// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import { IShieldsAPI } from "shields-api/interfaces/IShieldsAPI.sol";
import { Owned } from "solmate/auth/Owned.sol";
import { ERC721 } from "solmate/tokens/ERC721.sol";
import { LibString } from "solmate/utils/LibString.sol";
import { ICurta } from "@/contracts/interfaces/ICurta.sol";
import { Base64 } from "@/contracts/utils/Base64.sol";
/// @title The Authorship Token ERC-721 token contract
/// @author fiveoutofnine
/// @author Modified from Solmate (https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC721.sol)
/// @notice ``Authorship Tokens'' are ERC-721 tokens that are required to add
/// puzzles to Curta. Each Authorship Token may be used like a ticket once.
/// After an Authorship Token has been used to add a puzzle, it can never be
/// used again to add another puzzle. As soon as a puzzle has been deployed and
/// added to Curta, anyone may attempt to solve it.
/// @dev Other than the initial distribution, the only way to obtain an
/// Authorship Token will be to be the first solver to any puzzle on Curta.
contract AuthorshipToken is ERC721, Owned {
using LibString for uint256;
// -------------------------------------------------------------------------
// Constants
// -------------------------------------------------------------------------
/// @notice The shields API contract.
/// @dev This is the mainnet address.
IShieldsAPI constant shieldsAPI = IShieldsAPI(0x740CBbF0116a82F64e83E1AE68c92544870B0C0F);
/// @notice Salt used to compute the seed in {AuthorshipToken.tokenURI}.
bytes32 constant SALT = bytes32("Curta.AuthorshipToken");
// -------------------------------------------------------------------------
// Errors
// -------------------------------------------------------------------------
/// @notice Emitted when there are no tokens available to claim.
error NoTokensAvailable();
/// @notice Emitted when `msg.sender` is not authorized.
error Unauthorized();
// -------------------------------------------------------------------------
// Immutable Storage
// -------------------------------------------------------------------------
/// @notice The Curta / Flags contract.
address public immutable curta;
/// @notice The number of seconds until an additional token is made
/// available for minting by the author.
uint256 public immutable issueLength;
/// @notice The timestamp of when the contract was deployed.
uint256 public immutable deployTimestamp;
// -------------------------------------------------------------------------
// Storage
// -------------------------------------------------------------------------
/// @notice The number of tokens that have been claimed by the owner.
uint256 public numClaimedByOwner;
/// @notice The total supply of tokens.
uint256 public totalSupply;
// -------------------------------------------------------------------------
// Constructor
// -------------------------------------------------------------------------
/// @param _curta The Curta / Flags contract.
/// @param _issueLength The number of seconds until an additional token is
/// made available for minting by the author.
/// @param _authors The list of authors in the initial batch.
constructor(address _curta, uint256 _issueLength, address[] memory _authors)
ERC721("Authorship Token", "AUTH")
curta = _curta;
issueLength = _issueLength;
deployTimestamp = block.timestamp;
// Mint tokens to the initial batch of authors.
uint256 length = _authors.length;
for (uint256 i; i < length;) {
_mint(_authors[i], i + 1);
unchecked {
// [MIGRATION] Mint 1 token to `sampriti.eth`
_mint(0x58593392d72A9D90b133e1C8ecEec581C354687f, length + 1);
totalSupply = length + 1;
// -------------------------------------------------------------------------
// Functions
// -------------------------------------------------------------------------
/// @notice Mints a token to `_to`.
/// @dev Only the Curta contract can call this function.
/// @param _to The address to mint the token to.
function curtaMint(address _to) external {
// Revert if the sender is not the Curta contract.
if (msg.sender != curta) revert Unauthorized();
unchecked {
uint256 tokenId = ++totalSupply;
_mint(_to, tokenId);
/// @notice Mints a token to `_to`.
/// @dev Only the owner can call this function. The owner may claim a token
/// every `issueLength` seconds.
/// @param _to The address to mint the token to.
function ownerMint(address _to) external onlyOwner {
unchecked {
uint256 numIssued = (block.timestamp - deployTimestamp) / issueLength;
uint256 numMintable = numIssued - numClaimedByOwner++;
// Revert if no tokens are available to mint.
if (numMintable == 0) revert NoTokensAvailable();
// Mint token
uint256 tokenId = ++totalSupply;
_mint(_to, tokenId);
// -------------------------------------------------------------------------
// ERC721Metadata
// -------------------------------------------------------------------------
/// @notice A distinct Uniform Resource Identifier (URI) for a given asset.
/// @param _tokenId The token ID.
/// @return URI for the token.
function tokenURI(uint256 _tokenId) public view override returns (string memory) {
require(_ownerOf[_tokenId] != address(0), "NOT_MINTED");
// Generate seed.
uint256 seed = uint256(keccak256(abi.encodePacked(_tokenId, SALT)));
// Bitpacked colors.
uint256 colors = 0x6351CEFF00FFB300FF6B00B5000A007FFF78503C323232FE7FFF6C28A2FF007A;
// Shuffle `colors` by performing 4 iterations of Fisher-Yates shuffle.
// We do this to pick 4 unique colors from `colors`.
unchecked {
uint256 shift = 24 * (seed % 11);
colors = (colors & ((type(uint256).max ^ (0xFFFFFF << shift)) ^ 0xFFFFFF))
| ((colors & 0xFFFFFF) << shift) | ((colors >> shift) & 0xFFFFFF);
seed >>= 4;
shift = 24 * (seed % 10);
colors = (colors & ((type(uint256).max ^ (0xFFFFFF << shift)) ^ (0xFFFFFF << 24)))
| (((colors >> 24) & 0xFFFFFF) << shift) | (((colors >> shift) & 0xFFFFFF) << 24);
seed >>= 4;
shift = 24 * (seed % 9);
colors = (colors & ((type(uint256).max ^ (0xFFFFFF << shift)) ^ (0xFFFFFF << 48)))
| (((colors >> 48) & 0xFFFFFF) << shift) | (((colors >> shift) & 0xFFFFFF) << 48);
seed >>= 4;
shift = 24 * (seed & 7);
colors = (colors & ((type(uint256).max ^ (0xFFFFFF << shift)) ^ (0xFFFFFF << 72)))
| (((colors >> 72) & 0xFFFFFF) << shift) | (((colors >> shift) & 0xFFFFFF) << 72);
seed >>= 3;
return string.concat(
'{"name":"Authorship Token #',
'","description":"This token allows 1 puzzle to be added to Curta. Once it has '
'been used, it can never be used again.","image_data":"data:image/svg+xml;base6'
'<svg width="750" height="750" xmlns="http://www.w3.org/2000/svg" fill='
'"none" viewBox="0 0 750 750"><style>.a{filter:url(#c)drop-shadow(0 0 2'
"px #007fff);fill:#fff;width:4px}.b{filter:drop-shadow(0 0 .5px #007fff"
'MW6dCcHc6I9atPW9msuGc/bptop2dPAAA=)}</style><defs><radialGradient id="'
'b"><stop stop-color="#007FFF"/><stop offset="100%" stop-opacity="0"/><'
'/radialGradient><filter id="c"><feGaussianBlur stdDeviation="8" in="So'
'urceGraphic" result="offset-blur"/><feComposite operator="out" in="Sou'
'rceGraphic" in2="offset-blur" result="inverse"/><feFlood flood-color="'
'#007FFF" flood-opacity=".95" result="color"/><feComposite operator="in'
'" in="color" in2="inverse" result="shadow"/><feComposite in="shadow" i'
'n2="SourceGraphic"/><feComposite operator="atop" in="shadow" in2="Sour'
'ceGraphic"/></filter><mask id="a"><path fill="#000" d="M0 0h750v750H0z'
'"/><rect class="i" x="215" y="65" rx="20" fill="#FFF"/><circle class="'
'j l" cy="65"/><circle class="j l" cy="685"/></mask></defs><path fill="'
'#10131C" d="M0 0h750v750H0z"/><rect class="i n" x="215" y="65" mask="u'
'rl(#a)" rx="20"/><circle mask="url(#a)" fill="url(#b)" cx="375" cy="38'
'1" r="180"/><circle class="j k n" cy="125"/><g transform="translate(35'
'9 110)"><circle class="n" cy="16" cx="16" r="16"/><rect class="a c" x='
'"8" y="7" rx="2"/><rect class="b f" x="8.5" y="7.5" rx="1.5"/><rect cl'
'ass="a e" x="8" y="21" rx="2"/><rect class="b h" x="8.5" y="21.5" rx="'
'1.5"/><rect class="a d" x="14" y="7" rx="2"/><rect class="b g" x="14.5'
'" y="7.5" rx="1.5"/><rect class="a e" x="14" y="14" rx="2"/><rect clas'
's="b h" x="14.5" y="14.5" rx="1.5"/><rect class="a d" x="14" y="19" rx'
'="2"/><rect class="b g" x="14.5" y="19.5" rx="1.5"/><rect class="a c" '
'x="20" y="12" rx="2"/><rect class="b f" x="20.5" y="12.5" rx="1.5"/><r'
'ect class="a e" x="20" y="7" rx="2"/><rect class="b h" x="20.5" y="7.5'
'" rx="1.5"/></g><path d="M338.814 168.856c-.373 0-.718-.063-1.037-.191'
"a2.829 2.829 0 0 1-.878-.606 2.828 2.828 0 0 1-.606-.878 2.767 2.767 0"
" 0 1-.193-1.037v-.336c0-.372.064-.723.192-1.053.138-.319.34-.611.606-."
"877a2.59 2.59 0 0 1 .878-.59 2.58 2.58 0 0 1 1.038-.208h4.26c.245 0 .4"
".345.431.558. 0 0 1-.016.095.346.346 0 0"
" 1-. 0 0 1-.32.032.333.333 0 0 1-.239-.192 3.016 3.016 0 "
"0 0-.303-.399 2.614 2.614 0 0 0-.415-.303 1.935 1.935 0 0 0-.463-.191 "
"1.536 1.536 0 0 0-.495-.048c-.712 0-1.42-.006-2.122-.016-.713 0-1.425."
"005-2.138.016-.266 0-.51.042-.734.127-.234.096-.442.24-.623.431a1.988 "
"1.988 0 0 0-.43.623 1.961 1.961 0 0 0-.144.75v.335a1.844 1.844 0 0 0 ."
"574 1.356 1.844 1.844 0 0 0 1.356.574h4.261c.17 0 .33-.015.48-.047a2.0"
"2 2.02 0 0 0 .446-.192c.149-.074.282-.165.399-.271.106-.107.207-.229.3"
"03-.367a.438.438 0 0 1 .255-.144c.096-. 0 0 1 "
".16.24.306.306 0 0 1-.033.27 2.653 2.653 0 0 1-.43.527c-.16.139-.346.2"
"7.553 0c-.713 0-1.324-.266-1.835-.797a2.69 2.69 0 0 1-.766-1.931v-2.66"
"5c0-.117.037-.213.112-.287a.37.37 0 0 1 .27-.112c.118 0 ."
