@keep-network/tbtc-v2 1.5.0-goerli.0 → 1.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/artifacts/.chainId +1 -1
- package/artifacts/Bank.json +23 -23
- package/artifacts/Bridge.json +26 -39
- package/artifacts/BridgeGovernance.json +25 -25
- package/artifacts/BridgeGovernanceParameters.json +10 -10
- package/artifacts/Deposit.json +14 -14
- package/artifacts/DepositSweep.json +13 -13
- package/artifacts/DonationVault.json +14 -14
- package/artifacts/Fraud.json +13 -13
- package/artifacts/LightRelay.json +52 -70
- package/artifacts/LightRelayMaintainerProxy.json +28 -28
- package/artifacts/MaintainerProxy.json +47 -47
- package/artifacts/MovingFunds.json +13 -13
- package/artifacts/Redemption.json +13 -13
- package/artifacts/TBTC.json +36 -37
- package/artifacts/TBTCVault.json +47 -47
- package/artifacts/VendingMachine.json +34 -35
- package/artifacts/VendingMachineV2.json +360 -0
- package/artifacts/VendingMachineV3.json +405 -0
- package/artifacts/WalletCoordinator.json +58 -20
- package/artifacts/Wallets.json +13 -13
- package/artifacts/solcInputs/7cc3eda3cb3ff2522d18b5e7b31ea228.json +102 -0
- package/artifacts/solcInputs/802132f7da69a8a4226cb9424480847b.json +218 -0
- package/artifacts/solcInputs/{f862bd134ddc06352fa5be0644481600.json → 887fad6b16575ba42183543c324eeb0e.json} +6 -6
- package/artifacts/solcInputs/{037e4828b80945fc4739f966d98aa575.json → b0025f1f7efe4824592ac0c9793776c3.json} +3 -18
- package/artifacts/solcInputs/{bd85e9d9f3c6834572e1a00ba6963ba0.json → d71d4b4434e6669852eaf643ebd2a7bc.json} +2 -2
- package/artifacts/solcInputs/{deff85fc9ae9b5be07226c67809262df.json → fccb130292c8c7cc958ab4fa31a3e180.json} +3 -3
- package/build/contracts/GovernanceUtils.sol/GovernanceUtils.dbg.json +1 -1
- package/build/contracts/bank/Bank.sol/Bank.dbg.json +1 -1
- package/build/contracts/bank/IReceiveBalanceApproval.sol/IReceiveBalanceApproval.dbg.json +1 -1
- package/build/contracts/bridge/BitcoinTx.sol/BitcoinTx.dbg.json +1 -1
- package/build/contracts/bridge/Bridge.sol/Bridge.dbg.json +1 -1
- package/build/contracts/bridge/BridgeGovernanceParameters.sol/BridgeGovernanceParameters.dbg.json +1 -1
- package/build/contracts/bridge/BridgeState.sol/BridgeState.dbg.json +1 -1
- package/build/contracts/bridge/Deposit.sol/Deposit.dbg.json +1 -1
- package/build/contracts/bridge/DepositSweep.sol/DepositSweep.dbg.json +1 -1
- package/build/contracts/bridge/EcdsaLib.sol/EcdsaLib.dbg.json +1 -1
- package/build/contracts/bridge/Fraud.sol/Fraud.dbg.json +1 -1
- package/build/contracts/bridge/Heartbeat.sol/Heartbeat.dbg.json +1 -1
- package/build/contracts/bridge/IRelay.sol/IRelay.dbg.json +1 -1
- package/build/contracts/bridge/MovingFunds.sol/MovingFunds.dbg.json +1 -1
- package/build/contracts/bridge/Redemption.sol/OutboundTx.dbg.json +1 -1
- package/build/contracts/bridge/Redemption.sol/Redemption.dbg.json +1 -1
- package/build/contracts/bridge/VendingMachine.sol/VendingMachine.dbg.json +1 -1
- package/build/contracts/bridge/VendingMachineV2.sol/VendingMachineV2.dbg.json +1 -1
- package/build/contracts/bridge/VendingMachineV3.sol/VendingMachineV3.dbg.json +1 -1
- package/build/contracts/bridge/WalletCoordinator.sol/WalletCoordinator.dbg.json +1 -1
- package/build/contracts/bridge/Wallets.sol/Wallets.dbg.json +1 -1
- package/build/contracts/l2/L2TBTC.sol/L2TBTC.dbg.json +1 -1
- package/build/contracts/l2/L2WormholeGateway.sol/IWormholeTokenBridge.dbg.json +1 -1
- package/build/contracts/l2/L2WormholeGateway.sol/L2WormholeGateway.dbg.json +1 -1
- package/build/contracts/l2/L2WormholeGateway.sol/L2WormholeGateway.json +2 -15
- package/build/contracts/maintainer/MaintainerProxy.sol/MaintainerProxy.dbg.json +1 -1
- package/build/contracts/relay/LightRelay.sol/ILightRelay.dbg.json +1 -1
- package/build/contracts/relay/LightRelay.sol/LightRelay.dbg.json +1 -1
- package/build/contracts/relay/LightRelay.sol/RelayUtils.dbg.json +1 -1
- package/build/contracts/relay/LightRelayMaintainerProxy.sol/LightRelayMaintainerProxy.dbg.json +1 -1
- package/build/contracts/token/TBTC.sol/TBTC.dbg.json +1 -1
- package/build/contracts/vault/DonationVault.sol/DonationVault.dbg.json +1 -1
- package/build/contracts/vault/IVault.sol/IVault.dbg.json +1 -1
- package/build/contracts/vault/TBTCOptimisticMinting.sol/TBTCOptimisticMinting.dbg.json +1 -1
- package/build/contracts/vault/TBTCVault.sol/TBTCVault.dbg.json +1 -1
- package/contracts/l2/L2WormholeGateway.sol +7 -27
- package/deploy/81_upgrade_wallet_coordinator_v2.ts +99 -0
- package/export/artifacts/@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol/BTCUtils.json +20 -20
- package/export/artifacts/@keep-network/ecdsa/contracts/EcdsaDkgValidator.sol/EcdsaDkgValidator.json +2010 -2010
- package/export/artifacts/@keep-network/ecdsa/contracts/WalletRegistry.sol/WalletRegistry.json +383 -383
- package/export/artifacts/@keep-network/ecdsa/contracts/libraries/EcdsaDkg.sol/EcdsaDkg.json +22 -22
- package/export/artifacts/@keep-network/ecdsa/contracts/libraries/EcdsaInactivity.sol/EcdsaInactivity.json +1859 -1859
- package/export/artifacts/@keep-network/random-beacon/contracts/ReimbursementPool.sol/ReimbursementPool.json +598 -598
- package/export/artifacts/contracts/bridge/Bridge.sol/Bridge.json +7381 -7381
- package/export/artifacts/contracts/bridge/VendingMachine.sol/VendingMachine.json +6 -6
- package/export/artifacts/contracts/bridge/VendingMachineV2.sol/VendingMachineV2.json +6 -6
- package/export/artifacts/contracts/bridge/VendingMachineV3.sol/VendingMachineV3.json +6 -6
- package/export/artifacts/contracts/bridge/WalletCoordinator.sol/WalletCoordinator.json +5563 -5563
- package/export/artifacts/contracts/l2/L2TBTC.sol/L2TBTC.json +40 -40
- package/export/artifacts/contracts/l2/L2WormholeGateway.sol/L2WormholeGateway.json +3064 -3532
- package/export/artifacts/contracts/maintainer/MaintainerProxy.sol/MaintainerProxy.json +2454 -2454
- package/export/artifacts/contracts/relay/LightRelay.sol/LightRelay.json +1941 -1941
- package/export/artifacts/contracts/relay/LightRelayMaintainerProxy.sol/LightRelayMaintainerProxy.json +1044 -1044
- package/export/artifacts/contracts/test/BankStub.sol/BankStub.json +2 -2
- package/export/artifacts/contracts/test/BridgeStub.sol/BridgeStub.json +8422 -8422
- package/export/artifacts/contracts/test/GoerliLightRelay.sol/GoerliLightRelay.json +1943 -1943
- package/export/artifacts/contracts/test/HeartbeatStub.sol/HeartbeatStub.json +2 -2
- package/export/artifacts/contracts/test/LightRelayStub.sol/LightRelayStub.json +2066 -2066
- package/export/artifacts/contracts/test/ReceiveApprovalStub.sol/ReceiveApprovalStub.json +7 -7
- package/export/artifacts/contracts/test/SystemTestRelay.sol/SystemTestRelay.json +568 -568
- package/export/artifacts/contracts/test/TestERC20.sol/TestERC20.json +6 -6
- package/export/artifacts/contracts/test/TestERC721.sol/TestERC721.json +8 -8
- package/export/artifacts/contracts/test/TestEcdsaLib.sol/TestEcdsaLib.json +2 -2
- package/export/artifacts/contracts/test/WormholeBridgeStub.sol/WormholeBridgeStub.json +42 -42
- package/export/artifacts/contracts/token/TBTC.sol/TBTC.json +2 -2
- package/export/artifacts/contracts/vault/DonationVault.sol/DonationVault.json +11 -11
- package/export/artifacts/contracts/vault/TBTCVault.sol/TBTCVault.json +3525 -3525
- package/export/deploy/81_upgrade_wallet_coordinator_v2.js +140 -0
- package/export/hardhat.config.js +7 -0
- package/export/typechain/factories/EcdsaAuthorization__factory.js +1 -1
- package/export/typechain/factories/IStaking__factory.js +13 -0
- package/export/typechain/factories/L2WormholeGateway__factory.js +1 -14
- package/export/typechain/factories/WalletRegistry__factory.js +1 -1
- package/export/typechain/factories/WormholeBridgeStub__factory.js +1 -1
- package/export.json +267 -0
- package/package.json +5 -4
- package/artifacts/.DS_Store +0 -0
- package/export/deploy/35_transfer_wallet_coordinator_ownership.js +0 -60
- package/export/deploy/36_deploy_light_relay_maintainer_proxy.js +0 -86
- package/export/deploy/37_authorize_maintainer_in_light_relay_maintainer_proxy.js +0 -65
- package/export/deploy/38_transfer_light_relay_maintainer_proxy_ownership.js +0 -60
- package/export/deploy/39_authorize_light_relay_maintainer_proxy_in_reimbursement_pool.js +0 -70
- package/export/deploy/40_authorize_light_relay_maintainer_proxy_in_light_relay.js +0 -66
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
"language": "Solidity",
|
|
3
3
|
"sources": {
|
|
4
4
|
"@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol": {
|
|
5
|
-
"content": "pragma solidity ^0.8.4;\n\n/** @title BitcoinSPV */\n/** @author Summa (https://summa.one) */\n\nimport {BytesLib} from \"./BytesLib.sol\";\nimport {SafeMath} from \"./SafeMath.sol\";\n\nlibrary BTCUtils {\n using BytesLib for bytes;\n using SafeMath for uint256;\n\n // The target at minimum Difficulty. Also the target of the genesis block\n uint256 public constant DIFF1_TARGET = 0xffff0000000000000000000000000000000000000000000000000000;\n\n uint256 public constant RETARGET_PERIOD = 2 * 7 * 24 * 60 * 60; // 2 weeks in seconds\n uint256 public constant RETARGET_PERIOD_BLOCKS = 2016; // 2 weeks in blocks\n\n uint256 public constant ERR_BAD_ARG = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\n\n /* ***** */\n /* UTILS */\n /* ***** */\n\n /// @notice Determines the length of a VarInt in bytes\n /// @dev A VarInt of >1 byte is prefixed with a flag indicating its length\n /// @param _flag The first byte of a VarInt\n /// @return The number of non-flag bytes in the VarInt\n function determineVarIntDataLength(bytes memory _flag) internal pure returns (uint8) {\n return determineVarIntDataLengthAt(_flag, 0);\n }\n\n /// @notice Determines the length of a VarInt in bytes\n /// @dev A VarInt of >1 byte is prefixed with a flag indicating its length\n /// @param _b The byte array containing a VarInt\n /// @param _at The position of the VarInt in the array\n /// @return The number of non-flag bytes in the VarInt\n function determineVarIntDataLengthAt(bytes memory _b, uint256 _at) internal pure returns (uint8) {\n if (uint8(_b[_at]) == 0xff) {\n return 8; // one-byte flag, 8 bytes data\n }\n if (uint8(_b[_at]) == 0xfe) {\n return 4; // one-byte flag, 4 bytes data\n }\n if (uint8(_b[_at]) == 0xfd) {\n return 2; // one-byte flag, 2 bytes data\n }\n\n return 0; // flag is data\n }\n\n /// @notice Parse a VarInt into its data length and the number it represents\n /// @dev Useful for Parsing Vins and Vouts. Returns ERR_BAD_ARG if insufficient bytes.\n /// Caller SHOULD explicitly handle this case (or bubble it up)\n /// @param _b A byte-string starting with a VarInt\n /// @return number of bytes in the encoding (not counting the tag), the encoded int\n function parseVarInt(bytes memory _b) internal pure returns (uint256, uint256) {\n return parseVarIntAt(_b, 0);\n }\n\n /// @notice Parse a VarInt into its data length and the number it represents\n /// @dev Useful for Parsing Vins and Vouts. Returns ERR_BAD_ARG if insufficient bytes.\n /// Caller SHOULD explicitly handle this case (or bubble it up)\n /// @param _b A byte-string containing a VarInt\n /// @param _at The position of the VarInt\n /// @return number of bytes in the encoding (not counting the tag), the encoded int\n function parseVarIntAt(bytes memory _b, uint256 _at) internal pure returns (uint256, uint256) {\n uint8 _dataLen = determineVarIntDataLengthAt(_b, _at);\n\n if (_dataLen == 0) {\n return (0, uint8(_b[_at]));\n }\n if (_b.length < 1 + _dataLen + _at) {\n return (ERR_BAD_ARG, 0);\n }\n uint256 _number;\n if (_dataLen == 2) {\n _number = reverseUint16(uint16(_b.slice2(1 + _at)));\n } else if (_dataLen == 4) {\n _number = reverseUint32(uint32(_b.slice4(1 + _at)));\n } else if (_dataLen == 8) {\n _number = reverseUint64(uint64(_b.slice8(1 + _at)));\n }\n return (_dataLen, _number);\n }\n\n /// @notice Changes the endianness of a byte array\n /// @dev Returns a new, backwards, bytes\n /// @param _b The bytes to reverse\n /// @return The reversed bytes\n function reverseEndianness(bytes memory _b) internal pure returns (bytes memory) {\n bytes memory _newValue = new bytes(_b.length);\n\n for (uint i = 0; i < _b.length; i++) {\n _newValue[_b.length - i - 1] = _b[i];\n }\n\n return _newValue;\n }\n\n /// @notice Changes the endianness of a uint256\n /// @dev https://graphics.stanford.edu/~seander/bithacks.html#ReverseParallel\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint256(uint256 _b) internal pure returns (uint256 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) |\n ((v & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) << 8);\n // swap 2-byte long pairs\n v = ((v >> 16) & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) |\n ((v & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) << 16);\n // swap 4-byte long pairs\n v = ((v >> 32) & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) |\n ((v & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) << 32);\n // swap 8-byte long pairs\n v = ((v >> 64) & 0x0000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF) |\n ((v & 0x0000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF) << 64);\n // swap 16-byte long pairs\n v = (v >> 128) | (v << 128);\n }\n\n /// @notice Changes the endianness of a uint64\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint64(uint64 _b) internal pure returns (uint64 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF00FF00FF) |\n ((v & 0x00FF00FF00FF00FF) << 8);\n // swap 2-byte long pairs\n v = ((v >> 16) & 0x0000FFFF0000FFFF) |\n ((v & 0x0000FFFF0000FFFF) << 16);\n // swap 4-byte long pairs\n v = (v >> 32) | (v << 32);\n }\n\n /// @notice Changes the endianness of a uint32\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint32(uint32 _b) internal pure returns (uint32 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF) |\n ((v & 0x00FF00FF) << 8);\n // swap 2-byte long pairs\n v = (v >> 16) | (v << 16);\n }\n\n /// @notice Changes the endianness of a uint24\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint24(uint24 _b) internal pure returns (uint24 v) {\n v = (_b << 16) | (_b & 0x00FF00) | (_b >> 16);\n }\n\n /// @notice Changes the endianness of a uint16\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint16(uint16 _b) internal pure returns (uint16 v) {\n v = (_b << 8) | (_b >> 8);\n }\n\n\n /// @notice Converts big-endian bytes to a uint\n /// @dev Traverses the byte array and sums the bytes\n /// @param _b The big-endian bytes-encoded integer\n /// @return The integer representation\n function bytesToUint(bytes memory _b) internal pure returns (uint256) {\n uint256 _number;\n\n for (uint i = 0; i < _b.length; i++) {\n _number = _number + uint8(_b[i]) * (2 ** (8 * (_b.length - (i + 1))));\n }\n\n return _number;\n }\n\n /// @notice Get the last _num bytes from a byte array\n /// @param _b The byte array to slice\n /// @param _num The number of bytes to extract from the end\n /// @return The last _num bytes of _b\n function lastBytes(bytes memory _b, uint256 _num) internal pure returns (bytes memory) {\n uint256 _start = _b.length.sub(_num);\n\n return _b.slice(_start, _num);\n }\n\n /// @notice Implements bitcoin's hash160 (rmd160(sha2()))\n /// @dev abi.encodePacked changes the return to bytes instead of bytes32\n /// @param _b The pre-image\n /// @return The digest\n function hash160(bytes memory _b) internal pure returns (bytes memory) {\n return abi.encodePacked(ripemd160(abi.encodePacked(sha256(_b))));\n }\n\n /// @notice Implements bitcoin's hash160 (sha2 + ripemd160)\n /// @dev sha2 precompile at address(2), ripemd160 at address(3)\n /// @param _b The pre-image\n /// @return res The digest\n function hash160View(bytes memory _b) internal view returns (bytes20 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, 32), mload(_b), 0x00, 32))\n pop(staticcall(gas(), 3, 0x00, 32, 0x00, 32))\n // read from position 12 = 0c\n res := mload(0x0c)\n }\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev abi.encodePacked changes the return to bytes instead of bytes32\n /// @param _b The pre-image\n /// @return The digest\n function hash256(bytes memory _b) internal pure returns (bytes32) {\n return sha256(abi.encodePacked(sha256(_b)));\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _b The pre-image\n /// @return res The digest\n function hash256View(bytes memory _b) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, 32), mload(_b), 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /// @notice Implements bitcoin's hash256 on a pair of bytes32\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _a The first bytes32 of the pre-image\n /// @param _b The second bytes32 of the pre-image\n /// @return res The digest\n function hash256Pair(bytes32 _a, bytes32 _b) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n mstore(0x00, _a)\n mstore(0x20, _b)\n pop(staticcall(gas(), 2, 0x00, 64, 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _b The array containing the pre-image\n /// @param at The start of the pre-image\n /// @param len The length of the pre-image\n /// @return res The digest\n function hash256Slice(\n bytes memory _b,\n uint256 at,\n uint256 len\n ) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, add(32, at)), len, 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /* ************ */\n /* Legacy Input */\n /* ************ */\n\n /// @notice Extracts the nth input from the vin (0-indexed)\n /// @dev Iterates over the vin. If you need to extract several, write a custom function\n /// @param _vin The vin as a tightly-packed byte array\n /// @param _index The 0-indexed location of the input to extract\n /// @return The input as a byte array\n function extractInputAtIndex(bytes memory _vin, uint256 _index) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _nIns;\n\n (_varIntDataLen, _nIns) = parseVarInt(_vin);\n require(_varIntDataLen != ERR_BAD_ARG, \"Read overrun during VarInt parsing\");\n require(_index < _nIns, \"Vin read overrun\");\n\n uint256 _len = 0;\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 _i = 0; _i < _index; _i ++) {\n _len = determineInputLengthAt(_vin, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n _offset = _offset + _len;\n }\n\n _len = determineInputLengthAt(_vin, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _vin.slice(_offset, _len);\n }\n\n /// @notice Determines whether an input is legacy\n /// @dev False if no scriptSig, otherwise True\n /// @param _input The input\n /// @return True for legacy, False for witness\n function isLegacyInput(bytes memory _input) internal pure returns (bool) {\n return _input[36] != hex\"00\";\n }\n\n /// @notice Determines the length of a scriptSig in an input\n /// @dev Will return 0 if passed a witness input.\n /// @param _input The LEGACY input\n /// @return The length of the script sig\n function extractScriptSigLen(bytes memory _input) internal pure returns (uint256, uint256) {\n return extractScriptSigLenAt(_input, 0);\n }\n\n /// @notice Determines the length of a scriptSig in an input\n /// starting at the specified position\n /// @dev Will return 0 if passed a witness input.\n /// @param _input The byte array containing the LEGACY input\n /// @param _at The position of the input in the array\n /// @return The length of the script sig\n function extractScriptSigLenAt(bytes memory _input, uint256 _at) internal pure returns (uint256, uint256) {\n if (_input.length < 37 + _at) {\n return (ERR_BAD_ARG, 0);\n }\n\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = parseVarIntAt(_input, _at + 36);\n\n return (_varIntDataLen, _scriptSigLen);\n }\n\n /// @notice Determines the length of an input from its scriptSig\n /// @dev 36 for outpoint, 1 for scriptSig length, 4 for sequence\n /// @param _input The input\n /// @return The length of the input in bytes\n function determineInputLength(bytes memory _input) internal pure returns (uint256) {\n return determineInputLengthAt(_input, 0);\n }\n\n /// @notice Determines the length of an input from its scriptSig,\n /// starting at the specified position\n /// @dev 36 for outpoint, 1 for scriptSig length, 4 for sequence\n /// @param _input The byte array containing the input\n /// @param _at The position of the input in the array\n /// @return The length of the input in bytes\n function determineInputLengthAt(bytes memory _input, uint256 _at) internal pure returns (uint256) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLenAt(_input, _at);\n if (_varIntDataLen == ERR_BAD_ARG) {\n return ERR_BAD_ARG;\n }\n\n return 36 + 1 + _varIntDataLen + _scriptSigLen + 4;\n }\n\n /// @notice Extracts the LE sequence bytes from an input\n /// @dev Sequence is used for relative time locks\n /// @param _input The LEGACY input\n /// @return The sequence bytes (LE uint)\n function extractSequenceLELegacy(bytes memory _input) internal pure returns (bytes4) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLen(_input);\n require(_varIntDataLen != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _input.slice4(36 + 1 + _varIntDataLen + _scriptSigLen);\n }\n\n /// @notice Extracts the sequence from the input\n /// @dev Sequence is a 4-byte little-endian number\n /// @param _input The LEGACY input\n /// @return The sequence number (big-endian uint)\n function extractSequenceLegacy(bytes memory _input) internal pure returns (uint32) {\n uint32 _leSeqence = uint32(extractSequenceLELegacy(_input));\n uint32 _beSequence = reverseUint32(_leSeqence);\n return _beSequence;\n }\n /// @notice Extracts the VarInt-prepended scriptSig from the input in a tx\n /// @dev Will return hex\"00\" if passed a witness input\n /// @param _input The LEGACY input\n /// @return The length-prepended scriptSig\n function extractScriptSig(bytes memory _input) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLen(_input);\n require(_varIntDataLen != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _input.slice(36, 1 + _varIntDataLen + _scriptSigLen);\n }\n\n\n /* ************* */\n /* Witness Input */\n /* ************* */\n\n /// @notice Extracts the LE sequence bytes from an input\n /// @dev Sequence is used for relative time locks\n /// @param _input The WITNESS input\n /// @return The sequence bytes (LE uint)\n function extractSequenceLEWitness(bytes memory _input) internal pure returns (bytes4) {\n return _input.slice4(37);\n }\n\n /// @notice Extracts the sequence from the input in a tx\n /// @dev Sequence is a 4-byte little-endian number\n /// @param _input The WITNESS input\n /// @return The sequence number (big-endian uint)\n function extractSequenceWitness(bytes memory _input) internal pure returns (uint32) {\n uint32 _leSeqence = uint32(extractSequenceLEWitness(_input));\n uint32 _inputeSequence = reverseUint32(_leSeqence);\n return _inputeSequence;\n }\n\n /// @notice Extracts the outpoint from the input in a tx\n /// @dev 32-byte tx id with 4-byte index\n /// @param _input The input\n /// @return The outpoint (LE bytes of prev tx hash + LE bytes of prev tx index)\n function extractOutpoint(bytes memory _input) internal pure returns (bytes memory) {\n return _input.slice(0, 36);\n }\n\n /// @notice Extracts the outpoint tx id from an input\n /// @dev 32-byte tx id\n /// @param _input The input\n /// @return The tx id (little-endian bytes)\n function extractInputTxIdLE(bytes memory _input) internal pure returns (bytes32) {\n return _input.slice32(0);\n }\n\n /// @notice Extracts the outpoint tx id from an input\n /// starting at the specified position\n /// @dev 32-byte tx id\n /// @param _input The byte array containing the input\n /// @param _at The position of the input\n /// @return The tx id (little-endian bytes)\n function extractInputTxIdLeAt(bytes memory _input, uint256 _at) internal pure returns (bytes32) {\n return _input.slice32(_at);\n }\n\n /// @notice Extracts the LE tx input index from the input in a tx\n /// @dev 4-byte tx index\n /// @param _input The input\n /// @return The tx index (little-endian bytes)\n function extractTxIndexLE(bytes memory _input) internal pure returns (bytes4) {\n return _input.slice4(32);\n }\n\n /// @notice Extracts the LE tx input index from the input in a tx\n /// starting at the specified position\n /// @dev 4-byte tx index\n /// @param _input The byte array containing the input\n /// @param _at The position of the input\n /// @return The tx index (little-endian bytes)\n function extractTxIndexLeAt(bytes memory _input, uint256 _at) internal pure returns (bytes4) {\n return _input.slice4(32 + _at);\n }\n\n /* ****** */\n /* Output */\n /* ****** */\n\n /// @notice Determines the length of an output\n /// @dev Works with any properly formatted output\n /// @param _output The output\n /// @return The length indicated by the prefix, error if invalid length\n function determineOutputLength(bytes memory _output) internal pure returns (uint256) {\n return determineOutputLengthAt(_output, 0);\n }\n\n /// @notice Determines the length of an output\n /// starting at the specified position\n /// @dev Works with any properly formatted output\n /// @param _output The byte array containing the output\n /// @param _at The position of the output\n /// @return The length indicated by the prefix, error if invalid length\n function determineOutputLengthAt(bytes memory _output, uint256 _at) internal pure returns (uint256) {\n if (_output.length < 9 + _at) {\n return ERR_BAD_ARG;\n }\n uint256 _varIntDataLen;\n uint256 _scriptPubkeyLength;\n (_varIntDataLen, _scriptPubkeyLength) = parseVarIntAt(_output, 8 + _at);\n\n if (_varIntDataLen == ERR_BAD_ARG) {\n return ERR_BAD_ARG;\n }\n\n // 8-byte value, 1-byte for tag itself\n return 8 + 1 + _varIntDataLen + _scriptPubkeyLength;\n }\n\n /// @notice Extracts the output at a given index in the TxOuts vector\n /// @dev Iterates over the vout. If you need to extract multiple, write a custom function\n /// @param _vout The _vout to extract from\n /// @param _index The 0-indexed location of the output to extract\n /// @return The specified output\n function extractOutputAtIndex(bytes memory _vout, uint256 _index) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _nOuts;\n\n (_varIntDataLen, _nOuts) = parseVarInt(_vout);\n require(_varIntDataLen != ERR_BAD_ARG, \"Read overrun during VarInt parsing\");\n require(_index < _nOuts, \"Vout read overrun\");\n\n uint256 _len = 0;\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 _i = 0; _i < _index; _i ++) {\n _len = determineOutputLengthAt(_vout, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptPubkey\");\n _offset += _len;\n }\n\n _len = determineOutputLengthAt(_vout, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptPubkey\");\n return _vout.slice(_offset, _len);\n }\n\n /// @notice Extracts the value bytes from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The output\n /// @return The output value as LE bytes\n function extractValueLE(bytes memory _output) internal pure returns (bytes8) {\n return _output.slice8(0);\n }\n\n /// @notice Extracts the value from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The output\n /// @return The output value\n function extractValue(bytes memory _output) internal pure returns (uint64) {\n uint64 _leValue = uint64(extractValueLE(_output));\n uint64 _beValue = reverseUint64(_leValue);\n return _beValue;\n }\n\n /// @notice Extracts the value from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The byte array containing the output\n /// @param _at The starting index of the output in the array\n /// @return The output value\n function extractValueAt(bytes memory _output, uint256 _at) internal pure returns (uint64) {\n uint64 _leValue = uint64(_output.slice8(_at));\n uint64 _beValue = reverseUint64(_leValue);\n return _beValue;\n }\n\n /// @notice Extracts the data from an op return output\n /// @dev Returns hex\"\" if no data or not an op return\n /// @param _output The output\n /// @return Any data contained in the opreturn output, null if not an op return\n function extractOpReturnData(bytes memory _output) internal pure returns (bytes memory) {\n if (_output[9] != hex\"6a\") {\n return hex\"\";\n }\n bytes1 _dataLen = _output[10];\n return _output.slice(11, uint256(uint8(_dataLen)));\n }\n\n /// @notice Extracts the hash from the output script\n /// @dev Determines type by the length prefix and validates format\n /// @param _output The output\n /// @return The hash committed to by the pk_script, or null for errors\n function extractHash(bytes memory _output) internal pure returns (bytes memory) {\n return extractHashAt(_output, 8, _output.length - 8);\n }\n\n /// @notice Extracts the hash from the output script\n /// @dev Determines type by the length prefix and validates format\n /// @param _output The byte array containing the output\n /// @param _at The starting index of the output script in the array\n /// (output start + 8)\n /// @param _len The length of the output script\n /// (output length - 8)\n /// @return The hash committed to by the pk_script, or null for errors\n function extractHashAt(\n bytes memory _output,\n uint256 _at,\n uint256 _len\n ) internal pure returns (bytes memory) {\n uint8 _scriptLen = uint8(_output[_at]);\n\n // don't have to worry about overflow here.