Forkchoice Ethereum Mainnet

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/**
 * @title  VANTAGE FlashLoanRouter
 * @notice Gnosis Safe module + all-protocol flash loan receiver.
 * @author gadget_saavy
 * Protocol support table:
 *
 *   Protocol      | Primitive      | Entry (we call)                     | Callback (called on us)
 *   --------------|----------------|-------------------------------------|------------------------------
 *   Aave V2       | Flash Loan     | LendingPool.flashLoan(...)          | executeOperation(address[],...)
 *   Aave V3       | Flash Loan     | Pool.flashLoan(...)                 | executeOperation(address[],...)
 *   Aave V3 Simp  | Flash Loan     | Pool.flashLoanSimple(...)           | executeOperation(address,...)
 *   Balancer V2   | Flash Loan     | Vault.flashLoan(...)                | receiveFlashLoan(...)
 *   Balancer V3   | Unlock Loan    | Vault.unlock(...)                   | unlockCallback(bytes)
 *   Uniswap V2    | Flash Swap     | Pair.swap(a,b,this,data)            | uniswapV2Call(...)
 *   Uniswap V3    | Flash          | Pool.flash(...)                     | uniswapV3FlashCallback(...)
 *   Uniswap V4    | Unlock Loan    | PoolManager.unlock(...)             | unlockCallback(bytes)
 *   SushiSwap     | Flash Swap     | Pair.swap(a,b,this,data)            | uniswapV2Call(...)
 *   Curve         | Swap only      | Router.exchange(...)                | (none — no flash primitive)
 *
 * Repayment per protocol:
 *   Aave V2/V3      → _approveMax(asset, pool, amount+premium)  [pool pulls after callback returns]
 *   Balancer V2     → safeTransfer(vault, amount+fee)           [vault checks balance after callback]
 *   Balancer V3     → settlement steps embedded in Step[]       [vault accounting unlock model]
 *   Uniswap V2      → transfer(pair, repay) embedded in Step[]  [pair checks invariant after callback]
 *   Uniswap V3      → transfer(pool, amount+fee) in Step[]      [pool checks balance after callback]
 *   Uniswap V4      → settlement steps embedded in Step[]       [PoolManager accounting unlock model]
 *   SushiSwap       → transfer(pair, repay) embedded in Step[]  [same as Uni V2]
 *
 * Callback payload format (abi.encode):
 *   (Step[], address[] sweepTokens, uint256 bribeWei)
 *
 * Author: gadget_saavy
 *
 * ─── EXECUTION FLOW [INVARIANT 2.1] ────────────────────────────────────────
 * [01] Enabled via Safe.enableModule(thisContract)
 * [02] executor calls executeArbitrage(kind, caller, target, value, callData, payload)
 * [03] Module calls Safe.execTransactionFromModuleReturnData(target, ...)
 * [04] Safe calls the protocol (Aave.flashLoan / Pair.swap / PoolManager.unlock / etc.)
 * [05] Protocol executes and calls back into this contract
 * [06] Callback: _validateCallback → _executeCalls → repay/approve → _disarm
 * [07] Control returns through Safe back to executeArbitrage
 * [08] _sweepProfits runs (all flash repayments are already settled at this point)
 * ────────────────────────────────────────────────────────────────────────────
 *
 * ─── SAFE-PROXY SECURITY ────────────────────────────────────────────────────
 * The Safe proxy is one-directional: we call IT (via execTransactionFromModule*).
 * IT must never call OUR callbacks. Two guards enforce this:
 *   A) _arm() rejects protocolCaller == safe unconditionally.
 *   B) _validateCallback() hard-rejects msg.sender == safe before any whitelist check.
 * This closes the attack vector where a Safe-signed transaction (bypassing our
 * executeArbitrage entry guard) could reach our callback logic.
 * ────────────────────────────────────────────────────────────────────────────
 */

// ─── Gnosis Safe interface ───────────────────────────────────────────────────
//
// execTransactionFromModuleReturnData is the correct function to use when we
// need revert reasons from inner calls to bubble up through the Safe.
// The older execTransactionFromModule drops revert data, making failures opaque.
//
interface ISafe {
    /**
     * @dev Execute a transaction from a module. Returns success/failure only.
     *      Revert data from the inner call is NOT accessible — use
     *      execTransactionFromModuleReturnData when you need the reason.
     */
    function execTransactionFromModule(
        address to,
        uint256 value,
        bytes memory data,
        uint8 operation
    ) external returns (bool success);

    /**
     * @dev Execute a transaction from a module and return the inner call's
     *      full return / revert data.  Use this in all production paths so
     *      protocol-level revert reasons surface to the caller.
     */
    function execTransactionFromModuleReturnData(
        address to,
        uint256 value,
        bytes memory data,
        uint8 operation
    ) external returns (bool success, bytes memory returnData);
}

// ─── Contract ────────────────────────────────────────────────────────────────

contract FlashLoanRouter {
    using SafeERC20 for IERC20;

    // =========================================================================
    // IMMUTABLES — set once at deployment, never change
    // =========================================================================

    address public immutable safe;           // Gnosis Safe proxy this module is enabled on
    address public immutable beneficiary;    // Profits swept here after each execution
    address public immutable executor;       // Only address allowed to call executeArbitrage*

    // ── Per-protocol flash provider addresses ────────────────────────────────
    // Each is individually whitelisted as a valid callback sender.
    // Zero address = not configured on this deployment (that callback will always
    // reject because address(0) can never be msg.sender in the EVM).
    address public immutable aaveV2Pool;       // Aave V2 LendingPool
    address public immutable aaveV3Pool;       // Aave V3 Pool
    address public immutable balancerV2Vault;  // Balancer V2 Vault
    address public immutable balancerV3Vault;  // Balancer V3 Vault (unlock-based)
    address public immutable uniV4PoolManager; // Uniswap V4 PoolManager (unlock-based)
    // UniV2 / UniV3 / SushiSwap: pairs/pools are dynamic per execution.
    // Validated via expectedCaller (set at _arm time to the specific pair/pool address).
    // Curve: no flash primitive — swap-step only, validated in Python before submission.

