@layerzerolabs/layerzero-v2-ton 3.0.19-ton.0 → 3.0.19-ton.1

package/src/protocol/channel/interface.fc

@@ -0,0 +1,60 @@
+#include "callbackOpcodes.fc";
+
+;; Opcodes
+const int Channel::OP::SET_EP_CONFIG_OAPP = "Channel::OP::SET_EP_CONFIG_OAPP"c;
+const int Channel::OP::MSGLIB_SEND_CALLBACK = "Channel::OP::MSGLIB_SEND_CALLBACK"c;
+const int Channel::OP::CHANNEL_SEND = "Channel::OP::CHANNEL_SEND"c;
+const int Channel::OP::CHANNEL_COMMIT_PACKET = "Channel::OP::CHANNEL_COMMIT_PACKET"c;
+const int Channel::OP::LZ_RECEIVE_PREPARE = "Channel::OP::LZ_RECEIVE_PREPARE"c;
+const int Channel::OP::DEPOSIT_ZRO = "Channel::OP::DEPOSIT_ZRO"c;
+const int Channel::OP::NILIFY = "Channel::OP::NILIFY"c;
+const int Channel::OP::BURN = "Channel::OP::BURN"c;
+const int Channel::OP::FORCE_ABORT = "Channel::OP::FORCE_ABORT"c;
+const int Channel::OP::LZ_RECEIVE_LOCK = "Channel::OP::LZ_RECEIVE_LOCK"c;
+const int Channel::OP::SYNC_MSGLIB_CONNECTION = "Channel::OP::SYNC_MSGLIB_CONNECTION"c;
+const int Channel::OP::LZ_RECEIVE_EXECUTE_CALLBACK = "Channel::OP::LZ_RECEIVE_EXECUTE_CALLBACK"c;
+const int Channel::OP::NOTIFY_PACKET_EXECUTED = "Channel::OP::NOTIFY_PACKET_EXECUTED"c;
+const int Channel::OP::EMIT_LZ_RECEIVE_ALERT = "Channel::OP::EMIT_LZ_RECEIVE_ALERT"c;
+
+;; EVENTS
+const int Channel::event::EP_CFG_OAPP_SET = "Channel::event::EP_CFG_OAPP_SET"u;
+const int Channel::event::PACKET_SENT = "Channel::event::PACKET_SENT"u;
+const int Channel::event::PACKET_COMMITTED = "Channel::event::PACKET_COMMITTED"u;
+const int Channel::event::PACKET_NILIFIED = "Channel::event::PACKET_NILIFIED"u;
+const int Channel::event::PACKET_BURNED = "Channel::event::PACKET_BURNED"u;
+const int Channel::event::DELIVERED = "Channel::event::DELIVERED"u;
+const int Channel::event::LZ_RECEIVE_ALERT = "Channel::event::LZ_RECEIVE_ALERT"u;
+const int Channel::event::NOT_EXECUTABLE = "Channel::event::NOT_EXECUTABLE"u;
+const int Channel::event::ZRO_DEPOSITED = "Channel::event::ZRO_DEPOSITED"u;
+
+;; ERRORS
+const int Channel::ERROR::onlyEndpoint = 129;
+const int Channel::ERROR::onlyOApp = 130;
+const int Channel::ERROR::onlyApprovedSendMsglib = 131;
+const int Channel::ERROR::onlyApprovedReceiveMsglib = 132;
+const int Channel::ERROR::invalidNonce = 133;
+const int Channel::ERROR::cannotAbortSend = 134;
+const int Channel::ERROR::sendAborted = 135;
+const int Channel::ERROR::notEnoughNative = 136;
+const int Channel::ERROR::notEnoughZroToken = 137;
+const int Channel::ERROR::sendQueueCongested = 138;
+const int Channel::ERROR::notEnoughZroTokenBalance = 139;
+const int Channel::ERROR::notCommittable = 140;
+const int Channel::ERROR::notExecutable = 141;
+const int Channel::ERROR::notExecuting = 142;
+const int Channel::ERROR::wrongPath = 143;
+const int Channel::NO_ERROR = 0;
+
+;; States for view function and packet executability management
+const int ExecutionStatus::uncommitted = 0;
+const int ExecutionStatus::committedNotExecutable = 1;
+const int ExecutionStatus::executable = 2;
+const int ExecutionStatus::executed = 3;
+const int ExecutionStatus::executing = 4; ;; new state
+const int ExecutionStatus::committed = 8; ;; only used internally
+
+const int ExecutionQueue::uncommitted = 0;
+const int ExecutionQueue::executing = 1;
+const int ExecutionQueue::committed = 2;
+
+const int SendRequestQueue::sending = 1;