\n // if _scriptLen + 1 overflows, then output length would have to be < 1\n // for this check to pass. if it's < 1, then we errored when assigning\n // _scriptLen\n if (_scriptLen + 1 != _len) {\n return hex\"\";\n }\n\n if (uint8(_output[_at + 1]) == 0) {\n if (_scriptLen < 2) {\n return hex\"\";\n }\n uint256 _payloadLen = uint8(_output[_at + 2]);\n // Check for maliciously formatted witness outputs.\n // No need to worry about underflow as long b/c of the `< 2` check\n if (_payloadLen != _scriptLen - 2 || (_payloadLen != 0x20 && _payloadLen != 0x14)) {\n return hex\"\";\n }\n return _output.slice(_at + 3, _payloadLen);\n } else {\n bytes3 _tag = _output.slice3(_at);\n // p2pkh\n if (_tag == hex\"1976a9\") {\n // Check for maliciously formatted p2pkh\n // No need to worry about underflow, b/c of _scriptLen check\n if (uint8(_output[_at + 3]) != 0x14 ||\n _output.slice2(_at + _len - 2) != hex\"88ac\") {\n return hex\"\";\n }\n return _output.slice(_at + 4, 20);\n //p2sh\n } else if (_tag == hex\"17a914\") {\n // Check for maliciously formatted p2sh\n // No need to worry about underflow, b/c of _scriptLen check\n if (uint8(_output[_at + _len - 1]) != 0x87) {\n return hex\"\";\n }\n return _output.slice(_at + 3, 20);\n }\n }\n return hex\"\"; /* NB: will trigger on OPRETURN and any non-standard that doesn't overrun */\n }\n\n /* ********** */\n /* Witness TX */\n /* ********** */\n\n\n /// @notice Checks that the vin passed up is properly formatted\n /// @dev Consider a vin with a valid vout in its scriptsig\n /// @param _vin Raw bytes length-prefixed input vector\n /// @return True if it represents a validly formatted vin\n function validateVin(bytes memory _vin) internal pure returns (bool) {\n uint256 _varIntDataLen;\n uint256 _nIns;\n\n (_varIntDataLen, _nIns) = parseVarInt(_vin);\n\n // Not valid if it says there are too many or no inputs\n if (_nIns == 0 || _varIntDataLen == ERR_BAD_ARG) {\n return false;\n }\n\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 i = 0; i < _nIns; i++) {\n // If we're at the end, but still expect more\n if (_offset >= _vin.length) {\n return false;\n }\n\n // Grab the next input and determine its length.\n uint256 _nextLen = determineInputLengthAt(_vin, _offset);\n if (_nextLen == ERR_BAD_ARG) {\n return false;\n }\n\n // Increase the offset by that much\n _offset += _nextLen;\n }\n\n // Returns false if we're not exactly at the end\n return _offset == _vin.length;\n }\n\n /// @notice Checks that the vout passed up is properly formatted\n /// @dev Consider a vout with a valid scriptpubkey\n /// @param _vout Raw bytes length-prefixed output vector\n /// @return True if it represents a validly formatted vout\n function validateVout(bytes memory _vout) internal pure returns (bool) {\n uint256 _varIntDataLen;\n uint256 _nOuts;\n\n (_varIntDataLen, _nOuts) = parseVarInt(_vout);\n\n // Not valid if it says there are too many or no outputs\n if (_nOuts == 0 || _varIntDataLen == ERR_BAD_ARG) {\n return false;\n }\n\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 i = 0; i < _nOuts; i++) {\n // If we're at the end, but still expect more\n if (_offset >= _vout.length) {\n return false;\n }\n\n // Grab the next output and determine its length.\n // Increase the offset by that much\n uint256 _nextLen = determineOutputLengthAt(_vout, _offset);\n if (_nextLen == ERR_BAD_ARG) {\n return false;\n }\n\n _offset += _nextLen;\n }\n\n // Returns false if we're not exactly at the end\n return _offset == _vout.length;\n }\n\n\n\n /* ************ */\n /* Block Header */\n /* ************ */\n\n /// @notice Extracts the transaction merkle root from a block header\n /// @dev Use verifyHash256Merkle to verify proofs with this root\n /// @param _header The header\n /// @return The merkle root (little-endian)\n function extractMerkleRootLE(bytes memory _header) internal pure returns (bytes32) {\n return _header.slice32(36);\n }\n\n /// @notice Extracts the target from a block header\n /// @dev Target is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _header The header\n /// @return The target threshold\n function extractTarget(bytes memory _header) internal pure returns (uint256) {\n return extractTargetAt(_header, 0);\n }\n\n /// @notice Extracts the target from a block header\n /// @dev Target is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _header The array containing the header\n /// @param at The start of the header\n /// @return The target threshold\n function extractTargetAt(bytes memory _header, uint256 at) internal pure returns (uint256) {\n uint24 _m = uint24(_header.slice3(72 + at));\n uint8 _e = uint8(_header[75 + at]);\n uint256 _mantissa = uint256(reverseUint24(_m));\n uint _exponent = _e - 3;\n\n return _mantissa * (256 ** _exponent);\n }\n\n /// @notice Calculate difficulty from the difficulty 1 target and current target\n /// @dev Difficulty 1 is 0x1d00ffff on mainnet and testnet\n /// @dev Difficulty 1 is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _target The current target\n /// @return The block difficulty (bdiff)\n function calculateDifficulty(uint256 _target) internal pure returns (uint256) {\n // Difficulty 1 calculated from 0x1d00ffff\n return DIFF1_TARGET.div(_target);\n }\n\n /// @notice Extracts the previous block's hash from a block header\n /// @dev Block headers do NOT include block number :(\n /// @param _header The header\n /// @return The previous block's hash (little-endian)\n function extractPrevBlockLE(bytes memory _header) internal pure returns (bytes32) {\n return _header.slice32(4);\n }\n\n /// @notice Extracts the previous block's hash from a block header\n /// @dev Block headers do NOT include block number :(\n /// @param _header The array containing the header\n /// @param at The start of the header\n /// @return The previous block's hash (little-endian)\n function extractPrevBlockLEAt(\n bytes memory _header,\n uint256 at\n ) internal pure returns (bytes32) {\n return _header.slice32(4 + at);\n }\n\n /// @notice Extracts the timestamp from a block header\n /// @dev Time is not 100% reliable\n /// @param _header The header\n /// @return The timestamp (little-endian bytes)\n function extractTimestampLE(bytes memory _header) internal pure returns (bytes4) {\n return _header.slice4(68);\n }\n\n /// @notice Extracts the timestamp from a block header\n /// @dev Time is not 100% reliable\n /// @param _header The header\n /// @return The timestamp (uint)\n function extractTimestamp(bytes memory _header) internal pure returns (uint32) {\n return reverseUint32(uint32(extractTimestampLE(_header)));\n }\n\n /// @notice Extracts the expected difficulty from a block header\n /// @dev Does NOT verify the work\n /// @param _header The header\n /// @return The difficulty as an integer\n function extractDifficulty(bytes memory _header) internal pure returns (uint256) {\n return calculateDifficulty(extractTarget(_header));\n }\n\n /// @notice Concatenates and hashes two inputs for merkle proving\n /// @param _a The first hash\n /// @param _b The second hash\n /// @return The double-sha256 of the concatenated hashes\n function _hash256MerkleStep(bytes memory _a, bytes memory _b) internal view returns (bytes32) {\n return hash256View(abi.encodePacked(_a, _b));\n }\n\n /// @notice Concatenates and hashes two inputs for merkle proving\n /// @param _a The first hash\n /// @param _b The second hash\n /// @return The double-sha256 of the concatenated hashes\n function _hash256MerkleStep(bytes32 _a, bytes32 _b) internal view returns (bytes32) {\n return hash256Pair(_a, _b);\n }\n\n\n /// @notice Verifies a Bitcoin-style merkle tree\n /// @dev Leaves are 0-indexed. Inefficient version.\n /// @param _proof The proof. Tightly packed LE sha256 hashes. The last hash is the root\n /// @param _index The index of the leaf\n /// @return true if the proof is valid, else false\n function verifyHash256Merkle(bytes memory _proof, uint _index) internal view returns (bool) {\n // Not an even number of hashes\n if (_proof.length % 32 != 0) {\n return false;\n }\n\n // Special case for coinbase-only blocks\n if (_proof.length == 32) {\n return true;\n }\n\n // Should never occur\n if (_proof.length == 64) {\n return false;\n }\n\n bytes32 _root = _proof.slice32(_proof.length - 32);\n bytes32 _current = _proof.slice32(0);\n bytes memory _tree = _proof.slice(32, _proof.length - 64);\n\n return verifyHash256Merkle(_current, _tree, _root, _index);\n }\n\n /// @notice Verifies a Bitcoin-style merkle tree\n /// @dev Leaves are 0-indexed. Efficient version.\n /// @param _leaf The leaf of the proof. LE sha256 hash.\n /// @param _tree The intermediate nodes in the proof.\n /// Tightly packed LE sha256 hashes.\n /// @param _root The root of the proof. LE sha256 hash.\n /// @param _index The index of the leaf\n /// @return true if the proof is valid, else false\n function verifyHash256Merkle(\n bytes32 _leaf,\n bytes memory _tree,\n bytes32 _root,\n uint _index\n ) internal view returns (bool) {\n // Not an even number of hashes\n if (_tree.length % 32 != 0) {\n return false;\n }\n\n // Should never occur\n if (_tree.length == 0) {\n return false;\n }\n\n uint _idx = _index;\n bytes32 _current = _leaf;\n\n // i moves in increments of 32\n for (uint i = 0; i < _tree.length; i += 32) {\n if (_idx % 2 == 1) {\n _current = _hash256MerkleStep(_tree.slice32(i), _current);\n } else {\n _current = _hash256MerkleStep(_current, _tree.slice32(i));\n }\n _idx = _idx >> 1;\n }\n return _current == _root;\n }\n\n /*\n NB: https://github.com/bitcoin/bitcoin/blob/78dae8caccd82cfbfd76557f1fb7d7557c7b5edb/src/pow.cpp#L49-L72\n NB: We get a full-bitlength target from this. For comparison with\n header-encoded targets we need to mask it with the header target\n e.g. (full & truncated) == truncated\n */\n /// @notice performs the bitcoin difficulty retarget\n /// @dev implements the Bitcoin algorithm precisely\n /// @param _previousTarget the target of the previous period\n /// @param _firstTimestamp the timestamp of the first block in the difficulty period\n /// @param _secondTimestamp the timestamp of the last block in the difficulty period\n /// @return the new period's target threshold\n function retargetAlgorithm(\n uint256 _previousTarget,\n uint256 _firstTimestamp,\n uint256 _secondTimestamp\n ) internal pure returns (uint256) {\n uint256 _elapsedTime = _secondTimestamp.sub(_firstTimestamp);\n\n // Normalize ratio to factor of 4 if very long or very short\n if (_elapsedTime < RETARGET_PERIOD.div(4)) {\n _elapsedTime = RETARGET_PERIOD.div(4);\n }\n if (_elapsedTime > RETARGET_PERIOD.mul(4)) {\n _elapsedTime = RETARGET_PERIOD.mul(4);\n }\n\n /*\n NB: high targets e.g. ffff0020 can cause overflows here\n so we divide it by 256**2, then multiply by 256**2 later\n we know the target is evenly divisible by 256**2, so this isn't an issue\n */\n\n uint256 _adjusted = _previousTarget.div(65536).mul(_elapsedTime);\n return _adjusted.div(RETARGET_PERIOD).mul(65536);\n }\n}\n"
|
|
5
|
+
"content": "pragma solidity ^0.8.4;\n\n/** @title BitcoinSPV */\n/** @author Summa (https://summa.one) */\n\nimport {BytesLib} from \"./BytesLib.sol\";\nimport {SafeMath} from \"./SafeMath.sol\";\n\nlibrary BTCUtils {\n using BytesLib for bytes;\n using SafeMath for uint256;\n\n // The target at minimum Difficulty. Also the target of the genesis block\n uint256 public constant DIFF1_TARGET = 0xffff0000000000000000000000000000000000000000000000000000;\n\n uint256 public constant RETARGET_PERIOD = 2 * 7 * 24 * 60 * 60; // 2 weeks in seconds\n uint256 public constant RETARGET_PERIOD_BLOCKS = 2016; // 2 weeks in blocks\n\n uint256 public constant ERR_BAD_ARG = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\n\n /* ***** */\n /* UTILS */\n /* ***** */\n\n /// @notice Determines the length of a VarInt in bytes\n /// @dev A VarInt of >1 byte is prefixed with a flag indicating its length\n /// @param _flag The first byte of a VarInt\n /// @return The number of non-flag bytes in the VarInt\n function determineVarIntDataLength(bytes memory _flag) internal pure returns (uint8) {\n return determineVarIntDataLengthAt(_flag, 0);\n }\n\n /// @notice Determines the length of a VarInt in bytes\n /// @dev A VarInt of >1 byte is prefixed with a flag indicating its length\n /// @param _b The byte array containing a VarInt\n /// @param _at The position of the VarInt in the array\n /// @return The number of non-flag bytes in the VarInt\n function determineVarIntDataLengthAt(bytes memory _b, uint256 _at) internal pure returns (uint8) {\n if (uint8(_b[_at]) == 0xff) {\n return 8; // one-byte flag, 8 bytes data\n }\n if (uint8(_b[_at]) == 0xfe) {\n return 4; // one-byte flag, 4 bytes data\n }\n if (uint8(_b[_at]) == 0xfd) {\n return 2; // one-byte flag, 2 bytes data\n }\n\n return 0; // flag is data\n }\n\n /// @notice Parse a VarInt into its data length and the number it represents\n /// @dev Useful for Parsing Vins and Vouts. Returns ERR_BAD_ARG if insufficient bytes.\n /// Caller SHOULD explicitly handle this case (or bubble it up)\n /// @param _b A byte-string starting with a VarInt\n /// @return number of bytes in the encoding (not counting the tag), the encoded int\n function parseVarInt(bytes memory _b) internal pure returns (uint256, uint256) {\n return parseVarIntAt(_b, 0);\n }\n\n /// @notice Parse a VarInt into its data length and the number it represents\n /// @dev Useful for Parsing Vins and Vouts. Returns ERR_BAD_ARG if insufficient bytes.\n /// Caller SHOULD explicitly handle this case (or bubble it up)\n /// @param _b A byte-string containing a VarInt\n /// @param _at The position of the VarInt\n /// @return number of bytes in the encoding (not counting the tag), the encoded int\n function parseVarIntAt(bytes memory _b, uint256 _at) internal pure returns (uint256, uint256) {\n uint8 _dataLen = determineVarIntDataLengthAt(_b, _at);\n\n if (_dataLen == 0) {\n return (0, uint8(_b[_at]));\n }\n if (_b.length < 1 + _dataLen + _at) {\n return (ERR_BAD_ARG, 0);\n }\n uint256 _number;\n if (_dataLen == 2) {\n _number = reverseUint16(uint16(_b.slice2(1 + _at)));\n } else if (_dataLen == 4) {\n _number = reverseUint32(uint32(_b.slice4(1 + _at)));\n } else if (_dataLen == 8) {\n _number = reverseUint64(uint64(_b.slice8(1 + _at)));\n }\n return (_dataLen, _number);\n }\n\n /// @notice Changes the endianness of a byte array\n /// @dev Returns a new, backwards, bytes\n /// @param _b The bytes to reverse\n /// @return The reversed bytes\n function reverseEndianness(bytes memory _b) internal pure returns (bytes memory) {\n bytes memory _newValue = new bytes(_b.length);\n\n for (uint i = 0; i < _b.length; i++) {\n _newValue[_b.length - i - 1] = _b[i];\n }\n\n return _newValue;\n }\n\n /// @notice Changes the endianness of a uint256\n /// @dev https://graphics.stanford.edu/~seander/bithacks.html#ReverseParallel\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint256(uint256 _b) internal pure returns (uint256 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) |\n ((v & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) << 8);\n // swap 2-byte long pairs\n v = ((v >> 16) & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) |\n ((v & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) << 16);\n // swap 4-byte long pairs\n v = ((v >> 32) & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) |\n ((v & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) << 32);\n // swap 8-byte long pairs\n v = ((v >> 64) & 0x0000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF) |\n ((v & 0x0000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF) << 64);\n // swap 16-byte long pairs\n v = (v >> 128) | (v << 128);\n }\n\n /// @notice Changes the endianness of a uint64\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint64(uint64 _b) internal pure returns (uint64 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF00FF00FF) |\n ((v & 0x00FF00FF00FF00FF) << 8);\n // swap 2-byte long pairs\n v = ((v >> 16) & 0x0000FFFF0000FFFF) |\n ((v & 0x0000FFFF0000FFFF) << 16);\n // swap 4-byte long pairs\n v = (v >> 32) | (v << 32);\n }\n\n /// @notice Changes the endianness of a uint32\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint32(uint32 _b) internal pure returns (uint32 v) {\n v = _b;\n\n // swap bytes\n v = ((v >> 8) & 0x00FF00FF) |\n ((v & 0x00FF00FF) << 8);\n // swap 2-byte long pairs\n v = (v >> 16) | (v << 16);\n }\n\n /// @notice Changes the endianness of a uint24\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint24(uint24 _b) internal pure returns (uint24 v) {\n v = (_b << 16) | (_b & 0x00FF00) | (_b >> 16);\n }\n\n /// @notice Changes the endianness of a uint16\n /// @param _b The unsigned integer to reverse\n /// @return v The reversed value\n function reverseUint16(uint16 _b) internal pure returns (uint16 v) {\n v = (_b << 8) | (_b >> 8);\n }\n\n\n /// @notice Converts big-endian bytes to a uint\n /// @dev Traverses the byte array and sums the bytes\n /// @param _b The big-endian bytes-encoded integer\n /// @return The integer representation\n function bytesToUint(bytes memory _b) internal pure returns (uint256) {\n uint256 _number;\n\n for (uint i = 0; i < _b.length; i++) {\n _number = _number + uint8(_b[i]) * (2 ** (8 * (_b.length - (i + 1))));\n }\n\n return _number;\n }\n\n /// @notice Get the last _num bytes from a byte array\n /// @param _b The byte array to slice\n /// @param _num The number of bytes to extract from the end\n /// @return The last _num bytes of _b\n function lastBytes(bytes memory _b, uint256 _num) internal pure returns (bytes memory) {\n uint256 _start = _b.length.sub(_num);\n\n return _b.slice(_start, _num);\n }\n\n /// @notice Implements bitcoin's hash160 (rmd160(sha2()))\n /// @dev abi.encodePacked changes the return to bytes instead of bytes32\n /// @param _b The pre-image\n /// @return The digest\n function hash160(bytes memory _b) internal pure returns (bytes memory) {\n return abi.encodePacked(ripemd160(abi.encodePacked(sha256(_b))));\n }\n\n /// @notice Implements bitcoin's hash160 (sha2 + ripemd160)\n /// @dev sha2 precompile at address(2), ripemd160 at address(3)\n /// @param _b The pre-image\n /// @return res The digest\n function hash160View(bytes memory _b) internal view returns (bytes20 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, 32), mload(_b), 0x00, 32))\n pop(staticcall(gas(), 3, 0x00, 32, 0x00, 32))\n // read from position 12 = 0c\n res := mload(0x0c)\n }\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev abi.encodePacked changes the return to bytes instead of bytes32\n /// @param _b The pre-image\n /// @return The digest\n function hash256(bytes memory _b) internal pure returns (bytes32) {\n return sha256(abi.encodePacked(sha256(_b)));\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _b The pre-image\n /// @return res The digest\n function hash256View(bytes memory _b) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, 32), mload(_b), 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /// @notice Implements bitcoin's hash256 on a pair of bytes32\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _a The first bytes32 of the pre-image\n /// @param _b The second bytes32 of the pre-image\n /// @return res The digest\n function hash256Pair(bytes32 _a, bytes32 _b) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n mstore(0x00, _a)\n mstore(0x20, _b)\n pop(staticcall(gas(), 2, 0x00, 64, 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /// @notice Implements bitcoin's hash256 (double sha2)\n /// @dev sha2 is precompiled smart contract located at address(2)\n /// @param _b The array containing the pre-image\n /// @param at The start of the pre-image\n /// @param len The length of the pre-image\n /// @return res The digest\n function hash256Slice(\n bytes memory _b,\n uint256 at,\n uint256 len\n ) internal view returns (bytes32 res) {\n // solium-disable-next-line security/no-inline-assembly\n assembly {\n pop(staticcall(gas(), 2, add(_b, add(32, at)), len, 0x00, 32))\n pop(staticcall(gas(), 2, 0x00, 32, 0x00, 32))\n res := mload(0x00)\n }\n }\n\n /* ************ */\n /* Legacy Input */\n /* ************ */\n\n /// @notice Extracts the nth input from the vin (0-indexed)\n /// @dev Iterates over the vin. If you need to extract several, write a custom function\n /// @param _vin The vin as a tightly-packed byte array\n /// @param _index The 0-indexed location of the input to extract\n /// @return The input as a byte array\n function extractInputAtIndex(bytes memory _vin, uint256 _index) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _nIns;\n\n (_varIntDataLen, _nIns) = parseVarInt(_vin);\n require(_varIntDataLen != ERR_BAD_ARG, \"Read overrun during VarInt parsing\");\n require(_index < _nIns, \"Vin read overrun\");\n\n uint256 _len = 0;\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 _i = 0; _i < _index; _i ++) {\n _len = determineInputLengthAt(_vin, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n _offset = _offset + _len;\n }\n\n _len = determineInputLengthAt(_vin, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _vin.slice(_offset, _len);\n }\n\n /// @notice Determines whether an input is legacy\n /// @dev False if no scriptSig, otherwise True\n /// @param _input The input\n /// @return True for legacy, False for witness\n function isLegacyInput(bytes memory _input) internal pure returns (bool) {\n return _input[36] != hex\"00\";\n }\n\n /// @notice Determines the length of a scriptSig in an input\n /// @dev Will return 0 if passed a witness input.\n /// @param _input The LEGACY input\n /// @return The length of the script sig\n function extractScriptSigLen(bytes memory _input) internal pure returns (uint256, uint256) {\n return extractScriptSigLenAt(_input, 0);\n }\n\n /// @notice Determines the length of a scriptSig in an input\n /// starting at the specified position\n /// @dev Will return 0 if passed a witness input.