// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (access/AccessControl.sol)

pragma solidity ^0.8.0;

import "./IAccessControl.sol";
import "../utils/Context.sol";
import "../utils/Strings.sol";
import "../utils/introspection/ERC165.sol";

/**
 * @dev Contract module that allows children to implement role-based access
 * control mechanisms. This is a lightweight version that doesn't allow enumerating role
 * members except through off-chain means by accessing the contract event logs. Some
 * applications may benefit from on-chain enumerability, for those cases see
 * {AccessControlEnumerable}.
 *
 * Roles are referred to by their `bytes32` identifier. These should be exposed
 * in the external API and be unique. The best way to achieve this is by
 * using `public constant` hash digests:
 *
 * ```
 * bytes32 public constant MY_ROLE = keccak256("MY_ROLE");
 * ```
 *
 * Roles can be used to represent a set of permissions. To restrict access to a
 * function call, use {hasRole}:
 *
 * ```
 * function foo() public {
 *     require(hasRole(MY_ROLE, msg.sender));
 *     ...
 * }
 * ```
 *
 * Roles can be granted and revoked dynamically via the {grantRole} and
 * {revokeRole} functions. Each role has an associated admin role, and only
 * accounts that have a role's admin role can call {grantRole} and {revokeRole}.
 *
 * By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means
 * that only accounts with this role will be able to grant or revoke other
 * roles. More complex role relationships can be created by using
 * {_setRoleAdmin}.
 *
 * WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to
 * grant and revoke this role. Extra precautions should be taken to secure
 * accounts that have been granted it.
 */
abstract contract AccessControl is Context, IAccessControl, ERC165 {
    struct RoleData {
        mapping(address => bool) members;
        bytes32 adminRole;
    }

    mapping(bytes32 => RoleData) private _roles;

    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;

    /**
     * @dev Modifier that checks that an account has a specific role. Reverts
     * with a standardized message including the required role.
     *
     * The format of the revert reason is given by the following regular expression:
     *
     *  /^AccessControl: account (0x[0-9a-f]{40}) is missing role (0x[0-9a-f]{64})$/
     *
     * _Available since v4.1._
     */
    modifier onlyRole(bytes32 role) {
        _checkRole(role);
        _;
    }

    /**
     * @dev See {IERC165-supportsInterface}.
     */
    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
        return interfaceId == type(IAccessControl).interfaceId || super.supportsInterface(interfaceId);
    }

    /**
     * @dev Returns `true` if `account` has been granted `role`.
     */
    function hasRole(bytes32 role, address account) public view virtual override returns (bool) {
        return _roles[role].members[account];
    }

    /**
     * @dev Revert with a standard message if `_msgSender()` is missing `role`.
     * Overriding this function changes the behavior of the {onlyRole} modifier.
     *
     * Format of the revert message is described in {_checkRole}.
     *
     * _Available since v4.6._
     */
    function _checkRole(bytes32 role) internal view virtual {
        _checkRole(role, _msgSender());
    }

    /**
     * @dev Revert with a standard message if `account` is missing `role`.
     *
     * The format of the revert reason is given by the following regular expression:
     *
     *  /^AccessControl: account (0x[0-9a-f]{40}) is missing role (0x[0-9a-f]{64})$/
     */
    function _checkRole(bytes32 role, address account) internal view virtual {
        if (!hasRole(role, account)) {
            revert(
                string(
                    abi.encodePacked(
                        "AccessControl: account ",
                        Strings.toHexString(account),
                        " is missing role ",
                        Strings.toHexString(uint256(role), 32)
                    )
                )
            );
        }
    }

    /**
     * @dev Returns the admin role that controls `role`. See {grantRole} and
     * {revokeRole}.
     *
     * To change a role's admin, use {_setRoleAdmin}.
     */
    function getRoleAdmin(bytes32 role) public view virtual override returns (bytes32) {
        return _roles[role].adminRole;
    }

    /**
     * @dev Grants `role` to `account`.
     *
     * If `account` had not been already granted `role`, emits a {RoleGranted}
     * event.
     *
     * Requirements:
     *
     * - the caller must have ``role``'s admin role.
     *
     * May emit a {RoleGranted} event.
     */
    function grantRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)) {
        _grantRole(role, account);
    }

    /**
     * @dev Revokes `role` from `account`.
     *
     * If `account` had been granted `role`, emits a {RoleRevoked} event.
     *
     * Requirements:
     *
     * - the caller must have ``role``'s admin role.
     *
     * May emit a {RoleRevoked} event.
     */
    function revokeRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)) {
        _revokeRole(role, account);
    }

    /**
     * @dev Revokes `role` from the calling account.
     *
     * Roles are often managed via {grantRole} and {revokeRole}: this function's
     * purpose is to provide a mechanism for accounts to lose their privileges
     * if they are compromised (such as when a trusted device is misplaced).
     *
     * If the calling account had been revoked `role`, emits a {RoleRevoked}
     * event.
     *
     * Requirements:
     *
     * - the caller must be `account`.
     *
     * May emit a {RoleRevoked} event.
     */
    function renounceRole(bytes32 role, address account) public virtual override {
        require(account == _msgSender(), "AccessControl: can only renounce roles for self");

        _revokeRole(role, account);
    }

    /**
     * @dev Grants `role` to `account`.
     *
     * If `account` had not been already granted `role`, emits a {RoleGranted}
     * event. Note that unlike {grantRole}, this function doesn't perform any
     * checks on the calling account.
     *
     * May emit a {RoleGranted} event.
     *
     * [WARNING]
     * ====
     * This function should only be called from the constructor when setting
     * up the initial roles for the system.
     *
     * Using this function in any other way is effectively circumventing the admin
     * system imposed by {AccessControl}.
     * ====
     *
     * NOTE: This function is deprecated in favor of {_grantRole}.
     */
    function _setupRole(bytes32 role, address account) internal virtual {
        _grantRole(role, account);
    }

    /**
     * @dev Sets `adminRole` as ``role``'s admin role.
     *
     * Emits a {RoleAdminChanged} event.
     */
    function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual {
        bytes32 previousAdminRole = getRoleAdmin(role);
        _roles[role].adminRole = adminRole;
        emit RoleAdminChanged(role, previousAdminRole, adminRole);
    }

    /**
     * @dev Grants `role` to `account`.
     *
     * Internal function without access restriction.
     *
     * May emit a {RoleGranted} event.
     */
    function _grantRole(bytes32 role, address account) internal virtual {
        if (!hasRole(role, account)) {
            _roles[role].members[account] = true;
            emit RoleGranted(role, account, _msgSender());
        }
    }

    /**
     * @dev Revokes `role` from `account`.
     *
     * Internal function without access restriction.
     *
     * May emit a {RoleRevoked} event.
     */
    function _revokeRole(bytes32 role, address account) internal virtual {
        if (hasRole(role, account)) {
            _roles[role].members[account] = false;
            emit RoleRevoked(role, account, _msgSender());
        }
    }
}

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

library BMTChunk {
    // max chunk payload size
    uint256 public constant MAX_CHUNK_PAYLOAD_SIZE = 4096;
    // segment byte size
    uint256 public constant SEGMENT_SIZE = 32;

    /**
     * @notice          Changes the endianness of a uint64.
     * @dev             https://graphics.stanford.edu/~seander/bithacks.html#ReverseParallel
     * @param _b        The unsigned integer to reverse
     * @return          v - The reversed value
     */
    function reverseUint64(uint64 _b) public pure returns (uint64) {
        uint256 v = _b;

        // swap bytes
        v =
            ((v >> 8) & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) |
            ((v & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) << 8);
        // swap 2-byte long pairs
        v =
            ((v >> 16) & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) |
            ((v & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) << 16);
        // swap 4-byte long pairs
        v =
            ((v >> 32) & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) |
            ((v & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) << 32);

        return uint64(v);
    }

    /** Calculates the root hash from the provided inclusion proof segments and its corresponding segment index
     * @param _proofSegments Proof segments.
     * @param _proveSegment Segment to prove.
     * @param _proveSegmentIndex Prove segment index
     * @return _calculatedHash chunk hash
     */
    function rootHashFromInclusionProof(
        bytes32[] memory _proofSegments,
        bytes32 _proveSegment,
        uint256 _proveSegmentIndex
    ) internal pure returns (bytes32 _calculatedHash) {
        _calculatedHash = _proveSegment;
        for (uint256 i = 0; i < _proofSegments.length; i++) {
            bool mergeFromRight = _proveSegmentIndex % 2 == 0;
            _calculatedHash = mergeSegment(_calculatedHash, _proofSegments[i], mergeFromRight);
            _proveSegmentIndex >>= 1;
        }
        return _calculatedHash;
    }

