Cryo Explorer Ethereum Mainnet

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// solhint-disable-next-line interface-starts-with-i
interface AggregatorV3Interface {
  function decimals() external view returns (uint8);

  function description() external view returns (string memory);

  function version() external view returns (uint256);

  function getRoundData(
    uint80 _roundId
  ) external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);

  function latestRoundData()
    external
    view
    returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (access/Ownable.sol)

pragma solidity ^0.8.0;

import "../utils/ContextUpgradeable.sol";
import {Initializable} from "../proxy/utils/Initializable.sol";

/**
 * @dev Contract module which provides a basic access control mechanism, where
 * there is an account (an owner) that can be granted exclusive access to
 * specific functions.
 *
 * By default, the owner account will be the one that deploys the contract. This
 * can later be changed with {transferOwnership}.
 *
 * This module is used through inheritance. It will make available the modifier
 * `onlyOwner`, which can be applied to your functions to restrict their use to
 * the owner.
 */
abstract contract OwnableUpgradeable is Initializable, ContextUpgradeable {
    address private _owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    /**
     * @dev Initializes the contract setting the deployer as the initial owner.
     */
    function __Ownable_init() internal onlyInitializing {
        __Ownable_init_unchained();
    }

    function __Ownable_init_unchained() internal onlyInitializing {
        _transferOwnership(_msgSender());
    }

    /**
     * @dev Throws if called by any account other than the owner.
     */
    modifier onlyOwner() {
        _checkOwner();
        _;
    }

    /**
     * @dev Returns the address of the current owner.
     */
    function owner() public view virtual returns (address) {
        return _owner;
    }

    /**
     * @dev Throws if the sender is not the owner.
     */
    function _checkOwner() internal view virtual {
        require(owner() == _msgSender(), "Ownable: caller is not the owner");
    }

    /**
     * @dev Leaves the contract without owner. It will not be possible to call
     * `onlyOwner` functions. Can only be called by the current owner.
     *
     * NOTE: Renouncing ownership will leave the contract without an owner,
     * thereby disabling any functionality that is only available to the owner.
     */
    function renounceOwnership() public virtual onlyOwner {
        _transferOwnership(address(0));
    }

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`).
     * Can only be called by the current owner.
     */
    function transferOwnership(address newOwner) public virtual onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        _transferOwnership(newOwner);
    }

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`).
     * Internal function without access restriction.
     */
    function _transferOwnership(address newOwner) internal virtual {
        address oldOwner = _owner;
        _owner = newOwner;
        emit OwnershipTransferred(oldOwner, newOwner);
    }

    /**
     * @dev This empty reserved space is put in place to allow future versions to add new
     * variables without shifting down storage in the inheritance chain.
     * See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
     */
    uint256[49] private __gap;
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (proxy/utils/Initializable.sol)

pragma solidity ^0.8.2;

import "../../utils/AddressUpgradeable.sol";

/**
 * @dev This is a base contract to aid in writing upgradeable contracts, or any kind of contract that will be deployed
 * behind a proxy. Since proxied contracts do not make use of a constructor, it's common to move constructor logic to an
 * external initializer function, usually called `initialize`. It then becomes necessary to protect this initializer
 * function so it can only be called once. The {initializer} modifier provided by this contract will have this effect.
 *
 * The initialization functions use a version number. Once a version number is used, it is consumed and cannot be
 * reused. This mechanism prevents re-execution of each "step" but allows the creation of new initialization steps in
 * case an upgrade adds a module that needs to be initialized.
 *
 * For example:
 *
 * [.hljs-theme-light.nopadding]
 * ```solidity
 * contract MyToken is ERC20Upgradeable {
 *     function initialize() initializer public {
 *         __ERC20_init("MyToken", "MTK");
 *     }
 * }
 *
 * contract MyTokenV2 is MyToken, ERC20PermitUpgradeable {
 *     function initializeV2() reinitializer(2) public {
 *         __ERC20Permit_init("MyToken");
 *     }
 * }
 * ```
 *
 * TIP: To avoid leaving the proxy in an uninitialized state, the initializer function should be called as early as
 * possible by providing the encoded function call as the `_data` argument to {ERC1967Proxy-constructor}.
 *
 * CAUTION: When used with inheritance, manual care must be taken to not invoke a parent initializer twice, or to ensure
 * that all initializers are idempotent. This is not verified automatically as constructors are by Solidity.
 *
 * [CAUTION]
 * ====
 * Avoid leaving a contract uninitialized.
 *
 * An uninitialized contract can be taken over by an attacker. This applies to both a proxy and its implementation
 * contract, which may impact the proxy. To prevent the implementation contract from being used, you should invoke
 * the {_disableInitializers} function in the constructor to automatically lock it when it is deployed:
 *
 * [.hljs-theme-light.nopadding]
 * ```
 * /// @custom:oz-upgrades-unsafe-allow constructor
 * constructor() {
 *     _disableInitializers();
 * }
 * ```
 * ====
 */
abstract contract Initializable {
    /**
     * @dev Indicates that the contract has been initialized.
     * @custom:oz-retyped-from bool
     */
    uint8 private _initialized;

    /**
     * @dev Indicates that the contract is in the process of being initialized.
     */
    bool private _initializing;

    /**
     * @dev Triggered when the contract has been initialized or reinitialized.
     */
    event Initialized(uint8 version);

    /**
     * @dev A modifier that defines a protected initializer function that can be invoked at most once. In its scope,
     * `onlyInitializing` functions can be used to initialize parent contracts.
     *
     * Similar to `reinitializer(1)`, except that functions marked with `initializer` can be nested in the context of a
     * constructor.
     *
     * Emits an {Initialized} event.
     */
    modifier initializer() {
        bool isTopLevelCall = !_initializing;
        require(
            (isTopLevelCall && _initialized < 1) || (!AddressUpgradeable.isContract(address(this)) && _initialized == 1),
            "Initializable: contract is already initialized"
        );
        _initialized = 1;
        if (isTopLevelCall) {
            _initializing = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
            emit Initialized(1);
        }
    }

    /**
     * @dev A modifier that defines a protected reinitializer function that can be invoked at most once, and only if the
     * contract hasn't been initialized to a greater version before. In its scope, `onlyInitializing` functions can be
     * used to initialize parent contracts.
     *
     * A reinitializer may be used after the original initialization step. This is essential to configure modules that
     * are added through upgrades and that require initialization.
     *
     * When `version` is 1, this modifier is similar to `initializer`, except that functions marked with `reinitializer`
     * cannot be nested. If one is invoked in the context of another, execution will revert.
     *
     * Note that versions can jump in increments greater than 1; this implies that if multiple reinitializers coexist in
     * a contract, executing them in the right order is up to the developer or operator.
     *
     * WARNING: setting the version to 255 will prevent any future reinitialization.
     *
     * Emits an {Initialized} event.
     */
    modifier reinitializer(uint8 version) {
        require(!_initializing && _initialized < version, "Initializable: contract is already initialized");
        _initialized = version;
        _initializing = true;
        _;
        _initializing = false;
        emit Initialized(version);
    }

    /**
     * @dev Modifier to protect an initialization function so that it can only be invoked by functions with the
     * {initializer} and {reinitializer} modifiers, directly or indirectly.
     */
    modifier onlyInitializing() {
        require(_initializing, "Initializable: contract is not initializing");
        _;
    }

    /**
     * @dev Locks the contract, preventing any future reinitialization. This cannot be part of an initializer call.
     * Calling this in the constructor of a contract will prevent that contract from being initialized or reinitialized
     * to any version. It is recommended to use this to lock implementation contracts that are designed to be called
     * through proxies.
     *
     * Emits an {Initialized} event the first time it is successfully executed.
     */
    function _disableInitializers() internal virtual {
        require(!_initializing, "Initializable: contract is initializing");
        if (_initialized != type(uint8).max) {
            _initialized = type(uint8).max;
            emit Initialized(type(uint8).max);
        }
    }

    /**
     * @dev Returns the highest version that has been initialized. See {reinitializer}.
     */
    function _getInitializedVersion() internal view returns (uint8) {
        return _initialized;
    }

    /**
     * @dev Returns `true` if the contract is currently initializing. See {onlyInitializing}.
     */
    function _isInitializing() internal view returns (bool) {
        return _initializing;
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Address.sol)

pragma solidity ^0.8.1;

/**
 * @dev Collection of functions related to the address type
 */
library AddressUpgradeable {
    /**
     * @dev Returns true if `account` is a contract.
     *
     * [IMPORTANT]
     * ====
     * It is unsafe to assume that an address for which this function returns
     * false is an externally-owned account (EOA) and not a contract.
     *
     * Among others, `isContract` will return false for the following
     * types of addresses:
     *
     *  - an externally-owned account
     *  - a contract in construction
     *  - an address where a contract will be created
     *  - an address where a contract lived, but was destroyed
     *
     * Furthermore, `isContract` will also return true if the target contract within
     * the same transaction is already scheduled for destruction by `SELFDESTRUCT`,
     * which only has an effect at the end of a transaction.
     * ====
     *
     * [IMPORTANT]
     * ====
     * You shouldn't rely on `isContract` to protect against flash loan attacks!
     *
     * Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
     * like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
     * constructor.
     * ====
     */
    function isContract(address account) internal view returns (bool) {
        // This method relies on extcodesize/address.code.length, which returns 0
        // for contracts in construction, since the code is only stored at the end
        // of the constructor execution.

        return account.code.length > 0;
    }

    /**
     * @dev Replacement for Solidity's `transfer`: sends `amount` wei to
     * `recipient`, forwarding all available gas and reverting on errors.
     *
     * https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
     * of certain opcodes, possibly making contracts go over the 2300 gas limit
     * imposed by `transfer`, making them unable to receive funds via
     * `transfer`. {sendValue} removes this limitation.
     *
     * https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/[Learn more].
     *
     * IMPORTANT: because control is transferred to `recipient`, care must be
     * taken to not create reentrancy vulnerabilities. Consider using
     * {ReentrancyGuard} or the
     * https://solidity.readthedocs.io/en/v0.8.0/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
     */
    function sendValue(address payable recipient, uint256 amount) internal {
        require(address(this).balance >= amount, "Address: insufficient balance");

        (bool success, ) = recipient.call{value: amount}("");
        require(success, "Address: unable to send value, recipient may have reverted");
    }

    /**
     * @dev Performs a Solidity function call using a low level `call`. A
     * plain `call` is an unsafe replacement for a function call: use this
     * function instead.
     *
     * If `target` reverts with a revert reason, it is bubbled up by this
     * function (like regular Solidity function calls).
     *
     * Returns the raw returned data. To convert to the expected return value,
     * use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
     *
     * Requirements:
     *
     * - `target` must be a contract.
     * - calling `target` with `data` must not revert.
     *
     * _Available since v3.1._
     */
    function functionCall(address target, bytes memory data) internal returns (bytes memory) {
        return functionCallWithValue(target, data, 0, "Address: low-level call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
     * `errorMessage` as a fallback revert reason when `target` reverts.
     *
     * _Available since v3.1._
     */
    function functionCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal returns (bytes memory) {
        return functionCallWithValue(target, data, 0, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but also transferring `value` wei to `target`.
     *
     * Requirements:
     *
     * - the calling contract must have an ETH balance of at least `value`.
     * - the called Solidity function must be `payable`.
     *
     * _Available since v3.1._
     */
    function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
        return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
    }

    /**
     * @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
     * with `errorMessage` as a fallback revert reason when `target` reverts.
     *
     * _Available since v3.1._
     */
    function functionCallWithValue(
        address target,
        bytes memory data,
        uint256 value,
        string memory errorMessage
    ) internal returns (bytes memory) {
        require(address(this).balance >= value, "Address: insufficient balance for call");
        (bool success, bytes memory returndata) = target.call{value: value}(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but performing a static call.
     *
     * _Available since v3.3._
     */
    function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
        return functionStaticCall(target, data, "Address: low-level static call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
     * but performing a static call.
     *
     * _Available since v3.3._
     */
    function functionStaticCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal view returns (bytes memory) {
        (bool success, bytes memory returndata) = target.staticcall(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but performing a delegate call.
     *
     * _Available since v3.4._
     */
    function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
        return functionDelegateCall(target, data, "Address: low-level delegate call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
     * but performing a delegate call.
     *
     * _Available since v3.4._
     */
    function functionDelegateCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal returns (bytes memory) {
        (bool success, bytes memory returndata) = target.delegatecall(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
     * the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
     *
     * _Available since v4.8._
     */
    function verifyCallResultFromTarget(
        address target,
        bool success,
        bytes memory returndata,
        string memory errorMessage
    ) internal view returns (bytes memory) {
        if (success) {
            if (returndata.length == 0) {
                // only check isContract if the call was successful and the return data is empty
                // otherwise we already know that it was a contract
                require(isContract(target), "Address: call to non-contract");
            }
            return returndata;
        } else {
            _revert(returndata, errorMessage);
        }
    }