\n /// @param _input The byte array containing the LEGACY input\n /// @param _at The position of the input in the array\n /// @return The length of the script sig\n function extractScriptSigLenAt(bytes memory _input, uint256 _at) internal pure returns (uint256, uint256) {\n if (_input.length < 37 + _at) {\n return (ERR_BAD_ARG, 0);\n }\n\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = parseVarIntAt(_input, _at + 36);\n\n return (_varIntDataLen, _scriptSigLen);\n }\n\n /// @notice Determines the length of an input from its scriptSig\n /// @dev 36 for outpoint, 1 for scriptSig length, 4 for sequence\n /// @param _input The input\n /// @return The length of the input in bytes\n function determineInputLength(bytes memory _input) internal pure returns (uint256) {\n return determineInputLengthAt(_input, 0);\n }\n\n /// @notice Determines the length of an input from its scriptSig,\n /// starting at the specified position\n /// @dev 36 for outpoint, 1 for scriptSig length, 4 for sequence\n /// @param _input The byte array containing the input\n /// @param _at The position of the input in the array\n /// @return The length of the input in bytes\n function determineInputLengthAt(bytes memory _input, uint256 _at) internal pure returns (uint256) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLenAt(_input, _at);\n if (_varIntDataLen == ERR_BAD_ARG) {\n return ERR_BAD_ARG;\n }\n\n return 36 + 1 + _varIntDataLen + _scriptSigLen + 4;\n }\n\n /// @notice Extracts the LE sequence bytes from an input\n /// @dev Sequence is used for relative time locks\n /// @param _input The LEGACY input\n /// @return The sequence bytes (LE uint)\n function extractSequenceLELegacy(bytes memory _input) internal pure returns (bytes4) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLen(_input);\n require(_varIntDataLen != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _input.slice4(36 + 1 + _varIntDataLen + _scriptSigLen);\n }\n\n /// @notice Extracts the sequence from the input\n /// @dev Sequence is a 4-byte little-endian number\n /// @param _input The LEGACY input\n /// @return The sequence number (big-endian uint)\n function extractSequenceLegacy(bytes memory _input) internal pure returns (uint32) {\n uint32 _leSeqence = uint32(extractSequenceLELegacy(_input));\n uint32 _beSequence = reverseUint32(_leSeqence);\n return _beSequence;\n }\n /// @notice Extracts the VarInt-prepended scriptSig from the input in a tx\n /// @dev Will return hex\"00\" if passed a witness input\n /// @param _input The LEGACY input\n /// @return The length-prepended scriptSig\n function extractScriptSig(bytes memory _input) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _scriptSigLen;\n (_varIntDataLen, _scriptSigLen) = extractScriptSigLen(_input);\n require(_varIntDataLen != ERR_BAD_ARG, \"Bad VarInt in scriptSig\");\n return _input.slice(36, 1 + _varIntDataLen + _scriptSigLen);\n }\n\n\n /* ************* */\n /* Witness Input */\n /* ************* */\n\n /// @notice Extracts the LE sequence bytes from an input\n /// @dev Sequence is used for relative time locks\n /// @param _input The WITNESS input\n /// @return The sequence bytes (LE uint)\n function extractSequenceLEWitness(bytes memory _input) internal pure returns (bytes4) {\n return _input.slice4(37);\n }\n\n /// @notice Extracts the sequence from the input in a tx\n /// @dev Sequence is a 4-byte little-endian number\n /// @param _input The WITNESS input\n /// @return The sequence number (big-endian uint)\n function extractSequenceWitness(bytes memory _input) internal pure returns (uint32) {\n uint32 _leSeqence = uint32(extractSequenceLEWitness(_input));\n uint32 _inputeSequence = reverseUint32(_leSeqence);\n return _inputeSequence;\n }\n\n /// @notice Extracts the outpoint from the input in a tx\n /// @dev 32-byte tx id with 4-byte index\n /// @param _input The input\n /// @return The outpoint (LE bytes of prev tx hash + LE bytes of prev tx index)\n function extractOutpoint(bytes memory _input) internal pure returns (bytes memory) {\n return _input.slice(0, 36);\n }\n\n /// @notice Extracts the outpoint tx id from an input\n /// @dev 32-byte tx id\n /// @param _input The input\n /// @return The tx id (little-endian bytes)\n function extractInputTxIdLE(bytes memory _input) internal pure returns (bytes32) {\n return _input.slice32(0);\n }\n\n /// @notice Extracts the outpoint tx id from an input\n /// starting at the specified position\n /// @dev 32-byte tx id\n /// @param _input The byte array containing the input\n /// @param _at The position of the input\n /// @return The tx id (little-endian bytes)\n function extractInputTxIdLeAt(bytes memory _input, uint256 _at) internal pure returns (bytes32) {\n return _input.slice32(_at);\n }\n\n /// @notice Extracts the LE tx input index from the input in a tx\n /// @dev 4-byte tx index\n /// @param _input The input\n /// @return The tx index (little-endian bytes)\n function extractTxIndexLE(bytes memory _input) internal pure returns (bytes4) {\n return _input.slice4(32);\n }\n\n /// @notice Extracts the LE tx input index from the input in a tx\n /// starting at the specified position\n /// @dev 4-byte tx index\n /// @param _input The byte array containing the input\n /// @param _at The position of the input\n /// @return The tx index (little-endian bytes)\n function extractTxIndexLeAt(bytes memory _input, uint256 _at) internal pure returns (bytes4) {\n return _input.slice4(32 + _at);\n }\n\n /* ****** */\n /* Output */\n /* ****** */\n\n /// @notice Determines the length of an output\n /// @dev Works with any properly formatted output\n /// @param _output The output\n /// @return The length indicated by the prefix, error if invalid length\n function determineOutputLength(bytes memory _output) internal pure returns (uint256) {\n return determineOutputLengthAt(_output, 0);\n }\n\n /// @notice Determines the length of an output\n /// starting at the specified position\n /// @dev Works with any properly formatted output\n /// @param _output The byte array containing the output\n /// @param _at The position of the output\n /// @return The length indicated by the prefix, error if invalid length\n function determineOutputLengthAt(bytes memory _output, uint256 _at) internal pure returns (uint256) {\n if (_output.length < 9 + _at) {\n return ERR_BAD_ARG;\n }\n uint256 _varIntDataLen;\n uint256 _scriptPubkeyLength;\n (_varIntDataLen, _scriptPubkeyLength) = parseVarIntAt(_output, 8 + _at);\n\n if (_varIntDataLen == ERR_BAD_ARG) {\n return ERR_BAD_ARG;\n }\n\n // 8-byte value, 1-byte for tag itself\n return 8 + 1 + _varIntDataLen + _scriptPubkeyLength;\n }\n\n /// @notice Extracts the output at a given index in the TxOuts vector\n /// @dev Iterates over the vout. If you need to extract multiple, write a custom function\n /// @param _vout The _vout to extract from\n /// @param _index The 0-indexed location of the output to extract\n /// @return The specified output\n function extractOutputAtIndex(bytes memory _vout, uint256 _index) internal pure returns (bytes memory) {\n uint256 _varIntDataLen;\n uint256 _nOuts;\n\n (_varIntDataLen, _nOuts) = parseVarInt(_vout);\n require(_varIntDataLen != ERR_BAD_ARG, \"Read overrun during VarInt parsing\");\n require(_index < _nOuts, \"Vout read overrun\");\n\n uint256 _len = 0;\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 _i = 0; _i < _index; _i ++) {\n _len = determineOutputLengthAt(_vout, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptPubkey\");\n _offset += _len;\n }\n\n _len = determineOutputLengthAt(_vout, _offset);\n require(_len != ERR_BAD_ARG, \"Bad VarInt in scriptPubkey\");\n return _vout.slice(_offset, _len);\n }\n\n /// @notice Extracts the value bytes from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The output\n /// @return The output value as LE bytes\n function extractValueLE(bytes memory _output) internal pure returns (bytes8) {\n return _output.slice8(0);\n }\n\n /// @notice Extracts the value from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The output\n /// @return The output value\n function extractValue(bytes memory _output) internal pure returns (uint64) {\n uint64 _leValue = uint64(extractValueLE(_output));\n uint64 _beValue = reverseUint64(_leValue);\n return _beValue;\n }\n\n /// @notice Extracts the value from the output in a tx\n /// @dev Value is an 8-byte little-endian number\n /// @param _output The byte array containing the output\n /// @param _at The starting index of the output in the array\n /// @return The output value\n function extractValueAt(bytes memory _output, uint256 _at) internal pure returns (uint64) {\n uint64 _leValue = uint64(_output.slice8(_at));\n uint64 _beValue = reverseUint64(_leValue);\n return _beValue;\n }\n\n /// @notice Extracts the data from an op return output\n /// @dev Returns hex\"\" if no data or not an op return\n /// @param _output The output\n /// @return Any data contained in the opreturn output, null if not an op return\n function extractOpReturnData(bytes memory _output) internal pure returns (bytes memory) {\n if (_output[9] != hex\"6a\") {\n return hex\"\";\n }\n bytes1 _dataLen = _output[10];\n return _output.slice(11, uint256(uint8(_dataLen)));\n }\n\n /// @notice Extracts the hash from the output script\n /// @dev Determines type by the length prefix and validates format\n /// @param _output The output\n /// @return The hash committed to by the pk_script, or null for errors\n function extractHash(bytes memory _output) internal pure returns (bytes memory) {\n return extractHashAt(_output, 8, _output.length - 8);\n }\n\n /// @notice Extracts the hash from the output script\n /// @dev Determines type by the length prefix and validates format\n /// @param _output The byte array containing the output\n /// @param _at The starting index of the output script in the array\n /// (output start + 8)\n /// @param _len The length of the output script\n /// (output length - 8)\n /// @return The hash committed to by the pk_script, or null for errors\n function extractHashAt(\n bytes memory _output,\n uint256 _at,\n uint256 _len\n ) internal pure returns (bytes memory) {\n uint8 _scriptLen = uint8(_output[_at]);\n\n // don't have to worry about overflow here.\n // if _scriptLen + 1 overflows, then output length would have to be < 1\n // for this check to pass. if it's < 1, then we errored when assigning\n // _scriptLen\n if (_scriptLen + 1 != _len) {\n return hex\"\";\n }\n\n if (uint8(_output[_at + 1]) == 0) {\n if (_scriptLen < 2) {\n return hex\"\";\n }\n uint256 _payloadLen = uint8(_output[_at + 2]);\n // Check for maliciously formatted witness outputs.\n // No need to worry about underflow as long b/c of the `< 2` check\n if (_payloadLen != _scriptLen - 2 || (_payloadLen != 0x20 && _payloadLen != 0x14)) {\n return hex\"\";\n }\n return _output.slice(_at + 3, _payloadLen);\n } else {\n bytes3 _tag = _output.slice3(_at);\n // p2pkh\n if (_tag == hex\"1976a9\") {\n // Check for maliciously formatted p2pkh\n // No need to worry about underflow, b/c of _scriptLen check\n if (uint8(_output[_at + 3]) != 0x14 ||\n _output.slice2(_at + _len - 2) != hex\"88ac\") {\n return hex\"\";\n }\n return _output.slice(_at + 4, 20);\n //p2sh\n } else if (_tag == hex\"17a914\") {\n // Check for maliciously formatted p2sh\n // No need to worry about underflow, b/c of _scriptLen check\n if (uint8(_output[_at + _len - 1]) != 0x87) {\n return hex\"\";\n }\n return _output.slice(_at + 3, 20);\n }\n }\n return hex\"\"; /* NB: will trigger on OPRETURN and any non-standard that doesn't overrun */\n }\n\n /* ********** */\n /* Witness TX */\n /* ********** */\n\n\n /// @notice Checks that the vin passed up is properly formatted\n /// @dev Consider a vin with a valid vout in its scriptsig\n /// @param _vin Raw bytes length-prefixed input vector\n /// @return True if it represents a validly formatted vin\n function validateVin(bytes memory _vin) internal pure returns (bool) {\n uint256 _varIntDataLen;\n uint256 _nIns;\n\n (_varIntDataLen, _nIns) = parseVarInt(_vin);\n\n // Not valid if it says there are too many or no inputs\n if (_nIns == 0 || _varIntDataLen == ERR_BAD_ARG) {\n return false;\n }\n\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 i = 0; i < _nIns; i++) {\n // If we're at the end, but still expect more\n if (_offset >= _vin.length) {\n return false;\n }\n\n // Grab the next input and determine its length.\n uint256 _nextLen = determineInputLengthAt(_vin, _offset);\n if (_nextLen == ERR_BAD_ARG) {\n return false;\n }\n\n // Increase the offset by that much\n _offset += _nextLen;\n }\n\n // Returns false if we're not exactly at the end\n return _offset == _vin.length;\n }\n\n /// @notice Checks that the vout passed up is properly formatted\n /// @dev Consider a vout with a valid scriptpubkey\n /// @param _vout Raw bytes length-prefixed output vector\n /// @return True if it represents a validly formatted vout\n function validateVout(bytes memory _vout) internal pure returns (bool) {\n uint256 _varIntDataLen;\n uint256 _nOuts;\n\n (_varIntDataLen, _nOuts) = parseVarInt(_vout);\n\n // Not valid if it says there are too many or no outputs\n if (_nOuts == 0 || _varIntDataLen == ERR_BAD_ARG) {\n return false;\n }\n\n uint256 _offset = 1 + _varIntDataLen;\n\n for (uint256 i = 0; i < _nOuts; i++) {\n // If we're at the end, but still expect more\n if (_offset >= _vout.length) {\n return false;\n }\n\n // Grab the next output and determine its length.\n // Increase the offset by that much\n uint256 _nextLen = determineOutputLengthAt(_vout, _offset);\n if (_nextLen == ERR_BAD_ARG) {\n return false;\n }\n\n _offset += _nextLen;\n }\n\n // Returns false if we're not exactly at the end\n return _offset == _vout.length;\n }\n\n\n\n /* ************ */\n /* Block Header */\n /* ************ */\n\n /// @notice Extracts the transaction merkle root from a block header\n /// @dev Use verifyHash256Merkle to verify proofs with this root\n /// @param _header The header\n /// @return The merkle root (little-endian)\n function extractMerkleRootLE(bytes memory _header) internal pure returns (bytes32) {\n return _header.slice32(36);\n }\n\n /// @notice Extracts the target from a block header\n /// @dev Target is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _header The header\n /// @return The target threshold\n function extractTarget(bytes memory _header) internal pure returns (uint256) {\n return extractTargetAt(_header, 0);\n }\n\n /// @notice Extracts the target from a block header\n /// @dev Target is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _header The array containing the header\n /// @param at The start of the header\n /// @return The target threshold\n function extractTargetAt(bytes memory _header, uint256 at) internal pure returns (uint256) {\n uint24 _m = uint24(_header.slice3(72 + at));\n uint8 _e = uint8(_header[75 + at]);\n uint256 _mantissa = uint256(reverseUint24(_m));\n uint _exponent = _e - 3;\n\n return _mantissa * (256 ** _exponent);\n }\n\n /// @notice Calculate difficulty from the difficulty 1 target and current target\n /// @dev Difficulty 1 is 0x1d00ffff on mainnet and testnet\n /// @dev Difficulty 1 is a 256-bit number encoded as a 3-byte mantissa and 1-byte exponent\n /// @param _target The current target\n /// @return The block difficulty (bdiff)\n function calculateDifficulty(uint256 _target) internal pure returns (uint256) {\n // Difficulty 1 calculated from 0x1d00ffff\n return DIFF1_TARGET.div(_target);\n }\n\n /// @notice Extracts the previous block's hash from a block header\n /// @dev Block headers do NOT include block number :(\n /// @param _header The header\n /// @return The previous block's hash (little-endian)\n function extractPrevBlockLE(bytes memory _header) internal pure returns (bytes32) {\n return _header.slice32(4);\n }\n\n /// @notice Extracts the previous block's hash from a block header\n /// @dev Block headers do NOT include block number :(\n /// @param _header The array containing the header\n /// @param at The start of the header\n /// @return The previous block's hash (little-endian)\n function extractPrevBlockLEAt(\n bytes memory _header,\n uint256 at\n ) internal pure returns (bytes32) {\n return _header.slice32(4 + at);\n }\n\n /// @notice Extracts the timestamp from a block header\n /// @dev Time is not 100% reliable\n /// @param _header The header\n /// @return The timestamp (little-endian bytes)\n function extractTimestampLE(bytes memory _header) internal pure returns (bytes4) {\n return _header.slice4(68);\n }\n\n /// @notice Extracts the timestamp from a block header\n /// @dev Time is not 100% reliable\n /// @param _header The header\n /// @return The timestamp (uint)\n function extractTimestamp(bytes memory _header) internal pure returns (uint32) {\n return reverseUint32(uint32(extractTimestampLE(_header)));\n }\n\n /// @notice Extracts the expected difficulty from a block header\n /// @dev Does NOT verify the work\n /// @param _header The header\n /// @return The difficulty as an integer\n function extractDifficulty(bytes memory _header) internal pure returns (uint256) {\n return calculateDifficulty(extractTarget(_header));\n }\n\n /// @notice Concatenates and hashes two inputs for merkle proving\n /// @param _a The first hash\n /// @param _b The second hash\n /// @return The double-sha256 of the concatenated hashes\n function _hash256MerkleStep(bytes memory _a, bytes memory _b) internal view returns (bytes32) {\n return hash256View(abi.encodePacked(_a, _b));\n }\n\n /// @notice Concatenates and hashes two inputs for merkle proving\n /// @param _a The first hash\n /// @param _b The second hash\n /// @return The double-sha256 of the concatenated hashes\n function _hash256MerkleStep(bytes32 _a, bytes32 _b) internal view returns (bytes32) {\n return hash256Pair(_a, _b);\n }\n\n\n /// @notice Verifies a Bitcoin-style merkle tree\n /// @dev Leaves are 0-indexed. Inefficient version.\n /// @param _proof The proof. Tightly packed LE sha256 hashes. The last hash is the root\n /// @param _index The index of the leaf\n /// @return true if the proof is valid, else false\n function verifyHash256Merkle(bytes memory _proof, uint _index) internal view returns (bool) {\n // Not an even number of hashes\n if (_proof.length % 32 != 0) {\n return false;\n }\n\n // Special case for coinbase-only blocks\n if (_proof.length == 32) {\n return true;\n }\n\n // Should never occur\n if (_proof.length == 64) {\n return false;\n }\n\n bytes32 _root = _proof.slice32(_proof.length - 32);\n bytes32 _current = _proof.slice32(0);\n bytes memory _tree = _proof.slice(32, _proof.length - 64);\n\n return verifyHash256Merkle(_current, _tree, _root, _index);\n }\n\n /// @notice Verifies a Bitcoin-style merkle tree\n /// @dev Leaves are 0-indexed. Efficient version.\n /// @param _leaf The leaf of the proof. LE sha256 hash.\n /// @param _tree The intermediate nodes in the proof.\n /// Tightly packed LE sha256 hashes.\n /// @param _root The root of the proof. LE sha256 hash.\n /// @param _index The index of the leaf\n /// @return true if the proof is valid, else false\n function verifyHash256Merkle(\n bytes32 _leaf,\n bytes memory _tree,\n bytes32 _root,\n uint _index\n ) internal view returns (bool) {\n // Not an even number of hashes\n if (_tree.length % 32 != 0) {\n return false;\n }\n\n // Should never occur\n if (_tree.length == 0) {\n return false;\n }\n\n uint _idx = _index;\n bytes32 _current = _leaf;\n\n // i moves in increments of 32\n for (uint i = 0; i < _tree.length; i += 32) {\n if (_idx % 2 == 1) {\n _current = _hash256MerkleStep(_tree.slice32(i), _current);\n } else {\n _current = _hash256MerkleStep(_current, _tree.slice32(i));\n }\n _idx = _idx >> 1;\n }\n return _current == _root;\n }\n\n /*\n NB: https://github.com/bitcoin/bitcoin/blob/78dae8caccd82cfbfd76557f1fb7d7557c7b5edb/src/pow.cpp#L49-L72\n NB: We get a full-bitlength target from this. For comparison with\n header-encoded targets we need to mask it with the header target\n e.g. (full & truncated) == truncated\n */\n /// @notice performs the bitcoin difficulty retarget\n /// @dev implements the Bitcoin algorithm precisely\n /// @param _previousTarget the target of the previous period\n /// @param _firstTimestamp the timestamp of the first block in the difficulty period\n /// @param _secondTimestamp the timestamp of the last block in the difficulty period\n /// @return the new period's target threshold\n function retargetAlgorithm(\n uint256 _previousTarget,\n uint256 _firstTimestamp,\n uint256 _secondTimestamp\n ) internal pure returns (uint256) {\n uint256 _elapsedTime = _secondTimestamp.sub(_firstTimestamp);\n\n // Normalize ratio to factor of 4 if very long or very short\n if (_elapsedTime < RETARGET_PERIOD.div(4)) {\n _elapsedTime = RETARGET_PERIOD.div(4);\n }\n if (_elapsedTime > RETARGET_PERIOD.mul(4)) {\n _elapsedTime = RETARGET_PERIOD.mul(4);\n }\n\n /*\n NB: high targets e.g. ffff0020 can cause overflows here\n so we divide it by 256**2, then multiply by 256**2 later\n we know the target is evenly divisible by 256**2, so this isn't an issue\n */\n\n uint256 _adjusted = _previousTarget.div(65536).mul(_elapsedTime);\n return _adjusted.div(RETARGET_PERIOD).mul(65536);\n }\n}\n"
|
|
6
6
|
},
|
|
7
7
|
"@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol": {
|
|
8
8
|
"content": "pragma solidity ^0.8.4;\n\n/*\n\nhttps://github.com/GNSPS/solidity-bytes-utils/\n\nThis is free and unencumbered software released into the public domain.\n\nAnyone is free to copy, modify, publish, use, compile, sell, or\ndistribute this software, either in source code form or as a compiled\nbinary, for any purpose, commercial or non-commercial, and by any\nmeans.\n\nIn jurisdictions that recognize copyright laws, the author or authors\nof this software dedicate any and all copyright interest in the\nsoftware to the public domain. We make this dedication for the benefit\nof the public at large and to the detriment of our heirs and\nsuccessors. We intend this dedication to be an overt act of\nrelinquishment in perpetuity of all present and future rights to this\nsoftware under copyright law.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\nIN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR\nOTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,\nARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR\nOTHER DEALINGS IN THE SOFTWARE.\n\nFor more information, please refer to <https://unlicense.org>\n*/\n\n\n/** @title BytesLib **/\n/** @author https://github.com/GNSPS **/\n\nlibrary BytesLib {\n function concat(bytes memory _preBytes, bytes memory _postBytes) internal pure returns (bytes memory) {\n bytes memory tempBytes;\n\n assembly {\n // Get a location of some free memory and store it in tempBytes as\n // Solidity does for memory variables.\n tempBytes := mload(0x40)\n\n // Store the length of the first bytes array at the beginning of\n // the memory for tempBytes.\n let length := mload(_preBytes)\n mstore(tempBytes, length)\n\n // Maintain a memory counter for the current write location in the\n // temp bytes array by adding the 32 bytes for the array length to\n // the starting location.\n let mc := add(tempBytes, 0x20)\n // Stop copying when the memory counter reaches the length of the\n // first bytes array.\n let end := add(mc, length)\n\n for {\n // Initialize a copy counter to the start of the _preBytes data,\n // 32 bytes into its memory.\n let cc := add(_preBytes, 0x20)\n } lt(mc, end) {\n // Increase both counters by 32 bytes each iteration.\n mc := add(mc, 0x20)\n cc := add(cc, 0x20)\n } {\n // Write the _preBytes data into the tempBytes memory 32 bytes\n // at a time.\n mstore(mc, mload(cc))\n }\n\n // Add the length of _postBytes to the current length of tempBytes\n // and store it as the new length in the first 32 bytes of the\n // tempBytes memory.\n length := mload(_postBytes)\n mstore(tempBytes, add(length, mload(tempBytes)))\n\n // Move the memory counter back from a multiple of 0x20 to the\n // actual end of the _preBytes data.\n mc := end\n // Stop copying when the memory counter reaches the new combined\n // length of the arrays.\n end := add(mc, length)\n\n for {\n let cc := add(_postBytes, 0x20)\n } lt(mc, end) {\n mc := add(mc, 0x20)\n cc := add(cc, 0x20)\n } {\n mstore(mc, mload(cc))\n }\n\n // Update the free-memory pointer by padding our last write location\n // to 32 bytes: add 31 bytes to the end of tempBytes to move to the\n // next 32 byte block, then round down to the nearest multiple of\n // 32. If the sum of the length of the two arrays is zero then add\n // one before rounding down to leave a blank 32 bytes (the length block with 0).\n mstore(0x40, and(\n add(add(end, iszero(add(length, mload(_preBytes)))), 31),\n not(31) // Round down to the nearest 32 bytes.\n ))\n }\n\n return tempBytes;\n }\n\n function concatStorage(bytes storage _preBytes, bytes memory _postBytes) internal {\n assembly {\n // Read the first 32 bytes of _preBytes storage, which is the length\n // of the array. (We don't need to use the offset into the slot\n // because arrays use the entire slot.)\n let fslot := sload(_preBytes.slot)\n // Arrays of 31 bytes or less have an even value in their slot,\n // while longer arrays have an odd value. The actual length is\n // the slot divided by two for odd values, and the lowest order\n // byte divided by two for even values.\n // If the slot is even, bitwise and the slot with 255 and divide by\n // two to get the length. If the slot is odd, bitwise and the slot\n // with -1 and divide by two.\n let slength := div(and(fslot, sub(mul(0x100, iszero(and(fslot, 1))), 1)), 2)\n let mlength := mload(_postBytes)\n let newlength := add(slength, mlength)\n // slength can contain both the length and contents of the array\n // if length < 32 bytes so let's prepare for that\n // v. http://solidity.readthedocs.io/en/latest/miscellaneous.html#layout-of-state-variables-in-storage\n switch add(lt(slength, 32), lt(newlength, 32))\n case 2 {\n // Since the new array still fits in the slot, we just need to\n // update the contents of the slot.\n // uint256(bytes_storage) = uint256(bytes_storage) + uint256(bytes_memory) + new_length\n sstore(\n _preBytes.slot,\n // all the modifications to the slot are inside this\n // next block\n add(\n // we can just add to the slot contents because the\n // bytes we want to change are the LSBs\n fslot,\n add(\n mul(\n div(\n // load the bytes from memory\n mload(add(_postBytes, 0x20)),\n // zero all bytes to the right\n exp(0x100, sub(32, mlength))\n ),\n // and now shift left the number of bytes to\n // leave space for the length in the slot\n exp(0x100, sub(32, newlength))\n ),\n // increase length by the double of the memory\n // bytes length\n mul(mlength, 2)\n )\n )\n )\n }\n case 1 {\n // The stored value fits in the slot, but the combined value\n // will exceed it.