chore(withdrawals): move withdrawals feature to extensions directory

Author: xenoliss

contracts/src/chains/OPStackKeystoreWithdrawable.sol

@@ -116,7 +116,7 @@ abstract contract Keystore {
     //                                          CONSTRUCTOR                                           //
     ////////////////////////////////////////////////////////////////////////////////////////////////////
 
-    /// @notice Creates the Keystore.
+    /// @notice Constructor.
     ///
     /// @param masterChainId_ The master chain id.
     constructor(uint256 masterChainId_) {
@@ -196,7 +196,7 @@ abstract contract Keystore {
         // confirmation flow.
         if (isSet) {
             // Ensure the `newConfirmedConfig` matches with the extracted `newConfirmedConfigHash`.
-            ConfigLib.verify({configHash: newConfirmedConfigHash, config: newConfirmedConfig});
+            ConfigLib.verify({config: newConfirmedConfig, account: address(this), configHash: newConfirmedConfigHash});
 
             _applyNewConfirmedConfig({
                 newConfirmedConfigHash: newConfirmedConfigHash,
@@ -324,7 +324,7 @@ abstract contract Keystore {
         require(config.nonce == 0, InitialNonceIsNotZero());
 
         // Initialize the internal Keystore storage.
-        bytes32 configHash = ConfigLib.hash(config);
+        bytes32 configHash = ConfigLib.hash({config: config, account: address(this)});
         if (block.chainid == masterChainId) {
             require(_sMaster().configHash == 0, KeystoreAlreadyInitialized());
             _sMaster().configHash = configHash;
@@ -394,7 +394,7 @@ abstract contract Keystore {
     ///
     /// @return The new config hash.
     function _applyMasterConfig(ConfigLib.Config calldata newConfig) private returns (bytes32) {
-        bytes32 newConfigHash = ConfigLib.hash(newConfig);
+        bytes32 newConfigHash = ConfigLib.hash({config: newConfig, account: address(this)});
         _sMaster().configHash = newConfigHash;
         _sMaster().configNonce = newConfig.nonce;
 
@@ -407,7 +407,7 @@ abstract contract Keystore {
     ///
     /// @return The new config hash.
     function _applyReplicaConfig(ConfigLib.Config calldata newConfig) private returns (bytes32) {
-        bytes32 newConfigHash = ConfigLib.hash(newConfig);
+        bytes32 newConfigHash = ConfigLib.hash({config: newConfig, account: address(this)});
         _setPreconfirmedConfig({preconfirmedConfigHash: newConfigHash, preconfirmedConfigNonce: newConfig.nonce});
 
         return newConfigHash;

contracts/src/Keystore.sol renamed to contracts/src/core/Keystore.sol

@@ -34,27 +34,29 @@ library ConfigLib {
     ///
     /// @dev Reverts if the parameters hashes do not match.
     ///
-    /// @param configHash The Keystore config hash.
     /// @param config The Keystore config.
-    function verify(bytes32 configHash, Config calldata config) internal view {
+    /// @param account The account address.
+    /// @param configHash The Keystore config hash.
+    function verify(Config calldata config, address account, bytes32 configHash) internal pure {
         // Ensure the recomputed config hash matches witht the given `configHash` parameter.
-        bytes32 recomputedConfigHash = hash(config);
+        bytes32 recomputedConfigHash = hash({config: config, account: account});
 
         require(
             recomputedConfigHash == configHash,
             InvalidConfig({configHash: configHash, recomputedConfigHash: recomputedConfigHash})
         );
     }
 
-    /// @notice Computed the hash of the provided `config`.
+    /// @notice Computes the hash of the provided `config`.
     ///
-    /// @dev To avoid replay of similar configs on different wallets with the same signers, the wallet address is also
-    ///      part of the hashed data.
+    /// @dev To avoid replay of similar config signatures on different wallets with the same signers, the account
+    ///      address is also hashed with the config.
     ///
     /// @param config The Keystore config.
+    /// @param account The account address.
     ///
     /// @return The corresponding config hash.
-    function hash(Config calldata config) internal view returns (bytes32) {
-        return keccak256(abi.encodePacked(address(this), config.nonce, config.data));
+    function hash(Config calldata config, address account) internal pure returns (bytes32) {
+        return keccak256(abi.encodePacked(account, config.nonce, config.data));
     }
 }

contracts/src/KeystoreLibs.sol renamed to contracts/src/core/KeystoreLibs.sol

@@ -6,10 +6,9 @@ import {UserOperation} from "aa/interfaces/UserOperation.sol";
 import {Receiver} from "solady/accounts/Receiver.sol";
 import {SignatureCheckerLib} from "solady/utils/SignatureCheckerLib.sol";
 
