Code for 0x5566…4fab
Since block 21708400
Verified contract
- {{
- "language": "Solidity",
- "sources": {
- "src/CoinbaseSmartWallet.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.23;\n\nimport {IAccount} from \"account-abstraction/interfaces/IAccount.sol\";\n\nimport {UserOperation, UserOperationLib} from \"account-abstraction/interfaces/UserOperation.sol\";\nimport {Receiver} from \"solady/accounts/Receiver.sol\";\nimport {SignatureCheckerLib} from \"solady/utils/SignatureCheckerLib.sol\";\nimport {UUPSUpgradeable} from \"solady/utils/UUPSUpgradeable.sol\";\nimport {WebAuthn} from \"webauthn-sol/WebAuthn.sol\";\n\nimport {ERC1271} from \"./ERC1271.sol\";\nimport {MultiOwnable} from \"./MultiOwnable.sol\";\n\n/// @title Coinbase Smart Wallet\n///\n/// @notice ERC-4337-compatible smart account, based on Solady's ERC4337 account implementation\n/// with inspiration from Alchemy's LightAccount and Daimo's DaimoAccount. Verified by z0r0z.eth from (⌘) NANI.eth\n///\n/// @author Coinbase (https://github.com/coinbase/smart-wallet)\n/// @author Solady (https://github.com/vectorized/solady/blob/main/src/accounts/ERC4337.sol)\ncontract CoinbaseSmartWallet is ERC1271, IAccount, MultiOwnable, UUPSUpgradeable, Receiver {\n /// @notice A wrapper struct used for signature validation so that callers\n /// can identify the owner that signed.\n struct SignatureWrapper {\n /// @dev The index of the owner that signed, see `MultiOwnable.ownerAtIndex`\n uint256 ownerIndex;\n /// @dev If `MultiOwnable.ownerAtIndex` is an Ethereum address, this should be `abi.encodePacked(r, s, v)`\n /// If `MultiOwnable.ownerAtIndex` is a public key, this should be `abi.encode(WebAuthnAuth)`.\n bytes signatureData;\n }\n\n /// @notice Represents a call to make.\n struct Call {\n /// @dev The address to call.\n address target;\n /// @dev The value to send when making the call.\n uint256 value;\n /// @dev The data of the call.\n bytes data;\n }\n\n /// @notice Reserved nonce key (upper 192 bits of `UserOperation.nonce`) for cross-chain replayable\n /// transactions.\n ///\n /// @dev MUST BE the `UserOperation.nonce` 
key when `UserOperation.calldata` is calling\n /// `executeWithoutChainIdValidation`and MUST NOT BE `UserOperation.nonce` key when `UserOperation.calldata` is\n /// NOT calling `executeWithoutChainIdValidation`.\n ///\n /// @dev Helps enforce sequential sequencing of replayable transactions.\n uint256 public constant REPLAYABLE_NONCE_KEY = 8453;\n\n /// @notice Thrown when `initialize` is called but the account already has had at least one owner.\n error Initialized();\n\n /// @notice Thrown when a call is passed to `executeWithoutChainIdValidation` that is not allowed by\n /// `canSkipChainIdValidation`\n ///\n /// @param selector The selector of the call.\n error SelectorNotAllowed(bytes4 selector);\n\n /// @notice Thrown in validateUserOp if the key of `UserOperation.nonce` does not match the calldata.\n ///\n /// @dev Calls to `this.executeWithoutChainIdValidation` MUST use `REPLAYABLE_NONCE_KEY` and\n /// calls NOT to `this.executeWithoutChainIdValidation` MUST NOT use `REPLAYABLE_NONCE_KEY`.\n ///\n /// @param key The invalid `UserOperation.nonce` key.\n error InvalidNonceKey(uint256 key);\n\n /// @notice Reverts if the caller is not the EntryPoint.\n modifier onlyEntryPoint() virtual {\n if (msg.sender != entryPoint()) {\n revert Unauthorized();\n }\n\n _;\n }\n\n /// @notice Reverts if the caller is neither the EntryPoint, the owner, nor the account itself.\n modifier onlyEntryPointOrOwner() virtual {\n if (msg.sender != entryPoint()) {\n _checkOwner();\n }\n\n _;\n }\n\n /// @notice Sends to the EntryPoint (i.e. `msg.sender`) the missing funds for this transaction.\n ///\n /// @dev Subclass MAY override this modifier for better funds management (e.g. 
send to the\n /// EntryPoint more than the minimum required, so that in future transactions it will not\n /// be required to send again).\n ///\n /// @param missingAccountFunds The minimum value this modifier should send the EntryPoint which\n /// MAY be zero, in case there is enough deposit, or the userOp has a\n /// paymaster.\n modifier payPrefund(uint256 missingAccountFunds) virtual {\n _;\n\n assembly (\"memory-safe\") {\n if missingAccountFunds {\n // Ignore failure (it's EntryPoint's job to verify, not the account's).\n pop(call(gas(), caller(), missingAccountFunds, codesize(), 0x00, codesize(), 0x00))\n }\n }\n }\n\n constructor() {\n // Implementation should not be initializable (does not affect proxies which use their own storage).\n bytes[] memory owners = new bytes[](1);\n owners[0] = abi.encode(address(0));\n _initializeOwners(owners);\n }\n\n /// @notice Initializes the account with the `owners`.\n ///\n /// @dev Reverts if the account has had at least one owner, i.e. has been initialized.\n ///\n /// @param owners Array of initial owners for this account. Each item should be\n /// an ABI encoded Ethereum address, i.e. 32 bytes with 12 leading 0 bytes,\n /// or a 64 byte public key.\n function initialize(bytes[] calldata owners) external payable virtual {\n if (nextOwnerIndex() != 0) {\n revert Initialized();\n }\n\n _initializeOwners(owners);\n }\n\n /// @inheritdoc IAccount\n ///\n /// @notice ERC-4337 `validateUserOp` method. The EntryPoint will\n /// call `UserOperation.sender.call(UserOperation.callData)` only if this validation call returns\n /// successfully.\n ///\n /// @dev Signature failure should be reported by returning 1 (see: `this._isValidSignature`). This\n /// allows making a \"simulation call\" without a valid signature. Other failures (e.g. 
invalid signature format)\n /// should still revert to signal failure.\n /// @dev Reverts if the `UserOperation.nonce` key is invalid for `UserOperation.calldata`.\n /// @dev Reverts if the signature format is incorrect or invalid for owner type.\n ///\n /// @param userOp The `UserOperation` to validate.\n /// @param userOpHash The `UserOperation` hash, as computed by `EntryPoint.getUserOpHash(UserOperation)`.\n /// @param missingAccountFunds The missing account funds that must be deposited on the Entrypoint.\n ///\n /// @return validationData The encoded `ValidationData` structure:\n /// `(uint256(validAfter) << (160 + 48)) | (uint256(validUntil) << 160) | (success ? 0 : 1)`\n /// where `validUntil` is 0 (indefinite) and `validAfter` is 0.\n function validateUserOp(UserOperation calldata userOp, bytes32 userOpHash, uint256 missingAccountFunds)\n external\n virtual\n onlyEntryPoint\n payPrefund(missingAccountFunds)\n returns (uint256 validationData)\n {\n uint256 key = userOp.nonce >> 64;\n\n if (bytes4(userOp.callData) == this.executeWithoutChainIdValidation.selector) {\n userOpHash = getUserOpHashWithoutChainId(userOp);\n if (key != REPLAYABLE_NONCE_KEY) {\n revert InvalidNonceKey(key);\n }\n } else {\n if (key == REPLAYABLE_NONCE_KEY) {\n revert InvalidNonceKey(key);\n }\n }\n\n // Return 0 if the recovered address matches the owner.\n if (_isValidSignature(userOpHash, userOp.signature)) {\n return 0;\n }\n\n // Else return 1\n return 1;\n }\n\n /// @notice Executes `calls` on this account (i.e. self call).\n ///\n /// @dev Can only be called by the Entrypoint.\n /// @dev Reverts if the given call is not authorized to skip the chain ID validtion.\n /// @dev `validateUserOp()` will recompute the `userOpHash` without the chain ID before validating\n /// it if the `UserOperation.calldata` is calling this function. This allows certain UserOperations\n /// to be replayed for all accounts sharing the same address across chains. E.g. 
This may be\n /// useful for syncing owner changes.\n ///\n /// @param calls An array of calldata to use for separate self calls.\n function executeWithoutChainIdValidation(bytes[] calldata calls) external payable virtual onlyEntryPoint {\n for (uint256 i; i < calls.length; i++) {\n bytes calldata call = calls[i];\n bytes4 selector = bytes4(call);\n if (!canSkipChainIdValidation(selector)) {\n revert SelectorNotAllowed(selector);\n }\n\n _call(address(this), 0, call);\n }\n }\n\n /// @notice Executes the given call from this account.\n ///\n /// @dev Can only be called by the Entrypoint or an owner of this account (including itself).\n ///\n /// @param target The address to call.\n /// @param value The value to send with the call.\n /// @param data The data of the call.\n function execute(address target, uint256 value, bytes calldata data)\n external\n payable\n virtual\n onlyEntryPointOrOwner\n {\n _call(target, value, data);\n }\n\n /// @notice Executes batch of `Call`s.\n ///\n /// @dev Can only be called by the Entrypoint or an owner of this account (including itself).\n ///\n /// @param calls The list of `Call`s to execute.\n function executeBatch(Call[] calldata calls) external payable virtual onlyEntryPointOrOwner {\n for (uint256 i; i < calls.length; i++) {\n _call(calls[i].target, calls[i].value, calls[i].data);\n }\n }\n\n /// @notice Returns the address of the EntryPoint v0.6.\n ///\n /// @return The address of the EntryPoint v0.6\n function entryPoint() public view virtual returns (address) {\n return 0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789;\n }\n\n /// @notice Computes the hash of the `UserOperation` in the same way as EntryPoint v0.6, but\n /// leaves out the chain ID.\n ///\n /// @dev This allows accounts to sign a hash that can be used on many chains.\n ///\n /// @param userOp The `UserOperation` to compute the hash for.\n ///\n /// @return The `UserOperation` hash, which does not depend on chain ID.\n function 
getUserOpHashWithoutChainId(UserOperation calldata userOp) public view virtual returns (bytes32) {\n return keccak256(abi.encode(UserOperationLib.hash(userOp), entryPoint()));\n }\n\n /// @notice Returns the implementation of the ERC1967 proxy.\n ///\n /// @return $ The address of implementation contract.\n function implementation() public view returns (address $) {\n assembly {\n $ := sload(_ERC1967_IMPLEMENTATION_SLOT)\n }\n }\n\n /// @notice Returns whether `functionSelector` can be called in `executeWithoutChainIdValidation`.\n ///\n /// @param functionSelector The function selector to check.\n ////\n /// @return `true` is the function selector is allowed to skip the chain ID validation, else `false`.\n function canSkipChainIdValidation(bytes4 functionSelector) public pure returns (bool) {\n if (\n functionSelector == MultiOwnable.addOwnerPublicKey.selector\n || functionSelector == MultiOwnable.addOwnerAddress.selector\n || functionSelector == MultiOwnable.removeOwnerAtIndex.selector\n || functionSelector == MultiOwnable.removeLastOwner.selector\n || functionSelector == UUPSUpgradeable.upgradeToAndCall.selector\n ) {\n return true;\n }\n return false;\n }\n\n /// @notice Executes the given call from this account.\n ///\n /// @dev Reverts if the call reverted.\n /// @dev Implementation taken from\n /// https://github.com/alchemyplatform/light-account/blob/43f625afdda544d5e5af9c370c9f4be0943e4e90/src/common/BaseLightAccount.sol#L125\n ///\n /// @param target The target call address.\n /// @param value The call value to user.\n /// @param data The raw call data.\n function _call(address target, uint256 value, bytes memory data) internal {\n (bool success, bytes memory result) = target.call{value: value}(data);\n if (!success) {\n assembly (\"memory-safe\") {\n revert(add(result, 32), mload(result))\n }\n }\n }\n\n /// @inheritdoc ERC1271\n ///\n /// @dev Used by both `ERC1271.isValidSignature` AND `IAccount.validateUserOp` signature validation.\n /// @dev Reverts 
if owner at `ownerIndex` is not compatible with `signature` format.\n ///\n /// @param signature ABI encoded `SignatureWrapper`.\n function _isValidSignature(bytes32 hash, bytes calldata signature) internal view virtual override returns (bool) {\n SignatureWrapper memory sigWrapper = abi.decode(signature, (SignatureWrapper));\n bytes memory ownerBytes = ownerAtIndex(sigWrapper.ownerIndex);\n\n if (ownerBytes.length == 32) {\n if (uint256(bytes32(ownerBytes)) > type(uint160).max) {\n // technically should be impossible given owners can only be added with\n // addOwnerAddress and addOwnerPublicKey, but we leave incase of future changes.\n revert InvalidEthereumAddressOwner(ownerBytes);\n }\n\n address owner;\n assembly (\"memory-safe\") {\n owner := mload(add(ownerBytes, 32))\n }\n\n return SignatureCheckerLib.isValidSignatureNow(owner, hash, sigWrapper.signatureData);\n }\n\n if (ownerBytes.length == 64) {\n (uint256 x, uint256 y) = abi.decode(ownerBytes, (uint256, uint256));\n\n WebAuthn.WebAuthnAuth memory auth = abi.decode(sigWrapper.signatureData, (WebAuthn.WebAuthnAuth));\n\n return WebAuthn.verify({challenge: abi.encode(hash), requireUV: false, webAuthnAuth: auth, x: x, y: y});\n }\n\n revert InvalidOwnerBytesLength(ownerBytes);\n }\n\n /// @inheritdoc UUPSUpgradeable\n ///\n /// @dev Authorization logic is only based on the `msg.sender` being an owner of this account,\n /// or `address(this)`.\n function _authorizeUpgrade(address) internal view virtual override(UUPSUpgradeable) onlyOwner {}\n\n /// @inheritdoc ERC1271\n function _domainNameAndVersion() internal pure override(ERC1271) returns (string memory, string memory) {\n return (\"Coinbase Smart Wallet\", \"1\");\n }\n}\n"
- },
- "lib/account-abstraction/contracts/interfaces/IAccount.sol": {
- "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity ^0.8.12;\n\nimport \"./UserOperation.sol\";\n\ninterface IAccount {\n\n /**\n * Validate user's signature and nonce\n * the entryPoint will make the call to the recipient only if this validation call returns successfully.\n * signature failure should be reported by returning SIG_VALIDATION_FAILED (1).\n * This allows making a \"simulation call\" without a valid signature\n * Other failures (e.g. nonce mismatch, or invalid signature format) should still revert to signal failure.\n *\n * @dev Must validate caller is the entryPoint.\n * Must validate the signature and nonce\n * @param userOp the operation that is about to be executed.\n * @param userOpHash hash of the user's request data. can be used as the basis for signature.\n * @param missingAccountFunds missing funds on the account's deposit in the entrypoint.\n * This is the minimum amount to transfer to the sender(entryPoint) to be able to make the call.\n * The excess is left as a deposit in the entrypoint, for future calls.\n * can be withdrawn anytime using \"entryPoint.withdrawTo()\"\n * In case there is a paymaster in the request (or the current deposit is high enough), this value will be zero.\n * @return validationData packaged ValidationData structure. use `_packValidationData` and `_unpackValidationData` to encode and decode\n * <20-byte> sigAuthorizer - 0 for valid signature, 1 to mark signature failure,\n * otherwise, an address of an \"authorizer\" contract.\n * <6-byte> validUntil - last timestamp this operation is valid. 
0 for \"indefinite\"\n * <6-byte> validAfter - first timestamp this operation is valid\n * If an account doesn't use time-range, it is enough to return SIG_VALIDATION_FAILED value (1) for signature failure.\n * Note that the validation code cannot use block.timestamp (or block.number) directly.\n */\n function validateUserOp(UserOperation calldata userOp, bytes32 userOpHash, uint256 missingAccountFunds)\n external returns (uint256 validationData);\n}\n"
- },
- "lib/account-abstraction/contracts/interfaces/UserOperation.sol": {
- "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity ^0.8.12;\n\n/* solhint-disable no-inline-assembly */\n\nimport {calldataKeccak} from \"../core/Helpers.sol\";\n\n/**\n * User Operation struct\n * @param sender the sender account of this request.\n * @param nonce unique value the sender uses to verify it is not a replay.\n * @param initCode if set, the account contract will be created by this constructor/\n * @param callData the method call to execute on this account.\n * @param callGasLimit the gas limit passed to the callData method call.\n * @param verificationGasLimit gas used for validateUserOp and validatePaymasterUserOp.\n * @param preVerificationGas gas not calculated by the handleOps method, but added to the gas paid. Covers batch overhead.\n * @param maxFeePerGas same as EIP-1559 gas parameter.\n * @param maxPriorityFeePerGas same as EIP-1559 gas parameter.\n * @param paymasterAndData if set, this field holds the paymaster address and paymaster-specific data. the paymaster will pay for the transaction instead of the sender.\n * @param signature sender-verified signature over the entire request, the EntryPoint address and the chain ID.\n */\n struct UserOperation {\n\n address sender;\n uint256 nonce;\n bytes initCode;\n bytes callData;\n uint256 callGasLimit;\n uint256 verificationGasLimit;\n uint256 preVerificationGas;\n uint256 maxFeePerGas;\n uint256 maxPriorityFeePerGas;\n bytes paymasterAndData;\n bytes signature;\n }\n\n/**\n * Utility functions helpful when working with UserOperation structs.\n */\nlibrary UserOperationLib {\n\n function getSender(UserOperation calldata userOp) internal pure returns (address) {\n address data;\n //read sender from userOp, which is first userOp member (saves 800 gas...)\n assembly {data := calldataload(userOp)}\n return address(uint160(data));\n }\n\n //relayer/block builder might submit the TX with higher priorityFee, but the user should not\n // pay above what he signed for.\n function 
gasPrice(UserOperation calldata userOp) internal view returns (uint256) {\n unchecked {\n uint256 maxFeePerGas = userOp.maxFeePerGas;\n uint256 maxPriorityFeePerGas = userOp.maxPriorityFeePerGas;\n if (maxFeePerGas == maxPriorityFeePerGas) {\n //legacy mode (for networks that don't support basefee opcode)\n return maxFeePerGas;\n }\n return min(maxFeePerGas, maxPriorityFeePerGas + block.basefee);\n }\n }\n\n function pack(UserOperation calldata userOp) internal pure returns (bytes memory ret) {\n address sender = getSender(userOp);\n uint256 nonce = userOp.nonce;\n bytes32 hashInitCode = calldataKeccak(userOp.initCode);\n bytes32 hashCallData = calldataKeccak(userOp.callData);\n uint256 callGasLimit = userOp.callGasLimit;\n uint256 verificationGasLimit = userOp.verificationGasLimit;\n uint256 preVerificationGas = userOp.preVerificationGas;\n uint256 maxFeePerGas = userOp.maxFeePerGas;\n uint256 maxPriorityFeePerGas = userOp.maxPriorityFeePerGas;\n bytes32 hashPaymasterAndData = calldataKeccak(userOp.paymasterAndData);\n\n return abi.encode(\n sender, nonce,\n hashInitCode, hashCallData,\n callGasLimit, verificationGasLimit, preVerificationGas,\n maxFeePerGas, maxPriorityFeePerGas,\n hashPaymasterAndData\n );\n }\n\n function hash(UserOperation calldata userOp) internal pure returns (bytes32) {\n return keccak256(pack(userOp));\n }\n\n function min(uint256 a, uint256 b) internal pure returns (uint256) {\n return a < b ? a : b;\n }\n}\n"
- },
- "lib/solady/src/accounts/Receiver.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.4;\n\n/// @notice Receiver mixin for ETH and safe-transferred ERC721 and ERC1155 tokens.\n/// @author Solady (https://github.com/Vectorized/solady/blob/main/src/accounts/Receiver.sol)\n///\n/// @dev Note:\n/// - Handles all ERC721 and ERC1155 token safety callbacks.\n/// - Collapses function table gas overhead and code size.\n/// - Utilizes fallback so unknown calldata will pass on.\nabstract contract Receiver {\n /// @dev For receiving ETH.\n receive() external payable virtual {}\n\n /// @dev Fallback function with the `receiverFallback` modifier.\n fallback() external payable virtual receiverFallback {}\n\n /// @dev Modifier for the fallback function to handle token callbacks.\n modifier receiverFallback() virtual {\n /// @solidity memory-safe-assembly\n assembly {\n let s := shr(224, calldataload(0))\n // 0x150b7a02: `onERC721Received(address,address,uint256,bytes)`.\n // 0xf23a6e61: `onERC1155Received(address,address,uint256,uint256,bytes)`.\n // 0xbc197c81: `onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)`.\n if or(eq(s, 0x150b7a02), or(eq(s, 0xf23a6e61), eq(s, 0xbc197c81))) {\n mstore(0x20, s) // Store `msg.sig`.\n return(0x3c, 0x20) // Return `msg.sig`.\n }\n }\n _;\n }\n}\n"
- },
- "lib/solady/src/utils/SignatureCheckerLib.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.4;\n\n/// @notice Signature verification helper that supports both ECDSA signatures from EOAs\n/// and ERC1271 signatures from smart contract wallets like Argent and Gnosis safe.\n/// @author Solady (https://github.com/vectorized/solady/blob/main/src/utils/SignatureCheckerLib.sol)\n/// @author Modified from OpenZeppelin (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/SignatureChecker.sol)\n///\n/// @dev Note:\n/// - The signature checking functions use the ecrecover precompile (0x1).\n/// - The `bytes memory signature` variants use the identity precompile (0x4)\n/// to copy memory internally.\n/// - Unlike ECDSA signatures, contract signatures are revocable.\n/// - As of Solady version 0.0.134, all `bytes signature` variants accept both\n/// regular 65-byte `(r, s, v)` and EIP-2098 `(r, vs)` short form signatures.\n/// See: https://eips.ethereum.org/EIPS/eip-2098\n/// This is for calldata efficiency on smart accounts prevalent on L2s.\n///\n/// WARNING! 