"12a.39.39 0 0 1 .112.287v2.664c0 .533.18.99.542 1.373a1.71 1.71 0 0 0 "
"1.293.559h3.878c.51 0 .941-.187 1.292-.559a1.93 1.93 0 0 0 .543-1.372v"
"-2.665a.39.39 0 0 1 .111-.287.389.389 0 0 1 .288-.112.37.37 0 0 1 .271"
".112.39.39 0 0 1 .112.287v2.664c0 .756-.256 1.4-.766 1.932-.51.531-1.1"
"28.797-1.851.797h-3.894Zm23.824-.718a.456.456 0 0 1 .16.192c.01.042.01"
" 0 0 1-.016.112.355.355 0 0 1-.143.208.423.423 0 0 "
"1-.24.063h-.048a.141.141 0 0 1-.064-.016c-.02 0-.037-.005-.047-.016a10"
"4.86 104.86 0 0 1-1.18-.83c-.374-.265-.746-.531-1.118-.797-.011 0-.016"
"-.006-.016-.016-.01 0-.016-.005-.016-.016-.01 0-.016-.005-.016-.016h-5"
".553v1.324a.39.39 0 0 1-.112.288.425.425 0 0 1-. 0 0 1-.2"
"72-.111.389.389 0 0 1-.111-.288v-4.946c0-.054.005-.107.016-.16a.502.50"
"2 0 0 1 .095-.128.374.374 0 0 1 .128-.08.316.316 0 0 1 .144-.031h6.893"
"c.256 0 .49.048.702."
"23.127.457.127.702v.335c0 .223-.032.43-.095.622a2.107 2.107 0 0 1-.32."
"7.469.345.703.526Zm-8.281-4.228v2.425h6.494a.954.954 0 0 0 .4-.08.776."
"776 0 0 0 .334-.223c.107-.106.186-.218.24-.335.053-.128.08-.266.08-.41"
"5v-.32a.954.954 0 0 0-.08-.398 1.232 1.232 0 0 0-.224-.351 1.228 1.228"
" 0 0 0-.35-.224.954.954 0 0 0-.4-.08h-6.494Zm24.67-.782c.106 0 .202.03"
"7.287.111a.37.37 0 0 1 . 0 0 1-.112.287.425.425 0 0 1-.28"
"7.112h-3.64v4.579a.37.37 0 0 1-.111.272.348.348 0 0 1-.271.127.397.397"
" 0 0 1-.288-.127.37.37 0 0 1-.111-.272v-4.579h-3.639a.37.37 0 0 1-.271"
"-.111.39.39 0 0 1-.112-.287.37.37 0 0 1 .112-.272.37.37 0 0 1 .271-.11"
"1h8.058Zm15.782-.048c.723 0 1.34.266 1.85.798.511.532.767 1.17.767 1.9"
"15v2.68a.37.37 0 0 1-.112.272.397.397 0 0 1-.287.127.348.348 0 0 1-.27"
"2-.127.348.348 0 0 1-.127-.272v-1.196h-7.532v1.196a.348.348 0 0 1-.128"
".272.348.348 0 0 1-.271.127.348.348 0 0 1-.271-.127.348.348 0 0 1-.128"
"-.272v-2.68c0-.745.255-1.383.766-1.915.51-.532 1.128-.798 1.851-.798h3"
".894Zm-5.697 3.415h7.548v-.702c0-.532-.176-.984-.527-1.357-.362-.383-."
"792-.574-1.292-.574H408.5c-.51 0-.942.191-1.293.574a1.875 1.875 0 0 0-"
".542 1.357v.702ZM297.898 204.5h4.16l1.792-5.152h9.408l1.824 5.152h4.44"
"8l-8.704-23.2h-4.288l-8.64 23.2Zm10.624-18.496 3.52 9.952h-7.008l3.488"
"-9.952Zm22.81 18.496h3.807v-17.216h-3.808v9.184c0 3.104-1.024 5.344-3."
"872 5.344s-3.168-2.272-3.168-4.608v-9.92h-3.808v10.848c0 4.096 1.664 6"
".784 5.76 6.784 2.336 0 4.096-.992 5.088-2.784v2.368Zm7.678-17.216h-2."
"56v2.752h2.56v9.952c0 3.52.736 4.512 4.416 4.512h2.816v-2.912h-1.376c-"
"1.632 0-2.048-.416-2.048-2.176v-9.376h3.456v-2.752h-3.456v-4.544h-3.80"
"8v4.544Zm13.179-5.984h-3.809v23.2h3.808v-9.152c0-3.104 1.088-5.344 4-5"
".344s3.264 2.272 3.264 4.608v9.888h3.808v-10.816c0-4.096-1.696-6.784-5"
".856-6.784-2.4 0-4.224.992-5.216 2.784V181.3Zm16.86 14.624c0-3.968 2.1"
"44-5.92 4.544-5.92 2.4 0 4.544 1.952 4.544 5.92s-2.144 5.888-4.544 5.8"
"88c-2.4 0-4.544-1.92-4.544-5.888Zm4.544-9.024c-4.192 0-8.48 2.816-8.48"
" 9.024 0 6.208 4.288 8.992 8.48 8.992s8.48-2.784 8.48-8.992c0-6.208-4."
"288-9.024-8.48-9.024Zm20.057.416a10.32 10.32 0 0 0-.992-.064c-2.08.032"
"-3.744 1.184-4.672 3.104v-3.072h-3.744V204.5h3.808v-9.024c0-3.456 1.37"
"6-4.416 3.776-4.416.576 0 1.184.032 1.824.096v-3.84Zm14.665 4.672c-.70"
"4-3.456-3.776-5.088-7.136-5.088-3.744 0-7.008 1.952-7.008 4.992 0 3.13"
"6 2.272 4.448 5.184 5.024l2.592.512c1.696.32 2.976.96 2.976 2.368s-1.4"
"72 2.24-3.456 2.24c-2.24 0-3.52-1.024-3.872-2.784h-3.712c.416 3.264 3."
"232 5.664 7.456 5.664 3.904 0 7.296-1.984 7.296-5.568 0-3.36-2.656-4.4"
"48-6.144-5.12l-2.432-.48c-1.472-.288-2.304-.896-2.304-2.048 0-1.152 1."
"536-1.888 3.2-1.888 1.92 0 3.36.608 3.776 2.176h3.584Zm6.284-10.688h-3"
".808v23.2h3.808v-9.152c0-3.104 1.088-5.344 4-5.344s3.264 2.272 3.264 4"
".608v9.888h3.808v-10.816c0-4.096-1.696-6.784-5.856-6.784-2.4 0-4.224.9"
"92-5.216 2.784V181.3Zm14.076 0v3.84h3.808v-3.84h-3.808Zm0 5.984V204.5h"
"3.808v-17.216h-3.808Zm10.781 8.608c0-3.968 1.952-5.888 4.448-5.888 2.6"
"56 0 4.256 2.272 4.256 5.888 0 3.648-1.6 5.92-4.256 5.92-2.496 0-4.448"
"-1.952-4.448-5.92Zm-3.648-8.608V210.1h3.808v-7.872c1.024 1.696 2.816 2"
".688 5.12 2.688 4.192 0 7.392-3.488 7.392-9.024 0-5.504-3.2-8.992-7.39"
'2-8.992-2.304 0-4.096.992-5.12 2.688v-2.304h-3.808Z" fill="#F0F6FC"/><'
'path class="k" stroke-dashoffset="5" stroke-dasharray="10" d="M215 545'
'h320"/><g transform="translate(231 237) scale(0.384)">',
field: uint16(seed % 300),
colors: [
uint24(colors & 0xFFFFFF),
uint24((colors >> 24) & 0xFFFFFF),
uint24((colors >> 48) & 0xFFFFFF),
uint24((colors >> 72) & 0xFFFFFF)
hardware: uint16((seed >> 9) % 120),
frame: uint16((seed >> 17) % 5)
'</g><text font-family="A" x="50%" y="605" fill="#F0F6FC" font-size="40'
'" dominant-baseline="central" text-anchor="middle">#',
'</text><rect class="i k o" x="215" y="65" mask="url(#a)" rx="20"/><cir'
'cle class="j k o" cy="65" mask="url(#a)"/><circle class="j k o" cy="68'
'5" mask="url(#a)"/></svg>'
ICurta(curta).hasUsedAuthorshipToken(_tokenId) ? "true" : "false",
// -------------------------------------------------------------------------
// Helper Functions
// -------------------------------------------------------------------------
/// @notice Converts `_value` to a string with leading zeros to reach a
/// minimum of 7 characters.
/// @param _value Number to convert.
/// @return string memory The string representation of `_value` with leading
/// zeros.
function _zfill(uint256 _value) internal pure returns (string memory) {
string memory result = _value.toString();
if (_value < 10) return string.concat("000000", result);
else if (_value < 100) return string.concat("00000", result);
else if (_value < 1000) return string.concat("0000", result);
else if (_value < 10_000) return string.concat("000", result);
else if (_value < 100_000) return string.concat("00", result);
else if (_value < 1_000_000) return string.concat("0", result);
return result;
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
/// @title Base64
/// @author Brecht Devos - <brecht@loopring.org>
/// @notice Provides a function for encoding some bytes in base64
library Base64 {
string internal constant TABLE =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678" "9+/";
function encode(bytes memory data) internal pure returns (string memory) {
if (data.length == 0) return "";
string memory table = TABLE;
uint256 encodedLength = ((data.length + 2) / 3) << 2;
string memory result = new string(encodedLength + 0x20);
assembly {
mstore(result, encodedLength)
let tablePtr := add(table, 1)
let dataPtr := data
let endPtr := add(dataPtr, mload(data))
let resultPtr := add(result, 0x20)
for { } lt(dataPtr, endPtr) { } {
dataPtr := add(dataPtr, 3)
let input := mload(dataPtr)
mstore(resultPtr, shl(0xF8, mload(add(tablePtr, and(shr(0x12, input), 0x3F)))))
resultPtr := add(resultPtr, 1)
mstore(resultPtr, shl(0xF8, mload(add(tablePtr, and(shr(0xC, input), 0x3F)))))
resultPtr := add(resultPtr, 1)
mstore(resultPtr, shl(0xF8, mload(add(tablePtr, and(shr(6, input), 0x3F)))))
resultPtr := add(resultPtr, 1)
mstore(resultPtr, shl(0xF8, mload(add(tablePtr, and(input, 0x3F)))))
resultPtr := add(resultPtr, 1)
switch mod(mload(data), 3)
case 1 { mstore(sub(resultPtr, 2), shl(0xF0, 0x3D3D)) }
case 2 { mstore(sub(resultPtr, 1), shl(0xF8, 0x3D)) }
return result;
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity >=0.8.0;
/// @notice Modern, minimalist, and gas efficient ERC-721 implementation.
