// SPDX-License-Identifier: MIT
// https://tornado.cash
/*
* d888888P dP a88888b. dP
* 88 88 d8' `88 88
* 88 .d8888b. 88d888b. 88d888b. .d8888b. .d888b88 .d8888b. 88 .d8888b. .d8888b. 88d888b.
* 88 88' `88 88' `88 88' `88 88' `88 88' `88 88' `88 88 88' `88 Y8ooooo. 88' `88
* 88 88. .88 88 88 88 88. .88 88. .88 88. .88 dP Y8. .88 88. .88 88 88 88
* dP `88888P' dP dP dP `88888P8 `88888P8 `88888P' 88 Y88888P' `88888P8 `88888P' dP dP
* ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
*/
pragma solidity ^0.6.0;
pragma experimental ABIEncoderV2;
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol"; // todo: maybe remove?
interface IVerifier {
  /// @notice Verifies a SNARK proof for the 2-input transaction circuit.
  /// @param _proof the serialized proof
  /// @param _input the 10 public inputs of the 2-input circuit
  /// @return true iff the proof is valid for `_input`
  function verifyProof(bytes memory _proof, uint256[10] memory _input) external view returns (bool);

  /// @notice Verifies a SNARK proof for the 16-input transaction circuit.
  /// @param _proof the serialized proof
  /// @param _input the 24 public inputs of the 16-input circuit
  /// @return true iff the proof is valid for `_input`
  function verifyProof(bytes memory _proof, uint256[24] memory _input) external view returns (bool);
}
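contract TornadoPool is ReentrancyGuard {
  /// @dev Order of the SNARK scalar field; values fed to the circuit are reduced modulo this.
  uint256 public constant FIELD_SIZE = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
  /// @dev Strict bound on the magnitude of an external (deposit/withdrawal) amount.
  uint256 public constant MAX_EXT_AMOUNT = 2**248 - 1;

  /// @dev nullifier hash => spent flag; each nullifier can be consumed at most once.
  mapping(bytes32 => bool) public nullifierHashes;
  /// @dev Root of the commitment tree that the next transaction must build on.
  bytes32 public currentRoot;
  /// @dev Number of commitments inserted so far, i.e. the index of the next leaf.
  uint256 public currentCommitmentIndex;
  IVerifier public immutable verifier2;
  IVerifier public immutable verifier16;

  /// @dev Data committed to by `_extDataHash` (part of the proof) but interpreted by the contract, not the circuit.
  struct ExtData {
    address payable recipient;
    address payable relayer;
    bytes encryptedOutput1;
    bytes encryptedOutput2;
  }

  event NewCommitment(bytes32 commitment, uint256 index, bytes encryptedOutput);
  event NewNullifier(bytes32 nullifier);

  /**
    @dev The constructor
    @param _verifier2 the address of SNARK verifier for 2 inputs
    @param _verifier16 the address of SNARK verifier for 16 inputs
    @param _currentRoot the root of the commitment tree the pool starts from
  */
  constructor(
    IVerifier _verifier2,
    IVerifier _verifier16,
    bytes32 _currentRoot
  ) public {
    verifier2 = _verifier2;
    verifier16 = _verifier16;
    currentRoot = _currentRoot;
  }

  /**
    @dev Executes a shielded transaction: consumes `_inputNullifiers`, inserts the two output
    commitments, advances the tree root from `_root` to `_newRoot` and settles the external
    ETH amount and the relayer fee. Reverts if any check or the proof fails, which also rolls
    back every state write made before the failing check.
    @param _proof the SNARK proof, forwarded to the verifier matching the input count
    @param _root the tree root the proof was built against; must equal `currentRoot`
    @param _newRoot the tree root after inserting both output commitments
    @param _inputNullifiers nullifier hashes of the spent inputs (2 or 16 of them)
    @param _outputCommitments the two new commitments
    @param _outPathIndices position of the output pair in the tree, checked against `currentCommitmentIndex`
    @param _extAmount external amount as a field element (see `calculateExternalAmount`)
    @param _fee fee paid from the pool balance to `_extData.relayer`
    @param _extData recipient, relayer and encrypted outputs; hashed into `_extDataHash`
    @param _extDataHash `keccak256(abi.encode(_extData))` reduced modulo `FIELD_SIZE`
  */
  function transaction(
    bytes calldata _proof,
    bytes32 _root,
    bytes32 _newRoot,
    bytes32[] calldata _inputNullifiers,
    bytes32[2] calldata _outputCommitments,
    uint256 _outPathIndices,
    uint256 _extAmount,
    uint256 _fee,
    ExtData calldata _extData,
    bytes32 _extDataHash
  ) external payable nonReentrant {
    require(currentRoot == _root, "Invalid merkle root");

    // Check and mark in a single pass so that the same nullifier listed twice in one call is
    // rejected on its second occurrence. Writing the flag before the proof is verified is safe:
    // any later failing `require` reverts the whole call, including these writes.
    for (uint256 i = 0; i < _inputNullifiers.length; i++) {
      require(!isSpent(_inputNullifiers[i]), "Input is already spent");
      nullifierHashes[_inputNullifiers[i]] = true;
    }

    // Binds recipient/relayer/encrypted outputs to the proof so a relayer cannot swap them.
    require(uint256(_extDataHash) == uint256(keccak256(abi.encode(_extData))) % FIELD_SIZE, "Incorrect external data hash");
    // Outputs are inserted as a pair, so the pair's slot is the commitment index halved.
    require(_outPathIndices == currentCommitmentIndex >> 1, "Invalid merkle tree insert position");
    require(
      verifyProof(_proof, _root, _newRoot, _inputNullifiers, _outputCommitments, _outPathIndices, _extAmount, _fee, _extDataHash),
      "Invalid transaction proof"
    );

    currentRoot = _newRoot;

    // All state is settled above; only ETH movements follow (checks-effects-interactions).
    // `transfer` forwards a fixed 2300 gas stipend, so a contract recipient/relayer whose
    // fallback needs more gas makes the whole transaction revert.
    int256 extAmount = calculateExternalAmount(_extAmount);
    if (extAmount > 0) {
      require(msg.value == uint256(extAmount), "Incorrect amount of ETH sent on deposit");
    } else if (extAmount < 0) {
      require(msg.value == 0, "Sent ETH amount should be 0 for withdrawal");
      require(_extData.recipient != address(0), "Can't withdraw to zero address");
      _extData.recipient.transfer(uint256(-extAmount));
    } else {
      require(msg.value == 0, "Sent ETH amount should be 0 for transaction");
    }

    if (_fee > 0) {
      // A zero relayer with a non-zero fee would burn the fee; reject it explicitly.
      require(_extData.relayer != address(0), "Can't pay fee to zero address");
      _extData.relayer.transfer(_fee);
    }

    uint256 firstIndex = currentCommitmentIndex;
    currentCommitmentIndex = firstIndex + 2;
    emit NewCommitment(_outputCommitments[0], firstIndex, _extData.encryptedOutput1);
    emit NewCommitment(_outputCommitments[1], firstIndex + 1, _extData.encryptedOutput2);
    for (uint256 i = 0; i < _inputNullifiers.length; i++) {
      emit NewNullifier(_inputNullifiers[i]);
    }
  }

  /**
    @dev Decodes the circuit's field-element encoding of the external amount into a signed value:
    small values are positive deposits, values just below `FIELD_SIZE` are negative withdrawals.
    @param _extAmount the encoded amount; must satisfy -MAX_EXT_AMOUNT < extAmount < MAX_EXT_AMOUNT
    @return the decoded signed amount; reverts for any value outside the two valid ranges,
    including values >= FIELD_SIZE (which would otherwise wrap, since 0.6 arithmetic is unchecked)
  */
  function calculateExternalAmount(uint256 _extAmount) public pure returns (int256) {
    // -MAX_EXT_AMOUNT < extAmount < MAX_EXT_AMOUNT
    if (_extAmount < MAX_EXT_AMOUNT) {
      return int256(_extAmount);
    } else if (_extAmount > FIELD_SIZE - MAX_EXT_AMOUNT && _extAmount < FIELD_SIZE) {
      // FIELD_SIZE - MAX_EXT_AMOUNT < _extAmount < FIELD_SIZE
      // Both operands are below 2**254, so the signed subtraction cannot overflow.
      return -(int256(FIELD_SIZE) - int256(_extAmount));
    } else {
      revert("Invalid extAmount value");
    }
  }

  /** @dev whether a note is already spent */
  function isSpent(bytes32 _nullifierHash) public view returns (bool) {
    return nullifierHashes[_nullifierHash];
  }

  /**
    @dev Dispatches to the verifier matching the number of inputs and lays the public inputs
    out in the order the circuits expect: root, newRoot, extAmount, fee, extDataHash,
    the input nullifiers, the two output commitments, then the output path index.
    @return true iff the proof is valid; reverts for an input count other than 2 or 16
  */
  function verifyProof(
    bytes memory _proof,
    bytes32 _root,
    bytes32 _newRoot,
    bytes32[] memory _inputNullifiers,
    bytes32[2] memory _outputCommitments,
    uint256 _outPathIndices,
    uint256 _extAmount,
    uint256 _fee,
    bytes32 _extDataHash
  ) public view returns (bool) {
    if (_inputNullifiers.length == 2) {
      return
        verifier2.verifyProof(
          _proof,
          [
            uint256(_root),
            uint256(_newRoot),
            _extAmount,
            _fee,
            uint256(_extDataHash),
            uint256(_inputNullifiers[0]),
            uint256(_inputNullifiers[1]),
            uint256(_outputCommitments[0]),
            uint256(_outputCommitments[1]),
            _outPathIndices
          ]
        );
    } else if (_inputNullifiers.length == 16) {
      return
        verifier16.verifyProof(
          _proof,
          [
            uint256(_root),
            uint256(_newRoot),
            _extAmount,
            _fee,
            uint256(_extDataHash),
            uint256(_inputNullifiers[0]),
            uint256(_inputNullifiers[1]),
            uint256(_inputNullifiers[2]),
            uint256(_inputNullifiers[3]),
            uint256(_inputNullifiers[4]),
            uint256(_inputNullifiers[5]),
            uint256(_inputNullifiers[6]),
            uint256(_inputNullifiers[7]),
            uint256(_inputNullifiers[8]),
            uint256(_inputNullifiers[9]),
            uint256(_inputNullifiers[10]),
            uint256(_inputNullifiers[11]),
            uint256(_inputNullifiers[12]),
            uint256(_inputNullifiers[13]),
            uint256(_inputNullifiers[14]),
            uint256(_inputNullifiers[15]),
            uint256(_outputCommitments[0]),
            uint256(_outputCommitments[1]),
            _outPathIndices
          ]
        );
    } else {
      revert("unsupported input count");
    }
  }
}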