Goal is to allow pipelining. Invalidating one should invalidate all successive ones

We ought not rely on slip44. We know there will be some 4 byte ID but don't want to nail it down yet

We'll call this ID the "domain" ID. as in sending messages between domains

• shared tests for rust and solidity merkles
• shared tests for rust and solidity message format
• more

async fn signed_update_by_old_root(&self, old_root:: H256) -> Result<Option<SignedUpdate>, ChainCommunicationError>

Should query chain events for an Update event with the correct old root, and return it (if any exists)

• fill in Processor description
• Update others so level of detail is consistent between Notion and GitHub

• right now any actor is allowed to reset a processed message from Message.Processed back to Message.Pending by just calling prove on an already-processed message
• fix: require message in prove() to have status Message.None

The new lib folder relies on the json artifacts.

It is loaded by hardhat before any task, including compile.

Therefore if the artifacts don't exist, hardhat errors during compilation, and the artifacts can't be generated

Figure out how to fix this

Create a series of JSON test vectors that can be read from both the solidity and rust tests
These should test

• that the merkle tree root generation is identical for a large set of leaves
• that proofs generated in rust can be processed by solidity

More materials for explaining what Optics is and how people are expected to interact with it

A rust daemon using optics-base

• maintain a local merkle tree with ALL leaves
• observe >= 1 replica
• wait for confirmations with new batch
• generate proofs for messages when the root changes
• dispatch proofs to replicas (if configured)
• dispatches messages for processing (if configured)

introduced in #38

Need to update optics_base::abis to match the new solidity call

A rust daemon using optics-base:

• observe Home for signed updates
• forward signed updates to the replica contracts
• poll replica contracts for updates that can be confirmed
• cause updates to be confirmed (call confirm)

currently rust/optics-base/update_abis.sh must be manually run to update rust bindings whenever the contract ABI changes. We should ensure that npm run compile ALWAYS does this.

• in optics_core::traits::replica add a prove_and_process function.
  • It should match the Solidity declaration and the existing prove and process functions
  • provide a default implementation in the trait that calls
• in optics_base::abis override the prove_and_process function to use Solidity's proveAndProcess instead of the default

here's the default implementation. it goes in the trait declaration

    /// WRITE A DOCSTRING
    async fn prove_and_process(
        &self,
        message: &Message,
        index: u32,
        proof: [H256; 32],
    ) -> Result<TxOutcome, ChainCommunicationError> {
        // Write a function using `prove` and `process`
    }

https://github.com/rust-lang/rfcs/blob/master/text/2906-cargo-workspace-deduplicate.md

These should check

• checksig behavior
• double update processing
• domain has calculation (compare to rust if possible)

the proveAndProcess function will be easier to read if it only takes three params — message, proof, index — and then passes in keccak256(message) into the prove function

• currently, watcher only checks for double updates
• need to cross-check Replica updates with list of all roots from home to ensure that updater is not signing fake data and only submitting it to the Replica
• listen for Update events from Replica and ensure they exist in Home event logs (i.e. signed_update_by_new_root(replica_root) exists)
• if root doesn't exist halt Home and somehow fail Replicas...

• Static message
• List of static messages
• Random messages

• takes watcher's history map and persists data to disk
• bootup should load this data from disk if it exists
• bootup root collection and disk persistence should both go on new WatcherSync struct

Should come after #75

Right now, it expects 1 signer, but it should accept 0 or 1 signers.

Steps to reproduce:
Run cargo run --example example from /rust/optics-base

Also, update readme to include that cargo run --example example command :)

• get list of all previous Update events emitted from Home and Replica
• fill watcher's history map using list

Comes before #84

• run prettier
• do linting
• run tests / coverage (?)

• upgradability of contracts
  • home
  • replica upgrades
• future voting?
• social reset mechanisms
• code for "big red button" to disconnect a replica of a faulty home
  • who controls these buttons?
  • how do we ensure reliability?
  • how do we rotate them?
• what does "on-chain governance" mean in a cross-chain environment?

• Halting and Restarting on Home

  • halt trigger: how do we trigger the "halted" state --> Watcher proves fraud on Replica
  • halt behavior: what happens when we enter "halted" state --> Updater is slashed; rewards go to Watcher; messages can still be submitted to Home; signed messages aren't accepted
  • gov process: elect a new Updater to replace the fraudulent one
  • restart trigger: when a new Updater has been elected
  • restart behavior: resume signing updates for all the messages