    /**
     * Calculate the chunk address from the Binary Merkle Tree of the chunk data
     *
     * The BMT chunk address is the hash of the 8 byte span and the root
     * hash of a binary Merkle tree (BMT) built on the 32-byte segments
     * of the underlying data.
     * @param _proofSegments Proof segments.
     * @param _proveSegment Segment to prove.
     * @param _proveSegmentIndex Prove segment index
     * @param _chunkSpan chunk bytes length
     * @return _chunkHash chunk hash
     */
    function chunkAddressFromInclusionProof(
        bytes32[] memory _proofSegments,
        bytes32 _proveSegment,
        uint256 _proveSegmentIndex,
        uint64 _chunkSpan
    ) internal pure returns (bytes32) {
        bytes32 rootHash = rootHashFromInclusionProof(_proofSegments, _proveSegment, _proveSegmentIndex);
        return keccak256(abi.encodePacked(reverseUint64(_chunkSpan), rootHash));
    }

    function mergeSegment(
        bytes32 _calculatedHash,
        bytes32 _proofSegment,
        bool mergeFromRight
    ) internal pure returns (bytes32 res) {
        if (mergeFromRight) {
            res = keccak256(abi.encode(_calculatedHash, _proofSegment));
        } else {
            res = keccak256(abi.encode(_proofSegment, _calculatedHash));
        }
        return res;
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/Context.sol)

pragma solidity ^0.8.0;

/**
 * @dev Provides information about the current execution context, including the
 * sender of the transaction and its data. While these are generally available
 * via msg.sender and msg.data, they should not be accessed in such a direct
 * manner, since when dealing with meta-transactions the account sending and
 * paying for execution may not be the actual sender (as far as an application
 * is concerned).
 *
 * This contract is only required for intermediate, library-like contracts.
 */
abstract contract Context {
    function _msgSender() internal view virtual returns (address) {
        return msg.sender;
    }

    function _msgData() internal view virtual returns (bytes calldata) {
        return msg.data;
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/introspection/ERC165.sol)

pragma solidity ^0.8.0;

import "./IERC165.sol";

/**
 * @dev Implementation of the {IERC165} interface.
 *
 * Contracts that want to implement ERC165 should inherit from this contract and override {supportsInterface} to check
 * for the additional interface id that will be supported. For example:
 *
 * ```solidity
 * function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
 *     return interfaceId == type(MyInterface).interfaceId || super.supportsInterface(interfaceId);
 * }
 * ```
 *
 * Alternatively, {ERC165Storage} provides an easier to use but more expensive implementation.
 */
abstract contract ERC165 is IERC165 {
    /**
     * @dev See {IERC165-supportsInterface}.
     */
    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
        return interfaceId == type(IERC165).interfaceId;
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (access/IAccessControl.sol)

pragma solidity ^0.8.0;

/**
 * @dev External interface of AccessControl declared to support ERC165 detection.
 */
interface IAccessControl {
    /**
     * @dev Emitted when `newAdminRole` is set as ``role``'s admin role, replacing `previousAdminRole`
     *
     * `DEFAULT_ADMIN_ROLE` is the starting admin for all roles, despite
     * {RoleAdminChanged} not being emitted signaling this.
     *
     * _Available since v3.1._
     */
    event RoleAdminChanged(bytes32 indexed role, bytes32 indexed previousAdminRole, bytes32 indexed newAdminRole);

    /**
     * @dev Emitted when `account` is granted `role`.
     *
     * `sender` is the account that originated the contract call, an admin role
     * bearer except when using {AccessControl-_setupRole}.
     */
    event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);

    /**
     * @dev Emitted when `account` is revoked `role`.
     *
     * `sender` is the account that originated the contract call:
     *   - if using `revokeRole`, it is the admin role bearer
     *   - if using `renounceRole`, it is the role bearer (i.e. `account`)
     */
    event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);

    /**
     * @dev Returns `true` if `account` has been granted `role`.
     */
    function hasRole(bytes32 role, address account) external view returns (bool);

    /**
     * @dev Returns the admin role that controls `role`. See {grantRole} and
     * {revokeRole}.
     *
     * To change a role's admin, use {AccessControl-_setRoleAdmin}.
     */
    function getRoleAdmin(bytes32 role) external view returns (bytes32);

    /**
     * @dev Grants `role` to `account`.
     *
     * If `account` had not been already granted `role`, emits a {RoleGranted}
     * event.
     *
     * Requirements:
     *
     * - the caller must have ``role``'s admin role.
     */
    function grantRole(bytes32 role, address account) external;

    /**
     * @dev Revokes `role` from `account`.
     *
     * If `account` had been granted `role`, emits a {RoleRevoked} event.
     *
     * Requirements:
     *
     * - the caller must have ``role``'s admin role.
     */
    function revokeRole(bytes32 role, address account) external;

    /**
     * @dev Revokes `role` from the calling account.
     *
     * Roles are often managed via {grantRole} and {revokeRole}: this function's
     * purpose is to provide a mechanism for accounts to lose their privileges
     * if they are compromised (such as when a trusted device is misplaced).
     *
     * If the calling account had been granted `role`, emits a {RoleRevoked}
     * event.
     *
     * Requirements:
     *
     * - the caller must be `account`.
     */
    function renounceRole(bytes32 role, address account) external;
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/introspection/IERC165.sol)

pragma solidity ^0.8.0;

/**
 * @dev Interface of the ERC165 standard, as defined in the
 * https://eips.ethereum.org/EIPS/eip-165[EIP].
 *
 * Implementers can declare support of contract interfaces, which can then be
 * queried by others ({ERC165Checker}).
 *
 * For an implementation, see {ERC165}.
 */
interface IERC165 {
    /**
     * @dev Returns true if this contract implements the interface defined by
     * `interfaceId`. See the corresponding
     * https://eips.ethereum.org/EIPS/eip-165#how-interfaces-are-identified[EIP section]
     * to learn more about how these ids are created.
     *
     * This function call must use less than 30 000 gas.
     */
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.19;

interface IPostageStamp {
    function withdraw(address beneficiary) external;

    function setPrice(uint256 _price) external;

    function validChunkCount() external view returns (uint256);

    function batchOwner(bytes32 _batchId) external view returns (address);

    function batchDepth(bytes32 _batchId) external view returns (uint8);

    function batchBucketDepth(bytes32 _batchId) external view returns (uint8);

    function remainingBalance(bytes32 _batchId) external view returns (uint256);

    function minimumInitialBalancePerChunk() external view returns (uint256);

    function batches(
        bytes32
    )
        external
        view
        returns (
            address owner,
            uint8 depth,
            uint8 bucketDepth,
            bool immutableFlag,
            uint256 normalisedBalance,
            uint256 lastUpdatedBlockNumber
        );
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (utils/math/Math.sol)

pragma solidity ^0.8.0;

/**
 * @dev Standard math utilities missing in the Solidity language.
 */
library Math {
    enum Rounding {
        Down, // Toward negative infinity
        Up, // Toward infinity
        Zero // Toward zero
    }

    /**
     * @dev Returns the largest of two numbers.
     */
    function max(uint256 a, uint256 b) internal pure returns (uint256) {
        return a > b ? a : b;
    }

    /**
     * @dev Returns the smallest of two numbers.
     */
    function min(uint256 a, uint256 b) internal pure returns (uint256) {
        return a < b ? a : b;
    }

    /**
     * @dev Returns the average of two numbers. The result is rounded towards
     * zero.
     */
    function average(uint256 a, uint256 b) internal pure returns (uint256) {
        // (a + b) / 2 can overflow.
        return (a & b) + (a ^ b) / 2;
    }

    /**
     * @dev Returns the ceiling of the division of two numbers.
     *
     * This differs from standard division with `/` in that it rounds up instead
     * of rounding down.
     */
    function ceilDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        // (a + b - 1) / b can overflow on addition, so we distribute.
        return a == 0 ? 0 : (a - 1) / b + 1;
    }

    /**
     * @notice Calculates floor(x * y / denominator) with full precision. Throws if result overflows a uint256 or denominator == 0
     * @dev Original credit to Remco Bloemen under MIT license (https://xn--2-umb.com/21/muldiv)
     * with further edits by Uniswap Labs also under MIT license.
     */
    function mulDiv(
        uint256 x,
        uint256 y,
        uint256 denominator
    ) internal pure returns (uint256 result) {
        unchecked {
            // 512-bit multiply [prod1 prod0] = x * y. Compute the product mod 2^256 and mod 2^256 - 1, then use
            // use the Chinese Remainder Theorem to reconstruct the 512 bit result. The result is stored in two 256
            // variables such that product = prod1 * 2^256 + prod0.
            uint256 prod0; // Least significant 256 bits of the product
            uint256 prod1; // Most significant 256 bits of the product
            assembly {
                let mm := mulmod(x, y, not(0))
                prod0 := mul(x, y)
                prod1 := sub(sub(mm, prod0), lt(mm, prod0))
            }

            // Handle non-overflow cases, 256 by 256 division.
            if (prod1 == 0) {
                return prod0 / denominator;
            }

            // Make sure the result is less than 2^256. Also prevents denominator == 0.
            require(denominator > prod1);

            ///////////////////////////////////////////////
            // 512 by 256 division.
            ///////////////////////////////////////////////

            // Make division exact by subtracting the remainder from [prod1 prod0].
            uint256 remainder;
            assembly {
                // Compute remainder using mulmod.
                remainder := mulmod(x, y, denominator)

                // Subtract 256 bit number from 512 bit number.
                prod1 := sub(prod1, gt(remainder, prod0))
                prod0 := sub(prod0, remainder)
            }

            // Factor powers of two out of denominator and compute largest power of two divisor of denominator. Always >= 1.
            // See https://cs.stackexchange.com/q/138556/92363.

