fix(solidity): scope Tron SafeERC20 workaround to USDT address only (#8467)

Co-authored-by: Yorke Rhodes <yorke@hyperlane.xyz>

Author: yjamin

.changeset/cuddly-meals-retire.md

@@ -0,0 +1,5 @@
+---
+"@hyperlane-xyz/core": patch
+---
+
+Fixed SafeERC20.sol operations for Tron

.prettierignore

@@ -18,6 +18,7 @@ solidity/artifacts/
 solidity/cache/
 solidity/core-utils/typechain/
 solidity/lib/
+solidity/overrides/
 tools/
 typescript/cli/configs/
 typescript/helloworld/artifacts/

solidity/build-tron.sh

@@ -11,34 +11,57 @@ rm -rf ./cache-tron ./artifacts-tron ./dist/tron/typechain
 # gracefully since deps may already be present (e.g. forge v1.1.0 soldeer bug).
 forge soldeer install --quiet || echo "Warning: soldeer install failed, assuming dependencies are already present"
 
-OZ_CREATE2="dependencies/@openzeppelin-contracts-4.9.3/contracts/utils/Create2.sol"
+# Files to patch for Tron compatibility (newline-separated, dest:src)
+PATCH_FILES="dependencies/@openzeppelin-contracts-4.9.3/contracts/utils/Create2.sol:overrides/tron/Create2.sol
+dependencies/@openzeppelin-contracts-4.9.3/contracts/token/ERC20/utils/SafeERC20.sol:overrides/tron/SafeERC20.sol"
 
-# Collect all .sol files that use isContract (contracts + dependencies)
-ISCONTRACT_FILES=$(grep -rl '\.isContract\b' contracts/ dependencies/ --include='*.sol' || true)
+# Iterate PATCH_FILES and run a command on each entry.
+# Usage: for_each_patch cmd  →  cmd is called with each "dest:src" line as $1
+for_each_patch() {
+  _saved_ifs="$IFS"; IFS="
+"
+  for _entry in $PATCH_FILES; do
+    "$@" "$_entry"
+  done
+  IFS="$_saved_ifs"
+}
+
+# Collect all .sol files that use isContract (contracts + dependencies),
+# excluding files already handled by PATCH_FILES to avoid double-backup.
+PATCH_DESTS=""
+_collect_dest() { PATCH_DESTS="$PATCH_DESTS ${1%%:*}"; }
+for_each_patch _collect_dest
+
+ISCONTRACT_FILES=""
+for f in $(grep -rl '\.isContract\b' contracts/ dependencies/ --include='*.sol' || true); do
+  case "$PATCH_DESTS" in
+    *"$f"*) ;;  # skip files already in PATCH_FILES
+    *) ISCONTRACT_FILES="$ISCONTRACT_FILES $f" ;;
+  esac
+done
+
+# Backup / restore helpers
+_backup_patch()  { cp "${1%%:*}" "${1%%:*}.bak"; }
+_restore_patch() { mv "${1%%:*}.bak" "${1%%:*}"; }
+_apply_patch()   { cp "${1##*:}" "${1%%:*}"; }
 
-# Backup all files we'll modify
 backup_files() {
-  cp "$OZ_CREATE2" "$OZ_CREATE2.bak"
-  for f in $ISCONTRACT_FILES; do
-    cp "$f" "$f.bak"
-  done
+  for_each_patch _backup_patch
+  for f in $ISCONTRACT_FILES; do cp "$f" "$f.bak"; done
 }
 
-# Restore all files from backups
 restore_files() {
-  mv "$OZ_CREATE2.bak" "$OZ_CREATE2"
-  for f in $ISCONTRACT_FILES; do
-    mv "$f.bak" "$f"
-  done
+  for_each_patch _restore_patch
+  for f in $ISCONTRACT_FILES; do mv "$f.bak" "$f"; done
 }
 
 # Ensure restoration even on failure
 trap restore_files EXIT
 
 backup_files
 
-# Patch Create2.sol with Tron-specific version (0x41 prefix)
-cp overrides/tron/Create2.sol "$OZ_CREATE2"
+# Apply Tron-specific patches (Create2.sol, SafeERC20.sol)
+for_each_patch _apply_patch
 
