@keep-network/tbtc-v2 0.1.1-dev.24 → 0.1.1-dev.27

package/contracts/bridge/Bridge.sol

@@ -25,6 +25,7 @@ import "../bank/Bank.sol";
 import "./BitcoinTx.sol";
 import "./EcdsaLib.sol";
 import "./Wallets.sol";
+import "./Frauds.sol";
 
 /// @title Interface for the Bitcoin relay
 /// @notice Contains only the methods needed by tBTC v2. The Bitcoin relay
@@ -61,6 +62,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     using BTCUtils for bytes;
     using BTCUtils for uint256;
     using BytesLib for bytes;
+    using Frauds for Frauds.Data;
     using Wallets for Wallets.Data;
 
     /// @notice Represents data which must be revealed by the depositor during
@@ -261,6 +263,16 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///         validating them before attempting to execute a sweep.
     mapping(uint256 => DepositRequest) public deposits;
 
+    //TODO: Remember to update this map when implementing transferring funds
+    //      between wallets (insert the main UTXO that was used as the input).
+    /// @notice Collection of main UTXOs that are honestly spent indexed by
+    ///         keccak256(fundingTxHash | fundingOutputIndex). The fundingTxHash
+    ///         is bytes32 (ordered as in Bitcoin internally) and
+    ///         fundingOutputIndex an uint32. A main UTXO is considered honestly
+    ///         spent if it was used as an input of a transaction that have been
+    ///         proven in the Bridge.
+    mapping(uint256 => bool) public spentMainUTXOs;
+
     /// @notice Collection of all pending redemption requests indexed by
     ///         redemption key built as
     ///         keccak256(walletPubKeyHash | redeemerOutputScript). The
@@ -275,8 +287,6 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///           successfully
     ///         - `notifyRedemptionTimeout` in case the request was reported
     ///           to be timed out
-    ///         - `submitRedemptionFraudProof` in case the request was handled
-    ///           in an fraudulent way amount-wise.
     mapping(uint256 => RedemptionRequest) public pendingRedemptions;
 
     /// @notice Collection of all timed out redemptions requests indexed by
@@ -297,6 +307,10 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     // slither-disable-next-line uninitialized-state
     mapping(uint256 => RedemptionRequest) public timedOutRedemptions;
 
+    /// @notice Contains parameters related to frauds and the collection of all
+    ///         submitted fraud challenges.
+    Frauds.Data internal frauds;
+
     /// @notice State related with wallets.
     Wallets.Data internal wallets;
 
@@ -307,6 +321,8 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         uint64 newMaxBtcBalance
     );
 
+    event WalletMaxAgeUpdated(uint32 newMaxAge);
+
     event NewWalletRequested();
 
     event NewWalletRegistered(
@@ -314,6 +330,16 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bytes20 indexed walletPubKeyHash
     );
 
+    event WalletMovingFunds(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletClosed(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
     event WalletTerminated(
         bytes32 indexed ecdsaWalletID,
         bytes20 indexed walletPubKeyHash
@@ -321,6 +347,20 @@ contract Bridge is Ownable, EcdsaWalletOwner {
 
     event VaultStatusUpdated(address indexed vault, bool isTrusted);
 
+    event FraudSlashingAmountUpdated(uint256 newFraudSlashingAmount);
+
+    event FraudNotifierRewardMultiplierUpdated(
+        uint256 newFraudNotifierRewardMultiplier
+    );
+
+    event FraudChallengeDefeatTimeoutUpdated(
+        uint256 newFraudChallengeDefeatTimeout
+    );
+
+    event FraudChallengeDepositAmountUpdated(
+        uint256 newFraudChallengeDepositAmount
+    );
+
     event DepositRevealed(
         bytes32 fundingTxHash,
         uint32 fundingOutputIndex,
@@ -349,6 +389,21 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bytes32 redemptionTxHash
     );
 
