fix: prevent key collision on KeyValueList add() (#901)

Author: Kogaroshi

snapshots/Spoke.Getters.json

@@ -1,7 +1,7 @@
 {
   "getUserAccountData: supplies: 0, borrows: 0": "12164",
-  "getUserAccountData: supplies: 1, borrows: 0": "47260",
-  "getUserAccountData: supplies: 2, borrows: 0": "77471",
-  "getUserAccountData: supplies: 2, borrows: 1": "98212",
-  "getUserAccountData: supplies: 2, borrows: 2": "117607"
+  "getUserAccountData: supplies: 1, borrows: 0": "47254",
+  "getUserAccountData: supplies: 2, borrows: 0": "77459",
+  "getUserAccountData: supplies: 2, borrows: 1": "98200",
+  "getUserAccountData: supplies: 2, borrows: 2": "117595"
 }

snapshots/Spoke.Operations.ZeroRiskPremium.json

@@ -1,13 +1,13 @@
 {
-  "borrow: first": "199038",
-  "borrow: second action, same reserve": "179559",
-  "liquidationCall: full": "291027",
-  "liquidationCall: partial": "315121",
-  "permitReserve + repay (multicall)": "235806",
+  "borrow: first": "199032",
+  "borrow: second action, same reserve": "179553",
+  "liquidationCall: full": "291015",
+  "liquidationCall: partial": "315109",
+  "permitReserve + repay (multicall)": "235800",
   "permitReserve + supply (multicall)": "141050",
   "permitReserve + supply + enable collateral (multicall)": "176287",
-  "repay: full": "151770",
-  "repay: partial": "176233",
+  "repay: full": "151764",
+  "repay: partial": "176227",
   "setUserPositionManagerWithSig: disable": "44918",
   "setUserPositionManagerWithSig: enable": "68947",
   "supply + enable collateral (multicall)": "154229",
@@ -17,16 +17,16 @@
   "supply: second action, same reserve": "103081",
   "updateUserDynamicConfig: 1 collateral": "73761",
   "updateUserDynamicConfig: 2 collaterals": "88621",
-  "updateUserRiskPremium: 1 borrow": "95282",
-  "updateUserRiskPremium: 2 borrows": "111374",
+  "updateUserRiskPremium: 1 borrow": "95276",
+  "updateUserRiskPremium: 2 borrows": "111368",
   "usingAsCollateral: 0 borrows, enable": "58976",
-  "usingAsCollateral: 1 borrow, disable": "105529",
+  "usingAsCollateral: 1 borrow, disable": "105523",
   "usingAsCollateral: 1 borrow, enable": "32298",
-  "usingAsCollateral: 2 borrows, disable": "127994",
+  "usingAsCollateral: 2 borrows, disable": "127988",
   "usingAsCollateral: 2 borrows, enable": "41876",
   "withdraw: 0 borrows, full": "127742",
-  "withdraw: 0 borrows, partial": "132789",
-  "withdraw: 1 borrow, partial": "161771",
-  "withdraw: 2 borrows, partial": "184224",
+  "withdraw: 0 borrows, partial": "132783",
+  "withdraw: 1 borrow, partial": "161765",
+  "withdraw: 2 borrows, partial": "184218",
   "withdraw: non collateral": "126851"
 }

