Add review comments

ilikesymmetry · ilikesymmetry · commit c0edec2317fb · 2025-01-30T10:29:29.000-08:00
diff --git a/src/EIP7702Proxy.sol b/src/EIP7702Proxy.sol
@@ -1,88 +1,90 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.0;
 
+/// @review does Solady v0.1 have something equivalent offerings for these depedencies? would be nice to use what we recently paid to audit and would probably also be optimized
 import {Proxy} from "openzeppelin-contracts/contracts/proxy/Proxy.sol";
 import {ERC1967Utils} from "openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Utils.sol";
 import {ECDSA} from "openzeppelin-contracts/contracts/utils/cryptography/ECDSA.sol";
 import {Address} from "openzeppelin-contracts/contracts/utils/Address.sol";
 
 /// @title EIP7702Proxy
-/// @notice Proxy contract designed for EIP-7702 smart accounts
-/// @dev Implements ERC-1967 with an initial implementation and guarded initialization
+/// @notice Proxy contract designed for EIP-7702 smart accounts.
+/// @dev Implements ERC-1967 with an initial implementation and guarded initialization.
+/// @author Coinbase (https://github.com/base-org/eip-7702-proxy).
 contract EIP7702Proxy is Proxy {
-    // ERC1271 interface constants
+    /// @notice ERC1271 interface constants
     bytes4 internal constant ERC1271_MAGIC_VALUE = 0x1626ba7e;
-    bytes4 internal constant ERC1271_ISVALIDSIGNATURE_SELECTOR = 0x1626ba7e;
     bytes4 internal constant ERC1271_FAIL_VALUE = 0xffffffff;
 
     /// @notice Address of this proxy contract (stored as immutable)
     address immutable proxy;
+
     /// @notice Initial implementation address set during construction
     address immutable initialImplementation;
+
     /// @notice Function selector on the implementation that is guarded from direct calls
     bytes4 immutable guardedInitializer;
 
+    /// @review natspec
     event Upgraded(address indexed implementation);
 
+    /// @review natspec
     error InvalidSignature();
+
+    /// @review natspec
     error InvalidInitializer();
+
+    /// @review natspec
     error InvalidImplementation();
 
+    /// @review natspec
     constructor(address implementation, bytes4 initializer) {
         proxy = address(this);
         initialImplementation = implementation;
+        /// @review what happens if `initializer` is one of the selectors we define in this contract?
         guardedInitializer = initializer;
     }
 
     /// @notice Initializes the proxy and implementation with a signed payload
+    ///
     /// @param args The initialization arguments for the implementation
     /// @param signature The signature authorizing initialization
+    ///
     /// @dev Signature must be from this contract's address
-    function initialize(
-        bytes calldata args,
-        bytes calldata signature
-    ) external {
+    function initialize(bytes calldata args, bytes calldata signature) external {
         // construct hash incompatible with wallet RPCs to avoid phishing
         bytes32 hash = keccak256(abi.encode(proxy, args));
         address recovered = ECDSA.recover(hash, signature);
         if (recovered != address(this)) revert InvalidSignature();
 
         // enforce initialization only on initial implementation
         address implementation = _implementation();
-        if (implementation != initialImplementation)
-            revert InvalidImplementation();
+        if (implementation != initialImplementation) revert InvalidImplementation();
 
         // Set the ERC-1967 implementation slot and emit Upgraded event
         ERC1967Utils.upgradeToAndCall(initialImplementation, "");
-
-        Address.functionDelegateCall(
-            initialImplementation,
-            abi.encodePacked(guardedInitializer, args)
-        );
+        /// @review we can just put the initializer calldata into the second arg of `upgradeToAndCall` above correct?
+        Address.functionDelegateCall(initialImplementation, abi.encodePacked(guardedInitializer, args));
     }
 
+    /// @review let's use consistent comment format `///`, wdyt?
     /**
      * @notice Handles ERC-1271 signature validation by enforcing a final ecrecover check if signatures fail `isValidSignature` check
+     *
      * @dev This ensures EOA signatures are considered valid regardless of the implementation's `isValidSignature` implementation
+     *
      * @param hash The hash of the message being signed
      * @param signature The signature of the message
+     *
      * @return The result of the `isValidSignature` check
      */
-    function isValidSignature(
-        bytes32 hash,
-        bytes calldata signature
-    ) external returns (bytes4) {
+    function isValidSignature(bytes32 hash, bytes calldata signature) external returns (bytes4) {
         // First try delegatecall to implementation
-        (bool success, bytes memory result) = _implementation().delegatecall(
-            msg.data
-        );
+        (bool success, bytes memory result) = _implementation().delegatecall(msg.data);
 