 # Patch isContract() calls → address.code.length > 0
 # Uses Node script to handle nested parentheses correctly

solidity/contracts/test/TronSafeERC20Test.sol

@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity >=0.8.0;
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+
+/// @dev Mock that mimics Tron USDT: transfer() succeeds but returns false.
+contract TronUSDTMock {
+    mapping(address => uint256) public balances;
+
+    function mint(address to, uint256 amount) external {
+        balances[to] += amount;
+    }
+
+    function transfer(address to, uint256 value) external returns (bool) {
+        require(balances[msg.sender] >= value, "insufficient balance");
+        balances[msg.sender] -= value;
+        balances[to] += value;
+        return false;
+    }
+
+    function transferFrom(
+        address from,
+        address to,
+        uint256 value
+    ) external returns (bool) {
+        require(balances[from] >= value, "insufficient balance");
+        balances[from] -= value;
+        balances[to] += value;
+        return true;
+    }
+
+    function balanceOf(address account) external view returns (uint256) {
+        return balances[account];
+    }
+
+    function allowance(address, address) external pure returns (uint256) {
+        return type(uint256).max;
+    }
+
+    function approve(address, uint256) external pure returns (bool) {
+        return true;
+    }
+}
+
+/// @dev Mock ERC20 that returns false on transfer without reverting.
+contract FalseReturningERC20Mock {
+    mapping(address => uint256) public balances;
+
+    function mint(address to, uint256 amount) external {
+        balances[to] += amount;
+    }
+
+    function transfer(address, uint256) external pure returns (bool) {
+        return false;
+    }
+
+    function transferFrom(
+        address,
+        address,
+        uint256
+    ) external pure returns (bool) {
+        return false;
+    }
+
+    function balanceOf(address account) external view returns (uint256) {
+        return balances[account];
+    }
+
+    function allowance(address, address) external pure returns (uint256) {
+        return type(uint256).max;
+    }
+
+    function approve(address, uint256) external pure returns (bool) {
+        return true;
+    }
+}
+
+/// @dev Harness that exposes the Tron-patched SafeERC20 functions for testing.
+contract SafeERC20Harness {
+    using SafeERC20 for IERC20;
+
+    function safeTransfer(IERC20 token, address to, uint256 value) external {
+        token.safeTransfer(to, value);
+    }
+
+    function safeTransferFrom(
+        IERC20 token,
+        address from,
+        address to,
+        uint256 value
+    ) external {
+        token.safeTransferFrom(from, to, value);
+    }
+}

solidity/foundry.toml

@@ -31,6 +31,8 @@ optimizer_runs = 200
 out = 'out-tron'
 cache_path = 'forge-cache-tron'
 remappings = [
+    "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol=overrides/tron/SafeERC20.sol",
+    "dependencies/@openzeppelin-contracts-4.9.3/contracts/token/ERC20/utils/SafeERC20.sol=overrides/tron/SafeERC20.sol",
     "@openzeppelin/contracts/utils/Create2.sol=overrides/tron/Create2.sol",
     "@openzeppelin/contracts/=dependencies/@openzeppelin-contracts-4.9.3/contracts/",
     "@openzeppelin/contracts-upgradeable/=dependencies/@openzeppelin-contracts-upgradeable-4.9.3/contracts/",

