-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathRedistribution.sol
1146 lines (971 loc) · 41.8 KB
/
Redistribution.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.19;
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "./Util/TransformedChunkProof.sol";
import "./Util/ChunkProof.sol";
import "./Util/Signatures.sol";
import "./interface/IPostageStamp.sol";
interface IPriceOracle {
function adjustPrice(uint16 redundancy) external returns (bool);
}
interface IStakeRegistry {
struct Stake {
bytes32 overlay;
uint256 stakeAmount;
uint256 lastUpdatedBlockNumber;
}
function freezeDeposit(address _owner, uint256 _time) external;
function lastUpdatedBlockNumberOfAddress(address _owner) external view returns (uint256);
function overlayOfAddress(address _owner) external view returns (bytes32);
function heightOfAddress(address _owner) external view returns (uint8);
function nodeEffectiveStake(address _owner) external view returns (uint256);
}
/**
* @title Redistribution contract
* @author The Swarm Authors
* @dev Implements a Schelling Co-ordination game to form consensus around the Reserve Commitment hash. This takes
* place in three phases: _commit_, _reveal_ and _claim_.
*
* A node, upon establishing that it _isParticipatingInUpcomingRound_, i.e. it's overlay falls within proximity order
* of its reported depth with the _currentRoundAnchor_, prepares a "reserve commitment hash" using the chunks
* it currently stores in its reserve and calculates the "storage depth" (see Bee for details). These values, if calculated
* honestly, and with the right chunks stored, should be the same for every node in a neighbourhood. This is the Schelling point.
* Each eligible node can then use these values, together with a random, single use, secret _revealNonce_ and their
* _overlay_ as the pre-image values for the obsfucated _commit_, using the _wrapCommit_ method.
*
* Once the _commit_ round has elapsed, participating nodes must provide the values used to calculate their obsfucated
* _commit_ hash, which, once verified for correctness and proximity to the anchor are retained in the _currentReveals_.
* Nodes that have committed but do not reveal the correct values used to create the pre-image will have their stake
* "frozen" for a period of rounds proportional to their reported depth.
*
* During the _reveal_ round, randomness is updated after every successful reveal. Once the reveal round is concluded,
* the _currentRoundAnchor_ is updated and users can determine if they will be eligible their overlay will be eligible
* for the next commit phase using _isParticipatingInUpcomingRound_.
*
* When the _reveal_ phase has been concluded, the claim phase can begin. At this point, the truth teller and winner
* are already determined. By calling _isWinner_, an applicant node can run the relevant logic to determine if they have
* been selected as the beneficiary of this round. When calling _claim_, the current pot from the PostageStamp contract
* is withdrawn and transferred to that beneficiaries address. Nodes that have revealed values that differ from the truth,
* have their stakes "frozen" for a period of rounds proportional to their reported depth.
*/
contract Redistribution is AccessControl, Pausable {
// ----------------------------- Type declarations ------------------------------
// An eligible user may commit to an _obfuscatedHash_ during the commit phase...
struct Commit {
bytes32 overlay;
address owner;
bool revealed;
uint8 height;
uint256 stake;
bytes32 obfuscatedHash;
uint256 revealIndex;
}
// ...then provide the actual values that are the constituents of the pre-image of the _obfuscatedHash_
// during the reveal phase.
struct Reveal {
bytes32 overlay;
address owner;
uint8 depth;
uint256 stake;
uint256 stakeDensity;
bytes32 hash;
}
struct ChunkInclusionProof {
bytes32[] proofSegments;
bytes32 proveSegment;
// _RCspan is known for RC 32*32
// Inclusion proof of transformed address
bytes32[] proofSegments2;
bytes32 proveSegment2;
// proveSegmentIndex2 known from deterministic random selection;
uint64 chunkSpan;
bytes32[] proofSegments3;
// _proveSegment3 known, is equal _proveSegment2
// proveSegmentIndex3 know, is equal _proveSegmentIndex2;
// chunkSpan2 is equal to chunkSpan (as the data is the same)
//
PostageProof postageProof;
SOCProof[] socProof;
}
struct SOCProof {
address signer; // signer Ethereum address to check against
bytes signature;
bytes32 identifier; //
bytes32 chunkAddr; // wrapped chunk address
}
struct PostageProof {
bytes signature;
bytes32 postageId;
uint64 index;
uint64 timeStamp;
// address signer; it is provided by the postage stamp contract
// bytes32 chunkAddr; it equals to the proveSegment argument
}
// The address of the linked PostageStamp contract.
