Rescue Funds and Unspent Assets Fix (#329)

* deploys new bridger

* Upgrade

* Refactor Bridger contract to enforce exact swapRouter allowance, update test cases and data for new block numbers, and add RouterAllowanceNotZero error handling.

* Remove redundant balance check for zero amount in CrossChainSwapWorkflow contract.

* Add Bridger contract deployment and update run-latest.json with new transaction details and address mapping in addresses.json.

* Adjust allowance check to permit minimal dust for 0x router compatibility in Bridger.sol.

* Upgrade Bridger contract to version 14, update contract address and transaction details in JSON files, and save new implementation address in migration script and addresses.json.

* Add new Bridger contract implementations (V7 and V13) with updated addresses and migration scripts for mainnet and base, including transaction and receipt logs for deployment.

---------

Co-authored-by: Igor Yalovoy <[email protected]>

artifacts/42161.json

@@ -2914,6 +2914,19 @@
           "outputs": [],
           "stateMutability": "nonpayable"
         },
+        {
+          "type": "function",
+          "name": "rescueToken",
+          "inputs": [
+            {
+              "name": "token",
+              "type": "address",
+              "internalType": "address"
+            }
+          ],
+          "outputs": [],
+          "stateMutability": "nonpayable"
+        },
         {
           "type": "function",
           "name": "sUSDe",

script/migrations/arbitrum/02-upgrade_bridger.s.sol

@@ -27,8 +27,7 @@ contract UpgradeBridgerScript is Constants, Test, MigrationHelper {
         Bridger bridger = Bridger(payable(_getChainDeployment("Bridger")));
 
         vm.broadcast(deployerPrivateKey);
-        address newImpl =
-            address(new Bridger(EXCHANGE_PROXY, USDC, WETH, address(0), address(0), address(0), address(0)));
+        address newImpl = address(new Bridger(EXCHANGE_PROXY, USDC, WETH, DAI, USDe, sUSDe, wstETH));
 
         vm.prank(bridger.owner());
         bridger.upgradeTo(newImpl);
@@ -39,6 +38,6 @@ contract UpgradeBridgerScript is Constants, Test, MigrationHelper {
         assertEq(bridger.SOLV_BTC(), 0x3647c54c4c2C65bC7a2D63c0Da2809B399DBBDC0, "Invalid SolvBtc address");
 
         // Save address
-        saveContractAddress("BridgerV11-impl", newImpl);
+        saveContractAddress("BridgerV14-impl", newImpl);
     }
 }

script/migrations/arbitrum/const.sol

@@ -10,5 +10,7 @@ contract Constants {
     address internal constant DAI = 0xDA10009cBd5D07dd0CeCc66161FC93D7c9000da1;
     address internal constant USDC = 0xaf88d065e77c8cC2239327C5EDb3A432268e5831;
     address internal constant wstETH = 0x0fBcbaEA96Ce0cF7Ee00A8c19c3ab6f5Dc8E1921;
+    address internal constant USDe = 0x5d3a1Ff2b6BAb83b63cd9AD0787074081a52ef34;
+    address internal constant sUSDe = 0x505de0f7a5d786063348aB5BC31e3a21344fA7B0;
     address internal constant SENDER_ACCOUNT = 0x6E09F8A68fB5278e0C33D239dC12B2Cec33F4aC7;
 }

script/migrations/base/02-upgrade_bridger.s.sol

@@ -41,6 +41,6 @@ contract UpgradeBridgerScript is Constants, Test, MigrationHelper {
         assertEq(bridger.senderAccount(), SENDER_ACCOUNT, "Invalid Sender Account");
         // Mamori Safe
         assertEq(bridger.owner(), 0x45e9deAbb4FdD048Ae38Fce9D9E8d68EC6f592a2, "Invalid Owner");
-        saveContractAddress("BridgerV6-impl", newImpl);
+        saveContractAddress("BridgerV7-impl", newImpl);
     }
 }

script/migrations/mainnet/04-upgrade_bridger.s.sol

@@ -43,6 +43,6 @@ contract UpgradeBridgerScript is Constants, Test, MigrationHelper {
         // Safe Account
         assertEq(bridger.owner(), 0xf152Abda9E4ce8b134eF22Dc3C6aCe19C4895D82, "Invalid Owner");
 
