@keep-network/tbtc-v2 0.1.1-dev.2 → 0.1.1-dev.6

package/contracts/bridge/Bridge.sol

@@ -1,12 +1,31 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
 pragma solidity 0.8.4;
 
+import {BTCUtils} from "@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol";
+import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+
 /// @title BTC Bridge
 /// @notice Bridge manages BTC deposit and redemption and is increasing and
 ///         decreasing balances in the Bank as a result of BTC deposit and
 ///         redemption operations.
 ///
 ///         Depositors send BTC funds to the most-recently-created-wallet of the
-///         bridge using pay-to-script-hash (P2SH) which contains hashed
+///         bridge using pay-to-script-hash (P2SH) or
+///         pay-to-witness-script-hash (P2WSH) which contains hashed
 ///         information about the depositor’s minting Ethereum address. Then,
 ///         the depositor reveals their desired Ethereum minting address to the
 ///         Ethereum chain. The Bridge listens for these sorts of messages and
@@ -17,89 +36,234 @@ pragma solidity 0.8.4;
 ///         about the sweep increasing appropriate balances in the Bank.
 /// @dev Bridge is an upgradeable component of the Bank.
 contract Bridge {
-    struct DepositInfo {
-        uint64 amount;
+    using BTCUtils for bytes;
+    using BytesLib for bytes;
+
+    /// @notice Represents Bitcoin transaction data as described in:
+    ///         https://developer.bitcoin.org/reference/transactions.html#raw-transaction-format
+    struct TxInfo {
+        // Transaction version number (4-byte LE).
+        bytes4 version;
+        // All transaction inputs prepended by the number of inputs encoded
+        // as a compactSize uint. Single vector item looks as follows:
+        // https://developer.bitcoin.org/reference/transactions.html#txin-a-transaction-input-non-coinbase
+        // though SegWit inputs don't contain the signature script (scriptSig).
+        // All encoded input transaction hashes are little-endian.
+        bytes inputVector;
+        // All transaction outputs prepended by the number of outputs encoded
+        // as a compactSize uint. Single vector item looks as follows:
+        // https://developer.bitcoin.org/reference/transactions.html#txout-a-transaction-output
+        bytes outputVector;
+        // Transaction locktime (4-byte LE).
+        bytes4 locktime;
+    }
+
+    /// @notice Represents data which must be revealed by the depositor during
+    ///         deposit reveal.
+    struct RevealInfo {
+        // Index of the funding output belonging to the funding transaction.
+        uint8 fundingOutputIndex;
+        // Ethereum depositor address.
+        address depositor;
+        // The blinding factor as 8 bytes. Byte endianness doesn't matter
+        // as this factor is not interpreted as uint.
+        bytes8 blindingFactor;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // of the deposit's wallet hashed in the HASH160 Bitcoin opcode style.
+        bytes20 walletPubKeyHash;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // that can be used to make the deposit refund after the refund
+        // locktime passes. Hashed in the HASH160 Bitcoin opcode style.
+        bytes20 refundPubKeyHash;
+        // The refund locktime (4-byte LE). Interpreted according to locktime
+        // parsing rules described in:
+        // https://developer.bitcoin.org/devguide/transactions.html#locktime-and-sequence-number
+        // and used with OP_CHECKLOCKTIMEVERIFY opcode as described in:
+        // https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki
+        bytes4 refundLocktime;
+        // Address of the tBTC vault.
         address vault;
+    }
+
+    /// @notice Represents tBTC deposit data.
+    struct DepositInfo {
+        // Ethereum depositor address.
+        address depositor;
+        // Deposit amount in satoshi (8-byte LE). For example:
+        // 0.0001 BTC = 10000 satoshi = 0x1027000000000000
+        bytes8 amount;
+        // UNIX timestamp the deposit was revealed at.
         uint32 revealedAt;
+        // Address of the tBTC vault.
+        address vault;
     }
 
     /// @notice Collection of all unswept deposits indexed by
-    ///         keccak256(fundingTxHash | fundingOutputIndex | depositorAddress).
+    ///         keccak256(fundingTxHash | fundingOutputIndex).
+    ///         The fundingTxHash is LE bytes32 and fundingOutputIndex an uint8.
     ///         This mapping may contain valid and invalid deposits and the
     ///         wallet is responsible for validating them before attempting to
     ///         execute a sweep.
+    ///
+    /// TODO: Explore the possibility of storing just a hash of DepositInfo.
     mapping(uint256 => DepositInfo) public unswept;
 
     event DepositRevealed(
-        uint256 depositId,
         bytes32 fundingTxHash,
         uint8 fundingOutputIndex,
         address depositor,
-        uint64 blindingFactor,
-        bytes refundPubKey,
-        uint64 amount,
-        address vault
+        bytes8 blindingFactor,
+        bytes20 walletPubKeyHash,
+        bytes20 refundPubKeyHash,
+        bytes4 refundLocktime
     );
 