    /**
     * @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
     * revert reason or using the provided one.
     *
     * _Available since v4.3._
     */
    function verifyCallResult(
        bool success,
        bytes memory returndata,
        string memory errorMessage
    ) internal pure returns (bytes memory) {
        if (success) {
            return returndata;
        } else {
            _revert(returndata, errorMessage);
        }
    }

    function _revert(bytes memory returndata, string memory errorMessage) private pure {
        // Look for revert reason and bubble it up if present
        if (returndata.length > 0) {
            // The easiest way to bubble the revert reason is using memory via assembly
            /// @solidity memory-safe-assembly
            assembly {
                let returndata_size := mload(returndata)
                revert(add(32, returndata), returndata_size)
            }
        } else {
            revert(errorMessage);
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.4) (utils/Context.sol)

pragma solidity ^0.8.0;
import {Initializable} from "../proxy/utils/Initializable.sol";

/**
 * @dev Provides information about the current execution context, including the
 * sender of the transaction and its data. While these are generally available
 * via msg.sender and msg.data, they should not be accessed in such a direct
 * manner, since when dealing with meta-transactions the account sending and
 * paying for execution may not be the actual sender (as far as an application
 * is concerned).
 *
 * This contract is only required for intermediate, library-like contracts.
 */
abstract contract ContextUpgradeable is Initializable {
    function __Context_init() internal onlyInitializing {
    }

    function __Context_init_unchained() internal onlyInitializing {
    }
    function _msgSender() internal view virtual returns (address) {
        return msg.sender;
    }

    function _msgData() internal view virtual returns (bytes calldata) {
        return msg.data;
    }

    function _contextSuffixLength() internal view virtual returns (uint256) {
        return 0;
    }

    /**
     * @dev This empty reserved space is put in place to allow future versions to add new
     * variables without shifting down storage in the inheritance chain.
     * See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
     */
    uint256[50] private __gap;
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (token/ERC20/IERC20.sol)

pragma solidity ^0.8.0;

/**
 * @dev Interface of the ERC20 standard as defined in the EIP.
 */
interface IERC20 {
    /**
     * @dev Emitted when `value` tokens are moved from one account (`from`) to
     * another (`to`).
     *
     * Note that `value` may be zero.
     */
    event Transfer(address indexed from, address indexed to, uint256 value);

    /**
     * @dev Emitted when the allowance of a `spender` for an `owner` is set by
     * a call to {approve}. `value` is the new allowance.
     */
    event Approval(address indexed owner, address indexed spender, uint256 value);

    /**
     * @dev Returns the amount of tokens in existence.
     */
    function totalSupply() external view returns (uint256);

    /**
     * @dev Returns the amount of tokens owned by `account`.
     */
    function balanceOf(address account) external view returns (uint256);

    /**
     * @dev Moves `amount` tokens from the caller's account to `to`.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * Emits a {Transfer} event.
     */
    function transfer(address to, uint256 amount) external returns (bool);

    /**
     * @dev Returns the remaining number of tokens that `spender` will be
     * allowed to spend on behalf of `owner` through {transferFrom}. This is
     * zero by default.
     *
     * This value changes when {approve} or {transferFrom} are called.
     */
    function allowance(address owner, address spender) external view returns (uint256);

    /**
     * @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * IMPORTANT: Beware that changing an allowance with this method brings the risk
     * that someone may use both the old and the new allowance by unfortunate
     * transaction ordering. One possible solution to mitigate this race
     * condition is to first reduce the spender's allowance to 0 and set the
     * desired value afterwards:
     * https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
     *
     * Emits an {Approval} event.
     */
    function approve(address spender, uint256 amount) external returns (bool);

    /**
     * @dev Moves `amount` tokens from `from` to `to` using the
     * allowance mechanism. `amount` is then deducted from the caller's
     * allowance.
     *
     * Returns a boolean value indicating whether the operation succeeded.
     *
     * Emits a {Transfer} event.
     */
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.4) (token/ERC20/extensions/IERC20Permit.sol)

pragma solidity ^0.8.0;

/**
 * @dev Interface of the ERC20 Permit extension allowing approvals to be made via signatures, as defined in
 * https://eips.ethereum.org/EIPS/eip-2612[EIP-2612].
 *
 * Adds the {permit} method, which can be used to change an account's ERC20 allowance (see {IERC20-allowance}) by
 * presenting a message signed by the account. By not relying on {IERC20-approve}, the token holder account doesn't
 * need to send a transaction, and thus is not required to hold Ether at all.
 *
 * ==== Security Considerations
 *
 * There are two important considerations concerning the use of `permit`. The first is that a valid permit signature
 * expresses an allowance, and it should not be assumed to convey additional meaning. In particular, it should not be
 * considered as an intention to spend the allowance in any specific way. The second is that because permits have
 * built-in replay protection and can be submitted by anyone, they can be frontrun. A protocol that uses permits should
 * take this into consideration and allow a `permit` call to fail. Combining these two aspects, a pattern that may be
 * generally recommended is:
 *
 * ```solidity
 * function doThingWithPermit(..., uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public {
 *     try token.permit(msg.sender, address(this), value, deadline, v, r, s) {} catch {}
 *     doThing(..., value);
 * }
 *
 * function doThing(..., uint256 value) public {
 *     token.safeTransferFrom(msg.sender, address(this), value);
 *     ...
 * }
 * ```
 *
 * Observe that: 1) `msg.sender` is used as the owner, leaving no ambiguity as to the signer intent, and 2) the use of
 * `try/catch` allows the permit to fail and makes the code tolerant to frontrunning. (See also
 * {SafeERC20-safeTransferFrom}).
 *
 * Additionally, note that smart contract wallets (such as Argent or Safe) are not able to produce permit signatures, so
 * contracts should have entry points that don't rely on permit.
 */
interface IERC20Permit {
    /**
     * @dev Sets `value` as the allowance of `spender` over ``owner``'s tokens,
     * given ``owner``'s signed approval.
     *
     * IMPORTANT: The same issues {IERC20-approve} has related to transaction
     * ordering also apply here.
     *
     * Emits an {Approval} event.
     *
     * Requirements:
     *
     * - `spender` cannot be the zero address.
     * - `deadline` must be a timestamp in the future.
     * - `v`, `r` and `s` must be a valid `secp256k1` signature from `owner`
     * over the EIP712-formatted function arguments.
     * - the signature must use ``owner``'s current nonce (see {nonces}).
     *
     * For more information on the signature format, see the
     * https://eips.ethereum.org/EIPS/eip-2612#specification[relevant EIP
     * section].
     *
     * CAUTION: See Security Considerations above.
     */
    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external;

    /**
     * @dev Returns the current nonce for `owner`. This value must be
     * included whenever a signature is generated for {permit}.
     *
     * Every successful call to {permit} increases ``owner``'s nonce by one. This
     * prevents a signature from being used multiple times.
     */
    function nonces(address owner) external view returns (uint256);

    /**
     * @dev Returns the domain separator used in the encoding of the signature for {permit}, as defined by {EIP712}.
     */
    // solhint-disable-next-line func-name-mixedcase
    function DOMAIN_SEPARATOR() external view returns (bytes32);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.3) (token/ERC20/utils/SafeERC20.sol)

pragma solidity ^0.8.0;

import "../IERC20.sol";
import "../extensions/IERC20Permit.sol";
import "../../../utils/Address.sol";

/**
 * @title SafeERC20
 * @dev Wrappers around ERC20 operations that throw on failure (when the token
 * contract returns false). Tokens that return no value (and instead revert or
 * throw on failure) are also supported, non-reverting calls are assumed to be
 * successful.
 * To use this library you can add a `using SafeERC20 for IERC20;` statement to your contract,
 * which allows you to call the safe operations as `token.safeTransfer(...)`, etc.
 */
library SafeERC20 {
    using Address for address;

    /**
     * @dev Transfer `value` amount of `token` from the calling contract to `to`. If `token` returns no value,
     * non-reverting calls are assumed to be successful.
     */
    function safeTransfer(IERC20 token, address to, uint256 value) internal {
        _callOptionalReturn(token, abi.encodeWithSelector(token.transfer.selector, to, value));
    }

    /**
     * @dev Transfer `value` amount of `token` from `from` to `to`, spending the approval given by `from` to the
     * calling contract. If `token` returns no value, non-reverting calls are assumed to be successful.
     */
    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
        _callOptionalReturn(token, abi.encodeWithSelector(token.transferFrom.selector, from, to, value));
    }

    /**
     * @dev Deprecated. This function has issues similar to the ones found in
     * {IERC20-approve}, and its usage is discouraged.
     *
     * Whenever possible, use {safeIncreaseAllowance} and
     * {safeDecreaseAllowance} instead.
     */
    function safeApprove(IERC20 token, address spender, uint256 value) internal {
        // safeApprove should only be called when setting an initial allowance,
        // or when resetting it to zero. To increase and decrease it, use
        // 'safeIncreaseAllowance' and 'safeDecreaseAllowance'
        require(
            (value == 0) || (token.allowance(address(this), spender) == 0),
            "SafeERC20: approve from non-zero to non-zero allowance"
        );
        _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, value));
    }

    /**
     * @dev Increase the calling contract's allowance toward `spender` by `value`. If `token` returns no value,
     * non-reverting calls are assumed to be successful.
     */
    function safeIncreaseAllowance(IERC20 token, address spender, uint256 value) internal {
        uint256 oldAllowance = token.allowance(address(this), spender);
        _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, oldAllowance + value));
    }

    /**
     * @dev Decrease the calling contract's allowance toward `spender` by `value`. If `token` returns no value,
     * non-reverting calls are assumed to be successful.
     */
    function safeDecreaseAllowance(IERC20 token, address spender, uint256 value) internal {
        unchecked {
            uint256 oldAllowance = token.allowance(address(this), spender);
            require(oldAllowance >= value, "SafeERC20: decreased allowance below zero");
            _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, oldAllowance - value));
        }
    }

    /**
     * @dev Set the calling contract's allowance toward `spender` to `value`. If `token` returns no value,
     * non-reverting calls are assumed to be successful. Meant to be used with tokens that require the approval
     * to be set to zero before setting it to a non-zero value, such as USDT.
     */
    function forceApprove(IERC20 token, address spender, uint256 value) internal {
        bytes memory approvalCall = abi.encodeWithSelector(token.approve.selector, spender, value);

        if (!_callOptionalReturnBool(token, approvalCall)) {
            _callOptionalReturn(token, abi.encodeWithSelector(token.approve.selector, spender, 0));
            _callOptionalReturn(token, approvalCall);
        }
    }

    /**
     * @dev Use a ERC-2612 signature to set the `owner` approval toward `spender` on `token`.
     * Revert on invalid signature.
     */
    function safePermit(
        IERC20Permit token,
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) internal {
        uint256 nonceBefore = token.nonces(owner);
        token.permit(owner, spender, value, deadline, v, r, s);
        uint256 nonceAfter = token.nonces(owner);
        require(nonceAfter == nonceBefore + 1, "SafeERC20: permit did not succeed");
    }

    /**
     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
     * on the return value: the return value is optional (but if data is returned, it must not be false).
     * @param token The token targeted by the call.
     * @param data The call data (encoded using abi.encode or one of its variants).
     */
    function _callOptionalReturn(IERC20 token, bytes memory data) private {
        // We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
        // we're implementing it ourselves. We use {Address-functionCall} to perform this call, which verifies that
        // the target address contains contract code and also asserts for success in the low-level call.

        bytes memory returndata = address(token).functionCall(data, "SafeERC20: low-level call failed");
        require(returndata.length == 0 || abi.decode(returndata, (bool)), "SafeERC20: ERC20 operation did not succeed");
    }

    /**
     * @dev Imitates a Solidity high-level call (i.e. a regular function call to a contract), relaxing the requirement
     * on the return value: the return value is optional (but if data is returned, it must not be false).
     * @param token The token targeted by the call.
     * @param data The call data (encoded using abi.encode or one of its variants).
     *
     * This is a variant of {_callOptionalReturn} that silents catches all reverts and returns a bool instead.
     */
    function _callOptionalReturnBool(IERC20 token, bytes memory data) private returns (bool) {
        // We need to perform a low level call here, to bypass Solidity's return data size checking mechanism, since
        // we're implementing it ourselves. We cannot use {Address-functionCall} here since this should return false
        // and not revert is the subcall reverts.

