The nonce should be incremented for each batch. Preferably, it should be done right at the start (after computing the pair address so that the global nonce for a pair can be accessed) to protect against re-entrancy attacks.

Eventually, we may want to include new public view methods to this Authentication contract and should use https://github.com/gnosis/util-contracts/blob/master/contracts/StorageAccessible.sol to do so. Unfortunately, this will require upgrading the util-contracts to be compatible with solc-0.7 beforehand. Thus, this has been extracted out as a separate task from #103.

Also investigate enabling sol->yul compilation for additional Yul optimizations.

Limit prices for smart contract orders (#122) can't be guaraneed with checks in the settlement contract. To ensure fairness, we want to give the option to a smart contract order of knowing the exact settlement price in the batch without the need of trusting the solvers.
We should check if a specific kind of function is called in a smart contract order (for example settle(uint256,uint256,bytes)) and have the settlement contract call the function including the right settlement price without involving the solver.
Determining the specific format and data of the "special" function is part of the task.

Fees should only be transferred out by authorized parties. Although, as @fedgiac pointed out, we can possibly do this with settle function, so we may not even need to add this (or we can just use the same access mechanism that is used by the settle function).

Write e2e tests for different order sizes and test how many orders can be settled for how much gas. This insight will be valuable to think about further use-cases like IDOs with semi-trusted operators.

One particularity is that solidity only allows stack-deepness of ?18? and it should be investigated whether this cases issues with our recursive implementation.

Test behavior of settlement function when integer overflow occurs in various places of the settlement function.

This would allow wallets that support eth_signTypedData to display order information in full to the user at signing time, so they know exactly what they are signing instead of just a bunch of bytes.

From a quick glance, it doesn't look like the operator is receiving fees. We could also be smart about it and have the fees be paid in the surplus token, so we trade even less with Uniswap.

This issue also captures the work of determining what exact fee mechanism we would like to use.

The settlement contract could potentially emit trade and clearing price logs.

Logs that can be included:

• Trade
• Interaction
• Settlement
• Order Cancellation

In order to very quickly check, whether an order violates the uniform clearing price, orders are assumed to be sorted by limit price. We need to also check it in the smart contract

This is step 3 in #102.

This task also includes determining what the collected fees should be within some potential rounding buffer.

Currently, only unit tests are setup. Once they are setup, test cases such as this should be part of the integration test suite and not unit test suite.

https://github.com/gnosis/oba-contracts/blob/a769ffffc8bb6559f6333284d48a9eebc7185967/test/GPv2Settlement.test.ts#L66-L98

The integration tests should:

• Deploy OZ ERC20 tokens
• Deploy Uniswap factory and pair
• Settle a batch with and without Uniswap
• Assert side effects:
  • Nonce is incremented
  • Uniswap reserves are updated (or not when not trading against Uniswap).
  • Orders have correct new balances
  • Contract has >= 0 balances for both tokens (fees)
  • 🎉 and 🤑

buidler has been re-branded to hardhat, we should update our repo to use the new npm module (as the buidler one is deprecated).

There are many instances of constants that can be pre-computed but aren't done automatically by the compiler that should replaced with their values for deployment:

• EIP712Domain type hash (GPv2Settlment constructor).
• Order type hash (GPv2Encoding constant, with local variable for compatibility with inline assembly).

We plan to invalidate an order after its execution by the solver by storing an "executed" flag in memory.
Orders with an expiration date in the past don't need to have the "used" flag set, as they can't be replayed anymore. There should be a way to use these expired orders as a form of "gas token" that can be released on request.

This would be a MAJOR gas saver over using abi.decode as we do now but would require updating to Solidity v0.7.5.

I ran this example (which is just the calldata reading part of the order decoding and already had very promising results:

// SPDX-License-Identifier: LGPL-3.0-or-newer
pragma solidity ^0.7.0;
pragma abicoder v2;

contract Decode {
    struct Order {
        uint8 sellTokenIndex;
        uint8 buyTokenIndex;
        uint256 sellAmount;
        uint256 buyAmount;
        uint32 validTo;
        uint32 nonce;
        uint256 tip;
        uint8 flags;
        uint256 executedAmount;
        uint8 v;
        bytes32 r;
        bytes32 s;
    }
    
    function test() external view returns (uint256 gasAbi, uint256 gasAsm) {
        (gasAbi, gasAsm) = this.testData(hex"ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacb");
    }
    
    function testData(bytes calldata data) external view returns (uint256 gasAbi, uint256 gasAsm) {
        Order memory orderAbi;
        (orderAbi, gasAbi) = testAbi(data);
        
