Contract Name:
ValidatorsRegistry
Contract Source Code:
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.0.0) (access/Ownable.sol)
pragma solidity ^0.8.20;
import {Context} from "../utils/Context.sol";
/**
* @dev Contract module which provides a basic access control mechanism, where
* there is an account (an owner) that can be granted exclusive access to
* specific functions.
*
* The initial owner is set to the address provided by the deployer. This can
* later be changed with {transferOwnership}.
*
* This module is used through inheritance. It will make available the modifier
* `onlyOwner`, which can be applied to your functions to restrict their use to
* the owner.
*/
abstract contract Ownable is Context {
address private _owner;
/**
* @dev The caller account is not authorized to perform an operation.
*/
error OwnableUnauthorizedAccount(address account);
/**
* @dev The owner is not a valid owner account. (eg. `address(0)`)
*/
error OwnableInvalidOwner(address owner);
event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
/**
* @dev Initializes the contract setting the address provided by the deployer as the initial owner.
*/
constructor(address initialOwner) {
if (initialOwner == address(0)) {
revert OwnableInvalidOwner(address(0));
}
_transferOwnership(initialOwner);
}
/**
* @dev Throws if called by any account other than the owner.
*/
modifier onlyOwner() {
_checkOwner();
_;
}
/**
* @dev Returns the address of the current owner.
*/
function owner() public view virtual returns (address) {
return _owner;
}
/**
* @dev Throws if the sender is not the owner.
*/
function _checkOwner() internal view virtual {
if (owner() != _msgSender()) {
revert OwnableUnauthorizedAccount(_msgSender());
}
}
/**
* @dev Leaves the contract without owner. It will not be possible to call
* `onlyOwner` functions. Can only be called by the current owner.
*
* NOTE: Renouncing ownership will leave the contract without an owner,
* thereby disabling any functionality that is only available to the owner.
*/
function renounceOwnership() public virtual onlyOwner {
_transferOwnership(address(0));
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual onlyOwner {
if (newOwner == address(0)) {
revert OwnableInvalidOwner(address(0));
}
_transferOwnership(newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual {
address oldOwner = _owner;
_owner = newOwner;
emit OwnershipTransferred(oldOwner, newOwner);
}
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.0.1) (utils/Context.sol)
pragma solidity ^0.8.20;
/**
* @dev Provides information about the current execution context, including the
* sender of the transaction and its data. While these are generally available
* via msg.sender and msg.data, they should not be accessed in such a direct
* manner, since when dealing with meta-transactions the account sending and
* paying for execution may not be the actual sender (as far as an application
* is concerned).
*
* This contract is only required for intermediate, library-like contracts.
*/
abstract contract Context {
function _msgSender() internal view virtual returns (address) {
return msg.sender;
}
function _msgData() internal view virtual returns (bytes calldata) {
return msg.data;
}
function _contextSuffixLength() internal view virtual returns (uint256) {
return 0;
}
}
// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.0.0) (utils/cryptography/ECDSA.sol)
pragma solidity ^0.8.20;
/**
* @dev Elliptic Curve Digital Signature Algorithm (ECDSA) operations.
*
* These functions can be used to verify that a message was signed by the holder
* of the private keys of a given address.
*/
library ECDSA {
enum RecoverError {
NoError,
InvalidSignature,
InvalidSignatureLength,
InvalidSignatureS
}
/**
* @dev The signature derives the `address(0)`.
*/
error ECDSAInvalidSignature();
/**
* @dev The signature has an invalid length.
*/
error ECDSAInvalidSignatureLength(uint256 length);
/**
* @dev The signature has an S value that is in the upper half order.
*/
error ECDSAInvalidSignatureS(bytes32 s);
/**
* @dev Returns the address that signed a hashed message (`hash`) with `signature` or an error. This will not
* return address(0) without also returning an error description. Errors are documented using an enum (error type)
* and a bytes32 providing additional information about the error.
*
* If no error is returned, then the address can be used for verification purposes.
*
* The `ecrecover` EVM precompile allows for malleable (non-unique) signatures:
* this function rejects them by requiring the `s` value to be in the lower
* half order, and the `v` value to be either 27 or 28.
*
* IMPORTANT: `hash` _must_ be the result of a hash operation for the
* verification to be secure: it is possible to craft signatures that
* recover to arbitrary addresses for non-hashed data. A safe way to ensure
* this is by receiving a hash of the original message (which may otherwise
* be too long), and then calling {MessageHashUtils-toEthSignedMessageHash} on it.
*
* Documentation for signature generation:
* - with https://web3js.readthedocs.io/en/v1.3.4/web3-eth-accounts.html#sign[Web3.js]
* - with https://docs.ethers.io/v5/api/signer/#Signer-signMessage[ethers]
*/
function tryRecover(bytes32 hash, bytes memory signature) internal pure returns (address, RecoverError, bytes32) {
if (signature.length == 65) {
bytes32 r;
bytes32 s;
uint8 v;
// ecrecover takes the signature parameters, and the only way to get them
// currently is to use assembly.
