// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;// End consumer library.libraryClient{
structEVMTokenAmount {
address token; // token address on the local chain.uint256 amount; // Amount of tokens.
}
structAny2EVMMessage {
bytes32 messageId; // MessageId corresponding to ccipSend on source.uint64 sourceChainSelector; // Source chain selector.bytes sender; // abi.decode(sender) if coming from an EVM chain.bytes data; // payload sent in original message.
EVMTokenAmount[] destTokenAmounts; // Tokens and their amounts in their destination chain representation.
}
// If extraArgs is empty bytes, the default is 200k gas limit and strict = false.structEVM2AnyMessage {
bytes receiver; // abi.encode(receiver address) for dest EVM chainsbytes data; // Data payload
EVMTokenAmount[] tokenAmounts; // Token transfersaddress feeToken; // Address of feeToken. address(0) means you will send msg.value.bytes extraArgs; // Populate this with _argsToBytes(EVMExtraArgsV1)
}
// extraArgs will evolve to support new features// bytes4(keccak256("CCIP EVMExtraArgsV1"));bytes4publicconstant EVM_EXTRA_ARGS_V1_TAG =0x97a657c9;
structEVMExtraArgsV1 {
uint256 gasLimit; // ATTENTION!!! MAX GAS LIMIT 4M FOR BETA TESTINGbool strict; // See strict sequencing details below.
}
function_argsToBytes(EVMExtraArgsV1 memory extraArgs) internalpurereturns (bytesmemory bts) {
returnabi.encodeWithSelector(EVM_EXTRA_ARGS_V1_TAG, extraArgs);
}
}
Contract Source Code
File 2 of 14: CommitStore.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity 0.8.19;import {TypeAndVersionInterface} from"../interfaces/TypeAndVersionInterface.sol";
import {ICommitStore} from"./interfaces/ICommitStore.sol";
import {IARM} from"./interfaces/IARM.sol";
import {IPriceRegistry} from"./interfaces/IPriceRegistry.sol";
import {OCR2Base} from"./ocr/OCR2Base.sol";
import {Internal} from"./libraries/Internal.sol";
import {MerkleMultiProof} from"./libraries/MerkleMultiProof.sol";
contractCommitStoreisICommitStore, TypeAndVersionInterface, OCR2Base{
errorStaleReport();
errorPausedError();
errorInvalidInterval(Interval interval);
errorInvalidRoot();
errorInvalidCommitStoreConfig();
errorBadARMSignal();
errorRootAlreadyCommitted();
eventPaused(address account);
eventUnpaused(address account);
eventReportAccepted(CommitReport report);
eventConfigSet(StaticConfig staticConfig, DynamicConfig dynamicConfig);
eventRootRemoved(bytes32 root);
/// @notice Static commit store configstructStaticConfig {
uint64 chainSelector; // -------┐ Destination chainSelectoruint64 sourceChainSelector; // -┘ Source chainSelectoraddress onRamp; // OnRamp address on the source chainaddress armProxy; // ARM proxy address
}
/// @notice Dynamic commit store configstructDynamicConfig {
address priceRegistry; // Price registry address on the destination chain
}
/// @notice a sequenceNumber intervalstructInterval {
uint64 min; // ---┐ Minimum sequence number, inclusiveuint64 max; // ---┘ Maximum sequence number, inclusive
}
/// @notice Report that is committed by the observing DON at the committing phasestructCommitReport {
Internal.PriceUpdates priceUpdates;
Interval interval;
bytes32 merkleRoot;
}
// STATIC CONFIG// solhint-disable-next-line chainlink-solidity/all-caps-constant-storage-variablesstringpublicconstantoverride typeAndVersion ="CommitStore 1.0.0";
// Chain ID of this chainuint64internalimmutable i_chainSelector;
// Chain ID of the source chainuint64internalimmutable i_sourceChainSelector;
// The onRamp address on the source chainaddressinternalimmutable i_onRamp;
// The address of the arm proxyaddressinternalimmutable i_armProxy;
// DYNAMIC CONFIG// The dynamic commitStore config
DynamicConfig internal s_dynamicConfig;
// STATE// The min sequence number expected for future messagesuint64private s_minSeqNr =1;
/// @dev The epoch and round of the last reportuint40private s_latestPriceEpochAndRound;
/// @dev Whether this OnRamp is paused or notboolprivate s_paused =false;
// merkleRoot => timestamp when receivedmapping(bytes32 merkleRoot =>uint256 timestamp) private s_roots;
/// @param staticConfig Containing the static part of the commitStore config/// @dev When instantiating OCR2Base we set UNIQUE_REPORTS to false, which means/// that we do not require 2f+1 signatures on a report, only f+1 to save gas. 2f+1 is required/// only if one must strictly ensure that for a given round there is only one valid report ever generated by/// the DON. In our case additional valid reports (i.e. approved by >= f+1 oracles) are not a problem, as they will/// will either be ignored (reverted as an invalid interval) or will be accepted as an additional valid price update.constructor(StaticConfig memory staticConfig) OCR2Base(false) {
if (
staticConfig.onRamp ==address(0) ||
staticConfig.chainSelector ==0||
staticConfig.sourceChainSelector ==0||
staticConfig.armProxy ==address(0)
) revert InvalidCommitStoreConfig();
i_chainSelector = staticConfig.chainSelector;
i_sourceChainSelector = staticConfig.sourceChainSelector;
i_onRamp = staticConfig.onRamp;
i_armProxy = staticConfig.armProxy;
}
// ================================================================// | Verification |// ================================================================/// @notice Returns the next expected sequence number./// @return the next expected sequenceNumber.functiongetExpectedNextSequenceNumber() externalviewreturns (uint64) {
return s_minSeqNr;
}
/// @notice Sets the minimum sequence number./// @param minSeqNr The new minimum sequence number.functionsetMinSeqNr(uint64 minSeqNr) externalonlyOwner{
s_minSeqNr = minSeqNr;
}
