@across-protocol/contracts 5.0.11 → 5.0.12-alpha.1

package/contracts/external/interfaces/CCTPInterfaces.sol

@@ -58,6 +58,14 @@ interface ITokenMessenger {
 }
 
 interface ITokenMessengerV2 {
+    /**
+     * @notice Minter responsible for minting and burning tokens on the local domain.
+     * Used on destination to prove that a received message would mint via the expected
+     * TokenMinter, and to resolve the local token that corresponds to a remote burnToken.
+     * https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/v2/TokenMessengerV2.sol
+     */
+    function localMinter() external view returns (ITokenMinter minter);
+
     // Source: https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/v2/TokenMessengerV2.sol#L138C1-L166C15
     /**
      * @notice Deposits and burns tokens from sender to be minted on destination domain.
@@ -139,6 +147,16 @@ interface ITokenMinter {
      * @return burnLimit maximum burn amount per message for token
      */
     function burnLimitsPerMessage(address token) external view returns (uint256);
+
+    /**
+     * @notice Returns the local token that is associated with the given remote burnToken on `remoteDomain`.
+     * Returns address(0) when no link has been configured.
+     * https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/TokenMinter.sol#L155
+     * @param remoteDomain CCTP source domain
+     * @param remoteToken burnToken (as bytes32) on the remote domain
+     * @return localToken the locally-minted token, or address(0) if the pair is not linked
+     */
+    function getLocalToken(uint32 remoteDomain, bytes32 remoteToken) external view returns (address localToken);
 }
 
 /**

package/contracts/interfaces/SponsoredCCTPInterface.sol

@@ -24,6 +24,17 @@ interface SponsoredCCTPInterface is SponsoredExecutionModeInterface {
     // Error thrown when the CCTP message transmitter receive message fails.
     error CCTPMessageTransmitterFailed();
 
+    // Error thrown when the amount actually minted into this contract by the CCTP call does not match
+    // the `amount - feeExecuted` encoded in the message.
+    error InvalidMintedAmount();
+
+    // Error thrown when the CCTP message's top-level `recipient` is not the configured TokenMessenger.
+    error InvalidRecipient();
+
+    // Error thrown when the TokenMinter does not link the message's remote burnToken to this periphery's
+    // `baseToken` on the local domain.
+    error InvalidMintedToken();
+
     // Error thrown when direct flow destination handler is not a contract.
     error InvalidDirectHandler();
 

package/contracts/libraries/SponsoredCCTPQuoteLib.sol

@@ -89,6 +89,28 @@ library SponsoredCCTPQuoteLib {
         );
     }
 
+    /**
+     * @notice Reads the top-level CCTP message `recipient` (i.e. the contract MessageTransmitter delivers to,
+     * typically the TokenMessenger that performs the mint). Assumes `message` has passed length validation.
+     */
+    function extractRecipient(bytes memory message) internal pure returns (bytes32) {
+        return message.toBytes32(RECIPIENT_INDEX);
+    }
+
+    /**
+     * @notice Reads the CCTP source domain from the message header. Assumes `message` has passed length validation.
+     */
+    function extractSourceDomain(bytes memory message) internal pure returns (uint32) {
+        return message.toUint32(SOURCE_DOMAIN_INDEX);
+    }
+
+    /**
+     * @notice Reads the burnToken (as bytes32) from the burn message body. Assumes `message` has passed length validation.
+     */
+    function extractBurnToken(bytes memory message) internal pure returns (bytes32) {
+        return message.toBytes32(MESSAGE_BODY_INDEX + BURN_TOKEN_INDEX);
+    }
+
     /**
      * @notice Validates the message that is received from CCTP. If this checks fails, then the quote on source chain was invalid
      * and we are unable to retrieve user's address to send the funds to. In that case the funds will stay in this contract.

package/contracts/periphery/mintburn/ArbitraryEVMFlowExecutor.sol

@@ -60,9 +60,17 @@ abstract contract ArbitraryEVMFlowExecutor {
         // Decode the compressed action data
         CompressedCall[] memory compressedCalls = abi.decode(params.actionData, (CompressedCall[]));
 
-        // Snapshot balances
-        uint256 initialAmountSnapshot = IERC20(params.initialToken).balanceOf(address(this));
-        uint256 finalAmountSnapshot = IERC20(params.commonParams.finalToken).balanceOf(address(this));
+        // Sweep any pre-existing dust on MulticallHandler so it cannot pollute our balance snapshots
+        _drainMulticallHandlerDust(params.initialToken);
+        if (params.commonParams.finalToken != params.initialToken) {
+            _drainMulticallHandlerDust(params.commonParams.finalToken);
+        }
+
+        bool differentTokens = params.initialToken != params.commonParams.finalToken;
+
+        // Read "starting balance initial token"(sBI) and "starting balance final token"(sBF)
+        uint256 sBI = IERC20(params.initialToken).balanceOf(address(this));
+        uint256 sBF = differentTokens ? IERC20(params.commonParams.finalToken).balanceOf(address(this)) : sBI;
 