IPostageStamp public PostageContract;
// The address of the linked PriceOracle contract.
IPriceOracle public OracleContract;
// The address of the linked Staking contract.
IStakeRegistry public Stakes;
// Commits for the current round.
Commit[] public currentCommits;
// Reveals for the current round.
Reveal[] public currentReveals;
// The current anchor that being processed for the reveal and claim phases of the round.
bytes32 private currentRevealRoundAnchor;
// The current random value from which we will random.
// inputs for selection of the truth teller and beneficiary.
bytes32 private seed;
// The number of the currently active round phases.
uint64 public currentCommitRound;
uint64 public currentRevealRound;
uint64 public currentClaimRound;
// Settings for slashing and freezing
uint8 private penaltyMultiplierDisagreement = 1;
uint8 private penaltyMultiplierNonRevealed = 2;
uint8 private penaltyRandomFactor = 100; // Use 100 as value to ignore random factor in freezing penalty
// alpha=0.097612 beta=0.0716570 k=16
uint256 private sampleMaxValue = 1284401000000000000000000000000000000000000000000000000000000000000000000;
// The reveal of the winner of the last round.
Reveal public winner;
// The length of a round in blocks.
uint256 private constant ROUND_LENGTH = 152;
// Maximum value of the keccack256 hash.
bytes32 private constant MAX_H = 0x00000000000000000000000000000000ffffffffffffffffffffffffffffffff;
// ----------------------------- Events ------------------------------
/**
* @dev Emitted when the winner of a round is selected in the claim phase
*/
event WinnerSelected(Reveal winner);
/**
* @dev Emitted when the truth oracle of a round is selected in the claim phase.
*/
event TruthSelected(bytes32 hash, uint8 depth);
// Next two events to be removed after testing phase pending some other usefulness being found.
/**
* @dev Emits the number of commits being processed by the claim phase.
*/
event CountCommits(uint256 _count);
/**
* @dev Emits the number of reveals being processed by the claim phase.
*/
event CountReveals(uint256 _count);
/**
* @dev Logs that an overlay has committed
*/
event Committed(uint256 roundNumber, bytes32 overlay, uint8 height);
/**
* @dev Emit from Postagestamp contract valid chunk count at the end of claim
*/
event ChunkCount(uint256 validChunkCount);
/**
* @dev Bytes32 anhor of current reveal round
*/
event CurrentRevealAnchor(uint256 roundNumber, bytes32 anchor);
/**
* @dev Output external call status
*/
event PriceAdjustmentSkipped(uint16 redundancyCount);
/**
* @dev Withdraw not successful in claim
*/
event WithdrawFailed(address owner);
/**
* @dev Logs that an overlay has revealed
*/
event Revealed(
uint256 roundNumber,
bytes32 overlay,
uint256 stake,
uint256 stakeDensity,
bytes32 reserveCommitment,
uint8 depth
);
/**
* @dev Logs for inclusion proof
*/
event transformedChunkAddressFromInclusionProof(uint256 indexInRC, bytes32 chunkAddress);
// ----------------------------- Errors ------------------------------
error NotCommitPhase(); // Game is not in commit phase
error NoCommitsReceived(); // Round didn't receive any commits
error PhaseLastBlock(); // We don't permit commits in last block of the phase
error CommitRoundOver(); // Commit phase in this round is over
error CommitRoundNotStarted(); // Commit phase in this round has not started yet
error NotMatchingOwner(); // Sender of commit is not matching the overlay address
error MustStake2Rounds(); // Before entering the game node must stake 2 rounds prior
error NotStaked(); // Node didn't add any staking
error WrongPhase(); // Checking in wrong phase, need to check duing claim phase of current round for next round or commit in current round
error AlreadyCommitted(); // Node already committed in this round
error NotRevealPhase(); // Game is not in reveal phase
error OutOfDepthReveal(bytes32); // Anchor is out of reported depth in Reveal phase, anchor data available as argument
error OutOfDepthClaim(uint8); // Anchor is out of reported depth in Claim phase, entryProof index is argument
error OutOfDepth(); // Anchor is out of reported depth
error AlreadyRevealed(); // Node already revealed
error NoMatchingCommit(); // No matching commit and hash
