Transaction Hash:
Block:
20934361 at Oct-10-2024 09:37:47 AM +UTC
Transaction Fee:
0.00130101570041569 ETH
$3.16
Gas Used:
80,458 Gas / 16.170122305 Gwei
Emitted Events:
| 486 |
KeyManager.SignatureAccepted( sigData=[{name:sig, type:uint256, order:1, indexed:false, value:65505940014300652587020900724781165604274551286028611922095717116334150633924, valueString:65505940014300652587020900724781165604274551286028611922095717116334150633924}, {name:nonce, type:uint256, order:2, indexed:false, value:20983, valueString:20983}, {name:kTimesGAddress, type:address, order:3, indexed:false, value:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692, valueString:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692}], signer=[Sender] 0xf6121dc5d47032fd80817524350d1b7dd2e57a4b )
|
Account State Difference:
| Address | Before | After | State Difference | ||
|---|---|---|---|---|---|
| 0x59AF2B59...8Cd2e733E | 7.866576495334943428 Eth | 9.95221077365877528 Eth | 2.085634278323831852 | ||
|
0x95222290...5CC4BAfe5
Miner
| (beaverbuild) | 12.440599849473929847 Eth | 12.440751255338329847 Eth | 0.0001514058644 | |
| 0xcd351d36...68eBf08Be | |||||
| 0xF5e10380...5b9f62Bcc | (Chainflip 1) | 607.760965234901212592 Eth | 605.67533095657738074 Eth | 2.085634278323831852 | |
| 0xF6121Dc5...dd2e57A4b |
0.547327036486796153 Eth
Nonce: 149
|
0.546026020786380463 Eth
Nonce: 150
| 0.00130101570041569 |
Execution Trace
Vault.allBatch( sigData=[{name:sig, type:uint256, order:1, indexed:false, value:65505940014300652587020900724781165604274551286028611922095717116334150633924, valueString:65505940014300652587020900724781165604274551286028611922095717116334150633924}, {name:nonce, type:uint256, order:2, indexed:false, value:20983, valueString:20983}, {name:kTimesGAddress, type:address, order:3, indexed:false, value:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692, valueString:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692}], deployFetchParamsArray=, fetchParamsArray=, transferParamsArray= )
KeyManager.consumeKeyNonce( sigData=[{name:sig, type:uint256, order:1, indexed:false, value:65505940014300652587020900724781165604274551286028611922095717116334150633924, valueString:65505940014300652587020900724781165604274551286028611922095717116334150633924}, {name:nonce, type:uint256, order:2, indexed:false, value:20983, valueString:20983}, {name:kTimesGAddress, type:address, order:3, indexed:false, value:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692, valueString:0x975Fe7cC1b61D32eBdbfBD7F499Ad376ea27d692}], contractMsgHash=0EC3CAE097FE5E1888033F62A1AA2BCCBA549DE4BC4B29BEE092CC92AABBFB83 )-
Null: 0x000...001.b1cfb868( )
-
- ETH 2.085634278323831852
0x59af2b59b9f890d0be5390b0165ffcd8cd2e733e.CALL( )
allBatch[Vault (ln:78)]
_deployAndFetchBatch[Vault (ln:93)]_fetchBatch[Vault (ln:95)]fetch[Vault (ln:290)]
_transferBatch[Vault (ln:97)]_transfer[Vault (ln:197)]call[Vault (ln:218)]TransferNativeFailed[Vault (ln:220)]call[Vault (ln:224)]encodeWithSelector[Vault (ln:225)]decode[Vault (ln:228)]TransferTokenFailed[Vault (ln:229)]
encode[Vault (ln:89)]
File 1 of 2: Vault
File 2 of 2: KeyManager
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "SafeERC20.sol";
import "IVault.sol";
import "IKeyManager.sol";
import "ICFReceiver.sol";
import "Shared.sol";
import "Deposit.sol";
import "AggKeyNonceConsumer.sol";
import "GovernanceCommunityGuarded.sol";
/**
* @title Vault contract
* @notice The vault for holding and transferring native or ERC20 tokens and deploying contracts for
* fetching individual deposits. It also allows users to do cross-chain swaps and(or) calls by
* making a function call directly to this contract.
*/
contract Vault is IVault, AggKeyNonceConsumer, GovernanceCommunityGuarded {
using SafeERC20 for IERC20;
uint256 private constant _AGG_KEY_EMERGENCY_TIMEOUT = 3 days;
uint256 private constant _GAS_TO_FORWARD = 8_000;
uint256 private constant _FINALIZE_GAS_BUFFER = 30_000;
constructor(IKeyManager keyManager) AggKeyNonceConsumer(keyManager) {}
/// @dev Get the governor address from the KeyManager. This is called by the onlyGovernor
/// modifier in the GovernanceCommunityGuarded. This logic can't be moved to the
/// GovernanceCommunityGuarded since it requires a reference to the KeyManager.
function _getGovernor() internal view override returns (address) {
return getKeyManager().getGovernanceKey();
}
/// @dev Get the community key from the KeyManager. This is called by the isCommunityKey
/// modifier in the GovernanceCommunityGuarded. This logic can't be moved to the
/// GovernanceCommunityGuarded since it requires a reference to the KeyManager.
function _getCommunityKey() internal view override returns (address) {
return getKeyManager().getCommunityKey();
}
/// @dev Ensure that a new keyManager has the getGovernanceKey(), getCommunityKey()
/// and getLastValidateTime() are implemented. These are functions required for
/// this contract to at least be able to use the emergency mechanism.
function _checkUpdateKeyManager(IKeyManager keyManager, bool omitChecks) internal view override {
address newGovKey = keyManager.getGovernanceKey();
address newCommKey = keyManager.getCommunityKey();
uint256 lastValidateTime = keyManager.getLastValidateTime();
if (!omitChecks) {
// Ensure that the keys are the same
require(newGovKey == _getGovernor() && newCommKey == _getCommunityKey());
Key memory newAggKey = keyManager.getAggregateKey();
Key memory currentAggKey = getKeyManager().getAggregateKey();
require(
newAggKey.pubKeyX == currentAggKey.pubKeyX && newAggKey.pubKeyYParity == currentAggKey.pubKeyYParity
);
// Ensure that the last validate time is not in the future
require(lastValidateTime <= block.timestamp);
} else {
// Check that the addresses have been initialized
require(newGovKey != address(0) && newCommKey != address(0));
}
}
//////////////////////////////////////////////////////////////
// //
// Transfer and Fetch //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Can do a combination of all fcns in this contract. It first fetches all
* deposits , then it performs all transfers specified with the rest
* of the inputs, the same as transferBatch (where all inputs are again required
* to be of equal length - however the lengths of the fetch inputs do not have to
* be equal to lengths of the transfer inputs). Fetches/transfers of native tokens are
* indicated with 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE as the token address.
* @dev FetchAndDeploy is executed first to handle the edge case , which probably shouldn't
* happen anyway, where a deploy and a fetch for the same address are in the same batch.
* Transfers are executed last to ensure that all fetching has been completed first.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param deployFetchParamsArray The array of deploy and fetch parameters
* @param fetchParamsArray The array of fetch parameters
* @param transferParamsArray The array of transfer parameters
*/
function allBatch(
SigData calldata sigData,
DeployFetchParams[] calldata deployFetchParamsArray,
FetchParams[] calldata fetchParamsArray,
TransferParams[] calldata transferParamsArray
)
external
override
onlyNotSuspended
consumesKeyNonce(
sigData,
keccak256(abi.encode(this.allBatch.selector, deployFetchParamsArray, fetchParamsArray, transferParamsArray))
)
{
// Fetch by deploying new deposits
_deployAndFetchBatch(deployFetchParamsArray);
// Fetch from already deployed deposits
_fetchBatch(fetchParamsArray);
// Send all transfers
_transferBatch(transferParamsArray);
}
/**
* @notice Same functionality as allBatch but removing the contract deployments
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param fetchParamsArray The array of fetch parameters
* @param transferParamsArray The array of transfer parameters
*/
function allBatchV2(
SigData calldata sigData,
FetchParams[] calldata fetchParamsArray,
TransferParams[] calldata transferParamsArray
)
external
override
onlyNotSuspended
consumesKeyNonce(
sigData,
keccak256(abi.encode(this.allBatchV2.selector, fetchParamsArray, transferParamsArray))
)
{
// Fetch from already deployed deposits
_fetchBatch(fetchParamsArray);
// Send all transfers
_transferBatch(transferParamsArray);
}
//////////////////////////////////////////////////////////////
// //
// Transfers //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Transfers native tokens or a ERC20 token from this vault to a recipient
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param transferParams The transfer parameters
*/
function transfer(
SigData calldata sigData,
TransferParams calldata transferParams
)
external
override
onlyNotSuspended
nzAddr(transferParams.token)
nzAddr(transferParams.recipient)
nzUint(transferParams.amount)
consumesKeyNonce(sigData, keccak256(abi.encode(this.transfer.selector, transferParams)))
{
_transfer(transferParams.token, transferParams.recipient, transferParams.amount);
}
/**
* @notice Fallback transfer tokens from this vault to a recipient with all the gas.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param transferParams The transfer parameters
*/
function transferFallback(
SigData calldata sigData,
TransferParams calldata transferParams
)
external
onlyNotSuspended
nzAddr(transferParams.token)
nzAddr(transferParams.recipient)
nzUint(transferParams.amount)
consumesKeyNonce(sigData, keccak256(abi.encode(this.transferFallback.selector, transferParams)))
{
if (transferParams.token == _NATIVE_ADDR) {
(bool success, ) = transferParams.recipient.call{value: transferParams.amount}("");
require(success, "Vault: transfer fallback failed");
} else {
IERC20(transferParams.token).safeTransfer(transferParams.recipient, transferParams.amount);
}
}
/**
* @notice Transfers native tokens or ERC20 tokens from this vault to recipients.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param transferParamsArray The array of transfer parameters.
*/
function transferBatch(
SigData calldata sigData,
TransferParams[] calldata transferParamsArray
)
external
override
onlyNotSuspended
consumesKeyNonce(sigData, keccak256(abi.encode(this.transferBatch.selector, transferParamsArray)))
{
_transferBatch(transferParamsArray);
}
/**
* @notice Transfers native tokens or ERC20 tokens from this vault to recipients.
