Audit - Feb 2025 - 7.2.1 Execution and CallType Mode Modifier (#65)

* Audit - Feb 2025 - 7.2.1 Execution and CallType Mode Modifier

* Updated exeution and typecall mode for new modifiers

* Added validation modifier for exection mode default

* Fix mode update in some enforcers

Author: hanzel98

documents/CaveatEnforcers.md

@@ -21,7 +21,7 @@ The order in which the caveat hooks are called can vary depending on the `Delega
 
 ### Execution Modes
 
-Enforcers can target a specific execution mode: **single** or **batch**. Because execution call data is encoded differently for each mode, you can use modifiers like `onlySingleExecutionMode` or `onlyBatchExecutionMode` to restrict an enforcer to the desired mode, using a different would revert.
+Enforcers can target specific call type modes: **single** or **batch**, and execution types: **default** or **revert**. Because execution call data is encoded differently for each mode, you can use modifiers like `onlySingleCallTypeMode`, `onlyBatchCallTypeMode` to restrict a call type, or `onlyDefaultExecutionMode`, `onlyTryExecutionMode` to restrict an execution type, it is possible to combine an execution mode modifier with a call type modifier.
 
 ---
 

lcov.info

@@ -747,8 +747,8 @@ FNDA:74,CaveatEnforcer.onlySingleExecutionMode
 DA:27,74
 BRDA:27,0,0,-
 BRDA:27,0,1,74
-FN:34,CaveatEnforcer.onlyBatchExecutionMode
-FNDA:0,CaveatEnforcer.onlyBatchExecutionMode
+FN:34,CaveatEnforcer.onlyBatchCallTypeMode
+FNDA:0,CaveatEnforcer.onlyBatchCallTypeMode
 DA:35,0
 BRDA:35,1,0,-
 BRDA:35,1,1,-

src/enforcers/AllowedCalldataEnforcer.sol

@@ -40,7 +40,7 @@ contract AllowedCalldataEnforcer is CaveatEnforcer {
         public
         pure
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         // Ensure that the first two term values are valid and at least 1 byte for value_
         uint256 dataStart_;

src/enforcers/AllowedMethodsEnforcer.sol

@@ -36,7 +36,7 @@ contract AllowedMethodsEnforcer is CaveatEnforcer {
         public
         pure
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         (,, bytes calldata callData_) = _executionCallData.decodeSingle();
 

src/enforcers/AllowedTargetsEnforcer.sol

@@ -35,7 +35,7 @@ contract AllowedTargetsEnforcer is CaveatEnforcer {
         public
         pure
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         (address target_,,) = _executionCallData.decodeSingle();
 

src/enforcers/CaveatEnforcer.sol

@@ -4,8 +4,8 @@ pragma solidity 0.8.23;
 import { ModeLib } from "@erc7579/lib/ModeLib.sol";
 
 import { ICaveatEnforcer } from "../interfaces/ICaveatEnforcer.sol";
-import { ModeCode } from "../utils/Types.sol";
-import { CALLTYPE_SINGLE, CALLTYPE_BATCH } from "../utils/Constants.sol";
+import { ModeCode, ExecType } from "../utils/Types.sol";
+import { CALLTYPE_SINGLE, CALLTYPE_BATCH, EXECTYPE_DEFAULT, EXECTYPE_TRY } from "../utils/Constants.sol";
 
 /**
  * @title CaveatEnforcer
@@ -27,18 +27,44 @@ abstract contract CaveatEnforcer is ICaveatEnforcer {
     function afterAllHook(bytes calldata, bytes calldata, ModeCode, bytes calldata, bytes32, address, address) public virtual { }
 
     /**
-     * @dev Require the function call to be in single execution mode
+     * @dev Require the function call to be in single call type
      */
-    modifier onlySingleExecutionMode(ModeCode _mode) {
-        require(ModeLib.getCallType(_mode) == CALLTYPE_SINGLE, "CaveatEnforcer:invalid-call-type");
+    modifier onlySingleCallTypeMode(ModeCode _mode) {
+        {
+            require(ModeLib.getCallType(_mode) == CALLTYPE_SINGLE, "CaveatEnforcer:invalid-call-type");
+        }
         _;
     }
 