        Order memory orderAsm;
        (orderAsm, gasAsm) = testAsm(data);
        
        require(orderAbi.sellTokenIndex == orderAsm.sellTokenIndex, "sellTokenIndex");
        require(orderAbi.buyTokenIndex == orderAsm.buyTokenIndex, "buyTokenIndex");
        require(orderAbi.sellAmount == orderAsm.sellAmount, "sellAmount");
        require(orderAbi.buyAmount == orderAsm.buyAmount, "buyAmount");
        require(orderAbi.validTo == orderAsm.validTo, "validTo");
        require(orderAbi.nonce == orderAsm.nonce, "nonce");
        require(orderAbi.tip == orderAsm.tip, "tip");
        require(orderAbi.flags == orderAsm.flags, "flags");
        require(orderAbi.executedAmount == orderAsm.executedAmount, "executedAmount");
        require(orderAbi.v == orderAsm.v, "v");
        require(orderAbi.r == orderAsm.r, "r");
        require(orderAbi.s == orderAsm.s, "s");
    }
    
    function testAbi(bytes calldata data) private view returns (Order memory order, uint256 gas_) {
        gas_ = gasleft();
        
        require(data.length == 204);
        
        order.sellTokenIndex = uint8(data[0]);
        order.buyTokenIndex = uint8(data[1]);
        order.sellAmount = abi.decode(data[2:], (uint256));
        order.buyAmount = abi.decode(data[34:], (uint256));
        order.validTo = uint32(
            abi.decode(data[66:], (uint256)) >> (256 - 32)
        );
        order.nonce = uint32(
            abi.decode(data[70:], (uint256)) >> (256 - 32)
        );
        order.tip = abi.decode(data[74:], (uint256));
        order.flags = uint8(data[106]);
        order.executedAmount = abi.decode(data[107:], (uint256));
        order.v = uint8(data[139]);
        order.r = abi.decode(data[140:], (bytes32));
        order.s = abi.decode(data[172:], (bytes32));
        
        gas_ = gas_ - gasleft();
    }
    
    function testAsm(bytes calldata data) private view returns (Order memory order, uint256 gas_) {
        gas_ = gasleft();
        
        require(data.length == 204);
        assembly {
            mstore(order, shr(248, calldataload(data.offset)))
            mstore(add(order, 32), shr(248, calldataload(add(data.offset, 1))))
            mstore(add(order, 64), calldataload(add(data.offset, 2)))
            mstore(add(order, 96), calldataload(add(data.offset, 34)))
            mstore(add(order, 128), shr(224, calldataload(add(data.offset, 66))))
            mstore(add(order, 160), shr(224, calldataload(add(data.offset, 70))))
            mstore(add(order, 192), calldataload(add(data.offset, 74)))
            mstore(add(order, 224), shr(248, calldataload(add(data.offset, 106))))
            mstore(add(order, 256), calldataload(add(data.offset, 107)))
            mstore(add(order, 288), shr(248, calldataload(add(data.offset, 139))))
            mstore(add(order, 320), calldataload(add(data.offset, 140)))
            mstore(add(order, 352), calldataload(add(data.offset, 172)))
        }
        
        gas_ = gas_ - gasleft();
    }
}

Reading from calldata went from:

• without solc optimizer: from 3984 gas/order using abi.decode to 350 gas/order using assembly { calldataload }
• with solc optimizer: from 2106 gas/order using abi.decode to 342 gas/order using assembly { calldataload }

The user-specified amount in an order is currently ignored, replaced by the minimum between allowance and current balance.

Two related issues on how the nonce of an order is handled.

The same order can be included multiple times in the list of orders matched in the batch, meaning that any order is in practice an unlimited order. This is because there is no check on whether the same nonce is reused in a batch. See
parseOrderBytes.

Similarly, if two signed orders with different, valid nonces are included for the same user, then both orders can be executed so that the order with the highest nonce is still valid in the next batch. It's enough to execute the order with the highest nonce first and then the one with the lowest. This is because the early, higher nonce is later overwritten by the later, lower nonce in markSettledOrders.

In order to safely guard access to user balances, EOAs should approve a withdrawal contract which is responsible for withdrawing sell amounts for verified orders.

The withdrawal contract should be:

• Created in the Settlement contract constructor.
• Only be callable by the Settlement contract.

All calls to external contracts (like transfer, retrieving balances, calls to Uniswap) should be enforced to use a limited amount of gas.
Orders that reach this threshold should be discarded.
We could also introduce a fee that the users pay if their orders are discarded.

This would allow us to see the impact of changes on gas costs of on-chain settlement.

