feat: ERC4626 Exchange Rate Threshold (SC-1229)

Author: deluca-mike

src/ForeignController.sol

@@ -50,6 +50,7 @@ contract ForeignController is ReentrancyGuard, AccessControlEnumerable {
 
     event LayerZeroRecipientSet(uint32 indexed destinationEndpointId, bytes32 layerZeroRecipient);
     event MaxSlippageSet(address indexed pool, uint256 maxSlippage);
+    event MaxExchangeRateSet(address indexed token, uint256 maxExchangeRate);
     event MintRecipientSet(uint32 indexed destinationDomain, bytes32 mintRecipient);
     event RelayerRemoved(address indexed relayer);
 
@@ -84,6 +85,9 @@ contract ForeignController is ReentrancyGuard, AccessControlEnumerable {
     mapping(uint32 destinationDomain     => bytes32 mintRecipient)      public mintRecipients;
     mapping(uint32 destinationEndpointId => bytes32 layerZeroRecipient) public layerZeroRecipients;
 
+    // ERC4626 exchange rate thresholds
+    mapping(address token => uint256 maxExchangeRate) public maxExchangeRates;
+
     /**********************************************************************************************/
     /*** Initialization                                                                         ***/
     /**********************************************************************************************/
@@ -154,6 +158,14 @@ contract ForeignController is ReentrancyGuard, AccessControlEnumerable {
         emit LayerZeroRecipientSet(destinationEndpointId, layerZeroRecipient);
     }
 
+    function setMaxExchangeRate(address token, uint256 maxExchangeRate) external nonReentrant {
+        _checkRole(DEFAULT_ADMIN_ROLE);
+
+        require(token != address(0), "ForeignController/token-zero-address");
+
+        emit MaxExchangeRateSet(token, maxExchangeRates[token] = maxExchangeRate);
+    }
+
     /**********************************************************************************************/
     /*** Freezer functions                                                                      ***/
     /**********************************************************************************************/
@@ -330,27 +342,25 @@ contract ForeignController is ReentrancyGuard, AccessControlEnumerable {
         rateLimitedAddress(LIMIT_4626_DEPOSIT, token, amount)
         returns (uint256 shares)
     {
-        require(maxSlippages[token] != 0, "ForeignController/max-slippage-not-set");
+        require(
+            IERC4626(token).convertToAssets(1e18) <= maxExchangeRates[token],
+            "ForeignController/exchange-rate-too-high"
+        );
 
         // Note that whitelist is done by rate limits.
-        IERC20 asset = IERC20(IERC4626(token).asset());
+        address asset = IERC4626(token).asset();
 
         // Approve asset to token from the proxy (assumes the proxy has enough of the asset).
-        _approve(address(asset), token, amount);
+        _approve(asset, token, amount);
 
         // Deposit asset into the token, proxy receives token shares, decode the resulting shares.
-        shares = abi.decode(
+        return abi.decode(
             proxy.doCall(
                 token,
                 abi.encodeCall(IERC4626(token).deposit, (amount, address(proxy)))
             ),
             (uint256)
         );
-
-        require(
-            IERC4626(token).convertToAssets(shares) >= amount * maxSlippages[token] / 1e18,
-            "ForeignController/inflated-shares"
-        );
     }
 
     function withdrawERC4626(address token, uint256 amount)

src/MainnetController.sol

@@ -99,6 +99,7 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
 
     event LayerZeroRecipientSet(uint32 indexed destinationEndpointId, bytes32 layerZeroRecipient);
     event MaxSlippageSet(address indexed pool, uint256 maxSlippage);
+    event MaxExchangeRateSet(address indexed token, uint256 maxExchangeRate);
     event MintRecipientSet(uint32 indexed destinationDomain, bytes32 mintRecipient);
     event OTCBufferSet(
         address indexed exchange,
@@ -188,6 +189,9 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
 
     mapping(address exchange => mapping(address asset => bool)) public otcWhitelistedAssets;
 