-    /// @notice Used by the depositor to reveal information about their P2SH
+    /// @notice Used by the depositor to reveal information about their P2(W)SH
     ///         Bitcoin deposit to the Bridge on Ethereum chain. The off-chain
     ///         wallet listens for revealed deposit events and may decide to
     ///         include the revealed deposit in the next executed sweep.
     ///         Information about the Bitcoin deposit can be revealed before or
-    ///         after the Bitcoin transaction with P2SH deposit is mined on the
-    ///         Bitcoin chain.
-    /// @param fundingTxHash The BTC transaction hash containing BTC P2SH
-    ///        deposit funding transaction
-    /// @param fundingOutputIndex The index of the transaction output in the
-    ///        funding TX with P2SH deposit, max 256
-    /// @param blindingFactor The blinding factor used in the BTC P2SH deposit,
-    ///        max 2^64
-    /// @param refundPubKey The refund pub key used in the BTC P2SH deposit
-    /// @param amount The amount locked in the BTC P2SH deposit
-    /// @param vault Bank vault to which the swept deposit should be routed
+    ///         after the Bitcoin transaction with P2(W)SH deposit is mined on
+    ///         the Bitcoin chain. Worth noting the gas cost of this function
+    ///         scales with the number of P2(W)SH transaction inputs and
+    ///         outputs.
+    /// @param fundingTx Bitcoin funding transaction data.
+    /// @param reveal Deposit reveal data.
     /// @dev Requirements:
-    ///      - `msg.sender` must be the Ethereum address used in the P2SH BTC deposit,
-    ///      - `blindingFactor` must be the blinding factor used in the P2SH BTC deposit,
-    ///      - `refundPubKey` must be the refund pub key used in the P2SH BTC deposit,
-    ///      - `amount` must be the same as locked in the P2SH BTC deposit,
+    ///      - `reveal.fundingOutputIndex` must point to the actual P2(W)SH
+    ///        output of the BTC deposit transaction
+    ///      - `reveal.depositor` must be the Ethereum address used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.blindingFactor` must be the blinding factor used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.walletPubKeyHash` must be the wallet pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundPubKeyHash` must be the refund pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundLocktime` must be the refund locktime used in the
+    ///        P2(W)SH BTC deposit transaction,
     ///      - BTC deposit for the given `fundingTxHash`, `fundingOutputIndex`
-    ///        can be revealed by `msg.sender` only one time.
+    ///        can be revealed only one time.
     ///
     ///      If any of these requirements is not met, the wallet _must_ refuse
     ///      to sweep the deposit and the depositor has to wait until the
     ///      deposit script unlocks to receive their BTC back.
     function revealDeposit(
-        bytes32 fundingTxHash,
-        uint8 fundingOutputIndex,
-        uint64 blindingFactor,
-        bytes calldata refundPubKey,
-        uint64 amount,
-        address vault
+        TxInfo calldata fundingTx,
+        RevealInfo calldata reveal
     ) external {
-        uint256 depositId =
-            uint256(
-                keccak256(
-                    abi.encode(fundingTxHash, fundingOutputIndex, msg.sender)
-                )
+        bytes memory expectedScript =
+            abi.encodePacked(
+                hex"14", // Byte length of depositor Ethereum address.
+                reveal.depositor,
+                hex"75", // OP_DROP
+                hex"08", // Byte length of blinding factor value.
+                reveal.blindingFactor,
+                hex"75", // OP_DROP
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.walletPubKeyHash,
+                hex"87", // OP_EQUAL
+                hex"63", // OP_IF
+                hex"ac", // OP_CHECKSIG
+                hex"67", // OP_ELSE
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.refundPubKeyHash,
+                hex"88", // OP_EQUALVERIFY
+                hex"04", // Byte length of refund locktime value.
+                reveal.refundLocktime,
+                hex"b1", // OP_CHECKLOCKTIMEVERIFY
+                hex"75", // OP_DROP
+                hex"ac", // OP_CHECKSIG
+                hex"68" // OP_ENDIF
             );
 
