LL: Fix encoded redeemer message length (#139)

Co-authored-by: gator-boi <gator-boi@users.noreply.github.com>

Author: gator-boi

evm/forge/tests/MatchingEngine.t.sol

@@ -199,9 +199,7 @@ contract MatchingEngineTest is Test {
         MatchingEngine proxy =
             MatchingEngine(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 0, 40)
-        );
+        vm.expectRevert(abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 0, 40));
         proxy.initialize(new bytes(0));
     }
 
@@ -223,9 +221,7 @@ contract MatchingEngineTest is Test {
         MatchingEngine proxy =
             MatchingEngine(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 41, 40)
-        );
+        vm.expectRevert(abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 41, 40));
         proxy.initialize(abi.encodePacked(makeAddr("ownerAssistant"), FEE_RECIPIENT, uint8(69)));
     }
 
@@ -247,9 +243,7 @@ contract MatchingEngineTest is Test {
         MatchingEngine proxy =
             MatchingEngine(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("InvalidAddress()")
-        );
+        vm.expectRevert(abi.encodeWithSignature("InvalidAddress()"));
         proxy.initialize(abi.encodePacked(makeAddr("ownerAssistant"), address(0)));
     }
 
@@ -271,9 +265,7 @@ contract MatchingEngineTest is Test {
         MatchingEngine proxy =
             MatchingEngine(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("InvalidAddress()")
-        );
+        vm.expectRevert(abi.encodeWithSignature("InvalidAddress()"));
         proxy.initialize(abi.encodePacked(address(0), FEE_RECIPIENT));
     }
 

evm/forge/tests/TokenRouter.t.sol

@@ -172,9 +172,7 @@ contract TokenRouterTest is Test {
         );
         TokenRouter proxy = TokenRouter(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 0, 20)
-        );
+        vm.expectRevert(abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 0, 20));
         proxy.initialize(new bytes(0));
     }
 
@@ -193,9 +191,7 @@ contract TokenRouterTest is Test {
         );
         TokenRouter proxy = TokenRouter(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 40, 20)
-        );
+        vm.expectRevert(abi.encodeWithSignature("LengthMismatch(uint256,uint256)", 40, 20));
         proxy.initialize(abi.encodePacked(makeAddr("ownerAssistant"), makeAddr("hole")));
     }
 
@@ -214,9 +210,7 @@ contract TokenRouterTest is Test {
         );
         TokenRouter proxy = TokenRouter(address(new ERC1967Proxy(address(implementation), "")));
 
-        vm.expectRevert(
-            abi.encodeWithSignature("InvalidAddress()")
-        );
+        vm.expectRevert(abi.encodeWithSignature("InvalidAddress()"));
         proxy.initialize(abi.encodePacked(address(0)));
     }
 
@@ -917,6 +911,30 @@ contract TokenRouterTest is Test {
         );
     }
 
+    function testCannotPlaceMarketOrderPayloadTooLarge() public {
+        bytes memory encoded;
+
+        for (uint256 i = 0; i < 501; i++) {
+            encoded = abi.encodePacked(encoded, hex"01");
+        }
+
+        vm.expectRevert(
+            abi.encodeWithSignature(
+                "MaxPayloadSizeExceeded(uint256,uint256)",
+                encoded.length,
+                router.getMaxPayloadSize()
+            )
+        );
+        router.placeMarketOrder(
+            10, // amountIn.
+            0, // minAmountOut
+            2, // targetChain
+            TEST_REDEEMER,
+            encoded, // redeemerMessage
+            address(this) // refundAddress
+        );
+    } 
+
     function testCannotPlaceMarketOrderErrUnsupportedChain() public {
         uint64 amountIn = 69;
         uint16 targetChain = 2;
@@ -1136,6 +1154,35 @@ contract TokenRouterTest is Test {
         );
     }
 