* @param transferParamsArray The array of transfer parameters.
*/
function _transferBatch(TransferParams[] calldata transferParamsArray) private {
uint256 length = transferParamsArray.length;
for (uint256 i = 0; i < length; ) {
_transfer(transferParamsArray[i].token, transferParamsArray[i].recipient, transferParamsArray[i].amount);
unchecked {
++i;
}
}
}
/**
* @notice Transfers ETH or a token from this vault to a recipient
* @dev When transfering native tokens, using call function limiting the amount of gas so
* the receivers can't consume all the gas. Setting that amount of gas to more than
* 2300 to future-proof the contract in case of opcode gas costs changing.
* @dev When transferring ERC20 tokens, if it fails ensure the transfer fails gracefully
* to not revert an entire batch. e.g. usdc blacklisted recipient. Following safeTransfer
* approach to support tokens that don't return a bool.
* @param token The address of the token to be transferred
* @param recipient The address of the recipient of the transfer
* @param amount The amount to transfer, in wei (uint)
*/
function _transfer(address token, address payable recipient, uint256 amount) private {
if (address(token) == _NATIVE_ADDR) {
// solhint-disable-next-line avoid-low-level-calls
(bool success, ) = recipient.call{gas: _GAS_TO_FORWARD, value: amount}("");
if (!success) {
emit TransferNativeFailed(recipient, amount);
}
} else {
// solhint-disable-next-line avoid-low-level-calls
(bool success, bytes memory returndata) = token.call(
abi.encodeWithSelector(IERC20(token).transfer.selector, recipient, amount)
);
// No need to check token.code.length since it comes from a gated call
bool transferred = success && (returndata.length == uint256(0) || abi.decode(returndata, (bool)));
if (!transferred) emit TransferTokenFailed(recipient, amount, token, returndata);
}
}
//////////////////////////////////////////////////////////////
// //
// Fetch Deposits //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Retrieves any token from multiple address, deterministically generated using
* create2, by creating a contract for that address, sending it to this vault.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param deployFetchParamsArray The array of deploy and fetch parameters
*/
function deployAndFetchBatch(
SigData calldata sigData,
DeployFetchParams[] calldata deployFetchParamsArray
)
external
override
onlyNotSuspended
consumesKeyNonce(sigData, keccak256(abi.encode(this.deployAndFetchBatch.selector, deployFetchParamsArray)))
{
_deployAndFetchBatch(deployFetchParamsArray);
}
function _deployAndFetchBatch(DeployFetchParams[] calldata deployFetchParamsArray) private {
// Deploy deposit contracts
uint256 length = deployFetchParamsArray.length;
for (uint256 i = 0; i < length; ) {
new Deposit{salt: deployFetchParamsArray[i].swapID}(deployFetchParamsArray[i].token);
unchecked {
++i;
}
}
}
/**
* @notice Retrieves any token addresses where a Deposit contract is already deployed.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param fetchParamsArray The array of fetch parameters
*/
function fetchBatch(
SigData calldata sigData,
FetchParams[] calldata fetchParamsArray
)
external
override
onlyNotSuspended
consumesKeyNonce(sigData, keccak256(abi.encode(this.fetchBatch.selector, fetchParamsArray)))
{
_fetchBatch(fetchParamsArray);
}
/**
* @notice Retrieves any token from multiple addresses where a Deposit contract is already deployed.
* It emits an event if the fetch fails.
* @param fetchParamsArray The array of fetch parameters
*/
function _fetchBatch(FetchParams[] calldata fetchParamsArray) private {
uint256 length = fetchParamsArray.length;
for (uint256 i = 0; i < length; ) {
Deposit(fetchParamsArray[i].fetchContract).fetch(fetchParamsArray[i].token);
unchecked {
++i;
}
}
}
//////////////////////////////////////////////////////////////
// //
// Initiate cross-chain swaps (source chain) //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Swaps native token for a token in another chain. The egress token will be transferred to the specified
* destination address on the destination chain.
* @dev Checking the validity of inputs shall be done as part of the event witnessing. Only the amount is checked
* to explicity indicate that an amount is required. It isn't preventing spamming.
* @param dstChain The destination chain according to the Chainflip Protocol's nomenclature.
* @param dstAddress Bytes containing the destination address on the destination chain.
* @param dstToken Destination token to be swapped to.
* @param cfParameters Additional parameters to be passed to the Chainflip protocol.
*/
function xSwapNative(
uint32 dstChain,
bytes memory dstAddress,
uint32 dstToken,
bytes calldata cfParameters
) external payable override onlyNotSuspended nzUint(msg.value) {
emit SwapNative(dstChain, dstAddress, dstToken, msg.value, msg.sender, cfParameters);
}
/**
* @notice Swaps ERC20 token for a token in another chain. The desired token will be transferred to the specified
* destination address on the destination chain. The provided ERC20 token must be supported by the Chainflip Protocol.
* @dev Checking the validity of inputs shall be done as part of the event witnessing. Only the amount is checked
* to explicity indicate that an amount is required.
* @param dstChain The destination chain according to the Chainflip Protocol's nomenclature.
* @param dstAddress Bytes containing the destination address on the destination chain.
* @param dstToken Uint containing the specifics of the swap to be performed according to Chainflip's nomenclature.
* @param srcToken Address of the source token to swap.
* @param amount Amount of tokens to swap.
* @param cfParameters Additional parameters to be passed to the Chainflip protocol.
*/
function xSwapToken(
uint32 dstChain,
bytes memory dstAddress,
uint32 dstToken,
IERC20 srcToken,
uint256 amount,
bytes calldata cfParameters
) external override onlyNotSuspended nzUint(amount) {
srcToken.safeTransferFrom(msg.sender, address(this), amount);
emit SwapToken(dstChain, dstAddress, dstToken, address(srcToken), amount, msg.sender, cfParameters);
}
//////////////////////////////////////////////////////////////
// //
// Initiate cross-chain call and swap (source chain) //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Performs a cross-chain call to the destination address on the destination chain. Native tokens must be paid
* to this contract. The swap intent determines if the provided tokens should be swapped to a different token
* and transferred as part of the cross-chain call. Otherwise, all tokens are used as a payment for gas on the destination chain.
* The message parameter is transmitted to the destination chain as part of the cross-chain call.
* @dev Checking the validity of inputs shall be done as part of the event witnessing. Only the amount is checked
* to explicity inidcate that an amount is required. It isn't preventing spamming.
* @param dstChain The destination chain according to the Chainflip Protocol's nomenclature.
* @param dstAddress Bytes containing the destination address on the destination chain.
* @param dstToken Uint containing the specifics of the swap to be performed, if any, as part of the xCall. The string
* must follow Chainflip's nomenclature. It can signal that no swap needs to take place
* and the source token will be used for gas in a swapless xCall.
* @param message General purpose message to be sent to the egress chain. Notice that the Chainflip protocol has a limit size
* for the message. Ensure that the message length is smaller that the limit before starting a swap.
* @param gasAmount The amount to be used for gas in the egress chain.
* @param cfParameters Additional parameters to be passed to the Chainflip protocol.
*/
function xCallNative(
uint32 dstChain,
bytes calldata dstAddress,
uint32 dstToken,
bytes calldata message,
uint256 gasAmount,
bytes calldata cfParameters
) external payable override onlyNotSuspended nzUint(msg.value) {
emit XCallNative(dstChain, dstAddress, dstToken, msg.value, msg.sender, message, gasAmount, cfParameters);
}
/**
* @notice Performs a cross-chain call to the destination chain and destination address. An ERC20 token amount
* needs to be approved to this contract. The ERC20 token must be supported by the Chainflip Protocol.
* The swap intent determines whether the provided tokens should be swapped to a different token
* by the Chainflip Protocol. If so, the swapped tokens will be transferred to the destination chain as part
* of the cross-chain call. Otherwise, the tokens are used as a payment for gas on the destination chain.
* The message parameter is transmitted to the destination chain as part of the cross-chain call.
* @dev Checking the validity of inputs shall be done as part of the event witnessing. Only the amount is checked
* to explicity indicate that an amount is required.
* @param dstChain The destination chain according to the Chainflip Protocol's nomenclature.
* @param dstAddress Bytes containing the destination address on the destination chain.
* @param dstToken Uint containing the specifics of the swap to be performed, if any, as part of the xCall. The string
* must follow Chainflip's nomenclature. It can signal that no swap needs to take place
* and the source token will be used for gas in a swapless xCall.
* @param message General purpose message to be sent to the egress chain. Notice that the Chainflip protocol has a limit size
* for the message. Ensure that the message length is smaller that the limit before starting a swap.
* @param gasAmount The amount to be used for gas in the egress chain.
* @param srcToken Address of the source token.
* @param amount Amount of tokens to swap.
* @param cfParameters Additional parameters to be passed to the Chainflip protocol.
*/
function xCallToken(
uint32 dstChain,
bytes memory dstAddress,
uint32 dstToken,
bytes calldata message,
uint256 gasAmount,
IERC20 srcToken,
uint256 amount,
bytes calldata cfParameters
) external override onlyNotSuspended nzUint(amount) {
srcToken.safeTransferFrom(msg.sender, address(this), amount);
emit XCallToken(
dstChain,
dstAddress,
dstToken,
address(srcToken),
amount,
msg.sender,
message,
gasAmount,
cfParameters
);
}
//////////////////////////////////////////////////////////////
// //
// Gas topups //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Add gas (topup) to an existing cross-chain call with the unique identifier swapID.
* Native tokens must be paid to this contract as part of the call.
* @param swapID The unique identifier for this swap (bytes32)
*/
function addGasNative(bytes32 swapID) external payable override onlyNotSuspended nzUint(msg.value) {
emit AddGasNative(swapID, msg.value);
}
/**
* @notice Add gas (topup) to an existing cross-chain call with the unique identifier swapID.
* A Chainflip supported token must be paid to this contract as part of the call.
* @param swapID The unique identifier for this swap (bytes32)
* @param token Address of the token to provide.
