Create FinalityCodec.sol

Author: RensR

chains/evm/GNUmakefile

@@ -1,12 +1,16 @@
+.PHONY: test
+test: ## Run the full Foundry test suite (always uses the `ccip` profile).
+	FOUNDRY_PROFILE=ccip forge test
+
 # Creates a gas snapshot
 # note `make snapshot` skips fuzz/fork/reverting tests.
 .PHONY: snapshot
 snapshot: ## Make a snapshot for a specific product.
-	export FOUNDRY_PROFILE=ccip && forge snapshot --nmt "test?(Fuzz|Fork|.*_RevertWhen)_.*"
+	FOUNDRY_PROFILE=ccip forge snapshot --nmt "test?(Fuzz|Fork|.*_RevertWhen)_.*"
 
 .PHONY: snapshot-diff
 snapshot-diff: ## Make a snapshot for a specific product.
-	export FOUNDRY_PROFILE=ccip && forge snapshot --nmt "test?(Fuzz|Fork|.*_RevertWhen)_.*" --diff
+	FOUNDRY_PROFILE=ccip forge snapshot --nmt "test?(Fuzz|Fork|.*_RevertWhen)_.*" --diff
 
 .PHONY: foundry
 foundry: ## Install foundry.

chains/evm/contracts/libraries/FinalityCodec.sol

@@ -0,0 +1,108 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+/// @notice This library provides encoding and validation for finality parameters used in cross-chain transfers.
+/// @dev this codec supports all the bit flags, even though some might not be assigned any meaning yet. This is
+/// intentional to allow for future flexibility.
+library FinalityCodec {
+  error InvalidBlockDepth(uint16 requestedDepth, uint16 maxDepth);
+  /// @notice Requested finality must be exactly one mode: any of the flag bits or a block depth with no upper flag bits.
+  /// It cannot combine a flag with a block depth.
+  error InvalidRequestedFinality(bytes2 encodedFinality);
+
+  /// @notice The block depth is stored in the lower 10 bits, leaving the upper 6 bits for flags. This allows for a
+  /// maximum block depth of 1023, which should be sufficient for most use cases. For more security, users should wait
+  /// for finality instead (bytes2(0)).
+  uint256 public constant BLOCK_DEPTH_BITS = 10;
+  /// @notice The maximum block depth that can be encoded in the finality params: 1023.
+  uint16 public constant MAX_BLOCK_DEPTH = uint16((1 << BLOCK_DEPTH_BITS) - 1);
+  /// @notice The block depth mask to extract the block depth from the finality params.
+  bytes2 public constant BLOCK_DEPTH_MASK = bytes2(MAX_BLOCK_DEPTH);
+
+  /// @notice The finality flag for waiting for finality is 0, this is the safest option. Any block depth that's deeper
+  /// than finality will fall back to finality, meaning a very deep block depth will not be more secure than finality.
+  bytes2 public constant WAIT_FOR_FINALITY_FLAG = bytes2(0);
+  /// @notice Signals to wait for the `safe` tag.
+  bytes2 public constant WAIT_FOR_SAFE_FLAG = bytes2(uint16(1 << BLOCK_DEPTH_BITS));
+
+  /// @notice Helper to encode block depth into the finality params. Will revert if the block depth is greater than the
+  /// maximum block depth.
+  /// @param blockDepth The block depth to encode into the finality params.
+  /// @return The encoded finality params with the block depth.
+  function _encodeBlockDepth(
+    uint16 blockDepth
+  ) internal pure returns (bytes2) {
+    if (blockDepth > MAX_BLOCK_DEPTH) {
+      revert InvalidBlockDepth(blockDepth, MAX_BLOCK_DEPTH);
+    }
+    return bytes2(blockDepth);
+  }
+
+  /// @notice Helper to encode the `safe` tag plus a block depth into the finality params.
+  /// NOTE: this format is only allowed for allowed finality, not requested finality, as requested finality can only
+  /// contain a single flag or block depth, but allowed finality can contain multiple.
+  /// @param blockDepth The block depth to encode into the finality params.
+  /// @return The encoded finality params with the `safe` tag and block depth.
+  function _encodeBlockDepthAndSafeFlag(
+    uint16 blockDepth
+  ) internal pure returns (bytes2) {
+    return _encodeBlockDepth(blockDepth) | WAIT_FOR_SAFE_FLAG;
