@keep-network/tbtc-v2 0.1.1-dev.5 → 0.1.1-dev.9

package/contracts/bridge/Bridge.sol

@@ -15,106 +15,282 @@
 
 pragma solidity 0.8.4;
 
-/// @title BTC Bridge
-/// @notice Bridge manages BTC deposit and redemption and is increasing and
+import "@openzeppelin/contracts/access/Ownable.sol";
+
+import {BTCUtils} from "@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol";
+import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+
+import "./BitcoinTx.sol";
+
+/// @title Bitcoin Bridge
+/// @notice Bridge manages BTC deposit and redemption flow and is increasing and
 ///         decreasing balances in the Bank as a result of BTC deposit and
-///         redemption operations.
+///         redemption operations performed by depositors and redeemers.
 ///
-///         Depositors send BTC funds to the most-recently-created-wallet of the
-///         bridge using pay-to-script-hash (P2SH) which contains hashed
-///         information about the depositor’s minting Ethereum address. Then,
-///         the depositor reveals their desired Ethereum minting address to the
-///         Ethereum chain. The Bridge listens for these sorts of messages and
-///         when it gets one, it checks the Bitcoin network to make sure the
-///         funds line up. If they do, the off-chain wallet may decide to pick
-///         this transaction for sweeping, and when the sweep operation is
-///         confirmed on the Bitcoin network, the wallet informs the Bridge
-///         about the sweep increasing appropriate balances in the Bank.
+///         Depositors send BTC funds to the most recently created off-chain
+///         ECDSA wallet of the bridge using pay-to-script-hash (P2SH) or
+///         pay-to-witness-script-hash (P2WSH) containing hashed information
+///         about the depositor’s Ethereum address. Then, the depositor reveals
+///         their Ethereum address along with their deposit blinding factor,
+///         refund public key hash and refund locktime to the Bridge on Ethereum
+///         chain. The off-chain ECDSA wallet listens for these sorts of
+///         messages and when it gets one, it checks the Bitcoin network to make
+///         sure the deposit lines up. If it does, the off-chain ECDSA wallet
+///         may decide to pick the deposit transaction for sweeping, and when
+///         the sweep operation is confirmed on the Bitcoin network, the ECDSA
+///         wallet informs the Bridge about the sweep increasing appropriate
+///         balances in the Bank.
 /// @dev Bridge is an upgradeable component of the Bank.
-contract Bridge {
-    struct DepositInfo {
-        uint64 amount;
+contract Bridge is Ownable {
+    using BTCUtils for bytes;
+    using BytesLib for bytes;
+
+    /// @notice Represents data which must be revealed by the depositor during
+    ///         deposit reveal.
+    struct RevealInfo {
+        // Index of the funding output belonging to the funding transaction.
+        uint8 fundingOutputIndex;
+        // Ethereum depositor address.
+        address depositor;
+        // The blinding factor as 8 bytes. Byte endianness doesn't matter
+        // as this factor is not interpreted as uint.
+        bytes8 blindingFactor;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // of the deposit's wallet hashed in the HASH160 Bitcoin opcode style.
+        bytes20 walletPubKeyHash;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // that can be used to make the deposit refund after the refund
+        // locktime passes. Hashed in the HASH160 Bitcoin opcode style.
+        bytes20 refundPubKeyHash;
+        // The refund locktime (4-byte LE). Interpreted according to locktime
+        // parsing rules described in:
+        // https://developer.bitcoin.org/devguide/transactions.html#locktime-and-sequence-number
+        // and used with OP_CHECKLOCKTIMEVERIFY opcode as described in:
+        // https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki
+        bytes4 refundLocktime;
+        // Address of the Bank vault to which the deposit is routed to.
+        // Optional, can be 0x0. The vault must be trusted by the Bridge.
         address vault;
+    }
+
+    /// @notice Represents tBTC deposit data.
+    struct DepositInfo {
+        // Ethereum depositor address.
+        address depositor;
+        // Deposit amount in satoshi (8-byte LE). For example:
+        // 0.0001 BTC = 10000 satoshi = 0x1027000000000000
+        bytes8 amount;
+        // UNIX timestamp the deposit was revealed at.
         uint32 revealedAt;
+        // Address of the Bank vault the deposit is routed to.
+        // Optional, can be 0x0.
+        address vault;
     }
 