error NotClaimPhase(); // Game is not in the claim phase
error NoReveals(); // Round did not receive any reveals
error FirstRevealDone(); // We don't want to return value after first reveal
error AlreadyClaimed(); // This round was already claimed
error NotAdmin(); // Caller of trx is not admin
error OnlyPauser(); // Only account with pauser role can call pause/unpause
error SocVerificationFailed(bytes32); // Soc verification failed for this element
error SocCalcNotMatching(bytes32); // Soc address calculation does not match with the witness
error IndexOutsideSet(bytes32); // Stamp available: index resides outside of the valid index set
error SigRecoveryFailed(bytes32); // Stamp authorized: signature recovery failed for element
error BatchDoesNotExist(bytes32); // Stamp alive: batch remaining balance validation failed for attached stamp
error BucketDiffers(bytes32); // Stamp aligned: postage bucket differs from address bucket
error InclusionProofFailed(uint8, bytes32);
// 1 = RC inclusion proof failed for element
// 2 = First sister segment in data must match,
// 3 = Inclusion proof failed for original address of element
// 4 = Inclusion proof failed for transformed address of element
error RandomElementCheckFailed(); // Random element order check failed
error LastElementCheckFailed(); // Last element order check failed
error ReserveCheckFailed(bytes32 trALast); // Reserve size estimation check failed
// ----------------------------- CONSTRUCTOR ------------------------------
/**
* @param staking the address of the linked Staking contract.
* @param postageContract the address of the linked PostageStamp contract.
* @param oracleContract the address of the linked PriceOracle contract.
*/
constructor(address staking, address postageContract, address oracleContract) {
Stakes = IStakeRegistry(staking);
PostageContract = IPostageStamp(postageContract);
OracleContract = IPriceOracle(oracleContract);
_setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
}
////////////////////////////////////////
// STATE CHANGING //
////////////////////////////////////////
/**
* @notice Begin application for a round if eligible. Commit a hashed value for which the pre-image will be
* subsequently revealed.
* @dev If a node's overlay is _inProximity_(_depth_) of the _currentRoundAnchor_, that node may compute an
* _obfuscatedHash_ by providing their _overlay_, reported storage _depth_, reserve commitment _hash_ and a
* randomly generated, and secret _revealNonce_ to the _wrapCommit_ method.
* @param _obfuscatedHash The calculated hash resultant of the required pre-image values.
* and be derived from the same key pair as the message sender.
* @param _roundNumber Node needs to provide round number for which commit is valid
*/
function commit(bytes32 _obfuscatedHash, uint64 _roundNumber) external whenNotPaused {
uint64 cr = currentRound();
bytes32 _overlay = Stakes.overlayOfAddress(msg.sender);
uint256 _stake = Stakes.nodeEffectiveStake(msg.sender);
uint256 _lastUpdate = Stakes.lastUpdatedBlockNumberOfAddress(msg.sender);
uint8 _height = Stakes.heightOfAddress(msg.sender);
if (!currentPhaseCommit()) {
revert NotCommitPhase();
}
if (block.number % ROUND_LENGTH == (ROUND_LENGTH / 4) - 1) {
revert PhaseLastBlock();
}
if (cr > _roundNumber) {
revert CommitRoundOver();
}
if (cr < _roundNumber) {
revert CommitRoundNotStarted();
}
if (_lastUpdate == 0) {
revert NotStaked();
}
if (_lastUpdate >= block.number - 2 * ROUND_LENGTH) {
revert MustStake2Rounds();
}
// if we are in a new commit phase, reset the array of commits and
// set the currentCommitRound to be the current one
if (cr != currentCommitRound) {
delete currentCommits;
currentCommitRound = cr;
}
uint256 commitsArrayLength = currentCommits.length;
for (uint256 i = 0; i < commitsArrayLength; ) {
if (currentCommits[i].overlay == _overlay) {
revert AlreadyCommitted();
}
unchecked {
++i;
}
}
currentCommits.push(
Commit({
overlay: _overlay,
owner: msg.sender,
revealed: false,
height: _height,
stake: _stake,
obfuscatedHash: _obfuscatedHash,
revealIndex: 0
})
);
emit Committed(_roundNumber, _overlay, _height);
}
/**
* @notice Reveal the pre-image values used to generate commit provided during this round's commit phase.
