@@ -1561,49 +1561,6 @@ contract WakuRlnV2Test is Test {
15611561 w.setMaxTotalRateLimit (100 );
15621562 }
15631563
1564- // Test: Malicious Upgrade Drains Funds
1565- function test_MaliciousUpgradeDrainsFunds () external {
1566- // Setup: Register with deposit
1567- uint32 rateLimit = w.minMembershipRateLimit ();
1568- (, uint256 price ) = w.priceCalculator ().calculate (rateLimit);
1569- token.approve (address (w), price);
1570- w.register (1 , rateLimit, new uint256 [](0 ));
1571-
1572- // Deploy malicious impl (e.g., drains token balance)
1573- address maliciousImpl = address (new MaliciousImplementation ()); // Assume impl with drain function
1574-
1575- // Prank owner to upgrade
1576- vm.prank (w.owner ());
1577- w.upgradeTo (address (maliciousImpl));
1578-
1579- // Simulate drain (cast to malicious and call)
1580- MaliciousImplementation malicious = MaliciousImplementation (address (w));
1581- vm.expectRevert (); // Or assert drain fails if protected
1582- malicious.drainTokens (address (token));
1583-
1584- // Assert: Funds not drained (invariant: no direct access)
1585- assertEq (token.balanceOf (address (w)), price); // Still held
1586- }
1587-
1588- // Test: Demonstrate success of Unauthorized Upgrade Post-Malicious Change
1589- function test_UnauthorizedUpgradeAfterMalicious () external {
1590- // Deploy malicious impl that allows anyone to upgrade
1591- address maliciousImpl = address (new MaliciousImplementation ()); // Overrides _authorizeUpgrade to public
1592-
1593- // Owner upgrades to malicious
1594- vm.prank (w.owner ());
1595- w.upgradeTo (address (maliciousImpl));
1596-
1597- // Non-owner attempts further upgrade
1598- address newImpl = address (new TestStableToken ()); // Arbitrary
1599- vm.prank (address (0xdead ));
1600- w.upgradeTo (newImpl); // Should succeed if malicious allows, but test revert if protected
1601-
1602- // Assert: Bricked or unauthorized (depending on spec; expect revert for safety)
1603- vm.expectRevert ("Ownable: caller is not the owner " );
1604- w.upgradeTo (newImpl); // If not overridden
1605- }
1606-
16071564 // Helper: Verify Merkle Proof Manually
16081565 function _verifyMerkleProof (
16091566 uint256 [20 ] memory proof ,
@@ -1752,91 +1709,4 @@ contract WakuRlnV2Test is Test {
17521709 assertFalse (w.isExpired (1 ));
17531710 }
17541711 }
1755-
1756- function testFrontrunning_RegistrationRevertsForVictim () external {
1757- // Setup: Two users, Alice (victim) and Bob (attacker)
1758- address alice = makeAddr ("alice " );
1759- address bob = makeAddr ("bob " );
1760-
1761- // Mint and approve tokens for both (assuming min rate limit requires 1e18 tokens)
1762- uint32 rateLimit = w.minMembershipRateLimit ();
1763- (, uint256 price ) = w.priceCalculator ().calculate (rateLimit);
1764- vm.prank (address (tokenDeployer));
1765- token.mint (alice, price);
1766- vm.prank (address (tokenDeployer));
1767- token.mint (bob, price);
1768-
1769- vm.prank (alice);
1770- token.approve (address (w), price);
1771- vm.prank (bob);
1772- token.approve (address (w), price);
1773-
1774- // Alice's intended idCommitment
1775- uint256 idCommitment = 123 ; // Arbitrary valid commitment (1 < id < Q)
1776-
1777- // Simulate frontrun: Prank Bob to register first with Alice's idCommitment
1778- vm.prank (bob);
1779- w.register (idCommitment, rateLimit, new uint256 [](0 ));
1780-
1781- // Now prank Alice: Her registration should succeed if no frontrun, but since it was frontrun, this will revert
1782- // and fail the test
1783- vm.prank (alice);
1784- w.register (idCommitment, rateLimit, new uint256 [](0 ));
1785-
1786- // Assertions: If we reach here (no revert), check Alice owns it—but since revert happens, test fails
1787- (uint32 fetchedRateLimit ,,) = w.getMembershipInfo (idCommitment);
1788- assertEq (fetchedRateLimit, rateLimit);
1789-
1790- // Destructure to access holder
1791- (,,,,,, address holder ,) = w.memberships (idCommitment);
1792- assertEq (holder, alice); // This would fail if Bob sniped, but test already fails on revert
1793-
1794- assertFalse (w.isInMembershipSet (456 )); // Arbitrary other ID for Alice not registered
1795- }
1796-
1797- function testFrontrunning_SetFillingSpam () external {
1798- // Prank owner to adjust limits for test
1799- uint32 rateLimit = w.minMembershipRateLimit (); // Assume 20
1800- vm.prank (w.owner ());
1801- w.setMaxMembershipRateLimit (rateLimit); // e.g., 20
1802- vm.prank (w.owner ());
1803- w.setMaxTotalRateLimit (rateLimit * 2 ); // e.g., 40, for 2 memberships
1804-
1805- // Setup attacker and victim
1806- address bob = makeAddr ("bob " ); // Attacker
1807- address alice = makeAddr ("alice " ); // Victim
1808-
1809- (, uint256 price ) = w.priceCalculator ().calculate (rateLimit);
1810-
1811- // Mint and approve for Bob and Alice
1812- vm.prank (address (tokenDeployer));
1813- token.mint (bob, price * 2 ); // Enough for two registrations
1814- vm.prank (address (tokenDeployer));
1815- token.mint (alice, price);
1816-
1817- vm.prank (bob);
1818- token.approve (address (w), price * 2 );
1819- vm.prank (alice);
1820- token.approve (address (w), price);
1821-
1822- // Bob registers one junk to make it almost full
1823- uint256 junkId = 789 ; // Valid ID
1824- vm.prank (bob);
1825- w.register (junkId, rateLimit, new uint256 [](0 ));
1826-
1827- // Alice's intended idCommitment
1828- uint256 aliceId = 123 ;
1829-
1830- // Frontrun: Bob snipes the last capacity with Alice's idCommitment
1831- vm.prank (bob);
1832- w.register (aliceId, rateLimit, new uint256 [](0 ));
1833-
1834- // Alice tries to register a different ID but capacity is exceeded (no expectRevert, so test fails on revert)
1835- vm.prank (alice);
1836- w.register (456 , rateLimit, new uint256 [](0 )); // Different ID, but full capacity
1837-
1838- // Assertions: If no revert (which won't happen), check Alice owns it—but test fails earlier
1839- (,,,,,, address holder ,) = w.memberships (456 );
1840- assertEq (holder, alice); // This would fail if capacity exceeded, but revert happens first
1841- }
18421712}