        (bool success, bytes memory returndata) = address(token).call(data);
        return
            success && (returndata.length == 0 || abi.decode(returndata, (bool))) && Address.isContract(address(token));
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (token/ERC721/IERC721.sol)

pragma solidity ^0.8.0;

import "../../utils/introspection/IERC165.sol";

/**
 * @dev Required interface of an ERC721 compliant contract.
 */
interface IERC721 is IERC165 {
    /**
     * @dev Emitted when `tokenId` token is transferred from `from` to `to`.
     */
    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    /**
     * @dev Emitted when `owner` enables `approved` to manage the `tokenId` token.
     */
    event Approval(address indexed owner, address indexed approved, uint256 indexed tokenId);

    /**
     * @dev Emitted when `owner` enables or disables (`approved`) `operator` to manage all of its assets.
     */
    event ApprovalForAll(address indexed owner, address indexed operator, bool approved);

    /**
     * @dev Returns the number of tokens in ``owner``'s account.
     */
    function balanceOf(address owner) external view returns (uint256 balance);

    /**
     * @dev Returns the owner of the `tokenId` token.
     *
     * Requirements:
     *
     * - `tokenId` must exist.
     */
    function ownerOf(uint256 tokenId) external view returns (address owner);

    /**
     * @dev Safely transfers `tokenId` token from `from` to `to`.
     *
     * Requirements:
     *
     * - `from` cannot be the zero address.
     * - `to` cannot be the zero address.
     * - `tokenId` token must exist and be owned by `from`.
     * - If the caller is not `from`, it must be approved to move this token by either {approve} or {setApprovalForAll}.
     * - If `to` refers to a smart contract, it must implement {IERC721Receiver-onERC721Received}, which is called upon a safe transfer.
     *
     * Emits a {Transfer} event.
     */
    function safeTransferFrom(address from, address to, uint256 tokenId, bytes calldata data) external;

    /**
     * @dev Safely transfers `tokenId` token from `from` to `to`, checking first that contract recipients
     * are aware of the ERC721 protocol to prevent tokens from being forever locked.
     *
     * Requirements:
     *
     * - `from` cannot be the zero address.
     * - `to` cannot be the zero address.
     * - `tokenId` token must exist and be owned by `from`.
     * - If the caller is not `from`, it must have been allowed to move this token by either {approve} or {setApprovalForAll}.
     * - If `to` refers to a smart contract, it must implement {IERC721Receiver-onERC721Received}, which is called upon a safe transfer.
     *
     * Emits a {Transfer} event.
     */
    function safeTransferFrom(address from, address to, uint256 tokenId) external;

    /**
     * @dev Transfers `tokenId` token from `from` to `to`.
     *
     * WARNING: Note that the caller is responsible to confirm that the recipient is capable of receiving ERC721
     * or else they may be permanently lost. Usage of {safeTransferFrom} prevents loss, though the caller must
     * understand this adds an external call which potentially creates a reentrancy vulnerability.
     *
     * Requirements:
     *
     * - `from` cannot be the zero address.
     * - `to` cannot be the zero address.
     * - `tokenId` token must be owned by `from`.
     * - If the caller is not `from`, it must be approved to move this token by either {approve} or {setApprovalForAll}.
     *
     * Emits a {Transfer} event.
     */
    function transferFrom(address from, address to, uint256 tokenId) external;

    /**
     * @dev Gives permission to `to` to transfer `tokenId` token to another account.
     * The approval is cleared when the token is transferred.
     *
     * Only a single account can be approved at a time, so approving the zero address clears previous approvals.
     *
     * Requirements:
     *
     * - The caller must own the token or be an approved operator.
     * - `tokenId` must exist.
     *
     * Emits an {Approval} event.
     */
    function approve(address to, uint256 tokenId) external;

    /**
     * @dev Approve or remove `operator` as an operator for the caller.
     * Operators can call {transferFrom} or {safeTransferFrom} for any token owned by the caller.
     *
     * Requirements:
     *
     * - The `operator` cannot be the caller.
     *
     * Emits an {ApprovalForAll} event.
     */
    function setApprovalForAll(address operator, bool approved) external;

    /**
     * @dev Returns the account approved for `tokenId` token.
     *
     * Requirements:
     *
     * - `tokenId` must exist.
     */
    function getApproved(uint256 tokenId) external view returns (address operator);

    /**
     * @dev Returns if the `operator` is allowed to manage all of the assets of `owner`.
     *
     * See {setApprovalForAll}
     */
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Address.sol)

pragma solidity ^0.8.1;

/**
 * @dev Collection of functions related to the address type
 */
library Address {
    /**
     * @dev Returns true if `account` is a contract.
     *
     * [IMPORTANT]
     * ====
     * It is unsafe to assume that an address for which this function returns
     * false is an externally-owned account (EOA) and not a contract.
     *
     * Among others, `isContract` will return false for the following
     * types of addresses:
     *
     *  - an externally-owned account
     *  - a contract in construction
     *  - an address where a contract will be created
     *  - an address where a contract lived, but was destroyed
     *
     * Furthermore, `isContract` will also return true if the target contract within
     * the same transaction is already scheduled for destruction by `SELFDESTRUCT`,
     * which only has an effect at the end of a transaction.
     * ====
     *
     * [IMPORTANT]
     * ====
     * You shouldn't rely on `isContract` to protect against flash loan attacks!
     *
     * Preventing calls from contracts is highly discouraged. It breaks composability, breaks support for smart wallets
     * like Gnosis Safe, and does not provide security since it can be circumvented by calling from a contract
     * constructor.
     * ====
     */
    function isContract(address account) internal view returns (bool) {
        // This method relies on extcodesize/address.code.length, which returns 0
        // for contracts in construction, since the code is only stored at the end
        // of the constructor execution.

        return account.code.length > 0;
    }

    /**
     * @dev Replacement for Solidity's `transfer`: sends `amount` wei to
     * `recipient`, forwarding all available gas and reverting on errors.
     *
     * https://eips.ethereum.org/EIPS/eip-1884[EIP1884] increases the gas cost
     * of certain opcodes, possibly making contracts go over the 2300 gas limit
     * imposed by `transfer`, making them unable to receive funds via
     * `transfer`. {sendValue} removes this limitation.
     *
     * https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/[Learn more].
     *
     * IMPORTANT: because control is transferred to `recipient`, care must be
     * taken to not create reentrancy vulnerabilities. Consider using
     * {ReentrancyGuard} or the
     * https://solidity.readthedocs.io/en/v0.8.0/security-considerations.html#use-the-checks-effects-interactions-pattern[checks-effects-interactions pattern].
     */
    function sendValue(address payable recipient, uint256 amount) internal {
        require(address(this).balance >= amount, "Address: insufficient balance");

        (bool success, ) = recipient.call{value: amount}("");
        require(success, "Address: unable to send value, recipient may have reverted");
    }

    /**
     * @dev Performs a Solidity function call using a low level `call`. A
     * plain `call` is an unsafe replacement for a function call: use this
     * function instead.
     *
     * If `target` reverts with a revert reason, it is bubbled up by this
     * function (like regular Solidity function calls).
     *
     * Returns the raw returned data. To convert to the expected return value,
     * use https://solidity.readthedocs.io/en/latest/units-and-global-variables.html?highlight=abi.decode#abi-encoding-and-decoding-functions[`abi.decode`].
     *
     * Requirements:
     *
     * - `target` must be a contract.
     * - calling `target` with `data` must not revert.
     *
     * _Available since v3.1._
     */
    function functionCall(address target, bytes memory data) internal returns (bytes memory) {
        return functionCallWithValue(target, data, 0, "Address: low-level call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`], but with
     * `errorMessage` as a fallback revert reason when `target` reverts.
     *
     * _Available since v3.1._
     */
    function functionCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal returns (bytes memory) {
        return functionCallWithValue(target, data, 0, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but also transferring `value` wei to `target`.
     *
     * Requirements:
     *
     * - the calling contract must have an ETH balance of at least `value`.
     * - the called Solidity function must be `payable`.
     *
     * _Available since v3.1._
     */
    function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
        return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
    }

    /**
     * @dev Same as {xref-Address-functionCallWithValue-address-bytes-uint256-}[`functionCallWithValue`], but
     * with `errorMessage` as a fallback revert reason when `target` reverts.
     *
     * _Available since v3.1._
     */
    function functionCallWithValue(
        address target,
        bytes memory data,
        uint256 value,
        string memory errorMessage
    ) internal returns (bytes memory) {
        require(address(this).balance >= value, "Address: insufficient balance for call");
        (bool success, bytes memory returndata) = target.call{value: value}(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but performing a static call.
     *
     * _Available since v3.3._
     */
    function functionStaticCall(address target, bytes memory data) internal view returns (bytes memory) {
        return functionStaticCall(target, data, "Address: low-level static call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
     * but performing a static call.
     *
     * _Available since v3.3._
     */
    function functionStaticCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal view returns (bytes memory) {
        (bool success, bytes memory returndata) = target.staticcall(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-}[`functionCall`],
     * but performing a delegate call.
     *
     * _Available since v3.4._
     */
    function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
        return functionDelegateCall(target, data, "Address: low-level delegate call failed");
    }

    /**
     * @dev Same as {xref-Address-functionCall-address-bytes-string-}[`functionCall`],
     * but performing a delegate call.
     *
     * _Available since v3.4._
     */
    function functionDelegateCall(
        address target,
        bytes memory data,
        string memory errorMessage
    ) internal returns (bytes memory) {
        (bool success, bytes memory returndata) = target.delegatecall(data);
        return verifyCallResultFromTarget(target, success, returndata, errorMessage);
    }

    /**
     * @dev Tool to verify that a low level call to smart-contract was successful, and revert (either by bubbling
     * the revert reason or using the provided one) in case of unsuccessful call or if target was not a contract.
     *
     * _Available since v4.8._
     */
    function verifyCallResultFromTarget(
        address target,
        bool success,
        bytes memory returndata,
        string memory errorMessage
    ) internal view returns (bytes memory) {
        if (success) {
            if (returndata.length == 0) {
                // only check isContract if the call was successful and the return data is empty
                // otherwise we already know that it was a contract
                require(isContract(target), "Address: call to non-contract");
            }
            return returndata;
        } else {
            _revert(returndata, errorMessage);
        }
    }

    /**
     * @dev Tool to verify that a low level call was successful, and revert if it wasn't, either by bubbling the
     * revert reason or using the provided one.
     *
     * _Available since v4.3._
     */
    function verifyCallResult(
        bool success,
        bytes memory returndata,
        string memory errorMessage
    ) internal pure returns (bytes memory) {
        if (success) {
            return returndata;
        } else {
            _revert(returndata, errorMessage);
        }
    }

    function _revert(bytes memory returndata, string memory errorMessage) private pure {
        // Look for revert reason and bubble it up if present
        if (returndata.length > 0) {
            // The easiest way to bubble the revert reason is using memory via assembly
            /// @solidity memory-safe-assembly
            assembly {
                let returndata_size := mload(returndata)
                revert(add(32, returndata), returndata_size)
            }
        } else {
            revert(errorMessage);
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/StorageSlot.sol)
// This file was procedurally generated from scripts/generate/templates/StorageSlot.js.

pragma solidity ^0.8.0;

/**
 * @dev Library for reading and writing primitive types to specific storage slots.
 *
 * Storage slots are often used to avoid storage conflict when dealing with upgradeable contracts.
 * This library helps with reading and writing to such slots without the need for inline assembly.
 *
 * The functions in this library return Slot structs that contain a `value` member that can be used to read or write.
 *
 * Example usage to set ERC1967 implementation slot:
 * ```solidity
 * contract ERC1967 {
 *     bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
 *
 *     function _getImplementation() internal view returns (address) {
 *         return StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value;
 *     }
 *
 *     function _setImplementation(address newImplementation) internal {
 *         require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract");
 *         StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value = newImplementation;
 *     }
 * }
 * ```
 *
 * _Available since v4.1 for `address`, `bool`, `bytes32`, `uint256`._
 * _Available since v4.9 for `string`, `bytes`._
 */
library StorageSlot {
    struct AddressSlot {
        address value;
    }

    struct BooleanSlot {
        bool value;
    }

    struct Bytes32Slot {
        bytes32 value;
    }

    struct Uint256Slot {
        uint256 value;
    }

    struct StringSlot {
        string value;
    }

    struct BytesSlot {
        bytes value;
    }

    /**
     * @dev Returns an `AddressSlot` with member `value` located at `slot`.
     */
    function getAddressSlot(bytes32 slot) internal pure returns (AddressSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `BooleanSlot` with member `value` located at `slot`.
     */
    function getBooleanSlot(bytes32 slot) internal pure returns (BooleanSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `Bytes32Slot` with member `value` located at `slot`.
     */
    function getBytes32Slot(bytes32 slot) internal pure returns (Bytes32Slot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `Uint256Slot` with member `value` located at `slot`.
     */
    function getUint256Slot(bytes32 slot) internal pure returns (Uint256Slot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `StringSlot` with member `value` located at `slot`.
     */
    function getStringSlot(bytes32 slot) internal pure returns (StringSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `StringSlot` representation of the string storage pointer `store`.
     */
    function getStringSlot(string storage store) internal pure returns (StringSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := store.slot
        }
    }

    /**
     * @dev Returns an `BytesSlot` with member `value` located at `slot`.
     */
    function getBytesSlot(bytes32 slot) internal pure returns (BytesSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := slot
        }
    }

    /**
     * @dev Returns an `BytesSlot` representation of the bytes storage pointer `store`.
     */
    function getBytesSlot(bytes storage store) internal pure returns (BytesSlot storage r) {
        /// @solidity memory-safe-assembly
        assembly {
            r.slot := store.slot
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/Strings.sol)

pragma solidity ^0.8.0;

import "./math/Math.sol";
import "./math/SignedMath.sol";

/**
 * @dev String operations.
 */
library Strings {
    bytes16 private constant _SYMBOLS = "0123456789abcdef";
    uint8 private constant _ADDRESS_LENGTH = 20;

    /**
     * @dev Converts a `uint256` to its ASCII `string` decimal representation.
     */
    function toString(uint256 value) internal pure returns (string memory) {
        unchecked {
            uint256 length = Math.log10(value) + 1;
            string memory buffer = new string(length);
            uint256 ptr;
            /// @solidity memory-safe-assembly
            assembly {
                ptr := add(buffer, add(32, length))
            }
            while (true) {
                ptr--;
                /// @solidity memory-safe-assembly
                assembly {
                    mstore8(ptr, byte(mod(value, 10), _SYMBOLS))
                }
                value /= 10;
                if (value == 0) break;
            }
            return buffer;
        }
    }