* @param _depth The reported depth.
* @param _hash The reserve commitment hash.
* @param _revealNonce The nonce used to generate the commit that is being revealed.
*/
function reveal(uint8 _depth, bytes32 _hash, bytes32 _revealNonce) external whenNotPaused {
uint64 cr = currentRound();
bytes32 _overlay = Stakes.overlayOfAddress(msg.sender);
if (_depth < currentMinimumDepth()) {
revert OutOfDepth();
}
if (!currentPhaseReveal()) {
revert NotRevealPhase();
}
if (cr != currentCommitRound) {
revert NoCommitsReceived();
}
if (cr != currentRevealRound) {
currentRevealRoundAnchor = currentRoundAnchor();
delete currentReveals;
// We set currentRevealRound ONLY after we set current anchor
currentRevealRound = cr;
emit CurrentRevealAnchor(cr, currentRevealRoundAnchor);
updateRandomness();
}
bytes32 obfuscatedHash = wrapCommit(_overlay, _depth, _hash, _revealNonce);
uint256 id = findCommit(_overlay, obfuscatedHash);
Commit memory revealedCommit = currentCommits[id];
uint8 depthResponsibility = _depth - revealedCommit.height;
// Check that commit is in proximity of the current anchor
if (!inProximity(revealedCommit.overlay, currentRevealRoundAnchor, depthResponsibility)) {
revert OutOfDepthReveal(currentRevealRoundAnchor);
}
// Check that the commit has not already been revealed
if (revealedCommit.revealed) {
revert AlreadyRevealed();
}
currentCommits[id].revealed = true;
currentCommits[id].revealIndex = currentReveals.length;
currentReveals.push(
Reveal({
overlay: revealedCommit.overlay,
owner: revealedCommit.owner,
depth: _depth,
stake: revealedCommit.stake,
stakeDensity: revealedCommit.stake * uint256(2 ** depthResponsibility),
hash: _hash
})
);
emit Revealed(
cr,
revealedCommit.overlay,
revealedCommit.stake,
revealedCommit.stake * uint256(2 ** depthResponsibility),
_hash,
_depth
);
}
/**
* @notice Helper function to get this round truth
* @dev
*/
function claim(
ChunkInclusionProof calldata entryProof1,
ChunkInclusionProof calldata entryProof2,
ChunkInclusionProof calldata entryProofLast
) external whenNotPaused {
winnerSelection();
Reveal memory winnerSelected = winner;
uint256 indexInRC1;
uint256 indexInRC2;
bytes32 _currentRevealRoundAnchor = currentRevealRoundAnchor;
bytes32 _seed = seed;
// rand(14)
indexInRC1 = uint256(_seed) % 15;
// rand(13)
indexInRC2 = uint256(_seed) % 14;
if (indexInRC2 >= indexInRC1) {
indexInRC2++;
}
if (!inProximity(entryProofLast.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
revert OutOfDepthClaim(3);
}
inclusionFunction(entryProofLast, 30);
stampFunction(entryProofLast);
socFunction(entryProofLast);
if (!inProximity(entryProof1.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
revert OutOfDepthClaim(2);
}
inclusionFunction(entryProof1, indexInRC1 * 2);
stampFunction(entryProof1);
socFunction(entryProof1);
if (!inProximity(entryProof2.proveSegment, _currentRevealRoundAnchor, winnerSelected.depth)) {
revert OutOfDepthClaim(1);
}
inclusionFunction(entryProof2, indexInRC2 * 2);
stampFunction(entryProof2);
socFunction(entryProof2);
checkOrder(
indexInRC1,
indexInRC2,
entryProof1.proofSegments[0],
entryProof2.proofSegments[0],
entryProofLast.proofSegments[0]
);
estimateSize(entryProofLast.proofSegments[0]);
// Do the check if the withdraw was success
(bool success, ) = address(PostageContract).call(
abi.encodeWithSignature("withdraw(address)", winnerSelected.owner)
);