            // Does not overflow because the denominator cannot be zero at this stage in the function.
            uint256 twos = denominator & (~denominator + 1);
            assembly {
                // Divide denominator by twos.
                denominator := div(denominator, twos)

                // Divide [prod1 prod0] by twos.
                prod0 := div(prod0, twos)

                // Flip twos such that it is 2^256 / twos. If twos is zero, then it becomes one.
                twos := add(div(sub(0, twos), twos), 1)
            }

            // Shift in bits from prod1 into prod0.
            prod0 |= prod1 * twos;

            // Invert denominator mod 2^256. Now that denominator is an odd number, it has an inverse modulo 2^256 such
            // that denominator * inv = 1 mod 2^256. Compute the inverse by starting with a seed that is correct for
            // four bits. That is, denominator * inv = 1 mod 2^4.
            uint256 inverse = (3 * denominator) ^ 2;

            // Use the Newton-Raphson iteration to improve the precision. Thanks to Hensel's lifting lemma, this also works
            // in modular arithmetic, doubling the correct bits in each step.
            inverse *= 2 - denominator * inverse; // inverse mod 2^8
            inverse *= 2 - denominator * inverse; // inverse mod 2^16
            inverse *= 2 - denominator * inverse; // inverse mod 2^32
            inverse *= 2 - denominator * inverse; // inverse mod 2^64
            inverse *= 2 - denominator * inverse; // inverse mod 2^128
            inverse *= 2 - denominator * inverse; // inverse mod 2^256

            // Because the division is now exact we can divide by multiplying with the modular inverse of denominator.
            // This will give us the correct result modulo 2^256. Since the preconditions guarantee that the outcome is
            // less than 2^256, this is the final result. We don't need to compute the high bits of the result and prod1
            // is no longer required.
            result = prod0 * inverse;
            return result;
        }
    }

    /**
     * @notice Calculates x * y / denominator with full precision, following the selected rounding direction.
     */
    function mulDiv(
        uint256 x,
        uint256 y,
        uint256 denominator,
        Rounding rounding
    ) internal pure returns (uint256) {
        uint256 result = mulDiv(x, y, denominator);
        if (rounding == Rounding.Up && mulmod(x, y, denominator) > 0) {
            result += 1;
        }
        return result;
    }

    /**
     * @dev Returns the square root of a number. If the number is not a perfect square, the value is rounded down.
     *
     * Inspired by Henry S. Warren, Jr.'s "Hacker's Delight" (Chapter 11).
     */
    function sqrt(uint256 a) internal pure returns (uint256) {
        if (a == 0) {
            return 0;
        }

        // For our first guess, we get the biggest power of 2 which is smaller than the square root of the target.
        //
        // We know that the "msb" (most significant bit) of our target number `a` is a power of 2 such that we have
        // `msb(a) <= a < 2*msb(a)`. This value can be written `msb(a)=2**k` with `k=log2(a)`.
        //
        // This can be rewritten `2**log2(a) <= a < 2**(log2(a) + 1)`
        // → `sqrt(2**k) <= sqrt(a) < sqrt(2**(k+1))`
        // → `2**(k/2) <= sqrt(a) < 2**((k+1)/2) <= 2**(k/2 + 1)`
        //
        // Consequently, `2**(log2(a) / 2)` is a good first approximation of `sqrt(a)` with at least 1 correct bit.
        uint256 result = 1 << (log2(a) >> 1);

        // At this point `result` is an estimation with one bit of precision. We know the true value is a uint128,
        // since it is the square root of a uint256. Newton's method converges quadratically (precision doubles at
        // every iteration). We thus need at most 7 iteration to turn our partial result with one bit of precision
        // into the expected uint128 result.
        unchecked {
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            return min(result, a / result);
        }
    }

    /**
     * @notice Calculates sqrt(a), following the selected rounding direction.
     */
    function sqrt(uint256 a, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = sqrt(a);
            return result + (rounding == Rounding.Up && result * result < a ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 2, rounded down, of a positive value.
     * Returns 0 if given 0.
     */
    function log2(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >> 128 > 0) {
                value >>= 128;
                result += 128;
            }
            if (value >> 64 > 0) {
                value >>= 64;
                result += 64;
            }
            if (value >> 32 > 0) {
                value >>= 32;
                result += 32;
            }
            if (value >> 16 > 0) {
                value >>= 16;
                result += 16;
            }
            if (value >> 8 > 0) {
                value >>= 8;
                result += 8;
            }
            if (value >> 4 > 0) {
                value >>= 4;
                result += 4;
            }
            if (value >> 2 > 0) {
                value >>= 2;
                result += 2;
            }
            if (value >> 1 > 0) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 2, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log2(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log2(value);
            return result + (rounding == Rounding.Up && 1 << result < value ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 10, rounded down, of a positive value.
     * Returns 0 if given 0.
     */
    function log10(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >= 10**64) {
                value /= 10**64;
                result += 64;
            }
            if (value >= 10**32) {
                value /= 10**32;
                result += 32;
            }
            if (value >= 10**16) {
                value /= 10**16;
                result += 16;
            }
            if (value >= 10**8) {
                value /= 10**8;
                result += 8;
            }
            if (value >= 10**4) {
                value /= 10**4;
                result += 4;
            }
            if (value >= 10**2) {
                value /= 10**2;
                result += 2;
            }
            if (value >= 10**1) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 10, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log10(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log10(value);
            return result + (rounding == Rounding.Up && 10**result < value ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 256, rounded down, of a positive value.
     * Returns 0 if given 0.
     *
     * Adding one to the result gives the number of pairs of hex symbols needed to represent `value` as a hex string.
     */
    function log256(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >> 128 > 0) {
                value >>= 128;
                result += 16;
            }
            if (value >> 64 > 0) {
                value >>= 64;
                result += 8;
            }
            if (value >> 32 > 0) {
                value >>= 32;
                result += 4;
            }
            if (value >> 16 > 0) {
                value >>= 16;
                result += 2;
            }
            if (value >> 8 > 0) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 10, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log256(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log256(value);
            return result + (rounding == Rounding.Up && 1 << (result * 8) < value ? 1 : 0);
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.7.0) (security/Pausable.sol)

pragma solidity ^0.8.0;

import "../utils/Context.sol";

/**
 * @dev Contract module which allows children to implement an emergency stop
 * mechanism that can be triggered by an authorized account.
 *
 * This module is used through inheritance. It will make available the
 * modifiers `whenNotPaused` and `whenPaused`, which can be applied to
 * the functions of your contract. Note that they will not be pausable by
 * simply including this module, only once the modifiers are put in place.
 */
abstract contract Pausable is Context {
    /**
     * @dev Emitted when the pause is triggered by `account`.
     */
    event Paused(address account);

    /**
     * @dev Emitted when the pause is lifted by `account`.
     */
    event Unpaused(address account);

    bool private _paused;

    /**
     * @dev Initializes the contract in unpaused state.
     */
    constructor() {
        _paused = false;
    }

    /**
     * @dev Modifier to make a function callable only when the contract is not paused.
     *
     * Requirements:
     *
     * - The contract must not be paused.
     */
    modifier whenNotPaused() {
        _requireNotPaused();
        _;
    }

    /**
     * @dev Modifier to make a function callable only when the contract is paused.
     *
     * Requirements:
     *
     * - The contract must be paused.
     */
    modifier whenPaused() {
        _requirePaused();
        _;
    }

    /**
     * @dev Returns true if the contract is paused, and false otherwise.
     */
    function paused() public view virtual returns (bool) {
        return _paused;
    }

    /**
     * @dev Throws if the contract is paused.
     */
    function _requireNotPaused() internal view virtual {
        require(!paused(), "Pausable: paused");
    }

    /**
     * @dev Throws if the contract is not paused.
     */
    function _requirePaused() internal view virtual {
        require(paused(), "Pausable: not paused");
    }

    /**
     * @dev Triggers stopped state.
     *
     * Requirements:
     *
     * - The contract must not be paused.
     */
    function _pause() internal virtual whenNotPaused {
        _paused = true;
        emit Paused(_msgSender());
    }

    /**
     * @dev Returns to normal state.
     *
     * Requirements:
     *
     * - The contract must be paused.
     */
    function _unpause() internal virtual whenPaused {
        _paused = false;
        emit Unpaused(_msgSender());
    }
}

// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.19;
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "./Util/TransformedChunkProof.sol";
import "./Util/ChunkProof.sol";
import "./Util/Signatures.sol";
import "./interface/IPostageStamp.sol";

interface IPriceOracle {
    function adjustPrice(uint16 redundancy) external returns (bool);
}

interface IStakeRegistry {
    struct Stake {
        bytes32 overlay;
        uint256 stakeAmount;
        uint256 lastUpdatedBlockNumber;
    }

    function freezeDeposit(address _owner, uint256 _time) external;

    function lastUpdatedBlockNumberOfAddress(address _owner) external view returns (uint256);

    function overlayOfAddress(address _owner) external view returns (bytes32);

    function heightOfAddress(address _owner) external view returns (uint8);

    function nodeEffectiveStake(address _owner) external view returns (uint256);
}

/**
 * @title Redistribution contract
 * @author The Swarm Authors
 * @dev Implements a Schelling Co-ordination game to form consensus around the Reserve Commitment hash. This takes
 * place in three phases: _commit_, _reveal_ and _claim_.
 *
 * A node, upon establishing that it _isParticipatingInUpcomingRound_, i.e. it's overlay falls within proximity order
 * of its reported depth with the _currentRoundAnchor_, prepares a "reserve commitment hash" using the chunks
 * it currently stores in its reserve and calculates the "storage depth" (see Bee for details). These values, if calculated
 * honestly, and with the right chunks stored, should be the same for every node in a neighbourhood. This is the Schelling point.
 * Each eligible node can then use these values, together with a random, single use, secret  _revealNonce_ and their
 * _overlay_ as the pre-image values for the obsfucated _commit_, using the _wrapCommit_ method.
 *
 * Once the _commit_ round has elapsed, participating nodes must provide the values used to calculate their obsfucated
 * _commit_ hash, which, once verified for correctness and proximity to the anchor are retained in the _currentReveals_.
 * Nodes that have committed but do not reveal the correct values used to create the pre-image will have their stake
 * "frozen" for a period of rounds proportional to their reported depth.
 *
 * During the _reveal_ round, randomness is updated after every successful reveal. Once the reveal round is concluded,
 * the _currentRoundAnchor_ is updated and users can determine if they will be eligible their overlay will be eligible
 * for the next commit phase using _isParticipatingInUpcomingRound_.
 *
 * When the _reveal_ phase has been concluded, the claim phase can begin. At this point, the truth teller and winner
 * are already determined. By calling _isWinner_, an applicant node can run the relevant logic to determine if they have
 * been selected as the beneficiary of this round. When calling _claim_, the current pot from the PostageStamp contract
 * is withdrawn and transferred to that beneficiaries address. Nodes that have revealed values that differ from the truth,
 * have their stakes "frozen" for a period of rounds proportional to their reported depth.
 */

contract Redistribution is AccessControl, Pausable {
    // ----------------------------- Type declarations ------------------------------

    // An eligible user may commit to an _obfuscatedHash_ during the commit phase...
    struct Commit {
        bytes32 overlay;
        address owner;
        bool revealed;
        uint8 height;
        uint256 stake;
        bytes32 obfuscatedHash;
        uint256 revealIndex;
    }
    // ...then provide the actual values that are the constituents of the pre-image of the _obfuscatedHash_
    // during the reveal phase.
    struct Reveal {
        bytes32 overlay;
        address owner;
        uint8 depth;
        uint256 stake;
        uint256 stakeDensity;
        bytes32 hash;
    }

    struct ChunkInclusionProof {
        bytes32[] proofSegments;
        bytes32 proveSegment;
        // _RCspan is known for RC 32*32

        // Inclusion proof of transformed address
        bytes32[] proofSegments2;
        bytes32 proveSegment2;
        // proveSegmentIndex2 known from deterministic random selection;
        uint64 chunkSpan;
        bytes32[] proofSegments3;
        //  _proveSegment3 known, is equal _proveSegment2
        // proveSegmentIndex3 know, is equal _proveSegmentIndex2;
        // chunkSpan2 is equal to chunkSpan (as the data is the same)
        //
        PostageProof postageProof;
        SOCProof[] socProof;
    }

    struct SOCProof {
        address signer; // signer Ethereum address to check against
        bytes signature;
        bytes32 identifier; //
        bytes32 chunkAddr; // wrapped chunk address
    }

    struct PostageProof {
        bytes signature;
        bytes32 postageId;
        uint64 index;
        uint64 timeStamp;
        // address signer; it is provided by the postage stamp contract
        // bytes32 chunkAddr; it equals to the proveSegment argument
    }

    // The address of the linked PostageStamp contract.
    IPostageStamp public PostageContract;
    // The address of the linked PriceOracle contract.
    IPriceOracle public OracleContract;
    // The address of the linked Staking contract.
    IStakeRegistry public Stakes;

    // Commits for the current round.
    Commit[] public currentCommits;
    // Reveals for the current round.
    Reveal[] public currentReveals;

    // The current anchor that being processed for the reveal and claim phases of the round.
    bytes32 private currentRevealRoundAnchor;

    // The current random value from which we will random.
    // inputs for selection of the truth teller and beneficiary.
    bytes32 private seed;

    // The number of the currently active round phases.
    uint64 public currentCommitRound;
    uint64 public currentRevealRound;
    uint64 public currentClaimRound;

    // Settings for slashing and freezing
    uint8 private penaltyMultiplierDisagreement = 1;
    uint8 private penaltyMultiplierNonRevealed = 2;
    uint8 private penaltyRandomFactor = 100; // Use 100 as value to ignore random factor in freezing penalty

    // alpha=0.097612 beta=0.0716570 k=16
    uint256 private sampleMaxValue = 1284401000000000000000000000000000000000000000000000000000000000000000000;

    // The reveal of the winner of the last round.
    Reveal public winner;

    // The length of a round in blocks.
    uint256 private constant ROUND_LENGTH = 152;

    // Maximum value of the keccack256 hash.
    bytes32 private constant MAX_H = 0x00000000000000000000000000000000ffffffffffffffffffffffffffffffff;

    // ----------------------------- Events ------------------------------

    /**
     * @dev Emitted when the winner of a round is selected in the claim phase
     */
    event WinnerSelected(Reveal winner);

    /**
     * @dev Emitted when the truth oracle of a round is selected in the claim phase.
     */
    event TruthSelected(bytes32 hash, uint8 depth);

    // Next two events to be removed after testing phase pending some other usefulness being found.
    /**
     * @dev Emits the number of commits being processed by the claim phase.
     */
    event CountCommits(uint256 _count);

    /**
     * @dev Emits the number of reveals being processed by the claim phase.
     */
    event CountReveals(uint256 _count);

    /**
     * @dev Logs that an overlay has committed
     */
    event Committed(uint256 roundNumber, bytes32 overlay, uint8 height);
    /**
     * @dev Emit from Postagestamp contract valid chunk count at the end of claim
     */
    event ChunkCount(uint256 validChunkCount);

    /**
     * @dev Bytes32 anhor of current reveal round
     */
    event CurrentRevealAnchor(uint256 roundNumber, bytes32 anchor);

    /**
     * @dev Output external call status
     */
    event PriceAdjustmentSkipped(uint16 redundancyCount);

    /**
     * @dev Withdraw not successful in claim
     */
    event WithdrawFailed(address owner);

    /**
     * @dev Logs that an overlay has revealed
     */
    event Revealed(
        uint256 roundNumber,
        bytes32 overlay,
        uint256 stake,
        uint256 stakeDensity,
        bytes32 reserveCommitment,
        uint8 depth
    );

    /**
     * @dev Logs for inclusion proof
     */
    event transformedChunkAddressFromInclusionProof(uint256 indexInRC, bytes32 chunkAddress);

    // ----------------------------- Errors ------------------------------

    error NotCommitPhase(); // Game is not in commit phase
    error NoCommitsReceived(); // Round didn't receive any commits
    error PhaseLastBlock(); // We don't permit commits in last block of the phase
    error CommitRoundOver(); // Commit phase in this round is over
    error CommitRoundNotStarted(); // Commit phase in this round has not started yet
    error NotMatchingOwner(); // Sender of commit is not matching the overlay address
    error MustStake2Rounds(); // Before entering the game node must stake 2 rounds prior
    error NotStaked(); // Node didn't add any staking
    error WrongPhase(); // Checking in wrong phase, need to check duing claim phase of current round for next round or commit in current round
    error AlreadyCommitted(); // Node already committed in this round
    error NotRevealPhase(); // Game is not in reveal phase
    error OutOfDepthReveal(bytes32); // Anchor is out of reported depth in Reveal phase, anchor data available as argument
    error OutOfDepthClaim(uint8); // Anchor is out of reported depth in Claim phase, entryProof index is argument
    error OutOfDepth(); // Anchor is out of reported depth
    error AlreadyRevealed(); // Node already revealed
    error NoMatchingCommit(); // No matching commit and hash
    error NotClaimPhase(); // Game is not in the claim phase
    error NoReveals(); // Round did not receive any reveals
    error FirstRevealDone(); // We don't want to return value after first reveal
    error AlreadyClaimed(); // This round was already claimed
    error NotAdmin(); // Caller of trx is not admin
    error OnlyPauser(); // Only account with pauser role can call pause/unpause
    error SocVerificationFailed(bytes32); // Soc verification failed for this element
    error SocCalcNotMatching(bytes32); // Soc address calculation does not match with the witness
    error IndexOutsideSet(bytes32); // Stamp available: index resides outside of the valid index set
    error SigRecoveryFailed(bytes32); // Stamp authorized: signature recovery failed for element
    error BatchDoesNotExist(bytes32); // Stamp alive: batch remaining balance validation failed for attached stamp
    error BucketDiffers(bytes32); // Stamp aligned: postage bucket differs from address bucket
    error InclusionProofFailed(uint8, bytes32);
    // 1 = RC inclusion proof failed for element
    // 2 = First sister segment in data must match,
    // 3 = Inclusion proof failed for original address of element
    // 4 = Inclusion proof failed for transformed address of element
    error RandomElementCheckFailed(); // Random element order check failed
    error LastElementCheckFailed(); // Last element order check failed
    error ReserveCheckFailed(bytes32 trALast); // Reserve size estimation check failed