• Halting and Restarting on Replica

  • halt trigger: someone triggers "halt" after observing the Home contract has been halted
  • gov question: who can trigger a halt on the Replica? --
    • fraud can't be proven on the Replica chain, so whoever pushes the "big red button" must be trusted
    • what's the incentive to reliably un-enroll fraudulent Replicas?
      - [ ] 🔨 require the button-pusher to stake on Home, slash them via governance if they don't report to Replica
      - [ ] 🥕 reward the button-pusher for reporting with rewards on the Replica chain
  • halt behavior: un-enroll the Replica for the fraudulent Home from the UsingOptics contract registry
  • _wait for the new Updater to be elected on the old contract
    • possibly flag certain messages as fraudulent (?)
    • possibly flush the current queue of messages (?)
    • possibly deploy an entirely new Replica?_
  • restart trigger: someone triggers restart after observing Updater has been elected on Home
  • gov question: how do we decide who has the authority to re-enroll the Replica after an election?
  • restart behavior: set the new Updater public key on the Replica and re-enroll it with UsingOptics contract

Tactical tasks

• Watcher reporting Updater fraud on Home
  • slash the Updater's stake - custodied in some contract (where ?)
  • reward the Watcher for reporting fraud (give them the stake? give them governance tokens?)
  • could the stake be taken over as part of a community governable fund, perhaps 👁️

Currently we are reproducing these in rust/optics-base/src/abis and in solidity/lib. We should move them to a shared location if possible

hardhat task documentation

Basic hardhat tasks for deploying and manually calling important contract functions.

• Deploy Home
• Deploy Replica
• Enqueue message
• Prove message
• Process message
• Submit Update
• Submit Double Update

• review existing patterns for governing contract upgrades on-chain
  • Uniswap
  • Celo
  • Compound
  • Fei
  • yearn.finance (multisig)
  • Dharma (multisig)
• governance token patterns
  • initial token distribution - who receives tokens ? when? how?
  • voting system - how are tokens used for voting?

Research existing governance systems
Describe design choices & tradeoffs — pros & cons
What do we like about them? What do we not like?

Need designs for:

• updater rotation
  • when is an updater rotated?
  • why?
  • how do we updater handle failure?
  • can we have round robin updates?
• replica notification
  • destination message that all replicas process?
• bond management
  • how is bond size set?
  • how is the bond custodied
• can we have synchrony assumptions?
  • should we embed home chain timestamp in messages?

Natspec documentation for clarification and easier understanding for later bridges newcomers. For now, this would include Common, Home, Replica, and maybe Sortition.

Somehow deleted during conflict resolution...

Should check

• halt on fail
  • set the contract to failed, and ensure that notFailed modifier correctly causes errors
• double updates
• update acceptance
• improper updates
• suggest update behavior
• root calculation and the root queue
  • now: push N messages, log out the root, queue, branch, and messages
  • later: test the solidity against the rust using shared vectors
• write a JS util function to sign updates (@prestwich)

• Add tests to Replica for proving messages (use merkleTestCases.json for cases)
• Add test cases for message formatting helpers (ensure byte indexing is correct)

Should test the the queue is FIFO and doesn't allow out of bounds access

Below is outdated. See code in #71

high level sketch of functionality

• Vault contract
  • unescrows native tokens (or creates non-native ones)
  • escrows tokens (or destroys non-native ones)
  • registers sender and receiver contracts
• Sender contract
  • dispatches messages to the Home contract
  • may send to any destination
• Receiver contract
  • manages a set of create2 addresses for non-native tokens
  • processes messages from a single local replica

big question:
how are tokens recognized based on their route?
- suppose it goes A-> B-> C -> A
- how do we know what to unescrow?

A rust daemon using optics-base:

• connect to the home chain only
• sign update attestations
• submit them to the home chain
• config: escalate gas middleware
• prevent double-update middleware

On the Home.sol contract

• add a function that can be called by anyone that will slash the Updater's stake if a certain amount of time has passed since the a message has been added & an update has not occurred (timestamp should be timestamp of oldest message that has not also been updated)

Update documentation

Other updates?

A rust daemon using optics-base

• connect to home
• connect to any number of replicas
• cache all updates
• check for fraud (double/improper updates)
• submit fraud to home chain
• config: emergency stop on any replica

Relayer is missing config file

• eslint
• solidity coverage? (may be broken)
• rust cargo test
• precommit hooks for running tests and linters?
• circle CI?

• use submitSignedUpdate and submitDoubleUpdate
• use Replica and Home classes

When a message is submitted to the home, it's just a destination, recipient, and message. The Home adds the sequence, origin, and sender attributes. Right now, the rust doesn't have a representation of the Message. just

• Come up with cute names for "message" and "stamped + addressed message"
• Refactor optics-core and optics-base to have 2 separate structs for these

These should check

• optimistic root acceptance
• the new root queue
• batched confirmations
• update signature checking
• halt on failure
• double updates
• merkle proving
• processing a proven message

• review existing upgradability patterns
  • OpenZeppelin
  • avoid the Diamond Standard
• review existing upgradable contract implementations + design choices
  • Compound
  • Uniswap
  • Dharma
  • Celo
• security concerns?