Network
All
Ethereum
Arbitrum One
Base
Zora
Celo
Gnosis
Scroll
Scroll Sepolia
Xai
Rari
Forma
World Chain
Mode
Palm Testnet
Palm
Solana
coming soon
Celestia
coming soon
Eclipse
coming soon
Metal L2
coming soon
Xai Testnet
coming soon
Astria Devnet
coming soon
LUKSO
coming soon
Arbitrum Nova
coming soon
Astria
coming soon
Polygon ZKEVM
coming soon
Optimism
coming soon
zkSync Era
coming soon
Binance Smart Chain
coming soon
Polygon
coming soon
Scroll Goerli
coming soon
Movement
coming soon
Mantle
coming soon
账户
0x3d...07ff
0x3D...07ff
$500
此合同的源代码已经过验证!
合同元数据
编译器
0.8.16+commit.07a7930e
语言
Solidity
合同源代码
文件 1 的 30:Address.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Address.sol)
pragma solidity ^0.8.1;
/**
* @dev Collection of functions related to the address type
*/
library Address {
/**
* @dev Returns true if `account` is a contract.
*
* [IMPORTANT]
* ====
* It is unsafe to assume that an address for which this function returns
* false is an externally-owned account (EOA) and not a contract.
*
* Among others, `isContract` will return false for the following
* types of addresses:
*
* - an externally-owned account
* - a contract in construction
* - an address where a contract will be created
* - an address where a contract lived, but was destroyed
*
* Furthermore, `isContract` will also return true if the target contract within
* the same transaction is already scheduled for destruction by `SELFDESTRUCT`,
* which only has an effect at the end of a transaction.
* ====
*
* [IMPORTANT]
* ====
* You shouldn't rely on `isContract` to protect against flash loan attacks!
*
* Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
* like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
* constructor.
* ====
*/
function isContract(address account) internal view returns (bool) {
// This method relies on extcodesize/address.code.length, which returns 0
// for contracts in construction, since the code is only stored at the end
// of the constructor execution.
return account.code.length > 0;
}
/**
* @dev Replacement for Solidity's `transfer`: sends `amount` wei to
* `recipient`, forwarding all available gas and reverting on errors.
*
* https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
* of certain opcodes, possibly making contracts go over the 2300 gas limit
* imposed by `transfer`, making them unable to receive funds via
* `transfer`. {sendValue} removes this limitation.
*
* https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/[Learn more].
*
* IMPORTANT: because control is transferred to `recipient`, care must be
* taken to not create reentrancy vulnerabilities. Consider using
* {ReentrancyGuard} or the
* https://solidity.readthedocs.io/en/v0.8.0/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
*/
function sendValue(address payable recipient, uint256 amount) internal {
require(address(this).balance >= amount, "Address: insufficient balance");
(bool success, ) = recipient.call{value: amount}("");
require(success, "Address: unable to send value, recipient may have reverted");
}
/**
* @dev Performs a Solidity function call using a low level `call`. A
* plain `call` is an unsafe replacement for a function call: use this
* function instead.
*
* If `target` reverts with a revert reason, it is bubbled up by this
* function (like regular Solidity function calls).
*
* Returns the raw returned data. To convert to the expected return value,
* use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
*
* Requirements:
*
* - `target` must be a contract.
* - calling `target` with `data` must not revert.
*
* _Available since v3.1._
*/
function functionCall(address target, bytes memory data) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, "Address: low-level call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
* `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but also transferring `value` wei to `target`.
*
* Requirements:
*
* - the calling contract must have an ETH balance of at least `value`.
* - the called Solidity function must be `payable`.
*
* _Available since v3.1._
*/
function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
}
/**
* @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
* with `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCallWithValue(
address target,
bytes memory data,
uint256 value,
string memory errorMessage
) internal returns (bytes memory) {
require(address(this).balance >= value, "Address: insufficient balance for call");
(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
return functionStaticCall(target, data, "Address: low-level static call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(
address target,
bytes memory data,
string memory errorMessage
) internal view returns (bytes memory) {
(bool success, bytes memory returndata) = target.staticcall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
return functionDelegateCall(target, data, "Address: low-level delegate call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
(bool success, bytes memory returndata) = target.delegatecall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
* the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
*
* _Available since v4.8._
*/
function verifyCallResultFromTarget(
address target,
bool success,
bytes memory returndata,
string memory errorMessage
) internal view returns (bytes memory) {
if (success) {
if (returndata.length == 0) {
// only check isContract if the call was successful and the return data is empty
// otherwise we already know that it was a contract
require(isContract(target), "Address: call to non-contract");
}
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
/**
* @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
* revert reason or using the provided one.
*
* _Available since v4.3._
*/
function verifyCallResult(
bool success,
bytes memory returndata,
string memory errorMessage
) internal pure returns (bytes memory) {
if (success) {
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
function _revert(bytes memory returndata, string memory errorMessage) private pure {
// Look for revert reason and bubble it up if present
if (returndata.length > 0) {
// The easiest way to bubble the revert reason is using memory via assembly
/// @solidity memory-safe-assembly
assembly {
let returndata_size := mload(returndata)
revert(add(32, returndata), returndata_size)
}
} else {
revert(errorMessage);
}
}
}
合同源代码
文件 2 的 30:AddressUpgradeable.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Address.sol)
pragma solidity ^0.8.1;
/**
* @dev Collection of functions related to the address type
*/
library AddressUpgradeable {
/**
* @dev Returns true if `account` is a contract.
*
* [IMPORTANT]
* ====
* It is unsafe to assume that an address for which this function returns
* false is an externally-owned account (EOA) and not a contract.
*
* Among others, `isContract` will return false for the following
* types of addresses:
*
* - an externally-owned account
* - a contract in construction
* - an address where a contract will be created
* - an address where a contract lived, but was destroyed
*
* Furthermore, `isContract` will also return true if the target contract within
* the same transaction is already scheduled for destruction by `SELFDESTRUCT`,
* which only has an effect at the end of a transaction.
* ====
*
* [IMPORTANT]
* ====
* You shouldn't rely on `isContract` to protect against flash loan attacks!
*
* Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
* like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
* constructor.
* ====
*/
function isContract(address account) internal view returns (bool) {
// This method relies on extcodesize/address.code.length, which returns 0
// for contracts in construction, since the code is only stored at the end
// of the constructor execution.
return account.code.length > 0;
}
/**
* @dev Replacement for Solidity's `transfer`: sends `amount` wei to
* `recipient`, forwarding all available gas and reverting on errors.
*
* https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
* of certain opcodes, possibly making contracts go over the 2300 gas limit
* imposed by `transfer`, making them unable to receive funds via
* `transfer`. {sendValue} removes this limitation.
*
* https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/[Learn more].
*
* IMPORTANT: because control is transferred to `recipient`, care must be
* taken to not create reentrancy vulnerabilities. Consider using
* {ReentrancyGuard} or the
* https://solidity.readthedocs.io/en/v0.8.0/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
*/
function sendValue(address payable recipient, uint256 amount) internal {
require(address(this).balance >= amount, "Address: insufficient balance");
(bool success, ) = recipient.call{value: amount}("");
require(success, "Address: unable to send value, recipient may have reverted");
}
/**
* @dev Performs a Solidity function call using a low level `call`. A
* plain `call` is an unsafe replacement for a function call: use this
* function instead.
*
* If `target` reverts with a revert reason, it is bubbled up by this
* function (like regular Solidity function calls).
*
* Returns the raw returned data. To convert to the expected return value,
* use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
*
* Requirements:
*
* - `target` must be a contract.
* - calling `target` with `data` must not revert.
*
* _Available since v3.1._
*/
function functionCall(address target, bytes memory data) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, "Address: low-level call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
* `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but also transferring `value` wei to `target`.
*
* Requirements:
*
* - the calling contract must have an ETH balance of at least `value`.
* - the called Solidity function must be `payable`.
*
* _Available since v3.1._
*/
function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
}
/**
* @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
* with `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCallWithValue(
address target,
bytes memory data,
uint256 value,
string memory errorMessage
) internal returns (bytes memory) {
require(address(this).balance >= value, "Address: insufficient balance for call");
(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
return functionStaticCall(target, data, "Address: low-level static call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(
address target,
bytes memory data,
string memory errorMessage
) internal view returns (bytes memory) {
(bool success, bytes memory returndata) = target.staticcall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
return functionDelegateCall(target, data, "Address: low-level delegate call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
(bool success, bytes memory returndata) = target.delegatecall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
* the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
*
* _Available since v4.8._
*/
function verifyCallResultFromTarget(
address target,
bool success,
bytes memory returndata,
string memory errorMessage
) internal view returns (bytes memory) {
if (success) {
if (returndata.length == 0) {
// only check isContract if the call was successful and the return data is empty
// otherwise we already know that it was a contract
require(isContract(target), "Address: call to non-contract");
}
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
/**
* @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
* revert reason or using the provided one.
*
* _Available since v4.3._
*/
function verifyCallResult(
bool success,
bytes memory returndata,
string memory errorMessage
) internal pure returns (bytes memory) {
if (success) {
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
function _revert(bytes memory returndata, string memory errorMessage) private pure {
// Look for revert reason and bubble it up if present
if (returndata.length > 0) {
// The easiest way to bubble the revert reason is using memory via assembly
/// @solidity memory-safe-assembly
assembly {
let returndata_size := mload(returndata)
revert(add(32, returndata), returndata_size)
}
} else {
revert(errorMessage);
}
}
}
合同源代码
文件 3 的 30:ArrayUtils.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "../state/StateV2.sol";
import "./SmtLib.sol";
/// @title A common functions for arrays.
library ArrayUtils {
/**
* @dev Calculates bounds for the slice of the array.
* @param arrLength An array length.
* @param start A start index.
* @param length A length of the slice.
* @param limit A limit for the length.
* @return The bounds for the slice of the array.
*/
function calculateBounds(
uint256 arrLength,
uint256 start,
uint256 length,
uint256 limit
) internal pure returns (uint256, uint256) {
require(length > 0, "Length should be greater than 0");
require(length <= limit, "Length limit exceeded");
require(start < arrLength, "Start index out of bounds");
uint256 end = start + length;
if (end > arrLength) {
end = arrLength;
}
return (start, end);
}
}
合同源代码
文件 4 的 30:Context.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/Context.sol)
pragma solidity ^0.8.0;
/**
* @dev Provides information about the current execution context, including the
* sender of the transaction and its data. While these are generally available
* via msg.sender and msg.data, they should not be accessed in such a direct
* manner, since when dealing with meta-transactions the account sending and
* paying for execution may not be the actual sender (as far as an application
* is concerned).
*
* This contract is only required for intermediate, library-like contracts.
*/
abstract contract Context {
function _msgSender() internal view virtual returns (address) {
return msg.sender;
}
function _msgData() internal view virtual returns (bytes calldata) {
return msg.data;
}
}
合同源代码
文件 5 的 30:ContextUpgradeable.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/Context.sol)
pragma solidity ^0.8.0;
import "../proxy/utils/Initializable.sol";
/**
* @dev Provides information about the current execution context, including the
* sender of the transaction and its data. While these are generally available
* via msg.sender and msg.data, they should not be accessed in such a direct
* manner, since when dealing with meta-transactions the account sending and
* paying for execution may not be the actual sender (as far as an application
* is concerned).
*
* This contract is only required for intermediate, library-like contracts.
*/
abstract contract ContextUpgradeable is Initializable {
function __Context_init() internal onlyInitializing {
}
function __Context_init_unchained() internal onlyInitializing {
}
function _msgSender() internal view virtual returns (address) {
return msg.sender;
}
function _msgData() internal view virtual returns (bytes calldata) {
return msg.data;
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[50] private __gap;
}
合同源代码
文件 6 的 30:Dependencies.sol
// SPDX-License-Identifier: MIT
pragma solidity 0.8.16;
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {VerifierSig} from "@iden3/contracts/lib/verifierSig.sol";
import {VerifierMTP} from "@iden3/contracts/lib/verifierMTP.sol";
import {VerifierV2} from "@iden3/contracts/lib/verifierV2.sol";
合同源代码
文件 7 的 30:ERC1967Proxy.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.7.0) (proxy/ERC1967/ERC1967Proxy.sol)
pragma solidity ^0.8.0;
import "../Proxy.sol";
import "./ERC1967Upgrade.sol";
/**
* @dev This contract implements an upgradeable proxy. It is upgradeable because calls are delegated to an
* implementation address that can be changed. This address is stored in storage in the location specified by
* https://eips.ethereum.org/EIPS/eip-1967[EIP1967], so that it doesn't conflict with the storage layout of the
* implementation behind the proxy.
*/
contract ERC1967Proxy is Proxy, ERC1967Upgrade {
/**
* @dev Initializes the upgradeable proxy with an initial implementation specified by `_logic`.
*
* If `_data` is nonempty, it's used as data in a delegate call to `_logic`. This will typically be an encoded
* function call, and allows initializing the storage of the proxy like a Solidity constructor.
*/
constructor(address _logic, bytes memory _data) payable {
_upgradeToAndCall(_logic, _data, false);
}
/**
* @dev Returns the current implementation address.
*/
function _implementation() internal view virtual override returns (address impl) {
return ERC1967Upgrade._getImplementation();
}
}
合同源代码
文件 8 的 30:ERC1967Upgrade.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (proxy/ERC1967/ERC1967Upgrade.sol)
pragma solidity ^0.8.2;
import "../beacon/IBeacon.sol";
import "../../interfaces/IERC1967.sol";
import "../../interfaces/draft-IERC1822.sol";
import "../../utils/Address.sol";
import "../../utils/StorageSlot.sol";
/**
* @dev This abstract contract provides getters and event emitting update functions for
* https://eips.ethereum.org/EIPS/eip-1967[EIP1967] slots.
*
* _Available since v4.1._
*/
abstract contract ERC1967Upgrade is IERC1967 {
// This is the keccak-256 hash of "eip1967.proxy.rollback" subtracted by 1
bytes32 private constant _ROLLBACK_SLOT = 0x4910fdfa16fed3260ed0e7147f7cc6da11a60208b5b9406d12a635614ffd9143;
/**
* @dev Storage slot with the address of the current implementation.
* This is the keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1, and is
* validated in the constructor.
*/
bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
/**
* @dev Returns the current implementation address.
*/
function _getImplementation() internal view returns (address) {
return StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value;
}
/**
* @dev Stores a new address in the EIP1967 implementation slot.
*/
function _setImplementation(address newImplementation) private {
require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract");
StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value = newImplementation;
}
/**
* @dev Perform implementation upgrade
*
* Emits an {Upgraded} event.
*/
function _upgradeTo(address newImplementation) internal {
_setImplementation(newImplementation);
emit Upgraded(newImplementation);
}
/**
* @dev Perform implementation upgrade with additional setup call.
*
* Emits an {Upgraded} event.
*/
function _upgradeToAndCall(address newImplementation, bytes memory data, bool forceCall) internal {
_upgradeTo(newImplementation);
if (data.length > 0 || forceCall) {
Address.functionDelegateCall(newImplementation, data);
}
}
/**
* @dev Perform implementation upgrade with security checks for UUPS proxies, and additional setup call.
*
* Emits an {Upgraded} event.
