Description:
Multi-signature wallet contract requiring multiple confirmations for transaction execution.
Blockchain: Ethereum
Source Code: View Code On The Blockchain
Solidity Source Code:
// SPDX-License-Identifier: BUSL-1.1
pragma solidity ^0.8.0 ^0.8.1 ^0.8.2 ^0.8.20 ^0.8.28;
// lib/openzeppelin-contracts-upgradeable/contracts/utils/AddressUpgradeable.sol
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Address.sol)
/**
* @dev Collection of functions related to the address type
*/
library AddressUpgradeable {
/**
* @dev Returns true if `account` is a contract.
*
* [IMPORTANT]
* ====
* It is unsafe to assume that an address for which this function returns
* false is an externally-owned account (EOA) and not a contract.
*
* Among others, `isContract` will return false for the following
* types of addresses:
*
* - an externally-owned account
* - a contract in construction
* - an address where a contract will be created
* - an address where a contract lived, but was destroyed
*
* Furthermore, `isContract` will also return true if the target contract within
* the same transaction is already scheduled for destruction by `SELFDESTRUCT`,
* which only has an effect at the end of a transaction.
* ====
*
* [IMPORTANT]
* ====
* You shouldn't rely on `isContract` to protect against flash loan attacks!
*
* Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
* like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
* constructor.
* ====
*/
function isContract(address account) internal view returns (bool) {
// This method relies on extcodesize/address.code.length, which returns 0
// for contracts in construction, since the code is only stored at the end
// of the constructor execution.
return account.code.length > 0;
}
/**
* @dev Replacement for Solidity's `transfer`: sends `amount` wei to
* `recipient`, forwarding all available gas and reverting on errors.
*
* https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
* of certain opcodes, possibly making contracts go over the 2300 gas limit
* imposed by `transfer`, making them unable to receive funds via
* `transfer`. {sendValue} removes this limitation.
*
* https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/[Learn more].
*
* IMPORTANT: because control is transferred to `recipient`, care must be
* taken to not create reentrancy vulnerabilities. Consider using
* {ReentrancyGuard} or the
* https://solidity.readthedocs.io/en/v0.8.0/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
*/
function sendValue(address payable recipient, uint256 amount) internal {
require(address(this).balance >= amount, "Address: insufficient balance");
(bool success, ) = recipient.call{value: amount}("");
require(success, "Address: unable to send value, recipient may have reverted");
}
/**
* @dev Performs a Solidity function call using a low level `call`. A
* plain `call` is an unsafe replacement for a function call: use this
* function instead.
*
* If `target` reverts with a revert reason, it is bubbled up by this
* function (like regular Solidity function calls).
*
* Returns the raw returned data. To convert to the expected return value,
* use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
*
* Requirements:
*
* - `target` must be a contract.
* - calling `target` with `data` must not revert.
*
* _Available since v3.1._
*/
function functionCall(address target, bytes memory data) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, "Address: low-level call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
* `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
return functionCallWithValue(target, data, 0, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but also transferring `value` wei to `target`.
*
* Requirements:
*
* - the calling contract must have an ETH balance of at least `value`.
* - the called Solidity function must be `payable`.
*
* _Available since v3.1._
*/
function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
}
/**
* @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
* with `errorMessage` as a fallback revert reason when `target` reverts.
*
* _Available since v3.1._
*/
function functionCallWithValue(
address target,
bytes memory data,
uint256 value,
string memory errorMessage
) internal returns (bytes memory) {
require(address(this).balance >= value, "Address: insufficient balance for call");
(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
return functionStaticCall(target, data, "Address: low-level static call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a static call.
*
* _Available since v3.3._
*/
function functionStaticCall(
address target,
bytes memory data,
string memory errorMessage
) internal view returns (bytes memory) {
(bool success, bytes memory returndata) = target.staticcall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
return functionDelegateCall(target, data, "Address: low-level delegate call failed");
}
/**
* @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
* but performing a delegate call.
*
* _Available since v3.4._
*/
function functionDelegateCall(
address target,
bytes memory data,
string memory errorMessage
) internal returns (bytes memory) {
(bool success, bytes memory returndata) = target.delegatecall(data);
return verifyCallResultFromTarget(target, success, returndata, errorMessage);
}
/**
* @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
* the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
*
* _Available since v4.8._
*/
function verifyCallResultFromTarget(
address target,
bool success,
bytes memory returndata,
string memory errorMessage
) internal view returns (bytes memory) {
if (success) {
if (returndata.length == 0) {
// only check isContract if the call was successful and the return data is empty
// otherwise we already know that it was a contract
require(isContract(target), "Address: call to non-contract");
}
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
/**
* @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
* revert reason or using the provided one.
*
* _Available since v4.3._
*/
function verifyCallResult(
bool success,
bytes memory returndata,
string memory errorMessage
) internal pure returns (bytes memory) {
if (success) {
return returndata;
} else {
_revert(returndata, errorMessage);
}
}
function _revert(bytes memory returndata, string memory errorMessage) private pure {
// Look for revert reason and bubble it up if present
if (returndata.length > 0) {
// The easiest way to bubble the revert reason is using memory via assembly
/// @solidity memory-safe-assembly
assembly {
let returndata_size := mload(returndata)
revert(add(32, returndata), returndata_size)
}
} else {
revert(errorMessage);
}
}
}
// lib/openzeppelin-contracts/contracts/utils/cryptography/ECDSA.sol
// OpenZeppelin Contracts (last updated v5.1.0) (utils/cryptography/ECDSA.sol)
/**
* @dev Elliptic Curve Digital Signature Algorithm (ECDSA) operations.
*
* These functions can be used to verify that a message was signed by the holder
* of the private keys of a given address.
*/
library ECDSA {
enum RecoverError {
NoError,
InvalidSignature,
InvalidSignatureLength,
InvalidSignatureS
}
/**
* @dev The signature derives the `address(0)`.
*/
error ECDSAInvalidSignature();
/**
* @dev The signature has an invalid length.
*/
error ECDSAInvalidSignatureLength(uint256 length);
/**
* @dev The signature has an S value that is in the upper half order.
*/
error ECDSAInvalidSignatureS(bytes32 s);
/**
* @dev Returns the address that signed a hashed message (`hash`) with `signature` or an error. This will not
* return address(0) without also returning an error description. Errors are documented using an enum (error type)
* and a bytes32 providing additional information about the error.