\n // get the keccak hash to get the contents of the array\n mstore(0x0, _preBytes.slot)\n let sc := add(keccak256(0x0, 0x20), div(slength, 32))\n\n // save new length\n sstore(_preBytes.slot, add(mul(newlength, 2), 1))\n\n // The contents of the _postBytes array start 32 bytes into\n // the structure. Our first read should obtain the `submod`\n // bytes that can fit into the unused space in the last word\n // of the stored array. To get this, we read 32 bytes starting\n // from `submod`, so the data we read overlaps with the array\n // contents by `submod` bytes. Masking the lowest-order\n // `submod` bytes allows us to add that value directly to the\n // stored value.\n\n let submod := sub(32, slength)\n let mc := add(_postBytes, submod)\n let end := add(_postBytes, mlength)\n let mask := sub(exp(0x100, submod), 1)\n\n sstore(\n sc,\n add(\n and(\n fslot,\n 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00\n ),\n and(mload(mc), mask)\n )\n )\n\n for {\n mc := add(mc, 0x20)\n sc := add(sc, 1)\n } lt(mc, end) {\n sc := add(sc, 1)\n mc := add(mc, 0x20)\n } {\n sstore(sc, mload(mc))\n }\n\n mask := exp(0x100, sub(mc, end))\n\n sstore(sc, mul(div(mload(mc), mask), mask))\n }\n default {\n // get the keccak hash to get the contents of the array\n mstore(0x0, _preBytes.slot)\n // Start copying to the last used word of the stored array.\n let sc := add(keccak256(0x0, 0x20), div(slength, 32))\n\n // save new length\n sstore(_preBytes.slot, add(mul(newlength, 2), 1))\n\n // Copy over the first `submod` bytes of the new data as in\n // case 1 above.\n let slengthmod := mod(slength, 32)\n let mlengthmod := mod(mlength, 32)\n let submod := sub(32, slengthmod)\n let mc := add(_postBytes, submod)\n let end := add(_postBytes, mlength)\n let mask := sub(exp(0x100, submod), 1)\n\n sstore(sc, add(sload(sc), and(mload(mc), mask)))\n\n for {\n sc := add(sc, 1)\n mc := add(mc, 0x20)\n } lt(mc, end) {\n sc := add(sc, 1)\n mc := add(mc, 0x20)\n } {\n sstore(sc, mload(mc))\n }\n\n mask := exp(0x100, sub(mc, end))\n\n sstore(sc, mul(div(mload(mc), mask), mask))\n }\n }\n }\n\n function slice(bytes memory _bytes, uint _start, uint _length) internal pure returns (bytes memory res) {\n if (_length == 0) {\n return hex\"\";\n }\n uint _end = _start + _length;\n require(_end > _start && _bytes.length >= _end, \"Slice out of bounds\");\n\n assembly {\n // Alloc bytes array with additional 32 bytes afterspace and assign it's size\n res := mload(0x40)\n mstore(0x40, add(add(res, 64), _length))\n mstore(res, _length)\n\n // Compute distance between source and destination pointers\n let diff := sub(res, add(_bytes, _start))\n\n for {\n let src := add(add(_bytes, 32), _start)\n let end := add(src, _length)\n } lt(src, end) {\n src := add(src, 32)\n } {\n mstore(add(src, diff), mload(src))\n }\n }\n }\n\n /// @notice Take a slice of the byte array, overwriting the destination.\n /// The length of the slice will equal the length of the destination array.\n /// @dev Make sure the destination array has afterspace if required.\n /// @param _bytes The source array\n /// @param _dest The destination array.\n /// @param _start The location to start in the source array.\n function sliceInPlace(\n bytes memory _bytes,\n bytes memory _dest,\n uint _start\n ) internal pure {\n uint _length = _dest.length;\n uint _end = _start + _length;\n require(_end > _start && _bytes.length >= _end, \"Slice out of bounds\");\n\n assembly {\n for {\n let src := add(add(_bytes, 32), _start)\n let res := add(_dest, 32)\n let end := add(src, _length)\n } lt(src, end) {\n src := add(src, 32)\n res := add(res, 32)\n } {\n mstore(res, mload(src))\n }\n }\n }\n\n // Static slice functions, no bounds checking\n /// @notice take a 32-byte slice from the specified position\n function slice32(bytes memory _bytes, uint _start) internal pure returns (bytes32 res) {\n assembly {\n res := mload(add(add(_bytes, 32), _start))\n }\n }\n\n /// @notice take a 20-byte slice from the specified position\n function slice20(bytes memory _bytes, uint _start) internal pure returns (bytes20) {\n return bytes20(slice32(_bytes, _start));\n }\n\n /// @notice take a 8-byte slice from the specified position\n function slice8(bytes memory _bytes, uint _start) internal pure returns (bytes8) {\n return bytes8(slice32(_bytes, _start));\n }\n\n /// @notice take a 4-byte slice from the specified position\n function slice4(bytes memory _bytes, uint _start) internal pure returns (bytes4) {\n return bytes4(slice32(_bytes, _start));\n }\n\n /// @notice take a 3-byte slice from the specified position\n function slice3(bytes memory _bytes, uint _start) internal pure returns (bytes3) {\n return bytes3(slice32(_bytes, _start));\n }\n\n /// @notice take a 2-byte slice from the specified position\n function slice2(bytes memory _bytes, uint _start) internal pure returns (bytes2) {\n return bytes2(slice32(_bytes, _start));\n }\n\n function toAddress(bytes memory _bytes, uint _start) internal pure returns (address) {\n uint _totalLen = _start + 20;\n require(_totalLen > _start && _bytes.length >= _totalLen, \"Address conversion out of bounds.\");\n address tempAddress;\n\n assembly {\n tempAddress := div(mload(add(add(_bytes, 0x20), _start)), 0x1000000000000000000000000)\n }\n\n return tempAddress;\n }\n\n function toUint(bytes memory _bytes, uint _start) internal pure returns (uint256) {\n uint _totalLen = _start + 32;\n require(_totalLen > _start && _bytes.length >= _totalLen, \"Uint conversion out of bounds.\");\n uint256 tempUint;\n\n assembly {\n tempUint := mload(add(add(_bytes, 0x20), _start))\n }\n\n return tempUint;\n }\n\n function equal(bytes memory _preBytes, bytes memory _postBytes) internal pure returns (bool) {\n bool success = true;\n\n assembly {\n let length := mload(_preBytes)\n\n // if lengths don't match the arrays are not equal\n switch eq(length, mload(_postBytes))\n case 1 {\n // cb is a circuit breaker in the for loop since there's\n // no said feature for inline assembly loops\n // cb = 1 - don't breaker\n // cb = 0 - break\n let cb := 1\n\n let mc := add(_preBytes, 0x20)\n let end := add(mc, length)\n\n for {\n let cc := add(_postBytes, 0x20)\n // the next line is the loop condition:\n // while(uint(mc < end) + cb == 2)\n } eq(add(lt(mc, end), cb), 2) {\n mc := add(mc, 0x20)\n cc := add(cc, 0x20)\n } {\n // if any of these checks fails then arrays are not equal\n if iszero(eq(mload(mc), mload(cc))) {\n // unsuccess:\n success := 0\n cb := 0\n }\n }\n }\n default {\n // unsuccess:\n success := 0\n }\n }\n\n return success;\n }\n\n function equalStorage(bytes storage _preBytes, bytes memory _postBytes) internal view returns (bool) {\n bool success = true;\n\n assembly {\n // we know _preBytes_offset is 0\n let fslot := sload(_preBytes.slot)\n // Decode the length of the stored array like in concatStorage().\n let slength := div(and(fslot, sub(mul(0x100, iszero(and(fslot, 1))), 1)), 2)\n let mlength := mload(_postBytes)\n\n // if lengths don't match the arrays are not equal\n switch eq(slength, mlength)\n case 1 {\n // slength can contain both the length and contents of the array\n // if length < 32 bytes so let's prepare for that\n // v. http://solidity.readthedocs.io/en/latest/miscellaneous.html#layout-of-state-variables-in-storage\n if iszero(iszero(slength)) {\n switch lt(slength, 32)\n case 1 {\n // blank the last byte which is the length\n fslot := mul(div(fslot, 0x100), 0x100)\n\n if iszero(eq(fslot, mload(add(_postBytes, 0x20)))) {\n // unsuccess:\n success := 0\n }\n }\n default {\n // cb is a circuit breaker in the for loop since there's\n // no said feature for inline assembly loops\n // cb = 1 - don't breaker\n // cb = 0 - break\n let cb := 1\n\n // get the keccak hash to get the contents of the array\n mstore(0x0, _preBytes.slot)\n let sc := keccak256(0x0, 0x20)\n\n let mc := add(_postBytes, 0x20)\n let end := add(mc, mlength)\n\n // the next line is the loop condition:\n // while(uint(mc < end) + cb == 2)\n for {} eq(add(lt(mc, end), cb), 2) {\n sc := add(sc, 1)\n mc := add(mc, 0x20)\n } {\n if iszero(eq(sload(sc), mload(mc))) {\n // unsuccess:\n success := 0\n cb := 0\n }\n }\n }\n }\n }\n default {\n // unsuccess:\n success := 0\n }\n }\n\n return success;\n }\n\n function toBytes32(bytes memory _source) pure internal returns (bytes32 result) {\n if (_source.length == 0) {\n return 0x0;\n }\n\n assembly {\n result := mload(add(_source, 32))\n }\n }\n\n function keccak256Slice(bytes memory _bytes, uint _start, uint _length) pure internal returns (bytes32 result) {\n uint _end = _start + _length;\n require(_end > _start && _bytes.length >= _end, \"Slice out of bounds\");\n\n assembly {\n result := keccak256(add(add(_bytes, 32), _start), _length)\n }\n }\n}\n"
|
|
@@ -164,7 +164,7 @@
|
|
|
164
164
|
"content": "// SPDX-License-Identifier: GPL-3.0-only\n\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n\npragma solidity 0.8.17;\n\nimport {BTCUtils} from \"@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol\";\nimport {BytesLib} from \"@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol\";\n\nimport \"./BitcoinTx.sol\";\nimport \"./BridgeState.sol\";\nimport \"./Wallets.sol\";\n\nimport \"../bank/Bank.sol\";\n\n/// @notice Aggregates functions common to the redemption transaction proof\n/// validation and to the moving funds transaction proof validation.\nlibrary OutboundTx {\n using BTCUtils for bytes;\n\n /// @notice Checks whether an outbound Bitcoin transaction performed from\n /// the given wallet has an input vector that contains a single\n /// input referring to the wallet's main UTXO. Marks that main UTXO\n /// as correctly spent if the validation succeeds. Reverts otherwise.\n /// There are two outbound transactions from a wallet possible: a\n /// redemption transaction or a moving funds to another wallet\n /// transaction.\n /// @param walletOutboundTxInputVector Bitcoin outbound transaction's input\n /// vector. This function assumes vector's structure is valid so it\n /// must be validated using e.g. `BTCUtils.validateVin` function\n /// before it is passed here.\n /// @param mainUtxo Data of the wallet's main UTXO, as currently known on\n /// the Ethereum chain.\n function processWalletOutboundTxInput(\n BridgeState.Storage storage self,\n bytes memory walletOutboundTxInputVector,\n BitcoinTx.UTXO calldata mainUtxo\n ) internal {\n // Assert that the single outbound transaction input actually\n // refers to the wallet's main UTXO.\n (\n bytes32 outpointTxHash,\n uint32 outpointIndex\n ) = parseWalletOutboundTxInput(walletOutboundTxInputVector);\n require(\n mainUtxo.txHash == outpointTxHash &&\n mainUtxo.txOutputIndex == outpointIndex,\n \"Outbound transaction input must point to the wallet's main UTXO\"\n );\n\n // Main UTXO used as an input, mark it as spent.\n self.spentMainUTXOs[\n uint256(\n keccak256(\n abi.encodePacked(mainUtxo.txHash, mainUtxo.txOutputIndex)\n )\n )\n ] = true;\n }\n\n /// @notice Parses the input vector of an outbound Bitcoin transaction\n /// performed from the given wallet. It extracts the single input\n /// then the transaction hash and output index from its outpoint.\n /// There are two outbound transactions from a wallet possible: a\n /// redemption transaction or a moving funds to another wallet\n /// transaction.\n /// @param walletOutboundTxInputVector Bitcoin outbound transaction input\n /// vector. This function assumes vector's structure is valid so it\n /// must be validated using e.g. `BTCUtils.validateVin` function\n /// before it is passed here.\n /// @return outpointTxHash 32-byte hash of the Bitcoin transaction which is\n /// pointed in the input's outpoint.\n /// @return outpointIndex 4-byte index of the Bitcoin transaction output\n /// which is pointed in the input's outpoint.\n function parseWalletOutboundTxInput(\n bytes memory walletOutboundTxInputVector\n ) internal pure returns (bytes32 outpointTxHash, uint32 outpointIndex) {\n // To determine the total number of Bitcoin transaction inputs,\n // we need to parse the compactSize uint (VarInt) the input vector is\n // prepended by. That compactSize uint encodes the number of vector\n // elements using the format presented in:\n // https://developer.bitcoin.org/reference/transactions.html#compactsize-unsigned-integers\n // We don't need asserting the compactSize uint is parseable since it\n // was already checked during `validateVin` validation.\n // See `BitcoinTx.inputVector` docs for more details.\n (, uint256 inputsCount) = walletOutboundTxInputVector.parseVarInt();\n require(\n inputsCount == 1,\n \"Outbound transaction must have a single input\"\n );\n\n bytes memory input = walletOutboundTxInputVector.extractInputAtIndex(0);\n\n outpointTxHash = input.extractInputTxIdLE();\n\n outpointIndex = BTCUtils.reverseUint32(\n uint32(input.extractTxIndexLE())\n );\n\n // There is only one input in the transaction. Input has an outpoint\n // field that is a reference to the transaction being spent (see\n // `BitcoinTx` docs). The outpoint contains the hash of the transaction\n // to spend (`outpointTxHash`) and the index of the specific output\n // from that transaction (`outpointIndex`).\n return (outpointTxHash, outpointIndex);\n }\n}\n\n/// @title Bridge redemption\n/// @notice The library handles the logic for redeeming Bitcoin balances from\n/// the Bridge.\n/// @dev To initiate a redemption, a user with a Bank balance supplies\n/// a Bitcoin address. Then, the system calculates the redemption fee, and\n/// releases balance to the provided Bitcoin address. Just like in case of\n/// sweeps of revealed deposits, redemption requests are processed in\n/// batches and require SPV proof to be submitted to the Bridge.\nlibrary Redemption {\n using BridgeState for BridgeState.Storage;\n using Wallets for BridgeState.Storage;\n using BitcoinTx for BridgeState.Storage;\n\n using BTCUtils for bytes;\n using BytesLib for bytes;\n\n /// @notice Represents a redemption request.\n struct RedemptionRequest {\n // ETH address of the redeemer who created the request.\n address redeemer;\n // Requested TBTC amount in satoshi.\n uint64 requestedAmount;\n // Treasury TBTC fee in satoshi at the moment of request creation.\n uint64 treasuryFee;\n // Transaction maximum BTC fee in satoshi at the moment of request\n // creation.\n uint64 txMaxFee;\n // UNIX timestamp the request was created at.\n // XXX: Unsigned 32-bit int unix seconds, will break February 7th 2106.\n uint32 requestedAt;\n // This struct doesn't contain `__gap` property as the structure is stored\n // in a mapping, mappings store values in different slots and they are\n // not contiguous with other values.\n }\n\n /// @notice Represents an outcome of the redemption Bitcoin transaction\n /// outputs processing.\n struct RedemptionTxOutputsInfo {\n // Sum of all outputs values i.e. all redemptions and change value,\n // if present.\n uint256 outputsTotalValue;\n // Total TBTC value in satoshi that should be burned by the Bridge.\n // It includes the total amount of all BTC redeemed in the transaction\n // and the fee paid to BTC miners for the redemption transaction.\n uint64 totalBurnableValue;\n // Total TBTC value in satoshi that should be transferred to\n // the treasury. It is a sum of all treasury fees paid by all\n // redeemers included in the redemption transaction.\n uint64 totalTreasuryFee;\n // Index of the change output. The change output becomes\n // the new main wallet's UTXO.\n uint32 changeIndex;\n // Value in satoshi of the change output.\n uint64 changeValue;\n // This struct doesn't contain `__gap` property as the structure is not\n // stored, it is used as a function's memory argument.\n }\n\n /// @notice Represents temporary information needed during the processing of\n /// the redemption Bitcoin transaction outputs. This structure is an\n /// internal one and should not be exported outside of the redemption\n /// transaction processing code.\n /// @dev Allows to mitigate \"stack too deep\" errors on EVM.\n struct RedemptionTxOutputsProcessingInfo {\n // The first output starting index in the transaction.\n uint256 outputStartingIndex;\n // The number of outputs in the transaction.\n uint256 outputsCount;\n // P2PKH script for the wallet. Needed to determine the change output.\n bytes32 walletP2PKHScriptKeccak;\n // P2WPKH script for the wallet. Needed to determine the change output.\n bytes32 walletP2WPKHScriptKeccak;\n // This struct doesn't contain `__gap` property as the structure is not\n // stored, it is used as a function's memory argument.\n }\n\n event RedemptionRequested(\n bytes20 indexed walletPubKeyHash,\n bytes redeemerOutputScript,\n address indexed redeemer,\n uint64 requestedAmount,\n uint64 treasuryFee,\n uint64 txMaxFee\n );\n\n event RedemptionsCompleted(\n bytes20 indexed walletPubKeyHash,\n bytes32 redemptionTxHash\n );\n\n event RedemptionTimedOut(\n bytes20 indexed walletPubKeyHash,\n bytes redeemerOutputScript\n );\n\n /// @notice Requests redemption of the given amount from the specified\n /// wallet to the redeemer Bitcoin output script.\n /// This function handles the simplest case, where balance owner is\n /// the redeemer.\n /// @param walletPubKeyHash The 20-byte wallet public key hash (computed\n /// using Bitcoin HASH160 over the compressed ECDSA public key).\n /// @param mainUtxo Data of the wallet's main UTXO, as currently known on\n /// the Ethereum chain.\n /// @param balanceOwner The address of the Bank balance owner whose balance\n /// is getting redeemed. Balance owner address is stored as\n /// a redeemer address who will be able co claim back the Bank\n /// balance if anything goes wrong during the redemption.\n /// @param redeemerOutputScript The redeemer's length-prefixed output\n /// script (P2PKH, P2WPKH, P2SH or P2WSH) that will be used to lock\n /// redeemed BTC.\n /// @param amount Requested amount in satoshi. This is also the Bank balance\n /// that is taken from the `balanceOwner` upon request.\n /// Once the request is handled, the actual amount of BTC locked\n /// on the redeemer output script will be always lower than this value\n /// since the treasury and Bitcoin transaction fees must be incurred.\n /// The minimal amount satisfying the request can be computed as:\n /// `amount - (amount / redemptionTreasuryFeeDivisor) - redemptionTxMaxFee`.\n /// Fees values are taken at the moment of request creation.\n /// @dev Requirements:\n /// - Wallet behind `walletPubKeyHash` must be live,\n /// - `mainUtxo` components must point to the recent main UTXO\n /// of the given wallet, as currently known on the Ethereum chain,\n /// - `redeemerOutputScript` must be a proper Bitcoin script,\n /// - `redeemerOutputScript` cannot have wallet PKH as payload,\n /// - `amount` must be above or equal the `redemptionDustThreshold`,\n /// - Given `walletPubKeyHash` and `redeemerOutputScript` pair can be\n /// used for only one pending request at the same time,\n /// - Wallet must have enough Bitcoin balance to proceed the request,\n /// - Balance owner must make an allowance in the Bank that the Bridge\n /// contract can spend the given `amount`.\n function requestRedemption(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n BitcoinTx.UTXO calldata mainUtxo,\n address balanceOwner,\n bytes calldata redeemerOutputScript,\n uint64 amount\n ) external {\n requestRedemption(\n self,\n walletPubKeyHash,\n mainUtxo,\n balanceOwner,\n balanceOwner,\n redeemerOutputScript,\n amount\n );\n }\n\n /// @notice Requests redemption of the given amount from the specified\n /// wallet to the redeemer Bitcoin output script. Used by\n /// `Bridge.receiveBalanceApproval`. Can handle more complex cases\n /// where balance owner may be someone else than the redeemer.\n /// @param balanceOwner The address of the Bank balance owner whose balance\n /// is getting redeemed.\n /// @param amount Requested amount in satoshi. This is also the Bank balance\n /// that is taken from the `balanceOwner` upon request.\n /// Once the request is handled, the actual amount of BTC locked\n /// on the redeemer output script will be always lower than this value\n /// since the treasury and Bitcoin transaction fees must be incurred.\n /// The minimal amount satisfying the request can be computed as:\n /// `amount - (amount / redemptionTreasuryFeeDivisor) - redemptionTxMaxFee`.\n /// Fees values are taken at the moment of request creation.\n /// @param redemptionData ABI-encoded redemption data:\n /// [\n /// address redeemer,\n /// bytes20 walletPubKeyHash,\n /// bytes32 mainUtxoTxHash,\n /// uint32 mainUtxoTxOutputIndex,\n /// uint64 mainUtxoTxOutputValue,\n /// bytes redeemerOutputScript\n /// ]\n ///\n /// - redeemer: The Ethereum address of the redeemer who will be able\n /// to claim Bank balance if anything goes wrong during the redemption.\n /// In the most basic case, when someone redeems their Bitcoin\n /// balance from the Bank, `balanceOwner` is the same as `redeemer`.\n /// However, when a Vault is redeeming part of its balance for some\n /// redeemer address (for example, someone who has earlier deposited\n /// into that Vault), `balanceOwner` is the Vault, and `redeemer` is\n /// the address for which the vault is redeeming its balance to,\n /// - walletPubKeyHash: The 20-byte wallet public key hash (computed\n /// using Bitcoin HASH160 over the compressed ECDSA public key),\n /// - mainUtxoTxHash: Data of the wallet's main UTXO TX hash, as\n /// currently known on the Ethereum chain,\n /// - mainUtxoTxOutputIndex: Data of the wallet's main UTXO output\n /// index, as currently known on Ethereum chain,\n /// - mainUtxoTxOutputValue: Data of the wallet's main UTXO output\n /// value, as currently known on Ethereum chain,\n /// - redeemerOutputScript The redeemer's length-prefixed output\n /// script (P2PKH, P2WPKH, P2SH or P2WSH) that will be used to lock\n /// redeemed BTC.\n /// @dev Requirements:\n /// - Wallet behind `walletPubKeyHash` must be live,\n /// - `mainUtxo*` components must point to the recent main UTXO\n /// of the given wallet, as currently known on the Ethereum chain,\n /// - `redeemerOutputScript` must be a proper Bitcoin script,\n /// - `redeemerOutputScript` cannot have wallet PKH as payload,\n /// - `amount` must be above or equal the `redemptionDustThreshold`,\n /// - Given `walletPubKeyHash` and `redeemerOutputScript` pair can be\n /// used for only one pending request at the same time,\n /// - Wallet must have enough Bitcoin balance to proceed the request,\n /// - Balance owner must make an allowance in the Bank that the Bridge\n /// contract can spend the given `amount`.\n function requestRedemption(\n BridgeState.Storage storage self,\n address balanceOwner,\n uint64 amount,\n bytes calldata redemptionData\n ) external {\n (\n address redeemer,\n bytes20 walletPubKeyHash,\n bytes32 mainUtxoTxHash,\n uint32 mainUtxoTxOutputIndex,\n uint64 mainUtxoTxOutputValue,\n bytes memory redeemerOutputScript\n ) = abi.decode(\n redemptionData,\n (address, bytes20, bytes32, uint32, uint64, bytes)\n );\n\n requestRedemption(\n self,\n walletPubKeyHash,\n BitcoinTx.UTXO(\n mainUtxoTxHash,\n mainUtxoTxOutputIndex,\n mainUtxoTxOutputValue\n ),\n balanceOwner,\n redeemer,\n redeemerOutputScript,\n amount\n );\n }\n\n /// @notice Requests redemption of the given amount from the specified\n /// wallet to the redeemer Bitcoin output script.\n /// @param walletPubKeyHash The 20-byte wallet public key hash (computed\n /// using Bitcoin HASH160 over the compressed ECDSA public key).\n /// @param mainUtxo Data of the wallet's main UTXO, as currently known on\n /// the Ethereum chain.\n /// @param balanceOwner The address of the Bank balance owner whose balance\n /// is getting redeemed.\n /// @param redeemer The Ethereum address of the redeemer who will be able to\n /// claim Bank balance if anything goes wrong during the redemption.\n /// In the most basic case, when someone redeems their Bitcoin\n /// balance from the Bank, `balanceOwner` is the same as `redeemer`.\n /// However, when a Vault is redeeming part of its balance for some\n /// redeemer address (for example, someone who has earlier deposited\n /// into that Vault), `balanceOwner` is the Vault, and `redeemer` is\n /// the address for which the vault is redeeming its balance to.\n /// @param redeemerOutputScript The redeemer's length-prefixed output\n /// script (P2PKH, P2WPKH, P2SH or P2WSH) that will be used to lock\n /// redeemed BTC.\n /// @param amount Requested amount in satoshi. This is also the Bank balance\n /// that is taken from the `balanceOwner` upon request.\n /// Once the request is handled, the actual amount of BTC locked\n /// on the redeemer output script will be always lower than this value\n /// since the treasury and Bitcoin transaction fees must be incurred.\n /// The minimal amount satisfying the request can be computed as:\n /// `amount - (amount / redemptionTreasuryFeeDivisor) - redemptionTxMaxFee`.\n /// Fees values are taken at the moment of request creation.\n /// @dev Requirements:\n /// - Wallet behind `walletPubKeyHash` must be live,\n /// - `mainUtxo` components must point to the recent main UTXO\n /// of the given wallet, as currently known on the Ethereum chain,\n /// - `redeemerOutputScript` must be a proper Bitcoin script,\n /// - `redeemerOutputScript` cannot have wallet PKH as payload,\n /// - `amount` must be above or equal the `redemptionDustThreshold`,\n /// - Given `walletPubKeyHash` and `redeemerOutputScript` pair can be\n /// used for only one pending request at the same time,\n /// - Wallet must have enough Bitcoin balance to proceed the request,\n /// - Balance owner must make an allowance in the Bank that the Bridge\n /// contract can spend the given `amount`.