feat: replaced abi.decode with CCIPMessageDecoder lib

Author: vnavascues

foundry.toml

@@ -14,6 +14,10 @@ src = "src"
 test = "test"
 via_ir = true
 
+[profile.default.fuzz]
+max_test_rejects = 1_000_000 # Number of times `vm.assume` can fail
+runs = 1_000
+
 [fmt]
 bracket_spacing = true
 contract_new_lines = false

src/bridge/EnsoCCIPReceiver.sol

@@ -3,6 +3,7 @@ pragma solidity ^0.8.24;
 
 import { IEnsoCCIPReceiver } from "../interfaces/IEnsoCCIPReceiver.sol";
 import { IEnsoRouter, Token, TokenType } from "../interfaces/IEnsoRouter.sol";
+import { CCIPMessageDecoder } from "../libraries/CCIPMessageDecoder.sol";
 import { CCIPReceiver, Client } from "chainlink-ccip/applications/CCIPReceiver.sol";
 import { Ownable, Ownable2Step } from "openzeppelin-contracts/access/Ownable2Step.sol";
 import { IERC20, SafeERC20 } from "openzeppelin-contracts/token/ERC20/utils/SafeERC20.sol";
@@ -101,15 +102,6 @@ contract EnsoCCIPReceiver is IEnsoCCIPReceiver, CCIPReceiver, Ownable2Step, Paus
         }
     }
 
-    /// @inheritdoc IEnsoCCIPReceiver
-    function decodeMessageData(bytes calldata _data) external view returns (address, uint256, bytes memory) {
-        if (msg.sender != address(this)) {
-            revert IEnsoCCIPReceiver.EnsoCCIPReceiver_OnlySelf();
-        }
-        // Temporary approach; will be replaced by a safe inline decoder.
-        return abi.decode(_data, (address, uint256, bytes));
-    }
-
     /// @inheritdoc IEnsoCCIPReceiver
     function execute(address _token, uint256 _amount, bytes calldata _shortcutData) external {
         if (msg.sender != address(this)) {
@@ -159,6 +151,9 @@ contract EnsoCCIPReceiver is IEnsoCCIPReceiver, CCIPReceiver, Ownable2Step, Paus
         if (_errorCode == ErrorCode.PAUSED || _errorCode == ErrorCode.INSUFFICIENT_GAS) {
             return RefundKind.TO_RECEIVER;
         }
+        // Only refund directly to the receiver when the payload decodes successfully.
+        // If decoding fails (MALFORMED_MESSAGE_DATA), all fields (including `receiver`) must be treated as untrusted,
+        // since a malformed payload could spoof a plausible receiver address.
         if (
             _errorCode == ErrorCode.NO_TOKENS || _errorCode == ErrorCode.TOO_MANY_TOKENS
                 || _errorCode == ErrorCode.NO_TOKEN_AMOUNT || _errorCode == ErrorCode.MALFORMED_MESSAGE_DATA
@@ -216,15 +211,11 @@ contract EnsoCCIPReceiver is IEnsoCCIPReceiver, CCIPReceiver, Ownable2Step, Paus
             return (token, amount, receiver, shortcutData, ErrorCode.NO_TOKEN_AMOUNT, errorData);
         }
 
-        // Decode payload (temporary external helper; to be replaced by safe inline decoder)
+        // Decode payload
+        bool decodeSuccess;
         uint256 estimatedGas;
-        try this.decodeMessageData(_message.data) returns (
-            address decodedReceiver, uint256 decodedEstimatedGas, bytes memory decodedShortcutData
-        ) {
-            receiver = decodedReceiver;
-            estimatedGas = decodedEstimatedGas;
-            shortcutData = decodedShortcutData;
-        } catch {
+        (decodeSuccess, receiver, estimatedGas, shortcutData) = CCIPMessageDecoder.tryDecodeMessageData(_message.data);
+        if (!decodeSuccess) {
             return (token, amount, receiver, shortcutData, ErrorCode.MALFORMED_MESSAGE_DATA, errorData);
         }
 

src/interfaces/IEnsoCCIPReceiver.sol

@@ -100,15 +100,6 @@ interface IEnsoCCIPReceiver {
     /// @param shortcutData ABI-encoded call data for the Enso Shortcuts entrypoint.
     function execute(address token, uint256 amount, bytes calldata shortcutData) external;
 