*
* If no error is returned, then the address can be used for verification purposes.
*
* The `ecrecover` EVM precompile allows for malleable (non-unique) signatures:
* this function rejects them by requiring the `s` value to be in the lower
* half order, and the `v` value to be either 27 or 28.
*
* IMPORTANT: `hash` _must_ be the result of a hash operation for the
* verification to be secure: it is possible to craft signatures that
* recover to arbitrary addresses for non-hashed data. A safe way to ensure
* this is by receiving a hash of the original message (which may otherwise
* be too long), and then calling {MessageHashUtils-toEthSignedMessageHash} on it.
*
* Documentation for signature generation:
* - with https://web3js.readthedocs.io/en/v1.3.4/web3-eth-accounts.html#sign[Web3.js]
* - with https://docs.ethers.io/v5/api/signer/#Signer-signMessage[ethers]
*/
function tryRecover(
bytes32 hash,
bytes memory signature
) internal pure returns (address recovered, RecoverError err, bytes32 errArg) {
if (signature.length == 65) {
bytes32 r;
bytes32 s;
uint8 v;
// ecrecover takes the signature parameters, and the only way to get them
// currently is to use assembly.
assembly ("memory-safe") {
r := mload(add(signature, 0x20))
s := mload(add(signature, 0x40))
v := byte(0, mload(add(signature, 0x60)))
}
return tryRecover(hash, v, r, s);
} else {
return (address(0), RecoverError.InvalidSignatureLength, bytes32(signature.length));
}
}
/**
* @dev Returns the address that signed a hashed message (`hash`) with
* `signature`. This address can then be used for verification purposes.
*
* The `ecrecover` EVM precompile allows for malleable (non-unique) signatures:
* this function rejects them by requiring the `s` value to be in the lower
* half order, and the `v` value to be either 27 or 28.
*
* IMPORTANT: `hash` _must_ be the result of a hash operation for the
* verification to be secure: it is possible to craft signatures that
* recover to arbitrary addresses for non-hashed data. A safe way to ensure
* this is by receiving a hash of the original message (which may otherwise
* be too long), and then calling {MessageHashUtils-toEthSignedMessageHash} on it.
*/
function recover(bytes32 hash, bytes memory signature) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, signature);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Overload of {ECDSA-tryRecover} that receives the `r` and `vs` short-signature fields separately.
*
* See https://eips.ethereum.org/EIPS/eip-2098[ERC-2098 short signatures]
*/
function tryRecover(
bytes32 hash,
bytes32 r,
bytes32 vs
) internal pure returns (address recovered, RecoverError err, bytes32 errArg) {
unchecked {
bytes32 s = vs & bytes32(0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff);
// We do not check for an overflow here since the shift operation results in 0 or 1.
uint8 v = uint8((uint256(vs) >> 255) + 27);
return tryRecover(hash, v, r, s);
}
}
/**
* @dev Overload of {ECDSA-recover} that receives the `r and `vs` short-signature fields separately.
*/
function recover(bytes32 hash, bytes32 r, bytes32 vs) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, r, vs);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Overload of {ECDSA-tryRecover} that receives the `v`,
* `r` and `s` signature fields separately.
*/
function tryRecover(
bytes32 hash,
uint8 v,
bytes32 r,
bytes32 s
) internal pure returns (address recovered, RecoverError err, bytes32 errArg) {
// EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make the signature
// unique. Appendix F in the Ethereum Yellow paper (https://ethereum.github.io/yellowpaper/paper.pdf), defines
// the valid range for s in (301): 0 < s < secp256k1n ÷ 2 + 1, and for v in (302): v ∈ {27, 28}. Most
// signatures from current libraries generate a unique signature with an s-value in the lower half order.
//
// If your library generates malleable signatures, such as s-values in the upper range, calculate a new s-value
// with 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 - s1 and flip v from 27 to 28 or
// vice versa. If your library also generates signatures with 0/1 for v instead 27/28, add 27 to v to accept
// these malleable signatures as well.
if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
return (address(0), RecoverError.InvalidSignatureS, s);
}
// If the signature is valid (and not malleable), return the signer address
address signer = ecrecover(hash, v, r, s);
if (signer == address(0)) {
return (address(0), RecoverError.InvalidSignature, bytes32(0));
}
return (signer, RecoverError.NoError, bytes32(0));
}
/**
* @dev Overload of {ECDSA-recover} that receives the `v`,
* `r` and `s` signature fields separately.
*/
function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
(address recovered, RecoverError error, bytes32 errorArg) = tryRecover(hash, v, r, s);
_throwError(error, errorArg);
return recovered;
}
/**
* @dev Optionally reverts with the corresponding custom error according to the `error` argument provided.
*/
function _throwError(RecoverError error, bytes32 errorArg) private pure {
if (error == RecoverError.NoError) {
return; // no error: do nothing
} else if (error == RecoverError.InvalidSignature) {
revert ECDSAInvalidSignature();
} else if (error == RecoverError.InvalidSignatureLength) {
revert ECDSAInvalidSignatureLength(uint256(errorArg));
} else if (error == RecoverError.InvalidSignatureS) {
revert ECDSAInvalidSignatureS(errorArg);
}
}
}
// src/interfaces/allowlist/IAllowlistAddressPermissions.sol
/**
* @title IAllowlistAddressPermissions
* @notice Core interface for address permissions and entity ID lookups
* @dev This interface provides the essential allowlist functions needed for
* checking address permissions and entity mappings
*/
interface IAllowlistAddressPermissions {
/**
* @notice Gets the entityId for the provided address
* @param addr The address to get the entityId for
*/
function addressEntityIds(address addr) external view returns (uint256);
/**
* @notice Checks whether an address is allowed to use a private instrument
* @param addr The address to check permissions for
* @param instrument The private instrument symbol to check permissions for
*/
function isAddressAllowedForPrivateInstrument(address addr, string calldata instrument) external view returns (bool);
/**
* @dev Checks if an address is allowed to interact with public instrument
* @param addr The address to check
* @return True if the address is allowed, false otherwise
*/
function isAddressAllowedForPublicInstrument(address addr) external view returns (bool);
}
// src/interfaces/allowlist/IAllowlistV3.sol
interface IAllowlistV3 is IAllowlistAddressPermissions {
/// @notice An event emitted when an address's permission is changed for a private instrument.