+    // ERC4626 exchange rate thresholds
+    mapping(address token => uint256 maxExchangeRate) public maxExchangeRates;
+
     /**********************************************************************************************/
     /*** Initialization                                                                         ***/
     /**********************************************************************************************/
@@ -288,6 +292,14 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
         otcWhitelistedAssets[exchange][asset] = isWhitelisted;
     }
 
+    function setMaxExchangeRate(address token, uint256 maxExchangeRate) external nonReentrant {
+        _checkRole(DEFAULT_ADMIN_ROLE);
+
+        require(token != address(0), "MainnetController/token-zero-address");
+
+        emit MaxExchangeRateSet(token, maxExchangeRates[token] = maxExchangeRate);
+    }
+
     /**********************************************************************************************/
     /*** Freezer functions                                                                      ***/
     /**********************************************************************************************/
@@ -439,13 +451,16 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
         _checkRole(RELAYER);
         _rateLimitedAddress(LIMIT_4626_DEPOSIT, token, amount);
 
-        require(maxSlippages[token] != 0, "MainnetController/max-slippage-not-set");
+        require(
+            IERC4626(token).convertToAssets(1e18) <= maxExchangeRates[token],
+            "MainnetController/exchange-rate-too-high"
+        );
 
         // Note that whitelist is done by rate limits
-        IERC20 asset = IERC20(IERC4626(token).asset());
+        address asset = IERC4626(token).asset();
 
         // Approve asset to token from the proxy (assumes the proxy has enough of the asset).
-        _approve(address(asset), token, amount);
+        _approve(asset, token, amount);
 
         // Deposit asset into the token, proxy receives token shares, decode the resulting shares
         shares = abi.decode(
@@ -455,11 +470,6 @@ contract MainnetController is ReentrancyGuard, AccessControlEnumerable {
             ),
             (uint256)
         );
-
-        require(
-            IERC4626(token).convertToAssets(shares) >= amount * maxSlippages[token] / 1e18,
-            "MainnetController/slippage-too-high"
-        );
     }
 
     function withdrawERC4626(address token, uint256 amount)

test/base-fork/Morpho.t.sol

@@ -102,8 +102,8 @@ contract MorphoBaseTest is ForkTestBase {
             uint256(5_000_000e6) / 1 days
         );
 
-        foreignController.setMaxSlippage(MORPHO_VAULT_USDS, 1e18 - 1e4);  // Rounding slippage
-        foreignController.setMaxSlippage(MORPHO_VAULT_USDC, 1e18 - 1e4);  // Rounding slippage
+        foreignController.setMaxExchangeRate(MORPHO_VAULT_USDS, IERC4626(MORPHO_VAULT_USDS).convertToAssets(1e18));
+        foreignController.setMaxExchangeRate(MORPHO_VAULT_USDC, IERC4626(MORPHO_VAULT_USDC).convertToAssets(1e18));
 
         vm.stopPrank();
     }
@@ -140,50 +140,45 @@ contract MorphoDepositFailureTests is MorphoBaseTest {
         foreignController.depositERC4626(makeAddr("fake-token"), 1e18);
     }
 
-    function test_depositERC4626_zeroMaxSlippage() external {
-        vm.prank(Base.SPARK_EXECUTOR);
-        foreignController.setMaxSlippage(MORPHO_VAULT_USDS, 0);
+    function test_depositERC4626_exchangeRateBoundary() external {
+        deal(Base.USDS, address(almProxy), 25_000_000e18);
+
+        vm.startPrank(Base.SPARK_EXECUTOR);
+        foreignController.setMaxExchangeRate(MORPHO_VAULT_USDS, IERC4626(MORPHO_VAULT_USDS).convertToAssets(1e18) - 1);
+        vm.stopPrank();
+
+        vm.prank(relayer);
+        vm.expectRevert("ForeignController/exchange-rate-too-high");
+        foreignController.depositERC4626(MORPHO_VAULT_USDS, 25_000_000e18);
+
+        vm.startPrank(Base.SPARK_EXECUTOR);
+        foreignController.setMaxExchangeRate(MORPHO_VAULT_USDS, IERC4626(MORPHO_VAULT_USDS).convertToAssets(1e18));
+        vm.stopPrank();
 