         // If delegatecall succeeded and returned magic value, return that
-        if (
-            success &&
-            result.length == 32 &&
-            abi.decode(result, (bytes4)) == ERC1271_MAGIC_VALUE
-        ) {
+        if (success && result.length == 32 && abi.decode(result, (bytes4)) == ERC1271_MAGIC_VALUE) {
+            /// @review this selective use of assembly reads kind of funny lol, how much gas are we saving here?
             assembly {
                 mstore(0, ERC1271_MAGIC_VALUE)
                 return(0, 32)
@@ -107,13 +109,11 @@ contract EIP7702Proxy is Proxy {
         }
     }
 
+    /// @review Do we need to override this now that we are setting the implementation at initialization?
     /// @inheritdoc Proxy
     function _implementation() internal view override returns (address) {
         address implementation = ERC1967Utils.getImplementation();
-        return
-            implementation != address(0)
-                ? implementation
-                : initialImplementation;
+        return implementation != address(0) ? implementation : initialImplementation;
     }
 
     /// @inheritdoc Proxy
@@ -123,6 +123,7 @@ contract EIP7702Proxy is Proxy {
         // block guarded initializer from being called
         if (msg.sig == guardedInitializer) revert InvalidInitializer();
 
+        /// @review should we prevent all delegate calls if the implementation is not yet initialized? Feels like a good default protection
         _delegate(_implementation());
     }
 }
diff --git a/test/EIP7702Proxy/delegate.t.sol b/test/EIP7702Proxy/delegate.t.sol
@@ -5,39 +5,42 @@ import {EIP7702ProxyBase} from "../base/EIP7702ProxyBase.sol";
 import {EIP7702Proxy} from "../../src/EIP7702Proxy.sol";
 import {CoinbaseSmartWallet} from "../../lib/smart-wallet/src/CoinbaseSmartWallet.sol";
 
+/// @review In general I think we should split our tests here between implementation-agnostic invariants the proxy maintains and separate integration tests specific to CoinbaseSmartWallet
 contract DelegateTest is EIP7702ProxyBase {
     function setUp() public override {
         super.setUp();
-        
+
         // Initialize the proxy for delegation tests
         bytes memory initArgs = _createInitArgs(_newOwner);
         bytes memory signature = _signInitData(_EOA_PRIVATE_KEY, initArgs);
         vm.prank(_eoa);
         EIP7702Proxy(_eoa).initialize(initArgs, signature);
     }
 
+    /// @review prefer fuzzing where possible
     function testBlocksGuardedInitializer() public {
-        bytes memory initData = abi.encodeWithSelector(
-            CoinbaseSmartWallet.initialize.selector,
-            _createInitArgs(_newOwner)
-        );
+        bytes memory initData =
+            abi.encodeWithSelector(CoinbaseSmartWallet.initialize.selector, _createInitArgs(_newOwner));
 
         vm.expectRevert(EIP7702Proxy.InvalidInitializer.selector);
         address(_eoa).call(initData);
     }
 
+    /// @review add test for non-binary return data, e.g. ownerAtIndex
+    /// @review add test for if read fails, then delegate fails
+    /// @review add test for if implementation slot is empty
     function testDelegatesReadCall() public {
-        assertTrue(
-            CoinbaseSmartWallet(payable(_eoa)).isOwnerAddress(_newOwner),
-            "Delegated read call should succeed"
-        );
+        assertTrue(CoinbaseSmartWallet(payable(_eoa)).isOwnerAddress(_newOwner), "Delegated read call should succeed");
     }
 
+    /// @review prefer fuzzing where possible
+    /// @review add test for if write fails, then delegate fails
+    /// @review add test for if implementation slot is empty
     function testDelegatesWriteCall() public {
         // Test a state-changing call
         address recipient = address(0xBEEF);
         uint256 amount = 1 ether;
-        
+
         // Fund the proxy
         vm.deal(address(_eoa), amount);
 