event PrivateInstrumentPermissionSet(uint256 indexed entityId, string instrument, bool permission);
/// @notice An event emitted when an address's permission is changed for public instruments
event PublicInstrumentPermissionSet(uint256 indexed entityId, bool permission);
/// @notice An event emitted when a protocol's permission is changed for a private instrument.
event ProtocolAddressPermissionSet(address indexed addr, string instrument, bool isAllowed);
/// @notice An event emitted when an address is associated with an entityId
event EntityIdSet(address indexed addr, uint256 indexed entityId);
/// @dev Thrown when the input for a function is invalid
error BadData();
/// @dev Thrown when the input is already equivalent to the storage being set
error AlreadySet();
/// @dev An address's entityId can not be changed once set, it can only be unset and then set to a new value
error NonZeroEntityIdMustBeChangedToZero();
/// @dev Thrown when trying to set entityId for an address that has protocol permissions
error AddressHasProtocolPermissions();
/// @dev Thrown when trying to set protocol permissions for an address that has an entityId
error AddressHasEntityId();
/// @dev Thrown when trying to set protocol permissions but the code size is 0
error CodeSizeZero();
/// @dev Thrown when a method is no longer supported
error Deprecated();
/// @dev Thrown if an attempt to call `renounceOwnership` is made
error RenounceOwnershipDisabled();
/// @dev Thrown when a signature has expired
error SignatureExpired();
/// @dev Thrown when a signature is from an invalid signer
error InvalidSigner();
/// @dev Thrown when a nonce is not in sequence or expected
error InvalidNonce();
/**
* @notice Checks whether an Entity is allowed to use a private instrument
* @param entityId The reference for entity to check for
* @param instrument The private instrument symbol to check permissions for
*/
function isEntityAllowedForPrivateInstrument(uint256 entityId, string calldata instrument) external view returns (bool);
/**
* @notice Checks whether an Entity is allowed to use public instruments
* @param entityId The reference for entity to check for
*/
function isEntityAllowedForPublicInstrument(uint256 entityId) external view returns (bool);
/**
* @notice Sets whether an Entity is allowed to use a private instrument
* @param entityId The reference for entity to check for
* @param instrument The private instrument symbol to check permissions for
* @param isAllowed The permission value to set
*/
function setEntityAllowedForPrivateInstrument(uint256 entityId, string calldata instrument, bool isAllowed) external;
/**
* @notice Sets whether an Entity is allowed to use a public instrument
* @param entityId The reference for entity to check for
* @param isAllowed The permission value to set
*/
function setEntityAllowedForPublicInstrument(uint256 entityId, bool isAllowed) external;
/**
* @notice Unified signature-based method for setting user permissions for instruments
* @param entityId The entity identifier (must be > 0 for users)
* @param isPublic Whether this is for a public or private instrument
* @param isAllowed The new permission state
* @param addr The address to update permissions for
* @param instrument The instrument identifier (empty string for public instruments)
* @param nonce The nonce for replay protection
* @param deadline Expiration timestamp for the signature
* @param v The recovery byte of the signature
* @param r Half of the ECDSA signature pair
* @param s Half of the ECDSA signature pair
*/
function setUserPermissionForInstrument(
uint256 entityId,
bool isPublic,
bool isAllowed,
address addr,
string calldata instrument,
uint256 nonce,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external;
/**
* @notice Sets the entityId for a given address.
* @notice Setting to 0 removes the address from the allowlist !!
* @param entityId The entityId to associate with an address
* @param addr The address to associate with an entityId
*/
function setEntityIdForAddress(uint256 entityId, address addr) external;
/**
* @notice Sets the entity Id for a list of addresses.
* @notice Setting to 0 removes the address from the allowlist !!
* @param entityId The entityId to associate with an address
* @param addresses The addresses to associate with an entityId
*/
function setEntityIdForMultipleAddresses(uint256 entityId, address[] calldata addresses) external;
/**
* @notice Sets protocol permissions for an address
* @param addr The address to set permissions for
* @param instrument The private instrument symbol to set permissions for
* @param isAllowed The permission value to set
*/
function setProtocolAddressPermission(address addr, string calldata instrument, bool isAllowed) external;
/**
* @notice Sets protocol permissions for multiple addresses
* @param addresses The addresses to set permissions for
* @param instrument The private instrument symbol to set permissions for
* @param isAllowed The permission value to set
*/
function setProtocolAddressPermissions(address[] calldata addresses, string calldata instrument, bool isAllowed)
external;
/**
* @notice Sets entity for an array of addresses and sets permissions for an entity
* @param entityId The entityId to be updated
* @param addresses The addresses to associate with an entityId
* @param instrumentPermissionsToUpdate The instruments to update permissions for
* @param instrumentPermissions The permissions for each instrument
*/
function setEntityPermissionsAndAddresses(
uint256 entityId,
address[] calldata addresses,
string[] calldata instrumentPermissionsToUpdate,
bool[] calldata instrumentPermissions
) external;
function hasAnyProtocolPermissions(address addr) external view returns (bool hasPermissions);
function protocolPermissionsForPrivateInstruments(address protocol) external view returns (uint256);
function protocolPermissions(address, string calldata) external view returns (bool);
function nonces(uint256 entityId) external view returns (uint256);
function DOMAIN_SEPARATOR() external view returns (bytes32);
function hashTypedDataV4(bytes32 structHash) external view returns (bytes32);
function initializeV3() external;
// NOTE: for backward compatability with allowlist v2, to be removed by v4 or when all dependencies upgrade to v3+ api
function isAddressAllowedForFund(address addr, string calldata fundSymbol) external view returns (bool);
}
// lib/openzeppelin-contracts-upgradeable/contracts/proxy/utils/Initializable.sol
// OpenZeppelin Contracts (last updated v4.9.0) (proxy/utils/Initializable.sol)
/**
* @dev This is a base contract to aid in writing upgradeable contracts, or any kind of contract that will be deployed
* behind a proxy. Since proxied contracts do not make use of a constructor, it's common to move constructor logic to an
* external initializer function, usually called `initialize`. It then becomes necessary to protect this initializer
* function so it can only be called once. The {initializer} modifier provided by this contract will have this effect.