    /**
     * @dev Converts a `int256` to its ASCII `string` decimal representation.
     */
    function toString(int256 value) internal pure returns (string memory) {
        return string(abi.encodePacked(value < 0 ? "-" : "", toString(SignedMath.abs(value))));
    }

    /**
     * @dev Converts a `uint256` to its ASCII `string` hexadecimal representation.
     */
    function toHexString(uint256 value) internal pure returns (string memory) {
        unchecked {
            return toHexString(value, Math.log256(value) + 1);
        }
    }

    /**
     * @dev Converts a `uint256` to its ASCII `string` hexadecimal representation with fixed length.
     */
    function toHexString(uint256 value, uint256 length) internal pure returns (string memory) {
        bytes memory buffer = new bytes(2 * length + 2);
        buffer[0] = "0";
        buffer[1] = "x";
        for (uint256 i = 2 * length + 1; i > 1; --i) {
            buffer[i] = _SYMBOLS[value & 0xf];
            value >>= 4;
        }
        require(value == 0, "Strings: hex length insufficient");
        return string(buffer);
    }

    /**
     * @dev Converts an `address` with fixed length of 20 bytes to its not checksummed ASCII `string` hexadecimal representation.
     */
    function toHexString(address addr) internal pure returns (string memory) {
        return toHexString(uint256(uint160(addr)), _ADDRESS_LENGTH);
    }

    /**
     * @dev Returns true if the two strings are equal.
     */
    function equal(string memory a, string memory b) internal pure returns (bool) {
        return keccak256(bytes(a)) == keccak256(bytes(b));
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/cryptography/ECDSA.sol)

pragma solidity ^0.8.0;

import "../Strings.sol";

/**
 * @dev Elliptic Curve Digital Signature Algorithm (ECDSA) operations.
 *
 * These functions can be used to verify that a message was signed by the holder
 * of the private keys of a given address.
 */
library ECDSA {
    enum RecoverError {
        NoError,
        InvalidSignature,
        InvalidSignatureLength,
        InvalidSignatureS,
        InvalidSignatureV // Deprecated in v4.8
    }

    function _throwError(RecoverError error) private pure {
        if (error == RecoverError.NoError) {
            return; // no error: do nothing
        } else if (error == RecoverError.InvalidSignature) {
            revert("ECDSA: invalid signature");
        } else if (error == RecoverError.InvalidSignatureLength) {
            revert("ECDSA: invalid signature length");
        } else if (error == RecoverError.InvalidSignatureS) {
            revert("ECDSA: invalid signature 's' value");
        }
    }

    /**
     * @dev Returns the address that signed a hashed message (`hash`) with
     * `signature` or error string. This address can then be used for verification purposes.
     *
     * The `ecrecover` EVM opcode allows for malleable (non-unique) signatures:
     * this function rejects them by requiring the `s` value to be in the lower
     * half order, and the `v` value to be either 27 or 28.
     *
     * IMPORTANT: `hash` _must_ be the result of a hash operation for the
     * verification to be secure: it is possible to craft signatures that
     * recover to arbitrary addresses for non-hashed data. A safe way to ensure
     * this is by receiving a hash of the original message (which may otherwise
     * be too long), and then calling {toEthSignedMessageHash} on it.
     *
     * Documentation for signature generation:
     * - with https://web3js.readthedocs.io/en/v1.3.4/web3-eth-accounts.html#sign[Web3.js]
     * - with https://docs.ethers.io/v5/api/signer/#Signer-signMessage[ethers]
     *
     * _Available since v4.3._
     */
    function tryRecover(bytes32 hash, bytes memory signature) internal pure returns (address, RecoverError) {
        if (signature.length == 65) {
            bytes32 r;
            bytes32 s;
            uint8 v;
            // ecrecover takes the signature parameters, and the only way to get them
            // currently is to use assembly.
            /// @solidity memory-safe-assembly
            assembly {
                r := mload(add(signature, 0x20))
                s := mload(add(signature, 0x40))
                v := byte(0, mload(add(signature, 0x60)))
            }
            return tryRecover(hash, v, r, s);
        } else {
            return (address(0), RecoverError.InvalidSignatureLength);
        }
    }

    /**
     * @dev Returns the address that signed a hashed message (`hash`) with
     * `signature`. This address can then be used for verification purposes.
     *
     * The `ecrecover` EVM opcode allows for malleable (non-unique) signatures:
     * this function rejects them by requiring the `s` value to be in the lower
     * half order, and the `v` value to be either 27 or 28.
     *
     * IMPORTANT: `hash` _must_ be the result of a hash operation for the
     * verification to be secure: it is possible to craft signatures that
     * recover to arbitrary addresses for non-hashed data. A safe way to ensure
     * this is by receiving a hash of the original message (which may otherwise
     * be too long), and then calling {toEthSignedMessageHash} on it.
     */
    function recover(bytes32 hash, bytes memory signature) internal pure returns (address) {
        (address recovered, RecoverError error) = tryRecover(hash, signature);
        _throwError(error);
        return recovered;
    }

    /**
     * @dev Overload of {ECDSA-tryRecover} that receives the `r` and `vs` short-signature fields separately.
     *
     * See https://eips.ethereum.org/EIPS/eip-2098[EIP-2098 short signatures]
     *
     * _Available since v4.3._
     */
    function tryRecover(bytes32 hash, bytes32 r, bytes32 vs) internal pure returns (address, RecoverError) {
        bytes32 s = vs & bytes32(0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff);
        uint8 v = uint8((uint256(vs) >> 255) + 27);
        return tryRecover(hash, v, r, s);
    }

    /**
     * @dev Overload of {ECDSA-recover} that receives the `r and `vs` short-signature fields separately.
     *
     * _Available since v4.2._
     */
    function recover(bytes32 hash, bytes32 r, bytes32 vs) internal pure returns (address) {
        (address recovered, RecoverError error) = tryRecover(hash, r, vs);
        _throwError(error);
        return recovered;
    }

    /**
     * @dev Overload of {ECDSA-tryRecover} that receives the `v`,
     * `r` and `s` signature fields separately.
     *
     * _Available since v4.3._
     */
    function tryRecover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address, RecoverError) {
        // EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make the signature
        // unique. Appendix F in the Ethereum Yellow paper (https://ethereum.github.io/yellowpaper/paper.pdf), defines
        // the valid range for s in (301): 0 < s < secp256k1n ÷ 2 + 1, and for v in (302): v ∈ {27, 28}. Most
        // signatures from current libraries generate a unique signature with an s-value in the lower half order.
        //
        // If your library generates malleable signatures, such as s-values in the upper range, calculate a new s-value
        // with 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 - s1 and flip v from 27 to 28 or
        // vice versa. If your library also generates signatures with 0/1 for v instead 27/28, add 27 to v to accept
        // these malleable signatures as well.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
            return (address(0), RecoverError.InvalidSignatureS);
        }

        // If the signature is valid (and not malleable), return the signer address
        address signer = ecrecover(hash, v, r, s);
        if (signer == address(0)) {
            return (address(0), RecoverError.InvalidSignature);
        }

        return (signer, RecoverError.NoError);
    }

    /**
     * @dev Overload of {ECDSA-recover} that receives the `v`,
     * `r` and `s` signature fields separately.
     */
    function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
        (address recovered, RecoverError error) = tryRecover(hash, v, r, s);
        _throwError(error);
        return recovered;
    }

    /**
     * @dev Returns an Ethereum Signed Message, created from a `hash`. This
     * produces hash corresponding to the one signed with the
     * https://eth.wiki/json-rpc/API#eth_sign[`eth_sign`]
     * JSON-RPC method as part of EIP-191.
     *
     * See {recover}.
     */
    function toEthSignedMessageHash(bytes32 hash) internal pure returns (bytes32 message) {
        // 32 is the length in bytes of hash,
        // enforced by the type signature above
        /// @solidity memory-safe-assembly
        assembly {
            mstore(0x00, "\x19Ethereum Signed Message:\n32")
            mstore(0x1c, hash)
            message := keccak256(0x00, 0x3c)
        }
    }

    /**
     * @dev Returns an Ethereum Signed Message, created from `s`. This
     * produces hash corresponding to the one signed with the
     * https://eth.wiki/json-rpc/API#eth_sign[`eth_sign`]
     * JSON-RPC method as part of EIP-191.
     *
     * See {recover}.
     */
    function toEthSignedMessageHash(bytes memory s) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n", Strings.toString(s.length), s));
    }

    /**
     * @dev Returns an Ethereum Signed Typed Data, created from a
     * `domainSeparator` and a `structHash`. This produces hash corresponding
     * to the one signed with the
     * https://eips.ethereum.org/EIPS/eip-712[`eth_signTypedData`]
     * JSON-RPC method as part of EIP-712.
     *
     * See {recover}.
     */
    function toTypedDataHash(bytes32 domainSeparator, bytes32 structHash) internal pure returns (bytes32 data) {
        /// @solidity memory-safe-assembly
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, "\x19\x01")
            mstore(add(ptr, 0x02), domainSeparator)
            mstore(add(ptr, 0x22), structHash)
            data := keccak256(ptr, 0x42)
        }
    }

    /**
     * @dev Returns an Ethereum Signed Data with intended validator, created from a
     * `validator` and `data` according to the version 0 of EIP-191.
     *
     * See {recover}.
     */
    function toDataWithIntendedValidatorHash(address validator, bytes memory data) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19\x00", validator, data));
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts v4.4.1 (utils/introspection/IERC165.sol)

pragma solidity ^0.8.0;

/**
 * @dev Interface of the ERC165 standard, as defined in the
 * https://eips.ethereum.org/EIPS/eip-165[EIP].
 *
 * Implementers can declare support of contract interfaces, which can then be
 * queried by others ({ERC165Checker}).
 *
 * For an implementation, see {ERC165}.
 */
interface IERC165 {
    /**
     * @dev Returns true if this contract implements the interface defined by
     * `interfaceId`. See the corresponding
     * https://eips.ethereum.org/EIPS/eip-165#how-interfaces-are-identified[EIP section]
     * to learn more about how these ids are created.
     *
     * This function call must use less than 30 000 gas.
     */
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.9.0) (utils/math/Math.sol)

pragma solidity ^0.8.0;

/**
 * @dev Standard math utilities missing in the Solidity language.
 */
library Math {
    enum Rounding {
        Down, // Toward negative infinity
        Up, // Toward infinity
        Zero // Toward zero
    }

    /**
     * @dev Returns the largest of two numbers.
     */
    function max(uint256 a, uint256 b) internal pure returns (uint256) {
        return a > b ? a : b;
    }

    /**
     * @dev Returns the smallest of two numbers.
     */
    function min(uint256 a, uint256 b) internal pure returns (uint256) {
        return a < b ? a : b;
    }

    /**
     * @dev Returns the average of two numbers. The result is rounded towards
     * zero.
     */
    function average(uint256 a, uint256 b) internal pure returns (uint256) {
        // (a + b) / 2 can overflow.
        return (a & b) + (a ^ b) / 2;
    }

    /**
     * @dev Returns the ceiling of the division of two numbers.
     *
     * This differs from standard division with `/` in that it rounds up instead
     * of rounding down.
     */
    function ceilDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        // (a + b - 1) / b can overflow on addition, so we distribute.
        return a == 0 ? 0 : (a - 1) / b + 1;
    }

    /**
     * @notice Calculates floor(x * y / denominator) with full precision. Throws if result overflows a uint256 or denominator == 0
     * @dev Original credit to Remco Bloemen under MIT license (https://xn--2-umb.com/21/muldiv)
     * with further edits by Uniswap Labs also under MIT license.
     */
    function mulDiv(uint256 x, uint256 y, uint256 denominator) internal pure returns (uint256 result) {
        unchecked {
            // 512-bit multiply [prod1 prod0] = x * y. Compute the product mod 2^256 and mod 2^256 - 1, then use
            // use the Chinese Remainder Theorem to reconstruct the 512 bit result. The result is stored in two 256
            // variables such that product = prod1 * 2^256 + prod0.
            uint256 prod0; // Least significant 256 bits of the product
            uint256 prod1; // Most significant 256 bits of the product
            assembly {
                let mm := mulmod(x, y, not(0))
                prod0 := mul(x, y)
                prod1 := sub(sub(mm, prod0), lt(mm, prod0))
            }

            // Handle non-overflow cases, 256 by 256 division.
            if (prod1 == 0) {
                // Solidity will revert if denominator == 0, unlike the div opcode on its own.
                // The surrounding unchecked block does not change this fact.
                // See https://docs.soliditylang.org/en/latest/control-structures.html#checked-or-unchecked-arithmetic.
                return prod0 / denominator;
            }

            // Make sure the result is less than 2^256. Also prevents denominator == 0.
            require(denominator > prod1, "Math: mulDiv overflow");

            ///////////////////////////////////////////////
            // 512 by 256 division.
            ///////////////////////////////////////////////

            // Make division exact by subtracting the remainder from [prod1 prod0].
            uint256 remainder;
            assembly {
                // Compute remainder using mulmod.
                remainder := mulmod(x, y, denominator)

                // Subtract 256 bit number from 512 bit number.
                prod1 := sub(prod1, gt(remainder, prod0))
                prod0 := sub(prod0, remainder)
            }

            // Factor powers of two out of denominator and compute largest power of two divisor of denominator. Always >= 1.
            // See https://cs.stackexchange.com/q/138556/92363.