Do NOT use signatures as unique identifiers:\n/// - Use a nonce in the digest to prevent replay attacks on the same contract.\n/// - Use EIP-712 for the digest to prevent replay attacks across different chains and contracts.\n/// EIP-712 also enables readable signing of typed data for better user safety.\n/// This implementation does NOT check if a signature is non-malleable.\nlibrary SignatureCheckerLib {\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* SIGNATURE CHECKING OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns whether `signature` is valid for `signer` and `hash`.\n /// If `signer` is a smart contract, the signature is validated with ERC1271.\n /// Otherwise, the signature is validated with `ECDSA.recover`.\n function isValidSignatureNow(address signer, bytes32 hash, bytes memory signature)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // Clean the upper 96 bits of `signer` in case they are dirty.\n for { signer := shr(96, shl(96, signer)) } signer {} {\n let m := mload(0x40)\n mstore(0x00, hash)\n mstore(0x40, mload(add(signature, 0x20))) // `r`.\n if eq(mload(signature), 64) {\n let vs := mload(add(signature, 0x40))\n mstore(0x20, add(shr(255, vs), 27)) // `v`.\n mstore(0x60, shr(1, shl(1, vs))) // `s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n if eq(mload(signature), 65) {\n mstore(0x20, byte(0, mload(add(signature, 0x60)))) // `v`.\n mstore(0x60, mload(add(signature, 0x40))) // 
`s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n // Copy the `signature` over.\n let n := add(0x20, mload(signature))\n pop(staticcall(gas(), 4, signature, n, add(m, 0x44), n))\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n add(returndatasize(), 0x44), // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n break\n }\n }\n }\n\n /// @dev Returns whether `signature` is valid for `signer` and `hash`.\n /// If `signer` is a smart contract, the signature is validated with ERC1271.\n /// Otherwise, the signature is validated with `ECDSA.recover`.\n function isValidSignatureNowCalldata(address signer, bytes32 hash, bytes calldata signature)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // Clean the upper 96 bits of `signer` in case 
they are dirty.\n for { signer := shr(96, shl(96, signer)) } signer {} {\n let m := mload(0x40)\n mstore(0x00, hash)\n if eq(signature.length, 64) {\n let vs := calldataload(add(signature.offset, 0x20))\n mstore(0x20, add(shr(255, vs), 27)) // `v`.\n mstore(0x40, calldataload(signature.offset)) // `r`.\n mstore(0x60, shr(1, shl(1, vs))) // `s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n if eq(signature.length, 65) {\n mstore(0x20, byte(0, calldataload(add(signature.offset, 0x40)))) // `v`.\n calldatacopy(0x40, signature.offset, 0x40) // `r`, `s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), signature.length)\n // Copy the `signature` over.\n calldatacopy(add(m, 0x64), signature.offset, signature.length)\n // forgefmt: disable-next-item\n 
isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n add(signature.length, 0x64), // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n break\n }\n }\n }\n\n /// @dev Returns whether the signature (`r`, `vs`) is valid for `signer` and `hash`.\n /// If `signer` is a smart contract, the signature is validated with ERC1271.\n /// Otherwise, the signature is validated with `ECDSA.recover`.\n function isValidSignatureNow(address signer, bytes32 hash, bytes32 r, bytes32 vs)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // Clean the upper 96 bits of `signer` in case they are dirty.\n for { signer := shr(96, shl(96, signer)) } signer {} {\n let m := mload(0x40)\n mstore(0x00, hash)\n mstore(0x20, add(shr(255, vs), 27)) // `v`.\n mstore(0x40, r) // `r`.\n mstore(0x60, shr(1, shl(1, vs))) // `s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), 65) // Length 
of the signature.\n mstore(add(m, 0x64), r) // `r`.\n mstore(add(m, 0x84), mload(0x60)) // `s`.\n mstore8(add(m, 0xa4), mload(0x20)) // `v`.\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n 0xa5, // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n }\n\n /// @dev Returns whether the signature (`v`, `r`, `s`) is valid for `signer` and `hash`.\n /// If `signer` is a smart contract, the signature is validated with ERC1271.\n /// Otherwise, the signature is validated with `ECDSA.recover`.\n function isValidSignatureNow(address signer, bytes32 hash, uint8 v, bytes32 r, bytes32 s)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // Clean the upper 96 bits of `signer` in case they are dirty.\n for { signer := shr(96, shl(96, signer)) } signer {} {\n let m := mload(0x40)\n mstore(0x00, hash)\n mstore(0x20, and(v, 0xff)) // `v`.\n mstore(0x40, r) // `r`.\n mstore(0x60, s) // `s`.\n let t :=\n staticcall(\n gas(), // Amount of gas left for the transaction.\n 1, // Address of `ecrecover`.\n 0x00, // Start of input.\n 0x80, // Size of input.\n 0x01, // Start of output.\n 0x20 // Size of output.\n )\n // `returndatasize()` will be `0x20` upon success, and `0x00` otherwise.\n if iszero(or(iszero(returndatasize()), xor(signer, mload(t)))) {\n isValid := 1\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n\n let f := shl(224, 
0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), 65) // Length of the signature.\n mstore(add(m, 0x64), r) // `r`.\n mstore(add(m, 0x84), s) // `s`.\n mstore8(add(m, 0xa4), v) // `v`.\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n 0xa5, // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n mstore(0x60, 0) // Restore the zero slot.\n mstore(0x40, m) // Restore the free memory pointer.\n break\n }\n }\n }\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* ERC1271 OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns whether `signature` is valid for `hash` for an ERC1271 `signer` contract.\n function isValidERC1271SignatureNow(address signer, bytes32 hash, bytes memory signature)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let m := mload(0x40)\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n // Copy the `signature` over.\n let n := add(0x20, mload(signature))\n pop(staticcall(gas(), 4, signature, n, add(m, 0x44), n))\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n 
// Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n add(returndatasize(), 0x44), // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n }\n }\n\n /// @dev Returns whether `signature` is valid for `hash` for an ERC1271 `signer` contract.\n function isValidERC1271SignatureNowCalldata(\n address signer,\n bytes32 hash,\n bytes calldata signature\n ) internal view returns (bool isValid) {\n /// @solidity memory-safe-assembly\n assembly {\n let m := mload(0x40)\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), signature.length)\n // Copy the `signature` over.\n calldatacopy(add(m, 0x64), signature.offset, signature.length)\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n add(signature.length, 0x64), // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n }\n }\n\n /// @dev Returns whether the signature (`r`, `vs`) is valid for `hash`\n /// for an ERC1271 `signer` contract.\n function isValidERC1271SignatureNow(address signer, bytes32 hash, bytes32 r, bytes32 vs)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let m := 
mload(0x40)\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), 65) // Length of the signature.\n mstore(add(m, 0x64), r) // `r`.\n mstore(add(m, 0x84), shr(1, shl(1, vs))) // `s`.\n mstore8(add(m, 0xa4), add(shr(255, vs), 27)) // `v`.\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n 0xa5, // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n }\n }\n\n /// @dev Returns whether the signature (`v`, `r`, `s`) is valid for `hash`\n /// for an ERC1271 `signer` contract.\n function isValidERC1271SignatureNow(address signer, bytes32 hash, uint8 v, bytes32 r, bytes32 s)\n internal\n view\n returns (bool isValid)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let m := mload(0x40)\n let f := shl(224, 0x1626ba7e)\n mstore(m, f) // `bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))`.\n mstore(add(m, 0x04), hash)\n let d := add(m, 0x24)\n mstore(d, 0x40) // The offset of the `signature` in the calldata.\n mstore(add(m, 0x44), 65) // Length of the signature.\n mstore(add(m, 0x64), r) // `r`.\n mstore(add(m, 0x84), s) // `s`.\n mstore8(add(m, 0xa4), v) // `v`.\n // forgefmt: disable-next-item\n isValid := and(\n // Whether the returndata is the magic value `0x1626ba7e` (left-aligned).\n eq(mload(d), f),\n // Whether the staticcall does not revert.\n // This must be placed at the end of the `and` clause,\n // as the arguments are evaluated from 
right to left.\n staticcall(\n gas(), // Remaining gas.\n signer, // The `signer` address.\n m, // Offset of calldata in memory.\n 0xa5, // Length of calldata in memory.\n d, // Offset of returndata.\n 0x20 // Length of returndata to write.\n )\n )\n }\n }\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* HASHING OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns an Ethereum Signed Message, created from a `hash`.\n /// This produces a hash corresponding to the one signed with the\n /// [`eth_sign`](https://eth.wiki/json-rpc/API#eth_sign)\n /// JSON-RPC method as part of EIP-191.\n function toEthSignedMessageHash(bytes32 hash) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n mstore(0x20, hash) // Store into scratch space for keccak256.\n mstore(0x00, \"\\x00\\x00\\x00\\x00\\x19Ethereum Signed Message:\\n32\") // 28 bytes.\n result := keccak256(0x04, 0x3c) // `32 * 2 - (32 - 28) = 60 = 0x3c`.\n }\n }\n\n /// @dev Returns an Ethereum Signed Message, created from `s`.\n /// This produces a hash corresponding to the one signed with the\n /// [`eth_sign`](https://eth.wiki/json-rpc/API#eth_sign)\n /// JSON-RPC method as part of EIP-191.\n /// Note: Supports lengths of `s` up to 999999 bytes.\n function toEthSignedMessageHash(bytes memory s) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n let sLength := mload(s)\n let o := 0x20\n mstore(o, \"\\x19Ethereum Signed Message:\\n\") // 26 bytes, zero-right-padded.\n mstore(0x00, 0x00)\n // Convert the `s.length` to ASCII decimal representation: `base10(s.length)`.\n for { let temp := sLength } 1 {} {\n o := sub(o, 1)\n mstore8(o, add(48, mod(temp, 10)))\n temp := div(temp, 10)\n if iszero(temp) { break }\n }\n let n := sub(0x3a, o) // Header length: `26 + 32 - o`.\n // Throw an out-of-offset error (consumes all gas) if the header exceeds 32 bytes.\n 
returndatacopy(returndatasize(), returndatasize(), gt(n, 0x20))\n mstore(s, or(mload(0x00), mload(n))) // Temporarily store the header.\n result := keccak256(add(s, sub(0x20, n)), add(n, sLength))\n mstore(s, sLength) // Restore the length.\n }\n }\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* EMPTY CALLDATA HELPERS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns an empty calldata bytes.\n function emptySignature() internal pure returns (bytes calldata signature) {\n /// @solidity memory-safe-assembly\n assembly {\n signature.length := 0\n }\n }\n}\n"
- },
- "lib/solady/src/utils/UUPSUpgradeable.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.4;\n\n/// @notice UUPS proxy mixin.\n/// @author Solady (https://github.com/vectorized/solady/blob/main/src/utils/UUPSUpgradeable.sol)\n/// @author Modified from OpenZeppelin\n/// (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/proxy/utils/UUPSUpgradeable.sol)\n///\n/// Note:\n/// - This implementation is intended to be used with ERC1967 proxies.\n/// See: `LibClone.deployERC1967` and related functions.\n/// - This implementation is NOT compatible with legacy OpenZeppelin proxies\n/// which do not store the implementation at `_ERC1967_IMPLEMENTATION_SLOT`.\nabstract contract UUPSUpgradeable {\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* CUSTOM ERRORS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev The upgrade failed.\n error UpgradeFailed();\n\n /// @dev The call is from an unauthorized call context.\n error UnauthorizedCallContext();\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* IMMUTABLES */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev For checking if the context is a delegate call.\n uint256 private immutable __self = uint256(uint160(address(this)));\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* EVENTS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Emitted when the proxy's implementation is upgraded.\n event Upgraded(address indexed implementation);\n\n /// @dev `keccak256(bytes(\"Upgraded(address)\"))`.\n uint256 private constant _UPGRADED_EVENT_SIGNATURE =\n 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b;\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* STORAGE */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev The ERC-1967 storage slot for the implementation in the proxy.\n /// 
`uint256(keccak256(\"eip1967.proxy.implementation\")) - 1`.\n bytes32 internal constant _ERC1967_IMPLEMENTATION_SLOT =\n 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* UUPS OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Please override this function to check if `msg.sender` is authorized\n /// to upgrade the proxy to `newImplementation`, reverting if not.\n /// ```\n /// function _authorizeUpgrade(address) internal override onlyOwner {}\n /// ```\n function _authorizeUpgrade(address newImplementation) internal virtual;\n\n /// @dev Returns the storage slot used by the implementation,\n /// as specified in [ERC1822](https://eips.ethereum.org/EIPS/eip-1822).\n ///\n /// Note: The `notDelegated` modifier prevents accidental upgrades to\n /// an implementation that is a proxy contract.\n function proxiableUUID() public view virtual notDelegated returns (bytes32) {\n // This function must always return `_ERC1967_IMPLEMENTATION_SLOT` to comply with ERC1967.\n return _ERC1967_IMPLEMENTATION_SLOT;\n }\n\n /// @dev Upgrades the proxy's implementation to `newImplementation`.\n /// Emits a {Upgraded} event.\n ///\n /// Note: Passing in empty `data` skips the delegatecall to `newImplementation`.\n function upgradeToAndCall(address newImplementation, bytes calldata data)\n public\n payable\n virtual\n onlyProxy\n {\n _authorizeUpgrade(newImplementation);\n /// @solidity memory-safe-assembly\n assembly {\n newImplementation := shr(96, shl(96, newImplementation)) // Clears upper 96 bits.\n mstore(0x01, 0x52d1902d) // `proxiableUUID()`.\n let s := _ERC1967_IMPLEMENTATION_SLOT\n // Check if `newImplementation` implements `proxiableUUID` correctly.\n if iszero(eq(mload(staticcall(gas(), newImplementation, 0x1d, 0x04, 0x01, 0x20)), s)) {\n mstore(0x01, 0x55299b49) // `UpgradeFailed()`.\n revert(0x1d, 0x04)\n }\n // Emit the {Upgraded} event.\n 
log2(codesize(), 0x00, _UPGRADED_EVENT_SIGNATURE, newImplementation)\n sstore(s, newImplementation) // Updates the implementation.\n\n // Perform a delegatecall to `newImplementation` if `data` is non-empty.\n if data.length {\n // Forwards the `data` to `newImplementation` via delegatecall.\n let m := mload(0x40)\n calldatacopy(m, data.offset, data.length)\n if iszero(delegatecall(gas(), newImplementation, m, data.length, codesize(), 0x00))\n {\n // Bubble up the revert if the call reverts.\n returndatacopy(m, 0x00, returndatasize())\n revert(m, returndatasize())\n }\n }\n }\n }\n\n /// @dev Requires that the execution is performed through a proxy.\n modifier onlyProxy() {\n uint256 s = __self;\n /// @solidity memory-safe-assembly\n assembly {\n // To enable use cases with an immutable default implementation in the bytecode,\n // (see: ERC6551Proxy), we don't require that the proxy address must match the\n // value stored in the implementation slot, which may not be initialized.\n if eq(s, address()) {\n mstore(0x00, 0x9f03a026) // `UnauthorizedCallContext()`.\n revert(0x1c, 0x04)\n }\n }\n _;\n }\n\n /// @dev Requires that the execution is NOT performed via delegatecall.\n /// This is the opposite of `onlyProxy`.\n modifier notDelegated() {\n uint256 s = __self;\n /// @solidity memory-safe-assembly\n assembly {\n if iszero(eq(s, address())) {\n mstore(0x00, 0x9f03a026) // `UnauthorizedCallContext()`.\n revert(0x1c, 0x04)\n }\n }\n _;\n }\n}\n"
- },
- "lib/webauthn-sol/src/WebAuthn.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\n\nimport {FCL_ecdsa} from \"FreshCryptoLib/FCL_ecdsa.sol\";\nimport {FCL_Elliptic_ZZ} from \"FreshCryptoLib/FCL_elliptic.sol\";\nimport {Base64} from \"openzeppelin-contracts/contracts/utils/Base64.sol\";\nimport {LibString} from \"solady/utils/LibString.sol\";\n\n/// @title WebAuthn\n///\n/// @notice A library for verifying WebAuthn Authentication Assertions, built off the work\n/// of Daimo.\n///\n/// @dev Attempts to use the RIP-7212 precompile for signature verification.\n/// If precompile verification fails, it falls back to FreshCryptoLib.\n///\n/// @author Coinbase (https://github.com/base-org/webauthn-sol)\n/// @author Daimo (https://github.com/daimo-eth/p256-verifier/blob/master/src/WebAuthn.sol)\nlibrary WebAuthn {\n using LibString for string;\n\n struct WebAuthnAuth {\n /// @dev The WebAuthn authenticator data.\n /// See https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-authenticatordata.\n bytes authenticatorData;\n /// @dev The WebAuthn client data JSON.\n /// See https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson.\n string clientDataJSON;\n /// @dev The index at which \"challenge\":\"...\" occurs in `clientDataJSON`.\n uint256 challengeIndex;\n /// @dev The index at which \"type\":\"...\" occurs in `clientDataJSON`.\n uint256 typeIndex;\n /// @dev The r value of secp256r1 signature\n uint256 r;\n /// @dev The s value of secp256r1 signature\n uint256 s;\n }\n\n /// @dev Bit 0 of the authenticator data struct, corresponding to the \"User Present\" bit.\n /// See https://www.w3.org/TR/webauthn-2/#flags.\n bytes1 private constant _AUTH_DATA_FLAGS_UP = 0x01;\n\n /// @dev Bit 2 of the authenticator data struct, corresponding to the \"User Verified\" bit.\n /// See https://www.w3.org/TR/webauthn-2/#flags.\n bytes1 private constant _AUTH_DATA_FLAGS_UV = 0x04;\n\n /// @dev Secp256r1 curve order / 2 used as guard to prevent signature malleability 
issue.\n uint256 private constant _P256_N_DIV_2 = FCL_Elliptic_ZZ.n / 2;\n\n /// @dev The precompiled contract address to use for signature verification in the “secp256r1” elliptic curve.\n /// See https://github.com/ethereum/RIPs/blob/master/RIPS/rip-7212.md.\n address private constant _VERIFIER = address(0x100);\n\n /// @dev The expected type (hash) in the client data JSON when verifying assertion signatures.\n /// See https://www.w3.org/TR/webauthn-2/#dom-collectedclientdata-type\n bytes32 private constant _EXPECTED_TYPE_HASH = keccak256('\"type\":\"webauthn.get\"');\n\n ///\n /// @notice Verifies a Webauthn Authentication Assertion as described\n /// in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion.\n ///\n /// @dev We do not verify all the steps as described in the specification, only ones relevant to our context.\n /// Please carefully read through this list before usage.\n ///\n /// Specifically, we do verify the following:\n /// - Verify that authenticatorData (which comes from the authenticator, such as iCloud Keychain) indicates\n /// a well-formed assertion with the user present bit set. If `requireUV` is set, checks that the authenticator\n /// enforced user verification. User verification should be required if, and only if, options.userVerification\n /// is set to required in the request.\n /// - Verifies that the client JSON is of type \"webauthn.get\", i.e. 
the client was responding to a request to\n /// assert authentication.\n /// - Verifies that the client JSON contains the requested challenge.\n /// - Verifies that (r, s) constitute a valid signature over both the authenticatorData and client JSON, for public\n /// key (x, y).\n ///\n /// We make some assumptions about the particular use case of this verifier, so we do NOT verify the following:\n /// - Does NOT verify that the origin in the `clientDataJSON` matches the Relying Party's origin: it is considered\n /// the authenticator's responsibility to ensure that the user is interacting with the correct RP. This is\n /// enforced properly by most high quality authenticators; iCloud Keychain and Google Password Manager in\n /// particular were tested.\n /// - Does NOT verify that `topOrigin` in `clientDataJSON` is well-formed: We assume it would never be present, i.e.\n /// the credentials are never used in a cross-origin/iframe context. The website/app setup should disallow\n /// cross-origin usage of the credentials. This is the default behaviour for created credentials in common settings.\n /// - Does NOT verify that the `rpIdHash` in `authenticatorData` is the SHA-256 hash of the RP ID expected by the Relying\n /// Party: this means that we rely on the authenticator to properly enforce credentials to be used only by the correct RP.\n /// This is generally enforced with features like Apple App Site Association and Google Asset Links. 