Ethereum transactions and messages (at least with the Ethereum JSON RPC method) use a ``"\x19Ethereum Signed Message:\n" + len(message)` prefix to messages when signing.

This issue captures the work of investigating if we should require this scheme as well for signed orders.

We should read the chain ID in the smart contract and apply relay protection, this is so orders signed for Rinkeby aren't valid for mainnet.

So smart contract wallets can also place orders.

@fedgiac To fill in the details of smart contract wallet signing.

Implement on-chain order cancellation (incrementing a nonce for example). This is required so users can cancel orders without trusting that the operator will just stop using the signature.

This requires a more sophisticated uniswapPool.getReserves in the smart contract, as explained in the code

The trade settlement mechanism requires:

1. Transferring user funds from their address into the contract
2. Transferring contract funds from the contract to the users' addresses
3. Check that the amount of fees remaining is correct.

Define the role of "owner" of the contract, which is expected to appoint and dismiss solvers.
Define the role of "solver", who can call the settle function.

Tips should be derived from order and included in the transfer from users into settlement contract.

Between solving and the transaction being executed, the price movement is unpredictable and unavoidable. The smart contract should be able to intelligently filter out orders that do not overlap with the Uniswap exchange rate instead of failing.

The settlement contract should be able to make arbitrary calls to other contracts, as specified by a solver. Note that the withdrawer contract described in issue #121 should not be callable in this way.

Currently, a signed order is valid forever. But most likely customers would like to have their orders only valid until a certain point in time

The settlement contract should decode the orders for processing. As we have decided to use tightly packed order encoding (see #30) this process is non-trivial as there is no Solidity built-in for it.

The settlement contract needs to verify that the settlement price respects the Uniswap AMM price. The Uniswap price to use depends on whether the settlement required trading with the AMM:

• If it did not, then the Uniswap spot price is used.
• If it did, then the Uniswap effective price is used.

For either price, we need to verify that the clearing price + OBA fees is better than or equal to the Uniswap price.

More information can be found in the spec.

The idea proposed by @rmeissner is to use the EIP-712 signing hash as the order.digest value. This would make the order digest as seen by the contract unique per domain (therefore also unique per chain and settlement contract address).

This has the added benefit that we would only be wrapping the EIP-712 signing digest instead of having a separate signing scheme (which may be a bit confusing). Additionally, @rmeissner also mentioned that some wallets seem to keccak256 the message before signing, so this proposal would work in that situation as well. Furthermore, this would make this signature scheme more closely match the one in the Gnosis Safe, which is nice for consistency and the fact it is battle-tested.

The main downside is an additional keccak256 operation for recovering only in the eth_sign case.

The GPv2Settlement contract points to GPv2Authenticator which should be made upgradable via a proxy pattern.

Only externally owned addresses can create transactions in this exchange. This is a consequence of recovering the signer address using ecrecover.

We should let contracts create orders, possibly by implementing some signing standards like EIP1271 or EIP712. We might be able to reuse the signature verification code used by the Gnosis Safe.

We should use SafeERC20 library so that we can handle the different ERC20 behaviour that exists out there.

The encoding of the bytes representing the orders has a lot of padding. This padding could be removed to save some gas.

An example of tightly encoded data as input to a contract is the MultiSend.sol contract.

Now that orders can be cancelled on-chain, we should add a contract method to do so.

Should we use an owner/proxy pattern to allow future updates (could be given to the DAO) or make it "unstoppable" like Uniswap or GP?

In the latter case I'd advocate for using https://github.com/gnosis/util-contracts/blob/master/contracts/StorageAccessible.sol as a base contract.

Modify the settle function to work with a Uniswap path through ETH.
Decisions required: do we enforce some kind of optimality or do we let the solver pick whether to do a direct trade or a trade through ETH?

Each order's signature needs to verified in the settlement contract. Currently this is being done in the price calculation contract PreAMMBatcher.sol but should move to the settlement contract.

There used to be concerns on when exectly to free memory when using a gas token (see for example here). We should determine if this still applies for modern Solidity code and in case free memory at the right time.
This issue is particularly relevant for #124.

The equation for determining the price needs to be updated in order to work with buy orders and correctly account for fees. The spec is being updated with the most recent form of the equation.

The withdrawer contract stores user's approvals away from the settlement contract. This contract should be owned by the settlement contract and only called once at the beginning of settle to recover the funds that will be traded in the batch.

Maybe with buidler or truffle, the contracts should be deployable and we should investigate how to share these deployments with other projects.

The settlement contract needs to verify that a given order is not used more than once per settlement. This can be done by sorting orders, so each order can assert it comes after the previous one.