+    event FraudChallengeSubmitted(
+        bytes20 walletPublicKeyHash,
+        bytes32 sighash,
+        uint8 v,
+        bytes32 r,
+        bytes32 s
+    );
+
+    event FraudChallengeDefeated(bytes20 walletPublicKeyHash, bytes32 sighash);
+
+    event FraudChallengeDefeatTimedOut(
+        bytes20 walletPublicKeyHash,
+        bytes32 sighash
+    );
+
     constructor(
         address _bank,
         address _relay,
@@ -375,17 +430,23 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         redemptionTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
         redemptionTxMaxFee = 1000; // 1000 satoshi
         redemptionTimeout = 172800; // 48 hours
+        frauds.setSlashingAmount(10000 * 1e18); // 10000 T
+        frauds.setNotifierRewardMultiplier(100); // 100%
+        frauds.setChallengeDefeatTimeout(7 days);
+        frauds.setChallengeDepositAmount(2 ether);
 
         // TODO: Revisit initial values.
         wallets.init(_ecdsaWalletRegistry);
         wallets.setCreationPeriod(1 weeks);
         wallets.setBtcBalanceRange(1 * 1e8, 10 * 1e8); // [1 BTC, 10 BTC]
+        wallets.setMaxAge(26 weeks); // ~6 months
     }
 
     /// @notice Updates parameters used by the `Wallets` library.
     /// @param creationPeriod New value of the wallet creation period
     /// @param minBtcBalance New value of the minimum BTC balance
     /// @param maxBtcBalance New value of the maximum BTC balance
+    /// @param maxAge New value of the wallet maximum age
     /// @dev Requirements:
     ///      - Caller must be the contract owner.
     ///      - Minimum BTC balance must be greater than zero
@@ -393,29 +454,34 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     function updateWalletsParameters(
         uint32 creationPeriod,
         uint64 minBtcBalance,
-        uint64 maxBtcBalance
+        uint64 maxBtcBalance,
+        uint32 maxAge
     ) external onlyOwner {
         wallets.setCreationPeriod(creationPeriod);
         wallets.setBtcBalanceRange(minBtcBalance, maxBtcBalance);
+        wallets.setMaxAge(maxAge);
     }
 
     /// @return creationPeriod Value of the wallet creation period
     /// @return minBtcBalance Value of the minimum BTC balance
     /// @return maxBtcBalance Value of the maximum BTC balance
+    /// @return maxAge Value of the wallet max age
     function getWalletsParameters()
         external
         view
         returns (
             uint32 creationPeriod,
             uint64 minBtcBalance,
-            uint64 maxBtcBalance
+            uint64 maxBtcBalance,
+            uint32 maxAge
         )
     {
         creationPeriod = wallets.creationPeriod;
         minBtcBalance = wallets.minBtcBalance;
         maxBtcBalance = wallets.maxBtcBalance;
+        maxAge = wallets.maxAge;
 
-        return (creationPeriod, minBtcBalance, maxBtcBalance);
+        return (creationPeriod, minBtcBalance, maxBtcBalance, maxAge);
     }
 
     /// @notice Allows the Governance to mark the given vault address as trusted
@@ -478,13 +544,41 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         wallets.registerNewWallet(ecdsaWalletID, publicKeyX, publicKeyY);
     }
 
