fix(protocol)!: add message owner parameter to vault operations

[Brechtpd]

Addresses #15740 (comment)

There's now a separate owner on both the source (srcOwner) and destination chain (destOwner). This is necessary because the srcOwner (msg.sender) that does the bridge operation on the source chain may not own the same address on the destination chain. That's where destOwner comes in, that's an address on the destination chain that the srcOwner also needs to control. So we have to be careful to only use srcOwner on the source chain and destChain on the destination chain to make sure the message owner actually does have access to the message on both chains as expected.

Please also double check that srcOwner is only used on the source chain, and destOwner is only used on the destination chain.

Summary by CodeRabbit

• New Features
  • Introduced distinctions between source and destination owners in various contracts to enhance clarity and functionality.
• Refactor
  • Updated contract logic and events to accommodate the separation of srcOwner and destOwner.
  • Modified message processing and token transfer operations to reflect owner distinctions.
• Bug Fixes
  • Corrected permissions and gas limit checks to ensure they are based on the appropriate owner roles.

[dantaik]

@KorbinianK @cyberhorsey @xiaodino please also review this PR as there is a minor breaking change that bridge shall be aware of.

[Brechtpd]

Oh was double checking the owner use, and recall still uses message.owner on the source chain, message.owner should only be used on the destination chain. Will fix.

[Brechtpd]

Fixed, but please also double check that srcOwner is only used on the source chain, and destOwner is only used on the destination chain.

[dantaik]

Fixed, but please also double check that srcOwner is only used on the source chain, and destOwner is only used on the destination chain.

Doubled checked, looks good.

[coderabbitai]

Walkthrough

The recent updates focus on enhancing clarity and flexibility in handling ownership across blockchain bridges. By differentiating between srcOwner and destOwner, the protocol now more accurately represents the roles of message senders and recipients across chains. This distinction allows for more precise control and verification, particularly in cross-chain operations, improving security and user experience in bridge transactions and token vault interactions.

Changes

Files	Change Summary
.../L1/libs/LibProving.sol	Introduced flexibility for future prover address changes; removed specific comments.
.../bridge/Bridge.sol, .../bridge/IBridge.sol	Enhanced clarity and control by distinguishing between srcOwner and destOwner.
.../tokenvault/BaseNFTVault.sol, .../tokenvault/ERC1155Vault.sol, .../tokenvault/ERC20Vault.sol, .../tokenvault/ERC721Vault.sol	Added destOwner and updated owner references to srcOwner and destOwner for clearer ownership handling.
.../genesis/GenerateGenesis.g.sol, .../test/...	Adjusted test and genesis generation scripts to align with the new ownership structure.

🐇💬
Changes abound, in code we trust,
Across the chains, through bytes and dust.
From source to dest, the owners split,
A bridge more robust, with every bit.
🌉➡️🌍
So hop along, no time to dwell,
In blockchain realms, where ledgers swell.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository from git and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[coderabbitai]

Review Status

Actionable comments generated: 4

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between a401622 and 44e6ffa.

Files selected for processing (12)

• packages/protocol/contracts/L1/libs/LibProving.sol (2 hunks)
• packages/protocol/contracts/bridge/Bridge.sol (10 hunks)
• packages/protocol/contracts/bridge/IBridge.sol (1 hunks)
• packages/protocol/contracts/tokenvault/BaseNFTVault.sol (1 hunks)
• packages/protocol/contracts/tokenvault/ERC1155Vault.sol (3 hunks)
• packages/protocol/contracts/tokenvault/ERC20Vault.sol (4 hunks)
• packages/protocol/contracts/tokenvault/ERC721Vault.sol (3 hunks)
• packages/protocol/genesis/GenerateGenesis.g.sol (2 hunks)
• packages/protocol/test/bridge/Bridge.t.sol (8 hunks)
• packages/protocol/test/tokenvault/ERC1155Vault.t.sol (14 hunks)
• packages/protocol/test/tokenvault/ERC20Vault.t.sol (7 hunks)
• packages/protocol/test/tokenvault/ERC721Vault.t.sol (14 hunks)

Additional comments: 65

packages/protocol/contracts/tokenvault/BaseNFTVault.sol (1)

