@openzeppelin/confidential-contracts 0.2.0-rc.1

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@openzeppelin/confidential-contracts",
+  "description": "Smart Contract library for use with confidential coprocessors",
+  "version": "0.2.0-rc.1",
+  "files": [
+    "**/*.sol",
+    "/build/contracts/*.json",
+    "!/mocks/**/*"
+  ],
+  "scripts": {
+    "prepack": "bash ../scripts/prepack.sh",
+    "prepare-docs": "cd ..; npm run prepare-docs"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts.git"
+  },
+  "keywords": [
+    "solidity",
+    "ethereum",
+    "smart",
+    "contracts",
+    "security",
+    "zeppelin",
+    "confidential",
+    "fhe"
+  ],
+  "author": "OpenZeppelin Community <maintainers@openzeppelin.org>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts/issues"
+  },
+  "homepage": "https://openzeppelin.com/contracts/",
+  "peerDependencies": {
+    "@fhevm/solidity": "0.7.0",
+    "@openzeppelin/contracts": "^5.3.0",
+    "@openzeppelin/contracts-upgradeable": "^5.3.0"
+  }
+}

package/token/ConfidentialFungibleToken.sol

@@ -0,0 +1,314 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.1) (token/ConfidentialFungibleToken.sol)
+pragma solidity ^0.8.27;
+
+import {FHE, externalEuint64, ebool, euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {IConfidentialFungibleToken} from "./../interfaces/IConfidentialFungibleToken.sol";
+import {TFHESafeMath} from "./../utils/TFHESafeMath.sol";
+import {ConfidentialFungibleTokenUtils} from "./utils/ConfidentialFungibleTokenUtils.sol";
+
+/**
+ * @dev Reference implementation for {IConfidentialFungibleToken}.
+ *
+ * This contract implements a fungible token where balances and transfers are encrypted using the Zama fhEVM,
+ * providing confidentiality to users. Token amounts are stored as encrypted, unsigned integers (`euint64`)
+ * that can only be decrypted by authorized parties.
+ *
+ * Key features:
+ *
+ * - All balances are encrypted
+ * - Transfers happen without revealing amounts
+ * - Support for operators (delegated transfer capabilities with time bounds)
+ * - Transfer and call pattern
+ * - Safe overflow/underflow handling for FHE operations
+ */
+abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
+    mapping(address holder => euint64) private _balances;
+    mapping(address holder => mapping(address spender => uint48)) private _operators;
+    mapping(uint256 requestId => euint64 encryptedAmount) private _requestHandles;
+    euint64 private _totalSupply;
+    string private _name;
+    string private _symbol;
+    string private _tokenURI;
+
+    /// @dev The given receiver `receiver` is invalid for transfers.
+    error ConfidentialFungibleTokenInvalidReceiver(address receiver);
+
+    /// @dev The given sender `sender` is invalid for transfers.
+    error ConfidentialFungibleTokenInvalidSender(address sender);
+
+    /// @dev The given holder `holder` is not authorized to spend on behalf of `spender`.
+    error ConfidentialFungibleTokenUnauthorizedSpender(address holder, address spender);
+
+    /// @dev The holder `holder` is trying to send tokens but has a balance of 0.
+    error ConfidentialFungibleTokenZeroBalance(address holder);
+
+    /**
+     * @dev The caller `user` does not have access to the encrypted amount `amount`.
+     *
+     * NOTE: Try using the equivalent transfer function with an input proof.
+     */
+    error ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(euint64 amount, address user);
+
+    /// @dev The given caller `caller` is not authorized for the current operation.
+    error ConfidentialFungibleTokenUnauthorizedCaller(address caller);
+
+    /// @dev The given gateway request ID `requestId` is invalid.
+    error ConfidentialFungibleTokenInvalidGatewayRequest(uint256 requestId);
+
+    constructor(string memory name_, string memory symbol_, string memory tokenURI_) {
+        _name = name_;
+        _symbol = symbol_;
+        _tokenURI = tokenURI_;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function name() public view virtual returns (string memory) {
+        return _name;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function symbol() public view virtual returns (string memory) {
+        return _symbol;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function decimals() public view virtual returns (uint8) {
+        return 6;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function tokenURI() public view virtual returns (string memory) {
+        return _tokenURI;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTotalSupply() public view virtual returns (euint64) {
+        return _totalSupply;
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialBalanceOf(address account) public view virtual returns (euint64) {
+        return _balances[account];
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function isOperator(address holder, address spender) public view virtual returns (bool) {
+        return holder == spender || block.timestamp <= _operators[holder][spender];
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function setOperator(address operator, uint48 until) public virtual {
+        _setOperator(msg.sender, operator, until);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransfer(
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) public virtual returns (euint64) {
+        return _transfer(msg.sender, to, FHE.fromExternal(encryptedAmount, inputProof));
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransfer(address to, euint64 amount) public virtual returns (euint64) {
+        require(
+            FHE.isAllowed(amount, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
+        );
+        return _transfer(msg.sender, to, amount);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferFrom(
+        address from,
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) public virtual returns (euint64 transferred) {
+        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        transferred = _transfer(from, to, FHE.fromExternal(encryptedAmount, inputProof));
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferFrom(
+        address from,
+        address to,
+        euint64 amount
+    ) public virtual returns (euint64 transferred) {
+        require(
+            FHE.isAllowed(amount, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