if (!success) {
emit WithdrawFailed(winnerSelected.owner);
}
emit WinnerSelected(winnerSelected);
emit ChunkCount(PostageContract.validChunkCount());
}
function winnerSelection() internal {
uint64 cr = currentRound();
if (!currentPhaseClaim()) {
revert NotClaimPhase();
}
if (cr != currentRevealRound) {
revert NoReveals();
}
if (cr <= currentClaimRound) {
revert AlreadyClaimed();
}
uint256 currentWinnerSelectionSum = 0;
uint256 redundancyCount = 0;
bytes32 randomNumber;
uint256 randomNumberTrunc;
bytes32 truthRevealedHash;
uint8 truthRevealedDepth;
uint256 currentCommitsLength = currentCommits.length;
emit CountCommits(currentCommitsLength);
emit CountReveals(currentReveals.length);
(truthRevealedHash, truthRevealedDepth) = getCurrentTruth();
emit TruthSelected(truthRevealedHash, truthRevealedDepth);
string memory winnerSelectionAnchor = currentWinnerSelectionAnchor();
for (uint256 i = 0; i < currentCommitsLength; ) {
Commit memory currentCommit = currentCommits[i];
uint256 revIndex = currentCommit.revealIndex;
Reveal memory currentReveal = currentReveals[revIndex];
// Select winner with valid truth
if (
currentCommit.revealed &&
truthRevealedHash == currentReveal.hash &&
truthRevealedDepth == currentReveal.depth
) {
currentWinnerSelectionSum += currentReveal.stakeDensity;
randomNumber = keccak256(abi.encodePacked(winnerSelectionAnchor, redundancyCount));
randomNumberTrunc = uint256(randomNumber & MAX_H);
if (randomNumberTrunc * currentWinnerSelectionSum < currentReveal.stakeDensity * (uint256(MAX_H) + 1)) {
winner = currentReveal;
}
redundancyCount++;
}
// Freeze deposit if any truth is false, make it a penaltyRandomFactor chance for this to happen
if (
currentCommit.revealed &&
(truthRevealedHash != currentReveal.hash || truthRevealedDepth != currentReveal.depth) &&
(block.prevrandao % 100 < penaltyRandomFactor)
) {
Stakes.freezeDeposit(
currentReveal.owner,
penaltyMultiplierDisagreement * ROUND_LENGTH * uint256(2 ** truthRevealedDepth)
);
}
// Slash deposits if revealed is false
if (!currentCommit.revealed) {
// slash in later phase (ph5)
// Stakes.slashDeposit(currentCommits[i].overlay, currentCommits[i].stake);
Stakes.freezeDeposit(
currentCommit.owner,
penaltyMultiplierNonRevealed * ROUND_LENGTH * uint256(2 ** truthRevealedDepth)
);
}
unchecked {
++i;
}
}
bool success = OracleContract.adjustPrice(uint16(redundancyCount));
if (!success) {
emit PriceAdjustmentSkipped(uint16(redundancyCount));
}
currentClaimRound = cr;
}
function inclusionFunction(ChunkInclusionProof calldata entryProof, uint256 indexInRC) internal {
uint256 randomChunkSegmentIndex = uint256(seed) % 128;
bytes32 calculatedTransformedAddr = TransformedBMTChunk.transformedChunkAddressFromInclusionProof(
entryProof.proofSegments3,
entryProof.proveSegment2,
randomChunkSegmentIndex,
entryProof.chunkSpan,
currentRevealRoundAnchor
);
emit transformedChunkAddressFromInclusionProof(indexInRC, calculatedTransformedAddr);
if (
winner.hash !=
BMTChunk.chunkAddressFromInclusionProof(
entryProof.proofSegments,
entryProof.proveSegment,
indexInRC,
32 * 32
)
) {
revert InclusionProofFailed(1, calculatedTransformedAddr);
}
if (entryProof.proofSegments2[0] != entryProof.proofSegments3[0]) {
revert InclusionProofFailed(2, calculatedTransformedAddr);
}
bytes32 originalAddress = entryProof.socProof.length > 0
? entryProof.socProof[0].chunkAddr // soc attestation in socFunction
