Coinbase / spend-permissions


Spend Permissions enable apps/third-party spenders to spend native tokens and ERC-20 tokens on behalf of users in a recurring way. This unlocks use cases that would otherwise be prohibited by the burden of requiring real-time signatures from users, such as frequent in-game spending, subscription payments, auto-renewals, asynchronous spends such as automated or event-based trading, and more.

Spend Permissions are designed to integrate with Coinbase Smart Wallet V1: a smart wallet adds the single `SpendPermissionManager` contract as an owner of the account, and can then use this gatekeeper to authorize third-party spenders to spend from the account within user-specified parameters. In addition to the spender, a spend permission specifies the start and end times that bound its validity, as well as an allowance and a recurring period duration; the spender may spend up to the allowance in each period. Users can revoke existing permissions at any time. While authorized spending of ERC-20s has long been supported by the allowance and permit mechanisms of token standards like ERC-20, the flexibility of smart contract wallets enables far broader programmability of these wallets and of the other logic they integrate with. Spend permissions are an early example of functionality that can be achieved within this new paradigm.
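As an added illustration, not code from the spend-permissions repository or the `SpendPermissionManager` contract, the following Python model captures the per-period accounting described above: a permission binds a spender, a token, an allowance, a period, a start and an end; a spend succeeds only inside the validity window, only while the permission is approved and not revoked, and only while cumulative spending in the current period stays within the allowance. The class and function names, the constructed sample permission, and the period-boundary rules (periods aligned to `start`, the final period truncated at `end`) are this model's assumptions, not a statement of the contract's behaviour.

```python
"""Reference model of per-period spend-permission accounting (added example).

Not the SpendPermissionManager contract: a small Python model of the
semantics described on the page. Period-boundary rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SpendPermission:
    account: str    # the smart wallet granting the permission
    spender: str    # the third party allowed to spend
    token: str      # token address, or a sentinel for the native token
    allowance: int  # max base units spendable per period
    period: int     # period length in seconds
    start: int      # first valid timestamp (inclusive)
    end: int        # first invalid timestamp (exclusive)


@dataclass(frozen=True)
class PeriodUsage:
    start: int  # first timestamp of this period
    end: int    # first timestamp after this period
    spent: int  # amount spent so far in this period


class SpendPermissionModel:
    """Tracks approval, revocation and per-period usage for permissions."""

    def __init__(self) -> None:
        self._approved: dict[SpendPermission, bool] = {}
        self._usage: dict[SpendPermission, PeriodUsage] = {}

    def approve(self, p: SpendPermission) -> None:
        if p.period <= 0 or p.start >= p.end or p.allowance <= 0:
            raise ValueError("malformed permission")
        self._approved[p] = True

    def revoke(self, p: SpendPermission) -> None:
        # The account may revoke at any time; later spends are refused.
        self._approved[p] = False

    def current_period(self, p: SpendPermission, now: int) -> PeriodUsage:
        """Locate the period containing `now` and the usage recorded in it."""
        if now < p.start or now >= p.end:
            raise ValueError("outside the permission's validity window")
        period_start = p.start + ((now - p.start) // p.period) * p.period
        # Model assumption: the final period is cut short at `end`.
        period_end = min(period_start + p.period, p.end)
        usage = self._usage.get(p)
        if usage is not None and usage.start == period_start:
            return usage
        # A new period: the allowance resets, nothing spent yet.
        return PeriodUsage(period_start, period_end, 0)

    def spend(self, p: SpendPermission, amount: int, now: int) -> PeriodUsage:
        """Record a spend, enforcing approval, validity window and allowance."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if not self._approved.get(p, False):
            raise PermissionError("permission not approved or already revoked")
        usage = self.current_period(p, now)
        if usage.spent + amount > p.allowance:
            raise ValueError(f"spend of {amount} exceeds remaining allowance "
                             f"{p.allowance - usage.spent} for this period")
        updated = PeriodUsage(usage.start, usage.end, usage.spent + amount)
        self._usage[p] = updated
        return updated


# Constructed sample: two full daily periods plus a half-day final period,
# with up to 100 units spendable per period.
DAY = 86_400
SAMPLE = SpendPermission(
    account="0xACCOUNT", spender="0xSPENDER", token="0xNATIVE",
    allowance=100, period=DAY, start=1_000, end=1_000 + 2 * DAY + DAY // 2,
)


def run_demo() -> dict:
    """Walk the sample permission through the cases a reviewer would check."""
    m = SpendPermissionModel()
    m.approve(SAMPLE)
    results = {}
    results["first"] = m.spend(SAMPLE, 60, now=1_000).spent
    try:
        m.spend(SAMPLE, 50, now=1_500)  # 60 + 50 would exceed 100
        results["over"] = "allowed"
    except ValueError:
        results["over"] = "refused"
    results["topped_up"] = m.spend(SAMPLE, 40, now=2_000).spent
    results["next_period"] = m.spend(SAMPLE, 1, now=1_000 + DAY).spent
    results["last_period_end"] = m.current_period(SAMPLE, 1_000 + 2 * DAY).end
    m.revoke(SAMPLE)
    try:
        m.spend(SAMPLE, 1, now=1_000 + DAY + 10)
        results["after_revoke"] = "allowed"
    except PermissionError:
        results["after_revoke"] = "refused"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The boundary cases the demo exercises (a spend that straddles the allowance, the reset at a period boundary, the truncated final period, spending at or after `end`, spending after revocation) are exactly the ones worth comparing against the real contract's tests when reviewing it.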

Prize distribution and scoring

  • Total Prize Pool: $75,000
  • Primary Prize Pool: $70,000
  • The prize distribution has 2 possible triggers:
    • If one or more valid medium severity findings are found, the total pot size is $25,000
    • If one or more valid high severity findings are found, the total pot size is $75,000
  • $5,000 of the prize pot is reserved for Low Severity findings. These reports are judged on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.
    • 1st: $2.5k
    • 2nd: $1.2k
    • 3rd: $625
    • 4th: $325
    • 5th: $325
  • Scoring is described on the competition scoring page.
  • Finding severities are described in detail on our docs page.

Documentation

Documentation can be found in the repository both directly in the source code and in several markdown files with sequence diagrams.

  • The primary dependency of the SpendPermissionManager contract is the Coinbase Smart Wallet V1, for which it is specifically designed.
  • The SpendPermissionManager is added as an owner of a smart contract wallet (“account”) and can thus make (a very restricted set of) calls on the account’s behalf.
  • Competitors are encouraged to understand these interactions and may benefit from understanding the broader context of ERC-4337 as the ecosystem to which SpendPermissionManager belongs.
  • The other relevant dependency is in the PublicERC6492Validator contract, which uses Solady’s implementation of ERC-6492, which has not yet been formally audited.

Scope

Build Instructions

  • This is a standard Foundry project.
  • Competitors will need to have Foundry installed; install dependencies with `forge install` and then build with `forge build`.
  • Basic PoC Test
    • All major and/or public functions have dedicated forge test files that should serve as solid boilerplate and test examples for further PoCs.
    • Shared test logic and state live in base contracts inherited by all test contracts (SpendPermissionManagerBase.sol, which itself inherits Base.sol), so every test can access them.
    • To expose private functions, MockSpendPermissionManager.sol inherits SpendPermissionManager.sol and wraps the private methods in public ones.

Out of scope

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.

Summary

Status: Completed

Total reward: $75,000

Findings submitted: 395

Start date: 30 Oct 2024 8:00pm (local time)

End date: 6 Nov 2024 8:00pm (local time)