/// @notice Returns the epoch and round of the last price update./// @return the latest price epoch and round.functiongetLatestPriceEpochAndRound() publicviewreturns (uint64) {
return s_latestPriceEpochAndRound;
}
/// @notice Sets the latest epoch and round for price update./// @param latestPriceEpochAndRound The new epoch and round for prices.functionsetLatestPriceEpochAndRound(uint40 latestPriceEpochAndRound) externalonlyOwner{
s_latestPriceEpochAndRound = latestPriceEpochAndRound;
}
/// @notice Returns the timestamp of a potentially previously committed merkle root./// If the root was never committed 0 will be returned./// @param root The merkle root to check the commit status for./// @return the timestamp of the committed root or zero in the case that it was never/// committed.functiongetMerkleRoot(bytes32 root) externalviewreturns (uint256) {
return s_roots[root];
}
/// @notice Returns if a root is blessed or not./// @param root The merkle root to check the blessing status for./// @return whether the root is blessed or not.functionisBlessed(bytes32 root) publicviewreturns (bool) {
return IARM(i_armProxy).isBlessed(IARM.TaggedRoot({commitStore: address(this), root: root}));
}
/// @notice Used by the owner in case an invalid sequence of roots has been/// posted and needs to be removed. The interval in the report is trusted./// @param rootToReset The roots that will be reset. This function will only/// reset roots that are not blessed.functionresetUnblessedRoots(bytes32[] calldata rootToReset) externalonlyOwner{
for (uint256 i =0; i < rootToReset.length; ++i) {
bytes32 root = rootToReset[i];
if (!isBlessed(root)) {
delete s_roots[root];
emit RootRemoved(root);
}
}
}
/// @inheritdoc ICommitStorefunctionverify(bytes32[] calldata hashedLeaves,
bytes32[] calldata proofs,
uint256 proofFlagBits
) externalviewoverridewhenNotPausedreturns (uint256 timestamp) {
bytes32 root = MerkleMultiProof.merkleRoot(hashedLeaves, proofs, proofFlagBits);
// Only return non-zero if present and blessed.if (!isBlessed(root)) {
return0;
}
return s_roots[root];
}
/// @inheritdoc OCR2Base/// @dev A commitReport can have two distinct parts:/// 1. Price updates/// 2. A merkle root and sequence number interval/// Both have their own, separate, staleness checks, with price updates using the epoch and round/// number of the latest price update. The merkle root checks for staleness based on the seqNums./// They need to be separate because a price report for round t+2 might be included before a report/// containing a merkle root for round t+1. This merkle root report for round t+1 is still valid/// and should not be rejected. When a report with a stale root but valid price updates is submitted,/// we are OK to revert to preserve the invariant that we always revert on invalid sequence number ranges./// If that happens, prices will be updates in later rounds.function_report(bytescalldata encodedReport, uint40 epochAndRound) internaloverridewhenNotPausedwhenHealthy{
CommitReport memory report =abi.decode(encodedReport, (CommitReport));
// Check if the report contains price updatesif (report.priceUpdates.tokenPriceUpdates.length>0|| report.priceUpdates.destChainSelector !=0) {
// Check for price staleness based on the epoch and roundif (s_latestPriceEpochAndRound < epochAndRound) {
// If prices are not stale, update the latest epoch and round
s_latestPriceEpochAndRound = epochAndRound;
// And update the prices in the price registry
IPriceRegistry(s_dynamicConfig.priceRegistry).updatePrices(report.priceUpdates);
// If there is no root, the report only contained fee updated and// we return to not revert on the empty root check below.if (report.merkleRoot ==bytes32(0)) return;
} else {
// If prices are stale and the report doesn't contain a root, this report// does not have any valid information and we revert.// If it does contain a merkle root, continue to the root checking section.if (report.merkleRoot ==bytes32(0)) revert StaleReport();
}
}
// If we reached this section, the report should contain a valid rootif (s_minSeqNr != report.interval.min|| report.interval.min> report.interval.max)
revert InvalidInterval(report.interval);
if (report.merkleRoot ==bytes32(0)) revert InvalidRoot();
// Disallow duplicate roots as that would reset the timestamp and// delay potential manual execution.if (s_roots[report.merkleRoot] !=0) revert RootAlreadyCommitted();
s_minSeqNr = report.interval.max+1;
s_roots[report.merkleRoot] =block.timestamp;
emit ReportAccepted(report);
}
// ================================================================// | Config |// ================================================================/// @notice Returns the static commit store config./// @return the configuration.functiongetStaticConfig() externalviewreturns (StaticConfig memory) {
return
StaticConfig({
chainSelector: i_chainSelector,
sourceChainSelector: i_sourceChainSelector,
onRamp: i_onRamp,
armProxy: i_armProxy
});
}
/// @notice Returns the dynamic commit store config./// @return the configuration.functiongetDynamicConfig() externalviewreturns (DynamicConfig memory) {
return s_dynamicConfig;
}
/// @notice Sets the dynamic config. This function is called during `setOCR2Config` flowfunction_beforeSetConfig(bytesmemory onchainConfig) internaloverride{
DynamicConfig memory dynamicConfig =abi.decode(onchainConfig, (DynamicConfig));
if (dynamicConfig.priceRegistry ==address(0)) revert InvalidCommitStoreConfig();
s_dynamicConfig = dynamicConfig;
// When the OCR config changes, we reset the price epoch and round// since epoch and rounds are scoped per config digest.// Note that s_minSeqNr/roots do not need to be reset as the roots persist// across reconfigurations and are de-duplicated separately.