+    function testCannotPlaceFastMarketOrderPayloadTooLarge() public {
+        bytes memory encoded;
+
+        for (uint256 i = 0; i < 501; i++) {
+            encoded = abi.encodePacked(encoded, hex"01");
+        }
+
+        bytes memory encodedSignature = abi.encodeWithSignature(
+            "placeFastMarketOrder(uint64,uint64,uint16,bytes32,bytes,address,uint64,uint32)",
+            6900000, // amountIn.
+            0, // minAmountOut
+            ARB_CHAIN, // targetChain
+            TEST_REDEEMER,
+            encoded,
+            address(this), // refundAddress.
+            router.getMinFee() + 1,
+            0 // deadline
+        );
+        expectRevert(
+            address(router),
+            encodedSignature,
+            abi.encodeWithSignature(
+                "MaxPayloadSizeExceeded(uint256,uint256)",
+                encoded.length,
+                router.getMaxPayloadSize()
+            )
+        );
+    }
+
     function testCannotPlaceFastMarketOrderErrInvalidRedeemerAddress() public {
         bytes memory encodedSignature = abi.encodeWithSignature(
             "placeFastMarketOrder(uint64,uint64,uint16,bytes32,bytes,address,uint64,uint32)",

evm/src/MatchingEngine/MatchingEngine.sol

@@ -69,7 +69,11 @@ contract MatchingEngine is MatchingEngineFastOrders, MatchingEngineAdmin {
 
     function _migrate() internal override {}
 
-    function _parseInitData(bytes memory initData) internal pure returns (address ownerAssistant, address feeRecipient) {
+    function _parseInitData(bytes memory initData)
+        internal
+        pure
+        returns (address ownerAssistant, address feeRecipient)
+    {
         uint256 offset = 0;
 
         (ownerAssistant, offset) = initData.asAddressUnchecked(offset);

evm/src/MatchingEngine/assets/Errors.sol

@@ -44,4 +44,4 @@ error ErrDeadlineExceeded();
 
 error ErrCallerNotDeployer(address deployer, address caller);
 
-error InvalidInitDataLength(uint256 actual, uint256 expected);
+error InvalidInitDataLength(uint256 actual, uint256 expected);

evm/src/TokenRouter/assets/Errors.sol

@@ -44,4 +44,6 @@ error ErrInvalidMaxFee(uint64 maxFee, uint64 minimumReuiredFee);
 
 error ErrCallerNotDeployer(address deployer, address caller);
 
-error InvalidInitDataLength(uint256 actual, uint256 expected);
+error InvalidInitDataLength(uint256 actual, uint256 expected);
+
+error MaxPayloadSizeExceeded(uint256 actualSize, uint256 maxSize);

evm/src/TokenRouter/assets/PlaceMarketOrder.sol

@@ -116,6 +116,10 @@ abstract contract PlaceMarketOrder is IPlaceMarketOrder, Admin, State {
             revert ErrInsufficientAmount(0, 0);
         }
 
+        if (redeemerMessage.length > MAX_REDEEMER_PAYLOAD_SIZE) {
+            revert MaxPayloadSizeExceeded(redeemerMessage.length, MAX_REDEEMER_PAYLOAD_SIZE);
+        }
+
         Endpoint memory endpoint = _verifyTarget(targetChain, redeemer);
 
         SafeERC20.safeTransferFrom(_orderToken, msg.sender, address(this), amountIn);
@@ -153,6 +157,10 @@ abstract contract PlaceMarketOrder is IPlaceMarketOrder, Admin, State {
             revert ErrFastTransferNotSupported();
         }
 
+        if (redeemerMessage.length > MAX_REDEEMER_PAYLOAD_SIZE) {
+            revert MaxPayloadSizeExceeded(redeemerMessage.length, MAX_REDEEMER_PAYLOAD_SIZE);
+        }
+
         // Verify the `amountIn` and specified auction price.
         FastTransferParameters memory fastParams = getFastTransferParametersState();
 

evm/src/TokenRouter/assets/State.sol

@@ -34,6 +34,9 @@ abstract contract State is ITokenRouterState, WormholeCctpTokenMessenger {
     uint24 constant MAX_BPS_FEE = 1000000; // 10,000.00 bps (100%)
     uint64 constant MIN_FAST_TRANSFER_AMOUNT = 100000000; // $100
 