*
* The initialization functions use a version number. Once a version number is used, it is consumed and cannot be
* reused. This mechanism prevents re-execution of each "step" but allows the creation of new initialization steps in
* case an upgrade adds a module that needs to be initialized.
*
* For example:
*
* [.hljs-theme-light.nopadding]
* ```solidity
* contract MyToken is ERC20Upgradeable {
* function initialize() initializer public {
* __ERC20_init("MyToken", "MTK");
* }
* }
*
* contract MyTokenV2 is MyToken, ERC20PermitUpgradeable {
* function initializeV2() reinitializer(2) public {
* __ERC20Permit_init("MyToken");
* }
* }
* ```
*
* TIP: To avoid leaving the proxy in an uninitialized state, the initializer function should be called as early as
* possible by providing the encoded function call as the `_data` argument to {ERC1967Proxy-constructor}.
*
* CAUTION: When used with inheritance, manual care must be taken to not invoke a parent initializer twice, or to ensure
* that all initializers are idempotent. This is not verified automatically as constructors are by Solidity.
*
* [CAUTION]
* ====
* Avoid leaving a contract uninitialized.
*
* An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation
* contract, which may impact the proxy. To prevent the implementation contract from being used, you should invoke
* the {_disableInitializers} function in the constructor to automatically lock it when it is deployed:
*
* [.hljs-theme-light.nopadding]
* ```
* /// @custom:oz-upgrades-unsafe-allow constructor
* constructor() {
* _disableInitializers();
* }
* ```
* ====
*/
abstract contract Initializable {
/**
* @dev Indicates that the contract has been initialized.
* @custom:oz-retyped-from bool
*/
uint8 private _initialized;
/**
* @dev Indicates that the contract is in the process of being initialized.
*/
bool private _initializing;
/**
* @dev Triggered when the contract has been initialized or reinitialized.
*/
event Initialized(uint8 version);
/**
* @dev A modifier that defines a protected initializer function that can be invoked at most once. In its scope,
* `onlyInitializing` functions can be used to initialize parent contracts.
*
* Similar to `reinitializer(1)`, except that functions marked with `initializer` can be nested in the context of a
* constructor.
*
* Emits an {Initialized} event.
*/
modifier initializer() {
bool isTopLevelCall = !_initializing;
require(
(isTopLevelCall && _initialized < 1) || (!AddressUpgradeable.isContract(address(this)) && _initialized == 1),
"Initializable: contract is already initialized"
);
_initialized = 1;
if (isTopLevelCall) {
_initializing = true;
}
_;
if (isTopLevelCall) {
_initializing = false;
emit Initialized(1);
}
}
/**
* @dev A modifier that defines a protected reinitializer function that can be invoked at most once, and only if the
* contract hasn't been initialized to a greater version before. In its scope, `onlyInitializing` functions can be
* used to initialize parent contracts.
*
* A reinitializer may be used after the original initialization step. This is essential to configure modules that
* are added through upgrades and that require initialization.
*
* When `version` is 1, this modifier is similar to `initializer`, except that functions marked with `reinitializer`
* cannot be nested. If one is invoked in the context of another, execution will revert.
*
* Note that versions can jump in increments greater than 1; this implies that if multiple reinitializers coexist in
* a contract, executing them in the right order is up to the developer or operator.
*
* WARNING: setting the version to 255 will prevent any future reinitialization.
*
* Emits an {Initialized} event.
*/
modifier reinitializer(uint8 version) {
require(!_initializing && _initialized < version, "Initializable: contract is already initialized");
_initialized = version;
_initializing = true;
_;
_initializing = false;
emit Initialized(version);
}
/**
* @dev Modifier to protect an initialization function so that it can only be invoked by functions with the
* {initializer} and {reinitializer} modifiers, directly or indirectly.
*/
modifier onlyInitializing() {
require(_initializing, "Initializable: contract is not initializing");
_;
}
/**
* @dev Locks the contract, preventing any future reinitialization. This cannot be part of an initializer call.
* Calling this in the constructor of a contract will prevent that contract from being initialized or reinitialized
* to any version. It is recommended to use this to lock implementation contracts that are designed to be called
* through proxies.
*
* Emits an {Initialized} event the first time it is successfully executed.
*/
function _disableInitializers() internal virtual {
require(!_initializing, "Initializable: contract is initializing");
if (_initialized != type(uint8).max) {
_initialized = type(uint8).max;
emit Initialized(type(uint8).max);
}
}
/**
* @dev Returns the highest version that has been initialized. See {reinitializer}.
*/
function _getInitializedVersion() internal view returns (uint8) {
return _initialized;
}
/**
* @dev Returns `true` if the contract is currently initializing. See {onlyInitializing}.
*/
function _isInitializing() internal view returns (bool) {
return _initializing;
}
}
// lib/openzeppelin-contracts-upgradeable/contracts/utils/ContextUpgradeable.sol
// OpenZeppelin Contracts v4.4.1 (utils/Context.sol)
/**
* @dev Provides information about the current execution context, including the
* sender of the transaction and its data. While these are generally available
* via msg.sender and msg.data, they should not be accessed in such a direct
* manner, since when dealing with meta-transactions the account sending and
* paying for execution may not be the actual sender (as far as an application
* is concerned).
*
* This contract is only required for intermediate, library-like contracts.
*/
abstract contract ContextUpgradeable is Initializable {
function __Context_init() internal onlyInitializing {
}
function __Context_init_unchained() internal onlyInitializing {
}
function _msgSender() internal view virtual returns (address) {
return msg.sender;
}
function _msgData() internal view virtual returns (bytes calldata) {
return msg.data;
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[50] private __gap;
}
// lib/openzeppelin-contracts-upgradeable/contracts/access/OwnableUpgradeable.sol
// OpenZeppelin Contracts (last updated v4.9.0) (access/Ownable.sol)
/**
* @dev Contract module which provides a basic access control mechanism, where
* there is an account (an owner) that can be granted exclusive access to
* specific functions.
*
* By default, the owner account will be the one that deploys the contract. This
* can later be changed with {transferOwnership}.