    // =========================================================================
    // FLASH KIND CONSTANTS
    // Must match FLASH_KIND_MAP in execution_manager.py exactly.
    // =========================================================================
    uint8 public constant FLASH_AAVE_V2        = 1;
    uint8 public constant FLASH_AAVE_V3        = 2;
    uint8 public constant FLASH_AAVE_V3_SIMPLE = 3;
    uint8 public constant FLASH_BALANCER_V2    = 4;
    uint8 public constant FLASH_BALANCER_V3    = 5;
    uint8 public constant FLASH_UNI_V2         = 6;
    uint8 public constant FLASH_UNI_V3         = 7;
    uint8 public constant FLASH_UNI_V4         = 8;
    uint8 public constant FLASH_SUSHI_V2       = 9;
    uint8 private constant FLASH_KIND_MAX      = 9;

    // =========================================================================
    // EPHEMERAL GUARDS — armed per-execution, disarmed in callback
    // =========================================================================
    address private _expectedCaller;      // Protocol/pair we expect to call us back
    bytes32 private _expectedPayloadHash; // keccak256 of callbackPayload; tamper guard
    uint8   private _activeFlashKind;     // Which flash primitive is active
    bool    private _active;             // True only inside an active execution window
    bool    private _executing;          // True while _executeCalls is running (blocks nested callbacks)

    // =========================================================================
    // REENTRANCY GUARD
    // =========================================================================
    uint256 private constant _NOT_ENTERED = 1;
    uint256 private constant _ENTERED     = 2;
    uint256 private _status;

    // =========================================================================
    // STRUCTS
    // =========================================================================

    /// @dev Token approval executed before a step's call.
    struct Approval {
        address token;       // ERC20 address; address(0) = native ETH, skip
        address spender;     // Allowance target (never address(this))
        uint256 minRequired; // Approve type(uint256).max if allowance < minRequired
    }

    /// @dev One atomic execution step inside the flash callback.
    struct Step {
        address   target;
        uint256   value;
        bytes     callData;
        Approval[] approvals; // Run in order before target.call
    }

    // =========================================================================
    // EVENTS
    // =========================================================================
    event ArbitrageExecuted(
        address indexed  safe,
        bytes32 indexed  payloadHash,
        uint8   indexed  flashKind
    );
    event Sweep(address indexed token, uint256 amount);

    // =========================================================================
    // CUSTOM ERRORS
    // ─── Access / state ───────────────────────────────────────────────────────
    error Unauthorized();          // msg.sender is not executor (entry points)
    error AlreadyEntered();        // Reentrancy guard tripped
    error NotArmed();              // Callback arrived with _active == false
    error PayloadMismatch();       // keccak256(payload) != _expectedPayloadHash
    error SafeCallbackBlocked();   // Safe proxy attempted to call a callback
    error BadCaller();             // msg.sender not in protocol whitelist
    error BadInitiator();          // Aave initiator is not safe (Safe path) or address(this) (direct path)
    error NestedCallback();        // _executeCalls called while already executing steps
    error CallbackNotFired();      // Protocol returned ok but _active still set
    error InvalidFlashKind();      // kind == 0 or > FLASH_KIND_MAX
    error CallerIsSafe();          // protocolCaller == safe passed to _arm
    // ─── Targets / spenders ───────────────────────────────────────────────────
    error BadTarget(uint256 step); // Step targets zero address, this contract, or safe
    error BadSpender();            // Approval spender is zero or this contract
    // ─── Call failures ────────────────────────────────────────────────────────
    // NOTE: when inner calls fail WITH revert data, the data is bubbled via
    // assembly inline revert — the typed errors below are only emitted when
    // there is NO revert data (e.g. out-of-gas in the callee).
    error ProtocolCallFailed();    // execTransactionFromModuleReturnData returned false, no data
    error DirectCallFailed();      // direct protocolTarget.call failed, no data
    error StepFailed(uint256 step); // step.call failed, no data
    // ─── Financial ────────────────────────────────────────────────────────────
    error BribeFailed();
    error EthSweepFailed();
    // ─── Constructor ──────────────────────────────────────────────────────────
    error ZeroAddress(string field);
    error AddressConflict(string field);

    // =========================================================================
    // MODIFIERS
    // =========================================================================
    modifier nonReentrant() {
        if (_status == _ENTERED) revert AlreadyEntered();
        _status = _ENTERED;
        _;
        _status = _NOT_ENTERED;
    }

    modifier onlyExecutor() {
        if (msg.sender != executor) revert Unauthorized();
        _;
    }

    // =========================================================================
    // CONSTRUCTOR
    // =========================================================================
    constructor(
        address _safe,
        address _beneficiary,
        address _executor,
        address _aaveV2Pool,
        address _aaveV3Pool,
        address _balancerV2Vault,
        address _balancerV3Vault,
        address _uniV4PoolManager
    ) {
        // ── Zero-address guards ──────────────────────────────────────────────
        if (_safe        == address(0)) revert ZeroAddress("safe");
        if (_beneficiary == address(0)) revert ZeroAddress("beneficiary");
        if (_executor    == address(0)) revert ZeroAddress("executor");

        // ── Conflict guards ──────────────────────────────────────────────────
        // executor is the trusted EOA; must be separate from everything.
        if (_executor == _safe)            revert AddressConflict("executor==safe");
        if (_executor == address(this))    revert AddressConflict("executor==this");
        if (_executor == _beneficiary)     revert AddressConflict("executor==beneficiary");

        // safe (the proxy) must be a distinct contract from this module.
        if (_safe == address(this))        revert AddressConflict("safe==this");