-    // TODO: Documentation.
+    /// @notice A callback function that is called by the ECDSA Wallet Registry
+    ///         once a wallet heartbeat failure is detected.
+    /// @param publicKeyX Wallet's public key's X coordinate
+    /// @param publicKeyY Wallet's public key's Y coordinate
+    /// @dev Requirements:
+    ///      - The only caller authorized to call this function is `registry`
+    ///      - Wallet must be in Live state
     function __ecdsaWalletHeartbeatFailedCallback(
-        bytes32 ecdsaWalletID,
+        bytes32,
         bytes32 publicKeyX,
         bytes32 publicKeyY
     ) external override {
-        // TODO: Implementation.
+        wallets.notifyWalletHeartbeatFailed(publicKeyX, publicKeyY);
+    }
+
+    /// @notice Notifies that the wallet is either old enough or has too few
+    ///         satoshis left and qualifies to be closed.
+    /// @param walletPubKeyHash 20-byte public key hash of the wallet
+    /// @param walletMainUtxo Data of the wallet's main UTXO, as currently
+    ///        known on the Ethereum chain.
+    /// @dev Requirements:
+    ///      - Wallet must not be set as the current active wallet
+    ///      - Wallet must exceed the wallet maximum age OR the wallet BTC
+    ///        balance must be lesser than the minimum threshold. If the latter
+    ///        case is true, the `walletMainUtxo` components must point to the
+    ///        recent main UTXO of the given wallet, as currently known on the
+    ///        Ethereum chain. If the wallet has no main UTXO, this parameter
+    ///        can be empty as it is ignored since the wallet balance is
+    ///        assumed to be zero.
+    ///      - Wallet must be in Live state
+    function notifyCloseableWallet(
+        bytes20 walletPubKeyHash,
+        BitcoinTx.UTXO calldata walletMainUtxo
+    ) external {
+        wallets.notifyCloseableWallet(walletPubKeyHash, walletMainUtxo);
     }
 
     /// @notice Gets details about a registered wallet.
@@ -988,6 +1082,15 @@ contract Bridge is Ownable, EcdsaWalletOwner {
                 // the expected main UTXO.
                 info.inputsTotalValue += mainUtxo.txOutputValue;
                 mainUtxoFound = true;
+
+                // Main UTXO used as an input, mark it as spent.
+                spentMainUTXOs[
+                    uint256(
+                        keccak256(
+                            abi.encodePacked(outpointTxHash, outpointIndex)
+                        )
+                    )
+                ] = true;
             } else {
                 revert("Unknown input type");
             }
@@ -1353,6 +1456,187 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bank.transferBalance(treasury, outputsInfo.totalTreasuryFee);
     }
 