: entryProof.proveSegment;
if (
originalAddress !=
BMTChunk.chunkAddressFromInclusionProof(
entryProof.proofSegments2,
entryProof.proveSegment2,
randomChunkSegmentIndex,
entryProof.chunkSpan
)
) {
revert InclusionProofFailed(3, calculatedTransformedAddr);
}
// In case of SOC, the transformed address is hashed together with its address in the sample
if (entryProof.socProof.length > 0) {
calculatedTransformedAddr = keccak256(
abi.encode(
entryProof.proveSegment, // SOC address
calculatedTransformedAddr
)
);
}
if (entryProof.proofSegments[0] != calculatedTransformedAddr) {
revert InclusionProofFailed(4, calculatedTransformedAddr);
}
}
/**
* @notice Set freezing parameters
*/
function setFreezingParams(
uint8 _penaltyMultiplierDisagreement,
uint8 _penaltyMultiplierNonRevealed,
uint8 _penaltyRandomFactor
) external {
if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
revert NotAdmin();
}
penaltyMultiplierDisagreement = _penaltyMultiplierDisagreement;
penaltyMultiplierNonRevealed = _penaltyMultiplierNonRevealed;
penaltyRandomFactor = _penaltyRandomFactor;
}
/**
* @notice changes the max sample value used for reserve estimation
*/
function setSampleMaxValue(uint256 _sampleMaxValue) external {
if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
revert NotAdmin();
}
sampleMaxValue = _sampleMaxValue;
}
/**
* @notice Updates the source of randomness. Uses block.difficulty in pre-merge chains, this is substituted
* to block.prevrandao in post merge chains.
*/
function updateRandomness() private {
seed = keccak256(abi.encode(seed, block.prevrandao));
}
/**
* @dev Pause the contract. The contract is provably stopped by renouncing
the pauser role and the admin role after pausing, can only be called by the `PAUSER`
*/
function pause() public {
if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
revert OnlyPauser();
}
_pause();
}
/**
* @dev Unpause the contract, can only be called by the pauser when paused
*/
function unPause() public {
if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) {
revert OnlyPauser();
}
_unpause();
}
////////////////////////////////////////
// STATE READING //
////////////////////////////////////////
// ----------------------------- Anchor calculations ------------------------------
/**
* @notice Returns the current random seed which is used to determine later utilised random numbers.
* If rounds have elapsed without reveals, hash the seed with an incremented nonce to produce a new
* random seed and hence a new round anchor.
*/
function currentSeed() public view returns (bytes32) {
uint64 cr = currentRound();
bytes32 currentSeedValue = seed;
if (cr > currentRevealRound + 1) {
uint256 difference = cr - currentRevealRound - 1;
currentSeedValue = keccak256(abi.encodePacked(currentSeedValue, difference));
}
return currentSeedValue;
}
/**
* @notice Returns the seed which will become current once the next commit phase begins.
* Used to determine what the next round's anchor will be.
*/
function nextSeed() public view returns (bytes32) {
uint64 cr = currentRound() + 1;
bytes32 currentSeedValue = seed;
if (cr > currentRevealRound + 1) {
uint256 difference = cr - currentRevealRound - 1;
currentSeedValue = keccak256(abi.encodePacked(currentSeedValue, difference));
}
return currentSeedValue;
}
/**
* @notice The random value used to choose the selected truth teller.
