Add excessive-expiration warnings for approvals

Detect and surface approvals/permits with excessive expirations and refactor warning collapse logic.

- Make SimulationSeverity Copy + Eq and change SimulationWarning logic: add approval_value() and collapse_priority(severity) to replace previous suppress/is_unlimited checks; collapse_warnings now selects by priority.
- Refactor ApprovalRequest construction into ApprovalContext, add separate display_expiration and warning_expiration fields, and TokenField handling for token display rules.
- Add expiration detection: EXCESSIVE_EXPIRATION_WINDOW (30 days) and expiration_warning() that emits a ValidationError "Excessive expiration" when expiration is too far out; include display expiration in payloads.
- Propagate batch permit expiration parsing (u64) in decode and pass warning_expiration through permit2 batch decoding.
- Collect expiration warnings in SimulationClient::simulate_approval so client-side simulations include the extra warning.
- Add unit tests for excessive-expiration behavior for EIP-712 permit and permit2 batch cases.
- Minor import formatting cleanup in chainflip provider.

Author: gemcoder21

crates/primitives/src/simulation.rs

@@ -4,7 +4,7 @@ use typeshare::typeshare;
 
 use crate::AssetId;
 
-#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
 #[typeshare(swift = "Equatable, Hashable, Sendable")]
 #[serde(rename_all = "lowercase")]
 pub enum SimulationSeverity {
@@ -28,25 +28,24 @@ pub enum SimulationWarningType {
 impl SimulationWarningType {
     fn requires_spender_verification(&self) -> bool {
         match self {
-            Self::TokenApproval { .. } | Self::NftCollectionApproval { .. } | Self::PermitApproval { .. } | Self::PermitBatchApproval { .. } => true,
             Self::SuspiciousSpender | Self::ExternallyOwnedSpender | Self::ValidationError => false,
+            Self::TokenApproval { .. } | Self::NftCollectionApproval { .. } | Self::PermitApproval { .. } | Self::PermitBatchApproval { .. } => true,
         }
     }
 
-    fn suppresses_other_warnings(&self) -> bool {
-        if let Self::ExternallyOwnedSpender = self {
-            return true;
-        }
-        if let Self::ValidationError = self {
-            return true;
+    fn approval_value(&self) -> Option<&Option<BigInt>> {
+        match self {
+            Self::TokenApproval { value, .. } | Self::PermitApproval { value, .. } | Self::PermitBatchApproval { value } => Some(value),
+            Self::SuspiciousSpender | Self::ExternallyOwnedSpender | Self::NftCollectionApproval { .. } | Self::ValidationError => None,
         }
-        false
     }
 
-    fn is_unlimited_warning(&self) -> bool {
+    fn collapse_priority(&self, severity: SimulationSeverity) -> u8 {
         match self {
-            Self::TokenApproval { value, .. } | Self::PermitApproval { value, .. } | Self::PermitBatchApproval { value } => value.is_none(),
-            Self::SuspiciousSpender | Self::ExternallyOwnedSpender | Self::NftCollectionApproval { .. } | Self::ValidationError => false,
+            Self::ExternallyOwnedSpender => 2,
+            Self::ValidationError if severity == SimulationSeverity::Critical => 2,
+            _ if self.approval_value().is_some_and(Option::is_none) => 1,
+            _ => 0,
         }
     }
 }
@@ -64,6 +63,10 @@ impl SimulationWarning {
     pub fn new(severity: SimulationSeverity, warning: SimulationWarningType, message: Option<String>) -> Self {
         Self { severity, warning, message }
     }
+
+    fn collapse_priority(&self) -> u8 {
+        self.warning.collapse_priority(self.severity)
+    }
 }
 
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
@@ -185,17 +188,15 @@ impl SimulationResult {
     }
 
     fn collapse_warnings(warnings: Vec<SimulationWarning>) -> Vec<SimulationWarning> {
-        let blocking_warning = warnings.iter().find(|warning| warning.warning.suppresses_other_warnings()).cloned();
-        match blocking_warning {
-            Some(warning) => vec![warning],
-            None => {
-                if let Some(warning) = warnings.iter().find(|warning| warning.warning.is_unlimited_warning()).cloned() {
-                    return vec![warning];
-                }
+        if let Some(warning) = warnings.iter().find(|warning| warning.collapse_priority() == 2).cloned() {
+            return vec![warning];
+        }
 