/// @author Solmate (https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC721.sol)
abstract contract ERC721 {
event Transfer(address indexed from, address indexed to, uint256 indexed id);
event Approval(address indexed owner, address indexed spender, uint256 indexed id);
event ApprovalForAll(address indexed owner, address indexed operator, bool approved);
string public name;
string public symbol;
function tokenURI(uint256 id) public view virtual returns (string memory);
mapping(uint256 => address) internal _ownerOf;
mapping(address => uint256) internal _balanceOf;
function ownerOf(uint256 id) public view virtual returns (address owner) {
require((owner = _ownerOf[id]) != address(0), "NOT_MINTED");
function balanceOf(address owner) public view virtual returns (uint256) {
require(owner != address(0), "ZERO_ADDRESS");
return _balanceOf[owner];
mapping(uint256 => address) public getApproved;
mapping(address => mapping(address => bool)) public isApprovedForAll;
constructor(string memory _name, string memory _symbol) {
name = _name;
symbol = _symbol;
function approve(address spender, uint256 id) public virtual {
address owner = _ownerOf[id];
require(msg.sender == owner || isApprovedForAll[owner][msg.sender], "NOT_AUTHORIZED");
getApproved[id] = spender;
emit Approval(owner, spender, id);
function setApprovalForAll(address operator, bool approved) public virtual {
isApprovedForAll[msg.sender][operator] = approved;
emit ApprovalForAll(msg.sender, operator, approved);
function transferFrom(address from, address to, uint256 id) public virtual {
require(from == _ownerOf[id], "WRONG_FROM");
require(to != address(0), "INVALID_RECIPIENT");
msg.sender == from || isApprovedForAll[from][msg.sender]
|| msg.sender == getApproved[id],
// Underflow of the sender's balance is impossible because we check for
// ownership above and the recipient's balance can't realistically overflow.
unchecked {
_ownerOf[id] = to;
delete getApproved[id];
emit Transfer(from, to, id);
function safeTransferFrom(address from, address to, uint256 id) public virtual {
transferFrom(from, to, id);
to.code.length == 0
|| ERC721TokenReceiver(to).onERC721Received(msg.sender, from, id, "")
== ERC721TokenReceiver.onERC721Received.selector,
function safeTransferFrom(address from, address to, uint256 id, bytes calldata data)
transferFrom(from, to, id);
to.code.length == 0
|| ERC721TokenReceiver(to).onERC721Received(msg.sender, from, id, data)
== ERC721TokenReceiver.onERC721Received.selector,
function supportsInterface(bytes4 interfaceId) public view virtual returns (bool) {
return interfaceId == 0x01ffc9a7 // ERC165 Interface ID for ERC165
|| interfaceId == 0x80ac58cd // ERC165 Interface ID for ERC721
|| interfaceId == 0x5b5e139f; // ERC165 Interface ID for ERC721Metadata
function _mint(address to, uint256 id) internal virtual {
require(to != address(0), "INVALID_RECIPIENT");
require(_ownerOf[id] == address(0), "ALREADY_MINTED");
// Counter overflow is incredibly unrealistic.
unchecked {
_ownerOf[id] = to;
emit Transfer(address(0), to, id);
function _burn(uint256 id) internal virtual {
address owner = _ownerOf[id];
require(owner != address(0), "NOT_MINTED");
// Ownership check above ensures no underflow.
unchecked {
delete _ownerOf[id];
delete getApproved[id];
emit Transfer(owner, address(0), id);
function _safeMint(address to, uint256 id) internal virtual {
_mint(to, id);
to.code.length == 0
|| ERC721TokenReceiver(to).onERC721Received(msg.sender, address(0), id, "")
== ERC721TokenReceiver.onERC721Received.selector,
function _safeMint(address to, uint256 id, bytes memory data) internal virtual {
_mint(to, id);
to.code.length == 0
|| ERC721TokenReceiver(to).onERC721Received(msg.sender, address(0), id, data)
== ERC721TokenReceiver.onERC721Received.selector,
/// @notice A generic interface for a contract which properly accepts ERC721 tokens.
/// @author Solmate (https://github.com/transmissions11/solmate/blob/main/src/tokens/ERC721.sol)
abstract contract ERC721TokenReceiver {
function onERC721Received(address, address, uint256, bytes calldata)
returns (bytes4)
return ERC721TokenReceiver.onERC721Received.selector;
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import { LibString } from "solady/utils/LibString.sol";
import { ICurta } from "@/contracts/interfaces/ICurta.sol";
import { IColormapRegistry } from "@/contracts/interfaces/IColormapRegistry.sol";
import { Base64 } from "@/contracts/utils/Base64.sol";
/// @title Curta Flag Renderer
/// @author fiveoutofnine
/// @notice A contract that renders the JSON and SVG for a Flag token.
contract FlagRenderer {
using LibString for uint256;
using LibString for address;
using LibString for string;
// -------------------------------------------------------------------------
// Constants
// -------------------------------------------------------------------------
/// @notice The colormap registry.
IColormapRegistry constant colormapRegistry =
/// @notice Render the JSON and SVG for a Flag token.
/// @param _puzzleData The puzzle data.
/// @param _tokenId The token ID.
/// @param _author The author of the puzzle.
/// @param _solveTime The time it took to solve the puzzle.
/// @param _solveMetadata The metadata associated with the solve.
/// @param _phase The phase of the puzzle.
/// @param _solves The number of solves the puzzle has.
/// @param _colors The colors of the Flag.
/// @return string memory The JSON and SVG for the Flag token.
function render(
ICurta.PuzzleData memory _puzzleData,
uint256 _tokenId,
address _author,
uint40 _solveTime,
uint56 _solveMetadata,
uint8 _phase,
uint32 _solves,
uint120 _colors
) external view returns (string memory) {
// Generate the puzzle's attributes.
string memory attributes;
attributes = string.concat(
'"},{"trait_type":"Puzzle ID","value":',
uint256(_tokenId >> 128).toString(),
_formatValueAsAddress(uint256(_solveMetadata & 0xFFFFFFF)),
'"},{"trait_type":"Solve time","value":',
// Generate the puzzle's SVG.
string memory image;
image = string.concat(
'<svg xmlns="http://www.w3.org/2000/svg" width="550" height="550" viewBox="0 0 550 '
uint256((_colors >> 72) & 0xFFFFFF).toHexStringNoPrefix(3), // Fill
uint256((_colors >> 24) & 0xFFFFFF).toHexStringNoPrefix(3), // Primary text
uint256(_colors & 0xFFFFFF).toHexStringNoPrefix(3), // Secondary text
uint256(_colors & 0xFFFFFF).toHexStringNoPrefix(3) // Secondary text
image = string.concat(
'}.x{width:1px;height:1px}</style><mask id="m"><rect width="20" height="20" rx="0.3'
'70370" fill="#FFF"/></mask><path d="M0 0h550v550H0z" style="fill:#',
uint256((_colors >> 96) & 0xFFFFFF).toHexStringNoPrefix(3), // Background
'"/><rect x="143" y="69" width="264" height="412" rx="8" fill="#',
uint256((_colors >> 48) & 0xFFFFFF).toHexStringNoPrefix(3), // Border
'"/><rect class="f" x="147" y="73" width="256" height="404" rx="4"/>',
image = string.concat(
'<text class="a h" x="163" y="101" font-size="20">Puzzle #',
(_tokenId >> 128).toString(),
'</text><text x="163" y="121"><tspan class="b d i">Created by </tspan><tspan class='
'"a d h">'
uint256 luma =
((_colors >> 88) & 0xFF) + ((_colors >> 80) & 0xFF) + ((_colors >> 72) & 0xFF);
image = string.concat(
_formatValueAsAddress(uint160(_author) >> 132), // Authors
'</tspan></text><rect x="163" y="137" width="224" height="224" fill="rgba(',
luma < ((255 * 3) >> 1) ? "255,255,255" : "0,0,0", // Background behind the heatmap
',0.2)" rx="8"/>',
_drawDrunkenBishop(_solveMetadata, _tokenId),
'<path class="j" d="M176.988 387.483A4.992 4.992 0 0 0 173 385.5a4.992 4.992 0 0 0-'
"3.988 1.983m7.975 0a6 6 0 1 0-7.975 0m7.975 0A5.977 5.977 0 0 1 173 389a5.977 5.97"
'7 0 0 1-3.988-1.517M175 381.5a2 2 0 1 1-4 0 2 2 0 0 1 4 0z"/><text class="a c h" x'
'="187" y="383">',
_formatValueAsAddress(_solveMetadata >> 28), // Captured by
'</text><text class="b d i" x="187" y="403">Captured by</text><path class="j" d="m2'
"85.5 380 2 1.5-2 1.5m3 0h2m-6 5.5h9a1.5 1.5 0 0 0 1.5-1.5v-8a1.5 1.5 0 0 0-1.5-1.5"
'h-9a1.5 1.5 0 0 0-1.5 1.5v8a1.5 1.5 0 0 0 1.5 1.5z"/><text class="a c h" x="303" y'
_formatValueAsAddress(_solveMetadata & 0xFFFFFFF), // Solution
'</text><text class="b d i" x="303" y="403">Solution</text><path class="j" d="M176 '
"437.5h-6m6 0a2 2 0 0 1 2 2h-10a2 2 0 0 1 2-2m6 0v-2.25a.75.75 0 0 0-.75-.75h-.58m-"
"4.67 3v-2.25a.75.75 0 0 1 .75-.75h.581m3.338 0h-3.338m3.338 0a4.97 4.97 0 0 1-.654"
"-2.115m-2.684 2.115a4.97 4.97 0 0 0 .654-2.115m-3.485-4.561c-.655.095-1.303.211-1."
"944.347a4.002 4.002 0 0 0 3.597 3.314m-1.653-3.661V428a4.49 4.49 0 0 0 1.653 3.485"
"m-1.653-3.661v-1.01a32.226 32.226 0 0 1 4.5-.314c1.527 0 3.03.107 4.5.313v1.011m-7"
".347 3.661a4.484 4.484 0 0 0 1.832.9m5.515-4.561V428a4.49 4.49 0 0 1-1.653 3.485m1"
".653-3.661a30.88 30.88 0 0 1 1.944.347 4.002 4.002 0 0 1-3.597 3.314m0 0a4.484 4.4"
'84 0 0 1-1.832.9m0 0a4.515 4.515 0 0 1-2.03 0"/><text><tspan class="a c h" x="187"'
' y="433">'
image = string.concat(
uint256(uint128(_tokenId)).toString(), // Rank
' </tspan><tspan class="a d i" y="435">/ ',
uint256(_solves).toString(), // Solvers
'</tspan></text><text class="b d i" x="187" y="453">Rank</text><path class="j" d="M'
'289 429v4h3m3 0a6 6 0 1 1-12 0 6 6 0 0 1 12 0z"/><text class="a c h" x="303" y="43'
_formatTime(_solveTime), // Solve time
'</text><text class="b d i" x="303" y="453">Solve time</text></svg>'
return string.concat(
": Flag #",
'","description":"This token represents solve #',
" in puzzle #",
uint256(_tokenId >> 128).toString(),
'.","image_data": "data:image/svg+xml;base64,',
/// @notice Returns the SVG component for the ``heatmap'' generated by
/// applying the Drunken Bishop algorithm.
/// @param _solveMetadata A bitpacked `uint56` containing metadata of the
/// solver and solution.
/// @param _tokenId The token ID of the Flag.
/// @return string memory The SVG for the heatmap.
function _drawDrunkenBishop(uint56 _solveMetadata, uint256 _tokenId)
returns (string memory)
uint256 seed = uint256(keccak256(abi.encodePacked(_tokenId, _solveMetadata)));
// Select the colormap.
bytes32 colormapHash = [
][seed % 18];
// We start at the middle of the board.
uint256 index = 210;
uint256 max = 1;
uint8[] memory counts = new uint8[](400);
counts[index] = 1;
// Apply Drunken Bishop algorithm.
unchecked {
while (seed != 0) {
(uint256 x, uint256 y) = (index % 20, index / 20);
assembly {
// Read down/up
switch and(shr(1, seed), 1)
// Up case
case 0 { index := add(index, mul(20, iszero(eq(y, 19)))) }
// Down case
default { index := sub(index, mul(20, iszero(eq(y, 0)))) }
// Read left/right
switch and(seed, 1)
// Left case
case 0 { index := add(index, iszero(eq(x, 19))) }
// Right case
default { index := sub(index, iszero(eq(y, 0))) }
if (++counts[index] > max) max = counts[index];
seed >>= 2;
// Draw heatmap from counts.
string memory image = '<g transform="translate(167 141) scale(10.8)" mask="url(#m)">';
unchecked {
for (uint256 i; i < 400; ++i) {
image = string.concat(
'<rect class="x" x="',
(i % 20).toString(),
'" y="',
(i / 20).toString(),
'" fill="#',
colormapHash, uint8((uint256(counts[i]) * 255) / max)
return string.concat(image, "</g>");
/// @notice Returns the SVG component for the stars corresponding to the
/// phase, including the background pill.