            // Does not overflow because the denominator cannot be zero at this stage in the function.
            uint256 twos = denominator & (~denominator + 1);
            assembly {
                // Divide denominator by twos.
                denominator := div(denominator, twos)

                // Divide [prod1 prod0] by twos.
                prod0 := div(prod0, twos)

                // Flip twos such that it is 2^256 / twos. If twos is zero, then it becomes one.
                twos := add(div(sub(0, twos), twos), 1)
            }

            // Shift in bits from prod1 into prod0.
            prod0 |= prod1 * twos;

            // Invert denominator mod 2^256. Now that denominator is an odd number, it has an inverse modulo 2^256 such
            // that denominator * inv = 1 mod 2^256. Compute the inverse by starting with a seed that is correct for
            // four bits. That is, denominator * inv = 1 mod 2^4.
            uint256 inverse = (3 * denominator) ^ 2;

            // Use the Newton-Raphson iteration to improve the precision. Thanks to Hensel's lifting lemma, this also works
            // in modular arithmetic, doubling the correct bits in each step.
            inverse *= 2 - denominator * inverse; // inverse mod 2^8
            inverse *= 2 - denominator * inverse; // inverse mod 2^16
            inverse *= 2 - denominator * inverse; // inverse mod 2^32
            inverse *= 2 - denominator * inverse; // inverse mod 2^64
            inverse *= 2 - denominator * inverse; // inverse mod 2^128
            inverse *= 2 - denominator * inverse; // inverse mod 2^256

            // Because the division is now exact we can divide by multiplying with the modular inverse of denominator.
            // This will give us the correct result modulo 2^256. Since the preconditions guarantee that the outcome is
            // less than 2^256, this is the final result. We don't need to compute the high bits of the result and prod1
            // is no longer required.
            result = prod0 * inverse;
            return result;
        }
    }

    /**
     * @notice Calculates x * y / denominator with full precision, following the selected rounding direction.
     */
    function mulDiv(uint256 x, uint256 y, uint256 denominator, Rounding rounding) internal pure returns (uint256) {
        uint256 result = mulDiv(x, y, denominator);
        if (rounding == Rounding.Up && mulmod(x, y, denominator) > 0) {
            result += 1;
        }
        return result;
    }

    /**
     * @dev Returns the square root of a number. If the number is not a perfect square, the value is rounded down.
     *
     * Inspired by Henry S. Warren, Jr.'s "Hacker's Delight" (Chapter 11).
     */
    function sqrt(uint256 a) internal pure returns (uint256) {
        if (a == 0) {
            return 0;
        }

        // For our first guess, we get the biggest power of 2 which is smaller than the square root of the target.
        //
        // We know that the "msb" (most significant bit) of our target number `a` is a power of 2 such that we have
        // `msb(a) <= a < 2*msb(a)`. This value can be written `msb(a)=2**k` with `k=log2(a)`.
        //
        // This can be rewritten `2**log2(a) <= a < 2**(log2(a) + 1)`
        // → `sqrt(2**k) <= sqrt(a) < sqrt(2**(k+1))`
        // → `2**(k/2) <= sqrt(a) < 2**((k+1)/2) <= 2**(k/2 + 1)`
        //
        // Consequently, `2**(log2(a) / 2)` is a good first approximation of `sqrt(a)` with at least 1 correct bit.
        uint256 result = 1 << (log2(a) >> 1);

        // At this point `result` is an estimation with one bit of precision. We know the true value is a uint128,
        // since it is the square root of a uint256. Newton's method converges quadratically (precision doubles at
        // every iteration). We thus need at most 7 iteration to turn our partial result with one bit of precision
        // into the expected uint128 result.
        unchecked {
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            result = (result + a / result) >> 1;
            return min(result, a / result);
        }
    }

    /**
     * @notice Calculates sqrt(a), following the selected rounding direction.
     */
    function sqrt(uint256 a, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = sqrt(a);
            return result + (rounding == Rounding.Up && result * result < a ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 2, rounded down, of a positive value.
     * Returns 0 if given 0.
     */
    function log2(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >> 128 > 0) {
                value >>= 128;
                result += 128;
            }
            if (value >> 64 > 0) {
                value >>= 64;
                result += 64;
            }
            if (value >> 32 > 0) {
                value >>= 32;
                result += 32;
            }
            if (value >> 16 > 0) {
                value >>= 16;
                result += 16;
            }
            if (value >> 8 > 0) {
                value >>= 8;
                result += 8;
            }
            if (value >> 4 > 0) {
                value >>= 4;
                result += 4;
            }
            if (value >> 2 > 0) {
                value >>= 2;
                result += 2;
            }
            if (value >> 1 > 0) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 2, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log2(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log2(value);
            return result + (rounding == Rounding.Up && 1 << result < value ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 10, rounded down, of a positive value.
     * Returns 0 if given 0.
     */
    function log10(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >= 10 ** 64) {
                value /= 10 ** 64;
                result += 64;
            }
            if (value >= 10 ** 32) {
                value /= 10 ** 32;
                result += 32;
            }
            if (value >= 10 ** 16) {
                value /= 10 ** 16;
                result += 16;
            }
            if (value >= 10 ** 8) {
                value /= 10 ** 8;
                result += 8;
            }
            if (value >= 10 ** 4) {
                value /= 10 ** 4;
                result += 4;
            }
            if (value >= 10 ** 2) {
                value /= 10 ** 2;
                result += 2;
            }
            if (value >= 10 ** 1) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 10, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log10(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log10(value);
            return result + (rounding == Rounding.Up && 10 ** result < value ? 1 : 0);
        }
    }

    /**
     * @dev Return the log in base 256, rounded down, of a positive value.
     * Returns 0 if given 0.
     *
     * Adding one to the result gives the number of pairs of hex symbols needed to represent `value` as a hex string.
     */
    function log256(uint256 value) internal pure returns (uint256) {
        uint256 result = 0;
        unchecked {
            if (value >> 128 > 0) {
                value >>= 128;
                result += 16;
            }
            if (value >> 64 > 0) {
                value >>= 64;
                result += 8;
            }
            if (value >> 32 > 0) {
                value >>= 32;
                result += 4;
            }
            if (value >> 16 > 0) {
                value >>= 16;
                result += 2;
            }
            if (value >> 8 > 0) {
                result += 1;
            }
        }
        return result;
    }

    /**
     * @dev Return the log in base 256, following the selected rounding direction, of a positive value.
     * Returns 0 if given 0.
     */
    function log256(uint256 value, Rounding rounding) internal pure returns (uint256) {
        unchecked {
            uint256 result = log256(value);
            return result + (rounding == Rounding.Up && 1 << (result << 3) < value ? 1 : 0);
        }
    }
}

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v4.8.0) (utils/math/SignedMath.sol)

pragma solidity ^0.8.0;

/**
 * @dev Standard signed math utilities missing in the Solidity language.
 */
library SignedMath {
    /**
     * @dev Returns the largest of two signed numbers.
     */
    function max(int256 a, int256 b) internal pure returns (int256) {
        return a > b ? a : b;
    }

    /**
     * @dev Returns the smallest of two signed numbers.
     */
    function min(int256 a, int256 b) internal pure returns (int256) {
        return a < b ? a : b;
    }

    /**
     * @dev Returns the average of two signed numbers without overflow.
     * The result is rounded towards zero.
     */
    function average(int256 a, int256 b) internal pure returns (int256) {
        // Formula from the book "Hacker's Delight"
        int256 x = (a & b) + ((a ^ b) >> 1);
        return x + (int256(uint256(x) >> 255) & (a ^ b));
    }

    /**
     * @dev Returns the absolute unsigned value of a signed value.
     */
    function abs(int256 n) internal pure returns (uint256) {
        unchecked {
            // must be unchecked in order to support `n = type(int256).min`
            return uint256(n >= 0 ? n : -n);
        }
    }
}

// SPDX-License-Identifier: UNLICENSED
// Based on code from MACI:
// (https://github.com/appliedzkp/maci/blob/7f36a915244a6e8f98bacfe255f8bd44193e7919/contracts/sol/IncrementalMerkleTree.sol)

pragma solidity 0.8.23;

import { Initializable } from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

import { SNARK_SCALAR_FIELD } from "./Globals.sol";
import { PoseidonT3 } from "./PoseidonT3.sol";

/// @title Commitments
/// @author DOP Team
/// @notice Batch Incremental Merkle Tree for commitments
/// @dev Publicly accessible functions to be put in DOPLogic. Relevant external contract calls should be in those
/// functions, not here
contract Commitments is Initializable {
    /// @notice Tree zero value
    bytes32 public constant ZERO_VALUE = bytes32(uint256(keccak256("DOP")) % SNARK_SCALAR_FIELD);

    /// @dev Tree depth
    uint256 internal constant _TREE_DEPTH = 16;

    /// @notice Merkle root
    bytes32 public merkleRoot;

    /// @notice Next leaf index (number of inserted leaves in the current tree)
    uint256 public nextLeafIndex;

    /// @notice Tree number
    uint256 public treeNumber;

    /// @dev Store new tree root to quickly migrate to a new tree
    bytes32 private _newMerkleRoot;

    /// @notice Whether the contract has already seen a particular commitment nullifier
    mapping(uint256 treeNumber => mapping(bytes32 nullifier => bool seen)) public nullifiers;

    /// @notice The Merkle path to the leftmost leaf upon initialization. It SHOULD NOT be modified after it has been
    /// set by the initialize function. Caching these values is essential to efficient appends
    bytes32[_TREE_DEPTH] public zeros;

    /// @dev Right-most elements at each level. Used for efficient updates of the merkle tree
    bytes32[_TREE_DEPTH] private _rightMostLeafAtLevel;

    /// @notice Whether the contract has already seen a particular Merkle tree root
    mapping(uint256 treeNumber => mapping(bytes32 root => bool seen)) public rootHistory;

    /// @notice Gets tree number that new commitments will get inserted to
    /// @param newCommitments Number of new commitments
    /// @return treeNumber Number of the current tree given the new commitments
    /// @return startingIndex Index of the current tree given the new commitments
    function getInsertionTreeNumberAndStartingIndex(uint256 newCommitments) public view returns (uint256, uint256) {
        if ((nextLeafIndex + newCommitments) > (2 ** _TREE_DEPTH)) {
            return (treeNumber + 1, 0);
        }

        return (treeNumber, nextLeafIndex);
    }

    /// @notice Hash 2 uint256 values
    /// @param left Left side of hash
    /// @param right Right side of hash
    /// @return hash Poseidon processed hash
    function hashLeftRight(bytes32 left, bytes32 right) public pure returns (bytes32) {
        return PoseidonT3.poseidon([left, right]);
    }

    /// @dev Calculates initial values for Merkle Tree
    function _initializeCommitments() internal onlyInitializing {
        zeros[0] = ZERO_VALUE;
        bytes32 currentZero = ZERO_VALUE;

        for (uint256 i = 0; i < _TREE_DEPTH; ++i) {
            zeros[i] = currentZero;
            _rightMostLeafAtLevel[i] = currentZero;
            currentZero = hashLeftRight(currentZero, currentZero);
        }

        _newMerkleRoot = merkleRoot = currentZero;
        rootHistory[treeNumber][currentZero] = true;
    }

    /// @dev Calculates initial values for Merkle Tree
    /// @dev Insert leaves into the current merkle tree
    /// Note: This function INTENTIONALLY causes side effects to save on gas. leafHashes and count should never be
    /// reused
    /// @param leaves array of leaf hashes to be added to the merkle tree
    function _addLeaves(bytes32[] memory leaves) internal {
        uint256 leafCount = leaves.length;

        if (leafCount == 0) {
            return;
        }

        if ((nextLeafIndex + leafCount) > (2 ** _TREE_DEPTH)) {
            _startNewTree();
        }

        uint256 insertionIndex = nextLeafIndex;
        nextLeafIndex += leafCount;
        uint256 nextLevelIndex;
        uint256 nextLevelStartingIndex;

        for (uint256 level = 0; level < _TREE_DEPTH; ++level) {
            nextLevelStartingIndex = insertionIndex >> 1;
            uint256 insertionElement = 0;

            if (insertionIndex % 2 == 1) {
                nextLevelIndex = (insertionIndex >> 1) - nextLevelStartingIndex;
                leaves[nextLevelIndex] = hashLeftRight(_rightMostLeafAtLevel[level], leaves[insertionElement]);
                ++insertionElement;
                ++insertionIndex;
            }

            for (insertionElement; insertionElement < leafCount; insertionElement += 2) {
                bytes32 right;

                if (insertionElement < leafCount - 1) {
                    right = leaves[insertionElement + 1];
                } else {
                    right = zeros[level];
                }

                if (insertionElement == leafCount - 1 || insertionElement == leafCount - 2) {
                    _rightMostLeafAtLevel[level] = leaves[insertionElement];
                }

                nextLevelIndex = (insertionIndex >> 1) - nextLevelStartingIndex;
                leaves[nextLevelIndex] = hashLeftRight(leaves[insertionElement], right);
                insertionIndex += 2;
            }

            insertionIndex = nextLevelStartingIndex;
            leafCount = nextLevelIndex + 1;
        }

        merkleRoot = leaves[0];
        rootHistory[treeNumber][merkleRoot] = true;
    }

