Merge pull request #478 from FastLane-Labs/atlas-v1.6-audit

feat: Atlas v1.6

Author: BenSparksCode

audits/Atlas v1.6 - Spearbit.pdf

@@ -62,10 +62,10 @@
     "L2_GAS_CALCULATOR": "0x3b7B38362bB7E2F000Cd2432343F3483F785F435"
   },
   "BASE": {
-    "ATLAS": "0x3efbaBE0ee916A4677D281c417E895a3e7411Ac2",
-    "ATLAS_VERIFICATION": "0x16839b7Bb46136B204Bcb7eA71c9226952c02b34",
-    "SIMULATOR": "0xa55051bd82eFeA1dD487875C84fE9c016859659B",
-    "SORTER": "0xD72D821dA82964c0546a5501347a3959808E072f",
+    "ATLAS": "0xD7Bc856FF47E5DC3f569d7a1D3948056bd5EA9fC",
+    "ATLAS_VERIFICATION": "0xbd70aA1A173472e39b412C5E95646231b690649D",
+    "SIMULATOR": "0xa9aF59fA414772A1f6ca8EDe0223b6e2b0bB7FfD",
+    "SORTER": "0xd9897bafc9a0408242077555788aB8949F1eFD3B",
     "L2_GAS_CALCULATOR": "0xf9436C4b1353D5B411AD5bb65B9826f34737BbC7"
   },
   "BERACHAIN": {

deployments.json

@@ -1,6 +1,6 @@
 {
     "name": "atlas",
-    "version": "1.5.0",
+    "version": "1.6.0",
     "repository": "https://github.com/Polygon-Fast-Lane/atlas",
     "author": "FastLane",
     "scripts": {

package.json

@@ -78,12 +78,12 @@ contract DeployBaseScript is Script {
         uint256 chainId = block.chainid;
         if (chainId == 137 || chainId == 80_002) {
             // POLYGON and AMOY
-            atlasSurchargeRate = 500_000; // 5%
-            bundlerSurchargeRate = 2_000_000; // 20%
+            atlasSurchargeRate = 500; // 5%
+            bundlerSurchargeRate = 2000; // 20%
         } else {
             // Default - for all other chains
-            atlasSurchargeRate = 1_000_000; // 10%
-            bundlerSurchargeRate = 1_000_000; // 10%
+            atlasSurchargeRate = 1000; // 10%
+            bundlerSurchargeRate = 1000; // 10%
         }
     }
 

script/base/deploy-base.s.sol

@@ -55,7 +55,6 @@ contract DeployAtlasScript is DeployBaseScript {
         atlas = new Atlas({
             escrowDuration: ESCROW_DURATION,
             atlasSurchargeRate: ATLAS_SURCHARGE_RATE,
-            bundlerSurchargeRate: BUNDLER_SURCHARGE_RATE,
             verification: expectedAtlasVerificationAddr,
             simulator: expectedSimulatorAddr,
             factoryLib: address(factoryLib),

script/deploy-atlas.s.sol

@@ -12,21 +12,12 @@ abstract contract AtlETH is Permit69 {
     constructor(
         uint256 escrowDuration,
         uint256 atlasSurchargeRate,
-        uint256 bundlerSurchargeRate,
         address verification,
         address simulator,
         address initialSurchargeRecipient,
         address l2GasCalculator
     )
-        Permit69(
-            escrowDuration,
-            atlasSurchargeRate,
-            bundlerSurchargeRate,
-            verification,
-            simulator,
-            initialSurchargeRecipient,
-            l2GasCalculator
-        )
+        Permit69(escrowDuration, atlasSurchargeRate, verification, simulator, initialSurchargeRecipient, l2GasCalculator)
     { }
 
     /*//////////////////////////////////////////////////////////////
@@ -288,8 +279,4 @@ abstract contract AtlETH is Permit69 {
         S_pendingSurchargeRecipient = address(0);
         emit SurchargeRecipientTransferred(msg.sender);
     }
-
-    function _checkIfUnlocked() internal view {
-        if (!_isUnlocked()) revert InvalidLockState();
-    }
 }

src/contracts/atlas/AtlETH.sol

@@ -3,6 +3,8 @@ pragma solidity 0.8.28;
 
 import { SafeTransferLib } from "solady/utils/SafeTransferLib.sol";
 import { LibSort } from "solady/utils/LibSort.sol";
+import { Math } from "openzeppelin-contracts/contracts/utils/math/Math.sol";
+import { SafeCast } from "openzeppelin-contracts/contracts/utils/math/SafeCast.sol";
 
 import { Escrow } from "./Escrow.sol";
 import { Factory } from "./Factory.sol";
@@ -20,10 +22,11 @@ import { GasAccLib, GasLedger } from "../libraries/GasAccLib.sol";
 import { IL2GasCalculator } from "../interfaces/IL2GasCalculator.sol";
 import { IDAppControl } from "../interfaces/IDAppControl.sol";
 
