Rename the coins folder to networks (#583)

* Rename the coins folder to networks

Ethereum isn't a coin. It's a network.

Resolves #357.

* More renames of coins -> networks in orchestration

* Correct paths in tests/

* cargo fmt

networks/ethereum/contracts/Deployer.sol

@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: AGPLv3
+pragma solidity ^0.8.0;
+
+/*
+The expected deployment process of the Router is as follows:
+
+1) A transaction deploying Deployer is made. Then, a deterministic signature is
+   created such that an account with an unknown private key is the creator of
+   the contract. Anyone can fund this address, and once anyone does, the
+   transaction deploying Deployer can be published by anyone. No other
+   transaction may be made from that account.
+
+2) Anyone deploys the Router through the Deployer. This uses a sequential nonce
+   such that meet-in-the-middle attacks, with complexity 2**80, aren't feasible.
+   While such attacks would still be feasible if the Deployer's address was
+   controllable, the usage of a deterministic signature with a NUMS method
+   prevents that.
+
+This doesn't have any denial-of-service risks and will resolve once anyone steps
+forward as deployer. This does fail to guarantee an identical address across
+every chain, though it enables letting anyone efficiently ask the Deployer for
+the address (with the Deployer having an identical address on every chain).
+
+Unfortunately, guaranteeing identical addresses aren't feasible. We'd need the
+Deployer contract to use a consistent salt for the Router, yet the Router must
+be deployed with a specific public key for Serai. Since Ethereum isn't able to
+determine a valid public key (one the result of a Serai DKG) from a dishonest
+public key, we have to allow multiple deployments with Serai being the one to
+determine which to use.
+
+The alternative would be to have a council publish the Serai key on-Ethereum,
+with Serai verifying the published result. This would introduce a DoS risk in
+the council not publishing the correct key/not publishing any key.
+*/
+
+contract Deployer {
+  event Deployment(bytes32 indexed init_code_hash, address created);
+
+  error DeploymentFailed();
+
+  function deploy(bytes memory init_code) external {
+    address created;
+    assembly {
+      created := create(0, add(init_code, 0x20), mload(init_code))
+    }
+    if (created == address(0)) {
+      revert DeploymentFailed();
+    }
+    // These may be emitted out of order upon re-entrancy
+    emit Deployment(keccak256(init_code), created);
+  }
+}

networks/ethereum/contracts/IERC20.sol

@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: CC0
+pragma solidity ^0.8.0;
+
+interface IERC20 {
+  event Transfer(address indexed from, address indexed to, uint256 value);
+  event Approval(address indexed owner, address indexed spender, uint256 value);
+
+  function name() external view returns (string memory);
+  function symbol() external view returns (string memory);
+  function decimals() external view returns (uint8);
+
+  function totalSupply() external view returns (uint256);
+
+  function balanceOf(address owner) external view returns (uint256);
+  function transfer(address to, uint256 value) external returns (bool);
+  function transferFrom(address from, address to, uint256 value) external returns (bool);
+
+  function approve(address spender, uint256 value) external returns (bool);
+  function allowance(address owner, address spender) external view returns (uint256);
+}

