@arbitrum/nitro-contracts 1.0.0-beta.5 → 1.0.0-beta.8

package/src/rollup/RollupAdminLogic.sol

@@ -21,16 +21,26 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
         onlyProxy
         initializer
     {
-        delayedBridge = connectedContracts.delayedBridge;
-        sequencerBridge = connectedContracts.sequencerInbox;
+        rollupDeploymentBlock = block.number;
+        bridge = connectedContracts.bridge;
+        sequencerInbox = connectedContracts.sequencerInbox;
+        connectedContracts.bridge.setDelayedInbox(address(connectedContracts.inbox), true);
+        connectedContracts.bridge.setSequencerInbox(address(connectedContracts.sequencerInbox));
+
+        inbox = connectedContracts.inbox;
         outbox = connectedContracts.outbox;
-        delayedBridge.setOutbox(address(connectedContracts.outbox), true);
-        rollupEventBridge = connectedContracts.rollupEventBridge;
-        delayedBridge.setInbox(address(connectedContracts.rollupEventBridge), true);
+        connectedContracts.bridge.setOutbox(address(connectedContracts.outbox), true);
+        rollupEventInbox = connectedContracts.rollupEventInbox;
+        connectedContracts.bridge.setDelayedInbox(
+            address(connectedContracts.rollupEventInbox),
+            true
+        );
 
-        rollupEventBridge.rollupInitialized(config.chainId);
-        sequencerBridge.addSequencerL2Batch(0, "", 1, IGasRefunder(address(0)));
+        connectedContracts.rollupEventInbox.rollupInitialized(config.chainId);
+        connectedContracts.sequencerInbox.addSequencerL2Batch(0, "", 1, IGasRefunder(address(0)));
 
+        validatorUtils = connectedContracts.validatorUtils;
+        validatorWalletCreator = connectedContracts.validatorWalletCreator;
         challengeManager = connectedContracts.challengeManager;
 
         Node memory node = createInitialNode();
@@ -53,8 +63,6 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
 
         stakeToken = config.stakeToken;
 
-        sequencerBridge.setMaxTimeVariation(config.sequencerInboxMaxTimeVariation);
-
         emit RollupInitialized(config.wasmModuleRoot, config.chainId);
     }
 
@@ -86,7 +94,7 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
      */
     function setOutbox(IOutbox _outbox) external override {
         outbox = _outbox;
-        delayedBridge.setOutbox(address(_outbox), true);
+        bridge.setOutbox(address(_outbox), true);
         emit OwnerFunctionCalled(0);
     }
 
@@ -96,7 +104,7 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
      */
     function removeOldOutbox(address _outbox) external override {
         require(_outbox != address(outbox), "CUR_OUTBOX");
-        delayedBridge.setOutbox(_outbox, false);
+        bridge.setOutbox(_outbox, false);
         emit OwnerFunctionCalled(1);
     }
 
@@ -105,8 +113,8 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
      * @param _inbox Inbox contract to add or remove
      * @param _enabled New status of inbox
      */
-    function setInbox(address _inbox, bool _enabled) external override {
-        delayedBridge.setInbox(address(_inbox), _enabled);
+    function setDelayedInbox(address _inbox, bool _enabled) external override {
+        bridge.setDelayedInbox(address(_inbox), _enabled);
         emit OwnerFunctionCalled(2);
     }
 
@@ -224,27 +232,6 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
         emit OwnerFunctionCalled(13);
     }
 
