gasRNG.sol
//SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.20;
import { VerifyVDF } from "./VerifyVDF.sol";
contract gasRNG {
// for now it's hardcoded for easy testing, then we should create a constructor
// The dealer is the deployer (set once in the constructor below); no function in this file changes it.
address public dealer;
uint public constant d = 1 ether; // register deposit
uint public constant d_star = 0.5 ether; // challenging commitment
uint public constant d_prime = 0.5 ether; // session deposit by dealer
// Gas compensation credited to the dealer in challenge_response(); never paid out or read elsewhere in this file.
uint public dealer_funds = 0;
// Set by request_submit(), cleared by did_not_submit(); not consulted by any require in this file.
bool public dealer_funds_partly_frozen;
// Set by challenge_result() when a participant's VDF output verifies and the dealer's does not; not consulted elsewhere in this file.
bool public dealer_deposit_frozen;
// Read as a "call only once" guard in did_not_respond_to_challenge(), but never written anywhere in this
// contract, so that guard is always satisfied as the code stands.
bool public dealer_responded_to_challenge;
// Protocol step windows, consumed cumulatively from Session.start_time by the t*_in_progress / after_t*
// modifiers. They are compared against block.timestamp, which is chosen by the block producer.
uint public constant t1 = 2 minutes;
uint public constant t2 = 2 minutes;
uint public constant t3 = 2 minutes;
uint public constant t4 = 2 minutes;
uint public constant t5 = 2 minutes;
uint public constant t6 = 2 minutes;
uint public constant t7 = 2 minutes;
uint public constant t8 = 2 minutes;
uint public rho = 1 ether; // session reward; not constant, but no function in this file assigns it
// bytes32 public root_T_c; // root of the merkle tree commit
// bytes32 public root_T; // root of the merkle tree final
uint public n = 0; // number of participants; incremented in register()/participate_again(), decremented in withdraw()
// External VDF verifier consulted by challenge_result(); its result is trusted as-is.
VerifyVDF public verify_vdf;
// verify_vdf_address is not validated (e.g. against address(0)) and cannot be changed afterwards.
constructor(address verify_vdf_address) {
    dealer = msg.sender;
    verify_vdf = VerifyVDF(verify_vdf_address);
}
struct Participant {
    bool registered; // true from register() until withdraw()
    uint index; // value of n at registration; n shrinks in withdraw(), so later registrants can reuse an existing index
    uint deposit; // msg.value at register() / participate_again()
    uint reward_withdrawn; // initialised to 0 and otherwise unused in this file (only referenced in commented-out code)
    uint submit; // value passed to submit(); zeroed by did_not_submit() and withdraw()
    bool deposit_frozen; // set by request_submit(); cleared by submit(), withdraw(), participate_again()
    bool deposit_partly_frozen; // set on the challenger in challenge(); cleared when the dealer fails a response or misses the t6 deadline
    uint reward; // accrued in submit() out of the session's dealer_deposit
    bool requested_submit; // set by request_submit(); cleared by submit()
}
mapping(address => Participant) public participants;
// challenged address => a challenge is pending (set in challenge(), cleared by both response paths)
mapping(address => bool) public challenged_participants;
// challenged address => challenger; never cleared, so it holds the most recent challenger
mapping(address => address) public challenging_participants;
struct Session {
    bool active;
    uint reward; // rho at creation; adjusted in the dealer-cheating paths
    uint start_time; // block.timestamp at new_session(); anchor for every step window
    uint dealer_deposit; // msg.value - rho at creation; drawn down by submit() payouts, zeroed when the dealer is caught cheating
    bytes32 root_T; // root of the merkle tree final (set in announce_root())
    uint no_of_participants; // n at creation; overwritten with the current n in end_session()
    uint dealer_cheating_rewards; // accumulated in challenge_response() / did_not_respond_to_challenge(); not distributed in this file
}
mapping(uint => Session) public sessions;
// sessions.
// Index that every modifier and step function reads as sessions[session_id]; only new_session() writes it.
uint session_id = 0;
// Session public session = Session(false, 0, 0, 0, 0);
// uint public dealer_cheating_rewards = 0;
// Declared but never written or read outside commented-out code in this file.
uint public session_rewards = 0;
// Dealer's announced VDF output and proof (Step 7), stored verbatim by announce_result() and only
// verified when challenge_result() is called.
struct Result {
    bytes g;
    bytes pi;
    bytes y;
    bytes q;
    bytes dst;
    uint256 nonce;
    uint256 delay;
}
Result public dealer_result = Result("", "", "", "", "", 0, 0);
// Caller must attach at least d wei. Used by register() and participate_again(); both store the
// full msg.value, so anything above d stays in the deposit.
modifier deposit_paid_register() {
    bool paid = msg.value >= d;
    require(paid, "Deposit must be paid.");
    _;
}
// Rejects callers that already hold a registration record.
modifier not_registered() {
    if (participants[msg.sender].registered) revert("Participant is already registered.");
    _;
}
// Requires the caller to be a currently registered participant (registered is cleared by withdraw()).
modifier registered() {
    Participant storage caller = participants[msg.sender];
    require(caller.registered, "Participant is not registered.");
    _;
}
// The dealer must fund the session reward rho plus a deposit of at least d_prime in one payment.
modifier deposit_and_reward_paid_session() {
    uint required = rho + d_prime;
    require(msg.value >= required, "Deposit and rewards must be paid.");
    _;
}
// Restricts a function to the dealer address fixed in the constructor.
modifier only_dealer() {
    if (msg.sender != dealer) revert("Only dealer can call the function.");
    _;
}
// Excludes the dealer address only; it does not require the caller to be registered.
modifier only_participants() {
    bool is_dealer = msg.sender == dealer;
    require(!is_dealer, "Only participants can call the function.");
    _;
}
// modifier reward_paid() {
// require(msg.value >= rho, "Reward must be paid.");
// _;
// }
// Passes when the session at sessions[session_id] is not active (including an unset slot).
modifier no_active_session() {
    Session storage current = sessions[session_id];
    if (current.active) revert("There is an active session.");
    _;
}
// Passes only while the session at sessions[session_id] is active.
modifier active_session() {
    Session storage current = sessions[session_id];
    require(current.active, "There is no active session in progress.");
    _;
}
// Caller's deposit must not be frozen. Defined here but not applied to any function in this file.
modifier funds_not_frozen() {
    bool frozen = participants[msg.sender].deposit_frozen;
    require(!frozen, "Deposit is frozen.");
    _;
}
// Caller's deposit must currently be frozen (i.e. request_submit() was issued for them).
modifier funds_frozen() {
    Participant storage caller = participants[msg.sender];
    if (!caller.deposit_frozen) revert("Deposit is not frozen.");
    _;
}
// Passes while an on-chain submission has been requested for _addr and not yet delivered
// (submit() clears the flag). The revert text describes the failing case: the value was already submitted.
modifier requested_submit(address _addr) {
    bool pending = participants[_addr].requested_submit;
    require(pending, "Participant submitted value successfully.");
    _;
}
// Rejects a second challenge against _addr while one is still pending.
modifier not_challenged(address _addr) {
    if (challenged_participants[_addr]) revert("Participant is already challenged.");
    _;
}
// Step-2 window: (start + t1, start + t1 + t2]. For an unset session (start_time == 0) the window
// lies in the past and this reverts.
modifier t2_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1;
    uint closes = opens + t2;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t2 period.");
    _;
}
// Step-3 window: (start + t1 + t2, start + t1 + t2 + t3].
modifier t3_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1 + t2;
    uint closes = opens + t3;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t3 period.");
    _;
}
// Open-ended: any time strictly after the t3 window has closed.
modifier after_t3() {
    uint deadline = sessions[session_id].start_time + t1 + t2 + t3;
    require(block.timestamp > deadline, "We can check if participant did not submit the value only after t3 period.");
    _;
}
// Step-4 window: (start + t1 + t2 + t3, start + t1 + t2 + t3 + t4].
modifier t4_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1 + t2 + t3;
    uint closes = opens + t4;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t4 period.");
    _;
}
// Step-5 window: (start + t1 + ... + t4, start + t1 + ... + t5].
modifier t5_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1 + t2 + t3 + t4;
    uint closes = opens + t5;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t5 period.");
    _;
}
// Step-6 window: (start + t1 + ... + t5, start + t1 + ... + t6].
modifier t6_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1 + t2 + t3 + t4 + t5;
    uint closes = opens + t6;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t6 period.");
    _;
}
// Open-ended: any time strictly after the t6 (dealer response) window has closed.
modifier after_t6() {
    uint deadline = sessions[session_id].start_time + t1 + t2 + t3 + t4 + t5 + t6;
    require(block.timestamp > deadline, "We can check if dealer did not respond to all challenges only after t6 period.");
    _;
}
// Step-8 window: (start + t1 + ... + t7, start + t1 + ... + t8]. There is no t7_in_progress
// modifier in this file; Step 7 (announce_result) carries no window check.
modifier t8_in_progress() {
    uint start = sessions[session_id].start_time;
    uint opens = start + t1 + t2 + t3 + t4 + t5 + t6 + t7;
    uint closes = opens + t8;
    require(block.timestamp > opens && block.timestamp <= closes, "Must be t8 period.");
    _;
}
// Open-ended: any time strictly after the last protocol window has closed.
modifier after_t8() {
    uint deadline = sessions[session_id].start_time + t1 + t2 + t3 + t4 + t5 + t6 + t7 + t8;
    require(block.timestamp > deadline, "Dealer can end the session only after t8.");
    _;
}
// keccak256 over two uint256 words. Both inputs are fixed 32-byte types, so encodePacked has no
// variable-length ambiguity here. Not called anywhere else in this file (its only user, verify_hash, is commented out).
function hash(uint _x, uint _n) public pure returns(bytes32) {
    bytes memory packed = abi.encodePacked(_x, _n);
    return keccak256(packed);
}
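// Recomputes a Merkle root from _leaf, its sibling path _proof and the leaf position _index,
// pairing left/right by index parity at each level (even = current node on the left), and
// returns whether the result equals _root. An empty proof accepts only _leaf == _root.
// _index is not checked against _proof.length, so bits above the tree height are ignored.
// Leaves and internal nodes are hashed identically (plain keccak256 of the concatenation);
// whoever builds the tree must make sure a leaf cannot be confused with a 64-byte internal node.
function verify_merkle_proof(bytes32[] memory _proof, bytes32 _root, bytes32 _leaf, uint _index) public pure returns (bool) {
    // Named `computed` rather than `hash` so the local no longer shadows the hash() function above.
    bytes32 computed = _leaf;
    uint index = _index;
    for (uint i = 0; i < _proof.length; i++) {
        bytes32 sibling = _proof[i];
        computed = index % 2 == 0
            ? keccak256(abi.encodePacked(computed, sibling))
            : keccak256(abi.encodePacked(sibling, computed));
        index /= 2;
    }
    return computed == _root;
}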
// EIP-191 personal-sign digest: keccak256("\x19Ethereum Signed Message:\n32" || _messageHash),
// i.e. what eth_sign / personal_sign produce for a 32-byte payload.
function getEthSignedMessageHash(bytes32 _messageHash) public pure returns (bytes32) {
    bytes memory prefix = "\x19Ethereum Signed Message:\n32";
    return keccak256(abi.encodePacked(prefix, _messageHash));
}
// Splits a 65-byte signature into (r, s, v). Only the length is validated; v is taken as the
// raw first byte of the third word and is not normalised or range-checked (ecrecover yields
// address(0) for an unsupported v, so callers must handle that result).
function splitSignature(bytes memory sig) public pure returns (bytes32 r, bytes32 s, uint8 v) {
    require(sig.length == 65, "invalid signature length");
    assembly {
        // sig points at the length word; the data starts 32 bytes in
        r := mload(add(sig, 32))
        s := mload(add(sig, 64))
        // byte 64 of the signature = most significant byte of the word at offset 96
        v := byte(0, mload(add(sig, 96)))
    }
}
// Recovers the signer of an already-prefixed digest. ecrecover returns address(0) for an
// invalid signature and that value is passed through unchanged; callers must check for it.
function recoverSigner(bytes32 _ethSignedMessageHash, bytes memory _signature) public pure returns (address) {
    bytes32 r;
    bytes32 s;
    uint8 v;
    (r, s, v) = splitSignature(_signature);
    address signer = ecrecover(_ethSignedMessageHash, v, r, s);
    return signer;
}
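// True when `signature` is a valid personal-sign signature by _signer over _messageHash.
// Rejects the address(0) recovery result explicitly: ecrecover returns address(0) for a
// malformed signature, and without the guard such a signature would "verify" for
// _signer == address(0).
function verify_signature(address _signer, bytes32 _messageHash, bytes memory signature) public pure returns (bool) {
    bytes32 ethSignedMessageHash = getEthSignedMessageHash(_messageHash);
    address recovered = recoverSigner(ethSignedMessageHash, signature);
    return recovered != address(0) && recovered == _signer;
}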
// function verify_hash( uint _x, uint _n, address _addr) public view returns (bool) {
// return hash(_x, _n) == participants[_addr].submit;
// }
// Registers the caller with the full msg.value as deposit (excess above d is not refunded) and
// assigns index = current n. There is no session check, so registration is possible mid-session.
function register() public payable deposit_paid_register not_registered only_participants {
    Participant memory fresh = Participant({
        registered: true,
        index: n,
        deposit: msg.value,
        reward_withdrawn: 0,
        submit: 0,
        deposit_frozen: false,
        deposit_partly_frozen: false,
        reward: 0,
        requested_submit: false
    });
    participants[msg.sender] = fresh;
    n += 1;
}
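// The dealer opens a session, paying the reward rho plus a deposit of at least d_prime.
// session_id is advanced BEFORE the write so that sessions[session_id] — the slot every
// modifier and step function reads — is the session being opened. Writing first and
// incrementing afterwards would leave session_id pointing at an empty, inactive slot, so
// active_session would always fail and no_active_session would always pass.
// The first session therefore has id 1 and sessions[0] stays unused.
function new_session() public payable only_dealer deposit_and_reward_paid_session no_active_session {
    session_id += 1;
    sessions[session_id] = Session({
        active: true,
        reward: rho,
        start_time: block.timestamp,
        dealer_deposit: msg.value - rho, // >= d_prime, enforced by deposit_and_reward_paid_session
        root_T: bytes32(0),
        no_of_participants: n,
        dealer_cheating_rewards: 0
    });
}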
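// Unregisters the caller and returns the unfrozen part of the deposit plus the reward accrued
// in submit(). A frozen deposit (request_submit() never answered by submit()) pays nothing; a
// partly frozen one (an unresolved challenge) forfeits d_star. Per-session rewards
// (dealer_cheating_rewards, session_rewards) are still not distributed here.
// All state is cleared before the transfer, so a re-entering call fails the `registered` modifier.
function withdraw() public registered no_active_session {
    Participant storage p = participants[msg.sender];
    uint deposit_to_send = p.deposit;
    if (p.deposit_partly_frozen) {
        // deposit >= d (1 ether) > d_star (0.5 ether) is enforced at funding time, so no underflow
        deposit_to_send = p.deposit - d_star;
    }
    if (p.deposit_frozen) {
        deposit_to_send = 0;
    }
    uint amount_to_send = deposit_to_send + p.reward;
    // have a loop here through participants[msg.sender][session_id].rewards
    // uint amount_to_send = deposit_to_send + dealer_cheating_rewards + session_rewards - participants[msg.sender].reward_withdrawn + participants[msg.sender].reward;
    // not correct actually :( participant may collect rewards for sessions he didn;t participate, how to avoid for loop???
    // participants[msg.sender].reward_withdrawn += dealer_cheating_rewards + session_rewards; // this is done to avoid for loops in sending rewards
    // sessions[session_id].dealer_cheating_rewards loop
    p.deposit = 0;
    p.registered = false;
    p.submit = 0;
    p.deposit_frozen = false;
    p.deposit_partly_frozen = false;
    p.reward = 0;
    // think about index? (p.index is left as-is; n shrinks, so the next registrant may reuse an index)
    n -= 1;
    // Interaction last (checks-effects-interactions); low-level call so a reverting receiver is reported, not swallowed.
    (bool sent, ) = payable(msg.sender).call{value: amount_to_send}("");
    require(sent, "failed to send ether");
}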
// Re-funds a still-registered participant between sessions. Because of the `registered`
// modifier this can only run before withdraw() (which sets registered = false), so the caller
// is already counted in n and `n += 1` below counts them twice; msg.value also replaces the
// existing deposit rather than adding to it.
// TODO(review): confirm whether this is meant to follow a slashing (deposit_frozen) rather than a withdraw().
function participate_again() public payable deposit_paid_register registered only_participants no_active_session{
    participants[msg.sender].deposit = msg.value;
    participants[msg.sender].deposit_frozen = false;
    n += 1;
}
// Step 1: Off-chain Submitting
// Step 2: On-chain Submitting Request
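// Step 2: the dealer asks _addr to submit on-chain during t3, freezing _addr's deposit until
// submit() arrives (did_not_submit() leaves it frozen). Only registered participants can be
// targeted, otherwise the dealer could tag arbitrary addresses.
function request_submit(address _addr) public only_dealer active_session t2_in_progress {
    Participant storage target = participants[_addr];
    require(target.registered, "Participant is not registered.");
    target.deposit_frozen = true;
    target.requested_submit = true;
    dealer_funds_partly_frozen = true;
}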
// Step 3: On-chain Submitting // funds_frozen active_session t3_in_progress
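// Step 3: a participant whose submission was requested in t2 submits _x on-chain during t3.
// The modifiers are the ones the author left in the comment above; without them anyone could
// call this repeatedly and draw the session's dealer_deposit down into their own reward.
// Pays min(gas_usage/2, d_star) out of dealer_deposit as gas compensation; the subtraction is
// checked arithmetic, so it reverts if the dealer's remaining deposit is smaller than the payout.
// The measured gas delta covers three storage writes whose cost depends on the previous and new
// slot values, so the payout is not a fixed amount.
function submit(uint _x) public funds_frozen active_session t3_in_progress {
    uint gas_before = gasleft();
    Participant storage p = participants[msg.sender];
    p.deposit_frozen = false;
    p.submit = _x;
    p.requested_submit = false;
    uint gas_after = gasleft();
    uint gas_next_constant = 80000; // we require more gas for the next operations, so we set is as an overhead constant
    uint gas_usage = gas_before - gas_after + gas_next_constant;
    uint half = gas_usage / 2;
    uint payout = half < d_star ? half : d_star;
    p.reward += payout;
    sessions[session_id].dealer_deposit -= payout;
}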
// call this function when participant did not submit by the deadline
// Callable by anyone after t3 for an address whose on-chain submission was requested and never
// arrived. Clears the stored value and lifts the partial freeze on the dealer's funds.
// _addr's deposit_frozen flag (set in request_submit()) is not cleared here, so withdraw()
// pays 0 for that participant; requested_submit is left set too, so repeat calls are no-ops.
function did_not_submit(address _addr) public requested_submit(_addr) active_session after_t3 {
    Participant storage late = participants[_addr];
    late.submit = 0;
    dealer_funds_partly_frozen = false;
}
// Step 4: Merkle Tree Announcement
// Step 4: the dealer publishes the Merkle root that challenge_response() proofs are checked
// against. Nothing prevents re-announcing within t4; the latest value wins.
function announce_root(bytes32 _root_T) public only_dealer active_session t4_in_progress {
    Session storage current = sessions[session_id];
    current.root_T = _root_T;
}
// Step 5: On-chain Challenges
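// Step 5: a registered participant disputes the inclusion of _addr's commitment in root_T.
// The challenger stakes d_star via deposit_partly_frozen (a single flag, so several challenges
// by the same account stake only once). Both sides must be registered: an unregistered
// challenger has no deposit to stake, and an unregistered target has no index/leaf to prove.
function challenge(address _addr) public registered not_challenged(_addr) active_session t5_in_progress {
    require(participants[_addr].registered, "Challenged address is not a registered participant.");
    participants[msg.sender].deposit_partly_frozen = true;
    challenged_participants[_addr] = true; // commitment of _addr is not correctly included
    challenging_participants[_addr] = msg.sender; // msg.sender challenged commitment of _addr
}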
// Step 6: On-chain Responses
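// Step 6: the dealer answers the pending challenge on _addr with a Merkle proof for leaf _x
// (against root_T from Step 4) and _addr's signature over _x.
// Either check failing ends the session, zeroes the dealer's deposit (the reward formulas are
// the author's placeholders, see "correct reward calculation later") and releases the
// challenger's d_star. Success credits the dealer gas compensation capped at d_star and leaves
// the challenger's d_star frozen. Both paths divide by no_of_participants, which panics if the
// session was opened with n == 0.
function challenge_response(address _addr, bytes32[] memory _proof, bytes32 _x, bytes memory _signature) public only_dealer active_session t6_in_progress{
    // Only a pending challenge may be answered; otherwise the dealer could collect the gas
    // compensation below for addresses nobody challenged.
    require(challenged_participants[_addr], "No pending challenge for this participant.");
    uint gas_before = gasleft();
    bool proof_verified = verify_merkle_proof(_proof, sessions[session_id].root_T, _x, participants[_addr].index);
    bool signature_verified = verify_signature(_addr, _x, _signature);
    if (!proof_verified || !signature_verified) {
        // correct reward calculation later!!
        sessions[session_id].dealer_cheating_rewards += (sessions[session_id].dealer_deposit / sessions[session_id].no_of_participants);
        sessions[session_id].reward += (sessions[session_id].reward / sessions[session_id].no_of_participants);
        sessions[session_id].dealer_deposit = 0;
        sessions[session_id].active = false;
        address challenging_participant = challenging_participants[_addr];
        participants[challenging_participant].deposit_partly_frozen = false;
    }
    else {
        uint gas_after = gasleft();
        uint gas_next_constant = 80000; // we require more gas for the next operations, so we set is as an overhead constant
        uint gas_usage = gas_before - gas_after + gas_next_constant;
        // dealer is compensated min(gas_usage/2, d_star); dealer_funds is never paid out elsewhere in this file
        if (d_star > gas_usage/2) {
            dealer_funds += (gas_usage/2);
        }
        else {
            dealer_funds += d_star;
        }
    }
    // it indicates that the dealer responded to challenge (even if he couldn't prove it, his deposit was confiscated already)
    challenged_participants[_addr] = false;
}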
// this function is for participants to claim that the dealer did not respond to all challenges on time
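// Step 6 fallback: anyone may report, after t6, a challenge on _addr the dealer left unanswered.
// The challenge must still be PENDING: challenge_response() clears challenged_participants[_addr]
// when the dealer answers, so a cleared flag means the dealer did respond. (The original
// condition was inverted — it accepted exactly the addresses with no pending challenge, letting
// anyone end the session and confiscate the dealer's deposit for an arbitrary address.)
// active_session prevents the confiscation from being applied twice to the same session.
// Divides by no_of_participants, which panics if the session was opened with n == 0.
function did_not_respond_to_challenge(address _addr) public active_session after_t6 {
    require(challenged_participants[_addr], "Dealer already responded to the challenge for this participant.");
    // dealer_responded_to_challenge is never written anywhere in this contract, so this guard
    // currently always passes; kept as the author left it.
    require(!dealer_responded_to_challenge, "This function can be called only once");
    // correct reward calculation later!! (same placeholder formulas as challenge_response())
    sessions[session_id].dealer_cheating_rewards += (sessions[session_id].dealer_deposit / sessions[session_id].no_of_participants);
    sessions[session_id].reward += (sessions[session_id].reward / sessions[session_id].no_of_participants);
    sessions[session_id].dealer_deposit = 0;
    sessions[session_id].active = false;
    address challenging_participant = challenging_participants[_addr];
    participants[challenging_participant].deposit_partly_frozen = false;
    challenged_participants[_addr] = false;
}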
// Step 7: Verifiable Delay Function
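// Step 7: the dealer publishes the VDF output and proof that challenge_result() later checks.
// Restricted to the dealer: as an unrestricted external function anyone could overwrite the
// dealer's result (and thereby decide the outcome of challenge_result()). No window modifier
// exists for t7 in this file, so the dealer may (re)announce at any time; the latest value wins.
function announce_result(bytes memory g, bytes memory pi, bytes memory y, bytes memory q, bytes memory dst, uint256 nonce, uint256 delay) external only_dealer {
    dealer_result = Result({
        g: g,
        pi: pi,
        y: y,
        q: q,
        dst: dst,
        nonce: nonce,
        delay: delay
    });
}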
// Step 8: VDF Challenge
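// Step 8: a participant presents their own VDF output; if it verifies while the dealer's stored
// result does not, the dealer's deposit is marked frozen. Returns whether the dealer was caught
// (the original declared `returns (bool)` but never returned, so callers always saw false).
// No role or window modifier applies, so any account may call this at any time — including
// before announce_result(), when dealer_result is still the empty default. Both verifications
// are external calls into verify_vdf whose results are trusted as-is.
function challenge_result(bytes memory g, bytes memory pi, bytes memory y, bytes memory q, bytes memory dst, uint256 nonce, uint256 delay) external returns (bool) {
    bool res_participant_correct = verify_vdf.verify(g, pi, y, q, dst, nonce, delay);
    bool res_dealer_correct = verify_vdf.verify(dealer_result.g, dealer_result.pi, dealer_result.y, dealer_result.q, dealer_result.dst, dealer_result.nonce, dealer_result.delay);
    bool dealer_caught = res_participant_correct && !res_dealer_correct;
    if (dealer_caught) {
        dealer_deposit_frozen = true;
        // then increase participant reward
    }
    return dealer_caught;
}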
// Closes the session after t8. Overwrites the participant count captured at new_session()
// with the current n. Neither the remaining dealer_deposit nor the session reward is paid out
// here, and dealer_deposit_frozen is not consulted.
function end_session() public after_t8 only_dealer active_session {
    Session storage current = sessions[session_id];
    current.no_of_participants = n;
    current.active = false;
}
}