         vm.prank(relayer);
-        vm.expectRevert("ForeignController/max-slippage-not-set");
-        foreignController.depositERC4626(MORPHO_VAULT_USDS, 1e18);
+        foreignController.depositERC4626(MORPHO_VAULT_USDS, 25_000_000e18);
     }
 
     function test_morpho_usds_deposit_rateLimitedBoundary() external {
         deal(Base.USDS, address(almProxy), 25_000_000e18 + 1);
 
         vm.expectRevert("RateLimits/rate-limit-exceeded");
-        vm.startPrank(relayer);
+        vm.prank(relayer);
         foreignController.depositERC4626(MORPHO_VAULT_USDS, 25_000_000e18 + 1);
 
+        vm.prank(relayer);
         foreignController.depositERC4626(MORPHO_VAULT_USDS, 25_000_000e18);
     }
 
     function test_morpho_usdc_deposit_rateLimitedBoundary() external {
         deal(Base.USDC, address(almProxy), 25_000_000e6 + 1);
 
         vm.expectRevert("RateLimits/rate-limit-exceeded");
-        vm.startPrank(relayer);
-        foreignController.depositERC4626(MORPHO_VAULT_USDC, 25_000_000e6 + 1);
-
-        foreignController.depositERC4626(MORPHO_VAULT_USDC, 25_000_000e6);
-    }
-
-    function test_morpho_usds_deposit_slippageBoundary() external {
-        deal(Base.USDS, address(almProxy), 5_000_000e18);
-
-        vm.prank(Base.SPARK_EXECUTOR);
-        foreignController.setMaxSlippage(MORPHO_VAULT_USDS, 1e18 + 1);  // Positive slippage needed to cause error
-
         vm.prank(relayer);
-        vm.expectRevert("ForeignController/inflated-shares");
-        foreignController.depositERC4626(MORPHO_VAULT_USDS, 5_000_000e18);
-
-        vm.prank(Base.SPARK_EXECUTOR);
-        foreignController.setMaxSlippage(MORPHO_VAULT_USDS, 1e18);
+        foreignController.depositERC4626(MORPHO_VAULT_USDC, 25_000_000e6 + 1);
 
         vm.prank(relayer);
-        foreignController.depositERC4626(MORPHO_VAULT_USDS, 5_000_000e18);
+        foreignController.depositERC4626(MORPHO_VAULT_USDC, 25_000_000e6);
     }
 
 }

test/base-fork/MorphoAllocations.t.sol

@@ -219,7 +219,7 @@ contract MorphoReallocateMorphoSuccessTests is MorphoTestBase {
             25_000_000e6,
             uint256(5_000_000e6) / 1 days
         );
-        foreignController.setMaxSlippage(address(morphoVault), 1e18 - 1e4);  // Rounding slippage
+        foreignController.setMaxExchangeRate(address(morphoVault), IERC4626(address(morphoVault)).convertToAssets(1e18));
         vm.stopPrank();
 
         // Refresh markets so calculations don't include interest

test/base-fork/SparkVault.t.sol

@@ -1,6 +1,8 @@
 // SPDX-License-Identifier: AGPL-3.0-or-later
 pragma solidity >=0.8.0;
 
+import { IERC4626 } from "forge-std/interfaces/IERC4626.sol";
+
 import { ERC20Mock as MockERC20 } from "../../lib/openzeppelin-contracts/contracts/mocks/token/ERC20Mock.sol";
 import { ERC1967Proxy }           from "../../lib/openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Proxy.sol";
 import { ReentrancyGuard }        from "../../lib/openzeppelin-contracts/contracts/utils/ReentrancyGuard.sol";
@@ -287,9 +289,9 @@ contract ForeignControllerTakeFromSparkVaultE2ETests is ForkTestBase {
 
         rateLimits.setUnlimitedRateLimitData(morphoWithdrawKey);
 
