@layerzerolabs/protocol-stellar-v2 0.2.60 → 0.2.61

package/contracts/workers/dvn/src/auth.rs

@@ -2,10 +2,9 @@ use super::*;
 use crate::{Sender, TransactionAuthData};
 use soroban_sdk::{
     address_payload::AddressPayload,
-    assert_with_error,
     auth::{Context, CustomAccountInterface},
     crypto::Hash,
-    Bytes, Symbol,
+    vec, Symbol,
 };
 
 // ============================================================================
@@ -24,12 +23,9 @@ impl CustomAccountInterface for LzDVN {
         auth_data: Self::Signature,
         auth_contexts: Vec<Context>,
     ) -> Result<(), Self::Error> {
-        let TransactionAuthData { vid, expiration, signatures, sender, preimage } = auth_data;
+        let TransactionAuthData { vid, expiration, signatures, sender } = auth_data;
 
-        // 1. Verify preimage matches signature_payload
-        let invocation = Self::verify_preimage(&env, &signature_payload, &preimage);
-
-        // 2. Check VID and expiration
+        // 1. Check VID and expiration
         if vid != Self::vid(&env) {
             return Err(DvnError::InvalidVid);
         }
@@ -37,14 +33,24 @@ impl CustomAccountInterface for LzDVN {
             return Err(DvnError::AuthDataExpired);
         }
 
-        // 3. Admin verification (`set_admin` bypasses this - allows quorum-only admin changes)
-        let requires_admin = !Self::is_invoking_worker_set_admin(&env, &auth_contexts);
-        if requires_admin {
+        // 2. Extract and validate calls from auth contexts
+        let (calls, is_set_admin) = match auth_contexts.len() {
+            1 => {
+                let call = Self::extract_single_self_call(&env, &auth_contexts)?;
+                let is_set_admin = call.func == Symbol::new(&env, "set_admin");
+                (vec![&env, call], is_set_admin)
+            }
+            3 => (Self::extract_upgrade_calls(&env, &auth_contexts)?, false),
+            _ => return Err(DvnError::InvalidAuthContext),
+        };
+
+        // 3. Admin verification (set_admin bypasses)
+        if !is_set_admin {
             Self::verify_admin_signature(&env, &sender, &signature_payload)?;
         }
 
         // 4. Replay protection
-        let hash = Self::hash_call_data(&env, vid, expiration, &invocation);
+        let hash = Self::hash_call_data(&env, vid, expiration, &calls);
         if DvnStorage::used_hash(&env, &hash) {
             return Err(DvnError::HashAlreadyUsed);
         }
@@ -62,17 +68,6 @@ impl CustomAccountInterface for LzDVN {
 // ============================================================================
 
 impl LzDVN {
-    /// Verifies the preimage matches the host-provided `signature_payload`
-    /// and returns the invocation bytes extracted from it.
-    fn verify_preimage(env: &Env, signature_payload: &Hash<32>, preimage: &Bytes) -> Bytes {
-        let computed = env.crypto().sha256(preimage);
-        assert_with_error!(env, computed.to_bytes() == signature_payload.to_bytes(), DvnError::InvalidPreimage);
-
-        // Skip the 48-byte fixed prefix:
-        // envelope_type (4) + network_id (32) + nonce (8) + expiry_ledger (4) = 48
-        preimage.slice(48..)
-    }
-
     /// Verifies that the sender is an admin with a valid signature.
     ///
     /// # Errors
@@ -92,14 +87,56 @@ impl LzDVN {
         Ok(())
     }
 
-    /// Checks if the first auth context is a call to `set_admin` on this contract.
+    /// Extracts a single self-targeting contract call from auth_contexts.
+    fn extract_single_self_call(env: &Env, auth_contexts: &Vec<Context>) -> Result<Call, DvnError> {
+        let Context::Contract(ctx) = auth_contexts.get(0).unwrap() else {
+            return Err(DvnError::NonContractInvoke);
+        };
+        if ctx.contract != env.current_contract_address() {
+            return Err(DvnError::InvalidAuthContext);
+        }
+        Ok(Call { to: ctx.contract, func: ctx.fn_name, args: ctx.args })
+    }
+
+    /// Extracts and validates upgrade auth contexts (3 entries, positional).
     ///
-    /// Used to allow quorum-only admin changes without requiring existing admin authorization.
-    fn is_invoking_worker_set_admin(env: &Env, auth_contexts: &Vec<Context>) -> bool {
-        auth_contexts.len() == 1
-            && auth_contexts.first().is_some_and(|ctx| {
-                let Context::Contract(c) = ctx else { return false };
-                c.contract == env.current_contract_address() && c.fn_name == Symbol::new(env, "set_admin")
-            })
+    /// Expected order:
+    /// - `[0]`: Upgrader contract call (must target the registered upgrader)
+    /// - `[1]`: `upgrade` self-call
+    /// - `[2]`: `migrate` self-call
+    fn extract_upgrade_calls(env: &Env, auth_contexts: &Vec<Context>) -> Result<Vec<Call>, DvnError> {
+        let self_addr = env.current_contract_address();
+        let upgrader_addr = Self::upgrader(env).ok_or(DvnError::UpgraderNotSet)?;
+
+        // [0]: Upgrader contract call
+        let Context::Contract(ctx0) = auth_contexts.get(0).unwrap() else {
+            return Err(DvnError::NonContractInvoke);
+        };
+        if ctx0.contract != upgrader_addr {
+            return Err(DvnError::InvalidUpgradeContext);
+        }
+
+        // [1]: upgrade self-call
+        let Context::Contract(ctx1) = auth_contexts.get(1).unwrap() else {
+            return Err(DvnError::NonContractInvoke);
+        };
+        if ctx1.contract != self_addr || ctx1.fn_name != Symbol::new(env, "upgrade") {
+            return Err(DvnError::InvalidUpgradeContext);
+        }
+
+        // [2]: migrate self-call
+        let Context::Contract(ctx2) = auth_contexts.get(2).unwrap() else {
+            return Err(DvnError::NonContractInvoke);
+        };
+        if ctx2.contract != self_addr || ctx2.fn_name != Symbol::new(env, "migrate") {
+            return Err(DvnError::InvalidUpgradeContext);
+        }
+
+        Ok(vec![
+            env,
+            Call { to: ctx0.contract, func: ctx0.fn_name, args: ctx0.args },
+            Call { to: ctx1.contract, func: ctx1.fn_name, args: ctx1.args },
+            Call { to: ctx2.contract, func: ctx2.fn_name, args: ctx2.args },
+        ])
     }
 }