package/src/protocol/channel/main.fc

@@ -0,0 +1,39 @@
+#include "../core/abstract/protocolMain.fc";
+
+#include "handler.fc";
+#include "interface.fc";
+
+tuple _executeOpcode(int op, cell $md) impure inline {
+    if (op == Channel::OP::SET_EP_CONFIG_OAPP) {
+        return setEpConfigOApp($md);
+    } elseif (op == Channel::OP::CHANNEL_SEND) {
+        return channelSend($md);
+    } elseif (op == Channel::OP::MSGLIB_SEND_CALLBACK) {
+        return msglibSendCallback($md);
+    } elseif (op == Channel::OP::CHANNEL_COMMIT_PACKET) {
+        return channelCommitPacket($md);
+    } elseif (op == Channel::OP::LZ_RECEIVE_PREPARE) {
+        return lzReceivePrepare($md);
+    } elseif (op == Channel::OP::LZ_RECEIVE_LOCK) {
+        return lzReceiveLock($md);
+    } elseif (op == Channel::OP::LZ_RECEIVE_EXECUTE_CALLBACK) {
+        return lzReceiveExecuteCallback($md);
+    } elseif (op == Channel::OP::DEPOSIT_ZRO) {
+        return depositZro($md);
+    } elseif (op == Channel::OP::NILIFY) {
+        return nilify($md);
+    } elseif (op == Channel::OP::BURN) {
+        return burn($md);
+    } elseif (op == Channel::OP::FORCE_ABORT) {
+        return forceAbort($md);
+    } elseif (op == Channel::OP::SYNC_MSGLIB_CONNECTION) {
+        return syncMsglibConnection($md);
+    } elseif (op == Channel::OP::NOTIFY_PACKET_EXECUTED) {
+        return notifyPacketExecuted($md);
+    } elseif (op == Channel::OP::EMIT_LZ_RECEIVE_ALERT) {
+        return emitLzReceiveAlert($md);
+    } else {
+        throw(BaseInterface::ERROR::invalidOpcode);
+    }
+    return empty_tuple();
+}