+    // Maximum redeemer payload size.
+    uint256 constant MAX_REDEEMER_PAYLOAD_SIZE = 500;
+
     constructor(
         address token_,
         address wormhole_,
@@ -155,4 +158,9 @@ abstract contract State is ITokenRouterState, WormholeCctpTokenMessenger {
     function getMaxFastTransferAmount() external view returns (uint64) {
         return getFastTransferParametersState().maxAmount;
     }
+
+    /// @inheritdoc ITokenRouterState
+    function getMaxPayloadSize() external pure returns (uint256) {
+        return MAX_REDEEMER_PAYLOAD_SIZE;
+    }
 }

evm/src/interfaces/ITokenRouterState.sol

@@ -114,4 +114,9 @@ interface ITokenRouterState {
      * is only paid in the a fast transfer auction does not occur.
      */
     function getBaseFee() external view returns (uint64);
+
+    /**
+     * @notice Returns the maximum payload size for the redeemer message.
+     */
+    function getMaxPayloadSize() external pure returns (uint256);
 }

evm/src/shared/Messages.sol

@@ -57,7 +57,7 @@ library Messages {
             fill.sourceChain,
             fill.orderSender,
             fill.redeemer,
-            _encodeBytes(fill.redeemerMessage)
+            _encodeRedeemerMessage(fill.redeemerMessage)
         );
     }
 
@@ -67,7 +67,7 @@ library Messages {
         (fill.sourceChain, offset) = encoded.asUint16Unchecked(offset);
         (fill.orderSender, offset) = encoded.asBytes32Unchecked(offset);
         (fill.redeemer, offset) = encoded.asBytes32Unchecked(offset);
-        (fill.redeemerMessage, offset) = _decodeBytes(encoded, offset);
+        (fill.redeemerMessage, offset) = _decodeRedeemerMessage(encoded, offset);
 
         _checkLength(encoded, offset);
     }
@@ -84,7 +84,7 @@ library Messages {
             order.maxFee,
             order.initAuctionFee,
             order.deadline,
-            _encodeBytes(order.redeemerMessage)
+            _encodeRedeemerMessage(order.redeemerMessage)
         );
     }
 
@@ -105,7 +105,7 @@ library Messages {
         (order.maxFee, offset) = encoded.asUint64Unchecked(offset);
         (order.initAuctionFee, offset) = encoded.asUint64Unchecked(offset);
         (order.deadline, offset) = encoded.asUint32Unchecked(offset);
-        (order.redeemerMessage, offset) = _decodeBytes(encoded, offset);
+        (order.redeemerMessage, offset) = _decodeRedeemerMessage(encoded, offset);
 
         _checkLength(encoded, offset);
     }
@@ -117,7 +117,7 @@ library Messages {
             fastFill.fill.sourceChain,
             fastFill.fill.orderSender,
             fastFill.fill.redeemer,
-            _encodeBytes(fastFill.fill.redeemerMessage)
+            _encodeRedeemerMessage(fastFill.fill.redeemerMessage)
         );
     }
 
@@ -133,7 +133,7 @@ library Messages {
         (fastFill.fill.sourceChain, offset) = encoded.asUint16Unchecked(offset);
         (fastFill.fill.orderSender, offset) = encoded.asBytes32Unchecked(offset);
         (fastFill.fill.redeemer, offset) = encoded.asBytes32Unchecked(offset);
-        (fastFill.fill.redeemerMessage, offset) = _decodeBytes(encoded, offset);
+        (fastFill.fill.redeemerMessage, offset) = _decodeRedeemerMessage(encoded, offset);
 
         _checkLength(encoded, offset);
     }
@@ -161,20 +161,22 @@ library Messages {
 
     // ---------------------------------------- private -------------------------------------------
 
-    function _decodeBytes(bytes memory encoded, uint256 startOffset)
+    function _decodeRedeemerMessage(bytes memory encoded, uint256 startOffset)
         private
         pure
         returns (bytes memory payload, uint256 offset)
     {
-        uint32 payloadLength;
-        (payloadLength, offset) = encoded.asUint32Unchecked(startOffset);
+        uint16 payloadLength;
+        (payloadLength, offset) = encoded.asUint16Unchecked(startOffset);
         (payload, offset) = encoded.sliceUnchecked(offset, payloadLength);
     }
 