/// @solidity memory-safe-assembly
assembly {
r := mload(add(signature, 0x20))
s := mload(add(signature, 0x40))
v := byte(0, mload(add(signature, 0x60)))
}
return tryRecover(hash, v, r, s);
} else {
return (address(0), RecoverError.InvalidSignatureLength, bytes32(signature.length));
}
}
/**
* @dev Returns the address that signed a hashed message (`hash`) with
* `signature`. This address can then be used for verification purposes.
*
* The `ecrecover` EVM precompile allows for malleable (non-unique) signatures:
* this function rejects them by requiring the `s` value to be in the lower
* half order, and the `v` value to be either 27 or 28.
*
* IMPORTANT: `hash` _must_ be the result of a hash operation for the
* verification to be secure: it is possible to craft signatures that
* recover to arbitrary addresses for non-hashed data. A safe way to ensure
* this is by receiving a hash of the original message (which may otherwise
* be too long), and then calling {MessageHashUtils-toEthSignedMessageHash} on it.
*/
function recover(bytes32 hash, bytes memory signature) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, signature);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Overload of {ECDSA-tryRecover} that receives the `r` and `vs` short-signature fields separately.
*
* See https://eips.ethereum.org/EIPS/eip-2098[EIP-2098 short signatures]
*/
function tryRecover(bytes32 hash, bytes32 r, bytes32 vs) internal pure returns (address, RecoverError, bytes32) {
unchecked {
bytes32 s = vs & bytes32(0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff);
// We do not check for an overflow here since the shift operation results in 0 or 1.
uint8 v = uint8((uint256(vs) >> 255) + 27);
return tryRecover(hash, v, r, s);
}
}
/**
* @dev Overload of {ECDSA-recover} that receives the `r and `vs` short-signature fields separately.
*/
function recover(bytes32 hash, bytes32 r, bytes32 vs) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, r, vs);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Overload of {ECDSA-tryRecover} that receives the `v`,
* `r` and `s` signature fields separately.
*/
function tryRecover(
bytes32 hash,
uint8 v,
bytes32 r,
bytes32 s
) internal pure returns (address, RecoverError, bytes32) {
// EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make the signature
// unique. Appendix F in the Ethereum Yellow paper (https://ethereum.github.io/yellowpaper/paper.pdf), defines
// the valid range for s in (301): 0 < s < secp256k1n ÷ 2 + 1, and for v in (302): v ∈ {27, 28}. Most
// signatures from current libraries generate a unique signature with an s-value in the lower half order.
//
// If your library generates malleable signatures, such as s-values in the upper range, calculate a new s-value
// with 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 - s1 and flip v from 27 to 28 or
// vice versa. If your library also generates signatures with 0/1 for v instead 27/28, add 27 to v to accept
// these malleable signatures as well.
if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
return (address(0), RecoverError.InvalidSignatureS, s);
}
// If the signature is valid (and not malleable), return the signer address
address signer = ecrecover(hash, v, r, s);
if (signer == address(0)) {
return (address(0), RecoverError.InvalidSignature, bytes32(0));
}
return (signer, RecoverError.NoError, bytes32(0));
}
/**
* @dev Overload of {ECDSA-recover} that receives the `v`,
* `r` and `s` signature fields separately.
*/
function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, v, r, s);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Optionally reverts with the corresponding custom error according to the `error` argument provided.
*/
function _throwError(RecoverError error, bytes32 errorArg) private pure {
if (error == RecoverError.NoError) {
return; // no error: do nothing
} else if (error == RecoverError.InvalidSignature) {
revert ECDSAInvalidSignature();
} else if (error == RecoverError.InvalidSignatureLength) {
revert ECDSAInvalidSignatureLength(uint256(errorArg));
} else if (error == RecoverError.InvalidSignatureS) {
revert ECDSAInvalidSignatureS(errorArg);
}
}
}
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.27;
/// State oracle provides the hash of a different chain state.
interface IStateOracle {
function lastState() external view returns (bytes32);
function lastBlockNum() external view returns (uint256);
function lastUpdateTime() external view returns (uint256);
function chainId() external view returns (uint256);
function update(uint256 blockNum, bytes32 stateRoot) external;
}
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.27;
/// Update verifier provides a way to verify validators signatures on an update.
/// It provides access to the validators registry for the purpose of inter-chain synchronization.
interface IUpdateVerifier {
struct Validator {
uint256 id;
address addr;
uint256 weight;
}
/// Verify the state oracle update signatures
function verifyUpdate(uint256 blockNum, bytes32 stateRoot, uint256 chainId, bytes calldata newValidators, address proofVerifier, address updateVerifier, address exitAdmin, bytes[] calldata signatures) external view returns (uint256[] memory);
/// Write into the validators registry - reverts if the registry is readonly.
function setValidators(bytes calldata newValidators) external;
/// Get the highest validator id for purpose of iterating
function lastValidatorId() external view returns(uint256);
/// Get validator pubkey address by validator id
function validatorAddress(uint256 index) external view returns(address);
/// Get validator weight by validator address
function validatorWeight(address addr) external view returns(uint256);
/// Get validator id by validator pubkey address
function validatorId(address addr) external view returns(uint256);
/// Get weight of all registered validators
function totalWeight() external view returns(uint256);
/// Get weight necessary to update the state oracle
function getQuorum() external view returns (uint256);
}
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.27;
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {IUpdateVerifier} from "./interfaces/IUpdateVerifier.sol";
import {IStateOracle} from "./interfaces/IStateOracle.sol";
/// Validators registry is an update verifier which use its internal storage of validators.