         // Transfer tokens to MulticallHandler
         IERC20(params.initialToken).safeTransfer(multicallHandler, params.commonParams.amountInEVM);
@@ -82,19 +90,21 @@ abstract contract ArbitraryEVMFlowExecutor {
             instructions
         );
 
-        uint256 finalAmount;
-        // This means the swap (if one was intended) didn't happen (action failed), so we use the initial token as the final token.
-        if (initialAmountSnapshot == IERC20(params.initialToken).balanceOf(address(this))) {
-            params.commonParams.finalToken = params.initialToken;
-            finalAmount = params.commonParams.amountInEVM;
-        } else {
-            uint256 finalBalance = IERC20(params.commonParams.finalToken).balanceOf(address(this));
-            if (finalBalance >= finalAmountSnapshot) {
-                // This means the swap did happen, so we check the balance of the output token and send it.
-                finalAmount = finalBalance - finalAmountSnapshot;
+        // Default to initial-token accounting; overwrite below if finalToken was actually produced.
+        // Ending balance initial token
+        uint256 eBI = IERC20(params.initialToken).balanceOf(address(this));
+        uint256 finalAmount = params.commonParams.amountInEVM + eBI - sBI;
+        if (differentTokens) {
+            // Ending balance final token
+            uint256 eBF = IERC20(params.commonParams.finalToken).balanceOf(address(this));
+
+            // Any positive finalToken delta is treated as successful execution when initialToken != finalToken. If any
+            // (or all) of the initialToken amount is unspent during the execution, it lands back into this contract and
+            // can be withdrawn by the admin
+            if (eBF > sBF) {
+                finalAmount = eBF - sBF;
             } else {
-                // If we somehow lost final tokens (e.g. by depositing into some contract), just set the finalAmount to 0.
-                finalAmount = 0;
+                params.commonParams.finalToken = params.initialToken;
             }
         }
 
@@ -155,6 +165,19 @@ abstract contract ArbitraryEVMFlowExecutor {
         return abi.encode(instructions);
     }
 
+    /// @notice Drains any pre-existing balance of token from MulticallHandler
+    function _drainMulticallHandlerDust(address token) internal {
+        if (IERC20(token).balanceOf(multicallHandler) == 0) return;
+
+        // Empty instructions with `fallbackRecipient` set. Causes MulticallHandler to call `_drainRemainingTokens`, which
+        // does a safeTransfer of `token` to `fallbackRecipient`, this contract, essentially removing dust
+        bytes memory instructions = abi.encode(
+            MulticallHandler.Instructions({ calls: new MulticallHandler.Call[](0), fallbackRecipient: address(this) })
+        );
+
+        MulticallHandler(payable(multicallHandler)).handleV3AcrossMessage(token, 0, address(this), instructions);
+    }
+
     /// @notice Calculates proportional fees to sponsor in finalToken, given the fees to sponsor in initial token and initial amount
     function _calcExtraFeesFinal(
         uint256 amount,

package/contracts/periphery/mintburn/sponsored-cctp/SponsoredCCTPDstPeriphery.sol

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.0;
 
 import { BaseModuleHandler } from "../BaseModuleHandler.sol";
-import { IMessageTransmitterV2 } from "../../../external/interfaces/CCTPInterfaces.sol";
+import { IMessageTransmitterV2, ITokenMessengerV2 } from "../../../external/interfaces/CCTPInterfaces.sol";
 import { SponsoredCCTPQuoteLib } from "../../../libraries/SponsoredCCTPQuoteLib.sol";
 import { SponsoredCCTPInterface } from "../../../interfaces/SponsoredCCTPInterface.sol";
 import { Bytes32ToAddress } from "../../../libraries/AddressConverters.sol";
@@ -27,6 +27,10 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
     /// @notice The CCTP message transmitter contract.
     IMessageTransmitterV2 public immutable cctpMessageTransmitter;
 
+    /// @notice The CCTP token messenger contract that is the expected top-level recipient of MessageTransmitter
+    /// deliveries and owns the TokenMinter used to resolve burnToken -> local token for non-direct-deposit flows.
+    ITokenMessengerV2 public immutable cctpTokenMessenger;
+
     /// @notice Base token associated with this handler. The one we receive from the CCTP bridge
     address public immutable baseToken;
 
@@ -52,6 +56,8 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
     /**
      * @notice Constructor for the SponsoredCCTPDstPeriphery contract.
      * @param _cctpMessageTransmitter The address of the CCTP message transmitter contract.
+     * @param _cctpTokenMessenger The address of the CCTP token messenger contract. Used to pin that a received
+     * message actually routed through the real mint flow and that the remote burnToken links to `baseToken`.
      * @param _signer The address of the signer that was used to sign the quotes.
      * @param _donationBox The address of the donation box contract. This is used to store funds that are used for sponsored flows.
      * @param _baseToken The address of the base token which would be the USDC on HyperEVM.
@@ -59,6 +65,7 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
      */
     constructor(
         address _cctpMessageTransmitter,
+        address _cctpTokenMessenger,
         address _signer,
         address _donationBox,
         address _baseToken,
@@ -67,6 +74,7 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         baseToken = _baseToken;
 
         cctpMessageTransmitter = IMessageTransmitterV2(_cctpMessageTransmitter);
+        cctpTokenMessenger = ITokenMessengerV2(_cctpTokenMessenger);
 