-        // Step 4 (spell): Set maxSlippage for ERC4626 deposit
+        // Step 4 (spell): Set maxExchangeRate for ERC4626 deposit
 
-        foreignController.setMaxSlippage(morphoUsdcVault, 1e18 - 1e4);  // Rounding slippage
+        foreignController.setMaxExchangeRate(morphoUsdcVault, 1.2e18);
 
         vm.stopPrank();
     }

test/mainnet-fork/4626Calls.t.sol

@@ -15,16 +15,20 @@ contract SUSDSTestBase is ForkTestBase {
 
     uint256 SUSDS_DRIP_AMOUNT;
 
+    bytes32 depositKey;
+    bytes32 withdrawKey;
+
     function setUp() override public {
         super.setUp();
 
-        bytes32 depositKey  = RateLimitHelpers.makeAddressKey(mainnetController.LIMIT_4626_DEPOSIT(),  Ethereum.SUSDS);
-        bytes32 withdrawKey = RateLimitHelpers.makeAddressKey(mainnetController.LIMIT_4626_WITHDRAW(), Ethereum.SUSDS);
+        depositKey  = RateLimitHelpers.makeAddressKey(mainnetController.LIMIT_4626_DEPOSIT(),  Ethereum.SUSDS);
+        withdrawKey = RateLimitHelpers.makeAddressKey(mainnetController.LIMIT_4626_WITHDRAW(), Ethereum.SUSDS);
 
         vm.startPrank(Ethereum.SPARK_PROXY);
+        rateLimits.setRateLimitData(mainnetController.LIMIT_USDS_MINT(), 10_000_000e18, uint256(10_000_000e18) / 4 hours);
         rateLimits.setRateLimitData(depositKey,  5_000_000e18, uint256(1_000_000e18) / 4 hours);
         rateLimits.setRateLimitData(withdrawKey, 5_000_000e18, uint256(1_000_000e18) / 4 hours);
-        mainnetController.setMaxSlippage(address(susds), 1e18 - 1e4);  // Rounding slippage
+        mainnetController.setMaxExchangeRate(address(susds), susds.convertToAssets(1e18));
         vm.stopPrank();
 
         SUSDS_CONVERTED_ASSETS = susds.convertToAssets(1e18);
@@ -69,45 +73,36 @@ contract MainnetControllerDepositERC4626FailureTests is SUSDSTestBase {
         mainnetController.depositERC4626(makeAddr("fake-token"), 1e18);
     }
 
-    function test_depositERC4626_zeroMaxSlippage() external {
-        vm.prank(Ethereum.SPARK_PROXY);
-        mainnetController.setMaxSlippage(address(susds), 0);
-
-        vm.prank(relayer);
-        vm.expectRevert("MainnetController/max-slippage-not-set");
-        mainnetController.depositERC4626(address(susds), 1e18);
-    }
-
-    function test_depositERC4626_rateLimitBoundary() external {
+    function test_depositERC4626_exchangeRateBoundary() external {
         vm.startPrank(relayer);
         mainnetController.mintUSDS(5_000_000e18);
+        vm.stopPrank();
 
-        // Have to warp to get back above rate limit
-        skip(1 minutes);
-        mainnetController.mintUSDS(1);
+        vm.startPrank(Ethereum.SPARK_PROXY);
+        mainnetController.setMaxExchangeRate(address(susds), IERC4626(address(susds)).convertToAssets(1e18) - 1);
+        vm.stopPrank();
 
-        vm.expectRevert("RateLimits/rate-limit-exceeded");
-        mainnetController.depositERC4626(address(susds), 5_000_000e18 + 1);
+        vm.prank(relayer);
+        vm.expectRevert("MainnetController/exchange-rate-too-high");
+        mainnetController.depositERC4626(address(susds), 5_000_000e18);
+
+        vm.startPrank(Ethereum.SPARK_PROXY);
+        mainnetController.setMaxExchangeRate(address(susds), IERC4626(address(susds)).convertToAssets(1e18));
+        vm.stopPrank();
 