To protect from\n /// edge cases in which a previously-linked RP ID is removed from the authorised RP IDs, we recommend that messages\n /// signed by the authenticator include some expiry mechanism.\n /// - Does NOT verify the credential backup state: this assumes the credential backup state is NOT used as part of Relying\n /// Party business logic or policy.\n /// - Does NOT verify the values of the client extension outputs: this assumes that the Relying Party does not use client\n /// extension outputs.\n /// - Does NOT verify the signature counter: signature counters are intended to enable risk scoring for the Relying Party.\n /// This assumes risk scoring is not used as part of Relying Party business logic or policy.\n /// - Does NOT verify the attestation object: this assumes that response.attestationObject is NOT present in the response,\n /// i.e. the RP does not intend to verify an attestation.\n ///\n /// @param challenge The challenge that was provided by the relying party.\n /// @param requireUV A boolean indicating whether user verification is required.\n /// @param webAuthnAuth The `WebAuthnAuth` struct.\n /// @param x The x coordinate of the public key.\n /// @param y The y coordinate of the public key.\n ///\n /// @return `true` if the authentication assertion passed validation, else `false`.\n function verify(bytes memory challenge, bool requireUV, WebAuthnAuth memory webAuthnAuth, uint256 x, uint256 y)\n internal\n view\n returns (bool)\n {\n if (webAuthnAuth.s > _P256_N_DIV_2) {\n // guard against signature malleability\n return false;\n }\n\n // 11. Verify that the value of C.type is the string webauthn.get.\n // bytes(\"type\":\"webauthn.get\").length = 21\n string memory _type = webAuthnAuth.clientDataJSON.slice(webAuthnAuth.typeIndex, webAuthnAuth.typeIndex + 21);\n if (keccak256(bytes(_type)) != _EXPECTED_TYPE_HASH) {\n return false;\n }\n\n // 12. 
Verify that the value of C.challenge equals the base64url encoding of options.challenge.\n bytes memory expectedChallenge = bytes(string.concat('\"challenge\":\"', Base64.encodeURL(challenge), '\"'));\n string memory actualChallenge =\n webAuthnAuth.clientDataJSON.slice(webAuthnAuth.challengeIndex, webAuthnAuth.challengeIndex + expectedChallenge.length);\n if (keccak256(bytes(actualChallenge)) != keccak256(expectedChallenge)) {\n return false;\n }\n\n // Skip 13., 14., 15.\n\n // 16. Verify that the UP bit of the flags in authData is set.\n // The flags byte follows the 32-byte rpIdHash; indexing reverts (out-of-bounds panic) if\n // `authenticatorData` is shorter than 33 bytes. Note: in Solidity `&` binds tighter than `!=`\n // (unlike C), so this reads as `(flags & UP) != UP`.\n if (webAuthnAuth.authenticatorData[32] & _AUTH_DATA_FLAGS_UP != _AUTH_DATA_FLAGS_UP) {\n return false;\n }\n\n // 17. If user verification is required for this assertion, verify that the User Verified bit of the flags in\n // authData is set.\n if (requireUV && (webAuthnAuth.authenticatorData[32] & _AUTH_DATA_FLAGS_UV) != _AUTH_DATA_FLAGS_UV) {\n return false;\n }\n\n // skip 18.\n\n // 19. Let hash be the result of computing a hash over the cData using SHA-256.\n bytes32 clientDataJSONHash = sha256(bytes(webAuthnAuth.clientDataJSON));\n\n // 20. 
Using credentialPublicKey, verify that sig is a valid signature over the binary concatenation of authData\n // and hash.\n bytes32 messageHash = sha256(abi.encodePacked(webAuthnAuth.authenticatorData, clientDataJSONHash));\n bytes memory args = abi.encode(messageHash, webAuthnAuth.r, webAuthnAuth.s, x, y);\n // try the RIP-7212 precompile address\n (bool success, bytes memory ret) = _VERIFIER.staticcall(args);\n // staticcall will not revert if address has no code: on a chain without the precompile the call succeeds\n // with empty returndata, which also routes to the FCL fallback below.\n // check return length\n // note that even if precompile exists, ret.length is 0 when verification returns false\n // so an invalid signature will be checked twice: once by the precompile and once by FCL.\n // Ideally this signature failure is simulated offchain and no one actually pays this gas.\n bool valid = ret.length > 0;\n if (success && valid) return abi.decode(ret, (uint256)) == 1;\n\n return FCL_ecdsa.ecdsa_verify(messageHash, webAuthnAuth.r, webAuthnAuth.s, x, y);\n }\n}\n"
- },
- "src/ERC1271.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.4;\n\n/// @title ERC-1271\n///\n/// @notice Abstract ERC-1271 implementation (based on Solady's) with guards to handle the same\n/// signer being used on multiple accounts.\n///\n/// @dev To prevent the same signature from being validated on different accounts owned by the same signer,\n/// we introduce an anti cross-account-replay layer: the original hash is input into a new EIP-712 compliant\n/// hash. The domain separator of this outer hash contains the chain id and address of this contract, so that\n/// it cannot be used on two accounts (see `replaySafeHash()` for the implementation details).\n///\n/// @author Coinbase (https://github.com/coinbase/smart-wallet)\n/// @author Solady (https://github.com/vectorized/solady/blob/main/src/accounts/ERC1271.sol)\nabstract contract ERC1271 {\n /// @dev Precomputed `typeHash` used to produce EIP-712 compliant hash when applying the anti\n /// cross-account-replay layer.\n ///\n /// The original hash must either be:\n /// - An EIP-191 hash: keccak256(\"\\x19Ethereum Signed Message:\\n\" || len(someMessage) || someMessage)\n /// - An EIP-712 hash: keccak256(\"\\x19\\x01\" || someDomainSeparator || hashStruct(someStruct))\n bytes32 private constant _MESSAGE_TYPEHASH = keccak256(\"CoinbaseSmartWalletMessage(bytes32 hash)\");\n\n /// @notice Returns information about the `EIP712Domain` used to create EIP-712 compliant hashes.\n ///\n /// @dev Follows ERC-5267 (see https://eips.ethereum.org/EIPS/eip-5267).\n ///\n /// @return fields The bitmap of used fields.\n /// @return name The value of the `EIP712Domain.name` field.\n /// @return version The value of the `EIP712Domain.version` field.\n /// @return chainId The value of the `EIP712Domain.chainId` field.\n /// @return verifyingContract The value of the `EIP712Domain.verifyingContract` field.\n /// @return salt The value of the `EIP712Domain.salt` field.\n /// @return extensions The list of EIP numbers, that 
extends EIP-712 with new domain fields.\n function eip712Domain()\n external\n view\n virtual\n returns (\n bytes1 fields,\n string memory name,\n string memory version,\n uint256 chainId,\n address verifyingContract,\n bytes32 salt,\n uint256[] memory extensions\n )\n {\n fields = hex\"0f\"; // `0b1111`.\n (name, version) = _domainNameAndVersion();\n chainId = block.chainid;\n verifyingContract = address(this);\n salt = salt; // `bytes32(0)`.\n extensions = extensions; // `new uint256[](0)`.\n }\n\n /// @notice Validates the `signature` against the given `hash`.\n ///\n /// @dev This implementation follows ERC-1271. See https://eips.ethereum.org/EIPS/eip-1271.\n /// @dev IMPORTANT: Signature verification is performed on the hash produced AFTER applying the anti\n /// cross-account-replay layer on the given `hash` (i.e., verification is run on the replay-safe\n /// hash version). Because that layer binds `block.chainid` and `address(this)`, a signature made\n /// over the raw `hash` will NOT validate here, and a valid signature cannot be replayed on another\n /// chain or another account.\n ///\n /// @param hash The original hash.\n /// @param signature The signature of the replay-safe hash to validate.\n ///\n /// @return result `0x1626ba7e` if validation succeeded, else `0xffffffff`.\n function isValidSignature(bytes32 hash, bytes calldata signature) public view virtual returns (bytes4 result) {\n if (_isValidSignature({hash: replaySafeHash(hash), signature: signature})) {\n // bytes4(keccak256(\"isValidSignature(bytes32,bytes)\"))\n return 0x1626ba7e;\n }\n\n return 0xffffffff;\n }\n\n /// @notice Wrapper around `_eip712Hash()` to produce a replay-safe hash from the given `hash`.\n ///\n /// @dev The returned EIP-712 compliant replay-safe hash is the result of:\n /// keccak256(\n /// \\x19\\x01 ||\n /// this.domainSeparator ||\n /// hashStruct(CoinbaseSmartWalletMessage({ hash: `hash`}))\n /// )\n ///\n /// @param hash The original hash.\n ///\n /// @return The corresponding replay-safe hash.\n function replaySafeHash(bytes32 hash) public view virtual returns (bytes32) {\n return _eip712Hash(hash);\n }\n\n /// @notice Returns the `domainSeparator` used to create EIP-712 
compliant hashes.\n ///\n /// @dev Implements domainSeparator = hashStruct(eip712Domain).\n /// See https://eips.ethereum.org/EIPS/eip-712#definition-of-domainseparator.\n /// @dev Recomputed on every call rather than cached, so it always reflects the current `block.chainid`.\n ///\n /// @return The 32 bytes domain separator result.\n function domainSeparator() public view returns (bytes32) {\n (string memory name, string memory version) = _domainNameAndVersion();\n return keccak256(\n abi.encode(\n keccak256(\"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)\"),\n keccak256(bytes(name)),\n keccak256(bytes(version)),\n block.chainid,\n address(this)\n )\n );\n }\n\n /// @notice Returns the EIP-712 typed hash of the `CoinbaseSmartWalletMessage(bytes32 hash)` data structure.\n ///\n /// @dev Implements encode(domainSeparator : 𝔹²⁵⁶, message : 𝕊) = \"\\x19\\x01\" || domainSeparator ||\n /// hashStruct(message).\n /// @dev See https://eips.ethereum.org/EIPS/eip-712#specification.\n ///\n /// @param hash The `CoinbaseSmartWalletMessage.hash` field to hash.\n ///\n /// @return The resulting EIP-712 hash.\n function _eip712Hash(bytes32 hash) internal view virtual returns (bytes32) {\n return keccak256(abi.encodePacked(\"\\x19\\x01\", domainSeparator(), _hashStruct(hash)));\n }\n\n /// @notice Returns the EIP-712 `hashStruct` result of the `CoinbaseSmartWalletMessage(bytes32 hash)` data\n /// structure.\n ///\n /// @dev Implements hashStruct(s : 𝕊) 
= keccak256(typeHash || encodeData(s)).\n /// @dev See https://eips.ethereum.org/EIPS/eip-712#definition-of-hashstruct.\n ///\n /// @param hash The `CoinbaseSmartWalletMessage.hash` field.\n ///\n /// @return The EIP-712 `hashStruct` result.\n function _hashStruct(bytes32 hash) internal view virtual returns (bytes32) {\n return keccak256(abi.encode(_MESSAGE_TYPEHASH, hash));\n }\n\n /// @notice Returns the domain name and version to use when creating EIP-712 signatures.\n ///\n /// @dev MUST be defined by the implementation.\n ///\n /// @return name The user readable name of signing domain.\n /// @return version The current major version of the signing domain.\n function _domainNameAndVersion() internal view virtual returns (string memory name, string memory version);\n\n /// @notice Validates the `signature` against the given `hash`.\n ///\n /// @dev MUST be defined by the implementation.\n ///\n /// @param hash The hash that was signed (already replay-safe when reached via `isValidSignature`).\n /// @param signature The signature associated with `hash`.\n ///\n /// @return `true` if the signature is valid, else `false`.\n function _isValidSignature(bytes32 hash, bytes calldata signature) internal view virtual returns (bool);\n}\n"
- },
- "src/MultiOwnable.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.18;\n\n/// @notice Storage layout used by this contract.\n///\n/// @custom:storage-location erc7201:coinbase.storage.MultiOwnable\nstruct MultiOwnableStorage {\n /// @dev Tracks the index of the next owner to add.\n uint256 nextOwnerIndex;\n /// @dev Tracks number of owners that have been removed.\n uint256 removedOwnersCount;\n /// @dev Maps index to owner bytes, used to identify owners via a uint256 index.\n ///\n /// Some uses—such as signature validation for secp256r1 public key owners—\n /// require the caller to assert the public key of the caller. To economize calldata,\n /// we allow an index to identify an owner, so that the full owner bytes do\n /// not need to be passed.\n ///\n /// The `owner` bytes should either be\n /// - An ABI encoded Ethereum address (32 bytes)\n /// - An ABI encoded public key (64 bytes)\n mapping(uint256 index => bytes owner) ownerAtIndex;\n /// @dev Mapping of bytes to booleans indicating whether or not\n /// bytes_ is an owner of this contract.\n mapping(bytes bytes_ => bool isOwner_) isOwner;\n}\n\n/// @title Multi Ownable\n///\n/// @notice Auth contract allowing multiple owners, each identified as bytes.\n///\n/// @author Coinbase (https://github.com/coinbase/smart-wallet)\ncontract MultiOwnable {\n /// @dev Slot for the `MultiOwnableStorage` struct in storage.\n /// Computed from\n /// keccak256(abi.encode(uint256(keccak256(\"coinbase.storage.MultiOwnable\")) - 1)) & ~bytes32(uint256(0xff))\n /// Follows ERC-7201 (see https://eips.ethereum.org/EIPS/eip-7201).\n bytes32 private constant MUTLI_OWNABLE_STORAGE_LOCATION =\n 0x97e2c6aad4ce5d562ebfaa00db6b9e0fb66ea5d8162ed5b243f51a2e03086f00;\n\n /// @notice Thrown when the `msg.sender` is not an owner and is trying to call a privileged function.\n error Unauthorized();\n\n /// @notice Thrown when trying to add an already registered owner.\n ///\n /// @param owner The owner bytes.\n error AlreadyOwner(bytes owner);\n\n /// @notice 
Thrown when trying to remove an owner from an index that is empty.\n ///\n /// @param index The targeted index for removal.\n error NoOwnerAtIndex(uint256 index);\n\n /// @notice Thrown when `owner` argument does not match owner found at index.\n ///\n /// @param index The index of the owner to be removed.\n /// @param expectedOwner The owner passed in the remove call.\n /// @param actualOwner The actual owner at `index`.\n error WrongOwnerAtIndex(uint256 index, bytes expectedOwner, bytes actualOwner);\n\n /// @notice Thrown when a provided owner is neither 64 bytes long (for public key)\n /// nor a ABI encoded address.\n ///\n /// @param owner The invalid owner.\n error InvalidOwnerBytesLength(bytes owner);\n\n /// @notice Thrown if a provided owner is 32 bytes long but does not fit in an `address` type.\n ///\n /// @param owner The invalid owner.\n error InvalidEthereumAddressOwner(bytes owner);\n\n /// @notice Thrown when removeOwnerAtIndex is called and there is only one current owner.\n error LastOwner();\n\n /// @notice Thrown when removeLastOwner is called and there is more than one current owner.\n ///\n /// @param ownersRemaining The number of current owners.\n error NotLastOwner(uint256 ownersRemaining);\n\n /// @notice Emitted when a new owner is registered.\n ///\n /// @param index The owner index of the owner added.\n /// @param owner The owner added.\n event AddOwner(uint256 indexed index, bytes owner);\n\n /// @notice Emitted when an owner is removed.\n ///\n /// @param index The owner index of the owner removed.\n /// @param owner The owner removed.\n event RemoveOwner(uint256 indexed index, bytes owner);\n\n /// @notice Access control modifier ensuring the caller is an authorized owner\n modifier onlyOwner() virtual {\n _checkOwner();\n _;\n }\n\n /// @notice Adds a new Ethereum-address owner.\n ///\n /// @param owner The owner address.\n function addOwnerAddress(address owner) external virtual onlyOwner {\n _addOwnerAtIndex(abi.encode(owner), 
_getMultiOwnableStorage().nextOwnerIndex++);\n }\n\n /// @notice Adds a new public-key owner.\n ///\n /// @dev No check is made here that (`x`, `y`) is a valid secp256r1 point; the caller is\n /// trusted to supply a well-formed key.\n ///\n /// @param x The owner public key x coordinate.\n /// @param y The owner public key y coordinate.\n function addOwnerPublicKey(bytes32 x, bytes32 y) external virtual onlyOwner {\n _addOwnerAtIndex(abi.encode(x, y), _getMultiOwnableStorage().nextOwnerIndex++);\n }\n\n /// @notice Removes owner at the given `index`.\n ///\n /// @dev Reverts if the owner is not registered at `index`.\n /// @dev Reverts if there is currently only one owner.\n /// @dev Reverts if `owner` does not match bytes found at `index` (guards against removing a\n /// different owner than intended if indices are confused).\n ///\n /// @param index The index of the owner to be removed.\n /// @param owner The ABI encoded bytes of the owner to be removed; must equal `ownerAtIndex(index)`.\n function removeOwnerAtIndex(uint256 index, bytes calldata owner) external virtual onlyOwner {\n if (ownerCount() == 1) {\n revert LastOwner();\n }\n\n _removeOwnerAtIndex(index, owner);\n }\n\n /// @notice Removes owner at the given `index`, which should be the only current owner.\n ///\n /// @dev Reverts if the owner is not registered at `index`.\n /// @dev Reverts if there is currently more than one owner.\n /// @dev Reverts if `owner` does not match bytes found at `index`.\n /// @dev Leaves the account with no registered owners, so nothing guarded by `onlyOwner` can be\n /// called afterwards; confirm a recovery path exists before using this.\n ///\n /// @param index The index of the owner to be removed.\n /// @param owner The ABI encoded bytes of the owner to be removed.\n function removeLastOwner(uint256 index, bytes calldata owner) external virtual onlyOwner {\n uint256 ownersRemaining = ownerCount();\n if (ownersRemaining > 1) {\n revert NotLastOwner(ownersRemaining);\n }\n\n _removeOwnerAtIndex(index, owner);\n }\n\n /// @notice Checks if the given `account` address is registered as owner.\n ///\n /// @param account The account address to check.\n ///\n /// @return `true` if the account is an owner else `false`.\n function isOwnerAddress(address account) public view virtual returns (bool) {\n return _getMultiOwnableStorage().isOwner[abi.encode(account)];\n }\n\n /// @notice Checks if the given 