    // ----------------------------- CONSTRUCTOR ------------------------------

    /**
     * @param staking the address of the linked Staking contract.
     * @param postageContract the address of the linked PostageStamp contract.
     * @param oracleContract the address of the linked PriceOracle contract.
     */
    constructor(address staking, address postageContract, address oracleContract) {
        Stakes = IStakeRegistry(staking);
        PostageContract = IPostageStamp(postageContract);
        OracleContract = IPriceOracle(oracleContract);
        _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    ////////////////////////////////////////
    //           STATE CHANGING           //
    ////////////////////////////////////////

    /**
     * @notice Begin application for a round if eligible. Commit a hashed value for which the pre-image will be
     * subsequently revealed.
     * @dev If a node's overlay is _inProximity_(_depth_) of the _currentRoundAnchor_, that node may compute an
     * _obfuscatedHash_ by providing their _overlay_, reported storage _depth_, reserve commitment _hash_ and a
     * randomly generated, and secret _revealNonce_ to the _wrapCommit_ method.
     * @param _obfuscatedHash The calculated hash resultant of the required pre-image values.
     * and be derived from the same key pair as the message sender.
     * @param _roundNumber Node needs to provide round number for which commit is valid
     */
    function commit(bytes32 _obfuscatedHash, uint64 _roundNumber) external whenNotPaused {
        uint64 cr = currentRound();
        bytes32 _overlay = Stakes.overlayOfAddress(msg.sender);
        uint256 _stake = Stakes.nodeEffectiveStake(msg.sender);
        uint256 _lastUpdate = Stakes.lastUpdatedBlockNumberOfAddress(msg.sender);
        uint8 _height = Stakes.heightOfAddress(msg.sender);

        if (!currentPhaseCommit()) {
            revert NotCommitPhase();
        }
        if (block.number % ROUND_LENGTH == (ROUND_LENGTH / 4) - 1) {
            revert PhaseLastBlock();
        }

        if (cr > _roundNumber) {
            revert CommitRoundOver();
        }

        if (cr < _roundNumber) {
            revert CommitRoundNotStarted();
        }

        if (_lastUpdate == 0) {
            revert NotStaked();
        }

        if (_lastUpdate >= block.number - 2 * ROUND_LENGTH) {
            revert MustStake2Rounds();
        }

        // if we are in a new commit phase, reset the array of commits and
        // set the currentCommitRound to be the current one
        if (cr != currentCommitRound) {
            delete currentCommits;
            currentCommitRound = cr;
        }

        uint256 commitsArrayLength = currentCommits.length;

        for (uint256 i = 0; i < commitsArrayLength; ) {
            if (currentCommits[i].overlay == _overlay) {
                revert AlreadyCommitted();
            }

            unchecked {
                ++i;
            }
        }

        currentCommits.push(
            Commit({
                overlay: _overlay,
                owner: msg.sender,
                revealed: false,
                height: _height,
                stake: _stake,
                obfuscatedHash: _obfuscatedHash,
                revealIndex: 0
            })
        );

        emit Committed(_roundNumber, _overlay, _height);
    }

    /**
     * @notice Reveal the pre-image values used to generate commit provided during this round's commit phase.
     * @param _depth The reported depth.
     * @param _hash The reserve commitment hash.
     * @param _revealNonce The nonce used to generate the commit that is being revealed.
     */
    function reveal(uint8 _depth, bytes32 _hash, bytes32 _revealNonce) external whenNotPaused {
        uint64 cr = currentRound();
        bytes32 _overlay = Stakes.overlayOfAddress(msg.sender);

        if (_depth < currentMinimumDepth()) {
            revert OutOfDepth();
        }

        if (!currentPhaseReveal()) {
            revert NotRevealPhase();
        }

        if (cr != currentCommitRound) {
            revert NoCommitsReceived();
        }

        if (cr != currentRevealRound) {
            currentRevealRoundAnchor = currentRoundAnchor();
            delete currentReveals;
            // We set currentRevealRound ONLY after we set current anchor
            currentRevealRound = cr;
            emit CurrentRevealAnchor(cr, currentRevealRoundAnchor);
            updateRandomness();
        }

        bytes32 obfuscatedHash = wrapCommit(_overlay, _depth, _hash, _revealNonce);
        uint256 id = findCommit(_overlay, obfuscatedHash);
        Commit memory revealedCommit = currentCommits[id];
        uint8 depthResponsibility = _depth - revealedCommit.height;

        // Check that commit is in proximity of the current anchor
        if (!inProximity(revealedCommit.overlay, currentRevealRoundAnchor, depthResponsibility)) {
            revert OutOfDepthReveal(currentRevealRoundAnchor);
        }
        // Check that the commit has not already been revealed
        if (revealedCommit.revealed) {
            revert AlreadyRevealed();
        }

        currentCommits[id].revealed = true;
        currentCommits[id].revealIndex = currentReveals.length;

        currentReveals.push(
            Reveal({
                overlay: revealedCommit.overlay,
                owner: revealedCommit.owner,
                depth: _depth,
                stake: revealedCommit.stake,
                stakeDensity: revealedCommit.stake * uint256(2 ** depthResponsibility),
                hash: _hash
            })
        );

        emit Revealed(
            cr,
            revealedCommit.overlay,
            revealedCommit.stake,
            revealedCommit.stake * uint256(2 ** depthResponsibility),
            _hash,
            _depth
        );
    }

    /**
     * @notice Helper function to get this round truth
     * @dev
     */
    function claim(
        ChunkInclusionProof calldata entryProof1,
        ChunkInclusionProof calldata entryProof2,
        ChunkInclusionProof calldata entryProofLast
    ) external whenNotPaused {
        winnerSelection();

        Reveal memory winnerSelected = winner;
        uint256 indexInRC1;
        uint256 indexInRC2;
        bytes32 _currentRevealRoundAnchor = currentRevealRoundAnchor;
        bytes32 _seed = seed;

        // rand(14)
        indexInRC1 = uint256(_seed) % 15;
        // rand(13)
        indexInRC2 = uint256(_seed) % 14;
        if (indexInRC2 >= indexInRC1) {
            indexInRC2++;
        }

        if (!inProximity(entryProofLast.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
            revert OutOfDepthClaim(3);
        }

        inclusionFunction(entryProofLast, 30);
        stampFunction(entryProofLast);
        socFunction(entryProofLast);

        if (!inProximity(entryProof1.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
            revert OutOfDepthClaim(2);
        }

        inclusionFunction(entryProof1, indexInRC1 * 2);
        stampFunction(entryProof1);
        socFunction(entryProof1);

        if (!inProximity(entryProof2.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
            revert OutOfDepthClaim(1);
        }

        inclusionFunction(entryProof2, indexInRC2 * 2);
        stampFunction(entryProof2);
        socFunction(entryProof2);

        checkOrder(
            indexInRC1,
            indexInRC2,
            entryProof1.proofSegments[0],
            entryProof2.proofSegments[0],
            entryProofLast.proofSegments[0]
        );

        estimateSize(entryProofLast.proofSegments[0]);

        // Do the check if the withdraw was success
        (bool success, ) = address(PostageContract).call(
            abi.encodeWithSignature("withdraw(address)", winnerSelected.owner)
        );
        if (!success) {
            emit WithdrawFailed(winnerSelected.owner);
        }

        emit WinnerSelected(winnerSelected);
        emit ChunkCount(PostageContract.validChunkCount());
    }

    function winnerSelection() internal {
        uint64 cr = currentRound();

        if (!currentPhaseClaim()) {
            revert NotClaimPhase();
        }

        if (cr != currentRevealRound) {
            revert NoReveals();
        }

        if (cr <= currentClaimRound) {
            revert AlreadyClaimed();
        }

        uint256 currentWinnerSelectionSum = 0;
        uint256 redundancyCount = 0;
        bytes32 randomNumber;
        uint256 randomNumberTrunc;

        bytes32 truthRevealedHash;
        uint8 truthRevealedDepth;
        uint256 currentCommitsLength = currentCommits.length;

        emit CountCommits(currentCommitsLength);
        emit CountReveals(currentReveals.length);

        (truthRevealedHash, truthRevealedDepth) = getCurrentTruth();
        emit TruthSelected(truthRevealedHash, truthRevealedDepth);
        string memory winnerSelectionAnchor = currentWinnerSelectionAnchor();

        for (uint256 i = 0; i < currentCommitsLength; ) {
            Commit memory currentCommit = currentCommits[i];
            uint256 revIndex = currentCommit.revealIndex;
            Reveal memory currentReveal = currentReveals[revIndex];

            // Select winner with valid truth
            if (
                currentCommit.revealed &&
                truthRevealedHash == currentReveal.hash &&
                truthRevealedDepth == currentReveal.depth
            ) {
                currentWinnerSelectionSum += currentReveal.stakeDensity;
                randomNumber = keccak256(abi.encodePacked(winnerSelectionAnchor, redundancyCount));
                randomNumberTrunc = uint256(randomNumber & MAX_H);

                if (randomNumberTrunc * currentWinnerSelectionSum < currentReveal.stakeDensity * (uint256(MAX_H) + 1)) {
                    winner = currentReveal;
                }

                redundancyCount++;
            }

            // Freeze deposit if any truth is false, make it a penaltyRandomFactor chance for this to happen
            if (
                currentCommit.revealed &&
                (truthRevealedHash != currentReveal.hash || truthRevealedDepth != currentReveal.depth) &&
                (block.prevrandao % 100 < penaltyRandomFactor)
            ) {
                Stakes.freezeDeposit(
                    currentReveal.owner,
                    penaltyMultiplierDisagreement * ROUND_LENGTH * uint256(2 ** truthRevealedDepth)
                );
            }