/// @dev Phase 0 = 3 stars; Phase 1 = 2 stars; Phase 2 = 1 star. Also, note
/// that the SVGs are returned positioned relative to the whole SVG for the
/// Flag.
/// @param _phase The phase of the solve.
/// @return string memory The SVG for the stars.
function _drawStars(uint8 _phase) internal pure returns (string memory) {
// This will never underflow because `_phase` is always in the range
// [0, 4].
unchecked {
uint256 width = ((4 - _phase) << 4);
return string.concat(
'<rect class="h" x="',
(383 - width).toString(),
'" y="97" width="',
'" height="24" rx="12"/><path id="s" d="M366.192 103.14c.299-.718 1.317-.718 1.616 '
"0l1.388 3.338 3.603.289c.776.062 1.09 1.03.499 1.536l-2.745 2.352.838 3.515c.181.7"
"57-.642 1.355-1.306.95L367 113.236l-3.085 1.884c-.664.405-1.487-.193-1.306-.95l.83"
'8-3.515-2.745-2.352c-.591-.506-.277-1.474.5-1.536l3.602-.289 1.388-3.337z"/>',
_phase < 2 ? '<use href="#s" x="-16" />' : "",
_phase < 1 ? '<use href="#s" x="-32" />' : ""
/// @notice Helper function to format the last 28 bits of a value as a
/// hexstring of length 7. If the value is less than 24 bits, it is padded
/// with leading zeros.
/// @param _value The value to format.
/// @return string memory The formatted string.
function _formatValueAsAddress(uint256 _value) internal pure returns (string memory) {
return string.concat(
string(abi.encodePacked(bytes32("0123456789ABCDEF")[(_value >> 24) & 0xF])),
(_value & 0xFFFFFF).toHexStringNoPrefix(3).toCase(true)
/// @notice Helper function to format seconds into a length string. In order
/// to fit the solve time in the card, we format it as follows:
/// * 0:00:00 to 95:59:59
/// * 96 hours to 983 hours
/// * 41 days to 729 days
/// * 2 years onwards
/// @param _solveTime The solve time in seconds.
/// @return string memory The formatted string.
function _formatTime(uint40 _solveTime) internal pure returns (string memory) {
if (_solveTime < 96 hours) {
uint256 numHours = _solveTime / (1 hours);
uint256 numMinutes = (_solveTime % (1 hours)) / (1 minutes);
uint256 numSeconds = _solveTime % (1 minutes);
return string.concat(
_zeroPadOne(numHours), ":", _zeroPadOne(numMinutes), ":", _zeroPadOne(numSeconds)
} else if (_solveTime < 41 days) {
return string.concat(uint256(_solveTime / (1 hours)).toString(), " hours");
} else if (_solveTime < 730 days) {
return string.concat(uint256(_solveTime / (1 days)).toString(), " days");
return string.concat(uint256(_solveTime / (365 days)).toString(), " years");
/// @notice Helper function to zero pad a number by 1 if it is less than 10.
/// @param _value The number to zero pad.
/// @return string memory The zero padded string.
function _zeroPadOne(uint256 _value) internal pure returns (string memory) {
if (_value < 10) {
return string.concat("0", _value.toString());
return _value.toString();
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import { IPaletteGenerator } from "@/contracts/interfaces/IPaletteGenerator.sol";
/// @title The interface for the colormap registry.
/// @author fiveoutofnine
/// @dev A colormap may be defined in 2 ways: (1) via segment data and (2) via a
/// ``palette generator.''
/// 1. via segment data
/// 2. or via a palette generator ({IPaletteGenerator}).
/// Segment data contains 1 `uint256` each for red, green, and blue describing
/// their intensity values along the colormap. Each `uint256` contains 24-bit
/// words bitpacked together with the following structure (bits are
/// right-indexed):
/// | Bits | Meaning |
/// | --------- | ---------------------------------------------------- |
/// | `23 - 16` | Position in the colormap the segment begins from |
/// | `15 - 08` | Intensity of R, G, or B the previous segment ends at |
/// | `07 - 00` | Intensity of R, G, or B the next segment starts at |
/// Given some position, the output will be computed via linear interpolations
/// on the segment data for R, G, and B. A maximum of 10 of these segments fit
/// within 256 bits, so up to 9 segments can be defined. If you need more
/// granularity or a nonlinear palette function, you may implement
/// {IPaletteGenerator} and define a colormap with that.
interface IColormapRegistry {
// -------------------------------------------------------------------------
// Errors
// -------------------------------------------------------------------------
/// @notice Emitted when a colormap already exists.
/// @param _colormapHash Hash of the colormap's definition.
error ColormapAlreadyExists(bytes32 _colormapHash);
/// @notice Emitted when a colormap does not exist.
/// @param _colormapHash Hash of the colormap's definition.
error ColormapDoesNotExist(bytes32 _colormapHash);
/// @notice Emitted when a segment data used to define a colormap does not
/// follow the representation outlined in {IColormapRegistry}.
/// @param _segmentData Segment data for 1 of R, G, or B. See
/// {IColormapRegistry} for its representation.
error SegmentDataInvalid(uint256 _segmentData);
// -------------------------------------------------------------------------
// Structs
// -------------------------------------------------------------------------
/// @notice Segment data that defines a colormap when read via piece-wise
/// linear interpolation.
/// @dev Each param contains 24-bit words, so each one may contain at most
/// 9 (24*10 - 1) segments. See {IColormapRegistry} for how the segment data
/// should be structured.
/// @param r Segment data for red's color value along the colormap.
/// @param g Segment data for green's color value along the colormap.
/// @param b Segment data for blue's color value along the colormap.
struct SegmentData {
uint256 r;
uint256 g;
uint256 b;
// -------------------------------------------------------------------------
// Events
// -------------------------------------------------------------------------
/// @notice Emitted when a colormap is registered via a palette generator
/// function.
/// @param _hash Hash of `_paletteGenerator`.
/// @param _paletteGenerator Instance of {IPaletteGenerator} for the
/// colormap.
event RegisterColormap(bytes32 _hash, IPaletteGenerator _paletteGenerator);
/// @notice Emitted when a colormap is registered via segment data.
/// @param _hash Hash of `_segmentData`.
/// @param _segmentData Segment data defining the colormap.
event RegisterColormap(bytes32 _hash, SegmentData _segmentData);
// -------------------------------------------------------------------------
// Storage
// -------------------------------------------------------------------------
/// @param _colormapHash Hash of the colormap's definition (segment data).
/// @return uint256 Segment data for red's color value along the colormap.
/// @return uint256 Segment data for green's color value along the colormap.
/// @return uint256 Segment data for blue's color value along the colormap.
function segments(bytes32 _colormapHash) external view returns (uint256, uint256, uint256);
/// @param _colormapHash Hash of the colormap's definition (palette
/// generator).
/// @return IPaletteGenerator Instance of {IPaletteGenerator} for the
/// colormap.
function paletteGenerators(bytes32 _colormapHash) external view returns (IPaletteGenerator);
// -------------------------------------------------------------------------
// Actions
// -------------------------------------------------------------------------
/// @notice Register a colormap with a palette generator.
/// @param _paletteGenerator Instance of {IPaletteGenerator} for the
/// colormap.
function register(IPaletteGenerator _paletteGenerator) external;
/// @notice Register a colormap with segment data that will be read via
/// piece-wise linear interpolation.
/// @dev See {IColormapRegistry} for how the segment data should be
/// structured.
/// @param _segmentData Segment data defining the colormap.
function register(SegmentData memory _segmentData) external;
// -------------------------------------------------------------------------
// View
// -------------------------------------------------------------------------
/// @notice Get the red, green, and blue color values of a color in a
/// colormap at some position.
/// @dev Each color value will be returned as a 18 decimal fixed-point
/// number in [0, 1]. Note that the function *will not* revert if
/// `_position` is an invalid input (i.e. greater than 1e18). This
/// responsibility is left to the implementation of {IPaletteGenerator}s.
/// @param _colormapHash Hash of the colormap's definition.
/// @param _position 18 decimal fixed-point number in [0, 1] representing
/// the position in the colormap (i.e. 0 being min, and 1 being max).
/// @return uint256 Intensity of red in that color at the position
/// `_position`.
/// @return uint256 Intensity of green in that color at the position
/// `_position`.
/// @return uint256 Intensity of blue in that color at the position
/// `_position`.
function getValue(bytes32 _colormapHash, uint256 _position)
returns (uint256, uint256, uint256);
/// @notice Get the red, green, and blue color values of a color in a
/// colormap at some position.
/// @dev Each color value will be returned as a `uint8` number in [0, 255].
/// @param _colormapHash Hash of the colormap's definition.
/// @param _position Position in the colormap (i.e. 0 being min, and 255
/// being max).
/// @return uint8 Intensity of red in that color at the position
/// `_position`.
/// @return uint8 Intensity of green in that color at the position
/// `_position`.
/// @return uint8 Intensity of blue in that color at the position
/// `_position`.
function getValueAsUint8(bytes32 _colormapHash, uint8 _position)
returns (uint8, uint8, uint8);
/// @notice Get the hexstring for a color in a colormap at some position.
/// @param _colormapHash Hash of the colormap's definition.
/// @param _position Position in the colormap (i.e. 0 being min, and 255
/// being max).
/// @return string Hexstring excluding ``#'' (e.g. `007CFF`) of the color
/// at the position `_position`.
function getValueAsHexString(bytes32 _colormapHash, uint8 _position)
returns (string memory);
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import { IPuzzle } from "./IPuzzle.sol";
import { AuthorshipToken } from "@/contracts/AuthorshipToken.sol";
import { FlagRenderer } from "@/contracts/FlagRenderer.sol";
/// @title The interface for Curta
/// @notice A CTF protocol, where players create and solve EVM puzzles to earn
/// NFTs.
/// @dev Each solve is represented by an NFT. However, the NFT with token ID 0
/// is reserved to denote ``Fermat''—the author's whose puzzle went the longest
/// unsolved.
interface ICurta {
// -------------------------------------------------------------------------
// Errors
// -------------------------------------------------------------------------
/// @notice Emitted when an Authorship Token has already been used to add a
/// puzzle to Curta.
/// @param _tokenId The ID of an Authorship Token.
error AuthorshipTokenAlreadyUsed(uint256 _tokenId);
/// @notice Emitted when a puzzle's solution is incorrect.
error IncorrectSolution();
/// @notice Emitted when insufficient funds are sent during "Phase 2"
/// submissions.
error InsufficientFunds();
/// @notice Emitted when a puzzle is already marked as Fermat.
/// @param _puzzleId The ID of a puzzle.
error PuzzleAlreadyFermat(uint32 _puzzleId);
/// @notice Emitted when a solver has already solved a puzzle.
/// @param _puzzleId The ID of a puzzle.
error PuzzleAlreadySolved(uint32 _puzzleId);
/// @notice Emitted when a puzzle does not exist.
/// @param _puzzleId The ID of a puzzle.
error PuzzleDoesNotExist(uint32 _puzzleId);
/// @notice Emitted when the puzzle was not the one that went longest
/// unsolved.
/// @param _puzzleId The ID of a puzzle.
error PuzzleNotFermat(uint32 _puzzleId);
/// @notice Emitted when a puzzle has not been solved yet.
/// @param _puzzleId The ID of a puzzle.
error PuzzleNotSolved(uint32 _puzzleId);
/// @notice Emitted when submissions for a puzzle is closed.