+  }
+
+  /// @notice Validates requested finality: either `bytes2(0)`, exactly `WAIT_FOR_SAFE_FLAG`, or a pure block depth
+  /// (no flag bits, depth in `1..MAX_BLOCK_DEPTH`). Never a flag combined with a non-zero depth.
+  /// @param encodedFinality The encoded finality params to validate.
+  function _validateRequestedFinality(
+    bytes2 encodedFinality
+  ) internal pure {
+    // Waiting for finality is always valid.
+    if (encodedFinality == WAIT_FOR_FINALITY_FLAG) {
+      return;
+    }
+    uint16 finality = uint16(encodedFinality);
+    bool hasBlockDepth = (finality & MAX_BLOCK_DEPTH) != 0;
+    uint256 activeModes = hasBlockDepth ? 1 : 0; // If it has depth, it counts as one active mode.
+
+    uint16 flags = finality >> BLOCK_DEPTH_BITS;
+    if (flags != 0) {
+      for (uint256 i = 0; i < 6; ++i) {
+        if ((flags & (1 << i)) != 0) {
+          activeModes += 1;
+        }
+      }
+    }
+    // There must be exactly one active mode: either a block depth or a single flag. Selecting multiple modes is only
+    // allowed for `allowedFinality` set by Pools, CCVs, etc., but not for `requestedFinality` set by senders.
+    if (activeModes != 1) {
+      revert InvalidRequestedFinality(encodedFinality);
+    }
+  }
+
+  /// @notice Ensures `requestedFinality` is permitted by `allowedFinality`. When matching on flags, the request must not
+  /// carry a block depth (lower bits zero aside from the all-zero finality case, which is handled earlier).
+  /// @param requestedFinality The requested finality params to check. This value must already be validated by
+  /// `_validateRequestedFinality` to ensure it is well-formed.
+  /// @param allowedFinality The allowed finality params to check against.
+  function _ensureRequestedFinalityAllowed(
+    bytes2 requestedFinality,
+    bytes2 allowedFinality
+  ) internal pure {
+    // Finality is always allowed.
+    if (requestedFinality == bytes2(0)) {
+      return;
+    }
+    // If any of the flags match, the request is allowed only when it has no depth field (flag-only request).
+    if (requestedFinality >> BLOCK_DEPTH_BITS & allowedFinality >> BLOCK_DEPTH_BITS != 0) {
+      if (uint16(requestedFinality & BLOCK_DEPTH_MASK) != 0) {
+        revert InvalidRequestedFinality(requestedFinality);
+      }
+      return;
+    }
+    // Otherwise, it must be block-depth based.
+    uint16 requestedBlockDepth = uint16(requestedFinality & BLOCK_DEPTH_MASK);
+    uint16 allowedBlockDepth = uint16(allowedFinality & BLOCK_DEPTH_MASK);
+    if (allowedBlockDepth == 0 || requestedBlockDepth > allowedBlockDepth) {
+      revert InvalidBlockDepth(requestedBlockDepth, allowedBlockDepth);
+    }
+  }
+}

chains/evm/contracts/test/helpers/FinalityCodecHelper.sol

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodec} from "../../libraries/FinalityCodec.sol";
+
+/// @notice Exposes `FinalityCodec` internal functions for unit tests.
+contract FinalityCodecHelper {
+  function encodeBlockDepth(
+    uint16 blockDepth
+  ) external pure returns (bytes2) {
+    return FinalityCodec._encodeBlockDepth(blockDepth);
+  }
+
+  function encodeBlockDepthAndSafeFlag(
+    uint16 blockDepth
+  ) external pure returns (bytes2) {
+    return FinalityCodec._encodeBlockDepthAndSafeFlag(blockDepth);
+  }
+
+  function validateRequestedFinality(
+    bytes2 encodedFinality
+  ) external pure {
+    FinalityCodec._validateRequestedFinality(encodedFinality);
+  }
+
+  function ensureRequestedFinalityAllowed(
+    bytes2 requestedFinality,
+    bytes2 allowedFinality
+  ) external pure {
+    FinalityCodec._ensureRequestedFinalityAllowed(requestedFinality, allowedFinality);
+  }
+}

chains/evm/contracts/test/libraries/FinalityCodec/FinalityCodec._encodeBlockDepth.t.sol

