fix: (C4 #13) use bitwise OR / | to avoid combining two permissions twice #660

@CJ42 CJ42 commented Aug 8, 2023

What does this PR introduce?

🐛 Bug Fix

The function combinePermissions adds permissions together into a final combined value.
If the same permission is added twice, then this will result in a new and different permission.
For example adding _PERMISSION_STATICCALL twice results in _PERMISSION_SUPER_DELEGATECALL.

  • Fix the bug by using bitwise OR / | inside the function.
  • Add a set of Foundry tests to test the function combinePermissions + re-use the Foundry test used as a PoC in the issue, slightly modified to test for revert.

PR Checklist

  • Wrote Tests
  • Wrote & Generated Documentation (readme/natspec/dodoc)
  • Ran npm run lint && npm run lint:solidity (solhint)
  • Ran npm run format (prettier)
  • Ran npm run build
  • Ran npm run test
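
The carry behaviour described in this PR, shown side by side with the bitwise OR form. This is an added example, not code from the PR or the project: the contract and function names are hypothetical, and the three constant values are assumptions chosen so that STATICCALL sits one bit below SUPER_DELEGATECALL, as the description implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration only. Constant values below are assumed, not taken from the page.
contract CombinePermissionsExample {
    bytes32 constant CALL = bytes32(uint256(0x0800)); // assumed value
    bytes32 constant STATICCALL = bytes32(uint256(0x2000)); // assumed value
    bytes32 constant SUPER_DELEGATECALL = bytes32(uint256(0x4000)); // assumed value

    /// Behaviour described as the bug: the flags are summed as integers.
    function combineWithAdd(bytes32[] memory permissions) public pure returns (bytes32) {
        uint256 result = 0;
        for (uint256 i = 0; i < permissions.length; i++) {
            result += uint256(permissions[i]);
        }
        return bytes32(result);
    }

    /// Behaviour described as the fix: OR is idempotent, so a duplicate is a no-op.
    function combineWithOr(bytes32[] memory permissions) public pure returns (bytes32) {
        bytes32 result = bytes32(0);
        for (uint256 i = 0; i < permissions.length; i++) {
            result |= permissions[i];
        }
        return result;
    }

    /// Reverts if either function behaves differently from what the comments claim.
    function checkDuplicateStaticCall() external pure returns (bool) {
        bytes32[] memory perms = new bytes32[](3);
        perms[0] = CALL;
        perms[1] = STATICCALL;
        perms[2] = STATICCALL; // the same permission listed twice

        bytes32 added = combineWithAdd(perms);
        bytes32 ored = combineWithOr(perms);

        // 0x2000 + 0x2000 carries into 0x4000: STATICCALL is lost and
        // SUPER_DELEGATECALL, which nobody requested, is set instead.
        require(added == (CALL | SUPER_DELEGATECALL), "unexpected sum");
        require((added & STATICCALL) == bytes32(0), "STATICCALL should be gone");

        // With OR the result contains exactly the requested bits.
        require(ored == (CALL | STATICCALL), "unexpected OR result");
        require((ored & SUPER_DELEGATECALL) == bytes32(0), "no extra bit expected");
        return true;
    }
}
```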

Hugoo commented Aug 8, 2023

github-actions bot commented Aug 8, 2023

👋 Hello
⛽ I am the Gas Bot Reporter. I keep track of the gas costs of common interactions using Universal Profiles 🆙 !
📊 Here is a summary of the gas cost with the code introduced by this PR.

⛽📊 See Gas Benchmark report of Using UniversalProfile owned by an EOA

🔀 execute scenarios

execute scenarios - 👑 UP Owner ⛽ Gas Usage
Transfer 1 LYX to an EOA without data 37537
Transfer 1 LYX to a UP without data 36639
Transfer 1 LYX to an EOA with 256 bytes of data 42198
Transfer 1 LYX to a UP with 256 bytes of data 44750
Transfer 0.1 LYX to 3x EOA without data 70862
Transfer 0.1 LYX to 3x UP without data 75680
Transfer 0.1 LYX to 3x EOA with 256 bytes of data 84838
Transfer 0.1 LYX to 3x EOA with 256 bytes of data 100042

🗄️ setData scenarios

setData scenarios - 👑 UP Owner ⛽ Gas Usage
Set a 20 bytes long value 49971
Set a 60 bytes long value 95293
Set a 160 bytes long value 164465
Set a 300 bytes long value 279688
Set a 600 bytes long value 484148
Change the value of a data key already set 32859
Remove the value of a data key already set 27333
Set 2 data keys of 20 bytes long value 78428
Set 2 data keys of 100 bytes long value 260580
Set 3 data keys of 20 bytes long value 105145
Change the value of three data keys already set of 20 bytes long value 45445
Remove the value of three data keys already set 41339

🗄️ Tokens scenarios

Tokens scenarios - 👑 UP Owner ⛽ Gas Usage
Minting a LSP7Token to a UP (No Delegate) from an EOA 91241
Minting a LSP7Token to an EOA from an EOA 59206
Transferring an LSP7Token from a UP to another UP (No Delegate) 98689
Minting a LSP8Token to a UP (No Delegate) from an EOA 158192
Minting a LSP8Token to an EOA from an EOA 126157
Transferring an LSP8Token from a UP to another UP (No Delegate) 147236

📝 Notes

  • The execute and setData scenarios are executed on a fresh UniversalProfile smart contract, deployed as standard contracts (not as proxy behind a base contract implementation).
⛽📊 See Gas Benchmark report of Using UniversalProfile owned by an LSP6KeyManager

This document contains the gas usage for common interactions and scenarios when using UniversalProfile smart contracts.

🔀 execute scenarios

👑 unrestricted controller

execute scenarios - 👑 main controller ⛽ Gas Usage
transfer LYX to an EOA 60439
transfer LYX to a UP 62041
transfer tokens (LSP7) to an EOA (no data) 107162
transfer tokens (LSP7) to a UP (no data) 242734
transfer a NFT (LSP8) to a EOA (no data) 171009
transfer a NFT (LSP8) to a UP (no data) 289909

🛃 restricted controller

execute scenarios - 🛃 restricted controller ⛽ Gas Usage
transfer some LYXes to an EOA - restricted to 1 x allowed address only (TRANSFERVALUE + 1x AllowedCalls) 72648
transfers some tokens (LSP7) to an EOA - restricted to LSP7 + 2x allowed contracts only (CALL + 2x AllowedCalls) (no data) 122941
transfers some tokens (LSP7) to an other UP - restricted to LSP7 + 2x allowed contracts only (CALL + 2x AllowedCalls) (no data) 258513
transfers a NFT (LSP8) to an EOA - restricted to LSP8 + 2x allowed contracts only (CALL + 2x AllowedCalls) (no data) 186776
transfers a NFT (LSP8) to an other UP - restricted to LSP8 + 2x allowed contracts only (CALL + 2x AllowedCalls) (no data) 305676

🗄️ setData scenarios

👑 unrestricted controller

setData scenarios - 👑 main controller ⛽ Gas Usage
updates profile details (LSP3Profile metadata) 136875
give permissions to a controller (AddressPermissions[] + AddressPermissions[index] + AddressPermissions:Permissions:) 132906
restrict a controller to some specific ERC725Y Data Keys 139282
restrict a controller to interact only with 3x specific addresses 161986
remove a controller (its permissions + its address from the AddressPermissions[] array) 67871
write 5x LSP12 Issued Assets 233253

🛃 restricted controller

setData scenarios - 🛃 restricted controller ⛽ Gas Usage
setData(bytes32,bytes) -> updates 1x data key 102626
setData(bytes32[],bytes[]) -> updates 3x data keys (first x3) 161440
setData(bytes32[],bytes[]) -> updates 3x data keys (middle x3) 145519
setData(bytes32[],bytes[]) -> updates 3x data keys (last x3) 170752
setData(bytes32[],bytes[]) -> updates 2x data keys + add 3x new controllers (including setting the array length + indexes under AddressPermissions[index]) 249872

📝 Notes

  • The execute and setData scenarios are executed on a fresh UniversalProfile and LSP6KeyManager smart contracts, deployed as standard contracts (not as proxy behind a base contract implementation).

@CJ42 CJ42 changed the title fix: use bitwise OR / | to avoid combining two permissions twice fix: (C4 #13) use bitwise OR / | to avoid combining two permissions twice Aug 9, 2023
@CJ42 CJ42 marked this pull request as ready for review August 9, 2023 07:35
@CJ42 CJ42 force-pushed the DEV-7698_C4-13---Permission-escalation-by-adding-the-same-permission-twice_Jean branch 2 times, most recently from 5770f4c to 6dd0057 Compare August 9, 2023 07:52
@CJ42 CJ42 force-pushed the DEV-7698_C4-13---Permission-escalation-by-adding-the-same-permission-twice_Jean branch from 6dd0057 to 3547872 Compare August 9, 2023 09:00
@CJ42 CJ42 force-pushed the DEV-7698_C4-13---Permission-escalation-by-adding-the-same-permission-twice_Jean branch from 3547872 to d16dae6 Compare August 11, 2023 13:34
@github-actions

Changes to gas cost

Generated at commit: d949f3277e83eaf5badf53d7e64984e5fab4bac3, compared to commit: 9db488aad9065f88cfc3c5f43f47b1fab35fc5f0

🧾 Summary (10% most significant diffs)

Contract Method Avg (+/-) %

Full diff report 👇
Contract Deployment Cost (+/-) Method Min (+/-) % Avg (+/-) % Median (+/-) % Max (+/-) % # Calls (+/-)
LSP6ExecuteRestrictedController 2,888,707 (+34,647)
LSP6ExecuteUnrestrictedController 2,888,707 (+34,647)
LSP6SetDataRestrictedController 2,873,483 (+34,638)
LSP6SetDataUnrestrictedController 2,873,483 (+34,638)

@CJ42 CJ42 merged commit 7653cd0 into develop Aug 11, 2023
25 checks passed
@CJ42 CJ42 deleted the DEV-7698_C4-13---Permission-escalation-by-adding-the-same-permission-twice_Jean branch August 11, 2023 13:56