/// @param _puzzleId The ID of a puzzle.
error SubmissionClosed(uint32 _puzzleId);
/// @notice Emitted when `msg.sender` is not authorized.
error Unauthorized();
// -------------------------------------------------------------------------
// Structs
// -------------------------------------------------------------------------
/// @notice A struct containing data about the puzzle corresponding to
/// Fermat (i.e. the puzzle that went the longest unsolved).
/// @param puzzleId The ID of the puzzle.
/// @param timeTaken The number of seconds it took to first solve the
/// puzzle.
struct Fermat {
uint32 puzzleId;
uint40 timeTaken;
/// @notice A struct containing data about a puzzle.
/// @param puzzle The address of the puzzle.
/// @param addedTimestamp The timestamp at which the puzzle was added.
/// @param firstSolveTimestamp The timestamp at which the first valid
/// solution was submitted.
struct PuzzleData {
IPuzzle puzzle;
uint40 addedTimestamp;
uint40 firstSolveTimestamp;
/// @notice A struct containing the number of solves a puzzle has.
/// @param colors A bitpacked `uint120` of 5 24-bit colors for the puzzle's
/// Flags in the following order (left-to-right):
/// * Background color
/// * Fill color
/// * Border color
/// * Primary text color
/// * Secondary text color
/// @param phase0Solves The total number of Phase 0 solves a puzzle has.
/// @param phase1Solves The total number of Phase 1 solves a puzzle has.
/// @param phase2Solves The total number of Phase 2 solves a puzzle has.
/// @param solves The total number of solves a puzzle has.
struct PuzzleColorsAndSolves {
uint120 colors;
uint32 phase0Solves;
uint32 phase1Solves;
uint32 phase2Solves;
uint32 solves;
// -------------------------------------------------------------------------
// Events
// -------------------------------------------------------------------------
/// @notice Emitted when a puzzle is added.
/// @param id The ID of the puzzle.
/// @param author The address of the puzzle author.
/// @param puzzle The address of the puzzle.
event AddPuzzle(uint32 indexed id, address indexed author, IPuzzle puzzle);
/// @notice Emitted when a puzzle is solved.
/// @param id The ID of the puzzle.
/// @param solver The address of the solver.
/// @param solution The solution.
/// @param phase The phase in which the puzzle was solved.
event SolvePuzzle(uint32 indexed id, address indexed solver, uint256 solution, uint8 phase);
/// @notice Emitted when a puzzle's colors are updated.
/// @param id The ID of the puzzle.
/// @param colors A bitpacked `uint120` of 5 24-bit colors for the puzzle's
/// Flags.
event UpdatePuzzleColors(uint32 indexed id, uint256 colors);
// -------------------------------------------------------------------------
// Immutable Storage
// -------------------------------------------------------------------------
/// @notice The Flag metadata and art renderer contract.
function flagRenderer() external view returns (FlagRenderer);
/// @return The Authorship Token contract.
function authorshipToken() external view returns (AuthorshipToken);
// -------------------------------------------------------------------------
// Storage
// -------------------------------------------------------------------------
/// @return The total number of puzzles.
function puzzleId() external view returns (uint32);
/// @return puzzleId The ID of the puzzle corresponding to Fermat.
/// @return timeTaken The number of seconds it took to solve the puzzle.
function fermat() external view returns (uint32 puzzleId, uint40 timeTaken);
/// @param _puzzleId The ID of a puzzle.
/// @return colors A bitpacked `uint120` of 5 24-bit colors for the puzzle's
/// Flags.
/// @return phase0Solves The total number of Phase 0 solves a puzzle has.
/// @return phase1Solves The total number of Phase 1 solves a puzzle has.
/// @return phase2Solves The total number of Phase 2 solves a puzzle has.
/// @return solves The total number of solves a puzzle has.
function getPuzzleColorsAndSolves(uint32 _puzzleId)
returns (
uint120 colors,
uint32 phase0Solves,
uint32 phase1Solves,
uint32 phase2Solves,
uint32 solves
/// @param _puzzleId The ID of a puzzle.
/// @return puzzle The address of the puzzle.
/// @return addedTimestamp The timestamp at which the puzzle was added.
/// @return firstSolveTimestamp The timestamp at which the first solution
/// was submitted.
function getPuzzle(uint32 _puzzleId)
returns (IPuzzle puzzle, uint40 addedTimestamp, uint40 firstSolveTimestamp);
/// @param _puzzleId The ID of a puzzle.
/// @return The address of the puzzle author.
function getPuzzleAuthor(uint32 _puzzleId) external view returns (address);
/// @param _solver The address of a solver.
/// @param _puzzleId The ID of a puzzle.
/// @return Whether `_solver` has solved the puzzle of ID `_puzzleId`.
function hasSolvedPuzzle(address _solver, uint32 _puzzleId) external view returns (bool);
/// @param _tokenId The ID of an Authorship Token.
/// @return Whether the Authorship Token of ID `_tokenId` has been used to
/// add a puzzle.
function hasUsedAuthorshipToken(uint256 _tokenId) external view returns (bool);
// -------------------------------------------------------------------------
// Functions
// -------------------------------------------------------------------------
/// @notice Mints a Flag NFT if the provided solution solves the puzzle.
/// @param _puzzleId The ID of the puzzle.
/// @param _solution The solution.
function solve(uint32 _puzzleId, uint256 _solution) external payable;
/// @notice Adds a puzzle to the contract. Note that an unused Authorship
/// Token is required to add a puzzle (see {AuthorshipToken}).
/// @param _puzzle The address of the puzzle.
/// @param _id The ID of the Authorship Token to burn.
function addPuzzle(IPuzzle _puzzle, uint256 _id) external;
/// @notice Set the colors for a puzzle's Flags.
/// @dev Only the author of the puzzle of ID `_puzzleId` may set its token
/// renderer.
/// @param _puzzleId The ID of the puzzle.
/// @param _colors A bitpacked `uint120` of 5 24-bit colors for the puzzle's
/// Flags.
function setPuzzleColors(uint32 _puzzleId, uint120 _colors) external;
/// @notice Burns and mints NFT #0 to the author of the puzzle of ID
/// `_puzzleId` if it is the puzzle that went longest unsolved.
/// @dev The puzzle of ID `_puzzleId` must have been solved at least once.
/// @param _puzzleId The ID of the puzzle.
function setFermat(uint32 _puzzleId) external;
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
import "./IShields.sol";
import "./IFrameGenerator.sol";
import "./IFieldGenerator.sol";
import "./IHardwareGenerator.sol";
import "./IShieldBadgeSVGs.sol";
interface IEmblemWeaver {
function fieldGenerator() external returns (IFieldGenerator);
function hardwareGenerator() external returns (IHardwareGenerator);
function frameGenerator() external returns (IFrameGenerator);
function shieldBadgeSVGGenerator() external returns (IShieldBadgeSVGs);
function generateShieldURI(IShields.Shield memory shield)
returns (string memory);
function generateShieldBadgeURI(IShields.ShieldBadge shieldBadge)
returns (string memory);
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
interface IFieldGenerator {
enum FieldCategories {
struct FieldData {
string title;
FieldCategories fieldType;
string svgString;
function generateField(uint16 field, uint24[4] memory colors)
returns (FieldData memory);
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
interface IFrameGenerator {
struct FrameData {
string title;
uint256 fee;
string svgString;
function generateFrame(uint16 Frame)
returns (FrameData memory);
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
interface IHardwareGenerator {
enum HardwareCategories {
struct HardwareData {
string title;
HardwareCategories hardwareType;
string svgString;
function generateHardware(uint16 hardware)
returns (HardwareData memory);
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
/// @title The interface for a palette generator.
/// @author fiveoutofnine
/// @dev `IPaletteGenerator` contains generator functions for a color's red,
/// green, and blue color values. Each of these functions is intended to take in
/// a 18 decimal fixed-point number in [0, 1] representing the position in the
/// colormap and return the corresponding 18 decimal fixed-point number in
/// [0, 1] representing the value of each respective color.
interface IPaletteGenerator {
// -------------------------------------------------------------------------
// Errors
// -------------------------------------------------------------------------
/// @notice Reverts if the position is not a valid input.
/// @dev The position is not a valid input if it is greater than 1e18.
/// @param _position Position in the colormap.
error InvalidPosition(uint256 _position);
// -------------------------------------------------------------------------
// Generators
// -------------------------------------------------------------------------
/// @notice Computes the intensity of red of the palette at some position.
/// @dev The function should revert if `_position` is not a valid input
/// (i.e. greater than 1e18). Also, the return value for all inputs must be
/// a 18 decimal.
/// @param _position Position in the colormap.
/// @return uint256 Intensity of red in that color at the position
/// `_position`.
function r(uint256 _position) external pure returns (uint256);
/// @notice Computes the intensity of green of the palette at some position.
/// @dev The function should revert if `_position` is not a valid input
/// (i.e. greater than 1e18). Also, the return value for all inputs must be
/// a 18 decimal.
/// @param _position Position in the colormap.
/// @return uint256 Intensity of green in that color at the position
/// `_position`.
function g(uint256 _position) external pure returns (uint256);
/// @notice Computes the intensity of blue of the palette at some position.
/// @dev The function should revert if `_position` is not a valid input
/// (i.e. greater than 1e18). Also, the return value for all inputs must be
/// a 18 decimal.
/// @param _position Position in the colormap.
/// @return uint256 Intensity of blue in that color at the position
/// `_position`.
function b(uint256 _position) external pure returns (uint256);
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
/// @title The interface for a puzzle on Curta
/// @notice The goal of players is to view the source code of the puzzle (may
/// range from just the bytecode to Solidity—whatever the author wishes to
/// provide), interpret the code, solve it as if it was a regular puzzle, then
/// verify the solution on-chain.
/// @dev Since puzzles are on-chain, everyone can view everyone else's
/// submissions. The generative aspect prevents front-running and allows for
/// multiple winners: even if players view someone else's solution, they still
/// have to figure out what the rules/constraints of the puzzle are and apply
/// the solution to their respective starting position.
interface IPuzzle {
/// @notice Returns the puzzle's name.
/// @return The puzzle's name.
function name() external pure returns (string memory);
/// @notice Generates the puzzle's starting position based on a seed.
/// @dev The seed is intended to be `msg.sender` of some wrapper function or
/// call.
/// @param _seed The seed to use to generate the puzzle.
/// @return The puzzle's starting position.
function generate(address _seed) external returns (uint256);
/// @notice Verifies that a solution is valid for the puzzle.
/// @dev `_start` is intended to be an output from {IPuzzle-generate}.
/// @param _start The puzzle's starting position.
/// @param _solution The solution to the puzzle.