-    /**
-     * @notice Set max delay for sequencer inbox
-     * @param maxTimeVariation the maximum time variation parameters
-     */
-    function setSequencerInboxMaxTimeVariation(
-        ISequencerInbox.MaxTimeVariation calldata maxTimeVariation
-    ) external override {
-        sequencerBridge.setMaxTimeVariation(maxTimeVariation);
-        emit OwnerFunctionCalled(14);
-    }
-
-    /**
-     * @notice Updates whether an address is authorized to be a batch poster at the sequencer inbox
-     * @param addr the address
-     * @param isBatchPoster if the specified address should be authorized as a batch poster
-     */
-    function setIsBatchPoster(address addr, bool isBatchPoster) external override {
-        ISequencerInbox(sequencerBridge).setIsBatchPoster(addr, isBatchPoster);
-        emit OwnerFunctionCalled(19);
-    }
-
     /**
      * @notice Upgrades the implementation of a beacon controlled by the rollup
      * @param beacon address of beacon to be upgraded
@@ -319,4 +306,55 @@ contract RollupAdminLogic is RollupCore, IRollupAdmin, SecondaryLogicUUPSUpgrade
         wasmModuleRoot = newWasmModuleRoot;
         emit OwnerFunctionCalled(26);
     }
+
+    /**
+     * @notice set a new sequencer inbox contract
+     * @param _sequencerInbox new address of sequencer inbox
+     */
+    function setSequencerInbox(address _sequencerInbox) external override {
+        bridge.setSequencerInbox(_sequencerInbox);
+        emit OwnerFunctionCalled(27);
+    }
+
+    /**
+     * @notice sets the rollup's inbox reference. Does not update the bridge's view.
+     * @param newInbox new address of inbox
+     */
+    function setInbox(IInbox newInbox) external {
+        inbox = newInbox;
+        emit OwnerFunctionCalled(28);
+    }
+
+    function createNitroMigrationGenesis(RollupLib.Assertion calldata assertion)
+        external
+        whenPaused
+    {
+        bytes32 expectedSendRoot = bytes32(0);
+        uint64 expectedInboxCount = 1;
+
+        require(latestNodeCreated() == 0, "NON_GENESIS_NODES_EXIST");
+        require(GlobalStateLib.isEmpty(assertion.beforeState.globalState), "NOT_EMPTY_BEFORE");
+        require(
+            assertion.beforeState.machineStatus == MachineStatus.FINISHED,
+            "BEFORE_MACHINE_NOT_FINISHED"
+        );
+        // accessors such as state.getSendRoot not available for calldata structs, only memory
+        require(
+            assertion.afterState.globalState.bytes32Vals[1] == expectedSendRoot,
+            "NOT_ZERO_SENDROOT"
+        );
+        require(
+            assertion.afterState.globalState.u64Vals[0] == expectedInboxCount,
+            "INBOX_NOT_AT_ONE"
+        );
+        require(assertion.afterState.globalState.u64Vals[1] == 0, "POSITION_IN_MESSAGE_NOT_ZERO");
+        require(
+            assertion.afterState.machineStatus == MachineStatus.FINISHED,
+            "AFTER_MACHINE_NOT_FINISHED"
+        );
+        bytes32 genesisBlockHash = assertion.afterState.globalState.bytes32Vals[0];
+        createNewNode(assertion, 0, expectedInboxCount, bytes32(0));
+        confirmNode(1, genesisBlockHash, expectedSendRoot);
+        emit OwnerFunctionCalled(29);
+    }
 }

package/src/rollup/RollupCore.sol

@@ -9,7 +9,7 @@ import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
 import "./Node.sol";
 import "./IRollupCore.sol";
 import "./RollupLib.sol";
-import "./IRollupEventBridge.sol";
+import "./IRollupEventInbox.sol";
 import "./IRollupCore.sol";
 
 import "../challenge/IChallengeManager.sol";
@@ -31,11 +31,17 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
     uint256 public baseStake;
     bytes32 public wasmModuleRoot;
 
-    IBridge public delayedBridge;
-    ISequencerInbox public sequencerBridge;
+    IInbox public inbox;
+    IBridge public bridge;
     IOutbox public outbox;
-    IRollupEventBridge public rollupEventBridge;
+    ISequencerInbox public sequencerInbox;
+    IRollupEventInbox public rollupEventInbox;
     IChallengeManager public override challengeManager;
+
+    // misc useful contracts when interacting with the rollup
+    address public validatorUtils;
+    address public validatorWalletCreator;
+
     // when a staker loses a challenge, half of their funds get escrowed in this address
     address public loserStakeEscrow;
     address public stakeToken;
@@ -63,6 +69,7 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
 
     mapping(address => uint256) private _withdrawableFunds;
     uint256 public totalWithdrawableFunds;
+    uint256 public rollupDeploymentBlock;
 