+        vm.prank(relayer);
         mainnetController.depositERC4626(address(susds), 5_000_000e18);
     }
 
-    function test_depositERC4626_slippageBoundary() external {
-        vm.prank(relayer);
+    function test_depositERC4626_rateLimitBoundary() external {
+        vm.startPrank(relayer);
         mainnetController.mintUSDS(5_000_000e18);
 
-        vm.prank(Ethereum.SPARK_PROXY);
-        mainnetController.setMaxSlippage(address(susds), 1e18);
-
-        vm.prank(relayer);
-        vm.expectRevert("MainnetController/slippage-too-high");
-        mainnetController.depositERC4626(address(susds), 5_000_000e18);  // Rounding causes error
-
-        vm.prank(Ethereum.SPARK_PROXY);
-        mainnetController.setMaxSlippage(address(susds), 1e18 - 1);
+        vm.expectRevert("RateLimits/rate-limit-exceeded");
+        mainnetController.depositERC4626(address(susds), 5_000_000e18 + 1);
 
-        vm.prank(relayer);
         mainnetController.depositERC4626(address(susds), 5_000_000e18);
+        vm.stopPrank();
     }
 
 }
@@ -176,19 +171,19 @@ contract MainnetControllerWithdrawERC4626FailureTests is SUSDSTestBase {
     }
 
     function test_withdrawERC4626_rateLimitBoundary() external {
-        vm.startPrank(relayer);
-        mainnetController.mintUSDS(5_000_000e18);
-        mainnetController.depositERC4626(address(susds), 5_000_000e18);
+        vm.startPrank(Ethereum.SPARK_PROXY);
+        rateLimits.setRateLimitData(depositKey, 10_000_000e18, uint256(1_000_000e18) / 4 hours);
+        vm.stopPrank();
 
-        // Have to warp to get back above rate limit
-        skip(1 minutes);
-        mainnetController.mintUSDS(1);
-        mainnetController.depositERC4626(address(susds), 1);
+        vm.startPrank(relayer);
+        mainnetController.mintUSDS(10_000_000e18);
+        mainnetController.depositERC4626(address(susds), 10_000_000e18);
 
         vm.expectRevert("RateLimits/rate-limit-exceeded");
         mainnetController.withdrawERC4626(address(susds), 5_000_000e18 + 1);
 
         mainnetController.withdrawERC4626(address(susds), 5_000_000e18);
+        vm.stopPrank();
     }
 
 }
@@ -292,14 +287,13 @@ contract MainnetControllerRedeemERC4626FailureTests is SUSDSTestBase {
     }
 
     function test_redeemERC4626_rateLimitBoundary() external {
-        vm.startPrank(relayer);
-        mainnetController.mintUSDS(5_000_000e18);
-        mainnetController.depositERC4626(address(susds), 5_000_000e18);
+        vm.startPrank(Ethereum.SPARK_PROXY);
+        rateLimits.setRateLimitData(depositKey, 10_000_000e18, uint256(1_000_000e18) / 4 hours);
+        vm.stopPrank();
 
-        // Have to warp to get back above rate limit
-        skip(10 minutes);
-        mainnetController.mintUSDS(100e18);
-        mainnetController.depositERC4626(address(susds), 100e18);
+        vm.startPrank(relayer);
+        mainnetController.mintUSDS(10_000_000e18);
+        mainnetController.depositERC4626(address(susds), 10_000_000e18);
 
         uint256 overBoundaryShares = susds.convertToShares(5_000_000e18 + 2);
         uint256 atBoundaryShares   = susds.convertToShares(5_000_000e18 + 1);  // Still rounds down
@@ -311,6 +305,7 @@ contract MainnetControllerRedeemERC4626FailureTests is SUSDSTestBase {
         mainnetController.redeemERC4626(address(susds), overBoundaryShares);
 
         mainnetController.redeemERC4626(address(susds), atBoundaryShares);
+        vm.stopPrank();
     }
 
 }