Non authorized contracts can call the Bridge

Following the audit report we will allow any contract to call the bridge.
We will remove the mapping allowedContracts from AllowTokens and won't use checkWhitelisted in the Bridge

Author: pedro

bridge/contracts/AllowTokens.sol

@@ -14,7 +14,6 @@ contract AllowTokens is Initializable, UpgradableOwnable, UpgradableSecondary, I
 
     address constant private NULL_ADDRESS = address(0);
     uint256 constant public MAX_TYPES = 250;
-    mapping (address => bool) public allowedContracts;
     mapping (address => TokenInfo) public allowedTokens;
     mapping (uint256 => Limits) public typeLimits;
     address public bridge;
@@ -25,8 +24,6 @@ contract AllowTokens is Initializable, UpgradableOwnable, UpgradableSecondary, I
 
     event SetToken(address indexed _tokenAddress, uint256 _typeId);
     event AllowedTokenRemoved(address indexed _tokenAddress);
-    event AllowedContractAdded(address indexed _contractAddress);
-    event AllowedContractRemoved(address indexed _contractAddress);
     event TokenTypeAdded(uint256 indexed _typeId, string _typeDescription);
     event TypeLimitsChanged(uint256 indexed _typeId, Limits limits);
     event UpdateTokensTransfered(address indexed _tokenAddress, uint256 _lastDay, uint256 _spentToday);
@@ -136,16 +133,6 @@ contract AllowTokens is Initializable, UpgradableOwnable, UpgradableSecondary, I
         return typeDescriptions[index];
     }
 
-    function addAllowedContract(address _contract) external notNull(_contract) onlyOwner {
-        allowedContracts[_contract] = true;
-        emit AllowedContractAdded(_contract);
-    }
-
-    function removeAllowedContract(address _contract) external notNull(_contract) onlyOwner {
-        allowedContracts[_contract] = false;
-        emit AllowedContractRemoved(_contract);
-    }
-
     function isTokenAllowed(address token) public view notNull(token) returns (bool) {
         return allowedTokens[token].allowed;
     }

bridge/contracts/Bridge.sol

@@ -198,24 +198,16 @@ contract Bridge is Initializable, IBridge, IERC777Recipient, UpgradablePausable,
      */
     function receiveTokensTo(address tokenToUse, address to, uint256 amount) public {
         address sender = _msgSender();
-        checkWhitelisted(sender);
         //Transfer the tokens on IERC20, they should be already Approved for the bridge Address to use them
         IERC20(tokenToUse).safeTransferFrom(sender, address(this), amount);
         crossTokens(tokenToUse, sender, to, amount, "");
     }
 
-    function checkWhitelisted(address sender) private view {
-        if (sender.isContract()) {
-            require(allowTokens.allowedContracts(sender), "Bridge: from contract not whitelisted ");
-        }
-    }
-
     /**
      * Use network currency and cross it.
      */
     function depositTo(address to) external payable {
         address sender = _msgSender();
-        checkWhitelisted(sender);
         require(address(wrappedCurrency) != NULL_ADDRESS, "Bridge: wrappedCurrency empty");
         wrappedCurrency.deposit.value(msg.value)();
         crossTokens(address(wrappedCurrency), sender, to, msg.value, "");
@@ -238,8 +230,6 @@ contract Bridge is Initializable, IBridge, IERC777Recipient, UpgradablePausable,
         require(to == address(this), "Bridge: Not to this address");
         address tokenToUse = _msgSender();
         require(erc1820.getInterfaceImplementer(tokenToUse, _erc777Interface) != NULL_ADDRESS, "Bridge: Not ERC777 token");
-        //This can only be used with trusted contracts
-        checkWhitelisted(from);
         require(allowTokens.isTokenAllowed(tokenToUse), "Bridge: token not allowed");
         require(userData.length != 0 || !from.isContract(), "Bridge: Specify receiver address in data");
         address receiver = userData.length == 0 ? from : Utils.bytesToAddress(userData);

bridge/contracts/IAllowTokens.sol

@@ -28,8 +28,6 @@ interface IAllowTokens {
         uint256 typeId;
     }
 
-    function allowedContracts(address sender) external view returns (bool);
-
     function version() external pure returns (string memory);
 
     function getInfoAndLimits(address token) external view returns (TokenInfo memory info, Limits memory limit);

bridge/test/AllowTokens_test.js

@@ -437,39 +437,6 @@ contract('AllowTokens', async function (accounts) {
 
         });
 
-        describe('AllowedContracts', async function() {
-
-            it('should addAllowedContract', async function() {
-                assert.equal(false, (await this.allowTokens.allowedContracts(anotherAccount)));
-                await this.allowTokens.addAllowedContract(anotherAccount, { from: manager });
-                assert.equal(true, (await this.allowTokens.allowedContracts(anotherAccount)));
-            });
-
-            it('should removeAllowedContract', async function() {
-                await this.allowTokens.addAllowedContract(anotherAccount, { from: manager });
-                assert.equal(true, (await this.allowTokens.allowedContracts(anotherAccount)));
-                await this.allowTokens.removeAllowedContract(anotherAccount, { from: manager });
-                assert.equal(false, (await this.allowTokens.allowedContracts(anotherAccount)));
-            });
-
-            it('should fail if addAllowedContract caller is not the owner', async function() {
-                await utils.expectThrow(this.allowTokens.addAllowedContract(anotherAccount, { from: tokenDeployer }));
-            });
-
-            it('should fail if removeAllowedContract caller is not the owner', async function() {
-                await utils.expectThrow(this.allowTokens.removeAllowedContract(anotherAccount, { from: tokenDeployer }));
-            });
-
-            it('should fail if addAllowedContract with zero address', async function() {
-                await utils.expectThrow(this.allowTokens.addAllowedContract(utils.NULL_ADDRESS, { from: manager }));
-            });
-
-            it('should fail if removeAllowedContract with zero address', async function() {
-                await utils.expectThrow(this.allowTokens.removeAllowedContract(utils.NULL_ADDRESS, { from: manager }));
-            });
-
-        });
-
         describe('Ownable methods', async function() {
 