-/// @title Atlas V1.5
+/// @title Atlas V1.6
 /// @author FastLane Labs
 /// @notice The Execution Abstraction protocol.
 contract Atlas is Escrow, Factory {
+    using SafeCast for uint256;
     using CallBits for uint32;
     using SafetyBits for Context;
     using GasAccLib for uint256;
@@ -32,22 +35,13 @@ contract Atlas is Escrow, Factory {
     constructor(
         uint256 escrowDuration,
         uint256 atlasSurchargeRate,
-        uint256 bundlerSurchargeRate,
         address verification,
         address simulator,
         address initialSurchargeRecipient,
         address l2GasCalculator,
         address factoryLib
     )
-        Escrow(
-            escrowDuration,
-            atlasSurchargeRate,
-            bundlerSurchargeRate,
-            verification,
-            simulator,
-            initialSurchargeRecipient,
-            l2GasCalculator
-        )
+        Escrow(escrowDuration, atlasSurchargeRate, verification, simulator, initialSurchargeRecipient, l2GasCalculator)
         Factory(factoryLib)
     { }
 
@@ -123,8 +117,23 @@ contract Atlas is Escrow, Factory {
         // Initialize the environment lock and accounting values
         _setEnvironmentLock(_dConfig, _executionEnvironment);
 
-        // _gasMarker - _bidFindOverhead = estimated winning solver gas liability (not charged for bid-find gas)
-        _initializeAccountingValues(_gasMarker - _bidFindOverhead, _allSolversGasLimit);
+        // If in `multipleSuccessfulSolvers` mode, solvers are only liable for their own (C + E) gas costs, even if they
+        // execute successfully. In this case we set `remainingMaxGas` and `unreachedSolverGas` to the same value - the
+        // sum of all solvers' (C + E) gas limits. Then, `solverGasLiability()` will report just the current solver's
+        // gas costs with surcharges.
+        // In all other cases, `remainingMaxGas` includes non-solver gas limits and overheads that the winning solver
+        // may be liable for. In `exPostBids` mode, we also subtract the gas limit of the bid-finding solverOp
+        // iterations, as that gas will be written off (winning solver not liable for them).
+        uint256 _initialRemainingMaxGas =
+            _dConfig.callConfig.multipleSuccessfulSolvers() ? _allSolversGasLimit : _gasMarker - _bidFindOverhead;
+
+        // `userOp.bundlerSurchargeRate` is checked against the value set in the DAppControl in `validateCalls()` above,
+        // so it is safe to use here.
+        _initializeAccountingValues({
+            initialRemainingMaxGas: _initialRemainingMaxGas,
+            allSolverOpsGas: _allSolversGasLimit,
+            bundlerSurchargeRate: userOp.bundlerSurchargeRate
+        });
 
         // Calculate `execute` gas limit such that it can fail due to an OOG error caused by any of the hook calls, and
         // the metacall will still have enough gas to gracefully finish and return, storing any nonces required.
@@ -152,9 +161,15 @@ contract Atlas is Escrow, Factory {
                 );
             }
 
-            // Gas Refund to sender only if execution is successful
-            (uint256 _ethPaidToBundler, uint256 _netGasSurcharge) =
-                _settle(ctx, _gL, _gasMarker, gasRefundBeneficiary, _unreachedCalldataValuePaid);
+            // Gas Refund to sender only if execution is successful, or if multipleSuccessfulSolvers
+            (uint256 _ethPaidToBundler, uint256 _netGasSurcharge) = _settle(
+                ctx,
+                _gL,
+                _gasMarker,
+                gasRefundBeneficiary,
+                _unreachedCalldataValuePaid,
+                _dConfig.callConfig.multipleSuccessfulSolvers()
+            );
 
             auctionWon = ctx.solverSuccessful;
             emit MetacallResult(msg.sender, userOp.from, auctionWon, _ethPaidToBundler, _netGasSurcharge);
@@ -173,7 +188,8 @@ contract Atlas is Escrow, Factory {
             emit MetacallResult(msg.sender, userOp.from, false, 0, 0);
         }
 
-        // The environment lock is explicitly released here to allow multiple metacalls in a single transaction.
+        // The environment lock is explicitly released here to allow multiple (sequential, not nested) metacalls in a
+        // single transaction.
         _releaseLock();
     }
 
