arcadia-finance · Thomas-Smets · Feb 29, 2024 · Feb 27, 2024
diff --git a/src/Factory.sol b/src/Factory.sol
@@ -80,8 +80,12 @@ contract Factory is IFactory, ERC721, FactoryGuardian {
      * @param creditor The contract address of the creditor.
      * @return account The contract address of the proxy contract of the newly deployed Account.
      * @dev If accountVersion == 0, the newest version will be used.
+     * @dev createAccount() uses the CREATE2 opcode, which can lead to address collision vulnerabilities,
+     * as described in: https://eips.ethereum.org/EIPS/eip-3607.
+     * To decrease the probability of finding an address collision, the number of possible account addresses is limited to 2**64.
+     * We use a salt with 64 bits, the 32 right most bits of the address of the tx.origin, and 32 bits provided by the user.
      */
-    function createAccount(uint256 salt, uint256 accountVersion, address creditor)
+    function createAccount(uint32 salt, uint256 accountVersion, address creditor)
         external
         whenCreateNotPaused
         returns (address account)
@@ -94,7 +98,8 @@ contract Factory is IFactory, ERC721, FactoryGuardian {
         // Hash tx.origin with the user provided salt to avoid front-running Account deployment with an identical salt.
         // We use tx.origin instead of msg.sender so that deployments through a third party contract are not vulnerable to front-running.
         account = address(
-            new Proxy{ salt: keccak256(abi.encodePacked(salt, tx.origin)) }(
+            // 64 bit salt: 32 bits from tx.origin and 32 bits provided by the user.
+            new Proxy{ salt: keccak256(abi.encodePacked(salt, uint32(uint160(tx.origin)))) }(
                 versionInformation[accountVersion].implementation
             )
         );

diff --git a/test/fuzz/Factory/CreateAccount.fuzz.t.sol b/test/fuzz/Factory/CreateAccount.fuzz.t.sol
@@ -25,7 +25,7 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
     /*//////////////////////////////////////////////////////////////
                               TESTS
     //////////////////////////////////////////////////////////////*/
-    function testFuzz_Revert_createAccount_Paused(uint256 salt, address sender) public {
+    function testFuzz_Revert_createAccount_Paused(uint32 salt, address sender) public {
         // When: guardian pauses the contract
         vm.warp(35 days);
         vm.prank(users.guardian);
@@ -43,7 +43,7 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
 
         vm.expectRevert(FactoryErrors.InvalidAccountVersion.selector);
         factory.createAccount(
-            uint256(keccak256(abi.encodePacked(accountVersion, block.timestamp))), accountVersion, address(0)
+            uint32(uint256(keccak256(abi.encodePacked(accountVersion, block.timestamp)))), accountVersion, address(0)
         );
     }
 
@@ -80,14 +80,14 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
             }
             vm.expectRevert(FactoryErrors.AccountVersionBlocked.selector);
             factory.createAccount(
-                uint256(keccak256(abi.encodePacked(versionsToBlock[z], block.timestamp))),
+                uint32(uint256(keccak256(abi.encodePacked(versionsToBlock[z], block.timestamp)))),
                 versionsToBlock[z],
                 address(0)
             );
         }
     }
 
-    function testFuzz_Success_createAccount_DeployAccountWithNoCreditor(uint256 salt) public {
+    function testFuzz_Success_createAccount_DeployAccountWithNoCreditor(uint32 salt) public {
         // We assume that salt > 0 as we already deployed an Account with all inputs to 0
         vm.assume(salt > 0);
         uint256 amountBefore = factory.allAccountsLength();
@@ -107,7 +107,7 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
         assertEq(AccountV1(actualDeployed).owner(), address(this));
     }
 
-    function testFuzz_Success_createAccount_DeployAccountWithCreditor(uint256 salt) public {
+    function testFuzz_Success_createAccount_DeployAccountWithCreditor(uint32 salt) public {
         // We assume that salt > 0 as we already deployed an Account with all inputs to 0
         vm.assume(salt > 0);
         uint256 amountBefore = factory.allAccountsLength();
@@ -128,7 +128,7 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
         assertEq(AccountV1(actualDeployed).creditor(), address(creditorStable1));
     }
 
-    function testFuzz_Success_createAccount_DeployNewProxyWithLogicOwner(uint256 salt, address sender) public {
+    function testFuzz_Success_createAccount_DeployNewProxyWithLogicOwner(uint32 salt, address sender) public {
         // We assume that salt > 0 as we already deployed an Account with all inputs to 0
         vm.assume(salt > 0);
         vm.assume(sender != address(0));
@@ -140,7 +140,7 @@ contract CreateAccount_Factory_Fuzz_Test is Factory_Fuzz_Test {
     }
 
     function testFuzz_Success_createAccount_CreationCannotBeFrontRunnedWithIdenticalSalt(
-        uint256 salt,
+        uint32 salt,
         address sender0,
         address sender1
     ) public {

diff --git a/test/fuzz/Factory/TransferFrom.fuzz.sol b/test/fuzz/Factory/TransferFrom.fuzz.sol
@@ -58,7 +58,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     //////////////////////////////////////////////////////////////*/
     function testFuzz_Revert_SFT1_InvalidRecipient(
         address newAccountOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -75,7 +75,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Revert_SFT1_CallerNotOwner(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -91,7 +91,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
 
     function testFuzz_Revert_SFT2_InvalidRecipient(
         address newAccountOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -109,7 +109,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Revert_SFT2_CallerNotOwner(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -126,7 +126,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
 
     function testFuzz_Revert_SFT3_InvalidRecipient(
         address newAccountOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -144,7 +144,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Revert_SFT3_CallerNotOwner(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -161,7 +161,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
 
     function testFuzz_Revert_TransferFrom_InvalidRecipient(
         address newAccountOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -179,7 +179,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Revert_TransferFrom_CallerNotOwner(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) {
@@ -197,7 +197,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Success_STF1(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) notTestContracts(nonOwner) {
@@ -213,7 +213,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Success_SFT2(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) notTestContracts(nonOwner) {
@@ -229,7 +229,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Success_SFT3(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) notTestContracts(nonOwner) {
@@ -246,7 +246,7 @@ contract TransferFrom_Factory_Fuzz_Test is Factory_Fuzz_Test {
     function testFuzz_Success_TransferFrom(
         address newAccountOwner,
         address nonOwner,
-        uint256 salt,
+        uint32 salt,
         uint32 lastActionTimestamp,
         uint32 timePassed
     ) public notAccountOwner(newAccountOwner) notTestContracts(nonOwner) {

diff --git a/test/invariant/handlers/FactoryHandler.sol b/test/invariant/handlers/FactoryHandler.sol
@@ -45,7 +45,7 @@ contract FactoryHandler is BaseHandler {
     /*//////////////////////////////////////////////////////////////////////////
                                     FUNCTIONS
     //////////////////////////////////////////////////////////////////////////*/
-    function createAccount(uint256 salt) public {
+    function createAccount(uint32 salt) public {
         address creditor = address(0);
         uint16 accountVersion = 0;
         factory.createAccount(salt, accountVersion, creditor);