        // beneficiary must not be this contract (funds would be locked forever).
        // beneficiary == safe is allowed: profits sweeping to the Safe is valid.
        if (_beneficiary == address(this)) revert AddressConflict("beneficiary==this");

        // Protocol addresses are allowed to be zero if not used on this chain.
        safe             = _safe;
        beneficiary      = _beneficiary;
        executor         = _executor;
        aaveV2Pool       = _aaveV2Pool;
        aaveV3Pool       = _aaveV3Pool;
        balancerV2Vault  = _balancerV2Vault;
        balancerV3Vault  = _balancerV3Vault;
        uniV4PoolManager = _uniV4PoolManager;
        _status          = _NOT_ENTERED;
    }

    receive() external payable {}

    // =========================================================================
    // [A] EXECUTOR ENTRY POINTS
    // =========================================================================

    /**
     * @notice Primary execution path. Routes protocol call through the Gnosis Safe.
     *
     * Uses execTransactionFromModuleReturnData so that any revert from the
     * protocol or from our own callback bubbles up as the real revert reason,
     * rather than being swallowed by the Safe.
     *
     * @param kind             Protocol constant (FLASH_AAVE_V2 … FLASH_SUSHI_V2).
     * @param protocolCaller   Address that will invoke our callback (set as _expectedCaller).
     *                         For fixed-pool protocols (Aave V2/V3, Balancer V2, Uni V4):
     *                           same as protocolTarget.
     *                         For dynamic-pool protocols (UniV2/V3/Sushi pair/pool):
     *                           the specific pair or pool address for this trade.
     *                         MUST NOT be the Safe address.
     * @param protocolTarget   Contract the Safe will call (Aave pool, Balancer vault, etc.).
     *                         MUST NOT be address(this) or address(0).
     * @param value            ETH value forwarded in the protocol call.
     * @param protocolCallData ABI-encoded protocol entry (flashLoan / swap / unlock / etc.).
     * @param callbackPayload  abi.encode(Step[], address[] sweepTokens, uint256 bribeWei).
     */
    function executeArbitrage(
        uint8   kind,
        address protocolCaller,
        address protocolTarget,
        uint256 value,
        bytes calldata protocolCallData,
        bytes calldata callbackPayload
    ) external onlyExecutor nonReentrant returns (bool) {
        // Sanity checks on the target before arming.
        // Safe is explicitly blocked: the relationship is one-directional — we call the
        // Safe, the Safe calls the protocol. Routing a protocol call back into the Safe
        // would create a recursive/confusing execution trace.
        if (
            protocolTarget == address(0) ||
            protocolTarget == address(this) ||
            protocolTarget == safe
        ) revert BadTarget(0);

        _arm(kind, protocolCaller, callbackPayload);

        // Route through the Safe. execTransactionFromModuleReturnData gives us the
        // inner call's return/revert data so failures are surfaced, not swallowed.
        (bool ok, bytes memory retData) = ISafe(safe).execTransactionFromModuleReturnData(
            protocolTarget,
            value,
            protocolCallData,
            0 // Enum.Operation.Call
        );

        if (!ok) {
            // Bubble up the revert reason from inside the protocol call or our callback.
            // If the protocol reverted with a message, this surfaces it exactly.
            _bubble(retData, abi.encodeWithSelector(ProtocolCallFailed.selector));
        }

        // The callback MUST have disarmed by now. If still armed, the flash
        // provider returned without calling our callback — bad calldata or
        // mismatched kind.
        if (_active) revert CallbackNotFired();

        // Sweep profits AFTER flash settlement is fully complete.
        _sweepProfits(callbackPayload);
        return true;
    }

    /**
     * @notice Alternate execution path. Calls the protocol directly (not via Safe).
     *
     * Used when this contract itself must be the initiator (e.g. certain unlock
     * flows where the Safe cannot be the outer caller).  All security invariants
     * are identical to executeArbitrage; only the call routing differs.
     */
    function executeArbitrageDirectly(
        uint8   kind,
        address protocolCaller,
        address protocolTarget,
        uint256 value,
        bytes calldata protocolCallData,
        bytes calldata callbackPayload
    ) external onlyExecutor nonReentrant returns (bool) {
        if (
            protocolTarget == address(0) ||
            protocolTarget == address(this) ||
            protocolTarget == safe
        ) revert BadTarget(0);

        _arm(kind, protocolCaller, callbackPayload);

        (bool ok, bytes memory retData) = protocolTarget.call{value: value}(protocolCallData);

        if (!ok) {
            _bubble(retData, abi.encodeWithSelector(DirectCallFailed.selector));
        }

        if (_active) revert CallbackNotFired();

        _sweepProfits(callbackPayload);
        return true;
    }

    // =========================================================================
    // [B] AAVE V2 + AAVE V3 — executeOperation (array / multi-asset form)
    //
    // Aave V2 LendingPool and Aave V3 Pool share the IDENTICAL callback signature.
    // Differentiated at runtime by msg.sender:
    //   msg.sender == aaveV2Pool → Aave V2 LendingPool
    //   msg.sender == aaveV3Pool → Aave V3 Pool
    //
    // Repayment: _approveMax(asset, pool, amount+premium) for each asset.
    //   Aave pulls via transferFrom AFTER our callback returns true.
    //   Sweep runs in executeArbitrage after the Safe call completes
    //   (i.e. after Aave has already pulled its repayment).
    // =========================================================================
    function executeOperation(
        address[] calldata assets,
        uint256[] calldata amounts,
        uint256[] calldata premiums,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        _validateCallback(params);

        // Exactly one of the two Aave pools may call this, and only when armed for V2 or V3.
        if (msg.sender != aaveV2Pool && msg.sender != aaveV3Pool) revert BadCaller();
        if (_activeFlashKind != FLASH_AAVE_V2 && _activeFlashKind != FLASH_AAVE_V3)
            revert InvalidFlashKind();