* @param amount Amount of tokens to provide.
*/
function addGasToken(
bytes32 swapID,
uint256 amount,
IERC20 token
) external override onlyNotSuspended nzUint(amount) {
token.safeTransferFrom(msg.sender, address(this), amount);
emit AddGasToken(swapID, amount, address(token));
}
//////////////////////////////////////////////////////////////
// //
// Execute cross-chain call and swap (dest. chain) //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Transfers native tokens or an ERC20 token from this vault to a recipient and makes a function
* call completing a cross-chain swap and call. The ICFReceiver interface is expected on
* the receiver's address. A message is passed to the receiver along with other
* parameters specifying the origin of the swap.
* @dev Not checking nzUint(amount) to prevent reversions in edge cases (e.g. all input amount used for gas).
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param transferParams The transfer parameters
* @param srcChain The source chain where the call originated from.
* @param srcAddress The address where the transfer originated within the ingress chain.
* @param message The message to be passed to the recipient.
*/
function executexSwapAndCall(
SigData calldata sigData,
TransferParams calldata transferParams,
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message
)
external
override
onlyNotSuspended
nzAddr(transferParams.token)
nzAddr(transferParams.recipient)
consumesKeyNonce(
sigData,
keccak256(abi.encode(this.executexSwapAndCall.selector, transferParams, srcChain, srcAddress, message))
)
{
// Logic in another internal function to avoid the stackTooDeep error
_executexSwapAndCall(transferParams, srcChain, srcAddress, message);
}
/**
* @notice Logic for transferring the tokens and calling the recipient. It's on the receiver to
* make sure the call doesn't revert, otherwise the tokens won't be transferred.
* The _transfer function is not used because we want to be able to embed the native token
* into the cfReceive call to avoid doing two external calls.
* In case of revertion the tokens will remain in the Vault. Therefore, the destination
* contract must ensure it doesn't revert e.g. using try-catch mechanisms.
* @dev In the case of the ERC20 transfer reverting, not handling the error to allow for tx replay.
* Also, to ensure the cfReceive call is made only if the transfer is successful.
*/
function _executexSwapAndCall(
TransferParams calldata transferParams,
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message
) private {
uint256 nativeAmount;
if (transferParams.amount > 0) {
if (transferParams.token == _NATIVE_ADDR) {
nativeAmount = transferParams.amount;
} else {
IERC20(transferParams.token).safeTransfer(transferParams.recipient, transferParams.amount);
}
}
ICFReceiver(transferParams.recipient).cfReceive{value: nativeAmount}(
srcChain,
srcAddress,
message,
transferParams.token,
transferParams.amount
);
}
//////////////////////////////////////////////////////////////
// //
// Execute cross-chain call (dest. chain) //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Executes a cross-chain function call. The ICFReceiver interface is expected on
* the receiver's address. A message is passed to the receiver along with other
* parameters specifying the origin of the swap. This is used for cross-chain messaging
* without any swap taking place on the Chainflip Protocol.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param srcChain The source chain where the call originated from.
* @param srcAddress The address where the transfer originated from in the ingressParams.
* @param message The message to be passed to the recipient.
*/
function executexCall(
SigData calldata sigData,
address recipient,
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message
)
external
override
onlyNotSuspended
nzAddr(recipient)
consumesKeyNonce(
sigData,
keccak256(abi.encode(this.executexCall.selector, recipient, srcChain, srcAddress, message))
)
{
ICFReceiver(recipient).cfReceivexCall(srcChain, srcAddress, message);
}
//////////////////////////////////////////////////////////////
// //
// Auxiliary chain actions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Transfer funds and pass calldata to be executed on a Multicall contract.
* @dev For safety purposes it's preferred to execute calldata externally with
* a limited amount of funds instead of executing arbitrary calldata here.
* @dev Calls are not reverted upon Multicall.run() failure so the nonce gets consumed. The
* gasMulticall parameters is needed to prevent an insufficient gas griefing attack.
* The _GAS_BUFFER is a conservative estimation of the gas required to finalize the call.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param transferParams The transfer parameters inluding the token and amount to be transferred
* and the multicall contract address.
* @param calls Array of actions to be executed.
* @param gasMulticall Gas that must be forwarded to the multicall.
*/
function executeActions(
SigData calldata sigData,
TransferParams calldata transferParams,
IMulticall.Call[] calldata calls,
uint256 gasMulticall
)
external
override
onlyNotSuspended
consumesKeyNonce(
sigData,
keccak256(abi.encode(this.executeActions.selector, transferParams, calls, gasMulticall))
)
{
// Fund and run multicall
uint256 valueToSend;
if (transferParams.amount > 0) {
if (transferParams.token == _NATIVE_ADDR) {
valueToSend = transferParams.amount;
} else {
IERC20(transferParams.token).approve(transferParams.recipient, transferParams.amount);
}
}
// Ensure that the amount of gas supplied to the call to the Multicall contract is at least the gas
// limit specified. We can do this by enforcing that we still have gasMulticall + gas buffer available.
// The gas buffer is to ensure there is enough gas to finalize the call, including a safety margin.
// The 63/64 rule specified in EIP-150 needs to be taken into account.
require(gasleft() >= ((gasMulticall + _FINALIZE_GAS_BUFFER) * 64) / 63, "Vault: insufficient gas");
// solhint-disable-next-line avoid-low-level-calls
(bool success, bytes memory reason) = transferParams.recipient.call{
gas: gasleft() - _FINALIZE_GAS_BUFFER,
value: valueToSend
}(abi.encodeWithSelector(IMulticall.run.selector, calls, transferParams.token, transferParams.amount));
if (!success) {
if (transferParams.amount > 0 && transferParams.token != _NATIVE_ADDR) {
IERC20(transferParams.token).approve(transferParams.recipient, 0);
}
emit ExecuteActionsFailed(transferParams.recipient, transferParams.amount, transferParams.token, reason);
} else {
require(transferParams.recipient.code.length > 0);
}
}
//////////////////////////////////////////////////////////////
// //
// Governance //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Withdraw all funds to governance address in case of emergency. This withdrawal needs
* to be approved by the Community and it can only be executed if no nonce from the
* current AggKey had been consumed in _AGG_KEY_TIMEOUT time. It is a last resort and
* can be used to rectify an emergency.
* @param tokens The addresses of the tokens to be transferred
*/
function govWithdraw(
address[] calldata tokens
) external override onlyGovernor onlyCommunityGuardDisabled onlySuspended timeoutEmergency {
// Could use msg.sender or getGovernor() but hardcoding the get call just for extra safety
address payable recipient = payable(getKeyManager().getGovernanceKey());
// Transfer all native tokens and ERC20 Tokens
for (uint256 i = 0; i < tokens.length; i++) {
if (tokens[i] == _NATIVE_ADDR) {
_transfer(_NATIVE_ADDR, recipient, address(this).balance);
} else {
_transfer(tokens[i], recipient, IERC20(tokens[i]).balanceOf(address(this)));
}
}
}
//////////////////////////////////////////////////////////////
// //
// Modifiers //
// //
//////////////////////////////////////////////////////////////
/// @dev Check that no nonce has been consumed in the last 3 days - emergency
modifier timeoutEmergency() {
require(
block.timestamp - getKeyManager().getLastValidateTime() >= _AGG_KEY_EMERGENCY_TIMEOUT,
"Vault: not enough time"
);
_;
}
//////////////////////////////////////////////////////////////
// //
// Fallbacks //
// //
//////////////////////////////////////////////////////////////
/// @dev For receiving native tokens from the Deposit contracts
receive() external payable {
emit FetchedNative(msg.sender, msg.value);
}
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (token/ERC20/utils/SafeERC20.sol)
pragma solidity ^0.8.0;
import "IERC20.sol";
import "draft-IERC20Permit.sol";
import "Address.sol";
/**
* @title SafeERC20
* @dev Wrappers around ERC20 operations that throw on failure (when the token
* contract returns false). Tokens that return no value (and instead revert or
* throw on failure) are also supported, non-reverting calls are assumed to be
* successful.
* To use this library you can add a `using SafeERC20 for IERC20;` statement to your contract,
* which allows you to call the safe operations as `token.safeTransfer(...)`, etc.
*/
library SafeERC20 {
using Address for address;
function safeTransfer(
IERC20 token,
address to,
uint256 value
) internal {
_callOptionalReturn(token, abi.encodeWithSelector(token.transfer.selector, to, value));
}
function safeTransferFrom(
IERC20 token,
address from,
address to,
uint256 value
) internal {
_callOptionalReturn(token, abi.encodeWithSelector(token.transferFrom.selector, from, to, value));
}
/**
* @dev Deprecated. This function has issues similar to the ones found in
* {IERC20-approve}, and its usage is discouraged.
*
* Whenever possible, use {safeIncreaseAllowance} and
* {safeDecreaseAllowance} instead.
*/
function safeApprove(
IERC20 token,
address spender,
uint256 value
) internal {
// safeApprove should only be called when setting an initial allowance,
// or when resetting it to zero. To increase and decrease it, use
// 'safeIncreaseAllowance' and 'safeDecreaseAllowance'
require(
(value == 0) || (token.allowance(address(this), spender) == 0),
"SafeERC20: approve from non-zero to non-zero allowance"
);
_callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, value));
}
function safeIncreaseAllowance(
IERC20 token,
address spender,
uint256 value
) internal {
uint256 newAllowance = token.allowance(address(this), spender) + value;
_callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, newAllowance));
}
function safeDecreaseAllowance(
IERC20 token,
address spender,
uint256 value
) internal {
unchecked {
uint256 oldAllowance = token.allowance(address(this), spender);
require(oldAllowance >= value, "SafeERC20: decreased allowance below zero");
uint256 newAllowance = oldAllowance - value;
_callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, newAllowance));
}
}
function safePermit(
IERC20Permit token,
address owner,
address spender,
uint256 value,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) internal {
uint256 nonceBefore = token.nonces(owner);
token.permit(owner, spender, value, deadline, v, r, s);
uint256 nonceAfter = token.nonces(owner);
require(nonceAfter == nonceBefore + 1, "SafeERC20: permit did not succeed");
}
/**
* @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
* on the return value: the return value is optional (but if data is returned, it must not be false).
* @param token The token targeted by the call.
* @param data The call data (encoded using abi.encode or one of its variants).
*/
function _callOptionalReturn(IERC20 token, bytes memory data) private {
// We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
// we're implementing it ourselves. We use {Address-functionCall} to perform this call, which verifies that
// the target address contains contract code and also asserts for success in the low-level call.
bytes memory returndata = address(token).functionCall(data, "SafeERC20: low-level call failed");
if (returndata.length > 0) {
// Return data is optional
require(abi.decode(returndata, (bool)), "SafeERC20: ERC20 operation did not succeed");
}
}
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (token/ERC20/IERC20.sol)
pragma solidity ^0.8.0;
/**
* @dev Interface of the ERC20 standard as defined in the EIP.
*/
interface IERC20 {
/**
* @dev Emitted when `value` tokens are moved from one account (`from`) to
* another (`to`).
*
* Note that `value` may be zero.
*/
event Transfer(address indexed from, address indexed to, uint256 value);
/**
* @dev Emitted when the allowance of a `spender` for an `owner` is set by
* a call to {approve}. `value` is the new allowance.
*/
event Approval(address indexed owner, address indexed spender, uint256 value);
/**
* @dev Returns the amount of tokens in existence.
*/
function totalSupply() external view returns (uint256);
/**
* @dev Returns the amount of tokens owned by `account`.
*/
function balanceOf(address account) external view returns (uint256);
/**
* @dev Moves `amount` tokens from the caller's account to `to`.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transfer(address to, uint256 amount) external returns (bool);
/**
* @dev Returns the remaining number of tokens that `spender` will be
* allowed to spend on behalf of `owner` through {transferFrom}. This is
* zero by default.
*
* This value changes when {approve} or {transferFrom} are called.
*/
function allowance(address owner, address spender) external view returns (uint256);
/**
* @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* IMPORTANT: Beware that changing an allowance with this method brings the risk
* that someone may use both the old and the new allowance by unfortunate
* transaction ordering. One possible solution to mitigate this race
* condition is to first reduce the spender's allowance to 0 and set the
* desired value afterwards:
* https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
*
* Emits an {Approval} event.
*/
function approve(address spender, uint256 amount) external returns (bool);
/**
* @dev Moves `amount` tokens from `from` to `to` using the
* allowance mechanism. `amount` is then deducted from the caller's
* allowance.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transferFrom(
address from,
address to,
uint256 amount
) external returns (bool);
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (token/ERC20/extensions/draft-IERC20Permit.sol)
pragma solidity ^0.8.0;
/**
* @dev Interface of the ERC20 Permit extension allowing approvals to be made via signatures, as defined in
* https://eips.ethereum.org/EIPS/eip-2612[EIP-2612].
*
* Adds the {permit} method, which can be used to change an account's ERC20 allowance (see {IERC20-allowance}) by
* presenting a message signed by the account. By not relying on {IERC20-approve}, the token holder account doesn't
* need to send a transaction, and thus is not required to hold Ether at all.
*/
interface IERC20Permit {
/**
* @dev Sets `value` as the allowance of `spender` over ``owner``'s tokens,
* given ``owner``'s signed approval.
*
* IMPORTANT: The same issues {IERC20-approve} has related to transaction
* ordering also apply here.
*
* Emits an {Approval} event.
*
* Requirements:
*
* - `spender` cannot be the zero address.
* - `deadline` must be a timestamp in the future.
* - `v`, `r` and `s` must be a valid `secp256k1` signature from `owner`
* over the EIP712-formatted function arguments.
* - the signature must use ``owner``'s current nonce (see {nonces}).
*
* For more information on the signature format, see the
* https://eips.ethereum.org/EIPS/eip-2612#specification[relevant EIP
* section].
*/
function permit(
address owner,
address spender,
uint256 value,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external;
/**
* @dev Returns the current nonce for `owner`. This value must be
* included whenever a signature is generated for {permit}.
*
* Every successful call to {permit} increases ``owner``'s nonce by one. This
* prevents a signature from being used multiple times.
*/
function nonces(address owner) external view returns (uint256);
/**
* @dev Returns the domain separator used in the encoding of the signature for {permit}, as defined by {EIP712}.
*/
// solhint-disable-next-line func-name-mixedcase
function DOMAIN_SEPARATOR() external view returns (bytes32);
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (utils/Address.sol)
pragma solidity ^0.8.1;
/**
* @dev Collection of functions related to the address type
*/
library Address {
/**
* @dev Returns true if `account` is a contract.
*
* [IMPORTANT]
* ====
* It is unsafe to assume that an address for which this function returns
* false is an externally-owned account (EOA) and not a contract.
*
* Among others, `isContract` will return false for the following
* types of addresses:
*
* - an externally-owned account
* - a contract in construction
* - an address where a contract will be created
* - an address where a contract lived, but was destroyed
* ====
*
* [IMPORTANT]
* ====
* You shouldn't rely on `isContract` to protect against flash loan attacks!
*
* Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
* like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
* constructor.
* ====
*/
function isContract(address account) internal view returns (bool) {
// This method relies on extcodesize/address.code.length, which returns 0
// for contracts in construction, since the code is only stored at the end
// of the constructor execution.
return account.code.length > 0;
}
/**
* @dev Replacement for Solidity's `transfer`: sends `amount` wei to
* `recipient`, forwarding all available gas and reverting on errors.
*
* https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
* of certain opcodes, possibly making contracts go over the 2300 gas limit
* imposed by `transfer`, making them unable to receive funds via
* `transfer`. {sendValue} removes this limitation.
*
* https://diligence.consensys.net/posts/2019/09/stop-using-soliditys-transfer-now/[Learn more].
*
* IMPORTANT: because control is transferred to `recipient`, care must be
* taken to not create reentrancy vulnerabilities. Consider using
* {ReentrancyGuard} or the
* https://solidity.readthedocs.io/en/v0.5.11/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
*/
function sendValue(address payable recipient, uint256 amount) internal {
require(address(this).balance >= amount, "Address: insufficient balance");
(bool success, ) = recipient.call{value: amount}("");
require(success, "Address: unable to send value, recipient may have reverted");
}
/**
* @dev Performs a Solidity function call using a low level `call`. A
* plain `call` is an unsafe replacement for a function call: use this
* function instead.
*
* If `target` reverts with a revert reason, it is bubbled up by this
* function (like regular Solidity function calls).
*
* Returns the raw returned data. To convert to the expected return value,
* use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
*
* Requirements:
*
* - `target` must be a contract.
* - calling `target` with `data` must not revert.
*
* _Available since v3.1._
*/
function functionCall(address target, bytes memory data) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, "Address: low-level call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
* `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but also transferring `value` wei to `target`.
*
* Requirements:
*
* - the calling contract must have an ETH balance of at least `value`.
* - the called Solidity function must be `payable`.
*
* _Available since v3.1._
*/
function functionCallWithValue(
address target,
bytes memory data,
uint256 value
) internal returns (bytes memory) {
return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
}
/**
* @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
* with `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCallWithValue(
address target,
bytes memory data,
uint256 value,
string memory errorMessage
) internal returns (bytes memory) {
require(address(this).balance >= value, "Address: insufficient balance for call");
(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
return functionStaticCall(target, data, "Address: low-level static call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(
address target,
bytes memory data,
string memory errorMessage
) internal view returns (bytes memory) {
(bool success, bytes memory returndata) = target.staticcall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
return functionDelegateCall(target, data, "Address: low-level delegate call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
(bool success, bytes memory returndata) = target.delegatecall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
* the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
*
* _Available since v4.8._
*/
function verifyCallResultFromTarget(
address target,
bool success,
bytes memory returndata,
string memory errorMessage
) internal view returns (bytes memory) {
if (success) {
if (returndata.length == 0) {
// only check isContract if the call was successful and the return data is empty
// otherwise we already know that it was a contract
require(isContract(target), "Address: call to non-contract");
}
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
/**
* @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
* revert reason or using the provided one.
*
* _Available since v4.3._
*/
function verifyCallResult(
bool success,
bytes memory returndata,
string memory errorMessage
) internal pure returns (bytes memory) {
if (success) {
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
function _revert(bytes memory returndata, string memory errorMessage) private pure {
// Look for revert reason and bubble it up if present
if (returndata.length > 0) {
// The easiest way to bubble the revert reason is using memory via assembly
/// @solidity memory-safe-assembly
assembly {
let returndata_size := mload(returndata)
revert(add(32, returndata), returndata_size)
}
} else {
revert(errorMessage);
}
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IAggKeyNonceConsumer.sol";
import "IGovernanceCommunityGuarded.sol";
import "IMulticall.sol";
/**
* @title Vault interface
* @notice The interface for functions Vault implements
*/
interface IVault is IGovernanceCommunityGuarded, IAggKeyNonceConsumer {
event FetchedNative(address indexed sender, uint256 amount);
event TransferNativeFailed(address payable indexed recipient, uint256 amount);
event TransferTokenFailed(address payable indexed recipient, uint256 amount, address indexed token, bytes reason);
event SwapNative(
uint32 dstChain,
bytes dstAddress,
uint32 dstToken,
uint256 amount,
address indexed sender,
bytes cfParameters
);
event SwapToken(
uint32 dstChain,
bytes dstAddress,
uint32 dstToken,
address srcToken,
uint256 amount,
address indexed sender,
bytes cfParameters
);
/// @dev bytes parameters is not indexed because indexing a dynamic type for it to be filtered
/// makes it so we won't be able to decode it unless we specifically search for it. If we want
/// to filter it and decode it then we would need to have both the indexed and the non-indexed
/// version in the event. That is unnecessary.