+    /// @notice Indicates if the vault with the given address is trusted or not.
+    ///         Depositors can route their revealed deposits only to trusted
+    ///         vaults and have trusted vaults notified about new deposits as
+    ///         soon as these deposits get swept. Vaults not trusted by the
+    ///         Bridge can still be used by Bank balance owners on their own
+    ///         responsibility - anyone can approve their Bank balance to any
+    ///         address.
+    mapping(address => bool) public isVaultTrusted;
+
     /// @notice Collection of all unswept deposits indexed by
-    ///         keccak256(fundingTxHash | fundingOutputIndex | depositorAddress).
+    ///         keccak256(fundingTxHash | fundingOutputIndex).
+    ///         The fundingTxHash is LE bytes32 and fundingOutputIndex an uint8.
     ///         This mapping may contain valid and invalid deposits and the
     ///         wallet is responsible for validating them before attempting to
     ///         execute a sweep.
+    ///
+    /// TODO: Explore the possibility of storing just a hash of DepositInfo.
     mapping(uint256 => DepositInfo) public unswept;
 
     event DepositRevealed(
-        uint256 depositId,
         bytes32 fundingTxHash,
         uint8 fundingOutputIndex,
         address depositor,
-        uint64 blindingFactor,
-        bytes refundPubKey,
-        uint64 amount,
+        bytes8 blindingFactor,
+        bytes20 walletPubKeyHash,
+        bytes20 refundPubKeyHash,
+        bytes4 refundLocktime,
         address vault
     );
 
-    /// @notice Used by the depositor to reveal information about their P2SH
+    event VaultStatusUpdated(address indexed vault, bool isTrusted);
+
+    /// @notice Allows the Governance to mark the given vault address as trusted
+    ///         or no longer trusted. Vaults are not trusted by default.
+    ///         Trusted vault must meet the following criteria:
+    ///         - `IVault.onBalanceIncreased` must have a known, low gas cost.
+    ///         - `IVault.onBalanceIncreased` must never revert.
+    /// @dev Without restricting reveal only to trusted vaults, malicious
+    ///      vaults not meeting the criteria would be able to nuke sweep proof
+    ///      transactions executed by ECDSA wallet with  deposits routed to
+    ///      them.
+    /// @param vault The address of the vault
+    /// @param isTrusted flag indicating whether the vault is trusted or not
+    /// @dev Can only be called by the Governance.
+    function setVaultStatus(address vault, bool isTrusted) external onlyOwner {
+        isVaultTrusted[vault] = isTrusted;
+        emit VaultStatusUpdated(vault, isTrusted);
+    }
+
+    /// @notice Used by the depositor to reveal information about their P2(W)SH
     ///         Bitcoin deposit to the Bridge on Ethereum chain. The off-chain
     ///         wallet listens for revealed deposit events and may decide to
     ///         include the revealed deposit in the next executed sweep.
     ///         Information about the Bitcoin deposit can be revealed before or
-    ///         after the Bitcoin transaction with P2SH deposit is mined on the
-    ///         Bitcoin chain.
-    /// @param fundingTxHash The BTC transaction hash containing BTC P2SH
-    ///        deposit funding transaction
-    /// @param fundingOutputIndex The index of the transaction output in the
-    ///        funding TX with P2SH deposit, max 256
-    /// @param blindingFactor The blinding factor used in the BTC P2SH deposit,
-    ///        max 2^64
-    /// @param refundPubKey The refund pub key used in the BTC P2SH deposit
-    /// @param amount The amount locked in the BTC P2SH deposit
-    /// @param vault Bank vault to which the swept deposit should be routed
+    ///         after the Bitcoin transaction with P2(W)SH deposit is mined on
+    ///         the Bitcoin chain. Worth noting, the gas cost of this function
+    ///         scales with the number of P2(W)SH transaction inputs and
+    ///         outputs. The deposit may be routed to one of the trusted vaults.
+    ///         When a deposit is routed to a vault, vault gets notified when
+    ///         the deposit gets swept and it may execute the appropriate action.
+    /// @param fundingTx Bitcoin funding transaction data, see `BitcoinTx.Info`
+    /// @param reveal Deposit reveal data, see `RevealInfo struct
     /// @dev Requirements:
-    ///      - `msg.sender` must be the Ethereum address used in the P2SH BTC deposit,
-    ///      - `blindingFactor` must be the blinding factor used in the P2SH BTC deposit,
-    ///      - `refundPubKey` must be the refund pub key used in the P2SH BTC deposit,
-    ///      - `amount` must be the same as locked in the P2SH BTC deposit,
+    ///      - `reveal.vault` must be 0x0 or point to a trusted vault
+    ///      - `reveal.fundingOutputIndex` must point to the actual P2(W)SH
+    ///        output of the BTC deposit transaction
+    ///      - `reveal.depositor` must be the Ethereum address used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.blindingFactor` must be the blinding factor used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.walletPubKeyHash` must be the wallet pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundPubKeyHash` must be the refund pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundLocktime` must be the refund locktime used in the
+    ///        P2(W)SH BTC deposit transaction,
     ///      - BTC deposit for the given `fundingTxHash`, `fundingOutputIndex`
-    ///        can be revealed by `msg.sender` only one time.
+    ///        can be revealed only one time.
     ///
     ///      If any of these requirements is not met, the wallet _must_ refuse
     ///      to sweep the deposit and the depositor has to wait until the
     ///      deposit script unlocks to receive their BTC back.
     function revealDeposit(
-        bytes32 fundingTxHash,
-        uint8 fundingOutputIndex,
-        uint64 blindingFactor,
-        bytes calldata refundPubKey,
-        uint64 amount,
-        address vault
+        BitcoinTx.Info calldata fundingTx,
+        RevealInfo calldata reveal
     ) external {
-        uint256 depositId =
-            uint256(
-                keccak256(
-                    abi.encode(fundingTxHash, fundingOutputIndex, msg.sender)
-                )
+        require(
+            reveal.vault == address(0) || isVaultTrusted[reveal.vault],
+            "Vault is not trusted"
+        );
+
+        bytes memory expectedScript =
+            abi.encodePacked(
+                hex"14", // Byte length of depositor Ethereum address.
+                reveal.depositor,
+                hex"75", // OP_DROP
+                hex"08", // Byte length of blinding factor value.
+                reveal.blindingFactor,
+                hex"75", // OP_DROP
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.walletPubKeyHash,
+                hex"87", // OP_EQUAL
+                hex"63", // OP_IF
+                hex"ac", // OP_CHECKSIG
+                hex"67", // OP_ELSE
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.refundPubKeyHash,
+                hex"88", // OP_EQUALVERIFY
+                hex"04", // Byte length of refund locktime value.
+                reveal.refundLocktime,
+                hex"b1", // OP_CHECKLOCKTIMEVERIFY
+                hex"75", // OP_DROP
+                hex"ac", // OP_CHECKSIG
+                hex"68" // OP_ENDIF
+            );
+
+        bytes memory fundingOutput =
+            fundingTx.outputVector.extractOutputAtIndex(
+                reveal.fundingOutputIndex
+            );
+        bytes memory fundingOutputHash = fundingOutput.extractHash();
+
+        if (fundingOutputHash.length == 20) {
+            // A 20-byte output hash is used by P2SH. That hash is constructed
+            // by applying OP_HASH160 on the locking script. A 20-byte output
+            // hash is used as well by P2PKH and P2WPKH (OP_HASH160 on the
+            // public key). However, since we compare the actual output hash
+            // with an expected locking script hash, this check will succeed only
+            // for P2SH transaction type with expected script hash value. For
+            // P2PKH and P2WPKH, it will fail on the output hash comparison with
+            // the expected locking script hash.
+            require(
+                keccak256(fundingOutputHash) ==
+                    keccak256(expectedScript.hash160()),
+                "Wrong 20-byte script hash"
+            );
+        } else if (fundingOutputHash.length == 32) {
+            // A 32-byte output hash is used by P2WSH. That hash is constructed
+            // by applying OP_SHA256 on the locking script.
+            require(
+                fundingOutputHash.toBytes32() == sha256(expectedScript),
+                "Wrong 32-byte script hash"
             );
+        } else {
+            revert("Wrong script hash length");
+        }
 