            // Slash deposits if revealed is false
            if (!currentCommit.revealed) {
                // slash in later phase (ph5)
                // Stakes.slashDeposit(currentCommits[i].overlay, currentCommits[i].stake);
                Stakes.freezeDeposit(
                    currentCommit.owner,
                    penaltyMultiplierNonRevealed * ROUND_LENGTH * uint256(2 ** truthRevealedDepth)
                );
            }
            unchecked {
                ++i;
            }
        }

        bool success = OracleContract.adjustPrice(uint16(redundancyCount));
        if (!success) {
            emit PriceAdjustmentSkipped(uint16(redundancyCount));
        }
        currentClaimRound = cr;
    }

    function inclusionFunction(ChunkInclusionProof calldata entryProof, uint256 indexInRC) internal {
        uint256 randomChunkSegmentIndex = uint256(seed) % 128;
        bytes32 calculatedTransformedAddr = TransformedBMTChunk.transformedChunkAddressFromInclusionProof(
            entryProof.proofSegments3,
            entryProof.proveSegment2,
            randomChunkSegmentIndex,
            entryProof.chunkSpan,
            currentRevealRoundAnchor
        );

        emit transformedChunkAddressFromInclusionProof(indexInRC, calculatedTransformedAddr);

        if (
            winner.hash !=
            BMTChunk.chunkAddressFromInclusionProof(
                entryProof.proofSegments,
                entryProof.proveSegment,
                indexInRC,
                32 * 32
            )
        ) {
            revert InclusionProofFailed(1, calculatedTransformedAddr);
        }

        if (entryProof.proofSegments2[0] != entryProof.proofSegments3[0]) {
            revert InclusionProofFailed(2, calculatedTransformedAddr);
        }

        bytes32 originalAddress = entryProof.socProof.length > 0
            ? entryProof.socProof[0].chunkAddr // soc attestation in socFunction
            : entryProof.proveSegment;

        if (
            originalAddress !=
            BMTChunk.chunkAddressFromInclusionProof(
                entryProof.proofSegments2,
                entryProof.proveSegment2,
                randomChunkSegmentIndex,
                entryProof.chunkSpan
            )
        ) {
            revert InclusionProofFailed(3, calculatedTransformedAddr);
        }

        // In case of SOC, the transformed address is hashed together with its address in the sample
        if (entryProof.socProof.length > 0) {
            calculatedTransformedAddr = keccak256(
                abi.encode(
                    entryProof.proveSegment, // SOC address
                    calculatedTransformedAddr
                )
            );
        }

        if (entryProof.proofSegments[0] != calculatedTransformedAddr) {
            revert InclusionProofFailed(4, calculatedTransformedAddr);
        }
    }

    /**
     * @notice Set freezing parameters
     */
    function setFreezingParams(
        uint8 _penaltyMultiplierDisagreement,
        uint8 _penaltyMultiplierNonRevealed,
        uint8 _penaltyRandomFactor
    ) external {
        if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
            revert NotAdmin();
        }

        penaltyMultiplierDisagreement = _penaltyMultiplierDisagreement;
        penaltyMultiplierNonRevealed = _penaltyMultiplierNonRevealed;
        penaltyRandomFactor = _penaltyRandomFactor;
    }

    /**
     * @notice changes the max sample value used for reserve estimation
     */
    function setSampleMaxValue(uint256 _sampleMaxValue) external {
        if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
            revert NotAdmin();
        }

        sampleMaxValue = _sampleMaxValue;
    }

    /**
     * @notice Updates the source of randomness. Uses block.difficulty in pre-merge chains, this is substituted
     * to block.prevrandao in post merge chains.
     */
    function updateRandomness() private {
        seed = keccak256(abi.encode(seed, block.prevrandao));
    }

    /**
    * @dev Pause the contract. The contract is provably stopped by renouncing
     the pauser role and the admin role after pausing, can only be called by the `PAUSER`
     */
    function pause() public {
        if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
            revert OnlyPauser();
        }

        _pause();
    }

    /**
     * @dev Unpause the contract, can only be called by the pauser when paused
     */
    function unPause() public {
        if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
            revert OnlyPauser();
        }
        _unpause();
    }

    ////////////////////////////////////////
    //            STATE READING           //
    ////////////////////////////////////////

    // ----------------------------- Anchor calculations ------------------------------

    /**
     * @notice Returns the current random seed which is used to determine later utilised random numbers.
     * If rounds have elapsed without reveals, hash the seed with an incremented nonce to produce a new
     * random seed and hence a new round anchor.
     */
    function currentSeed() public view returns (bytes32) {
        uint64 cr = currentRound();
        bytes32 currentSeedValue = seed;

        if (cr > currentRevealRound + 1) {
            uint256 difference = cr - currentRevealRound - 1;
            currentSeedValue = keccak256(abi.encodePacked(currentSeedValue, difference));
        }

        return currentSeedValue;
    }

    /**
     * @notice Returns the seed which will become current once the next commit phase begins.
     * Used to determine what the next round's anchor will be.
     */
    function nextSeed() public view returns (bytes32) {
        uint64 cr = currentRound() + 1;
        bytes32 currentSeedValue = seed;

        if (cr > currentRevealRound + 1) {
            uint256 difference = cr - currentRevealRound - 1;
            currentSeedValue = keccak256(abi.encodePacked(currentSeedValue, difference));
        }

        return currentSeedValue;
    }

    /**
     * @notice The random value used to choose the selected truth teller.
     */
    function currentTruthSelectionAnchor() private view returns (string memory) {
        if (!currentPhaseClaim()) {
            revert NotClaimPhase();
        }

        uint64 cr = currentRound();
        if (cr != currentRevealRound) {
            revert NoReveals();
        }

        return string(abi.encodePacked(seed, "0"));
    }

    /**
     * @notice The random value used to choose the selected beneficiary.
     */
    function currentWinnerSelectionAnchor() private view returns (string memory) {
        if (!currentPhaseClaim()) {
            revert NotClaimPhase();
        }
        uint64 cr = currentRound();
        if (cr != currentRevealRound) {
            revert NoReveals();
        }

        return string(abi.encodePacked(seed, "1"));
    }

    /**
     * @notice The anchor used to determine eligibility for the current round.
     * @dev A node must be within proximity order of less than or equal to the storage depth they intend to report.
     */
    function currentRoundAnchor() public view returns (bytes32 returnVal) {
        // This will be called in reveal phase and set as currentRevealRoundAnchor or in
        // commit phase when checking eligibility for next round by isParticipatingInUpcomingRound
        if (currentPhaseCommit() || (currentRound() > currentRevealRound && !currentPhaseClaim())) {
            return currentSeed();
        }

        // This will be called by isParticipatingInUpcomingRound check in claim phase
        if (currentPhaseClaim()) {
            return nextSeed();
        }

        // Without this, this function will output 0x0 after first reveal which is value and we prefere it reverts
        if (currentPhaseReveal() && currentRound() == currentRevealRound) {
            revert FirstRevealDone();
        }
    }

    /**
     * @notice Returns true if an overlay address _A_ is within proximity order _minimum_ of _B_.
     * @param A An overlay address to compare.
     * @param B An overlay address to compare.
     * @param minimum Minimum proximity order.
     */
    function inProximity(bytes32 A, bytes32 B, uint8 minimum) public pure returns (bool) {
        if (minimum == 0) {
            return true;
        }

        return uint256(A ^ B) < uint256(2 ** (256 - minimum));
    }

    // ----------------------------- Commit ------------------------------

    /**
     * @notice The number of the current round.
     */
    function currentRound() public view returns (uint64) {
        return uint64(block.number / ROUND_LENGTH);
    }

    /**
     * @notice Returns true if current block is during commit phase.
     */
    function currentPhaseCommit() public view returns (bool) {
        if (block.number % ROUND_LENGTH < ROUND_LENGTH / 4) {
            return true;
        }
        return false;
    }

    /**
     * @notice Determine if a the owner of a given overlay can participate in the upcoming round.
     * @param _owner The address of the applicant from.
     * @param _depth The storage depth the applicant intends to report.
     */
    function isParticipatingInUpcomingRound(address _owner, uint8 _depth) public view returns (bool) {
        uint256 _lastUpdate = Stakes.lastUpdatedBlockNumberOfAddress(_owner);
        uint8 _depthResponsibility = _depth - Stakes.heightOfAddress(_owner);

        if (currentPhaseReveal()) {
            revert WrongPhase();
        }

        if (_lastUpdate == 0) {
            revert NotStaked();
        }

        if (_lastUpdate >= block.number - 2 * ROUND_LENGTH) {
            revert MustStake2Rounds();
        }

        return inProximity(Stakes.overlayOfAddress(_owner), currentRoundAnchor(), _depthResponsibility);
    }