`x`, `y` public key is registered as owner.\n ///\n /// @param x The public key x coordinate.\n /// @param y The public key y coordinate.\n ///\n /// @return `true` if the account is an owner else `false`.\n function isOwnerPublicKey(bytes32 x, bytes32 y) public view virtual returns (bool) {\n return _getMultiOwnableStorage().isOwner[abi.encode(x, y)];\n }\n\n /// @notice Checks if the given `account` bytes is registered as owner.\n ///\n /// @param account The account, should be ABI encoded address or public key.\n ///\n /// @return `true` if the account is an owner else `false`.\n function isOwnerBytes(bytes memory account) public view virtual returns (bool) {\n return _getMultiOwnableStorage().isOwner[account];\n }\n\n /// @notice Returns the owner bytes at the given `index`.\n ///\n /// @param index The index to lookup.\n ///\n /// @return The owner bytes (empty if no owner is registered at this `index`).\n function ownerAtIndex(uint256 index) public view virtual returns (bytes memory) {\n return _getMultiOwnableStorage().ownerAtIndex[index];\n }\n\n /// @notice Returns the next index that will be used to add a new owner.\n ///\n /// @return The next index that will be used to add a new owner.\n function nextOwnerIndex() public view virtual returns (uint256) {\n return _getMultiOwnableStorage().nextOwnerIndex;\n }\n\n /// @notice Returns the current number of owners\n ///\n /// @return The current owner count\n function ownerCount() public view virtual returns (uint256) {\n MultiOwnableStorage storage $ = _getMultiOwnableStorage();\n return $.nextOwnerIndex - $.removedOwnersCount;\n }\n\n /// @notice Tracks the number of owners removed\n ///\n /// @dev Used with `this.nextOwnerIndex` to avoid removing all owners\n ///\n /// @return The number of owners that have been removed.\n function removedOwnersCount() public view virtual returns (uint256) {\n return _getMultiOwnableStorage().removedOwnersCount;\n }\n\n /// @notice Initialize the owners of this contract.\n 
///\n /// @dev Intended to be called contract is first deployed and never again.\n /// @dev Reverts if a provided owner is neither 64 bytes long (for public key) nor a valid address.\n ///\n /// @param owners The initial set of owners.\n function _initializeOwners(bytes[] memory owners) internal virtual {\n MultiOwnableStorage storage $ = _getMultiOwnableStorage();\n uint256 nextOwnerIndex_ = $.nextOwnerIndex;\n for (uint256 i; i < owners.length; i++) {\n if (owners[i].length != 32 && owners[i].length != 64) {\n revert InvalidOwnerBytesLength(owners[i]);\n }\n\n if (owners[i].length == 32 && uint256(bytes32(owners[i])) > type(uint160).max) {\n revert InvalidEthereumAddressOwner(owners[i]);\n }\n\n _addOwnerAtIndex(owners[i], nextOwnerIndex_++);\n }\n $.nextOwnerIndex = nextOwnerIndex_;\n }\n\n /// @notice Adds an owner at the given `index`.\n ///\n /// @dev Reverts if `owner` is already registered as an owner.\n ///\n /// @param owner The owner raw bytes to register.\n /// @param index The index to write to.\n function _addOwnerAtIndex(bytes memory owner, uint256 index) internal virtual {\n if (isOwnerBytes(owner)) revert AlreadyOwner(owner);\n\n MultiOwnableStorage storage $ = _getMultiOwnableStorage();\n $.isOwner[owner] = true;\n $.ownerAtIndex[index] = owner;\n\n emit AddOwner(index, owner);\n }\n\n /// @notice Removes owner at the given `index`.\n ///\n /// @dev Reverts if the owner is not registered at `index`.\n /// @dev Reverts if `owner` does not match bytes found at `index`.\n ///\n /// @param index The index of the owner to be removed.\n /// @param owner The ABI encoded bytes of the owner to be removed.\n function _removeOwnerAtIndex(uint256 index, bytes calldata owner) internal virtual {\n bytes memory owner_ = ownerAtIndex(index);\n if (owner_.length == 0) revert NoOwnerAtIndex(index);\n if (keccak256(owner_) != keccak256(owner)) {\n revert WrongOwnerAtIndex({index: index, expectedOwner: owner, actualOwner: owner_});\n }\n\n MultiOwnableStorage storage 
$ = _getMultiOwnableStorage();\n delete $.isOwner[owner];\n delete $.ownerAtIndex[index];\n $.removedOwnersCount++;\n\n emit RemoveOwner(index, owner);\n }\n\n /// @notice Checks if the sender is an owner of this contract or the contract itself.\n ///\n /// @dev Revert if the sender is not an owner fo the contract itself.\n function _checkOwner() internal view virtual {\n if (isOwnerAddress(msg.sender) || (msg.sender == address(this))) {\n return;\n }\n\n revert Unauthorized();\n }\n\n /// @notice Helper function to get a storage reference to the `MultiOwnableStorage` struct.\n ///\n /// @return $ A storage reference to the `MultiOwnableStorage` struct.\n function _getMultiOwnableStorage() internal pure returns (MultiOwnableStorage storage $) {\n assembly (\"memory-safe\") {\n $.slot := MUTLI_OWNABLE_STORAGE_LOCATION\n }\n }\n}\n"
- },
- "lib/account-abstraction/contracts/core/Helpers.sol": {
- "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity ^0.8.12;\n\n/* solhint-disable no-inline-assembly */\n\n/**\n * returned data from validateUserOp.\n * validateUserOp returns a uint256, with is created by `_packedValidationData` and parsed by `_parseValidationData`\n * @param aggregator - address(0) - the account validated the signature by itself.\n * address(1) - the account failed to validate the signature.\n * otherwise - this is an address of a signature aggregator that must be used to validate the signature.\n * @param validAfter - this UserOp is valid only after this timestamp.\n * @param validaUntil - this UserOp is valid only up to this timestamp.\n */\n struct ValidationData {\n address aggregator;\n uint48 validAfter;\n uint48 validUntil;\n }\n\n//extract sigFailed, validAfter, validUntil.\n// also convert zero validUntil to type(uint48).max\n function _parseValidationData(uint validationData) pure returns (ValidationData memory data) {\n address aggregator = address(uint160(validationData));\n uint48 validUntil = uint48(validationData >> 160);\n if (validUntil == 0) {\n validUntil = type(uint48).max;\n }\n uint48 validAfter = uint48(validationData >> (48 + 160));\n return ValidationData(aggregator, validAfter, validUntil);\n }\n\n// intersect account and paymaster ranges.\n function _intersectTimeRange(uint256 validationData, uint256 paymasterValidationData) pure returns (ValidationData memory) {\n ValidationData memory accountValidationData = _parseValidationData(validationData);\n ValidationData memory pmValidationData = _parseValidationData(paymasterValidationData);\n address aggregator = accountValidationData.aggregator;\n if (aggregator == address(0)) {\n aggregator = pmValidationData.aggregator;\n }\n uint48 validAfter = accountValidationData.validAfter;\n uint48 validUntil = accountValidationData.validUntil;\n uint48 pmValidAfter = pmValidationData.validAfter;\n uint48 pmValidUntil = pmValidationData.validUntil;\n\n if 
(validAfter < pmValidAfter) validAfter = pmValidAfter;\n if (validUntil > pmValidUntil) validUntil = pmValidUntil;\n return ValidationData(aggregator, validAfter, validUntil);\n }\n\n/**\n * helper to pack the return value for validateUserOp\n * @param data - the ValidationData to pack\n */\n function _packValidationData(ValidationData memory data) pure returns (uint256) {\n return uint160(data.aggregator) | (uint256(data.validUntil) << 160) | (uint256(data.validAfter) << (160 + 48));\n }\n\n/**\n * helper to pack the return value for validateUserOp, when not using an aggregator\n * @param sigFailed - true for signature failure, false for success\n * @param validUntil last timestamp this UserOperation is valid (or zero for infinite)\n * @param validAfter first timestamp this UserOperation is valid\n */\n function _packValidationData(bool sigFailed, uint48 validUntil, uint48 validAfter) pure returns (uint256) {\n return (sigFailed ? 1 : 0) | (uint256(validUntil) << 160) | (uint256(validAfter) << (160 + 48));\n }\n\n/**\n * keccak function over calldata.\n * @dev copy calldata into memory, do keccak and drop allocated memory. Strangely, this is more efficient than letting solidity do it.\n */\n function calldataKeccak(bytes calldata data) pure returns (bytes32 ret) {\n assembly {\n let mem := mload(0x40)\n let len := data.length\n calldatacopy(mem, data.offset, len)\n ret := keccak256(mem, len)\n }\n }\n\n"
- },
- "lib/webauthn-sol/lib/FreshCryptoLib/solidity/src/FCL_ecdsa.sol": {
- "content": "//********************************************************************************************/\n// ___ _ ___ _ _ _ _\n// | __| _ ___ __| |_ / __|_ _ _ _ _ __| |_ ___ | | (_) |__\n// | _| '_/ -_|_-< ' \\ | (__| '_| || | '_ \\ _/ _ \\ | |__| | '_ \\\n// |_||_| \\___/__/_||_| \\___|_| \\_, | .__/\\__\\___/ |____|_|_.__/\n// |__/|_|\n///* Copyright (C) 2022 - Renaud Dubois - This file is part of FCL (Fresh CryptoLib) project\n///* License: This software is licensed under MIT License\n///* This Code may be reused including license and copyright notice.\n///* See LICENSE file at the root folder of the project.\n///* FILE: FCL_ecdsa.sol\n///*\n///*\n///* DESCRIPTION: ecdsa verification implementation\n///*\n//**************************************************************************************/\n//* WARNING: this code SHALL not be used for non prime order curves for security reasons.\n// Code is optimized for a=-3 only curves with prime order, constant like -1, -2 shall be replaced\n// if ever used for other curve than sec256R1\n// SPDX-License-Identifier: MIT\npragma solidity >=0.8.19 <0.9.0;\n\n\nimport {FCL_Elliptic_ZZ} from \"./FCL_elliptic.sol\";\n\n\n\nlibrary FCL_ecdsa {\n // Set parameters for curve sec256r1.public\n //curve order (number of points)\n uint256 constant n = FCL_Elliptic_ZZ.n;\n \n /**\n * @dev ECDSA verification, given , signature, and public key.\n */\n\n /**\n * @dev ECDSA verification, given , signature, and public key, no calldata version\n */\n function ecdsa_verify(bytes32 message, uint256 r, uint256 s, uint256 Qx, uint256 Qy) internal view returns (bool){\n\n if (r == 0 || r >= FCL_Elliptic_ZZ.n || s == 0 || s >= FCL_Elliptic_ZZ.n) {\n return false;\n }\n \n if (!FCL_Elliptic_ZZ.ecAff_isOnCurve(Qx, Qy)) {\n return false;\n }\n\n uint256 sInv = FCL_Elliptic_ZZ.FCL_nModInv(s);\n\n uint256 scalar_u = mulmod(uint256(message), sInv, FCL_Elliptic_ZZ.n);\n uint256 scalar_v = mulmod(r, sInv, FCL_Elliptic_ZZ.n);\n uint256 x1;\n\n x1 = 
FCL_Elliptic_ZZ.ecZZ_mulmuladd_S_asm(Qx, Qy, scalar_u, scalar_v);\n\n x1= addmod(x1, n-r,n );\n \n return x1 == 0;\n }\n\n function ec_recover_r1(uint256 h, uint256 v, uint256 r, uint256 s) internal view returns (address)\n {\n if (r == 0 || r >= FCL_Elliptic_ZZ.n || s == 0 || s >= FCL_Elliptic_ZZ.n) {\n return address(0);\n }\n uint256 y=FCL_Elliptic_ZZ.ec_Decompress(r, v-27);\n uint256 rinv=FCL_Elliptic_ZZ.FCL_nModInv(r);\n uint256 u1=mulmod(FCL_Elliptic_ZZ.n-addmod(0,h,FCL_Elliptic_ZZ.n), rinv,FCL_Elliptic_ZZ.n);//-hr^-1\n uint256 u2=mulmod(s, rinv,FCL_Elliptic_ZZ.n);//sr^-1\n\n uint256 Qx;\n uint256 Qy;\n (Qx,Qy)=FCL_Elliptic_ZZ.ecZZ_mulmuladd(r,y, u1, u2);\n\n return address(uint160(uint256(keccak256(abi.encodePacked(Qx, Qy)))));\n }\n\n function ecdsa_precomputed_verify(bytes32 message, uint256 r, uint256 s, address Shamir8)\n internal view\n returns (bool)\n {\n \n if (r == 0 || r >= n || s == 0 || s >= n) {\n return false;\n }\n /* Q is pushed via the contract at address Shamir8 assumed to be correct\n if (!isOnCurve(Q[0], Q[1])) {\n return false;\n }*/\n\n uint256 sInv = FCL_Elliptic_ZZ.FCL_nModInv(s);\n\n uint256 X;\n\n //Shamir 8 dimensions\n X = FCL_Elliptic_ZZ.ecZZ_mulmuladd_S8_extcode(mulmod(uint256(message), sInv, n), mulmod(r, sInv, n), Shamir8);\n\n X= addmod(X, n-r,n );\n\n return X == 0;\n } //end ecdsa_precomputed_verify()\n\n function ecdsa_precomputed_verify(bytes32 message, uint256[2] calldata rs, address Shamir8)\n internal view\n returns (bool)\n {\n uint256 r = rs[0];\n uint256 s = rs[1];\n if (r == 0 || r >= n || s == 0 || s >= n) {\n return false;\n }\n /* Q is pushed via the contract at address Shamir8 assumed to be correct\n if (!isOnCurve(Q[0], Q[1])) {\n return false;\n }*/\n\n uint256 sInv = FCL_Elliptic_ZZ.FCL_nModInv(s);\n\n uint256 X;\n\n //Shamir 8 dimensions\n X = FCL_Elliptic_ZZ.ecZZ_mulmuladd_S8_extcode(mulmod(uint256(message), sInv, n), mulmod(r, sInv, n), Shamir8);\n\n X= addmod(X, n-r,n );\n\n return X == 0;\n } //end 
ecdsa_precomputed_verify()\n\n}\n"
- },
- "lib/webauthn-sol/lib/FreshCryptoLib/solidity/src/FCL_elliptic.sol": {
- "content": "//********************************************************************************************/\n// ___ _ ___ _ _ _ _\n// | __| _ ___ __| |_ / __|_ _ _ _ _ __| |_ ___ | | (_) |__\n// | _| '_/ -_|_-< ' \\ | (__| '_| || | '_ \\ _/ _ \\ | |__| | '_ \\\n// |_||_| \\___/__/_||_| \\___|_| \\_, | .__/\\__\\___/ |____|_|_.__/\n// |__/|_|\n///* Copyright (C) 2022 - Renaud Dubois - This file is part of FCL (Fresh CryptoLib) project\n///* License: This software is licensed under MIT License\n///* This Code may be reused including license and copyright notice.\n///* See LICENSE file at the root folder of the project.\n///* FILE: FCL_elliptic.sol\n///*\n///*\n///* DESCRIPTION: modified XYZZ system coordinates for EVM elliptic point multiplication\n///* optimization\n///*\n//**************************************************************************************/\n//* WARNING: this code SHALL not be used for non prime order curves for security reasons.\n// Code is optimized for a=-3 only curves with prime order, constant like -1, -2 shall be replaced\n// if ever used for other curve than sec256R1\n// SPDX-License-Identifier: MIT\npragma solidity >=0.8.19 <0.9.0;\n\nlibrary FCL_Elliptic_ZZ {\n // Set parameters for curve sec256r1.\n\n // address of the ModExp precompiled contract (Arbitrary-precision exponentiation under modulo)\n address constant MODEXP_PRECOMPILE = 0x0000000000000000000000000000000000000005;\n //curve prime field modulus\n uint256 constant p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF;\n //short weierstrass first coefficient\n uint256 constant a = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC;\n //short weierstrass second coefficient\n uint256 constant b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B;\n //generating point affine coordinates\n uint256 constant gx = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296;\n uint256 constant gy = 
0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5;\n //curve order (number of points)\n uint256 constant n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551;\n /* -2 mod p constant, used to speed up inversion and doubling (avoid negation)*/\n uint256 constant minus_2 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFD;\n /* -2 mod n constant, used to speed up inversion*/\n uint256 constant minus_2modn = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254F;\n\n uint256 constant minus_1 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;\n //P+1 div 4\n uint256 constant pp1div4=0x3fffffffc0000000400000000000000000000000400000000000000000000000;\n //arbitrary constant to express no quadratic residuosity\n uint256 constant _NOTSQUARE=0xFFFFFFFF00000002000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF;\n uint256 constant _NOTONCURVE=0xFFFFFFFF00000003000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF;\n\n /**\n * /* inversion mod n via a^(n-2), use of precompiled using little Fermat theorem\n */\n function FCL_nModInv(uint256 u) internal view returns (uint256 result) {\n assembly {\n let pointer := mload(0x40)\n // Define length of base, exponent and modulus. 0x20 == 32 bytes\n mstore(pointer, 0x20)\n mstore(add(pointer, 0x20), 0x20)\n mstore(add(pointer, 0x40), 0x20)\n // Define variables base, exponent and modulus\n mstore(add(pointer, 0x60), u)\n mstore(add(pointer, 0x80), minus_2modn)\n mstore(add(pointer, 0xa0), n)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, pointer, 0xc0, pointer, 0x20)) { revert(0, 0) }\n result := mload(pointer)\n }\n }\n /**\n * /* @dev inversion mod nusing little Fermat theorem via a^(n-2), use of precompiled\n */\n\n function FCL_pModInv(uint256 u) internal view returns (uint256 result) {\n assembly {\n let pointer := mload(0x40)\n // Define length of base, exponent and modulus. 
0x20 == 32 bytes\n mstore(pointer, 0x20)\n mstore(add(pointer, 0x20), 0x20)\n mstore(add(pointer, 0x40), 0x20)\n // Define variables base, exponent and modulus\n mstore(add(pointer, 0x60), u)\n mstore(add(pointer, 0x80), minus_2)\n mstore(add(pointer, 0xa0), p)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, pointer, 0xc0, pointer, 0x20)) { revert(0, 0) }\n result := mload(pointer)\n }\n }\n\n //Coron projective shuffling, take as input alpha as blinding factor\n function ecZZ_Coronize(uint256 alpha, uint256 x, uint256 y, uint256 zz, uint256 zzz) internal pure returns (uint256 x3, uint256 y3, uint256 zz3, uint256 zzz3)\n {\n \n uint256 alpha2=mulmod(alpha,alpha,p);\n \n x3=mulmod(alpha2, x,p); //alpha^-2.x\n y3=mulmod(mulmod(alpha, alpha2,p), y,p);\n\n zz3=mulmod(zz,alpha2,p);//alpha^2 zz\n zzz3=mulmod(zzz,mulmod(alpha, alpha2,p),p);//alpha^3 zzz\n \n return (x3, y3, zz3, zzz3);\n }\n\n\n function ecZZ_Add(uint256 x1, uint256 y1, uint256 zz1, uint256 zzz1, uint256 x2, uint256 y2, uint256 zz2, uint256 zzz2) internal pure returns (uint256 x3, uint256 y3, uint256 zz3, uint256 zzz3)\n {\n uint256 u1=mulmod(x1,zz2,p); // U1 = X1*ZZ2\n uint256 u2=mulmod(x2, zz1,p); // U2 = X2*ZZ1\n u2=addmod(u2, p-u1, p);// P = U2-U1\n x1=mulmod(u2, u2, p);//PP\n x2=mulmod(x1, u2, p);//PPP\n \n zz3=mulmod(x1, mulmod(zz1, zz2, p),p);//ZZ3 = ZZ1*ZZ2*PP \n zzz3=mulmod(zzz1, mulmod(zzz2, x2, p),p);//ZZZ3 = ZZZ1*ZZZ2*PPP\n\n zz1=mulmod(y1, zzz2,p); // S1 = Y1*ZZZ2\n zz2=mulmod(y2, zzz1, p); // S2 = Y2*ZZZ1 \n zz2=addmod(zz2, p-zz1, p);//R = S2-S1\n zzz1=mulmod(u1, x1,p); //Q = U1*PP\n x3= addmod(addmod(mulmod(zz2, zz2, p), p-x2,p), mulmod(minus_2, zzz1,p),p); //X3 = R2-PPP-2*Q\n y3=addmod( mulmod(zz2, addmod(zzz1, p-x3, p),p), p-mulmod(zz1, x2, p),p);//R*(Q-X3)-S1*PPP\n\n return (x3, y3, zz3, zzz3);\n }\n\n/// @notice Calculate one modular square root of a given integer. 