     // The node number of the initial node
     uint64 internal constant GENESIS_NODE = 0;
@@ -529,7 +536,7 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
         {
             // validate data
             memoryFrame.prevNode = getNode(prevNodeNum);
-            memoryFrame.currentInboxSize = sequencerBridge.batchCount();
+            memoryFrame.currentInboxSize = bridge.sequencerMessageCount();
 
             // Make sure the previous state is correct against the node being built on
             require(
@@ -545,7 +552,7 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
             if (afterInboxCount == prevInboxPosition) {
                 require(
                     assertion.afterState.globalState.getPositionInMessage() >=
-                        assertion.afterState.globalState.getPositionInMessage(),
+                        assertion.beforeState.globalState.getPositionInMessage(),
                     "INBOX_POS_IN_MSG_BACKWARDS"
                 );
             }
@@ -560,7 +567,7 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
             require(afterInboxCount <= memoryFrame.currentInboxSize, "INBOX_PAST_END");
             // This gives replay protection against the state of the inbox
             if (afterInboxCount > 0) {
-                memoryFrame.sequencerBatchAcc = sequencerBridge.inboxAccs(afterInboxCount - 1);
+                memoryFrame.sequencerBatchAcc = bridge.sequencerInboxAccs(afterInboxCount - 1);
             }
         }
 
@@ -582,9 +589,13 @@ abstract contract RollupCore is IRollupCore, PausableUpgradeable {
                 memoryFrame.hasSibling,
                 memoryFrame.lastHash,
                 memoryFrame.executionHash,
-                memoryFrame.sequencerBatchAcc
+                memoryFrame.sequencerBatchAcc,
+                wasmModuleRoot
+            );
+            require(
+                newNodeHash == expectedNodeHash || expectedNodeHash == bytes32(0),
+                "UNEXPECTED_NODE_HASH"
             );
-            require(newNodeHash == expectedNodeHash, "UNEXPECTED_NODE_HASH");
 
             memoryFrame.node = NodeLib.createNode(
                 RollupLib.stateHash(assertion.afterState, memoryFrame.currentInboxSize),

package/src/rollup/RollupCreator.sol

@@ -18,7 +18,7 @@ contract RollupCreator is Ownable {
         address inboxAddress,
         address adminProxy,
         address sequencerInbox,
-        address delayedBridge
+        address bridge
     );
     event TemplatesUpdated();
 
@@ -28,6 +28,9 @@ contract RollupCreator is Ownable {
     IRollupAdmin public rollupAdminLogic;
     IRollupUser public rollupUserLogic;
 
+    address public validatorUtils;
+    address public validatorWalletCreator;
+
     constructor() Ownable() {}
 
     function setTemplates(
@@ -35,22 +38,26 @@ contract RollupCreator is Ownable {
         IOneStepProofEntry _osp,
         IChallengeManager _challengeManagerLogic,
         IRollupAdmin _rollupAdminLogic,
-        IRollupUser _rollupUserLogic
+        IRollupUser _rollupUserLogic,
+        address _validatorUtils,
+        address _validatorWalletCreator
     ) external onlyOwner {
         bridgeCreator = _bridgeCreator;
         osp = _osp;
         challengeManagerTemplate = _challengeManagerLogic;
         rollupAdminLogic = _rollupAdminLogic;
         rollupUserLogic = _rollupUserLogic;
+        validatorUtils = _validatorUtils;
+        validatorWalletCreator = _validatorWalletCreator;
         emit TemplatesUpdated();
     }
 
     struct CreateRollupFrame {
         ProxyAdmin admin;
-        IBridge delayedBridge;
+        IBridge bridge;
         ISequencerInbox sequencerInbox;
         IInbox inbox;
-        IRollupEventBridge rollupEventBridge;
+        IRollupEventInbox rollupEventInbox;
         IOutbox outbox;
         ArbitrumProxy rollup;
     }
@@ -68,10 +75,10 @@ contract RollupCreator is Ownable {
         frame.admin = new ProxyAdmin();
 
