tornado-nova/contracts/TornadoPool.sol

// SPDX-License-Identifier: MIT
// https://tornado.cash
/*
 * d888888P                                           dP              a88888b.                   dP
 *    88                                              88             d8'   `88                   88
 *    88    .d8888b. 88d888b. 88d888b. .d8888b. .d888b88 .d8888b.    88        .d8888b. .d8888b. 88d888b.
 *    88    88'  `88 88'  `88 88'  `88 88'  `88 88'  `88 88'  `88    88        88'  `88 Y8ooooo. 88'  `88
 *    88    88.  .88 88       88    88 88.  .88 88.  .88 88.  .88 dP Y8.   .88 88.  .88       88 88    88
 *    dP    `88888P' dP       dP    dP `88888P8 `88888P8 `88888P' 88  Y88888P' `88888P8 `88888P' dP    dP
 * ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
 */

pragma solidity ^0.7.0;
pragma experimental ABIEncoderV2;
import "@openzeppelin/contracts-upgradeable/proxy/Initializable.sol";

interface IVerifier {
  function verifyProof(bytes memory _proof, uint256[9] memory _input) external view returns (bool);

  function verifyProof(bytes memory _proof, uint256[23] memory _input) external view returns (bool);
}

interface ERC20 {
  function transfer(address to, uint256 value) external returns (bool);
}

contract TornadoPool is Initializable {
  uint256 public constant FIELD_SIZE = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
  int256 public constant MAX_EXT_AMOUNT = 2**248;
  uint256 public constant MAX_FEE = 2**248;

  mapping(bytes32 => bool) public nullifierHashes;
  bytes32 public currentRoot;
  uint256 public currentCommitmentIndex;
  IVerifier public immutable verifier2;
  IVerifier public immutable verifier16;

  struct ExtData {
    address payable recipient;
    int256 extAmount;
    address payable relayer;
    uint256 fee;
    bytes encryptedOutput1;
    bytes encryptedOutput2;
  }

  struct Proof {
    bytes proof;
    bytes32 root;
    bytes32 newRoot;
    bytes32[] inputNullifiers;
    bytes32[2] outputCommitments;
    uint256 outPathIndices;
    uint256 publicAmount;
    bytes32 extDataHash;
  }

  struct Register {
    bytes pubKey;
    bytes account;
  }

  event NewCommitment(bytes32 commitment, uint256 index, bytes encryptedOutput);
  event NewNullifier(bytes32 nullifier);
  event PublicKey(address indexed owner, bytes key);
  event EncryptedAccount(address indexed owner, bytes account);

  /**
    @dev The constructor
    @param _verifier2 the address of SNARK verifier for 2 inputs
    @param _verifier16 the address of SNARK verifier for 16 inputs
  */
  constructor(IVerifier _verifier2, IVerifier _verifier16) {
    verifier2 = _verifier2;
    verifier16 = _verifier16;
  }

  function initialize(bytes32 _currentRoot) external initializer {
    currentRoot = _currentRoot;
  }

  function transaction(Proof calldata _args, ExtData calldata _extData) public payable {
    require(currentRoot == _args.root, "Invalid merkle root");
    for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {
      require(!isSpent(_args.inputNullifiers[i]), "Input is already spent");
    }
    require(uint256(_args.extDataHash) == uint256(keccak256(abi.encode(_extData))) % FIELD_SIZE, "Incorrect external data hash");
    uint256 cachedCommitmentIndex = currentCommitmentIndex;
    require(_args.outPathIndices == cachedCommitmentIndex >> 1, "Invalid merkle tree insert position");
    require(_args.publicAmount == calculatePublicAmount(_extData.extAmount, _extData.fee), "Invalid public amount");
    require(verifyProof(_args), "Invalid transaction proof");

    currentRoot = _args.newRoot;
    currentCommitmentIndex = cachedCommitmentIndex + 2;
    for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {
      nullifierHashes[_args.inputNullifiers[i]] = true;
    }

    if (_extData.extAmount > 0) {
      require(msg.value == uint256(_extData.extAmount), "Incorrect amount of ETH sent on deposit");
    } else if (_extData.extAmount < 0) {
      require(msg.value == 0, "Sent ETH amount should be 0 for withdrawal");
      require(_extData.recipient != address(0), "Can't withdraw to zero address");
      _transfer(_extData.recipient, uint256(-_extData.extAmount));
    } else {
      require(msg.value == 0, "Sent ETH amount should be 0 for transaction");
    }