-import {OPStackKeystore} from "../chains/OPStackKeystore.sol";
-
-import {Keystore} from "../Keystore.sol";
-import {ConfigLib} from "../KeystoreLibs.sol";
+import {Keystore} from "../core/Keystore.sol";
+import {ConfigLib} from "../core/KeystoreLibs.sol";
+import {OPStackKeystore} from "../core/chains/OPStackKeystore.sol";
 
 import {ERC1271} from "./ERC1271.sol";
 import {TransientUUPSUpgradeable} from "./TransientUUPSUpgradeable.sol";
@@ -210,7 +209,7 @@ contract MultiOwnableWallet is OPStackKeystore, ERC1271, TransientUUPSUpgradeabl
     {
         // NOTE: Because this hook is limited to a view function, no special access control logic is required.
 
-        bytes32 newConfigHash = ConfigLib.hash(newConfig);
+        bytes32 newConfigHash = ConfigLib.hash({config: newConfig, account: address(this)});
         (, bytes memory signatureUpdate) = abi.decode(validationProof, (bytes, bytes));
         (uint256 sigUpdateSignerIndex, bytes memory signature) = abi.decode(signatureUpdate, (uint256, bytes));
 
@@ -259,7 +258,7 @@ contract MultiOwnableWallet is OPStackKeystore, ERC1271, TransientUUPSUpgradeabl
         override
         returns (bool)
     {
-        bytes32 newConfigHash = ConfigLib.hash(newConfig);
+        bytes32 newConfigHash = ConfigLib.hash({config: newConfig, account: address(this)});
         (bytes memory signatureAuth,) = abi.decode(authorizationProof, (bytes, bytes));
 
         // Ensure the update is authorized.
@@ -288,7 +287,7 @@ contract MultiOwnableWallet is OPStackKeystore, ERC1271, TransientUUPSUpgradeabl
 
         // Otherwise set the new signers.
         (, address[] memory signers) = abi.decode(newConfig.data, (address, address[]));
-        bytes32 configHash = ConfigLib.hash(newConfig);
+        bytes32 configHash = ConfigLib.hash({config: newConfig, account: address(this)});
         mapping(address signer => bool isSigner) storage signers_ = _sWallet().keystoreConfig[configHash].signers;
         for (uint256 i; i < signers.length; i++) {
             signers_[signers[i]] = true;

contracts/src/chains/OPStackKeystore.sol renamed to contracts/src/core/chains/OPStackKeystore.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.27;
 
 import {LibClone} from "solady/utils/LibClone.sol";
 
-import {ConfigLib} from "../KeystoreLibs.sol";
+import {ConfigLib} from "../core/KeystoreLibs.sol";
 
 import {MultiOwnableWallet} from "./MultiOwnableWallet.opstack.sol";
 

contracts/src/libs/BlockLib.sol renamed to contracts/src/core/libs/BlockLib.sol

@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.27;
+
+import {Keystore} from "../../core/Keystore.sol";
+import {ConfigLib} from "../../core/KeystoreLibs.sol";
+
+abstract contract WithdrawableKeystore is Keystore {
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                              ERRORS                                            //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice Thrown when the call is not performed on the master chain.
+    ///
+    /// @param chainId The current `block.chainid`.
+    /// @param masterChainId The master chain id.
+    error NotOnMasterChain(uint256 chainId, uint256 masterChainId);
+
+    /// @notice Thrown when the call is not performed on the L1.
+    ///
+    /// @param chainId The current `block.chainid`.
+    error NotOnL1(uint256 chainId);
+
+    /// @notice Thrown when the call to `withdrawConfigReceiver()` was not initiated by a Keystore config withdrawal
+    ///         on the master chain.
+    error CallNotInitiatedByWithdrawalFromMasterChain();
+
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                           MODIFIERS                                            //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice Ensures the call is performed on the master chain.
+    modifier onlyOnMasterChain() {
+        require(
+            block.chainid == masterChainId, NotOnMasterChain({chainId: block.chainid, masterChainId: masterChainId})
+        );
+        _;
+    }
+
+    /// @notice Ensures the call is performed on the L1.
+    modifier onlyOnL1() {
+        require(block.chainid == 1, NotOnL1(block.chainid));
+        _;
+    }
+
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                        PUBLIC FUNCTIONS                                        //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice Withdraws the master Keystore config to the L1.
+    ///
+    /// @dev Reverts if not called on the master chain.
+    ///
+    /// @param masterConfig The master Keystore config to withdraw.
+    function withdrawMasterConfig(ConfigLib.Config calldata masterConfig) external onlyOnMasterChain {
+        // Ensure the provided `masterConfig` hashes to `masterConfigHash`.
+        (bytes32 masterConfigHash, uint256 masterBlockTimestamp) = _confirmedConfigHash();
+        ConfigLib.verify({config: masterConfig, account: address(this), configHash: masterConfigHash});
+
+        // Withdraw the config to L1.
+        // FIXME: If the contract on L1 is compromised it could lead to account takeover on all chains.
+        //        Current solution would be to not withdraw to the account directly but to a dedicated L1 contract.
+        _withdrawConfig({masterConfig: masterConfig, masterBlockTimestamp: masterBlockTimestamp});
+    }
+
+    /// @notice Receives a Keystore config withdrawal on L1.
+    ///
+    /// @dev Reverts if not called on the L1.
+    ///
+    /// @param masterConfig The master Keystore config to apply.
+    /// @param newMasterBlockTimestamp The master chain block timestamp.
+    function withdrawConfigReceiver(ConfigLib.Config calldata masterConfig, uint256 newMasterBlockTimestamp)
+        external
+        onlyOnL1
+    {
+        require(_isWithdrawalFromMasterKeystore(), CallNotInitiatedByWithdrawalFromMasterChain());
+
+        // Ensure we are going forward when confirming a new config.
+        (, uint256 masterBlockTimestamp) = _confirmedConfigHash();
+        require(
+            newMasterBlockTimestamp > masterBlockTimestamp,
+            ConfirmedConfigOutdated({
+                currentMasterBlockTimestamp: masterBlockTimestamp,
+                newMasterBlockTimestamp: newMasterBlockTimestamp
+            })
+        );
+
+        // Apply the new confirmed config to the Keystore storage.
+        _applyNewConfirmedConfig({
+            newConfirmedConfigHash: ConfigLib.hash({config: masterConfig, account: address(this)}),
+            newConfirmedConfig: masterConfig,
+            newMasterBlockTimestamp: newMasterBlockTimestamp
+        });
+    }
+
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                       INTERNAL FUNCTIONS                                       //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice Checks if the call was initiated by withdrawal from the master Keystore.
+    ///
+    /// @return A boolean indicating whether the withdrawal originates from the master Keystore.
+    function _isWithdrawalFromMasterKeystore() internal virtual returns (bool);
+
+    /// @notice Performs a chain-specific Keystore config withdrawal to L1.
+    ///
+    /// @param masterConfig The master Keystore config to withdraw.
+    /// @param masterBlockTimestamp The master chain block timestamp.
+    function _withdrawConfig(ConfigLib.Config calldata masterConfig, uint256 masterBlockTimestamp) internal virtual;
+}

contracts/src/libs/ConfigLib.sol renamed to contracts/src/core/libs/ConfigLib.sol

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.27;
+
+import {Predeploys} from "optimism-contracts/libraries/Predeploys.sol";
+import {ICrossDomainMessenger} from "optimism-interfaces/universal/ICrossDomainMessenger.sol";
+
+import {ConfigLib} from "../../../core/KeystoreLibs.sol";
+
+import {WithdrawableKeystore} from "../WithdrawableKeystore.sol";
+
+abstract contract OPStackWithdrawableKeystore is WithdrawableKeystore {
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                           CONSTANTS                                            //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice The minimum gas limit required for cross-chain message execution.
+    uint32 constant MIN_GAS_LIMIT = 200_000;
+
+    /// @notice The `L1CrossDomainMessenger` address.
+    address public immutable l1CrossDomainMessenger;
+
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                          CONSTRUCTOR                                           //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @notice Constructor.
+    ///
+    /// @param l1CrossDomainMessenger_ The `L1CrossDomainMessenger` address.
+    constructor(address l1CrossDomainMessenger_) {
+        l1CrossDomainMessenger = l1CrossDomainMessenger_;
+    }
+
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+    //                                        INTERNAL FUNCTIONS                                      //
+    ////////////////////////////////////////////////////////////////////////////////////////////////////
+
+    /// @inheritdoc WithdrawableKeystore
+    function _isWithdrawalFromMasterKeystore() internal virtual override returns (bool) {
+        // Checks the tx sender is the `L1CrossDomainMessenger` and that the message was sent from this contract.
+        return msg.sender == l1CrossDomainMessenger
+            && ICrossDomainMessenger(l1CrossDomainMessenger).xDomainMessageSender() == address(this);
+    }
+
+    /// @inheritdoc WithdrawableKeystore
+    function _withdrawConfig(ConfigLib.Config calldata masterConfig, uint256 masterBlockTimestamp)
+        internal
+        virtual
+        override
+    {
+        // Send a message to the `L2CrossDomainMessenger`.
+        ICrossDomainMessenger(Predeploys.L2_CROSS_DOMAIN_MESSENGER).sendMessage({
+            _target: address(this),
+            _message: abi.encodeCall(this.withdrawConfigReceiver, (masterConfig, masterBlockTimestamp)),
+            _minGasLimit: MIN_GAS_LIMIT
+        });
+    }
+}