*/
function _upgradeToAndCallUUPS(address newImplementation, bytes memory data, bool forceCall) internal {
// Upgrades from old implementations will perform a rollback test. This test requires the new
// implementation to upgrade back to the old, non-ERC1822 compliant, implementation. Removing
// this special case will break upgrade paths from old UUPS implementation to new ones.
if (StorageSlot.getBooleanSlot(_ROLLBACK_SLOT).value) {
_setImplementation(newImplementation);
} else {
try IERC1822Proxiable(newImplementation).proxiableUUID() returns (bytes32 slot) {
require(slot == _IMPLEMENTATION_SLOT, "ERC1967Upgrade: unsupported proxiableUUID");
} catch {
revert("ERC1967Upgrade: new implementation is not UUPS");
}
_upgradeToAndCall(newImplementation, data, forceCall);
}
}
/**
* @dev Storage slot with the admin of the contract.
* This is the keccak-256 hash of "eip1967.proxy.admin" subtracted by 1, and is
* validated in the constructor.
*/
bytes32 internal constant _ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;
/**
* @dev Returns the current admin.
*/
function _getAdmin() internal view returns (address) {
return StorageSlot.getAddressSlot(_ADMIN_SLOT).value;
}
/**
* @dev Stores a new address in the EIP1967 admin slot.
*/
function _setAdmin(address newAdmin) private {
require(newAdmin != address(0), "ERC1967: new admin is the zero address");
StorageSlot.getAddressSlot(_ADMIN_SLOT).value = newAdmin;
}
/**
* @dev Changes the admin of the proxy.
*
* Emits an {AdminChanged} event.
*/
function _changeAdmin(address newAdmin) internal {
emit AdminChanged(_getAdmin(), newAdmin);
_setAdmin(newAdmin);
}
/**
* @dev The storage slot of the UpgradeableBeacon contract which defines the implementation for this proxy.
* This is bytes32(uint256(keccak256('eip1967.proxy.beacon')) - 1)) and is validated in the constructor.
*/
bytes32 internal constant _BEACON_SLOT = 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50;
/**
* @dev Returns the current beacon.
*/
function _getBeacon() internal view returns (address) {
return StorageSlot.getAddressSlot(_BEACON_SLOT).value;
}
/**
* @dev Stores a new beacon in the EIP1967 beacon slot.
*/
function _setBeacon(address newBeacon) private {
require(Address.isContract(newBeacon), "ERC1967: new beacon is not a contract");
require(
Address.isContract(IBeacon(newBeacon).implementation()),
"ERC1967: beacon implementation is not a contract"
);
StorageSlot.getAddressSlot(_BEACON_SLOT).value = newBeacon;
}
/**
* @dev Perform beacon upgrade with additional setup call. Note: This upgrades the address of the beacon, it does
* not upgrade the implementation contained in the beacon (see {UpgradeableBeacon-_setImplementation} for that).
*
* Emits a {BeaconUpgraded} event.
*/
function _upgradeBeaconToAndCall(address newBeacon, bytes memory data, bool forceCall) internal {
_setBeacon(newBeacon);
emit BeaconUpgraded(newBeacon);
if (data.length > 0 || forceCall) {
Address.functionDelegateCall(IBeacon(newBeacon).implementation(), data);
}
}
}
合同源代码
文件 9 的 30:ERC20.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (token/ERC20/ERC20.sol)
pragma solidity ^0.8.0;
import "./IERC20.sol";
import "./extensions/IERC20Metadata.sol";
import "../../utils/Context.sol";
/**
* @dev Implementation of the {IERC20} interface.
*
* This implementation is agnostic to the way tokens are created. This means
* that a supply mechanism has to be added in a derived contract using {_mint}.
* For a generic mechanism see {ERC20PresetMinterPauser}.
*
* TIP: For a detailed writeup see our guide
* https://forum.openzeppelin.com/t/how-to-implement-erc20-supply-mechanisms/226[How
* to implement supply mechanisms].
*
* The default value of {decimals} is 18. To change this, you should override
* this function so it returns a different value.
*
* We have followed general OpenZeppelin Contracts guidelines: functions revert
* instead returning `false` on failure. This behavior is nonetheless
* conventional and does not conflict with the expectations of ERC20
* applications.
*
* Additionally, an {Approval} event is emitted on calls to {transferFrom}.
* This allows applications to reconstruct the allowance for all accounts just
* by listening to said events. Other implementations of the EIP may not emit
* these events, as it isn't required by the specification.
*
* Finally, the non-standard {decreaseAllowance} and {increaseAllowance}
* functions have been added to mitigate the well-known issues around setting
* allowances. See {IERC20-approve}.
*/
contract ERC20 is Context, IERC20, IERC20Metadata {
mapping(address => uint256) private _balances;
mapping(address => mapping(address => uint256)) private _allowances;
uint256 private _totalSupply;
string private _name;
string private _symbol;
/**
* @dev Sets the values for {name} and {symbol}.
*
* All two of these values are immutable: they can only be set once during
* construction.
*/
constructor(string memory name_, string memory symbol_) {
_name = name_;
_symbol = symbol_;
}
/**
* @dev Returns the name of the token.
*/
function name() public view virtual override returns (string memory) {
return _name;
}
/**
* @dev Returns the symbol of the token, usually a shorter version of the
* name.
*/
function symbol() public view virtual override returns (string memory) {
return _symbol;
}
/**
* @dev Returns the number of decimals used to get its user representation.
* For example, if `decimals` equals `2`, a balance of `505` tokens should
* be displayed to a user as `5.05` (`505 / 10 ** 2`).
*
* Tokens usually opt for a value of 18, imitating the relationship between
* Ether and Wei. This is the default value returned by this function, unless
* it's overridden.
*
* NOTE: This information is only used for _display_ purposes: it in
* no way affects any of the arithmetic of the contract, including
* {IERC20-balanceOf} and {IERC20-transfer}.
*/
function decimals() public view virtual override returns (uint8) {
return 18;
}
/**
* @dev See {IERC20-totalSupply}.
*/
function totalSupply() public view virtual override returns (uint256) {
return _totalSupply;
}
/**
* @dev See {IERC20-balanceOf}.
*/
function balanceOf(address account) public view virtual override returns (uint256) {
return _balances[account];
}
/**
* @dev See {IERC20-transfer}.
*
* Requirements:
*
* - `to` cannot be the zero address.
* - the caller must have a balance of at least `amount`.
*/
function transfer(address to, uint256 amount) public virtual override returns (bool) {
address owner = _msgSender();
_transfer(owner, to, amount);
return true;
}
/**
* @dev See {IERC20-allowance}.
*/
function allowance(address owner, address spender) public view virtual override returns (uint256) {
return _allowances[owner][spender];
}
/**
* @dev See {IERC20-approve}.
*
* NOTE: If `amount` is the maximum `uint256`, the allowance is not updated on
* `transferFrom`. This is semantically equivalent to an infinite approval.
*
* Requirements:
*
* - `spender` cannot be the zero address.
*/
function approve(address spender, uint256 amount) public virtual override returns (bool) {
address owner = _msgSender();
_approve(owner, spender, amount);
return true;
}
/**
* @dev See {IERC20-transferFrom}.
*
* Emits an {Approval} event indicating the updated allowance. This is not
* required by the EIP. See the note at the beginning of {ERC20}.
*
* NOTE: Does not update the allowance if the current allowance
* is the maximum `uint256`.
*
* Requirements:
*
* - `from` and `to` cannot be the zero address.
* - `from` must have a balance of at least `amount`.
* - the caller must have allowance for ``from``'s tokens of at least
* `amount`.
*/
function transferFrom(address from, address to, uint256 amount) public virtual override returns (bool) {
address spender = _msgSender();
_spendAllowance(from, spender, amount);
_transfer(from, to, amount);
return true;
}
/**
* @dev Atomically increases the allowance granted to `spender` by the caller.
*
* This is an alternative to {approve} that can be used as a mitigation for
* problems described in {IERC20-approve}.
*
* Emits an {Approval} event indicating the updated allowance.
*
* Requirements:
*
* - `spender` cannot be the zero address.
*/
function increaseAllowance(address spender, uint256 addedValue) public virtual returns (bool) {
address owner = _msgSender();
_approve(owner, spender, allowance(owner, spender) + addedValue);
return true;
}
/**
* @dev Atomically decreases the allowance granted to `spender` by the caller.
*
* This is an alternative to {approve} that can be used as a mitigation for
* problems described in {IERC20-approve}.
*
* Emits an {Approval} event indicating the updated allowance.
*
* Requirements:
*
* - `spender` cannot be the zero address.
* - `spender` must have allowance for the caller of at least
* `subtractedValue`.
*/
function decreaseAllowance(address spender, uint256 subtractedValue) public virtual returns (bool) {
address owner = _msgSender();
uint256 currentAllowance = allowance(owner, spender);
require(currentAllowance >= subtractedValue, "ERC20: decreased allowance below zero");
unchecked {
_approve(owner, spender, currentAllowance - subtractedValue);
}
return true;
}
/**
* @dev Moves `amount` of tokens from `from` to `to`.
*
* This internal function is equivalent to {transfer}, and can be used to
* e.g. implement automatic token fees, slashing mechanisms, etc.
*
* Emits a {Transfer} event.
*
* Requirements:
*
* - `from` cannot be the zero address.
* - `to` cannot be the zero address.
* - `from` must have a balance of at least `amount`.
*/
function _transfer(address from, address to, uint256 amount) internal virtual {
require(from != address(0), "ERC20: transfer from the zero address");
require(to != address(0), "ERC20: transfer to the zero address");
_beforeTokenTransfer(from, to, amount);
uint256 fromBalance = _balances[from];
require(fromBalance >= amount, "ERC20: transfer amount exceeds balance");
unchecked {
_balances[from] = fromBalance - amount;
// Overflow not possible: the sum of all balances is capped by totalSupply, and the sum is preserved by
// decrementing then incrementing.
_balances[to] += amount;
}
emit Transfer(from, to, amount);
_afterTokenTransfer(from, to, amount);
}
/** @dev Creates `amount` tokens and assigns them to `account`, increasing
* the total supply.
*
* Emits a {Transfer} event with `from` set to the zero address.
*
* Requirements:
*
* - `account` cannot be the zero address.
*/
function _mint(address account, uint256 amount) internal virtual {
require(account != address(0), "ERC20: mint to the zero address");
_beforeTokenTransfer(address(0), account, amount);
_totalSupply += amount;
unchecked {
// Overflow not possible: balance + amount is at most totalSupply + amount, which is checked above.
_balances[account] += amount;
}
emit Transfer(address(0), account, amount);
_afterTokenTransfer(address(0), account, amount);
}
/**
* @dev Destroys `amount` tokens from `account`, reducing the
* total supply.
*
* Emits a {Transfer} event with `to` set to the zero address.
*
* Requirements:
*
* - `account` cannot be the zero address.
* - `account` must have at least `amount` tokens.
*/
function _burn(address account, uint256 amount) internal virtual {
require(account != address(0), "ERC20: burn from the zero address");
_beforeTokenTransfer(account, address(0), amount);
uint256 accountBalance = _balances[account];
require(accountBalance >= amount, "ERC20: burn amount exceeds balance");
unchecked {
_balances[account] = accountBalance - amount;
// Overflow not possible: amount <= accountBalance <= totalSupply.
_totalSupply -= amount;
}
emit Transfer(account, address(0), amount);
_afterTokenTransfer(account, address(0), amount);
}
/**
* @dev Sets `amount` as the allowance of `spender` over the `owner` s tokens.
*
* This internal function is equivalent to `approve`, and can be used to
* e.g. set automatic allowances for certain subsystems, etc.
*
* Emits an {Approval} event.
*
* Requirements:
*
* - `owner` cannot be the zero address.
* - `spender` cannot be the zero address.
*/
function _approve(address owner, address spender, uint256 amount) internal virtual {
require(owner != address(0), "ERC20: approve from the zero address");
require(spender != address(0), "ERC20: approve to the zero address");
_allowances[owner][spender] = amount;
emit Approval(owner, spender, amount);
}
/**
* @dev Updates `owner` s allowance for `spender` based on spent `amount`.
*
* Does not update the allowance amount in case of infinite allowance.
* Revert if not enough allowance is available.
*
* Might emit an {Approval} event.
*/
function _spendAllowance(address owner, address spender, uint256 amount) internal virtual {
uint256 currentAllowance = allowance(owner, spender);
if (currentAllowance != type(uint256).max) {
require(currentAllowance >= amount, "ERC20: insufficient allowance");
unchecked {
_approve(owner, spender, currentAllowance - amount);
}
}
}
/**
* @dev Hook that is called before any transfer of tokens. This includes
* minting and burning.
*
* Calling conditions:
*
* - when `from` and `to` are both non-zero, `amount` of ``from``'s tokens
* will be transferred to `to`.
* - when `from` is zero, `amount` tokens will be minted for `to`.
* - when `to` is zero, `amount` of ``from``'s tokens will be burned.
* - `from` and `to` are never both zero.
*
* To learn more about hooks, head to xref:ROOT:extending-contracts.adoc#using-hooks[Using Hooks].
*/
function _beforeTokenTransfer(address from, address to, uint256 amount) internal virtual {}
/**
* @dev Hook that is called after any transfer of tokens. This includes
* minting and burning.
*
* Calling conditions:
*
* - when `from` and `to` are both non-zero, `amount` of ``from``'s tokens
* has been transferred to `to`.
* - when `from` is zero, `amount` tokens have been minted for `to`.
* - when `to` is zero, `amount` of ``from``'s tokens have been burned.
* - `from` and `to` are never both zero.
*
* To learn more about hooks, head to xref:ROOT:extending-contracts.adoc#using-hooks[Using Hooks].
*/
function _afterTokenTransfer(address from, address to, uint256 amount) internal virtual {}
}
合同源代码
文件 10 的 30:IBeacon.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (proxy/beacon/IBeacon.sol)
pragma solidity ^0.8.0;
/**
* @dev This is the interface that {BeaconProxy} expects of its beacon.
*/
interface IBeacon {
/**
* @dev Must return an address that can be used as a delegate call target.
*
* {BeaconProxy} will check that this address is a contract.
*/
function implementation() external view returns (address);
}
合同源代码
文件 11 的 30:IERC1967.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (interfaces/IERC1967.sol)
pragma solidity ^0.8.0;
/**
* @dev ERC-1967: Proxy Storage Slots. This interface contains the events defined in the ERC.
*
* _Available since v4.8.3._
*/
interface IERC1967 {
/**
* @dev Emitted when the implementation is upgraded.
*/
event Upgraded(address indexed implementation);
/**
* @dev Emitted when the admin account has changed.
*/
event AdminChanged(address previousAdmin, address newAdmin);
/**
* @dev Emitted when the beacon is changed.
*/
event BeaconUpgraded(address indexed beacon);
}
合同源代码
文件 12 的 30:IERC20.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (token/ERC20/IERC20.sol)
pragma solidity ^0.8.0;
/**
* @dev Interface of the ERC20 standard as defined in the EIP.
*/
interface IERC20 {
/**
* @dev Emitted when `value` tokens are moved from one account (`from`) to
* another (`to`).
*
* Note that `value` may be zero.
*/
event Transfer(address indexed from, address indexed to, uint256 value);
/**
* @dev Emitted when the allowance of a `spender` for an `owner` is set by
* a call to {approve}. `value` is the new allowance.
*/
event Approval(address indexed owner, address indexed spender, uint256 value);
/**
* @dev Returns the amount of tokens in existence.
*/
function totalSupply() external view returns (uint256);
/**
* @dev Returns the amount of tokens owned by `account`.
*/
function balanceOf(address account) external view returns (uint256);
/**
* @dev Moves `amount` tokens from the caller's account to `to`.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transfer(address to, uint256 amount) external returns (bool);
/**
* @dev Returns the remaining number of tokens that `spender` will be
* allowed to spend on behalf of `owner` through {transferFrom}. This is
* zero by default.
