Simplified donation attack prevention (#2453)

* intermittent work committed

* add draft solution for preparing WOETH for the landing markets

* add tests that confirm lending market protection works as exepcted

* add test to protect agains calling initialize twice

* add comments

* remove unneeded files

* minor bug fix

* add fork script tests and fix bug

* add comments

* add another test

* divide after multiply

* change credits per token to highres

* add comment

* comments

* lint

* minor changes

* correct fixture

* make code slighlty better regarding re-entry

* prettier

* add explicit visibility

* minor test enhancement

* better function name

* remove comment

* simplify

* simplify code

* simplify code

* refactor

* add redeem all test

* prettier

* Add wOETH donation fork tests (#2122)

* Add wOETH donation fork tests

* test: add fork test for deposit/mint/withdraw/redeem.

* test: add test for redeem after rebase.

---------

Co-authored-by: clement-ux <[email protected]>

* rename deploy script

* add another test and simplify constructor

* fix: specify override for name and symbol.

* fix: import IERC20Metadata.

* add gap

* update reference to code

* fix compile errors

* move initialize2() into primary initializer

* remove virtual where not needed

* pick a more appropriate method for fetching highres CPT

* round in the favour of the protocol

* Revert "round in the favour of the protocol"

This reverts commit 637cd3c.

* rounding error fixes

* Option 1 for WOETH rounding error (#2419)

* option 1 to combat the rounding error

* naming

* simplify

* add comment

* prettier

* add require 0 checks

* allow 0 value mints and redeems

* to establish exchange rate for WOETH trust OETH completely

* remove unneeded overrides

* add comment and prettier

* fix a denomination bug

* add fork test for the expected rate increase

* add comment

* add tests for WOETH upgrade not changing the existing WOETH balances

* denominate all rates to 1e27 for better precision

* undo the change

* add comment

* further simplify the WOETH rate calculation code

* add comments

* prettier

* update test to confirm that redemption amounts of WOETH before and after the upgrade are a perfect (1 wei difference to rounding) match

* Fix bug with rounding direction on deposits

* nit: unify comment

* sligth code simplification

* fix typo

* remove unused imports

* remove todo

* switch to BUSL

* improve comment

* no need to call governable anymore

* fix comment

* make WOSonic extend WOETH. Add deploy file and basic fork test

* use the more appropriate natspec compliant inheritdoc

* more appropriate naming

* add aditiona test

* make WOUSD inherit from WOETH

* add deploy and fork test file for WOUSD

---------

Co-authored-by: Shah <[email protected]>
Co-authored-by: clement-ux <[email protected]>
Co-authored-by: Daniel Von Fange <[email protected]>

Author: 4 people

brownie/abi/ERC4626.json

@@ -0,0 +1,27 @@
+from world import *
+
+def expect_approximate(woeth_holder, expected_balance):
+	balance = woeth.balanceOf(woeth_holder)
+	diff = abs(expected_balance - balance)
+	if (diff != 0):
+		raise Exception("Unexpected balance for account: %s".format(woeth_holder))
+
+def confirm_balances_after_upgrade():
+	expect_approximate("0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb", 1013453939109688661944)
+	expect_approximate("0xC460B0b6c9b578A4Cb93F99A691e16dB96Ee5833", 575896531839923556165)
+	expect_approximate("0xdca0a2341ed5438e06b9982243808a76b9add6d0", 319671606657733042618)
+	expect_approximate("0x8a9d46d28003673cd4fe7a56ecfcfa2be6372e64", 182355401624955452064)
+	expect_approximate("0xf65ecb5610000100befba41b9f9cf5ca32838078", 97352556026536192865)
+	expect_approximate("0x0a26e7ab5c554232314a8d459eff0ede72333f08", 91628532171545105831)
+
+
+def manipulate_price():
+	OETH_WHALE="0xa4C637e0F704745D182e4D38cAb7E7485321d059"
+	whl = {'from': OETH_WHALE }
+
+	woeth.convertToAssets(1e18) / 1e18
+	oeth.transfer(woeth.address, 10_000 * 1e18, whl)
+	woeth.convertToAssets(1e18) / 1e18
+
+	oeth.approve(woeth.address, 1e50, whl)
+	woeth.deposit(5_000 * 1e18, OETH_WHALE, whl)