-    function _encodeBytes(bytes memory payload) private pure returns (bytes memory encoded) {
-        // Casting payload.length to uint32 is safe because you'll be hard-pressed
-        // to allocate 4 GB of EVM memory in a single transaction.
-        encoded = abi.encodePacked(uint32(payload.length), payload);
+    function _encodeRedeemerMessage(bytes memory payload)
+        private
+        pure
+        returns (bytes memory encoded)
+    {
+        encoded = abi.encodePacked(uint16(payload.length), payload);
     }
 
     function _checkLength(bytes memory encoded, uint256 expected) private pure {

evm/ts/src/messages.ts

@@ -166,8 +166,8 @@ export class Fill {
         const sourceChain = buf.readUInt16BE(0);
         const orderSender = buf.subarray(2, 34);
         const redeemer = buf.subarray(34, 66);
-        const redeemerMsgLen = buf.readUInt32BE(66);
-        const redeemerMessage = buf.subarray(70, 70 + redeemerMsgLen);
+        const redeemerMsgLen = buf.readUInt16BE(66);
+        const redeemerMessage = buf.subarray(68, 68 + redeemerMsgLen);
 
         return new Fill(sourceChain, orderSender, redeemer, redeemerMessage);
     }
@@ -205,9 +205,8 @@ export class FastFill {
         const sourceChain = buf.readUInt16BE(8);
         const orderSender = buf.subarray(10, 42);
         const redeemer = buf.subarray(42, 74);
-        const redeemerMsgLen = buf.readUInt32BE(74);
-        const endMessage = 70 + redeemerMsgLen;
-        const redeemerMessage = buf.subarray(78, endMessage);
+        const redeemerMsgLen = buf.readUInt16BE(74);
+        const redeemerMessage = buf.subarray(76, 76 + redeemerMsgLen);
 
         return new FastFill(sourceChain, orderSender, redeemer, redeemerMessage, fillAmount);
     }
@@ -265,8 +264,8 @@ export class FastMarketOrder {
         const maxFee = buf.readBigUInt64BE(114);
         const initAuctionFee = buf.readBigUInt64BE(122);
         const deadline = buf.readUInt32BE(130);
-        const redeemerMsgLen = buf.readUInt32BE(134);
-        const redeemerMessage = buf.subarray(134, 134 + redeemerMsgLen);
+        const redeemerMsgLen = buf.readUInt16BE(134);
+        const redeemerMessage = buf.subarray(136, 136 + redeemerMsgLen);
         return new FastMarketOrder(
             amountIn,
             minAmountOut,

solana/programs/matching-engine/src/events/auction_updated.rs

@@ -9,7 +9,7 @@ pub struct AuctionUpdated {
     pub vaa: Option<Pubkey>,
     pub source_chain: u16,
     pub target_protocol: MessageProtocol,
-    pub redeemer_message_len: u32,
+    pub redeemer_message_len: u16,
 
     pub end_slot: u64,
     pub best_offer_token: Pubkey,

solana/programs/matching-engine/src/processor/auction/execute_fast_order/local.rs

@@ -62,8 +62,7 @@ pub struct ExecuteFastOrderLocal<'info> {
                 .unwrap()
                 .to_fast_market_order_unchecked();
 
-            // It is safe to convert u32 to usize here.
-            order.redeemer_message_len().try_into().unwrap()
+            order.redeemer_message_len().into()
         })
         .ok_or(MatchingEngineError::FastFillTooLarge)?,
         seeds = [

solana/programs/matching-engine/src/processor/auction/prepare_order_response/cctp.rs

@@ -74,8 +74,7 @@ pub struct PrepareOrderResponseCctp<'info> {
                 .fast_market_order()
                 .ok_or(MatchingEngineError::InvalidPayloadId)?;
 
-            // This is safe to unwrap because the length will not exceed u32.
-            order.redeemer_message_len().try_into().unwrap()
+            order.redeemer_message_len().into()
         }),
         seeds = [
             PreparedOrderResponse::SEED_PREFIX,

solana/programs/matching-engine/src/state/auction.rs

@@ -82,7 +82,7 @@ pub struct AuctionInfo {
     pub offer_price: u64,
 
     /// Length of the redeemer message, which may impact the expense to execute the auction.
-    pub redeemer_message_len: u32,
+    pub redeemer_message_len: u16,
 
     /// If the destination asset is not equal to the asset used for auctions, this will be some
     /// value specifying its custody token bump and amount out.

solana/programs/token-router/src/lib.rs

@@ -28,6 +28,7 @@ cfg_if::cfg_if! {
 }
 
 const PREPARED_CUSTODY_TOKEN_SEED_PREFIX: &[u8] = b"prepared-custody";
+const MAX_REDEEMER_MESSAGE_SIZE: usize = 500;
 
 #[program]
 pub mod token_router {