Skip to content

Add Dusk contract standards and Forge reference contracts#24

Draft
HDauven wants to merge 35 commits into
mainfrom
research/dusk-standards-hardening
Draft

Add Dusk contract standards and Forge reference contracts#24
HDauven wants to merge 35 commits into
mainfrom
research/dusk-standards-hardening

Conversation

@HDauven

@HDauven HDauven commented Apr 28, 2026

Copy link
Copy Markdown
Member

Adds a Dusk-native standards layer inspired by OpenZeppelin, but shaped around Dusk contract semantics instead of EVM compatibility.

This includes:

  • reusable standards primitives for principals, nonces, replay protection, signed authorization, ownership, roles, pausing, reentrancy, proxy admin, timelock and multisig control
  • DRC20 and DRC721 primitives with Dusk-native authorization and event semantics
  • Forge reference contracts for:
    • authorization counter
    • DRC20 roles/pausable token
    • DRC721 collection
    • proxy counter
    • multisig controller
  • client-side signing examples for Phoenix and Moonlight authorization
  • Forge data-driver builds and ABI/data-driver fuzz coverage
  • local-node/testnet smoke script covering positive and negative flows
  • security, hardening, audit-readiness, and multisig review docs

Security Model

The standards layer explicitly distinguishes between:

  • Moonlight callers, which can be observed for root transaction calls or authorized by signed action
  • contract callers, which can be observed as immediate inter-contract callers
  • Phoenix principals, which cannot cleanly act as msg.sender and therefore use explicit signed authorizations

A normal Moonlight transaction reaches the target through the transfer contract. CallContext::current() treats the root transfer-contract entrypoint into the target as the transaction boundary and maps that to public_sender. Nested calls are not rewritten to the public sender; they stay bound to the immediate caller contract.

Signed actions bind:

  • chain ID
  • contract ID
  • domain
  • action ID
  • payload hash
  • nonce
  • expiry

The higher-level authorization helpers verify the full action envelope before consuming nonces, so failed authorization paths should not advance replay state.

Validation

The PR includes invariant tests, property tests, data-driver fuzz tests, and VM deploy/query tests.

Passed locally on the current branch:

  • cargo fmt --check
  • git diff --check
  • bash -n scripts/dusk-contract-standards-local-smoke.sh scripts/dusk-contract-standards-audit-grade.sh
  • cargo clippy -p dusk-contract-standards --all-targets -- -D warnings
  • cargo test -p dusk-contract-standards
  • reference contract Wasm build
  • cargo test -p dusk-contract-standards --test examples_vm -- --ignored
  • Forge data-driver build
  • RUN_CARGO_AUDIT=0 RUN_LOCAL_NODE_SMOKE=0 ./scripts/dusk-contract-standards-audit-grade.sh
    • includes 8192-case property hardening
    • includes reference contract Wasm build and VM deploy/query test
    • includes Forge data-driver builds and 4096-case data-driver fuzz

Additional validation done outside of the package test suite:

  • full local-node smoke completed successfully
  • full Dusk testnet deploy/action smoke completed twice successfully against https://testnet.nodes.dusk.network

The testnet smoke covered deploys plus positive and negative action flows for Phoenix auth, Moonlight auth, DRC20, DRC721, proxy admin and 2-of-3 multisig-governed proxy execution.

Dependency Note

This draft PR is intended for prerelease review before final standards publication.

The branch currently uses published package versions where available:

  • dusk-forge = 0.3.0
  • dusk-data-driver = 0.3.2-alpha.1
  • dusk-core = 1.6.0
  • dusk-vm = 1.6.0
  • dusk-wallet-core = 1.6.0
  • rusk-profile = 1.6.0
  • rusk-prover = 1.6.0

The old local prerelease checkout dependencies for ../rusk-private and ../forge-explicit-emits have been removed from this branch.

Review Focus

Please review especially:

  • signed authorization envelope semantics
  • nonce consumption and replay boundaries
  • Phoenix vs Moonlight vs contract principal handling
  • ownership and role authorization helpers
  • pause semantics for token balance-changing operations
  • multisig operation lifecycle and tombstone/replay behavior
  • proxy admin and timelock safety assumptions
  • data-driver ABI shape and client ergonomics

Auditor-facing documentation can be found here: https://github.com/dusk-network/contracts/blob/research/dusk-standards-hardening/docs/dusk-contract-standards-audit.md

@HDauven HDauven requested a review from moCello April 28, 2026 12:58
@HDauven HDauven removed the request for review from moCello May 27, 2026 10:02
@HDauven HDauven marked this pull request as draft May 27, 2026 10:05
@HDauven HDauven force-pushed the research/dusk-standards-hardening branch from ccd00af to 2184b27 Compare May 27, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant