@openzeppelin/confidential-contracts 0.2.0-rc.2 → 0.3.0-rc.0

package/token/{ConfidentialFungibleToken.sol → ERC7984/ERC7984.sol}

@@ -1,14 +1,14 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.2) (token/ConfidentialFungibleToken.sol)
+// OpenZeppelin Confidential Contracts (last updated v0.3.0-rc.0) (token/ERC7984/ERC7984.sol)
 pragma solidity ^0.8.27;
 
 import {FHE, externalEuint64, ebool, euint64} from "@fhevm/solidity/lib/FHE.sol";
-import {IConfidentialFungibleToken} from "./../interfaces/IConfidentialFungibleToken.sol";
-import {TFHESafeMath} from "./../utils/TFHESafeMath.sol";
-import {ConfidentialFungibleTokenUtils} from "./utils/ConfidentialFungibleTokenUtils.sol";
+import {IERC7984} from "./../../interfaces/IERC7984.sol";
+import {FHESafeMath} from "./../../utils/FHESafeMath.sol";
+import {ERC7984Utils} from "./utils/ERC7984Utils.sol";
 
 /**
- * @dev Reference implementation for {IConfidentialFungibleToken}.
+ * @dev Reference implementation for {IERC7984}.
  *
  * This contract implements a fungible token where balances and transfers are encrypted using the Zama fhEVM,
  * providing confidentiality to users. Token amounts are stored as encrypted, unsigned integers (`euint64`)
@@ -22,87 +22,86 @@ import {ConfidentialFungibleTokenUtils} from "./utils/ConfidentialFungibleTokenU
  * - Transfer and call pattern
  * - Safe overflow/underflow handling for FHE operations
  */
-abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
+abstract contract ERC7984 is IERC7984 {
     mapping(address holder => euint64) private _balances;
     mapping(address holder => mapping(address spender => uint48)) private _operators;
-    mapping(uint256 requestId => euint64 encryptedAmount) private _requestHandles;
     euint64 private _totalSupply;
     string private _name;
     string private _symbol;
-    string private _tokenURI;
+    string private _contractURI;
 
     /// @dev The given receiver `receiver` is invalid for transfers.
-    error ConfidentialFungibleTokenInvalidReceiver(address receiver);
+    error ERC7984InvalidReceiver(address receiver);
 
     /// @dev The given sender `sender` is invalid for transfers.
-    error ConfidentialFungibleTokenInvalidSender(address sender);
+    error ERC7984InvalidSender(address sender);
 
     /// @dev The given holder `holder` is not authorized to spend on behalf of `spender`.
-    error ConfidentialFungibleTokenUnauthorizedSpender(address holder, address spender);
+    error ERC7984UnauthorizedSpender(address holder, address spender);
 
     /// @dev The holder `holder` is trying to send tokens but has a balance of 0.
-    error ConfidentialFungibleTokenZeroBalance(address holder);
+    error ERC7984ZeroBalance(address holder);
 
     /**
      * @dev The caller `user` does not have access to the encrypted amount `amount`.
      *
      * NOTE: Try using the equivalent transfer function with an input proof.
      */
-    error ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(euint64 amount, address user);
+    error ERC7984UnauthorizedUseOfEncryptedAmount(euint64 amount, address user);
 
     /// @dev The given caller `caller` is not authorized for the current operation.
-    error ConfidentialFungibleTokenUnauthorizedCaller(address caller);
+    error ERC7984UnauthorizedCaller(address caller);
 
     /// @dev The given gateway request ID `requestId` is invalid.
-    error ConfidentialFungibleTokenInvalidGatewayRequest(uint256 requestId);
+    error ERC7984InvalidGatewayRequest(uint256 requestId);
 