*
* This value changes when {approve} or {transferFrom} are called.
*/
function allowance(address owner, address spender) external view returns (uint256);
/**
* @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* IMPORTANT: Beware that changing an allowance with this method brings the risk
* that someone may use both the old and the new allowance by unfortunate
* transaction ordering. One possible solution to mitigate this race
* condition is to first reduce the spender's allowance to 0 and set the
* desired value afterwards:
* https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
*
* Emits an {Approval} event.
*/
function approve(address spender, uint256 amount) external returns (bool);
/**
* @dev Moves `amount` tokens from `from` to `to` using the
* allowance mechanism. `amount` is then deducted from the caller's
* allowance.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
合同源代码
文件 13 的 30:IERC20Metadata.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (token/ERC20/extensions/IERC20Metadata.sol)
pragma solidity ^0.8.0;
import "../IERC20.sol";
/**
* @dev Interface for the optional metadata functions from the ERC20 standard.
*
* _Available since v4.1._
*/
interface IERC20Metadata is IERC20 {
/**
* @dev Returns the name of the token.
*/
function name() external view returns (string memory);
/**
* @dev Returns the symbol of the token.
*/
function symbol() external view returns (string memory);
/**
* @dev Returns the decimals places of the token.
*/
function decimals() external view returns (uint8);
}
合同源代码
文件 14 的 30:IState.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
uint256 constant MAX_SMT_DEPTH = 64;
interface IState {
/**
* @dev Struct for public interfaces to represent a state information.
* @param id An identity.
* @param state A state.
* @param replacedByState A state, which replaced this state for the identity.
* @param createdAtTimestamp A time when the state was created.
* @param replacedAtTimestamp A time when the state was replaced by the next identity state.
* @param createdAtBlock A block number when the state was created.
* @param replacedAtBlock A block number when the state was replaced by the next identity state.
*/
struct StateInfo {
uint256 id;
uint256 state;
uint256 replacedByState;
uint256 createdAtTimestamp;
uint256 replacedAtTimestamp;
uint256 createdAtBlock;
uint256 replacedAtBlock;
}
/**
* @dev Struct for public interfaces to represent GIST root information.
* @param root This GIST root.
* @param replacedByRoot A root, which replaced this root.
* @param createdAtTimestamp A time, when the root was saved to blockchain.
* @param replacedAtTimestamp A time, when the root was replaced by the next root in blockchain.
* @param createdAtBlock A number of block, when the root was saved to blockchain.
* @param replacedAtBlock A number of block, when the root was replaced by the next root in blockchain.
*/
struct GistRootInfo {
uint256 root;
uint256 replacedByRoot;
uint256 createdAtTimestamp;
uint256 replacedAtTimestamp;
uint256 createdAtBlock;
uint256 replacedAtBlock;
}
/**
* @dev Struct for public interfaces to represent GIST proof information.
* @param root This GIST root.
* @param existence A flag, which shows if the leaf index exists in the GIST.
* @param siblings An array of GIST sibling node hashes.
* @param index An index of the leaf in the GIST.
* @param value A value of the leaf in the GIST.
* @param auxExistence A flag, which shows if the auxiliary leaf exists in the GIST.
* @param auxIndex An index of the auxiliary leaf in the GIST.
* @param auxValue An value of the auxiliary leaf in the GIST.
*/
struct GistProof {
uint256 root;
bool existence;
uint256[MAX_SMT_DEPTH] siblings;
uint256 index;
uint256 value;
bool auxExistence;
uint256 auxIndex;
uint256 auxValue;
}
/**
* @dev Retrieve last state information of specific id.
* @param id An identity.
* @return The state info.
*/
function getStateInfoById(uint256 id) external view returns (StateInfo memory);
/**
* @dev Retrieve state information by id and state.
* @param id An identity.
* @param state A state.
* @return The state info.
*/
function getStateInfoByIdAndState(
uint256 id,
uint256 state
) external view returns (StateInfo memory);
/**
* @dev Retrieve the specific GIST root information.
* @param root GIST root.
* @return The GIST root info.
*/
function getGISTRootInfo(uint256 root) external view returns (GistRootInfo memory);
}
合同源代码
文件 15 的 30:IStateTransitionVerifier.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
interface IStateTransitionVerifier {
function verifyProof(
uint256[2] memory a,
uint256[2][2] memory b,
uint256[2] memory c,
uint256[4] memory input
) external view returns (bool r);
}
合同源代码
文件 16 的 30:Initializable.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (proxy/utils/Initializable.sol)
pragma solidity ^0.8.2;
import "../../utils/AddressUpgradeable.sol";
/**
* @dev This is a base contract to aid in writing upgradeable contracts, or any kind of contract that will be deployed
* behind a proxy. Since proxied contracts do not make use of a constructor, it's common to move constructor logic to an
* external initializer function, usually called `initialize`. It then becomes necessary to protect this initializer
* function so it can only be called once. The {initializer} modifier provided by this contract will have this effect.
*
* The initialization functions use a version number. Once a version number is used, it is consumed and cannot be
* reused. This mechanism prevents re-execution of each "step" but allows the creation of new initialization steps in
* case an upgrade adds a module that needs to be initialized.
*
* For example:
*
* [.hljs-theme-light.nopadding]
* ```solidity
* contract MyToken is ERC20Upgradeable {
* function initialize() initializer public {
* __ERC20_init("MyToken", "MTK");
* }
* }
*
* contract MyTokenV2 is MyToken, ERC20PermitUpgradeable {
* function initializeV2() reinitializer(2) public {
* __ERC20Permit_init("MyToken");
* }
* }
* ```
*
* TIP: To avoid leaving the proxy in an uninitialized state, the initializer function should be called as early as
* possible by providing the encoded function call as the `_data` argument to {ERC1967Proxy-constructor}.
*
* CAUTION: When used with inheritance, manual care must be taken to not invoke a parent initializer twice, or to ensure
* that all initializers are idempotent. This is not verified automatically as constructors are by Solidity.
*
* [CAUTION]
* ====
* Avoid leaving a contract uninitialized.
*
* An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation
* contract, which may impact the proxy. To prevent the implementation contract from being used, you should invoke
* the {_disableInitializers} function in the constructor to automatically lock it when it is deployed:
*
* [.hljs-theme-light.nopadding]
* ```
* /// @custom:oz-upgrades-unsafe-allow constructor
* constructor() {
* _disableInitializers();
* }
* ```
* ====
*/
abstract contract Initializable {
/**
* @dev Indicates that the contract has been initialized.
* @custom:oz-retyped-from bool
*/
uint8 private _initialized;
/**
* @dev Indicates that the contract is in the process of being initialized.
*/
bool private _initializing;
/**
* @dev Triggered when the contract has been initialized or reinitialized.
*/
event Initialized(uint8 version);
/**
* @dev A modifier that defines a protected initializer function that can be invoked at most once. In its scope,
* `onlyInitializing` functions can be used to initialize parent contracts.
*
* Similar to `reinitializer(1)`, except that functions marked with `initializer` can be nested in the context of a
* constructor.
*
* Emits an {Initialized} event.
*/
modifier initializer() {
bool isTopLevelCall = !_initializing;
require(
(isTopLevelCall && _initialized < 1) || (!AddressUpgradeable.isContract(address(this)) && _initialized == 1),
"Initializable: contract is already initialized"
);
_initialized = 1;
if (isTopLevelCall) {
_initializing = true;
}
_;
if (isTopLevelCall) {
_initializing = false;
emit Initialized(1);
}
}
/**
* @dev A modifier that defines a protected reinitializer function that can be invoked at most once, and only if the
* contract hasn't been initialized to a greater version before. In its scope, `onlyInitializing` functions can be
* used to initialize parent contracts.
*
* A reinitializer may be used after the original initialization step. This is essential to configure modules that
* are added through upgrades and that require initialization.
*
* When `version` is 1, this modifier is similar to `initializer`, except that functions marked with `reinitializer`
* cannot be nested. If one is invoked in the context of another, execution will revert.
*
* Note that versions can jump in increments greater than 1; this implies that if multiple reinitializers coexist in
* a contract, executing them in the right order is up to the developer or operator.
*
* WARNING: setting the version to 255 will prevent any future reinitialization.
*
* Emits an {Initialized} event.
*/
modifier reinitializer(uint8 version) {
require(!_initializing && _initialized < version, "Initializable: contract is already initialized");
_initialized = version;
_initializing = true;
_;
_initializing = false;
emit Initialized(version);
}
/**
* @dev Modifier to protect an initialization function so that it can only be invoked by functions with the
* {initializer} and {reinitializer} modifiers, directly or indirectly.
*/
modifier onlyInitializing() {
require(_initializing, "Initializable: contract is not initializing");
_;
}
/**
* @dev Locks the contract, preventing any future reinitialization. This cannot be part of an initializer call.
* Calling this in the constructor of a contract will prevent that contract from being initialized or reinitialized
* to any version. It is recommended to use this to lock implementation contracts that are designed to be called
* through proxies.
*
* Emits an {Initialized} event the first time it is successfully executed.
*/
function _disableInitializers() internal virtual {
require(!_initializing, "Initializable: contract is initializing");
if (_initialized != type(uint8).max) {
_initialized = type(uint8).max;
emit Initialized(type(uint8).max);
}
}
/**
* @dev Returns the highest version that has been initialized. See {reinitializer}.
*/
function _getInitializedVersion() internal view returns (uint8) {
return _initialized;
}
/**
* @dev Returns `true` if the contract is currently initializing. See {onlyInitializing}.
*/
function _isInitializing() internal view returns (bool) {
return _initializing;
}
}
合同源代码
文件 17 的 30:Ownable2StepUpgradeable.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (access/Ownable2Step.sol)
pragma solidity ^0.8.0;
import "./OwnableUpgradeable.sol";
import "../proxy/utils/Initializable.sol";
/**
* @dev Contract module which provides access control mechanism, where
* there is an account (an owner) that can be granted exclusive access to
* specific functions.
*
* By default, the owner account will be the one that deploys the contract. This
* can later be changed with {transferOwnership} and {acceptOwnership}.
*
* This module is used through inheritance. It will make available all functions
* from parent (Ownable).
*/
abstract contract Ownable2StepUpgradeable is Initializable, OwnableUpgradeable {
function __Ownable2Step_init() internal onlyInitializing {
__Ownable_init_unchained();
}
function __Ownable2Step_init_unchained() internal onlyInitializing {
}
address private _pendingOwner;
event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
/**
* @dev Returns the address of the pending owner.
*/
function pendingOwner() public view virtual returns (address) {
return _pendingOwner;
}
/**
* @dev Starts the ownership transfer of the contract to a new account. Replaces the pending transfer if there is one.
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual override onlyOwner {
_pendingOwner = newOwner;
emit OwnershipTransferStarted(owner(), newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`) and deletes any pending owner.
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual override {
delete _pendingOwner;
super._transferOwnership(newOwner);
}
/**
* @dev The new owner accepts the ownership transfer.
*/
function acceptOwnership() public virtual {
address sender = _msgSender();
require(pendingOwner() == sender, "Ownable2Step: caller is not the new owner");
_transferOwnership(sender);
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[49] private __gap;
}
合同源代码
文件 18 的 30:OwnableUpgradeable.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (access/Ownable.sol)
pragma solidity ^0.8.0;
import "../utils/ContextUpgradeable.sol";
import "../proxy/utils/Initializable.sol";
/**
* @dev Contract module which provides a basic access control mechanism, where
* there is an account (an owner) that can be granted exclusive access to
* specific functions.
*
* By default, the owner account will be the one that deploys the contract. This
* can later be changed with {transferOwnership}.
*
* This module is used through inheritance. It will make available the modifier
* `onlyOwner`, which can be applied to your functions to restrict their use to
* the owner.
*/
abstract contract OwnableUpgradeable is Initializable, ContextUpgradeable {
address private _owner;
event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
/**
* @dev Initializes the contract setting the deployer as the initial owner.
*/
function __Ownable_init() internal onlyInitializing {
__Ownable_init_unchained();
}
function __Ownable_init_unchained() internal onlyInitializing {
_transferOwnership(_msgSender());
}
/**
* @dev Throws if called by any account other than the owner.
*/
modifier onlyOwner() {
_checkOwner();
_;
}
/**
* @dev Returns the address of the current owner.
*/
function owner() public view virtual returns (address) {
return _owner;
}
/**
* @dev Throws if the sender is not the owner.
*/
function _checkOwner() internal view virtual {
require(owner() == _msgSender(), "Ownable: caller is not the owner");
}
/**
* @dev Leaves the contract without owner. It will not be possible to call
* `onlyOwner` functions. Can only be called by the current owner.
*
* NOTE: Renouncing ownership will leave the contract without an owner,
* thereby disabling any functionality that is only available to the owner.
*/
function renounceOwnership() public virtual onlyOwner {
_transferOwnership(address(0));
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual onlyOwner {
require(newOwner != address(0), "Ownable: new owner is the zero address");
_transferOwnership(newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual {
address oldOwner = _owner;
_owner = newOwner;
emit OwnershipTransferred(oldOwner, newOwner);
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[49] private __gap;
}
合同源代码
文件 19 的 30:Pairing.sol
//
// Copyright 2017 Christian Reitwiessner
// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// 2019 OKIMS
// ported to solidity 0.6
// fixed linter warnings
// added requiere error messages
//
//
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
library Pairing {
struct G1Point {
uint X;
uint Y;
}
// Encoding of field elements is: X[0] * z + X[1]
struct G2Point {
uint[2] X;
uint[2] Y;
}
/// @return the generator of G1
function P1() internal pure returns (G1Point memory) {
return G1Point(1, 2);
}
/// @return the generator of G2
function P2() internal pure returns (G2Point memory) {
// Original code point
return
G2Point(
[
11559732032986387107991004021392285783925812861821192530917403151452391805634,
10857046999023057135944570762232829481370756359578518086990519993285655852781
],
[
4082367875863433681332203403145435568316851327593401208105741076214120093531,
8495653923123431417604973247489272438418190587263600148770280649306958101930
]
);
/*
// Changed by Jordi point
return G2Point(
[10857046999023057135944570762232829481370756359578518086990519993285655852781,
11559732032986387107991004021392285783925812861821192530917403151452391805634],
[8495653923123431417604973247489272438418190587263600148770280649306958101930,
4082367875863433681332203403145435568316851327593401208105741076214120093531]
);
*/
}
/// @return r the negation of p, i.e. p.addition(p.negate()) should be zero.
function negate(G1Point memory p) internal pure returns (G1Point memory r) {
// The prime q in the base field F_q for G1
uint q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
if (p.X == 0 && p.Y == 0) return G1Point(0, 0);
return G1Point(p.X, q - (p.Y % q));
}
/// @return r the sum of two points of G1
function addition(
G1Point memory p1,
G1Point memory p2
) internal view returns (G1Point memory r) {
uint[4] memory input;
input[0] = p1.X;
input[1] = p1.Y;
input[2] = p2.X;
input[3] = p2.Y;
bool success;
// solium-disable-next-line security/no-inline-assembly
assembly {
success := staticcall(sub(gas(), 2000), 6, input, 0xc0, r, 0x60)
// Use "invalid" to make gas estimation work
switch success
case 0 {
invalid()
}
}
require(success, "pairing-add-failed");
}
/// @return r the product of a point on G1 and a scalar, i.e.