         (
-            frame.delayedBridge,
+            frame.bridge,
             frame.sequencerInbox,
             frame.inbox,
-            frame.rollupEventBridge,
+            frame.rollupEventInbox,
             frame.outbox
         ) = bridgeCreator.createBridge(
             address(frame.admin),
@@ -93,20 +100,23 @@ contract RollupCreator is Ownable {
         challengeManager.initialize(
             IChallengeResultReceiver(expectedRollupAddr),
             frame.sequencerInbox,
-            frame.delayedBridge,
+            frame.bridge,
             osp
         );
 
         frame.rollup = new ArbitrumProxy(
             config,
             ContractDependencies({
-                delayedBridge: frame.delayedBridge,
+                bridge: frame.bridge,
                 sequencerInbox: frame.sequencerInbox,
+                inbox: frame.inbox,
                 outbox: frame.outbox,
-                rollupEventBridge: frame.rollupEventBridge,
+                rollupEventInbox: frame.rollupEventInbox,
                 challengeManager: challengeManager,
                 rollupAdminLogic: rollupAdminLogic,
-                rollupUserLogic: rollupUserLogic
+                rollupUserLogic: rollupUserLogic,
+                validatorUtils: validatorUtils,
+                validatorWalletCreator: validatorWalletCreator
             })
         );
         require(address(frame.rollup) == expectedRollupAddr, "WRONG_ROLLUP_ADDR");
@@ -116,7 +126,7 @@ contract RollupCreator is Ownable {
             address(frame.inbox),
             address(frame.admin),
             address(frame.sequencerInbox),
-            address(frame.delayedBridge)
+            address(frame.bridge)
         );
         return address(frame.rollup);
     }

package/src/rollup/{RollupEventBridge.sol → RollupEventInbox.sol}

@@ -4,36 +4,36 @@
 
 pragma solidity ^0.8.0;
 
-import "./IRollupEventBridge.sol";
+import "./IRollupEventInbox.sol";
 import "../bridge/IBridge.sol";
-import "../bridge/IMessageProvider.sol";
+import "../bridge/IDelayedMessageProvider.sol";
 import "../libraries/DelegateCallAware.sol";
 import {INITIALIZATION_MSG_TYPE} from "../libraries/MessageTypes.sol";
 
 /**
  * @title The inbox for rollup protocol events
  */
-contract RollupEventBridge is IRollupEventBridge, IMessageProvider, DelegateCallAware {
+contract RollupEventInbox is IRollupEventInbox, IDelayedMessageProvider, DelegateCallAware {
     uint8 internal constant CREATE_NODE_EVENT = 0;
     uint8 internal constant CONFIRM_NODE_EVENT = 1;
     uint8 internal constant REJECT_NODE_EVENT = 2;
     uint8 internal constant STAKE_CREATED_EVENT = 3;
 
-    IBridge public bridge;
-    address public rollup;
+    IBridge public override bridge;
+    address public override rollup;
 
     modifier onlyRollup() {
         require(msg.sender == rollup, "ONLY_ROLLUP");
         _;
     }
 
-    function initialize(address _bridge, address _rollup) external onlyDelegated {
-        require(rollup == address(0), "ALREADY_INIT");
-        bridge = IBridge(_bridge);
-        rollup = _rollup;
+    function initialize(IBridge _bridge) external override onlyDelegated {
+        require(address(bridge) == address(0), "ALREADY_INIT");
+        bridge = _bridge;
+        rollup = address(_bridge.rollup());
     }
 
-    function rollupInitialized(uint256 chainId) external onlyRollup {
+    function rollupInitialized(uint256 chainId) external override onlyRollup {
         bytes memory initMsg = abi.encodePacked(chainId);
         uint256 num = bridge.enqueueDelayedMessage(
             INITIALIZATION_MSG_TYPE,

package/src/rollup/RollupLib.sol

@@ -11,7 +11,8 @@ import "../bridge/ISequencerInbox.sol";
 
 import "../bridge/IBridge.sol";
 import "../bridge/IOutbox.sol";
-import "./IRollupEventBridge.sol";
+import "../bridge/IInbox.sol";
+import "./IRollupEventInbox.sol";
 import "./IRollupLogic.sol";
 
 struct Config {
@@ -23,17 +24,22 @@ struct Config {
     address owner;
     address loserStakeEscrow;
     uint256 chainId;
+    uint64 genesisBlockNum;
     ISequencerInbox.MaxTimeVariation sequencerInboxMaxTimeVariation;
 }
 
 struct ContractDependencies {
-    IBridge delayedBridge;
+    IBridge bridge;
     ISequencerInbox sequencerInbox;
+    IInbox inbox;
     IOutbox outbox;
-    IRollupEventBridge rollupEventBridge;
+    IRollupEventInbox rollupEventInbox;
     IChallengeManager challengeManager;
     IRollupAdmin rollupAdminLogic;
     IRollupUser rollupUserLogic;
+    // misc contracts that are useful when interacting with the rollup
+    address validatorUtils;
+    address validatorWalletCreator;
 }
 
 library RollupLib {
@@ -127,9 +133,19 @@ library RollupLib {
         bool hasSibling,
         bytes32 lastHash,
         bytes32 assertionExecHash,
-        bytes32 inboxAcc
+        bytes32 inboxAcc,
+        bytes32 wasmModuleRoot
     ) internal pure returns (bytes32) {
         uint8 hasSiblingInt = hasSibling ? 1 : 0;
-        return keccak256(abi.encodePacked(hasSiblingInt, lastHash, assertionExecHash, inboxAcc));
+        return
+            keccak256(
+                abi.encodePacked(
+                    hasSiblingInt,
+                    lastHash,
+                    assertionExecHash,
+                    inboxAcc,
+                    wasmModuleRoot
+                )
+            );
     }
 }

package/src/rollup/RollupUserLogic.sol

@@ -487,6 +487,10 @@ abstract contract AbsRollupUserLogic is
         return currentRequiredStake(blockNumber, firstUnresolvedNodeNum, latestCreatedNode);
     }
 
+    function owner() external view returns (address) {
+        return _getAdmin();
+    }
+
     function currentRequiredStake() public view returns (uint256) {
         uint64 firstUnresolvedNodeNum = firstUnresolvedNode();
 
@@ -615,18 +619,13 @@ contract RollupUserLogic is AbsRollupUserLogic, IRollupUser {
 
     /**
      * @notice Withdraw uncommitted funds owned by sender from the rollup chain
-     * @param destination Address to transfer the withdrawn funds to
      */
-    function withdrawStakerFunds(address payable destination)
-        external
-        override
-        onlyValidator
-        whenNotPaused
-        returns (uint256)
-    {
+    function withdrawStakerFunds() external override onlyValidator whenNotPaused returns (uint256) {
         uint256 amount = withdrawFunds(msg.sender);
         // This is safe because it occurs after all checks and effects
-        destination.transfer(amount);
+        // solhint-disable-next-line avoid-low-level-calls
+        (bool success, ) = msg.sender.call{value: amount}("");
+        require(success, "TRANSFER_FAILED");
         return amount;
     }
 }
@@ -692,18 +691,11 @@ contract ERC20RollupUserLogic is AbsRollupUserLogic, IRollupUserERC20 {
 
     /**
      * @notice Withdraw uncommitted funds owned by sender from the rollup chain
-     * @param destination Address to transfer the withdrawn funds to
      */
-    function withdrawStakerFunds(address payable destination)
-        external
-        override
-        onlyValidator
-        whenNotPaused
-        returns (uint256)
-    {
+    function withdrawStakerFunds() external override onlyValidator whenNotPaused returns (uint256) {
         uint256 amount = withdrawFunds(msg.sender);
         // This is safe because it occurs after all checks and effects
-        require(IERC20Upgradeable(stakeToken).transfer(destination, amount), "TRANSFER_FAILED");
+        require(IERC20Upgradeable(stakeToken).transfer(msg.sender, amount), "TRANSFER_FAILED");
         return amount;
     }
 

package/src/rollup/ValidatorWallet.sol

@@ -6,24 +6,117 @@ pragma solidity ^0.8.0;
 
 import "../challenge/IChallengeManager.sol";
 import "../libraries/DelegateCallAware.sol";
+import "../libraries/IGasRefunder.sol";
 import "@openzeppelin/contracts/utils/Address.sol";
 import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 
-contract ValidatorWallet is OwnableUpgradeable, DelegateCallAware {
+/// @dev thrown when arrays provided don't have the expected length
+error BadArrayLength(uint256 expected, uint256 actual);
+
+/// @dev thrown when a function is called by an address that isn't the owner nor a executor
+error NotExecutorOrOwner(address actual);
+
+/// @dev thrown when the particular address can't be called by an executor
+error OnlyOwnerDestination(address expected, address actual, address destination);
+
+/// @dev thrown when eth withdrawal tx fails
+error WithdrawEthFail(address destination);
+
+contract ValidatorWallet is OwnableUpgradeable, DelegateCallAware, GasRefundEnabled {
     using Address for address;
 
-    function initialize() external initializer onlyDelegated {
+    /// @dev a executor is allowed to call only certain contracts
+    mapping(address => bool) public executors;
+
+    /// @dev allowed addresses which can be called by an executor
+    mapping(address => bool) public allowedExecutorDestinations;
+
+    modifier onlyExecutorOrOwner() {
+        if (!executors[_msgSender()] && owner() != _msgSender())
+            revert NotExecutorOrOwner(_msgSender());
+        _;
+    }
+
+    event ExecutorUpdated(address indexed executor, bool isExecutor);
+
+    /// @dev updates the executor addresses
+    function setExecutor(address[] calldata newExecutors, bool[] calldata isExecutor)
+        external
+        onlyOwner
+    {
+        if (newExecutors.length != isExecutor.length)
+            revert BadArrayLength(newExecutors.length, isExecutor.length);
+        unchecked {
+            for (uint64 i = 0; i < newExecutors.length; ++i) {
+                executors[newExecutors[i]] = isExecutor[i];
+                emit ExecutorUpdated(newExecutors[i], isExecutor[i]);
+            }
+        }
+    }
+
+    function initialize(
+        address _executor,
+        address _owner,
+        address[] calldata initialExecutorAllowedDests
+    ) external initializer onlyDelegated {
         __Ownable_init();
+        transferOwnership(_owner);
+
+        executors[_executor] = true;
+        emit ExecutorUpdated(_executor, true);
+
+        unchecked {
+            for (uint64 i = 0; i < initialExecutorAllowedDests.length; ++i) {
+                allowedExecutorDestinations[initialExecutorAllowedDests[i]] = true;
+                emit AllowedExecutorDestinationsUpdated(initialExecutorAllowedDests[i], true);
+            }
+        }
+    }
+
+    event AllowedExecutorDestinationsUpdated(address indexed destination, bool isSet);
+
+    /// @notice updates the destination addresses which executors are allowed to call
+    function setAllowedExecutorDestinations(address[] calldata destinations, bool[] calldata isSet)
+        external
+        onlyOwner
+    {
+        if (destinations.length != isSet.length)
+            revert BadArrayLength(destinations.length, isSet.length);
+        unchecked {
+            for (uint256 i = 0; i < destinations.length; ++i) {
+                allowedExecutorDestinations[destinations[i]] = isSet[i];
+                emit AllowedExecutorDestinationsUpdated(destinations[i], isSet[i]);
+            }
+        }
+    }
+
+    /// @dev reverts if the current function can't be called
+    function validateExecuteTransaction(address destination) public view {
+        if (!allowedExecutorDestinations[destination] && owner() != _msgSender())
+            revert OnlyOwnerDestination(owner(), _msgSender(), destination);
     }
 