-    constructor(string memory name_, string memory symbol_, string memory tokenURI_) {
+    constructor(string memory name_, string memory symbol_, string memory contractURI_) {
         _name = name_;
         _symbol = symbol_;
-        _tokenURI = tokenURI_;
+        _contractURI = contractURI_;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function name() public view virtual returns (string memory) {
         return _name;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function symbol() public view virtual returns (string memory) {
         return _symbol;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function decimals() public view virtual returns (uint8) {
         return 6;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
-    function tokenURI() public view virtual returns (string memory) {
-        return _tokenURI;
+    /// @inheritdoc IERC7984
+    function contractURI() public view virtual returns (string memory) {
+        return _contractURI;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTotalSupply() public view virtual returns (euint64) {
         return _totalSupply;
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialBalanceOf(address account) public view virtual returns (euint64) {
         return _balances[account];
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function isOperator(address holder, address spender) public view virtual returns (bool) {
         return holder == spender || block.timestamp <= _operators[holder][spender];
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function setOperator(address operator, uint48 until) public virtual {
         _setOperator(msg.sender, operator, until);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransfer(
         address to,
         externalEuint64 encryptedAmount,
@@ -111,43 +110,37 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         return _transfer(msg.sender, to, FHE.fromExternal(encryptedAmount, inputProof));
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransfer(address to, euint64 amount) public virtual returns (euint64) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         return _transfer(msg.sender, to, amount);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFrom(
         address from,
         address to,
         externalEuint64 encryptedAmount,
         bytes calldata inputProof
     ) public virtual returns (euint64 transferred) {
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transfer(from, to, FHE.fromExternal(encryptedAmount, inputProof));
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFrom(
         address from,
         address to,
         euint64 amount
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transfer(from, to, amount);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferAndCall(
         address to,
         externalEuint64 encryptedAmount,
@@ -158,21 +151,18 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferAndCall(
         address to,
         euint64 amount,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         transferred = _transferAndCall(msg.sender, to, amount, data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFromAndCall(
         address from,
         address to,
@@ -180,29 +170,26 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         bytes calldata inputProof,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transferAndCall(from, to, FHE.fromExternal(encryptedAmount, inputProof), data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
-    /// @inheritdoc IConfidentialFungibleToken
+    /// @inheritdoc IERC7984
     function confidentialTransferFromAndCall(
         address from,
         address to,
         euint64 amount,
         bytes calldata data
     ) public virtual returns (euint64 transferred) {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
-        require(isOperator(from, msg.sender), ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender));
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
+        require(isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
         transferred = _transferAndCall(from, to, amount, data);
         FHE.allowTransient(transferred, msg.sender);
     }
 
     /**
-     * @dev Discloses an encrypted amount `encryptedAmount` publicly via an {IConfidentialFungibleToken-AmountDisclosed}
+     * @dev Discloses an encrypted amount `encryptedAmount` publicly via an {IERC7984-AmountDisclosed}
      * event. The caller and this contract must be authorized to use the encrypted amount on the ACL.
      *
      * NOTE: This is an asynchronous operation where the actual decryption happens off-chain and
@@ -210,29 +197,34 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
      */
     function discloseEncryptedAmount(euint64 encryptedAmount) public virtual {
         require(
-            FHE.isAllowed(encryptedAmount, msg.sender) && FHE.isAllowed(encryptedAmount, address(this)),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(encryptedAmount, msg.sender)
+            FHE.isAllowed(encryptedAmount, msg.sender),
+            ERC7984UnauthorizedUseOfEncryptedAmount(encryptedAmount, msg.sender)
         );
 
         bytes32[] memory cts = new bytes32[](1);
         cts[0] = euint64.unwrap(encryptedAmount);
-        uint256 requestID = FHE.requestDecryption(cts, this.finalizeDiscloseEncryptedAmount.selector);
-        _requestHandles[requestID] = encryptedAmount;
+        FHE.requestDecryption(cts, this.finalizeDiscloseEncryptedAmount.selector);
     }
 