/// p == p.scalar_mul(1) and p.addition(p) == p.scalar_mul(2) for all points p.
function scalar_mul(G1Point memory p, uint s) internal view returns (G1Point memory r) {
uint[3] memory input;
input[0] = p.X;
input[1] = p.Y;
input[2] = s;
bool success;
// solium-disable-next-line security/no-inline-assembly
assembly {
success := staticcall(sub(gas(), 2000), 7, input, 0x80, r, 0x60)
// Use "invalid" to make gas estimation work
switch success
case 0 {
invalid()
}
}
require(success, "pairing-mul-failed");
}
/// @return the result of computing the pairing check
/// e(p1[0], p2[0]) * .... * e(p1[n], p2[n]) == 1
/// For example pairing([P1(), P1().negate()], [P2(), P2()]) should
/// return true.
function pairing(G1Point[] memory p1, G2Point[] memory p2) internal view returns (bool) {
require(p1.length == p2.length, "pairing-lengths-failed");
uint elements = p1.length;
uint inputSize = elements * 6;
uint[] memory input = new uint[](inputSize);
for (uint i = 0; i < elements; i++) {
input[i * 6 + 0] = p1[i].X;
input[i * 6 + 1] = p1[i].Y;
input[i * 6 + 2] = p2[i].X[0];
input[i * 6 + 3] = p2[i].X[1];
input[i * 6 + 4] = p2[i].Y[0];
input[i * 6 + 5] = p2[i].Y[1];
}
uint[1] memory out;
bool success;
// solium-disable-next-line security/no-inline-assembly
assembly {
success := staticcall(
sub(gas(), 2000),
8,
add(input, 0x20),
mul(inputSize, 0x20),
out,
0x20
)
// Use "invalid" to make gas estimation work
switch success
case 0 {
invalid()
}
}
require(success, "pairing-opcode-failed");
return out[0] != 0;
}
/// Convenience method for a pairing check for two pairs.
function pairingProd2(
G1Point memory a1,
G2Point memory a2,
G1Point memory b1,
G2Point memory b2
) internal view returns (bool) {
G1Point[] memory p1 = new G1Point[](2);
G2Point[] memory p2 = new G2Point[](2);
p1[0] = a1;
p1[1] = b1;
p2[0] = a2;
p2[1] = b2;
return pairing(p1, p2);
}
/// Convenience method for a pairing check for three pairs.
function pairingProd3(
G1Point memory a1,
G2Point memory a2,
G1Point memory b1,
G2Point memory b2,
G1Point memory c1,
G2Point memory c2
) internal view returns (bool) {
G1Point[] memory p1 = new G1Point[](3);
G2Point[] memory p2 = new G2Point[](3);
p1[0] = a1;
p1[1] = b1;
p1[2] = c1;
p2[0] = a2;
p2[1] = b2;
p2[2] = c2;
return pairing(p1, p2);
}
/// Convenience method for a pairing check for four pairs.
function pairingProd4(
G1Point memory a1,
G2Point memory a2,
G1Point memory b1,
G2Point memory b2,
G1Point memory c1,
G2Point memory c2,
G1Point memory d1,
G2Point memory d2
) internal view returns (bool) {
G1Point[] memory p1 = new G1Point[](4);
G2Point[] memory p2 = new G2Point[](4);
p1[0] = a1;
p1[1] = b1;
p1[2] = c1;
p1[3] = d1;
p2[0] = a2;
p2[1] = b2;
p2[2] = c2;
p2[3] = d2;
return pairing(p1, p2);
}
}
合同源代码
文件 20 的 30:Poseidon.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
library PoseidonUnit1L {
function poseidon(uint256[1] calldata) public pure returns (uint256) {}
}
library PoseidonUnit2L {
function poseidon(uint256[2] calldata) public pure returns (uint256) {}
}
library PoseidonUnit3L {
function poseidon(uint256[3] calldata) public pure returns (uint256) {}
}
library PoseidonUnit4L {
function poseidon(uint256[4] calldata) public pure returns (uint256) {}
}
library PoseidonUnit5L {
function poseidon(uint256[5] calldata) public pure returns (uint256) {}
}
library PoseidonUnit6L {
function poseidon(uint256[6] calldata) public pure returns (uint256) {}
}
library SpongePoseidon {
uint32 constant BATCH_SIZE = 6;
function hash(uint256[] calldata values) public pure returns (uint256) {
uint256[BATCH_SIZE] memory frame = [uint256(0), 0, 0, 0, 0, 0];
bool dirty = false;
uint256 fullHash = 0;
uint32 k = 0;
for (uint32 i = 0; i < values.length; i++) {
dirty = true;
frame[k] = values[i];
if (k == BATCH_SIZE - 1) {
fullHash = PoseidonUnit6L.poseidon(frame);
dirty = false;
frame = [uint256(0), 0, 0, 0, 0, 0];
frame[0] = fullHash;
k = 1;
} else {
k++;
}
}
if (dirty) {
// we haven't hashed something in the main sponge loop and need to do hash here
fullHash = PoseidonUnit6L.poseidon(frame);
}
return fullHash;
}
}
library PoseidonFacade {
function poseidon1(uint256[1] calldata el) public pure returns (uint256) {
return PoseidonUnit1L.poseidon(el);
}
function poseidon2(uint256[2] calldata el) public pure returns (uint256) {
return PoseidonUnit2L.poseidon(el);
}
function poseidon3(uint256[3] calldata el) public pure returns (uint256) {
return PoseidonUnit3L.poseidon(el);
}
function poseidon4(uint256[4] calldata el) public pure returns (uint256) {
return PoseidonUnit4L.poseidon(el);
}
function poseidon5(uint256[5] calldata el) public pure returns (uint256) {
return PoseidonUnit5L.poseidon(el);
}
function poseidon6(uint256[6] calldata el) public pure returns (uint256) {
return PoseidonUnit6L.poseidon(el);
}
function poseidonSponge(uint256[] calldata el) public pure returns (uint256) {
return SpongePoseidon.hash(el);
}
}
合同源代码
文件 21 的 30:Proxy.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.6.0) (proxy/Proxy.sol)
pragma solidity ^0.8.0;
/**
* @dev This abstract contract provides a fallback function that delegates all calls to another contract using the EVM
* instruction `delegatecall`. We refer to the second contract as the _implementation_ behind the proxy, and it has to
* be specified by overriding the virtual {_implementation} function.
*
* Additionally, delegation to the implementation can be triggered manually through the {_fallback} function, or to a
* different contract through the {_delegate} function.
*
* The success and return data of the delegated call will be returned back to the caller of the proxy.
*/
abstract contract Proxy {
/**
* @dev Delegates the current call to `implementation`.
*
* This function does not return to its internal call site, it will return directly to the external caller.
*/
function _delegate(address implementation) internal virtual {
assembly {
// Copy msg.data. We take full control of memory in this inline assembly
// block because it will not return to Solidity code. We overwrite the
// Solidity scratch pad at memory position 0.
calldatacopy(0, 0, calldatasize())
// Call the implementation.
// out and outsize are 0 because we don't know the size yet.
let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0)
// Copy the returned data.
returndatacopy(0, 0, returndatasize())
switch result
// delegatecall returns 0 on error.
case 0 {
revert(0, returndatasize())
}
default {
return(0, returndatasize())
}
}
}
/**
* @dev This is a virtual function that should be overridden so it returns the address to which the fallback function
* and {_fallback} should delegate.
*/
function _implementation() internal view virtual returns (address);
/**
* @dev Delegates the current call to the address returned by `_implementation()`.
*
* This function does not return to its internal call site, it will return directly to the external caller.
*/
function _fallback() internal virtual {
_beforeFallback();
_delegate(_implementation());
}
/**
* @dev Fallback function that delegates calls to the address returned by `_implementation()`. Will run if no other
* function in the contract matches the call data.
*/
fallback() external payable virtual {
_fallback();
}
/**
* @dev Fallback function that delegates calls to the address returned by `_implementation()`. Will run if call data
* is empty.
*/
receive() external payable virtual {
_fallback();
}
/**
* @dev Hook that is called before falling back to the implementation. Can happen as part of a manual `_fallback`
* call, or as part of the Solidity `fallback` or `receive` functions.
*
* If overridden should call `super._beforeFallback()`.
*/
function _beforeFallback() internal virtual {}
}
合同源代码
文件 22 的 30:SmtLib.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "./Poseidon.sol";
import "./ArrayUtils.sol";
/// @title A sparse merkle tree implementation, which keeps tree history.
// Note that this SMT implementation can manage duplicated roots in the history,
// which may happen when some leaf change its value and then changes it back to the original value.
// Leaves deletion is not supported, although it should be possible to implement it in the future
// versions of this library, without changing the existing state variables
// In this way all the SMT data may be preserved for the contracts already in production.
library SmtLib {
/**
* @dev Max return array length for SMT root history requests
*/
uint256 public constant ROOT_INFO_LIST_RETURN_LIMIT = 1000;
/**
* @dev Max depth hard cap for SMT
* We can't use depth > 256 because of bits number limitation in the uint256 data type.
*/
uint256 public constant MAX_DEPTH_HARD_CAP = 256;
/**
* @dev Enum of SMT node types
*/
enum NodeType {
EMPTY,
LEAF,
MIDDLE
}
/**
* @dev Sparse Merkle Tree data
* Note that we count the SMT depth starting from 0, which is the root level.
*
* For example, the following tree has a maxDepth = 2:
*
* O <- root level (depth = 0)
* / \
* O O <- depth = 1
* / \ / \
* O O O O <- depth = 2
*/
struct Data {
mapping(uint256 => Node) nodes;
RootEntry[] rootEntries;
mapping(uint256 => uint256[]) rootIndexes; // root => rootEntryIndex[]
uint256 maxDepth;
bool initialized;
// This empty reserved space is put in place to allow future versions
// of the SMT library to add new Data struct fields without shifting down
// storage of upgradable contracts that use this struct as a state variable
// (see https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)
uint256[45] __gap;
}
/**
* @dev Struct of the node proof in the SMT.
* @param root This SMT root.
* @param existence A flag, which shows if the leaf index exists in the SMT.
* @param siblings An array of SMT sibling node hashes.
* @param index An index of the leaf in the SMT.
* @param value A value of the leaf in the SMT.
* @param auxExistence A flag, which shows if the auxiliary leaf exists in the SMT.
* @param auxIndex An index of the auxiliary leaf in the SMT.
* @param auxValue An value of the auxiliary leaf in the SMT.
*/
struct Proof {
uint256 root;
bool existence;
uint256[] siblings;
uint256 index;
uint256 value;
bool auxExistence;
uint256 auxIndex;
uint256 auxValue;
}
/**
* @dev Struct for SMT root internal storage representation.
* @param root SMT root.
* @param createdAtTimestamp A time, when the root was saved to blockchain.
* @param createdAtBlock A number of block, when the root was saved to blockchain.
*/
struct RootEntry {
uint256 root;
uint256 createdAtTimestamp;
uint256 createdAtBlock;
}
/**
* @dev Struct for public interfaces to represent SMT root info.
* @param root This SMT root.
* @param replacedByRoot A root, which replaced this root.
* @param createdAtTimestamp A time, when the root was saved to blockchain.
* @param replacedAtTimestamp A time, when the root was replaced by the next root in blockchain.
* @param createdAtBlock A number of block, when the root was saved to blockchain.
* @param replacedAtBlock A number of block, when the root was replaced by the next root in blockchain.
*/
struct RootEntryInfo {
uint256 root;
uint256 replacedByRoot;
uint256 createdAtTimestamp;
uint256 replacedAtTimestamp;
uint256 createdAtBlock;
uint256 replacedAtBlock;
}
/**
* @dev Struct of SMT node.
* @param NodeType type of node.
* @param childLeft left child of node.
* @param childRight right child of node.
* @param Index index of node.
* @param Value value of node.
*/
struct Node {
NodeType nodeType;
uint256 childLeft;
uint256 childRight;
uint256 index;
uint256 value;
}
using BinarySearchSmtRoots for Data;
using ArrayUtils for uint256[];
/**
* @dev Reverts if root does not exist in SMT roots history.
* @param root SMT root.
*/
modifier onlyExistingRoot(Data storage self, uint256 root) {
require(rootExists(self, root), "Root does not exist");
_;
}
/**
* @dev Add a leaf to the SMT
* @param i Index of a leaf
* @param v Value of a leaf
*/
function addLeaf(Data storage self, uint256 i, uint256 v) external onlyInitialized(self) {
Node memory node = Node({
nodeType: NodeType.LEAF,
childLeft: 0,
childRight: 0,
index: i,
value: v
});
uint256 prevRoot = getRoot(self);
uint256 newRoot = _addLeaf(self, node, prevRoot, 0);
_addEntry(self, newRoot, block.timestamp, block.number);
}
/**
* @dev Get SMT root history length
* @return SMT history length
*/
function getRootHistoryLength(Data storage self) external view returns (uint256) {
return self.rootEntries.length;
}
/**
* @dev Get SMT root history
* @param startIndex start index of history
* @param length history length
* @return array of RootEntryInfo structs
*/
function getRootHistory(
Data storage self,
uint256 startIndex,
uint256 length
) external view returns (RootEntryInfo[] memory) {
(uint256 start, uint256 end) = ArrayUtils.calculateBounds(
self.rootEntries.length,
startIndex,
length,
ROOT_INFO_LIST_RETURN_LIMIT
);
RootEntryInfo[] memory result = new RootEntryInfo[](end - start);
for (uint256 i = start; i < end; i++) {
result[i - start] = _getRootInfoByIndex(self, i);
}
return result;
}
/**
* @dev Get the SMT node by hash
* @param nodeHash Hash of a node
* @return A node struct
*/
function getNode(Data storage self, uint256 nodeHash) public view returns (Node memory) {
return self.nodes[nodeHash];
}
/**
* @dev Get the proof if a node with specific index exists or not exists in the SMT.
* @param index A node index.
* @return SMT proof struct.
*/
function getProof(Data storage self, uint256 index) external view returns (Proof memory) {
return getProofByRoot(self, index, getRoot(self));
}
/**
* @dev Get the proof if a node with specific index exists or not exists in the SMT for some historical tree state.
* @param index A node index
* @param historicalRoot Historical SMT roof to get proof for.
* @return Proof struct.
*/
function getProofByRoot(
Data storage self,
uint256 index,
uint256 historicalRoot
) public view onlyExistingRoot(self, historicalRoot) returns (Proof memory) {
uint256[] memory siblings = new uint256[](self.maxDepth);
// Solidity does not guarantee that memory vars are zeroed out
for (uint256 i = 0; i < self.maxDepth; i++) {
siblings[i] = 0;
}
Proof memory proof = Proof({
root: historicalRoot,
existence: false,
siblings: siblings,
index: index,
value: 0,
auxExistence: false,
auxIndex: 0,
auxValue: 0
});
uint256 nextNodeHash = historicalRoot;
Node memory node;
for (uint256 i = 0; i <= self.maxDepth; i++) {
node = getNode(self, nextNodeHash);
if (node.nodeType == NodeType.EMPTY) {
break;
} else if (node.nodeType == NodeType.LEAF) {
if (node.index == proof.index) {
proof.existence = true;
proof.value = node.value;
break;
} else {
proof.auxExistence = true;
proof.auxIndex = node.index;
proof.auxValue = node.value;
proof.value = node.value;
break;
}
} else if (node.nodeType == NodeType.MIDDLE) {
if ((proof.index >> i) & 1 == 1) {
nextNodeHash = node.childRight;
proof.siblings[i] = node.childLeft;
} else {
nextNodeHash = node.childLeft;
proof.siblings[i] = node.childRight;
}
} else {
revert("Invalid node type");
}
}
return proof;
}
/**
* @dev Get the proof if a node with specific index exists or not exists in the SMT by some historical timestamp.