    /// @dev Creates new merkle tree
    function _startNewTree() internal {
        merkleRoot = _newMerkleRoot;
        nextLeafIndex = 0;
        ++treeNumber;
    }

    uint256[50] private _gap;
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { AggregatorV3Interface } from "@chainlink/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol";

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import { IERC721 } from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import { Address } from "@openzeppelin/contracts/utils/Address.sol";
import { StorageSlot } from "@openzeppelin/contracts/utils/StorageSlot.sol";
import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import { OwnableUpgradeable } from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import { Initializable } from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

import { Commitments } from "./Commitments.sol";
// prettier-ignore
import {
    SNARK_SCALAR_FIELD,
    DecryptType,
    TokenType,
    ValidationType,
    Balance,
    Configuration,
    CommitmentCiphertext,
    CommitmentPreimage,
    EncryptCiphertext,
    EncryptRequest,
    TokenData,
    Transaction,
    IdenticalValue,
    InvalidAddress,
    UnsafeVectors,
    UnsupportedToken
} from "./Globals.sol";
import { ITokenBlocklist } from "./ITokenBlocklist.sol";
import { IVaultFactory, IVault } from "./IVaultFactory.sol";
import { OraclePriceFetcher } from "./OraclePriceFetcher.sol";
import { PoseidonT4 } from "./PoseidonT4.sol";
import { Verifier } from "./Verifier.sol";

/// @title DOPLogic
/// @author DOP Team
/// @notice Logic to process transactions
contract DOPLogic is Initializable, OwnableUpgradeable, Commitments, Verifier {
    using SafeERC20 for IERC20;
    using Address for address payable;
    using ECDSA for bytes32;
    using OraclePriceFetcher for AggregatorV3Interface;

    /// @dev Current version of the protocol
    string private constant _VERSION = "2.2.0";

    /// @dev limit to the number of encrypt requests that can be initiated in a single transaction
    uint256 private constant _MAX_ENCRYPT_REQUESTS = 20;

    /// @dev Number of basis points that equal 100%
    uint120 private constant _BASIS_POINTS = 10000;

    /// @dev Maximum fee limit in basic points (BPS)
    uint120 private constant _MAX_FEE_BPS = 5000;

    /// @dev Encrypt fee in basis points (BPS)
    uint120 private immutable _ENCRYPT_FEE_BPS;

    /// @dev Decrypt fee in basis points (BPS)
    uint120 private immutable _DECRYPT_FEE_BPS;

    /// @dev NFT fee in fiat currency
    /// NOTE: Denomination of NFT fee must be equivalent to price feed's price denomination
    uint256 internal immutable _NFT_FEE_FIAT;

    /// @dev Encrypt requests holding time period
    uint256 private immutable _HOLDING_PERIOD;

    /// @dev Treasury contract
    address payable internal immutable _TREASURY;

    /// @dev Vault factory contract
    IVaultFactory private immutable _VAULT_FACTORY;

    /// @dev Token blocklist contract
    ITokenBlocklist private immutable _TOKEN_BLOCKLIST;

    /// @notice Address of the native asset price feed oracle
    AggregatorV3Interface internal immutable _NATIVE_ASSET_PRICE_FEED;

    /// @notice Timeout in seconds to use with the price feed oracle
    /// NOTE: Timeout should always be greater than the provided heartbeat
    uint256 internal immutable _PRICE_FEED_TIMEOUT;

    /// @notice Last event block to assist with scanning
    uint256 public lastEventBlock;

    /// @notice Snark safety vectors
    mapping(uint256 vector => bool state) public snarkSafetyVector;

    /// @notice Token ID mapping
    mapping(bytes32 tokenID => TokenData tokenData) public tokenIDMapping;

    /// @notice Encrypt request validatory signer
    address public signer;

    /// @notice Number of holdings created
    uint256 public totalHoldings;

    /// @dev Holdee's holding data with respect to a unique index
    mapping(uint256 index => Holding holding) internal _holdings;

    /// @dev Holding data structure
    struct Holding {
        address holdee;
        IVault vault;
        uint256 deadline;
        EncryptRequest[] encryptRequests;
    }

    /// @dev Emitted when signer is changed
    event SignerChanged(address newSigner, address oldSigner);

    /// @dev Emitted when tokens are transferred
    event Transact(uint256 treeNumber, uint256 startPosition, bytes32[] hash, CommitmentCiphertext[] ciphertext);

    /// @dev Emitted when adding a snark safety vector
    event VectorAdded(uint256 vector, bool state);

    /// @dev Emitted when removing a snark safety vector
    event VectorRemoved(uint256 vector, bool state);

    /// @dev Emitted when tokens are encrypted
    event Encrypt(
        uint256 treeNumber,
        uint256 startPosition,
        CommitmentPreimage[] commitments,
        EncryptCiphertext[] encryptCiphertext,
        uint256[] fees
    );

    /// @dev Emitted when tokens are decrypted
    event Decrypt(address to, TokenData token, uint256 amount, uint256 fee);

    /// @dev Emitted when any commitment is nullified
    event Nullified(uint16 treeNumber, bytes32[] nullifier);

    /// @dev Emitted when an encrypt request is put on hold
    event EncryptHeld(
        uint256 indexed index,
        address indexed holdee,
        IVault vault,
        uint256 deadline,
        CommitmentPreimage[] commitments,
        EncryptCiphertext[] encryptCiphertext
    );

    /// @dev Emitted when an approved encrypt request is finalized
    event EncryptApproved(uint256 indexed index);

    /// @dev Emitted when a rejected encrypt request is finalized
    event EncryptRejected(uint256 indexed index);

    /// @dev Emitted when an expired encrypt request is finalized
    event EncryptExpired(uint256 indexed index);

    error InvalidCommitment(ValidationType validationType);
    error InvalidTransaction(ValidationType validationType);
    error InvalidFee();
    error ERC20TokenTransferFailed();
    error ERC721TokenTransferFailed();
    error NoteAlreadySpent();
    error InvalidValue();
    error InvalidIndex();
    error InvalidHolder();
    error HoldingNotExpired();
    error EncryptRequestsOutofBounds();
    error InvalidSignatureOrSigner();

    /// @dev Constructor
    /// @param initEncryptFee Encrypt fee
    /// @param initDecryptFee Decrypt fee
    /// @param initNFTFee NFT fee
    /// @param initTreasury Address to send usage fees to
    /// @param initVaultFactory Address that deploys vaults
    /// @param initTokenBlocklist Address that checks token block status
    /// @param initHoldingPeriod Encrypt request holding time period
    /// @param initNativeAssetPriceFeed Address of the native asset price feed oracle
    /// @param initPriceFeedTimeout Timeout in seconds to use with the price feed oracle
    constructor(
        uint120 initEncryptFee,
        uint120 initDecryptFee,
        uint256 initNFTFee,
        uint256 initHoldingPeriod,
        address payable initTreasury,
        IVaultFactory initVaultFactory,
        ITokenBlocklist initTokenBlocklist,
        AggregatorV3Interface initNativeAssetPriceFeed,
        uint256 initPriceFeedTimeout
    ) {
        if (
            initEncryptFee == 0 ||
            initDecryptFee == 0 ||
            initNFTFee == 0 ||
            initHoldingPeriod == 0 ||
            initPriceFeedTimeout == 0
        ) {
            revert InvalidValue();
        }

        if (initEncryptFee > _MAX_FEE_BPS || initDecryptFee > _MAX_FEE_BPS) {
            revert InvalidFee();
        }

        if (
            initTreasury == address(0) ||
            address(initVaultFactory) == address(0) ||
            address(initTokenBlocklist) == address(0) ||
            address(initNativeAssetPriceFeed) == address(0)
        ) {
            revert InvalidAddress();
        }

        _ENCRYPT_FEE_BPS = initEncryptFee;
        _DECRYPT_FEE_BPS = initDecryptFee;
        _NFT_FEE_FIAT = initNFTFee;
        _HOLDING_PERIOD = initHoldingPeriod;
        _TREASURY = initTreasury;
        _VAULT_FACTORY = initVaultFactory;
        _TOKEN_BLOCKLIST = initTokenBlocklist;
        _NATIVE_ASSET_PRICE_FEED = initNativeAssetPriceFeed;
        _PRICE_FEED_TIMEOUT = initPriceFeedTimeout;
    }

    /// @notice Safety check for badly behaving code
    function checkSafetyVectors() external {
        StorageSlot.getBooleanSlot(0x8dea8703c3cf94703383ce38a9c894669dccd4ca8e65ddb43267aa0248711450).value = true;
        bool result = false;

        // solhint-disable-next-line no-inline-assembly
        assembly {
            mstore(0, caller())
            mstore(32, snarkSafetyVector.slot)
            let hash := keccak256(0, 64)
            result := sload(hash)
        }

        if (!result) {
            revert UnsafeVectors();
        }
    }

    /// @notice Adds or removes a given snark safety vector, only callable by the owner, i.e. governance contract
    /// @param vector Note to change state of
    /// @param state New state of note
    function updateVector(uint256 vector, bool state) external onlyOwner {
        _updateVector(vector, state);
    }

    /// @notice Changes signer, only callable by the owner, i.e. governance contract
    /// @param newSigner Address of the new signer
    function changeSigner(address newSigner) external onlyOwner {
        _changeSigner(newSigner);
    }

    /// @notice Finalizes an approved encrypt request
    /// @param signature Signed message to determine correctness
    /// @param index Unique holding index to get the encrypt requests for
    function encryptApproved(bytes calldata signature, uint256 index) external payable {
        (IVault vault, , EncryptRequest[] memory encryptRequests) = _validateFinalizeEncrypt(index);

        _validateSignature(signature, index, true);
        _encrypt(vault, encryptRequests);

        emit EncryptApproved({ index: index });
    }

    /// @notice Finalizes a rejected encrypt request
    /// @param signature Signed message to determine correctness
    /// @param index Unique holding index to get the encrypt requests for
    function encryptRejected(bytes calldata signature, uint256 index) external {
        (IVault vault, , EncryptRequest[] memory encryptRequests) = _validateFinalizeEncrypt(index);

        _validateSignature(signature, index, false);
        _revertEncrypt(vault, encryptRequests);

        emit EncryptRejected({ index: index });
    }

    /// @notice Finalizes an expired encrypt request
    /// @param index Unique holding index to get the encrypt requests for
    function encryptExpired(uint256 index) external {
        (IVault vault, uint256 deadline, EncryptRequest[] memory encryptRequests) = _validateFinalizeEncrypt(index);

        if (block.timestamp < deadline) {
            revert HoldingNotExpired();
        }

        _revertEncrypt(vault, encryptRequests);

        emit EncryptExpired({ index: index });
    }

    /// @notice Gets all external configuration data
    /// @return configuration Data pertaining to external requirements
    function configuration() external view returns (Configuration memory) {
        return
            Configuration({
                treasury: _TREASURY,
                vaultFactory: address(_VAULT_FACTORY),
                tokenBlocklist: address(_TOKEN_BLOCKLIST),
                encryptFeeBPS: _ENCRYPT_FEE_BPS,
                decryptFeeBPS: _DECRYPT_FEE_BPS,
                holdingPeriod: _HOLDING_PERIOD,
                version: _VERSION
            });
    }

    /// @notice Gets holding data from holding index
    /// @param index Unique holding index
    /// @return holding Holding data for the given holding index
    function holdings(uint256 index) external view returns (Holding memory) {
        return _holdings[index];
    }

    /// @notice Initialize logic contract
    /// @dev OpenZeppelin initializer ensures this can only be called once. This function also calls initializers on
    /// inherited contracts
    /// @param owner Governance contract
    /// @param initSigner Encrypt request validatory signer
    function initializeDOPLogic(address owner, address initSigner) public initializer {
        OwnableUpgradeable.__Ownable_init();
        Commitments._initializeCommitments();

        OwnableUpgradeable.transferOwnership(owner);

        _updateVector(11991246288605609459798790887503763024866871101, true);
        _updateVector(135932600361240492381964832893378343190771392134, true);
        _updateVector(1165567609304106638376634163822860648671860889162, true);

        _changeSigner(initSigner);
    }

    /// @notice Commits data to put an encrypt request on hold
    /// @param encryptRequests List of commitments to encrypt
    function initEncrypt(EncryptRequest[] memory encryptRequests) public {
        uint256 length = encryptRequests.length;

        if (length > _MAX_ENCRYPT_REQUESTS) {
            revert EncryptRequestsOutofBounds();
        }

        // No concern for overflow since upper bound is 2 ^ 256 - 1 which is very unlikely to reach using this version
        uint256 index = totalHoldings++;
        IVault vault = _VAULT_FACTORY.createVault();
        uint256 deadline = block.timestamp + _HOLDING_PERIOD;

        Holding storage holding = _holdings[index];
        holding.holdee = msg.sender;
        holding.vault = vault;
        holding.deadline = deadline;

        CommitmentPreimage[] memory commitments = new CommitmentPreimage[](length);
        EncryptCiphertext[] memory encryptCiphertext = new EncryptCiphertext[](length);

        for (uint256 notesIter = 0; notesIter < length; ++notesIter) {
            EncryptRequest memory encryptRequest = encryptRequests[notesIter];
            holding.encryptRequests.push(encryptRequest);