-        DepositInfo storage deposit = unswept[depositId];
+        // Resulting TX hash is in native Bitcoin little-endian format.
+        bytes32 fundingTxHash =
+            abi
+                .encodePacked(
+                fundingTx
+                    .version,
+                fundingTx
+                    .inputVector,
+                fundingTx
+                    .outputVector,
+                fundingTx
+                    .locktime
+            )
+                .hash256();
+
+        DepositInfo storage deposit =
+            unswept[
+                uint256(
+                    keccak256(
+                        abi.encodePacked(
+                            fundingTxHash,
+                            reveal.fundingOutputIndex
+                        )
+                    )
+                )
+            ];
         require(deposit.revealedAt == 0, "Deposit already revealed");
 
-        deposit.amount = amount;
-        deposit.vault = vault;
+        bytes8 fundingOutputAmount;
+        /* solhint-disable-next-line no-inline-assembly */
+        assembly {
+            // First 8 bytes (little-endian) of the funding output represents
+            // its value. To take the value, we need to jump over the first
+            // word determining the array length, load the array, and trim it
+            // by putting it to a bytes8.
+            fundingOutputAmount := mload(add(fundingOutput, 32))
+        }
+
+        deposit.amount = fundingOutputAmount;
+        deposit.depositor = reveal.depositor;
         /* solhint-disable-next-line not-rely-on-time */
         deposit.revealedAt = uint32(block.timestamp);
+        deposit.vault = reveal.vault;
 
         emit DepositRevealed(
-            depositId,
             fundingTxHash,
-            fundingOutputIndex,
-            msg.sender,
-            blindingFactor,
-            refundPubKey,
-            amount,
-            vault
+            reveal.fundingOutputIndex,
+            reveal.depositor,
+            reveal.blindingFactor,
+            reveal.walletPubKeyHash,
+            reveal.refundPubKeyHash,
+            reveal.refundLocktime,
+            reveal.vault
         );
     }
 