/// @return Whether the solution is valid.
function verify(uint256 _start, uint256 _solution) external returns (bool);
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
import "./IShields.sol";
interface IShieldBadgeSVGs {
function generateShieldBadgeSVG(IShields.ShieldBadge shieldBadge)
returns (string memory);
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
import "./IEmblemWeaver.sol";
interface IShields {
enum ShieldBadge {
struct Shield {
bool built;
uint16 field;
uint16 hardware;
uint16 frame;
ShieldBadge shieldBadge;
uint24[4] colors;
function emblemWeaver() external view returns (IEmblemWeaver);
function shields(uint256 tokenId)
returns (
uint16 field,
uint16 hardware,
uint16 frame,
uint24 color1,
uint24 color2,
uint24 color3,
uint24 color4,
ShieldBadge shieldBadge
// SPDX-License-Identifier: The Unlicense
pragma solidity ^0.8.9;
import "./IShields.sol";
import "./IFieldGenerator.sol";
import "./IHardwareGenerator.sol";
import "./IFrameGenerator.sol";
interface IShieldsAPI {
function getShield(uint256 shieldId)
returns (IShields.Shield memory);
function getShieldSVG(uint256 shieldId)
returns (string memory);
function getShieldSVG(
uint16 field,
uint24[4] memory colors,
uint16 hardware,
uint16 frame
) external view returns (string memory);
function isShieldBuilt(uint256 shieldId) external view returns (bool);
function getField(uint16 field, uint24[4] memory colors)
returns (IFieldGenerator.FieldData memory);
function getFieldTitle(uint16 field, uint24[4] memory colors)
returns (string memory);
function getFieldSVG(uint16 field, uint24[4] memory colors)
returns (string memory);
function getHardware(uint16 hardware)
returns (IHardwareGenerator.HardwareData memory);
function getHardwareTitle(uint16 hardware)
returns (string memory);
function getHardwareSVG(uint16 hardware)
returns (string memory);
function getFrame(uint16 frame)
returns (IFrameGenerator.FrameData memory);
function getFrameTitle(uint16 frame) external view returns (string memory);
function getFrameSVG(uint16 frame) external view returns (string memory);
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
/// @notice Library for converting numbers into strings and other string operations.
/// @author Solady (https://github.com/vectorized/solady/blob/main/src/utils/LibString.sol)
/// @author Modified from Solmate (https://github.com/transmissions11/solmate/blob/main/src/utils/LibString.sol)
library LibString {
/// @dev The `length` of the output is too small to contain all the hex digits.
error HexLengthInsufficient();
/// @dev The constant returned when the `search` is not found in the string.
uint256 internal constant NOT_FOUND = type(uint256).max;
/// @dev Returns the base 10 decimal representation of `value`.
function toString(uint256 value) internal pure returns (string memory str) {
/// @solidity memory-safe-assembly
assembly {
// The maximum value of a uint256 contains 78 digits (1 byte per digit), but
// we allocate 0xa0 bytes to keep the free memory pointer 32-byte word aligned.
// We will need 1 word for the trailing zeros padding, 1 word for the length,
// and 3 words for a maximum of 78 digits.
str := add(mload(0x40), 0x80)
// Update the free memory pointer to allocate.
mstore(0x40, add(str, 0x20))
// Zeroize the slot after the string.
mstore(str, 0)
// Cache the end of the memory to calculate the length later.
let end := str
let w := not(0) // Tsk.
// We write the string from rightmost digit to leftmost digit.
// The following is essentially a do-while loop that also handles the zero case.
for { let temp := value } 1 {} {
str := add(str, w) // `sub(str, 1)`.
// Write the character to the pointer.
// The ASCII index of the '0' character is 48.
mstore8(str, add(48, mod(temp, 10)))
// Keep dividing `temp` until zero.
temp := div(temp, 10)
if iszero(temp) { break }
let length := sub(end, str)
// Move the pointer 32 bytes leftwards to make room for the length.
str := sub(str, 0x20)
// Store the length.
mstore(str, length)
/// @dev Returns the base 10 decimal representation of `value`.
function toString(int256 value) internal pure returns (string memory str) {
if (value >= 0) {
return toString(uint256(value));
unchecked {
str = toString(uint256(-value));
/// @solidity memory-safe-assembly
assembly {
// We still have some spare memory space on the left,
// as we have allocated 3 words (96 bytes) for up to 78 digits.
let length := mload(str) // Load the string length.
mstore(str, 0x2d) // Store the '-' character.
str := sub(str, 1) // Move back the string pointer by a byte.
mstore(str, add(length, 1)) // Update the string length.
/// @dev Returns the hexadecimal representation of `value`,
/// left-padded to an input length of `length` bytes.
/// The output is prefixed with "0x" encoded using 2 hexadecimal digits per byte,
/// giving a total length of `length * 2 + 2` bytes.
/// Reverts if `length` is too small for the output to contain all the digits.
function toHexString(uint256 value, uint256 length) internal pure returns (string memory str) {
str = toHexStringNoPrefix(value, length);
/// @solidity memory-safe-assembly
assembly {
let strLength := add(mload(str), 2) // Compute the length.
mstore(str, 0x3078) // Write the "0x" prefix.
str := sub(str, 2) // Move the pointer.
mstore(str, strLength) // Write the length.
/// @dev Returns the hexadecimal representation of `value`,
/// left-padded to an input length of `length` bytes.
/// The output is prefixed with "0x" encoded using 2 hexadecimal digits per byte,
/// giving a total length of `length * 2` bytes.
/// Reverts if `length` is too small for the output to contain all the digits.
function toHexStringNoPrefix(uint256 value, uint256 length)
returns (string memory str)
/// @solidity memory-safe-assembly
assembly {
// We need 0x20 bytes for the trailing zeros padding, `length * 2` bytes
// for the digits, 0x02 bytes for the prefix, and 0x20 bytes for the length.
// We add 0x20 to the total and round down to a multiple of 0x20.
// (0x20 + 0x20 + 0x02 + 0x20) = 0x62.
str := add(mload(0x40), and(add(shl(1, length), 0x42), not(0x1f)))
// Allocate the memory.
mstore(0x40, add(str, 0x20))
// Zeroize the slot after the string.
mstore(str, 0)
// Cache the end to calculate the length later.
let end := str
// Store "0123456789abcdef" in scratch space.
mstore(0x0f, 0x30313233343536373839616263646566)
let start := sub(str, add(length, length))
let w := not(1) // Tsk.
let temp := value
// We write the string from rightmost digit to leftmost digit.
// The following is essentially a do-while loop that also handles the zero case.
for {} 1 {} {
str := add(str, w) // `sub(str, 2)`.
mstore8(add(str, 1), mload(and(temp, 15)))
mstore8(str, mload(and(shr(4, temp), 15)))
temp := shr(8, temp)
if iszero(xor(str, start)) { break }
if temp {
// Store the function selector of `HexLengthInsufficient()`.
mstore(0x00, 0x2194895a)
// Revert with (offset, size).
revert(0x1c, 0x04)
// Compute the string's length.
let strLength := sub(end, str)
// Move the pointer and write the length.
str := sub(str, 0x20)
mstore(str, strLength)
/// @dev Returns the hexadecimal representation of `value`.
/// The output is prefixed with "0x" and encoded using 2 hexadecimal digits per byte.
/// As address are 20 bytes long, the output will left-padded to have
/// a length of `20 * 2 + 2` bytes.
function toHexString(uint256 value) internal pure returns (string memory str) {
str = toHexStringNoPrefix(value);
/// @solidity memory-safe-assembly
assembly {
let strLength := add(mload(str), 2) // Compute the length.
mstore(str, 0x3078) // Write the "0x" prefix.
str := sub(str, 2) // Move the pointer.
mstore(str, strLength) // Write the length.
/// @dev Returns the hexadecimal representation of `value`.
/// The output is encoded using 2 hexadecimal digits per byte.
/// As address are 20 bytes long, the output will left-padded to have
/// a length of `20 * 2` bytes.
function toHexStringNoPrefix(uint256 value) internal pure returns (string memory str) {
/// @solidity memory-safe-assembly
assembly {
// We need 0x20 bytes for the trailing zeros padding, 0x20 bytes for the length,
// 0x02 bytes for the prefix, and 0x40 bytes for the digits.
// The next multiple of 0x20 above (0x20 + 0x20 + 0x02 + 0x40) is 0xa0.
str := add(mload(0x40), 0x80)
// Allocate the memory.
mstore(0x40, add(str, 0x20))
// Zeroize the slot after the string.
mstore(str, 0)
// Cache the end to calculate the length later.
let end := str
// Store "0123456789abcdef" in scratch space.
mstore(0x0f, 0x30313233343536373839616263646566)
let w := not(1) // Tsk.
// We write the string from rightmost digit to leftmost digit.
// The following is essentially a do-while loop that also handles the zero case.
for { let temp := value } 1 {} {
str := add(str, w) // `sub(str, 2)`.
mstore8(add(str, 1), mload(and(temp, 15)))
mstore8(str, mload(and(shr(4, temp), 15)))
temp := shr(8, temp)
if iszero(temp) { break }
// Compute the string's length.
let strLength := sub(end, str)
// Move the pointer and write the length.
str := sub(str, 0x20)
mstore(str, strLength)
/// @dev Returns the hexadecimal representation of `value`.
/// The output is prefixed with "0x", encoded using 2 hexadecimal digits per byte,
/// and the alphabets are capitalized conditionally according to
/// https://eips.ethereum.org/EIPS/eip-55
function toHexStringChecksumed(address value) internal pure returns (string memory str) {
str = toHexString(value);
/// @solidity memory-safe-assembly
assembly {
let mask := shl(6, div(not(0), 255)) // `0b010000000100000000 ...`
let o := add(str, 0x22)
let hashed := and(keccak256(o, 40), mul(34, mask)) // `0b10001000 ... `
let t := shl(240, 136) // `0b10001000 << 240`
for { let i := 0 } 1 {} {
mstore(add(i, i), mul(t, byte(i, hashed)))
i := add(i, 1)
if eq(i, 20) { break }
mstore(o, xor(mload(o), shr(1, and(mload(0x00), and(mload(o), mask)))))
o := add(o, 0x20)
mstore(o, xor(mload(o), shr(1, and(mload(0x20), and(mload(o), mask)))))
/// @dev Returns the hexadecimal representation of `value`.
/// The output is prefixed with "0x" and encoded using 2 hexadecimal digits per byte.
function toHexString(address value) internal pure returns (string memory str) {
str = toHexStringNoPrefix(value);
/// @solidity memory-safe-assembly
assembly {
let strLength := add(mload(str), 2) // Compute the length.
mstore(str, 0x3078) // Write the "0x" prefix.
str := sub(str, 2) // Move the pointer.
mstore(str, strLength) // Write the length.
/// @dev Returns the hexadecimal representation of `value`.
/// The output is encoded using 2 hexadecimal digits per byte.
function toHexStringNoPrefix(address value) internal pure returns (string memory str) {
/// @solidity memory-safe-assembly
assembly {
str := mload(0x40)
// Allocate the memory.
// We need 0x20 bytes for the trailing zeros padding, 0x20 bytes for the length,
// 0x02 bytes for the prefix, and 0x28 bytes for the digits.
// The next multiple of 0x20 above (0x20 + 0x20 + 0x02 + 0x28) is 0x80.
mstore(0x40, add(str, 0x80))
// Store "0123456789abcdef" in scratch space.
mstore(0x0f, 0x30313233343536373839616263646566)
str := add(str, 2)
mstore(str, 40)
let o := add(str, 0x20)
mstore(add(o, 40), 0)
value := shl(96, value)
// We write the string from rightmost digit to leftmost digit.
// The following is essentially a do-while loop that also handles the zero case.
for { let i := 0 } 1 {} {
let p := add(o, add(i, i))
let temp := byte(i, value)
mstore8(add(p, 1), mload(and(temp, 15)))
mstore8(p, mload(shr(4, temp)))
i := add(i, 1)
if eq(i, 20) { break }
/// @dev Returns the hex encoded string from the raw bytes.
/// The output is encoded using 2 hexadecimal digits per byte.
function toHexString(bytes memory raw) internal pure returns (string memory str) {
str = toHexStringNoPrefix(raw);
/// @solidity memory-safe-assembly
assembly {
let strLength := add(mload(str), 2) // Compute the length.
mstore(str, 0x3078) // Write the "0x" prefix.
str := sub(str, 2) // Move the pointer.
mstore(str, strLength) // Write the length.
/// @dev Returns the hex encoded string from the raw bytes.