package/src/protocol/channel/storage.fc

@@ -0,0 +1,55 @@
+#include "../../funC++/dataStructures/PipelinedOutOfOrder.fc";
+
+#include "../../classes/lz/EpConfig.fc";
+
+#include "../core/baseStorage.fc";
+
+;; maximum concurrent sendable inflight send requests
+;; must be low to avoid permanent bricking
+const Channel::MAX_SEND_SLOTS = MAX_CELL_BITS;
+
+;; required object name
+const int Channel::NAME = "channel"u;
+
+;; field names
+;; Init state (sharding key)
+const int Channel::baseStorage = 0;
+const int Channel::path = 1;
+
+;; Both send and receive channel state
+const int Channel::endpointAddress = 2;
+const int Channel::epConfigOApp = 3;
+
+;; Send channel state
+const int Channel::outboundNonce = 4;
+const int Channel::sendRequestQueue = 5;
+const int Channel::lastSendRequestId = 6;
+
+;; Receive channel state
+const int Channel::commitPOOO = 7;
+
+;; Used to track the commit verification queue / capacity
+const int Channel::executePOOO = 8;
+const int Channel::executionQueue = 9;
+
+const int Channel::zroBalance = 10;
+
+;; @owner manager
+cell Channel::New(int owner, cell $path, int endpointAddress) inline method_id {
+    return cl::declare(
+        Channel::NAME,
+        unsafeTuple([
+            [cl::t::objRef, BaseStorage::New(owner)],           ;; Channel::baseStorage
+            [cl::t::objRef, $path],                             ;; Channel::path
+            [cl::t::address, endpointAddress],                  ;; Channel::endpointAddress
+            [cl::t::objRef, lz::EpConfig::NewWithDefaults()],   ;; Channel::epConfigOApp
+            [cl::t::uint64, 0],                                 ;; Channel::outboundNonce
+            [cl::t::dict256, empty_cell()],                     ;; Channel::sendRequestQueue
+            [cl::t::uint64, 0],                                 ;; Channel::sendRequestId
+            [cl::t::objRef, POOO::New()],                       ;; Channel::commitPOOO
+            [cl::t::objRef, POOO::New()],                       ;; Channel::executePOOO
+            [cl::t::cellRef, empty_cell()],                     ;; Channel::executionQueue (DICQ)
+            [cl::t::coins, 0]                                   ;; Channel::zroBalance
+        ])
+    );
+}