-    /// @notice Temporary helper to decode `(address receiver, uint256 estimatedGas, bytes shortcutData)` from
-    ///         a CCIP message payload. Implementations may replace this with safe inline decoding later.
-    /// @dev SHOULD revert when called externally by non-self to avoid surfacing internals.
-    ///      Typical guard: `if (msg.sender != address(this)) revert EnsoCCIPReceiver_OnlySelf();`
-    function decodeMessageData(bytes calldata data)
-        external
-        view
-        returns (address receiver, uint256 estimatedGas, bytes memory shortcutData);
-
     /// @notice Pauses the CCIP receiver, disabling new incoming message execution until unpaused.
     /// @dev Only callable by the contract owner.
     function pause() external;

src/libraries/CCIPMessageDecoder.sol

@@ -0,0 +1,83 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.24;
+
+library CCIPMessageDecoder {
+    /// @dev Safe, non-reverting decoder for abi.encode(address,uint256,bytes) in MEMORY.
+    ///      Returns (ok, receiver, estimatedGas, shortcutData). On malformed input, ok=false.
+    ///      Layout: HEAD (96 bytes) = [receiver|estimatedGas|offset], TAIL at (base+off) = [len|bytes...].
+    function tryDecodeMessageData(bytes memory _data)
+        internal
+        pure
+        returns (bool success, address receiver, uint256 estimatedGas, bytes memory shortcutData)
+    {
+        // Need 3 head words (96) + 1 length word (32)
+        if (_data.length < 128) {
+            return (false, address(0), 0, bytes(""));
+        }
+
+        // Pointer to first head word
+        uint256 base;
+        assembly { base := add(_data, 32) }
+
+        uint256 off;
+        assembly ("memory-safe") {
+            // Address is right-aligned in the word → keep low 20 bytes
+            receiver := and(mload(base), 0x000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF)
+            estimatedGas := mload(add(base, 32))
+            off := mload(add(base, 64))
+        }
+
+        // Word-aligned offset?
+        if ((off & 31) != 0) {
+            return (false, address(0), 0, bytes(""));
+        }
+
+        uint256 baseLen = _data.length;
+
+        // Off must be at/after 3-word head and leave room for tail length word
+        // i.e.  off >= 96  &&  off <= baseLen - 32  (avoid off+32 overflow)
+        if (off < 96 || off > baseLen - 32) {
+            return (false, address(0), 0, bytes(""));
+        }
+
+        // Safe now to compute tail start (no overflow)
+        uint256 tailStart = off + 32;
+
+        // Read tail len
+        uint256 len;
+        assembly ("memory-safe") {
+            len := mload(add(base, off))
+        }
+
+        unchecked {
+            // Available bytes remaining after the tail length word
+            uint256 avail = baseLen - tailStart;
+
+            // Require len itself to fit in the available tail
+            if (len > avail) {
+                return (false, address(0), 0, bytes(""));
+            }
+
+            // Ceil32(len) and ensure padded bytes also fit (defensive; usually implied by len<=avail)
+            uint256 padded = (len + 31) & ~uint256(31);
+            if (padded > avail) {
+                return (false, address(0), 0, bytes(""));
+            }
+
+            // Allocate and copy exactly `len` bytes (ignore padding)
+            shortcutData = new bytes(len);
+            if (len != 0) {
+                assembly ("memory-safe") {
+                    let src := add(add(base, off), 32) // start of tail payload
+                    let dst := add(shortcutData, 32) // start of new bytes payload
+                        // Copy in 32-byte chunks up to padded boundary
+                    for { let i := 0 } lt(i, padded) { i := add(i, 32) } {
+                        mstore(add(dst, i), mload(add(src, i)))
+                    }
+                }
+            }
+        }
+
+        return (true, receiver, estimatedGas, shortcutData);
+    }
+}

test/unit/concrete/bridge/ensoCCIPReceiver/decodeMessageData.t.sol

@@ -6,7 +6,6 @@ import { EnsoReceiver } from "../../../../../src/delegate/EnsoReceiver.sol";
 import { TokenBalanceHelper } from "../../../../utils/TokenBalanceHelper.sol";
 import { EnsoReceiver_Unit_Concrete_Test } from "./EnsoReceiver.t.sol";
 import { console2 } from "forge-std-1.9.7/Test.sol";
-import { ReentrancyGuardTransient } from "openzeppelin-contracts/utils/ReentrancyGuardTransient.sol";
 
 contract EnsoReceiver_ExecuteMultiSend_SenderIsEnsoReceiver_Unit_Concrete_Test is
     EnsoReceiver_Unit_Concrete_Test,