Add ERC20 Permit (EIP-2612)

contracts/cryptography/ECDSA.sol

@@ -43,6 +43,14 @@ library ECDSA {
             v := byte(0, mload(add(signature, 0x60)))
         }
 
+        return recover(hash, v, r, s);
+    }
+
+    /**
+     * @dev Overload of {ECDSA-recover-bytes32-bytes-} that receives the `v`,
+     * `r` and `s` signature fields separately.
+     */
+    function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
         // EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make the signature
         // unique. Appendix F in the Ethereum Yellow paper (https://ethereum.github.io/yellowpaper/paper.pdf), defines
         // the valid range for s in (281): 0 < s < secp256k1n ÷ 2 + 1, and for v in (282): v ∈ {27, 28}. Most

contracts/mocks/ERC20PermitMock.sol

@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity >=0.6.0 <0.8.0;
+
+import "../token/ERC20/ERC20Permit.sol";
+
+contract ERC20PermitMock is ERC20Permit {
+    constructor (
+        string memory name,
+        string memory symbol,
+        address initialAccount,
+        uint256 initialBalance
+    ) public payable ERC20(name, symbol) {
+        _mint(initialAccount, initialBalance);
+    }
+}

contracts/token/ERC20/ERC20Permit.sol

@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity >=0.6.5 <0.8.0;
+
+import "./ERC20.sol";
+import "./IERC2612Permit.sol";
+import "../../cryptography/ECDSA.sol";
+import "../../utils/Counters.sol";
+
+/**
+ * @dev Extension of {ERC20} that allows token holders to use their tokens
+ * without sending any transactions by setting {IERC20-allowance} with a
+ * signature using the {permit} method, and then spend them via
+ * {IERC20-transferFrom}.
+ *
+ * The {permit} signature mechanism conforms to the {IERC2612Permit} interface.
+ */
+abstract contract ERC20Permit is ERC20, IERC2612Permit {
+    using Counters for Counters.Counter;
+
+    mapping (address => Counters.Counter) private _nonces;
+
+    // solhint-disable-next-line var-name-mixedcase
+    bytes32 private immutable _PERMIT_TYPEHASH = keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
+
+    // Mapping of ChainID to domain separators. This is a very gas efficient way
+    // to not recalculate the domain separator on every call, while still
+    // automatically detecting ChainID changes.
+    mapping (uint256 => bytes32) private _domainSeparators;
+
+    constructor() internal {
+        _updateDomainSeparator();
+    }
+
+    /**
+     * @dev See {IERC2612Permit-permit}.
+     *
+     * If https://eips.ethereum.org/EIPS/eip-1344[ChainID] ever changes, the
+     * EIP712 Domain Separator is automatically recalculated.
+     */
+    function permit(address owner, address spender, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual override {
+        // solhint-disable-next-line not-rely-on-time
+        require(block.timestamp <= deadline, "ERC20Permit: expired deadline");
+
+        bytes32 hashStruct = keccak256(
+            abi.encode(
+                _PERMIT_TYPEHASH,
+                owner,
+                spender,
+                amount,
+                _nonces[owner].current(),
+                deadline
+            )
+        );
+
+        bytes32 hash = keccak256(
+            abi.encodePacked(
+                uint16(0x1901),
+                _domainSeparator(),
+                hashStruct
+            )
+        );
+
+        address signer = ECDSA.recover(hash, v, r, s);
+        require(signer == owner, "ERC20Permit: invalid signature");
+
+        _nonces[owner].increment();
+        _approve(owner, spender, amount);
+    }
+
+    /**
+     * @dev See {IERC2612Permit-nonces}.
+     */
+    function nonces(address owner) public view override returns (uint256) {
+        return _nonces[owner].current();
+    }
+
+    function _updateDomainSeparator() private returns (bytes32) {
+        uint256 chainID = _chainID();
+
+        bytes32 newDomainSeparator = keccak256(
+            abi.encode(
+                keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
+                keccak256(bytes(name())),
+                keccak256(bytes("1")), // Version
+                chainID,
+                address(this)
+            )
+        );
+
+        _domainSeparators[chainID] = newDomainSeparator;
+
+        return newDomainSeparator;
+    }
+
+    // Returns the domain separator, updating it if chainID changes
+    function _domainSeparator() private returns (bytes32) {
+        bytes32 domainSeparator = _domainSeparators[_chainID()];
+        if (domainSeparator != 0x00) {
+            return domainSeparator;
+        } else {
+            return _updateDomainSeparator();
+        }
+    }
+
+    function _chainID() private pure returns (uint256) {
+        uint256 chainID;
+        // solhint-disable-next-line no-inline-assembly
+        assembly {
+            chainID := chainid()
+        }
+        return chainID;
+    }
+}