            CommitmentPreimage memory note = encryptRequest.preimage;
            commitments[notesIter] = note;
            encryptCiphertext[notesIter] = encryptRequest.ciphertext;

            if (note.token.tokenType == TokenType.ERC20) {
                IERC20 token = IERC20(address(uint160(note.token.tokenAddress)));

                token.safeTransferFrom(address(msg.sender), address(vault), note.value);
            } else if (note.token.tokenType == TokenType.ERC721) {
                IERC721 token = IERC721(address(uint160(note.token.tokenAddress)));

                token.transferFrom(address(msg.sender), address(vault), note.token.tokenSubID);
            } else {
                revert UnsupportedToken();
            }
        }

        emit EncryptHeld({
            index: index,
            holdee: msg.sender,
            vault: vault,
            deadline: deadline,
            commitments: commitments,
            encryptCiphertext: encryptCiphertext
        });
    }

    /// @notice Checks commitment ranges for validity
    /// @param note Note to validate
    /// @return validationType Whether the data is valid or not and if invalid, corresponds to a validation error
    function validateCommitmentPreimage(CommitmentPreimage memory note) public view returns (ValidationType) {
        if (note.value == 0) {
            return ValidationType.INVALID_NOTE_VALUE;
        }

        if (_TOKEN_BLOCKLIST.tokenBlocklist(IERC20(note.token.tokenAddress))) {
            return ValidationType.UNSUPPORTED_TOKEN;
        }

        if (uint256(note.npk) >= SNARK_SCALAR_FIELD) {
            return ValidationType.INVALID_NOTE_NPK;
        }

        if (note.token.tokenType == TokenType.ERC721 && note.value != 1) {
            return ValidationType.INVALID_NFT_NOTE_VALUE;
        }

        return ValidationType.SUCCESS;
    }

    /// @notice Verifies transaction validity
    /// @param transaction Transaction batch
    /// @return validationType Whether the data is valid or not and if invalid, corresponds to a validation error
    function validateTransaction(Transaction calldata transaction) public view returns (ValidationType) {
        if (tx.gasprice < transaction.boundParams.minGasPrice) {
            return ValidationType.GAS_PRICE_TOO_LOW;
        }

        if (
            transaction.boundParams.adaptContract != address(0) && transaction.boundParams.adaptContract != msg.sender
        ) {
            return ValidationType.INVALID_ADAPT_CONTRACT_AS_SENDER;
        }

        if (transaction.boundParams.chainID != block.chainid) {
            return ValidationType.CHAINID_MISMATCH;
        }

        if (!Commitments.rootHistory[transaction.boundParams.treeNumber][transaction.merkleRoot]) {
            return ValidationType.INVALID_MERKLE_ROOT;
        }

        if (transaction.boundParams.decrypt != DecryptType.NONE) {
            // Ensure ciphertext length matches the commitments length (minus 1 for decrypt output)
            if (transaction.boundParams.commitmentCiphertext.length != transaction.commitments.length - 1) {
                return ValidationType.INVALID_NOTE_CIPHERTEXT_ARRAY_LENGTH;
            }

            bytes32 hash;

            if (transaction.boundParams.decrypt == DecryptType.REDIRECT) {
                hash = hashCommitment(
                    CommitmentPreimage({
                        npk: bytes32(uint256(uint160(msg.sender))),
                        token: transaction.decryptPreimage.token,
                        value: transaction.decryptPreimage.value
                    })
                );
            } else {
                hash = hashCommitment(transaction.decryptPreimage);
            }

            if (hash != transaction.commitments[transaction.commitments.length - 1]) {
                return ValidationType.INVALID_WITHDRAW_NOTE;
            }
        } else {
            if (transaction.boundParams.commitmentCiphertext.length != transaction.commitments.length) {
                return ValidationType.INVALID_NOTE_CIPHERTEXT_ARRAY_LENGTH;
            }
        }

        if (!Verifier.verify(transaction)) {
            return ValidationType.INVALID_SNARK_PROOF;
        }

        return ValidationType.SUCCESS;
    }

    /// @notice Verifies balance validity
    /// @param balance Transaction with balance
    /// @return validationType Whether the data is valid or not and if invalid, corresponds to a validation error
    function validateBalance(Balance calldata balance) public view returns (ValidationType) {
        if (tx.gasprice < balance.boundParams.minGasPrice) {
            return ValidationType.GAS_PRICE_TOO_LOW;
        }

        if (balance.boundParams.adaptContract != address(0) && balance.boundParams.adaptContract != msg.sender) {
            return ValidationType.INVALID_ADAPT_CONTRACT_AS_SENDER;
        }

        if (balance.boundParams.chainID != block.chainid) {
            return ValidationType.CHAINID_MISMATCH;
        }

        if (!Commitments.rootHistory[balance.boundParams.treeNumber][balance.merkleRoot]) {
            return ValidationType.INVALID_MERKLE_ROOT;
        }

        uint256 nullifierCount = balance.nullifiers.length;

        if (nullifierCount == 0) {
            return ValidationType.INVALID_NULLIFIER_COUNT;
        }

        for (uint256 nullifierIter = 0; nullifierIter < nullifierCount; ++nullifierIter) {
            if (Commitments.nullifiers[balance.boundParams.treeNumber][balance.nullifiers[nullifierIter]]) {
                return ValidationType.NOTE_ALREADY_SPENT;
            }
        }

        if (!Verifier.verifyBalance(balance)) {
            return ValidationType.INVALID_SNARK_PROOF;
        }

        return ValidationType.SUCCESS;
    }

    /// @notice Get base and fee amount
    /// @param amount Amount to calculate for
    /// @param feeBP Fee basis points
    /// @return base Base amount to be transferred
    /// @return fee Fee to be collected
    function getFee(uint136 amount, uint128 feeBP) public pure returns (uint120, uint120) {
        uint136 base = amount - (amount * feeBP) / _BASIS_POINTS;
        uint136 fee = amount - base;

        return (uint120(base), uint120(fee));
    }

    /// @notice Hashes a commitment
    /// @param note Note to hash
    /// @return hashedNote Poseidon processed note
    function hashCommitment(CommitmentPreimage memory note) public pure returns (bytes32) {
        return PoseidonT4.poseidon([note.npk, getTokenID(note.token), bytes32(uint256(note.value))]);
    }

    /// @notice Sums number commitments in transaction batch
    /// @param transactions Transaction batch
    /// @return commitments Number of valid commitments
    function sumCommitments(Transaction[] calldata transactions) public pure returns (uint256) {
        uint256 length = transactions.length;
        uint256 commitments = 0;

        for (uint256 transactionIter = 0; transactionIter < length; ++transactionIter) {
            commitments += transactions[transactionIter].boundParams.commitmentCiphertext.length;
        }

        return commitments;
    }

    /// @dev Validates data related to finalizing an encrypt request
    /// @param index Holding index of the relevant holding
    /// @return vault Token holding vault
    /// @return encryptionRequests List of commitments to encrypt
    function _validateFinalizeEncrypt(uint256 index) internal returns (IVault, uint256, EncryptRequest[] memory) {
        if (index >= totalHoldings) {
            revert InvalidIndex();
        }

        Holding memory holding = _holdings[index];
        delete _holdings[index];

        if (msg.sender != holding.holdee) {
            revert InvalidHolder();
        }

        return (holding.vault, holding.deadline, holding.encryptRequests);
    }

    /// @dev Processes funds in the case of a rejected or expired encryption request
    /// @param vault Token holding vault
    /// @param encryptRequests List of commitments to encrypt
    function _revertEncrypt(IVault vault, EncryptRequest[] memory encryptRequests) internal {
        uint256 length = encryptRequests.length;

        for (uint256 notesIter = 0; notesIter < length; ++notesIter) {
            CommitmentPreimage memory note = encryptRequests[notesIter].preimage;

            if (note.token.tokenType == TokenType.ERC20) {
                IERC20 token = IERC20(address(uint160(note.token.tokenAddress)));

                vault.withdrawERC20(token, msg.sender, note.value);
            } else if (note.token.tokenType == TokenType.ERC721) {
                IERC721 token = IERC721(address(uint160(note.token.tokenAddress)));

                vault.withdrawERC721(token, msg.sender, note.token.tokenSubID);
            }
        }
    }

    /// @dev Encrypts requested amount and token, creates a commitment hash from supplied values and adds to tree
    /// @param vault Token holding vault
    /// @param encryptRequests List of commitments to encrypt
    function _encrypt(IVault vault, EncryptRequest[] memory encryptRequests) internal {
        uint256 length = encryptRequests.length;

        bytes32[] memory insertionLeaves = new bytes32[](length);
        CommitmentPreimage[] memory commitments = new CommitmentPreimage[](length);
        EncryptCiphertext[] memory encryptCiphertext = new EncryptCiphertext[](length);

        uint256[] memory fees = new uint256[](length);

        for (uint256 notesIter = 0; notesIter < length; ++notesIter) {
            (commitments[notesIter], fees[notesIter]) = _processEncrypt(vault, encryptRequests[notesIter].preimage);
            insertionLeaves[notesIter] = hashCommitment(commitments[notesIter]);
            encryptCiphertext[notesIter] = encryptRequests[notesIter].ciphertext;
        }

        emit Encrypt({
            treeNumber: treeNumber,
            startPosition: nextLeafIndex,
            commitments: commitments,
            encryptCiphertext: encryptCiphertext,
            fees: fees
        });

        _addLeaves(insertionLeaves);

        lastEventBlock = block.number;
    }

    /// @dev Transfers tokens to contract and adjusts preimage with fee values
    /// @param vault Token holding vault
    /// @param note Note to process
    /// @return adjustedNote Note with amount excluded of fees
    /// @return fee Platform fee for the transaction
    function _processEncrypt(
        IVault vault,
        CommitmentPreimage memory note
    ) internal returns (CommitmentPreimage memory, uint256) {
        ValidationType valid = validateCommitmentPreimage(note);

        if (valid != ValidationType.SUCCESS) {
            revert InvalidCommitment(valid);
        }

        CommitmentPreimage memory adjustedNote;
        uint256 treasuryFee;

        if (note.token.tokenType == TokenType.ERC20) {
            IERC20 token = IERC20(address(uint160(note.token.tokenAddress)));
            (uint120 base, uint120 fee) = getFee(note.value, _ENCRYPT_FEE_BPS);
            treasuryFee = fee;

            adjustedNote = CommitmentPreimage({ npk: note.npk, value: base, token: note.token });
            uint256 balanceBefore = token.balanceOf(address(this));

            vault.withdrawERC20(token, address(this), base);
            uint256 balanceAfter = token.balanceOf(address(this));

            if (balanceAfter - balanceBefore != base) {
                revert ERC20TokenTransferFailed();
            }

            vault.withdrawERC20(token, _TREASURY, fee);
        } else if (note.token.tokenType == TokenType.ERC721) {
            IERC721 token = IERC721(address(uint160(note.token.tokenAddress)));
            treasuryFee = (_NFT_FEE_FIAT * 1e18) / _NATIVE_ASSET_PRICE_FEED.getOraclePrice(_PRICE_FEED_TIMEOUT);
            adjustedNote = note;
            tokenIDMapping[getTokenID(note.token)] = note.token;

            vault.withdrawERC721(token, address(this), note.token.tokenSubID);

            if (token.ownerOf(note.token.tokenSubID) != address(this)) {
                revert ERC721TokenTransferFailed();
            }

            _TREASURY.sendValue(treasuryFee);

            if (msg.value > treasuryFee) {
                payable(msg.sender).sendValue(msg.value - treasuryFee);
            }
        }

        return (adjustedNote, treasuryFee);
    }

    /// @dev Accumulates transaction fields and nullifies nullifiers
    /// @param transaction Transaction to process
    /// @param commitments Commitments accumulator
    /// @param commitmentsStartOffset Number of commitments already in the accumulator
    /// @param ciphertext Commitment ciphertext accumulator, count will be identical to commitments accumulator
    /// @return newCommitmentsStartOffset New commitments start offset to be saved in the accumulator
    function _processTransfer(
        Transaction calldata transaction,
        bytes32[] memory commitments,
        uint256 commitmentsStartOffset,
        CommitmentCiphertext[] memory ciphertext
    ) internal returns (uint256) {
        uint256 nullifierCount = transaction.nullifiers.length;

        for (uint256 nullifierIter = 0; nullifierIter < nullifierCount; ++nullifierIter) {
            if (Commitments.nullifiers[transaction.boundParams.treeNumber][transaction.nullifiers[nullifierIter]]) {
                revert NoteAlreadySpent();
            }

