Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
4381242
feat(token): add native shielded token standard
0xisk Jun 19, 2026
5b00332
fix(token): make native shielded token build
0xisk Jun 19, 2026
3a03211
refactor(multisig): group modules into subdirs
0xisk Jun 22, 2026
df3a57a
refactor(multisig): remove legacy SignerManager module
0xisk Jun 22, 2026
ab066db
refactor(multisig): rename Signer module to SignerManager
0xisk Jun 22, 2026
9e9f1d6
feat(token): make supply an opt-in extension
0xisk Jun 23, 2026
9ed588c
refactor(multisig): regroup into examples and root primitives
0xisk Jun 24, 2026
c9dd117
refactor(multisig): split signer manager by scheme
0xisk Jun 24, 2026
23aa9d2
fix(multisig): keep private forwarder commitment domain within 32 bytes
0xisk Jun 25, 2026
2c24853
refactor(multisig): defer forwarder example wrappers to preset branch
0xisk Jun 25, 2026
3b1e138
test(multisig): collapse per-contract witnesses into shared EmptyWitn…
0xisk Jun 25, 2026
5fcd7d5
test(multisig): cover example modules and rename verifier to EcdsaSig…
0xisk Jun 25, 2026
21b1da3
test(multisig): realign forwarder module tests with renamed asserts
0xisk Jun 25, 2026
8ff1812
refactor(multisig): defer presets to a follow-up branch
0xisk Jun 25, 2026
5b79878
test(multisig): add NativeShieldedTreasuryStateless coverage
0xisk Jun 25, 2026
8da5a2e
Merge branch 'feat/native-shielded-token-supply' into feat/native-shi…
0xisk Jun 25, 2026
fbd9bad
feat(multisig): add shielded token preset
0xisk Jun 25, 2026
6ecbb5e
refactor(multisig): move examples to integration
0xisk Jun 25, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
220 changes: 220 additions & 0 deletions contracts/src/multisig/EcdsaSignerManager.compact
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
// SPDX-License-Identifier: MIT
// OpenZeppelin Compact Contracts v0.2.0 (multisig/EcdsaSignerManager.compact)

pragma language_version >= 0.23.0;

/**
* @module EcdsaSignerManager
* @description ECDSA signature scheme manager — the signer entrance examples
* import for ECDSA-authorized multisig. Wraps the general `SignerManager<Bytes<32>>`
* registry and adds threshold ECDSA-commitment verification on top of it.
*
* Signers are identified on-chain by commitments — `persistentHash` of an ECDSA
* public key with an instance salt and a domain separator — held in one
* `SignerManager<Bytes<32>>`. `verify` checks a parallel vector of public keys
* and signatures in a single transaction: each key is hashed into a commitment,
* checked for membership and duplicates, and its signature validated, with the
* valid count folded against the threshold.
*
* This is the ECDSA member of the per-scheme manager family. Compact cannot make
* `verify` generic over a signature scheme, so each scheme is its own manager (a
* future `SchnorrSignerManager` is a sibling) that wraps the same general
* `SignerManager` registry. Caller-authorized contracts that need no signature
* verification use `SignerManager<T>` directly (see `examples/ProposalTreasury`).
*
* The registry state (signer set, count, threshold) lives in one place — the
* underlying `SignerManager<Bytes<32>>` — and every `<#n>` circuit reads it, so
* the signer count is a single source of truth. Composing modules import the
* same `../EcdsaSignerManager` path so they share that one registry.
*
* @notice ECDSA verification is stubbed (`stubVerifySignature` always returns
* true). Replace it with `ecdsaVerify` once the Compact ECDSA primitive is
* available.
*
* @notice Duplicate detection compares each commitment against the previous one
* only, which is sufficient for at most 2 signers. Larger signer sets need a
* different uniqueness mechanism (sorted commitments or a bitmap).
*/
module EcdsaSignerManager {
import CompactStandardLibrary;
import "./SignerManager"<Bytes<32>> prefix Signer_;

// ─── Types ──────────────────────────────────────────────────────

/**
* @description Accumulator for fold-based signature verification. Threads the
* valid count, previous commitment (for duplicate detection), and message hash
* through each iteration.
*/
export struct VerificationState {
validCount: Uint<8>,
prevCommitment: Bytes<32>,
msgHash: Bytes<32>
}

/**
* @description Input to `persistentHash` for computing signer commitments.
* Combines the ECDSA public key with an instance-specific salt and a domain
* separator to produce a unique, unlinkable commitment.
*/
export struct SignerCommitmentInput {
pk: Bytes<64>,
salt: Bytes<32>,
domain: Bytes<32>
}

// ─── State ──────────────────────────────────────────────────────

export ledger _instanceSalt: Bytes<32>;