*
* This module is used through inheritance. It will make available the modifier
* `onlyOwner`, which can be applied to your functions to restrict their use to
* the owner.
*/
abstract contract OwnableUpgradeable is Initializable, ContextUpgradeable {
address private _owner;
event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
/**
* @dev Initializes the contract setting the deployer as the initial owner.
*/
function __Ownable_init() internal onlyInitializing {
__Ownable_init_unchained();
}
function __Ownable_init_unchained() internal onlyInitializing {
_transferOwnership(_msgSender());
}
/**
* @dev Throws if called by any account other than the owner.
*/
modifier onlyOwner() {
_checkOwner();
_;
}
/**
* @dev Returns the address of the current owner.
*/
function owner() public view virtual returns (address) {
return _owner;
}
/**
* @dev Throws if the sender is not the owner.
*/
function _checkOwner() internal view virtual {
require(owner() == _msgSender(), "Ownable: caller is not the owner");
}
/**
* @dev Leaves the contract without owner. It will not be possible to call
* `onlyOwner` functions. Can only be called by the current owner.
*
* NOTE: Renouncing ownership will leave the contract without an owner,
* thereby disabling any functionality that is only available to the owner.
*/
function renounceOwnership() public virtual onlyOwner {
_transferOwnership(address(0));
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual onlyOwner {
require(newOwner != address(0), "Ownable: new owner is the zero address");
_transferOwnership(newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual {
address oldOwner = _owner;
_owner = newOwner;
emit OwnershipTransferred(oldOwner, newOwner);
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[49] private __gap;
}
// lib/openzeppelin-contracts-upgradeable/contracts/access/Ownable2StepUpgradeable.sol
// OpenZeppelin Contracts (last updated v4.9.0) (access/Ownable2Step.sol)
/**
* @dev Contract module which provides access control mechanism, where
* there is an account (an owner) that can be granted exclusive access to
* specific functions.
*
* By default, the owner account will be the one that deploys the contract. This
* can later be changed with {transferOwnership} and {acceptOwnership}.
*
* This module is used through inheritance. It will make available all functions
* from parent (Ownable).
*/
abstract contract Ownable2StepUpgradeable is Initializable, OwnableUpgradeable {
function __Ownable2Step_init() internal onlyInitializing {
__Ownable_init_unchained();
}
function __Ownable2Step_init_unchained() internal onlyInitializing {
}
address private _pendingOwner;
event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
/**
* @dev Returns the address of the pending owner.
*/
function pendingOwner() public view virtual returns (address) {
return _pendingOwner;
}
/**
* @dev Starts the ownership transfer of the contract to a new account. Replaces the pending transfer if there is one.
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual override onlyOwner {
_pendingOwner = newOwner;
emit OwnershipTransferStarted(owner(), newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`) and deletes any pending owner.
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual override {
delete _pendingOwner;
super._transferOwnership(newOwner);
}
/**
* @dev The new owner accepts the ownership transfer.
*/
function acceptOwnership() public virtual {
address sender = _msgSender();
require(pendingOwner() == sender, "Ownable2Step: caller is not the new owner");
_transferOwnership(sender);
}
/**
* @dev This empty reserved space is put in place to allow future versions to add new
* variables without shifting down storage in the inheritance chain.
* See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
*/
uint256[49] private __gap;
}
// src/allowlist/Allowlist.sol
/**
* @title Allowlist V3.1
* @notice An advanced access control contract that manages permissions for financial instruments
* @dev This contract supports two mutually exclusive permission models:
* 1. Entity-based permissions: Users are grouped by entityId with granular instrument access
* 2. Protocol-based permissions: Direct contract address permissions (private instruments only)
*
* Key Features:
* - Private instruments (e.g., USTB, USCC): Restricted access funds requiring specific permissions
* - Public instruments: Broadly accessible instruments with simplified entity-only permissions
* - Upgradeable design with storage layout preservation
* - Two-step ownership for enhanced security
*
* @author Jake Goh Si Yuan, Chris Ridmann (Superstate)
* @custom:version 3.1.0
* @custom:security-contact security@superstate.co
*/
contract Allowlist is IAllowlistV3, Ownable2StepUpgradeable {
/*//////////////////////////////////////////////////////////////
STORAGE LAYOUT
//////////////////////////////////////////////////////////////*/
/**
* @dev Reserved space for future inheritance without storage conflicts
*/
uint256[500] private __inheritanceGap;
/// @notice The major version of this contract implementation
/// @dev Used for upgrade compatibility verification
string public constant VERSION = "3.1";
/*//////////////////////////////////////////////////////////////
CORE STORAGE MAPPINGS
//////////////////////////////////////////////////////////////*/
/// @notice Maps addresses to their associated entity IDs
/// @dev entityId of 0 indicates the address has no entity-based permissions
/// @custom:invariant An address with entityId > 0 cannot have protocol permissions
mapping(address => uint256) public addressEntityIds;
/// @notice Maps entity IDs to their private instrument permissions
/// @dev Private instruments require explicit per-instrument permissions
/// @custom:example privateInstrumentPermissionByEntityId[123]["USTB"] = true
mapping(uint256 entityId => mapping(string instrument => bool permission)) public
privateInstrumentPermissionByEntityId;
