@layerzerolabs/lz-evm-messagelib-v2 2.0.2

package/contracts/uln/UlnBase.sol

@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: LZBL-1.2
+
+pragma solidity ^0.8.22;
+
+import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
+
+// the formal properties are documented in the setter functions
+struct UlnConfig {
+    uint64 confirmations;
+    // we store the length of required DVNs and optional DVNs instead of using DVN.length directly to save gas
+    uint8 requiredDVNCount; // 0 indicate DEFAULT, NIL_DVN_COUNT indicate NONE (to override the value of default)
+    uint8 optionalDVNCount; // 0 indicate DEFAULT, NIL_DVN_COUNT indicate NONE (to override the value of default)
+    uint8 optionalDVNThreshold; // (0, optionalDVNCount]
+    address[] requiredDVNs; // no duplicates. sorted an an ascending order. allowed overlap with optionalDVNs
+    address[] optionalDVNs; // no duplicates. sorted an an ascending order. allowed overlap with requiredDVNs
+}
+
+struct SetDefaultUlnConfigParam {
+    uint32 eid;
+    UlnConfig config;
+}
+
+/// @dev includes the utility functions for checking ULN states and logics
+abstract contract UlnBase is Ownable {
+    address private constant DEFAULT_CONFIG = address(0);
+    // reserved values for
+    uint8 internal constant DEFAULT = 0;
+    uint8 internal constant NIL_DVN_COUNT = type(uint8).max;
+    uint64 internal constant NIL_CONFIRMATIONS = type(uint64).max;
+    // 127 to prevent total number of DVNs (127 * 2) exceeding uint8.max (255)
+    // by limiting the total size, it would help constraint the design of DVNOptions
+    uint8 private constant MAX_COUNT = (type(uint8).max - 1) / 2;
+
+    mapping(address oapp => mapping(uint32 eid => UlnConfig)) internal ulnConfigs;
+
+    error Unsorted();
+    error InvalidRequiredDVNCount();
+    error InvalidOptionalDVNCount();
+    error AtLeastOneDVN();
+    error InvalidOptionalDVNThreshold();
+    error InvalidConfirmations();
+    error UnsupportedEid(uint32 eid);
+
+    event DefaultUlnConfigsSet(SetDefaultUlnConfigParam[] params);
+    event UlnConfigSet(address oapp, uint32 eid, UlnConfig config);
+
+    // ============================ OnlyOwner ===================================
+
+    /// @dev about the DEFAULT ULN config
+    /// 1) its values are all LITERAL (e.g. 0 is 0). whereas in the oapp ULN config, 0 (default value) points to the default ULN config
+    ///     this design enables the oapp to point to DEFAULT config without explicitly setting the config
+    /// 2) its configuration is more restrictive than the oapp ULN config that
+    ///     a) it must not use NIL value, where NIL is used only by oapps to indicate the LITERAL 0
+    ///     b) it must have at least one DVN
+    function setDefaultUlnConfigs(SetDefaultUlnConfigParam[] calldata _params) external onlyOwner {
+        for (uint256 i = 0; i < _params.length; ++i) {
+            SetDefaultUlnConfigParam calldata param = _params[i];
+
+            // 2.a must not use NIL
+            if (param.config.requiredDVNCount == NIL_DVN_COUNT) revert InvalidRequiredDVNCount();
+            if (param.config.optionalDVNCount == NIL_DVN_COUNT) revert InvalidOptionalDVNCount();
+            if (param.config.confirmations == NIL_CONFIRMATIONS) revert InvalidConfirmations();
+
+            // 2.b must have at least one dvn
+            _assertAtLeastOneDVN(param.config);
+
+            _setConfig(DEFAULT_CONFIG, param.eid, param.config);
+        }
+        emit DefaultUlnConfigsSet(_params);
+    }
+
+    // ============================ View ===================================
+    // @dev assuming most oapps use default, we get default as memory and custom as storage to save gas
+    function getUlnConfig(address _oapp, uint32 _remoteEid) public view returns (UlnConfig memory rtnConfig) {
+        UlnConfig storage defaultConfig = ulnConfigs[DEFAULT_CONFIG][_remoteEid];
+        UlnConfig storage customConfig = ulnConfigs[_oapp][_remoteEid];
+
+        // if confirmations is 0, use default
+        uint64 confirmations = customConfig.confirmations;
+        if (confirmations == DEFAULT) {
+            rtnConfig.confirmations = defaultConfig.confirmations;