brownie/scripts/woeth_manipulation.py

@@ -19,6 +19,7 @@
 weth = load_contract('ERC20', WETH)
 ousd = load_contract('ousd', OUSD)
 oeth = load_contract('ousd', OETH)
+woeth = load_contract('erc4626', WOETH)
 usdt = load_contract('usdt', USDT)
 usdc = load_contract('usdc', USDC)
 dai = load_contract('dai', DAI)

brownie/world.py

@@ -5,11 +5,7 @@ import { WrappedOusd } from "../token/WrappedOusd.sol";
 import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 
 contract MockLimitedWrappedOusd is WrappedOusd {
-    constructor(
-        ERC20 underlying_,
-        string memory name_,
-        string memory symbol_
-    ) WrappedOusd(underlying_, name_, symbol_) {}
+    constructor(ERC20 underlying_) WrappedOusd(underlying_) {}
 
     function maxDeposit(address)
         public

contracts/contracts/mocks/MockLimitedWrappedOusd.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT
+// SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.0;
 
 import { ERC4626 } from "../../lib/openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
@@ -12,24 +12,63 @@ import { Initializable } from "../utils/Initializable.sol";
 import { OETH } from "./OETH.sol";
 
 /**
- * @title OETH Token Contract
+ * @title Wrapped OETH Token Contract
  * @author Origin Protocol Inc
+ *
+ * @dev An important capability of this contract is that it isn't susceptible to changes of the
+ * exchange rate of WOETH/OETH if/when someone sends the underlying asset (OETH) to the contract.
+ * If OETH weren't rebasing this could be achieved by solely tracking the ERC20 transfers of the OETH
+ * token on mint, deposit, redeem, withdraw. The issue is that OETH is rebasing and OETH balances
+ * will change when the token rebases.
+ * For that reason the contract logic checks the actual underlying OETH token balance only once
+ * (either on a fresh contract creation or upgrade) and considering the WOETH supply and
+ * rebasingCreditsPerToken calculates the _adjuster. Once the adjuster is calculated any donations
+ * to the contract are ignored. The totalSupply (instead of querying OETH balance) works off of
+ * adjuster the current WOETH supply and rebasingCreditsPerToken. This makes WOETH value accrual
+ * completely follow OETH's value accrual.
+ * WOETH is safe to use in lending markets as the VualtCore's _rebase contains safeguards preventing
+ * any sudden large rebases.
  */
 
 contract WOETH is ERC4626, Governable, Initializable {
     using SafeERC20 for IERC20;
+    /* This is a 1e27 adjustment constant that expresses the difference in exchange rate between
+     * OETH's rebase since inception (expressed with rebasingCreditsPerToken) and WOETH to OETH
+     * conversion.
+     *
+     * If WOETH and OETH are deployed at the same time, the value of adjuster is a neutral 1e27
+     */
+    uint256 public adjuster;
+    uint256[49] private __gap;
 
-    constructor(
-        ERC20 underlying_,
-        string memory name_,
-        string memory symbol_
-    ) ERC20(name_, symbol_) ERC4626(underlying_) Governable() {}
+    // no need to set ERC20 name and symbol since they are overridden in WOETH & WOETHBase
+    constructor(ERC20 underlying_) ERC20("", "") ERC4626(underlying_) {}
 
     /**
      * @notice Enable OETH rebasing for this contract
      */
     function initialize() external onlyGovernor initializer {
         OETH(address(asset())).rebaseOptIn();
+
+        initialize2();
+    }
+
+    /**
+     * @notice secondary initializer that newly deployed contracts will execute as part
+     *         of primary initialize function and the existing contracts will have it called
+     *         as a governance operation.
+     */
+    function initialize2() public onlyGovernor {
+        require(adjuster == 0, "Initialize2 already called");
+
+        if (totalSupply() == 0) {
+            adjuster = 1e27;
+        } else {
+            adjuster =
+                (rebasingCreditsPerTokenHighres() *
+                    ERC20(asset()).balanceOf(address(this))) /
+                totalSupply();
+        }
     }
 