* @param index Node index.
* @param timestamp The latest timestamp to get proof for.
* @return Proof struct.
*/
function getProofByTime(
Data storage self,
uint256 index,
uint256 timestamp
) public view returns (Proof memory) {
RootEntryInfo memory rootInfo = getRootInfoByTime(self, timestamp);
return getProofByRoot(self, index, rootInfo.root);
}
/**
* @dev Get the proof if a node with specific index exists or not exists in the SMT by some historical block number.
* @param index Node index.
* @param blockNumber The latest block number to get proof for.
* @return Proof struct.
*/
function getProofByBlock(
Data storage self,
uint256 index,
uint256 blockNumber
) external view returns (Proof memory) {
RootEntryInfo memory rootInfo = getRootInfoByBlock(self, blockNumber);
return getProofByRoot(self, index, rootInfo.root);
}
function getRoot(Data storage self) public view onlyInitialized(self) returns (uint256) {
return self.rootEntries[self.rootEntries.length - 1].root;
}
/**
* @dev Get root info by some historical timestamp.
* @param timestamp The latest timestamp to get the root info for.
* @return Root info struct
*/
function getRootInfoByTime(
Data storage self,
uint256 timestamp
) public view returns (RootEntryInfo memory) {
require(timestamp <= block.timestamp, "No future timestamps allowed");
return
_getRootInfoByTimestampOrBlock(
self,
timestamp,
BinarySearchSmtRoots.SearchType.TIMESTAMP
);
}
/**
* @dev Get root info by some historical block number.
* @param blockN The latest block number to get the root info for.
* @return Root info struct
*/
function getRootInfoByBlock(
Data storage self,
uint256 blockN
) public view returns (RootEntryInfo memory) {
require(blockN <= block.number, "No future blocks allowed");
return _getRootInfoByTimestampOrBlock(self, blockN, BinarySearchSmtRoots.SearchType.BLOCK);
}
/**
* @dev Returns root info by root
* @param root root
* @return Root info struct
*/
function getRootInfo(
Data storage self,
uint256 root
) public view onlyExistingRoot(self, root) returns (RootEntryInfo memory) {
uint256[] storage indexes = self.rootIndexes[root];
uint256 lastIndex = indexes[indexes.length - 1];
return _getRootInfoByIndex(self, lastIndex);
}
/**
* @dev Retrieve duplicate root quantity by id and state.
* If the root repeats more that once, the length may be greater than 1.
* @param root A root.
* @return Root root entries quantity.
*/
function getRootInfoListLengthByRoot(
Data storage self,
uint256 root
) public view returns (uint256) {
return self.rootIndexes[root].length;
}
/**
* @dev Retrieve root infos list of duplicated root by id and state.
* If the root repeats more that once, the length list may be greater than 1.
* @param root A root.
* @param startIndex The index to start the list.
* @param length The length of the list.
* @return Root Root entries quantity.
*/
function getRootInfoListByRoot(
Data storage self,
uint256 root,
uint256 startIndex,
uint256 length
) public view onlyExistingRoot(self, root) returns (RootEntryInfo[] memory) {
uint256[] storage indexes = self.rootIndexes[root];
(uint256 start, uint256 end) = ArrayUtils.calculateBounds(
indexes.length,
startIndex,
length,
ROOT_INFO_LIST_RETURN_LIMIT
);
RootEntryInfo[] memory result = new RootEntryInfo[](end - start);
for (uint256 i = start; i < end; i++) {
result[i - start] = _getRootInfoByIndex(self, indexes[i]);
}
return result;
}
/**
* @dev Checks if root exists
* @param root root
* return true if root exists
*/
function rootExists(Data storage self, uint256 root) public view returns (bool) {
return self.rootIndexes[root].length > 0;
}
/**
* @dev Sets max depth of the SMT
* @param maxDepth max depth
*/
function setMaxDepth(Data storage self, uint256 maxDepth) public {
require(maxDepth > 0, "Max depth must be greater than zero");
require(maxDepth > self.maxDepth, "Max depth can only be increased");
require(maxDepth <= MAX_DEPTH_HARD_CAP, "Max depth is greater than hard cap");
self.maxDepth = maxDepth;
}
/**
* @dev Gets max depth of the SMT
* return max depth
*/
function getMaxDepth(Data storage self) external view returns (uint256) {
return self.maxDepth;
}
/**
* @dev Initialize SMT with max depth and root entry of an empty tree.
* @param maxDepth Max depth of the SMT.
*/
function initialize(Data storage self, uint256 maxDepth) external {
require(!isInitialized(self), "Smt is already initialized");
setMaxDepth(self, maxDepth);
_addEntry(self, 0, 0, 0);
self.initialized = true;
}
modifier onlyInitialized(Data storage self) {
require(isInitialized(self), "Smt is not initialized");
_;
}
function isInitialized(Data storage self) public view returns (bool) {
return self.initialized;
}
function _addLeaf(
Data storage self,
Node memory newLeaf,
uint256 nodeHash,
uint256 depth
) internal returns (uint256) {
if (depth > self.maxDepth) {
revert("Max depth reached");
}
Node memory node = self.nodes[nodeHash];
uint256 nextNodeHash;
uint256 leafHash = 0;
if (node.nodeType == NodeType.EMPTY) {
leafHash = _addNode(self, newLeaf);
} else if (node.nodeType == NodeType.LEAF) {
leafHash = node.index == newLeaf.index
? _addNode(self, newLeaf)
: _pushLeaf(self, newLeaf, node, depth);
} else if (node.nodeType == NodeType.MIDDLE) {
Node memory newNodeMiddle;
if ((newLeaf.index >> depth) & 1 == 1) {
nextNodeHash = _addLeaf(self, newLeaf, node.childRight, depth + 1);
newNodeMiddle = Node({
nodeType: NodeType.MIDDLE,
childLeft: node.childLeft,
childRight: nextNodeHash,
index: 0,
value: 0
});
} else {
nextNodeHash = _addLeaf(self, newLeaf, node.childLeft, depth + 1);
newNodeMiddle = Node({
nodeType: NodeType.MIDDLE,
childLeft: nextNodeHash,
childRight: node.childRight,
index: 0,
value: 0
});
}
leafHash = _addNode(self, newNodeMiddle);
}
return leafHash;
}
function _pushLeaf(
Data storage self,
Node memory newLeaf,
Node memory oldLeaf,
uint256 depth
) internal returns (uint256) {
// no reason to continue if we are at max possible depth
// as, anyway, we exceed the depth going down the tree
if (depth >= self.maxDepth) {
revert("Max depth reached");
}
Node memory newNodeMiddle;
bool newLeafBitAtDepth = (newLeaf.index >> depth) & 1 == 1;
bool oldLeafBitAtDepth = (oldLeaf.index >> depth) & 1 == 1;
// Check if we need to go deeper if diverge at the depth's bit
if (newLeafBitAtDepth == oldLeafBitAtDepth) {
uint256 nextNodeHash = _pushLeaf(self, newLeaf, oldLeaf, depth + 1);
if (newLeafBitAtDepth) {
// go right
newNodeMiddle = Node(NodeType.MIDDLE, 0, nextNodeHash, 0, 0);
} else {
// go left
newNodeMiddle = Node(NodeType.MIDDLE, nextNodeHash, 0, 0, 0);
}
return _addNode(self, newNodeMiddle);
}
if (newLeafBitAtDepth) {
newNodeMiddle = Node({
nodeType: NodeType.MIDDLE,
childLeft: _getNodeHash(oldLeaf),
childRight: _getNodeHash(newLeaf),
index: 0,
value: 0
});
} else {
newNodeMiddle = Node({
nodeType: NodeType.MIDDLE,
childLeft: _getNodeHash(newLeaf),
childRight: _getNodeHash(oldLeaf),
index: 0,
value: 0
});
}
_addNode(self, newLeaf);
return _addNode(self, newNodeMiddle);
}
function _addNode(Data storage self, Node memory node) internal returns (uint256) {
uint256 nodeHash = _getNodeHash(node);
// We don't have any guarantees if the hash function attached is good enough.
// So, if the node hash already exists, we need to check
// if the node in the tree exactly matches the one we are trying to add.
if (self.nodes[nodeHash].nodeType != NodeType.EMPTY) {
assert(self.nodes[nodeHash].nodeType == node.nodeType);
assert(self.nodes[nodeHash].childLeft == node.childLeft);
assert(self.nodes[nodeHash].childRight == node.childRight);
assert(self.nodes[nodeHash].index == node.index);
assert(self.nodes[nodeHash].value == node.value);
return nodeHash;
}
self.nodes[nodeHash] = node;
return nodeHash;
}
function _getNodeHash(Node memory node) internal view returns (uint256) {
uint256 nodeHash = 0;
if (node.nodeType == NodeType.LEAF) {
uint256[3] memory params = [node.index, node.value, uint256(1)];
nodeHash = PoseidonUnit3L.poseidon(params);
} else if (node.nodeType == NodeType.MIDDLE) {
nodeHash = PoseidonUnit2L.poseidon([node.childLeft, node.childRight]);
}
return nodeHash; // Note: expected to return 0 if NodeType.EMPTY, which is the only option left
}
function _getRootInfoByIndex(
Data storage self,
uint256 index
) internal view returns (RootEntryInfo memory) {
bool isLastRoot = index == self.rootEntries.length - 1;
RootEntry storage rootEntry = self.rootEntries[index];
return
RootEntryInfo({
root: rootEntry.root,
replacedByRoot: isLastRoot ? 0 : self.rootEntries[index + 1].root,
createdAtTimestamp: rootEntry.createdAtTimestamp,
replacedAtTimestamp: isLastRoot
? 0
: self.rootEntries[index + 1].createdAtTimestamp,
createdAtBlock: rootEntry.createdAtBlock,
replacedAtBlock: isLastRoot ? 0 : self.rootEntries[index + 1].createdAtBlock
});
}
function _getRootInfoByTimestampOrBlock(
Data storage self,
uint256 timestampOrBlock,
BinarySearchSmtRoots.SearchType searchType
) internal view returns (RootEntryInfo memory) {
(uint256 index, bool found) = self.binarySearchUint256(timestampOrBlock, searchType);
// As far as we always have at least one root entry, we should always find it
assert(found);
return _getRootInfoByIndex(self, index);
}
function _addEntry(
Data storage self,
uint256 root,
uint256 _timestamp,
uint256 _block
) internal {
self.rootEntries.push(
RootEntry({root: root, createdAtTimestamp: _timestamp, createdAtBlock: _block})
);
self.rootIndexes[root].push(self.rootEntries.length - 1);
}
}
/// @title A binary search for the sparse merkle tree root history
// Implemented as a separate library for testing purposes
library BinarySearchSmtRoots {
/**
* @dev Enum for the SMT history field selection
*/
enum SearchType {
TIMESTAMP,
BLOCK
}
/**
* @dev Binary search method for the SMT history,
* which searches for the index of the root entry saved by the given timestamp or block
* @param value The timestamp or block to search for.
* @param searchType The type of the search (timestamp or block).
*/
function binarySearchUint256(
SmtLib.Data storage self,
uint256 value,
SearchType searchType
) internal view returns (uint256, bool) {
if (self.rootEntries.length == 0) {
return (0, false);
}
uint256 min = 0;
uint256 max = self.rootEntries.length - 1;
uint256 mid;
while (min <= max) {
mid = (max + min) / 2;
uint256 midValue = fieldSelector(self.rootEntries[mid], searchType);
if (midValue == value) {
while (mid < self.rootEntries.length - 1) {
uint256 nextValue = fieldSelector(self.rootEntries[mid + 1], searchType);
if (nextValue == value) {
mid++;
} else {
return (mid, true);
}
}
return (mid, true);
} else if (value > midValue) {
min = mid + 1;
} else if (value < midValue && mid > 0) {
// mid > 0 is to avoid underflow
max = mid - 1;
} else {
// This means that value < midValue && mid == 0. So we found nothing.
return (0, false);
}
}
// The case when the searched value does not exist and we should take the closest smaller value
// Index in the "max" var points to the root entry with max value smaller than the searched value
return (max, true);
}
/**
* @dev Selects either timestamp or block field from the root entry struct
* depending on the search type
* @param rti The root entry to select the field from.
* @param st The search type.
*/
function fieldSelector(
SmtLib.RootEntry memory rti,
SearchType st
) internal pure returns (uint256) {
if (st == SearchType.BLOCK) {
return rti.createdAtBlock;
} else if (st == SearchType.TIMESTAMP) {
return rti.createdAtTimestamp;
} else {
revert("Invalid search type");
}
}
}
合同源代码
文件 23 的 30:State.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
import "@iden3/contracts/interfaces/IState.sol";
import "@iden3/contracts/interfaces/IStateTransitionVerifier.sol";
import "@iden3/contracts/lib/SmtLib.sol";
import "@iden3/contracts/lib/Poseidon.sol";
import "@iden3/contracts/lib/StateLib.sol";
/**
* @dev This contract is a copy of the [StateV2](https://github.com/iden3/contracts/blob/5f6569bc2f942e3cf1c6032c05228046b3f3f5d5/contracts/state/StateV2.sol) contract from iden3 with the addition of an auxiliary event in the transitState function
*/
contract State is Ownable2StepUpgradeable, IState {
using SmtLib for SmtLib.Data;
using StateLib for StateLib.Data;
/**
* @dev Version of contract
*/
string public constant VERSION = "2.1.0";
// This empty reserved space is put in place to allow future versions
// of the State contract to inherit from other contracts without a risk of
// breaking the storage layout. This is necessary because the parent contracts in the
// future may introduce some storage variables, which are placed before the State
// contract's storage variables.
// (see https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)
// slither-disable-next-line shadowing-state
// slither-disable-next-line unused-state
uint256[500] private __gap;
/**
* @dev Verifier address
*/
IStateTransitionVerifier internal verifier;
/**
* @dev State data
*/
StateLib.Data internal _stateData;
/**
* @dev Global Identity State Tree (GIST) data
*/
SmtLib.Data internal _gistData;
event StateTransited(
uint256 gistRoot,
uint256 indexed id,
uint256 state,
uint256 timestamp,
uint256 blockNumber
);
/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {
_disableInitializers();
}
/**
* @dev Initialize the contract
* @param verifierContractAddr_ Verifier address
*/
function __State_init(IStateTransitionVerifier verifierContractAddr_) public initializer {
__Ownable_init();
_gistData.initialize(MAX_SMT_DEPTH);
verifier = verifierContractAddr_;
}
/**
* @dev Set ZKP verifier contract address
* @param newVerifierAddr_ Verifier contract address
*/
function setVerifier(address newVerifierAddr_) external onlyOwner {
verifier = IStateTransitionVerifier(newVerifierAddr_);
}
/**
* @dev Change the state of an identity (transit to the new state) with ZKP ownership check.
* @param id_ Identity
* @param oldState_ Previous identity state
* @param newState_ New identity state
* @param isOldStateGenesis_ Is the previous state genesis?
