Audit April 2025 - 7.2.1 and 7.2.2 - Constructor Inputs and Expiration

Author: hanzel98

src/helpers/DelegationMetaSwapAdapter.sol

@@ -146,6 +146,9 @@ contract DelegationMetaSwapAdapter is ExecutionHelper, Ownable2Step {
     /// @dev Error thrown when the signature expiration has passed.
     error SignatureExpired();
 
+    /// @dev Error thrown when the address is zero.
+    error InvalidZeroAddress();
+
     ////////////////////////////// Modifiers //////////////////////////////
 
     /**
@@ -184,6 +187,11 @@ contract DelegationMetaSwapAdapter is ExecutionHelper, Ownable2Step {
     )
         Ownable(_owner)
     {
+        if (
+            _swapApiSigner == address(0) || address(_delegationManager) == address(0) || address(_metaSwap) == address(0)
+                || _argsEqualityCheckEnforcer == address(0)
+        ) revert InvalidZeroAddress();
+
         swapApiSigner = _swapApiSigner;
         delegationManager = _delegationManager;
         metaSwap = _metaSwap;
@@ -274,7 +282,7 @@ contract DelegationMetaSwapAdapter is ExecutionHelper, Ownable2Step {
      * @param _tokenTo The output token of the swap.
      * @param _recipient The address that will receive the swapped tokens.
      * @param _amountFrom The amount of tokens to be swapped.
-     * @param _balanceFromBefore The contract’s balance of _tokenFrom before the incoming token transfer is credited.
+     * @param _balanceFromBefore The contract's balance of _tokenFrom before the incoming token transfer is credited.
      * @param _swapData Arbitrary data required by the aggregator (e.g. encoded swap params).
      */
     function swapTokens(
@@ -524,7 +532,7 @@ contract DelegationMetaSwapAdapter is ExecutionHelper, Ownable2Step {
      * @param _signatureData Contains the apiData, the expiration and signature.
      */
     function _validateSignature(SignatureData memory _signatureData) private view {
-        if (block.timestamp > _signatureData.expiration) revert SignatureExpired();
+        if (block.timestamp >= _signatureData.expiration) revert SignatureExpired();
 
         bytes32 messageHash_ = keccak256(abi.encodePacked(_signatureData.apiData, _signatureData.expiration));
         bytes32 ethSignedMessageHash_ = MessageHashUtils.toEthSignedMessageHash(messageHash_);

test/helpers/DelegationMetaSwapAdapter.t.sol

@@ -300,6 +300,32 @@ contract DelegationMetaSwapAdapterMockTest is DelegationMetaSwapAdapterBaseTest
         super.setUp();
     }
 
+    /**
+     * @notice Verifies that the contract reverts when the zero address is used as an input.
+     */
+    function test_revert_invalidZeroAddressInConstructor() public {
+        address owner_ = address(1);
+        address swapApiSigner_ = address(1);
+        IDelegationManager delegationManager_ = IDelegationManager(address(1));
+        IMetaSwap metaSwap_ = IMetaSwap(address(1));
+        address argsEqualityCheckEnforcer_ = address(1);
+
+        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableInvalidOwner.selector, address(0)));
+        new DelegationMetaSwapAdapter(address(0), swapApiSigner_, delegationManager_, metaSwap_, argsEqualityCheckEnforcer_);
+
+        vm.expectRevert(DelegationMetaSwapAdapter.InvalidZeroAddress.selector);
+        new DelegationMetaSwapAdapter(owner_, address(0), delegationManager_, metaSwap_, argsEqualityCheckEnforcer_);
+
+        vm.expectRevert(DelegationMetaSwapAdapter.InvalidZeroAddress.selector);
+        new DelegationMetaSwapAdapter(owner_, swapApiSigner_, IDelegationManager(address(0)), metaSwap_, argsEqualityCheckEnforcer_);
+
+        vm.expectRevert(DelegationMetaSwapAdapter.InvalidZeroAddress.selector);
+        new DelegationMetaSwapAdapter(owner_, swapApiSigner_, delegationManager_, IMetaSwap(address(0)), argsEqualityCheckEnforcer_);
+
+        vm.expectRevert(DelegationMetaSwapAdapter.InvalidZeroAddress.selector);
+        new DelegationMetaSwapAdapter(owner_, swapApiSigner_, delegationManager_, metaSwap_, address(0));
+    }
+
     /**
      * @notice Verifies that tokens can be swapped by delegations in a purely local environment (using a MetaSwapMock).
      */
@@ -1161,6 +1187,29 @@ contract DelegationMetaSwapAdapterMockTest is DelegationMetaSwapAdapterBaseTest
         delegationMetaSwapAdapter.swapByDelegation(sigData_, delegations_, true);
     }
 
+    /// @notice Tests that swapByDelegation reverts with SignatureExpired when the signature expiration is equal to current
+    /// timestamp.
+    function test_revert_swapByDelegation_signatureExpired_equal() public {
+        _setUpMockContracts();
+        bytes memory swapData_ = _encodeSwapData(IERC20(tokenA), IERC20(tokenB), amountFrom, amountTo, hex"", 0, address(0), true);
+        bytes memory apiData_ = _encodeApiData(aggregatorId, IERC20(tokenA), amountFrom, swapData_);
+        // Set expiration in the current time.
+        uint256 expiredTime = block.timestamp;
+        bytes memory signature = _getValidSignature(apiData_, expiredTime);
+        DelegationMetaSwapAdapter.SignatureData memory sigData_ =
+            DelegationMetaSwapAdapter.SignatureData({ apiData: apiData_, expiration: expiredTime, signature: signature });
+
+        Delegation[] memory delegations_ = new Delegation[](2);
+        Delegation memory vaultDelegation_ = _getVaultDelegation();
+        Delegation memory subVaultDelegation_ = _getSubVaultDelegation(EncoderLib._getDelegationHash(vaultDelegation_));
+        delegations_[1] = vaultDelegation_;
+        delegations_[0] = subVaultDelegation_;
+
+        vm.prank(address(subVault.deleGator));
+        vm.expectRevert(DelegationMetaSwapAdapter.SignatureExpired.selector);
+        delegationMetaSwapAdapter.swapByDelegation(sigData_, delegations_, true);
+    }
+
     /// @notice Tests that swapByDelegation reverts with InvalidApiSignature when the signature is invalid.
     function test_revert_swapByDelegation_invalidApiSignature() public {
         _setUpMockContracts();