        // Initiator is whoever called Aave's flashLoan:
        //   executeArbitrage path        → Safe called flashLoan   → initiator == safe
        //   executeArbitrageDirectly path → module called flashLoan → initiator == address(this)
        //   executor EOA path            → EOA called flashLoan    → initiator == executor
        if (initiator != safe && initiator != address(this) && initiator != executor)
            revert BadInitiator();

        _executeCalls(params);

        // Approve the calling pool to pull repayment.
        // Aave V2/V3 both pull via transferFrom AFTER this callback returns.
        address callingPool = msg.sender;
        for (uint256 i = 0; i < assets.length; i++) {
            _approveMax(assets[i], callingPool, amounts[i] + premiums[i]);
        }

        _disarm();
        return true;
    }

    // =========================================================================
    // [C] AAVE V3 ONLY — executeOperation (single-asset / flashLoanSimple form)
    //
    // Aave V2 does not have flashLoanSimple; this overload is V3-exclusive.
    // Repayment: _approveMax(asset, aaveV3Pool, amount+premium).
    // =========================================================================
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        _validateCallback(params);

        if (msg.sender != aaveV3Pool) revert BadCaller();
        if (_activeFlashKind != FLASH_AAVE_V3_SIMPLE) revert InvalidFlashKind();
        if (initiator != safe && initiator != address(this) && initiator != executor)
            revert BadInitiator();

        _executeCalls(params);

        _approveMax(asset, aaveV3Pool, amount + premium);

        _disarm();
        return true;
    }

    // =========================================================================
    // [D] BALANCER V2 — receiveFlashLoan
    //
    // Vault.flashLoan(recipient, tokens[], amounts[], userData) calls this.
    // Repayment: safeTransfer(vault, amount + feeAmount) for each token.
    //   Vault re-checks its own balance after this callback returns;
    //   insufficient transfer → Vault reverts with BAL#xxx.
    // =========================================================================
    function receiveFlashLoan(
        IERC20[]  calldata tokens,
        uint256[] calldata amounts,
        uint256[] calldata feeAmounts,
        bytes     calldata userData
    ) external {
        _validateCallback(userData);

        if (msg.sender != balancerV2Vault) revert BadCaller();
        if (_activeFlashKind != FLASH_BALANCER_V2) revert InvalidFlashKind();

        _executeCalls(userData);

        for (uint256 i = 0; i < tokens.length; i++) {
            tokens[i].safeTransfer(balancerV2Vault, amounts[i] + feeAmounts[i]);
        }

        _disarm();
        // Sweep runs in executeArbitrage after Balancer re-validates its vault balance.
    }

    // =========================================================================
    // [E] BALANCER V3 + UNISWAP V4 — unlockCallback
    //
    // Both Balancer V3 Vault and Uniswap V4 PoolManager use unlockCallback(bytes).
    // Differentiated by msg.sender:
    //   msg.sender == balancerV3Vault  → Balancer V3 unlock
    //   msg.sender == uniV4PoolManager → Uniswap V4 unlock
    //
    // Settlement is EMBEDDED in Step[]:
    //   Balancer V3: steps include vault.sendTo() + vault.settle()
    //   Uniswap V4:  steps include poolManager.take() + poolManager.settle()
    // The off-chain encoder is solely responsible for constructing correct
    // settlement steps. This contract only executes what it is given.
    // =========================================================================
    function unlockCallback(bytes calldata data)
        external
        returns (bytes memory)
    {
        _validateCallback(data);

        if (msg.sender != balancerV3Vault && msg.sender != uniV4PoolManager)
            revert BadCaller();
        if (_activeFlashKind != FLASH_BALANCER_V3 && _activeFlashKind != FLASH_UNI_V4)
            revert InvalidFlashKind();

        _executeCalls(data);

        _disarm();
        return bytes("");
    }

    // =========================================================================
    // [F] UNISWAP V2 / SUSHISWAP — uniswapV2Call
    //
    // Triggered by Pair.swap(amount0Out, amount1Out, recipient=this, data) when
    // data is non-empty. msg.sender = the specific pair (set as _expectedCaller
    // at _arm time).
    //
    // `sender` param = the address that called Pair.swap:
    //   executeArbitrage path        → Safe called swap    → sender == safe
    //   executeArbitrageDirectly     → module called swap  → sender == address(this)
    //   executor EOA                 → EOA called swap     → sender == executor
    //
    // Repayment: embedded as the last Step in the payload. The off-chain encoder
    //   calculates repayAmount = ceil(borrowed * 1000 / 997) and appends a
    //   transfer(pair, repayAmount) step. The pair checks its own invariant
    //   AFTER this callback returns.
    // =========================================================================
    function uniswapV2Call(
        address sender,
        uint256 /*amount0*/,
        uint256 /*amount1*/,
        bytes calldata data
    ) external {
        _validateCallback(data);

        // msg.sender must be the exact pair we armed against
        if (msg.sender != _expectedCaller) revert BadCaller();
        if (_activeFlashKind != FLASH_UNI_V2 && _activeFlashKind != FLASH_SUSHI_V2)
            revert InvalidFlashKind();

        // sender is whoever called pair.swap — module (direct), Safe (via route), or executor EOA
        if (sender != safe && sender != address(this) && sender != executor) revert BadCaller();

        // Repayment transfer is the final step; _executeCalls handles it
        _executeCalls(data);

        _disarm();
    }

    // =========================================================================
    // [G] UNISWAP V3 — uniswapV3FlashCallback
    //
    // Triggered by Pool.flash(recipient=this, amount0, amount1, data).
    // msg.sender = the specific pool (set as _expectedCaller at _arm time).
    //
    // fee0 / fee1 are informational; the off-chain encoder pre-computes
    // repayN = amountN + ceil(amountN * feeTier / 1e6) and embeds a
    // transfer(pool, repayN) step for each non-zero amount.
    // The pool checks token balances AFTER this callback returns.
    // =========================================================================
    function uniswapV3FlashCallback(
        uint256 /*fee0*/,
        uint256 /*fee1*/,
        bytes calldata data
    ) external {
        _validateCallback(data);

        if (msg.sender != _expectedCaller) revert BadCaller();
        if (_activeFlashKind != FLASH_UNI_V3) revert InvalidFlashKind();