solidity/overrides/tron/SafeERC20.sol

@@ -0,0 +1,159 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Contracts (last updated v4.9.3) (token/ERC20/utils/SafeERC20.sol)
+
+pragma solidity ^0.8.0;
+
+// ===== BEGIN TRON OVERRIDE =====
+// Modified for Tron: safeTransfer bypasses return-value check for Tron USDT only.
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Permit.sol";
+import "@openzeppelin/contracts/utils/Address.sol";
+
+/**
+ * @title SafeERC20
+ * @dev Wrappers around ERC20 operations that throw on failure (when the token
+ * contract returns false). Tokens that return no value (and instead revert or
+ * throw on failure) are also supported, non-reverting calls are assumed to be
+ * successful.
+ * To use this library you can add a `using SafeERC20 for IERC20;` statement to your contract,
+ * which allows you to call the safe operations as `token.safeTransfer(...)`, etc.
+ */
+library SafeERC20 {
+    using Address for address;
+    // Tron USDT (TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t)
+    // transfer() returns false despite success because the source code discards
+    // super.transfer()'s return value without its own `return true`.
+    // See: https://gist.github.com/yorhodes/a6eccbeba27ff76355c3d761e84d6a35
+    address private constant TRON_USDT = 0xa614f803B6FD780986A42c78Ec9c7f77e6DeD13C;
+
+    /**
+     * @dev Transfer `value` amount of `token` from the calling contract to `to`. If `token` returns no value,
+     * non-reverting calls are assumed to be successful.
+     *
+     * For Tron USDT specifically, the return value is ignored because its transfer()
+     * returns false on success due to a missing `return true` in the source code.
+     */
+    function safeTransfer(IERC20 token, address to, uint256 value) internal {
+        if (address(token) == TRON_USDT) {
+            (bool success, ) = address(token).call(abi.encodeWithSelector(token.transfer.selector, to, value));
+            require(success, "SafeERC20: ERC20 transfer failed");
+            return;
+        }
+        // ===== END TRON OVERRIDE =====
+        _callOptionalReturn(token, abi.encodeWithSelector(token.transfer.selector, to, value));
+    }
+
+    /**
+     * @dev Transfer `value` amount of `token` from `from` to `to`, spending the approval given by `from` to the
+     * calling contract. If `token` returns no value, non-reverting calls are assumed to be successful.
+     */
+    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
+        _callOptionalReturn(token, abi.encodeWithSelector(token.transferFrom.selector, from, to, value));
+    }
+
+    /**
+     * @dev Deprecated. This function has issues similar to the ones found in
+     * {IERC20-approve}, and its usage is discouraged.
+     *
+     * Whenever possible, use {safeIncreaseAllowance} and
+     * {safeDecreaseAllowance} instead.
+     */
+    function safeApprove(IERC20 token, address spender, uint256 value) internal {
+        // safeApprove should only be called when setting an initial allowance,
+        // or when resetting it to zero. To increase and decrease it, use
+        // 'safeIncreaseAllowance' and 'safeDecreaseAllowance'
+        require(
+            (value == 0) || (token.allowance(address(this), spender) == 0),
+            "SafeERC20: approve from non-zero to non-zero allowance"
+        );
+        _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, value));
+    }
+
+    /**
+     * @dev Increase the calling contract's allowance toward `spender` by `value`. If `token` returns no value,
+     * non-reverting calls are assumed to be successful.
+     */
+    function safeIncreaseAllowance(IERC20 token, address spender, uint256 value) internal {
+        uint256 oldAllowance = token.allowance(address(this), spender);
+        _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, oldAllowance + value));
+    }
+
+    /**
+     * @dev Decrease the calling contract's allowance toward `spender` by `value`. If `token` returns no value,
+     * non-reverting calls are assumed to be successful.
+     */
+    function safeDecreaseAllowance(IERC20 token, address spender, uint256 value) internal {
+        unchecked {
+            uint256 oldAllowance = token.allowance(address(this), spender);
+            require(oldAllowance >= value, "SafeERC20: decreased allowance below zero");
+            _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, oldAllowance - value));
+        }
+    }
+
+    /**
+     * @dev Set the calling contract's allowance toward `spender` to `value`. If `token` returns no value,
+     * non-reverting calls are assumed to be successful. Meant to be used with tokens that require the approval
+     * to be set to zero before setting it to a non-zero value, such as USDT.
+     */
+    function forceApprove(IERC20 token, address spender, uint256 value) internal {
+        bytes memory approvalCall = abi.encodeWithSelector(token.approve.selector, spender, value);
+
+        if (!_callOptionalReturnBool(token, approvalCall)) {
+            _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, 0));
+            _callOptionalReturn(token, approvalCall);
+        }
+    }
+
+    /**
+     * @dev Use a ERC-2612 signature to set the `owner` approval toward `spender` on `token`.
+     * Revert on invalid signature.
+     */
+    function safePermit(
+        IERC20Permit token,
+        address owner,
+        address spender,
+        uint256 value,
+        uint256 deadline,
+        uint8 v,
+        bytes32 r,
+        bytes32 s
+    ) internal {
+        uint256 nonceBefore = token.nonces(owner);
+        token.permit(owner, spender, value, deadline, v, r, s);
+        uint256 nonceAfter = token.nonces(owner);
+        require(nonceAfter == nonceBefore + 1, "SafeERC20: permit did not succeed");
+    }
+
+    /**
+     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
+     * on the return value: the return value is optional (but if data is returned, it must not be false).
+     * @param token The token targeted by the call.
+     * @param data The call data (encoded using abi.encode or one of its variants).
+     */
+    function _callOptionalReturn(IERC20 token, bytes memory data) private {
+        // We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
+        // we're implementing it ourselves. We use {Address-functionCall} to perform this call, which verifies that
+        // the target address contains contract code and also asserts for success in the low-level call.
+
+        bytes memory returndata = address(token).functionCall(data, "SafeERC20: low-level call failed");
+        require(returndata.length == 0 || abi.decode(returndata, (bool)), "SafeERC20: ERC20 operation did not succeed");
+    }
+
+    /**
+     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
+     * on the return value: the return value is optional (but if data is returned, it must not be false).
+     * @param token The token targeted by the call.
+     * @param data The call data (encoded using abi.encode or one of its variants).
+     *
+     * This is a variant of {_callOptionalReturn} that silents catches all reverts and returns a bool instead.
+     */
+    function _callOptionalReturnBool(IERC20 token, bytes memory data) private returns (bool) {
+        // We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
+        // we're implementing it ourselves. We cannot use {Address-functionCall} here since this should return false
+        // and not revert is the subcall reverts.
+
+        (bool success, bytes memory returndata) = address(token).call(data);
+        return
+            success && (returndata.length == 0 || abi.decode(returndata, (bool))) && Address.isContract(address(token));
+    }
+}

