chanlink 0.0.1-security → 0.8.2

package/v0.5/contracts/dev/SafeMath128.sol

@@ -0,0 +1,110 @@
+pragma solidity ^0.5.0;
+
+/**
+ * @dev Wrappers over Solidity's arithmetic operations with added overflow
+ * checks.
+ *
+ * Arithmetic operations in Solidity wrap on overflow. This can easily result
+ * in bugs, because programmers usually assume that an overflow raises an
+ * error, which is the standard behavior in high level programming languages.
+ * `SafeMath` restores this intuition by reverting the transaction when an
+ * operation overflows.
+ *
+ * Using this library instead of the unchecked operations eliminates an entire
+ * class of bugs, so it's recommended to use it always.
+ *
+ * This library is a version of Open Zeppelin's SafeMath, modified to support
+ * unsigned 128 bit integers.
+ */
+library SafeMath128 {
+  /**
+    * @dev Returns the addition of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `+` operator.
+    *
+    * Requirements:
+    * - Addition cannot overflow.
+    */
+  function add(uint128 a, uint128 b) internal pure returns (uint128) {
+    uint128 c = a + b;
+    require(c >= a, "SafeMath: addition overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the subtraction of two unsigned integers, reverting on
+    * overflow (when the result is negative).
+    *
+    * Counterpart to Solidity's `-` operator.
+    *
+    * Requirements:
+    * - Subtraction cannot overflow.
+    */
+  function sub(uint128 a, uint128 b) internal pure returns (uint128) {
+    require(b <= a, "SafeMath: subtraction overflow");
+    uint128 c = a - b;
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the multiplication of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `*` operator.
+    *
+    * Requirements:
+    * - Multiplication cannot overflow.
+    */
+  function mul(uint128 a, uint128 b) internal pure returns (uint128) {
+    // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
+    // benefit is lost if 'b' is also tested.
+    // See: https://github.com/OpenZeppelin/openzeppelin-solidity/pull/522
+    if (a == 0) {
+      return 0;
+    }
+
+    uint128 c = a * b;
+    require(c / a == b, "SafeMath: multiplication overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the integer division of two unsigned integers. Reverts on
+    * division by zero. The result is rounded towards zero.
+    *
+    * Counterpart to Solidity's `/` operator. Note: this function uses a
+    * `revert` opcode (which leaves remaining gas untouched) while Solidity
+    * uses an invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function div(uint128 a, uint128 b) internal pure returns (uint128) {
+    // Solidity only automatically asserts when dividing by 0
+    require(b > 0, "SafeMath: division by zero");
+    uint128 c = a / b;
+    // assert(a == b * c + a % b); // There is no case in which this doesn't hold
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the remainder of dividing two unsigned integers. (unsigned integer modulo),
+    * Reverts when dividing by zero.
+    *
+    * Counterpart to Solidity's `%` operator. This function uses a `revert`
+    * opcode (which leaves remaining gas untouched) while Solidity uses an
+    * invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function mod(uint128 a, uint128 b) internal pure returns (uint128) {
+    require(b != 0, "SafeMath: modulo by zero");
+    return a % b;
+  }
+}

package/v0.5/contracts/dev/SafeMath32.sol

@@ -0,0 +1,110 @@
+pragma solidity ^0.5.0;
+
+/**
+ * @dev Wrappers over Solidity's arithmetic operations with added overflow
+ * checks.
+ *
+ * Arithmetic operations in Solidity wrap on overflow. This can easily result
+ * in bugs, because programmers usually assume that an overflow raises an
+ * error, which is the standard behavior in high level programming languages.
+ * `SafeMath` restores this intuition by reverting the transaction when an
+ * operation overflows.
+ *
+ * Using this library instead of the unchecked operations eliminates an entire
+ * class of bugs, so it's recommended to use it always.
+ *
+ * This library is a version of Open Zeppelin's SafeMath, modified to support
+ * unsigned 32 bit integers.
+ */
+library SafeMath32 {
+  /**
+    * @dev Returns the addition of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `+` operator.
+    *
+    * Requirements:
+    * - Addition cannot overflow.
+    */
+  function add(uint32 a, uint32 b) internal pure returns (uint32) {
+    uint32 c = a + b;
+    require(c >= a, "SafeMath: addition overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the subtraction of two unsigned integers, reverting on
+    * overflow (when the result is negative).
+    *
+    * Counterpart to Solidity's `-` operator.
+    *
+    * Requirements:
+    * - Subtraction cannot overflow.
+    */
+  function sub(uint32 a, uint32 b) internal pure returns (uint32) {
+    require(b <= a, "SafeMath: subtraction overflow");
+    uint32 c = a - b;
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the multiplication of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `*` operator.
+    *
+    * Requirements:
+    * - Multiplication cannot overflow.
+    */
+  function mul(uint32 a, uint32 b) internal pure returns (uint32) {
+    // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
+    // benefit is lost if 'b' is also tested.
+    // See: https://github.com/OpenZeppelin/openzeppelin-solidity/pull/522
+    if (a == 0) {
+      return 0;
+    }
+
+    uint32 c = a * b;
+    require(c / a == b, "SafeMath: multiplication overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the integer division of two unsigned integers. Reverts on
+    * division by zero. The result is rounded towards zero.
+    *
+    * Counterpart to Solidity's `/` operator. Note: this function uses a
+    * `revert` opcode (which leaves remaining gas untouched) while Solidity
+    * uses an invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function div(uint32 a, uint32 b) internal pure returns (uint32) {
+    // Solidity only automatically asserts when dividing by 0
+    require(b > 0, "SafeMath: division by zero");
+    uint32 c = a / b;
+    // assert(a == b * c + a % b); // There is no case in which this doesn't hold
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the remainder of dividing two unsigned integers. (unsigned integer modulo),
+    * Reverts when dividing by zero.
+    *
+    * Counterpart to Solidity's `%` operator. This function uses a `revert`
+    * opcode (which leaves remaining gas untouched) while Solidity uses an
+    * invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function mod(uint32 a, uint32 b) internal pure returns (uint32) {
+    require(b != 0, "SafeMath: modulo by zero");
+    return a % b;
+  }
+}