event XCallNative(
uint32 dstChain,
bytes dstAddress,
uint32 dstToken,
uint256 amount,
address indexed sender,
bytes message,
uint256 gasAmount,
bytes cfParameters
);
event XCallToken(
uint32 dstChain,
bytes dstAddress,
uint32 dstToken,
address srcToken,
uint256 amount,
address indexed sender,
bytes message,
uint256 gasAmount,
bytes cfParameters
);
event AddGasNative(bytes32 swapID, uint256 amount);
event AddGasToken(bytes32 swapID, uint256 amount, address token);
event ExecuteActionsFailed(
address payable indexed multicallAddress,
uint256 amount,
address indexed token,
bytes reason
);
function allBatch(
SigData calldata sigData,
DeployFetchParams[] calldata deployFetchParamsArray,
FetchParams[] calldata fetchParamsArray,
TransferParams[] calldata transferParamsArray
) external;
function allBatchV2(
SigData calldata sigData,
FetchParams[] calldata fetchParamsArray,
TransferParams[] calldata transferParamsArray
) external;
//////////////////////////////////////////////////////////////
// //
// Transfers //
// //
//////////////////////////////////////////////////////////////
function transfer(SigData calldata sigData, TransferParams calldata transferParams) external;
function transferBatch(SigData calldata sigData, TransferParams[] calldata transferParamsArray) external;
//////////////////////////////////////////////////////////////
// //
// Fetch Deposits //
// //
//////////////////////////////////////////////////////////////
function deployAndFetchBatch(
SigData calldata sigData,
DeployFetchParams[] calldata deployFetchParamsArray
) external;
function fetchBatch(SigData calldata sigData, FetchParams[] calldata fetchParamsArray) external;
//////////////////////////////////////////////////////////////
// //
// Initiate cross-chain swaps (source chain) //
// //
//////////////////////////////////////////////////////////////
function xSwapToken(
uint32 dstChain,
bytes calldata dstAddress,
uint32 dstToken,
IERC20 srcToken,
uint256 amount,
bytes calldata cfParameters
) external;
function xSwapNative(
uint32 dstChain,
bytes calldata dstAddress,
uint32 dstToken,
bytes calldata cfParameters
) external payable;
//////////////////////////////////////////////////////////////
// //
// Initiate cross-chain call and swap (source chain) //
// //
//////////////////////////////////////////////////////////////
function xCallNative(
uint32 dstChain,
bytes calldata dstAddress,
uint32 dstToken,
bytes calldata message,
uint256 gasAmount,
bytes calldata cfParameters
) external payable;
function xCallToken(
uint32 dstChain,
bytes calldata dstAddress,
uint32 dstToken,
bytes calldata message,
uint256 gasAmount,
IERC20 srcToken,
uint256 amount,
bytes calldata cfParameters
) external;
//////////////////////////////////////////////////////////////
// //
// Gas topups //
// //
//////////////////////////////////////////////////////////////
function addGasNative(bytes32 swapID) external payable;
function addGasToken(bytes32 swapID, uint256 amount, IERC20 token) external;
//////////////////////////////////////////////////////////////
// //
// Execute cross-chain call and swap (dest. chain) //
// //
//////////////////////////////////////////////////////////////
function executexSwapAndCall(
SigData calldata sigData,
TransferParams calldata transferParams,
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message
) external;
//////////////////////////////////////////////////////////////
// //
// Execute cross-chain call (dest. chain) //
// //
//////////////////////////////////////////////////////////////
function executexCall(
SigData calldata sigData,
address recipient,
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message
) external;
//////////////////////////////////////////////////////////////
// //
// Auxiliary chain actions //
// //
//////////////////////////////////////////////////////////////
function executeActions(
SigData calldata sigData,
TransferParams calldata transferParams,
IMulticall.Call[] calldata calls,
uint256 gasMulticall
) external;
//////////////////////////////////////////////////////////////
// //
// Governance //
// //
//////////////////////////////////////////////////////////////
function govWithdraw(address[] calldata tokens) external;
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
import "IKeyManager.sol";
/**
* @title AggKeyNonceConsumer interface
*/
interface IAggKeyNonceConsumer is IShared {
event UpdatedKeyManager(address keyManager);
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Update KeyManager reference. Used if KeyManager contract is updated
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param keyManager New KeyManager's address
* @param omitChecks Allow the omission of the extra checks in a special case
*/
function updateKeyManager(SigData calldata sigData, IKeyManager keyManager, bool omitChecks) external;
//////////////////////////////////////////////////////////////
// //
// Getters //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Get the KeyManager address/interface that's used to validate sigs
* @return The KeyManager (IKeyManager)
*/
function getKeyManager() external view returns (IKeyManager);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IERC20.sol";
/**
* @title Shared interface
* @notice Holds structs needed by other interfaces
*/
interface IShared {
/**
* @dev SchnorrSECP256K1 requires that each key has a public key part (x coordinate),
* a parity for the y coordinate (0 if the y ordinate of the public key is even, 1
* if it's odd)
*/
struct Key {
uint256 pubKeyX;
uint8 pubKeyYParity;
}
/**
* @dev Contains a signature and the nonce used to create it. Also the recovered address
* to check that the signature is valid
*/
struct SigData {
uint256 sig;
uint256 nonce;
address kTimesGAddress;
}
/**
* @param token The address of the token to be transferred
* @param recipient The address of the recipient of the transfer
* @param amount The amount to transfer, in wei (uint)
*/
struct TransferParams {
address token;
address payable recipient;
uint256 amount;
}
/**
* @param swapID The unique identifier for this swap (bytes32), used for create2
* @param token The token to be transferred
*/
struct DeployFetchParams {
bytes32 swapID;
address token;
}
/**
* @param fetchContract The address of the deployed Deposit contract
* @param token The token to be transferred
*/
struct FetchParams {
address payable fetchContract;
address token;
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
/**
* @title KeyManager interface
* @notice The interface for functions KeyManager implements
*/
interface IKeyManager is IShared {
event AggKeySetByAggKey(Key oldAggKey, Key newAggKey);
event AggKeySetByGovKey(Key oldAggKey, Key newAggKey);
event GovKeySetByAggKey(address oldGovKey, address newGovKey);
event GovKeySetByGovKey(address oldGovKey, address newGovKey);
event CommKeySetByAggKey(address oldCommKey, address newCommKey);
event CommKeySetByCommKey(address oldCommKey, address newCommKey);
event SignatureAccepted(SigData sigData, address signer);
event GovernanceAction(bytes32 message);
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
function consumeKeyNonce(SigData memory sigData, bytes32 contractMsgHash) external;
function setAggKeyWithAggKey(SigData memory sigData, Key memory newAggKey) external;
function setAggKeyWithGovKey(Key memory newAggKey) external;
function setGovKeyWithAggKey(SigData calldata sigData, address newGovKey) external;
function setGovKeyWithGovKey(address newGovKey) external;
function setCommKeyWithAggKey(SigData calldata sigData, address newCommKey) external;
function setCommKeyWithCommKey(address newCommKey) external;
function govAction(bytes32 message) external;
//////////////////////////////////////////////////////////////
// //
// Non-state-changing functions //
// //
//////////////////////////////////////////////////////////////
function getAggregateKey() external view returns (Key memory);
function getGovernanceKey() external view returns (address);
function getCommunityKey() external view returns (address);
function isNonceUsedByAggKey(uint256 nonce) external view returns (bool);
function getLastValidateTime() external view returns (uint256);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
/**
* @title GovernanceCommunityGuarded interface
*/
interface IGovernanceCommunityGuarded is IShared {
event CommunityGuardDisabled(bool communityGuardDisabled);
event Suspended(bool suspended);
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Enable Community Guard
*/
function enableCommunityGuard() external;
/**
* @notice Disable Community Guard
*/
function disableCommunityGuard() external;
/**
* @notice Can be used to suspend contract execution - only executable by
* governance and only to be used in case of emergency.
*/
function suspend() external;
/**
* @notice Resume contract execution
*/
function resume() external;
//////////////////////////////////////////////////////////////
// //
// Getters //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Get the Community Key
* @return The CommunityKey
*/
function getCommunityKey() external view returns (address);
/**
* @notice Get the Community Guard state
* @return The Community Guard state
*/
function getCommunityGuardDisabled() external view returns (bool);
/**
* @notice Get suspended state
* @return The suspended state
*/
function getSuspendedState() external view returns (bool);
/**
* @notice Get governor address
* @return The governor address
*/
function getGovernor() external view returns (address);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IMulticall {
enum CallType {
Default,
FullTokenBalance,
FullNativeBalance,
CollectTokenBalance
}
struct Call {
CallType callType;
address target;
uint256 value;
bytes callData;
bytes payload;
}
error AlreadyRunning();
error CallFailed(uint256 callPosition, bytes reason);
function run(Call[] calldata calls, address tokenIn, uint256 amountIn) external payable;
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/**
* @title CF Receiver interface
* @dev The ICFReceiver interface is the interface required to receive tokens and
* cross-chain calls from the Chainflip Protocol.
*/
interface ICFReceiver {
/**
* @notice Receiver of a cross-chain swap and call made by the Chainflip Protocol.
* @param srcChain The source chain according to the Chainflip Protocol's nomenclature.
* @param srcAddress Bytes containing the source address on the source chain.
* @param message The message sent on the source chain. This is a general purpose message.
* @param token Address of the token received. _NATIVE_ADDR if it's native tokens.
* @param amount Amount of tokens received. This will match msg.value for native tokens.
*/
function cfReceive(
uint32 srcChain,
bytes calldata srcAddress,
bytes calldata message,
address token,
uint256 amount
) external payable;
/**
* @notice Receiver of a cross-chain call made by the Chainflip Protocol.
* @param srcChain The source chain according to the Chainflip Protocol's nomenclature.
* @param srcAddress Bytes containing the source address on the source chain.
* @param message The message sent on the source chain. This is a general purpose message.
*/
function cfReceivexCall(uint32 srcChain, bytes calldata srcAddress, bytes calldata message) external;
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
/**
* @title Shared contract
* @notice Holds constants and modifiers that are used in multiple contracts
* @dev It would be nice if this could be a library, but modifiers can't be exported :(
*/
abstract contract Shared is IShared {
/// @dev The address used to indicate whether transfer should send native or a token
address internal constant _NATIVE_ADDR = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;
address internal constant _ZERO_ADDR = address(0);
bytes32 internal constant _NULL = "";
uint256 internal constant _E_18 = 1e18;
/// @dev Checks that a uint isn't zero/empty
modifier nzUint(uint256 u) {
require(u != 0, "Shared: uint input is empty");
_;
}
/// @dev Checks that an address isn't zero/empty
modifier nzAddr(address a) {
require(a != _ZERO_ADDR, "Shared: address input is empty");
_;
}
/// @dev Checks that a bytes32 isn't zero/empty
modifier nzBytes32(bytes32 b) {
require(b != _NULL, "Shared: bytes32 input is empty");
_;
}
/// @dev Checks that the pubKeyX is populated
modifier nzKey(Key memory key) {
require(key.pubKeyX != 0, "Shared: pubKeyX is empty");
_;
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IERC20Lite.sol";
/**
* @title Deposit contract
* @notice Creates a contract with a known address and withdraws tokens from it.