-    /// @dev May only be called by the gateway contract. Finalizes a disclose encrypted amount request.
+    /**
+     * @dev Finalizes a disclose encrypted amount request.
+     * For gas saving purposes, the `requestId` might not be related to a
+     * {discloseEncryptedAmount} request. As a result, the current {finalizeDiscloseEncryptedAmount}
+     * function might emit a disclosed amount related to another decryption request context.
+     * In this case it would only display public information
+     * since the handle would have already been allowed for public decryption through a previous
+     * `FHE.requestDecryption` call.
+     * The downside of this behavior is that a {finalizeDiscloseEncryptedAmount} watcher might observe
+     * unexpected `AmountDisclosed` events.
+     */
     function finalizeDiscloseEncryptedAmount(
         uint256 requestId,
-        uint64 amount,
-        bytes[] memory signatures
+        bytes calldata cleartexts,
+        bytes calldata decryptionProof
     ) public virtual {
-        FHE.checkSignatures(requestId, signatures);
-
-        euint64 requestHandle = _requestHandles[requestId];
-        require(FHE.isInitialized(requestHandle), ConfidentialFungibleTokenInvalidGatewayRequest(requestId));
-        emit AmountDisclosed(requestHandle, amount);
-
-        _requestHandles[requestId] = euint64.wrap(0);
+        FHE.checkSignatures(requestId, cleartexts, decryptionProof);
+        euint64 requestHandle = euint64.wrap(FHE.loadRequestedHandles(requestId)[0]);
+        emit AmountDisclosed(requestHandle, abi.decode(cleartexts, (uint64)));
     }
 
     function _setOperator(address holder, address operator, uint48 until) internal virtual {
@@ -241,18 +233,18 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
     }
 
     function _mint(address to, euint64 amount) internal returns (euint64 transferred) {
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        require(to != address(0), ERC7984InvalidReceiver(address(0)));
         return _update(address(0), to, amount);
     }
 
     function _burn(address from, euint64 amount) internal returns (euint64 transferred) {
-        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
+        require(from != address(0), ERC7984InvalidSender(address(0)));
         return _update(from, address(0), amount);
     }
 
     function _transfer(address from, address to, euint64 amount) internal returns (euint64 transferred) {
-        require(from != address(0), ConfidentialFungibleTokenInvalidSender(address(0)));
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(address(0)));
+        require(from != address(0), ERC7984InvalidSender(address(0)));
+        require(to != address(0), ERC7984InvalidReceiver(address(0)));
         return _update(from, to, amount);
     }
 
@@ -266,14 +258,11 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         euint64 sent = _transfer(from, to, amount);
 
         // Perform callback
-        transferred = FHE.select(
-            ConfidentialFungibleTokenUtils.checkOnTransferReceived(msg.sender, from, to, sent, data),
-            sent,
-            FHE.asEuint64(0)
-        );
+        ebool success = ERC7984Utils.checkOnTransferReceived(msg.sender, from, to, sent, data);
 
-        // Refund if success fails. refund should never fail
-        _update(to, from, FHE.sub(sent, transferred));
+        // Try to refund if callback fails
+        euint64 refund = _update(to, from, FHE.select(success, FHE.asEuint64(0), sent));
+        transferred = FHE.sub(sent, refund);
     }
 
     function _update(address from, address to, euint64 amount) internal virtual returns (euint64 transferred) {
@@ -281,13 +270,13 @@ abstract contract ConfidentialFungibleToken is IConfidentialFungibleToken {
         euint64 ptr;
 
         if (from == address(0)) {
-            (success, ptr) = TFHESafeMath.tryIncrease(_totalSupply, amount);
+            (success, ptr) = FHESafeMath.tryIncrease(_totalSupply, amount);
             FHE.allowThis(ptr);
             _totalSupply = ptr;
         } else {
             euint64 fromBalance = _balances[from];
-            require(FHE.isInitialized(fromBalance), ConfidentialFungibleTokenZeroBalance(from));
-            (success, ptr) = TFHESafeMath.tryDecrease(fromBalance, amount);
+            require(FHE.isInitialized(fromBalance), ERC7984ZeroBalance(from));
+            (success, ptr) = FHESafeMath.tryDecrease(fromBalance, amount);
             FHE.allowThis(ptr);
             FHE.allow(ptr, from);
             _balances[from] = ptr;

package/token/{extensions/ConfidentialFungibleTokenERC20Wrapper.sol → ERC7984/extensions/ERC7984ERC20Wrapper.sol}