/// @notice Tracks the number of instruments each protocol address has permissions for
/// @dev Used for efficient checking of protocol permission existence
/// @custom:invariant Must equal the sum of all true values in protocolPermissions[addr]
mapping(address protocol => uint256 numberOfInstruments) public protocolPermissionsForInstruments;
/// @notice Maps protocol addresses to their specific instrument permissions
/// @dev Only applies to contract addresses (extcodesize > 0)
/// @custom:invariant Protocol addresses with permissions cannot have entityIds
mapping(address protocol => mapping(string instrument => bool permission)) public protocolPermissions;
/// @notice Maps entity IDs to their public instrument permissions
/// @dev Public instruments use a single boolean flag per entity
/// @custom:security Protocol addresses cannot access public instruments
mapping(uint256 entityId => bool permission) public publicInstrumentPermissionByEntityId;
/**
* @dev Reserved space for future storage variables
*/
uint256[99] private __additionalFieldsGap;
/*//////////////////////////////////////////////////////////////
NAMESPACED STORAGE (ERC-7201)
//////////////////////////////////////////////////////////////*/
/**
* @custom:storage-location erc7201:superstate.storage.allowlist
*/
struct AllowlistV3Storage {
/// @notice Tracks nonces for signature-based entity ID assignments
/// @dev Prevents replay attacks by ensuring each signature can only be used once
mapping(uint256 => uint256) nonces;
/// @notice The cached domain separator for EIP-712
bytes32 domainSeparator;
/// @notice The cached chain id
uint256 cachedChainId;
/// @notice The cached self address
address cachedSelf;
}
// keccak256(abi.encode(uint256(keccak256("superstate.storage.allowlist")) - 1)) & ~bytes32(uint256(0xff))
bytes32 private constant AllowlistV3StorageLocation =
0xff964854c365c68ab0639012767b019dce81068dee578d1c55b686815fe32e00;
/**
* @dev Returns the AllowlistV3Storage struct from ERC-7201 namespace
* @return $ Storage pointer to the AllowlistV3Storage struct
*
* @custom:security Uses assembly for direct storage access to namespaced location
*/
function _getAllowlistV3Storage() private pure returns (AllowlistV3Storage storage $) {
assembly {
$.slot := AllowlistV3StorageLocation
}
}
/*//////////////////////////////////////////////////////////////
EIP-712 CONSTANTS
//////////////////////////////////////////////////////////////*/
/// @notice The EIP-712 typehash for unified user permission assignment
/// @dev Handles all permission scenarios: entity/address for public/private instruments
/// @dev Used for signature verification in setUserPermissionForInstrument
bytes32 public constant SET_USER_PERMISSION_FOR_INSTRUMENT_TYPEHASH =
keccak256(
"SetUserPermissionForInstrument(uint256 entityId,bool isPublic,bool isAllowed,address addr,string instrument,uint256 nonce,uint256 deadline)"
);
/// @dev The EIP-712 typehash for the contract's domain
bytes32 internal constant DOMAIN_TYPEHASH =
keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
/*//////////////////////////////////////////////////////////////
CONSTRUCTOR & INITIALIZER
//////////////////////////////////////////////////////////////*/
/**
* @notice Disables initializers to prevent implementation contract misuse
* @dev This is the implementation contract; actual instances use initialize()
*/
constructor() {
_disableInitializers();
}
/**
* @notice Initializes the proxy contract instance
* @dev Can only be called once per proxy deployment
* @custom:oz-upgrades-unsafe-allow constructor
*/
function initialize() public initializer {
__Ownable2Step_init();
_initializeEIP712("Allowlist", VERSION);
}
/**
* @notice Reinitializes the contract to version 3
* @dev Called during upgrade from V2 to V3 to set up EIP-712 domain
*
* @custom:upgrade-note Adds EIP-712 support for signature-based operations
* @custom:security Can only be called once during the upgrade process
*/
function initializeV3() public reinitializer(3) {
_initializeEIP712("Allowlist", VERSION);
}
/*//////////////////////////////////////////////////////////////
ADDRESS PERMISSION QUERIES
//////////////////////////////////////////////////////////////*/
/**
* @notice Checks if an address is allowed to access a private instrument
* @param addr The address to check permissions for
* @param instrument The private instrument identifier (e.g., "USTB", "USCC")
* @return allowed True if the address has permission for the specified instrument
*
* @dev Permission Resolution Logic:
* 1. If address has entityId > 0: Must be EOA or whitelisted contract, then check entity-based permissions
* 2. If address has entityId = 0: Check protocol-based permissions
*
* @custom:example
* // Entity-based access (EOAs and whitelisted contracts)
* isAddressAllowedForPrivateInstrument(userAddress, "USTB") → true
* isAddressAllowedForPrivateInstrument(whitelistedMultisig, "USTB") → true
*
* // Protocol-based access
* isAddressAllowedForPrivateInstrument(dexContract, "USTB") → true
*
* @custom:security No restrictions on contracts having entity permissions
*/
function isAddressAllowedForPrivateInstrument(address addr, string calldata instrument)
public
view
returns (bool allowed)
{
uint256 entityId = addressEntityIds[addr];
if (entityId == 0) {
// No entity ID: check protocol permissions
return protocolPermissions[addr][instrument];
}
// Has entity ID: check entity permissions
return isEntityAllowedForPrivateInstrument(entityId, instrument);
}
/**
* @notice Checks if an address is allowed to access a fund, DEPRECATED. Only checks private allowlist, even if asset is on the public allowlist
* @param addr The address to check permissions for
* @param fundSymbol The fund symbol to check permissions for
* @return allowed True if the address has permission for the fund
* @dev This function is only for backward compatibility with allowlist v2
* @dev Use isAddressAllowedForPrivateInstrument and isAddressAllowedForPublicInstrument instead.