+        } else if (confirmations != NIL_CONFIRMATIONS) {
+            // if confirmations is uint64.max, no block confirmations required
+            rtnConfig.confirmations = confirmations;
+        } // else do nothing, rtnConfig.confirmation is 0
+
+        if (customConfig.requiredDVNCount == DEFAULT) {
+            if (defaultConfig.requiredDVNCount > 0) {
+                // copy only if count > 0. save gas
+                rtnConfig.requiredDVNs = defaultConfig.requiredDVNs;
+                rtnConfig.requiredDVNCount = defaultConfig.requiredDVNCount;
+            } // else, do nothing
+        } else {
+            if (customConfig.requiredDVNCount != NIL_DVN_COUNT) {
+                rtnConfig.requiredDVNs = customConfig.requiredDVNs;
+                rtnConfig.requiredDVNCount = customConfig.requiredDVNCount;
+            } // else, do nothing
+        }
+
+        if (customConfig.optionalDVNCount == DEFAULT) {
+            if (defaultConfig.optionalDVNCount > 0) {
+                // copy only if count > 0. save gas
+                rtnConfig.optionalDVNs = defaultConfig.optionalDVNs;
+                rtnConfig.optionalDVNCount = defaultConfig.optionalDVNCount;
+                rtnConfig.optionalDVNThreshold = defaultConfig.optionalDVNThreshold;
+            }
+        } else {
+            if (customConfig.optionalDVNCount != NIL_DVN_COUNT) {
+                rtnConfig.optionalDVNs = customConfig.optionalDVNs;
+                rtnConfig.optionalDVNCount = customConfig.optionalDVNCount;
+                rtnConfig.optionalDVNThreshold = customConfig.optionalDVNThreshold;
+            }
+        }
+
+        // the final value must have at least one dvn
+        // it is possible that some default config result into 0 dvns
+        _assertAtLeastOneDVN(rtnConfig);
+    }
+
+    /// @dev Get the uln config without the default config for the given remoteEid.
+    function getAppUlnConfig(address _oapp, uint32 _remoteEid) external view returns (UlnConfig memory) {
+        return ulnConfigs[_oapp][_remoteEid];
+    }
+
+    // ============================ Internal ===================================
+    function _setUlnConfig(uint32 _remoteEid, address _oapp, UlnConfig memory _param) internal {
+        _setConfig(_oapp, _remoteEid, _param);
+
+        // get ULN config again as a catch all to ensure the config is valid
+        getUlnConfig(_oapp, _remoteEid);
+        emit UlnConfigSet(_oapp, _remoteEid, _param);
+    }
+
+    /// @dev a supported Eid must have a valid default uln config, which has at least one dvn
+    function _isSupportedEid(uint32 _remoteEid) internal view returns (bool) {
+        UlnConfig storage defaultConfig = ulnConfigs[DEFAULT_CONFIG][_remoteEid];
+        return defaultConfig.requiredDVNCount > 0 || defaultConfig.optionalDVNThreshold > 0;
+    }
+
+    function _assertSupportedEid(uint32 _remoteEid) internal view {
+        if (!_isSupportedEid(_remoteEid)) revert UnsupportedEid(_remoteEid);
+    }
+
+    // ============================ Private ===================================
+
+    function _assertAtLeastOneDVN(UlnConfig memory _config) private pure {
+        if (_config.requiredDVNCount == 0 && _config.optionalDVNThreshold == 0) revert AtLeastOneDVN();
+    }
+
+    /// @dev this private function is used in both setDefaultUlnConfigs and setUlnConfig
+    function _setConfig(address _oapp, uint32 _eid, UlnConfig memory _param) private {
+        // @dev required dvns
+        // if dvnCount == NONE, dvns list must be empty
+        // if dvnCount == DEFAULT, dvn list must be empty
+        // otherwise, dvnList.length == dvnCount and assert the list is valid
+        if (_param.requiredDVNCount == NIL_DVN_COUNT || _param.requiredDVNCount == DEFAULT) {
+            if (_param.requiredDVNs.length != 0) revert InvalidRequiredDVNCount();
+        } else {
+            if (_param.requiredDVNs.length != _param.requiredDVNCount || _param.requiredDVNCount > MAX_COUNT)
+                revert InvalidRequiredDVNCount();
+            _assertNoDuplicates(_param.requiredDVNs);
+        }
+
+        // @dev optional dvns
+        // if optionalDVNCount == NONE, optionalDVNs list must be empty and threshold must be 0