+        );
+        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        transferred = _transfer(from, to, amount);
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferAndCall(
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof,
+        bytes calldata data
+    ) public virtual returns (euint64 transferred) {
+        transferred = _transferAndCall(msg.sender, to, FHE.fromExternal(encryptedAmount, inputProof), data);
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferAndCall(
+        address to,
+        euint64 amount,
+        bytes calldata data
+    ) public virtual returns (euint64 transferred) {
+        require(
+            FHE.isAllowed(amount, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
+        );
+        transferred = _transferAndCall(msg.sender, to, amount, data);
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferFromAndCall(
+        address from,
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof,
+        bytes calldata data
+    ) public virtual returns (euint64 transferred) {
+        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        transferred = _transferAndCall(from, to, FHE.fromExternal(encryptedAmount, inputProof), data);
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /// @inheritdoc IConfidentialFungibleToken
+    function confidentialTransferFromAndCall(
+        address from,
+        address to,
+        euint64 amount,
+        bytes calldata data
+    ) public virtual returns (euint64 transferred) {
+        require(
+            FHE.isAllowed(amount, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
+        );
+        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        transferred = _transferAndCall(from, to, amount, data);
+        FHE.allowTransient(transferred, msg.sender);
+    }
+
+    /**
+     * @dev Discloses an encrypted amount `encryptedAmount` publicly via an {IConfidentialFungibleToken-AmountDisclosed}
+     * event. The caller and this contract must be authorized to use the encrypted amount on the ACL.
+     *
+     * NOTE: This is an asynchronous operation where the actual decryption happens off-chain and
+     * {finalizeDiscloseEncryptedAmount} is called with the result.
+     */
+    function discloseEncryptedAmount(euint64 encryptedAmount) public virtual {
+        require(
+            FHE.isAllowed(encryptedAmount, msg.sender) && FHE.isAllowed(encryptedAmount, address(this)),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(encryptedAmount, msg.sender)
+        );
+
+        bytes32[] memory cts = new bytes32[](1);
+        cts[0] = euint64.unwrap(encryptedAmount);
+        uint256 requestID = FHE.requestDecryption(cts, this.finalizeDiscloseEncryptedAmount.selector);
+        _requestHandles[requestID] = encryptedAmount;
+    }
+
+    /// @dev May only be called by the gateway contract. Finalizes a disclose encrypted amount request.
+    function finalizeDiscloseEncryptedAmount(
+        uint256 requestId,
+        uint64 amount,
+        bytes[] memory signatures
+    ) public virtual {
+        FHE.checkSignatures(requestId, signatures);
+
+        euint64 requestHandle = _requestHandles[requestId];
+        require(FHE.isInitialized(requestHandle), ConfidentialFungibleTokenInvalidGatewayRequest(requestId));
+        emit AmountDisclosed(requestHandle, amount);
+
+        _requestHandles[requestId] = euint64.wrap(0);
+    }
+
+    function _setOperator(address holder, address operator, uint48 until) internal virtual {
+        _operators[holder][operator] = until;
+        emit OperatorSet(holder, operator, until);
+    }
+
+    function _mint(address to, euint64 amount) internal returns (euint64 transferred) {
+        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        return _update(address(0), to, amount);
+    }
+
+    function _burn(address from, euint64 amount) internal returns (euint64 transferred) {
+        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
+        return _update(from, address(0), amount);
+    }
+
+    function _transfer(address from, address to, euint64 amount) internal returns (euint64 transferred) {
+        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
+        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        return _update(from, to, amount);
+    }
+
+    function _transferAndCall(
+        address from,
+        address to,
+        euint64 amount,
+        bytes calldata data
+    ) internal returns (euint64 transferred) {
+        // Try to transfer amount + replace input with actually transferred amount.
+        euint64 sent = _transfer(from, to, amount);
+
+        // Perform callback
+        transferred = FHE.select(
+            ConfidentialFungibleTokenUtils.checkOnTransferReceived(msg.sender, from, to, sent, data),
+            sent,
+            FHE.asEuint64(0)
+        );
+
+        // Refund if success fails. refund should never fail
+        _update(to, from, FHE.sub(sent, transferred));
+    }
+
+    function _update(address from, address to, euint64 amount) internal virtual returns (euint64 transferred) {
+        ebool success;
+        euint64 ptr;
+
+        if (from == address(0)) {
+            (success, ptr) = TFHESafeMath.tryIncrease(_totalSupply, amount);
+            FHE.allowThis(ptr);
+            _totalSupply = ptr;
+        } else {
+            euint64 fromBalance = _balances[from];
+            require(FHE.isInitialized(fromBalance), ConfidentialFungibleTokenZeroBalance(from));
+            (success, ptr) = TFHESafeMath.tryDecrease(fromBalance, amount);
+            FHE.allowThis(ptr);
+            FHE.allow(ptr, from);
+            _balances[from] = ptr;
+        }
+
+        transferred = FHE.select(success, amount, FHE.asEuint64(0));
+
+        if (to == address(0)) {
+            ptr = FHE.sub(_totalSupply, transferred);
+            FHE.allowThis(ptr);
+            _totalSupply = ptr;
+        } else {
+            ptr = FHE.add(_balances[to], transferred);
+            FHE.allowThis(ptr);
+            FHE.allow(ptr, to);
+            _balances[to] = ptr;
+        }
+
+        if (from != address(0)) FHE.allow(transferred, from);
+        if (to != address(0)) FHE.allow(transferred, to);
+        FHE.allowThis(transferred);
+        emit ConfidentialTransfer(from, to, transferred);
+    }
+}