// ─── Setup ──────────────────────────────────────────────────────

/**
* @description Initializes the commitment signer registry and the instance
* salt. Should be called once from the consuming contract's constructor.
*
* @param {Bytes<32>} salt - Cryptographically random instance salt.
* @param {Vector<n, Bytes<32>>} signers - The signer commitments.
* @param {Uint<8>} thresh - The minimum number of approvals required.
* @returns {[]} Empty tuple.
*/
export circuit initialize<#n>(
salt: Bytes<32>,
signers: Vector<n, Bytes<32>>,
thresh: Uint<8>
): [] {
_instanceSalt = disclose(salt);
Signer_initialize<n>(signers, thresh);
}

// ─── Verification ───────────────────────────────────────────────

/**
* @description Verifies a parallel vector of public keys and signatures and
* asserts the threshold is met. Each key is hashed into a commitment, checked
* for duplicates and registry membership, and its signature validated against
* `msgHash`; the valid count is then checked against the threshold.
*
* @notice Duplicate detection is correct for at most 2 signers (see module
* notice).
*
* Requirements:
*
* - Every public key must hash to a registered signer commitment.
* - Every signature must be valid over `msgHash`.
* - Signers must not be duplicates.
* - Valid count must meet the threshold.
*
* @param {Bytes<32>} msgHash - The message hash signers signed off-chain.
* @param {Vector<n, Bytes<64>>} pubkeys - ECDSA public keys of approving signers.
* @param {Vector<n, Bytes<64>>} signatures - Signatures over `msgHash`.
* @returns {[]} Empty tuple.
*/
export circuit verify<#n>(
msgHash: Bytes<32>,
pubkeys: Vector<n, Bytes<64>>,
signatures: Vector<n, Bytes<64>>
): [] {
const initialState = VerificationState {
validCount: 0 as Uint<8>,
prevCommitment: pad(32, ""),
msgHash: msgHash
};

const finalState = fold(verifySignature, initialState, pubkeys, signatures);
Signer_assertThresholdMet(finalState.validCount);
}

/**
* @description Computes a signer commitment from an ECDSA public key. Pure —
* callable off-chain by the deployer to compute the constructor commitments.
*
* The commitment is `persistentHash(pk, salt, "multisig:signer:")`, where the
* salt is instance-specific (prevents cross-contract correlation) and the
* domain provides separation.
*
* @param {Bytes<64>} pk - The ECDSA public key.
* @param {Bytes<32>} salt - The instance salt.
* @returns {Bytes<32>} The signer commitment.
*/
export pure circuit _calculateSignerId(pk: Bytes<64>, salt: Bytes<32>): Bytes<32> {
return persistentHash<SignerCommitmentInput>(SignerCommitmentInput {
pk: pk,
salt: salt,
domain: pad(32, "multisig:signer:")
});
}

// ─── View ───────────────────────────────────────────────────────

/**
* @description Returns the number of registered signers.
* @returns {Uint<8>} The signer count.
*/
export circuit getSignerCount(): Uint<8> {
return Signer_getSignerCount();
}

/**
* @description Returns the approval threshold.
* @returns {Uint<8>} The threshold.
*/
export circuit getThreshold(): Uint<8> {
return Signer_getThreshold();
}

/**
* @description Returns whether the given commitment is a registered signer.
* @param {Bytes<32>} account - The commitment to check.
* @returns {Boolean} True if registered.
*/
export circuit isSigner(account: Bytes<32>): Boolean {
return Signer_isSigner(account);
}

// ─── Internal ───────────────────────────────────────────────────

/**
* @description Fold callback. Verifies one signer's approval: derives the
* commitment, rejects duplicates against the previous commitment, checks
* registry membership, and validates the signature.
*
* @param {VerificationState} state - Accumulator threaded through fold.
* @param {Bytes<64>} pubkey - The signer's ECDSA public key.
* @param {Bytes<64>} signature - The signer's signature over `msgHash`.
* @returns {VerificationState} Updated accumulator.
*/
circuit verifySignature(
state: VerificationState,
pubkey: Bytes<64>,
signature: Bytes<64>
): VerificationState {
const commitment = _calculateSignerId(pubkey, _instanceSalt);

// Duplicate detection — sufficient for 2 signers only
assert(commitment != state.prevCommitment, "EcdsaSignerManager: duplicate signer");

Signer_assertSigner(commitment);

// TODO: Replace with ecdsaVerify when the Compact ECDSA primitive is available
assert(stubVerifySignature(pubkey, state.msgHash, signature), "EcdsaSignerManager: invalid signature");

return VerificationState {
validCount: state.validCount + 1 as Uint<8>,
prevCommitment: commitment,
msgHash: state.msgHash
};
}

/**
* @description Stub for ECDSA signature verification. Always returns true.
* MUST be replaced before any non-test deployment.
*/
circuit stubVerifySignature(
pubkey: Bytes<64>,
msgHash: Bytes<32>,
signature: Bytes<64>
): Boolean {
return true;
}
}
Loading