*/
function isAddressAllowedForFund(address addr, string calldata fundSymbol) external view returns (bool) {
return isAddressAllowedForPrivateInstrument(addr, fundSymbol);
}
/**
* @notice Checks if an address is allowed to access public instruments
* @param addr The address to check permissions for
* @return allowed True if the address has permission for public instruments
*
* @dev Public Instrument Access Rules:
* - Only entity-based permissions are supported
* - Protocol addresses (entityId = 0) are automatically denied
* - Addresses with entityId > 0 must be EOAs or whitelisted contracts
* - Simplified boolean permission per entity (no per-instrument granularity)
*
* @custom:security Protocol addresses cannot access public instruments by design for now
*/
function isAddressAllowedForPublicInstrument(address addr) external view returns (bool allowed) {
uint256 entityId = addressEntityIds[addr];
if (entityId == 0) {
// Protocol addresses cannot access public instruments
return false;
}
// Has entity ID: check entity permissions
return isEntityAllowedForPublicInstrument(entityId);
}
/*//////////////////////////////////////////////////////////////
ENTITY PERMISSION QUERIES
//////////////////////////////////////////////////////////////*/
/**
* @notice Checks if an entity has permission for a specific private instrument
* @param entityId The entity identifier to check
* @param instrument The private instrument identifier
* @return allowed True if the entity has permission for the instrument
*
* @dev Direct storage lookup with no additional logic
* @custom:gas Highly optimized for frequent calls
*/
function isEntityAllowedForPrivateInstrument(uint256 entityId, string calldata instrument)
public
view
returns (bool allowed)
{
return privateInstrumentPermissionByEntityId[entityId][instrument];
}
/**
* @notice Checks if an entity has permission for public instruments
* @param entityId The entity identifier to check
* @return allowed True if the entity has permission for public instruments
*
* @dev Single boolean flag covers all public instruments for the entity
*/
function isEntityAllowedForPublicInstrument(uint256 entityId) public view returns (bool allowed) {
return publicInstrumentPermissionByEntityId[entityId];
}
/*//////////////////////////////////////////////////////////////
ENTITY PERMISSION MANAGEMENT
//////////////////////////////////////////////////////////////*/
/**
* @notice Sets an entity's permission for a specific private instrument
* @param entityId The entity identifier to update
* @param instrument The private instrument identifier
* @param isAllowed The new permission state
*
* @dev Emits PrivateInstrumentPermissionSet event for off-chain tracking
* @custom:access-control Only contract owner
*/
function setEntityAllowedForPrivateInstrument(uint256 entityId, string calldata instrument, bool isAllowed)
external
onlyOwner
{
_setEntityAllowedForPrivateInstrumentInternal(entityId, instrument, isAllowed);
}
/**
* @notice Unified signature-based method for setting user permissions for instruments
* @param entityId The entity identifier (must be > 0 for users)
* @param isPublic Whether this is for a public or private instrument
* @param isAllowed The new permission state
* @param addr The address to update permissions for
* @param instrument The instrument identifier (empty string for public instruments)
* @param deadline Expiration timestamp for the signature
* @param v The recovery byte of the signature
* @param r Half of the ECDSA signature pair
* @param s Half of the ECDSA signature pair
*
* @dev This unified method handles 4 scenarios:
* 1. Set entity permission for private instrument: entityId > 0, isPublic = false, addr = zero, instrument != ""
* 2. Set entity permission for public instrument: entityId > 0, isPublic = true, addr = zero, instrument = ""
* 3. Set address entity ID and private instrument: entityId > 0, isPublic = false, addr != zero, instrument != ""
* 4. Set address entity ID and public instrument: entityId > 0, isPublic = true, addr != zero, instrument = ""
*
* @dev Signature Requirements:
* - Must be signed by the contract owner
* - Must include correct entity nonce to prevent replay attacks
* - Must be used before the deadline
* - Uses entity-based nonces for replay protection
*
* @custom:security Uses EIP-712 structured data signing for secure off-chain authorization
* @custom:gas-optimization Allows batch permission updates without owner being on-chain
* @custom:throws SignatureExpired if deadline has passed
* @custom:throws InvalidSigner if signature is not from owner
* @custom:throws AlreadySet if permission is already at desired state
* @custom:throws BadData if parameters are inconsistent
*/
function setUserPermissionForInstrument(
uint256 entityId,
bool isPublic,
bool isAllowed,
address addr,
string calldata instrument,
uint256 nonce,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external {
// Build and verify the signature
bytes32 structHash = _buildUserPermissionStructHash(
entityId, isPublic, isAllowed, addr, instrument, nonce, deadline
);
_verifyAndIncrementNonce(entityId, structHash, nonce, deadline, v, r, s);
// Route to appropriate internal function based on parameters
_routeUserPermission(entityId, isPublic, isAllowed, addr, instrument);
}
/**
* @dev Builds the EIP-712 struct hash for unified user permission signatures
* @param entityId The entity identifier
* @param isPublic Whether the instrument is public or private
* @param isAllowed The permission state to set
* @param addr The address to update
* @param instrument The instrument identifier
* @param deadline The signature expiration timestamp
* @return structHash The EIP-712 struct hash for signature verification
*
* @custom:security Includes entity's current nonce to prevent replay attacks
*/
function _buildUserPermissionStructHash(
uint256 entityId,
bool isPublic,
bool isAllowed,
address addr,
string calldata instrument,
uint256 nonce,
uint256 deadline
) internal view returns (bytes32) {
// Validation will be done in _routeUserPermission
return keccak256(
abi.encode(
SET_USER_PERMISSION_FOR_INSTRUMENT_TYPEHASH,
entityId,
isPublic,
isAllowed,
addr,
keccak256(bytes(instrument)),
nonce,
deadline
)
);
}
/**
* @notice Sets an entity's permission for all public instruments
* @param entityId The entity identifier to update
* @param isAllowed The new permission state
*
* @dev Emits PublicInstrumentPermissionSet event for off-chain tracking
* @custom:access-control Only contract owner
*/
function setEntityAllowedForPublicInstrument(uint256 entityId, bool isAllowed) external onlyOwner {
_setEntityAllowedForPublicInstrumentInternal(entityId, isAllowed);
}
/*//////////////////////////////////////////////////////////////
PROTOCOL PERMISSION MANAGEMENT
//////////////////////////////////////////////////////////////*/
/**
* @notice Sets protocol permissions for a contract address
* @param addr The contract address to update (must have bytecode)
* @param instrument The private instrument identifier
* @param isAllowed The new permission state
*
* @dev Security Requirements:
* - Address must be a contract (extcodesize > 0)
* - Address must not have an entity ID (mutual exclusivity)
* - Prevents duplicate permission setting
*
* @custom:access-control Only contract owner
* @custom:throws CodeSizeZero if address is not a contract
* @custom:throws AddressHasEntityId if address has entity permissions
* @custom:throws AlreadySet if permission is already at desired state
*/
function setProtocolAddressPermission(address addr, string calldata instrument, bool isAllowed)
external
onlyOwner
{
if (addressEntityIds[addr] != 0) revert AddressHasEntityId();
_setProtocolAllowedForInstrumentInternal(addr, instrument, isAllowed);
}
/**
* @notice Sets protocol permissions for multiple contract addresses at once
* @param addrs Array of contract addresses to update
* @param instrument The private instrument identifier
* @param isAllowed The new permission state for all addresses
*
* @dev Batch operation for gas efficiency. All addresses must meet protocol requirements.