     function executeTransactions(
         bytes[] calldata data,
         address[] calldata destination,
         uint256[] calldata amount
-    ) external payable onlyOwner {
+    ) external payable {
+        executeTransactionsWithGasRefunder(IGasRefunder(address(0)), data, destination, amount);
+    }
+
+    function executeTransactionsWithGasRefunder(
+        IGasRefunder gasRefunder,
+        bytes[] calldata data,
+        address[] calldata destination,
+        uint256[] calldata amount
+    ) public payable onlyExecutorOrOwner refundsGas(gasRefunder) {
         uint256 numTxes = data.length;
+        if (numTxes != destination.length) revert BadArrayLength(numTxes, destination.length);
+        if (numTxes != amount.length) revert BadArrayLength(numTxes, amount.length);
+
         for (uint256 i = 0; i < numTxes; i++) {
             if (data[i].length > 0) require(destination[i].isContract(), "NO_CODE_AT_ADDR");
+            validateExecuteTransaction(destination[i]);
             // We use a low level call here to allow for contract and non-contract calls
             // solhint-disable-next-line avoid-low-level-calls
             (bool success, ) = address(destination[i]).call{value: amount[i]}(data[i]);
@@ -42,8 +135,18 @@ contract ValidatorWallet is OwnableUpgradeable, DelegateCallAware {
         bytes calldata data,
         address destination,
         uint256 amount
-    ) external payable onlyOwner {
+    ) external payable {
+        executeTransactionWithGasRefunder(IGasRefunder(address(0)), data, destination, amount);
+    }
+
+    function executeTransactionWithGasRefunder(
+        IGasRefunder gasRefunder,
+        bytes calldata data,
+        address destination,
+        uint256 amount
+    ) public payable onlyExecutorOrOwner refundsGas(gasRefunder) {
         if (data.length > 0) require(destination.isContract(), "NO_CODE_AT_ADDR");
+        validateExecuteTransaction(destination);
         // We use a low level call here to allow for contract and non-contract calls
         // solhint-disable-next-line avoid-low-level-calls
         (bool success, ) = destination.call{value: amount}(data);
@@ -57,10 +160,15 @@ contract ValidatorWallet is OwnableUpgradeable, DelegateCallAware {
         }
     }
 
-    function timeoutChallenges(IChallengeManager manager, uint64[] calldata challenges)
-        external
-        onlyOwner
-    {
+    function timeoutChallenges(IChallengeManager manager, uint64[] calldata challenges) external {
+        timeoutChallengesWithGasRefunder(IGasRefunder(address(0)), manager, challenges);
+    }
+
+    function timeoutChallengesWithGasRefunder(
+        IGasRefunder gasRefunder,
+        IChallengeManager manager,
+        uint64[] calldata challenges
+    ) public onlyExecutorOrOwner refundsGas(gasRefunder) {
         uint256 challengesCount = challenges.length;
         for (uint256 i = 0; i < challengesCount; i++) {
             try manager.timeout(challenges[i]) {} catch (bytes memory error) {
@@ -72,4 +180,13 @@ contract ValidatorWallet is OwnableUpgradeable, DelegateCallAware {
             }
         }
     }
+
+    receive() external payable {}
+
+    /// @dev allows the owner to withdraw eth held by this contract
+    function withdrawEth(uint256 amount, address destination) external onlyOwner {
+        // solhint-disable-next-line avoid-low-level-calls
+        (bool success, ) = destination.call{value: amount}("");
+        if (!success) revert WithdrawEthFail(destination);
+    }
 }