Contracts V2

[vgeddes]

Tasks:

• V2 types
• V2 inbound messaging
• V2 outbound messaging
• Refactor to support both V1 & V2
• Re-implement native token registration for V2 & Kusama compatibility
• Auto-wrap ether for Ethereum->Polkadot
• Auto-unwrap ether for Polkadot->Ethereum
• Generate encoded XCM fragments for token registration
• Split IGateway into IGatewayV1 and IGatewayV2
• Remove duplicated error definitions scattered throughout code
• Unit tests
• Code documentation

[codecov]

Codecov Report

Attention: Patch coverage is 51.76152% with 178 lines in your changes missing coverage. Please review.

Please upload report for BASE (v2@6d11768). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
contracts/src/Gateway.sol	27.04%	88 Missing and 1 partial ⚠️
contracts/src/v2/Calls.sol	0.00%	50 Missing ⚠️
contracts/src/v2/Handlers.sol	0.00%	21 Missing ⚠️
contracts/src/Functions.sol	80.95%	8 Missing ⚠️
contracts/src/v1/Calls.sol	90.90%	5 Missing ⚠️
contracts/src/AgentExecutor.sol	0.00%	3 Missing ⚠️
contracts/src/upgrades/polkadot/Gateway202411.sol	33.33%	2 Missing ⚠️

Additional details and impacted files

@@          Coverage Diff          @@
##             v2    #1300   +/-   ##
=====================================
  Coverage      ?   60.22%           
=====================================
  Files         ?       23           
  Lines         ?      714           
  Branches      ?      120           
=====================================
  Hits          ?      430           
  Misses        ?      275           
  Partials      ?        9           

Flag	Coverage Δ
solidity	60.22% <51.76%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[yrong]

Since we know agent of asset-hub do exists in production. Is this check nessessary?

[vgeddes]

Yeah the check is not necessary, I'll add a TODO.

[yrong]

Cool, A lot more simple now!

With ticket.xcm does that mean for V2 there is no need to construct xcm on chain any more?

UI will build the xcm and it's the responsibility of relayer to validate the xcm and check the relay is profitable or not.

On BH we just decode the xcm with

VersionedXcm::<()>::decode_with_depth_limit(
    MAX_XCM_DECODE_DEPTH,
    &mut data,
)

and forward it to AH transparently.

[vgeddes]

Yeah, exactly.

Though for registration of native tokens, we need to control the XCM and so we need to build it on chain. See more details in 149c3e4.

[yrong]

Though for registration of native tokens, control the XCM and so we need to build it on chain

Still not sure fully understand why ticket.assets is required here, why not just build the xcm off chain?

@vgeddes I've removed the MessageConverter completely in yrong/polkadot-sdk#3 which I'd assume is not in use any more, correct me if I'm wrong.

[vgeddes]

Still not sure fully understand why ticket.assets is required here, why not just build the xcm off chain?

When the message gets to BH, we convert the payload.assets to instructions like ReserveAssetDeposited,etc, and then append the instructions in payload.xcm.

Or in other words, BH builds final XCM using:

finalXCM = concat(
assets_to_xcm(payload.asssets),
UniversalOrigin(Ethereum)
DescendOrigin(payload.origin)
payload.xcm
)

We can't trust the user to build the entire xcm offchain as they could mint any assets they want. Rather, they can only supply a fragment of the xcm.

[yrong]

We can't trust the user to build the entire xcm offchain as they could mint any assets they want.

Yeah, that make sense.

Instead of convert the assets to xcm, can we just do some basic check on BH to verify the xcm is constructed correctly based upon the assets? e.g.

ensure!(xcm contains DescendOrigin(payload.origin))
ensure!(xcm contains ReserveAssetDeposited(asset)|WithdrawAsset(asset)) // Depends on the transfer type is ENA or PNA
...

So the point here is on chain we do validate rather than construct.

[yrong]

Btw: for transfer I'm not sure DescendOrigin(userOrigin) make sense. For PNA we need to burn the asset locked in Ethereum sovereign on AH. IIUC that's why we change origin to UniversalOrigin(GlobalConsensus(network)) before WithdrawAsset here.

[alistair-singh]

So the point here is on chain we do validate rather than construct.

The issue with this approach is that the validation needs to happen on the Ethereum side in order to do this right. The actual locking/unlocking/minting/burning of tokens occurs on the Ethereum side in solidity, which must match the Assets section of the XCM. If the validation happens on BH or in a relayer, and we reject the message, it is too late because we have already changed the state on the Ethereum side. This is why it is better to build the assets section of the XCM on BH to match what was done on the Ethereum side.

Related comment here: yrong/polkadot-sdk#3 (comment)

[yrong]

it is too late because we have already changed the state on the Ethereum side

Just curious what will happen in this case. Is this something acceptable assuming we will implement error handing mechanism any way? The message with errored xcm will get trapped on BH and we allow end user to edit/repair it?

Something like we allow user to add fee for message pending from Substrate to Ethereum direction, assuming there is no relayer who will pick it up if it's not profitable.

[alistair-singh]

Just curious what will happen in this case. Is this something acceptable assuming we will implement error handing mechanism any way?

I think if the message is queued and if the message is profitable, than once submitted to BH we should not fail for any reason (such as validating the xcm for example) and we should try to always push the assets to AH where they can get trapped if the user passes invalid xcm. And we should trust that we constrain the origin to stop users from doing things that they cannot within the xcm, instead of validating.

[yrong]

should it also be in IGateway.sol? Meanwhile we may need another function isRelayed(nonce) to check if the nonce has been relayed.