\n function requestRedemption(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n BitcoinTx.UTXO memory mainUtxo,\n address balanceOwner,\n address redeemer,\n bytes memory redeemerOutputScript,\n uint64 amount\n ) internal {\n Wallets.Wallet storage wallet = self.registeredWallets[\n walletPubKeyHash\n ];\n\n require(\n wallet.state == Wallets.WalletState.Live,\n \"Wallet must be in Live state\"\n );\n\n bytes32 mainUtxoHash = wallet.mainUtxoHash;\n require(\n mainUtxoHash != bytes32(0),\n \"No main UTXO for the given wallet\"\n );\n require(\n keccak256(\n abi.encodePacked(\n mainUtxo.txHash,\n mainUtxo.txOutputIndex,\n mainUtxo.txOutputValue\n )\n ) == mainUtxoHash,\n \"Invalid main UTXO data\"\n );\n\n // Validate if redeemer output script is a correct standard type\n // (P2PKH, P2WPKH, P2SH or P2WSH). This is done by using\n // `BTCUtils.extractHashAt` on it. Such a function extracts the payload\n // properly only from standard outputs so if it succeeds, we have a\n // guarantee the redeemer output script is proper. The underlying way\n // of validation is the same as in tBTC v1.\n bytes memory redeemerOutputScriptPayload = redeemerOutputScript\n .extractHashAt(0, redeemerOutputScript.length);\n\n require(\n redeemerOutputScriptPayload.length > 0,\n \"Redeemer output script must be a standard type\"\n );\n // Check if the redeemer output script payload does not point to the\n // wallet public key hash.\n require(\n redeemerOutputScriptPayload.length != 20 ||\n walletPubKeyHash != redeemerOutputScriptPayload.slice20(0),\n \"Redeemer output script must not point to the wallet PKH\"\n );\n\n require(\n amount >= self.redemptionDustThreshold,\n \"Redemption amount too small\"\n );\n\n // The redemption key is built on top of the wallet public key hash\n // and redeemer output script pair. That means there can be only one\n // request asking for redemption from the given wallet to the given\n // BTC script at the same time.\n uint256 redemptionKey = getRedemptionKey(\n walletPubKeyHash,\n redeemerOutputScript\n );\n\n // Check if given redemption key is not used by a pending redemption.\n // There is no need to check for existence in `timedOutRedemptions`\n // since the wallet's state is changed to other than Live after\n // first time out is reported so making new requests is not possible.\n // slither-disable-next-line incorrect-equality\n require(\n self.pendingRedemptions[redemptionKey].requestedAt == 0,\n \"There is a pending redemption request from this wallet to the same address\"\n );\n\n // No need to check whether `amount - treasuryFee - txMaxFee > 0`\n // since the `redemptionDustThreshold` should force that condition\n // to be always true.\n uint64 treasuryFee = self.redemptionTreasuryFeeDivisor > 0\n ? amount / self.redemptionTreasuryFeeDivisor\n : 0;\n uint64 txMaxFee = self.redemptionTxMaxFee;\n\n // The main wallet UTXO's value doesn't include all pending redemptions.\n // To determine if the requested redemption can be performed by the\n // wallet we need to subtract the total value of all pending redemptions\n // from that wallet's main UTXO value. Given that the treasury fee is\n // not redeemed from the wallet, we are subtracting it.\n wallet.pendingRedemptionsValue += amount - treasuryFee;\n require(\n mainUtxo.txOutputValue >= wallet.pendingRedemptionsValue,\n \"Insufficient wallet funds\"\n );\n\n self.pendingRedemptions[redemptionKey] = RedemptionRequest(\n redeemer,\n amount,\n treasuryFee,\n txMaxFee,\n /* solhint-disable-next-line not-rely-on-time */\n uint32(block.timestamp)\n );\n\n // slither-disable-next-line reentrancy-events\n emit RedemptionRequested(\n walletPubKeyHash,\n redeemerOutputScript,\n redeemer,\n amount,\n treasuryFee,\n txMaxFee\n );\n\n self.bank.transferBalanceFrom(balanceOwner, address(this), amount);\n }\n\n /// @notice Used by the wallet to prove the BTC redemption transaction\n /// and to make the necessary bookkeeping. Redemption is only\n /// accepted if it satisfies SPV proof.\n ///\n /// The function is performing Bank balance updates by burning\n /// the total redeemed Bitcoin amount from Bridge balance and\n /// transferring the treasury fee sum to the treasury address.\n ///\n /// It is possible to prove the given redemption only one time.\n /// @param redemptionTx Bitcoin redemption transaction data.\n /// @param redemptionProof Bitcoin redemption proof data.\n /// @param mainUtxo Data of the wallet's main UTXO, as currently known on\n /// the Ethereum chain.\n /// @param walletPubKeyHash 20-byte public key hash (computed using Bitcoin\n /// HASH160 over the compressed ECDSA public key) of the wallet which\n /// performed the redemption transaction.\n /// @dev Requirements:\n /// - `redemptionTx` components must match the expected structure. See\n /// `BitcoinTx.Info` docs for reference. Their values must exactly\n /// correspond to appropriate Bitcoin transaction fields to produce\n /// a provable transaction hash,\n /// - The `redemptionTx` should represent a Bitcoin transaction with\n /// exactly 1 input that refers to the wallet's main UTXO. That\n /// transaction should have 1..n outputs handling existing pending\n /// redemption requests or pointing to reported timed out requests.\n /// There can be also 1 optional output representing the\n /// change and pointing back to the 20-byte wallet public key hash.\n /// The change should be always present if the redeemed value sum\n /// is lower than the total wallet's BTC balance,\n /// - `redemptionProof` components must match the expected structure.\n /// See `BitcoinTx.Proof` docs for reference. The `bitcoinHeaders`\n /// field must contain a valid number of block headers, not less\n /// than the `txProofDifficultyFactor` contract constant,\n /// - `mainUtxo` components must point to the recent main UTXO\n /// of the given wallet, as currently known on the Ethereum chain.\n /// Additionally, the recent main UTXO on Ethereum must be set,\n /// - `walletPubKeyHash` must be connected with the main UTXO used\n /// as transaction single input.\n /// Other remarks:\n /// - Putting the change output as the first transaction output can\n /// save some gas because the output processing loop begins each\n /// iteration by checking whether the given output is the change\n /// thus uses some gas for making the comparison. Once the change\n /// is identified, that check is omitted in further iterations.\n function submitRedemptionProof(\n BridgeState.Storage storage self,\n BitcoinTx.Info calldata redemptionTx,\n BitcoinTx.Proof calldata redemptionProof,\n BitcoinTx.UTXO calldata mainUtxo,\n bytes20 walletPubKeyHash\n ) external {\n // Wallet state validation is performed in the `resolveRedeemingWallet`\n // function.\n\n // The actual transaction proof is performed here. After that point, we\n // can assume the transaction happened on Bitcoin chain and has\n // a sufficient number of confirmations as determined by\n // `txProofDifficultyFactor` constant.\n bytes32 redemptionTxHash = self.validateProof(\n redemptionTx,\n redemptionProof\n );\n\n Wallets.Wallet storage wallet = resolveRedeemingWallet(\n self,\n walletPubKeyHash,\n mainUtxo\n );\n\n // Process the redemption transaction input. Specifically, check if it\n // refers to the expected wallet's main UTXO.\n OutboundTx.processWalletOutboundTxInput(\n self,\n redemptionTx.inputVector,\n mainUtxo\n );\n\n // Process redemption transaction outputs to extract some info required\n // for further processing.\n RedemptionTxOutputsInfo memory outputsInfo = processRedemptionTxOutputs(\n self,\n redemptionTx.outputVector,\n walletPubKeyHash\n );\n\n require(\n mainUtxo.txOutputValue - outputsInfo.outputsTotalValue <=\n self.redemptionTxMaxTotalFee,\n \"Transaction fee is too high\"\n );\n\n if (outputsInfo.changeValue > 0) {\n // If the change value is grater than zero, it means the change\n // output exists and can be used as new wallet's main UTXO.\n wallet.mainUtxoHash = keccak256(\n abi.encodePacked(\n redemptionTxHash,\n outputsInfo.changeIndex,\n outputsInfo.changeValue\n )\n );\n } else {\n // If the change value is zero, it means the change output doesn't\n // exists and no funds left on the wallet. Delete the main UTXO\n // for that wallet to represent that state in a proper way.\n delete wallet.mainUtxoHash;\n }\n\n wallet.pendingRedemptionsValue -= outputsInfo.totalBurnableValue;\n\n emit RedemptionsCompleted(walletPubKeyHash, redemptionTxHash);\n\n self.bank.decreaseBalance(outputsInfo.totalBurnableValue);\n\n if (outputsInfo.totalTreasuryFee > 0) {\n self.bank.transferBalance(\n self.treasury,\n outputsInfo.totalTreasuryFee\n );\n }\n }\n\n /// @notice Resolves redeeming wallet based on the provided wallet public\n /// key hash. Validates the wallet state and current main UTXO, as\n /// currently known on the Ethereum chain.\n /// @param walletPubKeyHash public key hash of the wallet proving the sweep\n /// Bitcoin transaction.\n /// @param mainUtxo Data of the wallet's main UTXO, as currently known on\n /// the Ethereum chain.\n /// @return wallet Data of the sweeping wallet.\n /// @dev Requirements:\n /// - Sweeping wallet must be either in Live or MovingFunds state,\n /// - Main UTXO of the redeeming wallet must exists in the storage,\n /// - The passed `mainUTXO` parameter must be equal to the stored one.\n function resolveRedeemingWallet(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n BitcoinTx.UTXO calldata mainUtxo\n ) internal view returns (Wallets.Wallet storage wallet) {\n wallet = self.registeredWallets[walletPubKeyHash];\n\n // Assert that main UTXO for passed wallet exists in storage.\n bytes32 mainUtxoHash = wallet.mainUtxoHash;\n require(mainUtxoHash != bytes32(0), \"No main UTXO for given wallet\");\n\n // Assert that passed main UTXO parameter is the same as in storage and\n // can be used for further processing.\n require(\n keccak256(\n abi.encodePacked(\n mainUtxo.txHash,\n mainUtxo.txOutputIndex,\n mainUtxo.txOutputValue\n )\n ) == mainUtxoHash,\n \"Invalid main UTXO data\"\n );\n\n Wallets.WalletState walletState = wallet.state;\n require(\n walletState == Wallets.WalletState.Live ||\n walletState == Wallets.WalletState.MovingFunds,\n \"Wallet must be in Live or MovingFunds state\"\n );\n }\n\n /// @notice Processes the Bitcoin redemption transaction output vector.\n /// It extracts each output and tries to identify it as a pending\n /// redemption request, reported timed out request, or change.\n /// Reverts if one of the outputs cannot be recognized properly.\n /// This function also marks each request as processed by removing\n /// them from `pendingRedemptions` mapping.\n /// @param redemptionTxOutputVector Bitcoin redemption transaction output\n /// vector. This function assumes vector's structure is valid so it\n /// must be validated using e.g. `BTCUtils.validateVout` function\n /// before it is passed here.\n /// @param walletPubKeyHash 20-byte public key hash (computed using Bitcoin\n /// HASH160 over the compressed ECDSA public key) of the wallet which\n /// performed the redemption transaction.\n /// @return info Outcomes of the processing.\n function processRedemptionTxOutputs(\n BridgeState.Storage storage self,\n bytes memory redemptionTxOutputVector,\n bytes20 walletPubKeyHash\n ) internal returns (RedemptionTxOutputsInfo memory info) {\n // Determining the total number of redemption transaction outputs in\n // the same way as for number of inputs. See `BitcoinTx.outputVector`\n // docs for more details.\n (\n uint256 outputsCompactSizeUintLength,\n uint256 outputsCount\n ) = redemptionTxOutputVector.parseVarInt();\n\n // To determine the first output starting index, we must jump over\n // the compactSize uint which prepends the output vector. One byte\n // must be added because `BtcUtils.parseVarInt` does not include\n // compactSize uint tag in the returned length.\n //\n // For >= 0 && <= 252, `BTCUtils.determineVarIntDataLengthAt`\n // returns `0`, so we jump over one byte of compactSize uint.\n //\n // For >= 253 && <= 0xffff there is `0xfd` tag,\n // `BTCUtils.determineVarIntDataLengthAt` returns `2` (no\n // tag byte included) so we need to jump over 1+2 bytes of\n // compactSize uint.\n //\n // Please refer `BTCUtils` library and compactSize uint\n // docs in `BitcoinTx` library for more details.\n uint256 outputStartingIndex = 1 + outputsCompactSizeUintLength;\n\n // Calculate the keccak256 for two possible wallet's P2PKH or P2WPKH\n // scripts that can be used to lock the change. This is done upfront to\n // save on gas. Both scripts have a strict format defined by Bitcoin.\n //\n // The P2PKH script has the byte format: <0x1976a914> <20-byte PKH> <0x88ac>.\n // According to https://en.bitcoin.it/wiki/Script#Opcodes this translates to:\n // - 0x19: Byte length of the entire script\n // - 0x76: OP_DUP\n // - 0xa9: OP_HASH160\n // - 0x14: Byte length of the public key hash\n // - 0x88: OP_EQUALVERIFY\n // - 0xac: OP_CHECKSIG\n // which matches the P2PKH structure as per:\n // https://en.bitcoin.it/wiki/Transaction#Pay-to-PubkeyHash\n bytes32 walletP2PKHScriptKeccak = keccak256(\n abi.encodePacked(BitcoinTx.makeP2PKHScript(walletPubKeyHash))\n );\n // The P2WPKH script has the byte format: <0x160014> <20-byte PKH>.\n // According to https://en.bitcoin.it/wiki/Script#Opcodes this translates to:\n // - 0x16: Byte length of the entire script\n // - 0x00: OP_0\n // - 0x14: Byte length of the public key hash\n // which matches the P2WPKH structure as per:\n // https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#P2WPKH\n bytes32 walletP2WPKHScriptKeccak = keccak256(\n abi.encodePacked(BitcoinTx.makeP2WPKHScript(walletPubKeyHash))\n );\n\n return\n processRedemptionTxOutputs(\n self,\n redemptionTxOutputVector,\n walletPubKeyHash,\n RedemptionTxOutputsProcessingInfo(\n outputStartingIndex,\n outputsCount,\n walletP2PKHScriptKeccak,\n walletP2WPKHScriptKeccak\n )\n );\n }\n\n /// @notice Processes all outputs from the redemption transaction. Tries to\n /// identify output as a change output, pending redemption request\n /// or reported redemption. Reverts if one of the outputs cannot be\n /// recognized properly. Marks each request as processed by removing\n /// them from `pendingRedemptions` mapping.\n /// @param redemptionTxOutputVector Bitcoin redemption transaction output\n /// vector. This function assumes vector's structure is valid so it\n /// must be validated using e.g. `BTCUtils.validateVout` function\n /// before it is passed here.\n /// @param walletPubKeyHash 20-byte public key hash (computed using Bitcoin\n /// HASH160 over the compressed ECDSA public key) of the wallet which\n /// performed the redemption transaction.\n /// @param processInfo RedemptionTxOutputsProcessingInfo identifying output\n /// starting index, the number of outputs and possible wallet change\n /// P2PKH and P2WPKH scripts.\n function processRedemptionTxOutputs(\n BridgeState.Storage storage self,\n bytes memory redemptionTxOutputVector,\n bytes20 walletPubKeyHash,\n RedemptionTxOutputsProcessingInfo memory processInfo\n ) internal returns (RedemptionTxOutputsInfo memory resultInfo) {\n // Helper flag indicating whether there was at least one redemption\n // output present (redemption must be either pending or reported as\n // timed out).\n bool redemptionPresent = false;\n\n // Outputs processing loop.\n for (uint256 i = 0; i < processInfo.outputsCount; i++) {\n uint256 outputLength = redemptionTxOutputVector\n .determineOutputLengthAt(processInfo.outputStartingIndex);\n\n // Extract the value from given output.\n uint64 outputValue = redemptionTxOutputVector.extractValueAt(\n processInfo.outputStartingIndex\n );\n\n // The output consists of an 8-byte value and a variable length\n // script. To hash that script we slice the output starting from\n // 9th byte until the end.\n uint256 scriptLength = outputLength - 8;\n uint256 outputScriptStart = processInfo.outputStartingIndex + 8;\n\n bytes32 outputScriptHash;\n /* solhint-disable-next-line no-inline-assembly */\n assembly {\n // The first argument to assembly keccak256 is the pointer.\n // We point to `redemptionTxOutputVector` but at the position\n // indicated by `outputScriptStart`. To load that position, we\n // need to call `add(outputScriptStart, 32)` because\n // `outputScriptStart` has 32 bytes.\n outputScriptHash := keccak256(\n add(redemptionTxOutputVector, add(outputScriptStart, 32)),\n scriptLength\n )\n }\n\n if (\n resultInfo.changeValue == 0 &&\n (outputScriptHash == processInfo.walletP2PKHScriptKeccak ||\n outputScriptHash == processInfo.walletP2WPKHScriptKeccak) &&\n outputValue > 0\n ) {\n // If we entered here, that means the change output with a\n // proper non-zero value was found.\n resultInfo.changeIndex = uint32(i);\n resultInfo.changeValue = outputValue;\n } else {\n // If we entered here, that the means the given output is\n // supposed to represent a redemption.\n (\n uint64 burnableValue,\n uint64 treasuryFee\n ) = processNonChangeRedemptionTxOutput(\n self,\n _getRedemptionKey(walletPubKeyHash, outputScriptHash),\n outputValue\n );\n resultInfo.totalBurnableValue += burnableValue;\n resultInfo.totalTreasuryFee += treasuryFee;\n redemptionPresent = true;\n }\n\n resultInfo.outputsTotalValue += outputValue;\n\n // Make the `outputStartingIndex` pointing to the next output by\n // increasing it by current output's length.\n processInfo.outputStartingIndex += outputLength;\n }\n\n // Protect against the cases when there is only a single change output\n // referring back to the wallet PKH and just burning main UTXO value\n // for transaction fees.\n require(\n redemptionPresent,\n \"Redemption transaction must process at least one redemption\"\n );\n }\n\n /// @notice Processes a single redemption transaction output. Tries to\n /// identify output as a pending redemption request or reported\n /// redemption timeout. Output script passed to this function must\n /// not be the change output. Such output needs to be identified\n /// separately before calling this function.\n /// Reverts if output is neither requested pending redemption nor\n /// requested and reported timed-out redemption.\n /// This function also marks each pending request as processed by\n /// removing them from `pendingRedemptions` mapping.\n /// @param redemptionKey Redemption key of the output being processed.\n /// @param outputValue Value of the output being processed.\n /// @return burnableValue The value burnable as a result of processing this\n /// single redemption output. This value needs to be summed up with\n /// burnable values of all other outputs to evaluate total burnable\n /// value for the entire redemption transaction. This value is 0\n /// for a timed-out redemption request.\n /// @return treasuryFee The treasury fee from this single redemption output.\n /// This value needs to be summed up with treasury fees of all other\n /// outputs to evaluate the total treasury fee for the entire\n /// redemption transaction. This value is 0 for a timed-out\n /// redemption request.\n /// @dev Requirements:\n /// - This function should be called only if the given output\n /// represents redemption. It must not be the change output.\n function processNonChangeRedemptionTxOutput(\n BridgeState.Storage storage self,\n uint256 redemptionKey,\n uint64 outputValue\n ) internal returns (uint64 burnableValue, uint64 treasuryFee) {\n if (self.pendingRedemptions[redemptionKey].requestedAt != 0) {\n // If we entered here, that means the output was identified\n // as a pending redemption request.\n RedemptionRequest storage request = self.pendingRedemptions[\n redemptionKey\n ];\n // Compute the request's redeemable amount as the requested\n // amount reduced by the treasury fee. The request's\n // minimal amount is then the redeemable amount reduced by\n // the maximum transaction fee.\n uint64 redeemableAmount = request.requestedAmount -\n request.treasuryFee;\n // Output value must fit between the request's redeemable\n // and minimal amounts to be deemed valid.\n require(\n redeemableAmount - request.txMaxFee <= outputValue &&\n outputValue <= redeemableAmount,\n \"Output value is not within the acceptable range of the pending request\"\n );\n // Add the redeemable amount to the total burnable value\n // the Bridge will use to decrease its balance in the Bank.\n burnableValue = redeemableAmount;\n // Add the request's treasury fee to the total treasury fee\n // value the Bridge will transfer to the treasury.\n treasuryFee = request.treasuryFee;\n // Request was properly handled so remove its redemption\n // key from the mapping to make it reusable for further\n // requests.\n delete self.pendingRedemptions[redemptionKey];\n } else {\n // If we entered here, the output is not a redemption\n // request but there is still a chance the given output is\n // related to a reported timed out redemption request.\n // If so, check if the output value matches the request\n // amount to confirm this is an overdue request fulfillment\n // then bypass this output and process the subsequent\n // ones. That also means the wallet was already punished\n // for the inactivity. Otherwise, just revert.\n RedemptionRequest storage request = self.timedOutRedemptions[\n redemptionKey\n ];\n\n require(\n request.requestedAt != 0,\n \"Output is a non-requested redemption\"\n );\n\n uint64 redeemableAmount = request.requestedAmount -\n request.treasuryFee;\n\n require(\n redeemableAmount - request.txMaxFee <= outputValue &&\n outputValue <= redeemableAmount,\n \"Output value is not within the acceptable range of the timed out request\"\n );\n\n delete self.timedOutRedemptions[redemptionKey];\n }\n }\n\n /// @notice Notifies that there is a pending redemption request associated\n /// with the given wallet, that has timed out. The redemption\n /// request is identified by the key built as\n /// `keccak256(keccak256(redeemerOutputScript) | walletPubKeyHash)`.\n /// The results of calling this function:\n /// - the pending redemptions value for the wallet will be decreased\n /// by the requested amount (minus treasury fee),\n /// - the tokens taken from the redeemer on redemption request will\n /// be returned to the redeemer,\n /// - the request will be moved from pending redemptions to\n /// timed-out redemptions,\n /// - if the state of the wallet is `Live` or `MovingFunds`, the\n /// wallet operators will be slashed and the notifier will be\n /// rewarded,\n /// - if the state of wallet is `Live`, the wallet will be closed or\n /// marked as `MovingFunds` (depending on the presence or absence\n /// of the wallet's main UTXO) and the wallet will no longer be\n /// marked as the active wallet (if it was marked as such).\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param walletMembersIDs Identifiers of the wallet signing group members.\n /// @param redeemerOutputScript The redeemer's length-prefixed output\n /// script (P2PKH, P2WPKH, P2SH or P2WSH).\n /// @dev Requirements:\n /// - The wallet must be in the Live or MovingFunds or Terminated state,\n /// - The redemption request identified by `walletPubKeyHash` and\n /// `redeemerOutputScript` must exist,\n /// - The expression `keccak256(abi.encode(walletMembersIDs))` must\n /// be exactly the same as the hash stored under `membersIdsHash`\n /// for the given `walletID`. Those IDs are not directly stored\n /// in the contract for gas efficiency purposes but they can be\n /// read from appropriate `DkgResultSubmitted` and `DkgResultApproved`\n /// events of the `WalletRegistry` contract,\n /// - The amount of time defined by `redemptionTimeout` must have\n /// passed since the redemption was requested (the request must be\n /// timed-out).\n function notifyRedemptionTimeout(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n uint32[] calldata walletMembersIDs,\n bytes calldata redeemerOutputScript\n ) external {\n // Wallet state is validated in `notifyWalletRedemptionTimeout`.\n uint256 redemptionKey = getRedemptionKey(\n walletPubKeyHash,\n redeemerOutputScript\n );\n Redemption.RedemptionRequest memory request = self.pendingRedemptions[\n redemptionKey\n ];\n\n require(request.requestedAt > 0, \"Redemption request does not exist\");\n require(\n /* solhint-disable-next-line not-rely-on-time */\n request.requestedAt + self.redemptionTimeout < block.timestamp,\n \"Redemption request has not timed out\"\n );\n\n // Update the wallet's pending redemptions value\n Wallets.Wallet storage wallet = self.registeredWallets[\n walletPubKeyHash\n ];\n wallet.pendingRedemptionsValue -=\n request.requestedAmount -\n request.treasuryFee;\n\n // It is worth noting that there is no need to check if\n // `timedOutRedemption` mapping already contains the given redemption\n // key. There is no possibility to re-use a key of a reported timed-out\n // redemption because the wallet responsible for causing the timeout is\n // moved to a state that prevents it to receive new redemption requests.\n\n // Propagate timeout consequences to the wallet\n self.notifyWalletRedemptionTimeout(walletPubKeyHash, walletMembersIDs);\n\n // Move the redemption from pending redemptions to timed-out redemptions\n self.timedOutRedemptions[redemptionKey] = request;\n delete self.pendingRedemptions[redemptionKey];\n\n // slither-disable-next-line reentrancy-events\n emit RedemptionTimedOut(walletPubKeyHash, redeemerOutputScript);\n\n // Return the requested amount of tokens to the redeemer\n self.bank.transferBalance(request.redeemer, request.requestedAmount);\n }\n\n /// @notice Calculate redemption key without allocations.\n /// @param walletPubKeyHash the pubkey hash of the wallet.\n /// @param script the output script of the redemption.\n /// @return The key = keccak256(keccak256(script) | walletPubKeyHash).\n function getRedemptionKey(bytes20 walletPubKeyHash, bytes memory script)\n internal\n pure\n returns (uint256)\n {\n bytes32 scriptHash = keccak256(script);\n uint256 key;\n /* solhint-disable-next-line no-inline-assembly */\n assembly {\n mstore(0, scriptHash)\n mstore(32, walletPubKeyHash)\n key := keccak256(0, 52)\n }\n return key;\n }\n\n /// @notice Finish calculating redemption key without allocations.\n /// @param walletPubKeyHash the pubkey hash of the wallet.\n /// @param scriptHash the output script hash of the redemption.\n /// @return The key = keccak256(scriptHash | walletPubKeyHash).\n function _getRedemptionKey(bytes20 walletPubKeyHash, bytes32 scriptHash)\n internal\n pure\n returns (uint256)\n {\n uint256 key;\n /* solhint-disable-next-line no-inline-assembly */\n assembly {\n mstore(0, scriptHash)\n mstore(32, walletPubKeyHash)\n key := keccak256(0, 52)\n }\n return key;\n }\n}\n"
