VAL-110 Ensure deposits go against callers (#110)

circlefin · Nov 30, 2022 · 7eac01b · 7eac01b
1 parent 7b9100d
commit 7eac01b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/contracts/Pool.sol b/contracts/Pool.sol
@@ -651,6 +651,7 @@ contract Pool is IPool, ERC20 {
         onlyCrankedPool
         returns (uint256 shares)
     {
+        require(msg.sender == receiver, "Pool: invalid receiver");
         shares = PoolLib.executeDeposit(
             asset(),
             address(this),
@@ -707,6 +708,7 @@ contract Pool is IPool, ERC20 {
         onlyCrankedPool
         returns (uint256 assets)
     {
+        require(msg.sender == receiver, "Pool: invalid receiver");
         assets = previewMint(shares);
         PoolLib.executeDeposit(
             asset(),

diff --git a/test/Pool.test.ts b/test/Pool.test.ts
@@ -137,6 +137,30 @@ describe("Pool", () => {
       // 91 shares at an exchange rate of 150 / 144 = 94.79 assets rounded down
       expect(await pool.maxWithdrawRequest(lenderB.address)).to.equal(94);
     });
+
+    it("depositing requires receiver address to be the same as caller", async () => {
+      const { pool, otherAccount, liquidityAsset, poolAdmin, otherAccounts } =
+        await loadFixture(loadPoolFixture);
+
+      const receiver = otherAccounts[otherAccounts.length - 1];
+      expect(receiver.address).to.not.equal(otherAccount.address);
+
+      await activatePool(pool, poolAdmin, liquidityAsset);
+
+      // Provide capital to lender
+      const depositAmount = 1000;
+      await liquidityAsset.mint(otherAccount.address, depositAmount);
+
+      // Approve the deposit
+      await liquidityAsset
+        .connect(otherAccount)
+        .approve(pool.address, depositAmount);
+
+      // Deposit against a different receiver
+      await expect(
+        pool.connect(otherAccount).deposit(depositAmount, receiver.address)
+      ).to.be.revertedWith("Pool: invalid receiver");
+    });
   });
 
   describe("mint()", async () => {
@@ -175,6 +199,30 @@ describe("Pool", () => {
         depositAmount
       );
     });
+
+    it("minting requires receiver address to be the same as caller", async () => {
+      const { pool, otherAccount, liquidityAsset, poolAdmin, otherAccounts } =
+        await loadFixture(loadPoolFixture);
+
+      const receiver = otherAccounts[otherAccounts.length - 1];
+      expect(receiver.address).to.not.equal(otherAccount.address);
+
+      await activatePool(pool, poolAdmin, liquidityAsset);
+
+      // Provide capital to lender
+      const depositAmount = 1000;
+      await liquidityAsset.mint(otherAccount.address, depositAmount);
+
+      // Approve the deposit
+      await liquidityAsset
+        .connect(otherAccount)
+        .approve(pool.address, depositAmount);
+
+      // Mint against a different receiver
+      await expect(
+        pool.connect(otherAccount).mint(depositAmount, receiver.address)
+      ).to.be.revertedWith("Pool: invalid receiver");
+    });
   });
 
   describe("previewDeposit()", async () => {