networks/ethereum/contracts/Router.sol

@@ -0,0 +1,222 @@
+// SPDX-License-Identifier: AGPLv3
+pragma solidity ^0.8.0;
+
+import "./IERC20.sol";
+
+import "./Schnorr.sol";
+import "./Sandbox.sol";
+
+contract Router {
+  // Nonce is incremented for each batch of transactions executed/key update
+  uint256 public nonce;
+
+  // Current public key's x-coordinate
+  // This key must always have the parity defined within the Schnorr contract
+  bytes32 public seraiKey;
+
+  struct OutInstruction {
+    address to;
+    Call[] calls;
+
+    uint256 value;
+  }
+
+  struct Signature {
+    bytes32 c;
+    bytes32 s;
+  }
+
+  event SeraiKeyUpdated(
+    uint256 indexed nonce,
+    bytes32 indexed key,
+    Signature signature
+  );
+  event InInstruction(
+    address indexed from,
+    address indexed coin,
+    uint256 amount,
+    bytes instruction
+  );
+  // success is a uint256 representing a bitfield of transaction successes
+  event Executed(
+    uint256 indexed nonce,
+    bytes32 indexed batch,
+    uint256 success,
+    Signature signature
+  );
+
+  // error types
+  error InvalidKey();
+  error InvalidSignature();
+  error InvalidAmount();
+  error FailedTransfer();
+  error TooManyTransactions();
+
+  modifier _updateSeraiKeyAtEndOfFn(
+    uint256 _nonce,
+    bytes32 key,
+    Signature memory sig
+  ) {
+    if (
+      (key == bytes32(0)) ||
+      ((bytes32(uint256(key) % Schnorr.Q)) != key)
+    ) {
+      revert InvalidKey();
+    }
+
+    _;
+
+    seraiKey = key;
+    emit SeraiKeyUpdated(_nonce, key, sig);
+  }
+
+  constructor(bytes32 _seraiKey) _updateSeraiKeyAtEndOfFn(
+    0,
+    _seraiKey,
+    Signature({ c: bytes32(0), s: bytes32(0) })
+  ) {
+    nonce = 1;
+  }
+
+  // updateSeraiKey validates the given Schnorr signature against the current
+  // public key, and if successful, updates the contract's public key to the
+  // given one.
+  function updateSeraiKey(
+    bytes32 _seraiKey,
+    Signature calldata sig
+  ) external _updateSeraiKeyAtEndOfFn(nonce, _seraiKey, sig) {
+    bytes memory message =
+      abi.encodePacked("updateSeraiKey", block.chainid, nonce, _seraiKey);
+    nonce++;
+
+    if (!Schnorr.verify(seraiKey, message, sig.c, sig.s)) {
+      revert InvalidSignature();
+    }
+  }
+
+  function inInstruction(
+    address coin,
+    uint256 amount,
+    bytes memory instruction
+  ) external payable {
+    if (coin == address(0)) {
+      if (amount != msg.value) {
+        revert InvalidAmount();
+      }
+    } else {
+      (bool success, bytes memory res) =
+        address(coin).call(
+          abi.encodeWithSelector(
+            IERC20.transferFrom.selector,
+            msg.sender,
+            address(this),
+            amount
+          )
+        );
+
+      // Require there was nothing returned, which is done by some non-standard
+      // tokens, or that the ERC20 contract did in fact return true
+      bool nonStandardResOrTrue =
+        (res.length == 0) || abi.decode(res, (bool));
+      if (!(success && nonStandardResOrTrue)) {
+        revert FailedTransfer();
+      }
+    }
+
+    /*
+    Due to fee-on-transfer tokens, emitting the amount directly is frowned upon.
+    The amount instructed to transfer may not actually be the amount
+    transferred.
+
+    If we add nonReentrant to every single function which can effect the
+    balance, we can check the amount exactly matches. This prevents transfers of
+    less value than expected occurring, at least, not without an additional
+    transfer to top up the difference (which isn't routed through this contract
+    and accordingly isn't trying to artificially create events).
+
+    If we don't add nonReentrant, a transfer can be started, and then a new
+    transfer for the difference can follow it up (again and again until a
+    rounding error is reached). This contract would believe all transfers were
+    done in full, despite each only being done in part (except for the last
+    one).
+
+    Given fee-on-transfer tokens aren't intended to be supported, the only
+    token planned to be supported is Dai and it doesn't have any fee-on-transfer
+    logic, fee-on-transfer tokens aren't even able to be supported at this time,
+    we simply classify this entire class of tokens as non-standard
+    implementations which induce undefined behavior. It is the Serai network's
+    role not to add support for any non-standard implementations.
+    */
+    emit InInstruction(msg.sender, coin, amount, instruction);
+  }
+
+  // execute accepts a list of transactions to execute as well as a signature.
+  // if signature verification passes, the given transactions are executed.
+  // if signature verification fails, this function will revert.
+  function execute(
+    OutInstruction[] calldata transactions,
+    Signature calldata sig
+  ) external {
+    if (transactions.length > 256) {
+      revert TooManyTransactions();
+    }
+
+    bytes memory message =
+      abi.encode("execute", block.chainid, nonce, transactions);
+    uint256 executed_with_nonce = nonce;
+    // This prevents re-entrancy from causing double spends yet does allow
+    // out-of-order execution via re-entrancy
+    nonce++;
+
+    if (!Schnorr.verify(seraiKey, message, sig.c, sig.s)) {
+      revert InvalidSignature();
+    }
+
+    uint256 successes;
+    for (uint256 i = 0; i < transactions.length; i++) {
+      bool success;
+
+      // If there are no calls, send to `to` the value
+      if (transactions[i].calls.length == 0) {
+        (success, ) = transactions[i].to.call{
+          value: transactions[i].value,
+          gas: 5_000
+        }("");
+      } else {
+        // If there are calls, ignore `to`. Deploy a new Sandbox and proxy the
+        // calls through that
+        //
+        // We could use a single sandbox in order to reduce gas costs, yet that
+        // risks one person creating an approval that's hooked before another
+        // user's intended action executes, in order to drain their coins
+        //
+        // While technically, that would be a flaw in the sandboxed flow, this
+        // is robust and prevents such flaws from being possible
+        //
+        // We also don't want people to set state via the Sandbox and expect it
+        // future available when anyone else could set a distinct value
+        Sandbox sandbox = new Sandbox();
+        (success, ) = address(sandbox).call{
+          value: transactions[i].value,
+          // TODO: Have the Call specify the gas up front
+          gas: 350_000
+        }(
+          abi.encodeWithSelector(
+            Sandbox.sandbox.selector,
+            transactions[i].calls
+          )
+        );
+      }
+
+      assembly {
+        successes := or(successes, shl(i, success))
+      }
+    }
+    emit Executed(
+      executed_with_nonce,
+      keccak256(message),
+      successes,
+      sig
+    );
+  }
+}