    if (_extData.fee > 0) {
      _transfer(_extData.relayer, _extData.fee);
    }

    emit NewCommitment(_args.outputCommitments[0], cachedCommitmentIndex, _extData.encryptedOutput1);
    emit NewCommitment(_args.outputCommitments[1], cachedCommitmentIndex + 1, _extData.encryptedOutput2);
    for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {
      emit NewNullifier(_args.inputNullifiers[i]);
    }
  }

  function _transfer(address payable _to, uint256 _amount) internal {
    uint256 id;
    assembly {
      id := chainid()
    }
    if (id == 10) {
      ERC20(0x4200000000000000000000000000000000000006).transfer(_to, _amount);
    } else {
      _to.transfer(_amount);
    }
  }

  function calculatePublicAmount(int256 _extAmount, uint256 _fee) public pure returns (uint256) {
    require(_fee < MAX_FEE, "Invalid fee");
    require(_extAmount > -MAX_EXT_AMOUNT && _extAmount < MAX_EXT_AMOUNT, "Invalid ext amount");
    int256 publicAmount = _extAmount - int256(_fee);
    return (publicAmount >= 0) ? uint256(publicAmount) : FIELD_SIZE - uint256(-publicAmount);
  }

  /** @dev whether a note is already spent */
  function isSpent(bytes32 _nullifierHash) public view returns (bool) {
    return nullifierHashes[_nullifierHash];
  }

  function verifyProof(Proof calldata _args) public view returns (bool) {
    if (_args.inputNullifiers.length == 2) {
      return
        verifier2.verifyProof(
          _args.proof,
          [
            uint256(_args.root),
            uint256(_args.newRoot),
            _args.publicAmount,
            uint256(_args.extDataHash),
            uint256(_args.inputNullifiers[0]),
            uint256(_args.inputNullifiers[1]),
            uint256(_args.outputCommitments[0]),
            uint256(_args.outputCommitments[1]),
            _args.outPathIndices
          ]
        );
    } else if (_args.inputNullifiers.length == 16) {
      return
        verifier16.verifyProof(
          _args.proof,
          [
            uint256(_args.root),
            uint256(_args.newRoot),
            _args.publicAmount,
            uint256(_args.extDataHash),
            uint256(_args.inputNullifiers[0]),
            uint256(_args.inputNullifiers[1]),
            uint256(_args.inputNullifiers[2]),
            uint256(_args.inputNullifiers[3]),
            uint256(_args.inputNullifiers[4]),
            uint256(_args.inputNullifiers[5]),
            uint256(_args.inputNullifiers[6]),
            uint256(_args.inputNullifiers[7]),
            uint256(_args.inputNullifiers[8]),
            uint256(_args.inputNullifiers[9]),
            uint256(_args.inputNullifiers[10]),
            uint256(_args.inputNullifiers[11]),
            uint256(_args.inputNullifiers[12]),
            uint256(_args.inputNullifiers[13]),
            uint256(_args.inputNullifiers[14]),
            uint256(_args.inputNullifiers[15]),
            uint256(_args.outputCommitments[0]),
            uint256(_args.outputCommitments[1]),
            _args.outPathIndices
          ]
        );
    } else {
      revert("unsupported input count");
    }
  }

  function register(Register calldata args) public {
    emit PublicKey(msg.sender, args.pubKey);
    emit EncryptedAccount(msg.sender, args.account);
  }