Assume that p=3 mod 4.\n/// @dev Uses the ModExp precompiled contract at address 0x05 for fast computation using little Fermat theorem\n/// @param self The integer of which to find the modular inverse\n/// @return result The modular inverse of the input integer. If the modular inverse doesn't exist, it revert the tx\n\nfunction SqrtMod(uint256 self) internal view returns (uint256 result){\n assembly (\"memory-safe\") {\n // load the free memory pointer value\n let pointer := mload(0x40)\n\n // Define length of base (Bsize)\n mstore(pointer, 0x20)\n // Define the exponent size (Esize)\n mstore(add(pointer, 0x20), 0x20)\n // Define the modulus size (Msize)\n mstore(add(pointer, 0x40), 0x20)\n // Define variables base (B)\n mstore(add(pointer, 0x60), self)\n // Define the exponent (E)\n mstore(add(pointer, 0x80), pp1div4)\n // We save the point of the last argument, it will be override by the result\n // of the precompile call in order to avoid paying for the memory expansion properly\n let _result := add(pointer, 0xa0)\n // Define the modulus (M)\n mstore(_result, p)\n\n // Call the precompiled ModExp (0x05) https://www.evm.codes/precompiled#0x05\n if iszero(\n staticcall(\n not(0), // amount of gas to send\n MODEXP_PRECOMPILE, // target\n pointer, // argsOffset\n 0xc0, // argsSize (6 * 32 bytes)\n _result, // retOffset (we override M to avoid paying for the memory expansion)\n 0x20 // retSize (32 bytes)\n )\n ) { revert(0, 0) }\n\n result := mload(_result)\n// result :=addmod(result,0,p)\n }\n if(mulmod(result,result,p)!=self){\n result=_NOTSQUARE;\n }\n \n return result;\n}\n /**\n * /* @dev Convert from affine rep to XYZZ rep\n */\n function ecAff_SetZZ(uint256 x0, uint256 y0) internal pure returns (uint256[4] memory P) {\n unchecked {\n P[2] = 1; //ZZ\n P[3] = 1; //ZZZ\n P[0] = x0;\n P[1] = y0;\n }\n }\n\n function ec_Decompress(uint256 x, uint256 parity) internal view returns(uint256 y){ \n\n uint256 y2=mulmod(x,mulmod(x,x,p),p);//x3\n 
y2=addmod(b,addmod(y2,mulmod(x,a,p),p),p);//x3+ax+b\n\n y=SqrtMod(y2);\n if(y==_NOTSQUARE){\n return _NOTONCURVE;\n }\n if((y&1)!=(parity&1)){\n y=p-y;\n }\n }\n\n /**\n * /* @dev Convert from XYZZ rep to affine rep\n */\n /* https://hyperelliptic.org/EFD/g1p/auto-shortw-xyzz-3.html#addition-add-2008-s*/\n function ecZZ_SetAff(uint256 x, uint256 y, uint256 zz, uint256 zzz) internal view returns (uint256 x1, uint256 y1) {\n uint256 zzzInv = FCL_pModInv(zzz); //1/zzz\n y1 = mulmod(y, zzzInv, p); //Y/zzz\n uint256 _b = mulmod(zz, zzzInv, p); //1/z\n zzzInv = mulmod(_b, _b, p); //1/zz\n x1 = mulmod(x, zzzInv, p); //X/zz\n }\n\n /**\n * /* @dev Sutherland2008 doubling\n */\n /* The \"dbl-2008-s-1\" doubling formulas */\n\n function ecZZ_Dbl(uint256 x, uint256 y, uint256 zz, uint256 zzz)\n internal\n pure\n returns (uint256 P0, uint256 P1, uint256 P2, uint256 P3)\n {\n unchecked {\n assembly {\n P0 := mulmod(2, y, p) //U = 2*Y1\n P2 := mulmod(P0, P0, p) // V=U^2\n P3 := mulmod(x, P2, p) // S = X1*V\n P1 := mulmod(P0, P2, p) // W=UV\n P2 := mulmod(P2, zz, p) //zz3=V*ZZ1\n zz := mulmod(3, mulmod(addmod(x, sub(p, zz), p), addmod(x, zz, p), p), p) //M=3*(X1-ZZ1)*(X1+ZZ1)\n P0 := addmod(mulmod(zz, zz, p), mulmod(minus_2, P3, p), p) //X3=M^2-2S\n x := mulmod(zz, addmod(P3, sub(p, P0), p), p) //M(S-X3)\n P3 := mulmod(P1, zzz, p) //zzz3=W*zzz1\n P1 := addmod(x, sub(p, mulmod(P1, y, p)), p) //Y3= M(S-X3)-W*Y1\n }\n }\n return (P0, P1, P2, P3);\n }\n\n /**\n * @dev Sutherland2008 add a ZZ point with a normalized point and greedy formulae\n * warning: assume that P1(x1,y1)!=P2(x2,y2), true in multiplication loop with prime order (cofactor 1)\n */\n\n function ecZZ_AddN(uint256 x1, uint256 y1, uint256 zz1, uint256 zzz1, uint256 x2, uint256 y2)\n internal\n pure\n returns (uint256 P0, uint256 P1, uint256 P2, uint256 P3)\n {\n unchecked {\n if (y1 == 0) {\n return (x2, y2, 1, 1);\n }\n\n assembly {\n y1 := sub(p, y1)\n y2 := addmod(mulmod(y2, zzz1, p), y1, p)\n x2 := addmod(mulmod(x2, 
zz1, p), sub(p, x1), p)\n P0 := mulmod(x2, x2, p) //PP = P^2\n P1 := mulmod(P0, x2, p) //PPP = P*PP\n P2 := mulmod(zz1, P0, p) ////ZZ3 = ZZ1*PP\n P3 := mulmod(zzz1, P1, p) ////ZZZ3 = ZZZ1*PPP\n zz1 := mulmod(x1, P0, p) //Q = X1*PP\n P0 := addmod(addmod(mulmod(y2, y2, p), sub(p, P1), p), mulmod(minus_2, zz1, p), p) //R^2-PPP-2*Q\n P1 := addmod(mulmod(addmod(zz1, sub(p, P0), p), y2, p), mulmod(y1, P1, p), p) //R*(Q-X3)\n }\n //end assembly\n } //end unchecked\n return (P0, P1, P2, P3);\n }\n\n /**\n * @dev Return the zero curve in XYZZ coordinates.\n */\n function ecZZ_SetZero() internal pure returns (uint256 x, uint256 y, uint256 zz, uint256 zzz) {\n return (0, 0, 0, 0);\n }\n /**\n * @dev Check if point is the neutral of the curve\n */\n\n // uint256 x0, uint256 y0, uint256 zz0, uint256 zzz0\n function ecZZ_IsZero(uint256, uint256 y0, uint256, uint256) internal pure returns (bool) {\n return y0 == 0;\n }\n /**\n * @dev Return the zero curve in affine coordinates. Compatible with the double formulae (no special case)\n */\n\n function ecAff_SetZero() internal pure returns (uint256 x, uint256 y) {\n return (0, 0);\n }\n\n /**\n * @dev Check if the curve is the zero curve in affine rep.\n */\n // uint256 x, uint256 y)\n function ecAff_IsZero(uint256, uint256 y) internal pure returns (bool flag) {\n return (y == 0);\n }\n\n /**\n * @dev Check if a point in affine coordinates is on the curve (reject Neutral that is indeed on the curve).\n */\n function ecAff_isOnCurve(uint256 x, uint256 y) internal pure returns (bool) {\n if (x >= p || y >= p || ((x == 0) && (y == 0))) {\n return false;\n }\n unchecked {\n uint256 LHS = mulmod(y, y, p); // y^2\n uint256 RHS = addmod(mulmod(mulmod(x, x, p), x, p), mulmod(x, a, p), p); // x^3+ax\n RHS = addmod(RHS, b, p); // x^3 + a*x + b\n\n return LHS == RHS;\n }\n }\n\n /**\n * @dev Add two elliptic curve points in affine coordinates. 
Deal with P=Q\n */\n\n function ecAff_add(uint256 x0, uint256 y0, uint256 x1, uint256 y1) internal view returns (uint256, uint256) {\n uint256 zz0;\n uint256 zzz0;\n\n if (ecAff_IsZero(x0, y0)) return (x1, y1);\n if (ecAff_IsZero(x1, y1)) return (x0, y0);\n if((x0==x1)&&(y0==y1)) {\n (x0, y0, zz0, zzz0) = ecZZ_Dbl(x0, y0,1,1);\n }\n else{\n (x0, y0, zz0, zzz0) = ecZZ_AddN(x0, y0, 1, 1, x1, y1);\n }\n\n return ecZZ_SetAff(x0, y0, zz0, zzz0);\n }\n\n /**\n * @dev Computation of uG+vQ using Strauss-Shamir's trick, G basepoint, Q public key\n * Returns only x for ECDSA use \n * */\n function ecZZ_mulmuladd_S_asm(\n uint256 Q0,\n uint256 Q1, //affine rep for input point Q\n uint256 scalar_u,\n uint256 scalar_v\n ) internal view returns (uint256 X) {\n uint256 zz;\n uint256 zzz;\n uint256 Y;\n uint256 index = 255;\n uint256 H0;\n uint256 H1;\n\n unchecked {\n if (scalar_u == 0 && scalar_v == 0) return 0;\n\n (H0, H1) = ecAff_add(gx, gy, Q0, Q1); \n if((H0==0)&&(H1==0))//handling Q=-G\n {\n scalar_u=addmod(scalar_u, n-scalar_v, n);\n scalar_v=0;\n if (scalar_u == 0 && scalar_v == 0) return 0;\n }\n assembly {\n for { let T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1)) } eq(T4, 0) {\n index := sub(index, 1)\n T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n } {}\n zz := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n\n if eq(zz, 1) {\n X := gx\n Y := gy\n }\n if eq(zz, 2) {\n X := Q0\n Y := Q1\n }\n if eq(zz, 3) {\n X := H0\n Y := H1\n }\n\n index := sub(index, 1)\n zz := 1\n zzz := 1\n\n for {} gt(minus_1, index) { index := sub(index, 1) } {\n // inlined EcZZ_Dbl\n let T1 := mulmod(2, Y, p) //U = 2*Y1, y free\n let T2 := mulmod(T1, T1, p) // V=U^2\n let T3 := mulmod(X, T2, p) // S = X1*V\n T1 := mulmod(T1, T2, p) // W=UV\n let T4 := mulmod(3, mulmod(addmod(X, sub(p, zz), p), addmod(X, zz, p), p), p) //M=3*(X1-ZZ1)*(X1+ZZ1)\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, 
p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n T2 := mulmod(T4, addmod(X, sub(p, T3), p), p) //-M(S-X3)=M(X3-S)\n Y := addmod(mulmod(T1, Y, p), T2, p) //-Y3= W*Y1-M(S-X3), we replace Y by -Y to avoid a sub in ecAdd\n\n {\n //value of dibit\n T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n\n if iszero(T4) {\n Y := sub(p, Y) //restore the -Y inversion\n continue\n } // if T4!=0\n\n if eq(T4, 1) {\n T1 := gx\n T2 := gy\n }\n if eq(T4, 2) {\n T1 := Q0\n T2 := Q1\n }\n if eq(T4, 3) {\n T1 := H0\n T2 := H1\n }\n if iszero(zz) {\n X := T1\n Y := T2\n zz := 1\n zzz := 1\n continue\n }\n // inlined EcZZ_AddN\n\n //T3:=sub(p, Y)\n //T3:=Y\n let y2 := addmod(mulmod(T2, zzz, p), Y, p) //R\n T2 := addmod(mulmod(T1, zz, p), sub(p, X), p) //P\n\n //special extremely rare case accumulator where EcAdd is replaced by EcDbl, no need to optimize this\n //todo : construct edge vector case\n if iszero(y2) {\n if iszero(T2) {\n T1 := mulmod(minus_2, Y, p) //U = 2*Y1, y free\n T2 := mulmod(T1, T1, p) // V=U^2\n T3 := mulmod(X, T2, p) // S = X1*V\n\n T1 := mulmod(T1, T2, p) // W=UV\n y2 := mulmod(addmod(X, zz, p), addmod(X, sub(p, zz), p), p) //(X-ZZ)(X+ZZ)\n T4 := mulmod(3, y2, p) //M=3*(X-ZZ)(X+ZZ)\n\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n T2 := mulmod(T4, addmod(T3, sub(p, X), p), p) //M(S-X3)\n\n Y := addmod(T2, mulmod(T1, Y, p), p) //Y3= M(S-X3)-W*Y1\n\n continue\n }\n }\n\n T4 := mulmod(T2, T2, p) //PP\n let TT1 := mulmod(T4, T2, p) //PPP, this one could be spared, but adding this register spare gas\n zz := mulmod(zz, T4, p)\n zzz := mulmod(zzz, TT1, p) //zz3=V*ZZ1\n let TT2 := mulmod(X, T4, p)\n T4 := addmod(addmod(mulmod(y2, y2, p), sub(p, TT1), p), mulmod(minus_2, TT2, p), p)\n Y := addmod(mulmod(addmod(TT2, sub(p, T4), p), y2, p), mulmod(Y, TT1, p), p)\n\n X := T4\n }\n } 
//end loop\n let T := mload(0x40)\n mstore(add(T, 0x60), zz)\n //(X,Y)=ecZZ_SetAff(X,Y,zz, zzz);\n //T[0] = inverseModp_Hard(T[0], p); //1/zzz, inline modular inversion using precompile:\n // Define length of base, exponent and modulus. 0x20 == 32 bytes\n mstore(T, 0x20)\n mstore(add(T, 0x20), 0x20)\n mstore(add(T, 0x40), 0x20)\n // Define variables base, exponent and modulus\n //mstore(add(pointer, 0x60), u)\n mstore(add(T, 0x80), minus_2)\n mstore(add(T, 0xa0), p)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, T, 0xc0, T, 0x20)) { revert(0, 0) }\n\n //Y:=mulmod(Y,zzz,p)//Y/zzz\n //zz :=mulmod(zz, mload(T),p) //1/z\n //zz:= mulmod(zz,zz,p) //1/zz\n X := mulmod(X, mload(T), p) //X/zz\n } //end assembly\n } //end unchecked\n\n return X;\n }\n\n\n /**\n * @dev Computation of uG+vQ using Strauss-Shamir's trick, G basepoint, Q public key\n * Returns affine representation of point (normalized) \n * */\n function ecZZ_mulmuladd(\n uint256 Q0,\n uint256 Q1, //affine rep for input point Q\n uint256 scalar_u,\n uint256 scalar_v\n ) internal view returns (uint256 X, uint256 Y) {\n uint256 zz;\n uint256 zzz;\n uint256 index = 255;\n uint256[6] memory T;\n uint256[2] memory H;\n \n unchecked {\n if (scalar_u == 0 && scalar_v == 0) return (0,0);\n\n (H[0], H[1]) = ecAff_add(gx, gy, Q0, Q1); //will not work if Q=P, obvious forbidden private key\n\n assembly {\n for { let T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1)) } eq(T4, 0) {\n index := sub(index, 1)\n T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n } {}\n zz := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n\n if eq(zz, 1) {\n X := gx\n Y := gy\n }\n if eq(zz, 2) {\n X := Q0\n Y := Q1\n }\n if eq(zz, 3) {\n Y := mload(add(H,32))\n X := mload(H)\n }\n\n index := sub(index, 1)\n zz := 1\n zzz := 1\n\n for {} gt(minus_1, index) { index := sub(index, 1) } {\n // inlined EcZZ_Dbl\n let T1 := 
mulmod(2, Y, p) //U = 2*Y1, y free\n let T2 := mulmod(T1, T1, p) // V=U^2\n let T3 := mulmod(X, T2, p) // S = X1*V\n T1 := mulmod(T1, T2, p) // W=UV\n let T4 := mulmod(3, mulmod(addmod(X, sub(p, zz), p), addmod(X, zz, p), p), p) //M=3*(X1-ZZ1)*(X1+ZZ1)\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n T2 := mulmod(T4, addmod(X, sub(p, T3), p), p) //-M(S-X3)=M(X3-S)\n Y := addmod(mulmod(T1, Y, p), T2, p) //-Y3= W*Y1-M(S-X3), we replace Y by -Y to avoid a sub in ecAdd\n\n {\n //value of dibit\n T4 := add(shl(1, and(shr(index, scalar_v), 1)), and(shr(index, scalar_u), 1))\n\n if iszero(T4) {\n Y := sub(p, Y) //restore the -Y inversion\n continue\n } // if T4!=0\n\n if eq(T4, 1) {\n T1 := gx\n T2 := gy\n }\n if eq(T4, 2) {\n T1 := Q0\n T2 := Q1\n }\n if eq(T4, 3) {\n T1 := mload(H)\n T2 := mload(add(H,32))\n }\n if iszero(zz) {\n X := T1\n Y := T2\n zz := 1\n zzz := 1\n continue\n }\n // inlined EcZZ_AddN\n\n //T3:=sub(p, Y)\n //T3:=Y\n let y2 := addmod(mulmod(T2, zzz, p), Y, p) //R\n T2 := addmod(mulmod(T1, zz, p), sub(p, X), p) //P\n\n //special extremely rare case accumulator where EcAdd is replaced by EcDbl, no need to optimize this\n //todo : construct edge vector case\n if iszero(y2) {\n if iszero(T2) {\n T1 := mulmod(minus_2, Y, p) //U = 2*Y1, y free\n T2 := mulmod(T1, T1, p) // V=U^2\n T3 := mulmod(X, T2, p) // S = X1*V\n\n T1 := mulmod(T1, T2, p) // W=UV\n y2 := mulmod(addmod(X, zz, p), addmod(X, sub(p, zz), p), p) //(X-ZZ)(X+ZZ)\n T4 := mulmod(3, y2, p) //M=3*(X-ZZ)(X+ZZ)\n\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n T2 := mulmod(T4, addmod(T3, sub(p, X), p), p) //M(S-X3)\n\n Y := addmod(T2, mulmod(T1, Y, p), p) //Y3= M(S-X3)-W*Y1\n\n continue\n }\n }\n\n T4 := mulmod(T2, T2, p) //PP\n let TT1 := mulmod(T4, T2, p) //PPP, this one 
could be spared, but adding this register spare gas\n zz := mulmod(zz, T4, p)\n zzz := mulmod(zzz, TT1, p) //zz3=V*ZZ1\n let TT2 := mulmod(X, T4, p)\n T4 := addmod(addmod(mulmod(y2, y2, p), sub(p, TT1), p), mulmod(minus_2, TT2, p), p)\n Y := addmod(mulmod(addmod(TT2, sub(p, T4), p), y2, p), mulmod(Y, TT1, p), p)\n\n X := T4\n }\n } //end loop\n mstore(add(T, 0x60), zzz)\n //(X,Y)=ecZZ_SetAff(X,Y,zz, zzz);\n //T[0] = inverseModp_Hard(T[0], p); //1/zzz, inline modular inversion using precompile:\n // Define length of base, exponent and modulus. 0x20 == 32 bytes\n mstore(T, 0x20)\n mstore(add(T, 0x20), 0x20)\n mstore(add(T, 0x40), 0x20)\n // Define variables base, exponent and modulus\n //mstore(add(pointer, 0x60), u)\n mstore(add(T, 0x80), minus_2)\n mstore(add(T, 0xa0), p)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, T, 0xc0, T, 0x20)) { revert(0, 0) }\n\n Y:=mulmod(Y,mload(T),p)//Y/zzz\n zz :=mulmod(zz, mload(T),p) //1/z\n zz:= mulmod(zz,zz,p) //1/zz\n X := mulmod(X, zz, p) //X/zz\n } //end assembly\n } //end unchecked\n\n return (X,Y);\n }\n\n //8 dimensions Shamir's trick, using precomputations stored in Shamir8, stored as Bytecode of an external\n //contract at given address dataPointer\n //(thx to Lakhdar https://github.com/Kelvyne for EVM storage explanations and tricks)\n // the external tool to generate tables from public key is in the /sage directory\n function ecZZ_mulmuladd_S8_extcode(uint256 scalar_u, uint256 scalar_v, address dataPointer)\n internal view\n returns (uint256 X /*, uint Y*/ )\n {\n unchecked {\n uint256 zz; // third and coordinates of the point\n\n uint256[6] memory T;\n zz = 256; //start index\n\n while (T[0] == 0) {\n zz = zz - 1;\n //tbd case of msb octobit is null\n T[0] = 64\n * (\n 128 * ((scalar_v >> zz) & 1) + 64 * ((scalar_v >> (zz - 64)) & 1)\n + 32 * ((scalar_v >> (zz - 128)) & 1) + 16 * ((scalar_v >> (zz - 192)) & 1)\n + 8 * ((scalar_u >> zz) & 1) + 4 * ((scalar_u >> (zz - 64)) & 1)\n 
+ 2 * ((scalar_u >> (zz - 128)) & 1) + ((scalar_u >> (zz - 192)) & 1)\n );\n }\n assembly {\n extcodecopy(dataPointer, T, mload(T), 64)\n let index := sub(zz, 1)\n X := mload(T)\n let Y := mload(add(T, 32))\n let zzz := 1\n zz := 1\n\n //loop over 1/4 of scalars thx to Shamir's trick over 8 points\n for {} gt(index, 191) { index := add(index, 191) } {\n //inline Double\n {\n let TT1 := mulmod(2, Y, p) //U = 2*Y1, y free\n let T2 := mulmod(TT1, TT1, p) // V=U^2\n let T3 := mulmod(X, T2, p) // S = X1*V\n let T1 := mulmod(TT1, T2, p) // W=UV\n let T4 := mulmod(3, mulmod(addmod(X, sub(p, zz), p), addmod(X, zz, p), p), p) //M=3*(X1-ZZ1)*(X1+ZZ1)\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n //T2:=mulmod(T4,addmod(T3, sub(p, X),p),p)//M(S-X3)\n let T5 := mulmod(T4, addmod(X, sub(p, T3), p), p) //-M(S-X3)=M(X3-S)\n\n //Y:= addmod(T2, sub(p, mulmod(T1, Y ,p)),p )//Y3= M(S-X3)-W*Y1\n Y := addmod(mulmod(T1, Y, p), T5, p) //-Y3= W*Y1-M(S-X3), we replace Y by -Y to avoid a sub in ecAdd\n\n /* compute element to access in precomputed table */\n }\n {\n let T4 := add(shl(13, and(shr(index, scalar_v), 1)), shl(9, and(shr(index, scalar_u), 1)))\n let index2 := sub(index, 64)\n let T3 :=\n add(T4, add(shl(12, and(shr(index2, scalar_v), 1)), shl(8, and(shr(index2, scalar_u), 1))))\n let index3 := sub(index2, 64)\n let T2 :=\n add(T3, add(shl(11, and(shr(index3, scalar_v), 1)), shl(7, and(shr(index3, scalar_u), 1))))\n index := sub(index3, 64)\n let T1 :=\n add(T2, add(shl(10, and(shr(index, scalar_v), 1)), shl(6, and(shr(index, scalar_u), 1))))\n\n //tbd: check validity of formulae with (0,1) to remove conditional jump\n if iszero(T1) {\n Y := sub(p, Y)\n\n continue\n }\n extcodecopy(dataPointer, T, T1, 64)\n }\n\n {\n /* Access to precomputed table using extcodecopy hack */\n\n // inlined EcZZ_AddN\n if iszero(zz) {\n X := mload(T)\n Y := mload(add(T, 32))\n zz := 
1\n zzz := 1\n\n continue\n }\n\n let y2 := addmod(mulmod(mload(add(T, 32)), zzz, p), Y, p)\n let T2 := addmod(mulmod(mload(T), zz, p), sub(p, X), p)\n\n //special case ecAdd(P,P)=EcDbl\n if iszero(y2) {\n if iszero(T2) {\n let T1 := mulmod(minus_2, Y, p) //U = 2*Y1, y free\n T2 := mulmod(T1, T1, p) // V=U^2\n let T3 := mulmod(X, T2, p) // S = X1*V\n\n T1 := mulmod(T1, T2, p) // W=UV\n y2 := mulmod(addmod(X, zz, p), addmod(X, sub(p, zz), p), p) //(X-ZZ)(X+ZZ)\n let T4 := mulmod(3, y2, p) //M=3*(X-ZZ)(X+ZZ)\n\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n T2 := mulmod(T4, addmod(T3, sub(p, X), p), p) //M(S-X3)\n\n Y := addmod(T2, mulmod(T1, Y, p), p) //Y3= M(S-X3)-W*Y1\n\n continue\n }\n }\n\n let T4 := mulmod(T2, T2, p)\n let T1 := mulmod(T4, T2, p) //\n zz := mulmod(zz, T4, p)\n //zzz3=V*ZZ1\n zzz := mulmod(zzz, T1, p) // W=UV/\n let zz1 := mulmod(X, T4, p)\n X := addmod(addmod(mulmod(y2, y2, p), sub(p, T1), p), mulmod(minus_2, zz1, p), p)\n Y := addmod(mulmod(addmod(zz1, sub(p, X), p), y2, p), mulmod(Y, T1, p), p)\n }\n } //end loop\n mstore(add(T, 0x60), zz)\n\n //(X,Y)=ecZZ_SetAff(X,Y,zz, zzz);\n //T[0] = inverseModp_Hard(T[0], p); //1/zzz, inline modular inversion using precompile:\n // Define length of base, exponent and modulus. 