         MainStorage storage $ = _getMainStorage();
         $.signer = _signer;
@@ -127,10 +135,15 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         bytes memory message,
         bytes memory attestation
     ) external nonReentrant onlyRole(PERMISSIONED_BOT_ROLE) {
+        uint256 baseBalBefore = IERC20Metadata(baseToken).balanceOf(address(this));
         bool success = cctpMessageTransmitter.receiveMessage(message, attestation);
         if (!success) {
             return;
         }
+        // Forward only what the CCTP call actually credited to this contract, so a message that mints nothing
+        // (wrong recipient, unlinked burnToken, etc.) cannot drain this contract's prior `baseToken` balance.
+        uint256 baseBalAfter = IERC20Metadata(baseToken).balanceOf(address(this));
+        uint256 mintedAmount = baseBalAfter - baseBalBefore;
 
         // Use try-catch to handle potential abi.decode reverts gracefully
         try this.validateMessage(message) returns (bool isValid) {
@@ -141,19 +154,14 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
             // Malformed message that causes abi.decode to revert then early return
             return;
         }
-        (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, uint256 feeExecuted) = SponsoredCCTPQuoteLib
-            .getSponsoredCCTPQuoteData(message);
-
-        _getMainStorage().usedNonces[quote.nonce] = true;
+        (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, ) = SponsoredCCTPQuoteLib.getSponsoredCCTPQuoteData(
+            message
+        );
 
-        IERC20Metadata(baseToken).safeTransfer(quote.finalRecipient.toAddress(), quote.amount - feeExecuted);
+        address finalRecipient = quote.finalRecipient.toAddress();
+        IERC20Metadata(baseToken).safeTransfer(finalRecipient, mintedAmount);
 
-        emit EmergencyReceiveMessage(
-            quote.nonce,
-            quote.finalRecipient.toAddress(),
-            baseToken,
-            quote.amount - feeExecuted
-        );
+        emit EmergencyReceiveMessage(quote.nonce, finalRecipient, baseToken, mintedAmount);
     }
 
     /**
@@ -168,6 +176,20 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         bytes memory attestation,
         bytes memory signature
     ) external nonReentrant authorizeFundedFlow {
+        // Check that the CCTP message was actually routed through our TokenMessenger (which owns the mint flow),
+        // and that its TokenMinter links the remote burnToken to our `baseToken` on this domain.
+        if (SponsoredCCTPQuoteLib.extractRecipient(message).toAddressUnchecked() != address(cctpTokenMessenger)) {
+            revert InvalidRecipient();
+        }
+        address localToken = cctpTokenMessenger.localMinter().getLocalToken(
+            SponsoredCCTPQuoteLib.extractSourceDomain(message),
+            SponsoredCCTPQuoteLib.extractBurnToken(message)
+        );
+        if (localToken != baseToken) {
+            revert InvalidMintedToken();
+        }
+
+        uint256 baseBalBefore = IERC20Metadata(baseToken).balanceOf(address(this));
         bool success = cctpMessageTransmitter.receiveMessage(message, attestation);
         if (!success) {
             revert CCTPMessageTransmitterFailed();
@@ -188,6 +210,13 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, uint256 feeExecuted) = SponsoredCCTPQuoteLib
             .getSponsoredCCTPQuoteData(message);
 
+        // Confirm the CCTP call actually minted `baseToken` to this contract.
+        uint256 baseBalAfter = IERC20Metadata(baseToken).balanceOf(address(this));
+        uint256 amountAfterFees = quote.amount - feeExecuted;
+        if (baseBalAfter - baseBalBefore != amountAfterFees) {
+            revert InvalidMintedAmount();
+        }
+
         // Validate the quote and the signature. Revert on invalid to prevent griefing attacks
         // where an attacker provides correct message/attestation but invalid signature.
         _validateQuoteOrRevert(quote, signature);

package/contracts/test/MockCCTP.sol

@@ -6,14 +6,24 @@ import { IMessageTransmitter } from "../external/interfaces/CCTPInterfaces.sol";
 
 contract MockCCTPMinter is ITokenMinter {
     uint256 private _burnLimit = type(uint256).max;
+    // remoteDomain => remoteToken => localToken
+    mapping(uint32 => mapping(bytes32 => address)) private _localTokens;
 
     function setBurnLimit(uint256 limit) external {
         _burnLimit = limit;
     }
 
+    function setLocalToken(uint32 remoteDomain, bytes32 remoteToken, address localToken) external {
+        _localTokens[remoteDomain][remoteToken] = localToken;
+    }
+
     function burnLimitsPerMessage(address) external view returns (uint256) {
         return _burnLimit;
     }
+
+    function getLocalToken(uint32 remoteDomain, bytes32 remoteToken) external view returns (address) {
+        return _localTokens[remoteDomain][remoteToken];
+    }
 }
 
 contract MockCCTPMessenger is ITokenMessenger {