  function registerAndTransact(
    Register calldata _registerArgs,
    Proof calldata _proofArgs,
    ExtData calldata _extData
  ) external payable {
    register(_registerArgs);
    transaction(_proofArgs, _extData);
  }
}
update 2021-06-06 19:31:32 +02:00			`// SPDX-License-Identifier: MIT`
initial 2020-04-08 11:41:12 +02:00			`// https://tornado.cash`
			`/*`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`* d888888P dP a88888b. dP`
			* 88 88 d8' `88 88
			`* 88 .d8888b. 88d888b. 88d888b. .d8888b. .d888b88 .d8888b. 88 .d8888b. .d8888b. 88d888b.`
			* 88 88' `88 88' `88 88' `88 88' `88 88' `88 88' `88 88 88' `88 Y8ooooo. 88' `88
			`* 88 88. .88 88 88 88 88. .88 88. .88 88. .88 dP Y8. .88 88. .88 88 88 88`
			* dP `88888P' dP dP dP `88888P8 `88888P8 `88888P' 88 Y88888P' `88888P8 `88888P' dP dP
			`* ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo`
			`*/`
initial 2020-04-08 11:41:12 +02:00
solidity 7 2021-07-06 23:10:18 +02:00			`pragma solidity ^0.7.0;`
updates 2021-06-07 12:12:15 +02:00			`pragma experimental ABIEncoderV2;`
Upgradeability tests 2021-08-05 09:29:49 +02:00			`import "@openzeppelin/contracts-upgradeable/proxy/Initializable.sol";`
initial 2020-04-08 11:41:12 +02:00
update 2021-06-06 19:31:32 +02:00			`interface IVerifier {`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`function verifyProof(bytes memory _proof, uint256[9] memory _input) external view returns (bool);`
lint, CI, Readme 2021-06-16 02:31:31 +02:00
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`function verifyProof(bytes memory _proof, uint256[23] memory _input) external view returns (bool);`
initial 2020-04-08 11:41:12 +02:00			`}`

fix: transfer from contract 2021-07-08 19:50:44 +02:00			`interface ERC20 {`
			`function transfer(address to, uint256 value) external returns (bool);`
			`}`

Upgradeability tests 2021-08-05 09:29:49 +02:00			`contract TornadoPool is Initializable {`
initial 2020-04-08 11:41:12 +02:00			`uint256 public constant FIELD_SIZE = 21888242871839275222246405745257275088548364400416034343698204186575808495617;`
calc public amount 2021-08-16 21:17:07 +02:00			`int256 public constant MAX_EXT_AMOUNT = 2**248;`
refactor publicAmount 2021-08-16 18:53:18 +02:00			`uint256 public constant MAX_FEE = 2**248;`
initial 2020-04-08 11:41:12 +02:00
			`mapping(bytes32 => bool) public nullifierHashes;`
			`bytes32 public currentRoot;`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`uint256 public currentCommitmentIndex;`
ensure no holes in merkle tree leaves 2021-06-16 13:01:29 +02:00			`IVerifier public immutable verifier2;`
			`IVerifier public immutable verifier16;`
initial 2020-04-08 11:41:12 +02:00
updates 2021-06-07 12:12:15 +02:00			`struct ExtData {`
utxo class, separate private key for each input 2021-06-08 20:50:34 +02:00			`address payable recipient;`
refactor publicAmount 2021-08-16 18:53:18 +02:00			`int256 extAmount;`
utxo class, separate private key for each input 2021-06-08 20:50:34 +02:00			`address payable relayer;`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`uint256 fee;`
updates 2021-06-07 12:12:15 +02:00			`bytes encryptedOutput1;`
			`bytes encryptedOutput2;`
			`}`

feat: method register and transact 2021-07-22 16:01:22 +02:00			`struct Proof {`
			`bytes proof;`
			`bytes32 root;`
			`bytes32 newRoot;`
			`bytes32[] inputNullifiers;`
			`bytes32[2] outputCommitments;`
			`uint256 outPathIndices;`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`uint256 publicAmount;`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`bytes32 extDataHash;`
			`}`

			`struct Register {`
			`bytes pubKey;`
			`bytes account;`
			`}`

lint, CI, Readme 2021-06-16 02:31:31 +02:00			`event NewCommitment(bytes32 commitment, uint256 index, bytes encryptedOutput);`
initial 2020-04-08 11:41:12 +02:00			`event NewNullifier(bytes32 nullifier);`
add user registration 2021-06-21 19:05:36 +02:00			`event PublicKey(address indexed owner, bytes key);`
feat: encrypted account event 2021-06-25 11:35:32 +02:00			`event EncryptedAccount(address indexed owner, bytes account);`
initial 2020-04-08 11:41:12 +02:00
			`/**`
			`@dev The constructor`
refactor 2021-06-16 10:28:39 +02:00			`@param _verifier2 the address of SNARK verifier for 2 inputs`
			`@param _verifier16 the address of SNARK verifier for 16 inputs`
initial 2020-04-08 11:41:12 +02:00			`*/`
Upgradeability tests 2021-08-05 09:29:49 +02:00			`constructor(IVerifier _verifier2, IVerifier _verifier16) {`
transaaction circuit with custom input count 2021-06-15 13:25:06 +02:00			`verifier2 = _verifier2;`
			`verifier16 = _verifier16;`
Upgradeability tests 2021-08-05 09:29:49 +02:00			`}`