package/token/extensions/ConfidentialFungibleTokenERC20Wrapper.sol

@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.1) (token/extensions/ConfidentialFungibleTokenERC20Wrapper.sol)
+
+pragma solidity ^0.8.27;
+
+import {FHE, externalEuint64, euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {IERC1363Receiver} from "@openzeppelin/contracts/interfaces/IERC1363Receiver.sol";
+import {IERC20} from "@openzeppelin/contracts/interfaces/IERC20.sol";
+import {IERC20Metadata} from "@openzeppelin/contracts/interfaces/IERC20Metadata.sol";
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";
+import {ConfidentialFungibleToken} from "./../ConfidentialFungibleToken.sol";
+
+/**
+ * @dev A wrapper contract built on top of {ConfidentialFungibleToken} that allows wrapping an `ERC20` token
+ * into a confidential fungible token. The wrapper contract implements the `IERC1363Receiver` interface
+ * which allows users to transfer `ERC1363` tokens directly to the wrapper with a callback to wrap the tokens.
+ */
+abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleToken, IERC1363Receiver {
+    IERC20 private immutable _underlying;
+    uint8 private immutable _decimals;
+    uint256 private immutable _rate;
+
+    /// @dev Mapping from gateway decryption request ID to the address that will receive the tokens
+    mapping(uint256 decryptionRequest => address) private _receivers;
+
+    constructor(IERC20 underlying_) {
+        _underlying = underlying_;
+
+        uint8 tokenDecimals = _tryGetAssetDecimals(underlying_);
+        uint8 maxDecimals = _maxDecimals();
+        if (tokenDecimals > maxDecimals) {
+            _decimals = maxDecimals;
+            _rate = 10 ** (tokenDecimals - maxDecimals);
+        } else {
+            _decimals = tokenDecimals;
+            _rate = 1;
+        }
+    }
+
+    /// @inheritdoc ConfidentialFungibleToken
+    function decimals() public view virtual override returns (uint8) {
+        return _decimals;
+    }
+
+    /**
+     * @dev Returns the rate at which the underlying token is converted to the wrapped token.
+     * For example, if the `rate` is 1000, then 1000 units of the underlying token equal 1 unit of the wrapped token.
+     */
+    function rate() public view virtual returns (uint256) {
+        return _rate;
+    }
+
+    /// @dev Returns the address of the underlying ERC-20 token that is being wrapped.
+    function underlying() public view returns (IERC20) {
+        return _underlying;
+    }
+
+    /**
+     * @dev `ERC1363` callback function which wraps tokens to the address specified in `data` or
+     * the address `from` (if no address is specified in `data`). This function refunds any excess tokens
+     * sent beyond the nearest multiple of {rate}. See {wrap} from more details on wrapping tokens.
+     */
+    function onTransferReceived(
+        address /*operator*/,
+        address from,
+        uint256 amount,
+        bytes calldata data
+    ) public virtual returns (bytes4) {
+        // check caller is the token contract
+        require(address(underlying()) == msg.sender, ConfidentialFungibleTokenUnauthorizedCaller(msg.sender));
+
+        // transfer excess back to the sender
+        uint256 excess = amount % rate();
+        if (excess > 0) SafeERC20.safeTransfer(underlying(), from, excess);
+
+        // mint confidential token
+        address to = data.length < 20 ? from : address(bytes20(data));
+        _mint(to, FHE.asEuint64(SafeCast.toUint64(amount / rate())));
+
+        // return magic value
+        return IERC1363Receiver.onTransferReceived.selector;
+    }
+
+    /**