package/src/protocol/controller/handler.fc

@@ -0,0 +1,347 @@
+;;; ===============================================================
+;; The controller is only used for deployment and configuration.
+;; Controller handlers are not necessarily gas efficient, as they
+;; are expected to be called infrequently.
+;; No dictionaries exist in the controller, so there is no risk of
+;; gas usage increasing over time and resulting in DoS due to the 1m gas
+;; limit.
+;;; ===============================================================
+
+#include "../core/abstract/protocolHandler.fc";
+
+#include "../../classes/lz/Path.fc";
+
+#include "../../classes/msgdata/Deploy.fc";
+#include "../../classes/msgdata/ExtendedMd.fc";
+#include "../../classes/msgdata/CoinsAmount.fc";
+#include "../../classes/msgdata/AddMsglib.fc";
+#include "../../classes/msgdata/InitEndpoint.fc";
+#include "../../classes/msgdata/MdEid.fc";
+#include "../../classes/msgdata/MdObj.fc";
+#include "../../classes/msgdata/SetAddress.fc";
+
+#include "../core/baseStorage.fc";
+
+#include "../channel/storage.fc";
+#include "../endpoint/storage.fc";
+#include "../interfaces.fc";
+
+#include "interface.fc";
+#include "storage.fc";
+
+;;; ================INTERFACE FUNCTIONS=====================
+
+(cell, tuple) _initialize(cell $md) impure inline {
+    return preamble();
+}
+
+;; should be the protocol owner's zro wallet
+int _getZroWalletAddress() inline method_id {
+    return getContractStorage().cl::get<address>(Controller::zroWallet);
+}
+
+() assertTentativeOwner() impure inline {
+    throw_unless(
+        Controller::ERROR::onlyTentativeOwner,
+        getCaller() == getContractStorage().cl::get<address>(Controller::tentativeOwner)
+    );
+}
+
+int _getEventSink() inline {
+    return getContractAddress();
+}
+
+;;; ================PERMISSION FUNCTIONS=====================
+
+() _checkPermissions(int op, cell $md) impure inline {
+    if (op == Controller::OP::DEPLOY_CHANNEL) {
+        ;; Controller::OP::DEPLOY_CHANNEL determines the initial storage of
+        ;; the deployed channel by the caller address, making this opcode
+        ;; safe for open and public calls
+        return ();
+    } elseif (op == Controller::OP::SET_EP_CONFIG_OAPP) {
+        cell $path = $md.cl::get<objRef>(md::ExtendedMd::obj);
+        throw_unless(
+            Controller::ERROR::onlyOApp,
+            getCaller() == $path.cl::get<uint256>(lz::Path::srcOApp)
+        );
+    } elseif (
+        (op == Controller::OP::DEPLOY_ENDPOINT)
+        | (op == Controller::OP::ADD_MSGLIB)
+        | (op == Controller::OP::SET_EP_CONFIG_DEFAULTS)
+        | (op == Controller::OP::SET_ZRO_WALLET)
+        | (op == Controller::OP::TRANSFER_OWNERSHIP)
+    ) {
+        return assertOwner();
+    } elseif (op == Controller::OP::CLAIM_OWNERSHIP) {
+        return assertTentativeOwner();
+    } elseif (op == Controller::OP::EXCESSES) {
+        throw_unless(Controller::ERROR::onlyZroWallet, getCaller() == _getZroWalletAddress());
+    } else {
+        ;; Any other opcodes will throw, to limit possibility of unexpected behaviors
+        throw(BaseInterface::ERROR::invalidOpcode);
+    }
+}
+
+;;; ==========================HELPER FUNCTIONS=====================================
+
+int _calculateEndpointAddress(int dstEid) impure inline method_id {
+    throw_if(Controller::ERROR::invalidEid, dstEid == 0);
+
+    return computeContractAddress(
+        Endpoint::New(
+            getContractStorage().cl::get<uint32>(Controller::eid),
+            dstEid,
+            getContractAddress()
+        ),
+        getContractStorage().cl::get<cellRef>(Controller::endpointCode)
+    );
+}
+
+;;; ==========================VIEW FUNCTIONS=====================================
+
+;; _verifyEventSender is used by offchain entities to verify that an event emitted
+;; by the controller was sent by a protocol contract (endpoint or channel).
+;; Each event transaction includes the storage init of the event emitting contract,
+;; which is used to verify the sender is the contract they claim to be.
+