@@ -258,6 +274,7 @@ contract Atlas is Escrow, Factory {
 
         uint256[] memory _bidsAndIndices = new uint256[](solverOpsLength);
         uint256 _bidAmountFound;
+        uint256 _solverExecutionGas;
         uint256 _bidsAndIndicesLastIndex = solverOpsLength - 1; // Start from the last index
 
         // Get a snapshot of the GasLedger from transient storage, to reset to after bid-finding below
@@ -287,7 +304,9 @@ contract Atlas is Escrow, Factory {
             // remainingMaxGas separately here. This decrease does not include calldata gas as solvers are not charged
             // for calldata gas in exPostBids mode.
             GasLedger memory _gL = t_gasLedger.toGasLedger();
-            _gL.remainingMaxGas -= uint48(dConfig.solverGasLimit);
+            // Deduct solverOp.gas (with a ceiling of dConfig.solverGasLimit) from remainingMaxGas
+            _solverExecutionGas = Math.min(solverOps[i].gas, dConfig.solverGasLimit);
+            _gL.remainingMaxGas -= _solverExecutionGas.toUint40();
             t_gasLedger = _gL.pack();
 
             // skip zero and overflow bid's
@@ -378,14 +397,29 @@ contract Atlas is Escrow, Factory {
 
             SolverOperation calldata solverOp = solverOps[ctx.solverIndex];
 
-            _bidAmount = _executeSolverOperation(
+            // if multipleSuccessfulSolvers = true, solver bids are summed here. Otherwise, 0 bids are returned on
+            // solverOp failure, and only the first successful solver's bid is added to `_bidAmount`.
+            _bidAmount += _executeSolverOperation(
                 ctx, dConfig, userOp, solverOp, solverOp.bidAmount, _gasWaterMark, false, returnData
             );
 
+            // If a winning solver is found, stop iterating through the solverOps and return the winning bid
             if (ctx.solverSuccessful) {
                 return _bidAmount;
             }
         }
+
+        // If no winning solver, but multipleSuccessfulSolvers is true, return the sum of solver bid amounts
+        if (dConfig.callConfig.multipleSuccessfulSolvers()) {
+            // Considered a fail for simulation purposes when only one solverOp in the metacall, and it fails. If more
+            // than 1 solverOp, any of them could fail and simulation could still be successful.
+            if (ctx.isSimulation && solverOpsLen == 1 && ctx.solverOutcome != 0) {
+                revert SolverSimFail(uint256(ctx.solverOutcome));
+            }
+
+            return _bidAmount;
+        }
+
         if (ctx.isSimulation) revert SolverSimFail(uint256(ctx.solverOutcome));
         if (dConfig.callConfig.needsFulfillment()) revert UserNotFulfilled();
         return 0;

src/contracts/atlas/Atlas.sol

@@ -4,6 +4,8 @@ pragma solidity 0.8.28;
 import { EIP712 } from "openzeppelin-contracts/contracts/utils/cryptography/EIP712.sol";
 import { ECDSA } from "openzeppelin-contracts/contracts/utils/cryptography/ECDSA.sol";
 import { SignatureChecker } from "openzeppelin-contracts/contracts/utils/cryptography/SignatureChecker.sol";
+import { Math } from "@openzeppelin/contracts/utils/math/Math.sol";
+
 import { DAppIntegration } from "./DAppIntegration.sol";
 import { NonceManager } from "./NonceManager.sol";
 
@@ -33,7 +35,7 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
         address atlas,
         address l2GasCalculator
     )
-        EIP712("AtlasVerification", "1.5")
+        EIP712("AtlasVerification", "1.6")
         DAppIntegration(atlas, l2GasCalculator)
     { }
 
@@ -164,6 +166,23 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
                 return
                     (allSolversGasLimit, allSolversCalldataGas, bidFindOverhead, ValidCallsResult.DAppGasLimitMismatch);
             }
+
+            // Check the solverGasLimit read from DAppControl at start of metacall matches userOp value
+            if (dConfig.solverGasLimit != userOp.solverGasLimit) {
+                return (
+                    allSolversGasLimit, allSolversCalldataGas, bidFindOverhead, ValidCallsResult.SolverGasLimitMismatch
+                );
+            }
+
+            // Check the bundlerSurchargeRate read from DAppControl at start of metacall matches userOp value
+            if (dConfig.bundlerSurchargeRate != userOp.bundlerSurchargeRate) {
+                return (
+                    allSolversGasLimit,
+                    allSolversCalldataGas,
+                    bidFindOverhead,
+                    ValidCallsResult.BundlerSurchargeRateMismatch
+                );
+            }
         }
 