[vgeddes]

Good catch!

[yrong]

Gas is uint64.

[alistair-singh]

Maybe test the bits around the set bit to make sure they remain unset.

Suggested change

	assertEq(bitmap.get(384), true);
	assertEq(bitmap.get(383), false);
	assertEq(bitmap.get(384), true);
	assertEq(bitmap.get(385), false);

[alistair-singh]

So the point here is on chain we do validate rather than construct.

The issue with this approach is that the validation needs to happen on the Ethereum side in order to do this right. The actual locking/unlocking/minting/burning of tokens occurs on the Ethereum side in solidity, which must match the Assets section of the XCM. If the validation happens on BH or in a relayer, and we reject the message, it is too late because we have already changed the state on the Ethereum side. This is why it is better to build the assets section of the XCM on BH to match what was done on the Ethereum side.

Related comment here: yrong/polkadot-sdk#3 (comment)

[alistair-singh]

Maybe we should introduce a Network Enum here as a destination parameter, instead of having 2 registers methods. The network can simply contain the Polkadot networks.
https://github.com/paritytech/polkadot-sdk/blob/master/polkadot/xcm/src/v4/junction.rs/#L125

[alistair-singh]

Hardcoded WETH_ADDRESS?

[vgeddes]

yeah, why would it need to be mutable?

[vgeddes]

Oh, I see, for Ethereum testnets, WETH will have a different address. got it. 👍

[alistair-singh]

I think we should add a MultiAddress parameter that can be the asset claimer. If provided then we can use this account with the SetClaimer XCM instruction. If it is zero/empty address then we SetClaimer to the origin(msg.sender).

[yrong]

Would it be better to store the delivery status on chain? e.g:

mapping(uint64 nonce => DeliveryStatus) public nonces;
struct DeliveryStatus {
    uint64 blockNumber;
    bool result;
}

With the blockNumber it's easy for relayer to filter this event efficiently when submit the delivery proof.

[vgeddes]

That's a good point Ron. Though there are some simplifying assumptions which I think allow us to save 20000 gas by not storing that status on-chain.

The plan I had in mind was that the relayer who calls v2_submit is also responsible for sending delivery proof back to BH. Since this relayer witnessed the result for v2_submit it can generate a proof for InboundMessageDispatched, and there isn't a need for additional metadata on-chain.

For other cases when the delivery proof could not be sent back immediately, we could create a command in snowbridge-relay that queries for InboundMessageDispatched(rewardAddress=X) against some public ethereum node or event indexer, and sends the delivery proofs for the matching events.

I will make a rewardAddress an indexed event parameter, which allows this query to be much faster to execute.

[yrong]

7187bf3

[yrong]

would suggest to rename as InboundMessageV2 or conflict error when generate go bindings.

 > mage build
2024/10/28 15:53:26 INFO: Skipped ssz generated object: relays/beacon/state/beacon_encoding.go
2024/10/28 15:53:26 INFO: Skipped ssz generated object: relays/beacon/state/beacon_deneb_encoding.go
# github.com/snowfork/snowbridge/relayer/contracts
contracts/gateway.go:47:6: InboundMessage redeclared in this block
	contracts/gateway.go:40:6: other declaration of InboundMessage
Error: running "go build -o build/snowbridge-relay main.go" failed with exit code 1

[yrong]

af374a6 FYI

[yrong]

Should add view keyword here.

2e8d519

[alistair-singh]

Just a thought on registration while thinking about our Security model. Kusama token registration can be built as a separate contract on top of the gateway.

The implementation of a contract called KusamaRegistration, that can build the registration Transact call onchain, and then submit it to the gateway.

On BH we would decend origin to that Location so the origin would be { parents:2 interior: X2(Ethreum{chain_id:1}, KusamaRegistration)}.

This origin would be forwarded to AHK using AliasOrigin, and can be used secure the register extrinsic on the foreignAssets pallet on AHK. This is currently how we secure token registration now on AHP, using the gateway contracts origin (Snowbridge Sovereign).

Upgrade would be just deploying a new version of the KusamaRegistration contract and then updating the origin which is allowed to call register on AHK. And it would be separate from the Gateway.

[claravanstaden]

Nice!

I was wondering if it would be feasible to add Transact support in this release, given that all the building blocks are there?

[claravanstaden]

Probably don't need this anymore, since we have already dropped the operator on mainnet?

[claravanstaden]

Nice! Seems like these para IDs are the same on all the environments now anyway.

[claravanstaden]

So we essentially disable creating new channels?

[claravanstaden]

How come this is constrained to v1? Would it not stay the same for v2?

[claravanstaden]

Why is there an extra layer of functions for these commands? Wouldn't it be fine to use HandlersV1.createAgent(data); directly in https://github.com/Snowfork/snowbridge/pull/1300/files#diff-74470ba8f35b42dbc8805739e92708c0696343e0b1819feb3e7a5ebb77cc623cR168?

[yrong]

try / catch can only catch errors from external function calls.

[claravanstaden]

How do you calculate this? Comment about it might be useful.

[claravanstaden]

nit: File should probably be for Westend now that Rococo is deprecated.

[claravanstaden]

Suggested change

	// Convert foreign currency to native currency (ROC/KSM/DOT -> ETH)
	// Convert foreign currency to native currency (WND/PAS/KSM/DOT -> ETH)

[claravanstaden]

Won't we just just derive the account from the origin on BH?

[yrong]

It's different. The origin in InboundMessage is derived from account on source chain, while the rewardAddress is account of the relayer for accepting reward.