• 38-39: The addition of destOwner in the BridgeTransferOp struct aligns with the PR objectives to differentiate between source and destination owners. Ensure that this field is utilized correctly in all relevant operations.

packages/protocol/contracts/tokenvault/ERC721Vault.sol (4)

• 58-59: Correctly replaced message.owner with message.srcOwner and added message.destOwner. This change aligns with the PR objectives for distinguishing between source and destination owners.
• 73-73: Ensure that the TokenSent event correctly logs message.srcOwner as the sender. This change is consistent with the updated logic for handling source and destination owners.
• 137-138: Correctly using message.srcOwner for token transfers back to the owner in the onMessageRecalled function. This aligns with the PR's objective of correctly identifying the source owner.
• 142-142: The TokenReleased event correctly logs message.srcOwner as the sender, aligning with the updated logic for handling source and destination owners.

packages/protocol/contracts/tokenvault/ERC1155Vault.sol (4)

• 68-69: Correctly replaced message.owner with message.srcOwner and added message.destOwner. This change aligns with the PR objectives for distinguishing between source and destination owners.
• 85-85: Ensure that the TokenSent event correctly logs message.srcOwner as the sender. This change is consistent with the updated logic for handling source and destination owners.
• 156-157: Correctly using message.srcOwner for token transfers back to the owner in the onMessageRecalled function. This aligns with the PR's objective of correctly identifying the source owner.
• 162-162: The TokenReleased event correctly logs message.srcOwner as the sender, aligning with the updated logic for handling source and destination owners.

packages/protocol/genesis/GenerateGenesis.g.sol (2)

• 163-164: The addition of srcOwner and destOwner in the bridgeProxy.processMessage call aligns with the PR objectives. Ensure that these fields are utilized correctly in all relevant operations within the contract.
• 189-190: The addition of srcOwner and destOwner in the bridgeProxy.processMessage call within the expectRevert block aligns with the PR objectives. Ensure that these fields are utilized correctly in all relevant operations within the contract.

packages/protocol/contracts/tokenvault/ERC20Vault.sol (5)

• 43-43: Addition of destOwner in BridgeTransferOp struct aligns with the PR objective to differentiate between source and destination owners.
• 190-191: The logic to default destOwner to msg.sender if not provided is correctly implemented, ensuring backward compatibility and flexibility.
• 205-205: Event TokenSent correctly includes _message.srcOwner to reflect the source owner in event emissions, aligning with the changes made.
• 267-268: In onMessageRecalled, using message.srcOwner for token transfer ensures that the tokens are returned to the correct source owner upon message recall.
• 272-272: The TokenReleased event correctly logs message.srcOwner as the source of the token release, maintaining consistency with the updated logic.

packages/protocol/test/tokenvault/ERC20Vault.t.sol (7)

• 179-179: The addition of address(0) as destOwner in BridgeTransferOp function call correctly reflects the contract changes in tests.
• 195-195: Including address(0) as destOwner in this test case is consistent with the contract modifications, ensuring the tests remain valid.
• 215-215: The inclusion of address(0) as destOwner in the BridgeTransferOp function call is correctly applied, aligning with the updated contract logic.
• 232-232: Correctly adding address(0) as destOwner in the BridgeTransferOp function call for this test case reflects the necessary adjustments for the contract changes.
• 258-258: The inclusion of address(0) as destOwner in the BridgeTransferOp function call is appropriate, ensuring the test aligns with the contract's updated logic.
• 270-272: Adding address(0) as destOwner in the BridgeTransferOp function call is correctly implemented, reflecting the contract changes in the test.
• 453-453: Including address(0) as destOwner in the BridgeTransferOp function call for this test case is consistent with the contract modifications, ensuring the test remains valid.

packages/protocol/contracts/L1/libs/LibProving.sol (1)

• 156-156: Separating msgSender to allow the prover to be any address in the future enhances flexibility in proof verification, aligning with potential protocol evolution.

packages/protocol/contracts/bridge/Bridge.sol (7)

