@layerzerolabs/protocol-stellar-v2 0.2.18 → 0.2.19

package/contracts/oapps/{oft → oft-core}/src/tests/test_utils.rs

@@ -4,7 +4,7 @@
 
 use crate::{
     codec::oft_msg_codec::OFTMessage,
-    oft::OFTClient,
+    oft_core::OFTClient,
     types::{OFTReceipt, SendParam},
 };
 use endpoint_v2::{LayerZeroReceiverClient, MessagingFee, MessagingParams, MessagingReceipt, Origin};
@@ -104,15 +104,21 @@ pub fn create_origin(src_eid: u32, sender: &BytesN<32>, nonce: u64) -> Origin {
 // ==================== Test OFT Contracts ====================
 
 mod test_mint_burn_oft {
-    extern crate self as oft;
-
-    use crate::initialize_oft;
-    use crate::oft::{OFTInternal, OFT};
-    use crate::oft_impl;
-    use crate::types::OFTReceipt;
+    use crate::{
+        self as oft_core,
+        oft_core::{initialize_oft, lz_receive, OFTCore, OFTInternal},
+        types::OFTReceipt,
+    };
     use endpoint_v2::Origin;
     use oapp::oapp_receiver::LzReceiveInternal;
-    use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
+    use soroban_sdk::{contractclient, contractimpl, Address, Bytes, BytesN, Env};
+
+    #[contractclient(name = "MintBurnTokenClient")]
+    #[allow(dead_code)]
+    trait MintBurnToken {
+        fn mint(env: Env, to: Address, amount: i128);
+        fn burn(env: Env, from: Address, amount: i128);
+    }
 
     #[oapp_macros::oapp]
     pub struct TestMintBurnOFT;
@@ -132,7 +138,7 @@ mod test_mint_burn_oft {
     }
 
     #[contractimpl(contracttrait)]
-    impl OFT for TestMintBurnOFT {}
+    impl OFTCore for TestMintBurnOFT {}
 
     impl LzReceiveInternal for TestMintBurnOFT {
         fn __lz_receive(
@@ -144,32 +150,36 @@ mod test_mint_burn_oft {
             executor: &Address,
             value: i128,
         ) {
-            oft_impl::lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
+            lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
         }
     }
 
     impl OFTInternal for TestMintBurnOFT {
         fn __debit(env: &Env, sender: &Address, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> OFTReceipt {
-            crate::oft_types::mint_burn::debit::<Self>(env, sender, amount_ld, min_amount_ld, dst_eid)
+            // Inline mint_burn::debit implementation
+            let receipt = Self::__debit_view(env, amount_ld, min_amount_ld, dst_eid);
+            MintBurnTokenClient::new(env, &Self::token(env)).burn(sender, &receipt.amount_received_ld);
+            receipt
         }
 
-        fn __credit(env: &Env, to: &Address, amount_ld: i128, src_eid: u32) -> i128 {
-            crate::oft_types::mint_burn::credit::<Self>(env, to, amount_ld, src_eid)
+        fn __credit(env: &Env, to: &Address, amount_ld: i128, _src_eid: u32) -> i128 {
+            // Inline mint_burn::credit implementation
+            MintBurnTokenClient::new(env, &Self::token(env)).mint(to, &amount_ld);
+            amount_ld
         }
     }
 }
 pub use test_mint_burn_oft::TestMintBurnOFT;
 
 mod test_lock_unlock_oft {
-    extern crate self as oft;
-
-    use crate::initialize_oft;
-    use crate::oft::{OFTInternal, OFT};
-    use crate::oft_impl;
-    use crate::types::OFTReceipt;
+    use crate::{
+        self as oft_core,
+        oft_core::{initialize_oft, lz_receive, OFTCore, OFTInternal},
+        types::OFTReceipt,
+    };
     use endpoint_v2::Origin;
     use oapp::oapp_receiver::{LzReceiveInternal, OAppReceiver};
-    use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
+    use soroban_sdk::{contractimpl, token::TokenClient, Address, Bytes, BytesN, Env};
 
     #[oapp_macros::oapp(custom = [receiver])]
     pub struct TestLockUnlockOFT;
@@ -189,7 +199,7 @@ mod test_lock_unlock_oft {
     }
 
     #[contractimpl(contracttrait)]
-    impl OFT for TestLockUnlockOFT {}
+    impl OFTCore for TestLockUnlockOFT {}
 
     impl LzReceiveInternal for TestLockUnlockOFT {
         fn __lz_receive(
@@ -201,7 +211,7 @@ mod test_lock_unlock_oft {
             executor: &Address,
             value: i128,
         ) {
-            oft_impl::lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
+            lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
         }
     }
 