         // Check gasleft() measured at start of metacall is in line with expected gas limit
@@ -264,7 +283,26 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
             // Max one of preOps or userOp return data can be tracked, not both
             return ValidCallsResult.InvalidCallConfig;
         }
-
+        if (callConfig.multipleSuccessfulSolvers() && callConfig.exPostBids()) {
+            // Max one of multipleSolvers or exPostBids can be used, not both
+            return ValidCallsResult.ExPostBidsAndMultipleSuccessfulSolversNotSupportedTogether;
+        }
+        if (callConfig.multipleSuccessfulSolvers() && callConfig.invertsBidValue()) {
+            // Max one of multipleSolvers or invertsBidValue can be used, not both
+            return ValidCallsResult.InvertsBidValueAndMultipleSuccessfulSolversNotSupportedTogether;
+        }
+        if (callConfig.multipleSuccessfulSolvers() && callConfig.allowsZeroSolvers()) {
+            // Max one of multipleSolvers or allowsZeroSolvers can be used, not both
+            return ValidCallsResult.NeedSolversForMultipleSuccessfulSolvers;
+        }
+        if (callConfig.multipleSuccessfulSolvers() && callConfig.allowsSolverAuctioneer()) {
+            // Max one of multipleSolvers or allowsSolverAuctioneer can be used, not both
+            return ValidCallsResult.SolverCannotBeAuctioneerForMultipleSuccessfulSolvers;
+        }
+        if (callConfig.multipleSuccessfulSolvers() && callConfig.needsFulfillment()) {
+            // Max one of multipleSolvers or needsFulfillment can be used, not both
+            return ValidCallsResult.CannotRequireFulfillmentForMultipleSuccessfulSolvers;
+        }
         if (callConfig.needsSequentialUserNonces() && callConfig.needsSequentialDAppNonces()) {
             // Max one of user or dapp nonces can be sequential, not both
             return ValidCallsResult.BothUserAndDAppNoncesCannotBeSequential;
@@ -324,7 +362,6 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
         }
 
         if (dConfig.callConfig.allowsUnknownAuctioneer()) return (ValidCallsResult.Valid, true);
-
         return (ValidCallsResult.Valid, false);
     }
 
@@ -571,6 +608,8 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
                         userOp.control,
                         userOp.callConfig,
                         userOp.dappGasLimit,
+                        userOp.solverGasLimit,
+                        userOp.bundlerSurchargeRate,
                         userOp.sessionKey
                     )
                 )
@@ -591,6 +630,8 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
                         userOp.control,
                         userOp.callConfig,
                         userOp.dappGasLimit,
+                        userOp.solverGasLimit,
+                        userOp.bundlerSurchargeRate,
                         userOp.sessionKey,
                         keccak256(userOp.data)
                     )
@@ -624,10 +665,20 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
             uint256 bidFindOverhead
         )
     {
-        allSolversCalldataGas = solverOps.sumSolverOpsCalldataGas(L2_GAS_CALCULATOR);
         uint256 solverOpsLen = solverOps.length;
         uint256 dConfigSolverGasLimit = dConfig.solverGasLimit;
-        uint256 allSolversExecutionGas = solverOpsLen * dConfigSolverGasLimit;
+        uint256 solverDataLenSum; // Calculated as sum of solverOps[i].data.length below
+        uint256 allSolversExecutionGas; // Calculated as sum of solverOps[i].gas below
+
+        for (uint256 i = 0; i < solverOpsLen; ++i) {
+            // Sum calldata length of all solverOp.data fields in the array
+            solverDataLenSum += solverOps[i].data.length;
+            // Sum all solverOp.gas values in the array, each with a ceiling of dConfig.solverGasLimit
+            allSolversExecutionGas += Math.min(solverOps[i].gas, dConfigSolverGasLimit);
+        }
+
+        allSolversCalldataGas =
+            GasAccLib.calldataGas(solverDataLenSum + (_SOLVER_OP_BASE_CALLDATA * solverOps.length), L2_GAS_CALCULATOR);
 
         uint256 metacallExecutionGas = _BASE_TX_GAS_USED + AccountingMath._FIXED_GAS_OFFSET + userOpGas
             + dConfig.dappGasLimit + allSolversExecutionGas;
@@ -637,7 +688,7 @@ contract AtlasVerification is EIP712, NonceManager, DAppIntegration {
 
         if (dConfig.callConfig.exPostBids()) {
             // Add extra execution gas for bid-finding loop of each solverOp
-            bidFindOverhead = solverOpsLen * (_BID_FIND_OVERHEAD + dConfigSolverGasLimit);
+            bidFindOverhead = (solverOpsLen * _BID_FIND_OVERHEAD) + allSolversExecutionGas;
             metacallExecutionGas += bidFindOverhead;
             // NOTE: allSolversGasLimit excludes calldata in exPostBids mode.
         } else {