* @param a_ ZKP proof field
* @param b_ ZKP proof field
* @param c_ ZKP proof field
*/
function transitState(
uint256 id_,
uint256 oldState_,
uint256 newState_,
bool isOldStateGenesis_,
uint256[2] memory a_,
uint256[2][2] memory b_,
uint256[2] memory c_
) external {
require(id_ != 0, "ID should not be zero");
require(newState_ != 0, "New state should not be zero");
require(!stateExists(id_, newState_), "New state already exists");
if (isOldStateGenesis_) {
require(!idExists(id_), "Old state is genesis but identity already exists");
// Push old state to state entries, with zero timestamp and block
_stateData.addGenesisState(id_, oldState_);
} else {
require(idExists(id_), "Old state is not genesis but identity does not yet exist");
StateLib.EntryInfo memory prevStateInfo_ = _stateData.getStateInfoById(id_);
require(
prevStateInfo_.createdAtBlock != block.number,
"No multiple set in the same block"
);
require(
prevStateInfo_.state == oldState_,
"Old state does not match the latest state"
);
}
uint256[4] memory inputs_ = [
id_,
oldState_,
newState_,
uint256(isOldStateGenesis_ ? 1 : 0)
];
require(
verifier.verifyProof(a_, b_, c_, inputs_),
"Zero-knowledge proof of state transition is not valid"
);
_stateData.addState(id_, newState_);
_gistData.addLeaf(PoseidonUnit1L.poseidon([id_]), newState_);
emit StateTransited(_gistData.getRoot(), id_, newState_, block.timestamp, block.number);
}
/**
* @dev Get ZKP verifier contract address
* @return verifier contract address
*/
function getVerifier() external view returns (address) {
return address(verifier);
}
/**
* @dev Retrieve the last state info for a given identity
* @param id_ identity
* @return state info of the last committed state
*/
function getStateInfoById(uint256 id_) external view returns (IState.StateInfo memory) {
return _stateEntryInfoAdapter(_stateData.getStateInfoById(id_));
}
/**
* @dev Retrieve states quantity for a given identity
* @param id_ identity
* @return states quantity
*/
function getStateInfoHistoryLengthById(uint256 id_) external view returns (uint256) {
return _stateData.getStateInfoHistoryLengthById(id_);
}
/**
* Retrieve state infos for a given identity
* @param id_ identity
* @param startIndex_ start index of the state history
* @param length_ length of the state history
* @return A list of state infos of the identity
*/
function getStateInfoHistoryById(
uint256 id_,
uint256 startIndex_,
uint256 length_
) external view returns (IState.StateInfo[] memory) {
StateLib.EntryInfo[] memory stateInfos_ = _stateData.getStateInfoHistoryById(
id_,
startIndex_,
length_
);
IState.StateInfo[] memory result_ = new IState.StateInfo[](stateInfos_.length);
for (uint256 i = 0; i < stateInfos_.length; i++) {
result_[i] = _stateEntryInfoAdapter(stateInfos_[i]);
}
return result_;
}
/**
* @dev Retrieve state information by id and state.
* @param id_ An identity.
* @param state_ A state.
* @return The state info.
*/
function getStateInfoByIdAndState(
uint256 id_,
uint256 state_
) external view returns (IState.StateInfo memory) {
return _stateEntryInfoAdapter(_stateData.getStateInfoByIdAndState(id_, state_));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity.
* @param id_ Identity
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProof(uint256 id_) external view returns (IState.GistProof memory) {
return _smtProofAdapter(_gistData.getProof(PoseidonUnit1L.poseidon([id_])));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity for
* some GIST root in the past.
* @param id_ Identity
* @param root_ GIST root
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByRoot(
uint256 id_,
uint256 root_
) external view returns (IState.GistProof memory) {
return _smtProofAdapter(_gistData.getProofByRoot(PoseidonUnit1L.poseidon([id_]), root_));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity
* for GIST latest snapshot by the block number provided.
* @param id_ Identity
* @param blockNumber_ Blockchain block number
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByBlock(
uint256 id_,
uint256 blockNumber_
) external view returns (IState.GistProof memory) {
return
_smtProofAdapter(
_gistData.getProofByBlock(PoseidonUnit1L.poseidon([id_]), blockNumber_)
);
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity
* for GIST latest snapshot by the blockchain timestamp provided.
* @param id_ Identity
* @param timestamp_ Blockchain timestamp
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByTime(
uint256 id_,
uint256 timestamp_
) external view returns (IState.GistProof memory) {
return
_smtProofAdapter(_gistData.getProofByTime(PoseidonUnit1L.poseidon([id_]), timestamp_));
}
/**
* @dev Retrieve GIST latest root.
* @return The latest GIST root
*/
function getGISTRoot() external view returns (uint256) {
return _gistData.getRoot();
}
/**
* @dev Retrieve the GIST root history.
* @param start_ Start index in the root history
* @param length_ Length of the root history
* @return Array of GIST roots infos
*/
function getGISTRootHistory(
uint256 start_,
uint256 length_
) external view returns (IState.GistRootInfo[] memory) {
SmtLib.RootEntryInfo[] memory rootInfos_ = _gistData.getRootHistory(start_, length_);
IState.GistRootInfo[] memory result_ = new IState.GistRootInfo[](rootInfos_.length);
for (uint256 i = 0; i < rootInfos_.length; i++) {
result_[i] = _smtRootInfoAdapter(rootInfos_[i]);
}
return result_;
}
/**
* @dev Retrieve the length of the GIST root history.
* @return The GIST root history length
*/
function getGISTRootHistoryLength() external view returns (uint256) {
return _gistData.rootEntries.length;
}
/**
* @dev Retrieve the specific GIST root information.
* @param root_ GIST root.
* @return The GIST root information.
*/
function getGISTRootInfo(uint256 root_) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfo(root_));
}
/**
* @dev Retrieve the GIST root information, which is latest by the block provided.
* @param blockNumber_ Blockchain block number
* @return The GIST root info
*/
function getGISTRootInfoByBlock(
uint256 blockNumber_
) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfoByBlock(blockNumber_));
}
/**
* @dev Retrieve the GIST root information, which is latest by the blockchain timestamp provided.
* @param timestamp_ Blockchain timestamp
* @return The GIST root info
*/
function getGISTRootInfoByTime(
uint256 timestamp_
) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfoByTime(timestamp_));
}
/**
* @dev Check if identity exists.
* @param id_ Identity
* @return True if the identity exists
*/
function idExists(uint256 id_) public view returns (bool) {
return _stateData.idExists(id_);
}
/**
* @dev Check if state exists.
* @param id_ Identity
* @param state_ State
* @return True if the state exists
*/
function stateExists(uint256 id_, uint256 state_) public view returns (bool) {
return _stateData.stateExists(id_, state_);
}
function _smtProofAdapter(
SmtLib.Proof memory proof_
) internal pure returns (IState.GistProof memory) {
// slither-disable-next-line uninitialized-local
uint256[MAX_SMT_DEPTH] memory siblings_;
for (uint256 i = 0; i < MAX_SMT_DEPTH; i++) {
siblings_[i] = proof_.siblings[i];
}
IState.GistProof memory result = IState.GistProof({
root: proof_.root,
existence: proof_.existence,
siblings: siblings_,
index: proof_.index,
value: proof_.value,
auxExistence: proof_.auxExistence,
auxIndex: proof_.auxIndex,
auxValue: proof_.auxValue
});
return result;
}
function _smtRootInfoAdapter(
SmtLib.RootEntryInfo memory rootInfo_
) internal pure returns (IState.GistRootInfo memory) {
return
IState.GistRootInfo({
root: rootInfo_.root,
replacedByRoot: rootInfo_.replacedByRoot,
createdAtTimestamp: rootInfo_.createdAtTimestamp,
replacedAtTimestamp: rootInfo_.replacedAtTimestamp,
createdAtBlock: rootInfo_.createdAtBlock,
replacedAtBlock: rootInfo_.replacedAtBlock
});
}
function _stateEntryInfoAdapter(
StateLib.EntryInfo memory sei_
) internal pure returns (IState.StateInfo memory) {
return
IState.StateInfo({
id: sei_.id,
state: sei_.state,
replacedByState: sei_.replacedByState,
createdAtTimestamp: sei_.createdAtTimestamp,
replacedAtTimestamp: sei_.replacedAtTimestamp,
createdAtBlock: sei_.createdAtBlock,
replacedAtBlock: sei_.replacedAtBlock
});
}
}
合同源代码
文件 24 的 30:StateLib.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "../lib/ArrayUtils.sol";
/// @title Library for state data management.
// It's purpose is to keep records of identity states along with their metadata and history.
library StateLib {
/**
* @dev Max return array length for id history requests
*/
uint256 public constant ID_HISTORY_RETURN_LIMIT = 1000;
/**
* @dev Struct for public interfaces to represent a state information.
* @param id identity.
* @param state A state.
* @param replacedByState A state, which replaced this state for the identity.
* @param createdAtTimestamp A time when the state was created.
* @param replacedAtTimestamp A time when the state was replaced by the next identity state.
* @param createdAtBlock A block number when the state was created.
* @param replacedAtBlock A block number when the state was replaced by the next identity state.
*/
struct EntryInfo {
uint256 id;
uint256 state;
uint256 replacedByState;
uint256 createdAtTimestamp;
uint256 replacedAtTimestamp;
uint256 createdAtBlock;
uint256 replacedAtBlock;
}
/**
* @dev Struct for identity state internal storage representation.
* @param state A state.
* @param timestamp A time when the state was committed to blockchain.
* @param block A block number when the state was committed to blockchain.
*/
struct Entry {
uint256 state;
uint256 timestamp;
uint256 block;
}
/**
* @dev Struct for storing all the state data.
* We assume that a state can repeat more than once for the same identity,
* so we keep a mapping of state entries per each identity and state.
* @param statesHistories A state history per each identity.
* @param stateEntries A state metadata of each state.
*/
struct Data {
/*
id => stateEntry[]
--------------------------------
id1 => [
index 0: StateEntry1 {state1, timestamp2, block1},
index 1: StateEntry2 {state2, timestamp2, block2},
index 2: StateEntry3 {state1, timestamp3, block3}
]
*/
mapping(uint256 => Entry[]) stateEntries;
/*
id => state => stateEntryIndex[]
-------------------------------
id1 => state1 => [index0, index2],
id1 => state2 => [index1]
*/
mapping(uint256 => mapping(uint256 => uint256[])) stateIndexes;
// This empty reserved space is put in place to allow future versions
// of the State contract to add new SmtData struct fields without shifting down
// storage of upgradable contracts that use this struct as a state variable
// (see https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)
uint256[48] __gap;
}
/**
* @dev event called when a state is updated
* @param id identity
* @param blockN Block number when the state has been committed
* @param timestamp Timestamp when the state has been committed
* @param state Identity state committed
*/
event StateUpdated(uint256 id, uint256 blockN, uint256 timestamp, uint256 state);
/**
* @dev Revert if identity does not exist in the contract
* @param id Identity
*/
modifier onlyExistingId(Data storage self, uint256 id) {
require(idExists(self, id), "Identity does not exist");
_;
}
/**
* @dev Revert if state does not exist in the contract
* @param id Identity
* @param state State
*/
modifier onlyExistingState(
Data storage self,
uint256 id,
uint256 state
) {
require(stateExists(self, id, state), "State does not exist");
_;
}
/**
* @dev Add a state to the contract with transaction timestamp and block number.
* @param id Identity
* @param state State
*/
function addState(Data storage self, uint256 id, uint256 state) external {
_addState(self, id, state, block.timestamp, block.number);
}
/**
* @dev Add a state to the contract with zero timestamp and block number.
* @param id Identity
* @param state State
*/
function addGenesisState(Data storage self, uint256 id, uint256 state) external {
require(
!idExists(self, id),
"Zero timestamp and block should be only in the first identity state"
);
_addState(self, id, state, 0, 0);
}
/**
* @dev Retrieve the last state info for a given identity.
* @param id Identity.
* @return State info of the last committed state.
*/
function getStateInfoById(
Data storage self,
uint256 id
) external view onlyExistingId(self, id) returns (EntryInfo memory) {
Entry[] storage stateEntries = self.stateEntries[id];
Entry memory se = stateEntries[stateEntries.length - 1];
return
EntryInfo({
id: id,
state: se.state,
replacedByState: 0,
createdAtTimestamp: se.timestamp,
replacedAtTimestamp: 0,
createdAtBlock: se.block,
replacedAtBlock: 0
});
}
/**
* @dev Retrieve states quantity for a given identity
* @param id identity
* @return states quantity
*/
function getStateInfoHistoryLengthById(
Data storage self,
uint256 id
) external view onlyExistingId(self, id) returns (uint256) {
return self.stateEntries[id].length;
}
/**
* Retrieve state infos for a given identity
* @param id Identity
* @param startIndex Start index of the state history.
* @param length Max length of the state history retrieved.
* @return A list of state infos of the identity
*/
function getStateInfoHistoryById(
Data storage self,
uint256 id,
uint256 startIndex,
uint256 length
) external view onlyExistingId(self, id) returns (EntryInfo[] memory) {
(uint256 start, uint256 end) = ArrayUtils.calculateBounds(
self.stateEntries[id].length,
startIndex,
length,
ID_HISTORY_RETURN_LIMIT
);
EntryInfo[] memory result = new EntryInfo[](end - start);
for (uint256 i = start; i < end; i++) {
result[i - start] = _getStateInfoByIndex(self, id, i);
}
return result;
}
/**
* @dev Retrieve state info by id and state.
* Note, that the latest state info is returned,
* if the state repeats more that once for the same identity.
* @param id An identity.
* @param state A state.
* @return The state info.
*/
function getStateInfoByIdAndState(
Data storage self,
uint256 id,
uint256 state
) external view onlyExistingState(self, id, state) returns (EntryInfo memory) {
return _getStateInfoByState(self, id, state);
}
/**
* @dev Retrieve state entries quantity by id and state.
* If the state repeats more that once for the same identity,
* the length will be greater than 1.
* @param id An identity.
* @param state A state.
* @return The state info list length.
*/
function getStateInfoListLengthByIdAndState(
Data storage self,
uint256 id,
uint256 state
) external view returns (uint256) {
return self.stateIndexes[id][state].length;
}
/**
* @dev Retrieve state info list by id and state.
* If the state repeats more that once for the same identity,
* the length of the list may be greater than 1.
* @param id An identity.
* @param state A state.
* @param startIndex Start index in the same states list.
* @param length Max length of the state info list retrieved.
* @return The state info list.
*/
function getStateInfoListByIdAndState(
Data storage self,
uint256 id,
uint256 state,
uint256 startIndex,
uint256 length
) external view onlyExistingState(self, id, state) returns (EntryInfo[] memory) {
uint256[] storage stateIndexes = self.stateIndexes[id][state];
(uint256 start, uint256 end) = ArrayUtils.calculateBounds(
stateIndexes.length,
startIndex,
length,
ID_HISTORY_RETURN_LIMIT
);
EntryInfo[] memory result = new EntryInfo[](end - start);
for (uint256 i = start; i < end; i++) {
result[i - start] = _getStateInfoByIndex(self, id, stateIndexes[i]);
}
return result;
}
/**
* @dev Check if identity exists.
* @param id Identity
* @return True if the identity exists
*/
function idExists(Data storage self, uint256 id) public view returns (bool) {
return self.stateEntries[id].length > 0;
}
/**
* @dev Check if state exists.
* @param id Identity
* @param state State
* @return True if the state exists
*/
function stateExists(Data storage self, uint256 id, uint256 state) public view returns (bool) {
return self.stateIndexes[id][state].length > 0;
}
function _addState(
Data storage self,
uint256 id,
uint256 state,
uint256 _timestamp,
uint256 _block
) internal {
Entry[] storage stateEntries = self.stateEntries[id];
stateEntries.push(Entry({state: state, timestamp: _timestamp, block: _block}));
self.stateIndexes[id][state].push(stateEntries.length - 1);
emit StateUpdated(id, _block, _timestamp, state);
}
/**
* @dev Get state info by id and state without state existence check.