*/
function currentTruthSelectionAnchor() private view returns (string memory) {
if (!currentPhaseClaim()) {
revert NotClaimPhase();
}
uint64 cr = currentRound();
if (cr != currentRevealRound) {
revert NoReveals();
}
return string(abi.encodePacked(seed, "0"));
}
/**
* @notice The random value used to choose the selected beneficiary.
*/
function currentWinnerSelectionAnchor() private view returns (string memory) {
if (!currentPhaseClaim()) {
revert NotClaimPhase();
}
uint64 cr = currentRound();
if (cr != currentRevealRound) {
revert NoReveals();
}
return string(abi.encodePacked(seed, "1"));
}
/**
* @notice The anchor used to determine eligibility for the current round.
* @dev A node must be within proximity order of less than or equal to the storage depth they intend to report.
*/
function currentRoundAnchor() public view returns (bytes32 returnVal) {
// This will be called in reveal phase and set as currentRevealRoundAnchor or in
// commit phase when checking eligibility for next round by isParticipatingInUpcomingRound
if (currentPhaseCommit() || (currentRound() > currentRevealRound && !currentPhaseClaim())) {
return currentSeed();
}
// This will be called by isParticipatingInUpcomingRound check in claim phase
if (currentPhaseClaim()) {
return nextSeed();
}
// Without this, this function will output 0x0 after first reveal which is value and we prefere it reverts
if (currentPhaseReveal() && currentRound() == currentRevealRound) {
revert FirstRevealDone();
}
}
/**
* @notice Returns true if an overlay address _A_ is within proximity order _minimum_ of _B_.
* @param A An overlay address to compare.
* @param B An overlay address to compare.
* @param minimum Minimum proximity order.
*/
function inProximity(bytes32 A, bytes32 B, uint8 minimum) public pure returns (bool) {
if (minimum == 0) {
return true;
}
return uint256(A ^ B) < uint256(2 ** (256 - minimum));
}
// ----------------------------- Commit ------------------------------
/**
* @notice The number of the current round.
*/
function currentRound() public view returns (uint64) {
return uint64(block.number / ROUND_LENGTH);
}
/**
* @notice Returns true if current block is during commit phase.
*/
function currentPhaseCommit() public view returns (bool) {
if (block.number % ROUND_LENGTH < ROUND_LENGTH / 4) {
return true;
}
return false;
}
/**
* @notice Determine if a the owner of a given overlay can participate in the upcoming round.
* @param _owner The address of the applicant from.
* @param _depth The storage depth the applicant intends to report.
*/
function isParticipatingInUpcomingRound(address _owner, uint8 _depth) public view returns (bool) {
uint256 _lastUpdate = Stakes.lastUpdatedBlockNumberOfAddress(_owner);
uint8 _depthResponsibility = _depth - Stakes.heightOfAddress(_owner);
if (currentPhaseReveal()) {
revert WrongPhase();
}
if (_lastUpdate == 0) {
revert NotStaked();
}
if (_lastUpdate >= block.number - 2 * ROUND_LENGTH) {
revert MustStake2Rounds();
}
return inProximity(Stakes.overlayOfAddress(_owner), currentRoundAnchor(), _depthResponsibility);
}
// ----------------------------- Reveal ------------------------------
/**
* @notice Returns minimum depth reveal has to have to participate in this round
*/
function currentMinimumDepth() public view returns (uint8) {
// We are checking value in reveal phase, as the currentCommitRound is set to the current round
// but the currentClaimRound is still set to the last time claim was made
// We add 1 to ensure that for the next round the minimum depth is the same as last winner depth
uint256 difference = currentCommitRound - currentClaimRound;
uint8 skippedRounds = uint8(difference > 254 ? 254 : difference) + 1;
uint8 lastWinnerDepth = winner.depth;
// We ensure that skippedRounds is not bigger than lastWinnerDepth, because of overflow
return skippedRounds >= lastWinnerDepth ? 0 : lastWinnerDepth - skippedRounds;
}
/**
* @notice Helper function to get this node reveal in commits
* @dev
*/
function findCommit(bytes32 _overlay, bytes32 _obfuscatedHash) internal view returns (uint256) {
for (uint256 i = 0; i < currentCommits.length; ) {
if (currentCommits[i].overlay == _overlay && _obfuscatedHash == currentCommits[i].obfuscatedHash) {
return i;
}
unchecked {
++i;
}
}
revert NoMatchingCommit();
}
/**
* @notice Hash the pre-image values to the obsfucated hash.