0x20 == 32 bytes\n mstore(T, 0x20)\n mstore(add(T, 0x20), 0x20)\n mstore(add(T, 0x40), 0x20)\n // Define variables base, exponent and modulus\n //mstore(add(pointer, 0x60), u)\n mstore(add(T, 0x80), minus_2)\n mstore(add(T, 0xa0), p)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, T, 0xc0, T, 0x20)) { revert(0, 0) }\n\n zz := mload(T)\n X := mulmod(X, zz, p) //X/zz\n }\n } //end unchecked\n }\n\n \n\n // improving the extcodecopy trick : append array at end of contract\n function ecZZ_mulmuladd_S8_hackmem(uint256 scalar_u, uint256 scalar_v, uint256 dataPointer)\n internal view\n returns (uint256 X /*, uint Y*/ )\n {\n uint256 zz; // third and coordinates of the point\n\n uint256[6] memory T;\n zz = 256; //start index\n\n unchecked {\n while (T[0] == 0) {\n zz = zz - 1;\n //tbd case of msb octobit is null\n T[0] = 64\n * (\n 128 * ((scalar_v >> zz) & 1) + 64 * ((scalar_v >> (zz - 64)) & 1)\n + 32 * ((scalar_v >> (zz - 128)) & 1) + 16 * ((scalar_v >> (zz - 192)) & 1)\n + 8 * ((scalar_u >> zz) & 1) + 4 * ((scalar_u >> (zz - 64)) & 1)\n + 2 * ((scalar_u >> (zz - 128)) & 1) + ((scalar_u >> (zz - 192)) & 1)\n );\n }\n assembly {\n codecopy(T, add(mload(T), dataPointer), 64)\n X := mload(T)\n let Y := mload(add(T, 32))\n let zzz := 1\n zz := 1\n\n //loop over 1/4 of scalars thx to Shamir's trick over 8 points\n for { let index := 254 } gt(index, 191) { index := add(index, 191) } {\n let T1 := mulmod(2, Y, p) //U = 2*Y1, y free\n let T2 := mulmod(T1, T1, p) // V=U^2\n let T3 := mulmod(X, T2, p) // S = X1*V\n T1 := mulmod(T1, T2, p) // W=UV\n let T4 := mulmod(3, mulmod(addmod(X, sub(p, zz), p), addmod(X, zz, p), p), p) //M=3*(X1-ZZ1)*(X1+ZZ1)\n zzz := mulmod(T1, zzz, p) //zzz3=W*zzz1\n zz := mulmod(T2, zz, p) //zz3=V*ZZ1, V free\n\n X := addmod(mulmod(T4, T4, p), mulmod(minus_2, T3, p), p) //X3=M^2-2S\n //T2:=mulmod(T4,addmod(T3, sub(p, X),p),p)//M(S-X3)\n T2 := mulmod(T4, addmod(X, sub(p, T3), p), p) //-M(S-X3)=M(X3-S)\n\n //Y:= 
addmod(T2, sub(p, mulmod(T1, Y ,p)),p )//Y3= M(S-X3)-W*Y1\n Y := addmod(mulmod(T1, Y, p), T2, p) //-Y3= W*Y1-M(S-X3), we replace Y by -Y to avoid a sub in ecAdd\n\n /* compute element to access in precomputed table */\n T4 := add(shl(13, and(shr(index, scalar_v), 1)), shl(9, and(shr(index, scalar_u), 1)))\n index := sub(index, 64)\n T4 := add(T4, add(shl(12, and(shr(index, scalar_v), 1)), shl(8, and(shr(index, scalar_u), 1))))\n index := sub(index, 64)\n T4 := add(T4, add(shl(11, and(shr(index, scalar_v), 1)), shl(7, and(shr(index, scalar_u), 1))))\n index := sub(index, 64)\n T4 := add(T4, add(shl(10, and(shr(index, scalar_v), 1)), shl(6, and(shr(index, scalar_u), 1))))\n //index:=add(index,192), restore index, interleaved with loop\n\n //tbd: check validity of formulae with (0,1) to remove conditional jump\n if iszero(T4) {\n Y := sub(p, Y)\n\n continue\n }\n {\n /* Access to precomputed table using extcodecopy hack */\n codecopy(T, add(T4, dataPointer), 64)\n\n // inlined EcZZ_AddN\n\n let y2 := addmod(mulmod(mload(add(T, 32)), zzz, p), Y, p)\n T2 := addmod(mulmod(mload(T), zz, p), sub(p, X), p)\n T4 := mulmod(T2, T2, p)\n T1 := mulmod(T4, T2, p)\n T2 := mulmod(zz, T4, p) // W=UV\n zzz := mulmod(zzz, T1, p) //zz3=V*ZZ1\n let zz1 := mulmod(X, T4, p)\n T4 := addmod(addmod(mulmod(y2, y2, p), sub(p, T1), p), mulmod(minus_2, zz1, p), p)\n Y := addmod(mulmod(addmod(zz1, sub(p, T4), p), y2, p), mulmod(Y, T1, p), p)\n zz := T2\n X := T4\n }\n } //end loop\n mstore(add(T, 0x60), zz)\n\n //(X,Y)=ecZZ_SetAff(X,Y,zz, zzz);\n //T[0] = inverseModp_Hard(T[0], p); //1/zzz, inline modular inversion using precompile:\n // Define length of base, exponent and modulus. 
0x20 == 32 bytes\n mstore(T, 0x20)\n mstore(add(T, 0x20), 0x20)\n mstore(add(T, 0x40), 0x20)\n // Define variables base, exponent and modulus\n //mstore(add(pointer, 0x60), u)\n mstore(add(T, 0x80), minus_2)\n mstore(add(T, 0xa0), p)\n\n // Call the precompiled contract 0x05 = ModExp\n if iszero(staticcall(not(0), 0x05, T, 0xc0, T, 0x20)) { revert(0, 0) }\n\n zz := mload(T)\n X := mulmod(X, zz, p) //X/zz\n }\n } //end unchecked\n }\n\n\n /**\n * @dev ECDSA verification using a precomputed table of multiples of P and Q stored in contract at address Shamir8\n * generation of contract bytecode for precomputations is done using sagemath code\n * (see sage directory, WebAuthn_precompute.sage)\n */\n\n /**\n * @dev ECDSA verification using a precomputed table of multiples of P and Q appended at end of contract at address endcontract\n * generation of contract bytecode for precomputations is done using sagemath code\n * (see sage directory, WebAuthn_precompute.sage)\n */\n\n function ecdsa_precomputed_hackmem(bytes32 message, uint256[2] calldata rs, uint256 endcontract)\n internal view\n returns (bool)\n {\n uint256 r = rs[0];\n uint256 s = rs[1];\n if (r == 0 || r >= n || s == 0 || s >= n) {\n return false;\n }\n /* Q is pushed via bytecode assumed to be correct\n if (!isOnCurve(Q[0], Q[1])) {\n return false;\n }*/\n\n uint256 sInv = FCL_nModInv(s);\n uint256 X;\n\n //Shamir 8 dimensions\n X = ecZZ_mulmuladd_S8_hackmem(mulmod(uint256(message), sInv, n), mulmod(r, sInv, n), endcontract);\n\n assembly {\n X := addmod(X, sub(n, r), n)\n }\n return X == 0;\n } //end ecdsa_precomputed_verify()\n\n\n\n} //EOF\n"
- },
- "lib/openzeppelin-contracts/contracts/utils/Base64.sol": {
- "content": "// SPDX-License-Identifier: MIT\n// OpenZeppelin Contracts (last updated v5.0.2) (utils/Base64.sol)\n\npragma solidity ^0.8.20;\n\n/**\n * @dev Provides a set of functions to operate with Base64 strings.\n */\nlibrary Base64 {\n /**\n * @dev Base64 Encoding/Decoding Table\n * See sections 4 and 5 of https://datatracker.ietf.org/doc/html/rfc4648\n */\n string internal constant _TABLE = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";\n string internal constant _TABLE_URL = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n\n /**\n * @dev Converts a `bytes` to its Bytes64 `string` representation.\n */\n function encode(bytes memory data) internal pure returns (string memory) {\n return _encode(data, _TABLE, true);\n }\n\n /**\n * @dev Converts a `bytes` to its Bytes64Url `string` representation.\n */\n function encodeURL(bytes memory data) internal pure returns (string memory) {\n return _encode(data, _TABLE_URL, false);\n }\n\n /**\n * @dev Internal table-agnostic conversion\n */\n function _encode(bytes memory data, string memory table, bool withPadding) private pure returns (string memory) {\n /**\n * Inspired by Brecht Devos (Brechtpd) implementation - MIT licence\n * https://github.com/Brechtpd/base64/blob/e78d9fd951e7b0977ddca77d92dc85183770daf4/base64.sol\n */\n if (data.length == 0) return \"\";\n\n // If padding is enabled, the final length should be `bytes` data length divided by 3 rounded up and then\n // multiplied by 4 so that it leaves room for padding the last chunk\n // - `data.length + 2` -> Round up\n // - `/ 3` -> Number of 3-bytes chunks\n // - `4 *` -> 4 characters for each chunk\n // If padding is disabled, the final length should be `bytes` data length multiplied by 4/3 rounded up as\n // opposed to when padding is required to fill the last chunk.\n // - `4 *` -> 4 characters for each chunk\n // - `data.length + 2` -> Round up\n // - `/ 3` -> Number of 3-bytes chunks\n uint256 resultLength 
= withPadding ? 4 * ((data.length + 2) / 3) : (4 * data.length + 2) / 3;\n\n string memory result = new string(resultLength);\n\n /// @solidity memory-safe-assembly\n assembly {\n // Prepare the lookup table (skip the first \"length\" byte)\n let tablePtr := add(table, 1)\n\n // Prepare result pointer, jump over length\n let resultPtr := add(result, 0x20)\n let dataPtr := data\n let endPtr := add(data, mload(data))\n\n // In some cases, the last iteration will read bytes after the end of the data. We cache the value, and\n // set it to zero to make sure no dirty bytes are read in that section.\n let afterPtr := add(endPtr, 0x20)\n let afterCache := mload(afterPtr)\n mstore(afterPtr, 0x00)\n\n // Run over the input, 3 bytes at a time\n for {\n\n } lt(dataPtr, endPtr) {\n\n } {\n // Advance 3 bytes\n dataPtr := add(dataPtr, 3)\n let input := mload(dataPtr)\n\n // To write each character, shift the 3 byte (24 bits) chunk\n // 4 times in blocks of 6 bits for each character (18, 12, 6, 0)\n // and apply logical AND with 0x3F to bitmask the least significant 6 bits.\n // Use this as an index into the lookup table, mload an entire word\n // so the desired character is in the least significant byte, and\n // mstore8 this least significant byte into the result and continue.\n\n mstore8(resultPtr, mload(add(tablePtr, and(shr(18, input), 0x3F))))\n resultPtr := add(resultPtr, 1) // Advance\n\n mstore8(resultPtr, mload(add(tablePtr, and(shr(12, input), 0x3F))))\n resultPtr := add(resultPtr, 1) // Advance\n\n mstore8(resultPtr, mload(add(tablePtr, and(shr(6, input), 0x3F))))\n resultPtr := add(resultPtr, 1) // Advance\n\n mstore8(resultPtr, mload(add(tablePtr, and(input, 0x3F))))\n resultPtr := add(resultPtr, 1) // Advance\n }\n\n // Reset the value that was cached\n mstore(afterPtr, afterCache)\n\n if withPadding {\n // When data `bytes` is not exactly 3 bytes long\n // it is padded with `=` characters at the end\n switch mod(mload(data), 3)\n case 1 {\n mstore8(sub(resultPtr, 
1), 0x3d)\n mstore8(sub(resultPtr, 2), 0x3d)\n }\n case 2 {\n mstore8(sub(resultPtr, 1), 0x3d)\n }\n }\n }\n\n return result;\n }\n}\n"
- },
- "lib/solady/src/utils/LibString.sol": {
- "content": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.4;\n\n/// @notice Library for converting numbers into strings and other string operations.\n/// @author Solady (https://github.com/vectorized/solady/blob/main/src/utils/LibString.sol)\n/// @author Modified from Solmate (https://github.com/transmissions11/solmate/blob/main/src/utils/LibString.sol)\n///\n/// @dev Note:\n/// For performance and bytecode compactness, most of the string operations are restricted to\n/// byte strings (7-bit ASCII), except where otherwise specified.\n/// Usage of byte string operations on charsets with runes spanning two or more bytes\n/// can lead to undefined behavior.\nlibrary LibString {\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* CUSTOM ERRORS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev The length of the output is too small to contain all the hex digits.\n error HexLengthInsufficient();\n\n /// @dev The length of the string is more than 32 bytes.\n error TooBigForSmallString();\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* CONSTANTS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev The constant returned when the `search` is not found in the string.\n uint256 internal constant NOT_FOUND = type(uint256).max;\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* DECIMAL OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns the base 10 decimal representation of `value`.\n function toString(uint256 value) internal pure returns (string memory str) {\n /// @solidity memory-safe-assembly\n assembly {\n // The maximum value of a uint256 contains 78 digits (1 byte per digit), but\n // we allocate 0xa0 bytes to keep the free memory pointer 32-byte word aligned.\n // We will need 1 word for the trailing zeros padding, 1 word for the length,\n // and 3 words for a maximum of 78 digits.\n 
str := add(mload(0x40), 0x80)\n // Update the free memory pointer to allocate.\n mstore(0x40, add(str, 0x20))\n // Zeroize the slot after the string.\n mstore(str, 0)\n\n // Cache the end of the memory to calculate the length later.\n let end := str\n\n let w := not(0) // Tsk.\n // We write the string from rightmost digit to leftmost digit.\n // The following is essentially a do-while loop that also handles the zero case.\n for { let temp := value } 1 {} {\n str := add(str, w) // `sub(str, 1)`.\n // Write the character to the pointer.\n // The ASCII index of the '0' character is 48.\n mstore8(str, add(48, mod(temp, 10)))\n // Keep dividing `temp` until zero.\n temp := div(temp, 10)\n if iszero(temp) { break }\n }\n\n let length := sub(end, str)\n // Move the pointer 32 bytes leftwards to make room for the length.\n str := sub(str, 0x20)\n // Store the length.\n mstore(str, length)\n }\n }\n\n /// @dev Returns the base 10 decimal representation of `value`.\n function toString(int256 value) internal pure returns (string memory str) {\n if (value >= 0) {\n return toString(uint256(value));\n }\n unchecked {\n str = toString(~uint256(value) + 1);\n }\n /// @solidity memory-safe-assembly\n assembly {\n // We still have some spare memory space on the left,\n // as we have allocated 3 words (96 bytes) for up to 78 digits.\n let length := mload(str) // Load the string length.\n mstore(str, 0x2d) // Store the '-' character.\n str := sub(str, 1) // Move back the string pointer by a byte.\n mstore(str, add(length, 1)) // Update the string length.\n }\n }\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* HEXADECIMAL OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns the hexadecimal representation of `value`,\n /// left-padded to an input length of `length` bytes.\n /// The output is prefixed with \"0x\" encoded using 2 hexadecimal digits per byte,\n /// giving a total length of `length * 2 + 2` bytes.\n 
/// Reverts if `length` is too small for the output to contain all the digits.\n function toHexString(uint256 value, uint256 length) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(value, length);\n /// @solidity memory-safe-assembly\n assembly {\n let strLength := add(mload(str), 2) // Compute the length.\n mstore(str, 0x3078) // Write the \"0x\" prefix.\n str := sub(str, 2) // Move the pointer.\n mstore(str, strLength) // Write the length.\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`,\n /// left-padded to an input length of `length` bytes.\n /// The output is prefixed with \"0x\" encoded using 2 hexadecimal digits per byte,\n /// giving a total length of `length * 2` bytes.\n /// Reverts if `length` is too small for the output to contain all the digits.\n function toHexStringNoPrefix(uint256 value, uint256 length)\n internal\n pure\n returns (string memory str)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // We need 0x20 bytes for the trailing zeros padding, `length * 2` bytes\n // for the digits, 0x02 bytes for the prefix, and 0x20 bytes for the length.\n // We add 0x20 to the total and round down to a multiple of 0x20.\n // (0x20 + 0x20 + 0x02 + 0x20) = 0x62.\n str := add(mload(0x40), and(add(shl(1, length), 0x42), not(0x1f)))\n // Allocate the memory.\n mstore(0x40, add(str, 0x20))\n // Zeroize the slot after the string.\n mstore(str, 0)\n\n // Cache the end to calculate the length later.\n let end := str\n // Store \"0123456789abcdef\" in scratch space.\n mstore(0x0f, 0x30313233343536373839616263646566)\n\n let start := sub(str, add(length, length))\n let w := not(1) // Tsk.\n let temp := value\n // We write the string from rightmost digit to leftmost digit.\n // The following is essentially a do-while loop that also handles the zero case.\n for {} 1 {} {\n str := add(str, w) // `sub(str, 2)`.\n mstore8(add(str, 1), mload(and(temp, 15)))\n mstore8(str, mload(and(shr(4, temp), 15)))\n temp := shr(8, 