/// The output is encoded using 2 hexadecimal digits per byte.
function toHexStringNoPrefix(bytes memory raw) internal pure returns (string memory str) {
/// @solidity memory-safe-assembly
assembly {
let length := mload(raw)
str := add(mload(0x40), 2) // Skip 2 bytes for the optional prefix.
mstore(str, add(length, length)) // Store the length of the output.
// Store "0123456789abcdef" in scratch space.
mstore(0x0f, 0x30313233343536373839616263646566)
let o := add(str, 0x20)
let end := add(raw, length)
for {} iszero(eq(raw, end)) {} {
raw := add(raw, 1)
mstore8(add(o, 1), mload(and(mload(raw), 15)))
mstore8(o, mload(and(shr(4, mload(raw)), 15)))
o := add(o, 2)
mstore(o, 0) // Zeroize the slot after the string.
mstore(0x40, and(add(o, 31), not(31))) // Allocate the memory.
/// @dev Returns the number of UTF characters in the string.
function runeCount(string memory s) internal pure returns (uint256 result) {
/// @solidity memory-safe-assembly
assembly {
if mload(s) {
mstore(0x00, div(not(0), 255))
mstore(0x20, 0x0202020202020202020202020202020202020202020202020303030304040506)
let o := add(s, 0x20)
let end := add(o, mload(s))
for { result := 1 } 1 { result := add(result, 1) } {
o := add(o, byte(0, mload(shr(250, mload(o)))))
if iszero(lt(o, end)) { break }
// For performance and bytecode compactness, all indices of the following operations
// are byte (ASCII) offsets, not UTF character offsets.
/// @dev Returns `subject` all occurrences of `search` replaced with `replacement`.
function replace(string memory subject, string memory search, string memory replacement)
returns (string memory result)
/// @solidity memory-safe-assembly
assembly {
let subjectLength := mload(subject)
let searchLength := mload(search)
let replacementLength := mload(replacement)
subject := add(subject, 0x20)
search := add(search, 0x20)
replacement := add(replacement, 0x20)
result := add(mload(0x40), 0x20)
let subjectEnd := add(subject, subjectLength)
if iszero(gt(searchLength, subjectLength)) {
let subjectSearchEnd := add(sub(subjectEnd, searchLength), 1)
let h := 0
if iszero(lt(searchLength, 32)) { h := keccak256(search, searchLength) }
let m := shl(3, sub(32, and(searchLength, 31)))
let s := mload(search)
for {} 1 {} {
let t := mload(subject)
// Whether the first `searchLength % 32` bytes of
// `subject` and `search` matches.
if iszero(shr(m, xor(t, s))) {
if h {
if iszero(eq(keccak256(subject, searchLength), h)) {
mstore(result, t)
result := add(result, 1)
subject := add(subject, 1)
if iszero(lt(subject, subjectSearchEnd)) { break }
// Copy the `replacement` one word at a time.
for { let o := 0 } 1 {} {
mstore(add(result, o), mload(add(replacement, o)))
o := add(o, 0x20)
if iszero(lt(o, replacementLength)) { break }
result := add(result, replacementLength)
subject := add(subject, searchLength)
if searchLength {
if iszero(lt(subject, subjectSearchEnd)) { break }
mstore(result, t)
result := add(result, 1)
subject := add(subject, 1)
if iszero(lt(subject, subjectSearchEnd)) { break }
let resultRemainder := result
result := add(mload(0x40), 0x20)
let k := add(sub(resultRemainder, result), sub(subjectEnd, subject))
// Copy the rest of the string one word at a time.
for {} lt(subject, subjectEnd) {} {
mstore(resultRemainder, mload(subject))
resultRemainder := add(resultRemainder, 0x20)
subject := add(subject, 0x20)
result := sub(result, 0x20)
// Zeroize the slot after the string.
let last := add(add(result, 0x20), k)
mstore(last, 0)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, and(add(last, 31), not(31)))
// Store the length of the result.
mstore(result, k)
/// @dev Returns the byte index of the first location of `search` in `subject`,
/// searching from left to right, starting from `from`.
/// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.
function indexOf(string memory subject, string memory search, uint256 from)
returns (uint256 result)
/// @solidity memory-safe-assembly
assembly {
for { let subjectLength := mload(subject) } 1 {} {
if iszero(mload(search)) {
if iszero(gt(from, subjectLength)) {
result := from
result := subjectLength
let searchLength := mload(search)
let subjectStart := add(subject, 0x20)
result := not(0) // Initialize to `NOT_FOUND`.
subject := add(subjectStart, from)
let end := add(sub(add(subjectStart, subjectLength), searchLength), 1)
let m := shl(3, sub(32, and(searchLength, 31)))
let s := mload(add(search, 0x20))
if iszero(and(lt(subject, end), lt(from, subjectLength))) { break }
if iszero(lt(searchLength, 32)) {
for { let h := keccak256(add(search, 0x20), searchLength) } 1 {} {
if iszero(shr(m, xor(mload(subject), s))) {
if eq(keccak256(subject, searchLength), h) {
result := sub(subject, subjectStart)
subject := add(subject, 1)
if iszero(lt(subject, end)) { break }
for {} 1 {} {
if iszero(shr(m, xor(mload(subject), s))) {
result := sub(subject, subjectStart)
subject := add(subject, 1)
if iszero(lt(subject, end)) { break }
/// @dev Returns the byte index of the first location of `search` in `subject`,
/// searching from left to right.
/// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.
function indexOf(string memory subject, string memory search)
returns (uint256 result)
result = indexOf(subject, search, 0);
/// @dev Returns the byte index of the first location of `search` in `subject`,
/// searching from right to left, starting from `from`.
/// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.
function lastIndexOf(string memory subject, string memory search, uint256 from)
returns (uint256 result)
/// @solidity memory-safe-assembly
assembly {
for {} 1 {} {
result := not(0) // Initialize to `NOT_FOUND`.
let searchLength := mload(search)
if gt(searchLength, mload(subject)) { break }
let w := result
let fromMax := sub(mload(subject), searchLength)
if iszero(gt(fromMax, from)) { from := fromMax }
let end := add(add(subject, 0x20), w)
subject := add(add(subject, 0x20), from)
if iszero(gt(subject, end)) { break }
// As this function is not too often used,
// we shall simply use keccak256 for smaller bytecode size.
for { let h := keccak256(add(search, 0x20), searchLength) } 1 {} {
if eq(keccak256(subject, searchLength), h) {
result := sub(subject, add(end, 1))
subject := add(subject, w) // `sub(subject, 1)`.
if iszero(gt(subject, end)) { break }
/// @dev Returns the byte index of the first location of `search` in `subject`,
/// searching from right to left.
/// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.
function lastIndexOf(string memory subject, string memory search)
returns (uint256 result)
result = lastIndexOf(subject, search, uint256(int256(-1)));
/// @dev Returns whether `subject` starts with `search`.
function startsWith(string memory subject, string memory search)
returns (bool result)
/// @solidity memory-safe-assembly
assembly {
let searchLength := mload(search)
// Just using keccak256 directly is actually cheaper.
// forgefmt: disable-next-item
result := and(
iszero(gt(searchLength, mload(subject))),
keccak256(add(subject, 0x20), searchLength),
keccak256(add(search, 0x20), searchLength)
/// @dev Returns whether `subject` ends with `search`.
function endsWith(string memory subject, string memory search)
returns (bool result)
/// @solidity memory-safe-assembly
assembly {
let searchLength := mload(search)
let subjectLength := mload(subject)
// Whether `search` is not longer than `subject`.
let withinRange := iszero(gt(searchLength, subjectLength))
// Just using keccak256 directly is actually cheaper.
// forgefmt: disable-next-item
result := and(
// `subject + 0x20 + max(subjectLength - searchLength, 0)`.
add(add(subject, 0x20), mul(withinRange, sub(subjectLength, searchLength))),
keccak256(add(search, 0x20), searchLength)
/// @dev Returns `subject` repeated `times`.
function repeat(string memory subject, uint256 times)
returns (string memory result)
/// @solidity memory-safe-assembly
assembly {
let subjectLength := mload(subject)
if iszero(or(iszero(times), iszero(subjectLength))) {
subject := add(subject, 0x20)
result := mload(0x40)
let output := add(result, 0x20)
for {} 1 {} {
// Copy the `subject` one word at a time.
for { let o := 0 } 1 {} {
mstore(add(output, o), mload(add(subject, o)))
o := add(o, 0x20)
if iszero(lt(o, subjectLength)) { break }
output := add(output, subjectLength)
times := sub(times, 1)
if iszero(times) { break }
// Zeroize the slot after the string.
mstore(output, 0)
// Store the length.
let resultLength := sub(output, add(result, 0x20))
mstore(result, resultLength)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, add(result, and(add(resultLength, 63), not(31))))
/// @dev Returns a copy of `subject` sliced from `start` to `end` (exclusive).
/// `start` and `end` are byte offsets.
function slice(string memory subject, uint256 start, uint256 end)
returns (string memory result)
/// @solidity memory-safe-assembly
assembly {
let subjectLength := mload(subject)
if iszero(gt(subjectLength, end)) { end := subjectLength }
if iszero(gt(subjectLength, start)) { start := subjectLength }
if lt(start, end) {
result := mload(0x40)
let resultLength := sub(end, start)
mstore(result, resultLength)
subject := add(subject, start)
let w := not(31)
// Copy the `subject` one word at a time, backwards.
for { let o := and(add(resultLength, 31), w) } 1 {} {
mstore(add(result, o), mload(add(subject, o)))
o := add(o, w) // `sub(o, 0x20)`.
if iszero(o) { break }
// Zeroize the slot after the string.
mstore(add(add(result, 0x20), resultLength), 0)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, add(result, and(add(resultLength, 63), w)))
/// @dev Returns a copy of `subject` sliced from `start` to the end of the string.
/// `start` is a byte offset.
function slice(string memory subject, uint256 start)
returns (string memory result)
result = slice(subject, start, uint256(int256(-1)));
/// @dev Returns all the indices of `search` in `subject`.
/// The indices are byte offsets.
function indicesOf(string memory subject, string memory search)
returns (uint256[] memory result)
/// @solidity memory-safe-assembly
assembly {
let subjectLength := mload(subject)
let searchLength := mload(search)
if iszero(gt(searchLength, subjectLength)) {
subject := add(subject, 0x20)
search := add(search, 0x20)
result := add(mload(0x40), 0x20)
let subjectStart := subject
let subjectSearchEnd := add(sub(add(subject, subjectLength), searchLength), 1)
let h := 0
if iszero(lt(searchLength, 32)) { h := keccak256(search, searchLength) }
let m := shl(3, sub(32, and(searchLength, 31)))
let s := mload(search)
for {} 1 {} {
let t := mload(subject)
// Whether the first `searchLength % 32` bytes of
// `subject` and `search` matches.
if iszero(shr(m, xor(t, s))) {
if h {
if iszero(eq(keccak256(subject, searchLength), h)) {
subject := add(subject, 1)
if iszero(lt(subject, subjectSearchEnd)) { break }
// Append to `result`.
mstore(result, sub(subject, subjectStart))
result := add(result, 0x20)
// Advance `subject` by `searchLength`.
subject := add(subject, searchLength)
if searchLength {
if iszero(lt(subject, subjectSearchEnd)) { break }
subject := add(subject, 1)
if iszero(lt(subject, subjectSearchEnd)) { break }
let resultEnd := result
// Assign `result` to the free memory pointer.
result := mload(0x40)
// Store the length of `result`.
mstore(result, shr(5, sub(resultEnd, add(result, 0x20))))
// Allocate memory for result.