• 140-142: Ensure validation for srcOwner and destOwner being non-zero addresses is correctly implemented to prevent operations from uninitialized addresses.
• 243-243: Clarification needed: The comment suggests any address can call processMessage, but the logic restricts certain operations to destOwner. Ensure this is intentional and correctly implemented.
• 278-278: Using msg.sender as preferredExecutor when gasLimit is 0 might not align with the intended logic, especially if destOwner is expected to be the executor in such cases. Review this logic for consistency.
• 293-293: The condition to allow only destOwner to process the message when gasLimit is 0 is correctly implemented, aligning with the PR objectives.
• 323-323: Correctly determining the refund recipient based on message.refundTo being zero or not aligns with expected functionality.
• 344-344: The comment correctly indicates that retryMessage can be called by any address, including destOwner, aligning with the PR objectives.
• 360-362: The logic to enforce destOwner as the caller for specific conditions is correctly implemented, ensuring secure operation as per PR objectives.

packages/protocol/test/bridge/Bridge.t.sol (8)

• 132-133: Correctly updating test cases to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.
• 170-171: Correctly updating test cases to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.
• 227-228: Correctly updating test cases to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.
• 279-280: Correctly updating test cases to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.
• 317-318: Correctly updating test cases to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.
• 594-599: Correctly using destOwner for retrying messages aligns with the PR objectives, ensuring only the rightful owner can perform retries under specific conditions.
• 666-667: The test setup correctly reflects the changes made to the IBridge.Message struct, ensuring tests are aligned with the updated contract logic.
• 696-697: Correctly updating helper function newMessage to use srcOwner and destOwner instead of a single owner aligns with the PR objectives.

packages/protocol/test/tokenvault/ERC721Vault.t.sol (12)

• 248-248: The address(0) parameter is used as a placeholder for srcOwner or destOwner. Ensure this aligns with the intended logic of differentiating between source and destination owners in cross-chain operations. If address(0) is meant to represent a non-existent or default owner, consider documenting this explicitly in the code to avoid confusion.
• 277-286: The use of address(0) for both the token address and srcOwner/destOwner in a test case designed to fail due to an invalid token address is appropriate. However, ensure that the test case's intent is clearly documented, especially the reason for using address(0) as the token address, to maintain readability and understandability of the test suite.
• 306-306: Using address(0) as a placeholder for srcOwner or destOwner in a test case designed to fail due to an invalid amount is consistent with the PR's objectives. However, ensure that the test case's purpose and the use of address(0) are well-documented for clarity.
• 338-338: The addition of address(0) in this context seems to follow the pattern established in previous changes. Ensure that its use is consistent with the intended logic for handling srcOwner and destOwner and that any assumptions or implications of using address(0) are clearly documented.
• 391-391: The use of address(0) here follows the established pattern. Confirm that this is the intended usage for differentiating between srcOwner and destOwner in the context of this test case, and ensure that the rationale behind using address(0) is documented.
• 439-439: Consistency in using address(0) for srcOwner or destOwner is observed. As before, ensure that the use of address(0) is intentional and documented, especially in the context of this test case which seems to simulate a second bridging operation.
• 482-482: The addition of address(0) in this test case, which involves sending tokens along with ether, is noted. Verify that address(0) is used correctly as per the PR's objectives and document its use to maintain clarity in the test suite.
• 541-541: Using address(0) in the context of a message recall test case is consistent with previous changes. Ensure that this usage aligns with the intended differentiation between srcOwner and destOwner and that the choice of address(0) is documented.
• 582-582: The use of address(0) in a test case involving multiple tokens is observed. Confirm that this usage is consistent with the PR's objectives and ensure that the rationale behind using address(0) is clearly documented.
• 637-637: The addition of address(0) in this test case, which seems to simulate a bridging operation where the owner changes, is noted. Ensure that the use of address(0) is intentional and aligns with the PR's objectives, and document its purpose.
• 736-736: Using address(0) in a test case designed to simulate a scenario where the original owner cannot claim the bridged token if sold is appropriate. Confirm that this aligns with the intended logic and document the use of address(0) for clarity.
• 820-820: The use of address(0) in a test case for upgrading bridged tokens is consistent with the pattern established in previous changes. Ensure that this usage is intentional and documented, especially in the context of testing contract upgrades.

packages/protocol/test/tokenvault/ERC1155Vault.t.sol (14)