package/contracts/workers/dvn/src/dvn.rs

@@ -5,12 +5,17 @@
 //! signatures for authorization and implements Soroban's custom account
 //! interface for transaction signing.
 
-use crate::{errors::DvnError, events::SetDstConfig, storage::DvnStorage, DstConfig, DstConfigParam, IDVN};
-use common_macros::{contract_impl, lz_contract};
+use crate::{
+    errors::DvnError,
+    events::{SetDstConfig, SetUpgrader},
+    storage::DvnStorage,
+    Call, DstConfig, DstConfigParam, IDVN,
+};
+use common_macros::{contract_impl, lz_contract, only_auth};
 use endpoint_v2::FeeRecipient;
 use fee_lib_interfaces::{DvnFeeLibClient, DvnFeeParams};
 use message_lib_common::interfaces::ILayerZeroDVN;
-use soroban_sdk::{Address, Bytes, BytesN, Env, Vec};
+use soroban_sdk::{xdr::ToXdr, Address, Bytes, BytesN, Env, Val, Vec};
 use utils::{buffer_writer::BufferWriter, multisig, option_ext::OptionExt};
 use worker::{
     assert_acl, assert_not_paused, assert_supported_message_lib, init_worker, require_admin_auth, set_admin_by_admin,
@@ -88,6 +93,26 @@ impl LzDVN {
 
 #[contract_impl]
 impl IDVN for LzDVN {
+    /// Dispatches external contract calls.
+    #[only_auth]
+    fn execute_transaction(env: &Env, calls: &Vec<Call>) {
+        for call in calls.iter() {
+            env.invoke_contract::<Val>(&call.to, &call.func, call.args);
+        }
+    }
+
+    /// Sets the upgrader contract address. Requires self authorization.
+    #[only_auth]
+    fn set_upgrader(env: &Env, upgrader: &Option<Address>) {
+        DvnStorage::set_or_remove_upgrader(env, upgrader);
+        SetUpgrader { upgrader: upgrader.clone() }.publish(env);
+    }
+
+    /// Returns the current upgrader contract address, if set.
+    fn upgrader(env: &Env) -> Option<Address> {
+        DvnStorage::upgrader(env)
+    }
+
     /// Sets destination chain configurations. Requires admin authorization.
     fn set_dst_config(env: &Env, admin: &Address, params: &Vec<DstConfigParam>) {
         require_admin_auth::<Self>(env, admin);
@@ -107,12 +132,12 @@ impl IDVN for LzDVN {
         DvnStorage::vid(env).unwrap()
     }
 
-    /// Computes the hash of invocation data for multisig signing.
+    /// Computes the hash of call data for multisig signing.
     ///
     /// Off-chain signers use this to compute the hash they need to sign.
-    fn hash_call_data(env: &Env, vid: u32, expiration: u64, invocation: &Bytes) -> BytesN<32> {
+    fn hash_call_data(env: &Env, vid: u32, expiration: u64, calls: &Vec<Call>) -> BytesN<32> {
         let mut writer = BufferWriter::new(env);
-        let data = writer.write_u32(vid).write_u64(expiration).write_bytes(invocation).to_bytes();
+        let data = writer.write_u32(vid).write_u64(expiration).write_bytes(&calls.to_xdr(env)).to_bytes();
         env.crypto().keccak256(&data).into()
     }
 }

package/contracts/workers/dvn/src/errors.rs

@@ -5,7 +5,10 @@ pub enum DvnError {
     AuthDataExpired,
     EidNotSupported,
     HashAlreadyUsed,
-    InvalidPreimage,
+    InvalidAuthContext,
+    InvalidUpgradeContext,
     InvalidVid,
+    NonContractInvoke,
     OnlyAdmin,
+    UpgraderNotSet,
 }

package/contracts/workers/dvn/src/events.rs

@@ -1,8 +1,14 @@
 use crate::DstConfigParam;
-use soroban_sdk::{contractevent, Vec};
+use soroban_sdk::{contractevent, Address, Vec};
 
