Contracts V2

[vgeddes]

Tasks:

• V2 types
• V2 inbound messaging
• V2 outbound messaging
• Refactor to support both V1 & V2
• Re-implement native token registration for V2 & Kusama compatibility
• Generate encoded XCM fragments for token registration
• Split IGateway into IGatewayV1 and IGatewayV2
• Remove duplicated error definitions scattered throughout code
• Unit tests
• Code documentation

[codecov]

Codecov Report

Attention: Patch coverage is 51.76152% with 178 lines in your changes missing coverage. Please review.

Please upload report for BASE (v2@6d11768). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
contracts/src/Gateway.sol	27.04%	88 Missing and 1 partial ⚠️
contracts/src/v2/Calls.sol	0.00%	50 Missing ⚠️
contracts/src/v2/Handlers.sol	0.00%	21 Missing ⚠️
contracts/src/Functions.sol	80.95%	8 Missing ⚠️
contracts/src/v1/Calls.sol	90.90%	5 Missing ⚠️
contracts/src/AgentExecutor.sol	0.00%	3 Missing ⚠️
contracts/src/upgrades/polkadot/Gateway202411.sol	33.33%	2 Missing ⚠️

Additional details and impacted files

@@          Coverage Diff          @@
##             v2    #1300   +/-   ##
=====================================
  Coverage      ?   60.22%           
=====================================
  Files         ?       23           
  Lines         ?      714           
  Branches      ?      120           
=====================================
  Hits          ?      430           
  Misses        ?      275           
  Partials      ?        9           

Flag	Coverage Δ
solidity	60.22% <51.76%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[yrong]

Since we know agent of asset-hub do exists in production. Is this check nessessary?

[vgeddes]

Yeah the check is not necessary, I'll add a TODO.

[yrong]

Cool, A lot more simple now!

With ticket.xcm does that mean for V2 there is no need to construct xcm on chain any more?

UI will build the xcm and it's the responsibility of relayer to validate the xcm and check the relay is profitable or not.

On BH we just decode the xcm with

VersionedXcm::<()>::decode_with_depth_limit(
    MAX_XCM_DECODE_DEPTH,
    &mut data,
)

and forward it to AH transparently.

[vgeddes]

Yeah, exactly.

Though for registration of native tokens, we need to control the XCM and so we need to build it on chain. See more details in 149c3e4.

[yrong]

Though for registration of native tokens, control the XCM and so we need to build it on chain

Still not sure fully understand why ticket.assets is required here, why not just build the xcm off chain?

@vgeddes I've removed the MessageConverter completely in yrong/polkadot-sdk#3 which I'd assume is not in use any more, correct me if I'm wrong.

[vgeddes]

Still not sure fully understand why ticket.assets is required here, why not just build the xcm off chain?

When the message gets to BH, we convert the payload.assets to instructions like ReserveAssetDeposited,etc, and then append the instructions in payload.xcm.

Or in other words, BH builds final XCM using:

finalXCM = concat(
assets_to_xcm(payload.asssets),
UniversalOrigin(Ethereum)
DescendOrigin(payload.origin)
payload.xcm
)

We can't trust the user to build the entire xcm offchain as they could mint any assets they want. Rather, they can only supply a fragment of the xcm.

[yrong]

We can't trust the user to build the entire xcm offchain as they could mint any assets they want.

Yeah, that make sense.

Instead of convert the assets to xcm, can we just do some basic check on BH to verify the xcm is constructed correctly based upon the assets? e.g.

ensure!(xcm contains DescendOrigin(payload.origin))
ensure!(xcm contains ReserveAssetDeposited(asset)|WithdrawAsset(asset)) // Depends on the transfer type is ENA or PNA
...

So the point here is on chain we do validate rather than construct.

[yrong]

Btw: for transfer I'm not sure DescendOrigin(userOrigin) make sense. For PNA we need to burn the asset locked in Ethereum sovereign on AH. IIUC that's why we change origin to UniversalOrigin(GlobalConsensus(network)) before WithdrawAsset here.

[alistair-singh]

So the point here is on chain we do validate rather than construct.

The issue with this approach is that the validation needs to happen on the Ethereum side in order to do this right. The actual locking/unlocking/minting/burning of tokens occurs on the Ethereum side in solidity, which must match the Assets section of the XCM. If the validation happens on BH or in a relayer, and we reject the message, it is too late because we have already changed the state on the Ethereum side. This is why it is better to build the assets section of the XCM on BH to match what was done on the Ethereum side.

Related comment here: yrong/polkadot-sdk#3 (comment)

[yrong]

it is too late because we have already changed the state on the Ethereum side

Just curious what will happen in this case. Is this something acceptable assuming we will implement error handing mechanism any way? The message with errored xcm will get trapped on BH and we allow end user to edit/repair it?

Something like we allow user to add fee for message pending from Substrate to Ethereum direction, assuming there is no relayer who will pick it up if it's not profitable.

[alistair-singh]

Just curious what will happen in this case. Is this something acceptable assuming we will implement error handing mechanism any way?

I think if the message is queued and if the message is profitable, than once submitted to BH we should not fail for any reason (such as validating the xcm for example) and we should try to always push the assets to AH where they can get trapped if the user passes invalid xcm. And we should trust that we constrain the origin to stop users from doing things that they cannot within the xcm, instead of validating.

[yrong]

should it also be in IGateway.sol? Meanwhile we may need another function isRelayed(nonce) to check if the nonce has been relayed.

[vgeddes]

Good catch!

[yrong]

Gas is uint64.

[alistair-singh]

Maybe test the bits around the set bit to make sure they remain unset.

Suggested change

	assertEq(bitmap.get(384), true);
	assertEq(bitmap.get(383), false);
	assertEq(bitmap.get(384), true);
	assertEq(bitmap.get(385), false);

[alistair-singh]

So the point here is on chain we do validate rather than construct.

The issue with this approach is that the validation needs to happen on the Ethereum side in order to do this right. The actual locking/unlocking/minting/burning of tokens occurs on the Ethereum side in solidity, which must match the Assets section of the XCM. If the validation happens on BH or in a relayer, and we reject the message, it is too late because we have already changed the state on the Ethereum side. This is why it is better to build the assets section of the XCM on BH to match what was done on the Ethereum side.

Related comment here: yrong/polkadot-sdk#3 (comment)

[alistair-singh]

Maybe we should introduce a Network Enum here as a destination parameter, instead of having 2 registers methods. The network can simply contain the Polkadot networks.
https://github.com/paritytech/polkadot-sdk/blob/master/polkadot/xcm/src/v4/junction.rs/#L125

[alistair-singh]

Hardcoded WETH_ADDRESS?

[vgeddes]

yeah, why would it need to be mutable?

[vgeddes]

Oh, I see, for Ethereum testnets, WETH will have a different address. got it. 👍

[alistair-singh]

I think we should add a MultiAddress parameter that can be the asset claimer. If provided then we can use this account with the SetClaimer XCM instruction. If it is zero/empty address then we SetClaimer to the origin(msg.sender).