-        DepositInfo storage deposit = unswept[depositId];
+        bytes memory fundingOutput =
+            fundingTx.outputVector.extractOutputAtIndex(
+                reveal.fundingOutputIndex
+            );
+        bytes memory fundingOutputHash = fundingOutput.extractHash();
+
+        if (fundingOutputHash.length == 20) {
+            // A 20-byte output hash is used by P2SH. That hash is constructed
+            // by applying OP_HASH160 on the locking script. A 20-byte output
+            // hash is used as well by P2PKH and P2WPKH (OP_HASH160 on the
+            // public key). However, since we compare the actual output hash
+            // with an expected locking script hash, this check will succeed only
+            // for P2SH transaction type with expected script hash value. For
+            // P2PKH and P2WPKH, it will fail on the output hash comparison with
+            // the expected locking script hash.
+            require(
+                keccak256(fundingOutputHash) ==
+                    keccak256(expectedScript.hash160()),
+                "Wrong 20-byte script hash"
+            );
+        } else if (fundingOutputHash.length == 32) {
+            // A 32-byte output hash is used by P2WSH. That hash is constructed
+            // by applying OP_HASH256 on the locking script.
+            require(
+                fundingOutputHash.toBytes32() == expectedScript.hash256(),
+                "Wrong 32-byte script hash"
+            );
+        } else {
+            revert("Wrong script hash length");
+        }
+
+        // Resulting TX hash is in native Bitcoin little-endian format.
+        bytes32 fundingTxHash =
+            abi
+                .encodePacked(
+                fundingTx
+                    .version,
+                fundingTx
+                    .inputVector,
+                fundingTx
+                    .outputVector,
+                fundingTx
+                    .locktime
+            )
+                .hash256();
+
+        DepositInfo storage deposit =
+            unswept[
+                uint256(
+                    keccak256(
+                        abi.encodePacked(
+                            fundingTxHash,
+                            reveal.fundingOutputIndex
+                        )
+                    )
+                )
+            ];
         require(deposit.revealedAt == 0, "Deposit already revealed");
 
-        deposit.amount = amount;
-        deposit.vault = vault;
+        bytes8 fundingOutputAmount;
+        /* solhint-disable-next-line no-inline-assembly */
+        assembly {
+            // First 8 bytes (little-endian) of the funding output represents
+            // its value. To take the value, we need to jump over the first
+            // word determining the array length, load the array, and trim it
+            // by putting it to a bytes8.
+            fundingOutputAmount := mload(add(fundingOutput, 32))
+        }
+
+        deposit.amount = fundingOutputAmount;
+        deposit.depositor = reveal.depositor;
         /* solhint-disable-next-line not-rely-on-time */
         deposit.revealedAt = uint32(block.timestamp);
+        deposit.vault = reveal.vault;
 
         emit DepositRevealed(
-            depositId,
             fundingTxHash,
-            fundingOutputIndex,
-            msg.sender,
-            blindingFactor,
-            refundPubKey,
-            amount,
-            vault
+            reveal.fundingOutputIndex,
+            reveal.depositor,
+            reveal.blindingFactor,
+            reveal.walletPubKeyHash,
+            reveal.refundPubKeyHash,
+            reveal.refundLocktime
         );
     }
 