+;; Returns true if the event originates from a protocol contract.
+;; returns false if the event does not originate from a protocol contract.
+int _verifyEventSender(int sender, cell $senderStorageInit) impure method_id {
+    cell $storage = getContractStorage();
+
+    int storageType = cl::typeof($senderStorageInit);
+    int senderOwner = $senderStorageInit
+        .cl::get<objRef>(BASE_STORAGE_INDEX)
+        .cl::get<address>(BaseStorage::owner);
+
+    ;; If senderOwner != controller address, then this event sender might be using the correct
+    ;; bytecode and storage but be part of a different LayerZero protocol deployment owned
+    ;; by a different signer.
+    throw_if(BaseInterface::ERROR::invalidEventSource, senderOwner != getContractAddress());
+
+    if (storageType == Endpoint::NAME) {
+        cell endpointCode = $storage.cl::get<cellRef>(Controller::endpointCode);
+        throw_unless(
+            BaseInterface::ERROR::invalidEventSource,
+            sender == computeContractAddress($senderStorageInit, endpointCode)
+        );
+    } elseif (storageType == Channel::NAME) {
+        cell channelCode = $storage.cl::get<cellRef>(Controller::channelCode);
+        throw_unless(
+            BaseInterface::ERROR::invalidEventSource,
+            sender == computeContractAddress($senderStorageInit, channelCode)
+        );
+    } else {
+        throw(BaseInterface::ERROR::invalidEventSource);
+    }
+
+    return true;
+}
+
+;;; ==========================HANDLERS=====================================
+
+;; @in owner EOA
+;; @in_md deployEndpoint
+;; @out endpoint/handler.fc
+;; @out_md deployAndCall(endpointInitData, endpointCode, endpoint_initialize)
+;; @permissions only owner
+tuple deployEndpoint(cell $deploy) impure inline method_id {
+    (cell $storage, tuple actions) = preamble();
+
+    int dstEid = $deploy.cl::get<uint32>(md::Deploy::dstEid);
+    throw_if(Controller::ERROR::invalidEid, dstEid == 0);
+
+    int eid = $storage.cl::get<uint32>(Controller::eid);
+
+    actions~pushAction<deployAndCall>(
+        $storage.cl::get<cellRef>(Controller::endpointCode),
+        Endpoint::New(eid, dstEid, getContractAddress()),
+        $deploy.cl::get<coins>(md::Deploy::initialDeposit),
+        BaseInterface::OP::INITIALIZE,
+        md::InitEndpoint::New($storage.cl::get<cellRef>(Controller::channelCode)),
+        0
+    );
+
+    return actions;
+}
+
+;; @in oApp
+;; @in_md deployChannel
+;; @out channel/handler.fc
+;; @out_md deployAndCall(endpoint_state_init, endpointCode, channel_initialize)
+;; @note: There's no need to check for permissions here because ctx.SENDER is derived from the oApp.
+;; @permissionless
+tuple deployChannel(cell $deploy) impure inline method_id {
+    (cell $storage, tuple actions) = preamble();
+
+    int dstEid = $deploy.cl::get<uint32>(md::Deploy::dstEid);
+
+    ;; create the path object
+    cell $path = lz::Path::New(
+        $storage.cl::get<uint32>(Controller::eid), ;; srcEid
+        getCaller(), ;; srcOApp
+        dstEid, ;; dstEid
+        $deploy.cl::get<uint256>(md::Deploy::dstOApp) ;; dstOApp
+    );
+
+    ;; get the endpoint address
+    int endpointAddress = _calculateEndpointAddress(dstEid);
+
+    actions~pushAction<deployAndCall>(
+        $storage.cl::get<cellRef>(Controller::channelCode),
+        Channel::New(getContractAddress(), $path, endpointAddress),
+        $deploy.cl::get<coins>(md::Deploy::initialDeposit),
+        BaseInterface::OP::INITIALIZE,
+        cl::nullObject(),
+        0
+    );
+
+    return actions;
+}
+
+;; @in owner EOA
+;; @in_md setEpConfigDefaults
+;; @out endpoint/handler.fc/setEpConfigDefaults
+;; @out_md setEpConfig
+;; @permissions only owner
+tuple setEpConfigDefaults(cell $mdEid) impure inline method_id {
+    (_, tuple actions) = preamble();
+
+    int dstEid = $mdEid.cl::get<uint32>(md::MdEid::eid);
+
+    actions~pushAction<call>(
+        _calculateEndpointAddress(dstEid),
+        Endpoint::OP::SET_EP_CONFIG_DEFAULTS,
+        $mdEid.cl::get<objRef>(md::MdEid::md)
+    );
+
+    return actions;
+}