|
|
165
165
|
},
|
|
166
166
|
"contracts/bridge/WalletCoordinator.sol": {
|
|
167
|
-
"content": "// SPDX-License-Identifier: GPL-3.0-only\n\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n\npragma solidity 0.8.17;\n\nimport {BTCUtils} from \"@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol\";\nimport {BytesLib} from \"@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol\";\nimport \"@keep-network/random-beacon/contracts/Reimbursable.sol\";\nimport \"@keep-network/random-beacon/contracts/ReimbursementPool.sol\";\n\nimport \"@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol\";\n\nimport \"./BitcoinTx.sol\";\nimport \"./Bridge.sol\";\nimport \"./Deposit.sol\";\nimport \"./Wallets.sol\";\n\n/// @title Wallet coordinator.\n/// @notice The wallet coordinator contract aims to facilitate the coordination\n/// of the off-chain wallet members during complex multi-chain wallet\n/// operations like deposit sweeping, redemptions, or moving funds.\n/// Such processes involve various moving parts and many steps that each\n/// individual wallet member must do. Given the distributed nature of\n/// the off-chain wallet software, full off-chain implementation is\n/// challenging and prone to errors, especially byzantine faults.\n/// This contract provides a single and trusted on-chain coordination\n/// point thus taking the riskiest part out of the off-chain software.\n/// The off-chain wallet members can focus on the core tasks and do not\n/// bother about electing a trusted coordinator or aligning internal\n/// states using complex consensus algorithms.\ncontract WalletCoordinator is OwnableUpgradeable, Reimbursable {\n using BTCUtils for bytes;\n using BytesLib for bytes;\n\n /// @notice Represents wallet action:\n enum WalletAction {\n /// @dev The wallet does not perform any action.\n Idle,\n /// @dev The wallet is executing heartbeat.\n Heartbeat,\n /// @dev The wallet is handling a deposit sweep action.\n DepositSweep,\n /// @dev The wallet is handling a redemption action.\n Redemption,\n /// @dev The wallet is handling a moving funds action.\n MovingFunds,\n /// @dev The wallet is handling a moved funds sweep action.\n MovedFundsSweep\n }\n\n /// @notice Holds information about a wallet time lock.\n struct WalletLock {\n /// @notice A UNIX timestamp defining the moment until which the wallet\n /// is locked and cannot receive new proposals. The value of 0\n /// means the wallet is not locked and can receive a proposal\n /// at any time.\n uint32 expiresAt;\n /// @notice The wallet action being the cause of the lock.\n WalletAction cause;\n }\n\n /// @notice Helper structure representing a deposit sweep proposal.\n struct DepositSweepProposal {\n // 20-byte public key hash of the target wallet.\n bytes20 walletPubKeyHash;\n // Deposits that should be part of the sweep.\n DepositKey[] depositsKeys;\n // Proposed BTC fee for the entire transaction.\n uint256 sweepTxFee;\n }\n\n /// @notice Helper structure representing a plain-text deposit key.\n /// Each deposit can be identified by their 32-byte funding\n /// transaction hash (Bitcoin internal byte order) an the funding\n /// output index (0-based).\n /// @dev Do not confuse this structure with the deposit key used within the\n /// Bridge contract to store deposits. Here we have the plain-text\n /// components of the key while the Bridge uses a uint representation of\n /// keccak256(fundingTxHash | fundingOutputIndex) for gas efficiency.\n struct DepositKey {\n bytes32 fundingTxHash;\n uint32 fundingOutputIndex;\n }\n\n /// @notice Helper structure holding deposit extra data required during\n /// deposit sweep proposal validation. Basically, this structure\n /// is a combination of BitcoinTx.Info and relevant parts of\n /// Deposit.DepositRevealInfo.\n /// @dev These data can be pulled from respective `DepositRevealed` events\n /// emitted by the `Bridge.revealDeposit` function. The `fundingTx`\n /// field must be taken directly from the Bitcoin chain, using the\n /// `DepositRevealed.fundingTxHash` as transaction identifier.\n struct DepositExtraInfo {\n BitcoinTx.Info fundingTx;\n bytes8 blindingFactor;\n bytes20 walletPubKeyHash;\n bytes20 refundPubKeyHash;\n bytes4 refundLocktime;\n }\n\n /// @notice Mapping that holds addresses allowed to submit proposals and\n /// request heartbeats.\n mapping(address => bool) public isCoordinator;\n\n /// @notice Mapping that holds wallet time locks. The key is a 20-byte\n /// wallet public key hash.\n mapping(bytes20 => WalletLock) public walletLock;\n\n /// @notice Handle to the Bridge contract.\n Bridge public bridge;\n\n /// @notice Determines the wallet heartbeat request validity time. In other\n /// words, this is the worst-case time for a wallet heartbeat\n /// during which the wallet is busy and canot take other actions.\n /// This is also the duration of the time lock applied to the wallet\n /// once a new heartbeat request is submitted.\n ///\n /// For example, if a deposit sweep proposal was submitted at\n /// 2 pm and heartbeatRequestValidity is 1 hour, the next request or\n /// proposal (of any type) can be submitted after 3 pm.\n uint32 public heartbeatRequestValidity;\n\n /// @notice Gas that is meant to balance the heartbeat request overall cost.\n /// Can be updated by the owner based on the current conditions.\n uint32 public heartbeatRequestGasOffset;\n\n /// @notice Determines the deposit sweep proposal validity time. In other\n /// words, this is the worst-case time for a deposit sweep during\n /// which the wallet is busy and cannot take another actions. This\n /// is also the duration of the time lock applied to the wallet\n /// once a new deposit sweep proposal is submitted.\n ///\n /// For example, if a deposit sweep proposal was submitted at\n /// 2 pm and depositSweepProposalValidity is 4 hours, the next\n /// proposal (of any type) can be submitted after 6 pm.\n uint32 public depositSweepProposalValidity;\n\n /// @notice The minimum time that must elapse since the deposit reveal\n /// before a deposit becomes eligible for a deposit sweep.\n ///\n /// For example, if a deposit was revealed at 9 am and depositMinAge\n /// is 2 hours, the deposit is eligible for sweep after 11 am.\n ///\n /// @dev Forcing deposit minimum age ensures block finality for Ethereum.\n /// In the happy path case, i.e. where the deposit is revealed immediately\n /// after being broadcast on the Bitcoin network, the minimum age\n /// check also ensures block finality for Bitcoin.\n uint32 public depositMinAge;\n\n /// @notice Each deposit can be technically swept until it reaches its\n /// refund timestamp after which it can be taken back by the depositor.\n /// However, allowing the wallet to sweep deposits that are close\n /// to their refund timestamp may cause a race between the wallet\n /// and the depositor. In result, the wallet may sign an invalid\n /// sweep transaction that aims to sweep an already refunded deposit.\n /// Such tx signature may be used to create an undefeatable fraud\n /// challenge against the wallet. In order to mitigate that problem,\n /// this parameter determines a safety margin that puts the latest\n /// moment a deposit can be swept far before the point after which\n /// the deposit becomes refundable.\n ///\n /// For example, if a deposit becomes refundable after 8 pm and\n /// depositRefundSafetyMargin is 6 hours, the deposit is valid for\n /// for a sweep only before 2 pm.\n uint32 public depositRefundSafetyMargin;\n\n /// @notice The maximum count of deposits that can be swept within a\n /// single sweep.\n uint16 public depositSweepMaxSize;\n\n /// @notice Gas that is meant to balance the deposit sweep proposal\n /// submission overall cost. Can be updated by the owner based on\n /// the current conditions.\n uint32 public depositSweepProposalSubmissionGasOffset;\n\n event CoordinatorAdded(address indexed coordinator);\n\n event CoordinatorRemoved(address indexed coordinator);\n\n event WalletManuallyUnlocked(bytes20 indexed walletPubKeyHash);\n\n event HeartbeatRequestParametersUpdated(\n uint32 heartbeatRequestValidity,\n uint32 heartbeatRequestGasOffset\n );\n\n event HeartbeatRequestSubmitted(\n bytes20 walletPubKeyHash,\n bytes message,\n address indexed coordinator\n );\n\n event DepositSweepProposalParametersUpdated(\n uint32 depositSweepProposalValidity,\n uint32 depositMinAge,\n uint32 depositRefundSafetyMargin,\n uint16 depositSweepMaxSize,\n uint32 depositSweepProposalSubmissionGasOffset\n );\n\n event DepositSweepProposalSubmitted(\n DepositSweepProposal proposal,\n address indexed coordinator\n );\n\n modifier onlyCoordinator() {\n require(isCoordinator[msg.sender], \"Caller is not a coordinator\");\n _;\n }\n\n modifier onlyAfterWalletLock(bytes20 walletPubKeyHash) {\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp > walletLock[walletPubKeyHash].expiresAt,\n \"Wallet locked\"\n );\n _;\n }\n\n modifier onlyReimbursableAdmin() override {\n require(owner() == msg.sender, \"Caller is not the owner\");\n _;\n }\n\n function initialize(Bridge _bridge) external initializer {\n __Ownable_init();\n\n bridge = _bridge;\n // Pre-fetch addresses to save gas later.\n (, , , reimbursementPool) = _bridge.contractReferences();\n\n heartbeatRequestValidity = 1 hours;\n heartbeatRequestGasOffset = 5_000;\n\n depositSweepProposalValidity = 4 hours;\n depositMinAge = 2 hours;\n depositRefundSafetyMargin = 24 hours;\n depositSweepMaxSize = 5;\n depositSweepProposalSubmissionGasOffset = 5_000;\n }\n\n /// @notice Adds the given address to the set of coordinator addresses.\n /// @param coordinator Address of the new coordinator.\n /// @dev Requirements:\n /// - The caller must be the owner,\n /// - The `coordinator` must not be an existing coordinator.\n function addCoordinator(address coordinator) external onlyOwner {\n require(\n !isCoordinator[coordinator],\n \"This address is already a coordinator\"\n );\n isCoordinator[coordinator] = true;\n emit CoordinatorAdded(coordinator);\n }\n\n /// @notice Removes the given address from the set of coordinator addresses.\n /// @param coordinator Address of the existing coordinator.\n /// @dev Requirements:\n /// - The caller must be the owner,\n /// - The `coordinator` must be an existing coordinator.\n function removeCoordinator(address coordinator) external onlyOwner {\n require(\n isCoordinator[coordinator],\n \"This address is not a coordinator\"\n );\n delete isCoordinator[coordinator];\n emit CoordinatorRemoved(coordinator);\n }\n\n /// @notice Allows to unlock the given wallet before their time lock expires.\n /// This function should be used in exceptional cases where\n /// something went wrong and there is a need to unlock the wallet\n /// without waiting.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet\n /// @dev Requirements:\n /// - The caller must be the owner.\n function unlockWallet(bytes20 walletPubKeyHash) external onlyOwner {\n // Just in case, allow the owner to unlock the wallet earlier.\n walletLock[walletPubKeyHash] = WalletLock(0, WalletAction.Idle);\n emit WalletManuallyUnlocked(walletPubKeyHash);\n }\n\n /// @notice Updates parameters related to heartbeat request.\n /// @param _heartbeatRequestValidity The new value of `heartbeatRequestValidity`.\n /// @param _heartbeatRequestGasOffset The new value of `heartbeatRequestGasOffset`.\n /// @dev Requirements:\n /// - The caller must be the owner.\n function updateHeartbeatRequestParameters(\n uint32 _heartbeatRequestValidity,\n uint32 _heartbeatRequestGasOffset\n ) external onlyOwner {\n heartbeatRequestValidity = _heartbeatRequestValidity;\n heartbeatRequestGasOffset = _heartbeatRequestGasOffset;\n emit HeartbeatRequestParametersUpdated(\n _heartbeatRequestValidity,\n _heartbeatRequestGasOffset\n );\n }\n\n /// @notice Updates parameters related to deposit sweep proposal.\n /// @param _depositSweepProposalValidity The new value of `depositSweepProposalValidity`.\n /// @param _depositMinAge The new value of `depositMinAge`.\n /// @param _depositRefundSafetyMargin The new value of `depositRefundSafetyMargin`.\n /// @param _depositSweepMaxSize The new value of `depositSweepMaxSize`.\n /// @dev Requirements:\n /// - The caller must be the owner.\n function updateDepositSweepProposalParameters(\n uint32 _depositSweepProposalValidity,\n uint32 _depositMinAge,\n uint32 _depositRefundSafetyMargin,\n uint16 _depositSweepMaxSize,\n uint32 _depositSweepProposalSubmissionGasOffset\n ) external onlyOwner {\n depositSweepProposalValidity = _depositSweepProposalValidity;\n depositMinAge = _depositMinAge;\n depositRefundSafetyMargin = _depositRefundSafetyMargin;\n depositSweepMaxSize = _depositSweepMaxSize;\n depositSweepProposalSubmissionGasOffset = _depositSweepProposalSubmissionGasOffset;\n\n emit DepositSweepProposalParametersUpdated(\n _depositSweepProposalValidity,\n _depositMinAge,\n _depositRefundSafetyMargin,\n _depositSweepMaxSize,\n _depositSweepProposalSubmissionGasOffset\n );\n }\n\n /// @notice Submits a heartbeat request from the wallet. Locks the wallet\n /// for a specific time, equal to the request validity period.\n /// This function validates the proposed heartbeat messge to see\n /// if it matches the heartbeat format expected by the Bridge.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet that is\n /// supposed to execute the heartbeat.\n /// @param message The proposed heartbeat message for the wallet to sign.\n /// @dev Requirements:\n /// - The caller is a coordinator,\n /// - The wallet is not time-locked,\n /// - The message to sign is a valid heartbeat message.\n function requestHeartbeat(bytes20 walletPubKeyHash, bytes calldata message)\n public\n onlyCoordinator\n onlyAfterWalletLock(walletPubKeyHash)\n {\n require(\n Heartbeat.isValidHeartbeatMessage(message),\n \"Not a valid heartbeat message\"\n );\n\n walletLock[walletPubKeyHash] = WalletLock(\n /* solhint-disable-next-line not-rely-on-time */\n uint32(block.timestamp) + heartbeatRequestValidity,\n WalletAction.Heartbeat\n );\n\n emit HeartbeatRequestSubmitted(walletPubKeyHash, message, msg.sender);\n }\n\n /// @notice Wraps `requestHeartbeat` call and reimburses the caller's\n /// transaction cost.\n /// @dev See `requestHeartbeat` function documentation.\n function requestHeartbeatWithReimbursement(\n bytes20 walletPubKeyHash,\n bytes calldata message\n ) external {\n uint256 gasStart = gasleft();\n\n requestHeartbeat(walletPubKeyHash, message);\n\n reimbursementPool.refund(\n (gasStart - gasleft()) + heartbeatRequestGasOffset,\n msg.sender\n );\n }\n\n /// @notice Submits a deposit sweep proposal. Locks the target wallet\n /// for a specific time, equal to the proposal validity period.\n /// This function does not store the proposal in the state but\n /// just emits an event that serves as a guiding light for wallet\n /// off-chain members. Wallet members are supposed to validate\n /// the proposal on their own, before taking any action.\n /// @param proposal The deposit sweep proposal\n /// @dev Requirements:\n /// - The caller is a coordinator,\n /// - The wallet is not time-locked.\n function submitDepositSweepProposal(DepositSweepProposal calldata proposal)\n public\n onlyCoordinator\n onlyAfterWalletLock(proposal.walletPubKeyHash)\n {\n walletLock[proposal.walletPubKeyHash] = WalletLock(\n /* solhint-disable-next-line not-rely-on-time */\n uint32(block.timestamp) + depositSweepProposalValidity,\n WalletAction.DepositSweep\n );\n\n emit DepositSweepProposalSubmitted(proposal, msg.sender);\n }\n\n /// @notice Wraps `submitDepositSweepProposal` call and reimburses the\n /// caller's transaction cost.\n /// @dev See `submitDepositSweepProposal` function documentation.\n function submitDepositSweepProposalWithReimbursement(\n DepositSweepProposal calldata proposal\n ) external {\n uint256 gasStart = gasleft();\n\n submitDepositSweepProposal(proposal);\n\n reimbursementPool.refund(\n (gasStart - gasleft()) + depositSweepProposalSubmissionGasOffset,\n msg.sender\n );\n }\n\n /// @notice View function encapsulating the main rules of a valid deposit\n /// sweep proposal. This function is meant to facilitate the off-chain\n /// validation of the incoming proposals. Thanks to it, most\n /// of the work can be done using a single readonly contract call.\n /// Worth noting, the validation done here is not exhaustive as some\n /// conditions may not be verifiable within the on-chain function or\n /// checking them may be easier on the off-chain side. For example,\n /// this function does not check the SPV proofs and confirmations of\n /// the deposit funding transactions as this would require an\n /// integration with the difficulty relay that greatly increases\n /// complexity. Instead of that, each off-chain wallet member is\n /// supposed to do that check on their own.\n /// @param proposal The sweeping proposal to validate.\n /// @param depositsExtraInfo Deposits extra data required to perform the validation.\n /// @return True if the proposal is valid. Reverts otherwise.\n /// @dev Requirements:\n /// - The target wallet must be in the Live state,\n /// - The number of deposits included in the sweep must be in\n /// the range [1, `depositSweepMaxSize`],\n /// - The length of `depositsExtraInfo` array must be equal to the\n /// length of `proposal.depositsKeys`, i.e. each deposit must\n /// have exactly one set of corresponding extra data,\n /// - The proposed sweep tx fee must be grater than zero,\n /// - The proposed maximum per-deposit sweep tx fee must be lesser than\n /// or equal the maximum fee allowed by the Bridge (`Bridge.depositTxMaxFee`),\n /// - Each deposit must be revealed to the Bridge,\n /// - Each deposit must be old enough, i.e. at least `depositMinAge`\n /// elapsed since their reveal time,\n /// - Each deposit must not be swept yet,\n /// - Each deposit must have valid extra data (see `validateDepositExtraInfo`),\n /// - Each deposit must have the refund safety margin preserved,\n /// - Each deposit must be controlled by the same wallet,\n /// - Each deposit must target the same vault.\n ///\n /// The following off-chain validation must be performed as a bare minimum:\n /// - Inputs used for the sweep transaction have enough Bitcoin confirmations,\n /// - Deposits revealed to the Bridge have enough Ethereum confirmations.\n function validateDepositSweepProposal(\n DepositSweepProposal calldata proposal,\n DepositExtraInfo[] calldata depositsExtraInfo\n ) external view returns (bool) {\n require(\n bridge.wallets(proposal.walletPubKeyHash).state ==\n Wallets.WalletState.Live,\n \"Wallet is not in Live state\"\n );\n\n require(proposal.depositsKeys.length > 0, \"Sweep below the min size\");\n\n require(\n proposal.depositsKeys.length <= depositSweepMaxSize,\n \"Sweep exceeds the max size\"\n );\n\n require(\n proposal.depositsKeys.length == depositsExtraInfo.length,\n \"Each deposit key must have matching extra data\"\n );\n\n validateSweepTxFee(proposal.sweepTxFee, proposal.depositsKeys.length);\n\n address proposalVault = address(0);\n\n for (uint256 i = 0; i < proposal.depositsKeys.length; i++) {\n DepositKey memory depositKey = proposal.depositsKeys[i];\n DepositExtraInfo memory depositExtraInfo = depositsExtraInfo[i];\n\n // slither-disable-next-line calls-loop\n Deposit.DepositRequest memory depositRequest = bridge.deposits(\n uint256(\n keccak256(\n abi.encodePacked(\n depositKey.fundingTxHash,\n depositKey.fundingOutputIndex\n )\n )\n )\n );\n\n require(depositRequest.revealedAt != 0, \"Deposit not revealed\");\n\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp > depositRequest.revealedAt + depositMinAge,\n \"Deposit min age not achieved yet\"\n );\n\n require(depositRequest.sweptAt == 0, \"Deposit already swept\");\n\n validateDepositExtraInfo(\n depositKey,\n depositRequest.depositor,\n depositExtraInfo\n );\n\n uint32 depositRefundableTimestamp = BTCUtils.reverseUint32(\n uint32(depositExtraInfo.refundLocktime)\n );\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp <\n depositRefundableTimestamp - depositRefundSafetyMargin,\n \"Deposit refund safety margin is not preserved\"\n );\n\n require(\n depositExtraInfo.walletPubKeyHash == proposal.walletPubKeyHash,\n \"Deposit controlled by different wallet\"\n );\n\n // Make sure all deposits target the same vault by using the\n // vault of the first deposit as a reference.\n if (i == 0) {\n proposalVault = depositRequest.vault;\n }\n require(\n depositRequest.vault == proposalVault,\n \"Deposit targets different vault\"\n );\n }\n\n return true;\n }\n\n /// @notice Validates the sweep tx fee by checking if the part of the fee\n /// incurred by each deposit does not exceed the maximum value\n /// allowed by the Bridge. This function is heavily based on\n /// `DepositSweep.depositSweepTxFeeDistribution` function.\n /// @param sweepTxFee The sweep transaction fee.\n /// @param depositsCount Count of the deposits swept by the sweep transaction.\n /// @dev Requirements:\n /// - The sweep tx fee must be grater than zero,\n /// - The maximum per-deposit sweep tx fee must be lesser than or equal\n /// the maximum fee allowed by the Bridge (`Bridge.depositTxMaxFee`).\n function validateSweepTxFee(uint256 sweepTxFee, uint256 depositsCount)\n internal\n view\n {\n require(sweepTxFee > 0, \"Proposed transaction fee cannot be zero\");\n\n // Compute the indivisible remainder that remains after dividing the\n // sweep transaction fee over all deposits evenly.\n uint256 depositTxFeeRemainder = sweepTxFee % depositsCount;\n // Compute the transaction fee per deposit by dividing the sweep\n // transaction fee (reduced by the remainder) by the number of deposits.\n uint256 depositTxFee = (sweepTxFee - depositTxFeeRemainder) /\n depositsCount;\n\n (, , uint64 depositTxMaxFee, ) = bridge.depositParameters();\n\n // The transaction fee is incurred by each deposit evenly except for the last\n // deposit that has the indivisible remainder additionally incurred.\n // See `DepositSweep.submitDepositSweepProof`.\n // We must make sure the highest value of the deposit transaction fee does\n // not exceed the maximum value limited by the governable parameter.\n require(\n depositTxFee + depositTxFeeRemainder <= depositTxMaxFee,\n \"Proposed transaction fee is too high\"\n );\n }\n\n /// @notice Validates the extra data for the given deposit. This function\n /// is heavily based on `Deposit.revealDeposit` function.\n /// @param depositKey Key of the given deposit.\n /// @param depositor Depositor that revealed the deposit.\n /// @param depositExtraInfo Extra data being subject of the validation.\n /// @dev Requirements:\n /// - The transaction hash computed using `depositExtraInfo.fundingTx`\n /// must match the `depositKey.fundingTxHash`. This requirement\n /// ensures the funding transaction data provided in the extra\n /// data container actually represent the funding transaction of\n /// the given deposit.\n /// - The P2(W)SH script inferred from `depositExtraInfo` is actually\n /// used to lock funds by the `depositKey.fundingOutputIndex` output\n /// of the `depositExtraInfo.fundingTx` transaction. This requirement\n /// ensures the reveal data provided in the extra data container\n /// actually matches the given deposit.\n function validateDepositExtraInfo(\n DepositKey memory depositKey,\n address depositor,\n DepositExtraInfo memory depositExtraInfo\n ) internal view {\n bytes32 depositExtraFundingTxHash = abi\n .encodePacked(\n depositExtraInfo.fundingTx.version,\n depositExtraInfo.fundingTx.inputVector,\n depositExtraInfo.fundingTx.outputVector,\n depositExtraInfo.fundingTx.locktime\n )\n .hash256View();\n\n // Make sure the funding tx provided as part of deposit extra data\n // actually matches the deposit referred by the given deposit key.\n if (depositKey.fundingTxHash != depositExtraFundingTxHash) {\n revert(\"Extra info funding tx hash does not match\");\n }\n\n bytes memory expectedScript = abi.encodePacked(\n hex\"14\", // Byte length of depositor Ethereum address.\n depositor,\n hex\"75\", // OP_DROP\n hex\"08\", // Byte length of blinding factor value.\n depositExtraInfo.blindingFactor,\n hex\"75\", // OP_DROP\n hex\"76\", // OP_DUP\n hex\"a9\", // OP_HASH160\n hex\"14\", // Byte length of a compressed Bitcoin public key hash.\n depositExtraInfo.walletPubKeyHash,\n hex\"87\", // OP_EQUAL\n hex\"63\", // OP_IF\n hex\"ac\", // OP_CHECKSIG\n hex\"67\", // OP_ELSE\n hex\"76\", // OP_DUP\n hex\"a9\", // OP_HASH160\n hex\"14\", // Byte length of a compressed Bitcoin public key hash.\n depositExtraInfo.refundPubKeyHash,\n hex\"88\", // OP_EQUALVERIFY\n hex\"04\", // Byte length of refund locktime value.\n depositExtraInfo.refundLocktime,\n hex\"b1\", // OP_CHECKLOCKTIMEVERIFY\n hex\"75\", // OP_DROP\n hex\"ac\", // OP_CHECKSIG\n hex\"68\" // OP_ENDIF\n );\n\n bytes memory fundingOutput = depositExtraInfo\n .fundingTx\n .outputVector\n .extractOutputAtIndex(depositKey.fundingOutputIndex);\n bytes memory fundingOutputHash = fundingOutput.extractHash();\n\n // Path that checks the deposit extra data validity in case the\n // referred deposit is a P2SH.\n if (\n // slither-disable-next-line calls-loop\n fundingOutputHash.length == 20 &&\n fundingOutputHash.slice20(0) == expectedScript.hash160View()\n ) {\n return;\n }\n\n // Path that checks the deposit extra data validity in case the\n // referred deposit is a P2WSH.\n if (\n fundingOutputHash.length == 32 &&\n fundingOutputHash.toBytes32() == sha256(expectedScript)\n ) {\n return;\n }\n\n revert(\"Extra info funding output script does not match\");\n }\n}\n"