+    /// @notice Submits a fraud challenge indicating that a UTXO being under
+    ///         wallet control was unlocked by the wallet but was not used
+    ///         according to the protocol rules. That means the wallet signed
+    ///         a transaction input pointing to that UTXO and there is a unique
+    ///         sighash and signature pair associated with that input. This
+    ///         function uses those parameters to create a fraud accusation that
+    ///         proves a given transaction input unlocking the given UTXO was
+    ///         actually signed by the wallet. This function cannot determine
+    ///         whether the transaction was actually broadcast and the input was
+    ///         consumed in a fraudulent way so it just opens a challenge period
+    ///         during which the wallet can defeat the challenge by submitting
+    ///         proof of a transaction that consumes the given input according
+    ///         to protocol rules. To prevent spurious allegations, the caller
+    ///         must deposit ETH that is returned back upon justified fraud
+    ///         challenge or confiscated otherwise.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param sighash The hash that was used to produce the ECDSA signature
+    ///        that is the subject of the fraud claim. This hash is constructed
+    ///        by applying double SHA-256 over a serialized subset of the
+    ///        transaction. The exact subset used as hash preimage depends on
+    ///        the transaction input the signature is produced for. See BIP-143
+    ///        for reference
+    /// @param signature Bitcoin signature in the R/S/V format
+    /// @dev Requirements:
+    ///      - Wallet behind `walletPubKey` must be in `Live` or `MovingFunds`
+    ///        state
+    ///      - The challenger must send appropriate amount of ETH used as
+    ///        fraud challenge deposit
+    ///      - The signature (represented by r, s and v) must be generated by
+    ///        the wallet behind `walletPubKey` during signing of `sighash`
+    ///      - Wallet can be challenged for the given signature only once
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function submitFraudChallenge(
+        bytes calldata walletPublicKey,
+        bytes32 sighash,
+        BitcoinTx.RSVSignature calldata signature
+    ) external payable {
+        bytes memory compressedWalletPublicKey = EcdsaLib.compressPublicKey(
+            walletPublicKey.slice32(0),
+            walletPublicKey.slice32(32)
+        );
+        bytes20 walletPubKeyHash = compressedWalletPublicKey.hash160View();
+
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        require(
+            wallet.state == Wallets.WalletState.Live ||
+                wallet.state == Wallets.WalletState.MovingFunds,
+            "Wallet is neither in Live nor MovingFunds state"
+        );
+
+        frauds.submitFraudChallenge(
+            walletPublicKey,
+            walletPubKeyHash,
+            sighash,
+            signature
+        );
+    }
+
+    /// @notice Allows to defeat a pending fraud challenge against a wallet if
+    ///         the transaction that spends the UTXO follows the protocol rules.
+    ///         In order to defeat the challenge the same `walletPublicKey` and
+    ///         signature (represented by `r`, `s` and `v`) must be provided as
+    ///         were used in the fraud challenge. Additionally a preimage must
+    ///         be provided which was used to calculate the sighash during input
+    ///         signing. The fraud challenge defeat attempt will only succeed if
+    ///         the inputs in the preimage are considered honestly spent by the
+    ///         wallet. Therefore the transaction spending the UTXO must be
+    ///         proven in the Bridge before a challenge defeat is called.
+    ///         If successfully defeated, the fraud challenge is marked as
+    ///         resolved and the amount of ether deposited by the challenger is
+    ///         sent to the treasury.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param preimage The preimage which produces sighash used to generate the
+    ///        ECDSA signature that is the subject of the fraud claim. It is a
+    ///        serialized subset of the transaction. The exact subset used as
+    ///        the preimage depends on the transaction input the signature is
+    ///        produced for. See BIP-143 for reference
+    /// @param witness Flag indicating whether the preimage was produced for a
+    ///        witness input. True for witness, false for non-witness input
+    /// @dev Requirements:
+    ///      - `walletPublicKey` and `sighash` calculated as `hash256(preimage)`
+    ///        must identify an open fraud challenge
+    ///      - the preimage must be a valid preimage of a transaction generated
+    ///        according to the protocol rules and already proved in the Bridge