			`function initialize(bytes32 _currentRoot) external initializer {`
first deposit 2020-04-09 20:38:10 +02:00			`currentRoot = _currentRoot;`
initial 2020-04-08 11:41:12 +02:00			`}`

feat: method register and transact 2021-07-22 16:01:22 +02:00			`function transaction(Proof calldata _args, ExtData calldata _extData) public payable {`
			`require(currentRoot == _args.root, "Invalid merkle root");`
			`for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {`
			`require(!isSpent(_args.inputNullifiers[i]), "Input is already spent");`
test merge tx 2021-06-15 13:47:54 +02:00			`}`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`require(uint256(_args.extDataHash) == uint256(keccak256(abi.encode(_extData))) % FIELD_SIZE, "Incorrect external data hash");`
cache currentCommitmentIndex 2021-08-13 17:56:56 +02:00			`uint256 cachedCommitmentIndex = currentCommitmentIndex;`
			`require(_args.outPathIndices == cachedCommitmentIndex >> 1, "Invalid merkle tree insert position");`
calc public amount 2021-08-16 21:17:07 +02:00			`require(_args.publicAmount == calculatePublicAmount(_extData.extAmount, _extData.fee), "Invalid public amount");`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`require(verifyProof(_args), "Invalid transaction proof");`

			`currentRoot = _args.newRoot;`
cache currentCommitmentIndex 2021-08-13 17:56:56 +02:00			`currentCommitmentIndex = cachedCommitmentIndex + 2;`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {`
			`nullifierHashes[_args.inputNullifiers[i]] = true;`
refactor 2021-06-16 10:28:39 +02:00			`}`

refactor publicAmount 2021-08-16 18:53:18 +02:00			`if (_extData.extAmount > 0) {`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`require(msg.value == uint256(_extData.extAmount), "Incorrect amount of ETH sent on deposit");`
refactor publicAmount 2021-08-16 18:53:18 +02:00			`} else if (_extData.extAmount < 0) {`
refactor 2021-06-16 10:28:39 +02:00			`require(msg.value == 0, "Sent ETH amount should be 0 for withdrawal");`
			`require(_extData.recipient != address(0), "Can't withdraw to zero address");`
Merge branch 'master' into optimism 2021-08-17 10:24:24 +02:00			`_transfer(_extData.recipient, uint256(-_extData.extAmount));`
refactor 2021-06-16 10:28:39 +02:00			`} else {`
			`require(msg.value == 0, "Sent ETH amount should be 0 for transaction");`
			`}`

refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`if (_extData.fee > 0) {`
Merge branch 'master' into optimism 2021-08-17 10:24:24 +02:00			`_transfer(_extData.relayer, _extData.fee);`
refactor 2021-06-16 10:28:39 +02:00			`}`

cache currentCommitmentIndex 2021-08-13 17:56:56 +02:00			`emit NewCommitment(_args.outputCommitments[0], cachedCommitmentIndex, _extData.encryptedOutput1);`
			`emit NewCommitment(_args.outputCommitments[1], cachedCommitmentIndex + 1, _extData.encryptedOutput2);`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`for (uint256 i = 0; i < _args.inputNullifiers.length; i++) {`
			`emit NewNullifier(_args.inputNullifiers[i]);`
refactor 2021-06-16 10:28:39 +02:00			`}`
			`}`

update transfer to support any chains 2021-08-02 20:32:33 +02:00			`function _transfer(address payable _to, uint256 _amount) internal {`
			`uint256 id;`
			`assembly {`
			`id := chainid()`
			`}`
			`if (id == 10) {`
			`ERC20(0x4200000000000000000000000000000000000006).transfer(_to, _amount);`
			`} else {`
			`_to.transfer(_amount);`
			`}`
			`}`