        _executeCalls(data);

        _disarm();
    }

    // =========================================================================
    // INTERNAL — ARM
    //
    // Sets all ephemeral guards before the protocol call is made.
    // Validated on every entry to a callback via _validateCallback.
    // =========================================================================
    function _arm(
        uint8   kind,
        address caller,
        bytes calldata payload
    ) internal {
        if (kind == 0 || kind > FLASH_KIND_MAX) revert InvalidFlashKind();

        // The Safe proxy must NEVER be the expected callback source.
        // The Safe is our outbound relay — the relationship is strictly:
        //   executeArbitrage → Safe.execTransactionFromModuleReturnData → protocol → callback
        // If caller == safe, any Safe-signed transaction could trigger our
        // callbacks without going through executeArbitrage first.
        if (caller == safe) revert CallerIsSafe();

        _activeFlashKind     = kind;
        _expectedCaller      = caller;
        _expectedPayloadHash = keccak256(payload);
        _active              = true;
    }

    // =========================================================================
    // INTERNAL — VALIDATE CALLBACK
    //
    // Called at the top of EVERY callback handler. Enforces:
    //   1. Execution window is active (armed by executeArbitrage).
    //   2. Safe proxy is unconditionally rejected as callback source —
    //      defense-in-depth even if some code path were to set _expectedCaller
    //      incorrectly, the Safe can never pass this gate.
    //   3. msg.sender is in the static protocol whitelist OR is the dynamic
    //      _expectedCaller (for pair/pool-level protocols).
    //   4. Payload hash matches what was committed at arm time.
    //
    // Individual callbacks may add further per-function sender checks.
    // =========================================================================
    function _validateCallback(bytes calldata payload) internal view {
        // Gate 1 — execution window
        if (!_active) revert NotArmed();

        // Gate 2 — hard-block Safe proxy, unconditionally and first
        if (msg.sender == safe) revert SafeCallbackBlocked();

        // Gate 3 — whitelist: static protocol addresses + dynamic _expectedCaller
        bool validSender = (
            msg.sender == aaveV2Pool        ||
            msg.sender == aaveV3Pool        ||
            msg.sender == balancerV2Vault   ||
            msg.sender == balancerV3Vault   ||
            msg.sender == uniV4PoolManager  ||
            msg.sender == _expectedCaller
        );
        if (!validSender) revert BadCaller();

        // Gate 4 — payload integrity
        if (keccak256(payload) != _expectedPayloadHash) revert PayloadMismatch();
    }

    // =========================================================================
    // INTERNAL — APPROVE MAX  (SafeERC20 + USDT-safe)
    // =========================================================================
    function _approveMax(
        address token,
        address spender,
        uint256 minRequired
    ) internal {
        if (token   == address(0))    return;          // native ETH — no approval needed
        if (spender == address(0))    revert BadSpender();
        if (spender == address(this)) revert BadSpender(); // self-approval is always a bug

        IERC20 t = IERC20(token);
        if (t.allowance(address(this), spender) >= minRequired) return;

        // forceApprove handles USDT's non-standard reset-to-zero requirement
        t.forceApprove(spender, type(uint256).max);
    }

    // =========================================================================
    // INTERNAL — EXECUTE CALLS
    //
    // Decodes Step[] from the callback payload and runs each step in sequence:
    //   1. Per-step approvals via _approveMax (before the call).
    //   2. Direct call from this module — module is msg.sender.
    //      Funds (flash-borrowed tokens) sit in this module; DEX routers/pools
    //      pull them via transferFrom using allowances set in step 1.
    //   3. On failure WITH revert data  → inline assembly revert (bubbles reason)
    //      On failure WITHOUT revert data → typed StepFailed(i) error
    //
    // Why direct calls and NOT via Safe.execTransactionFromModule:
    //   The protocol already called this callback because Safe called the protocol
    //   (step [03] in the execution flow). Inside the callback the module is the
    //   active context and holds all flash-borrowed tokens. Routing swap steps back
    //   through the Safe would make the Safe msg.sender for DEX calls, but DEX
    //   routers use msg.sender as the token-pull address — not this module — which
    //   breaks transferFrom since the Safe has no tokens and no approvals.
    //
    // Does NOT disarm or sweep — those happen in the calling callback.
    // =========================================================================
    function _executeCalls(bytes calldata params) internal {
        if (_executing) revert NestedCallback();
        _executing = true;

        (Step[] memory steps, , ) = abi.decode(params, (Step[], address[], uint256));

        uint256 n = steps.length;
        for (uint256 i = 0; i < n; i++) {
            Step memory s = steps[i];

            // Never allow a step to call zero address, this contract, or the Safe.
            if (
                s.target == address(0) ||
                s.target == address(this) ||
                s.target == safe
            ) revert BadTarget(i);

            // Run per-step approvals before the call
            uint256 m = s.approvals.length;
            for (uint256 j = 0; j < m; j++) {
                _approveMax(
                    s.approvals[j].token,
                    s.approvals[j].spender,
                    s.approvals[j].minRequired
                );
            }

            // Execute directly from this module; bubble any revert reason
            (bool ok, bytes memory retData) = s.target.call{value: s.value}(s.callData);
            if (!ok) {
                _bubble(retData, abi.encodeWithSelector(StepFailed.selector, i));
            }
        }

        _executing = false;
    }

    // =========================================================================
    // INTERNAL — DISARM
    // =========================================================================
    function _disarm() internal {
        _active = false;
        emit ArbitrageExecuted(safe, _expectedPayloadHash, _activeFlashKind);
    }

