Tornado.sol 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125
  1. // https://tornado.cash
  2. /*
  3. * d888888P dP a88888b. dP
  4. * 88 88 d8' `88 88
  5. * 88 .d8888b. 88d888b. 88d888b. .d8888b. .d888b88 .d8888b. 88 .d8888b. .d8888b. 88d888b.
  6. * 88 88' `88 88' `88 88' `88 88' `88 88' `88 88' `88 88 88' `88 Y8ooooo. 88' `88
  7. * 88 88. .88 88 88 88 88. .88 88. .88 88. .88 dP Y8. .88 88. .88 88 88 88
  8. * dP `88888P' dP dP dP `88888P8 `88888P8 `88888P' 88 Y88888P' `88888P8 `88888P' dP dP
  9. * ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
  10. */
  11. pragma solidity ^0.5.8;
  12. import "./MerkleTreeWithHistory.sol";
  13. import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
  14. contract IVerifier {
  15. function verifyProof(bytes memory _proof, uint256[6] memory _input) public returns(bool);
  16. }
  17. contract Tornado is MerkleTreeWithHistory, ReentrancyGuard {
  18. uint256 public denomination;
  19. mapping(bytes32 => bool) public nullifierHashes;
  20. // we store all commitments just to prevent accidental deposits with the same commitment
  21. mapping(bytes32 => bool) public commitments;
  22. IVerifier public verifier;
  23. // operator can update snark verification key
  24. // after the final trusted setup ceremony operator rights are supposed to be transferred to zero address
  25. address public operator;
  26. modifier onlyOperator {
  27. require(msg.sender == operator, "Only operator can call this function.");
  28. _;
  29. }
  30. event Deposit(bytes32 indexed commitment, uint32 leafIndex, uint256 timestamp);
  31. event Withdrawal(address to, bytes32 nullifierHash, address indexed relayer, uint256 fee);
  32. /**
  33. @dev The constructor
  34. @param _verifier the address of SNARK verifier for this contract
  35. @param _denomination transfer amount for each deposit
  36. @param _merkleTreeHeight the height of deposits' Merkle Tree
  37. @param _operator operator address (see operator comment above)
  38. */
  39. constructor(
  40. IVerifier _verifier,
  41. uint256 _denomination,
  42. uint32 _merkleTreeHeight,
  43. address _operator
  44. ) MerkleTreeWithHistory(_merkleTreeHeight) public {
  45. require(_denomination > 0, "denomination should be greater than 0");
  46. verifier = _verifier;
  47. operator = _operator;
  48. denomination = _denomination;
  49. }
  50. /**
  51. @dev Deposit funds into the contract. The caller must send (for ETH) or approve (for ERC20) value equal to or `denomination` of this instance.
  52. @param _commitment the note commitment, which is PedersenHash(nullifier + secret)
  53. */
  54. function deposit(bytes32 _commitment) external payable nonReentrant {
  55. require(!commitments[_commitment], "The commitment has been submitted");
  56. uint32 insertedIndex = _insert(_commitment);
  57. commitments[_commitment] = true;
  58. _processDeposit();
  59. emit Deposit(_commitment, insertedIndex, block.timestamp);
  60. }
  61. /** @dev this function is defined in a child contract */
  62. function _processDeposit() internal;
  63. /**
  64. @dev Withdraw a deposit from the contract. `proof` is a zkSNARK proof data, and input is an array of circuit public inputs
  65. `input` array consists of:
  66. - merkle root of all deposits in the contract
  67. - hash of unique deposit nullifier to prevent double spends
  68. - the recipient of funds
  69. - optional fee that goes to the transaction sender (usually a relay)
  70. */
  71. function withdraw(bytes calldata _proof, bytes32 _root, bytes32 _nullifierHash, address payable _recipient, address payable _relayer, uint256 _fee, uint256 _refund) external payable nonReentrant {
  72. require(_fee <= denomination, "Fee exceeds transfer value");
  73. require(!nullifierHashes[_nullifierHash], "The note has been already spent");
  74. require(isKnownRoot(_root), "Cannot find your merkle root"); // Make sure to use a recent one
  75. require(verifier.verifyProof(_proof, [uint256(_root), uint256(_nullifierHash), uint256(_recipient), uint256(_relayer), _fee, _refund]), "Invalid withdraw proof");
  76. nullifierHashes[_nullifierHash] = true;
  77. _processWithdraw(_recipient, _relayer, _fee, _refund);
  78. emit Withdrawal(_recipient, _nullifierHash, _relayer, _fee);
  79. }
  80. /** @dev this function is defined in a child contract */
  81. function _processWithdraw(address payable _recipient, address payable _relayer, uint256 _fee, uint256 _refund) internal;
  82. /** @dev whether a note is already spent */
  83. function isSpent(bytes32 _nullifierHash) public view returns(bool) {
  84. return nullifierHashes[_nullifierHash];
  85. }
  86. /** @dev whether an array of notes is already spent */
  87. function isSpentArray(bytes32[] calldata _nullifierHashes) external view returns(bool[] memory spent) {
  88. spent = new bool[](_nullifierHashes.length);
  89. for(uint i = 0; i < _nullifierHashes.length; i++) {
  90. if (isSpent(_nullifierHashes[i])) {
  91. spent[i] = true;
  92. }
  93. }
  94. }
  95. /**
  96. @dev allow operator to update SNARK verification keys. This is needed to update keys after the final trusted setup ceremony is held.
  97. After that operator rights are supposed to be transferred to zero address
  98. */
  99. function updateVerifier(address _newVerifier) external onlyOperator {
  100. verifier = IVerifier(_newVerifier);
  101. }
  102. /** @dev operator can change his address */
  103. function changeOperator(address _newOperator) external onlyOperator {
  104. operator = _newOperator;
  105. }
  106. }