tornado-core/contracts/Tornado.sol

125 lines
5.3 KiB
Solidity
Raw Normal View History

2019-08-02 19:12:30 +02:00
// https://tornado.cash
/*
* d888888P dP a88888b. dP
* 88 88 d8' `88 88
* 88 .d8888b. 88d888b. 88d888b. .d8888b. .d888b88 .d8888b. 88 .d8888b. .d8888b. 88d888b.
* 88 88' `88 88' `88 88' `88 88' `88 88' `88 88' `88 88 88' `88 Y8ooooo. 88' `88
* 88 88. .88 88 88 88 88. .88 88. .88 88. .88 dP Y8. .88 88. .88 88 88 88
* dP `88888P' dP dP dP `88888P8 `88888P8 `88888P' 88 Y88888P' `88888P8 `88888P' dP dP
* ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
*/
2020-04-13 21:02:21 +02:00
pragma solidity 0.5.17;
2019-07-09 15:05:30 +02:00
import "./MerkleTreeWithHistory.sol";
2019-11-11 17:12:17 +01:00
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
2019-07-09 15:05:30 +02:00
contract IVerifier {
2019-11-04 20:42:41 +01:00
function verifyProof(bytes memory _proof, uint256[6] memory _input) public returns(bool);
2019-07-09 15:05:30 +02:00
}
2019-12-13 14:49:19 +01:00
contract Tornado is MerkleTreeWithHistory, ReentrancyGuard {
2019-10-04 16:27:47 +02:00
uint256 public denomination;
2019-11-04 22:04:22 +01:00
mapping(bytes32 => bool) public nullifierHashes;
2019-07-15 17:04:48 +02:00
// we store all commitments just to prevent accidental deposits with the same commitment
2019-11-04 22:04:22 +01:00
mapping(bytes32 => bool) public commitments;
2019-08-04 19:57:01 +02:00
IVerifier public verifier;
2019-10-04 16:27:47 +02:00
2019-11-09 00:48:35 +01:00
// operator can update snark verification key
// after the final trusted setup ceremony operator rights are supposed to be transferred to zero address
2019-11-01 01:56:24 +01:00
address public operator;
2019-10-04 16:27:47 +02:00
modifier onlyOperator {
require(msg.sender == operator, "Only operator can call this function.");
_;
}
2019-07-09 15:05:30 +02:00
2019-11-04 22:04:22 +01:00
event Deposit(bytes32 indexed commitment, uint32 leafIndex, uint256 timestamp);
event Withdrawal(address to, bytes32 nullifierHash, address indexed relayer, uint256 fee);
2019-07-09 15:05:30 +02:00
2019-07-10 14:35:46 +02:00
/**
@dev The constructor
@param _verifier the address of SNARK verifier for this contract
2019-11-04 20:45:56 +01:00
@param _denomination transfer amount for each deposit
2019-08-27 22:42:24 +02:00
@param _merkleTreeHeight the height of deposits' Merkle Tree
2019-11-04 20:45:56 +01:00
@param _operator operator address (see operator comment above)
2019-07-10 14:35:46 +02:00
*/
2019-07-12 17:04:45 +02:00
constructor(
2019-11-01 02:14:01 +01:00
IVerifier _verifier,
2019-10-04 16:27:47 +02:00
uint256 _denomination,
uint32 _merkleTreeHeight,
2019-11-01 01:56:24 +01:00
address _operator
2019-11-02 13:35:22 +01:00
) MerkleTreeWithHistory(_merkleTreeHeight) public {
2019-11-01 02:15:55 +01:00
require(_denomination > 0, "denomination should be greater than 0");
2019-11-01 02:14:01 +01:00
verifier = _verifier;
2019-08-02 19:12:30 +02:00
operator = _operator;
2019-10-04 16:27:47 +02:00
denomination = _denomination;
2019-07-09 15:05:30 +02:00
}
2019-10-04 16:27:47 +02:00
2019-09-06 23:22:30 +02:00
/**
2019-12-13 14:49:19 +01:00
@dev Deposit funds into the contract. The caller must send (for ETH) or approve (for ERC20) value equal to or `denomination` of this instance.