s_latestPriceEpochAndRound =0;
emit ConfigSet(
StaticConfig({
chainSelector: i_chainSelector,
sourceChainSelector: i_sourceChainSelector,
onRamp: i_onRamp,
armProxy: i_armProxy
}),
dynamicConfig
);
}
// ================================================================// | Access and ARM |// ================================================================/// @notice Single function to check the status of the commitStore.functionisUnpausedAndARMHealthy() externalviewreturns (bool) {
return!IARM(i_armProxy).isCursed() &&!s_paused;
}
/// @notice Support querying whether health checker is healthy.functionisARMHealthy() externalviewreturns (bool) {
return!IARM(i_armProxy).isCursed();
}
/// @notice Ensure that the ARM has not emitted a bad signal, and that the latest heartbeat is not stale.modifierwhenHealthy() {
if (IARM(i_armProxy).isCursed()) revert BadARMSignal();
_;
}
/// @notice Modifier to make a function callable only when the contract is not paused.modifierwhenNotPaused() {
if (paused()) revert PausedError();
_;
}
/// @notice Returns true if the contract is paused, and false otherwise.functionpaused() publicviewreturns (bool) {
return s_paused;
}
/// @notice Pause the contract/// @dev only callable by the ownerfunctionpause() externalonlyOwner{
s_paused =true;
emit Paused(msg.sender);
}
/// @notice Unpause the contract/// @dev only callable by the ownerfunctionunpause() externalonlyOwner{
s_paused =false;
emit Unpaused(msg.sender);
}
}
Contract Source Code
File 3 of 14: ConfirmedOwner.sol
// SPDX-License-Identifier: MITpragmasolidity ^0.8.0;import"./ConfirmedOwnerWithProposal.sol";
/**
* @title The ConfirmedOwner contract
* @notice A contract with helpers for basic contract ownership.
*/contractConfirmedOwnerisConfirmedOwnerWithProposal{
constructor(address newOwner) ConfirmedOwnerWithProposal(newOwner, address(0)) {}
}
Contract Source Code
File 4 of 14: ConfirmedOwnerWithProposal.sol
// SPDX-License-Identifier: MITpragmasolidity ^0.8.0;import"./interfaces/OwnableInterface.sol";
/**
* @title The ConfirmedOwner contract
* @notice A contract with helpers for basic contract ownership.
*/contractConfirmedOwnerWithProposalisOwnableInterface{
addressprivate s_owner;
addressprivate s_pendingOwner;
eventOwnershipTransferRequested(addressindexedfrom, addressindexed to);
eventOwnershipTransferred(addressindexedfrom, addressindexed to);
constructor(address newOwner, address pendingOwner) {
require(newOwner !=address(0), "Cannot set owner to zero");
s_owner = newOwner;
if (pendingOwner !=address(0)) {
_transferOwnership(pendingOwner);
}
}
/**
* @notice Allows an owner to begin transferring ownership to a new address,
* pending.
*/functiontransferOwnership(address to) publicoverrideonlyOwner{
_transferOwnership(to);
}
/**
* @notice Allows an ownership transfer to be completed by the recipient.
*/functionacceptOwnership() externaloverride{
require(msg.sender== s_pendingOwner, "Must be proposed owner");
address oldOwner = s_owner;
s_owner =msg.sender;
s_pendingOwner =address(0);
emit OwnershipTransferred(oldOwner, msg.sender);
}
/**
* @notice Get the current owner
*/functionowner() publicviewoverridereturns (address) {
return s_owner;
}
/**
* @notice validate, transfer ownership, and emit relevant events
*/function_transferOwnership(address to) private{
require(to !=msg.sender, "Cannot transfer to self");
s_pendingOwner = to;
emit OwnershipTransferRequested(s_owner, to);
}
/**
* @notice validate access
*/function_validateOwnership() internalview{
require(msg.sender== s_owner, "Only callable by owner");
}
/**
* @notice Reverts if called by anyone other than the contract owner.
