddress, sfData[i].receiverAddressSP);
             }
         }
 
@@ -726,4 +741,21 @@ contract SuperformRouterPlus is ISuperformRouterPlus, BaseSuperformRouterPlus {
             revert ASSETS_RECEIVED_OUT_OF_SLIPPAGE();
         }
     }
+
+    function _checkReceiverAddress(
+        address receiverAddressSP,
+        address callDataReceiverAddress,
+        address callDataReceiverAddressSP
+    )
+        internal
+        pure
+    {
+        /// @dev These checks below prevent a user approving funds to router plus while another user receives the
+        /// SuperPositions
+
+        /// @dev We force all receiver addresses to match
+        if (receiverAddressSP != callDataReceiverAddressSP || callDataReceiverAddressSP != callDataReceiverAddress) {
+            revert RECEIVER_ADDRESS_MISMATCH();
+        }
+    }
 }

test/unit/router-plus/SuperformRouterPlus.t.sol

@@ -2747,6 +2747,73 @@ contract SuperformRouterPlusTest is ProtocolActions {
     //                 SAME_CHAIN REBALANCING TESTS             //
     //////////////////////////////////////////////////////////////
 
+    function _buildRebalanceSinglePositionToOneVaultArgsHack(address user)
+        internal
+        view
+        returns (ISuperformRouterPlus.RebalanceSinglePositionSyncArgs memory args)
+    {
+        args.id = superformId1;
+        args.sharesToRedeem = SuperPositions(SUPER_POSITIONS_SOURCE).balanceOf(user, superformId1);
+        args.rebalanceFromMsgValue = 1 ether;
+        args.rebalanceToMsgValue = 1 ether;
+        args.interimAsset = getContract(SOURCE_CHAIN, "USDC");
+        args.slippage = 100;
+        args.receiverAddressSP = user;
+        args.callData = _callDataRebalanceFrom(args.interimAsset);
+
+        uint256 decimal1 = MockERC20(getContract(SOURCE_CHAIN, "DAI")).decimals();
+        uint256 decimal2 = MockERC20(args.interimAsset).decimals();
+        uint256 previewRedeemAmount = IBaseForm(superform1).previewRedeemFrom(args.sharesToRedeem);
+
+        if (decimal1 > decimal2) {
+            args.expectedAmountToReceivePostRebalanceFrom = previewRedeemAmount / (10 ** (decimal1 - decimal2));
+        } else {
+            args.expectedAmountToReceivePostRebalanceFrom = previewRedeemAmount * 10 ** (decimal2 - decimal1);
+        }
+
+        args.rebalanceToCallData = _callDataRebalanceToOneVaultSameChainHack(
+            args.expectedAmountToReceivePostRebalanceFrom, args.interimAsset, user
+        );
+    }
+
+    function _callDataRebalanceToOneVaultSameChainHack(
+        uint256 amountToDeposit,
+        address interimToken,
+        address user
+    )
+        internal
+        view
+        returns (bytes memory)
+    {
+        SingleVaultSFData memory data = SingleVaultSFData(
+            superformId2,
+            amountToDeposit,
+            IBaseForm(superform2).previewDepositTo(amountToDeposit),
+            100,
+            LiqRequest("", interimToken, address(0), 1, SOURCE_CHAIN, 0),
+            "",
+            false,
+            false,
+            address(0xDEAD),
+            address(0xDEAD),
+            ""
+        );
+        return abi.encodeCall(IBaseRouter.singleDirectSingleVaultDeposit, SingleDirectSingleVaultStateReq(data));
+    }
+
+    function test_rebalanceFromSinglePosition_toOneVault_hack() public {
+        vm.startPrank(deployer);
+
+        _directDeposit(superformId1, 1e18);
+
+        ISuperformRouterPlus.RebalanceSinglePositionSyncArgs memory args =
+            _buildRebalanceSinglePositionToOneVaultArgsHack(deployer);
+
+        SuperPositions(SUPER_POSITIONS_SOURCE).increaseAllowance(ROUTER_PLUS_SOURCE, superformId1, args.sharesToRedeem);
+        vm.expectRevert(SuperformRouterPlus.RECEIVER_ADDRESS_MISMATCH.selector);
+        SuperformRouterPlus(ROUTER_PLUS_SOURCE).rebalanceSinglePosition{ value: 2 ether }(args);
+    }
+
     /// @dev rebalance from a single position to a single vault
     function test_rebalanceFromSinglePosition_toOneVault() public {
         vm.startPrank(deployer);
@@ -5122,4 +5189,56 @@ contract SuperformRouterPlusTest is ProtocolActions {
         SuperformRouterPlus(getContract(SOURCE_CHAIN, "SuperformRouterPlus")).setGlobalSlippage(100);
         vm.stopPrank();
     }
+
+    function test_deposit4626_maliciousReceiver() public {
+        // User approves router for vault tokens
+        vm.startPrank(deployer);
+        (address sfMigrateFrom,,) = superformId1.getSuperform();
+        address migrateFromVault = IBaseForm(sfMigrateFrom).getVaultAddress();
+        deal(migrateFromVault, deployer, 1e18);
+
+        // Approve and deposit DAI into the mock vault
+        MockERC20(getContract(SOURCE_CHAIN, "DAI")).approve(migrateFromVault, 1e18);
+        uint256 vaultTokenAmount = IERC4626(migrateFromVault).deposit(1e18, deployer);
+        IERC20(migrateFromVault).approve(getContract(SOURCE_CHAIN, "SuperformRouterPlus"), vaultTokenAmount);
+
+        vm.stopPrank();
+
+        address attacker = address(0x1337);
+        vm.deal(attacker, 1e18);
+        // Attacker prepares malicious deposit data
+        SingleVaultSFData memory data = SingleVaultSFData(
+            superformId1,
+            1e18,
+            1,
+            10_000,
+            LiqRequest("", address(0), address(0), 0, SOURCE_CHAIN, 0),
+            "",
+            false,
+            false,
+            attacker, // Set attacker as receiver
+            attacker, // Set attacker as receiverSP
+            ""
+        );
+
+        bytes4 selector = IBaseRouter.singleDirectSingleVaultDeposit.selector;
+        bytes memory maliciousCallData = abi.encodePacked(selector, abi.encode(SingleDirectSingleVaultStateReq(data)));
+
+        address[] memory vaults = new address[](1);
+        vaults[0] = migrateFromVault;
+
+        ISuperformRouterPlus.Deposit4626Args[] memory args = new ISuperformRouterPlus.Deposit4626Args[](1);
+        args[0] = ISuperformRouterPlus.Deposit4626Args({
+            amount: 1e18,
+            expectedOutputAmount: 1,
+            maxSlippage: 9999,
+            receiverAddressSP: deployer,
+            depositCallData: maliciousCallData
+        });
+
+        // Attacker executes malicious deposit
+        vm.prank(attacker);
+        vm.expectRevert(SuperformRouterPlus.RECEIVER_ADDRESS_MISMATCH.selector);
+        SuperformRouterPlus(getContract(SOURCE_CHAIN, "SuperformRouterPlus")).deposit4626(vaults, args);
+    }
 }