Additional commitments

[mgretzke]

Pull Request

Description

Allows to allocate additional amounts that are not part of the deposit in the prepare/execute allocation flow, as well as in the permit2Allocation flow.

For the OnChainAllocator, the contract itself will ensure these amounts are unallocated at the time of the call.

For the HybridAllocator, you will have to provide a signature from the off chain signers that confirms these additional amounts are still unallocated. During the prepare and execute flow, this additionally requires the off chain signer to provide a valid nonce that can be used for this, which is required to make the claimHash predictable.

We can be sure of the users intentions for this additional allocation, since the claimHash must be registered on chain.

[0age]

two possible issues and a micro-optimization, take a look but otherwise LGTM for the POC!

[0age]

micro-optimization: instead of incrementing by one and then multiplying i by 0x20 every time in the loop, you can derive permittedLengthWords by doing one shl 5 and then iterate by 0x20 and just use i directly

[0age]

i believe iszero(iszero(additionalCommitmentAmount)) is a tad cheaper / simpler

[0age]

could you overflow this by providing a massive additional commitment amount?

[mgretzke]

Good question. My initial thought is, that it would not really matter, since it would only just worst case shrink the diffBalance? And then you would just allocate less tokens then you deposited I guess? Additionally, the claim hash needs to add up in the end...
Will need to think about this more though, especially since the HybridAllocator and the OnChainAllocator handle the actual allocation part differently.

[mgretzke]

Additionally (at least in the case of the hybrid allocator), the off chain signer of the allocator would have needed to sign for this:

sc-allocators/src/allocators/HybridAllocator.sol

Line 298 in e7bd57f

_validateContext(commitments, additionalCommitmentAmounts, claimHash, allocationContext.signature);

For the on chain allocator, we either revert here due to the overflow, or due to the fact that the previous balance was not sufficient:

sc-allocators/src/allocators/OnChainAllocator.sol

Line 410 in e7bd57f

uint256 requiredBalance = allocatedBalance + additionalCommitmentAmounts[i];

[mgretzke]

So while this might not affect our current implementations, it does seems like a good check to improve the security on this library itself to minimize unexpected behavior!

[0age]

not sure whether or not this is going to work; do we have any tests of this functionality yet? the decode-bytes-to-calldata logic is always a little gnarly/counterintuitive

[mgretzke]

Thanks for looking so detailed at this!
Had all the tests and some tiny fixes committed, but forgot to push this.
I believe this is working as intended, I came up with a similar design for the ERC7683 order data parsing.

This is the setup and the test for this:

sc-allocators/test/HybridAllocator.t.sol

Line 2074 in e7bd57f

function _encodeHybridAllocationContext(uint256 nonce, bytes memory signature)

sc-allocators/test/HybridAllocator.t.sol

Line 2479 in e7bd57f

function test_prepareAndExecuteAllocation_withAdditionalCommitments() public {

I don't have any tests that check the revert scenarios on this _decodeContext function yet though.

[0age]

is it possible to overflow this value by providing a massive additionalCommitmentAmount?

[mgretzke]

See answer here:
#40 (comment)

[0age]

micro-optimization: for this and some other low-level iterators, we could modify the length once via a mul 0x20 (or shl 5) and then increment i by 0x20 to save all the internal muls