@@ -125,45 +301,37 @@ contract Bridge {
     ///         The function is performing Bank balance updates by first
     ///         computing the Bitcoin fee for the sweep transaction. The fee is
     ///         divided evenly between all swept deposits. Each depositor
-    ///         receives a balance in the bank equal to the amount they have
-    ///         declared during the reveal transaction, minus their fee share.
+    ///         receives a balance in the bank equal to the amount inferred
+    ///         during the reveal transaction, minus their fee share.
     ///
     ///         It is possible to prove the given sweep only one time.
-    /// @param txVersion Transaction version number (4-byte LE)
-    /// @param txInputVector All transaction inputs prepended by the number of
-    ///                      inputs encoded as a VarInt, max 0xFC(252) inputs
-    /// @param txOutput Single sweep transaction output
-    /// @param txLocktime Final 4 bytes of the transaction
-    /// @param merkleProof The merkle proof of transaction inclusion in a block
-    /// @param txIndexInBlock Transaction index in the block (0-indexed)
+    /// @param sweepTx Bitcoin sweep transaction data.
+    /// @param merkleProof The merkle proof of transaction inclusion in a block.
+    /// @param txIndexInBlock Transaction index in the block (0-indexed).
     /// @param bitcoinHeaders Single bytestring of 80-byte bitcoin headers,
-    ///                       lowest height first
+    ///                       lowest height first.
     function sweep(
-        bytes4 txVersion,
-        bytes memory txInputVector,
-        bytes memory txOutput,
-        bytes4 txLocktime,
+        BitcoinTx.Info calldata sweepTx,
         bytes memory merkleProof,
         uint256 txIndexInBlock,
         bytes memory bitcoinHeaders
     ) external {
-        // TODO We need to read `fundingTxHash`, `fundingOutputIndex` and
-        //      P2SH script depositor address from `txInputVector`.
-        //      We then hash them to obtain deposit identifier and read
-        //      DepositInfo. From DepositInfo we know what amount was declared
-        //      by the depositor in their reveal transaction and we use that
-        //      amount to update their Bank balance, minus fee.
+        // TODO We need to read `fundingTxHash`, `fundingOutputIndex` from
+        //      `sweepTx.inputVector`. We then hash them to obtain deposit
+        //      identifier and read DepositInfo. From DepositInfo we know what
+        //      amount was inferred during deposit reveal transaction and we
+        //      use that amount to update their Bank balance, minus fee.
         //
         // TODO We need to validate if the sum in the output minus the
         //      amount from the previous wallet balance input minus fees is
         //      equal to the amount by which Bank balances were increased.
         //
-        // TODO We need to validate txOutput to see if the balance was not
-        //      transferred away from the wallet before increasing balances in
-        //      the bank.
+        // TODO We need to validate `sweepTx.outputVector` to see if the balance
+        //      was not transferred away from the wallet before increasing
+        //      balances in the bank.
         //
         // TODO Delete deposit from unswept mapping or mark it as swept
-        //      depending on the gas costs. Alternativly, do not allow to
+        //      depending on the gas costs. Alternatively, do not allow to
         //      use the same TX input vector twice. Sweep should be provable
         //      only one time.
     }
@@ -173,4 +341,5 @@ contract Bridge {
     //      an incorrect amount revealed. We need to provide a function for honest
     //      depositors, next to sweep, to prove their swept balances on Ethereum
     //      selectively, based on deposits they have earlier received.
+    //      (UPDATE PR #90: Is it still the case since amounts are inferred?)
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keep-network/tbtc-v2",
-  "version": "0.1.1-dev.5+main.3acedd01fc600bf979696aa8c68149bd44794418",
+  "version": "0.1.1-dev.9+main.885d0c498cdc3a7512eee6573df02feea7036688",
   "license": "MIT",
   "files": [
     "artifacts/",
@@ -26,6 +26,7 @@
     "prepublishOnly": "./scripts/prepare-artifacts.sh --network $npm_config_network"
   },
   "dependencies": {
+    "@keep-network/bitcoin-spv-sol": "3.1.0-solc-0.8",
     "@keep-network/tbtc": ">1.1.2-dev <1.1.2-pre",
     "@openzeppelin/contracts": "^4.1.0",
     "@tenderly/hardhat-tenderly": "^1.0.12",