+        // if optionalDVNCount == DEFAULT, optionalDVNs list must be empty and threshold must be 0
+        // otherwise, optionalDVNs.length == optionalDVNCount, threshold > 0 && threshold <= optionalDVNCount and assert the list is valid
+
+        // example use case: an oapp uses the DEFAULT 'required' but
+        //     a) use a custom 1/1 dvn (practically a required dvn), or
+        //     b) use a custom 2/3 dvn
+        if (_param.optionalDVNCount == NIL_DVN_COUNT || _param.optionalDVNCount == DEFAULT) {
+            if (_param.optionalDVNs.length != 0) revert InvalidOptionalDVNCount();
+            if (_param.optionalDVNThreshold != 0) revert InvalidOptionalDVNThreshold();
+        } else {
+            if (_param.optionalDVNs.length != _param.optionalDVNCount || _param.optionalDVNCount > MAX_COUNT)
+                revert InvalidOptionalDVNCount();
+            if (_param.optionalDVNThreshold == 0 || _param.optionalDVNThreshold > _param.optionalDVNCount)
+                revert InvalidOptionalDVNThreshold();
+            _assertNoDuplicates(_param.optionalDVNs);
+        }
+        // don't assert valid count here, as it needs to be validated along side default config
+
+        ulnConfigs[_oapp][_eid] = _param;
+    }
+
+    function _assertNoDuplicates(address[] memory _dvns) private pure {
+        address lastDVN = address(0);
+        for (uint256 i = 0; i < _dvns.length; i++) {
+            address dvn = _dvns[i];
+            if (dvn <= lastDVN) revert Unsorted(); // to ensure no duplicates
+            lastDVN = dvn;
+        }
+    }
+}

package/contracts/uln/dvn/DVN.sol

@@ -0,0 +1,349 @@
+// SPDX-License-Identifier: LZBL-1.2
+
+pragma solidity 0.8.22;
+
+import { ILayerZeroUltraLightNodeV2 } from "@layerzerolabs/lz-evm-v1-0.7/contracts/interfaces/ILayerZeroUltraLightNodeV2.sol";
+
+import { Worker } from "../../Worker.sol";
+import { MultiSig } from "./MultiSig.sol";
+import { IDVN } from "../interfaces/IDVN.sol";
+import { IDVNFeeLib } from "../interfaces/IDVNFeeLib.sol";
+import { IReceiveUlnE2 } from "../interfaces/IReceiveUlnE2.sol";
+
+struct ExecuteParam {
+    uint32 vid;
+    address target;
+    bytes callData;
+    uint256 expiration;
+    bytes signatures;
+}
+
+contract DVN is Worker, MultiSig, IDVN {
+    // to uniquely identify this DVN instance
+    // set to endpoint v1 eid if available OR endpoint v2 eid % 30_000
+    uint32 public immutable vid;
+
+    mapping(uint32 dstEid => DstConfig) public dstConfig;
+    mapping(bytes32 executableHash => bool used) public usedHashes;
+
+    error OnlySelf();
+    error InvalidRole(bytes32 role);
+    error InstructionExpired();
+    error InvalidTarget(address target);
+    error InvalidVid(uint32 vid);
+    error InvalidSignatures();
+    error DuplicatedHash(bytes32 executableHash);
+
+    event VerifySignaturesFailed(uint256 idx);
+    event ExecuteFailed(uint256 _index, bytes _data);
+    event HashAlreadyUsed(ExecuteParam param, bytes32 _hash);
+    // same as DVNFeePaid, but for ULNv2
+    event VerifierFeePaid(uint256 fee);
+
+    // ========================= Constructor =========================
+
+    /// @dev DVN doesn't have a roleAdmin (address(0x0))
+    /// @dev Supports all of ULNv2, ULN301, ULN302 and more
+    /// @param _vid unique identifier for this DVN instance
+    /// @param _messageLibs array of message lib addresses that are granted the MESSAGE_LIB_ROLE
+    /// @param _priceFeed price feed address
+    /// @param _signers array of signer addresses for multisig
+    /// @param _quorum quorum for multisig
+    /// @param _admins array of admin addresses that are granted the ADMIN_ROLE
+    constructor(
+        uint32 _vid,
+        address[] memory _messageLibs,
+        address _priceFeed,
+        address[] memory _signers,
+        uint64 _quorum,
+        address[] memory _admins
+    ) Worker(_messageLibs, _priceFeed, 12000, address(0x0), _admins) MultiSig(_signers, _quorum) {
+        vid = _vid;
+    }
+
+    // ========================= Modifier =========================
+
+    /// @dev depending on role, restrict access to only self or admin
+    /// @dev ALLOWLIST, DENYLIST, MESSAGE_LIB_ROLE can only be granted/revoked by self