@@ -211,11 +221,20 @@ mod test_lock_unlock_oft {
 
     impl OFTInternal for TestLockUnlockOFT {
         fn __debit(env: &Env, sender: &Address, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> OFTReceipt {
-            crate::oft_types::lock_unlock::debit::<Self>(env, sender, amount_ld, min_amount_ld, dst_eid)
+            // Inline lock_unlock::debit implementation
+            let receipt: OFTReceipt = Self::__debit_view(env, amount_ld, min_amount_ld, dst_eid);
+            TokenClient::new(env, &Self::token(env)).transfer(
+                sender,
+                env.current_contract_address(),
+                &receipt.amount_received_ld,
+            );
+            receipt
         }
 
-        fn __credit(env: &Env, to: &Address, amount_ld: i128, src_eid: u32) -> i128 {
-            crate::oft_types::lock_unlock::credit::<Self>(env, to, amount_ld, src_eid)
+        fn __credit(env: &Env, to: &Address, amount_ld: i128, _src_eid: u32) -> i128 {
+            // Inline lock_unlock::credit implementation
+            TokenClient::new(env, &Self::token(env)).transfer(&env.current_contract_address(), to, &amount_ld);
+            amount_ld
         }
     }
 }

package/contracts/oapps/{oft → oft-core}/src/utils.rs

@@ -38,7 +38,7 @@ pub fn remove_dust(amount_ld: i128, conversion_rate: i128) -> i128 {
 ///
 /// # Returns
 /// A 32-byte payload (contract ID hash or Ed25519 public key)
-pub fn address_to_bytes32(address: &Address) -> BytesN<32> {
+pub fn address_payload(address: &Address) -> BytesN<32> {
     match address.to_payload().unwrap() {
         AddressPayload::ContractIdHash(payload) => payload,
         AddressPayload::AccountIdPublicKeyEd25519(payload) => payload,

package/contracts/utils/src/errors.rs

@@ -27,8 +27,12 @@ pub enum TtlConfigurableError {
 /// OwnableError: 1030-1039
 #[contract_error]
 pub enum OwnableError {
-    OwnerAlreadySet = 1030,
+    InvalidPendingOwner = 1030,
+    InvalidTtl,
+    NoPendingTransfer,
+    OwnerAlreadySet,
     OwnerNotSet,
+    TransferInProgress,
 }
 
 /// BytesExtError: 1040-1049

package/contracts/utils/src/ownable.rs

@@ -6,7 +6,7 @@ use soroban_sdk::{assert_with_error, contractevent, Address, Env};
 // Ownable events
 // ===========================================================================
 
-/// Event emitted when ownership is transferred.
+/// Event emitted when ownership is transferred (both single-step and two-step completion).
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct OwnershipTransferred {
@@ -14,6 +14,15 @@ pub struct OwnershipTransferred {
     pub new_owner: Address,
 }
 
+/// Event emitted when a 2-step ownership transfer is proposed.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct OwnershipTransferring {
+    pub old_owner: Address,
+    pub new_owner: Address,
+    pub ttl: u32,
+}
+
 /// Event emitted when ownership is renounced.
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -30,6 +39,10 @@ pub struct OwnershipRenounced {
 pub enum OwnableStorage {
     #[instance(Address)]
     Owner,
+    /// Pending owner for 2-step transfer. Stored in temporary storage with TTL -
+    /// automatically expires if not accepted in time.
+    #[temporary(Address)]
+    PendingOwner,
 }
 
 // ===========================================================================
@@ -40,23 +53,126 @@ pub enum OwnableStorage {
 ///
 /// Extends `Auth` to provide owner-based authorization. The `Auth::authorizer()`
 /// implementation should return the owner address for Ownable contracts.
+///
+/// Supports both single-step and two-step ownership transfer:
+/// - Single-step: `transfer_ownership` - Immediate transfer (use with caution)
+/// - Two-step: `propose_ownership_transfer` + `accept_ownership` - Safer, requires new owner to accept
 #[contract_trait]
 pub trait Ownable: Sized + Auth {
+    // ===========================================================================
+    // View functions
+    // ===========================================================================
+
     /// Returns the current owner address, or None if no owner is set.
     fn owner(env: &Env) -> Option<Address> {
         OwnableStorage::owner(env)
     }
 
-    /// Transfers ownership to a new address. Requires current owner authorization.
+    /// Returns the pending owner address for 2-step transfer, or None if no transfer is pending.
+    fn pending_owner(env: &Env) -> Option<Address> {
+        OwnableStorage::pending_owner(env)
+    }
+
+    // ===========================================================================
+    // Single-step transfer (immediate)
+    // ===========================================================================
+
+    /// Transfers ownership immediately to a new address.
+    ///
+    /// Use with caution - if you transfer to a wrong address, ownership is lost forever.
+    /// Consider using `propose_ownership_transfer` instead.
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `TransferInProgress` if a 2-step transfer is in progress
     fn transfer_ownership(env: &Env, new_owner: &Address) {
         let old_owner = enforce_owner_auth::<Self>(env);
+        assert_no_pending_transfer::<Self>(env);
+
         OwnableStorage::set_owner(env, new_owner);
         OwnershipTransferred { old_owner, new_owner: new_owner.clone() }.publish(env);
     }
 