temp)\n if iszero(xor(str, start)) { break }\n }\n\n if temp {\n mstore(0x00, 0x2194895a) // `HexLengthInsufficient()`.\n revert(0x1c, 0x04)\n }\n\n // Compute the string's length.\n let strLength := sub(end, str)\n // Move the pointer and write the length.\n str := sub(str, 0x20)\n mstore(str, strLength)\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output is prefixed with \"0x\" and encoded using 2 hexadecimal digits per byte.\n /// As address are 20 bytes long, the output will left-padded to have\n /// a length of `20 * 2 + 2` bytes.\n function toHexString(uint256 value) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(value);\n /// @solidity memory-safe-assembly\n assembly {\n let strLength := add(mload(str), 2) // Compute the length.\n mstore(str, 0x3078) // Write the \"0x\" prefix.\n str := sub(str, 2) // Move the pointer.\n mstore(str, strLength) // Write the length.\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output is prefixed with \"0x\".\n /// The output excludes leading \"0\" from the `toHexString` output.\n /// `0x00: \"0x0\", 0x01: \"0x1\", 0x12: \"0x12\", 0x123: \"0x123\"`.\n function toMinimalHexString(uint256 value) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(value);\n /// @solidity memory-safe-assembly\n assembly {\n let o := eq(byte(0, mload(add(str, 0x20))), 0x30) // Whether leading zero is present.\n let strLength := add(mload(str), 2) // Compute the length.\n mstore(add(str, o), 0x3078) // Write the \"0x\" prefix, accounting for leading zero.\n str := sub(add(str, o), 2) // Move the pointer, accounting for leading zero.\n mstore(str, sub(strLength, o)) // Write the length, accounting for leading zero.\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output excludes leading \"0\" from the `toHexStringNoPrefix` output.\n /// `0x00: \"0\", 0x01: \"1\", 0x12: \"12\", 0x123: \"123\"`.\n 
function toMinimalHexStringNoPrefix(uint256 value) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(value);\n /// @solidity memory-safe-assembly\n assembly {\n let o := eq(byte(0, mload(add(str, 0x20))), 0x30) // Whether leading zero is present.\n let strLength := mload(str) // Get the length.\n str := add(str, o) // Move the pointer, accounting for leading zero.\n mstore(str, sub(strLength, o)) // Write the length, accounting for leading zero.\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output is encoded using 2 hexadecimal digits per byte.\n /// As address are 20 bytes long, the output will left-padded to have\n /// a length of `20 * 2` bytes.\n function toHexStringNoPrefix(uint256 value) internal pure returns (string memory str) {\n /// @solidity memory-safe-assembly\n assembly {\n // We need 0x20 bytes for the trailing zeros padding, 0x20 bytes for the length,\n // 0x02 bytes for the prefix, and 0x40 bytes for the digits.\n // The next multiple of 0x20 above (0x20 + 0x20 + 0x02 + 0x40) is 0xa0.\n str := add(mload(0x40), 0x80)\n // Allocate the memory.\n mstore(0x40, add(str, 0x20))\n // Zeroize the slot after the string.\n mstore(str, 0)\n\n // Cache the end to calculate the length later.\n let end := str\n // Store \"0123456789abcdef\" in scratch space.\n mstore(0x0f, 0x30313233343536373839616263646566)\n\n let w := not(1) // Tsk.\n // We write the string from rightmost digit to leftmost digit.\n // The following is essentially a do-while loop that also handles the zero case.\n for { let temp := value } 1 {} {\n str := add(str, w) // `sub(str, 2)`.\n mstore8(add(str, 1), mload(and(temp, 15)))\n mstore8(str, mload(and(shr(4, temp), 15)))\n temp := shr(8, temp)\n if iszero(temp) { break }\n }\n\n // Compute the string's length.\n let strLength := sub(end, str)\n // Move the pointer and write the length.\n str := sub(str, 0x20)\n mstore(str, strLength)\n }\n }\n\n /// @dev Returns the hexadecimal 
representation of `value`.\n /// The output is prefixed with \"0x\", encoded using 2 hexadecimal digits per byte,\n /// and the alphabets are capitalized conditionally according to\n /// https://eips.ethereum.org/EIPS/eip-55\n function toHexStringChecksummed(address value) internal pure returns (string memory str) {\n str = toHexString(value);\n /// @solidity memory-safe-assembly\n assembly {\n let mask := shl(6, div(not(0), 255)) // `0b010000000100000000 ...`\n let o := add(str, 0x22)\n let hashed := and(keccak256(o, 40), mul(34, mask)) // `0b10001000 ... `\n let t := shl(240, 136) // `0b10001000 << 240`\n for { let i := 0 } 1 {} {\n mstore(add(i, i), mul(t, byte(i, hashed)))\n i := add(i, 1)\n if eq(i, 20) { break }\n }\n mstore(o, xor(mload(o), shr(1, and(mload(0x00), and(mload(o), mask)))))\n o := add(o, 0x20)\n mstore(o, xor(mload(o), shr(1, and(mload(0x20), and(mload(o), mask)))))\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output is prefixed with \"0x\" and encoded using 2 hexadecimal digits per byte.\n function toHexString(address value) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(value);\n /// @solidity memory-safe-assembly\n assembly {\n let strLength := add(mload(str), 2) // Compute the length.\n mstore(str, 0x3078) // Write the \"0x\" prefix.\n str := sub(str, 2) // Move the pointer.\n mstore(str, strLength) // Write the length.\n }\n }\n\n /// @dev Returns the hexadecimal representation of `value`.\n /// The output is encoded using 2 hexadecimal digits per byte.\n function toHexStringNoPrefix(address value) internal pure returns (string memory str) {\n /// @solidity memory-safe-assembly\n assembly {\n str := mload(0x40)\n\n // Allocate the memory.\n // We need 0x20 bytes for the trailing zeros padding, 0x20 bytes for the length,\n // 0x02 bytes for the prefix, and 0x28 bytes for the digits.\n // The next multiple of 0x20 above (0x20 + 0x20 + 0x02 + 0x28) is 0x80.\n mstore(0x40, add(str, 
0x80))\n\n // Store \"0123456789abcdef\" in scratch space.\n mstore(0x0f, 0x30313233343536373839616263646566)\n\n str := add(str, 2)\n mstore(str, 40)\n\n let o := add(str, 0x20)\n mstore(add(o, 40), 0)\n\n value := shl(96, value)\n\n // We write the string from rightmost digit to leftmost digit.\n // The following is essentially a do-while loop that also handles the zero case.\n for { let i := 0 } 1 {} {\n let p := add(o, add(i, i))\n let temp := byte(i, value)\n mstore8(add(p, 1), mload(and(temp, 15)))\n mstore8(p, mload(shr(4, temp)))\n i := add(i, 1)\n if eq(i, 20) { break }\n }\n }\n }\n\n /// @dev Returns the hex encoded string from the raw bytes.\n /// The output is encoded using 2 hexadecimal digits per byte.\n function toHexString(bytes memory raw) internal pure returns (string memory str) {\n str = toHexStringNoPrefix(raw);\n /// @solidity memory-safe-assembly\n assembly {\n let strLength := add(mload(str), 2) // Compute the length.\n mstore(str, 0x3078) // Write the \"0x\" prefix.\n str := sub(str, 2) // Move the pointer.\n mstore(str, strLength) // Write the length.\n }\n }\n\n /// @dev Returns the hex encoded string from the raw bytes.\n /// The output is encoded using 2 hexadecimal digits per byte.\n function toHexStringNoPrefix(bytes memory raw) internal pure returns (string memory str) {\n /// @solidity memory-safe-assembly\n assembly {\n let length := mload(raw)\n str := add(mload(0x40), 2) // Skip 2 bytes for the optional prefix.\n mstore(str, add(length, length)) // Store the length of the output.\n\n // Store \"0123456789abcdef\" in scratch space.\n mstore(0x0f, 0x30313233343536373839616263646566)\n\n let o := add(str, 0x20)\n let end := add(raw, length)\n\n for {} iszero(eq(raw, end)) {} {\n raw := add(raw, 1)\n mstore8(add(o, 1), mload(and(mload(raw), 15)))\n mstore8(o, mload(and(shr(4, mload(raw)), 15)))\n o := add(o, 2)\n }\n mstore(o, 0) // Zeroize the slot after the string.\n mstore(0x40, add(o, 0x20)) // Allocate the memory.\n }\n }\n\n 
/*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* RUNE STRING OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n /// @dev Returns the number of UTF characters in the string.\n function runeCount(string memory s) internal pure returns (uint256 result) {\n /// @solidity memory-safe-assembly\n assembly {\n if mload(s) {\n mstore(0x00, div(not(0), 255))\n mstore(0x20, 0x0202020202020202020202020202020202020202020202020303030304040506)\n let o := add(s, 0x20)\n let end := add(o, mload(s))\n for { result := 1 } 1 { result := add(result, 1) } {\n o := add(o, byte(0, mload(shr(250, mload(o)))))\n if iszero(lt(o, end)) { break }\n }\n }\n }\n }\n\n /// @dev Returns if this string is a 7-bit ASCII string.\n /// (i.e. all characters codes are in [0..127])\n function is7BitASCII(string memory s) internal pure returns (bool result) {\n /// @solidity memory-safe-assembly\n assembly {\n let mask := shl(7, div(not(0), 255))\n result := 1\n let n := mload(s)\n if n {\n let o := add(s, 0x20)\n let end := add(o, n)\n let last := mload(end)\n mstore(end, 0)\n for {} 1 {} {\n if and(mask, mload(o)) {\n result := 0\n break\n }\n o := add(o, 0x20)\n if iszero(lt(o, end)) { break }\n }\n mstore(end, last)\n }\n }\n }\n\n /*´:°•.°+.*•´.*:˚.°*.˚•´.°:°•.°•.*•´.*:˚.°*.˚•´.°:°•.°+.*•´.*:*/\n /* BYTE STRING OPERATIONS */\n /*.•°:°.´+˚.*°.˚:*.´•*.+°.•°:´*.´•*.•°.•°:°.´:•˚°.*°.˚:*.´+°.•*/\n\n // For performance and bytecode compactness, byte string operations are restricted\n // to 7-bit ASCII strings. 
All offsets are byte offsets, not UTF character offsets.\n // Usage of byte string operations on charsets with runes spanning two or more bytes\n // can lead to undefined behavior.\n\n /// @dev Returns `subject` all occurrences of `search` replaced with `replacement`.\n function replace(string memory subject, string memory search, string memory replacement)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let subjectLength := mload(subject)\n let searchLength := mload(search)\n let replacementLength := mload(replacement)\n\n subject := add(subject, 0x20)\n search := add(search, 0x20)\n replacement := add(replacement, 0x20)\n result := add(mload(0x40), 0x20)\n\n let subjectEnd := add(subject, subjectLength)\n if iszero(gt(searchLength, subjectLength)) {\n let subjectSearchEnd := add(sub(subjectEnd, searchLength), 1)\n let h := 0\n if iszero(lt(searchLength, 0x20)) { h := keccak256(search, searchLength) }\n let m := shl(3, sub(0x20, and(searchLength, 0x1f)))\n let s := mload(search)\n for {} 1 {} {\n let t := mload(subject)\n // Whether the first `searchLength % 32` bytes of\n // `subject` and `search` matches.\n if iszero(shr(m, xor(t, s))) {\n if h {\n if iszero(eq(keccak256(subject, searchLength), h)) {\n mstore(result, t)\n result := add(result, 1)\n subject := add(subject, 1)\n if iszero(lt(subject, subjectSearchEnd)) { break }\n continue\n }\n }\n // Copy the `replacement` one word at a time.\n for { let o := 0 } 1 {} {\n mstore(add(result, o), mload(add(replacement, o)))\n o := add(o, 0x20)\n if iszero(lt(o, replacementLength)) { break }\n }\n result := add(result, replacementLength)\n subject := add(subject, searchLength)\n if searchLength {\n if iszero(lt(subject, subjectSearchEnd)) { break }\n continue\n }\n }\n mstore(result, t)\n result := add(result, 1)\n subject := add(subject, 1)\n if iszero(lt(subject, subjectSearchEnd)) { break }\n }\n }\n\n let resultRemainder := result\n result := 
add(mload(0x40), 0x20)\n let k := add(sub(resultRemainder, result), sub(subjectEnd, subject))\n // Copy the rest of the string one word at a time.\n for {} lt(subject, subjectEnd) {} {\n mstore(resultRemainder, mload(subject))\n resultRemainder := add(resultRemainder, 0x20)\n subject := add(subject, 0x20)\n }\n result := sub(result, 0x20)\n let last := add(add(result, 0x20), k) // Zeroize the slot after the string.\n mstore(last, 0)\n mstore(0x40, add(last, 0x20)) // Allocate the memory.\n mstore(result, k) // Store the length.\n }\n }\n\n /// @dev Returns the byte index of the first location of `search` in `subject`,\n /// searching from left to right, starting from `from`.\n /// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.\n function indexOf(string memory subject, string memory search, uint256 from)\n internal\n pure\n returns (uint256 result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n for { let subjectLength := mload(subject) } 1 {} {\n if iszero(mload(search)) {\n if iszero(gt(from, subjectLength)) {\n result := from\n break\n }\n result := subjectLength\n break\n }\n let searchLength := mload(search)\n let subjectStart := add(subject, 0x20)\n\n result := not(0) // Initialize to `NOT_FOUND`.\n\n subject := add(subjectStart, from)\n let end := add(sub(add(subjectStart, subjectLength), searchLength), 1)\n\n let m := shl(3, sub(0x20, and(searchLength, 0x1f)))\n let s := mload(add(search, 0x20))\n\n if iszero(and(lt(subject, end), lt(from, subjectLength))) { break }\n\n if iszero(lt(searchLength, 0x20)) {\n for { let h := keccak256(add(search, 0x20), searchLength) } 1 {} {\n if iszero(shr(m, xor(mload(subject), s))) {\n if eq(keccak256(subject, searchLength), h) {\n result := sub(subject, subjectStart)\n break\n }\n }\n subject := add(subject, 1)\n if iszero(lt(subject, end)) { break }\n }\n break\n }\n for {} 1 {} {\n if iszero(shr(m, xor(mload(subject), s))) {\n result := sub(subject, subjectStart)\n break\n }\n 
subject := add(subject, 1)\n if iszero(lt(subject, end)) { break }\n }\n break\n }\n }\n }\n\n /// @dev Returns the byte index of the first location of `search` in `subject`,\n /// searching from left to right.\n /// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.\n function indexOf(string memory subject, string memory search)\n internal\n pure\n returns (uint256 result)\n {\n result = indexOf(subject, search, 0);\n }\n\n /// @dev Returns the byte index of the first location of `search` in `subject`,\n /// searching from right to left, starting from `from`.\n /// Returns `NOT_FOUND` (i.e. `type(uint256).max`) if the `search` is not found.\n function lastIndexOf(string memory subject, string memory search, uint256 from)\n internal\n pure\n returns (uint256 result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n for {} 1 {} {\n result := not(0) // Initialize to `NOT_FOUND`.\n let searchLength := mload(search)\n if gt(searchLength, mload(subject)) { break }\n let w := result\n\n let fromMax := sub(mload(subject), searchLength)\n if iszero(gt(fromMax, from)) { from := fromMax }\n\n let end := add(add(subject, 0x20), w)\n subject := add(add(subject, 0x20), from)\n if iszero(gt(subject, end)) { break }\n // As this function is not too often used,\n // we shall simply use keccak256 for smaller bytecode size.\n for { let h := keccak256(add(search, 0x20), searchLength) } 1 {} {\n if eq(keccak256(subject, searchLength), h) {\n result := sub(subject, add(end, 1))\n break\n }\n subject := add(subject, w) // `sub(subject, 1)`.\n if iszero(gt(subject, end)) { break }\n }\n break\n }\n }\n }\n\n /// @dev Returns the byte index of the first location of `search` in `subject`,\n /// searching from right to left.\n /// Returns `NOT_FOUND` (i.e. 
