feat(tests): add approval test for existing slots

Author: jochem-brouwer

tests/benchmark/mainnet/test_state_xen.py

@@ -101,6 +101,98 @@ def test_xen_approve(
     )
 
 
+@pytest.mark.valid_from("Frontier")
+def test_xen_approve_existing_slots(
+    blockchain_test: BlockchainTestFiller,
+    pre: Alloc,
+):
+    """
+    Uses the `approve(address,uint256)` method of XEN (ERC20) close to the maximum amount
+    of slots which could be edited (as opposed to be created) within a single block/transaction.
+    """
+    attack_gas_limit = (
+        60_000_000  # TODO: currently hardcoded, should be read from `gas_benchmark_value`
+    )
+
+    # Gas limit: 60M, 2424 SSTOREs, 300 MGas/s
+
+    xen_contract = 0x06450DEE7FD2FB8E39061434BABCFC05599A6FB8
+    gas_threshold = 40_000
+
+    fn_signature_approve = bytes.fromhex(
+        "095EA7B3"
+    )  # Function selector of `approve(address,uint256)`
+    # This code loops until there is less than threshold_gas left and reads two items from calldata:
+    # The first 32 bytes are interpreted as the start address to start approving for
+    # The second 32 bytes is the approval amount
+    # This can thus be used to initialize the approvals (in multiple txs) to write to the storage
+    # Since initializing storage (from zero to nonzero) is more expensive, this thus has
+    # to be done over multiple blocks/txs
+    # The attack block can then target all of the just initialized storage slots to edit
+    # (This should thus yield more dirty trie nodes than the )
+    approval_loop_code = (
+        Om.MSTORE(fn_signature_approve)
+        + Op.MSTORE(4 + 32, Op.CALLDATALOAD(32))
+        + Op.CALLDATALOAD(0)
+        + While(
+            body=Op.MSTORE(
+                4, Op.DUP1
+            )  # Put a copy of the topmost stack item in memory (this is the target address)
+            + Op.CALL(address=xen_contract, args_offset=0, args_size=4 + 32 + 32)
+            + Op.ADD,  # Add the status of the CALL
+            # (this should always be 1 unless the `gas_threshold` is too low) to the stack item
+            # The address and thus target storage slot changes!
+            condition=Op.GT(Op.GAS, gas_threshold),
+        )
+    )
+
+    approval_spammer_contract = pre.deploy_contract(code=approval_loop_code)
+
+    sender = pre.fund_eoa()
+
+    blocks = []
+
+    # TODO: calculate these constants based on the gas limit of the benchmark test
+    start_address = 0x01
+    current_address = start_address
+    address_incr = 2000
+
+    approval_value_fresh = Hash(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE)
+    approval_value_overwrite = Hash(
+        0xDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDE
+    )
+
+    block_count = 10
+
+    for _ in range(block_count):
+        setup_calldata = Hash(current_address) + approval_value_fresh
+        setup_tx = Transaction(
+            to=approval_spammer_contract,
+            gas_limit=attack_gas_limit,
+            data=setup_calldata,
+            sender=sender,
+        )
+        blocks.append(Block(txs=[setup_tx]))
+
+        current_address += address_incr
+
+    attack_calldata = Hash(start_address) + approval_value_overwrite
+
+    attack_tx = Transaction(
+        to=approval_spammer_contract,
+        gas_limit=attack_gas_limit,
+        data=attack_calldata,
+        sender=sender,
+    )
+    blocks.append(Block(txs=[attack_tx]))
+
+    blockchain_test(
+        pre=pre,
+        post={},  # TODO: add sanity checks (succesful tx execution and no out-of-gas)
+        blocks=blocks,
+    )
+
+
 # TODO
 # The current test does only claimRank(1) and then waits `SECONDS_IN_DAY = 3_600 * 24;` plus 1
 # (see https://etherscan.io/token/0x06450dEe7FD2Fb8E39061434BAbCFC05599a6Fb8#code) and then