    // =========================================================================
    // INTERNAL — SWEEP PROFITS + MEV BRIBE
    //
    // Runs in executeArbitrage* AFTER the Safe call returns and all flash
    // settlements are complete:
    //   Aave     — pool already pulled repayment via transferFrom
    //   Balancer — we transferred amount+fee inside receiveFlashLoan
    //   Others   — settlement embedded in steps, finished before callback returned
    //
    // Order: bribe first (tips the builder), then ERC20s, then any ETH residue.
    // =========================================================================
    function _sweepProfits(bytes calldata params) internal {
        (, address[] memory sweepTokens, uint256 bribe) =
            abi.decode(params, (Step[], address[], uint256));

        // MEV builder tip — pay coinbase before anything else
        if (bribe > 0) {
            (bool bribed, ) = block.coinbase.call{value: bribe}("");
            if (!bribed) revert BribeFailed();
        }

        // ERC20 profit sweep
        uint256 n = sweepTokens.length;
        for (uint256 i = 0; i < n; i++) {
            address token = sweepTokens[i];
            if (token == address(0)) continue;
            uint256 bal = IERC20(token).balanceOf(address(this));
            if (bal > 0) {
                IERC20(token).safeTransfer(beneficiary, bal);
                emit Sweep(token, bal);
            }
        }

        // ETH residue sweep
        uint256 ethBal = address(this).balance;
        if (ethBal > 0) {
            (bool sent, ) = payable(beneficiary).call{value: ethBal}("");
            if (!sent) revert EthSweepFailed();
        }
    }

    // =========================================================================
    // INTERNAL — BUBBLE REVERT DATA
    //
    // If `data` is non-empty, re-revert with it verbatim so the caller sees the
    // original reason (whether it's a string, a custom error, or a panic code).
    // If `data` is empty (out-of-gas or similar), revert with `fallback`.
    // =========================================================================
    function _bubble(bytes memory data, bytes memory fallback_) internal pure {
        if (data.length > 0) {
            assembly {
                revert(add(data, 32), mload(data))
            }
        }
        assembly {
            revert(add(fallback_, 32), mload(fallback_))
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.3.0) (token/ERC20/utils/SafeERC20.sol)

pragma solidity ^0.8.20;

import {IERC20} from "../IERC20.sol";
import {IERC1363} from "../../../interfaces/IERC1363.sol";

/**
 * @title SafeERC20
 * @dev Wrappers around ERC-20 operations that throw on failure (when the token
 * contract returns false). Tokens that return no value (and instead revert or
 * throw on failure) are also supported, non-reverting calls are assumed to be
 * successful.
 * To use this library you can add a `using SafeERC20 for IERC20;` statement to your contract,
 * which allows you to call the safe operations as `token.safeTransfer(...)`, etc.
 */
library SafeERC20 {
    /**
     * @dev An operation with an ERC-20 token failed.
     */
    error SafeERC20FailedOperation(address token);

    /**
     * @dev Indicates a failed `decreaseAllowance` request.
     */
    error SafeERC20FailedDecreaseAllowance(address spender, uint256 currentAllowance, uint256 requestedDecrease);

    /**
     * @dev Transfer `value` amount of `token` from the calling contract to `to`. If `token` returns no value,
     * non-reverting calls are assumed to be successful.
     */
    function safeTransfer(IERC20 token, address to, uint256 value) internal {
        _callOptionalReturn(token, abi.encodeCall(token.transfer, (to, value)));
    }

    /**
     * @dev Transfer `value` amount of `token` from `from` to `to`, spending the approval given by `from` to the
     * calling contract. If `token` returns no value, non-reverting calls are assumed to be successful.
     */
    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
        _callOptionalReturn(token, abi.encodeCall(token.transferFrom, (from, to, value)));
    }

    /**
     * @dev Variant of {safeTransfer} that returns a bool instead of reverting if the operation is not successful.
     */
    function trySafeTransfer(IERC20 token, address to, uint256 value) internal returns (bool) {
        return _callOptionalReturnBool(token, abi.encodeCall(token.transfer, (to, value)));
    }

    /**
     * @dev Variant of {safeTransferFrom} that returns a bool instead of reverting if the operation is not successful.
     */
    function trySafeTransferFrom(IERC20 token, address from, address to, uint256 value) internal returns (bool) {
        return _callOptionalReturnBool(token, abi.encodeCall(token.transferFrom, (from, to, value)));
    }

    /**
     * @dev Increase the calling contract's allowance toward `spender` by `value`. If `token` returns no value,
     * non-reverting calls are assumed to be successful.
     *
     * IMPORTANT: If the token implements ERC-7674 (ERC-20 with temporary allowance), and if the "client"
     * smart contract uses ERC-7674 to set temporary allowances, then the "client" smart contract should avoid using
     * this function. Performing a {safeIncreaseAllowance} or {safeDecreaseAllowance} operation on a token contract
     * that has a non-zero temporary allowance (for that particular owner-spender) will result in unexpected behavior.
     */
    function safeIncreaseAllowance(IERC20 token, address spender, uint256 value) internal {
        uint256 oldAllowance = token.allowance(address(this), spender);
        forceApprove(token, spender, oldAllowance + value);
    }

    /**
     * @dev Decrease the calling contract's allowance toward `spender` by `requestedDecrease`. If `token` returns no
     * value, non-reverting calls are assumed to be successful.
     *
     * IMPORTANT: If the token implements ERC-7674 (ERC-20 with temporary allowance), and if the "client"
     * smart contract uses ERC-7674 to set temporary allowances, then the "client" smart contract should avoid using
     * this function. Performing a {safeIncreaseAllowance} or {safeDecreaseAllowance} operation on a token contract
     * that has a non-zero temporary allowance (for that particular owner-spender) will result in unexpected behavior.
     */
    function safeDecreaseAllowance(IERC20 token, address spender, uint256 requestedDecrease) internal {
        unchecked {
            uint256 currentAllowance = token.allowance(address(this), spender);
            if (currentAllowance < requestedDecrease) {
                revert SafeERC20FailedDecreaseAllowance(spender, currentAllowance, requestedDecrease);
            }
            forceApprove(token, spender, currentAllowance - requestedDecrease);
        }
    }