* @custom:access-control Only contract owner
* @custom:gas-optimization Batch processing reduces transaction costs
*/
function setProtocolAddressPermissions(address[] calldata addrs, string calldata instrument, bool isAllowed)
external
onlyOwner
{
uint256 length = addrs.length;
for (uint256 i = 0; i < length; ++i) {
if (addressEntityIds[addrs[i]] != 0) revert AddressHasEntityId();
_setProtocolAllowedForInstrumentInternal(addrs[i], instrument, isAllowed);
}
}
/*//////////////////////////////////////////////////////////////
ENTITY-ADDRESS ASSOCIATION
//////////////////////////////////////////////////////////////*/
/**
* @notice Associates an address with an entity ID
* @param entityId The entity ID to assign (0 to remove association)
* @param addr The address to update
*
* @dev Entity ID Rules:
* - Setting entityId = 0 removes the address from the allowlist
* - Non-zero entityId requires two-step process: set to 0, then set to new value
* - Address cannot have protocol permissions when setting entityId > 0
*
* @custom:access-control Only contract owner
* @custom:security Prevents accidental overwrites with two-step requirement
* @custom:security No restrictions on contracts having entity IDs
*/
function setEntityIdForAddress(uint256 entityId, address addr) external onlyOwner {
_setEntityAddressInternal(entityId, addr);
}
/**
* @dev Verifies a signature and increments the entity's nonce
* @param entityId The entity whose nonce to increment
* @param structHash The EIP-712 struct hash to verify
* @param nonce The nonce
* @param deadline The signature expiration timestamp
* @param v The recovery byte of the signature
* @param r Half of the ECDSA signature pair
* @param s Half of the ECDSA signature pair
*
* @custom:security Combines deadline validation, nonce verification, signature verification, and nonce increment
* @custom:atomicity All checks must pass before nonce is incremented
*/
function _verifyAndIncrementNonce(
uint256 entityId,
bytes32 structHash,
uint256 nonce,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) internal {
_requireValidDeadline(deadline);
_requireValidNonce(entityId, nonce);
_verifySignature(structHash, v, r, s);
_incrementNonce(entityId);
}
function _requireValidNonce(uint256 entityId, uint256 nonce) internal view {
if (nonces(entityId) != nonce) revert InvalidNonce();
}
/**
* @dev Validates that a signature deadline has not expired
* @param deadline The timestamp to check against current block time
*
* @custom:throws SignatureExpired if current time exceeds deadline
*/
function _requireValidDeadline(uint256 deadline) internal view {
if (block.timestamp > deadline) revert SignatureExpired();
}
/**
* @dev Verifies that a signature was created by the contract owner
* @param structHash The EIP-712 struct hash that was signed
* @param v The recovery byte of the signature
* @param r Half of the ECDSA signature pair
* @param s Half of the ECDSA signature pair
*
* @custom:security Uses ECDSA.recover for secure signature verification
* @custom:throws InvalidSigner if recovered address is not the owner
*/
function _verifySignature(bytes32 structHash, uint8 v, bytes32 r, bytes32 s) internal view {
bytes32 digest = _hashTypedDataV4(structHash);
if (ECDSA.recover(digest, v, r, s) != owner()) revert InvalidSigner();
}
/**
* @dev Increments the nonce for an entity to prevent signature replay
* @param entityId The entity whose nonce to increment
*
* @custom:security Critical for preventing replay attacks on signature-based functions
*/
function _incrementNonce(uint256 entityId) internal {
AllowlistV3Storage storage $ = _getAllowlistV3Storage();
$.nonces[entityId] = $.nonces[entityId] + 1;
}
/**
* @notice Associates multiple addresses with the same entity ID
* @param entityId The entity ID to assign to all addresses
* @param addresses Array of addresses to update
*
* @dev Batch operation following same rules as setEntityIdForAddress
* @custom:access-control Only contract owner
* @custom:gas-optimization Batch processing for multiple address updates
*/
function setEntityIdForMultipleAddresses(uint256 entityId, address[] calldata addresses) external onlyOwner {
uint256 length = addresses.length;
for (uint256 i = 0; i < length; ++i) {
_setEntityAddressInternal(entityId, addresses[i]);
}
}
/**
* @notice Atomically sets entity associations and permissions
* @param entityId The entity ID to update
* @param addresses Array of addresses to associate with the entity
* @param instrumentPermissionsToUpdate Array of instruments to update permissions for
* @param instrumentPermissions Array of permission states (must match instruments array length)
*
* @dev Atomic Operation Benefits:
* - Ensures consistency between address associations and permissions
* - Reduces transaction count for complex permission setups
* - All-or-nothing execution prevents partial state updates
*
* @custom:access-control Only contract owner
* @custom:throws BadData if array lengths don't match
* @custom:gas-optimization Single transaction for complex permission setup
*/
function setEntityPermissionsAndAddresses(
uint256 entityId,
address[] calldata addresses,
string[] calldata instrumentPermissionsToUpdate,
bool[] calldata instrumentPermissions
) external onlyOwner {
if (instrumentPermissionsToUpdate.length != instrumentPermissions.length) {
revert BadData();
}
// Set entity associations for all addresses
uint256 addressLength = addresses.length;
for (uint256 i = 0; i < addressLength; ++i) {
_setEntityAddressInternal(entityId, addresses[i]);
}
// Set permissions for the entity
uint256 permissionLength = instrumentPermissionsToUpdate.length;
for (uint256 i = 0; i < permissionLength; ++i) {
_setEntityAllowedForPrivateInstrumentInternal(
entityId, instrumentPermissionsToUpdate[i], instrumentPermissions[i]
);
}
}
/*//////////////////////////////////////////////////////////////
UTILITY FUNCTIONS
//////////////////////////////////////////////////////////////*/
/**
* @notice Returns the current nonce for an entity
* @param entityId The entity to get the nonce for
* @return The current nonce value
* @dev Used for signature verification to prevent replay attacks
*/
function nonces(uint256 entityId) public view returns (uint256) {
AllowlistV3Storage storage $ = _getAllowlistV3Storage();
return $.nonces[entityId];
}
/**
* @notice Checks if an address has any protocol permissions
* @param addr The address to check
* @return hasPermissions True if the address has permissions for any instrument
*
* @dev Used internally to enforce mutual exclusivity between entity and protocol permissions
* @custom:gas-optimization Uses counter instead of iterating through all permissions
Submitted on: 2025-09-24 17:07:06
Comments
Log in to comment.
No comments yet.