@keep-network/tbtc-v2 0.1.1-dev.68 → 0.1.1-dev.70

package/contracts/bridge/Bridge.sol

@@ -59,7 +59,6 @@ import "../bank/Bank.sol";
 ///      functionalities in this contract is: deposit, sweep, redemption,
 ///      moving funds, wallet lifecycle, frauds, parameters.
 ///
-/// TODO: Revisit all events and look which parameters should be indexed.
 /// TODO: Align the convention around `param` and `dev` endings. They should
 ///       not have a punctuation mark.
 contract Bridge is Governable, EcdsaWalletOwner, Initializable {
@@ -76,10 +75,10 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     event DepositRevealed(
         bytes32 fundingTxHash,
         uint32 fundingOutputIndex,
-        address depositor,
+        address indexed depositor,
         uint64 amount,
         bytes8 blindingFactor,
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes20 refundPubKeyHash,
         bytes4 refundLocktime,
         address vault
@@ -88,21 +87,21 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     event DepositsSwept(bytes20 walletPubKeyHash, bytes32 sweepTxHash);
 
     event RedemptionRequested(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes redeemerOutputScript,
-        address redeemer,
+        address indexed redeemer,
         uint64 requestedAmount,
         uint64 treasuryFee,
         uint64 txMaxFee
     );
 
     event RedemptionsCompleted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 redemptionTxHash
     );
 
     event RedemptionTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes redeemerOutputScript
     );
 
@@ -112,26 +111,29 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     );
 
     event MovingFundsCommitmentSubmitted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes20[] targetWallets,
         address submitter
     );
 
-    event MovingFundsTimeoutReset(bytes20 walletPubKeyHash);
+    event MovingFundsTimeoutReset(bytes20 indexed walletPubKeyHash);
 
     event MovingFundsCompleted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 movingFundsTxHash
     );
 
-    event MovingFundsTimedOut(bytes20 walletPubKeyHash);
+    event MovingFundsTimedOut(bytes20 indexed walletPubKeyHash);
 
-    event MovingFundsBelowDustReported(bytes20 walletPubKeyHash);
+    event MovingFundsBelowDustReported(bytes20 indexed walletPubKeyHash);
 
-    event MovedFundsSwept(bytes20 walletPubKeyHash, bytes32 sweepTxHash);
+    event MovedFundsSwept(
+        bytes20 indexed walletPubKeyHash,
+        bytes32 sweepTxHash
+    );
 
     event MovedFundsSweepTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 movingFundsTxHash,
         uint32 movingFundsTxOutputIndex
     );
@@ -159,17 +161,20 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     );
 
     event FraudChallengeSubmitted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 sighash,
         uint8 v,
         bytes32 r,
         bytes32 s
     );
 
-    event FraudChallengeDefeated(bytes20 walletPubKeyHash, bytes32 sighash);
+    event FraudChallengeDefeated(
+        bytes20 indexed walletPubKeyHash,
+        bytes32 sighash
+    );
 
     event FraudChallengeDefeatTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 sighash
     );
 
@@ -888,12 +893,14 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     ///         challenge or confiscated otherwise.
     /// @param walletPublicKey The public key of the wallet in the uncompressed
     ///        and unprefixed format (64 bytes)
-    /// @param sighash The hash that was used to produce the ECDSA signature
-    ///        that is the subject of the fraud claim. This hash is constructed
-    ///        by applying double SHA-256 over a serialized subset of the
-    ///        transaction. The exact subset used as hash preimage depends on
-    ///        the transaction input the signature is produced for. See BIP-143
-    ///        for reference
+    /// @param preimageSha256 The hash that was generated by applying SHA-256
+    ///        one time over the preimage used during input signing. The preimage
+    ///        is a serialized subset of the transaction and its structure
+    ///        depends on the transaction input (see BIP-143 for reference).
+    ///        Notice that applying SHA-256 over the `preimageSha256` results
+    ///        in `sighash`.  The path from `preimage` to `sighash` looks like
+    ///        this:
+    ///        preimage -> (SHA-256) -> preimageSha256 -> (SHA-256) -> sighash
     /// @param signature Bitcoin signature in the R/S/V format
     /// @dev Requirements:
     ///      - Wallet behind `walletPublicKey` must be in Live or MovingFunds
@@ -902,13 +909,14 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     ///        fraud challenge deposit
     ///      - The signature (represented by r, s and v) must be generated by
     ///        the wallet behind `walletPubKey` during signing of `sighash`
+    ///        which was calculated from `preimageSha256`
     ///      - Wallet can be challenged for the given signature only once
     function submitFraudChallenge(
         bytes calldata walletPublicKey,
-        bytes32 sighash,
+        bytes memory preimageSha256,
         BitcoinTx.RSVSignature calldata signature
     ) external payable {
-        self.submitFraudChallenge(walletPublicKey, sighash, signature);
+        self.submitFraudChallenge(walletPublicKey, preimageSha256, signature);
     }
 