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Confidential Contracts (last updated v0.2.0-rc.2) (token/extensions/ConfidentialFungibleTokenERC20Wrapper.sol)
+// OpenZeppelin Confidential Contracts (last updated v0.3.0-rc.0) (token/ERC7984/extensions/ERC7984ERC20Wrapper.sol)
 
 pragma solidity ^0.8.27;
 
@@ -9,14 +9,17 @@ import {IERC20} from "@openzeppelin/contracts/interfaces/IERC20.sol";
 import {IERC20Metadata} from "@openzeppelin/contracts/interfaces/IERC20Metadata.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {SafeCast} from "@openzeppelin/contracts/utils/math/SafeCast.sol";
-import {ConfidentialFungibleToken} from "./../ConfidentialFungibleToken.sol";
+import {ERC7984} from "./../ERC7984.sol";
 
 /**
- * @dev A wrapper contract built on top of {ConfidentialFungibleToken} that allows wrapping an `ERC20` token
- * into a confidential fungible token. The wrapper contract implements the `IERC1363Receiver` interface
+ * @dev A wrapper contract built on top of {ERC7984} that allows wrapping an `ERC20` token
+ * into an `ERC7984` token. The wrapper contract implements the `IERC1363Receiver` interface
  * which allows users to transfer `ERC1363` tokens directly to the wrapper with a callback to wrap the tokens.
+ *
+ * WARNING: Minting assumes the full amount of the underlying token transfer has been received, hence some non-standard
+ * tokens such as fee-on-transfer or other deflationary-type tokens are not supported by this wrapper.
  */
-abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleToken, IERC1363Receiver {
+abstract contract ERC7984ERC20Wrapper is ERC7984, IERC1363Receiver {
     IERC20 private immutable _underlying;
     uint8 private immutable _decimals;
     uint256 private immutable _rate;
@@ -38,7 +41,7 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         }
     }
 
-    /// @inheritdoc ConfidentialFungibleToken
+    /// @inheritdoc ERC7984
     function decimals() public view virtual override returns (uint8) {
         return _decimals;
     }
@@ -68,16 +71,16 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         bytes calldata data
     ) public virtual returns (bytes4) {
         // check caller is the token contract
-        require(address(underlying()) == msg.sender, ConfidentialFungibleTokenUnauthorizedCaller(msg.sender));
-
-        // transfer excess back to the sender
-        uint256 excess = amount % rate();
-        if (excess > 0) SafeERC20.safeTransfer(underlying(), from, excess);
+        require(address(underlying()) == msg.sender, ERC7984UnauthorizedCaller(msg.sender));
 
         // mint confidential token
         address to = data.length < 20 ? from : address(bytes20(data));
         _mint(to, FHE.asEuint64(SafeCast.toUint64(amount / rate())));
 
+        // transfer excess back to the sender
+        uint256 excess = amount % rate();
+        if (excess > 0) SafeERC20.safeTransfer(underlying(), from, excess);
+
         // return magic value
         return IERC1363Receiver.onTransferReceived.selector;
     }
@@ -104,10 +107,7 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
      * NOTE: The caller *must* already be approved by ACL for the given `amount`.
      */
     function unwrap(address from, address to, euint64 amount) public virtual {
-        require(
-            FHE.isAllowed(amount, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedUseOfEncryptedAmount(amount, msg.sender)
-        );
+        require(FHE.isAllowed(amount, msg.sender), ERC7984UnauthorizedUseOfEncryptedAmount(amount, msg.sender));
         _unwrap(from, to, amount);
     }
 