*/modifieronlyOwner() {
_validateOwnership();
_;
}
}
Contract Source Code
File 5 of 14: IARM.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;/// @notice This interface contains the only ARM-related functions that might be used on-chain by other CCIP contracts.interfaceIARM{
/// @notice A Merkle root tagged with the address of the commit store contract it is destined for.structTaggedRoot {
address commitStore;
bytes32 root;
}
/// @notice Callers MUST NOT cache the return value as a blessed tagged root could become unblessed.functionisBlessed(TaggedRoot calldata taggedRoot) externalviewreturns (bool);
/// @notice When the ARM is "cursed", CCIP pauses until the curse is lifted.functionisCursed() externalviewreturns (bool);
}
Contract Source Code
File 6 of 14: ICommitStore.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;interfaceICommitStore{
/// @notice Returns timestamp of when root was accepted or 0 if verification fails./// @dev This method uses a merkle tree within a merkle tree, with the hashedLeaves,/// proofs and proofFlagBits being used to get the root of the inner tree./// This root is then used as the singular leaf of the outer tree.functionverify(bytes32[] calldata hashedLeaves,
bytes32[] calldata proofs,
uint256 proofFlagBits
) externalviewreturns (uint256 timestamp);
/// @notice Returns the expected next sequence numberfunctiongetExpectedNextSequenceNumber() externalviewreturns (uint64 sequenceNumber);
}
Contract Source Code
File 7 of 14: IPriceRegistry.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;import {Internal} from"../libraries/Internal.sol";
interfaceIPriceRegistry{
/// @notice Update the price for given tokens and destination chain./// @param priceUpdates The price updates to apply.functionupdatePrices(Internal.PriceUpdates memory priceUpdates) external;
/// @notice Get the `tokenPrice` for a given token./// @param token The token to get the price for./// @return tokenPrice The tokenPrice for the given token.functiongetTokenPrice(address token) externalviewreturns (Internal.TimestampedUint192Value memory);
/// @notice Get the `tokenPrice` for a given token, checks if the price is valid./// @param token The token to get the price for./// @return tokenPrice The tokenPrice for the given token if it exists and is valid.functiongetValidatedTokenPrice(address token) externalviewreturns (uint192);
/// @notice Get the `tokenPrice` for an array of tokens./// @param tokens The tokens to get prices for./// @return tokenPrices The tokenPrices for the given tokens.functiongetTokenPrices(address[] calldata tokens) externalviewreturns (Internal.TimestampedUint192Value[] memory);
/// @notice Get the `gasPrice` for a given destination chain ID./// @param destChainSelector The destination chain to get the price for./// @return gasPrice The gasPrice for the given destination chain ID.functiongetDestinationChainGasPrice(uint64 destChainSelector
) externalviewreturns (Internal.TimestampedUint192Value memory);
/// @notice Gets the fee token price and the gas price, both denominated in dollars./// @param token The source token to get the price for./// @param destChainSelector The destination chain to get the gas price for./// @return tokenPrice The price of the feeToken in 1e18 dollars per base unit./// @return gasPrice The price of gas in 1e18 dollars per base unit.functiongetTokenAndGasPrices(address token,
uint64 destChainSelector
) externalviewreturns (uint192 tokenPrice, uint192 gasPrice);
/// @notice Convert a given token amount to target token amount./// @param fromToken The given token address./// @param fromTokenAmount The given token amount./// @param toToken The target token address./// @return toTokenAmount The target token amount.functionconvertTokenAmount(address fromToken,
uint256 fromTokenAmount,
address toToken
) externalviewreturns (uint256 toTokenAmount);
}
Contract Source Code
File 8 of 14: Internal.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;import {Client} from"./Client.sol";
import {MerkleMultiProof} from"../libraries/MerkleMultiProof.sol";
// Library for CCIP internal definitions common to multiple contracts.libraryInternal{
structPriceUpdates {
TokenPriceUpdate[] tokenPriceUpdates;
uint64 destChainSelector; // --┐ Destination chain selectoruint192 usdPerUnitGas; // -----┘ 1e18 USD per smallest unit (e.g. wei) of destination chain gas
}
structTokenPriceUpdate {
address sourceToken; // Source tokenuint192 usdPerToken; // 1e18 USD per smallest unit of token
}
structTimestampedUint192Value {
uint192 value; // -------┐ The price, in 1e18 USD.uint64 timestamp; // ----┘ Timestamp of the most recent price update.