code stylr fixes 2021-08-19 12:31:58 +02:00			`function calculatePublicAmount(int256 _extAmount, uint256 _fee) public pure returns (uint256) {`
calc public amount 2021-08-16 21:17:07 +02:00			`require(_fee < MAX_FEE, "Invalid fee");`
			`require(_extAmount > -MAX_EXT_AMOUNT && _extAmount < MAX_EXT_AMOUNT, "Invalid ext amount");`
			`int256 publicAmount = _extAmount - int256(_fee);`
			`return (publicAmount >= 0) ? uint256(publicAmount) : FIELD_SIZE - uint256(-publicAmount);`
refactor 2021-06-16 10:28:39 +02:00			`}`

			`/** @dev whether a note is already spent */`
			`function isSpent(bytes32 _nullifierHash) public view returns (bool) {`
			`return nullifierHashes[_nullifierHash];`
			`}`

feat: method register and transact 2021-07-22 16:01:22 +02:00			`function verifyProof(Proof calldata _args) public view returns (bool) {`
			`if (_args.inputNullifiers.length == 2) {`
refactor 2021-06-16 10:28:39 +02:00			`return`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`verifier2.verifyProof(`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`_args.proof,`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`[`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`uint256(_args.root),`
			`uint256(_args.newRoot),`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`_args.publicAmount,`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`uint256(_args.extDataHash),`
			`uint256(_args.inputNullifiers[0]),`
			`uint256(_args.inputNullifiers[1]),`
			`uint256(_args.outputCommitments[0]),`
			`uint256(_args.outputCommitments[1]),`
			`_args.outPathIndices`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`]`
refactor 2021-06-16 10:28:39 +02:00			`);`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`} else if (_args.inputNullifiers.length == 16) {`
refactor 2021-06-16 10:28:39 +02:00			`return`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`verifier16.verifyProof(`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`_args.proof,`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`[`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`uint256(_args.root),`
			`uint256(_args.newRoot),`
refactor extAmount and fee into a single public input 2021-08-13 19:07:53 +02:00			`_args.publicAmount,`
feat: method register and transact 2021-07-22 16:01:22 +02:00			`uint256(_args.extDataHash),`
			`uint256(_args.inputNullifiers[0]),`
			`uint256(_args.inputNullifiers[1]),`
			`uint256(_args.inputNullifiers[2]),`
			`uint256(_args.inputNullifiers[3]),`
			`uint256(_args.inputNullifiers[4]),`
			`uint256(_args.inputNullifiers[5]),`
			`uint256(_args.inputNullifiers[6]),`
			`uint256(_args.inputNullifiers[7]),`
			`uint256(_args.inputNullifiers[8]),`
			`uint256(_args.inputNullifiers[9]),`
			`uint256(_args.inputNullifiers[10]),`
			`uint256(_args.inputNullifiers[11]),`
			`uint256(_args.inputNullifiers[12]),`
			`uint256(_args.inputNullifiers[13]),`
			`uint256(_args.inputNullifiers[14]),`
			`uint256(_args.inputNullifiers[15]),`
			`uint256(_args.outputCommitments[0]),`
			`uint256(_args.outputCommitments[1]),`
			`_args.outPathIndices`
lint, CI, Readme 2021-06-16 02:31:31 +02:00			`]`
refactor 2021-06-16 10:28:39 +02:00			`);`
test merge tx 2021-06-15 13:47:54 +02:00			`} else {`
			`revert("unsupported input count");`
			`}`
initial 2020-04-08 11:41:12 +02:00			`}`
add user registration 2021-06-21 19:05:36 +02:00
feat: method register and transact 2021-07-22 16:01:22 +02:00			`function register(Register calldata args) public {`
			`emit PublicKey(msg.sender, args.pubKey);`
			`emit EncryptedAccount(msg.sender, args.account);`
			`}`

			`function registerAndTransact(`
			`Register calldata _registerArgs,`
			`Proof calldata _proofArgs,`
			`ExtData calldata _extData`
			`) external payable {`
			`register(_registerArgs);`
			`transaction(_proofArgs, _extData);`
add user registration 2021-06-21 19:05:36 +02:00			`}`
initial 2020-04-08 11:41:12 +02:00			`}`