+    ///      - before a defeat attempt is made the transaction that spends the
+    ///        given UTXO must be proven in the Bridge
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function defeatFraudChallenge(
+        bytes calldata walletPublicKey,
+        bytes calldata preimage,
+        bool witness
+    ) external {
+        uint256 utxoKey = frauds.unwrapChallenge(
+            walletPublicKey,
+            preimage,
+            witness
+        );
+
+        // Check that the UTXO key identifies a correctly spent UTXO.
+        require(
+            deposits[utxoKey].sweptAt > 0 || spentMainUTXOs[utxoKey],
+            "Spent UTXO not found among correctly spent UTXOs"
+        );
+
+        frauds.defeatChallenge(walletPublicKey, preimage, treasury);
+    }
+
+    /// @notice Notifies about defeat timeout for the given fraud challenge.
+    ///         Can be called only if there was a fraud challenge identified by
+    ///         the provided `walletPublicKey` and `sighash` and it was not
+    ///         defeated on time. The amount of time that needs to pass after
+    ///         a fraud challenge is reported is indicated by the
+    ///         `challengeDefeatTimeout`. After a successful fraud challenge
+    ///         defeat timeout notification the fraud challenge is marked as
+    ///         resolved, the stake of each operator is slashed, the ether
+    ///         deposited is returned to the challenger and the challenger is
+    ///         rewarded.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param sighash The hash that was used to produce the ECDSA signature
+    ///        that is the subject of the fraud claim. This hash is constructed
+    ///        by applying double SHA-256 over a serialized subset of the
+    ///        transaction. The exact subset used as hash preimage depends on
+    ///        the transaction input the signature is produced for. See BIP-143
+    ///        for reference
+    /// @dev Requirements:
+    ///      - `walletPublicKey`and `sighash` must identify an open fraud
+    ///        challenge
+    ///      - the amount of time indicated by `challengeDefeatTimeout` must
+    ///        pass after the challenge was reported
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function notifyFraudChallengeDefeatTimeout(
+        bytes calldata walletPublicKey,
+        bytes32 sighash
+    ) external {
+        frauds.notifyFraudChallengeDefeatTimeout(walletPublicKey, sighash);
+    }
+
+    /// @notice Returns parameters used by the `Frauds` library.
+    /// @return slashingAmount Value of the slashing amount
+    /// @return notifierRewardMultiplier Value of the notifier reward multiplier
+    /// @return challengeDefeatTimeout Value of the challenge defeat timeout
+    /// @return challengeDepositAmount Value of the challenge deposit amount
+    function getFraudParameters()
+        external
+        view
+        returns (
+            uint256 slashingAmount,
+            uint256 notifierRewardMultiplier,
+            uint256 challengeDefeatTimeout,
+            uint256 challengeDepositAmount
+        )
+    {
+        slashingAmount = frauds.slashingAmount;
+        notifierRewardMultiplier = frauds.notifierRewardMultiplier;
+        challengeDefeatTimeout = frauds.challengeDefeatTimeout;
+        challengeDepositAmount = frauds.challengeDepositAmount;
+
+        return (
+            slashingAmount,
+            notifierRewardMultiplier,
+            challengeDefeatTimeout,
+            challengeDepositAmount
+        );
+    }
+
+    /// @notice Returns the fraud challenge identified by the given key built
+    ///         as keccak256(walletPublicKey|sighash|v|r|s).
+    function fraudChallenges(uint256 challengeKey)
+        external
+        view
+        returns (Frauds.FraudChallenge memory)
+    {
+        return frauds.challenges[challengeKey];
+    }
+
     /// @notice Validates whether the redemption Bitcoin transaction input
     ///         vector contains a single input referring to the wallet's main
     ///         UTXO. Reverts in case the validation fails.
@@ -1369,7 +1653,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bytes memory redemptionTxInputVector,
         BitcoinTx.UTXO calldata mainUtxo,
         bytes20 walletPubKeyHash
-    ) internal view {
+    ) internal {
         // Assert that main UTXO for passed wallet exists in storage.
         bytes32 mainUtxoHash = wallets
             .registeredWallets[walletPubKeyHash]
@@ -1400,6 +1684,15 @@ contract Bridge is Ownable, EcdsaWalletOwner {
                 mainUtxo.txOutputIndex == redemptionTxOutpointIndex,
             "Redemption transaction input must point to the wallet's main UTXO"
         );
+
+        // Main UTXO used as an input, mark it as spent.
+        spentMainUTXOs[
+            uint256(
+                keccak256(
+                    abi.encodePacked(mainUtxo.txHash, mainUtxo.txOutputIndex)
+                )
+            )
+        ] = true;
     }
 