}
structPoolUpdate {
address token; // The IERC20 token addressaddress pool; // The token pool address
}
structExecutionReport {
EVM2EVMMessage[] messages;
// Contains a bytes array for each message// each inner bytes array contains bytes per transferred tokenbytes[][] offchainTokenData;
bytes32[] proofs;
uint256 proofFlagBits;
}
// @notice The cross chain message that gets committed to EVM chainsstructEVM2EVMMessage {
uint64 sourceChainSelector;
uint64 sequenceNumber;
uint256 feeTokenAmount;
address sender;
uint64 nonce;
uint256 gasLimit;
bool strict;
// User fieldsaddress receiver;
bytes data;
Client.EVMTokenAmount[] tokenAmounts;
address feeToken;
bytes32 messageId;
}
function_toAny2EVMMessage(
EVM2EVMMessage memory original,
Client.EVMTokenAmount[] memory destTokenAmounts
) internalpurereturns (Client.Any2EVMMessage memory message) {
message = Client.Any2EVMMessage({
messageId: original.messageId,
sourceChainSelector: original.sourceChainSelector,
sender: abi.encode(original.sender),
data: original.data,
destTokenAmounts: destTokenAmounts
});
}
bytes32internalconstant EVM_2_EVM_MESSAGE_HASH =keccak256("EVM2EVMMessageEvent");
function_hash(EVM2EVMMessage memory original, bytes32 metadataHash) internalpurereturns (bytes32) {
returnkeccak256(
abi.encode(
MerkleMultiProof.LEAF_DOMAIN_SEPARATOR,
metadataHash,
original.sequenceNumber,
original.nonce,
original.sender,
original.receiver,
keccak256(original.data),
keccak256(abi.encode(original.tokenAmounts)),
original.gasLimit,
original.strict,
original.feeToken,
original.feeTokenAmount
)
);
}
/// @notice Enum listing the possible message execution states within/// the offRamp contract./// UNTOUCHED never executed/// IN_PROGRESS currently being executed, used a replay protection/// SUCCESS successfully executed. End state/// FAILURE unsuccessfully executed, manual execution is now enabled.enumMessageExecutionState {
UNTOUCHED,
IN_PROGRESS,
SUCCESS,
FAILURE
}
}
Contract Source Code
File 9 of 14: MerkleMultiProof.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;libraryMerkleMultiProof{
/// @notice Leaf domain separator, should be used as the first 32 bytes of a leaf's preimage.bytes32internalconstant LEAF_DOMAIN_SEPARATOR =0x0000000000000000000000000000000000000000000000000000000000000000;
/// @notice Internal domain separator, should be used as the first 32 bytes of an internal node's preiimage.bytes32internalconstant INTERNAL_DOMAIN_SEPARATOR =0x0000000000000000000000000000000000000000000000000000000000000001;
uint256internalconstant MAX_NUM_HASHES =256;
errorInvalidProof();
errorLeavesCannotBeEmpty();
/// @notice Computes the root based on provided pre-hashed leaf nodes in/// leaves, internal nodes in proofs, and using proofFlagBits' i-th bit to/// determine if an element of proofs or one of the previously computed leafs/// or internal nodes will be used for the i-th hash./// @param leaves Should be pre-hashed and the first 32 bytes of a leaf's/// preimage should match LEAF_DOMAIN_SEPARATOR./// @param proofs The hashes to be used instead of a leaf hash when the proofFlagBits/// indicates a proof should be used./// @param proofFlagBits A single uint256 of which each bit indicates whether a leaf or/// a proof needs to be used in a hash operation./// @dev the maximum number of hash operations it set to 256. Any input that would require/// more than 256 hashes to get to a root will revert./// @dev For given input `leaves` = [a,b,c] `proofs` = [D] and `proofFlagBits` = 5/// totalHashes = 3 + 1 - 1 = 3/// ** round 1 **/// proofFlagBits = (5 >> 0) & 1 = true/// hashes[0] = hashPair(a, b)/// (leafPos, hashPos, proofPos) = (2, 0, 0);////// ** round 2 **/// proofFlagBits = (5 >> 1) & 1 = false/// hashes[1] = hashPair(D, c)/// (leafPos, hashPos, proofPos) = (3, 0, 1);////// ** round 3 **/// proofFlagBits = (5 >> 2) & 1 = true/// hashes[2] = hashPair(hashes[0], hashes[1])/// (leafPos, hashPos, proofPos) = (3, 2, 1);////// i = 3 and no longer < totalHashes. The algorithm is done/// return hashes[totalHashes - 1] = hashes[2]; the last hash we computed.// We mark this function as internal to force it to be inlined in contracts// that use it, but semantically it is public.// solhint-disable-next-line chainlink-solidity/prefix-internal-functions-with-underscorefunctionmerkleRoot(bytes32[] memory leaves,
bytes32[] memory proofs,
uint256 proofFlagBits
) internalpurereturns (bytes32) {
unchecked {
uint256 leavesLen = leaves.length;
uint256 proofsLen = proofs.length;
if (leavesLen ==0) revert LeavesCannotBeEmpty();
if (!(leavesLen <= MAX_NUM_HASHES +1&& proofsLen <= MAX_NUM_HASHES +1)) revert InvalidProof();
uint256 totalHashes = leavesLen + proofsLen -1;
if (!(totalHashes <= MAX_NUM_HASHES)) revert InvalidProof();
if (totalHashes ==0) {
return leaves[0];
}
bytes32[] memory hashes =newbytes32[](totalHashes);
(uint256 leafPos, uint256 hashPos, uint256 proofPos) = (0, 0, 0);
for (uint256 i =0; i < totalHashes; ++i) {
// Checks if the bit flag signals the use of a supplied proof or a leaf/previous hash.bytes32 a;
if (proofFlagBits & (1<< i) == (1<< i)) {
// Use a leaf or a previously computed hash.if (leafPos < leavesLen) {
a = leaves[leafPos++];
} else {
a = hashes[hashPos++];
}
} else {
// Use a supplied proof.