-        saveContractAddress("BridgerV12-impl", newImpl);
+        saveContractAddress("BridgerV13-impl", newImpl);
     }
 }

src/access/workflows/CrossChainSwapWorkflow.sol

@@ -28,10 +28,6 @@ contract CrossChainSwapWorkflow {
         bytes calldata swapCallData,
         IBridger.BridgeData calldata bridgeData
     ) external payable returns (uint256 amountOut) {
-        if (amount == 0) {
-            amount = IERC20(inputAsset).balanceOf(address(this));
-        }
-
         // Approve max allowance to save on gas for future transfers
         if (IERC20(inputAsset).allowance(address(this), address(bridger)) < amount) {
             IERC20(inputAsset).forceApprove(address(bridger), type(uint256).max);

src/bridger/Bridger.sol

@@ -326,6 +326,11 @@ contract Bridger is
         return amountOut;
     }
 
+    /// @inheritdoc IBridger
+    function rescueToken(address token) external override onlyOwner {
+        IERC20(token).safeTransfer(owner(), IERC20(token).balanceOf(address(this)));
+    }
+
     /* ============ Private Functions ============ */
 
     /**
@@ -556,14 +561,22 @@ contract Bridger is
         if (sellToken == buyToken) {
             return amountIn;
         }
-        // Increase the allowance for the swapRouter to handle `amountIn` of `sellToken`
-        sellToken.safeIncreaseAllowance(swapRouter, amountIn);
+
+        // Set the allowance for the swapRouter to handle `amountIn` of `sellToken`
+        sellToken.forceApprove(swapRouter, amountIn);
 
         // Track our balance of the buyToken to determine how much we've bought.
         uint256 boughtAmount = buyToken.balanceOf(address(this));
 
         // Perform the swap call to the exchange proxy.
         swapRouter.functionCall(swapCallData);
+
+        // Allowance for the 0x router always has to be set to exactly the amountIn, and there should never be any hanging allowance as it can be exploited using malicious calldata and pools
+        // Allows some dust, as 0x router and pools sometimes do not consume entire allowance
+        if (sellToken.allowance(address(this), swapRouter) > 100) {
+            revert RouterAllowanceNotZero(sellToken.allowance(address(this), swapRouter));
+        }
+
         // Keep the protocol fee refunds given that we are paying for gas
         // Use our current buyToken balance to determine how much we've bought.
         boughtAmount = buyToken.balanceOf(address(this)) - boughtAmount;

src/interfaces/bridger/IBridger.sol

@@ -79,6 +79,10 @@ interface IBridger {
     /// @param amountOut The amount to deposit.
     error DepositBySigResult(uint256 amountOut);
 
+    /// @notice Thrown then 0x router allowance is great than zero after the swap.
+    /// @param allowance The allowance value.
+    error RouterAllowanceNotZero(uint256 allowance);
+
     /* ============ Structs ============ */
 
     /**
@@ -216,6 +220,12 @@ interface IBridger {
         BridgeData calldata bridgeData
     ) external payable returns (uint256);
 
+    /**
+     * @notice Rescue tokens from the contract back to safe.
+     * @param token Address of the token to rescue.
+     */
+    function rescueToken(address token) external;
+
     /**
      * @notice Pause the contract.
      */

test/artifacts/1/addresses.json

@@ -39,5 +39,6 @@
   "AaveRepayWorkflow": "0x694Cb08134aEA59D780f0d16004f38081fB184c9",
   "AaveWithdrawWorkflow": "0xb4D3004b5E56d236977e9153F4689cF10E4Ff723",
   "AaveBorrowWorkflow": "0x8c13D7aDD034A9E1bD8280225Efab7584c5E85A6",
-  "AccessManager": "0xaCC00065030f6FaaF7B3Cd6630158672380485dC"
+  "AccessManager": "0xaCC00065030f6FaaF7B3Cd6630158672380485dC",
+  "BridgerV13-impl": "0xae2F80339Bdd9bd384502A62aEe956eAbF3796e6"
 }