    // ----------------------------- Reveal ------------------------------

    /**
     * @notice Returns minimum depth reveal has to have to participate in this round
     */
    function currentMinimumDepth() public view returns (uint8) {
        // We are checking value in reveal phase, as the currentCommitRound is set to the current round
        // but the currentClaimRound is still set to the last time claim was made
        // We add 1 to ensure that for the next round the minimum depth is the same as last winner depth

        uint256 difference = currentCommitRound - currentClaimRound;
        uint8 skippedRounds = uint8(difference > 254 ? 254 : difference) + 1;

        uint8 lastWinnerDepth = winner.depth;

        // We ensure that skippedRounds is not bigger than lastWinnerDepth, because of overflow
        return skippedRounds >= lastWinnerDepth ? 0 : lastWinnerDepth - skippedRounds;
    }

    /**
     * @notice Helper function to get this node reveal in commits
     * @dev
     */
    function findCommit(bytes32 _overlay, bytes32 _obfuscatedHash) internal view returns (uint256) {
        for (uint256 i = 0; i < currentCommits.length; ) {
            if (currentCommits[i].overlay == _overlay && _obfuscatedHash == currentCommits[i].obfuscatedHash) {
                return i;
            }
            unchecked {
                ++i;
            }
        }
        revert NoMatchingCommit();
    }

    /**
     * @notice Hash the pre-image values to the obsfucated hash.
     * @dev _revealNonce_ must be randomly generated, used once and kept secret until the reveal phase.
     * @param _overlay The overlay address of the applicant.
     * @param _depth The reported depth.
     * @param _hash The reserve commitment hash.
     * @param revealNonce A random, single use, secret nonce.
     */
    function wrapCommit(
        bytes32 _overlay,
        uint8 _depth,
        bytes32 _hash,
        bytes32 revealNonce
    ) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(_overlay, _depth, _hash, revealNonce));
    }

    /**
     * @notice Returns true if current block is during reveal phase.
     */
    function currentPhaseReveal() public view returns (bool) {
        uint256 number = block.number % ROUND_LENGTH;
        if (number >= ROUND_LENGTH / 4 && number < ROUND_LENGTH / 2) {
            return true;
        }
        return false;
    }

    /**
     * @notice Returns true if current block is during reveal phase.
     */
    function currentRoundReveals() public view returns (Reveal[] memory) {
        if (!currentPhaseClaim()) {
            revert NotClaimPhase();
        }
        uint64 cr = currentRound();
        if (cr != currentRevealRound) {
            revert NoReveals();
        }

        return currentReveals;
    }

    // ----------------------------- Claim  ------------------------------

    /**
     * @notice Returns true if current block is during claim phase.
     */
    function currentPhaseClaim() public view returns (bool) {
        if (block.number % ROUND_LENGTH >= ROUND_LENGTH / 2) {
            return true;
        }
        return false;
    }

    function getCurrentTruth() internal view returns (bytes32 Hash, uint8 Depth) {
        uint256 currentSum;
        bytes32 randomNumber;
        uint256 randomNumberTrunc;

        bytes32 truthRevealedHash;
        uint8 truthRevealedDepth;
        uint256 revIndex;
        string memory truthSelectionAnchor = currentTruthSelectionAnchor();
        uint256 commitsArrayLength = currentCommits.length;

        for (uint256 i = 0; i < commitsArrayLength; ) {
            if (currentCommits[i].revealed) {
                revIndex = currentCommits[i].revealIndex;
                currentSum += currentReveals[revIndex].stakeDensity;
                randomNumber = keccak256(abi.encodePacked(truthSelectionAnchor, i));
                randomNumberTrunc = uint256(randomNumber & MAX_H);

                // question is whether randomNumber / MAX_H < probability
                // where probability is stakeDensity / currentSum
                // to avoid resorting to floating points all divisions should be
                // simplified with multiplying both sides (as long as divisor > 0)
                // randomNumber / (MAX_H + 1) < stakeDensity / currentSum
                // ( randomNumber / (MAX_H + 1) ) * currentSum < stakeDensity
                // randomNumber * currentSum < stakeDensity * (MAX_H + 1)
                if (randomNumberTrunc * currentSum < currentReveals[revIndex].stakeDensity * (uint256(MAX_H) + 1)) {
                    truthRevealedHash = currentReveals[revIndex].hash;
                    truthRevealedDepth = currentReveals[revIndex].depth;
                }
            }
            unchecked {
                ++i;
            }
        }

        return (truthRevealedHash, truthRevealedDepth);
    }

    /**
     * @notice Determine if a the owner of a given overlay will be the beneficiary of the claim phase.
     * @param _overlay The overlay address of the applicant.
     */
    function isWinner(bytes32 _overlay) public view returns (bool) {
        if (!currentPhaseClaim()) {
            revert NotClaimPhase();
        }

        uint64 cr = currentRound();
        if (cr != currentRevealRound) {
            revert NoReveals();
        }

        if (cr <= currentClaimRound) {
            revert AlreadyClaimed();
        }

        uint256 currentWinnerSelectionSum;
        bytes32 winnerIs;
        bytes32 randomNumber;
        uint256 randomNumberTrunc;
        bytes32 truthRevealedHash;
        uint8 truthRevealedDepth;
        uint256 revIndex;
        string memory winnerSelectionAnchor = currentWinnerSelectionAnchor();
        uint256 redundancyCount = 0;

        // Get current truth
        (truthRevealedHash, truthRevealedDepth) = getCurrentTruth();
        uint256 commitsArrayLength = currentCommits.length;

        for (uint256 i = 0; i < commitsArrayLength; ) {
            revIndex = currentCommits[i].revealIndex;

            // Deterministically read winner
            if (
                currentCommits[i].revealed &&
                truthRevealedHash == currentReveals[revIndex].hash &&
                truthRevealedDepth == currentReveals[revIndex].depth
            ) {
                currentWinnerSelectionSum += currentReveals[revIndex].stakeDensity;
                randomNumber = keccak256(abi.encodePacked(winnerSelectionAnchor, redundancyCount));
                randomNumberTrunc = uint256(randomNumber & MAX_H);

                if (
                    randomNumberTrunc * currentWinnerSelectionSum <
                    currentReveals[revIndex].stakeDensity * (uint256(MAX_H) + 1)
                ) {
                    winnerIs = currentReveals[revIndex].overlay;
                }

                redundancyCount++;
            }
            unchecked {
                ++i;
            }
        }

        return (winnerIs == _overlay);
    }

    // ----------------------------- Claim verifications  ------------------------------

    function socFunction(ChunkInclusionProof calldata entryProof) internal pure {
        if (entryProof.socProof.length == 0) return;

        if (
            !Signatures.socVerify(
                entryProof.socProof[0].signer, // signer Ethereum address to check against
                entryProof.socProof[0].signature,
                entryProof.socProof[0].identifier,
                entryProof.socProof[0].chunkAddr
            )
        ) {
            revert SocVerificationFailed(entryProof.socProof[0].chunkAddr);
        }

        if (
            calculateSocAddress(entryProof.socProof[0].identifier, entryProof.socProof[0].signer) !=
            entryProof.proveSegment
        ) {
            revert SocCalcNotMatching(entryProof.socProof[0].chunkAddr);
        }
    }

    function stampFunction(ChunkInclusionProof calldata entryProof) internal view {
        // authentic
        (address batchOwner, uint8 batchDepth, uint8 bucketDepth, , , ) = PostageContract.batches(
            entryProof.postageProof.postageId
        );

        // alive
        if (batchOwner == address(0)) {
            revert BatchDoesNotExist(entryProof.postageProof.postageId); // Batch does not exist or expired
        }

        uint32 postageIndex = getPostageIndex(entryProof.postageProof.index);
        uint256 maxPostageIndex = postageStampIndexCount(batchDepth, bucketDepth);
        // available
        if (postageIndex >= maxPostageIndex) {
            revert IndexOutsideSet(entryProof.postageProof.postageId);
        }

        // aligned
        uint64 postageBucket = getPostageBucket(entryProof.postageProof.index);
        uint64 addressBucket = addressToBucket(entryProof.proveSegment, bucketDepth);
        if (postageBucket != addressBucket) {
            revert BucketDiffers(entryProof.postageProof.postageId);
        }

        // authorized
        if (
            !Signatures.postageVerify(
                batchOwner,
                entryProof.postageProof.signature,
                entryProof.proveSegment,
                entryProof.postageProof.postageId,
                entryProof.postageProof.index,
                entryProof.postageProof.timeStamp
            )
        ) {
            revert SigRecoveryFailed(entryProof.postageProof.postageId);
        }
    }

    function addressToBucket(bytes32 swarmAddress, uint8 bucketDepth) internal pure returns (uint32) {
        uint32 prefix = uint32(uint256(swarmAddress) >> (256 - 32));
        return prefix >> (32 - bucketDepth);
    }

    function postageStampIndexCount(uint8 postageDepth, uint8 bucketDepth) internal pure returns (uint256) {
        return 1 << (postageDepth - bucketDepth);
    }

    function getPostageIndex(uint64 signedIndex) internal pure returns (uint32) {
        return uint32(signedIndex);
    }

    function getPostageBucket(uint64 signedIndex) internal pure returns (uint64) {
        return uint32(signedIndex >> 32);
    }

    function calculateSocAddress(bytes32 identifier, address signer) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(identifier, signer));
    }

    function checkOrder(uint256 a, uint256 b, bytes32 trA1, bytes32 trA2, bytes32 trALast) internal pure {
        if (a < b) {
            if (uint256(trA1) >= uint256(trA2)) {
                revert RandomElementCheckFailed();
            }
            if (uint256(trA2) >= uint256(trALast)) {
                revert LastElementCheckFailed();
            }
        } else {
            if (uint256(trA2) >= uint256(trA1)) {
                revert RandomElementCheckFailed();
            }
            if (uint256(trA1) >= uint256(trALast)) {
                revert LastElementCheckFailed();
            }
        }
    }

    function estimateSize(bytes32 trALast) internal view {
        if (uint256(trALast) >= sampleMaxValue) {
            revert ReserveCheckFailed(trALast);
        }
    }
}

