pimlicolabs / erc20-paymaster
An ERC-4337 Paymaster contract by Pimlico that is able to sponsor gas fees in exchange for ERC-20 tokens
Home Page: https://pimlico.io
License: MIT License
Hi @kristofgazso, is this repository still supported? There are some contributions that I would like to add!
When I run npx hardhat test, I encounter an unexpected error:
TypeError: Cannot read properties of undefined (reading 'Assertion')
Hi,
There is no limit on the gas fee of one UserOp. A malicious user can compose a UserOp with a very high preVerificationGas or maxPriorityFeePerGas, making the gas fee high enough to drain all the ETH of the paymaster. Note that in this case the malicious user can bundle this UserOp with his own bundler, so that the profit is returned to himself. This means the malicious user only loses the actual gas fee (which is low) of executing the UserOp.
This can be exploited for the below purpose:
postOp. It's possible that the price deviates from the actual price in extreme cases. The malicious user can compose a UserOp with a high gas fee, use the TokenPaymaster and bundle it with his own bundler. In this case the malicious user pays ERC-20 tokens and gets ETH at a favorable price.
The above line can be improved with named imports:
import {BasePaymaster} from "@account-abstraction/contracts/core/BasePaymaster.sol";
Named imports can be applied to all imports.
Custom error codes can be used instead of strings.
Suggested Change:
error PimlicoERC20Paymaster__PriceMarkUpTooHigh();
if (_priceMarkup >= 120e4) {
    revert PimlicoERC20Paymaster__PriceMarkUpTooHigh();
}
By using custom error codes instead of strings, less gas is used.
Suggested Change:
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
This can improve readability and also destructures only the necessary code.
This codebase currently uses magic numbers in certain areas. Replacing these magic numbers with descriptive constants will significantly improve code readability and maintainability.
erc20-paymaster/src/ERC20Paymaster.sol
Line 79 in 8e37933
The 1e6 magic number can be updated with PRICE_DENOMINATOR in the below lines:
erc20-paymaster/src/ERC20Paymaster.sol
Lines 134 to 136 in 8e37933
erc20-paymaster/src/ERC20Paymaster.sol
Lines 140 to 142 in 8e37933
The above lines can be updated with the below lines of code.
uint256 private constant DECIMAL_PRECISION = 8;
.
.
.
if (_tokenOracle.decimals() != DECIMAL_PRECISION || _nativeAssetOracle.decimals() != DECIMAL_PRECISION) {
revert OracleDecimalsInvalid();
}
Some more magic numbers are used. They can be updated with constants.
Also, instead of declaring all variables as public, all variables can be declared as private, and we can write external getter functions to get the values, which can prove to be gas-efficient.
- uint256 public constant PRICE_DENOMINATOR = 1e6;
+ uint256 private constant PRICE_DENOMINATOR = 1e6;
External Getter function
function getPriceDenominator() external view returns(uint256){
return PRICE_DENOMINATOR;
}
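The unbounded-gas-fee issue reported earlier on this page (very high preVerificationGas / maxPriorityFeePerGas, with the attacker bundling the UserOp themselves) is easier to reason about with numbers. The following is an added example, not code from erc20-paymaster or Pimlico: a Python cost model that approximates the ERC-4337 v0.6 EntryPoint fee computation and the paymaster's markup-based token charge, compares an honest UserOp with a malicious one routed through the attacker's own bundler, and finishes with a hypothetical cap check. The function names, the cap values, the 6-decimal token and the sample prices and gas figures are all assumptions constructed for the example.

```python
"""Cost model for the unbounded-gas-fee issue reported above.

Constructed example, not code from erc20-paymaster. Integer arithmetic in
wei and token base units; the EntryPoint formulas follow ERC-4337 v0.6 in
simplified form, and the token charge mirrors the paymaster's markup scheme.
"""
from dataclasses import dataclass

GWEI = 10**9
WEI_PER_ETH = 10**18
PRICE_DENOMINATOR = 10**6      # markup scale as in the paymaster: 105e4 == 1.05x


@dataclass(frozen=True)
class UserOpGas:
    gas_used: int                # gas actually metered for validation + execution + postOp
    pre_verification_gas: int    # paid in full by the paymaster, never metered on-chain
    max_fee_per_gas: int
    max_priority_fee_per_gas: int


def effective_gas_price(op: UserOpGas, base_fee: int) -> int:
    """Mirror of EntryPoint.getUserOpGasPrice (EIP-1559 style)."""
    if op.max_fee_per_gas == op.max_priority_fee_per_gas:
        return op.max_fee_per_gas      # legacy mode: base fee is ignored
    return min(op.max_fee_per_gas, op.max_priority_fee_per_gas + base_fee)


def actual_gas_cost(op: UserOpGas, base_fee: int) -> int:
    """Wei the paymaster's EntryPoint deposit pays out to the bundler for this op."""
    return (op.gas_used + op.pre_verification_gas) * effective_gas_price(op, base_fee)


def token_charge(gas_cost_wei: int, oracle_price: int, markup: int) -> int:
    """Token base units postOp pulls from the sender for gas_cost_wei.

    oracle_price is token base units per 1 ETH as last cached from the oracle
    (2000e6 means 2000 tokens/ETH for a 6-decimal token); markup is scaled by
    PRICE_DENOMINATOR.
    """
    return gas_cost_wei * oracle_price * markup // (WEI_PER_ETH * PRICE_DENOMINATOR)


def self_bundle_pnl(op: UserOpGas, base_fee: int, tx_gas_used: int, tx_priority_fee: int,
                    oracle_price: int, market_price: int, markup: int):
    """Attacker submits the op through a bundler they control.

    The bundler is compensated with actual_gas_cost from the paymaster's
    deposit but only pays the real block gas for its bundle transaction.
    Returns (eth_received, eth_spent, tokens_paid, net_profit) in wei / base units.
    """
    received = actual_gas_cost(op, base_fee)
    spent = tx_gas_used * (base_fee + tx_priority_fee)
    tokens = token_charge(received, oracle_price, markup)
    tokens_value = tokens * WEI_PER_ETH // market_price   # what the tokens fetch on the market
    return received, spent, tokens, received - spent - tokens_value


# Hypothetical mitigation (assumption, not the project's code): refuse to sponsor ops whose
# fee fields exceed a cap, so one op cannot pull an unbounded slice of the deposit.
MAX_SPONSORED_FEE_PER_GAS = 500 * GWEI
MAX_SPONSORED_PRE_VERIFICATION_GAS = 200_000


def validate_fee_bounds(op: UserOpGas):
    """Return (accepted, reason); the check would live in validatePaymasterUserOp."""
    if op.max_fee_per_gas > MAX_SPONSORED_FEE_PER_GAS:
        return False, "maxFeePerGas above sponsorship cap"
    if op.pre_verification_gas > MAX_SPONSORED_PRE_VERIFICATION_GAS:
        return False, "preVerificationGas above sponsorship cap"
    return True, "ok"


# Constructed scenario: stale oracle says 2000 tokens/ETH while the market pays 2200.
BASE_FEE = 20 * GWEI
ORACLE_PRICE = 2000 * 10**6
MARKET_PRICE = 2200 * 10**6
MARKUP = 105 * 10**4
HONEST_OP = UserOpGas(gas_used=200_000, pre_verification_gas=50_000,
                      max_fee_per_gas=30 * GWEI, max_priority_fee_per_gas=2 * GWEI)
MALICIOUS_OP = UserOpGas(gas_used=200_000, pre_verification_gas=5_000_000,
                         max_fee_per_gas=10_000 * GWEI, max_priority_fee_per_gas=10_000 * GWEI)

if __name__ == "__main__":
    for name, op in (("honest", HONEST_OP), ("malicious", MALICIOUS_OP)):
        received, spent, tokens, net = self_bundle_pnl(op, BASE_FEE, 250_000, 1 * GWEI,
                                                       ORACLE_PRICE, MARKET_PRICE, MARKUP)
        print(f"{name}: deposit paid out {received / WEI_PER_ETH:.4f} ETH, bundle tx cost "
              f"{spent / WEI_PER_ETH:.5f} ETH, tokens charged {tokens / 10**6:.2f}, "
              f"attacker net {net / WEI_PER_ETH:+.4f} ETH, accepted by cap check: "
              f"{validate_fee_bounds(op)[0]}")
```

Two things the numbers make visible. First, the 52 ETH the malicious op pulls from the deposit is not an attacker profit by itself: with an accurate oracle the 5% markup makes the tokens cost more than the ETH received, so the self-bundling trick is a loss; it only becomes a profit when the cached oracle price undervalues the token relative to the market, which is the second part of the report. Second, even at a loss the op still converts the paymaster's ETH deposit into tokens at zero slippage, which is the drain the report describes. The EntryPoint refuses an op whose required prefund exceeds the paymaster's deposit, so a single op is bounded by the deposit, but nothing stops repeating until it is empty; a cap on the fee fields, as in validate_fee_bounds, bounds how much each sponsored op can take.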