@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodec} from "../../../libraries/FinalityCodec.sol";
+import {FinalityCodecSetup} from "./FinalityCodecSetup.t.sol";
+
+contract FinalityCodec__encodeBlockDepth is FinalityCodecSetup {
+  function test__encodeBlockDepth_ZeroAndMax() public view {
+    assertEq(bytes2(uint16(0)), s_helper.encodeBlockDepth(0));
+    assertEq(bytes2(uint16(1023)), s_helper.encodeBlockDepth(1023));
+  }
+
+  function test__encodeBlockDepth_ArbitraryDepth() public view {
+    assertEq(bytes2(uint16(100)), s_helper.encodeBlockDepth(100));
+  }
+
+  // Reverts
+
+  function test__encodeBlockDepth_RevertWhen_InvalidBlockDepth_DepthExceedsMax() public {
+    vm.expectRevert(
+      abi.encodeWithSelector(FinalityCodec.InvalidBlockDepth.selector, uint16(1024), FinalityCodec.MAX_BLOCK_DEPTH)
+    );
+    s_helper.encodeBlockDepth(1024);
+  }
+}

chains/evm/contracts/test/libraries/FinalityCodec/FinalityCodec._encodeBlockDepthAndSafeFlag.t.sol

@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodec} from "../../../libraries/FinalityCodec.sol";
+import {FinalityCodecSetup} from "./FinalityCodecSetup.t.sol";
+
+contract FinalityCodec__encodeBlockDepthAndSafeFlag is FinalityCodecSetup {
+  function test__encodeBlockDepthAndSafeFlag_CombinesFlagAndDepth() public view {
+    assertEq(
+      FinalityCodec.WAIT_FOR_SAFE_FLAG,
+      s_helper.encodeBlockDepthAndSafeFlag(0),
+      "depth 0 leaves only the safe flag in the lower bits as 0"
+    );
+    bytes2 expected = bytes2(uint16(uint16(FinalityCodec.WAIT_FOR_SAFE_FLAG) | 42));
+    assertEq(expected, s_helper.encodeBlockDepthAndSafeFlag(42));
+  }
+
+  // Reverts
+
+  function test__encodeBlockDepthAndSafeFlag_RevertWhen_InvalidBlockDepth_DepthExceedsMax() public {
+    vm.expectRevert(
+      abi.encodeWithSelector(FinalityCodec.InvalidBlockDepth.selector, uint16(1024), FinalityCodec.MAX_BLOCK_DEPTH)
+    );
+    s_helper.encodeBlockDepthAndSafeFlag(1024);
+  }
+}

chains/evm/contracts/test/libraries/FinalityCodec/FinalityCodec._ensureRequestedFinalityAllowed.t.sol