contracts/token/ERC20/IERC2612Permit.sol

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity >=0.6.0 <0.8.0;
+
+/**
+ * @dev Interface of the ERC2612 standard as defined in the EIP.
+ *
+ * Adds the {permit} method, which can be used to change one's
+ * {IERC20-allowance} without having to send a transaction, by signing a
+ * message. This allows users to spend tokens without having to hold Ether.
+ *
+ * See https://eips.ethereum.org/EIPS/eip-2612.
+ */
+interface IERC2612Permit {
+    /**
+     * @dev Sets `amount` as the allowance of `spender` over `owner`'s tokens,
+     * given `owner`'s signed approval.
+     *
+     * IMPORTANT: The same issues {IERC20-approve} has related to transaction
+     * ordering also apply here.
+     *
+     * Emits an {Approval} event.
+     *
+     * Requirements:
+     *
+     * - `owner` cannot be the zero address.
+     * - `spender` cannot be the zero address.
+     * - `deadline` must be a timestamp in the future.
+     * - `v`, `r` and `s` must be a valid `secp256k1` signature from `owner`
+     * over the EIP712-formatted function arguments.
+     * - the signature must use ``owner``'s current nonce (see {nonces}).
+     *
+     * For more information on the signature format, see the
+     * https://eips.ethereum.org/EIPS/eip-2612#specification[relevant EIP
+     * section].
+     */
+    function permit(address owner, address spender, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external;
+
+    /**
+     * @dev Returns the current ERC2612 nonce for `owner`. This value must be
+     * included whenever a signature is generated for {permit}.
+     *
+     * Every successful call to {permit} increases ``owner``'s nonce by one. This
+     * prevents a signature from being used multiple times.
+     */
+    function nonces(address owner) external view returns (uint256);
+}

contracts/token/ERC20/README.adoc

@@ -15,6 +15,7 @@ There a few core contracts that implement the behavior specified in the EIP:
 Additionally there are multiple custom extensions, including:
 
 * designation of addresses that can pause token transfers for all users ({ERC20Pausable}).
+* usage of tokens without sending any transactions ({ERC20Permit}).
 * efficient storage of past token balances to be later queried at any point in time ({ERC20Snapshot}).
 * destruction of own tokens ({ERC20Burnable}).
 * enforcement of a cap to the total supply when minting tokens ({ERC20Capped}).
@@ -36,14 +37,21 @@ NOTE: This core set of contracts is designed to be unopinionated, allowing devel
 
 {{ERC20Snapshot}}
 
+{{ERC20Permit}}
+
 {{ERC20Pausable}}
 
 {{ERC20Burnable}}
 
 {{ERC20Capped}}
 
+== Standard Extensions
+
+{{IERC2612Permit}}
+
 == Utilities
 
 {{SafeERC20}}
 
 {{TokenTimelock}}
+

test/token/ERC20/ERC20Permit.test.js

@@ -0,0 +1,55 @@
+/* eslint-disable */
+
+const { BN, constants, expectEvent, expectRevert, time } = require('@openzeppelin/test-helpers');
+const { expect } = require('chai');
+const { MAX_UINT256, ZERO_ADDRESS } = constants;
+
+const { keccakFromString, bufferToHex } = require('ethereumjs-util');
+
+const ERC20PermitMock = artifacts.require('ERC20PermitMock');
+
+contract('ERC20Permit', function (accounts) {
+  const [ initialHolder, spender, recipient, other ] = accounts;
+
+  const name = 'My Token';
+  const symbol = 'MTKN';
+
+  const initialSupply = new BN(100);
+
+  beforeEach(async function () {
+    this.token = await ERC20PermitMock.new(name, symbol, initialHolder, initialSupply);
+  });
+
+  it('initial nonce is 0', async function () {
+    expect(await this.token.nonces(spender)).to.be.bignumber.equal('0');
+  });
+
+  it('permits', async function () {
+    const amount = new BN(42);
+
+    console.log(EIP712DomainSeparator(await this.token.name(), '1', await web3.eth.net.getId(), this.token.address));
+
+    const receipt = await this.token.permit(initialHolder, spender, amount, MAX_UINT256, 0, '0x00000000000000000000000000000000', '0x00000000000000000000000000000000');
+  });
+});
+
+function EIP712DomainSeparator(name, version, chainID, address) {
+  return bufferToHex(keccakFromString(
+    bufferToHex(keccakFromString('EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)')) +
+    bufferToHex(keccakFromString(name)) +
+    bufferToHex(keccakFromString(version)) +
+    chainID.toString() +
+    address
+  ));
+}
+
+function ERC2612StructHash(owner, spender, value, nonce, deadline) {
+  return bufferToHex(keccakFromString(
+    bufferToHex(keccakFromString('Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)')) +
+    owner +
+    spender +
+    value +
+    nonce +
+    deadline
+  ));
+}