+    /// @dev ADMIN_ROLE can only be granted/revoked by admin
+    /// @dev reverts if not one of the above roles
+    /// @param _role role to check
+    modifier onlySelfOrAdmin(bytes32 _role) {
+        if (_role == ALLOWLIST || _role == DENYLIST || _role == MESSAGE_LIB_ROLE) {
+            // self required
+            if (address(this) != msg.sender) {
+                revert OnlySelf();
+            }
+        } else if (_role == ADMIN_ROLE) {
+            // admin required
+            _checkRole(ADMIN_ROLE);
+        } else {
+            revert InvalidRole(_role);
+        }
+        _;
+    }
+
+    modifier onlySelf() {
+        if (address(this) != msg.sender) {
+            revert OnlySelf();
+        }
+        _;
+    }
+
+    // ========================= OnlySelf =========================
+
+    /// @dev set signers for multisig
+    /// @dev function sig 0x31cb6105
+    /// @param _signer signer address
+    /// @param _active true to add, false to remove
+    function setSigner(address _signer, bool _active) external onlySelf {
+        _setSigner(_signer, _active);
+    }
+
+    /// @dev set quorum for multisig
+    /// @dev function sig 0x8585c945
+    /// @param _quorum to set
+    function setQuorum(uint64 _quorum) external onlySelf {
+        _setQuorum(_quorum);
+    }
+
+    // ========================= OnlySelf / OnlyAdmin =========================
+
+    /// @dev overrides AccessControl to allow self/admin to grant role'
+    /// @dev function sig 0x2f2ff15d
+    /// @param _role role to grant
+    /// @param _account account to grant role to
+    function grantRole(bytes32 _role, address _account) public override onlySelfOrAdmin(_role) {
+        _grantRole(_role, _account);
+    }
+
+    /// @dev overrides AccessControl to allow self/admin to revoke role
+    /// @dev function sig 0xd547741f
+    /// @param _role role to revoke
+    /// @param _account account to revoke role from
+    function revokeRole(bytes32 _role, address _account) public override onlySelfOrAdmin(_role) {
+        _revokeRole(_role, _account);
+    }
+
+    // ========================= OnlyQuorum =========================
+
+    /// @notice function for quorum to change admin without going through execute function
+    /// @dev calldata in the case is abi.encode new admin address
+    function quorumChangeAdmin(ExecuteParam calldata _param) external {
+        if (_param.expiration <= block.timestamp) {
+            revert InstructionExpired();
+        }
+        if (_param.target != address(this)) {
+            revert InvalidTarget(_param.target);
+        }
+        if (_param.vid != vid) {
+            revert InvalidVid(_param.vid);
+        }
+
+        // generate and validate hash
+        bytes32 hash = hashCallData(_param.vid, _param.target, _param.callData, _param.expiration);
+        (bool sigsValid, ) = verifySignatures(hash, _param.signatures);
+        if (!sigsValid) {
+            revert InvalidSignatures();
+        }
+        if (usedHashes[hash]) {
+            revert DuplicatedHash(hash);
+        }
+
+        usedHashes[hash] = true;
+        _grantRole(ADMIN_ROLE, abi.decode(_param.callData, (address)));
+    }
+
+    // ========================= OnlyAdmin =========================
+
+    /// @param _params array of DstConfigParam
+    function setDstConfig(DstConfigParam[] calldata _params) external onlyRole(ADMIN_ROLE) {
+        for (uint256 i = 0; i < _params.length; ++i) {
+            DstConfigParam calldata param = _params[i];
+            dstConfig[param.dstEid] = DstConfig(param.gas, param.multiplierBps, param.floorMarginUSD);
+        }
+        emit SetDstConfig(_params);
+    }
+
+    /// @dev takes a list of instructions and executes them in order
+    /// @dev if any of the instructions fail, it will emit an error event and continue to execute the rest of the instructions
+    /// @param _params array of ExecuteParam, includes target, callData, expiration, signatures
+    function execute(ExecuteParam[] calldata _params) external onlyRole(ADMIN_ROLE) {
+        for (uint256 i = 0; i < _params.length; ++i) {
+            ExecuteParam calldata param = _params[i];