+     * @dev Wraps amount `amount` of the underlying token into a confidential token and sends it to
+     * `to`. Tokens are exchanged at a fixed rate specified by {rate} such that `amount / rate()` confidential
+     * tokens are sent. Amount transferred in is rounded down to the nearest multiple of {rate}.
+     */
+    function wrap(address to, uint256 amount) public virtual {
+        // take ownership of the tokens
+        SafeERC20.safeTransferFrom(underlying(), msg.sender, address(this), amount - (amount % rate()));
+
+        // mint confidential token
+        _mint(to, FHE.asEuint64(SafeCast.toUint64(amount / rate())));
+    }
+
+    /**
+     * @dev Unwraps tokens from `from` and sends the underlying tokens to `to`. The caller must be `from`
+     * or be an approved operator for `from`. `amount * rate()` underlying tokens are sent to `to`.
+     *
+     * NOTE: This is an asynchronous function and waits for decryption to be completed off-chain before disbursing
+     * tokens.
+     * NOTE: The caller *must* already be approved by ACL for the given `amount`.
+     */
+    function unwrap(address from, address to, euint64 amount) public virtual {
+        require(
+            FHE.isAllowed(amount, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
+        );
+        _unwrap(from, to, amount);
+    }
+
+    /**
+     * @dev Variant of {unwrap} that passes an `inputProof` which approves the caller for the `encryptedAmount`
+     * in the ACL.
+     */
+    function unwrap(
+        address from,
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) public virtual {
+        _unwrap(from, to, FHE.fromExternal(encryptedAmount, inputProof));
+    }
+
+    /**
+     * @dev Called by the fhEVM gateway with the decrypted amount `amount` for a request id `requestId`.
+     * Fills unwrap requests.
+     */
+    function finalizeUnwrap(uint256 requestID, uint64 amount, bytes[] memory signatures) public virtual {
+        FHE.checkSignatures(requestID, signatures);
+        address to = _receivers[requestID];
+        require(to != address(0), ConfidentialFungibleTokenInvalidGatewayRequest(requestID));
+        delete _receivers[requestID];
+
+        SafeERC20.safeTransfer(underlying(), to, amount * rate());
+    }
+
+    function _unwrap(address from, address to, euint64 amount) internal virtual {
+        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(to));
+        require(
+            from == msg.sender || isOperator(from, msg.sender),
+            ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender)
+        );
+
+        // try to burn, see how much we actually got
+        euint64 burntAmount = _burn(from, amount);
+
+        // decrypt that burntAmount
+        bytes32[] memory cts = new bytes32[](1);
+        cts[0] = euint64.unwrap(burntAmount);
+        uint256 requestID = FHE.requestDecryption(cts, this.finalizeUnwrap.selector);
+
+        // register who is getting the tokens
+        _receivers[requestID] = to;
+    }
+
+    /**
+     * @dev Returns the maximum number that will be used for {decimals} by the wrapper.
+     */
+    function _maxDecimals() internal pure virtual returns (uint8) {
+        return 6;
+    }
+
+    function _tryGetAssetDecimals(IERC20 asset_) private view returns (uint8 assetDecimals) {
+        (bool success, bytes memory encodedDecimals) = address(asset_).staticcall(
+            abi.encodeCall(IERC20Metadata.decimals, ())
+        );
+        if (success && encodedDecimals.length == 32) {
+            return abi.decode(encodedDecimals, (uint8));
+        }
+        return 18;
+    }
+}