@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodec} from "../../../libraries/FinalityCodec.sol";
+import {FinalityCodecSetup} from "./FinalityCodecSetup.t.sol";
+
+contract FinalityCodec__ensureRequestedFinalityAllowed is FinalityCodecSetup {
+  function test__ensureRequestedFinalityAllowed_FinalityAlwaysAllowed() public view {
+    s_helper.ensureRequestedFinalityAllowed(bytes2(0), bytes2(0));
+    s_helper.ensureRequestedFinalityAllowed(bytes2(0), bytes2(uint16(1)));
+    s_helper.ensureRequestedFinalityAllowed(bytes2(0), FinalityCodec.WAIT_FOR_SAFE_FLAG);
+  }
+
+  function test__ensureRequestedFinalityAllowed_AllowedWhen_UpperFlagBitsOverlap() public view {
+    bytes2 requested = FinalityCodec.WAIT_FOR_SAFE_FLAG;
+    bytes2 allowed = bytes2(uint16(uint16(FinalityCodec.WAIT_FOR_SAFE_FLAG) | 500));
+    s_helper.ensureRequestedFinalityAllowed(requested, allowed);
+  }
+
+  function test__ensureRequestedFinalityAllowed_AllowedWhen_BlockDepthWithinAllowance() public view {
+    s_helper.ensureRequestedFinalityAllowed(bytes2(uint16(50)), bytes2(uint16(100)));
+    s_helper.ensureRequestedFinalityAllowed(bytes2(uint16(100)), bytes2(uint16(100)));
+  }
+
+  function test__ensureRequestedFinalityAllowed_AllowedWhen_RequestedSafeAndAllowedIsDepthOnly() public view {
+    s_helper.ensureRequestedFinalityAllowed(FinalityCodec.WAIT_FOR_SAFE_FLAG, bytes2(uint16(200)));
+  }
+
+  /// forge-config: default.fuzz.runs = 1024
+  /// forge-config: ccip.fuzz.runs = 1024
+  function testFuzz__ensureRequestedFinalityAllowed_FinalityAlwaysAllowed(
+    bytes2 allowed
+  ) public view {
+    s_helper.ensureRequestedFinalityAllowed(bytes2(0), allowed);
+  }
+
+  /// forge-config: default.fuzz.runs = 1024
+  /// forge-config: ccip.fuzz.runs = 1024
+  function testFuzz__ensureRequestedFinalityAllowed_BlockDepthAllowedWhen_LessOrEqual(
+    uint16 allowedDepth,
+    uint16 requestedDepth
+  ) public view {
+    allowedDepth = uint16(bound(uint256(allowedDepth), 0, uint256(FinalityCodec.MAX_BLOCK_DEPTH)));
+    requestedDepth = uint16(bound(uint256(requestedDepth), 0, uint256(allowedDepth)));
+    s_helper.ensureRequestedFinalityAllowed(bytes2(requestedDepth), bytes2(allowedDepth));
+  }
+
+  // Reverts
+
+  function test__ensureRequestedFinalityAllowed_RevertWhen_InvalidBlockDepth_RequestedDepthExceedsAllowed() public {
+    bytes2 requested = bytes2(uint16(101));
+    bytes2 allowed = bytes2(uint16(100));
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidBlockDepth.selector, uint16(101), uint16(100)));
+    s_helper.ensureRequestedFinalityAllowed(requested, allowed);
+  }
+
+  function test__ensureRequestedFinalityAllowed_RevertWhen_InvalidBlockDepth_NoMatchingFlagAndRequestedDepthExceedsAllowed()
+    public
+  {
+    bytes2 requested = bytes2(uint16(1));
+    bytes2 allowed = FinalityCodec.WAIT_FOR_SAFE_FLAG;
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidBlockDepth.selector, uint16(1), uint16(0)));
+    s_helper.ensureRequestedFinalityAllowed(requested, allowed);
+  }
+
+  /// @dev Documents `_ensureRequestedFinalityAllowed` when flag bits overlap but lower bits are non-zero (ill-formed
+  /// for a validated request; callers should run `_validateRequestedFinality` first).
+  function test__ensureRequestedFinalityAllowed_RevertWhen_InvalidRequestedFinality_FlagOverlapWithNonZeroDepth()
+    public
+  {
+    bytes2 requested = bytes2(uint16(uint16(FinalityCodec.WAIT_FOR_SAFE_FLAG) | 7));
+    bytes2 allowed = bytes2(uint16(uint16(FinalityCodec.WAIT_FOR_SAFE_FLAG) | 500));
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidRequestedFinality.selector, requested));
+    s_helper.ensureRequestedFinalityAllowed(requested, allowed);
+  }
+
+  /// forge-config: default.fuzz.runs = 1024
+  /// forge-config: ccip.fuzz.runs = 1024
+  function testFuzz__ensureRequestedFinalityAllowed_RevertWhen_InvalidBlockDepth_RequestedDepthGreaterThanAllowed(
+    uint16 allowedDepth,
+    uint16 requestedDepth
+  ) public {
+    allowedDepth = uint16(bound(uint256(allowedDepth), 0, uint256(FinalityCodec.MAX_BLOCK_DEPTH - 1)));
+    requestedDepth =
+      uint16(bound(uint256(requestedDepth), uint256(allowedDepth) + 1, uint256(FinalityCodec.MAX_BLOCK_DEPTH)));
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidBlockDepth.selector, requestedDepth, allowedDepth));
+    s_helper.ensureRequestedFinalityAllowed(bytes2(requestedDepth), bytes2(allowedDepth));
+  }
+}