-                warnings
-            }
+        if let Some(warning) = warnings.iter().find(|warning| warning.collapse_priority() == 1).cloned() {
+            return vec![warning];
         }
+
+        warnings
     }
 }
 

crates/simulation/src/evm/approval_request.rs

@@ -3,10 +3,13 @@ use primitives::{
     AssetId, Chain, SimulationHeader, SimulationPayloadField, SimulationPayloadFieldDisplay, SimulationPayloadFieldKind, SimulationPayloadFieldType, SimulationResult,
     SimulationSeverity, SimulationWarning, SimulationWarningType,
 };
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 use super::{approval_method::ApprovalMethod, approval_value::ApprovalValue};
 use gem_evm::ethereum_address_checksum;
 
+const EXCESSIVE_EXPIRATION_WINDOW: Duration = Duration::from_secs(60 * 60 * 24 * 30);
+
 #[derive(Debug, Clone, PartialEq)]
 pub(crate) struct ApprovalRequest {
     asset_id: AssetId,
@@ -15,36 +18,41 @@ pub(crate) struct ApprovalRequest {
     pub(crate) spender_address: String,
     method: ApprovalMethod,
     approval_value: Option<ApprovalValue>,
-    expiration: Option<String>,
+    display_expiration: Option<u64>,
+    warning_expiration: Option<u64>,
 }
 
 impl ApprovalRequest {
     pub(crate) fn erc20(chain: Chain, contract_address: &str, spender_address: String, approval_value: String) -> Option<Self> {
-        let contract_address = ethereum_address_checksum(contract_address).ok()?;
-        let spender_address = ethereum_address_checksum(&spender_address).ok()?;
-        Some(Self {
-            asset_id: AssetId::from_token(chain, &contract_address),
-            contract_address,
-            token_address: None,
-            spender_address,
-            method: ApprovalMethod::Approve,
-            approval_value: ApprovalValue::from_raw(&approval_value),
-            expiration: None,
-        })
+        Self::new(
+            chain,
+            ApprovalContext {
+                contract_address: contract_address.to_string(),
+                spender_address,
+                token_address: None,
+                approval_value: ApprovalValue::from_raw(&approval_value),
+                display_expiration: None,
+                warning_expiration: None,
+                method: ApprovalMethod::Approve,
+                token_field: TokenField::AlwaysHide,
+            },
+        )
     }
 
     pub(crate) fn nft_collection(chain: Chain, contract_address: &str, spender_address: String) -> Option<Self> {
-        let contract_address = ethereum_address_checksum(contract_address).ok()?;
-        let spender_address = ethereum_address_checksum(&spender_address).ok()?;
-        Some(Self {
-            asset_id: AssetId::from_token(chain, &contract_address),
-            contract_address,
-            token_address: None,
-            spender_address,
-            method: ApprovalMethod::SetApprovalForAll,
-            approval_value: None,
-            expiration: None,
-        })
+        Self::new(
+            chain,
+            ApprovalContext {
+                contract_address: contract_address.to_string(),
+                spender_address,
+                token_address: None,
+                approval_value: None,
+                display_expiration: None,
+                warning_expiration: None,
+                method: ApprovalMethod::SetApprovalForAll,
+                token_field: TokenField::AlwaysHide,
+            },
+        )
     }
 