+            // 1. skip if invalid vid
+            if (param.vid != vid) {
+                continue;
+            }
+
+            // 2. skip if expired
+            if (param.expiration <= block.timestamp) {
+                continue;
+            }
+
+            // generate and validate hash
+            bytes32 hash = hashCallData(param.vid, param.target, param.callData, param.expiration);
+
+            // 3. check signatures
+            (bool sigsValid, ) = verifySignatures(hash, param.signatures);
+            if (!sigsValid) {
+                emit VerifySignaturesFailed(i);
+                continue;
+            }
+
+            // 4. should check hash
+            bool shouldCheckHash = _shouldCheckHash(bytes4(param.callData));
+            if (shouldCheckHash) {
+                if (usedHashes[hash]) {
+                    emit HashAlreadyUsed(param, hash);
+                    continue;
+                } else {
+                    usedHashes[hash] = true; // prevent reentry and replay attack
+                }
+            }
+
+            (bool success, bytes memory rtnData) = param.target.call(param.callData);
+            if (!success) {
+                if (shouldCheckHash) {
+                    // need to unset the usedHash otherwise it cant be used
+                    usedHashes[hash] = false;
+                }
+                // emit an event in any case
+                emit ExecuteFailed(i, rtnData);
+            }
+        }
+    }
+
+    /// @dev to support ULNv2
+    /// @dev the withdrawFee function for ULN30X is built in the Worker contract
+    /// @param _lib message lib address
+    /// @param _to address to withdraw to
+    /// @param _amount amount to withdraw
+    function withdrawFeeFromUlnV2(address _lib, address payable _to, uint256 _amount) external onlyRole(ADMIN_ROLE) {
+        if (!hasRole(MESSAGE_LIB_ROLE, _lib)) {
+            revert OnlyMessageLib();
+        }
+        ILayerZeroUltraLightNodeV2(_lib).withdrawNative(_to, _amount);
+    }
+
+    // ========================= OnlyMessageLib =========================
+
+    /// @dev for ULN301, ULN302 and more to assign job
+    /// @dev dvn network can reject job from _sender by adding/removing them from allowlist/denylist
+    /// @param _param assign job param
+    /// @param _options dvn options
+    function assignJob(
+        AssignJobParam calldata _param,
+        bytes calldata _options
+    ) external payable onlyRole(MESSAGE_LIB_ROLE) onlyAcl(_param.sender) returns (uint256 totalFee) {
+        IDVNFeeLib.FeeParams memory feeParams = IDVNFeeLib.FeeParams(
+            priceFeed,
+            _param.dstEid,
+            _param.confirmations,
+            _param.sender,
+            quorum,
+            defaultMultiplierBps
+        );
+        totalFee = IDVNFeeLib(workerFeeLib).getFeeOnSend(feeParams, dstConfig[_param.dstEid], _options);
+    }
+
+    /// @dev to support ULNv2
+    /// @dev dvn network can reject job from _sender by adding/removing them from allowlist/denylist
+    /// @param _dstEid destination EndpointId
+    /// @param //_outboundProofType outbound proof type
+    /// @param _confirmations block confirmations
+    /// @param _sender message sender address
+    function assignJob(
+        uint16 _dstEid,
+        uint16 /*_outboundProofType*/,
+        uint64 _confirmations,
+        address _sender
+    ) external onlyRole(MESSAGE_LIB_ROLE) onlyAcl(_sender) returns (uint256 totalFee) {
+        IDVNFeeLib.FeeParams memory params = IDVNFeeLib.FeeParams(
+            priceFeed,
+            _dstEid,
+            _confirmations,
+            _sender,
+            quorum,
+            defaultMultiplierBps
+        );
+        // ULNV2 does not have dvn options
+        totalFee = IDVNFeeLib(workerFeeLib).getFeeOnSend(params, dstConfig[_dstEid], bytes(""));
+        emit VerifierFeePaid(totalFee);
+    }
+
+    // ========================= View =========================
+
+    /// @dev getFee can revert if _sender doesn't pass ACL
+    /// @param _dstEid destination EndpointId
+    /// @param _confirmations block confirmations
+    /// @param _sender message sender address
+    /// @param _options dvn options