test/artifacts/42161/addresses.json

@@ -14,6 +14,7 @@
   "BridgerV1-impl": "0x7AD03919B4E6fAeaF62b097Dc9Fd1754D66a073e",
   "BridgerV10-impl": "0x0BFD5D96dE5a461e07c3Fa6deC274D9631a43986",
   "BridgerV11-impl": "0xF9C2756425B57e7c142887272bFA4B3270Ccc490",
+  "BridgerV12-impl": "0x916B72125eec510E9cd64fd3eDF914E90980537B",
   "BridgerV2-impl": "0x66Fd2Ec572bE9f8a332Bc40350b72c72470D9aCd",
   "BridgerV3-impl": "0x1634254b7296cDA083a3cDb711CdBD7736410FC5",
   "BridgerV4-impl": "0x51be166199e39805ac68b758a2236a5b3c358b01",
@@ -33,5 +34,7 @@
   "AaveRepayWorkflow": "0x24f71379C39b515Ff5182F4b0cc298793EC5998c",
   "AaveWithdrawWorkflow": "0xef4D6687372172c4af1802C208Ab40673b014309",
   "AaveBorrowWorkflow": "0xD0187Ca378f7B26D53e0A91fBe8D7ba80498EF10",
-  "AccessManager": "0xacc0003a4aAE5dA4ba12F771C7350D40147Cd7D4"
+  "AccessManager": "0xacc0003a4aAE5dA4ba12F771C7350D40147Cd7D4",
+  "BridgerV13-impl": "0xbA6FD752CE93879c381fb7ffdbe7baB233D6e6e4",
+  "BridgerV14-impl": "0x363EFf1981E664107EF4E8568Cc4321B74558DAA"
 }

test/artifacts/8453/addresses.json

@@ -28,5 +28,6 @@
   "AaveRepayWorkflow": "0x2B0AC9D2BfDB3cA3507F3678F82F9cF6Fd927cf8",
   "AaveWithdrawWorkflow": "0xe307f7bf3fBfBB187f6870b6ad6b393f824e49e6",
   "AaveBorrowWorkflow": "0x8447861eF3F3b390E7e090B5eFaac0133cD0bCEe",
-  "AccessManager": "0xAcc0004fD1693a13E1E1BFFCd152286906216f0B"
+  "AccessManager": "0xAcc0004fD1693a13E1E1BFFCd152286906216f0B",
+  "BridgerV7-impl": "0x10bEeeb7d68E667dd6F39BAB93772f7E11Cd2425"
 }