             it('Should renounce ownership', async function() {

bridge/test/Bridge_test.js

@@ -319,23 +319,17 @@ contract('Bridge', async function (accounts) {
             it('fail depositTo no wrapped currency set', async function () {
                 const amount = web3.utils.toWei('1');
                 const wrbtc = await WRBTC.new({ from: tokenOwner });
-                const decimals = (await wrbtc.decimals()).toString();
-                const symbol = await wrbtc.symbol();
 
                 await this.allowTokens.setToken(wrbtc.address, this.typeId, { from: bridgeManager });
-                const originalBalance = await web3.eth.getBalance(tokenOwner);
                 await utils.expectThrow(this.bridge.depositTo(anAccount, { from: tokenOwner, value: amount }));
             });
 
             it('call depositTo from a contract', async function () {
                 const amount = web3.utils.toWei('1');
                 const wrbtc = await WRBTC.new({ from: tokenOwner });
-                const decimals = (await wrbtc.decimals()).toString();
-                const symbol = await wrbtc.symbol();
                 const mockContract = await mockReceiveTokensCall.new(this.bridge.address)
                 await this.bridge.setWrappedCurrency(wrbtc.address, { from: bridgeManager });
                 await this.allowTokens.setToken(wrbtc.address, this.typeId, { from: bridgeManager });
-                await this.allowTokens.addAllowedContract(mockContract.address, { from: bridgeManager });
                 receipt = await mockContract.callDepositTo(anAccount, { from: tokenOwner, value: amount });
                 utils.checkRcpt(receipt);
 
@@ -345,17 +339,6 @@ contract('Bridge', async function (accounts) {
                 assert.equal(isKnownToken, true);
             });
 
-            it('fail call depositTo from a contract if not allowed', async function () {
-                const amount = web3.utils.toWei('1');
-                const wrbtc = await WRBTC.new({ from: tokenOwner });
-                const decimals = (await wrbtc.decimals()).toString();
-                const symbol = await wrbtc.symbol();
-                const mockContract = await mockReceiveTokensCall.new(this.bridge.address)
-                await this.bridge.setWrappedCurrency(wrbtc.address, { from: bridgeManager });
-                await this.allowTokens.setToken(wrbtc.address, this.typeId, { from: bridgeManager });
-                await utils.expectThrow(mockContract.callDepositTo(anAccount, { from: tokenOwner, value: amount }));
-            });
-
             it('receiveTokens approve and transferFrom for ERC777', async function () {
                 const amount = web3.utils.toWei('1000');
                 const granularity = '1000';
@@ -467,13 +450,12 @@ contract('Bridge', async function (accounts) {
                 assert.equal(isKnownToken, true);
             });
 
-            it('tokensReceived for ERC777 with whitelisted contract', async function () {
+            it('tokensReceived for ERC777 called with contract', async function () {
                 const amount = web3.utils.toWei('1000');
                 const granularity = '100';
                 const erc777 = await SideToken.new("ERC777", "777", tokenOwner, granularity, { from: tokenOwner });
                 await this.allowTokens.setToken(erc777.address, this.typeId.toString(), { from: bridgeManager });
                 const mockContract = await mockReceiveTokensCall.new(this.bridge.address);
-                await this.allowTokens.addAllowedContract(mockContract.address, { from: bridgeManager });
                 await erc777.mint(mockContract.address, amount, "0x", "0x", {from: tokenOwner });
                 const originalTokenBalance = await erc777.balanceOf(mockContract.address);
                 const userData = anAccount.toLowerCase();
@@ -826,21 +808,13 @@ contract('Bridge', async function (accounts) {
                 await utils.expectThrow(this.bridge.receiveTokensTo(newToken.address, tokenOwner, amount, { from: tokenOwner }));
             });
 
-            it('receiveTokens should work calling from an allowed contract', async function () {
+            it('receiveTokens should work calling from a contract', async function () {
                 let otherContract = await mockReceiveTokensCall.new(this.bridge.address);
-                this.allowTokens.addAllowedContract(otherContract.address, { from: bridgeManager });
                 const amount = web3.utils.toWei('1000');
                 await this.token.transfer(otherContract.address, amount, { from: tokenOwner });
                 await otherContract.callReceiveTokens(this.token.address, tokenOwner, amount);
             });
 
-            it('receiveTokens should reject calling from a contract', async function () {
-                let otherContract = await mockReceiveTokensCall.new(this.bridge.address);
-                const amount = web3.utils.toWei('1000');
-                await this.token.transfer(otherContract.address, amount, { from: tokenOwner });
-                await utils.expectThrow(otherContract.callReceiveTokens(this.token.address, tokenOwner, amount));
-            });
-
             it('rejects to receive tokens greater than  max tokens allowed 18 decimals', async function() {
                 let limit = await this.allowTokens.typeLimits(this.typeId);
                 let maxTokensAllowed = limit.max;