-    /// Permanently renounces ownership. Requires current owner authorization.
+    // ===========================================================================
+    // Two-step transfer (safer)
+    // ===========================================================================
+
+    /// Proposes an ownership transfer to a new address.
+    ///
+    /// The new owner must call `accept_ownership()` within `ttl` ledgers
+    /// to complete the transfer. The pending transfer will automatically expire after.
+    ///
+    /// # Arguments
+    /// - `new_owner` - The proposed new owner
+    /// - `ttl` - Number of ledgers the new owner has to accept.
+    ///   Use `0` to cancel a pending transfer (new_owner must match pending).
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `NoPendingTransfer` when cancelling and no pending transfer exists
+    /// - `InvalidTtl` if ttl exceeds max TTL
+    /// - `InvalidPendingOwner` when cancelling with wrong new_owner address
+    fn propose_ownership_transfer(env: &Env, new_owner: &Address, ttl: u32) {
+        let old_owner = enforce_owner_auth::<Self>(env);
+
+        // Cancel case: ttl == 0
+        if ttl == 0 {
+            let pending = Self::pending_owner(env).unwrap_or_panic(env, OwnableError::NoPendingTransfer);
+
+            // Verify new_owner matches pending (prevents accidental cancellation)
+            assert_with_error!(env, pending == *new_owner, OwnableError::InvalidPendingOwner);
+
+            OwnableStorage::remove_pending_owner(env);
+            return;
+        }
+
+        // Initiate case: validate ttl
+        assert_with_error!(env, ttl <= env.storage().max_ttl(), OwnableError::InvalidTtl);
+
+        // Store pending owner with TTL
+        OwnableStorage::set_pending_owner(env, new_owner);
+        OwnableStorage::extend_pending_owner_ttl(env, ttl, ttl);
+
+        OwnershipTransferring { old_owner, new_owner: new_owner.clone(), ttl }.publish(env);
+    }
+
+    /// Accepts a pending 2-step ownership transfer.
+    ///
+    /// Must be called by the pending owner before the TTL expires.
+    ///
+    /// # Panics
+    /// - `NoPendingTransfer` if there is no pending transfer (or it expired)
+    fn accept_ownership(env: &Env) {
+        let new_owner = Self::pending_owner(env).unwrap_or_panic(env, OwnableError::NoPendingTransfer);
+
+        // Require authorization from the pending owner
+        new_owner.require_auth();
+
+        // Safe to unwrap: owner must exist if pending_owner exists because:
+        // 1. pending_owner can only be set via propose_ownership_transfer, which requires owner auth
+        // 2. renounce_ownership is blocked while a 2-step transfer is in progress
+        let old_owner = OwnableStorage::owner(env).unwrap();
+
+        // Transfer ownership
+        OwnableStorage::remove_pending_owner(env);
+        OwnableStorage::set_owner(env, &new_owner);
+
+        OwnershipTransferred { old_owner, new_owner }.publish(env);
+    }
+
+    // ===========================================================================
+    // Renounce
+    // ===========================================================================
+
+    /// Permanently renounces ownership.
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `TransferInProgress` if a 2-step transfer is in progress (cancel it first)
     fn renounce_ownership(env: &Env) {
         let old_owner = enforce_owner_auth::<Self>(env);
+        assert_no_pending_transfer::<Self>(env);
+
         OwnableStorage::remove_owner(env);
         OwnershipRenounced { old_owner }.publish(env);
     }
@@ -86,3 +202,9 @@ pub fn enforce_owner_auth<T: Ownable>(env: &Env) -> Address {
 pub fn require_owner_auth<T: Ownable>(env: &Env) {
     let _ = enforce_owner_auth::<T>(env);
 }
+
+/// Asserts that no 2-step ownership transfer is in progress.
+/// Panics with `TransferInProgress` if a pending transfer exists.
+fn assert_no_pending_transfer<T: Ownable>(env: &Env) {
+    assert_with_error!(env, T::pending_owner(env).is_none(), OwnableError::TransferInProgress);
+}

package/contracts/utils/src/tests/option_ext.rs

@@ -10,7 +10,7 @@ fn unwrap_or_panic_some_returns_value() {
 
 #[test]
 fn unwrap_or_panic_none_panics_with_error() {
-    const EXPECTED: &str = "Error(Contract, #1031)"; // OwnerNotSet
+    const EXPECTED: &str = "Error(Contract, #1034)"; // OwnerNotSet
     assert_panics_contains("none unwrap_or_panic", EXPECTED, || {
         let env = Env::default();
         let _got: u32 = None::<u32>.unwrap_or_panic(&env, OwnableError::OwnerNotSet);