test/data/swap-weth-to-usdm-arb.json

@@ -1,6 +1,6 @@
 {
-  "blockNumber": "20824921",
-  "buyAmount": "264262497119117181651",
+  "blockNumber": "21408912",
+  "buyAmount": "3895183627890566214383",
   "buyToken": "0x59d9356e565ab3a36dd77763fc0d87feaf85508c",
   "fees": {
     "integratorFee": null,
@@ -9,31 +9,31 @@
   },
   "issues": {
     "allowance": {
-      "actual": "0",
+      "actual": "83217",
       "spender": "0x0000000000001ff3684f28c67538d4d072c22734"
     },
     "balance": {
       "token": "0x82af49447d8a07e3bd95bd0d56f35241523fbab1",
-      "actual": "0",
-      "expected": "100000000000000000"
+      "actual": "67412",
+      "expected": "1000000000000000000"
     },
     "simulationIncomplete": false,
     "invalidSourcesPassed": []
   },
   "liquidityAvailable": true,
-  "minBuyAmount": "261619872147926008200",
+  "minBuyAmount": "3856231791611660547900",
   "route": {
     "fills": [
       {
         "from": "0x82af49447d8a07e3bd95bd0d56f35241523fbab1",
-        "to": "0xff970a61a04b1ca14834a43f5de4533ebddb5cc8",
+        "to": "0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f",
         "source": "Uniswap_V3",
         "proportionBps": "10000"
       },
       {
-        "from": "0xff970a61a04b1ca14834a43f5de4533ebddb5cc8",
+        "from": "0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f",
         "to": "0xaf88d065e77c8cc2239327c5edb3a432268e5831",
-        "source": "Camelot_V2",
+        "source": "WOOFi_V2",
         "proportionBps": "10000"
       },
       {
@@ -49,8 +49,8 @@
         "symbol": "WETH"
       },
       {
-        "address": "0xff970a61a04b1ca14834a43f5de4533ebddb5cc8",
-        "symbol": "USDC"
+        "address": "0x2f2a2543b76a4166549f7aab2e75bef0aefc5b0f",
+        "symbol": "WBTC"
       },
       {
         "address": "0xaf88d065e77c8cc2239327c5edb3a432268e5831",
@@ -62,7 +62,7 @@
       }
     ]
   },
-  "sellAmount": "100000000000000000",
+  "sellAmount": "1000000000000000000",
   "sellToken": "0x82af49447d8a07e3bd95bd0d56f35241523fbab1",
   "tokenMetadata": {
     "buyToken": {
@@ -74,13 +74,13 @@
       "sellTaxBps": "0"
     }
   },
-  "totalNetworkFee": "9989230000000",
+  "totalNetworkFee": "14007900000000",
   "transaction": {
     "to": "0x0000000000001ff3684f28c67538d4d072c22734",
-    "data": "0x2213bc0b000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b00000000000000000000000082af49447d8a07e3bd95bd0d56f35241523fbab1000000000000000000000000000000000000000000000000016345785d8a0000000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b00000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000006c41fff991f000000000000000000000000b7dfe09cf3950141dfb7db8abca90ddef8d06ec000000000000000000000000059d9356e565ab3a36dd77763fc0d87feaf85508c00000000000000000000000000000000000000000000000e2eb47f98d83dc18800000000000000000000000000000000000000000000000000000000000000a018650f03c29adb3052cd4d5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000002200000000000000000000000000000000000000000000000000000000000000460000000000000000000000000000000000000000000000000000000000000018422ce6ede000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b000000000000000000000000000000000000000000000000000000000000010000000000000000000000000082af49447d8a07e3bd95bd0d56f35241523fbab1000000000000000000000000000000000000000000000000016345785d8a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000066f383c500000000000000000000000000000000000000000000000000000000000001600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c82af49447d8a07e3bd95bd0d56f35241523fbab1000001f4ff970a61a04b1ca14834a43f5de4533ebddb5cc80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020438c9c147000000000000000000000000ff970a61a04b1ca14834a43f5de4533ebddb5cc80000000000000000000000000000000000000000000000000000000000002710000000000000000000000000c873fecbd354f5a56e00e710b90ef4201db2448d000000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000a00000000000000000000000000000000000000000000000000000000000000124ac3893ba000000000000000000000000000000000000000000000000000000000fbfb580000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000066f383c50000000000000000000000000000000000000000000000000000000000000002000000000000000000000000ff970a61a04b1ca14834a43f5de4533ebddb5cc8000000000000000000000000af88d065e77c8cc2239327c5edb3a432268e58310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016438c9c147000000000000000000000000af88d065e77c8cc2239327c5edb3a432268e583100000000000000000000000000000000000000000000000000000000000027100000000000000000000000004bd135524897333bec344e50ddd85126554e58b4000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000843df021240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-    "gas": "998923",
+    "data": "0x2213bc0b000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b00000000000000000000000082af49447d8a07e3bd95bd0d56f35241523fbab10000000000000000000000000000000000000000000000000de0b6b3a7640000000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b00000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000006641fff991f000000000000000000000000b7dfe09cf3950141dfb7db8abca90ddef8d06ec000000000000000000000000059d9356e565ab3a36dd77763fc0d87feaf85508c0000000000000000000000000000000000000000000000d10bf76f477531373c00000000000000000000000000000000000000000000000000000000000000a0d948b97cdacfe9371a1f156100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000002200000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000018422ce6ede000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b000000000000000000000000000000000000000000000000000000000000010000000000000000000000000082af49447d8a07e3bd95bd0d56f35241523fbab10000000000000000000000000000000000000000000000000de0b6b3a7640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000675efb7f00000000000000000000000000000000000000000000000000000000000001600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c82af49447d8a07e3bd95bd0d56f35241523fbab1000001f42f2a2543b76a4166549f7aab2e75bef0aefc5b0f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001a438c9c1470000000000000000000000002f2a2543b76a4166549f7aab2e75bef0aefc5b0f00000000000000000000000000000000000000000000000000000000000027100000000000000000000000004c4af8dbc524681930a27b2f1af5bcc8062e6fb7000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000c47dc203820000000000000000000000002f2a2543b76a4166549f7aab2e75bef0aefc5b0f000000000000000000000000af88d065e77c8cc2239327c5edb3a432268e583100000000000000000000000000000000000000000000000000000000003a1d060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f3e01012ce60bb95ae294d5b24a9fc3af245b53b0000000000000000000000005e01d320e95133d80dd59a2191c95728fa69036d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016438c9c147000000000000000000000000af88d065e77c8cc2239327c5edb3a432268e583100000000000000000000000000000000000000000000000000000000000027100000000000000000000000004bd135524897333bec344e50ddd85126554e58b4000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000843df021240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+    "gas": "1400790",
     "gasPrice": "10000000",
     "value": "0"
   },
-  "zid": "0x18650f03c29adb3052cd4d50"
+  "zid": "0xd948b97cdacfe9371a1f1561"
 }