+
+;; @in OApp contract
+;; @in_md ExtendedMd(path, setEpConfig)
+;; @out endpoint/handler.fc/setEpConfig
+;; @out_md ExtendedMd(channelAddress, setEpConfig)
+;; @note: There's no need to check for permissions here because ctx.SENDER is derived from the oApp.
+;; Any configuration changes made will only impact the `oApp` that invokes this function.
+;; @permissionless
+tuple setEpConfigOApp(cell $mdObj) impure inline method_id {
+    (_, tuple actions) = preamble();
+
+    ;; get the path and setEpConfigMd from the md
+    cell $path = $mdObj.cl::get<objRef>(md::MdObj::obj);
+
+    actions~pushAction<call>(
+        _calculateEndpointAddress($path.cl::get<uint32>(lz::Path::dstEid)),
+        Endpoint::OP::SET_EP_CONFIG_OAPP,
+        $mdObj
+    );
+
+    return actions;
+}
+
+tuple addMsglib(cell $addMsglibMd) impure inline method_id {
+    (_, tuple actions) = preamble();
+
+    actions~pushAction<call>(
+        _calculateEndpointAddress(
+            $addMsglibMd.cl::get<uint32>(md::AddMsglib::dstEid)
+        ),
+        Endpoint::OP::ADD_MSGLIB,
+        $addMsglibMd
+    );
+
+    return actions;
+}
+
+;; only controller zro wallet
+tuple depositZro(cell $path) impure inline method_id {
+    (cell $storage, tuple actions) = preamble();
+
+    ;; The message format of jetton happens to align with funC++
+    ;; but the jetton token amount is aliased as donationNanos
+    int tokenAmount = getDonationNanos();
+    setDonationNanos(0);
+
+    ;; get the endpoint address
+    int endpointAddress = _calculateEndpointAddress($path.cl::get<uint32>(lz::Path::dstEid));
+
+    int channelAddress = computeContractAddress(
+        Channel::New(getContractAddress(), $path, endpointAddress),
+        $storage.cl::get<cellRef>(Controller::channelCode)
+    );
+
+    actions~pushAction<call>(
+        channelAddress,
+        Channel::OP::DEPOSIT_ZRO,
+        md::CoinsAmount::New(tokenAmount)
+    );
+
+    return actions;
+}
+
+tuple setZroWallet(cell $setAddress) impure inline method_id {
+    (cell $storage, tuple actions) = preamble();
+
+    setContractStorage(
+        $storage.cl::set(
+            Controller::zroWallet,
+            $setAddress.cl::get<address>(md::SetAddress::address)
+        )
+    );
+
+    actions~pushAction<event>(Controller::event::ZRO_WALLET_SET, $setAddress);
+    return actions;
+}
+
+;; This will override an existing tentative owner
+;; Becuase we assert that the 'claimOwnership' can't be done by the 'null' address, it means
+;; if we want to burn the ownership, we will need to set it to a contract which only has ability to
+;; claim, but nothing else. This effectively burns it.
+tuple transferOwnership(cell $setAddress) impure inline {
+    (cell $storage, tuple actions) = preamble();
+
+    setContractStorage(
+        $storage.cl::set(
+            Controller::tentativeOwner,
+            $setAddress.cl::get<address>(md::SetAddress::address)
+        )
+    );
+
+    actions~pushAction<event>(
+        Controller::event::OWNER_SET_TENTATIVE,
+        $setAddress
+    );
+
+    return actions;
+}
+
+tuple claimOwnership(cell $emptyMd) impure inline {
+    (cell $storage, tuple actions) = preamble();
+
+    ;; permissions check guarantees newOwner == $storage.tentativeOwner
+    int newOwner = $storage.cl::get<address>(Controller::tentativeOwner);
+
+    ;; this should be caught by the permission check, BUT let's be super safe about this
+    throw_if(Controller::ERROR::nullTentativeOwner, newOwner == NULLADDRESS);
+
+    ;; erase the tentative owner AND set that tentative owner to the actual owner
+    setContractStorage(
+        $storage
+            .cl::set(Controller::tentativeOwner, NULLADDRESS)
+            .cl::set(
+                Controller::baseStorage,
+                $storage
+                    .cl::get<objRef>(Controller::baseStorage)
+                    .cl::set(BaseStorage::owner, newOwner)
+            )
+    );
+
+    actions~pushAction<event>(
+        Controller::event::OWNER_SET,
+        md::SetAddress::New(newOwner)
+    );
+
+    return actions;
+}