`type(uint256).max`) if the `search` is not found.\n function lastIndexOf(string memory subject, string memory search)\n internal\n pure\n returns (uint256 result)\n {\n result = lastIndexOf(subject, search, uint256(int256(-1)));\n }\n\n /// @dev Returns true if `search` is found in `subject`, false otherwise.\n function contains(string memory subject, string memory search) internal pure returns (bool) {\n return indexOf(subject, search) != NOT_FOUND;\n }\n\n /// @dev Returns whether `subject` starts with `search`.\n function startsWith(string memory subject, string memory search)\n internal\n pure\n returns (bool result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let searchLength := mload(search)\n // Just using keccak256 directly is actually cheaper.\n // forgefmt: disable-next-item\n result := and(\n iszero(gt(searchLength, mload(subject))),\n eq(\n keccak256(add(subject, 0x20), searchLength),\n keccak256(add(search, 0x20), searchLength)\n )\n )\n }\n }\n\n /// @dev Returns whether `subject` ends with `search`.\n function endsWith(string memory subject, string memory search)\n internal\n pure\n returns (bool result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let searchLength := mload(search)\n let subjectLength := mload(subject)\n // Whether `search` is not longer than `subject`.\n let withinRange := iszero(gt(searchLength, subjectLength))\n // Just using keccak256 directly is actually cheaper.\n // forgefmt: disable-next-item\n result := and(\n withinRange,\n eq(\n keccak256(\n // `subject + 0x20 + max(subjectLength - searchLength, 0)`.\n add(add(subject, 0x20), mul(withinRange, sub(subjectLength, searchLength))),\n searchLength\n ),\n keccak256(add(search, 0x20), searchLength)\n )\n )\n }\n }\n\n /// @dev Returns `subject` repeated `times`.\n function repeat(string memory subject, uint256 times)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let subjectLength := 
mload(subject)\n if iszero(or(iszero(times), iszero(subjectLength))) {\n subject := add(subject, 0x20)\n result := mload(0x40)\n let output := add(result, 0x20)\n for {} 1 {} {\n // Copy the `subject` one word at a time.\n for { let o := 0 } 1 {} {\n mstore(add(output, o), mload(add(subject, o)))\n o := add(o, 0x20)\n if iszero(lt(o, subjectLength)) { break }\n }\n output := add(output, subjectLength)\n times := sub(times, 1)\n if iszero(times) { break }\n }\n mstore(output, 0) // Zeroize the slot after the string.\n let resultLength := sub(output, add(result, 0x20))\n mstore(result, resultLength) // Store the length.\n // Allocate the memory.\n mstore(0x40, add(result, add(resultLength, 0x20)))\n }\n }\n }\n\n /// @dev Returns a copy of `subject` sliced from `start` to `end` (exclusive).\n /// `start` and `end` are byte offsets.\n function slice(string memory subject, uint256 start, uint256 end)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let subjectLength := mload(subject)\n if iszero(gt(subjectLength, end)) { end := subjectLength }\n if iszero(gt(subjectLength, start)) { start := subjectLength }\n if lt(start, end) {\n result := mload(0x40)\n let resultLength := sub(end, start)\n mstore(result, resultLength)\n subject := add(subject, start)\n let w := not(0x1f)\n // Copy the `subject` one word at a time, backwards.\n for { let o := and(add(resultLength, 0x1f), w) } 1 {} {\n mstore(add(result, o), mload(add(subject, o)))\n o := add(o, w) // `sub(o, 0x20)`.\n if iszero(o) { break }\n }\n // Zeroize the slot after the string.\n mstore(add(add(result, 0x20), resultLength), 0)\n // Allocate memory for the length and the bytes,\n // rounded up to a multiple of 32.\n mstore(0x40, add(result, and(add(resultLength, 0x3f), w)))\n }\n }\n }\n\n /// @dev Returns a copy of `subject` sliced from `start` to the end of the string.\n /// `start` is a byte offset.\n function slice(string memory subject, uint256 
start)\n internal\n pure\n returns (string memory result)\n {\n result = slice(subject, start, uint256(int256(-1)));\n }\n\n /// @dev Returns all the indices of `search` in `subject`.\n /// The indices are byte offsets.\n function indicesOf(string memory subject, string memory search)\n internal\n pure\n returns (uint256[] memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let subjectLength := mload(subject)\n let searchLength := mload(search)\n\n if iszero(gt(searchLength, subjectLength)) {\n subject := add(subject, 0x20)\n search := add(search, 0x20)\n result := add(mload(0x40), 0x20)\n\n let subjectStart := subject\n let subjectSearchEnd := add(sub(add(subject, subjectLength), searchLength), 1)\n let h := 0\n if iszero(lt(searchLength, 0x20)) { h := keccak256(search, searchLength) }\n let m := shl(3, sub(0x20, and(searchLength, 0x1f)))\n let s := mload(search)\n for {} 1 {} {\n let t := mload(subject)\n // Whether the first `searchLength % 32` bytes of\n // `subject` and `search` matches.\n if iszero(shr(m, xor(t, s))) {\n if h {\n if iszero(eq(keccak256(subject, searchLength), h)) {\n subject := add(subject, 1)\n if iszero(lt(subject, subjectSearchEnd)) { break }\n continue\n }\n }\n // Append to `result`.\n mstore(result, sub(subject, subjectStart))\n result := add(result, 0x20)\n // Advance `subject` by `searchLength`.\n subject := add(subject, searchLength)\n if searchLength {\n if iszero(lt(subject, subjectSearchEnd)) { break }\n continue\n }\n }\n subject := add(subject, 1)\n if iszero(lt(subject, subjectSearchEnd)) { break }\n }\n let resultEnd := result\n // Assign `result` to the free memory pointer.\n result := mload(0x40)\n // Store the length of `result`.\n mstore(result, shr(5, sub(resultEnd, add(result, 0x20))))\n // Allocate memory for result.\n // We allocate one more word, so this array can be recycled for {split}.\n mstore(0x40, add(resultEnd, 0x20))\n }\n }\n }\n\n /// @dev Returns a arrays of strings based on the 
`delimiter` inside of the `subject` string.\n function split(string memory subject, string memory delimiter)\n internal\n pure\n returns (string[] memory result)\n {\n uint256[] memory indices = indicesOf(subject, delimiter);\n /// @solidity memory-safe-assembly\n assembly {\n let w := not(0x1f)\n let indexPtr := add(indices, 0x20)\n let indicesEnd := add(indexPtr, shl(5, add(mload(indices), 1)))\n mstore(add(indicesEnd, w), mload(subject))\n mstore(indices, add(mload(indices), 1))\n let prevIndex := 0\n for {} 1 {} {\n let index := mload(indexPtr)\n mstore(indexPtr, 0x60)\n if iszero(eq(index, prevIndex)) {\n let element := mload(0x40)\n let elementLength := sub(index, prevIndex)\n mstore(element, elementLength)\n // Copy the `subject` one word at a time, backwards.\n for { let o := and(add(elementLength, 0x1f), w) } 1 {} {\n mstore(add(element, o), mload(add(add(subject, prevIndex), o)))\n o := add(o, w) // `sub(o, 0x20)`.\n if iszero(o) { break }\n }\n // Zeroize the slot after the string.\n mstore(add(add(element, 0x20), elementLength), 0)\n // Allocate memory for the length and the bytes,\n // rounded up to a multiple of 32.\n mstore(0x40, add(element, and(add(elementLength, 0x3f), w)))\n // Store the `element` into the array.\n mstore(indexPtr, element)\n }\n prevIndex := add(index, mload(delimiter))\n indexPtr := add(indexPtr, 0x20)\n if iszero(lt(indexPtr, indicesEnd)) { break }\n }\n result := indices\n if iszero(mload(delimiter)) {\n result := add(indices, 0x20)\n mstore(result, sub(mload(indices), 2))\n }\n }\n }\n\n /// @dev Returns a concatenated string of `a` and `b`.\n /// Cheaper than `string.concat()` and does not de-align the free memory pointer.\n function concat(string memory a, string memory b)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let w := not(0x1f)\n result := mload(0x40)\n let aLength := mload(a)\n // Copy `a` one word at a time, backwards.\n for { let o := and(add(aLength, 
0x20), w) } 1 {} {\n mstore(add(result, o), mload(add(a, o)))\n o := add(o, w) // `sub(o, 0x20)`.\n if iszero(o) { break }\n }\n let bLength := mload(b)\n let output := add(result, aLength)\n // Copy `b` one word at a time, backwards.\n for { let o := and(add(bLength, 0x20), w) } 1 {} {\n mstore(add(output, o), mload(add(b, o)))\n o := add(o, w) // `sub(o, 0x20)`.\n if iszero(o) { break }\n }\n let totalLength := add(aLength, bLength)\n let last := add(add(result, 0x20), totalLength)\n // Zeroize the slot after the string.\n mstore(last, 0)\n // Stores the length.\n mstore(result, totalLength)\n // Allocate memory for the length and the bytes,\n // rounded up to a multiple of 32.\n mstore(0x40, and(add(last, 0x1f), w))\n }\n }\n\n /// @dev Returns a copy of the string in either lowercase or UPPERCASE.\n /// WARNING! This function is only compatible with 7-bit ASCII strings.\n function toCase(string memory subject, bool toUpper)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let length := mload(subject)\n if length {\n result := add(mload(0x40), 0x20)\n subject := add(subject, 1)\n let flags := shl(add(70, shl(5, toUpper)), 0x3ffffff)\n let w := not(0)\n for { let o := length } 1 {} {\n o := add(o, w)\n let b := and(0xff, mload(add(subject, o)))\n mstore8(add(result, o), xor(b, and(shr(b, flags), 0x20)))\n if iszero(o) { break }\n }\n result := mload(0x40)\n mstore(result, length) // Store the length.\n let last := add(add(result, 0x20), length)\n mstore(last, 0) // Zeroize the slot after the string.\n mstore(0x40, add(last, 0x20)) // Allocate the memory.\n }\n }\n }\n\n /// @dev Returns a string from a small bytes32 string.\n /// `s` must be null-terminated, or behavior will be undefined.\n function fromSmallString(bytes32 s) internal pure returns (string memory result) {\n /// @solidity memory-safe-assembly\n assembly {\n result := mload(0x40)\n let n := 0\n for {} byte(n, s) { n := add(n, 1) } {} // Scan 
for '\\0'.\n mstore(result, n)\n let o := add(result, 0x20)\n mstore(o, s)\n mstore(add(o, n), 0)\n mstore(0x40, add(result, 0x40))\n }\n }\n\n /// @dev Returns the small string, with all bytes after the first null byte zeroized.\n function normalizeSmallString(bytes32 s) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n for {} byte(result, s) { result := add(result, 1) } {} // Scan for '\\0'.\n mstore(0x00, s)\n mstore(result, 0x00)\n result := mload(0x00)\n }\n }\n\n /// @dev Returns the string as a normalized null-terminated small string.\n function toSmallString(string memory s) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n result := mload(s)\n if iszero(lt(result, 33)) {\n mstore(0x00, 0xec92f9a3) // `TooBigForSmallString()`.\n revert(0x1c, 0x04)\n }\n result := shl(shl(3, sub(32, result)), mload(add(s, result)))\n }\n }\n\n /// @dev Returns a lowercased copy of the string.\n /// WARNING! This function is only compatible with 7-bit ASCII strings.\n function lower(string memory subject) internal pure returns (string memory result) {\n result = toCase(subject, false);\n }\n\n /// @dev Returns an UPPERCASED copy of the string.\n /// WARNING! This function is only compatible with 7-bit ASCII strings.\n function upper(string memory subject) internal pure returns (string memory result) {\n result = toCase(subject, true);\n }\n\n /// @dev Escapes the string to be used within HTML tags.\n function escapeHTML(string memory s) internal pure returns (string memory result) {\n /// @solidity memory-safe-assembly\n assembly {\n let end := add(s, mload(s))\n result := add(mload(0x40), 0x20)\n // Store the bytes of the packed offsets and strides into the scratch space.\n // `packed = (stride << 5) | offset`. Max offset is 20. 
Max stride is 6.\n mstore(0x1f, 0x900094)\n mstore(0x08, 0xc0000000a6ab)\n // Store \""&'<>\" into the scratch space.\n mstore(0x00, shl(64, 0x2671756f743b26616d703b262333393b266c743b2667743b))\n for {} iszero(eq(s, end)) {} {\n s := add(s, 1)\n let c := and(mload(s), 0xff)\n // Not in `[\"\\\"\",\"'\",\"&\",\"<\",\">\"]`.\n if iszero(and(shl(c, 1), 0x500000c400000000)) {\n mstore8(result, c)\n result := add(result, 1)\n continue\n }\n let t := shr(248, mload(c))\n mstore(result, mload(and(t, 0x1f)))\n result := add(result, shr(5, t))\n }\n let last := result\n mstore(last, 0) // Zeroize the slot after the string.\n result := mload(0x40)\n mstore(result, sub(last, add(result, 0x20))) // Store the length.\n mstore(0x40, add(last, 0x20)) // Allocate the memory.\n }\n }\n\n /// @dev Escapes the string to be used within double-quotes in a JSON.\n /// If `addDoubleQuotes` is true, the result will be enclosed in double-quotes.\n function escapeJSON(string memory s, bool addDoubleQuotes)\n internal\n pure\n returns (string memory result)\n {\n /// @solidity memory-safe-assembly\n assembly {\n let end := add(s, mload(s))\n result := add(mload(0x40), 0x20)\n if addDoubleQuotes {\n mstore8(result, 34)\n result := add(1, result)\n }\n // Store \"\\\\u0000\" in scratch space.\n // Store \"0123456789abcdef\" in scratch space.\n // Also, store `{0x08:\"b\", 0x09:\"t\", 0x0a:\"n\", 0x0c:\"f\", 0x0d:\"r\"}`.\n // into the scratch space.\n mstore(0x15, 0x5c75303030303031323334353637383961626364656662746e006672)\n // Bitmask for detecting `[\"\\\"\",\"\\\\\"]`.\n let e := or(shl(0x22, 1), shl(0x5c, 1))\n for {} iszero(eq(s, end)) {} {\n s := add(s, 1)\n let c := and(mload(s), 0xff)\n if iszero(lt(c, 0x20)) {\n if iszero(and(shl(c, 1), e)) {\n // Not in `[\"\\\"\",\"\\\\\"]`.\n mstore8(result, c)\n result := add(result, 1)\n continue\n }\n mstore8(result, 0x5c) // \"\\\\\".\n mstore8(add(result, 1), c)\n result := add(result, 2)\n continue\n }\n if iszero(and(shl(c, 1), 0x3700)) {\n 
// Not in `[\"\\b\",\"\\t\",\"\\n\",\"\\f\",\"\\d\"]`.\n mstore8(0x1d, mload(shr(4, c))) // Hex value.\n mstore8(0x1e, mload(and(c, 15))) // Hex value.\n mstore(result, mload(0x19)) // \"\\\\u00XX\".\n result := add(result, 6)\n continue\n }\n mstore8(result, 0x5c) // \"\\\\\".\n mstore8(add(result, 1), mload(add(c, 8)))\n result := add(result, 2)\n }\n if addDoubleQuotes {\n mstore8(result, 34)\n result := add(1, result)\n }\n let last := result\n mstore(last, 0) // Zeroize the slot after the string.\n result := mload(0x40)\n mstore(result, sub(last, add(result, 0x20))) // Store the length.\n mstore(0x40, add(last, 0x20)) // Allocate the memory.\n }\n }\n\n /// @dev Escapes the string to be used within double-quotes in a JSON.\n function escapeJSON(string memory s) internal pure returns (string memory result) {\n result = escapeJSON(s, false);\n }\n\n /// @dev Returns whether `a` equals `b`.\n function eq(string memory a, string memory b) internal pure returns (bool result) {\n /// @solidity memory-safe-assembly\n assembly {\n result := eq(keccak256(add(a, 0x20), mload(a)), keccak256(add(b, 0x20), mload(b)))\n }\n }\n\n /// @dev Returns whether `a` equals `b`, where `b` is a null-terminated small string.\n function eqs(string memory a, bytes32 b) internal pure returns (bool result) {\n /// @solidity memory-safe-assembly\n assembly {\n // These should be evaluated on compile time, as far as possible.\n let m := not(shl(7, div(not(iszero(b)), 255))) // `0x7f7f ...`.\n let x := not(or(m, or(b, add(m, and(b, m)))))\n let r := shl(7, iszero(iszero(shr(128, x))))\n r := or(r, shl(6, iszero(iszero(shr(64, shr(r, x))))))\n r := or(r, shl(5, lt(0xffffffff, shr(r, x))))\n r := or(r, shl(4, lt(0xffff, shr(r, x))))\n r := or(r, shl(3, lt(0xff, shr(r, x))))\n // forgefmt: disable-next-item\n result := gt(eq(mload(a), add(iszero(x), xor(31, shr(3, r)))),\n xor(shr(add(8, r), b), shr(add(8, r), mload(add(a, 0x20)))))\n }\n }\n\n /// @dev Packs a single string with its length 
into a single word.\n /// Returns `bytes32(0)` if the length is zero or greater than 31.\n function packOne(string memory a) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n // We don't need to zero right pad the string,\n // since this is our own custom non-standard packing scheme.\n result :=\n mul(\n // Load the length and the bytes.\n mload(add(a, 0x1f)),\n // `length != 0 && length < 32`. Abuses underflow.\n // Assumes that the length is valid and within the block gas limit.\n lt(sub(mload(a), 1), 0x1f)\n )\n }\n }\n\n /// @dev Unpacks a string packed using {packOne}.\n /// Returns the empty string if `packed` is `bytes32(0)`.\n /// If `packed` is not an output of {packOne}, the output behavior is undefined.\n function unpackOne(bytes32 packed) internal pure returns (string memory result) {\n /// @solidity memory-safe-assembly\n assembly {\n // Grab the free memory pointer.\n result := mload(0x40)\n // Allocate 2 words (1 for the length, 1 for the bytes).\n mstore(0x40, add(result, 0x40))\n // Zeroize the length slot.\n mstore(result, 0)\n // Store the length and bytes.\n mstore(add(result, 0x1f), packed)\n // Right pad with zeroes.\n mstore(add(add(result, 0x20), mload(result)), 0)\n }\n }\n\n /// @dev Packs two strings with their lengths into a single word.\n /// Returns `bytes32(0)` if combined length is zero or greater than 30.\n function packTwo(string memory a, string memory b) internal pure returns (bytes32 result) {\n /// @solidity memory-safe-assembly\n assembly {\n let aLength := mload(a)\n // We don't need to zero right pad the strings,\n // since this is our own custom non-standard packing scheme.\n result :=\n mul(\n // Load the length and the bytes of `a` and `b`.\n or(\n shl(shl(3, sub(0x1f, aLength)), mload(add(a, aLength))),\n mload(sub(add(b, 0x1e), aLength))\n ),\n // `totalLength != 0 && totalLength < 31`. 
Abuses underflow.\n // Assumes that the lengths are valid and within the block gas limit.\n lt(sub(add(aLength, mload(b)), 1), 0x1e)\n )\n }\n }\n\n /// @dev Unpacks strings packed using {packTwo}.\n /// Returns the empty strings if `packed` is `bytes32(0)`.\n /// If `packed` is not an output of {packTwo}, the output behavior is undefined.\n function unpackTwo(bytes32 packed)\n internal\n pure\n returns (string memory resultA, string memory resultB)\n {\n /// @solidity memory-safe-assembly\n assembly {\n // Grab the free memory pointer.\n resultA := mload(0x40)\n resultB := add(resultA, 0x40)\n // Allocate 2 words for each string (1 for the length, 1 for the byte). Total 4 words.\n mstore(0x40, add(resultB, 0x40))\n // Zeroize the length slots.\n mstore(resultA, 0)\n mstore(resultB, 0)\n // Store the lengths and bytes.\n mstore(add(resultA, 0x1f), packed)\n mstore(add(resultB, 0x1f), mload(add(add(resultA, 0x20), mload(resultA))))\n // Right pad with zeroes.\n mstore(add(add(resultA, 0x20), mload(resultA)), 0)\n mstore(add(add(resultB, 0x20), mload(resultB)), 0)\n }\n }\n\n /// @dev Directly returns `a` without copying.\n function directReturn(string memory a) internal pure {\n assembly {\n // Assumes that the string does not start from the scratch space.\n let retStart := sub(a, 0x20)\n let retSize := add(mload(a), 0x40)\n // Right pad with zeroes. Just in case the string is produced\n // by a method that doesn't zero right pad.\n mstore(add(retStart, retSize), 0)\n // Store the return offset.\n mstore(retStart, 0x20)\n // End the transaction, returning the string.\n return(retStart, retSize)\n }\n }\n}\n"
- }
- },
- "settings": {
- "remappings": [
- "@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/",
- "FreshCryptoLib/=lib/webauthn-sol/lib/FreshCryptoLib/solidity/src/",
- "account-abstraction/=lib/account-abstraction/contracts/",
- "ds-test/=lib/forge-std/lib/ds-test/src/",
- "erc4626-tests/=lib/openzeppelin-contracts/lib/erc4626-tests/",
- "forge-std/=lib/forge-std/src/",
- "openzeppelin-contracts/=lib/openzeppelin-contracts/",
- "p256-verifier/=lib/p256-verifier/",
- "safe-singleton-deployer-sol/=lib/safe-singleton-deployer-sol/",
- "solady/=lib/solady/src/",
- "webauthn-sol/=lib/webauthn-sol/src/"
- ],
- "optimizer": {
- "enabled": true,
- "runs": 9999999
- },
- "metadata": {
- "useLiteralContent": false,
- "bytecodeHash": "ipfs",
- "appendCBOR": true
- },
- "outputSelection": {
- "*": {
- "*": [
- "evm.bytecode",
- "evm.deployedBytecode",
- "abi"
- ]
- }
- },
- "evmVersion": "paris",
- "viaIR": false,
- "libraries": {}
- }
- }}
Contract sourced from Etherscan. Solidity version v0.8.23+commit.f704f362.
Panoramix decompilation
# Palkeoramix decompiler.

def storage:
  stor3608 is uint256 at storage 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc

def _fallback(?) payable: # default function
  delegate stor3608 with:
     funct call.data[return_data.size len 4]
       gas gas_remaining wei
      args call.data[return_data.size + 4 len calldata.size - 4]
  if not delegate.return_code:
      revert with ext_call.return_data[0 len return_data.size]
  return ext_call.return_data[0 len return_data.size]
Decompilation generated by Panoramix.
Raw bytecode
0x363d3d373d3d363d7f360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc545af43d6000803e6038573d6000fd5b3d6000f3