• 240-249: The BridgeTransferOp struct initialization correctly updates parameters to reflect the intended changes. However, ensure that the destChainId and Alice as srcOwner and destOwner align with the PR objectives of differentiating between source and destination owners.
• 272-281: The BridgeTransferOp struct initialization with address(0) as the token address correctly simulates an invalid token scenario. This is a good test case for ensuring the contract handles invalid token addresses as expected.
• 302-311: The BridgeTransferOp struct initialization with amounts[0] = 0 correctly simulates a scenario with zero tokens being transferred. This test case is important for ensuring the contract correctly handles attempts to transfer zero tokens.
• 335-344: The BridgeTransferOp struct initialization in this test case is similar to the first one reviewed. It's used to test receiving tokens from a newly deployed bridged contract on the destination chain. Ensure that the test setup and assertions accurately reflect the scenario being tested, including the correct handling of destChainId and ownership parameters.
• 399-408: This BridgeTransferOp struct initialization is part of a test case for receiving tokens but not deploying a new bridged contract if it's the second time tokens are bridged. The setup appears correct for the intended test scenario. Ensure that the test assertions validate the expected behavior, especially regarding the non-deployment of a new contract on subsequent token transfers.
• 452-461: The BridgeTransferOp struct initialization here is used to test bridging tokens back but with a different owner. Ensure that the test case accurately reflects scenarios where ownership might change on the destination chain and that the contract logic correctly handles such cases.
• 506-515: The BridgeTransferOp struct initialization includes David as the destination owner, testing the scenario where tokens and ether are sent to a different owner on the destination chain. This test case is important for ensuring that the contract correctly handles transfers involving ether and changes in ownership.
• 569-578: The BridgeTransferOp struct initialization is part of a test case for the onMessageRecalled functionality. Ensure that the test setup and assertions accurately reflect the scenario being tested, including the correct handling of token returns upon message recall.
• 613-622: This BridgeTransferOp struct initialization is used to test receiving multiple ERC1155 tokens. Ensure that the test case accurately reflects scenarios of multiple token transfers and that the contract logic and assertions validate the expected behavior.
• 678-687: Similar to a previous comment, this BridgeTransferOp struct initialization tests bridging back tokens when the owner has changed. Ensure that the test case and assertions accurately reflect and validate the intended behavior, especially regarding ownership changes on the destination chain.
• 737-746: The BridgeTransferOp struct initialization here tests bridging back tokens with a different owner, specifically focusing on the scenario where Bob, as the new owner, bridges the tokens back. Ensure that the test case accurately reflects this scenario and that the contract logic correctly handles such ownership changes.
• 792-801: This BridgeTransferOp struct initialization is part of a test case for ensuring that the original owner cannot claim tokens anymore if they have been sold on the destination chain. This is an important test for validating ownership logic and transfer restrictions.
• 851-860: The BridgeTransferOp struct initialization here attempts to bridge back tokens under the original owner's name after they've been sold, expecting a revert. This test case is crucial for ensuring the contract enforces ownership correctly and prevents unauthorized token claims.
• 882-891: The BridgeTransferOp struct initialization is part of a test case for upgrading bridged tokens. Ensure that the test setup, including the contract upgrade process, accurately reflects the scenario being tested and that the assertions validate the upgrade's success.

[coderabbitai]

Directly sending Ether using sendEther without checking the success of the operation can lead to silent failures. Consider using a safer pattern like call with proper error handling.

[coderabbitai]

The logic to determine gasLimit based on the caller being destOwner or not seems inverted. It should use the specified gasLimit if msg.sender is destOwner, otherwise use gasleft().

- uint256 gasLimit = msg.sender == message.destOwner ? gasleft() : message.gasLimit;
+ uint256 gasLimit = msg.sender == message.destOwner ? message.gasLimit : gasleft();

---

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	uint256 gasLimit = msg.sender == message.destOwner ? gasleft() : message.gasLimit;
	uint256 gasLimit = msg.sender == message.destOwner ? message.gasLimit : gasleft();

[coderabbitai]

Ensure the new srcOwner and destOwner fields are properly documented to clarify their roles in cross-chain operations.

[coderabbitai]

Clarify in the comment for refundTo that it refers to an address on the destination chain, enhancing understanding for future developers.