/// To be owned by UpdateManager, to allow setting validators by signed updates.
/// @custom:security-contact [email protected]
contract ValidatorsRegistry is Ownable, IUpdateVerifier {
mapping(address validatorId => uint256 weight) public validatorWeight;
mapping(address validatorAddr => uint256 validatorId) public validatorId;
uint256 public totalWeight;
address[] public validatorAddress;
IStateOracle public immutable stateOracle; // for threshold decreasing on stateOracle inactivity
constructor(address _stateOracle, address _ownedBy) Ownable(_ownedBy) {
stateOracle = IStateOracle(_stateOracle); // zero allowed (if no threshold decreasing should be applied)
validatorAddress.push(); // avoid lastValidatorId underflow
}
function lastValidatorId() public view returns(uint256) {
return validatorAddress.length - 1; // index 0 is not used
}
function setValidators(bytes calldata newValidatorsBytes) onlyOwner external {
IUpdateVerifier.Validator[] memory newValidators = abi.decode(newValidatorsBytes, (IUpdateVerifier.Validator[]));
uint256 total = totalWeight;
for (uint16 i; i < newValidators.length; i++) {
uint256 id = newValidators[i].id;
address newAddr = newValidators[i].addr;
uint256 newWeight = newValidators[i].weight;
require(id != 0, "validator id cannot be 0");
if (validatorAddress.length <= id) {
// adding new validator id
require(validatorId[newAddr] == 0, "setting duplicate address");
extendValidatorsArray(id + 1);
validatorAddress[id] = newAddr;
validatorId[newAddr] = id;
} else {
// existing validator id
address oldAddr = validatorAddress[id];
total -= validatorWeight[oldAddr];
if (oldAddr != newAddr) {
// setting new address (public key)
require(validatorId[newAddr] == 0, "setting duplicate address");
delete validatorWeight[oldAddr];
delete validatorId[oldAddr];
validatorAddress[id] = newAddr;
validatorId[newAddr] = id;
}
}
validatorWeight[newAddr] = newWeight;
total += newWeight;
}
totalWeight = total;
}
function extendValidatorsArray(uint256 newLength) private {
// set validatorAddress.length
assembly {
sstore(validatorAddress.slot, newLength)
}
}
/// Verify the state oracle update signatures
function verifyUpdate(uint256 blockNum, bytes32 stateRoot, uint256 chainId, bytes calldata newValidators, address proofVerifier, address updateVerifier, address exitAdmin, bytes[] calldata signatures) external view returns (uint256[] memory) {
bytes32 messageHash = keccak256(abi.encodePacked(uint8(0x19), uint8(0x00), msg.sender, blockNum, stateRoot, chainId, newValidators, proofVerifier, updateVerifier, exitAdmin));
uint256 weight = 0;
address lastSigner = address(0);
uint256[] memory signers = new uint256[](signatures.length);
for (uint16 i; i < signatures.length; i++) {
address signer = ECDSA.recover(messageHash, signatures[i]);
uint256 signerWeight = validatorWeight[signer];
require(signerWeight > 0, "Invalid signer");
require(signer > lastSigner, "Invalid signatures order"); // ensures signers uniqueness
lastSigner = signer;
weight += signerWeight;
signers[i] = validatorId[signer];
}
if (weight > (totalWeight * 2 / 3)) {
return signers; // fast path
}
// allow updating with lower quorum if the oracle is dying
if (weight > getQuorum()) {
return signers;
}
revert("Insufficient signatures weight");
}
function getQuorum() public view returns (uint256) {
uint256 total = totalWeight;
uint256 initialQuorum = total * 2 / 3; // 66%
uint256 recoveryQuorum = total * 55 / 100; // 55%
uint256 rebornQuorum = total / 3; // 33%
if (address(stateOracle) == address(0)) {
return initialQuorum; // threshold decreasing not enabled
}
uint256 lastUpdateTime = stateOracle.lastUpdateTime();
if (lastUpdateTime == 0) {
return initialQuorum; // state oracle not initialized yet
}
uint256 offlineTime = block.timestamp - lastUpdateTime;
if (offlineTime <= 5 days) {
return initialQuorum;
}
if (offlineTime <= 7 days) {
return slope(initialQuorum, recoveryQuorum, offlineTime - 5 days, 2 days);
}
if (offlineTime <= 182 days) {
return recoveryQuorum;
}
if (offlineTime <= 189 days) {
return slope(recoveryQuorum, rebornQuorum, offlineTime - 182 days, 7 days);
}
return rebornQuorum;
}
function slope(uint256 maxOut, uint256 minOut, uint256 currentDuration, uint256 totalDuration) private pure returns (uint256) {
uint256 slopeHeight = maxOut - minOut;
return maxOut - (slopeHeight * currentDuration / totalDuration);
}
}