snapshots/Spoke.Operations.json

@@ -1,13 +1,13 @@
 {
-  "borrow: first": "269207",
-  "borrow: second action, same reserve": "212728",
-  "liquidationCall: full": "324413",
-  "liquidationCall: partial": "348507",
-  "permitReserve + repay (multicall)": "269185",
+  "borrow: first": "269201",
+  "borrow: second action, same reserve": "212722",
+  "liquidationCall: full": "324401",
+  "liquidationCall: partial": "348495",
+  "permitReserve + repay (multicall)": "269179",
   "permitReserve + supply (multicall)": "141050",
   "permitReserve + supply + enable collateral (multicall)": "176287",
-  "repay: full": "146411",
-  "repay: partial": "209612",
+  "repay: full": "146405",
+  "repay: partial": "209606",
   "setUserPositionManagerWithSig: disable": "44918",
   "setUserPositionManagerWithSig: enable": "68947",
   "supply + enable collateral (multicall)": "154229",
@@ -17,16 +17,16 @@
   "supply: second action, same reserve": "103081",
   "updateUserDynamicConfig: 1 collateral": "73761",
   "updateUserDynamicConfig: 2 collaterals": "88621",
-  "updateUserRiskPremium: 1 borrow": "177369",
-  "updateUserRiskPremium: 2 borrows": "262734",
+  "updateUserRiskPremium: 1 borrow": "177363",
+  "updateUserRiskPremium: 2 borrows": "262728",
   "usingAsCollateral: 0 borrows, enable": "58976",
-  "usingAsCollateral: 1 borrow, disable": "187616",
+  "usingAsCollateral: 1 borrow, disable": "187610",
   "usingAsCollateral: 1 borrow, enable": "32298",
-  "usingAsCollateral: 2 borrows, disable": "287353",
+  "usingAsCollateral: 2 borrows, disable": "287347",
   "usingAsCollateral: 2 borrows, enable": "41876",
   "withdraw: 0 borrows, full": "127742",
-  "withdraw: 0 borrows, partial": "132789",
-  "withdraw: 1 borrow, partial": "241358",
-  "withdraw: 2 borrows, partial": "341084",
+  "withdraw: 0 borrows, partial": "132783",
+  "withdraw: 1 borrow, partial": "241352",
+  "withdraw: 2 borrows, partial": "341078",
   "withdraw: non collateral": "126851"
 }

src/spoke/libraries/KeyValueList.sol

@@ -35,8 +35,9 @@ library KeyValueList {
   }
 
   /// @notice Inserts packed `key`, `value` at `idx`. Reverts if data exceeds maximum allowed size.
+  /// @dev Reverts if `key` equals or exceeds the `_MAX_KEY` value and reverts if `value` equals or exceeds the `_MAX_VALUE` value.
   function add(List memory self, uint256 idx, uint256 key, uint256 value) internal pure {
-    require(key <= _MAX_KEY && value <= _MAX_VALUE, MaxDataSizeExceeded());
+    require(key < _MAX_KEY && value < _MAX_VALUE, MaxDataSizeExceeded());
     self._inner[idx] = pack(key, value);
   }
 

tests/unit/KeyValueList.t.sol

@@ -5,9 +5,123 @@ pragma solidity ^0.8.0;
 import {Test} from 'forge-std/Test.sol';
 import {KeyValueList} from 'src/spoke/libraries/KeyValueList.sol';
 
+/// forge-config: default.allow_internal_expect_revert = true
 contract KeyValueListTest is Test {
   using KeyValueList for KeyValueList.List;
 