     pub(crate) fn permit(
@@ -56,42 +64,70 @@ impl ApprovalRequest {
         token_address: Option<String>,
         method: ApprovalMethod,
     ) -> Option<Self> {
-        let contract_address = ethereum_address_checksum(&contract_address).ok()?;
-        let spender_address = ethereum_address_checksum(&spender_address).ok()?;
-        let token_address = token_address.map(|value| ethereum_address_checksum(&value)).transpose().ok()?;
-        let asset_address = token_address.clone().unwrap_or_else(|| contract_address.clone());
-        let token_address = (asset_address != contract_address).then_some(asset_address.clone());
-        Some(Self {
-            asset_id: AssetId::from_token(chain, &asset_address),
-            contract_address,
-            token_address,
-            spender_address,
-            method,
-            approval_value: ApprovalValue::from_raw(&approval_value),
-            expiration,
-        })
+        Self::new(
+            chain,
+            ApprovalContext {
+                contract_address,
+                spender_address,
+                token_address,
+                approval_value: ApprovalValue::from_raw(&approval_value),
+                display_expiration: expiration.as_deref().map(str::parse).transpose().ok()?,
+                warning_expiration: expiration.as_deref().map(str::parse).transpose().ok()?,
+                method,
+                token_field: TokenField::HideWhenMatchingContract,
+            },
+        )
     }
 
-    pub(crate) fn permit_batch(chain: Chain, contract_address: String, spender_address: String, approval_value: ApprovalValue, token_address: Option<String>) -> Option<Self> {
-        let contract_address = ethereum_address_checksum(&contract_address).ok()?;
-        let spender_address = ethereum_address_checksum(&spender_address).ok()?;
-        let token_address = token_address.map(|value| ethereum_address_checksum(&value)).transpose().ok()?;
+    pub(crate) fn permit_batch(
+        chain: Chain,
+        contract_address: String,
+        spender_address: String,
+        approval_value: ApprovalValue,
+        token_address: Option<String>,
+        warning_expiration: Option<u64>,
+    ) -> Option<Self> {
+        Self::new(
+            chain,
+            ApprovalContext {
+                contract_address,
+                spender_address,
+                token_address,
+                approval_value: Some(approval_value),
+                display_expiration: None,
+                warning_expiration,
+                method: ApprovalMethod::PermitBatch,
+                token_field: TokenField::ShowWhenPresent,
+            },
+        )
+    }
+
+    fn new(chain: Chain, context: ApprovalContext) -> Option<Self> {
+        let contract_address = ethereum_address_checksum(&context.contract_address).ok()?;
+        let spender_address = ethereum_address_checksum(&context.spender_address).ok()?;
+        let token_address = context.token_address.map(|value| ethereum_address_checksum(&value)).transpose().ok()?;
         let asset_address = token_address.clone().unwrap_or_else(|| contract_address.clone());
+        let token_address = match context.token_field {
+            TokenField::AlwaysHide => None,
+            TokenField::HideWhenMatchingContract if asset_address == contract_address => None,
+            TokenField::HideWhenMatchingContract | TokenField::ShowWhenPresent => token_address,
+        };
 
         Some(Self {
             asset_id: AssetId::from_token(chain, &asset_address),
             contract_address,
             token_address,
             spender_address,
-            method: ApprovalMethod::PermitBatch,
-            approval_value: Some(approval_value),
-            expiration: None,
+            method: context.method,
+            approval_value: context.approval_value,
+            display_expiration: context.display_expiration,
+            warning_expiration: context.warning_expiration,
         })
     }
 
     pub(crate) fn simulate(self) -> SimulationResult {
-        let warning = self.primary_warning();
-        self.build_simulation_result(vec![warning])
+        let warnings = self.warnings();
+        self.build_simulation_result(warnings)
     }
 
     pub(crate) fn build_simulation_result(self, warnings: Vec<SimulationWarning>) -> SimulationResult {
@@ -135,13 +171,35 @@ impl ApprovalRequest {
         )
     }
 
+    pub(crate) fn warnings(&self) -> Vec<SimulationWarning> {
+        let mut warnings = vec![self.primary_warning()];
+        if let Some(warning) = self.expiration_warning() {
+            warnings.push(warning);
+        }
+        warnings
+    }
+
     fn warning_approval_value(&self) -> Option<BigInt> {
         match self.approval_value.as_ref() {
             Some(ApprovalValue::Exact(value)) => Some(BigInt::from(value.clone())),
             Some(ApprovalValue::Unlimited) | None => None,
         }
     }
 