     /**
-     * @dev Require the function call to be in batch execution mode
+     * @dev Require the function call to be in batch call type
      */
-    modifier onlyBatchExecutionMode(ModeCode _mode) {
-        require(ModeLib.getCallType(_mode) == CALLTYPE_BATCH, "CaveatEnforcer:invalid-call-type");
+    modifier onlyBatchCallTypeMode(ModeCode _mode) {
+        {
+            require(ModeLib.getCallType(_mode) == CALLTYPE_BATCH, "CaveatEnforcer:invalid-call-type");
+        }
+        _;
+    }
+
+    /**
+     * @dev Require the function call to be in default execution mode
+     */
+    modifier onlyDefaultExecutionMode(ModeCode _mode) {
+        {
+            (, ExecType _execType,,) = _mode.decode();
+            require(_execType == EXECTYPE_DEFAULT, "CaveatEnforcer:invalid-execution-type");
+        }
+        _;
+    }
+
+    /**
+     * @dev Require the function call to be in try execution mode
+     */
+    modifier onlyTryExecutionMode(ModeCode _mode) {
+        {
+            (, ExecType _execType,,) = _mode.decode();
+            require(_execType == EXECTYPE_TRY, "CaveatEnforcer:invalid-execution-type");
+        }
         _;
     }
 }

src/enforcers/ERC20PeriodTransferEnforcer.sol

@@ -126,7 +126,7 @@ contract ERC20PeriodTransferEnforcer is CaveatEnforcer {
     )
         public
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         _validateAndConsumeTransfer(_terms, _executionCallData, _delegationHash, _redeemer);
     }

src/enforcers/ERC20StreamingEnforcer.sol

@@ -59,40 +59,21 @@ contract ERC20StreamingEnforcer is CaveatEnforcer {
 
     /**
      * @notice Retrieves the current available allowance for a specific delegation.
-     * @param _delegationHash The hash of the delegation being queried.
      * @param _delegationManager The address of the delegation manager.
-     * @param _terms 148 packed bytes where:
-     * - 20 bytes: ERC20 token address.
-     * - 32 bytes: initial amount.
-     * - 32 bytes: max amount.
-     * - 32 bytes: amount per second.
-     * - 32 bytes: start time for the streaming allowance.
+     * @param _delegationHash The hash of the delegation being queried.
      * @return availableAmount_ The number of tokens that are currently spendable
      * under this streaming allowance (capped by `maxAmount`).
      */
     function getAvailableAmount(
-        bytes32 _delegationHash,
         address _delegationManager,
-        bytes calldata _terms
+        bytes32 _delegationHash
     )
         external
         view
         returns (uint256 availableAmount_)
     {
-        StreamingAllowance memory storedAllowance_ = streamingAllowances[_delegationManager][_delegationHash];
-        if (storedAllowance_.spent != 0) return _getAvailableAmount(storedAllowance_);
-
-        // Not yet initialized: simulate using provided terms.
-        (, uint256 initialAmount_, uint256 maxAmount_, uint256 amountPerSecond_, uint256 startTime_) = getTermsInfo(_terms);
-
-        StreamingAllowance memory allowance_ = StreamingAllowance({
-            initialAmount: initialAmount_,
-            maxAmount: maxAmount_,
-            amountPerSecond: amountPerSecond_,
-            startTime: startTime_,
-            spent: 0
-        });
-        return _getAvailableAmount(allowance_);
+        StreamingAllowance storage allowance_ = streamingAllowances[_delegationManager][_delegationHash];
+        availableAmount_ = _getAvailableAmount(allowance_);
     }
 
     /**
@@ -120,7 +101,7 @@ contract ERC20StreamingEnforcer is CaveatEnforcer {
     )
         public
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         _validateAndConsumeAllowance(_terms, _executionCallData, _delegationHash, _redeemer);
     }

src/enforcers/ERC20TransferAmountEnforcer.sol

@@ -46,7 +46,8 @@ contract ERC20TransferAmountEnforcer is CaveatEnforcer {
     )
         public
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
+        onlyDefaultExecutionMode(_mode)
     {
         (uint256 limit_, uint256 spent_) = _validateAndIncrease(_terms, _executionCallData, _delegationHash);
         emit IncreasedSpentMap(msg.sender, _redeemer, _delegationHash, limit_, spent_);

src/enforcers/ERC721TransferEnforcer.sol

@@ -32,7 +32,7 @@ contract ERC721TransferEnforcer is CaveatEnforcer {
         public
         virtual
         override
-        onlySingleExecutionMode(_mode)
+        onlySingleCallTypeMode(_mode)
     {
         (address permittedContract_, uint256 permittedTokenId_) = getTermsInfo(_terms);
         (address target_,, bytes calldata callData_) = ExecutionLib.decodeSingle(_executionCallData);