* @dev _revealNonce_ must be randomly generated, used once and kept secret until the reveal phase.
* @param _overlay The overlay address of the applicant.
* @param _depth The reported depth.
* @param _hash The reserve commitment hash.
* @param revealNonce A random, single use, secret nonce.
*/
function wrapCommit(
bytes32 _overlay,
uint8 _depth,
bytes32 _hash,
bytes32 revealNonce
) public pure returns (bytes32) {
return keccak256(abi.encodePacked(_overlay, _depth, _hash, revealNonce));
}
/**
* @notice Returns true if current block is during reveal phase.
*/
function currentPhaseReveal() public view returns (bool) {
uint256 number = block.number % ROUND_LENGTH;
if (number >= ROUND_LENGTH / 4 && number < ROUND_LENGTH / 2) {
return true;
}
return false;
}
/**
* @notice Returns true if current block is during reveal phase.
*/
function currentRoundReveals() public view returns (Reveal[] memory) {
if (!currentPhaseClaim()) {
revert NotClaimPhase();
}
uint64 cr = currentRound();
if (cr != currentRevealRound) {
revert NoReveals();
}
return currentReveals;
}
// ----------------------------- Claim ------------------------------
/**
* @notice Returns true if current block is during claim phase.
*/
function currentPhaseClaim() public view returns (bool) {
if (block.number % ROUND_LENGTH >= ROUND_LENGTH / 2) {
return true;
}
return false;
}
function getCurrentTruth() internal view returns (bytes32 Hash, uint8 Depth) {
uint256 currentSum;
bytes32 randomNumber;
uint256 randomNumberTrunc;
bytes32 truthRevealedHash;
uint8 truthRevealedDepth;
uint256 revIndex;
string memory truthSelectionAnchor = currentTruthSelectionAnchor();
uint256 commitsArrayLength = currentCommits.length;
for (uint256 i = 0; i < commitsArrayLength; ) {
if (currentCommits[i].revealed) {
revIndex = currentCommits[i].revealIndex;
currentSum += currentReveals[revIndex].stakeDensity;
randomNumber = keccak256(abi.encodePacked(truthSelectionAnchor, i));
randomNumberTrunc = uint256(randomNumber & MAX_H);
// question is whether randomNumber / MAX_H < probability
// where probability is stakeDensity / currentSum
// to avoid resorting to floating points all divisions should be
// simplified with multiplying both sides (as long as divisor > 0)
// randomNumber / (MAX_H + 1) < stakeDensity / currentSum
// ( randomNumber / (MAX_H + 1) ) * currentSum < stakeDensity
// randomNumber * currentSum < stakeDensity * (MAX_H + 1)
if (randomNumberTrunc * currentSum < currentReveals[revIndex].stakeDensity * (uint256(MAX_H) + 1)) {
truthRevealedHash = currentReveals[revIndex].hash;
truthRevealedDepth = currentReveals[revIndex].depth;
}
}
unchecked {
++i;
}
}
return (truthRevealedHash, truthRevealedDepth);
}
/**
* @notice Determine if a the owner of a given overlay will be the beneficiary of the claim phase.
* @param _overlay The overlay address of the applicant.
*/
function isWinner(bytes32 _overlay) public view returns (bool) {
if (!currentPhaseClaim()) {
revert NotClaimPhase();
}
uint64 cr = currentRound();
if (cr != currentRevealRound) {
revert NoReveals();
}
if (cr <= currentClaimRound) {
revert AlreadyClaimed();
}
uint256 currentWinnerSelectionSum;
bytes32 winnerIs;
bytes32 randomNumber;
uint256 randomNumberTrunc;
bytes32 truthRevealedHash;
uint8 truthRevealedDepth;
uint256 revIndex;