// We allocate one more word, so this array can be recycled for {split}.
mstore(0x40, add(resultEnd, 0x20))
/// @dev Returns a arrays of strings based on the `delimiter` inside of the `subject` string.
function split(string memory subject, string memory delimiter)
returns (string[] memory result)
uint256[] memory indices = indicesOf(subject, delimiter);
/// @solidity memory-safe-assembly
assembly {
let w := not(31)
let indexPtr := add(indices, 0x20)
let indicesEnd := add(indexPtr, shl(5, add(mload(indices), 1)))
mstore(add(indicesEnd, w), mload(subject))
mstore(indices, add(mload(indices), 1))
let prevIndex := 0
for {} 1 {} {
let index := mload(indexPtr)
mstore(indexPtr, 0x60)
if iszero(eq(index, prevIndex)) {
let element := mload(0x40)
let elementLength := sub(index, prevIndex)
mstore(element, elementLength)
// Copy the `subject` one word at a time, backwards.
for { let o := and(add(elementLength, 31), w) } 1 {} {
mstore(add(element, o), mload(add(add(subject, prevIndex), o)))
o := add(o, w) // `sub(o, 0x20)`.
if iszero(o) { break }
// Zeroize the slot after the string.
mstore(add(add(element, 0x20), elementLength), 0)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, add(element, and(add(elementLength, 63), w)))
// Store the `element` into the array.
mstore(indexPtr, element)
prevIndex := add(index, mload(delimiter))
indexPtr := add(indexPtr, 0x20)
if iszero(lt(indexPtr, indicesEnd)) { break }
result := indices
if iszero(mload(delimiter)) {
result := add(indices, 0x20)
mstore(result, sub(mload(indices), 2))
/// @dev Returns a concatenated string of `a` and `b`.
/// Cheaper than `string.concat()` and does not de-align the free memory pointer.
function concat(string memory a, string memory b)
returns (string memory result)
/// @solidity memory-safe-assembly
assembly {
let w := not(31)
result := mload(0x40)
let aLength := mload(a)
// Copy `a` one word at a time, backwards.
for { let o := and(add(mload(a), 32), w) } 1 {} {
mstore(add(result, o), mload(add(a, o)))
o := add(o, w) // `sub(o, 0x20)`.
if iszero(o) { break }
let bLength := mload(b)
let output := add(result, mload(a))
// Copy `b` one word at a time, backwards.
for { let o := and(add(bLength, 32), w) } 1 {} {
mstore(add(output, o), mload(add(b, o)))
o := add(o, w) // `sub(o, 0x20)`.
if iszero(o) { break }
let totalLength := add(aLength, bLength)
let last := add(add(result, 0x20), totalLength)
// Zeroize the slot after the string.
mstore(last, 0)
// Stores the length.
mstore(result, totalLength)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, and(add(last, 31), w))
/// @dev Returns a copy of the string in either lowercase or UPPERCASE.
function toCase(string memory subject, bool toUpper)
returns (string memory result)
/// @solidity memory-safe-assembly
assembly {
let length := mload(subject)
if length {
result := add(mload(0x40), 0x20)
subject := add(subject, 1)
let flags := shl(add(70, shl(5, toUpper)), 67108863)
let w := not(0)
for { let o := length } 1 {} {
o := add(o, w)
let b := and(0xff, mload(add(subject, o)))
mstore8(add(result, o), xor(b, and(shr(b, flags), 0x20)))
if iszero(o) { break }
// Restore the result.
result := mload(0x40)
// Stores the string length.
mstore(result, length)
// Zeroize the slot after the string.
let last := add(add(result, 0x20), length)
mstore(last, 0)
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, and(add(last, 31), not(31)))
/// @dev Returns a lowercased copy of the string.
function lower(string memory subject) internal pure returns (string memory result) {
result = toCase(subject, false);
/// @dev Returns an UPPERCASED copy of the string.
function upper(string memory subject) internal pure returns (string memory result) {
result = toCase(subject, true);
/// @dev Escapes the string to be used within HTML tags.
function escapeHTML(string memory s) internal pure returns (string memory result) {
/// @solidity memory-safe-assembly
assembly {
for {
let end := add(s, mload(s))
result := add(mload(0x40), 0x20)
// Store the bytes of the packed offsets and strides into the scratch space.
// `packed = (stride << 5) | offset`. Max offset is 20. Max stride is 6.
mstore(0x1f, 0x900094)
mstore(0x08, 0xc0000000a6ab)
// Store ""&'<>" into the scratch space.
mstore(0x00, shl(64, 0x2671756f743b26616d703b262333393b266c743b2667743b))
} iszero(eq(s, end)) {} {
s := add(s, 1)
let c := and(mload(s), 0xff)
// Not in `["\"","'","&","<",">"]`.
if iszero(and(shl(c, 1), 0x500000c400000000)) {
mstore8(result, c)
result := add(result, 1)
let t := shr(248, mload(c))
mstore(result, mload(and(t, 31)))
result := add(result, shr(5, t))
let last := result
// Zeroize the slot after the string.
mstore(last, 0)
// Restore the result to the start of the free memory.
result := mload(0x40)
// Store the length of the result.
mstore(result, sub(last, add(result, 0x20)))
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, and(add(last, 31), not(31)))
/// @dev Escapes the string to be used within double-quotes in a JSON.
function escapeJSON(string memory s) internal pure returns (string memory result) {
/// @solidity memory-safe-assembly
assembly {
for {
let end := add(s, mload(s))
result := add(mload(0x40), 0x20)
// Store "\\u0000" in scratch space.
// Store "0123456789abcdef" in scratch space.
// Also, store `{0x08:"b", 0x09:"t", 0x0a:"n", 0x0c:"f", 0x0d:"r"}`.
// into the scratch space.
mstore(0x15, 0x5c75303030303031323334353637383961626364656662746e006672)
// Bitmask for detecting `["\"","\\"]`.
let e := or(shl(0x22, 1), shl(0x5c, 1))
} iszero(eq(s, end)) {} {
s := add(s, 1)
let c := and(mload(s), 0xff)
if iszero(lt(c, 0x20)) {
if iszero(and(shl(c, 1), e)) {
// Not in `["\"","\\"]`.
mstore8(result, c)
result := add(result, 1)
mstore8(result, 0x5c) // "\\".
mstore8(add(result, 1), c)
result := add(result, 2)
if iszero(and(shl(c, 1), 0x3700)) {
// Not in `["\b","\t","\n","\f","\d"]`.
mstore8(0x1d, mload(shr(4, c))) // Hex value.
mstore8(0x1e, mload(and(c, 15))) // Hex value.
mstore(result, mload(0x19)) // "\\u00XX".
result := add(result, 6)
mstore8(result, 0x5c) // "\\".
mstore8(add(result, 1), mload(add(c, 8)))
result := add(result, 2)
let last := result
// Zeroize the slot after the string.
mstore(last, 0)
// Restore the result to the start of the free memory.
result := mload(0x40)
// Store the length of the result.
mstore(result, sub(last, add(result, 0x20)))
// Allocate memory for the length and the bytes,
// rounded up to a multiple of 32.
mstore(0x40, and(add(last, 31), not(31)))
/// @dev Returns whether `a` equals `b`.
function eq(string memory a, string memory b) internal pure returns (bool result) {
assembly {
result := eq(keccak256(add(a, 0x20), mload(a)), keccak256(add(b, 0x20), mload(b)))
/// @dev Packs a single string with its length into a single word.
/// Returns `bytes32(0)` if the length is zero or greater than 31.
function packOne(string memory a) internal pure returns (bytes32 result) {
/// @solidity memory-safe-assembly
assembly {
// We don't need to zero right pad the string,
// since this is our own custom non-standard packing scheme.
result :=
// Load the length and the bytes.
mload(add(a, 0x1f)),
// `length != 0 && length < 32`. Abuses underflow.
// Assumes that the length is valid and within the block gas limit.
lt(sub(mload(a), 1), 0x1f)
/// @dev Unpacks a string packed using {packOne}.
/// Returns the empty string if `packed` is `bytes32(0)`.
/// If `packed` is not an output of {packOne}, the output behaviour is undefined.
function unpackOne(bytes32 packed) internal pure returns (string memory result) {
/// @solidity memory-safe-assembly
assembly {
// Grab the free memory pointer.
result := mload(0x40)
// Allocate 2 words (1 for the length, 1 for the bytes).
mstore(0x40, add(result, 0x40))
// Zeroize the length slot.
mstore(result, 0)
// Store the length and bytes.
mstore(add(result, 0x1f), packed)
// Right pad with zeroes.
mstore(add(add(result, 0x20), mload(result)), 0)
/// @dev Packs two strings with their lengths into a single word.
/// Returns `bytes32(0)` if combined length is zero or greater than 30.
function packTwo(string memory a, string memory b) internal pure returns (bytes32 result) {
/// @solidity memory-safe-assembly
assembly {
let aLength := mload(a)
// We don't need to zero right pad the strings,
// since this is our own custom non-standard packing scheme.
result :=
// Load the length and the bytes of `a` and `b`.
shl(shl(3, sub(0x1f, aLength)), mload(add(a, aLength))),
mload(sub(add(b, 0x1e), aLength))
// `totalLength != 0 && totalLength < 31`. Abuses underflow.
// Assumes that the lengths are valid and within the block gas limit.
lt(sub(add(aLength, mload(b)), 1), 0x1e)
/// @dev Unpacks strings packed using {packTwo}.
/// Returns the empty strings if `packed` is `bytes32(0)`.
/// If `packed` is not an output of {packTwo}, the output behaviour is undefined.
function unpackTwo(bytes32 packed)
returns (string memory resultA, string memory resultB)
/// @solidity memory-safe-assembly
assembly {
// Grab the free memory pointer.
resultA := mload(0x40)
resultB := add(resultA, 0x40)
// Allocate 2 words for each string (1 for the length, 1 for the byte). Total 4 words.
mstore(0x40, add(resultB, 0x40))
// Zeroize the length slots.
mstore(resultA, 0)
mstore(resultB, 0)
// Store the lengths and bytes.
mstore(add(resultA, 0x1f), packed)
mstore(add(resultB, 0x1f), mload(add(add(resultA, 0x20), mload(resultA))))
// Right pad with zeroes.
mstore(add(add(resultA, 0x20), mload(resultA)), 0)
mstore(add(add(resultB, 0x20), mload(resultB)), 0)
/// @dev Directly returns `a` without copying.
function directReturn(string memory a) internal pure {
assembly {
// Assumes that the string does not start from the scratch space.
let retStart := sub(a, 0x20)
let retSize := add(mload(a), 0x40)
// Right pad with zeroes. Just in case the string is produced
// by a method that doesn't zero right pad.
mstore(add(retStart, retSize), 0)
// Store the return offset.
mstore(retStart, 0x20)
// End the transaction, returning the string.
return(retStart, retSize)
// SPDX-License-Identifier: AGPL-3.0-only
pragma solidity >=0.8.0;
/// @notice Simple single owner authorization mixin.
/// @author Solmate (https://github.com/transmissions11/solmate/blob/main/src/auth/Owned.sol)
abstract contract Owned {
event OwnershipTransferred(address indexed user, address indexed newOwner);
address public owner;
modifier onlyOwner() virtual {
require(msg.sender == owner, "UNAUTHORIZED");
constructor(address _owner) {
owner = _owner;
emit OwnershipTransferred(address(0), _owner);
function transferOwnership(address newOwner) public virtual onlyOwner {
owner = newOwner;
emit OwnershipTransferred(msg.sender, newOwner);