a = proofs[proofPos++];
}
// The second part of the hashed pair is never a proof as hashing two proofs would result in a// hash that can already be computed offchain.bytes32 b;
if (leafPos < leavesLen) {
b = leaves[leafPos++];
} else {
b = hashes[hashPos++];
}
if (!(hashPos <= i)) revert InvalidProof();
hashes[i] = _hashPair(a, b);
}
if (!(hashPos == totalHashes -1&& leafPos == leavesLen && proofPos == proofsLen)) revert InvalidProof();
// Return the last hash.return hashes[totalHashes -1];
}
}
/// @notice Hashes two bytes32 objects in their given order, prepended by the/// INTERNAL_DOMAIN_SEPARATOR.function_hashInternalNode(bytes32 left, bytes32 right) privatepurereturns (bytes32 hash) {
returnkeccak256(abi.encode(INTERNAL_DOMAIN_SEPARATOR, left, right));
}
/// @notice Hashes two bytes32 objects. The order is taken into account,/// using the lower value first.function_hashPair(bytes32 a, bytes32 b) privatepurereturns (bytes32) {
return a < b ? _hashInternalNode(a, b) : _hashInternalNode(b, a);
}
}
Contract Source Code
File 10 of 14: OCR2Abstract.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;import {TypeAndVersionInterface} from"../../interfaces/TypeAndVersionInterface.sol";
abstractcontractOCR2AbstractisTypeAndVersionInterface{
// Maximum number of oracles the offchain reporting protocol is designed foruint256internalconstant MAX_NUM_ORACLES =31;
/// @notice triggers a new run of the offchain reporting protocol/// @param previousConfigBlockNumber block in which the previous config was set, to simplify historic analysis/// @param configDigest configDigest of this configuration/// @param configCount ordinal number of this config setting among all config settings over the life of this contract/// @param signers ith element is address ith oracle uses to sign a report/// @param transmitters ith element is address ith oracle uses to transmit a report via the transmit method/// @param f maximum number of faulty/dishonest oracles the protocol can tolerate while still working correctly/// @param onchainConfig serialized configuration used by the contract (and possibly oracles)/// @param offchainConfigVersion version of the serialization format used for "offchainConfig" parameter/// @param offchainConfig serialized configuration used by the oracles exclusively and only passed through the contracteventConfigSet(uint32 previousConfigBlockNumber,
bytes32 configDigest,
uint64 configCount,
address[] signers,
address[] transmitters,
uint8 f,
bytes onchainConfig,
uint64 offchainConfigVersion,
bytes offchainConfig
);
/// @notice sets offchain reporting protocol configuration incl. participating oracles/// @param signers addresses with which oracles sign the reports/// @param transmitters addresses oracles use to transmit the reports/// @param f number of faulty oracles the system can tolerate/// @param onchainConfig serialized configuration used by the contract (and possibly oracles)/// @param offchainConfigVersion version number for offchainEncoding schema/// @param offchainConfig serialized configuration used by the oracles exclusively and only passed through the contractfunctionsetOCR2Config(address[] memory signers,
address[] memory transmitters,
uint8 f,
bytesmemory onchainConfig,
uint64 offchainConfigVersion,
bytesmemory offchainConfig
) externalvirtual;
/// @notice information about current offchain reporting protocol configuration/// @return configCount ordinal number of current config, out of all configs applied to this contract so far/// @return blockNumber block at which this config was set/// @return configDigest domain-separation tag for current config (see _configDigestFromConfigData)functionlatestConfigDetails()
externalviewvirtualreturns (uint32 configCount, uint32 blockNumber, bytes32 configDigest);
function_configDigestFromConfigData(uint256 chainId,
address contractAddress,
uint64 configCount,
address[] memory signers,
address[] memory transmitters,
uint8 f,
bytesmemory onchainConfig,
uint64 offchainConfigVersion,
bytesmemory offchainConfig
) internalpurereturns (bytes32) {
uint256 h =uint256(
keccak256(
abi.encode(
chainId,
contractAddress,
configCount,
signers,
transmitters,
f,
onchainConfig,
offchainConfigVersion,
offchainConfig
)
)
);
uint256 prefixMask =type(uint256).max<< (256-16); // 0xFFFF00..00uint256 prefix =0x0001<< (256-16); // 0x000100..00returnbytes32((prefix & prefixMask) | (h &~prefixMask));
}
/// @notice optionally emitted to indicate the latest configDigest and epoch for/// which a report was successfully transmitted. Alternatively, the contract may/// use latestConfigDigestAndEpoch with scanLogs set to false.eventTransmitted(bytes32 configDigest, uint32 epoch);
/// @notice optionally returns the latest configDigest and epoch for which a/// report was successfully transmitted. Alternatively, the contract may return/// scanLogs set to true and use Transmitted events to provide this information/// to offchain watchers./// @return scanLogs indicates whether to rely on the configDigest and epoch/// returned or whether to scan logs for the Transmitted event instead./// @return configDigest/// @return epochfunctionlatestConfigDigestAndEpoch()
externalviewvirtualreturns (bool scanLogs, bytes32 configDigest, uint32 epoch);
/// @notice transmit is called to post a new report to the contract/// @param report serialized report, which the signatures are signing./// @param rs ith element is the R components of the ith signature on report. Must have at most MAX_NUM_ORACLES entries/// @param ss ith element is the S components of the ith signature on report. Must have at most MAX_NUM_ORACLES entries/// @param rawVs ith element is the the V component of the ith signaturefunctiontransmit(// NOTE: If these parameters are changed, expectedMsgDataLength and/or// TRANSMIT_MSGDATA_CONSTANT_LENGTH_COMPONENT need to be changed accordinglybytes32[3] calldata reportContext,
bytescalldata report,
bytes32[] calldata rs,
bytes32[] calldata ss,
bytes32 rawVs // signatures) externalvirtual;
}
Contract Source Code
File 11 of 14: OCR2Base.sol
// SPDX-License-Identifier: BUSL-1.1pragmasolidity ^0.8.0;import {OwnerIsCreator} from"../../shared/access/OwnerIsCreator.sol";
import {OCR2Abstract} from"./OCR2Abstract.sol";
/// @notice Onchain verification of reports from the offchain reporting protocol/// @dev For details on its operation, see the offchain reporting protocol design/// doc, which refers to this contract as simply the "contract".abstractcontractOCR2BaseisOwnerIsCreator, OCR2Abstract{
errorInvalidConfig(string message);
errorWrongMessageLength(uint256 expected, uint256 actual);
errorConfigDigestMismatch(bytes32 expected, bytes32 actual);
errorForkedChain(uint256 expected, uint256 actual);
errorWrongNumberOfSignatures();
errorSignaturesOutOfRegistration();
errorUnauthorizedTransmitter();
errorUnauthorizedSigner();
errorNonUniqueSignatures();
errorOracleCannotBeZeroAddress();
// Packing these fields used on the hot path in a ConfigInfo variable reduces the// retrieval of all of them to a minimum number of SLOADs.structConfigInfo {
bytes32 latestConfigDigest;
uint8 f;
uint8 n;
}
// Used for s_oracles[a].role, where a is an address, to track the purpose// of the address, or to indicate that the address is unset.enumRole {
// No oracle role has been set for address a
Unset,
// Signing address for the s_oracles[a].index'th oracle. I.e., report// signatures from this oracle should ecrecover back to address a.