package/v0.5/contracts/dev/SafeMath64.sol

@@ -0,0 +1,110 @@
+pragma solidity ^0.5.0;
+
+/**
+ * @dev Wrappers over Solidity's arithmetic operations with added overflow
+ * checks.
+ *
+ * Arithmetic operations in Solidity wrap on overflow. This can easily result
+ * in bugs, because programmers usually assume that an overflow raises an
+ * error, which is the standard behavior in high level programming languages.
+ * `SafeMath` restores this intuition by reverting the transaction when an
+ * operation overflows.
+ *
+ * Using this library instead of the unchecked operations eliminates an entire
+ * class of bugs, so it's recommended to use it always.
+ *
+ * This library is a version of Open Zeppelin's SafeMath, modified to support
+ * unsigned 64 bit integers.
+ */
+library SafeMath64 {
+  /**
+    * @dev Returns the addition of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `+` operator.
+    *
+    * Requirements:
+    * - Addition cannot overflow.
+    */
+  function add(uint64 a, uint64 b) internal pure returns (uint64) {
+    uint64 c = a + b;
+    require(c >= a, "SafeMath: addition overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the subtraction of two unsigned integers, reverting on
+    * overflow (when the result is negative).
+    *
+    * Counterpart to Solidity's `-` operator.
+    *
+    * Requirements:
+    * - Subtraction cannot overflow.
+    */
+  function sub(uint64 a, uint64 b) internal pure returns (uint64) {
+    require(b <= a, "SafeMath: subtraction overflow");
+    uint64 c = a - b;
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the multiplication of two unsigned integers, reverting on
+    * overflow.
+    *
+    * Counterpart to Solidity's `*` operator.
+    *
+    * Requirements:
+    * - Multiplication cannot overflow.
+    */
+  function mul(uint64 a, uint64 b) internal pure returns (uint64) {
+    // Gas optimization: this is cheaper than requiring 'a' not being zero, but the
+    // benefit is lost if 'b' is also tested.
+    // See: https://github.com/OpenZeppelin/openzeppelin-solidity/pull/522
+    if (a == 0) {
+      return 0;
+    }
+
+    uint64 c = a * b;
+    require(c / a == b, "SafeMath: multiplication overflow");
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the integer division of two unsigned integers. Reverts on
+    * division by zero. The result is rounded towards zero.
+    *
+    * Counterpart to Solidity's `/` operator. Note: this function uses a
+    * `revert` opcode (which leaves remaining gas untouched) while Solidity
+    * uses an invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function div(uint64 a, uint64 b) internal pure returns (uint64) {
+    // Solidity only automatically asserts when dividing by 0
+    require(b > 0, "SafeMath: division by zero");
+    uint64 c = a / b;
+    // assert(a == b * c + a % b); // There is no case in which this doesn't hold
+
+    return c;
+  }
+
+  /**
+    * @dev Returns the remainder of dividing two unsigned integers. (unsigned integer modulo),
+    * Reverts when dividing by zero.
+    *
+    * Counterpart to Solidity's `%` operator. This function uses a `revert`
+    * opcode (which leaves remaining gas untouched) while Solidity uses an
+    * invalid opcode to revert (consuming all remaining gas).
+    *
+    * Requirements:
+    * - The divisor cannot be zero.
+    */
+  function mod(uint64 a, uint64 b) internal pure returns (uint64) {
+    require(b != 0, "SafeMath: modulo by zero");
+    return a % b;
+  }
+}