     function name()
@@ -62,7 +101,38 @@ contract WOETH is ERC4626, Governable, Initializable {
         external
         onlyGovernor
     {
-        require(asset_ != address(asset()), "Cannot collect OETH");
+        require(asset_ != address(asset()), "Cannot collect core asset");
         IERC20(asset_).safeTransfer(governor(), amount_);
     }
+
+    /// @inheritdoc ERC4626
+    function convertToShares(uint256 assets)
+        public
+        view
+        virtual
+        override
+        returns (uint256 shares)
+    {
+        return (assets * rebasingCreditsPerTokenHighres()) / adjuster;
+    }
+
+    /// @inheritdoc ERC4626
+    function convertToAssets(uint256 shares)
+        public
+        view
+        virtual
+        override
+        returns (uint256 assets)
+    {
+        return (shares * adjuster) / rebasingCreditsPerTokenHighres();
+    }
+
+    /// @inheritdoc ERC4626
+    function totalAssets() public view override returns (uint256) {
+        return (totalSupply() * adjuster) / rebasingCreditsPerTokenHighres();
+    }
+
+    function rebasingCreditsPerTokenHighres() internal view returns (uint256) {
+        return OETH(asset()).rebasingCreditsPerTokenHighres();
+    }
 }

contracts/contracts/token/WOETH.sol

@@ -1,4 +1,4 @@
-// SPDX-License-Identifier: MIT
+// SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.0;
 
 import { WOETH } from "./WOETH.sol";
@@ -10,9 +10,7 @@ import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
  */
 
 contract WOETHBase is WOETH {
-    constructor(ERC20 underlying_)
-        WOETH(underlying_, "Wrapped Super OETH", "wsuperOETHb")
-    {}
+    constructor(ERC20 underlying_) WOETH(underlying_) {}
 
     function name() public view virtual override returns (string memory) {
         return "Wrapped Super OETH";

contracts/contracts/token/WOETHBase.sol

@@ -1,41 +1,23 @@
-// SPDX-License-Identifier: MIT
+// SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.0;
 
-import { ERC4626 } from "../../lib/openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
 import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import { IERC20Metadata } from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
-import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 
-import { Governable } from "../governance/Governable.sol";
-import { Initializable } from "../utils/Initializable.sol";
-import { OSonic } from "./OSonic.sol";
+import { WOETH } from "./WOETH.sol";
 
 /**
  * @title Wrapped Origin Sonic (wOS) token on Sonic
  * @author Origin Protocol Inc
  */
-contract WOSonic is ERC4626, Governable, Initializable {
-    using SafeERC20 for IERC20;
-
-    constructor(
-        ERC20 underlying_,
-        string memory name_,
-        string memory symbol_
-    ) ERC20(name_, symbol_) ERC4626(underlying_) Governable() {}
-
-    /**
-     * @notice Enable Origin Sonic rebasing for this contract
-     */
-    function initialize() external onlyGovernor initializer {
-        OSonic(address(asset())).rebaseOptIn();
-    }
+contract WOSonic is WOETH {
+    constructor(ERC20 underlying_) WOETH(underlying_) {}
 
     function name()
         public
         view
         virtual
-        override(ERC20, IERC20Metadata)
+        override(WOETH)
         returns (string memory)
     {
         return "Wrapped OS";
@@ -45,23 +27,9 @@ contract WOSonic is ERC4626, Governable, Initializable {
         public
         view
         virtual
-        override(ERC20, IERC20Metadata)
+        override(WOETH)
         returns (string memory)
     {
         return "wOS";
     }
-
-    /**
-     * @notice Transfer token to governor. Intended for recovering tokens stuck in
-     *      contract, i.e. mistaken sends. Cannot transfer Origin S
-     * @param asset_ Address for the asset
-     * @param amount_ Amount of the asset to transfer
-     */
-    function transferToken(address asset_, uint256 amount_)
-        external
-        onlyGovernor
-    {
-        require(asset_ != address(asset()), "Cannot collect OS");
-        IERC20(asset_).safeTransfer(governor(), amount_);
-    }
 }

contracts/contracts/token/WOSonic.sol

@@ -1,36 +1,23 @@
-// SPDX-License-Identifier: MIT
+// SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.0;
 
-import { ERC4626 } from "../../lib/openzeppelin/contracts/token/ERC20/extensions/ERC4626.sol";
 import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import { IERC20Metadata } from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
-import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 
-import { Governable } from "../governance/Governable.sol";
-import { Initializable } from "../utils/Initializable.sol";
-import { OUSD } from "./OUSD.sol";
+import { WOETH } from "./WOETH.sol";
 