@@ -125,24 +125,24 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
     }
 
     /**
-     * @dev Called by the fhEVM gateway with the decrypted amount `amount` for a request id `requestId`.
-     * Fills unwrap requests.
+     * @dev Fills an unwrap request for a given request id related to a decrypted unwrap amount.
      */
-    function finalizeUnwrap(uint256 requestID, uint64 amount, bytes[] memory signatures) public virtual {
-        FHE.checkSignatures(requestID, signatures);
+    function finalizeUnwrap(
+        uint256 requestID,
+        bytes calldata cleartexts,
+        bytes calldata decryptionProof
+    ) public virtual {
+        FHE.checkSignatures(requestID, cleartexts, decryptionProof);
         address to = _receivers[requestID];
-        require(to != address(0), ConfidentialFungibleTokenInvalidGatewayRequest(requestID));
+        require(to != address(0), ERC7984InvalidGatewayRequest(requestID));
         delete _receivers[requestID];
 
-        SafeERC20.safeTransfer(underlying(), to, amount * rate());
+        SafeERC20.safeTransfer(underlying(), to, abi.decode(cleartexts, (uint64)) * rate());
     }
 
     function _unwrap(address from, address to, euint64 amount) internal virtual {
-        require(to != address(0), ConfidentialFungibleTokenInvalidReceiver(to));
-        require(
-            from == msg.sender || isOperator(from, msg.sender),
-            ConfidentialFungibleTokenUnauthorizedSpender(from, msg.sender)
-        );
+        require(to != address(0), ERC7984InvalidReceiver(to));
+        require(from == msg.sender || isOperator(from, msg.sender), ERC7984UnauthorizedSpender(from, msg.sender));
 
         // try to burn, see how much we actually got
         euint64 burntAmount = _burn(from, amount);
@@ -156,6 +156,15 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         _receivers[requestID] = to;
     }
 
+    /**
+     * @dev Returns the default number of decimals of the underlying ERC-20 token that is being wrapped.
+     * Used as a default fallback when {_tryGetAssetDecimals} fails to fetch decimals of the underlying
+     * ERC-20 token.
+     */
+    function _fallbackUnderlyingDecimals() internal pure virtual returns (uint8) {
+        return 18;
+    }
+
     /**
      * @dev Returns the maximum number that will be used for {decimals} by the wrapper.
      */
@@ -170,6 +179,6 @@ abstract contract ConfidentialFungibleTokenERC20Wrapper is ConfidentialFungibleT
         if (success && encodedDecimals.length == 32) {
             return abi.decode(encodedDecimals, (uint8));
         }
-        return 18;
+        return _fallbackUnderlyingDecimals();
     }
 }

package/token/ERC7984/extensions/ERC7984Freezable.sol

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.3.0-rc.0) (token/ERC7984/extensions/ERC7984Freezable.sol)
+
+pragma solidity ^0.8.27;
+
+import {FHE, ebool, euint64, externalEuint64} from "@fhevm/solidity/lib/FHE.sol";
+import {FHESafeMath} from "../../../utils/FHESafeMath.sol";
+import {ERC7984} from "../ERC7984.sol";
+
+/**
+ * @dev Extension of {ERC7984} that implements a confidential
+ * freezing mechanism that can be managed by an authorized account with
+ * {setConfidentialFrozen} functions.
+ *
+ * The freezing mechanism provides the guarantee to the contract owner
+ * (e.g. a DAO or a well-configured multisig) that a specific confidential
+ * amount of tokens held by an account won't be transferable until those
+ * tokens are unfrozen.
+ *
+ * Inspired by https://github.com/OpenZeppelin/openzeppelin-community-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Freezable.sol
+ */
+abstract contract ERC7984Freezable is ERC7984 {
+    /// @dev Confidential frozen amount of tokens per address.
+    mapping(address account => euint64 encryptedAmount) private _frozenBalances;
+
+    /// @dev Emitted when a confidential amount of token is frozen for an account
+    event TokensFrozen(address indexed account, euint64 encryptedAmount);
+
+    /// @dev Returns the confidential frozen balance of an account.
+    function confidentialFrozen(address account) public view virtual returns (euint64) {
+        return _frozenBalances[account];
+    }
+
+    /// @dev Returns the confidential available (unfrozen) balance of an account. Up to {confidentialBalanceOf}.
+    function confidentialAvailable(address account) public virtual returns (euint64) {
+        (ebool success, euint64 unfrozen) = FHESafeMath.tryDecrease(
+            confidentialBalanceOf(account),
+            confidentialFrozen(account)
+        );
+        return FHE.select(success, unfrozen, FHE.asEuint64(0));
+    }
+
+    /// @dev Internal function to freeze a confidential amount of tokens for an account.
+    function _setConfidentialFrozen(address account, euint64 encryptedAmount) internal virtual {
+        FHE.allowThis(encryptedAmount);
+        FHE.allow(encryptedAmount, account);
+        _frozenBalances[account] = encryptedAmount;
+        emit TokensFrozen(account, encryptedAmount);
+    }
+
+    /**
+     * @dev See {ERC7984-_update}.
+     *
+     * The `from` account must have sufficient unfrozen balance,
+     * otherwise 0 tokens are transferred.
+     * The default freezing behavior can be changed (for a pass-through for instance) by overriding
+     * {confidentialAvailable}.
+     */
+    function _update(address from, address to, euint64 encryptedAmount) internal virtual override returns (euint64) {
+        if (from != address(0)) {
+            euint64 unfrozen = confidentialAvailable(from);
+            encryptedAmount = FHE.select(FHE.le(encryptedAmount, unfrozen), encryptedAmount, FHE.asEuint64(0));
+        }
+        return super._update(from, to, encryptedAmount);
+    }
+}