chains/evm/contracts/test/libraries/FinalityCodec/FinalityCodec._validateRequestedFinality.t.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodec} from "../../../libraries/FinalityCodec.sol";
+import {FinalityCodecSetup} from "./FinalityCodecSetup.t.sol";
+
+contract FinalityCodec__validateRequestedFinality is FinalityCodecSetup {
+  function test__validateRequestedFinality_WaitForFinality() public view {
+    s_helper.validateRequestedFinality(FinalityCodec.WAIT_FOR_FINALITY_FLAG);
+  }
+
+  function test__validateRequestedFinality_WaitForSafe() public view {
+    s_helper.validateRequestedFinality(FinalityCodec.WAIT_FOR_SAFE_FLAG);
+  }
+
+  function test__validateRequestedFinality_PureBlockDepth_Boundaries() public view {
+    s_helper.validateRequestedFinality(bytes2(uint16(1)));
+    s_helper.validateRequestedFinality(bytes2(FinalityCodec.MAX_BLOCK_DEPTH));
+  }
+
+  function test__validateRequestedFinality_PureBlockDepth_MidRange() public view {
+    s_helper.validateRequestedFinality(bytes2(uint16(500)));
+  }
+
+  // Reverts
+
+  function test__validateRequestedFinality_RevertWhen_InvalidRequestedFinality_FlagWithNonZeroDepth() public {
+    bytes2 invalid = bytes2(uint16(uint16(FinalityCodec.WAIT_FOR_SAFE_FLAG) | 1));
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidRequestedFinality.selector, invalid));
+    s_helper.validateRequestedFinality(invalid);
+  }
+
+  function test__validateRequestedFinality_RevertWhen_InvalidRequestedFinality_MultipleFlagBits() public {
+    bytes2 invalid = bytes2(uint16((1 << 10) | (1 << 11)));
+    vm.expectRevert(abi.encodeWithSelector(FinalityCodec.InvalidRequestedFinality.selector, invalid));
+    s_helper.validateRequestedFinality(invalid);
+  }
+}

chains/evm/contracts/test/libraries/FinalityCodec/FinalityCodecSetup.t.sol

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.24;
+
+import {FinalityCodecHelper} from "../../helpers/FinalityCodecHelper.sol";
+import {Test} from "forge-std/Test.sol";
+
+contract FinalityCodecSetup is Test {
+  FinalityCodecHelper internal s_helper;
+
+  function setUp() public virtual {
+    s_helper = new FinalityCodecHelper();
+  }
+}

chains/evm/foundry.toml

@@ -1,3 +1,4 @@
+# Run Forge tests, coverage, and snapshots with `FOUNDRY_PROFILE=ccip` (see `GNUmakefile` and `package.json`).
 [profile.default]
 solc_version = '0.8.26'
 evm_version = 'paris'

chains/evm/package.json

@@ -7,6 +7,7 @@
   "license": "BUSL-1.1",
   "private": false,
   "scripts": {
+    "test": "FOUNDRY_PROFILE=ccip forge test",
     "publish-beta": "pnpm publish --tag beta",
     "publish-prod": "pnpm publish --tag latest",
     "compile": "./scripts/compile_all",