@param _commitment the note commitment, which is PedersenHash(nullifier + secret)
2019-09-06 23:22:30 +02:00
*/
2019-11-14 18:49:34 +01:00
function deposit(bytes32 _commitment) external payable nonReentrant {
require(!commitments[_commitment], "The commitment has been submitted");
2019-11-04 20:42:41 +01:00
uint32 insertedIndex = _insert(_commitment);
commitments[_commitment] = true;
_processDeposit();
2019-07-09 15:05:30 +02:00
emit Deposit(_commitment, insertedIndex, block.timestamp);
2019-09-06 23:22:30 +02:00
}
2019-10-04 16:27:47 +02:00
/** @dev this function is defined in a child contract */
2019-11-01 02:17:00 +01:00
function _processDeposit() internal;
2019-10-04 16:27:47 +02:00
2019-09-06 23:22:30 +02:00
/**
2019-12-13 14:49:19 +01:00
@dev Withdraw a deposit from the contract. `proof` is a zkSNARK proof data, and input is an array of circuit public inputs
2019-09-06 23:22:30 +02:00
`input` array consists of:
2019-12-13 14:49:19 +01:00
- merkle root of all deposits in the contract
2019-09-06 23:22:30 +02:00
- hash of unique deposit nullifier to prevent double spends
2019-11-07 08:04:29 +01:00
- the recipient of funds
2019-09-06 23:22:30 +02:00
- optional fee that goes to the transaction sender (usually a relay)
*/
2019-11-14 18:49:34 +01:00
function withdraw(bytes calldata _proof, bytes32 _root, bytes32 _nullifierHash, address payable _recipient, address payable _relayer, uint256 _fee, uint256 _refund) external payable nonReentrant {
2019-11-04 20:42:41 +01:00
require(_fee <= denomination, "Fee exceeds transfer value");
require(!nullifierHashes[_nullifierHash], "The note has been already spent");
require(isKnownRoot(_root), "Cannot find your merkle root"); // Make sure to use a recent one
2019-11-07 08:04:29 +01:00
require(verifier.verifyProof(_proof, [uint256(_root), uint256(_nullifierHash), uint256(_recipient), uint256(_relayer), _fee, _refund]), "Invalid withdraw proof");
2019-11-04 20:42:41 +01:00
nullifierHashes[_nullifierHash] = true;
2019-11-07 08:04:29 +01:00
_processWithdraw(_recipient, _relayer, _fee, _refund);
emit Withdrawal(_recipient, _nullifierHash, _relayer, _fee);
2019-07-09 15:05:30 +02:00
}
2019-07-15 18:15:06 +02:00
2019-10-04 16:27:47 +02:00
/** @dev this function is defined in a child contract */
2019-11-07 08:04:29 +01:00
function _processWithdraw(address payable _recipient, address payable _relayer, uint256 _fee, uint256 _refund) internal;
2019-10-04 16:27:47 +02:00
/** @dev whether a note is already spent */
2019-11-28 04:45:52 +01:00
function isSpent(bytes32 _nullifierHash) public view returns(bool) {
return nullifierHashes[_nullifierHash];
2019-10-04 16:27:47 +02:00
}
2019-11-28 04:45:52 +01:00
/** @dev whether an array of notes is already spent */
function isSpentArray(bytes32[] calldata _nullifierHashes) external view returns(bool[] memory spent) {
spent = new bool[](_nullifierHashes.length);
for(uint i = 0; i < _nullifierHashes.length; i++) {
if (isSpent(_nullifierHashes[i])) {
spent[i] = true;
}
}
}
2019-10-04 16:27:47 +02:00
/**
@dev allow operator to update SNARK verification keys. This is needed to update keys after the final trusted setup ceremony is held.
2019-11-09 00:48:35 +01:00
After that operator rights are supposed to be transferred to zero address
2019-10-04 16:27:47 +02:00
*/
function updateVerifier(address _newVerifier) external onlyOperator {
verifier = IVerifier(_newVerifier);
}
2019-10-04 16:27:47 +02:00
/** @dev operator can change his address */
2019-11-01 02:28:46 +01:00
function changeOperator(address _newOperator) external onlyOperator {
operator = _newOperator;
2019-08-01 18:58:34 +02:00
}
2019-07-10 18:58:21 +02:00
}