     /// @notice Processes the Bitcoin redemption transaction input vector. It
@@ -1647,83 +1940,6 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     //       7. Reduce the `pendingRedemptionsValue` (`wallets` mapping) for
     //          given wallet by request's redeemable amount computed as
     //          `requestedAmount - treasuryFee`.
-    //       8. Punish the wallet, probably by slashing its operators.
-    //       9. Change wallet's state in `wallets` mapping to `MovingFunds` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet.
-    //      10. Expect the wallet to transfer its funds to another healthy
-    //          wallet (just as in case of failed heartbeat). The wallet is
-    //          expected to finish the already queued redemption requests
-    //          before moving funds but we are not going to enforce it on-chain.
-
-    // TODO: Function `submitRedemptionFraudProof`
-    //
-    //       Deposit and redemption fraud proofs are challenging to implement
-    //       and it may happen we will have to rely on the coverage pool
-    //       (https://github.com/keep-network/coverage-pools) and DAO to
-    //       reimburse unlucky depositors and bring back the balance to the
-    //       system in case  of a wallet fraud by liquidating a part of the
-    //       coverage pool manually.
-    //
-    //       The probability of 51-of-100 wallet being fraudulent is negligible:
-    //       https://github.com/keep-network/tbtc-v2/blob/main/docs/rfc/rfc-2.adoc#111-group-size-and-threshold
-    //       and the coverage pool would be there to bring the balance back in
-    //       case we are unlucky and malicious wallet emerges.
-    //
-    //       We do not want to slash for a misbehavior that is not provable
-    //       on-chain and it is possible to construct such a Bitcoin transaction
-    //       that is not provable on Ethereum, see
-    //       https://consensys.net/diligence/blog/2020/05/tbtc-navigating-the-cross-chain-conundrum
-    //
-    //       The algorithm described below assumes we will be able to prove the
-    //       TX on Ethereum which may not always be the case. Consider the steps
-    //       below as an idea, and not necessarily how this function will be
-    //       implemented because it may happen this function will never be
-    //       implemented, given the Bitcoin transaction size problems.
-    //
-    //       The algorithm:
-    //       1. Take a `BitcoinTx.Info` and `BitcoinTx.Proof` of the
-    //          fraudulent transaction. It should also accept `walletPubKeyHash`
-    //          and index of fraudulent output. Probably index of fraudulent
-    //          input will be also required if the transaction is supposed
-    //          to have a bad input vector.
-    //       2. Perform SPV proof to make sure it occurred on Bitcoin chain.
-    //          If not - revert.
-    //       3. Check if wallet state is Live or MovingFunds. If not, revert.
-    //       4. Validate the number of inputs. If there is one input and it
-    //          points to the wallet's main UTXO - move to point 5. If there
-    //          are multiple inputs and there is wallet's main UTXO in the set,
-    //          check if this is  a sweep transaction. If it's not a sweep,
-    //          consider it as fraudulent and move to point 6.
-    //          In all other cases revert the call.
-    //       5. Extract the output and analyze its type. The output is not
-    //          a fraud and the call should be reverted ONLY IF one of the
-    //          following conditions is true:
-    //          - Output is a requested redemption held by `pendingRedemptions`
-    //            and output value fulfills the request range. There is an
-    //            open question if a misfunded request should be removed
-    //            from `pendingRedemptions` (probably yes) and whether the
-    //            redeemer should be reimbursed in case of an underfund.
-    //          - Output is a timed out redemption held by `timedOutRedemptions`
-    //            and output value fulfills the request range.
-    //          - Output is a proper change i.e. a single output targeting
-    //            the wallet PKH back and having a non-zero value.
-    //          - Wallet is in MovingFunds state, the output points to the
-    //            expected target wallet, have non-zero value, and is a single
-    //            output in the vector.
-    //          In all other cases consider the transaction as fraud and
-    //          proceed to point 6.
-    //       6. Punish the wallet, probably by severely slashing its operators.
-    //       7. Change wallet's state in `wallets` mapping to `Terminated` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet. This also prevents against reporting a fraud
-    //          multiple times for one transaction (see point 3) and blocks
-    //          submission of sweep and redemption proofs. `Terminated` wallet
-    //          is blocked in the Bridge forever. If the fraud was a mistake
-    //          done by the wallet and the wallet is still honest deep in its
-    //          heart, the wallet can coordinate off-chain to recover the BTC
-    //          and donate it to another wallet. If they recover all of the
-    //          remaining BTC, DAO might decide to reward them with tokens so
-    //          that they can have at least some portion of their slashed
-    //          tokens back.
+    //       8. Call `wallets.notifyRedemptionTimedOut` to propagate timeout
+    //          consequences to the wallet.
 }