@@ -110,45 +274,37 @@ contract Bridge {
     ///         The function is performing Bank balance updates by first
     ///         computing the Bitcoin fee for the sweep transaction. The fee is
     ///         divided evenly between all swept deposits. Each depositor
-    ///         receives a balance in the bank equal to the amount they have
-    ///         declared during the reveal transaction, minus their fee share.
+    ///         receives a balance in the bank equal to the amount inferred
+    ///         during the reveal transaction, minus their fee share.
     ///
     ///         It is possible to prove the given sweep only one time.
-    /// @param txVersion Transaction version number (4-byte LE)
-    /// @param txInputVector All transaction inputs prepended by the number of
-    ///                      inputs encoded as a VarInt, max 0xFC(252) inputs
-    /// @param txOutput Single sweep transaction output
-    /// @param txLocktime Final 4 bytes of the transaction
-    /// @param merkleProof The merkle proof of transaction inclusion in a block
-    /// @param txIndexInBlock Transaction index in the block (0-indexed)
+    /// @param sweepTx Bitcoin sweep transaction data.
+    /// @param merkleProof The merkle proof of transaction inclusion in a block.
+    /// @param txIndexInBlock Transaction index in the block (0-indexed).
     /// @param bitcoinHeaders Single bytestring of 80-byte bitcoin headers,
-    ///                       lowest height first
+    ///                       lowest height first.
     function sweep(
-        bytes4 txVersion,
-        bytes memory txInputVector,
-        bytes memory txOutput,
-        bytes4 txLocktime,
+        TxInfo calldata sweepTx,
         bytes memory merkleProof,
         uint256 txIndexInBlock,
         bytes memory bitcoinHeaders
     ) external {
-        // TODO We need to read `fundingTxHash`, `fundingOutputIndex` and
-        //      P2SH script depositor address from `txInputVector`.
-        //      We then hash them to obtain deposit identifier and read
-        //      DepositInfo. From DepositInfo we know what amount was declared
-        //      by the depositor in their reveal transaction and we use that
-        //      amount to update their Bank balance, minus fee.
+        // TODO We need to read `fundingTxHash`, `fundingOutputIndex` from
+        //      `sweepTx.inputVector`. We then hash them to obtain deposit
+        //      identifier and read DepositInfo. From DepositInfo we know what
+        //      amount was inferred during deposit reveal transaction and we
+        //      use that amount to update their Bank balance, minus fee.
         //
         // TODO We need to validate if the sum in the output minus the
         //      amount from the previous wallet balance input minus fees is
         //      equal to the amount by which Bank balances were increased.
         //
-        // TODO We need to validate txOutput to see if the balance was not
-        //      transferred away from the wallet before increasing balances in
-        //      the bank.
+        // TODO We need to validate `sweepTx.outputVector` to see if the balance
+        //      was not transferred away from the wallet before increasing
+        //      balances in the bank.
         //
         // TODO Delete deposit from unswept mapping or mark it as swept
-        //      depending on the gas costs. Alternativly, do not allow to
+        //      depending on the gas costs. Alternatively, do not allow to
         //      use the same TX input vector twice. Sweep should be provable
         //      only one time.
     }
@@ -158,4 +314,5 @@ contract Bridge {
     //      an incorrect amount revealed. We need to provide a function for honest
     //      depositors, next to sweep, to prove their swept balances on Ethereum
     //      selectively, based on deposits they have earlier received.
+    //      (UPDATE PR #90: Is it still the case since amounts are inferred?)
 }

package/contracts/vault/IVault.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+/// @title Bank Vault interface
+/// @notice `IVault` is an interface for a smart contract consuming Bank
+///         balances allowing the smart contract to receive Bank balances right
+///         after sweeping the deposit by the Bridge. This method allows the
+///         depositor to route their deposit revealed to the Bridge to the
+///         particular smart contract in the same transaction the deposit is
+///         revealed. This way, the depositor does not have to execute
+///         additional transaction after the deposit gets swept by the Bridge.
+interface IVault {
+    /// @notice Called by the Bank in `increaseBalanceAndCall` function after
+    ///         increasing the balance in the Bank for the vault.
+    /// @param depositors Addresses of depositors whose deposits have been swept
+    /// @param depositedAmounts Amounts deposited by individual depositors and
+    ///        swept
+    /// @dev The implementation must ensure this function can only be called
+    ///      by the Bank.
+    function onBalanceIncreased(
+        address[] calldata depositors,
+        uint256[] calldata depositedAmounts
+    ) external;
+}