* @param id Identity
* @param state State
* @return The state info
*/
function _getStateInfoByState(
Data storage self,
uint256 id,
uint256 state
) internal view returns (EntryInfo memory) {
uint256[] storage indexes = self.stateIndexes[id][state];
uint256 lastIndex = indexes[indexes.length - 1];
return _getStateInfoByIndex(self, id, lastIndex);
}
function _getStateInfoByIndex(
Data storage self,
uint256 id,
uint256 index
) internal view returns (EntryInfo memory) {
bool isLastState = index == self.stateEntries[id].length - 1;
Entry storage se = self.stateEntries[id][index];
return
EntryInfo({
id: id,
state: se.state,
replacedByState: isLastState ? 0 : self.stateEntries[id][index + 1].state,
createdAtTimestamp: se.timestamp,
replacedAtTimestamp: isLastState ? 0 : self.stateEntries[id][index + 1].timestamp,
createdAtBlock: se.block,
replacedAtBlock: isLastState ? 0 : self.stateEntries[id][index + 1].block
});
}
}
合同源代码
文件 25 的 30:StateV2.sol
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";
import "../interfaces/IState.sol";
import "../interfaces/IStateTransitionVerifier.sol";
import "../lib/SmtLib.sol";
import "../lib/Poseidon.sol";
import "../lib/StateLib.sol";
/// @title Set and get states for each identity
contract StateV2 is Ownable2StepUpgradeable, IState {
/**
* @dev Version of contract
*/
string public constant VERSION = "2.1.0";
// This empty reserved space is put in place to allow future versions
// of the State contract to inherit from other contracts without a risk of
// breaking the storage layout. This is necessary because the parent contracts in the
// future may introduce some storage variables, which are placed before the State
// contract's storage variables.
// (see https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)
// slither-disable-next-line shadowing-state
// slither-disable-next-line unused-state
uint256[500] private __gap;
/**
* @dev Verifier address
*/
IStateTransitionVerifier internal verifier;
/**
* @dev State data
*/
StateLib.Data internal _stateData;
/**
* @dev Global Identity State Tree (GIST) data
*/
SmtLib.Data internal _gistData;
using SmtLib for SmtLib.Data;
using StateLib for StateLib.Data;
/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {
_disableInitializers();
}
/**
* @dev Initialize the contract
* @param verifierContractAddr Verifier address
*/
function initialize(IStateTransitionVerifier verifierContractAddr) public initializer {
verifier = verifierContractAddr;
_gistData.initialize(MAX_SMT_DEPTH);
__Ownable_init();
}
/**
* @dev Set ZKP verifier contract address
* @param newVerifierAddr Verifier contract address
*/
function setVerifier(address newVerifierAddr) external onlyOwner {
verifier = IStateTransitionVerifier(newVerifierAddr);
}
/**
* @dev Change the state of an identity (transit to the new state) with ZKP ownership check.
* @param id Identity
* @param oldState Previous identity state
* @param newState New identity state
* @param isOldStateGenesis Is the previous state genesis?
* @param a ZKP proof field
* @param b ZKP proof field
* @param c ZKP proof field
*/
function transitState(
uint256 id,
uint256 oldState,
uint256 newState,
bool isOldStateGenesis,
uint256[2] memory a,
uint256[2][2] memory b,
uint256[2] memory c
) external {
require(id != 0, "ID should not be zero");
require(newState != 0, "New state should not be zero");
require(!stateExists(id, newState), "New state already exists");
if (isOldStateGenesis) {
require(!idExists(id), "Old state is genesis but identity already exists");
// Push old state to state entries, with zero timestamp and block
_stateData.addGenesisState(id, oldState);
} else {
require(idExists(id), "Old state is not genesis but identity does not yet exist");
StateLib.EntryInfo memory prevStateInfo = _stateData.getStateInfoById(id);
require(
prevStateInfo.createdAtBlock != block.number,
"No multiple set in the same block"
);
require(prevStateInfo.state == oldState, "Old state does not match the latest state");
}
uint256[4] memory input = [id, oldState, newState, uint256(isOldStateGenesis ? 1 : 0)];
require(
verifier.verifyProof(a, b, c, input),
"Zero-knowledge proof of state transition is not valid"
);
_stateData.addState(id, newState);
_gistData.addLeaf(PoseidonUnit1L.poseidon([id]), newState);
}
/**
* @dev Get ZKP verifier contract address
* @return verifier contract address
*/
function getVerifier() external view returns (address) {
return address(verifier);
}
/**
* @dev Retrieve the last state info for a given identity
* @param id identity
* @return state info of the last committed state
*/
function getStateInfoById(uint256 id) external view returns (IState.StateInfo memory) {
return _stateEntryInfoAdapter(_stateData.getStateInfoById(id));
}
/**
* @dev Retrieve states quantity for a given identity
* @param id identity
* @return states quantity
*/
function getStateInfoHistoryLengthById(uint256 id) external view returns (uint256) {
return _stateData.getStateInfoHistoryLengthById(id);
}
/**
* Retrieve state infos for a given identity
* @param id identity
* @param startIndex start index of the state history
* @param length length of the state history
* @return A list of state infos of the identity
*/
function getStateInfoHistoryById(
uint256 id,
uint256 startIndex,
uint256 length
) external view returns (IState.StateInfo[] memory) {
StateLib.EntryInfo[] memory stateInfos = _stateData.getStateInfoHistoryById(
id,
startIndex,
length
);
IState.StateInfo[] memory result = new IState.StateInfo[](stateInfos.length);
for (uint256 i = 0; i < stateInfos.length; i++) {
result[i] = _stateEntryInfoAdapter(stateInfos[i]);
}
return result;
}
/**
* @dev Retrieve state information by id and state.
* @param id An identity.
* @param state A state.
* @return The state info.
*/
function getStateInfoByIdAndState(
uint256 id,
uint256 state
) external view returns (IState.StateInfo memory) {
return _stateEntryInfoAdapter(_stateData.getStateInfoByIdAndState(id, state));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity.
* @param id Identity
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProof(uint256 id) external view returns (IState.GistProof memory) {
return _smtProofAdapter(_gistData.getProof(PoseidonUnit1L.poseidon([id])));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity for
* some GIST root in the past.
* @param id Identity
* @param root GIST root
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByRoot(
uint256 id,
uint256 root
) external view returns (IState.GistProof memory) {
return _smtProofAdapter(_gistData.getProofByRoot(PoseidonUnit1L.poseidon([id]), root));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity
* for GIST latest snapshot by the block number provided.
* @param id Identity
* @param blockNumber Blockchain block number
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByBlock(
uint256 id,
uint256 blockNumber
) external view returns (IState.GistProof memory) {
return
_smtProofAdapter(_gistData.getProofByBlock(PoseidonUnit1L.poseidon([id]), blockNumber));
}
/**
* @dev Retrieve GIST inclusion or non-inclusion proof for a given identity
* for GIST latest snapshot by the blockchain timestamp provided.
* @param id Identity
* @param timestamp Blockchain timestamp
* @return The GIST inclusion or non-inclusion proof for the identity
*/
function getGISTProofByTime(
uint256 id,
uint256 timestamp
) external view returns (IState.GistProof memory) {
return _smtProofAdapter(_gistData.getProofByTime(PoseidonUnit1L.poseidon([id]), timestamp));
}
/**
* @dev Retrieve GIST latest root.
* @return The latest GIST root
*/
function getGISTRoot() external view returns (uint256) {
return _gistData.getRoot();
}
/**
* @dev Retrieve the GIST root history.
* @param start Start index in the root history
* @param length Length of the root history
* @return Array of GIST roots infos
*/
function getGISTRootHistory(
uint256 start,
uint256 length
) external view returns (IState.GistRootInfo[] memory) {
SmtLib.RootEntryInfo[] memory rootInfos = _gistData.getRootHistory(start, length);
IState.GistRootInfo[] memory result = new IState.GistRootInfo[](rootInfos.length);
for (uint256 i = 0; i < rootInfos.length; i++) {
result[i] = _smtRootInfoAdapter(rootInfos[i]);
}
return result;
}
/**
* @dev Retrieve the length of the GIST root history.
* @return The GIST root history length
*/
function getGISTRootHistoryLength() external view returns (uint256) {
return _gistData.rootEntries.length;
}
/**
* @dev Retrieve the specific GIST root information.
* @param root GIST root.
* @return The GIST root information.
*/
function getGISTRootInfo(uint256 root) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfo(root));
}
/**
* @dev Retrieve the GIST root information, which is latest by the block provided.
* @param blockNumber Blockchain block number
* @return The GIST root info
*/
function getGISTRootInfoByBlock(
uint256 blockNumber
) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfoByBlock(blockNumber));
}
/**
* @dev Retrieve the GIST root information, which is latest by the blockchain timestamp provided.
* @param timestamp Blockchain timestamp
* @return The GIST root info
*/
function getGISTRootInfoByTime(
uint256 timestamp
) external view returns (IState.GistRootInfo memory) {
return _smtRootInfoAdapter(_gistData.getRootInfoByTime(timestamp));
}
/**
* @dev Check if identity exists.
* @param id Identity
* @return True if the identity exists
*/
function idExists(uint256 id) public view returns (bool) {
return _stateData.idExists(id);
}
/**
* @dev Check if state exists.
* @param id Identity
* @param state State
* @return True if the state exists
*/
function stateExists(uint256 id, uint256 state) public view returns (bool) {
return _stateData.stateExists(id, state);
}
function _smtProofAdapter(
SmtLib.Proof memory proof
) internal pure returns (IState.GistProof memory) {
// slither-disable-next-line uninitialized-local
uint256[MAX_SMT_DEPTH] memory siblings;
for (uint256 i = 0; i < MAX_SMT_DEPTH; i++) {
siblings[i] = proof.siblings[i];
}
IState.GistProof memory result = IState.GistProof({
root: proof.root,
existence: proof.existence,
siblings: siblings,
index: proof.index,
value: proof.value,
auxExistence: proof.auxExistence,
auxIndex: proof.auxIndex,
auxValue: proof.auxValue
});
return result;
}
function _smtRootInfoAdapter(
SmtLib.RootEntryInfo memory rootInfo
) internal pure returns (IState.GistRootInfo memory) {
return
IState.GistRootInfo({
root: rootInfo.root,
replacedByRoot: rootInfo.replacedByRoot,
createdAtTimestamp: rootInfo.createdAtTimestamp,
replacedAtTimestamp: rootInfo.replacedAtTimestamp,
createdAtBlock: rootInfo.createdAtBlock,
replacedAtBlock: rootInfo.replacedAtBlock
});
}
function _stateEntryInfoAdapter(
StateLib.EntryInfo memory sei
) internal pure returns (IState.StateInfo memory) {
return
IState.StateInfo({
id: sei.id,
state: sei.state,
replacedByState: sei.replacedByState,
createdAtTimestamp: sei.createdAtTimestamp,
replacedAtTimestamp: sei.replacedAtTimestamp,
createdAtBlock: sei.createdAtBlock,
replacedAtBlock: sei.replacedAtBlock
});
}
}
合同源代码
文件 26 的 30:StorageSlot.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/StorageSlot.sol)
// This file was procedurally generated from scripts/generate/templates/StorageSlot.js.
pragma solidity ^0.8.0;
/**
* @dev Library for reading and writing primitive types to specific storage slots.
*
* Storage slots are often used to avoid storage conflict when dealing with upgradeable contracts.
* This library helps with reading and writing to such slots without the need for inline assembly.
*
* The functions in this library return Slot structs that contain a `value` member that can be used to read or write.
*
* Example usage to set ERC1967 implementation slot:
* ```solidity
* contract ERC1967 {
* bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
*
* function _getImplementation() internal view returns (address) {
* return StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value;
* }
*
* function _setImplementation(address newImplementation) internal {
* require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract");
* StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value = newImplementation;
* }
* }
* ```
*
* _Available since v4.1 for `address`, `bool`, `bytes32`, `uint256`._
* _Available since v4.9 for `string`, `bytes`._
*/
library StorageSlot {
struct AddressSlot {
address value;
}
struct BooleanSlot {
bool value;
}
struct Bytes32Slot {
bytes32 value;
}
struct Uint256Slot {
uint256 value;
}
struct StringSlot {
string value;
}
struct BytesSlot {
bytes value;
}
/**
* @dev Returns an `AddressSlot` with member `value` located at `slot`.
*/
function getAddressSlot(bytes32 slot) internal pure returns (AddressSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `BooleanSlot` with member `value` located at `slot`.
*/
function getBooleanSlot(bytes32 slot) internal pure returns (BooleanSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `Bytes32Slot` with member `value` located at `slot`.
*/
function getBytes32Slot(bytes32 slot) internal pure returns (Bytes32Slot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `Uint256Slot` with member `value` located at `slot`.
*/
function getUint256Slot(bytes32 slot) internal pure returns (Uint256Slot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `StringSlot` with member `value` located at `slot`.
*/
function getStringSlot(bytes32 slot) internal pure returns (StringSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `StringSlot` representation of the string storage pointer `store`.
*/
function getStringSlot(string storage store) internal pure returns (StringSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := store.slot
}
}
/**
* @dev Returns an `BytesSlot` with member `value` located at `slot`.
*/
function getBytesSlot(bytes32 slot) internal pure returns (BytesSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := slot
}
}
/**
* @dev Returns an `BytesSlot` representation of the bytes storage pointer `store`.
*/
function getBytesSlot(bytes storage store) internal pure returns (BytesSlot storage r) {
/// @solidity memory-safe-assembly
assembly {
r.slot := store.slot
}
}
}
合同源代码
文件 27 的 30:draft-IERC1822.sol
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.5.0) (interfaces/draft-IERC1822.sol)
pragma solidity ^0.8.0;
/**
* @dev ERC1822: Universal Upgradeable Proxy Standard (UUPS) documents a method for upgradeability through a simplified
* proxy whose upgrades are fully controlled by the current implementation.
*/
interface IERC1822Proxiable {
/**
* @dev Returns the storage slot that the proxiable contract assumes is being used to store the implementation
* address.
*
* IMPORTANT: A proxy pointing at a proxiable contract should not be considered proxiable itself, because this risks
* bricking a proxy that upgrades to it, by delegating to itself until out of gas. Thus it is critical that this
* function revert if invoked through a proxy.