@@ -48,10 +51,6 @@ contract DelegateTest is EIP7702ProxyBase {
             "" // empty calldata for simple transfer
         );
 
-        assertEq(
-            recipient.balance,
-            amount,
-            "Delegated write call should transfer ETH"
-        );
+        assertEq(recipient.balance, amount, "Delegated write call should transfer ETH");
     }
-} 
+}
diff --git a/test/EIP7702Proxy/initialize.t.sol b/test/EIP7702Proxy/initialize.t.sol
@@ -7,7 +7,11 @@ import {CoinbaseSmartWallet} from "../../lib/smart-wallet/src/CoinbaseSmartWalle
 import {ECDSA} from "openzeppelin-contracts/contracts/utils/cryptography/ECDSA.sol";
 import {ERC1967Utils} from "openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Utils.sol";
 
+/// @review In general I think we should split our tests here between implementation-agnostic invariants the proxy maintains and separate integration tests specific to CoinbaseSmartWallet
 contract InitializeTest is EIP7702ProxyBase {
+    /// @review style should be snake_case, e.g. test_success_validSignature
+    /// @review prefer fuzzing where possible
+    /// @review add test where fails because initializer delegatecall fails
     function testSucceedsWithValidSignature() public {
         bytes memory initArgs = _createInitArgs(_newOwner);
         bytes memory signature = _signInitData(_EOA_PRIVATE_KEY, initArgs);
@@ -16,12 +20,10 @@ contract InitializeTest is EIP7702ProxyBase {
 
         // Verify initialization through implementation at the EOA's address
         CoinbaseSmartWallet wallet = CoinbaseSmartWallet(payable(_eoa));
-        assertTrue(
-            wallet.isOwnerAddress(_newOwner),
-            "New owner should be owner after initialization"
-        );
+        assertTrue(wallet.isOwnerAddress(_newOwner), "New owner should be owner after initialization");
     }
 
+    /// @review style should be snake_case
     function testRevertsWithInvalidSignature() public {
         bytes memory initArgs = _createInitArgs(_newOwner);
         bytes memory signature = hex"deadbeef"; // Invalid signature
@@ -30,6 +32,8 @@ contract InitializeTest is EIP7702ProxyBase {
         EIP7702Proxy(_eoa).initialize(initArgs, signature);
     }
 
+    /// @review prefer fuzzing where possible
+    /// @review add more tests like this for replay protection cases (same sig, different proxy or args)
     function testRevertsWithWrongSigner() public {
         // Create signature with different private key
         uint256 wrongPk = 0xC0FFEE; // Using a different key than either EOA or new owner
@@ -43,6 +47,8 @@ contract InitializeTest is EIP7702ProxyBase {
         EIP7702Proxy(_eoa).initialize(initArgs, signature);
     }
 
+    /// @review prefer fuzzing where possible
+    /// @review this is specific to the implementation, would prefer to segment into an integration test suite with CoinbaseSmartWallet
     function testCanOnlyBeCalledOnce() public {
         bytes memory initArgs = _createInitArgs(_newOwner);
         bytes memory signature = _signInitData(_EOA_PRIVATE_KEY, initArgs);
@@ -54,6 +60,10 @@ contract InitializeTest is EIP7702ProxyBase {
         EIP7702Proxy(_eoa).initialize(initArgs, signature);
     }
 
+    /// @review prefer fuzzing where possible
+    /// @review think we should have a test that mocks users having the 1967 slot already set to another implementation.
+    ///         For example they delegate to something metamask sets up and then move over the CBSW. How does our contract behave in these scenarios?
+    /// @review add test for if implementation slot has been changed to non-original value
     function testSetsERC1967ImplementationSlot() public {
         bytes memory initArgs = _createInitArgs(_newOwner);
         bytes memory signature = _signInitData(_EOA_PRIVATE_KEY, initArgs);
@@ -62,9 +72,7 @@ contract InitializeTest is EIP7702ProxyBase {
 
         address storedImpl = _getERC1967Implementation(address(_eoa));
         assertEq(
-            storedImpl,
-            address(_implementation),
-            "ERC1967 implementation slot should store implementation address"
+            storedImpl, address(_implementation), "ERC1967 implementation slot should store implementation address"
         );
     }
 
diff --git a/test/EIP7702Proxy/isValidSignature.t.sol b/test/EIP7702Proxy/isValidSignature.t.sol
@@ -6,6 +6,7 @@ import {EIP7702Proxy} from "../../src/EIP7702Proxy.sol";
 import {CoinbaseSmartWallet} from "../../lib/smart-wallet/src/CoinbaseSmartWallet.sol";
 import {ECDSA} from "openzeppelin-contracts/contracts/utils/cryptography/ECDSA.sol";
 