|
|
167
|
+
"content": "// SPDX-License-Identifier: GPL-3.0-only\n\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n\npragma solidity 0.8.17;\n\nimport {BTCUtils} from \"@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol\";\nimport {BytesLib} from \"@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol\";\nimport \"@keep-network/random-beacon/contracts/Reimbursable.sol\";\nimport \"@keep-network/random-beacon/contracts/ReimbursementPool.sol\";\n\nimport \"@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol\";\n\nimport \"./BitcoinTx.sol\";\nimport \"./Bridge.sol\";\nimport \"./Deposit.sol\";\nimport \"./Wallets.sol\";\n\n/// @title Wallet coordinator.\n/// @notice The wallet coordinator contract aims to facilitate the coordination\n/// of the off-chain wallet members during complex multi-chain wallet\n/// operations like deposit sweeping, redemptions, or moving funds.\n/// Such processes involve various moving parts and many steps that each\n/// individual wallet member must do. Given the distributed nature of\n/// the off-chain wallet software, full off-chain implementation is\n/// challenging and prone to errors, especially byzantine faults.\n/// This contract provides a single and trusted on-chain coordination\n/// point thus taking the riskiest part out of the off-chain software.\n/// The off-chain wallet members can focus on the core tasks and do not\n/// bother about electing a trusted coordinator or aligning internal\n/// states using complex consensus algorithms.\ncontract WalletCoordinator is OwnableUpgradeable, Reimbursable {\n using BTCUtils for bytes;\n using BytesLib for bytes;\n\n /// @notice Represents wallet action:\n enum WalletAction {\n /// @dev The wallet does not perform any action.\n Idle,\n /// @dev The wallet is executing heartbeat.\n Heartbeat,\n /// @dev The wallet is handling a deposit sweep action.\n DepositSweep,\n /// @dev The wallet is handling a redemption action.\n Redemption,\n /// @dev The wallet is handling a moving funds action.\n MovingFunds,\n /// @dev The wallet is handling a moved funds sweep action.\n MovedFundsSweep\n }\n\n /// @notice Holds information about a wallet time lock.\n struct WalletLock {\n /// @notice A UNIX timestamp defining the moment until which the wallet\n /// is locked and cannot receive new proposals. The value of 0\n /// means the wallet is not locked and can receive a proposal\n /// at any time.\n uint32 expiresAt;\n /// @notice The wallet action being the cause of the lock.\n WalletAction cause;\n }\n\n /// @notice Helper structure representing a deposit sweep proposal.\n struct DepositSweepProposal {\n // 20-byte public key hash of the target wallet.\n bytes20 walletPubKeyHash;\n // Deposits that should be part of the sweep.\n DepositKey[] depositsKeys;\n // Proposed BTC fee for the entire transaction.\n uint256 sweepTxFee;\n // Array containing the reveal blocks of each deposit. This information\n // strongly facilitates the off-chain processing. Using those blocks,\n // wallet operators can quickly fetch corresponding Bridge.DepositRevealed\n // events carrying deposit data necessary to perform proposal validation.\n // This field is not explicitly validated within the validateDepositSweepProposal\n // function because if something is wrong here the off-chain wallet\n // operators will fail anyway as they won't be able to gather deposit\n // data necessary to perform the on-chain validation using the\n // validateDepositSweepProposal function.\n uint256[] depositsRevealBlocks;\n }\n\n /// @notice Helper structure representing a plain-text deposit key.\n /// Each deposit can be identified by their 32-byte funding\n /// transaction hash (Bitcoin internal byte order) an the funding\n /// output index (0-based).\n /// @dev Do not confuse this structure with the deposit key used within the\n /// Bridge contract to store deposits. Here we have the plain-text\n /// components of the key while the Bridge uses a uint representation of\n /// keccak256(fundingTxHash | fundingOutputIndex) for gas efficiency.\n struct DepositKey {\n bytes32 fundingTxHash;\n uint32 fundingOutputIndex;\n }\n\n /// @notice Helper structure holding deposit extra data required during\n /// deposit sweep proposal validation. Basically, this structure\n /// is a combination of BitcoinTx.Info and relevant parts of\n /// Deposit.DepositRevealInfo.\n /// @dev These data can be pulled from respective `DepositRevealed` events\n /// emitted by the `Bridge.revealDeposit` function. The `fundingTx`\n /// field must be taken directly from the Bitcoin chain, using the\n /// `DepositRevealed.fundingTxHash` as transaction identifier.\n struct DepositExtraInfo {\n BitcoinTx.Info fundingTx;\n bytes8 blindingFactor;\n bytes20 walletPubKeyHash;\n bytes20 refundPubKeyHash;\n bytes4 refundLocktime;\n }\n\n /// @notice Mapping that holds addresses allowed to submit proposals and\n /// request heartbeats.\n mapping(address => bool) public isCoordinator;\n\n /// @notice Mapping that holds wallet time locks. The key is a 20-byte\n /// wallet public key hash.\n mapping(bytes20 => WalletLock) public walletLock;\n\n /// @notice Handle to the Bridge contract.\n Bridge public bridge;\n\n /// @notice Determines the wallet heartbeat request validity time. In other\n /// words, this is the worst-case time for a wallet heartbeat\n /// during which the wallet is busy and canot take other actions.\n /// This is also the duration of the time lock applied to the wallet\n /// once a new heartbeat request is submitted.\n ///\n /// For example, if a deposit sweep proposal was submitted at\n /// 2 pm and heartbeatRequestValidity is 1 hour, the next request or\n /// proposal (of any type) can be submitted after 3 pm.\n uint32 public heartbeatRequestValidity;\n\n /// @notice Gas that is meant to balance the heartbeat request overall cost.\n /// Can be updated by the owner based on the current conditions.\n uint32 public heartbeatRequestGasOffset;\n\n /// @notice Determines the deposit sweep proposal validity time. In other\n /// words, this is the worst-case time for a deposit sweep during\n /// which the wallet is busy and cannot take another actions. This\n /// is also the duration of the time lock applied to the wallet\n /// once a new deposit sweep proposal is submitted.\n ///\n /// For example, if a deposit sweep proposal was submitted at\n /// 2 pm and depositSweepProposalValidity is 4 hours, the next\n /// proposal (of any type) can be submitted after 6 pm.\n uint32 public depositSweepProposalValidity;\n\n /// @notice The minimum time that must elapse since the deposit reveal\n /// before a deposit becomes eligible for a deposit sweep.\n ///\n /// For example, if a deposit was revealed at 9 am and depositMinAge\n /// is 2 hours, the deposit is eligible for sweep after 11 am.\n ///\n /// @dev Forcing deposit minimum age ensures block finality for Ethereum.\n /// In the happy path case, i.e. where the deposit is revealed immediately\n /// after being broadcast on the Bitcoin network, the minimum age\n /// check also ensures block finality for Bitcoin.\n uint32 public depositMinAge;\n\n /// @notice Each deposit can be technically swept until it reaches its\n /// refund timestamp after which it can be taken back by the depositor.\n /// However, allowing the wallet to sweep deposits that are close\n /// to their refund timestamp may cause a race between the wallet\n /// and the depositor. In result, the wallet may sign an invalid\n /// sweep transaction that aims to sweep an already refunded deposit.\n /// Such tx signature may be used to create an undefeatable fraud\n /// challenge against the wallet. In order to mitigate that problem,\n /// this parameter determines a safety margin that puts the latest\n /// moment a deposit can be swept far before the point after which\n /// the deposit becomes refundable.\n ///\n /// For example, if a deposit becomes refundable after 8 pm and\n /// depositRefundSafetyMargin is 6 hours, the deposit is valid for\n /// for a sweep only before 2 pm.\n uint32 public depositRefundSafetyMargin;\n\n /// @notice The maximum count of deposits that can be swept within a\n /// single sweep.\n uint16 public depositSweepMaxSize;\n\n /// @notice Gas that is meant to balance the deposit sweep proposal\n /// submission overall cost. Can be updated by the owner based on\n /// the current conditions.\n uint32 public depositSweepProposalSubmissionGasOffset;\n\n event CoordinatorAdded(address indexed coordinator);\n\n event CoordinatorRemoved(address indexed coordinator);\n\n event WalletManuallyUnlocked(bytes20 indexed walletPubKeyHash);\n\n event HeartbeatRequestParametersUpdated(\n uint32 heartbeatRequestValidity,\n uint32 heartbeatRequestGasOffset\n );\n\n event HeartbeatRequestSubmitted(\n bytes20 walletPubKeyHash,\n bytes message,\n address indexed coordinator\n );\n\n event DepositSweepProposalParametersUpdated(\n uint32 depositSweepProposalValidity,\n uint32 depositMinAge,\n uint32 depositRefundSafetyMargin,\n uint16 depositSweepMaxSize,\n uint32 depositSweepProposalSubmissionGasOffset\n );\n\n event DepositSweepProposalSubmitted(\n DepositSweepProposal proposal,\n address indexed coordinator\n );\n\n modifier onlyCoordinator() {\n require(isCoordinator[msg.sender], \"Caller is not a coordinator\");\n _;\n }\n\n modifier onlyAfterWalletLock(bytes20 walletPubKeyHash) {\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp > walletLock[walletPubKeyHash].expiresAt,\n \"Wallet locked\"\n );\n _;\n }\n\n modifier onlyReimbursableAdmin() override {\n require(owner() == msg.sender, \"Caller is not the owner\");\n _;\n }\n\n function initialize(Bridge _bridge) external initializer {\n __Ownable_init();\n\n bridge = _bridge;\n // Pre-fetch addresses to save gas later.\n (, , , reimbursementPool) = _bridge.contractReferences();\n\n heartbeatRequestValidity = 1 hours;\n heartbeatRequestGasOffset = 5_000;\n\n depositSweepProposalValidity = 4 hours;\n depositMinAge = 2 hours;\n depositRefundSafetyMargin = 24 hours;\n depositSweepMaxSize = 5;\n depositSweepProposalSubmissionGasOffset = 5_000;\n }\n\n /// @notice Adds the given address to the set of coordinator addresses.\n /// @param coordinator Address of the new coordinator.\n /// @dev Requirements:\n /// - The caller must be the owner,\n /// - The `coordinator` must not be an existing coordinator.\n function addCoordinator(address coordinator) external onlyOwner {\n require(\n !isCoordinator[coordinator],\n \"This address is already a coordinator\"\n );\n isCoordinator[coordinator] = true;\n emit CoordinatorAdded(coordinator);\n }\n\n /// @notice Removes the given address from the set of coordinator addresses.\n /// @param coordinator Address of the existing coordinator.\n /// @dev Requirements:\n /// - The caller must be the owner,\n /// - The `coordinator` must be an existing coordinator.\n function removeCoordinator(address coordinator) external onlyOwner {\n require(\n isCoordinator[coordinator],\n \"This address is not a coordinator\"\n );\n delete isCoordinator[coordinator];\n emit CoordinatorRemoved(coordinator);\n }\n\n /// @notice Allows to unlock the given wallet before their time lock expires.\n /// This function should be used in exceptional cases where\n /// something went wrong and there is a need to unlock the wallet\n /// without waiting.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet\n /// @dev Requirements:\n /// - The caller must be the owner.\n function unlockWallet(bytes20 walletPubKeyHash) external onlyOwner {\n // Just in case, allow the owner to unlock the wallet earlier.\n walletLock[walletPubKeyHash] = WalletLock(0, WalletAction.Idle);\n emit WalletManuallyUnlocked(walletPubKeyHash);\n }\n\n /// @notice Updates parameters related to heartbeat request.\n /// @param _heartbeatRequestValidity The new value of `heartbeatRequestValidity`.\n /// @param _heartbeatRequestGasOffset The new value of `heartbeatRequestGasOffset`.\n /// @dev Requirements:\n /// - The caller must be the owner.\n function updateHeartbeatRequestParameters(\n uint32 _heartbeatRequestValidity,\n uint32 _heartbeatRequestGasOffset\n ) external onlyOwner {\n heartbeatRequestValidity = _heartbeatRequestValidity;\n heartbeatRequestGasOffset = _heartbeatRequestGasOffset;\n emit HeartbeatRequestParametersUpdated(\n _heartbeatRequestValidity,\n _heartbeatRequestGasOffset\n );\n }\n\n /// @notice Updates parameters related to deposit sweep proposal.\n /// @param _depositSweepProposalValidity The new value of `depositSweepProposalValidity`.\n /// @param _depositMinAge The new value of `depositMinAge`.\n /// @param _depositRefundSafetyMargin The new value of `depositRefundSafetyMargin`.\n /// @param _depositSweepMaxSize The new value of `depositSweepMaxSize`.\n /// @dev Requirements:\n /// - The caller must be the owner.\n function updateDepositSweepProposalParameters(\n uint32 _depositSweepProposalValidity,\n uint32 _depositMinAge,\n uint32 _depositRefundSafetyMargin,\n uint16 _depositSweepMaxSize,\n uint32 _depositSweepProposalSubmissionGasOffset\n ) external onlyOwner {\n depositSweepProposalValidity = _depositSweepProposalValidity;\n depositMinAge = _depositMinAge;\n depositRefundSafetyMargin = _depositRefundSafetyMargin;\n depositSweepMaxSize = _depositSweepMaxSize;\n depositSweepProposalSubmissionGasOffset = _depositSweepProposalSubmissionGasOffset;\n\n emit DepositSweepProposalParametersUpdated(\n _depositSweepProposalValidity,\n _depositMinAge,\n _depositRefundSafetyMargin,\n _depositSweepMaxSize,\n _depositSweepProposalSubmissionGasOffset\n );\n }\n\n /// @notice Submits a heartbeat request from the wallet. Locks the wallet\n /// for a specific time, equal to the request validity period.\n /// This function validates the proposed heartbeat messge to see\n /// if it matches the heartbeat format expected by the Bridge.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet that is\n /// supposed to execute the heartbeat.\n /// @param message The proposed heartbeat message for the wallet to sign.\n /// @dev Requirements:\n /// - The caller is a coordinator,\n /// - The wallet is not time-locked,\n /// - The message to sign is a valid heartbeat message.\n function requestHeartbeat(bytes20 walletPubKeyHash, bytes calldata message)\n public\n onlyCoordinator\n onlyAfterWalletLock(walletPubKeyHash)\n {\n require(\n Heartbeat.isValidHeartbeatMessage(message),\n \"Not a valid heartbeat message\"\n );\n\n walletLock[walletPubKeyHash] = WalletLock(\n /* solhint-disable-next-line not-rely-on-time */\n uint32(block.timestamp) + heartbeatRequestValidity,\n WalletAction.Heartbeat\n );\n\n emit HeartbeatRequestSubmitted(walletPubKeyHash, message, msg.sender);\n }\n\n /// @notice Wraps `requestHeartbeat` call and reimburses the caller's\n /// transaction cost.\n /// @dev See `requestHeartbeat` function documentation.\n function requestHeartbeatWithReimbursement(\n bytes20 walletPubKeyHash,\n bytes calldata message\n ) external {\n uint256 gasStart = gasleft();\n\n requestHeartbeat(walletPubKeyHash, message);\n\n reimbursementPool.refund(\n (gasStart - gasleft()) + heartbeatRequestGasOffset,\n msg.sender\n );\n }\n\n /// @notice Submits a deposit sweep proposal. Locks the target wallet\n /// for a specific time, equal to the proposal validity period.\n /// This function does not store the proposal in the state but\n /// just emits an event that serves as a guiding light for wallet\n /// off-chain members. Wallet members are supposed to validate\n /// the proposal on their own, before taking any action.\n /// @param proposal The deposit sweep proposal\n /// @dev Requirements:\n /// - The caller is a coordinator,\n /// - The wallet is not time-locked.\n function submitDepositSweepProposal(DepositSweepProposal calldata proposal)\n public\n onlyCoordinator\n onlyAfterWalletLock(proposal.walletPubKeyHash)\n {\n walletLock[proposal.walletPubKeyHash] = WalletLock(\n /* solhint-disable-next-line not-rely-on-time */\n uint32(block.timestamp) + depositSweepProposalValidity,\n WalletAction.DepositSweep\n );\n\n emit DepositSweepProposalSubmitted(proposal, msg.sender);\n }\n\n /// @notice Wraps `submitDepositSweepProposal` call and reimburses the\n /// caller's transaction cost.\n /// @dev See `submitDepositSweepProposal` function documentation.\n function submitDepositSweepProposalWithReimbursement(\n DepositSweepProposal calldata proposal\n ) external {\n uint256 gasStart = gasleft();\n\n submitDepositSweepProposal(proposal);\n\n reimbursementPool.refund(\n (gasStart - gasleft()) + depositSweepProposalSubmissionGasOffset,\n msg.sender\n );\n }\n\n /// @notice View function encapsulating the main rules of a valid deposit\n /// sweep proposal. This function is meant to facilitate the off-chain\n /// validation of the incoming proposals. Thanks to it, most\n /// of the work can be done using a single readonly contract call.\n /// Worth noting, the validation done here is not exhaustive as some\n /// conditions may not be verifiable within the on-chain function or\n /// checking them may be easier on the off-chain side. For example,\n /// this function does not check the SPV proofs and confirmations of\n /// the deposit funding transactions as this would require an\n /// integration with the difficulty relay that greatly increases\n /// complexity. Instead of that, each off-chain wallet member is\n /// supposed to do that check on their own.\n /// @param proposal The sweeping proposal to validate.\n /// @param depositsExtraInfo Deposits extra data required to perform the validation.\n /// @return True if the proposal is valid. Reverts otherwise.\n /// @dev Requirements:\n /// - The target wallet must be in the Live state,\n /// - The number of deposits included in the sweep must be in\n /// the range [1, `depositSweepMaxSize`],\n /// - The length of `depositsExtraInfo` array must be equal to the\n /// length of `proposal.depositsKeys`, i.e. each deposit must\n /// have exactly one set of corresponding extra data,\n /// - The proposed sweep tx fee must be grater than zero,\n /// - The proposed maximum per-deposit sweep tx fee must be lesser than\n /// or equal the maximum fee allowed by the Bridge (`Bridge.depositTxMaxFee`),\n /// - Each deposit must be revealed to the Bridge,\n /// - Each deposit must be old enough, i.e. at least `depositMinAge`\n /// elapsed since their reveal time,\n /// - Each deposit must not be swept yet,\n /// - Each deposit must have valid extra data (see `validateDepositExtraInfo`),\n /// - Each deposit must have the refund safety margin preserved,\n /// - Each deposit must be controlled by the same wallet,\n /// - Each deposit must target the same vault.\n ///\n /// The following off-chain validation must be performed as a bare minimum:\n /// - Inputs used for the sweep transaction have enough Bitcoin confirmations,\n /// - Deposits revealed to the Bridge have enough Ethereum confirmations.\n function validateDepositSweepProposal(\n DepositSweepProposal calldata proposal,\n DepositExtraInfo[] calldata depositsExtraInfo\n ) external view returns (bool) {\n require(\n bridge.wallets(proposal.walletPubKeyHash).state ==\n Wallets.WalletState.Live,\n \"Wallet is not in Live state\"\n );\n\n require(proposal.depositsKeys.length > 0, \"Sweep below the min size\");\n\n require(\n proposal.depositsKeys.length <= depositSweepMaxSize,\n \"Sweep exceeds the max size\"\n );\n\n require(\n proposal.depositsKeys.length == depositsExtraInfo.length,\n \"Each deposit key must have matching extra data\"\n );\n\n validateSweepTxFee(proposal.sweepTxFee, proposal.depositsKeys.length);\n\n address proposalVault = address(0);\n\n for (uint256 i = 0; i < proposal.depositsKeys.length; i++) {\n DepositKey memory depositKey = proposal.depositsKeys[i];\n DepositExtraInfo memory depositExtraInfo = depositsExtraInfo[i];\n\n // slither-disable-next-line calls-loop\n Deposit.DepositRequest memory depositRequest = bridge.deposits(\n uint256(\n keccak256(\n abi.encodePacked(\n depositKey.fundingTxHash,\n depositKey.fundingOutputIndex\n )\n )\n )\n );\n\n require(depositRequest.revealedAt != 0, \"Deposit not revealed\");\n\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp > depositRequest.revealedAt + depositMinAge,\n \"Deposit min age not achieved yet\"\n );\n\n require(depositRequest.sweptAt == 0, \"Deposit already swept\");\n\n validateDepositExtraInfo(\n depositKey,\n depositRequest.depositor,\n depositExtraInfo\n );\n\n uint32 depositRefundableTimestamp = BTCUtils.reverseUint32(\n uint32(depositExtraInfo.refundLocktime)\n );\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp <\n depositRefundableTimestamp - depositRefundSafetyMargin,\n \"Deposit refund safety margin is not preserved\"\n );\n\n require(\n depositExtraInfo.walletPubKeyHash == proposal.walletPubKeyHash,\n \"Deposit controlled by different wallet\"\n );\n\n // Make sure all deposits target the same vault by using the\n // vault of the first deposit as a reference.\n if (i == 0) {\n proposalVault = depositRequest.vault;\n }\n require(\n depositRequest.vault == proposalVault,\n \"Deposit targets different vault\"\n );\n }\n\n return true;\n }\n\n /// @notice Validates the sweep tx fee by checking if the part of the fee\n /// incurred by each deposit does not exceed the maximum value\n /// allowed by the Bridge. This function is heavily based on\n /// `DepositSweep.depositSweepTxFeeDistribution` function.\n /// @param sweepTxFee The sweep transaction fee.\n /// @param depositsCount Count of the deposits swept by the sweep transaction.\n /// @dev Requirements:\n /// - The sweep tx fee must be grater than zero,\n /// - The maximum per-deposit sweep tx fee must be lesser than or equal\n /// the maximum fee allowed by the Bridge (`Bridge.depositTxMaxFee`).\n function validateSweepTxFee(uint256 sweepTxFee, uint256 depositsCount)\n internal\n view\n {\n require(sweepTxFee > 0, \"Proposed transaction fee cannot be zero\");\n\n // Compute the indivisible remainder that remains after dividing the\n // sweep transaction fee over all deposits evenly.\n uint256 depositTxFeeRemainder = sweepTxFee % depositsCount;\n // Compute the transaction fee per deposit by dividing the sweep\n // transaction fee (reduced by the remainder) by the number of deposits.\n uint256 depositTxFee = (sweepTxFee - depositTxFeeRemainder) /\n depositsCount;\n\n (, , uint64 depositTxMaxFee, ) = bridge.depositParameters();\n\n // The transaction fee is incurred by each deposit evenly except for the last\n // deposit that has the indivisible remainder additionally incurred.\n // See `DepositSweep.submitDepositSweepProof`.\n // We must make sure the highest value of the deposit transaction fee does\n // not exceed the maximum value limited by the governable parameter.\n require(\n depositTxFee + depositTxFeeRemainder <= depositTxMaxFee,\n \"Proposed transaction fee is too high\"\n );\n }\n\n /// @notice Validates the extra data for the given deposit. This function\n /// is heavily based on `Deposit.revealDeposit` function.\n /// @param depositKey Key of the given deposit.\n /// @param depositor Depositor that revealed the deposit.\n /// @param depositExtraInfo Extra data being subject of the validation.\n /// @dev Requirements:\n /// - The transaction hash computed using `depositExtraInfo.fundingTx`\n /// must match the `depositKey.fundingTxHash`. This requirement\n /// ensures the funding transaction data provided in the extra\n /// data container actually represent the funding transaction of\n /// the given deposit.\n /// - The P2(W)SH script inferred from `depositExtraInfo` is actually\n /// used to lock funds by the `depositKey.fundingOutputIndex` output\n /// of the `depositExtraInfo.fundingTx` transaction. This requirement\n /// ensures the reveal data provided in the extra data container\n /// actually matches the given deposit.\n function validateDepositExtraInfo(\n DepositKey memory depositKey,\n address depositor,\n DepositExtraInfo memory depositExtraInfo\n ) internal view {\n bytes32 depositExtraFundingTxHash = abi\n .encodePacked(\n depositExtraInfo.fundingTx.version,\n depositExtraInfo.fundingTx.inputVector,\n depositExtraInfo.fundingTx.outputVector,\n depositExtraInfo.fundingTx.locktime\n )\n .hash256View();\n\n // Make sure the funding tx provided as part of deposit extra data\n // actually matches the deposit referred by the given deposit key.\n if (depositKey.fundingTxHash != depositExtraFundingTxHash) {\n revert(\"Extra info funding tx hash does not match\");\n }\n\n bytes memory expectedScript = abi.encodePacked(\n hex\"14\", // Byte length of depositor Ethereum address.\n depositor,\n hex\"75\", // OP_DROP\n hex\"08\", // Byte length of blinding factor value.\n depositExtraInfo.blindingFactor,\n hex\"75\", // OP_DROP\n hex\"76\", // OP_DUP\n hex\"a9\", // OP_HASH160\n hex\"14\", // Byte length of a compressed Bitcoin public key hash.\n depositExtraInfo.walletPubKeyHash,\n hex\"87\", // OP_EQUAL\n hex\"63\", // OP_IF\n hex\"ac\", // OP_CHECKSIG\n hex\"67\", // OP_ELSE\n hex\"76\", // OP_DUP\n hex\"a9\", // OP_HASH160\n hex\"14\", // Byte length of a compressed Bitcoin public key hash.\n depositExtraInfo.refundPubKeyHash,\n hex\"88\", // OP_EQUALVERIFY\n hex\"04\", // Byte length of refund locktime value.\n depositExtraInfo.refundLocktime,\n hex\"b1\", // OP_CHECKLOCKTIMEVERIFY\n hex\"75\", // OP_DROP\n hex\"ac\", // OP_CHECKSIG\n hex\"68\" // OP_ENDIF\n );\n\n bytes memory fundingOutput = depositExtraInfo\n .fundingTx\n .outputVector\n .extractOutputAtIndex(depositKey.fundingOutputIndex);\n bytes memory fundingOutputHash = fundingOutput.extractHash();\n\n // Path that checks the deposit extra data validity in case the\n // referred deposit is a P2SH.\n if (\n // slither-disable-next-line calls-loop\n fundingOutputHash.length == 20 &&\n fundingOutputHash.slice20(0) == expectedScript.hash160View()\n ) {\n return;\n }\n\n // Path that checks the deposit extra data validity in case the\n // referred deposit is a P2WSH.\n if (\n fundingOutputHash.length == 32 &&\n fundingOutputHash.toBytes32() == sha256(expectedScript)\n ) {\n return;\n }\n\n revert(\"Extra info funding output script does not match\");\n }\n}\n"