package/v0.5/contracts/dev/SchnorrSECP256K1.sol

@@ -0,0 +1,147 @@
+pragma solidity ^0.5.0;
+
+////////////////////////////////////////////////////////////////////////////////
+//       XXX: Do not use in production until this code has been audited.
+////////////////////////////////////////////////////////////////////////////////
+
+contract SchnorrSECP256K1 {
+  // See https://en.bitcoin.it/wiki/Secp256k1 for this constant.
+  uint256 constant public Q = // Group order of secp256k1
+    // solium-disable-next-line indentation
+    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
+  // solium-disable-next-line zeppelin/no-arithmetic-operations
+  uint256 constant public HALF_Q = (Q >> 1) + 1;
+
+  /** **************************************************************************
+      @notice verifySignature returns true iff passed a valid Schnorr signature.
+
+      @dev See https://en.wikipedia.org/wiki/Schnorr_signature for reference.
+
+      @dev In what follows, let d be your secret key, PK be your public key,
+      PKx be the x ordinate of your public key, and PKyp be the parity bit for
+      the y ordinate (i.e., 0 if PKy is even, 1 if odd.)
+      **************************************************************************
+      @dev TO CREATE A VALID SIGNATURE FOR THIS METHOD
+
+      @dev First PKx must be less than HALF_Q. Then follow these instructions
+           (see evm/test/schnorr_test.js, for an example of carrying them out):
+      @dev 1. Hash the target message to a uint256, called msgHash here, using
+              keccak256
+
+      @dev 2. Pick k uniformly and cryptographically securely randomly from
+              {0,...,Q-1}. It is critical that k remains confidential, as your
+              private key can be reconstructed from k and the signature.
+
+      @dev 3. Compute k*g in the secp256k1 group, where g is the group
+              generator. (This is the same as computing the public key from the
+              secret key k. But it's OK if k*g's x ordinate is greater than
+              HALF_Q.)
+
+      @dev 4. Compute the ethereum address for k*g. This is the lower 160 bits
+              of the keccak hash of the concatenated affine coordinates of k*g,
+              as 32-byte big-endians. (For instance, you could pass k to
+              ethereumjs-utils's privateToAddress to compute this, though that
+              should be strictly a development convenience, not for handling
+              live secrets, unless you've locked your javascript environment
+              down very carefully.) Call this address
+              nonceTimesGeneratorAddress.
+
+      @dev 5. Compute e=uint256(keccak256(PKx as a 32-byte big-endian
+                                        ‖ PKyp as a single byte
+                                        ‖ msgHash
+                                        ‖ nonceTimesGeneratorAddress))
+              This value e is called "msgChallenge" in verifySignature's source
+              code below. Here "‖" means concatenation of the listed byte
+              arrays.
+
+      @dev 6. Let x be your secret key. Compute s = (k - d * e) % Q. Add Q to
+              it, if it's negative. This is your signature. (d is your secret
+              key.)
+      **************************************************************************
+      @dev TO VERIFY A SIGNATURE
+
+      @dev Given a signature (s, e) of msgHash, constructed as above, compute
+      S=e*PK+s*generator in the secp256k1 group law, and then the ethereum
+      address of S, as described in step 4. Call that
+      nonceTimesGeneratorAddress. Then call the verifySignature method as:
+
+      @dev    verifySignature(PKx, PKyp, s, msgHash,
+                              nonceTimesGeneratorAddress)
+      **************************************************************************
+      @dev This signging scheme deviates slightly from the classical Schnorr
+      signature, in that the address of k*g is used in place of k*g itself,
+      both when calculating e and when verifying sum S as described in the
+      verification paragraph above. This reduces the difficulty of
+      brute-forcing a signature by trying random secp256k1 points in place of
+      k*g in the signature verification process from 256 bits to 160 bits.
+      However, the difficulty of cracking the public key using "baby-step,
+      giant-step" is only 128 bits, so this weakening constitutes no compromise
+      in the security of the signatures or the key.
+
+      @dev The constraint signingPubKeyX < HALF_Q comes from Eq. (281), p. 24
+      of Yellow Paper version 78d7b9a. ecrecover only accepts "s" inputs less
+      than HALF_Q, to protect against a signature- malleability vulnerability in
+      ECDSA. Schnorr does not have this vulnerability, but we must account for
+      ecrecover's defense anyway. And since we are abusing ecrecover by putting
+      signingPubKeyX in ecrecover's "s" argument the constraint applies to
+      signingPubKeyX, even though it represents a value in the base field, and
+      has no natural relationship to the order of the curve's cyclic group.
+      **************************************************************************
+      @param signingPubKeyX is the x ordinate of the public key. This must be
+             less than HALF_Q. 
+      @param pubKeyYParity is 0 if the y ordinate of the public key is even, 1 
+             if it's odd.
+      @param signature is the actual signature, described as s in the above
+             instructions.
+      @param msgHash is a 256-bit hash of the message being signed.
+      @param nonceTimesGeneratorAddress is the ethereum address of k*g in the
+             above instructions
+      **************************************************************************
+      @return True if passed a valid signature, false otherwise. */
+  function verifySignature(
+    uint256 signingPubKeyX,
+    uint8 pubKeyYParity,
+    uint256 signature,
+    uint256 msgHash,
+    address nonceTimesGeneratorAddress) external pure returns (bool) {
+    require(signingPubKeyX < HALF_Q, "Public-key x >= HALF_Q");
+    // Avoid signature malleability from multiple representations for ℤ/Qℤ elts
+    require(signature < Q, "signature must be reduced modulo Q");
+
+    // Forbid trivial inputs, to avoid ecrecover edge cases. The main thing to
+    // avoid is something which causes ecrecover to return 0x0: then trivial
+    // signatures could be constructed with the nonceTimesGeneratorAddress input
+    // set to 0x0.
+    //
+    // solium-disable-next-line indentation
+    require(nonceTimesGeneratorAddress != address(0) && signingPubKeyX > 0 &&
+      signature > 0 && msgHash > 0, "no zero inputs allowed");
+
+    // solium-disable-next-line indentation
+    uint256 msgChallenge = // "e"
+      // solium-disable-next-line indentation
+      uint256(keccak256(abi.encodePacked(signingPubKeyX, pubKeyYParity,
+        msgHash, nonceTimesGeneratorAddress))
+    );
+
+    // Verify msgChallenge * signingPubKey + signature * generator ==
+    //        nonce * generator
+    //
+    // https://ethresear.ch/t/you-can-kinda-abuse-ecrecover-to-do-ecmul-in-secp256k1-today/2384/9
+    // The point corresponding to the address returned by
+    // ecrecover(-s*r,v,r,e*r) is (r⁻¹ mod Q)*(e*r*R-(-s)*r*g)=e*R+s*g, where R
+    // is the (v,r) point. See https://crypto.stackexchange.com/a/18106
+    //
+    // solium-disable-next-line indentation
+    address recoveredAddress = ecrecover(
+      // solium-disable-next-line zeppelin/no-arithmetic-operations
+      bytes32(Q - mulmod(signingPubKeyX, signature, Q)),
+      // https://ethereum.github.io/yellowpaper/paper.pdf p. 24, "The
+      // value 27 represents an even y value and 28 represents an odd
+      // y value."
+      (pubKeyYParity == 0) ? 27 : 28,
+      bytes32(signingPubKeyX),
+      bytes32(mulmod(msgChallenge, signingPubKeyX, Q)));
+    return nonceTimesGeneratorAddress == recoveredAddress;
+  }
+}