+/// @review In general I think we should split our tests here between implementation-agnostic invariants the proxy maintains and separate integration tests specific to CoinbaseSmartWallet
 contract IsValidSignatureTest is EIP7702ProxyBase {
     bytes4 constant ERC1271_MAGIC_VALUE = 0x1626ba7e;
     bytes4 constant ERC1271_FAIL_VALUE = 0xffffffff;
@@ -26,17 +27,13 @@ contract IsValidSignatureTest is EIP7702ProxyBase {
         testHash = keccak256("test message");
 
         // Verify owner was set correctly
-        assertTrue(
-            wallet.isOwnerAddress(_newOwner),
-            "New owner should be set after initialization"
-        );
-        assertEq(
-            wallet.ownerAtIndex(0),
-            abi.encode(_newOwner),
-            "Owner at index 0 should be new owner"
-        );
+        assertTrue(wallet.isOwnerAddress(_newOwner), "New owner should be set after initialization");
+        assertEq(wallet.ownerAtIndex(0), abi.encode(_newOwner), "Owner at index 0 should be new owner");
     }
 
+    /// @review add test for calling on uninitialized contract
+    /// @review add test if delegatecall reverts then bubbles up revert data
+
     function testValidContractOwnerSignature() public {
         // Create signature from contract owner
         bytes memory signature = _createOwnerSignature(
@@ -47,11 +44,7 @@ contract IsValidSignatureTest is EIP7702ProxyBase {
         );
 
         bytes4 result = wallet.isValidSignature(testHash, signature);
-        assertEq(
-            result,
-            ERC1271_MAGIC_VALUE,
-            "Should accept valid contract owner signature"
-        );
+        assertEq(result, ERC1271_MAGIC_VALUE, "Should accept valid contract owner signature");
     }
 
     function testValidEOASignature() public {
@@ -60,11 +53,7 @@ contract IsValidSignatureTest is EIP7702ProxyBase {
         bytes memory signature = abi.encodePacked(r, s, v);
 
         bytes4 result = wallet.isValidSignature(testHash, signature);
-        assertEq(
-            result,
-            ERC1271_MAGIC_VALUE,
-            "Should accept valid EOA signature"
-        );
+        assertEq(result, ERC1271_MAGIC_VALUE, "Should accept valid EOA signature");
     }
 
     function testInvalidEOASignature() public {
@@ -74,39 +63,22 @@ contract IsValidSignatureTest is EIP7702ProxyBase {
         bytes memory signature = abi.encodePacked(r, s, v);
 
         bytes4 result = wallet.isValidSignature(testHash, signature);
-        assertEq(
-            result,
-            ERC1271_FAIL_VALUE,
-            "Should reject invalid EOA signature"
-        );
+        assertEq(result, ERC1271_FAIL_VALUE, "Should reject invalid EOA signature");
     }
 
     function testInvalidOwnerSignature() public {
         // Create a valid format signature but with wrong signer
         uint256 wrongPk = 0xBADBAD; // Different from both EOA and new owner (0xB0B)
-        bytes memory signature = _createOwnerSignature(
-            testHash,
-            address(wallet),
-            wrongPk,
-            0
-        );
+        bytes memory signature = _createOwnerSignature(testHash, address(wallet), wrongPk, 0);
 
         bytes4 result = wallet.isValidSignature(testHash, signature);
-        assertEq(
-            result,
-            ERC1271_FAIL_VALUE,
-            "Should reject signature from non-owner"
-        );
+        assertEq(result, ERC1271_FAIL_VALUE, "Should reject signature from non-owner");
     }
 
     function testEmptySignature() public {
         bytes memory emptySignature = "";
 
         bytes4 result = wallet.isValidSignature(testHash, emptySignature);
-        assertEq(
-            result,
-            ERC1271_FAIL_VALUE,
-            "Should reject empty signature"
-        );
+        assertEq(result, ERC1271_FAIL_VALUE, "Should reject empty signature");
     }
 }