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct SetDstConfig {
     pub params: Vec<DstConfigParam>,
 }
+
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct SetUpgrader {
+    pub upgrader: Option<Address>,
+}

package/contracts/workers/dvn/src/interfaces/dvn.rs

@@ -1,5 +1,5 @@
 use message_lib_common::interfaces::ILayerZeroDVN;
-use soroban_sdk::{auth::CustomAccountInterface, contractclient, contracttype, Address, Bytes, BytesN, Env, Vec};
+use soroban_sdk::{auth::CustomAccountInterface, contractclient, contracttype, Address, BytesN, Env, Symbol, Val, Vec};
 use utils::multisig::MultiSig;
 use worker::Worker;
 
@@ -32,9 +32,6 @@ pub struct TransactionAuthData {
     pub signatures: Vec<BytesN<65>>,
     /// Entity submitting the transaction (admin, or permissionless).
     pub sender: Sender,
-    /// XDR-encoded `HashIdPreimage::SorobanAuthorization` from the auth entry.
-    /// Layout: envelope_type (4) || network_id (32) || nonce (8) || expiry_ledger (4) || invocation (variable).
-    pub preimage: Bytes,
 }
 
 // ============================================================================
@@ -66,12 +63,32 @@ pub struct DstConfigParam {
     pub config: DstConfig,
 }
 
+/// Represents a single contract invocation for multisig authorization.
+///
+/// Used in `hash_call_data` to compute the hash that signers sign over.
+#[contracttype]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct Call {
+    /// Target contract address.
+    pub to: Address,
+    /// Function name to invoke.
+    pub func: Symbol,
+    /// Function arguments.
+    pub args: Vec<Val>,
+}
+
 /// DVN (Decentralized Verifier Network) contract interface.
 ///
 /// Extends the LayerZero DVN interface with destination configuration management
 /// and multisig capabilities for secure cross-chain message verification.
 #[contractclient(name = "DVNClient")]
 pub trait IDVN: ILayerZeroDVN + Worker + MultiSig + CustomAccountInterface {
+    /// Dispatches a list of external contract calls.
+    ///
+    /// # Arguments
+    /// * `calls` - List of calls to execute atomically
+    fn execute_transaction(env: &Env, calls: &Vec<Call>);
+
     /// Sets the configuration for one or more destination chains.
     ///
     /// # Arguments
@@ -93,17 +110,26 @@ pub trait IDVN: ILayerZeroDVN + Worker + MultiSig + CustomAccountInterface {
     /// The VID is a unique identifier used in multisig authentication.
     fn vid(env: &Env) -> u32;
 
-    /// Computes the hash of invocation data for multisig signing.
+    /// Sets or clears the registered upgrader contract address.
+    ///
+    /// Protected by `#[only_auth]` (multisig quorum required).
+    /// Pass `None` to remove the upgrader.
+    fn set_upgrader(env: &Env, upgrader: &Option<Address>);
+
+    /// Returns the registered upgrader contract address, if any.
+    fn upgrader(env: &Env) -> Option<Address>;
+
+    /// Computes the hash of call data for multisig signing.
     ///
     /// Off-chain signers use this to compute the hash they need to sign.
-    /// The hash includes the VID, expiration, and the raw invocation XDR.
+    /// The hash includes the VID, expiration, and the calls being authorized.
     ///
     /// # Arguments
     /// * `vid` - Verifier ID (must match contract's VID)
     /// * `expiration` - Expiration timestamp for the authorization
-    /// * `invocation` - XDR-encoded `SorobanAuthorizedInvocation` from the auth entry
+    /// * `calls` - The contract calls being authorized
     ///
     /// # Returns
     /// A 32-byte keccak256 hash to be signed by the multisig quorum
-    fn hash_call_data(env: &Env, vid: u32, expiration: u64, invocation: &Bytes) -> BytesN<32>;
+    fn hash_call_data(env: &Env, vid: u32, expiration: u64, calls: &Vec<Call>) -> BytesN<32>;
 }

package/contracts/workers/dvn/src/storage.rs

@@ -1,6 +1,6 @@
 use crate::DstConfig;
 use common_macros::storage;
-use soroban_sdk::BytesN;
+use soroban_sdk::{Address, BytesN};
 
 /// DVN contract storage keys.
 ///
@@ -11,6 +11,10 @@ pub enum DvnStorage {
     #[instance(u32)]
     Vid,
 
+    /// Registered upgrader contract address for upgrade operations.
+    #[instance(Address)]
+    Upgrader,
+
     /// Destination chain configuration, keyed by endpoint ID.
     #[persistent(DstConfig)]
     DstConfig { dst_eid: u32 },