package/v0.5/contracts/dev/ServiceAgreementDecoder.sol

@@ -0,0 +1,59 @@
+pragma solidity 0.5.0;
+
+contract ServiceAgreementDecoder {
+
+  struct ServiceAgreement {
+    uint256 payment;
+    uint256 expiration;
+    uint256 endAt;
+    address[] oracles;
+    // This effectively functions as an ID tag for the off-chain job of the
+    // service agreement. It is calculated as the keccak256 hash of the
+    // normalized JSON request to create the ServiceAgreement, but that identity
+    // is unused, and its value is essentially arbitrary.
+    bytes32 requestDigest;
+    // Specification of aggregator interface. See ../tests/MeanAggregator.sol
+    // for example
+    address aggregator;
+    // Selectors for the interface methods must be specified, because their
+    // arguments can vary from aggregator to aggregator.
+    //
+    // Function selector for aggregator initiateJob method
+    bytes4 aggInitiateJobSelector;
+    // Function selector for aggregator fulfill method
+    bytes4 aggFulfillSelector;
+  }
+
+  function decodeServiceAgreement(
+    bytes memory _serviceAgreementData
+  )
+    internal
+    pure
+    returns(ServiceAgreement memory)
+  {
+    // solhint-disable indent
+    ServiceAgreement memory agreement;
+
+    ( agreement.payment,
+      agreement.expiration,
+      agreement.endAt,
+      agreement.oracles,
+      agreement.requestDigest,
+      agreement.aggregator,
+      agreement.aggInitiateJobSelector,
+      agreement.aggFulfillSelector) =
+      abi.decode(
+        _serviceAgreementData,
+        ( uint256,
+        uint256,
+        uint256,
+        address[],
+        bytes32,
+        address,
+        bytes4,
+        bytes4 )
+      );
+
+    return agreement;
+  }
+}