* After deployment, the Vault will call fetch() to withdraw tokens.
* @dev Any change in this contract, including comments, will affect the final
* bytecode and therefore will affect the create2 derived addresses.
* Do NOT modify unless the consequences of doing so are fully understood.
*/
contract Deposit {
address payable private immutable vault;
/**
* @notice Upon deployment it fetches the tokens (native or ERC20) to the Vault.
* @param token The address of the token to fetch
*/
constructor(address token) {
vault = payable(msg.sender);
// Slightly cheaper to use msg.sender instead of Vault.
if (token == 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE) {
// solhint-disable-next-line avoid-low-level-calls
(bool success, ) = msg.sender.call{value: address(this).balance}("");
require(success);
} else {
// IERC20Lite.transfer doesn't have a return bool to avoid reverts on non-standard ERC20s
IERC20Lite(token).transfer(msg.sender, IERC20Lite(token).balanceOf(address(this)));
}
}
/**
* @notice Allows the Vault to fetch ERC20 tokens from this contract.
* @param token The address of the token to fetch
*/
function fetch(address token) external {
require(msg.sender == vault);
// IERC20Lite.transfer doesn't have a return bool to avoid reverts on non-standard ERC20s
IERC20Lite(token).transfer(msg.sender, IERC20Lite(token).balanceOf(address(this)));
}
/// @notice Receives native tokens, emits an event and sends them to the Vault. Note that this
// requires the sender to forward some more gas than for a simple transfer.
receive() external payable {
// solhint-disable-next-line avoid-low-level-calls
(bool success, ) = vault.call{value: address(this).balance}("");
require(success);
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/**
* @title ERC20 Lite Interface
* @notice The interface for functions ERC20Lite implements. This is intended to
* be used only in the Deposit contract.
* @dev Any change in this contract, including comments, will affect the final
* bytecode and therefore will affect the create2 derived addresses.
* Do NOT modify unless the consequences of doing so are fully understood.
*/
interface IERC20Lite {
/// @dev Removed the return bool to avoid reverts on non-standard ERC20s.
function transfer(address, uint256) external;
function balanceOf(address) external view returns (uint256);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IKeyManager.sol";
import "IAggKeyNonceConsumer.sol";
import "Shared.sol";
/**
* @title AggKeyNonceConsumer contract
* @notice Manages the reference to the KeyManager contract. The address
* is set in the constructor and can only be updated with a valid
* signature validated by the current KeyManager contract. This shall
* be done if the KeyManager contract is updated.
*/
abstract contract AggKeyNonceConsumer is Shared, IAggKeyNonceConsumer {
/// @dev The KeyManager used to checks sigs used in functions here
IKeyManager private _keyManager;
constructor(IKeyManager keyManager) nzAddr(address(keyManager)) {
_keyManager = keyManager;
}
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Update KeyManager reference. Used if KeyManager contract is updated
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param keyManager New KeyManager's address
* @param omitChecks Allow the omission of the extra checks in a special case
*/
function updateKeyManager(
SigData calldata sigData,
IKeyManager keyManager,
bool omitChecks
)
external
override
nzAddr(address(keyManager))
consumesKeyNonce(sigData, keccak256(abi.encode(this.updateKeyManager.selector, keyManager, omitChecks)))
{
// Check that the new KeyManager is a contract
require(address(keyManager).code.length > 0);
// Allow the child to check compatibility with the new KeyManager
_checkUpdateKeyManager(keyManager, omitChecks);
_keyManager = keyManager;
emit UpdatedKeyManager(address(keyManager));
}
/// @dev This will be called when upgrading to a new KeyManager. This allows the child's contract
/// to check its compatibility with the new KeyManager. This is to prevent the contract from
// getting bricked. There is no good way to enforce the implementation of consumeKeyNonce().
function _checkUpdateKeyManager(IKeyManager keyManager, bool omitChecks) internal view virtual;
//////////////////////////////////////////////////////////////
// //
// Getters //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Get the KeyManager address/interface that's used to validate sigs
* @return The KeyManager (IKeyManager)
*/
function getKeyManager() public view override returns (IKeyManager) {
return _keyManager;
}
//////////////////////////////////////////////////////////////
// //
// Modifiers //
// //
//////////////////////////////////////////////////////////////
/// @dev Calls consumeKeyNonce in _keyManager
modifier consumesKeyNonce(SigData calldata sigData, bytes32 contractMsgHash) {
getKeyManager().consumeKeyNonce(sigData, contractMsgHash);
_;
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IGovernanceCommunityGuarded.sol";
import "AggKeyNonceConsumer.sol";
import "Shared.sol";
/**
* @title GovernanceCommunityGuarded contract
* @notice Allows the governor to perform certain actions for the procotol's safety in
* case of emergency. The aim is to allow the governor to suspend execution of
* critical functions.
* Also, it allows the CommunityKey to safeguard certain functions so the
* governor can execute them iff the communityKey allows it.
*/
abstract contract GovernanceCommunityGuarded is Shared, IGovernanceCommunityGuarded {
/// @dev Community Guard Disabled
bool private _communityGuardDisabled;
/// @dev Whether execution is suspended
bool private _suspended = false;
/**
* @notice Get the governor's address. The contracts inheriting this (StateChainGateway and Vault)
* get the governor's address from the KeyManager through the AggKeyNonceConsumer's
* inheritance. Therefore, the implementation of this function must be left
* to the children. This is not implemented as a virtual onlyGovernor modifier to force
* the children to implement this function - virtual modifiers don't enforce that.
* @return The governor's address
*/
function _getGovernor() internal view virtual returns (address);
/**
* @notice Get the community's address. The contracts inheriting this (StateChainGateway and Vault)
* get the community's address from the KeyManager through the AggKeyNonceConsumer's
* inheritance. Therefore, the implementation of this function must be left
* to the children. This is not implemented as a virtual onlyCommunityKey modifier to force
* the children to implement this function - virtual modifiers don't enforce that.
* @return The community's address
*/
function _getCommunityKey() internal view virtual returns (address);
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Enable Community Guard
*/
function enableCommunityGuard() external override onlyCommunityKey onlyCommunityGuardDisabled {
_communityGuardDisabled = false;
emit CommunityGuardDisabled(false);
}
/**
* @notice Disable Community Guard
*/
function disableCommunityGuard() external override onlyCommunityKey onlyCommunityGuardEnabled {
_communityGuardDisabled = true;
emit CommunityGuardDisabled(true);
}
/**
* @notice Can be used to suspend contract execution - only executable by
* governance and only to be used in case of emergency.
*/
function suspend() external override onlyGovernor onlyNotSuspended {
_suspended = true;
emit Suspended(true);
}
/**
* @notice Resume contract execution
*/
function resume() external override onlyGovernor onlySuspended {
_suspended = false;
emit Suspended(false);
}
//////////////////////////////////////////////////////////////
// //
// Getters //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Get the Community Key
* @return The CommunityKey
*/
function getCommunityKey() external view override returns (address) {
return _getCommunityKey();
}
/**
* @notice Get the Community Guard state
* @return The Community Guard state
*/
function getCommunityGuardDisabled() external view override returns (bool) {
return _communityGuardDisabled;
}
/**
* @notice Get suspended state
* @return The suspended state
*/
function getSuspendedState() external view override returns (bool) {
return _suspended;
}
/**
* @notice Get governor address
* @return The governor address
*/
function getGovernor() external view override returns (address) {
return _getGovernor();
}
//////////////////////////////////////////////////////////////
// //
// Modifiers //
// //
//////////////////////////////////////////////////////////////
/// @dev Check that the caller is the Community Key address.
modifier onlyCommunityKey() {
require(msg.sender == _getCommunityKey(), "Governance: not Community Key");
_;
}
/// @dev Check that community has disabled the community guard.
modifier onlyCommunityGuardDisabled() {
require(_communityGuardDisabled, "Governance: community guard enabled");
_;
}
/// @dev Check that community has disabled the community guard.
modifier onlyCommunityGuardEnabled() {
require(!_communityGuardDisabled, "Governance: community guard disabled");
_;
}
/// @notice Ensure that the caller is the governor address. Calls the getGovernor
/// function which is implemented by the children.
modifier onlyGovernor() {
require(msg.sender == _getGovernor(), "Governance: not governor");
_;
}
// @notice Check execution is suspended
modifier onlySuspended() {
require(_suspended, "Governance: not suspended");
_;
}
// @notice Check execution is not suspended
modifier onlyNotSuspended() {
require(!_suspended, "Governance: suspended");
_;
}
}
File 2 of 2: KeyManager
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IKeyManager.sol";
import "SchnorrSECP256K1.sol";
import "Shared.sol";
/**
* @title KeyManager contract
* @notice Holds the aggregate and governance keys, functions to update them, and
* consumeKeyNonce so other contracts can verify signatures and updates _lastValidateTime
*/
contract KeyManager is SchnorrSECP256K1, Shared, IKeyManager {
uint256 private constant _AGG_KEY_TIMEOUT = 2 days;
/// @dev The current (schnorr) aggregate key.