networks/ethereum/contracts/Sandbox.sol

@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: AGPLv3
+pragma solidity ^0.8.24;
+
+struct Call {
+  address to;
+  uint256 value;
+  bytes data;
+}
+
+// A minimal sandbox focused on gas efficiency.
+//
+// The first call is executed if any of the calls fail, making it a fallback.
+// All other calls are executed sequentially.
+contract Sandbox {
+  error AlreadyCalled();
+  error CallsFailed();
+
+  function sandbox(Call[] calldata calls) external payable {
+    // Prevent re-entrancy due to this executing arbitrary calls from anyone
+    // and anywhere
+    bool called;
+    assembly { called := tload(0) }
+    if (called) {
+      revert AlreadyCalled();
+    }
+    assembly { tstore(0, 1) }
+
+    // Execute the calls, starting from 1
+    for (uint256 i = 1; i < calls.length; i++) {
+      (bool success, ) =
+        calls[i].to.call{ value: calls[i].value }(calls[i].data);
+
+      // If this call failed, execute the fallback (call 0)
+      if (!success) {
+        (success, ) =
+          calls[0].to.call{ value: address(this).balance }(calls[0].data);
+        // If this call also failed, revert entirely
+        if (!success) {
+          revert CallsFailed();
+        }
+        return;
+      }
+    }
+
+    // We don't clear the re-entrancy guard as this contract should never be
+    // called again, so there's no reason to spend the effort
+  }
+}

networks/ethereum/contracts/Schnorr.sol

@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: AGPLv3
+pragma solidity ^0.8.0;
+
+// see https://github.com/noot/schnorr-verify for implementation details
+library Schnorr {
+  // secp256k1 group order
+  uint256 constant public Q =
+    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141;
+
+  // Fixed parity for the public keys used in this contract
+  // This avoids spending a word passing the parity in a similar style to
+  // Bitcoin's Taproot
+  uint8 constant public KEY_PARITY = 27;
+
+  error InvalidSOrA();
+  error MalformedSignature();
+
+  // px := public key x-coord, where the public key has a parity of KEY_PARITY
+  // message := 32-byte hash of the message
+  // c := schnorr signature challenge
+  // s := schnorr signature
+  function verify(
+    bytes32 px,
+    bytes memory message,
+    bytes32 c,
+    bytes32 s
+  ) internal pure returns (bool) {
+    // ecrecover = (m, v, r, s) -> key
+    // We instead pass the following to obtain the nonce (not the key)
+    // Then we hash it and verify it matches the challenge
+    bytes32 sa = bytes32(Q - mulmod(uint256(s), uint256(px), Q));
+    bytes32 ca = bytes32(Q - mulmod(uint256(c), uint256(px), Q));
+
+    // For safety, we want each input to ecrecover to be 0 (sa, px, ca)
+    // The ecreover precomple checks `r` and `s` (`px` and `ca`) are non-zero
+    // That leaves us to check `sa` are non-zero
+    if (sa == 0) revert InvalidSOrA();
+    address R = ecrecover(sa, KEY_PARITY, px, ca);
+    if (R == address(0)) revert MalformedSignature();
+
+    // Check the signature is correct by rebuilding the challenge
+    return c == keccak256(abi.encodePacked(R, px, message));
+  }
+}