package/src/protocol/controller/interface.fc

@@ -0,0 +1,25 @@
+const int MAX_MSGLIBS = 255;
+
+;; OPCODES
+const int Controller::OP::DEPLOY_ENDPOINT = "Controller::OP::DEPLOY_ENDPOINT"c;
+const int Controller::OP::DEPLOY_CHANNEL = "Controller::OP::DEPLOY_CHANNEL"c;
+const int Controller::OP::SET_EP_CONFIG_DEFAULTS = "Controller::OP::SET_EP_CONFIG_DEFAULTS"c;
+const int Controller::OP::SET_EP_CONFIG_OAPP = "Controller::OP::SET_EP_CONFIG_OAPP"c;
+const int Controller::OP::ADD_MSGLIB = "Controller::OP::ADD_MSGLIB"c;
+const int Controller::OP::DEPOSIT_ZRO = "Controller::OP::DEPOSIT_ZRO"c;
+const int Controller::OP::SET_ZRO_WALLET = "Controller::OP::SET_ZRO_WALLET"c;
+const int Controller::OP::EXCESSES = 0xd53276db; ;; op::excesses: 0xd53276db
+const int Controller::OP::TRANSFER_OWNERSHIP = "Controller::OP::TRANSFER_OWNERSHIP"c;
+const int Controller::OP::CLAIM_OWNERSHIP = "Controller::OP::CLAIM_OWNERSHIP"c;
+
+;; EVENT
+const int Controller::event::ZRO_WALLET_SET = "Controller::event::ZRO_WALLT_SET"u;
+const int Controller::event::OWNER_SET = "Controller::event::OWNER_SET"u;
+const int Controller::event::OWNER_SET_TENTATIVE = "Controller::event::OWNERSET_TENT"u;
+
+;; ERRORS
+const int Controller::ERROR::onlyOApp = 65;
+const int Controller::ERROR::invalidEid = 66;
+const int Controller::ERROR::onlyZroWallet = 67;
+const int Controller::ERROR::onlyTentativeOwner = 68;
+const int Controller::ERROR::nullTentativeOwner = 69;

package/src/protocol/controller/main.fc

@@ -0,0 +1,29 @@
+#include "../core/abstract/protocolMain.fc";
+
+#include "handler.fc";
+#include "interface.fc";
+
+tuple _executeOpcode(int op, cell $md) impure inline {
+    if (op == Controller::OP::DEPLOY_ENDPOINT) {
+        return deployEndpoint($md);
+    } elseif (op == Controller::OP::DEPLOY_CHANNEL) {
+        return deployChannel($md);
+    } elseif (op == Controller::OP::SET_EP_CONFIG_DEFAULTS) {
+        return setEpConfigDefaults($md);
+    } elseif (op == Controller::OP::SET_EP_CONFIG_OAPP) {
+        return setEpConfigOApp($md);
+    } elseif (op == Controller::OP::ADD_MSGLIB) {
+        return addMsglib($md);
+    } elseif (op == Controller::OP::SET_ZRO_WALLET) {
+        return setZroWallet($md);
+    } elseif (op == Controller::OP::EXCESSES) {
+        return depositZro($md);
+    } elseif (op == Controller::OP::TRANSFER_OWNERSHIP) {
+        return transferOwnership($md);
+    } elseif (op == Controller::OP::CLAIM_OWNERSHIP) {
+        return claimOwnership($md);
+    } else {
+        throw(BaseInterface::ERROR::invalidOpcode);
+    }
+    return empty_tuple();
+}

package/src/protocol/controller/storage.fc

@@ -0,0 +1,31 @@
+#include "../../funC++/constants.fc";
+
+#include "../core/baseStorage.fc";
+
+const int Controller::NAME = "controller"u;
+
+const int Controller::baseStorage = 0;
+const int Controller::eid = 1;
+
+;; Bytecodes
+const int Controller::endpointCode = 2;
+const int Controller::channelCode = 3;
+;; Zro wallet
+const int Controller::zroWallet = 4;
+;; tentative owner
+const int Controller::tentativeOwner = 5;
+
+;; @owner Protocol admin EOA
+cell Controller::New(int owner, int eid, cell endpointCode, cell channelCode) method_id {
+    return cl::declare(
+        Controller::NAME,
+        unsafeTuple([
+            [cl::t::objRef, BaseStorage::New(owner)],   ;; Controller::baseStorage
+            [cl::t::uint32, eid],                       ;; Controller::eid
+            [cl::t::cellRef, endpointCode],             ;; Controller::endpointCode
+            [cl::t::cellRef, channelCode],              ;; Controller::channelCode
+            [cl::t::address, NULLADDRESS],              ;; Controller::zroWallet
+            [cl::t::address, NULLADDRESS]               ;; Controller::tentativeOwner
+        ])
+    );
+}