     /// @notice Allows to defeat a pending fraud challenge against a wallet if
@@ -992,17 +1000,19 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     /// @param walletPublicKey The public key of the wallet in the uncompressed
     ///        and unprefixed format (64 bytes)
     /// @param walletMembersIDs Identifiers of the wallet signing group members
-    /// @param sighash The hash that was used to produce the ECDSA signature
-    ///        that is the subject of the fraud claim. This hash is constructed
-    ///        by applying double SHA-256 over a serialized subset of the
-    ///        transaction. The exact subset used as hash preimage depends on
-    ///        the transaction input the signature is produced for. See BIP-143
-    ///        for reference
+    /// @param preimageSha256 The hash that was generated by applying SHA-256
+    ///        one time over the preimage used during input signing. The preimage
+    ///        is a serialized subset of the transaction and its structure
+    ///        depends on the transaction input (see BIP-143 for reference).
+    ///        Notice that applying SHA-256 over the `preimageSha256` results
+    ///        in `sighash`.  The path from `preimage` to `sighash` looks like
+    ///        this:
+    ///        preimage -> (SHA-256) -> preimageSha256 -> (SHA-256) -> sighash
     /// @dev Requirements:
     ///      - The wallet must be in the Live or MovingFunds or Closing or
     ///        Terminated state
-    ///      - The `walletPublicKey` and `sighash` must identify an open fraud
-    ///        challenge
+    ///      - The `walletPublicKey` and `sighash` calculated from
+    ///        `preimageSha256` must identify an open fraud challenge
     ///      - The expression `keccak256(abi.encode(walletMembersIDs))` must
     ///        be exactly the same as the hash stored under `membersIdsHash`
     ///        for the given `walletID`. Those IDs are not directly stored
@@ -1014,12 +1024,12 @@ contract Bridge is Governable, EcdsaWalletOwner, Initializable {
     function notifyFraudChallengeDefeatTimeout(
         bytes calldata walletPublicKey,
         uint32[] calldata walletMembersIDs,
-        bytes32 sighash
+        bytes memory preimageSha256
     ) external {
         self.notifyFraudChallengeDefeatTimeout(
             walletPublicKey,
             walletMembersIDs,
-            sighash
+            preimageSha256
         );
     }
 

package/contracts/bridge/Deposit.sol

@@ -103,10 +103,10 @@ library Deposit {
     event DepositRevealed(
         bytes32 fundingTxHash,
         uint32 fundingOutputIndex,
-        address depositor,
+        address indexed depositor,
         uint64 amount,
         bytes8 blindingFactor,
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes20 refundPubKeyHash,
         bytes4 refundLocktime,
         address vault

package/contracts/bridge/Fraud.sol

@@ -74,17 +74,20 @@ library Fraud {
     }
 
     event FraudChallengeSubmitted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 sighash,
         uint8 v,
         bytes32 r,
         bytes32 s
     );
 
-    event FraudChallengeDefeated(bytes20 walletPubKeyHash, bytes32 sighash);
+    event FraudChallengeDefeated(
+        bytes20 indexed walletPubKeyHash,
+        bytes32 sighash
+    );
 
     event FraudChallengeDefeatTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         // Sighash calculated as a Bitcoin's hash256 (double sha2) of:
         // - a preimage of a transaction spending UTXO according to the protocol
         //   rules OR
@@ -109,12 +112,14 @@ library Fraud {
     ///         challenge or confiscated otherwise
     /// @param walletPublicKey The public key of the wallet in the uncompressed
     ///        and unprefixed format (64 bytes)
-    /// @param sighash The hash that was used to produce the ECDSA signature
-    ///        that is the subject of the fraud claim. This hash is constructed
-    ///        by applying double SHA-256 over a serialized subset of the
-    ///        transaction. The exact subset used as hash preimage depends on
-    ///        the transaction input the signature is produced for. See BIP-143
-    ///        for reference
+    /// @param preimageSha256 The hash that was generated by applying SHA-256
+    ///        one time over the preimage used during input signing. The preimage
+    ///        is a serialized subset of the transaction and its structure
+    ///        depends on the transaction input (see BIP-143 for reference).
+    ///        Notice that applying SHA-256 over the `preimageSha256` results
+    ///        in `sighash`.  The path from `preimage` to `sighash` looks like
+    ///        this:
+    ///        preimage -> (SHA-256) -> preimageSha256 -> (SHA-256) -> sighash
     /// @param signature Bitcoin signature in the R/S/V format
     /// @dev Requirements:
     ///      - Wallet behind `walletPublicKey` must be in Live or MovingFunds
@@ -122,12 +127,13 @@ library Fraud {
     ///      - The challenger must send appropriate amount of ETH used as
     ///        fraud challenge deposit
     ///      - The signature (represented by r, s and v) must be generated by
-    ///        the wallet behind `walletPublicKey` during signing of `sighash`
+    ///        the wallet behind `walletPubKey` during signing of `sighash`
+    ///        which was calculated from `preimageSha256`
     ///      - Wallet can be challenged for the given signature only once
     function submitFraudChallenge(
         BridgeState.Storage storage self,
         bytes calldata walletPublicKey,
-        bytes32 sighash,
+        bytes memory preimageSha256,
         BitcoinTx.RSVSignature calldata signature
     ) external {
         require(
@@ -135,6 +141,12 @@ library Fraud {
             "The amount of ETH deposited is too low"
         );
 