*/
function proxiableUUID() external view returns (bytes32);
}
合同源代码
文件 28 的 30:verifierMTP.sol
//
// Copyright 2017 Christian Reitwiessner
// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// 2019 OKIMS
// ported to solidity 0.6
// fixed linter warnings
// added requiere error messages
//
//
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "../lib/Pairing.sol";
contract VerifierMTP {
using Pairing for *;
struct VerifyingKey {
Pairing.G1Point alfa1;
Pairing.G2Point beta2;
Pairing.G2Point gamma2;
Pairing.G2Point delta2;
Pairing.G1Point[] IC;
}
struct Proof {
Pairing.G1Point A;
Pairing.G2Point B;
Pairing.G1Point C;
}
function verifyingKey() internal pure returns (VerifyingKey memory vk) {
vk.alfa1 = Pairing.G1Point(
20491192805390485299153009773594534940189261866228447918068658471970481763042,
9383485363053290200918347156157836566562967994039712273449902621266178545958
);
vk.beta2 = Pairing.G2Point(
[
4252822878758300859123897981450591353533073413197771768651442665752259397132,
6375614351688725206403948262868962793625744043794305715222011528459656738731
],
[
21847035105528745403288232691147584728191162732299865338377159692350059136679,
10505242626370262277552901082094356697409835680220590971873171140371331206856
]
);
vk.gamma2 = Pairing.G2Point(
[
11559732032986387107991004021392285783925812861821192530917403151452391805634,
10857046999023057135944570762232829481370756359578518086990519993285655852781
],
[
4082367875863433681332203403145435568316851327593401208105741076214120093531,
8495653923123431417604973247489272438418190587263600148770280649306958101930
]
);
vk.delta2 = Pairing.G2Point(
[
10069053650952764050770858763214373754669660210324204774418789033662943009749,
21107007358082136795614874512538836487771939470796762405748007366166733704104
],
[
4852486786898691455964846082763016922630372558821263656172370355988314898575,
8559222867245112767064473074858818732424559824983124225374445082554790506808
]
);
vk.IC = new Pairing.G1Point[](12);
vk.IC[0] = Pairing.G1Point(
1313452981527053129337572951247197324361989034671138626745310268341512913566,
15303507074060980322389491486850010383524156520378503449579570642767442684301
);
vk.IC[1] = Pairing.G1Point(
19469759548582862041953210077461806234755067239635831761330214958262728102210,
16182855449814336395630220912227600929619756764754084585163045607249874698864
);
vk.IC[2] = Pairing.G1Point(
5328220111696630739082100852965753471276442277347833726730125705096477686086,
18905255288005092837452154631677141443252188654645540166408868771529766552954
);
vk.IC[3] = Pairing.G1Point(
10933184819912527903586676306361564765563053120720138042486726178048079682568,
18280626518907496130958526005677563160967544228407334084744886760261543167298
);
vk.IC[4] = Pairing.G1Point(
11558797904750992453617754478260603596631069504995139547656018378652112039786,
7387560020132856716152855364841368262707029595898949014465420811988605836841
);
vk.IC[5] = Pairing.G1Point(
258345740540242369340676522345540363903777759573849221853370493977314124714,
8261745575084416750025555445617776886593428107172740509334601364674159098729
);
vk.IC[6] = Pairing.G1Point(
12229618381132244012134195568281704584580345418094236823704672151870483088680,
19652481126909183227792433955062439643525977794731426347743513078747968248518
);
vk.IC[7] = Pairing.G1Point(
21501269229626602828017941470237394838663343517747470934919163514713566489074,
10918047203423236169474519778878366520860074771272087858656960949070403283927
);
vk.IC[8] = Pairing.G1Point(
560417708851693272956571111854350209791303214876197214262570647517120871869,
188344482860559912840076092213437046073780559836275799283864998836054113147
);
vk.IC[9] = Pairing.G1Point(
12941763790218889190383140140219843141955553218417052891852216993045901023120,
12682291388476462975465775054567905896202239758296039216608811622228355512204
);
vk.IC[10] = Pairing.G1Point(
11112576039136275785110528933884279009037779878785871940581425517795519742410,
6613377654128709188004788921975143848004552607600543819185067176149822253345
);
vk.IC[11] = Pairing.G1Point(
13613305841160720689914712433320508347546323189059844660259139894452538774575,
5325101314795154200638690464360192908052407201796948025470533168336651686116
);
}
function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
VerifyingKey memory vk = verifyingKey();
require(input.length + 1 == vk.IC.length, "verifier-bad-input");
// Compute the linear combination vk_x
Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
for (uint i = 0; i < input.length; i++) {
require(input[i] < snark_scalar_field, "verifier-gte-snark-scalar-field");
vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
}
vk_x = Pairing.addition(vk_x, vk.IC[0]);
if (
!Pairing.pairingProd4(
Pairing.negate(proof.A),
proof.B,
vk.alfa1,
vk.beta2,
vk_x,
vk.gamma2,
proof.C,
vk.delta2
)
) return 1;
return 0;
}
/// @return r bool true if proof is valid
function verifyProof(
uint[2] memory a,
uint[2][2] memory b,
uint[2] memory c,
uint[11] memory input
) public view returns (bool r) {
// slither-disable-next-line uninitialized-local
Proof memory proof;
proof.A = Pairing.G1Point(a[0], a[1]);
proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]);
proof.C = Pairing.G1Point(c[0], c[1]);
uint[] memory inputValues = new uint[](input.length);
for (uint i = 0; i < input.length; i++) {
inputValues[i] = input[i];
}
if (verify(inputValues, proof) == 0) {
return true;
} else {
return false;
}
}
}
合同源代码
文件 29 的 30:verifierSig.sol
//
// Copyright 2017 Christian Reitwiessner
// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// 2019 OKIMS
// ported to solidity 0.6
// fixed linter warnings
// added requiere error messages
//
//
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "../lib/Pairing.sol";
contract VerifierSig {
using Pairing for *;
struct VerifyingKey {
Pairing.G1Point alfa1;
Pairing.G2Point beta2;
Pairing.G2Point gamma2;
Pairing.G2Point delta2;
Pairing.G1Point[] IC;
}
struct Proof {
Pairing.G1Point A;
Pairing.G2Point B;
Pairing.G1Point C;
}
function verifyingKey() internal pure returns (VerifyingKey memory vk) {
vk.alfa1 = Pairing.G1Point(
20491192805390485299153009773594534940189261866228447918068658471970481763042,
9383485363053290200918347156157836566562967994039712273449902621266178545958
);
vk.beta2 = Pairing.G2Point(
[
4252822878758300859123897981450591353533073413197771768651442665752259397132,
6375614351688725206403948262868962793625744043794305715222011528459656738731
],
[
21847035105528745403288232691147584728191162732299865338377159692350059136679,
10505242626370262277552901082094356697409835680220590971873171140371331206856
]
);
vk.gamma2 = Pairing.G2Point(
[
11559732032986387107991004021392285783925812861821192530917403151452391805634,
10857046999023057135944570762232829481370756359578518086990519993285655852781
],
[
4082367875863433681332203403145435568316851327593401208105741076214120093531,
8495653923123431417604973247489272438418190587263600148770280649306958101930
]
);
vk.delta2 = Pairing.G2Point(
[
9233349870741476556654282208992970742179487991957579201151126362431960413225,
1710121669395829903049554646654548770025644546791991387060028241346751736139
],
[
19704486125052989683894847401785081114275457166241990059352921424459992638027,
19046562201477515176875600774989213534306185878886204544239016053798985855692
]
);
vk.IC = new Pairing.G1Point[](12);
vk.IC[0] = Pairing.G1Point(
4329040981391513141295391766415175655220156497739526881302609278948222504970,
284608453342683033767670137533198892462004759449479316068661948021384180405
);
vk.IC[1] = Pairing.G1Point(
7902292650777562978905160367453874788768779199030594846897219439327408939067,
10012458713202587447931138874528085940712240664721354058270362630899015322036
);
vk.IC[2] = Pairing.G1Point(
11697814597341170748167341793832824505245257771165671796257313346092824905883,
5174781854368103007061208391170453909797905136821147372441461132562334328215
);
vk.IC[3] = Pairing.G1Point(
1726927835877229859131056157678822776962440564906076714962505486421376544987,
7352133740317971386526986860674287355620937922375271614467789385331477610856
);
vk.IC[4] = Pairing.G1Point(
9990035903997574691712818787908054784756674039249764811431700936009293741830,
4755447104942954158928166153067753327016299728030535979210293681329469052797
);
vk.IC[5] = Pairing.G1Point(
15940583140274302050208676622092202988851114679125808597061574700878232173357,
7533895757575770389928466511298564722397429905987255823784436733572909906714
);
vk.IC[6] = Pairing.G1Point(
5508259264227278997738923725524430810437674978357251435507761322739607112981,
14840270001783263053608712412057782257449606192737461326359694374707752442879
);
vk.IC[7] = Pairing.G1Point(
19432593446453142673661052218577694238117210547713431221983638840685247652932,
16697624670306221047608606229322371623883167253922210155632497282220974839920
);
vk.IC[8] = Pairing.G1Point(
6174854815751106275031120096370935217144939918507999853315484754500615715470,
3190247589562983462928111436181764721696742385815918920518303351200817921520
);
vk.IC[9] = Pairing.G1Point(
20417210161225663628251386960452026588766551723348342467498648706108529814968,
13308394646519897771630385644245620946922357621078786238887021263713833144471
);
vk.IC[10] = Pairing.G1Point(
1439721648429120110444974852972369847408183115096685822065827204634576313044,
7403516047177423709103114106022932360673171438277930001711953991194526055082
);
vk.IC[11] = Pairing.G1Point(
18655728389101903942401016308093091046804775184674794685591712671240928471338,
15349580464155803523251530156943886363594022485425879189715213626172422717967
);
}
function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
VerifyingKey memory vk = verifyingKey();
require(input.length + 1 == vk.IC.length, "verifier-bad-input");
// Compute the linear combination vk_x
Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
for (uint i = 0; i < input.length; i++) {
require(input[i] < snark_scalar_field, "verifier-gte-snark-scalar-field");
vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
}
vk_x = Pairing.addition(vk_x, vk.IC[0]);
if (
!Pairing.pairingProd4(
Pairing.negate(proof.A),
proof.B,
vk.alfa1,
vk.beta2,
vk_x,
vk.gamma2,
proof.C,
vk.delta2
)
) return 1;
return 0;
}
/// @return r bool true if proof is valid
function verifyProof(
uint[2] memory a,
uint[2][2] memory b,
uint[2] memory c,
uint[11] memory input
) public view returns (bool r) {
// slither-disable-next-line uninitialized-local
Proof memory proof;
proof.A = Pairing.G1Point(a[0], a[1]);
proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]);
proof.C = Pairing.G1Point(c[0], c[1]);
uint[] memory inputValues = new uint[](input.length);
for (uint i = 0; i < input.length; i++) {
inputValues[i] = input[i];
}
if (verify(inputValues, proof) == 0) {
return true;
} else {
return false;
}
}
}
合同源代码
文件 30 的 30:verifierV2.sol
//
// Copyright 2017 Christian Reitwiessner
// Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
// The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// 2019 OKIMS
// ported to solidity 0.6
// fixed linter warnings
// added requiere error messages
//
//
// SPDX-License-Identifier: GPL-3.0
pragma solidity 0.8.16;
import "../lib/Pairing.sol";
import "../interfaces/IStateTransitionVerifier.sol";
contract VerifierV2 is IStateTransitionVerifier {
using Pairing for *;
struct VerifyingKey {
Pairing.G1Point alfa1;
Pairing.G2Point beta2;
Pairing.G2Point gamma2;
Pairing.G2Point delta2;
Pairing.G1Point[] IC;
}
struct Proof {
Pairing.G1Point A;
Pairing.G2Point B;
Pairing.G1Point C;
}
function verifyingKey() internal pure returns (VerifyingKey memory vk) {
vk.alfa1 = Pairing.G1Point(
20491192805390485299153009773594534940189261866228447918068658471970481763042,
9383485363053290200918347156157836566562967994039712273449902621266178545958
);
vk.beta2 = Pairing.G2Point(
[
4252822878758300859123897981450591353533073413197771768651442665752259397132,
6375614351688725206403948262868962793625744043794305715222011528459656738731
],
[
21847035105528745403288232691147584728191162732299865338377159692350059136679,
10505242626370262277552901082094356697409835680220590971873171140371331206856
]
);
vk.gamma2 = Pairing.G2Point(
[
11559732032986387107991004021392285783925812861821192530917403151452391805634,
10857046999023057135944570762232829481370756359578518086990519993285655852781
],
[
4082367875863433681332203403145435568316851327593401208105741076214120093531,
8495653923123431417604973247489272438418190587263600148770280649306958101930
]
);
vk.delta2 = Pairing.G2Point(
[
4246152484702050277565132335408650010216666048103975186858037423667921011245,
11761106885383518720174451196687963724495127702612880995502231202411849421701
],
[
20662719780693521898375922787282175696841448037933826627867273008735335783602,
9540218714987219778576059617464635889429392349728954857252076100095683267633
]
);
vk.IC = new Pairing.G1Point[](5);
vk.IC[0] = Pairing.G1Point(
16043291973889324756617069487195476149512574727363051659112556958735977616725,
16864605224185193093062266789812233298859884301538621362226822022081041278677
);
vk.IC[1] = Pairing.G1Point(
15935621905201691307201070923038920580506689594547556653696264182846970978554,
20793947184131761785325026067954699416249353321530615459908048240252442935417
);
vk.IC[2] = Pairing.G1Point(
15873695673932800019757092006642463598109301274410205214955538808836281067900,
13581010826645089044340117513778871694012835043547906854734814490388643425494
);
vk.IC[3] = Pairing.G1Point(
436067793811322464859758359330968701378288169738014324837094148538366747065,
5184689509856778472522887232562113210294765146488556347841833551753176606959
);
vk.IC[4] = Pairing.G1Point(
1580946655352989990810599848244095954566838172532565943008224849077018394283,
8901953775389474246223858845884219088656635610469822712500097959042485592148
);
}
function verify(uint[] memory input, Proof memory proof) internal view returns (uint) {
uint256 snark_scalar_field = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
VerifyingKey memory vk = verifyingKey();
require(input.length + 1 == vk.IC.length, "verifier-bad-input");
// Compute the linear combination vk_x
Pairing.G1Point memory vk_x = Pairing.G1Point(0, 0);
for (uint i = 0; i < input.length; i++) {
require(input[i] < snark_scalar_field, "verifier-gte-snark-scalar-field");
vk_x = Pairing.addition(vk_x, Pairing.scalar_mul(vk.IC[i + 1], input[i]));
}
vk_x = Pairing.addition(vk_x, vk.IC[0]);
if (
!Pairing.pairingProd4(
Pairing.negate(proof.A),
proof.B,
vk.alfa1,
vk.beta2,
vk_x,
vk.gamma2,
proof.C,
vk.delta2
)
) return 1;
return 0;
}
/// @return r bool true if proof is valid
function verifyProof(
uint[2] memory a,
uint[2][2] memory b,
uint[2] memory c,
uint[4] memory input
) public view returns (bool r) {
// slither-disable-next-line uninitialized-local
Proof memory proof;
proof.A = Pairing.G1Point(a[0], a[1]);
proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]);
proof.C = Pairing.G1Point(c[0], c[1]);
uint[] memory inputValues = new uint[](input.length);
for (uint i = 0; i < input.length; i++) {
inputValues[i] = input[i];
}
if (verify(inputValues, proof) == 0) {
return true;
} else {
return false;
}
}
}
设置
{
"compilationTarget": {
"@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol": "ERC1967Proxy"
},
"evmVersion": "london",
"libraries": {},
"metadata": {
"bytecodeHash": "ipfs"
},
"optimizer": {
"enabled": true,
"runs": 200
},
"remappings": []
}ABI
[{"inputs":[{"internalType":"address","name":"_logic","type":"address"},{"internalType":"bytes","name":"_data","type":"bytes"}],"stateMutability":"payable","type":"constructor"},{"anonymous":false,"inputs":[{"indexed":false,"internalType":"address","name":"previousAdmin","type":"address"},{"indexed":false,"internalType":"address","name":"newAdmin","type":"address"}],"name":"AdminChanged","type":"event"},{"anonymous":false,"inputs":[{"indexed":true,"internalType":"address","name":"beacon","type":"address"}],"name":"BeaconUpgraded","type":"event"},{"anonymous":false,"inputs":[{"indexed":true,"internalType":"address","name":"implementation","type":"address"}],"name":"Upgraded","type":"event"},{"stateMutability":"payable","type":"fallback"},{"stateMutability":"payable","type":"receive"}]