+    /// @return fee fee in native amount
+    function getFee(
+        uint32 _dstEid,
+        uint64 _confirmations,
+        address _sender,
+        bytes calldata _options
+    ) external view onlyAcl(_sender) returns (uint256 fee) {
+        IDVNFeeLib.FeeParams memory params = IDVNFeeLib.FeeParams(
+            priceFeed,
+            _dstEid,
+            _confirmations,
+            _sender,
+            quorum,
+            defaultMultiplierBps
+        );
+        return IDVNFeeLib(workerFeeLib).getFee(params, dstConfig[_dstEid], _options);
+    }
+
+    /// @dev to support ULNv2
+    /// @dev getFee can revert if _sender doesn't pass ACL
+    /// @param _dstEid destination EndpointId
+    /// @param //_outboundProofType outbound proof type
+    /// @param _confirmations block confirmations
+    /// @param _sender message sender address
+    function getFee(
+        uint16 _dstEid,
+        uint16 /*_outboundProofType*/,
+        uint64 _confirmations,
+        address _sender
+    ) public view onlyAcl(_sender) returns (uint256 fee) {
+        IDVNFeeLib.FeeParams memory params = IDVNFeeLib.FeeParams(
+            priceFeed,
+            _dstEid,
+            _confirmations,
+            _sender,
+            quorum,
+            defaultMultiplierBps
+        );
+        return IDVNFeeLib(workerFeeLib).getFee(params, dstConfig[_dstEid], bytes(""));
+    }
+
+    /// @param _target target address
+    /// @param _callData call data
+    /// @param _expiration expiration timestamp
+    /// @return hash of above
+    function hashCallData(
+        uint32 _vid,
+        address _target,
+        bytes calldata _callData,
+        uint256 _expiration
+    ) public pure returns (bytes32) {
+        return keccak256(abi.encodePacked(_vid, _target, _expiration, _callData));
+    }
+
+    // ========================= Internal =========================
+
+    /// @dev to save gas, we don't check hash for some functions (where replaying won't change the state)
+    /// @dev for example, some administrative functions like changing signers, the contract should check hash to double spending
+    /// @dev should ensure that all onlySelf functions have unique functionSig
+    /// @param _functionSig function signature
+    /// @return true if should check hash
+    function _shouldCheckHash(bytes4 _functionSig) internal pure returns (bool) {
+        // never check for these selectors to save gas
+        return
+            _functionSig != IReceiveUlnE2.verify.selector && // 0x0223536e, replaying won't change the state
+            _functionSig != ILayerZeroUltraLightNodeV2.updateHash.selector; // 0x704316e5, replaying will be revert at uln
+    }
+}

package/contracts/uln/dvn/DVNFeeLib.sol

@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: LZBL-1.2
+
+pragma solidity 0.8.22;
+
+import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
+import { Transfer } from "@layerzerolabs/lz-evm-protocol-v2/contracts/libs/Transfer.sol";
+
+import { ILayerZeroPriceFeed } from "../../interfaces/ILayerZeroPriceFeed.sol";
+import { IDVN } from "../interfaces/IDVN.sol";
+import { IDVNFeeLib } from "../interfaces/IDVNFeeLib.sol";
+import { DVNOptions } from "../libs/DVNOptions.sol";
+
+contract DVNFeeLib is Ownable, IDVNFeeLib {
+    using DVNOptions for bytes;
+
+    uint16 internal constant EXECUTE_FIXED_BYTES = 68; // encoded: funcSigHash + params -> 4  + (32 * 2)
+    uint16 internal constant SIGNATURE_RAW_BYTES = 65; // not encoded
+    // callData(updateHash) = 132 (4 + 32 * 4), padded to 32 = 160 and encoded as bytes with an 64 byte overhead = 224
+    uint16 internal constant UPDATE_HASH_BYTES = 224;
+
+    uint256 private immutable nativeDecimalsRate;
+
+    constructor(uint256 _nativeDecimalsRate) {
+        nativeDecimalsRate = _nativeDecimalsRate;
+    }
+
+    // ================================ OnlyOwner ================================
+    function withdrawToken(address _token, address _to, uint256 _amount) external onlyOwner {
+        // transfers native if _token is address(0x0)
+        Transfer.nativeOrToken(_token, _to, _amount);
+    }
+
+    // ========================= External =========================