solidity/package.json

@@ -75,7 +75,7 @@
         "build": "pnpm version:update && pnpm hardhat-esm compile && tsc && node fix-typechain-ethers.mjs ./dist/typechain/factories && ./exportBuildArtifact.sh",
         "build:zk": "pnpm hardhat-zk compile && tsc && node fix-typechain-ethers.mjs ./dist/typechain/factories && node generate-artifact-exports.mjs && ZKSYNC=true ./exportBuildArtifact.sh",
         "build:tron": "./build-tron.sh",
-        "test:tron": "FOUNDRY_PROFILE=tron forge test --match-contract TronCreate2Test -vvv",
+        "test:tron": "FOUNDRY_PROFILE=tron forge test --match-contract 'Tron(Create2|SafeERC20)Test' -vvv && bash test/tron/check-SafeERC20-diff.sh",
         "prepublishOnly": "pnpm build && pnpm build:zk && pnpm build:tron",
         "lint": "solhint contracts/**/*.sol && eslint -c ./eslint.config.mjs",
         "clean": "pnpm hardhat-esm clean && pnpm hardhat-zk clean && rm -rf ./dist ./cache ./cache-zk ./cache-tron ./artifacts-tron ./out-tron ./forge-cache-tron ./types ./coverage ./out ./forge-cache ./fixtures",
@@ -89,7 +89,7 @@
         "test": "pnpm version:exhaustive && pnpm hardhat-esm test && pnpm test:forge",
         "test:hardhat": "pnpm hardhat-esm test",
         "test:forge": "pnpm fixtures && forge test -vvv --decode-internal --no-match-contract 'Everclear|Tron'",
-        "test:ci": "pnpm version:changed && pnpm test:hardhat && pnpm test:forge --no-match-test testFork",
+        "test:ci": "pnpm version:changed && pnpm test:hardhat && pnpm test:forge --no-match-test testFork && pnpm test:tron",
         "test:fork": "sh -c '. ./.env.default && forge test --match-test testFork && forge test --match-contract ForkTest'",
         "gas": "forge snapshot",
         "gas-ci": "pnpm gas --check --tolerance 2 || (echo 'Manually update gas snapshot' && exit 1)",