Key private _aggKey;
/// @dev The current governance key.
address private _govKey;
/// @dev The current community key.
address private _commKey;
/// @dev The last time that a sig was verified (used for a dead man's switch)
uint256 private _lastValidateTime;
mapping(uint256 => bool) private _isNonceUsedByAggKey;
constructor(
Key memory initialAggKey,
address initialGovKey,
address initialCommKey
) nzAddr(initialGovKey) nzAddr(initialCommKey) nzKey(initialAggKey) validAggKey(initialAggKey) {
_aggKey = initialAggKey;
_govKey = initialGovKey;
_commKey = initialCommKey;
_lastValidateTime = block.timestamp;
}
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Checks the validity of a signature and msgHash, then updates _lastValidateTime
* @dev It would be nice to split this up, but these checks
* need to be made atomicly always. This needs to be available
* in this contract and in the Vault etc
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param msgHash The hash of the message being signed. The hash of the function
* call parameters is concatenated and hashed together with the nonce, the
* address of the caller, the chainId, and the address of this contract.
*/
function _consumeKeyNonce(SigData calldata sigData, bytes32 msgHash) internal {
Key memory key = _aggKey;
require(
verifySignature(msgHash, sigData.sig, key.pubKeyX, key.pubKeyYParity, sigData.kTimesGAddress),
"KeyManager: Sig invalid"
);
require(!_isNonceUsedByAggKey[sigData.nonce], "KeyManager: nonce already used");
_lastValidateTime = block.timestamp;
_isNonceUsedByAggKey[sigData.nonce] = true;
// Disable because tx.origin is not being used in the logic
// solhint-disable-next-line avoid-tx-origin
emit SignatureAccepted(sigData, tx.origin);
}
/**
* @notice Concatenates the contractMsgHash with the nonce, the address of the caller,
* the chainId, and the address of this contract, then hashes that and verifies the
* signature. This is done to prevent replay attacks.
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param contractMsgHash The hash of the function's call parameters. This will be hashed
* over other parameters to prevent replay attacks.
*/
function consumeKeyNonce(SigData calldata sigData, bytes32 contractMsgHash) external override {
bytes32 msgHash = keccak256(
abi.encode(contractMsgHash, sigData.nonce, msg.sender, block.chainid, address(this))
);
_consumeKeyNonce(sigData, msgHash);
}
/**
* @notice Set a new aggregate key. Requires a signature from the current aggregate key
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param newAggKey The new aggregate key to be set. The x component of the pubkey (uint256),
* the parity of the y component (uint8)
*/
function setAggKeyWithAggKey(
SigData calldata sigData,
Key calldata newAggKey
)
external
override
nzKey(newAggKey)
validAggKey(newAggKey)
consumeKeyNonceKeyManager(sigData, keccak256(abi.encode(this.setAggKeyWithAggKey.selector, newAggKey)))
{
emit AggKeySetByAggKey(_aggKey, newAggKey);
_aggKey = newAggKey;
}
/**
* @notice Set a new aggregate key. Can only be called by the current governance key
* @param newAggKey The new aggregate key to be set. The x component of the pubkey (uint256),
* the parity of the y component (uint8)
*/
function setAggKeyWithGovKey(
Key calldata newAggKey
) external override nzKey(newAggKey) validAggKey(newAggKey) timeoutEmergency onlyGovernor {
emit AggKeySetByGovKey(_aggKey, newAggKey);
_aggKey = newAggKey;
}
/**
* @notice Set a new aggregate key. Requires a signature from the current aggregate key
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param newGovKey The new governance key to be set.
*/
function setGovKeyWithAggKey(
SigData calldata sigData,
address newGovKey
)
external
override
nzAddr(newGovKey)
consumeKeyNonceKeyManager(sigData, keccak256(abi.encode(this.setGovKeyWithAggKey.selector, newGovKey)))
{
emit GovKeySetByAggKey(_govKey, newGovKey);
_govKey = newGovKey;
}
/**
* @notice Set a new governance key. Can only be called by current governance key
* @param newGovKey The new governance key to be set.
*/
function setGovKeyWithGovKey(address newGovKey) external override nzAddr(newGovKey) onlyGovernor {
emit GovKeySetByGovKey(_govKey, newGovKey);
_govKey = newGovKey;
}
/**
* @notice Set a new community key. Requires a signature from the current aggregate key
* @param sigData Struct containing the signature data over the message
* to verify, signed by the aggregate key.
* @param newCommKey The new community key to be set.
*/
function setCommKeyWithAggKey(
SigData calldata sigData,
address newCommKey
)
external
override
nzAddr(newCommKey)
consumeKeyNonceKeyManager(sigData, keccak256(abi.encode(this.setCommKeyWithAggKey.selector, newCommKey)))
{
emit CommKeySetByAggKey(_commKey, newCommKey);
_commKey = newCommKey;
}
/**
* @notice Update the Community Key. Can only be called by the current Community Key.
* @param newCommKey New Community key address.
*/
function setCommKeyWithCommKey(address newCommKey) external override onlyCommunityKey nzAddr(newCommKey) {
emit CommKeySetByCommKey(_commKey, newCommKey);
_commKey = newCommKey;
}
/**
* @notice Emit an event containing an action message. Can only be called by the governor.
*/
function govAction(bytes32 message) external override onlyGovernor {
emit GovernanceAction(message);
}
//////////////////////////////////////////////////////////////
// //
// Non-state-changing functions //
// //
//////////////////////////////////////////////////////////////
/**
* @notice Get the current aggregate key
* @return The Key struct for the aggregate key
*/
function getAggregateKey() external view override returns (Key memory) {
return _aggKey;
}
/**
* @notice Get the current governance key
* @return The Key struct for the governance key
*/
function getGovernanceKey() external view override returns (address) {
return _getGovernanceKey();
}
/**
* @notice Get the current community key
* @return The Key struct for the community key
*/
function getCommunityKey() external view override returns (address) {
return _getCommunityKey();
}
/**
* @notice Get the last time that a function was called which
* required a signature from _aggregateKeyData or _governanceKeyData
* @return The last time consumeKeyNonce was called, in unix time (uint256)
*/
function getLastValidateTime() external view override returns (uint256) {
return _lastValidateTime;
}
/**
* @notice Get whether or not the specific keyID has used this nonce before
* since it cannot be used again
* @return Whether the nonce has already been used (bool)
*/
function isNonceUsedByAggKey(uint256 nonce) external view override returns (bool) {
return _isNonceUsedByAggKey[nonce];
}
/**
* @notice Get the current governance key
* @return The Key struct for the governance key
*/
function _getGovernanceKey() internal view returns (address) {
return _govKey;
}
/**
* @notice Get the current community key
* @return The Key struct for the community key
*/
function _getCommunityKey() internal view returns (address) {
return _commKey;
}
//////////////////////////////////////////////////////////////
// //
// Modifiers //
// //
//////////////////////////////////////////////////////////////
/// @dev Check that enough time has passed for setAggKeyWithGovKey. Needs
/// to be done as a modifier so that it can happen before consumeKeyNonce
modifier timeoutEmergency() {
require(block.timestamp - _lastValidateTime >= _AGG_KEY_TIMEOUT, "KeyManager: not enough time");
_;
}
/// @dev Check that an aggregate key is capable of having its signatures
/// verified by the schnorr lib.
modifier validAggKey(Key memory key) {
verifySigningKeyX(key.pubKeyX);
_;
}
/// @dev Check that the sender is the governance address
modifier onlyGovernor() {
require(msg.sender == _getGovernanceKey(), "KeyManager: not governor");
_;
}
/// @dev Check that the caller is the Community Key address.
modifier onlyCommunityKey() {
require(msg.sender == _getCommunityKey(), "KeyManager: not Community Key");
_;
}
/// @dev For functions in this contract that require a signature from the aggregate key
// the msg.sender can't be hashed as anyone can make the call. Instead the
// address of this contract is used as the sender and hashed in the message.
modifier consumeKeyNonceKeyManager(SigData calldata sigData, bytes32 contractMsgHash) {
bytes32 msgHash = keccak256(
abi.encode(contractMsgHash, sigData.nonce, address(this), block.chainid, address(this))
);
_consumeKeyNonce(sigData, msgHash);
_;
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
/**
* @title KeyManager interface
* @notice The interface for functions KeyManager implements
*/
interface IKeyManager is IShared {
event AggKeySetByAggKey(Key oldAggKey, Key newAggKey);
event AggKeySetByGovKey(Key oldAggKey, Key newAggKey);
event GovKeySetByAggKey(address oldGovKey, address newGovKey);
event GovKeySetByGovKey(address oldGovKey, address newGovKey);
event CommKeySetByAggKey(address oldCommKey, address newCommKey);
event CommKeySetByCommKey(address oldCommKey, address newCommKey);
event SignatureAccepted(SigData sigData, address signer);
event GovernanceAction(bytes32 message);
//////////////////////////////////////////////////////////////
// //
// State-changing functions //
// //
//////////////////////////////////////////////////////////////
function consumeKeyNonce(SigData memory sigData, bytes32 contractMsgHash) external;
function setAggKeyWithAggKey(SigData memory sigData, Key memory newAggKey) external;
function setAggKeyWithGovKey(Key memory newAggKey) external;
function setGovKeyWithAggKey(SigData calldata sigData, address newGovKey) external;
function setGovKeyWithGovKey(address newGovKey) external;
function setCommKeyWithAggKey(SigData calldata sigData, address newCommKey) external;
function setCommKeyWithCommKey(address newCommKey) external;
function govAction(bytes32 message) external;
//////////////////////////////////////////////////////////////
// //
// Non-state-changing functions //
// //
//////////////////////////////////////////////////////////////
function getAggregateKey() external view returns (Key memory);
function getGovernanceKey() external view returns (address);
function getCommunityKey() external view returns (address);
function isNonceUsedByAggKey(uint256 nonce) external view returns (bool);
function getLastValidateTime() external view returns (uint256);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IERC20.sol";
/**
* @title Shared interface
* @notice Holds structs needed by other interfaces
*/
interface IShared {
/**
* @dev SchnorrSECP256K1 requires that each key has a public key part (x coordinate),
* a parity for the y coordinate (0 if the y ordinate of the public key is even, 1
* if it's odd)
*/
struct Key {
uint256 pubKeyX;
uint8 pubKeyYParity;
}
/**
* @dev Contains a signature and the nonce used to create it. Also the recovered address
* to check that the signature is valid
*/
struct SigData {
uint256 sig;
uint256 nonce;
address kTimesGAddress;
}
/**
* @param token The address of the token to be transferred
* @param recipient The address of the recipient of the transfer
* @param amount The amount to transfer, in wei (uint)
*/
struct TransferParams {
address token;
address payable recipient;
uint256 amount;
}
/**
* @param swapID The unique identifier for this swap (bytes32), used for create2
* @param token The token to be transferred
*/
struct DeployFetchParams {
bytes32 swapID;
address token;
}
/**
* @param fetchContract The address of the deployed Deposit contract
* @param token The token to be transferred
*/
struct FetchParams {
address payable fetchContract;
address token;
}
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (token/ERC20/IERC20.sol)
pragma solidity ^0.8.0;
/**
* @dev Interface of the ERC20 standard as defined in the EIP.