    /**
     * @dev Set the calling contract's allowance toward `spender` to `value`. If `token` returns no value,
     * non-reverting calls are assumed to be successful. Meant to be used with tokens that require the approval
     * to be set to zero before setting it to a non-zero value, such as USDT.
     *
     * NOTE: If the token implements ERC-7674, this function will not modify any temporary allowance. This function
     * only sets the "standard" allowance. Any temporary allowance will remain active, in addition to the value being
     * set here.
     */
    function forceApprove(IERC20 token, address spender, uint256 value) internal {
        bytes memory approvalCall = abi.encodeCall(token.approve, (spender, value));

        if (!_callOptionalReturnBool(token, approvalCall)) {
            _callOptionalReturn(token, abi.encodeCall(token.approve, (spender, 0)));
            _callOptionalReturn(token, approvalCall);
        }
    }

    /**
     * @dev Performs an {ERC1363} transferAndCall, with a fallback to the simple {ERC20} transfer if the target has no
     * code. This can be used to implement an {ERC721}-like safe transfer that rely on {ERC1363} checks when
     * targeting contracts.
     *
     * Reverts if the returned value is other than `true`.
     */
    function transferAndCallRelaxed(IERC1363 token, address to, uint256 value, bytes memory data) internal {
        if (to.code.length == 0) {
            safeTransfer(token, to, value);
        } else if (!token.transferAndCall(to, value, data)) {
            revert SafeERC20FailedOperation(address(token));
        }
    }

    /**
     * @dev Performs an {ERC1363} transferFromAndCall, with a fallback to the simple {ERC20} transferFrom if the target
     * has no code. This can be used to implement an {ERC721}-like safe transfer that rely on {ERC1363} checks when
     * targeting contracts.
     *
     * Reverts if the returned value is other than `true`.
     */
    function transferFromAndCallRelaxed(
        IERC1363 token,
        address from,
        address to,
        uint256 value,
        bytes memory data
    ) internal {
        if (to.code.length == 0) {
            safeTransferFrom(token, from, to, value);
        } else if (!token.transferFromAndCall(from, to, value, data)) {
            revert SafeERC20FailedOperation(address(token));
        }
    }

    /**
     * @dev Performs an {ERC1363} approveAndCall, with a fallback to the simple {ERC20} approve if the target has no
     * code. This can be used to implement an {ERC721}-like safe transfer that rely on {ERC1363} checks when
     * targeting contracts.
     *
     * NOTE: When the recipient address (`to`) has no code (i.e. is an EOA), this function behaves as {forceApprove}.
     * Opposedly, when the recipient address (`to`) has code, this function only attempts to call {ERC1363-approveAndCall}
     * once without retrying, and relies on the returned value to be true.
     *
     * Reverts if the returned value is other than `true`.
     */
    function approveAndCallRelaxed(IERC1363 token, address to, uint256 value, bytes memory data) internal {
        if (to.code.length == 0) {
            forceApprove(token, to, value);
        } else if (!token.approveAndCall(to, value, data)) {
            revert SafeERC20FailedOperation(address(token));
        }
    }

    /**
     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
     * on the return value: the return value is optional (but if data is returned, it must not be false).
     * @param token The token targeted by the call.
     * @param data The call data (encoded using abi.encode or one of its variants).
     *
     * This is a variant of {_callOptionalReturnBool} that reverts if call fails to meet the requirements.
     */
    function _callOptionalReturn(IERC20 token, bytes memory data) private {
        uint256 returnSize;
        uint256 returnValue;
        assembly ("memory-safe") {
            let success := call(gas(), token, 0, add(data, 0x20), mload(data), 0, 0x20)
            // bubble errors
            if iszero(success) {
                let ptr := mload(0x40)
                returndatacopy(ptr, 0, returndatasize())
                revert(ptr, returndatasize())
            }
            returnSize := returndatasize()
            returnValue := mload(0)
        }

        if (returnSize == 0 ? address(token).code.length == 0 : returnValue != 1) {
            revert SafeERC20FailedOperation(address(token));
        }
    }

    /**
     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
     * on the return value: the return value is optional (but if data is returned, it must not be false).
     * @param token The token targeted by the call.
     * @param data The call data (encoded using abi.encode or one of its variants).
     *
     * This is a variant of {_callOptionalReturn} that silently catches all reverts and returns a bool instead.
     */
    function _callOptionalReturnBool(IERC20 token, bytes memory data) private returns (bool) {
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        assembly ("memory-safe") {
            success := call(gas(), token, 0, add(data, 0x20), mload(data), 0, 0x20)
            returnSize := returndatasize()
            returnValue := mload(0)
        }
        return success && (returnSize == 0 ? address(token).code.length > 0 : returnValue == 1);
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.4.0) (token/ERC20/IERC20.sol)

pragma solidity >=0.4.16;

/**
 * @dev Interface of the ERC-20 standard as defined in the ERC.
 */
interface IERC20 {
    /**
     * @dev Emitted when `value` tokens are moved from one account (`from`) to
     * another (`to`).
     *
     * Note that `value` may be zero.
     */
    event Transfer(address indexed from, address indexed to, uint256 value);

    /**
     * @dev Emitted when the allowance of a `spender` for an `owner` is set by
     * a call to {approve}. `value` is the new allowance.
     */
    event Approval(address indexed owner, address indexed spender, uint256 value);

    /**
     * @dev Returns the value of tokens in existence.
     */
    function totalSupply() external view returns (uint256);

    /**
     * @dev Returns the value of tokens owned by `account`.
     */
    function balanceOf(address account) external view returns (uint256);