package/token/ERC7984/extensions/ERC7984ObserverAccess.sol

@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Confidential Contracts (last updated v0.3.0-rc.0) (token/ERC7984/extensions/ERC7984ObserverAccess.sol)
+
+pragma solidity ^0.8.27;
+
+import {FHE, euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {ERC7984} from "../ERC7984.sol";
+
+/**
+ * @dev Extension of {ERC7984} that allows each account to add a observer who is given
+ * permanent ACL access to its transfer and balance amounts. A observer can be added or removed at any point in time.
+ */
+abstract contract ERC7984ObserverAccess is ERC7984 {
+    mapping(address => address) private _observers;
+
+    /// @dev Emitted when the observer is changed for the given account `account`.
+    event ERC7984ObserverAccessObserverSet(address account, address oldObserver, address newObserver);
+
+    /// @dev Thrown when an account tries to set a `newObserver` for a given `account` without proper authority.
+    error Unauthorized();
+
+    /**
+     * @dev Sets the observer for the given account `account` to `newObserver`. Can be called by the
+     * account or the existing observer to abdicate the observer role (may only set to `address(0)`).
+     */
+    function setObserver(address account, address newObserver) public virtual {
+        address oldObserver = observer(account);
+        require(msg.sender == account || (msg.sender == oldObserver && newObserver == address(0)), Unauthorized());
+        if (oldObserver != newObserver) {
+            if (newObserver != address(0)) {
+                euint64 balanceHandle = confidentialBalanceOf(account);
+                if (FHE.isInitialized(balanceHandle)) {
+                    FHE.allow(balanceHandle, newObserver);
+                }
+            }
+
+            emit ERC7984ObserverAccessObserverSet(account, oldObserver, _observers[account] = newObserver);
+        }
+    }
+
+    /// @dev Returns the observer for the given account `account`.
+    function observer(address account) public view virtual returns (address) {
+        return _observers[account];
+    }
+
+    function _update(address from, address to, euint64 amount) internal virtual override returns (euint64 transferred) {
+        transferred = super._update(from, to, amount);
+
+        address fromObserver = observer(from);
+        address toObserver = observer(to);
+
+        if (fromObserver != address(0)) {
+            FHE.allow(confidentialBalanceOf(from), fromObserver);
+            FHE.allow(transferred, fromObserver);
+        }
+        if (toObserver != address(0)) {
+            FHE.allow(confidentialBalanceOf(to), toObserver);
+            if (toObserver != fromObserver) {
+                FHE.allow(transferred, toObserver);
+            }
+        }
+    }
+}