Conform to wormhole governance standard

nik-suri · kcsongor · commit 9585ed2f3b8e · 2024-02-21T02:28:22.000+04:00
diff --git a/src/wormhole/Governance.sol b/src/wormhole/Governance.sol
@@ -2,10 +2,25 @@
 pragma solidity >=0.8.8 <0.9.0;
 
 import "wormhole-solidity-sdk/interfaces/IWormhole.sol";
+import "wormhole-solidity-sdk/libraries/BytesParsing.sol";
 
 contract Governance {
+    using BytesParsing for bytes;
+
+    // "GeneralPurposeGovernance" (left padded)
+    bytes32 public constant MODULE =
+        0x000000000000000047656E6572616C507572706F7365476F7665726E616E6365;
+
+    enum GovernanceAction {
+        UNDEFINED,
+        EVM_CALL
+    }
+
     IWormhole immutable wormhole;
 
+    error PayloadTooLong(uint256 size);
+    error InvalidModule(bytes32 module);
+    error InvalidAction(uint8 action);
     error InvalidGovernanceChainId(uint16 chainId);
     error InvalidGovernanceContract(bytes32 contractAddress);
     error GovernanceActionAlreadyConsumed(bytes32 digest);
@@ -27,8 +42,22 @@ contract Governance {
         }
     }
 
-    struct GovernanceMessage {
-        uint16 chainId;
+    /*
+    * @dev General purpose governance message to call arbitrary methods on a governed smart contract.
+    *      This message adheres to the Wormhole governance packet standard: https://github.com/wormhole-foundation/wormhole/blob/main/whitepapers/0002_governance_messaging.md
+    *      The wire format for this message is:
+    *      - module - 32 bytes
+    *      - action - 1 byte
+    *      - chain - 2 bytes
+    *      - governanceContract - 20 bytes
+    *      - governedContract - 20 bytes
+    *      - callDataLength - 2 bytes
+    *      - callData - `callDataLength` bytes
+    */
+    struct GeneralPurposeGovernanceMessage {
+        bytes32 module;
+        uint8 action;
+        uint16 chain;
         address governanceContract;
         address governedContract;
         bytes callData;
@@ -40,19 +69,28 @@ contract Governance {
 
     function performGovernance(bytes calldata vaa) external {
         IWormhole.VM memory verified = _verifyGovernanceVAA(vaa);
-        GovernanceMessage memory message = abi.decode(verified.payload, (GovernanceMessage));
+        GeneralPurposeGovernanceMessage memory message =
+            parseGeneralPurposeGovernanceMessage(verified.payload);
 
-        if (message.chainId != wormhole.chainId()) {
-            revert NotRecipientChain(message.chainId);
+        if (message.module != MODULE) {
+            revert InvalidModule(message.module);
         }
+
+        if (message.action != uint8(GovernanceAction.EVM_CALL)) {
+            revert InvalidAction(message.action);
+        }
+
+        if (message.chain != wormhole.chainId()) {
+            revert NotRecipientChain(message.chain);
+        }
+
         if (message.governanceContract != address(this)) {
             revert NotRecipientContract(message.governanceContract);
         }
-        bytes memory callData = message.callData;
 
         // TODO: any other checks? the call is trusted (signed by guardians),
         // but what's the worst that could happen to this contract?
-        (bool success, bytes memory returnData) = message.governedContract.call(callData);
+        (bool success, bytes memory returnData) = message.governedContract.call(message.callData);
         if (!success) {
             revert(string(returnData));
         }
@@ -89,4 +127,41 @@ contract Governance {
 
         return vm;
     }
+
+    function encodeGeneralPurposeGovernanceMessage(GeneralPurposeGovernanceMessage memory m)
+        public
+        pure
+        returns (bytes memory encoded)
+    {
+        if (m.callData.length > type(uint16).max) {
+            revert PayloadTooLong(m.callData.length);
+        }
+        uint16 callDataLength = uint16(m.callData.length);
+        return abi.encodePacked(
+            m.module,
+            m.action,
+            m.chain,
+            m.governanceContract,
+            m.governedContract,
+            callDataLength,
+            m.callData
+        );
+    }
+
+    function parseGeneralPurposeGovernanceMessage(bytes memory encoded)
+        public
+        pure
+        returns (GeneralPurposeGovernanceMessage memory message)
+    {
+        uint256 offset = 0;
+        (message.module, offset) = encoded.asBytes32Unchecked(offset);
+        (message.action, offset) = encoded.asUint8Unchecked(offset);
+        (message.chain, offset) = encoded.asUint16Unchecked(offset);
+        (message.governanceContract, offset) = encoded.asAddressUnchecked(offset);
+        (message.governedContract, offset) = encoded.asAddressUnchecked(offset);
+        uint256 callDataLength;
+        (callDataLength, offset) = encoded.asUint16Unchecked(offset);
+        (message.callData, offset) = encoded.sliceUnchecked(offset, callDataLength);
+        encoded.checkLength(offset);
+    }
 }
diff --git a/test/wormhole/Governance.t.sol b/test/wormhole/Governance.t.sol
@@ -7,11 +7,17 @@ import "openzeppelin-contracts/contracts/access/Ownable.sol";
 import "wormhole-solidity-sdk/testing/helpers/WormholeSimulator.sol";
 
 contract GovernedContract is Ownable {
+    error RandomError();
+
     bool public governanceStuffCalled;
 
     function governanceStuff() public onlyOwner {
         governanceStuffCalled = true;
     }
+
+    function governanceRevert() public view onlyOwner {
+        revert RandomError();
+    }
 }
 
 contract GovernanceTest is Test {
@@ -34,14 +40,22 @@ contract GovernanceTest is Test {
         myContract.transferOwnership(address(governance));
     }
 