+    /// @dev get fee function that can change state. e.g. paying priceFeed
+    /// @param _params fee params
+    /// @param _dstConfig dst config
+    /// @param //_options options
+    function getFeeOnSend(
+        FeeParams calldata _params,
+        IDVN.DstConfig calldata _dstConfig,
+        bytes calldata _options
+    ) external payable returns (uint256) {
+        _decodeDVNOptions(_options); // todo: validate options
+
+        uint256 callDataSize = _getCallDataSize(_params.quorum);
+
+        // for future versions where priceFeed charges a fee
+        //        uint256 priceFeedFee = ILayerZeroPriceFeed(_params.priceFeed).getFee(_params.dstEid, callDataSize, _dstConfig.gas);
+        //        (uint256 fee, , , uint128 nativePriceUSD) = ILayerZeroPriceFeed(_params.priceFeed).estimateFeeOnSend{
+        //            value: priceFeedFee
+        //        }(_params.dstEid, callDataSize, _dstConfig.gas);
+
+        (uint256 fee, , , uint128 nativePriceUSD) = ILayerZeroPriceFeed(_params.priceFeed).estimateFeeOnSend(
+            _params.dstEid,
+            callDataSize,
+            _dstConfig.gas
+        );
+
+        return
+            _applyPremium(
+                fee,
+                _dstConfig.multiplierBps,
+                _params.defaultMultiplierBps,
+                _dstConfig.floorMarginUSD,
+                nativePriceUSD
+            );
+    }
+
+    // ========================= View =========================
+    /// @dev get fee view function
+    /// @param _params fee params
+    /// @param _dstConfig dst config
+    /// @param //_options options
+    function getFee(
+        FeeParams calldata _params,
+        IDVN.DstConfig calldata _dstConfig,
+        bytes calldata _options
+    ) external view returns (uint256) {
+        _decodeDVNOptions(_options); // validate options
+
+        uint256 callDataSize = _getCallDataSize(_params.quorum);
+        (uint256 fee, , , uint128 nativePriceUSD) = ILayerZeroPriceFeed(_params.priceFeed).estimateFeeByEid(
+            _params.dstEid,
+            callDataSize,
+            _dstConfig.gas
+        );
+        return
+            _applyPremium(
+                fee,
+                _dstConfig.multiplierBps,
+                _params.defaultMultiplierBps,
+                _dstConfig.floorMarginUSD,
+                nativePriceUSD
+            );
+    }
+
+    // ========================= Internal =========================
+    function _getCallDataSize(uint256 _quorum) internal pure returns (uint256) {
+        uint256 totalSignatureBytes = _quorum * SIGNATURE_RAW_BYTES;
+        if (totalSignatureBytes % 32 != 0) {
+            totalSignatureBytes = totalSignatureBytes - (totalSignatureBytes % 32) + 32;
+        }
+        // getFee should charge on execute(updateHash)
+        // totalSignatureBytesPadded also has 64 overhead for bytes
+        return uint256(EXECUTE_FIXED_BYTES) + UPDATE_HASH_BYTES + totalSignatureBytes + 64;
+    }
+
+    function _applyPremium(
+        uint256 _fee,
+        uint16 _bps,
+        uint16 _defaultBps,
+        uint128 _marginUSD,
+        uint128 _nativePriceUSD
+    ) internal view returns (uint256) {
+        uint16 multiplierBps = _bps == 0 ? _defaultBps : _bps;
+
+        uint256 feeWithMultiplier = (_fee * multiplierBps) / 10000;
+        if (_nativePriceUSD == 0 || _marginUSD == 0) {
+            return feeWithMultiplier;
+        }
+
+        uint256 feeWithFloorMargin = _fee + (_marginUSD * nativeDecimalsRate) / _nativePriceUSD;
+
+        return feeWithFloorMargin > feeWithMultiplier ? feeWithFloorMargin : feeWithMultiplier;
+    }
+
+    function _decodeDVNOptions(bytes calldata _options) internal pure returns (uint256) {
+        uint256 cursor;
+        while (cursor < _options.length) {
+            (uint8 optionType, , uint256 newCursor) = _options.nextDVNOption(cursor);
+            cursor = newCursor;
+            revert UnsupportedOptionType(optionType);
+        }
+        if (cursor != _options.length) revert DVNOptions.InvalidDVNOptions(cursor);
+
+        return 0; // todo: precrime fee model
+    }
+
+    // send funds here to pay for price feed directly
+    receive() external payable {}
+}