Signer,
// Transmission address for the s_oracles[a].index'th oracle. I.e., if a// report is received by OCR2Aggregator.transmit in which msg.sender is// a, it is attributed to the s_oracles[a].index'th oracle.
Transmitter
}
structOracle {
uint8 index; // Index of oracle in s_signers/s_transmitters
Role role; // Role of the address which mapped to this struct
}
// The current config
ConfigInfo internal s_configInfo;
// incremented each time a new config is posted. This count is incorporated// into the config digest, to prevent replay attacks.uint32internal s_configCount;
// makes it easier for offchain systems to extract config from logs.uint32internal s_latestConfigBlockNumber;
// signer OR transmitter addressmapping(address signerOrTransmitter => Oracle oracle) internal s_oracles;
// s_signers contains the signing address of each oracleaddress[] internal s_signers;
// s_transmitters contains the transmission address of each oracle,// i.e. the address the oracle actually sends transactions to the contract fromaddress[] internal s_transmitters;
// The constant-length components of the msg.data sent to transmit.// See the "If we wanted to call sam" example on for example reasoning// https://solidity.readthedocs.io/en/v0.7.2/abi-spec.htmluint16privateconstant TRANSMIT_MSGDATA_CONSTANT_LENGTH_COMPONENT =4+// function selector32*3+// 3 words containing reportContext32+// word containing start location of abiencoded report value32+// word containing location start of abiencoded rs value32+// word containing start location of abiencoded ss value32+// rawVs value32+// word containing length of report32+// word containing length rs32; // word containing length of ssboolinternalimmutable i_uniqueReports;
uint256internalimmutable i_chainID;
constructor(bool uniqueReports) {
i_uniqueReports = uniqueReports;
i_chainID =block.chainid;
}
// Reverts transaction if config args are invalidmodifiercheckConfigValid(uint256 numSigners,
uint256 numTransmitters,
uint256 f
) {
if (numSigners > MAX_NUM_ORACLES) revert InvalidConfig("too many signers");
if (f ==0) revert InvalidConfig("f must be positive");
if (numSigners != numTransmitters) revert InvalidConfig("oracle addresses out of registration");
if (numSigners <=3* f) revert InvalidConfig("faulty-oracle f too high");
_;
}
/// @notice sets offchain reporting protocol configuration incl. participating oracles/// @param signers addresses with which oracles sign the reports/// @param transmitters addresses oracles use to transmit the reports/// @param f number of faulty oracles the system can tolerate/// @param onchainConfig encoded on-chain contract configuration/// @param offchainConfigVersion version number for offchainEncoding schema/// @param offchainConfig encoded off-chain oracle configurationfunctionsetOCR2Config(address[] memory signers,
address[] memory transmitters,
uint8 f,
bytesmemory onchainConfig,
uint64 offchainConfigVersion,
bytesmemory offchainConfig
) externaloverridecheckConfigValid(signers.length, transmitters.length, f) onlyOwner{
_beforeSetConfig(onchainConfig);
uint256 oldSignerLength = s_signers.length;
for (uint256 i =0; i < oldSignerLength; ++i) {
delete s_oracles[s_signers[i]];
delete s_oracles[s_transmitters[i]];
}
uint256 newSignersLength = signers.length;
for (uint256 i =0; i < newSignersLength; ++i) {
// add new signer/transmitter addressesaddress signer = signers[i];
if (s_oracles[signer].role != Role.Unset) revert InvalidConfig("repeated signer address");
if (signer ==address(0)) revert OracleCannotBeZeroAddress();
s_oracles[signer] = Oracle(uint8(i), Role.Signer);
address transmitter = transmitters[i];
if (s_oracles[transmitter].role != Role.Unset) revert InvalidConfig("repeated transmitter address");
if (transmitter ==address(0)) revert OracleCannotBeZeroAddress();
s_oracles[transmitter] = Oracle(uint8(i), Role.Transmitter);
}
s_signers = signers;
s_transmitters = transmitters;
s_configInfo.f = f;
s_configInfo.n =uint8(newSignersLength);
s_configInfo.latestConfigDigest = _configDigestFromConfigData(
block.chainid,
address(this),
++s_configCount,
signers,
transmitters,
f,
onchainConfig,
offchainConfigVersion,
offchainConfig
);
uint32 previousConfigBlockNumber = s_latestConfigBlockNumber;
s_latestConfigBlockNumber =uint32(block.number);
emit ConfigSet(
previousConfigBlockNumber,
s_configInfo.latestConfigDigest,
s_configCount,
signers,
transmitters,
f,
onchainConfig,
offchainConfigVersion,
offchainConfig
);
}
