|
| 1 | +# Security Guidelines |
| 2 | + |
| 3 | +This document outlines important security considerations when working with the Delegation Framework. |
| 4 | + |
| 5 | +## Batch Execution Security |
| 6 | + |
| 7 | +> ⚠️ **Important Security Notice** |
| 8 | +> |
| 9 | +> When using batch execution functionality, developers and users should be aware of potential risks related to calldata structure manipulation that can lead to information leakage and/or enhanced MEV extraction between executions. |
| 10 | +
|
| 11 | +### Overview |
| 12 | + |
| 13 | +The `decodeBatch` function uses assembly optimization for gas efficiency, which requires careful handling of execution calldata. Malformed execution arrays can cause unintended data exposure between batch operations. |
| 14 | + |
| 15 | +### How Batch Decoding Works |
| 16 | + |
| 17 | +```solidity |
| 18 | +struct Execution { |
| 19 | + address target; |
| 20 | + uint256 value; |
| 21 | + bytes callData; // ⚠️ Variable length field |
| 22 | +} |
| 23 | +``` |
| 24 | + |
| 25 | +The batch decoder processes an array of `Execution` structs where each execution contains variable-length calldata. The assembly implementation trusts the length fields in the calldata structure for gas optimization. |
| 26 | + |
| 27 | +### Potential Risk Scenario |
| 28 | + |
| 29 | +```solidity |
| 30 | +// Batch with two executions |
| 31 | +Execution[0] = { target: contractA, value: 0, callData: someFunction() } |
| 32 | +Execution[1] = { target: contractB, value: 0, callData: sensitiveFunction(data) } |
| 33 | +
|
| 34 | +// If Execution[0] has malformed callData length, it might read into Execution[1]'s data |
| 35 | +``` |
| 36 | + |
| 37 | +### Security Implications |
| 38 | + |
| 39 | +1. **Information leakage** |
| 40 | + |
| 41 | + - **Risk**: `Execution[0]` may read calldata intended for `Execution[1]` |
| 42 | + - **Impact**: Sensitive transaction details could be exposed to earlier executions |
| 43 | + |
| 44 | +2. **Enhanced MEV extraction** |
| 45 | + |
| 46 | + - **Risk**: Malicious actors could preview upcoming operations in the same batch |
| 47 | + - **Impact**: Increased MEV extraction, unfavorable execution order |
| 48 | + |
| 49 | +3. **Front-running within batch** |
| 50 | + - **Risk**: Earlier executions could act on information from later executions |
| 51 | + - **Impact**: Sandwich attacks, price manipulation within the batch |
| 52 | + |
| 53 | +### ✅ User Guidelines |
| 54 | + |
| 55 | +- **Use MetaMask UI**: Transactions through MetaMask's interface are safe |
| 56 | +- **Verify transaction details**: Always review what operations will be executed |
| 57 | +- **Trust reputable dApps**: Only use well-audited applications for batch operations |
| 58 | +- **Single execution**: Prefer single-execution operations for sensitive transactions |
| 59 | + |
| 60 | +### Developer Guidelines |
| 61 | + |
| 62 | +Developers should exercise extreme caution when manually creating execution calldata. The assembly-optimized `decodeBatch` function trusts the length fields in the calldata structure without bounds checking. |
| 63 | + |
| 64 | +Improperly constructed calldata can lead to: |
| 65 | + |
| 66 | +- Cross-execution data leakage |
| 67 | +- Unintended information exposure |
| 68 | +- Enhanced MEV extraction opportunities |
| 69 | + |
| 70 | +### ✅ Safe Development Practices |
| 71 | + |
| 72 | +- **Use established libraries** for batch construction rather than manual calldata creation |
| 73 | +- **Validate all execution arrays** before processing |
| 74 | +- **Implement length checks** if building custom batch constructors |
| 75 | +- **Test thoroughly** with malformed inputs to ensure proper bounds checking |
| 76 | +- **Never trust user-provided execution arrays** without validation |
| 77 | +- **Separate sensitive operations** into individual transactions when possible |
| 78 | + |
| 79 | +--- |
0 commit comments