    /**
     * @dev Moves a `value` amount of tokens from the caller's account to `to`.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * Emits a {Transfer} event.
     */
    function transfer(address to, uint256 value) external returns (bool);

    /**
     * @dev Returns the remaining number of tokens that `spender` will be
     * allowed to spend on behalf of `owner` through {transferFrom}. This is
     * zero by default.
     *
     * This value changes when {approve} or {transferFrom} are called.
     */
    function allowance(address owner, address spender) external view returns (uint256);

    /**
     * @dev Sets a `value` amount of tokens as the allowance of `spender` over the
     * caller's tokens.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * IMPORTANT: Beware that changing an allowance with this method brings the risk
     * that someone may use both the old and the new allowance by unfortunate
     * transaction ordering. One possible solution to mitigate this race
     * condition is to first reduce the spender's allowance to 0 and set the
     * desired value afterwards:
     * https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
     *
     * Emits an {Approval} event.
     */
    function approve(address spender, uint256 value) external returns (bool);

    /**
     * @dev Moves a `value` amount of tokens from `from` to `to` using the
     * allowance mechanism. `value` is then deducted from the caller's
     * allowance.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * Emits a {Transfer} event.
     */
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.4.0) (interfaces/IERC1363.sol)

pragma solidity >=0.6.2;

import {IERC20} from "./IERC20.sol";
import {IERC165} from "./IERC165.sol";

/**
 * @title IERC1363
 * @dev Interface of the ERC-1363 standard as defined in the https://eips.ethereum.org/EIPS/eip-1363[ERC-1363].
 *
 * Defines an extension interface for ERC-20 tokens that supports executing code on a recipient contract
 * after `transfer` or `transferFrom`, or code on a spender contract after `approve`, in a single transaction.
 */
interface IERC1363 is IERC20, IERC165 {
    /*
     * Note: the ERC-165 identifier for this interface is 0xb0202a11.
     * 0xb0202a11 ===
     *   bytes4(keccak256('transferAndCall(address,uint256)')) ^
     *   bytes4(keccak256('transferAndCall(address,uint256,bytes)')) ^
     *   bytes4(keccak256('transferFromAndCall(address,address,uint256)')) ^
     *   bytes4(keccak256('transferFromAndCall(address,address,uint256,bytes)')) ^
     *   bytes4(keccak256('approveAndCall(address,uint256)')) ^
     *   bytes4(keccak256('approveAndCall(address,uint256,bytes)'))
     */

    /**
     * @dev Moves a `value` amount of tokens from the caller's account to `to`
     * and then calls {IERC1363Receiver-onTransferReceived} on `to`.
     * @param to The address which you want to transfer to.
     * @param value The amount of tokens to be transferred.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function transferAndCall(address to, uint256 value) external returns (bool);

    /**
     * @dev Moves a `value` amount of tokens from the caller's account to `to`
     * and then calls {IERC1363Receiver-onTransferReceived} on `to`.
     * @param to The address which you want to transfer to.
     * @param value The amount of tokens to be transferred.
     * @param data Additional data with no specified format, sent in call to `to`.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool);

    /**
     * @dev Moves a `value` amount of tokens from `from` to `to` using the allowance mechanism
     * and then calls {IERC1363Receiver-onTransferReceived} on `to`.
     * @param from The address which you want to send tokens from.
     * @param to The address which you want to transfer to.
     * @param value The amount of tokens to be transferred.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function transferFromAndCall(address from, address to, uint256 value) external returns (bool);

    /**
     * @dev Moves a `value` amount of tokens from `from` to `to` using the allowance mechanism
     * and then calls {IERC1363Receiver-onTransferReceived} on `to`.
     * @param from The address which you want to send tokens from.
     * @param to The address which you want to transfer to.
     * @param value The amount of tokens to be transferred.
     * @param data Additional data with no specified format, sent in call to `to`.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function transferFromAndCall(address from, address to, uint256 value, bytes calldata data) external returns (bool);

    /**
     * @dev Sets a `value` amount of tokens as the allowance of `spender` over the
     * caller's tokens and then calls {IERC1363Spender-onApprovalReceived} on `spender`.
     * @param spender The address which will spend the funds.
     * @param value The amount of tokens to be spent.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function approveAndCall(address spender, uint256 value) external returns (bool);

    /**
     * @dev Sets a `value` amount of tokens as the allowance of `spender` over the
     * caller's tokens and then calls {IERC1363Spender-onApprovalReceived} on `spender`.
     * @param spender The address which will spend the funds.
     * @param value The amount of tokens to be spent.
     * @param data Additional data with no specified format, sent in call to `spender`.
     * @return A boolean value indicating whether the operation succeeded unless throwing.
     */
    function approveAndCall(address spender, uint256 value, bytes calldata data) external returns (bool);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.4.0) (interfaces/IERC165.sol)

pragma solidity >=0.4.16;

import {IERC165} from "../utils/introspection/IERC165.sol";

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.4.0) (interfaces/IERC20.sol)

pragma solidity >=0.4.16;

import {IERC20} from "../token/ERC20/IERC20.sol";

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.4.0) (utils/introspection/IERC165.sol)

pragma solidity >=0.4.16;

/**
 * @dev Interface of the ERC-165 standard, as defined in the
 * https://eips.ethereum.org/EIPS/eip-165[ERC].
 *
 * Implementers can declare support of contract interfaces, which can then be
 * queried by others ({ERC165Checker}).
 *
 * For an implementation, see {ERC165}.
 */
interface IERC165 {
    /**
     * @dev Returns true if this contract implements the interface defined by
     * `interfaceId`. See the corresponding
     * https://eips.ethereum.org/EIPS/eip-165#how-interfaces-are-identified[ERC section]
     * to learn more about how these ids are created.
     *
     * This function call must use less than 30 000 gas.
     */
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}