-    function test_governance() public {
-        uint16 thisChain = wormhole.chainId();
-
-        Governance.GovernanceMessage memory message = Governance.GovernanceMessage({
-            chainId: thisChain,
-            governanceContract: address(governance),
-            governedContract: address(myContract),
-            callData: abi.encodeWithSignature("governanceStuff()")
+    function buildGovernanceVaa(
+        bytes32 module,
+        uint8 action,
+        uint16 chainId,
+        address governanceContract,
+        address governedContract,
+        bytes memory callData
+    ) public view returns (bytes memory) {
+        Governance.GeneralPurposeGovernanceMessage memory message = Governance
+            .GeneralPurposeGovernanceMessage({
+            module: module,
+            action: action,
+            chain: chainId,
+            governanceContract: governanceContract,
+            governedContract: governedContract,
+            callData: callData
         });
 
         IWormhole.VM memory vaa = IWormhole.VM({
@@ -52,13 +66,110 @@ contract GovernanceTest is Test {
             emitterAddress: wormhole.governanceContract(),
             sequence: 0,
             consistencyLevel: 200,
-            payload: abi.encode(message),
+            payload: governance.encodeGeneralPurposeGovernanceMessage(message),
             guardianSetIndex: 0,
             signatures: new IWormhole.Signature[](0),
             hash: bytes32("")
         });
 
-        bytes memory signed = guardian.encodeAndSignMessage(vaa);
+        return guardian.encodeAndSignMessage(vaa);
+    }
+
+    function test_invalidModule() public {
+        uint16 thisChain = wormhole.chainId();
+        bytes32 coreBridgeModule =
+            0x00000000000000000000000000000000000000000000000000000000436f7265;
+
+        bytes memory signed = buildGovernanceVaa(
+            coreBridgeModule,
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            thisChain,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("governanceStuff()")
+        );
+
+        vm.expectRevert(abi.encodeWithSignature("InvalidModule(bytes32)", coreBridgeModule));
+        governance.performGovernance(signed);
+    }
+
+    // TODO: this should ideally test all actions that != 1
+    function test_invalidAction() public {
+        uint16 thisChain = wormhole.chainId();
+
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.UNDEFINED),
+            thisChain,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("governanceStuff()")
+        );
+
+        vm.expectRevert(abi.encodeWithSignature("InvalidAction(uint8)", 0));
+        governance.performGovernance(signed);
+    }
+
+    // TODO: this should ideally test all chainIds that != wormhole.chainId()
+    function test_invalidChain() public {
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            0,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("governanceStuff()")
+        );
+
+        vm.expectRevert(abi.encodeWithSignature("NotRecipientChain(uint16)", 0));
+        governance.performGovernance(signed);
+    }
+
+    // TODO: this should ideally test lots of address possibilities
+    function test_invalidRecipientContract() public {
+        uint16 thisChain = wormhole.chainId();
+        address random = address(0x1234);
+
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            thisChain,
+            random,
+            address(myContract),
+            abi.encodeWithSignature("governanceStuff()")
+        );
+
+        vm.expectRevert(abi.encodeWithSignature("NotRecipientContract(address)", random));
+        governance.performGovernance(signed);
+    }
+
+    function test_governanceCallFailure() public {
+        uint16 thisChain = wormhole.chainId();
+
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            thisChain,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("governanceRevert()")
+        );
+
+        vm.expectRevert(abi.encodeWithSignature("RandomError()"));
+        governance.performGovernance(signed);
+    }
+
+    function test_governance() public {
+        uint16 thisChain = wormhole.chainId();
+
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            thisChain,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("governanceStuff()")
+        );
 
         governance.performGovernance(signed);
 
@@ -69,28 +180,14 @@ contract GovernanceTest is Test {
         address newOwner = address(0x1234);
         uint16 thisChain = wormhole.chainId();
 
-        Governance.GovernanceMessage memory message = Governance.GovernanceMessage({
-            chainId: thisChain,
-            governanceContract: address(governance),
-            governedContract: address(myContract),
-            callData: abi.encodeWithSignature("transferOwnership(address)", newOwner)
-        });
-
-        IWormhole.VM memory vaa = IWormhole.VM({
-            version: 1,
-            timestamp: uint32(block.timestamp),
-            nonce: 0,
-            emitterChainId: wormhole.governanceChainId(),
-            emitterAddress: wormhole.governanceContract(),
-            sequence: 0,
-            consistencyLevel: 200,
-            payload: abi.encode(message),
-            guardianSetIndex: 0,
-            signatures: new IWormhole.Signature[](0),
-            hash: bytes32("")
-        });
-
-        bytes memory signed = guardian.encodeAndSignMessage(vaa);
+        bytes memory signed = buildGovernanceVaa(
+            governance.MODULE(),
+            uint8(Governance.GovernanceAction.EVM_CALL),
+            thisChain,
+            address(governance),
+            address(myContract),
+            abi.encodeWithSignature("transferOwnership(address)", newOwner)
+        );
 
         governance.performGovernance(signed);
 
@@ -99,6 +196,4 @@ contract GovernanceTest is Test {
 
         assert(myContract.governanceStuffCalled());
     }
-
-    // TODO: tests triggering the error conditions
 }