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

library Signatures {
    error InvalidSignatureLength();

    /** Hash of the message to sign */
    function getPostageMessageHash(
        bytes32 _chunkAddr,
        bytes32 _batchId,
        uint64 _index,
        uint64 _timeStamp
    ) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(_chunkAddr, _batchId, _index, _timeStamp));
    }

    function postageVerify(
        address _signer, // signer Ethereum address to check against
        bytes memory _signature,
        bytes32 _chunkAddr,
        bytes32 _postageId,
        uint64 _index,
        uint64 _timeStamp
    ) internal pure returns (bool) {
        bytes32 messageHash = getPostageMessageHash(_chunkAddr, _postageId, _index, _timeStamp);
        bytes32 ethMessageHash = getEthSignedMessageHash(messageHash);

        return recoverSigner(ethMessageHash, _signature) == _signer;
    }

    function getEthSignedMessageHash(bytes32 _messageHash) internal pure returns (bytes32) {
        /*
        Signature is produced by signing a keccak256 hash with the following format:
        "\x19Ethereum Signed Message\n" + len(msg) + msg
        */
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", _messageHash));
    }

    function recoverSigner(
        bytes32 _ethSignedMessageHash, // it has to be prefixed message: https://ethereum.stackexchange.com/questions/19582/does-ecrecover-in-solidity-expects-the-x19ethereum-signed-message-n-prefix/21037
        bytes memory _signature
    ) internal pure returns (address) {
        (bytes32 r, bytes32 s, uint8 v) = splitSignature(_signature);

        return ecrecover(_ethSignedMessageHash, v, r, s);
    }

    function splitSignature(bytes memory sig) internal pure returns (bytes32 r_, bytes32 s_, uint8 v_) {
        if (sig.length != 65) {
            revert InvalidSignatureLength();
        }

        assembly {
            /*
            verbose explanation: https://ethereum.stackexchange.com/questions/135591/split-signature-function-in-solidity-by-example-docs
            First 32 bytes stores the length of the signature
            add(sig, 32) = pointer of sig + 32
            effectively, skips first 32 bytes of signature
            mload(p) loads next 32 bytes starting at the memory address p into memory
            */

            // first 32 bytes, after the length prefix
            r_ := mload(add(sig, 32))
            // second 32 bytes
            s_ := mload(add(sig, 64))
            // final byte (first byte of the next 32 bytes)
            v_ := byte(0, mload(add(sig, 96)))
        }

        // implicitly return (r, s, v)
    }

    function getSocMessageHash(bytes32 _identifier, bytes32 _chunkAddr) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(_identifier, _chunkAddr));
    }

    function socVerify(
        address _signer, // signer Ethereum address to check against
        bytes memory _signature,
        bytes32 _identifier,
        bytes32 _chunkAddr
    ) internal pure returns (bool) {
        bytes32 messageHash = getSocMessageHash(_identifier, _chunkAddr);
        bytes32 ethMessageHash = getEthSignedMessageHash(messageHash);

        return recoverSigner(ethMessageHash, _signature) == _signer;
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (utils/Strings.sol)

pragma solidity ^0.8.0;

import "./math/Math.sol";

/**
 * @dev String operations.
 */
library Strings {
    bytes16 private constant _SYMBOLS = "0123456789abcdef";
    uint8 private constant _ADDRESS_LENGTH = 20;

    /**
     * @dev Converts a `uint256` to its ASCII `string` decimal representation.
     */
    function toString(uint256 value) internal pure returns (string memory) {
        unchecked {
            uint256 length = Math.log10(value) + 1;
            string memory buffer = new string(length);
            uint256 ptr;
            /// @solidity memory-safe-assembly
            assembly {
                ptr := add(buffer, add(32, length))
            }
            while (true) {
                ptr--;
                /// @solidity memory-safe-assembly
                assembly {
                    mstore8(ptr, byte(mod(value, 10), _SYMBOLS))
                }
                value /= 10;
                if (value == 0) break;
            }
            return buffer;
        }
    }

    /**
     * @dev Converts a `uint256` to its ASCII `string` hexadecimal representation.
     */
    function toHexString(uint256 value) internal pure returns (string memory) {
        unchecked {
            return toHexString(value, Math.log256(value) + 1);
        }
    }

    /**
     * @dev Converts a `uint256` to its ASCII `string` hexadecimal representation with fixed length.
     */
    function toHexString(uint256 value, uint256 length) internal pure returns (string memory) {
        bytes memory buffer = new bytes(2 * length + 2);
        buffer[0] = "0";
        buffer[1] = "x";
        for (uint256 i = 2 * length + 1; i > 1; --i) {
            buffer[i] = _SYMBOLS[value & 0xf];
            value >>= 4;
        }
        require(value == 0, "Strings: hex length insufficient");
        return string(buffer);
    }

    /**
     * @dev Converts an `address` with fixed length of 20 bytes to its not checksummed ASCII `string` hexadecimal representation.
     */
    function toHexString(address addr) internal pure returns (string memory) {
        return toHexString(uint256(uint160(addr)), _ADDRESS_LENGTH);
    }
}

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

library TransformedBMTChunk {
    // max chunk payload size
    uint256 public constant MAX_CHUNK_PAYLOAD_SIZE = 4096;
    // segment byte size
    uint256 public constant SEGMENT_SIZE = 32;

    /** Calculates the root hash from the provided inclusion proof segments and its corresponding segment index
     * @param _proofSegments Proof segments.
     * @param _proveSegment Segment to prove.
     * @param _proveSegmentIndex Prove segment index
     * @return _calculatedHash chunk hash
     */
    function transformedRootHashFromInclusionProof(
        bytes32[] memory _proofSegments,
        bytes32 _proveSegment,
        uint256 _proveSegmentIndex,
        bytes32 key
    ) internal pure returns (bytes32 _calculatedHash) {
        _calculatedHash = _proveSegment;
        for (uint256 i = 0; i < _proofSegments.length; i++) {
            bool mergeFromRight = _proveSegmentIndex % 2 == 0 ? true : false;
            _calculatedHash = transformedMergeSegment(_calculatedHash, _proofSegments[i], mergeFromRight, key);
            _proveSegmentIndex >>= 1;
        }

        return _calculatedHash;
    }

    /**
     * @notice          Changes the endianness of a uint64.
     * @dev             https://graphics.stanford.edu/~seander/bithacks.html#ReverseParallel
     * @param _b        The unsigned integer to reverse
     * @return          v - The reversed value
     */
    function reverseUint64(uint64 _b) public pure returns (uint64) {
        uint256 v = _b;

        // swap bytes
        v =
            ((v >> 8) & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) |
            ((v & 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF) << 8);
        // swap 2-byte long pairs
        v =
            ((v >> 16) & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) |
            ((v & 0x0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF) << 16);
        // swap 4-byte long pairs
        v =
            ((v >> 32) & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) |
            ((v & 0x00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF) << 32);

        return uint64(v);
    }

    /**
     * Calculate the chunk address from the Binary Merkle Tree of the chunk data
     *
     * The BMT chunk address is the hash of the 8 byte span and the root
     * hash of a binary Merkle tree (BMT) built on the 32-byte segments
     * of the underlying data.
     * @param _proofSegments Proof segments.
     * @param _proveSegment Segment to prove.
     * @param _proveSegmentIndex Prove segment index
     * @param _chunkSpan chunk bytes length
     * @return _chunkHash chunk hash
     */
    function transformedChunkAddressFromInclusionProof(
        bytes32[] memory _proofSegments,
        bytes32 _proveSegment,
        uint256 _proveSegmentIndex,
        uint64 _chunkSpan,
        bytes32 key
    ) internal pure returns (bytes32) {
        bytes32 rootHash = transformedRootHashFromInclusionProof(
            _proofSegments,
            _proveSegment,
            _proveSegmentIndex,
            key
        );
        return keccak256(abi.encodePacked(key, reverseUint64(_chunkSpan), rootHash));
    }

    function transformedMergeSegment(
        bytes32 _calculatedHash,
        bytes32 _proofSegment,
        bool mergeFromRight,
        bytes32 key
    ) internal pure returns (bytes32 res) {
        if (mergeFromRight) {
            res = keccak256(abi.encode(key, _calculatedHash, _proofSegment));
        } else {
            res = keccak256(abi.encode(key, _proofSegment, _calculatedHash));
        }
        return res;
    }
}

{
  "compilationTarget": {
    "src/Redistribution.sol": "Redistribution"
  },
  "evmVersion": "paris",
  "libraries": {},
  "metadata": {
    "bytecodeHash": "ipfs",
    "useLiteralContent": true
  },
  "optimizer": {
    "enabled": true,
    "runs": 1000
  },
  "remappings": []
}