|
|
168
168
|
},
|
|
169
169
|
"contracts/bridge/Wallets.sol": {
|
|
170
170
|
"content": "// SPDX-License-Identifier: GPL-3.0-only\n\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ██████████████ ▐████▌ ██████████████\n// ██████████████ ▐████▌ ██████████████\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n// ▐████▌ ▐████▌\n\npragma solidity 0.8.17;\n\nimport {BTCUtils} from \"@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol\";\nimport {EcdsaDkg} from \"@keep-network/ecdsa/contracts/libraries/EcdsaDkg.sol\";\nimport {Math} from \"@openzeppelin/contracts/utils/math/Math.sol\";\n\nimport \"./BitcoinTx.sol\";\nimport \"./EcdsaLib.sol\";\nimport \"./BridgeState.sol\";\n\n/// @title Wallet library\n/// @notice Library responsible for handling integration between Bridge\n/// contract and ECDSA wallets.\nlibrary Wallets {\n using BTCUtils for bytes;\n\n /// @notice Represents wallet state:\n enum WalletState {\n /// @dev The wallet is unknown to the Bridge.\n Unknown,\n /// @dev The wallet can sweep deposits and accept redemption requests.\n Live,\n /// @dev The wallet was deemed unhealthy and is expected to move their\n /// outstanding funds to another wallet. The wallet can still\n /// fulfill their pending redemption requests although new\n /// redemption requests and new deposit reveals are not accepted.\n MovingFunds,\n /// @dev The wallet moved or redeemed all their funds and is in the\n /// closing period where it is still a subject of fraud challenges\n /// and must defend against them. This state is needed to protect\n /// against deposit frauds on deposits revealed but not swept.\n /// The closing period must be greater that the deposit refund\n /// time plus some time margin.\n Closing,\n /// @dev The wallet finalized the closing period successfully and\n /// can no longer perform any action in the Bridge.\n Closed,\n /// @dev The wallet committed a fraud that was reported, did not move\n /// funds to another wallet before a timeout, or did not sweep\n /// funds moved to if from another wallet before a timeout. The\n /// wallet is blocked and can not perform any actions in the Bridge.\n /// Off-chain coordination with the wallet operators is needed to\n /// recover funds.\n Terminated\n }\n\n /// @notice Holds information about a wallet.\n struct Wallet {\n // Identifier of a ECDSA Wallet registered in the ECDSA Wallet Registry.\n bytes32 ecdsaWalletID;\n // Latest wallet's main UTXO hash computed as\n // keccak256(txHash | txOutputIndex | txOutputValue). The `tx` prefix\n // refers to the transaction which created that main UTXO. The `txHash`\n // is `bytes32` (ordered as in Bitcoin internally), `txOutputIndex`\n // an `uint32`, and `txOutputValue` an `uint64` value.\n bytes32 mainUtxoHash;\n // The total redeemable value of pending redemption requests targeting\n // that wallet.\n uint64 pendingRedemptionsValue;\n // UNIX timestamp the wallet was created at.\n // XXX: Unsigned 32-bit int unix seconds, will break February 7th 2106.\n uint32 createdAt;\n // UNIX timestamp indicating the moment the wallet was requested to\n // move their funds.\n // XXX: Unsigned 32-bit int unix seconds, will break February 7th 2106.\n uint32 movingFundsRequestedAt;\n // UNIX timestamp indicating the moment the wallet's closing period\n // started.\n // XXX: Unsigned 32-bit int unix seconds, will break February 7th 2106.\n uint32 closingStartedAt;\n // Total count of pending moved funds sweep requests targeting this wallet.\n uint32 pendingMovedFundsSweepRequestsCount;\n // Current state of the wallet.\n WalletState state;\n // Moving funds target wallet commitment submitted by the wallet. It\n // is built by applying the keccak256 hash over the list of 20-byte\n // public key hashes of the target wallets.\n bytes32 movingFundsTargetWalletsCommitmentHash;\n // This struct doesn't contain `__gap` property as the structure is stored\n // in a mapping, mappings store values in different slots and they are\n // not contiguous with other values.\n }\n\n event NewWalletRequested();\n\n event NewWalletRegistered(\n bytes32 indexed ecdsaWalletID,\n bytes20 indexed walletPubKeyHash\n );\n\n event WalletMovingFunds(\n bytes32 indexed ecdsaWalletID,\n bytes20 indexed walletPubKeyHash\n );\n\n event WalletClosing(\n bytes32 indexed ecdsaWalletID,\n bytes20 indexed walletPubKeyHash\n );\n\n event WalletClosed(\n bytes32 indexed ecdsaWalletID,\n bytes20 indexed walletPubKeyHash\n );\n\n event WalletTerminated(\n bytes32 indexed ecdsaWalletID,\n bytes20 indexed walletPubKeyHash\n );\n\n /// @notice Requests creation of a new wallet. This function just\n /// forms a request and the creation process is performed\n /// asynchronously. Outcome of that process should be delivered\n /// using `registerNewWallet` function.\n /// @param activeWalletMainUtxo Data of the active wallet's main UTXO, as\n /// currently known on the Ethereum chain.\n /// @dev Requirements:\n /// - `activeWalletMainUtxo` components must point to the recent main\n /// UTXO of the given active wallet, as currently known on the\n /// Ethereum chain. If there is no active wallet at the moment, or\n /// the active wallet has no main UTXO, this parameter can be\n /// empty as it is ignored,\n /// - Wallet creation must not be in progress,\n /// - If the active wallet is set, one of the following\n /// conditions must be true:\n /// - The active wallet BTC balance is above the minimum threshold\n /// and the active wallet is old enough, i.e. the creation period\n /// was elapsed since its creation time,\n /// - The active wallet BTC balance is above the maximum threshold.\n function requestNewWallet(\n BridgeState.Storage storage self,\n BitcoinTx.UTXO calldata activeWalletMainUtxo\n ) external {\n require(\n self.ecdsaWalletRegistry.getWalletCreationState() ==\n EcdsaDkg.State.IDLE,\n \"Wallet creation already in progress\"\n );\n\n bytes20 activeWalletPubKeyHash = self.activeWalletPubKeyHash;\n\n // If the active wallet is set, fetch this wallet's details from\n // storage to perform conditions check. The `registerNewWallet`\n // function guarantees an active wallet is always one of the\n // registered ones.\n if (activeWalletPubKeyHash != bytes20(0)) {\n uint64 activeWalletBtcBalance = getWalletBtcBalance(\n self,\n activeWalletPubKeyHash,\n activeWalletMainUtxo\n );\n uint32 activeWalletCreatedAt = self\n .registeredWallets[activeWalletPubKeyHash]\n .createdAt;\n /* solhint-disable-next-line not-rely-on-time */\n bool activeWalletOldEnough = block.timestamp >=\n activeWalletCreatedAt + self.walletCreationPeriod;\n\n require(\n (activeWalletOldEnough &&\n activeWalletBtcBalance >=\n self.walletCreationMinBtcBalance) ||\n activeWalletBtcBalance >= self.walletCreationMaxBtcBalance,\n \"Wallet creation conditions are not met\"\n );\n }\n\n emit NewWalletRequested();\n\n self.ecdsaWalletRegistry.requestNewWallet();\n }\n\n /// @notice Registers a new wallet. This function should be called\n /// after the wallet creation process initiated using\n /// `requestNewWallet` completes and brings the outcomes.\n /// @param ecdsaWalletID Wallet's unique identifier.\n /// @param publicKeyX Wallet's public key's X coordinate.\n /// @param publicKeyY Wallet's public key's Y coordinate.\n /// @dev Requirements:\n /// - The only caller authorized to call this function is `registry`,\n /// - Given wallet data must not belong to an already registered wallet.\n function registerNewWallet(\n BridgeState.Storage storage self,\n bytes32 ecdsaWalletID,\n bytes32 publicKeyX,\n bytes32 publicKeyY\n ) external {\n require(\n msg.sender == address(self.ecdsaWalletRegistry),\n \"Caller is not the ECDSA Wallet Registry\"\n );\n\n // Compress wallet's public key and calculate Bitcoin's hash160 of it.\n bytes20 walletPubKeyHash = bytes20(\n EcdsaLib.compressPublicKey(publicKeyX, publicKeyY).hash160View()\n );\n\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n require(\n wallet.state == WalletState.Unknown,\n \"ECDSA wallet has been already registered\"\n );\n wallet.ecdsaWalletID = ecdsaWalletID;\n wallet.state = WalletState.Live;\n /* solhint-disable-next-line not-rely-on-time */\n wallet.createdAt = uint32(block.timestamp);\n\n // Set the freshly created wallet as the new active wallet.\n self.activeWalletPubKeyHash = walletPubKeyHash;\n\n self.liveWalletsCount++;\n\n emit NewWalletRegistered(ecdsaWalletID, walletPubKeyHash);\n }\n\n /// @notice Handles a notification about a wallet redemption timeout.\n /// Triggers the wallet moving funds process only if the wallet is\n /// still in the Live state. That means multiple action timeouts can\n /// be reported for the same wallet but only the first report\n /// requests the wallet to move their funds. Executes slashing if\n /// the wallet is in Live or MovingFunds state. Allows to notify\n /// redemption timeout also for a Terminated wallet in case the\n /// redemption was requested before the wallet got terminated.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param walletMembersIDs Identifiers of the wallet signing group members.\n /// @dev Requirements:\n /// - The wallet must be in the `Live`, `MovingFunds`,\n /// or `Terminated` state.\n function notifyWalletRedemptionTimeout(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n uint32[] calldata walletMembersIDs\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n WalletState walletState = wallet.state;\n\n require(\n walletState == WalletState.Live ||\n walletState == WalletState.MovingFunds ||\n walletState == WalletState.Terminated,\n \"Wallet must be in Live or MovingFunds or Terminated state\"\n );\n\n if (\n walletState == Wallets.WalletState.Live ||\n walletState == Wallets.WalletState.MovingFunds\n ) {\n // Slash the wallet operators and reward the notifier\n self.ecdsaWalletRegistry.seize(\n self.redemptionTimeoutSlashingAmount,\n self.redemptionTimeoutNotifierRewardMultiplier,\n msg.sender,\n wallet.ecdsaWalletID,\n walletMembersIDs\n );\n }\n\n if (walletState == WalletState.Live) {\n moveFunds(self, walletPubKeyHash);\n }\n }\n\n /// @notice Handles a notification about a wallet heartbeat failure and\n /// triggers the wallet moving funds process.\n /// @param publicKeyX Wallet's public key's X coordinate.\n /// @param publicKeyY Wallet's public key's Y coordinate.\n /// @dev Requirements:\n /// - The only caller authorized to call this function is `registry`,\n /// - Wallet must be in Live state.\n function notifyWalletHeartbeatFailed(\n BridgeState.Storage storage self,\n bytes32 publicKeyX,\n bytes32 publicKeyY\n ) external {\n require(\n msg.sender == address(self.ecdsaWalletRegistry),\n \"Caller is not the ECDSA Wallet Registry\"\n );\n\n // Compress wallet's public key and calculate Bitcoin's hash160 of it.\n bytes20 walletPubKeyHash = bytes20(\n EcdsaLib.compressPublicKey(publicKeyX, publicKeyY).hash160View()\n );\n\n require(\n self.registeredWallets[walletPubKeyHash].state == WalletState.Live,\n \"Wallet must be in Live state\"\n );\n\n moveFunds(self, walletPubKeyHash);\n }\n\n /// @notice Notifies that the wallet is either old enough or has too few\n /// satoshis left and qualifies to be closed.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param walletMainUtxo Data of the wallet's main UTXO, as currently\n /// known on the Ethereum chain.\n /// @dev Requirements:\n /// - Wallet must not be set as the current active wallet,\n /// - Wallet must exceed the wallet maximum age OR the wallet BTC\n /// balance must be lesser than the minimum threshold. If the latter\n /// case is true, the `walletMainUtxo` components must point to the\n /// recent main UTXO of the given wallet, as currently known on the\n /// Ethereum chain. If the wallet has no main UTXO, this parameter\n /// can be empty as it is ignored since the wallet balance is\n /// assumed to be zero,\n /// - Wallet must be in Live state.\n function notifyWalletCloseable(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n BitcoinTx.UTXO calldata walletMainUtxo\n ) external {\n require(\n self.activeWalletPubKeyHash != walletPubKeyHash,\n \"Active wallet cannot be considered closeable\"\n );\n\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n require(\n wallet.state == WalletState.Live,\n \"Wallet must be in Live state\"\n );\n\n /* solhint-disable-next-line not-rely-on-time */\n bool walletOldEnough = block.timestamp >=\n wallet.createdAt + self.walletMaxAge;\n\n require(\n walletOldEnough ||\n getWalletBtcBalance(self, walletPubKeyHash, walletMainUtxo) <\n self.walletClosureMinBtcBalance,\n \"Wallet needs to be old enough or have too few satoshis\"\n );\n\n moveFunds(self, walletPubKeyHash);\n }\n\n /// @notice Notifies about the end of the closing period for the given wallet.\n /// Closes the wallet ultimately and notifies the ECDSA registry\n /// about this fact.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The wallet must be in the Closing state,\n /// - The wallet closing period must have elapsed.\n function notifyWalletClosingPeriodElapsed(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n\n require(\n wallet.state == WalletState.Closing,\n \"Wallet must be in Closing state\"\n );\n\n require(\n /* solhint-disable-next-line not-rely-on-time */\n block.timestamp >\n wallet.closingStartedAt + self.walletClosingPeriod,\n \"Closing period has not elapsed yet\"\n );\n\n finalizeWalletClosing(self, walletPubKeyHash);\n }\n\n /// @notice Notifies that the wallet completed the moving funds process\n /// successfully. Checks if the funds were moved to the expected\n /// target wallets. Closes the source wallet if everything went\n /// good and reverts otherwise.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param targetWalletsHash 32-byte keccak256 hash over the list of\n /// 20-byte public key hashes of the target wallets actually used\n /// within the moving funds transactions.\n /// @dev Requirements:\n /// - The caller must make sure the moving funds transaction actually\n /// happened on Bitcoin chain and fits the protocol requirements,\n /// - The source wallet must be in the MovingFunds state,\n /// - The target wallets commitment must be submitted by the source\n /// wallet,\n /// - The actual target wallets used in the moving funds transaction\n /// must be exactly the same as the target wallets commitment.\n function notifyWalletFundsMoved(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n bytes32 targetWalletsHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n // Check that the wallet is in the MovingFunds state but don't check\n // if the moving funds timeout is exceeded. That should give a\n // possibility to move funds in case when timeout was hit but was\n // not reported yet.\n require(\n wallet.state == WalletState.MovingFunds,\n \"Wallet must be in MovingFunds state\"\n );\n\n bytes32 targetWalletsCommitmentHash = wallet\n .movingFundsTargetWalletsCommitmentHash;\n\n require(\n targetWalletsCommitmentHash != bytes32(0),\n \"Target wallets commitment not submitted yet\"\n );\n\n // Make sure that the target wallets where funds were moved to are\n // exactly the same as the ones the source wallet committed to.\n require(\n targetWalletsCommitmentHash == targetWalletsHash,\n \"Target wallets don't correspond to the commitment\"\n );\n\n // If funds were moved, the wallet has no longer a main UTXO.\n delete wallet.mainUtxoHash;\n\n beginWalletClosing(self, walletPubKeyHash);\n }\n\n /// @notice Called when a MovingFunds wallet has a balance below the dust\n /// threshold. Begins the wallet closing.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The wallet must be in the MovingFunds state.\n function notifyWalletMovingFundsBelowDust(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n WalletState walletState = self\n .registeredWallets[walletPubKeyHash]\n .state;\n\n require(\n walletState == Wallets.WalletState.MovingFunds,\n \"Wallet must be in MovingFunds state\"\n );\n\n beginWalletClosing(self, walletPubKeyHash);\n }\n\n /// @notice Called when the timeout for MovingFunds for the wallet elapsed.\n /// Slashes wallet members and terminates the wallet.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param walletMembersIDs Identifiers of the wallet signing group members.\n /// @dev Requirements:\n /// - The wallet must be in the MovingFunds state.\n function notifyWalletMovingFundsTimeout(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n uint32[] calldata walletMembersIDs\n ) internal {\n Wallets.Wallet storage wallet = self.registeredWallets[\n walletPubKeyHash\n ];\n\n require(\n wallet.state == Wallets.WalletState.MovingFunds,\n \"Wallet must be in MovingFunds state\"\n );\n\n self.ecdsaWalletRegistry.seize(\n self.movingFundsTimeoutSlashingAmount,\n self.movingFundsTimeoutNotifierRewardMultiplier,\n msg.sender,\n wallet.ecdsaWalletID,\n walletMembersIDs\n );\n\n terminateWallet(self, walletPubKeyHash);\n }\n\n /// @notice Called when a wallet which was asked to sweep funds moved from\n /// another wallet did not provide a sweeping proof before a timeout.\n /// Slashes and terminates the wallet who failed to provide a proof.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet which was\n /// supposed to sweep funds.\n /// @param walletMembersIDs Identifiers of the wallet signing group members.\n /// @dev Requirements:\n /// - The wallet must be in the `Live`, `MovingFunds`,\n /// or `Terminated` state.\n function notifyWalletMovedFundsSweepTimeout(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n uint32[] calldata walletMembersIDs\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n WalletState walletState = wallet.state;\n\n require(\n walletState == WalletState.Live ||\n walletState == WalletState.MovingFunds ||\n walletState == WalletState.Terminated,\n \"Wallet must be in Live or MovingFunds or Terminated state\"\n );\n\n if (\n walletState == Wallets.WalletState.Live ||\n walletState == Wallets.WalletState.MovingFunds\n ) {\n self.ecdsaWalletRegistry.seize(\n self.movedFundsSweepTimeoutSlashingAmount,\n self.movedFundsSweepTimeoutNotifierRewardMultiplier,\n msg.sender,\n wallet.ecdsaWalletID,\n walletMembersIDs\n );\n\n terminateWallet(self, walletPubKeyHash);\n }\n }\n\n /// @notice Called when a wallet which was challenged for a fraud did not\n /// defeat the challenge before the timeout. Slashes and terminates\n /// the wallet who failed to defeat the challenge. If the wallet is\n /// already terminated, it does nothing.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet which was\n /// supposed to sweep funds.\n /// @param walletMembersIDs Identifiers of the wallet signing group members.\n /// @param challenger Address of the party which submitted the fraud\n /// challenge.\n /// @dev Requirements:\n /// - The wallet must be in the `Live`, `MovingFunds`, `Closing`\n /// or `Terminated` state.\n function notifyWalletFraudChallengeDefeatTimeout(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n uint32[] calldata walletMembersIDs,\n address challenger\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n WalletState walletState = wallet.state;\n\n if (\n walletState == Wallets.WalletState.Live ||\n walletState == Wallets.WalletState.MovingFunds ||\n walletState == Wallets.WalletState.Closing\n ) {\n self.ecdsaWalletRegistry.seize(\n self.fraudSlashingAmount,\n self.fraudNotifierRewardMultiplier,\n challenger,\n wallet.ecdsaWalletID,\n walletMembersIDs\n );\n\n terminateWallet(self, walletPubKeyHash);\n } else if (walletState == Wallets.WalletState.Terminated) {\n // This is a special case when the wallet was already terminated\n // due to a previous deliberate protocol violation. In that\n // case, this function should be still callable for other fraud\n // challenges timeouts in order to let the challenger unlock its\n // ETH deposit back. However, the wallet termination logic is\n // not called and the challenger is not rewarded.\n } else {\n revert(\n \"Wallet must be in Live or MovingFunds or Closing or Terminated state\"\n );\n }\n }\n\n /// @notice Requests a wallet to move their funds. If the wallet balance\n /// is zero, the wallet closing begins immediately. If the move\n /// funds request refers to the current active wallet, such a wallet\n /// is no longer considered active and the active wallet slot\n /// is unset allowing to trigger a new wallet creation immediately.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The caller must make sure that the wallet is in the Live state.\n function moveFunds(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n\n if (wallet.mainUtxoHash == bytes32(0)) {\n // If the wallet has no main UTXO, that means its BTC balance\n // is zero and the wallet closing should begin immediately.\n beginWalletClosing(self, walletPubKeyHash);\n } else {\n // Otherwise, initialize the moving funds process.\n wallet.state = WalletState.MovingFunds;\n /* solhint-disable-next-line not-rely-on-time */\n wallet.movingFundsRequestedAt = uint32(block.timestamp);\n\n // slither-disable-next-line reentrancy-events\n emit WalletMovingFunds(wallet.ecdsaWalletID, walletPubKeyHash);\n }\n\n if (self.activeWalletPubKeyHash == walletPubKeyHash) {\n // If the move funds request refers to the current active wallet,\n // unset the active wallet and make the wallet creation process\n // possible in order to get a new healthy active wallet.\n delete self.activeWalletPubKeyHash;\n }\n\n self.liveWalletsCount--;\n }\n\n /// @notice Begins the closing period of the given wallet.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The caller must make sure that the wallet is in the\n /// MovingFunds state.\n function beginWalletClosing(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n // Initialize the closing period.\n wallet.state = WalletState.Closing;\n /* solhint-disable-next-line not-rely-on-time */\n wallet.closingStartedAt = uint32(block.timestamp);\n\n // slither-disable-next-line reentrancy-events\n emit WalletClosing(wallet.ecdsaWalletID, walletPubKeyHash);\n }\n\n /// @notice Finalizes the closing period of the given wallet and notifies\n /// the ECDSA registry about this fact.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The caller must make sure that the wallet is in the Closing state.\n function finalizeWalletClosing(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n\n wallet.state = WalletState.Closed;\n\n emit WalletClosed(wallet.ecdsaWalletID, walletPubKeyHash);\n\n self.ecdsaWalletRegistry.closeWallet(wallet.ecdsaWalletID);\n }\n\n /// @notice Terminates the given wallet and notifies the ECDSA registry\n /// about this fact. If the wallet termination refers to the current\n /// active wallet, such a wallet is no longer considered active and\n /// the active wallet slot is unset allowing to trigger a new wallet\n /// creation immediately.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @dev Requirements:\n /// - The caller must make sure that the wallet is in the\n /// Live or MovingFunds or Closing state.\n function terminateWallet(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash\n ) internal {\n Wallet storage wallet = self.registeredWallets[walletPubKeyHash];\n\n if (wallet.state == WalletState.Live) {\n self.liveWalletsCount--;\n }\n\n wallet.state = WalletState.Terminated;\n\n // slither-disable-next-line reentrancy-events\n emit WalletTerminated(wallet.ecdsaWalletID, walletPubKeyHash);\n\n if (self.activeWalletPubKeyHash == walletPubKeyHash) {\n // If termination refers to the current active wallet,\n // unset the active wallet and make the wallet creation process\n // possible in order to get a new healthy active wallet.\n delete self.activeWalletPubKeyHash;\n }\n\n self.ecdsaWalletRegistry.closeWallet(wallet.ecdsaWalletID);\n }\n\n /// @notice Gets BTC balance for given the wallet.\n /// @param walletPubKeyHash 20-byte public key hash of the wallet.\n /// @param walletMainUtxo Data of the wallet's main UTXO, as currently\n /// known on the Ethereum chain.\n /// @return walletBtcBalance Current BTC balance for the given wallet.\n /// @dev Requirements:\n /// - `walletMainUtxo` components must point to the recent main UTXO\n /// of the given wallet, as currently known on the Ethereum chain.\n /// If the wallet has no main UTXO, this parameter can be empty as it\n /// is ignored.\n function getWalletBtcBalance(\n BridgeState.Storage storage self,\n bytes20 walletPubKeyHash,\n BitcoinTx.UTXO calldata walletMainUtxo\n ) internal view returns (uint64 walletBtcBalance) {\n bytes32 walletMainUtxoHash = self\n .registeredWallets[walletPubKeyHash]\n .mainUtxoHash;\n\n // If the wallet has a main UTXO hash set, cross-check it with the\n // provided plain-text parameter and get the transaction output value\n // as BTC balance. Otherwise, the BTC balance is just zero.\n if (walletMainUtxoHash != bytes32(0)) {\n require(\n keccak256(\n abi.encodePacked(\n walletMainUtxo.txHash,\n walletMainUtxo.txOutputIndex,\n walletMainUtxo.txOutputValue\n )\n ) == walletMainUtxoHash,\n \"Invalid wallet main UTXO data\"\n );\n\n walletBtcBalance = walletMainUtxo.txOutputValue;\n }\n\n return walletBtcBalance;\n }\n}\n"
|