package/contracts/vault/TBTCVault.sol

@@ -0,0 +1,128 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+import "./IVault.sol";
+import "../bank/Bank.sol";
+import "../token/TBTC.sol";
+
+/// @title TBTC application vault
+/// @notice TBTC is a fully Bitcoin-backed ERC-20 token pegged to the price of
+///         Bitcoin. It facilitates Bitcoin holders to act on the Ethereum
+///         blockchain and access the decentralized finance (DeFi) ecosystem.
+///         TBTC Vault mints and redeems TBTC based on Bitcoin balances in the
+///         Bank.
+/// @dev TBTC Vault is the owner of TBTC token contract and is the only contract
+///      minting the token.
+contract TBTCVault is IVault {
+    Bank public bank;
+    TBTC public tbtcToken;
+
+    event Minted(address indexed to, uint256 amount);
+
+    event Redeemed(address indexed from, uint256 amount);
+
+    modifier onlyBank() {
+        require(msg.sender == address(bank), "Caller is not the Bank");
+        _;
+    }
+
+    constructor(Bank _bank, TBTC _tbtcToken) {
+        require(
+            address(_bank) != address(0),
+            "Bank can not be the zero address"
+        );
+
+        require(
+            address(_tbtcToken) != address(0),
+            "TBTC token can not be the zero address"
+        );
+
+        bank = _bank;
+        tbtcToken = _tbtcToken;
+    }
+
+    /// @notice Transfers the given `amount` of the Bank balance from caller
+    ///         to TBTC Vault, and mints `amount` of TBTC to the caller.
+    /// @dev TBTC Vault must have an allowance for caller's balance in the Bank
+    ///      for at least `amount`.
+    /// @param amount Amount of TBTC to mint
+    function mint(uint256 amount) external {
+        address minter = msg.sender;
+        require(
+            bank.balanceOf(minter) >= amount,
+            "Amount exceeds balance in the bank"
+        );
+        _mint(minter, amount);
+        bank.transferBalanceFrom(minter, address(this), amount);
+    }
+
+    /// @notice Mints the same amount of TBTC as the deposited amount for each
+    ///         depositor in the array. Can only be called by the Bank after the
+    ///         Bridge swept deposits and Bank increased balance for the
+    ///         vault.
+    /// @dev Fails if `depositors` array is empty. Expects the length of
+    ///      `depositors` and `depositedAmounts` is the same.
+    function onBalanceIncreased(
+        address[] calldata depositors,
+        uint256[] calldata depositedAmounts
+    ) external override onlyBank {
+        require(depositors.length != 0, "No depositors specified");
+        for (uint256 i = 0; i < depositors.length; i++) {
+            _mint(depositors[i], depositedAmounts[i]);
+        }
+    }
+
+    /// @notice Burns `amount` of TBTC from the caller's account and transfers
+    ///         `amount` back to the caller's balance in the Bank.
+    /// @dev Caller must have at least `amount` of TBTC approved to
+    ///       TBTC Vault.
+    /// @param amount Amount of TBTC to redeem
+    function redeem(uint256 amount) external {
+        _redeem(msg.sender, amount);
+    }
+
+    /// @notice Burns `amount` of TBTC from the caller's account and transfers
+    ///         `amount` back to the caller's balance in the Bank.
+    /// @dev This function is doing the same as `redeem` but it allows to
+    ///      execute redemption without an additional approval transaction.
+    ///      The function can be called only via `approveAndCall` of TBTC token.
+    /// @param from TBTC token holder executing redemption
+    /// @param amount Amount of TBTC to redeem
+    /// @param token TBTC token address
+    function receiveApproval(
+        address from,
+        uint256 amount,
+        address token,
+        bytes calldata
+    ) external {
+        require(token == address(tbtcToken), "Token is not TBTC");
+        require(msg.sender == token, "Only TBTC caller allowed");
+        _redeem(from, amount);
+    }
+
+    // slither-disable-next-line calls-loop
+    function _mint(address minter, uint256 amount) internal {
+        emit Minted(minter, amount);
+        tbtcToken.mint(minter, amount);
+    }
+
+    function _redeem(address redeemer, uint256 amount) internal {
+        emit Redeemed(redeemer, amount);
+        tbtcToken.burnFrom(redeemer, amount);
+        bank.transferBalance(redeemer, amount);
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keep-network/tbtc-v2",
-  "version": "0.1.1-dev.2+main.cd434b847d1fa33a36db2bf535bafa0dd706a781",
+  "version": "0.1.1-dev.6+main.68e9da2c1b826725378fc2c33c2067b6c024a26e",
   "license": "MIT",
   "files": [
     "artifacts/",
@@ -26,13 +26,14 @@
     "prepublishOnly": "./scripts/prepare-artifacts.sh --network $npm_config_network"
   },
   "dependencies": {
-    "@keep-network/tbtc": ">1.1.2-dev <1.1.2-ropsten",
+    "@keep-network/bitcoin-spv-sol": "3.1.0-solc-0.8",
+    "@keep-network/tbtc": ">1.1.2-dev <1.1.2-pre",
     "@openzeppelin/contracts": "^4.1.0",
     "@tenderly/hardhat-tenderly": "^1.0.12",
     "@thesis/solidity-contracts": "github:thesis/solidity-contracts#4985bcf"
   },
   "devDependencies": {
-    "@keep-network/hardhat-helpers": "^0.2.0-pre.4",
+    "@keep-network/hardhat-helpers": "0.4.1-pre.1",
     "@keep-network/hardhat-local-networks-config": "^0.1.0-pre.0",
     "@nomiclabs/hardhat-ethers": "^2.0.2",
     "@nomiclabs/hardhat-etherscan": "^2.1.4",