/// @dev Hook that is run from setOCR2Config() right after validating configuration./// Empty by default, please provide an implementation in a child contract if you need additional configuration processingfunction_beforeSetConfig(bytesmemory _onchainConfig) internalvirtual{}
/// @return list of addresses permitted to transmit reports to this contract/// @dev The list will match the order used to specify the transmitter during setConfigfunctiongetTransmitters() externalviewreturns (address[] memory) {
return s_transmitters;
}
/// @notice transmit is called to post a new report to the contract/// @param report serialized report, which the signatures are signing./// @param rs ith element is the R components of the ith signature on report. Must have at most MAX_NUM_ORACLES entries/// @param ss ith element is the S components of the ith signature on report. Must have at most MAX_NUM_ORACLES entries/// @param rawVs ith element is the the V component of the ith signaturefunctiontransmit(// NOTE: If these parameters are changed, expectedMsgDataLength and/or// TRANSMIT_MSGDATA_CONSTANT_LENGTH_COMPONENT need to be changed accordinglybytes32[3] calldata reportContext,
bytescalldata report,
bytes32[] calldata rs,
bytes32[] calldata ss,
bytes32 rawVs // signatures) externaloverride{
// Scoping this reduces stack pressure and gas usage
{
// report and epochAndRound
_report(report, uint40(uint256(reportContext[1])));
}
// reportContext consists of:// reportContext[0]: ConfigDigest// reportContext[1]: 27 byte padding, 4-byte epoch and 1-byte round// reportContext[2]: ExtraHashbytes32 configDigest = reportContext[0];
ConfigInfo memory configInfo = s_configInfo;
if (configInfo.latestConfigDigest != configDigest)
revert ConfigDigestMismatch(configInfo.latestConfigDigest, configDigest);
// If the cached chainID at time of deployment doesn't match the current chainID, we reject all signed reports.// This avoids a (rare) scenario where chain A forks into chain A and A', A' still has configDigest// calculated from chain A and so OCR reports will be valid on both forks.if (i_chainID !=block.chainid) revert ForkedChain(i_chainID, block.chainid);
emit Transmitted(configDigest, uint32(uint256(reportContext[1]) >>8));
uint256 expectedNumSignatures;
if (i_uniqueReports) {
expectedNumSignatures = (configInfo.n + configInfo.f) /2+1;
} else {
expectedNumSignatures = configInfo.f +1;
}
if (rs.length!= expectedNumSignatures) revert WrongNumberOfSignatures();
if (rs.length!= ss.length) revert SignaturesOutOfRegistration();
// Scoping this reduces stack pressure and gas usage
{
Oracle memory transmitter = s_oracles[msg.sender];
// Check that sender is authorized to reportif (!(transmitter.role == Role.Transmitter &&msg.sender== s_transmitters[transmitter.index]))
revert UnauthorizedTransmitter();
}
// Scoping this reduces stack pressure and gas usage
{
uint256 expectedDataLength =uint256(TRANSMIT_MSGDATA_CONSTANT_LENGTH_COMPONENT) +
report.length+// one byte pure entry in _report
rs.length*32+// 32 bytes per entry in _rs
ss.length*32; // 32 bytes per entry in _ss)if (msg.data.length != expectedDataLength) revert WrongMessageLength(expectedDataLength, msg.data.length);
}
// Verify signatures attached to reportbytes32 h =keccak256(abi.encodePacked(keccak256(report), reportContext));
bool[MAX_NUM_ORACLES] memory signed;
uint256 numberOfSignatures = rs.length;
for (uint256 i =0; i < numberOfSignatures; ++i) {
address signer =ecrecover(h, uint8(rawVs[i]) +27, rs[i], ss[i]);
// Since we disallow address(0) as a valid signer address, it can// never have a signer role.
Oracle memory oracle = s_oracles[signer];
if (oracle.role != Role.Signer) revert UnauthorizedSigner();
if (signed[oracle.index]) revert NonUniqueSignatures();
signed[oracle.index] =true;
}
}
/// @notice information about current offchain reporting protocol configuration/// @return configCount ordinal number of current config, out of all configs applied to this contract so far/// @return blockNumber block at which this config was set/// @return configDigest domain-separation tag for current config (see _configDigestFromConfigData)functionlatestConfigDetails()
externalviewoverridereturns (uint32 configCount, uint32 blockNumber, bytes32 configDigest)
{
return (s_configCount, s_latestConfigBlockNumber, s_configInfo.latestConfigDigest);
}
/// @inheritdoc OCR2AbstractfunctionlatestConfigDigestAndEpoch()
externalviewvirtualoverridereturns (bool scanLogs, bytes32 configDigest, uint32 epoch)
{
return (true, bytes32(0), uint32(0));
}
function_report(bytescalldata report, uint40 epochAndRound) internalvirtual;
}