package/token/extensions/ConfidentialFungibleTokenVotes.sol

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.1) (token/extensions/ConfidentialFungibleTokenVotes.sol)
+pragma solidity ^0.8.27;
+
+import {euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {VotesConfidential} from "./../../governance/utils/VotesConfidential.sol";
+import {ConfidentialFungibleToken} from "./../ConfidentialFungibleToken.sol";
+
+abstract contract ConfidentialFungibleTokenVotes is ConfidentialFungibleToken, VotesConfidential {
+    function confidentialTotalSupply()
+        public
+        view
+        virtual
+        override(VotesConfidential, ConfidentialFungibleToken)
+        returns (euint64)
+    {
+        return super.confidentialTotalSupply();
+    }
+
+    function _update(address from, address to, euint64 amount) internal virtual override returns (euint64 transferred) {
+        transferred = super._update(from, to, amount);
+
+        _transferVotingUnits(from, to, transferred);
+    }
+
+    function _getVotingUnits(address account) internal view virtual override returns (euint64) {
+        return confidentialBalanceOf(account);
+    }
+}

package/token/utils/ConfidentialFungibleTokenUtils.sol

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.1) (token/utils/ConfidentialFungibleTokenUtils.sol)
+pragma solidity ^0.8.24;
+
+import {FHE, ebool, euint64} from "@fhevm/solidity/lib/FHE.sol";
+
+import {IConfidentialFungibleTokenReceiver} from "../../interfaces/IConfidentialFungibleTokenReceiver.sol";
+import {ConfidentialFungibleToken} from "../ConfidentialFungibleToken.sol";
+
+/// @dev Library that provides common {ConfidentialFungibleToken} utility functions.
+library ConfidentialFungibleTokenUtils {
+    /**
+     * @dev Performs a transfer callback to the recipient of the transfer `to`. Should be invoked
+     * after all transfers "withCallback" on a {ConfidentialFungibleToken}.
+     *
+     * The transfer callback is not invoked on the recipient if the recipient has no code (i.e. is an EOA). If the
+     * recipient has non-zero code, it must implement
+     * {IConfidentialFungibleTokenReceiver-onConfidentialTransferReceived} and return an `ebool` indicating
+     * whether the transfer was accepted or not. If the `ebool` is `false`, the transfer will be reversed.
+     */
+    function checkOnTransferReceived(
+        address operator,
+        address from,
+        address to,
+        euint64 amount,
+        bytes calldata data
+    ) internal returns (ebool) {
+        if (to.code.length > 0) {
+            try
+                IConfidentialFungibleTokenReceiver(to).onConfidentialTransferReceived(operator, from, amount, data)
+            returns (ebool retval) {
+                return retval;
+            } catch (bytes memory reason) {
+                if (reason.length == 0) {
+                    revert ConfidentialFungibleToken.ConfidentialFungibleTokenInvalidReceiver(to);
+                } else {
+                    assembly ("memory-safe") {
+                        revert(add(32, reason), mload(reason))
+                    }
+                }
+            }
+        } else {
+            return FHE.asEbool(true);
+        }
+    }
+}

package/utils/TFHESafeMath.sol

@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.1) (utils/TFHESafeMath.sol)
+pragma solidity ^0.8.24;
+
+import {FHE, ebool, euint64} from "@fhevm/solidity/lib/FHE.sol";
+
+/**
+ * @dev Library providing safe arithmetic operations for encrypted values
+ * to handle potential overflows in FHE operations.
+ */
+library TFHESafeMath {
+    /**
+     * @dev Try to increase the encrypted value `oldValue` by `delta`. If the operation is successful,
+     * `success` will be true and `updated` will be the new value. Otherwise, `success` will be false
+     * and `updated` will be the original value.
+     */
+    function tryIncrease(euint64 oldValue, euint64 delta) internal returns (ebool success, euint64 updated) {
+        if (!FHE.isInitialized(oldValue)) {
+            success = FHE.asEbool(true);
+            updated = delta;
+        } else {
+            euint64 newValue = FHE.add(oldValue, delta);
+            success = FHE.ge(newValue, oldValue);
+            updated = FHE.select(success, newValue, oldValue);
+        }
+    }
+
+    /**
+     * @dev Try to decrease the encrypted value `oldValue` by `delta`. If the operation is successful,
+     * `success` will be true and `updated` will be the new value. Otherwise, `success` will be false
+     * and `updated` will be the original value.
+     */
+    function tryDecrease(euint64 oldValue, euint64 delta) internal returns (ebool success, euint64 updated) {
+        success = FHE.ge(oldValue, delta);
+        updated = FHE.select(success, FHE.sub(oldValue, delta), oldValue);
+    }
+}