*/
interface IERC20 {
/**
* @dev Emitted when `value` tokens are moved from one account (`from`) to
* another (`to`).
*
* Note that `value` may be zero.
*/
event Transfer(address indexed from, address indexed to, uint256 value);
/**
* @dev Emitted when the allowance of a `spender` for an `owner` is set by
* a call to {approve}. `value` is the new allowance.
*/
event Approval(address indexed owner, address indexed spender, uint256 value);
/**
* @dev Returns the amount of tokens in existence.
*/
function totalSupply() external view returns (uint256);
/**
* @dev Returns the amount of tokens owned by `account`.
*/
function balanceOf(address account) external view returns (uint256);
/**
* @dev Moves `amount` tokens from the caller's account to `to`.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transfer(address to, uint256 amount) external returns (bool);
/**
* @dev Returns the remaining number of tokens that `spender` will be
* allowed to spend on behalf of `owner` through {transferFrom}. This is
* zero by default.
*
* This value changes when {approve} or {transferFrom} are called.
*/
function allowance(address owner, address spender) external view returns (uint256);
/**
* @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* IMPORTANT: Beware that changing an allowance with this method brings the risk
* that someone may use both the old and the new allowance by unfortunate
* transaction ordering. One possible solution to mitigate this race
* condition is to first reduce the spender's allowance to 0 and set the
* desired value afterwards:
* https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
*
* Emits an {Approval} event.
*/
function approve(address spender, uint256 amount) external returns (bool);
/**
* @dev Moves `amount` tokens from `from` to `to` using the
* allowance mechanism. `amount` is then deducted from the caller's
* allowance.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transferFrom(
address from,
address to,
uint256 amount
) external returns (bool);
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/// @notice Slightly modified from https://github.com/smartcontractkit/chainlink/pull/1272/files
abstract contract SchnorrSECP256K1 {
// See https://en.bitcoin.it/wiki/Secp256k1 for this constant.
// Group order of secp256k1
uint256 private constant Q =
// solium-disable-next-line indentation
0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
// solium-disable-next-line zeppelin/no-arithmetic-operations
uint256 private constant HALF_Q = (Q >> 1) + 1;
/** **************************************************************************
@notice verifySignature returns true iff passed a valid Schnorr signature.
@dev See https://en.wikipedia.org/wiki/Schnorr_signature for reference.
@dev In what follows, let d be your secret key, PK be your public key,
PKx be the x ordinate of your public key, and PKyp be the parity bit for
the y ordinate (i.e., 0 if PKy is even, 1 if odd.)
**************************************************************************
@dev TO CREATE A VALID SIGNATURE FOR THIS METHOD
@dev First PKx must be less than HALF_Q. Then follow these instructions
(see evm/test/schnorr_test.js, for an example of carrying them out):
@dev 1. Hash the target message to a bytes32, called msgHash here, using
keccak256
@dev 2. Pick k uniformly and cryptographically securely randomly from
{0,...,Q-1}. It is critical that k remains confidential, as your
private key can be reconstructed from k and the signature.
@dev 3. Compute k*g in the secp256k1 group, where g is the group
generator. (This is the same as computing the public key from the
secret key k. But it's OK if k*g's x ordinate is greater than
HALF_Q.)
@dev 4. Compute the ethereum address for k*g. This is the lower 160 bits
of the keccak hash of the concatenated affine coordinates of k*g,
as 32-byte big-endians. (For instance, you could pass k to
ethereumjs-utils's privateToAddress to compute this, though that
should be strictly a development convenience, not for handling
live secrets, unless you've locked your javascript environment
down very carefully.) Call this address
nonceTimesGeneratorAddress.
@dev 5. Compute e=uint256(keccak256(PKx as a 32-byte big-endian
‖ PKyp as a single byte
‖ msgHash
‖ nonceTimesGeneratorAddress))
This value e is called "msgChallenge" in verifySignature's source
code below. Here "‖" means concatenation of the listed byte
arrays.
@dev 6. Let d be your secret key. Compute s = (k - d * e) % Q. Add Q to
it, if it's negative. This is your signature. (d is your secret
key.)
**************************************************************************
@dev TO VERIFY A SIGNATURE
@dev Given a signature (s, e) of msgHash, constructed as above, compute
S=e*PK+s*generator in the secp256k1 group law, and then the ethereum
address of S, as described in step 4. Call that
nonceTimesGeneratorAddress. Then call the verifySignature method as:
@dev verifySignature(PKx, PKyp, s, msgHash,
nonceTimesGeneratorAddress)
**************************************************************************
@dev This signging scheme deviates slightly from the classical Schnorr
signature, in that the address of k*g is used in place of k*g itself,
both when calculating e and when verifying sum S as described in the
verification paragraph above. This reduces the difficulty of
brute-forcing a signature by trying random secp256k1 points in place of
k*g in the signature verification process from 256 bits to 160 bits.
However, the difficulty of cracking the public key using "baby-step,
giant-step" is only 128 bits, so this weakening constitutes no compromise
in the security of the signatures or the key.
@dev The constraint signingPubKeyX < HALF_Q comes from Eq. (281), p. 24
of Yellow Paper version 78d7b9a. ecrecover only accepts "s" inputs less
than HALF_Q, to protect against a signature- malleability vulnerability in
ECDSA. Schnorr does not have this vulnerability, but we must account for
ecrecover's defense anyway. And since we are abusing ecrecover by putting
signingPubKeyX in ecrecover's "s" argument the constraint applies to
signingPubKeyX, even though it represents a value in the base field, and
has no natural relationship to the order of the curve's cyclic group.
**************************************************************************
@param msgHash is a 256-bit hash of the message being signed.
@param signature is the actual signature, described as s in the above
instructions.
@param signingPubKeyX is the x ordinate of the public key. This must be
less than HALF_Q.
@param pubKeyYParity is 0 if the y ordinate of the public key is even, 1
if it's odd.
@param nonceTimesGeneratorAddress is the ethereum address of k*g in the
above instructions
**************************************************************************
@return True if passed a valid signature, false otherwise. */
function verifySignature(
bytes32 msgHash,
uint256 signature,
uint256 signingPubKeyX,
uint8 pubKeyYParity,
address nonceTimesGeneratorAddress
) internal pure returns (bool) {
require(signingPubKeyX < HALF_Q, "Public-key x >= HALF_Q");
// Avoid signature malleability from multiple representations for ℤ/Qℤ elts
require(signature < Q, "Sig must be reduced modulo Q");
// Forbid trivial inputs, to avoid ecrecover edge cases. The main thing to
// avoid is something which causes ecrecover to return 0x0: then trivial
// signatures could be constructed with the nonceTimesGeneratorAddress input
// set to 0x0.
//
// solium-disable-next-line indentation
require(
nonceTimesGeneratorAddress != address(0) && signingPubKeyX > 0 && signature > 0 && msgHash > 0,
"No zero inputs allowed"
);
uint256 msgChallenge = uint256(
keccak256(abi.encodePacked(signingPubKeyX, pubKeyYParity, msgHash, nonceTimesGeneratorAddress))
);
// Verify msgChallenge * signingPubKey + signature * generator ==
// nonce * generator
//
// https://ethresear.ch/t/you-can-kinda-abuse-ecrecover-to-do-ecmul-in-secp256k1-today/2384/9
// The point corresponding to the address returned by
// ecrecover(-s*r,v,r,e*r) is (r⁻¹ mod Q)*(e*r*R-(-s)*r*g)=e*R+s*g, where R
// is the (v,r) point. See https://crypto.stackexchange.com/a/18106
//
// solium-disable-next-line indentation
address recoveredAddress = ecrecover(
// solium-disable-next-line zeppelin/no-arithmetic-operations
bytes32(Q - mulmod(signingPubKeyX, signature, Q)),
// https://ethereum.github.io/yellowpaper/paper.pdf p. 24, "The
// value 27 represents an even y value and 28 represents an odd
// y value."
(pubKeyYParity == 0) ? 27 : 28,
bytes32(signingPubKeyX),
bytes32(mulmod(msgChallenge, signingPubKeyX, Q))
);
require(recoveredAddress != address(0), "Schnorr: recoveredAddress is 0");
return nonceTimesGeneratorAddress == recoveredAddress;
}
function verifySigningKeyX(uint256 signingPubKeyX) internal pure {
require(signingPubKeyX < HALF_Q, "Public-key x >= HALF_Q");
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "IShared.sol";
/**
* @title Shared contract
* @notice Holds constants and modifiers that are used in multiple contracts
* @dev It would be nice if this could be a library, but modifiers can't be exported :(
*/
abstract contract Shared is IShared {
/// @dev The address used to indicate whether transfer should send native or a token
address internal constant _NATIVE_ADDR = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;
address internal constant _ZERO_ADDR = address(0);
bytes32 internal constant _NULL = "";
uint256 internal constant _E_18 = 1e18;
/// @dev Checks that a uint isn't zero/empty
modifier nzUint(uint256 u) {
require(u != 0, "Shared: uint input is empty");
_;
}
/// @dev Checks that an address isn't zero/empty
modifier nzAddr(address a) {
require(a != _ZERO_ADDR, "Shared: address input is empty");
_;
}
/// @dev Checks that a bytes32 isn't zero/empty
modifier nzBytes32(bytes32 b) {
require(b != _NULL, "Shared: bytes32 input is empty");
_;
}
/// @dev Checks that the pubKeyX is populated
modifier nzKey(Key memory key) {
require(key.pubKeyX != 0, "Shared: pubKeyX is empty");
_;
}
}