+    pub(crate) fn expiration_warning(&self) -> Option<SimulationWarning> {
+        let expiration = self.warning_expiration?;
+        let now = SystemTime::now().duration_since(UNIX_EPOCH).ok()?.as_secs();
+        if expiration <= now.saturating_add(EXCESSIVE_EXPIRATION_WINDOW.as_secs()) {
+            return None;
+        }
+
+        Some(SimulationWarning::new(
+            SimulationSeverity::Warning,
+            SimulationWarningType::ValidationError,
+            Some("Excessive expiration".to_string()),
+        ))
+    }
+
     fn payload(&self) -> Vec<SimulationPayloadField> {
         let mut payload = vec![
             SimulationPayloadField::standard(
@@ -185,12 +243,10 @@ impl ApprovalRequest {
             ));
         }
 
-        if self.method.supports_value_display()
-            && let Some(expiration) = self.expiration.as_deref()
-        {
+        if let Some(expiration) = self.display_expiration {
             payload.push(SimulationPayloadField::custom(
                 "expiration",
-                expiration,
+                expiration.to_string(),
                 SimulationPayloadFieldType::Timestamp,
                 SimulationPayloadFieldDisplay::Secondary,
             ));
@@ -199,3 +255,22 @@ impl ApprovalRequest {
         payload
     }
 }
+
+#[derive(Debug, Clone)]
+struct ApprovalContext {
+    contract_address: String,
+    spender_address: String,
+    token_address: Option<String>,
+    approval_value: Option<ApprovalValue>,
+    display_expiration: Option<u64>,
+    warning_expiration: Option<u64>,
+    method: ApprovalMethod,
+    token_field: TokenField,
+}
+
+#[derive(Debug, Clone, Copy)]
+enum TokenField {
+    AlwaysHide,
+    HideWhenMatchingContract,
+    ShowWhenPresent,
+}

crates/simulation/src/evm/client.rs

@@ -34,7 +34,7 @@ impl<'a, C: Client + Clone> SimulationClient<'a, C> {
     }
 
     async fn simulate_approval(&self, approval: ApprovalRequest) -> Result<SimulationResult, Box<dyn Error + Send + Sync>> {
-        let warnings = self.approval_warnings(&approval).await?;
+        let warnings = self.approval_warnings(&approval).await?.into_iter().chain(approval.expiration_warning()).collect();
         Ok(approval.build_simulation_result(warnings))
     }
 
@@ -136,6 +136,51 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test]
+    async fn eip712_permit_with_excessive_expiration_keeps_warning_with_client() -> Result<(), Box<dyn Error + Send + Sync>> {
+        let json: Value = serde_json::json!({
+            "types": {
+                "EIP712Domain": [
+                    { "name": "name", "type": "string" },
+                    { "name": "version", "type": "string" },
+                    { "name": "chainId", "type": "uint256" },
+                    { "name": "verifyingContract", "type": "address" }
+                ],
+                "Permit": [
+                    { "name": "owner", "type": "address" },
+                    { "name": "spender", "type": "address" },
+                    { "name": "value", "type": "uint256" },
+                    { "name": "nonce", "type": "uint256" },
+                    { "name": "deadline", "type": "uint256" }
+                ]
+            },
+            "primaryType": "Permit",
+            "domain": {
+                "name": "USD Coin",
+                "version": "2",
+                "chainId": "1",
+                "verifyingContract": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48"
+            },
+            "message": {
+                "owner": "0x1111111111111111111111111111111111111111",
+                "spender": "0x2222222222222222222222222222222222222222",
+                "value": "1000",
+                "nonce": "0",
+                "deadline": "9999999999"
+            }
+        });
+        let message = parse_eip712_json(&json)?;
+        let client = ethereum_client("0x1234");
+
+        let result = SimulationClient::new(&client).simulate_eip712_message(Chain::Ethereum, &message).await?;
+
+        assert_eq!(result.warnings.len(), 2);
+        assert_eq!(result.warnings[1].warning, SimulationWarningType::ValidationError);
+        assert_eq!(result.warnings[1].message.as_deref(), Some("Excessive expiration"));
+
+        Ok(())
+    }
+
     fn ethereum_client(code: &str) -> EthereumClient<gem_client::testkit::MockClient> {
         let code = code.to_string();
         let client = mock_jsonrpc_client(move |method, _| match method {