-contract WrappedOusd is ERC4626, Governable, Initializable {
-    using SafeERC20 for IERC20;
-
-    constructor(
-        ERC20 underlying_,
-        string memory name_,
-        string memory symbol_
-    ) ERC20(name_, symbol_) ERC4626(underlying_) Governable() {}
-
-    /**
-     * @notice Enable OUSD rebasing for this contract
-     */
-    function initialize() external onlyGovernor initializer {
-        OUSD(address(asset())).rebaseOptIn();
-    }
+/**
+ * @title Wrapped OUSD Token Contract
+ * @author Origin Protocol Inc
+ */
+contract WrappedOusd is WOETH {
+    constructor(ERC20 underlying_) WOETH(underlying_) {}
 
     function name()
         public
         view
-        override(ERC20, IERC20Metadata)
+        virtual
+        override(WOETH)
         returns (string memory)
     {
         return "Wrapped OUSD";
@@ -39,23 +26,10 @@ contract WrappedOusd is ERC4626, Governable, Initializable {
     function symbol()
         public
         view
-        override(ERC20, IERC20Metadata)
+        virtual
+        override(WOETH)
         returns (string memory)
     {
         return "WOUSD";
     }
-
-    /**
-     * @notice Transfer token to governor. Intended for recovering tokens stuck in
-     *      contract, i.e. mistaken sends. Cannot transfer OUSD
-     * @param asset_ Address for the asset
-     * @param amount_ Amount of the asset to transfer
-     */
-    function transferToken(address asset_, uint256 amount_)
-        external
-        onlyGovernor
-    {
-        require(asset_ != address(asset()), "Cannot collect OUSD");
-        IERC20(asset_).safeTransfer(governor(), amount_);
-    }
 }

contracts/contracts/token/WrappedOusd.sol

@@ -1222,8 +1222,6 @@ const deployWOusd = async () => {
   const ousd = await ethers.getContract("OUSDProxy");
   const dWrappedOusdImpl = await deployWithConfirmation("WrappedOusd", [
     ousd.address,
-    "Wrapped OUSD IMPL",
-    "WOUSD IMPL",
   ]);
   await deployWithConfirmation("WrappedOUSDProxy");
   const wousdProxy = await ethers.getContract("WrappedOUSDProxy");
@@ -1237,6 +1235,26 @@ const deployWOusd = async () => {
   ](dWrappedOusdImpl.address, governorAddr, initData);
 };
 
+const deployWOeth = async () => {
+  const { deployerAddr, governorAddr } = await getNamedAccounts();
+  const sDeployer = await ethers.provider.getSigner(deployerAddr);
+
+  const oeth = await ethers.getContract("OETHProxy");
+  const dWrappedOethImpl = await deployWithConfirmation("WOETH", [
+    oeth.address,
+  ]);
+  await deployWithConfirmation("WOETHProxy");
+  const woethProxy = await ethers.getContract("WOETHProxy");
+  const woeth = await ethers.getContractAt("WOETH", woethProxy.address);
+
+  const initData = woeth.interface.encodeFunctionData("initialize()", []);
+
+  await woethProxy.connect(sDeployer)[
+    // eslint-disable-next-line no-unexpected-multiline
+    "initialize(address,address,bytes)"
+  ](dWrappedOethImpl.address, governorAddr, initData);
+};
+
 const deployOETHSwapper = async () => {
   const { deployerAddr, governorAddr } = await getNamedAccounts();
   const sDeployer = await ethers.provider.getSigner(deployerAddr);
@@ -1391,6 +1409,7 @@ module.exports = {
   deployUniswapV3Pool,
   deployVaultValueChecker,
   deployWOusd,
+  deployWOeth,
   deployOETHSwapper,
   deployOUSDSwapper,
   upgradeNativeStakingSSVStrategy,

contracts/deploy/deployActions.js

@@ -17,6 +17,7 @@ const {
   deployUniswapV3Pool,
   deployVaultValueChecker,
   deployWOusd,
+  deployWOeth,
   deployOETHSwapper,
   deployOUSDSwapper,
 } = require("../deployActions");
@@ -42,6 +43,7 @@ const main = async () => {
   await deployUniswapV3Pool();
   await deployVaultValueChecker();
   await deployWOusd();
+  await deployWOeth();
   await deployOETHSwapper();
   await deployOUSDSwapper();
   console.log("001_core deploy done.");