+  function test_add_unique() public {
+    /// @dev needed for reverts not to block the test
+    KeyValueListWrapper wrapper = new KeyValueListWrapper();
+    KeyValueList.List memory list = KeyValueList.init(11);
+
+    list = wrapper.add(list, 0, 1, 1);
+    list = wrapper.add(list, 1, 100, 1e15);
+    list = wrapper.add(list, 2, 100, 5e20);
+    list = wrapper.add(list, 3, 5e4, 5e20);
+    list = wrapper.add(list, 4, 5e4, 1e12);
+    list = wrapper.add(list, 5, 45e6, 2.5e50);
+    list = wrapper.add(list, 6, 45e6, 10);
+
+    list = wrapper.add(list, 7, type(uint32).max - 1, 10000000000);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 8, type(uint32).max, 10000000000);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 8, 45e8, 10000000000);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 8, 75e9, 10000000000);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 9, 5e6, 2.696e67);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 9, 5e6, 5e70);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 9, 5e6, 12.5e75);
+
+    vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+    wrapper.add(list, 9, 5e6, type(uint224).max);
+
+    list = wrapper.add(list, 10, 5e6, type(uint224).max - 1);
+
+    uint256 returnedKey;
+    uint256 returnedValue;
+    (returnedKey, returnedValue) = list.get(0);
+    assertEq(returnedKey, 1);
+    assertEq(returnedValue, 1);
+    (returnedKey, returnedValue) = list.get(1);
+    assertEq(returnedKey, 100);
+    assertEq(returnedValue, 1e15);
+    (returnedKey, returnedValue) = list.get(2);
+    assertEq(returnedKey, 100);
+    assertEq(returnedValue, 5e20);
+    (returnedKey, returnedValue) = list.get(3);
+    assertEq(returnedKey, 5e4);
+    assertEq(returnedValue, 5e20);
+    (returnedKey, returnedValue) = list.get(4);
+    assertEq(returnedKey, 5e4);
+    assertEq(returnedValue, 1e12);
+    (returnedKey, returnedValue) = list.get(5);
+    assertEq(returnedKey, 45e6);
+    assertEq(returnedValue, 2.5e50);
+    (returnedKey, returnedValue) = list.get(6);
+    assertEq(returnedKey, 45e6);
+    assertEq(returnedValue, 10);
+    (returnedKey, returnedValue) = list.get(7);
+    assertEq(returnedKey, type(uint32).max - 1);
+    assertEq(returnedValue, 10000000000);
+    (returnedKey, returnedValue) = list.get(8);
+    assertEq(returnedKey, 0);
+    assertEq(returnedValue, 0);
+    (returnedKey, returnedValue) = list.get(9);
+    assertEq(returnedKey, 0);
+    assertEq(returnedValue, 0);
+    (returnedKey, returnedValue) = list.get(10);
+    assertEq(returnedKey, 5e6);
+    assertEq(returnedValue, type(uint224).max - 1);
+  }
+
+  function test_fuzz_add(uint256 key, uint256 value) public {
+    /// @dev needed for reverts not to block the test
+    KeyValueListWrapper wrapper = new KeyValueListWrapper();
+    KeyValueList.List memory list = KeyValueList.init(5);
+
+    if (key >= KeyValueList._MAX_KEY || value >= KeyValueList._MAX_VALUE) {
+      vm.expectRevert(KeyValueList.MaxDataSizeExceeded.selector);
+      wrapper.add(list, 0, key, value);
+    } else {
+      list.add(0, key, value);
+    }
+
+    if (key < KeyValueList._MAX_KEY && value < KeyValueList._MAX_VALUE) {
+      (uint256 storedKey, uint256 storedValue) = list.get(0);
+      assertEq(storedKey, key);
+      assertEq(storedValue, value);
+    }
+  }
+
+  function test_fuzz_add_unique(uint256 seed, uint256 size) public pure {
+    size = bound(size, 1, 1e2);
+    uint256[] memory keys = _generateRandomUint256Array(size, seed, 1, type(uint32).max - 1);
+    uint256[] memory values = _generateRandomUint256Array(size, seed, 1, type(uint224).max - 1);
+    KeyValueList.List memory list = KeyValueList.init(keys.length);
+    for (uint256 i; i < keys.length; ++i) {
+      list.add(i, keys[i], values[i]);
+    }
+    for (uint256 i; i < keys.length; ++i) {
+      (uint256 key, uint256 value) = list.get(i);
+      assertEq(key, keys[i]);
+      assertEq(value, values[i]);
+      // No key should return as 0 unless the set key is 0 or the cell is not initialized
+      assertGt(key, 0);
+      // No value should return as 0 unless the set value is 0 or the cell is not initialized
+      assertGt(value, 0);
+    }
+  }
+
   function test_fuzz_sortByKey(uint256[] memory seed) public pure {
     vm.assume(seed.length > 0);
     KeyValueList.List memory list = KeyValueList.init(seed.length);
@@ -118,4 +232,36 @@ contract KeyValueListTest is Test {
   function _truncateValue(uint256 value) internal pure returns (uint256) {
     return value % KeyValueList._MAX_VALUE;
   }
+
+  function _generateRandomUint256Array(
+    uint256 size,
+    uint256 seed,
+    uint256 lowerBound,
+    uint256 upperBound
+  ) internal pure returns (uint256[] memory) {
+    seed = seed % 1e77;
+    if (size == 0) return new uint256[](0);
+    uint256[] memory result = new uint256[](size);
+    for (uint256 i; i < size; ++i) {
+      result[i] =
+        (uint256((keccak256(abi.encode(seed + i)))) % (upperBound - lowerBound + 1)) +
+        lowerBound;
+    }
+    return result;
+  }
+}
+
+contract KeyValueListWrapper {
+  using KeyValueList for KeyValueList.List;
+
+  function add(
+    KeyValueList.List memory list,
+    uint256 idx,
+    uint256 key,
+    uint256 value
+  ) external pure returns (KeyValueList.List memory returnList) {
+    returnList = list;
+    returnList.add(idx, key, value);
+    return returnList;
+  }
 }