+        // To prevent ECDSA signature forgery `sighash` must be calculated
+        // inside the function and not passed as a function parameter.
+        // Signature forgery could result in a wrongful fraud accusation
+        // against a wallet.
+        bytes32 sighash = sha256(preimageSha256);
+
         require(
             CheckBitcoinSigs.checkSig(
                 walletPublicKey,
@@ -335,8 +347,8 @@ library Fraud {
     /// @notice Notifies about defeat timeout for the given fraud challenge.
     ///         Can be called only if there was a fraud challenge identified by
     ///         the provided `walletPublicKey` and `sighash` and it was not
-    ///         defeated on time. The amount of time that needs to pass after a
-    ///         fraud challenge is reported is indicated by the
+    ///         defeated on time. The amount of time that needs to pass after
+    ///         a fraud challenge is reported is indicated by the
     ///         `challengeDefeatTimeout`. After a successful fraud challenge
     ///         defeat timeout notification the fraud challenge is marked as
     ///         resolved, the stake of each operator is slashed, the ether
@@ -345,17 +357,19 @@ library Fraud {
     /// @param walletPublicKey The public key of the wallet in the uncompressed
     ///        and unprefixed format (64 bytes)
     /// @param walletMembersIDs Identifiers of the wallet signing group members
-    /// @param sighash The hash that was used to produce the ECDSA signature
-    ///        that is the subject of the fraud claim. This hash is constructed
-    ///        by applying double SHA-256 over a serialized subset of the
-    ///        transaction. The exact subset used as hash preimage depends on
-    ///        the transaction input the signature is produced for. See BIP-143
-    ///        for reference
+    /// @param preimageSha256 The hash that was generated by applying SHA-256
+    ///        one time over the preimage used during input signing. The preimage
+    ///        is a serialized subset of the transaction and its structure
+    ///        depends on the transaction input (see BIP-143 for reference).
+    ///        Notice that applying SHA-256 over the `preimageSha256` results
+    ///        in `sighash`.  The path from `preimage` to `sighash` looks like
+    ///        this:
+    ///        preimage -> (SHA-256) -> preimageSha256 -> (SHA-256) -> sighash
     /// @dev Requirements:
     ///      - The wallet must be in the Live or MovingFunds or Closing or
     ///        Terminated state
-    ///      - The `walletPublicKey` and `sighash` must identify an open fraud
-    ///        challenge
+    ///      - The `walletPublicKey` and `sighash` calculated from
+    ///        `preimageSha256` must identify an open fraud challenge
     ///      - The expression `keccak256(abi.encode(walletMembersIDs))` must
     ///        be exactly the same as the hash stored under `membersIdsHash`
     ///        for the given `walletID`. Those IDs are not directly stored
@@ -368,8 +382,10 @@ library Fraud {
         BridgeState.Storage storage self,
         bytes calldata walletPublicKey,
         uint32[] calldata walletMembersIDs,
-        bytes32 sighash
+        bytes memory preimageSha256
     ) external {
+        bytes32 sighash = sha256(preimageSha256);
+
         uint256 challengeKey = uint256(
             keccak256(abi.encodePacked(walletPublicKey, sighash))
         );

package/contracts/bridge/MovingFunds.sol

@@ -93,26 +93,29 @@ library MovingFunds {
     }
 
     event MovingFundsCommitmentSubmitted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes20[] targetWallets,
         address submitter
     );
 
-    event MovingFundsTimeoutReset(bytes20 walletPubKeyHash);
+    event MovingFundsTimeoutReset(bytes20 indexed walletPubKeyHash);
 
     event MovingFundsCompleted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 movingFundsTxHash
     );
 
-    event MovingFundsTimedOut(bytes20 walletPubKeyHash);
+    event MovingFundsTimedOut(bytes20 indexed walletPubKeyHash);
 
-    event MovingFundsBelowDustReported(bytes20 walletPubKeyHash);
+    event MovingFundsBelowDustReported(bytes20 indexed walletPubKeyHash);
 
-    event MovedFundsSwept(bytes20 walletPubKeyHash, bytes32 sweepTxHash);
+    event MovedFundsSwept(
+        bytes20 indexed walletPubKeyHash,
+        bytes32 sweepTxHash
+    );
 
     event MovedFundsSweepTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 movingFundsTxHash,
         uint32 movingFundsTxOutputIndex
     );

package/contracts/bridge/Redemption.sol

@@ -213,21 +213,21 @@ library Redemption {
     }
 
     event RedemptionRequested(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes redeemerOutputScript,
-        address redeemer,
+        address indexed redeemer,
         uint64 requestedAmount,
         uint64 treasuryFee,
         uint64 txMaxFee
     );
 
     event RedemptionsCompleted(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes32 redemptionTxHash
     );
 
     event RedemptionTimedOut(
-        bytes20 walletPubKeyHash,
+        bytes20 indexed walletPubKeyHash,
         bytes redeemerOutputScript
     );