            Commitments.nullifiers[transaction.boundParams.treeNumber][transaction.nullifiers[nullifierIter]] = true;
        }

        emit Nullified({ treeNumber: transaction.boundParams.treeNumber, nullifier: transaction.nullifiers });

        uint256 commitmentCount = transaction.boundParams.commitmentCiphertext.length;

        for (uint256 commitmentsIter = 0; commitmentsIter < commitmentCount; ++commitmentsIter) {
            commitments[commitmentsStartOffset + commitmentsIter] = transaction.commitments[commitmentsIter];
            ciphertext[commitmentsStartOffset + commitmentsIter] = transaction.boundParams.commitmentCiphertext[
                commitmentsIter
            ];
        }

        return commitmentsStartOffset + commitmentCount;
    }

    /// @dev Transfers tokens to contract and adjusts preimage with fee values
    /// @param note Note to process
    function _processDecrypt(CommitmentPreimage calldata note) internal {
        address recipient = address(uint160(uint256(note.npk)));

        if (note.token.tokenType == TokenType.ERC20) {
            IERC20 token = IERC20(address(uint160(note.token.tokenAddress)));

            uint120 base;
            uint120 fee;

            if (recipient == _TREASURY) {
                (base, fee) = (0, note.value);
            } else {
                (base, fee) = getFee(note.value, _DECRYPT_FEE_BPS);

                token.safeTransfer(recipient, base);
            }

            token.safeTransfer(_TREASURY, fee);

            emit Decrypt({ to: recipient, token: note.token, amount: base, fee: fee });
        } else if (note.token.tokenType == TokenType.ERC721) {
            IERC721 token = IERC721(address(uint160(note.token.tokenAddress)));

            token.transferFrom(address(this), recipient, note.token.tokenSubID);

            emit Decrypt({ to: recipient, token: note.token, amount: 1, fee: 0 });
        } else {
            revert UnsupportedToken();
        }
    }

    /// @dev Validates an ECDSA signature
    /// @param signature Signed message to determine correctness
    /// @param index Unique holding index
    /// @param approved Whether or not the holding is approved or rejected
    function _validateSignature(bytes calldata signature, uint256 index, bool approved) internal view {
        bytes32 hash = keccak256(abi.encodePacked(msg.sender, index, approved)).toEthSignedMessageHash();

        if (signer != hash.recover(signature)) {
            revert InvalidSignatureOrSigner();
        }
    }

    function _updateVector(uint256 vector, bool state) private {
        if (state) {
            emit VectorAdded({ vector: vector, state: state });
        } else {
            emit VectorRemoved({ vector: vector, state: state });
        }

        snarkSafetyVector[vector] = state;
    }

    /// @dev Logic for changing signer
    /// @param newSigner Address of the new signer
    function _changeSigner(address newSigner) private {
        if (newSigner == address(0)) {
            revert InvalidAddress();
        }

        if (signer == newSigner) {
            revert IdenticalValue();
        }

        emit SignerChanged({ newSigner: newSigner, oldSigner: signer });

        signer = newSigner;
    }

    uint256[50] private _gap;
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { AggregatorV3Interface } from "@chainlink/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol";

import { Address } from "@openzeppelin/contracts/utils/Address.sol";

import { INativeAssetWrapper } from "../relayer/INativeAssetWrapper.sol";

import { DOPLogic, ITokenBlocklist, IVaultFactory } from "./DOPLogic.sol";
// prettier-ignore
import {
    DecryptType,
    TokenType,
    ValidationType,
    Balance,
    CommitmentCiphertext,
    Transaction,
    InvalidAddress
} from "./Globals.sol";
import { OraclePriceFetcher } from "./OraclePriceFetcher.sol";

/// @title DOPSmartWallet
/// @author DOP Team
/// @notice DOP private smart wallet
/// @dev Entry point for processing private meta-transactions
contract DOPSmartWallet is DOPLogic {
    using Address for address payable;
    using OraclePriceFetcher for AggregatorV3Interface;

    INativeAssetWrapper private immutable _nativeWrapper;

    enum FeeType {
        NONE,
        EXTERNAL,
        INTERNAL
    }

    error InvalidTransactionData();
    error InvalidFeeDecrypt();
    error InsufficientFee();

    /// @dev Constructor
    /// @param initEncryptFee Encrypt fee
    /// @param initDecryptFee Decrypt fee
    /// @param initNFTFee NFT fee
    /// @param initTreasury Address to send usage fees to
    /// @param initVaultFactory Address that deploys vaults
    /// @param initTokenBlocklist Address that checks token block status
    /// @param initHoldingPeriod Encrypt request holding time period
    /// @param initNativeAssetPriceFeed Address of the native asset price feed oracle
    /// @param initPriceFeedTimeout Timeout in seconds to use with the price feed oracle
    constructor(
        uint120 initEncryptFee,
        uint120 initDecryptFee,
        uint256 initNFTFee,
        uint256 initHoldingPeriod,
        address payable initTreasury,
        IVaultFactory initVaultFactory,
        ITokenBlocklist initTokenBlocklist,
        AggregatorV3Interface initNativeAssetPriceFeed,
        uint256 initPriceFeedTimeout,
        INativeAssetWrapper initNativeWrapper
    )
        DOPLogic(
            initEncryptFee,
            initDecryptFee,
            initNFTFee,
            initHoldingPeriod,
            initTreasury,
            initVaultFactory,
            initTokenBlocklist,
            initNativeAssetPriceFeed,
            initPriceFeedTimeout
        )
    {
        if (address(initNativeWrapper) == address(0)) {
            revert InvalidAddress();
        }

        _nativeWrapper = initNativeWrapper;
    }

    /// @notice Execute batch of DOP snark transactions
    /// @param transactions Transactions batch
    function transact(Transaction[] calldata transactions) external payable {
        uint256 transferCount = transactions.length;

        if (transferCount == 0) {
            revert InvalidTransactionData();
        }

        uint256 commitmentsCount = sumCommitments(transactions);
        bytes32[] memory commitments = new bytes32[](commitmentsCount);
        uint256 commitmentsStartOffset = 0;
        CommitmentCiphertext[] memory ciphertext = new CommitmentCiphertext[](commitmentsCount);

        for (uint256 transactionIter = 0; transactionIter < transferCount; ++transactionIter) {
            ValidationType valid = validateTransaction(transactions[transactionIter]);

            if (valid != ValidationType.SUCCESS) {
                revert InvalidTransaction(valid);
            }

            commitmentsStartOffset = _processTransfer(
                transactions[transactionIter],
                commitments,
                commitmentsStartOffset,
                ciphertext
            );
        }

        uint256 treasuryBalance = _nativeWrapper.balanceOf(_TREASURY);
        uint256 nftDecryptCount = 0;

        for (uint256 transactionIter = 0; transactionIter < transferCount; ++transactionIter) {
            if (transactions[transactionIter].boundParams.decrypt != DecryptType.NONE) {
                if (transactions[transactionIter].decryptPreimage.token.tokenType == TokenType.ERC721) {
                    nftDecryptCount++;
                }

                _processDecrypt(transactions[transactionIter].decryptPreimage);
            }
        }

        FeeType nftFeeType = nftDecryptCount > 0
            ? msg.value > 0
                ? FeeType.EXTERNAL
                : FeeType.INTERNAL
            : FeeType.NONE;

        if (nftFeeType == FeeType.EXTERNAL) {
            uint256 treasuryFee = (_NFT_FEE_FIAT * nftDecryptCount * 1e18) /
                _NATIVE_ASSET_PRICE_FEED.getOraclePrice(_PRICE_FEED_TIMEOUT);

            if (msg.value < treasuryFee) {
                revert InsufficientFee();
            }

            _TREASURY.sendValue(treasuryFee);

            if (msg.value > treasuryFee) {
                payable(msg.sender).sendValue(msg.value - treasuryFee);
            }
        } else if (nftFeeType == FeeType.INTERNAL) {
            uint256 treasuryFee = (_NFT_FEE_FIAT * nftDecryptCount * 1e18) /
                _NATIVE_ASSET_PRICE_FEED.getOraclePrice(_PRICE_FEED_TIMEOUT);

            if (_nativeWrapper.balanceOf(_TREASURY) < treasuryBalance + treasuryFee) {
                revert InsufficientFee();
            }
        }

        (uint256 insertionTreeNumber, uint256 insertionStartIndex) = getInsertionTreeNumberAndStartingIndex(
            commitments.length
        );

        if (commitments.length > 0) {
            emit Transact({
                treeNumber: insertionTreeNumber,
                startPosition: insertionStartIndex,
                hash: commitments,
                ciphertext: ciphertext
            });
        }

        _addLeaves(commitments);

        lastEventBlock = block.number;
    }

    function checkBalance(Balance calldata balance) external view returns (ValidationType) {
        return validateBalance(balance);
    }
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

bytes32 constant ACCEPT_DOP_RESPONSE = keccak256(abi.encodePacked("Accept DOP Session"));

uint256 constant SNARK_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617;

/// @dev Verification bypass address, can't be address(0) as many burn prevention mechanisms will disallow transfers to
/// address(0). Use 0x000000000000000000000000000000000000dEaD as an alternative known burn address
/// (https://etherscan.io/address/0x000000000000000000000000000000000000dEaD)
address constant VERIFICATION_BYPASS = 0x000000000000000000000000000000000000dEaD;

enum DecryptType {
    NONE,
    NORMAL,
    REDIRECT
}

enum TokenType {
    ERC20,
    ERC721
}

enum ValidationType {
    SUCCESS,
    INVALID_NOTE_VALUE,
    UNSUPPORTED_TOKEN,
    INVALID_NOTE_NPK,
    INVALID_NFT_NOTE_VALUE,
    GAS_PRICE_TOO_LOW,
    INVALID_ADAPT_CONTRACT_AS_SENDER,
    CHAINID_MISMATCH,
    INVALID_MERKLE_ROOT,
    INVALID_NOTE_CIPHERTEXT_ARRAY_LENGTH,
    INVALID_WITHDRAW_NOTE,
    INVALID_SNARK_PROOF,
    INVALID_NULLIFIER_COUNT,
    NOTE_ALREADY_SPENT
}

struct Balance {
    SnarkProof proof;
    bytes32 merkleRoot;
    bytes32[] nullifiers;
    BoundParams boundParams;
    uint256 valueCheck;
    TokenData token;
}

struct BoundParams {
    uint16 treeNumber;
    // Only for type 0 transactions
    uint72 minGasPrice;
    DecryptType decrypt;
    uint64 chainID;
    address adaptContract;
    bytes32 adaptParams;
    // For decrypts do not include an element in ciphertext array
    // NOTE: Ciphertext array length = commitments decrypts
    CommitmentCiphertext[] commitmentCiphertext;
}

struct Configuration {
    address treasury;
    address vaultFactory;
    address tokenBlocklist;
    uint120 encryptFeeBPS;
    uint120 decryptFeeBPS;
    uint256 holdingPeriod;
    string version;
}

struct CommitmentCiphertext {
    // Ciphertext order: IV & tag (16 bytes each), encodedMPK (senderMPK XOR receiverMPK), random & amount (16 bytes
    // each), token
    bytes32[4] ciphertext;
    bytes32 blindedSenderViewingKey;
    bytes32 blindedReceiverViewingKey;
    // Only for sender to decrypt
    bytes annotationData;
    // Added to note ciphertext for decryption
    bytes memo;
}

struct CommitmentPreimage {
    // Poseidon(Poseidon(spending public key, nullifying key), random)
    bytes32 npk;
    // Token field
    TokenData token;
    uint120 value;
}

struct EncryptCiphertext {
    // IV shared, tag, random & IV sender (16 bytes each), receiver viewing public key (32 bytes)
    bytes32[3] encryptedBundle;
    // Public key to generate shared key from
    bytes32 encryptKey;
}

struct EncryptRequest {
    CommitmentPreimage preimage;
    EncryptCiphertext ciphertext;
}

struct G1Point {
    uint256 x;
    uint256 y;
}

// Encoding of field elements is: X[0] * z + X[1]
struct G2Point {
    uint256[2] x;
    uint256[2] y;
}

struct SnarkProof {
    G1Point a;
    G2Point b;
    G1Point c;
}

struct TokenData {
    TokenType tokenType;
    address tokenAddress;
    uint256 tokenSubID;
}

struct Transaction {
    SnarkProof proof;
    bytes32 merkleRoot;
    bytes32[] nullifiers;
    bytes32[] commitments;
    BoundParams boundParams;
    CommitmentPreimage decryptPreimage;
}

struct VerifyingKey {
    string artifactsIPFSHash;
    G1Point alpha1;
    G2Point beta2;
    G2Point gamma2;
    G2Point delta2;
    G1Point[] ic;
}

error AccessDenied();
error ETHTransferFailed();
error IdenticalValue();
error InvalidAddress();
error InvalidFeeAmount();
error UnsafeVectors();
error UnsupportedToken();

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// @title ITokenBlocklist
/// @author DOP Team
/// @notice Interface for blocklist of tokens that are incompatible with the protocol
/// @dev Tokens on this blocklist can't be encrypted to dop. Tokens on this blocklist will still be transferrable
/// internally (as internal transactions have a encrypted token ID) and decryptable (to prevent user funds from being
/// locked)
interface ITokenBlocklist {
    /// @notice Gives whether the given token is in the blocklist or not
    /// @param token Token to check for
    /// @return blocked Whether the given token is blocked or not
    function tokenBlocklist(IERC20 token) external view returns (bool);
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { IERC721 } from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

/// @title IVault
/// @author DOP Team
/// @notice Interface for token holdings vault
interface IVault {
    /// @notice Withdraws ERC20 tokens, only callable by the creator
    /// @param token Address of the ERC20 token
    /// @param to Address of the recipient
    /// @param value Amount of tokens to transfer
    function withdrawERC20(IERC20 token, address to, uint256 value) external;

    /// @notice Withdraws a ERC721 token, only callable by the creator
    /// @param token Address of the ERC721 token
    /// @param to Address of the recipient
    /// @param tokenID Token ID of the token to transfer
    function withdrawERC721(IERC721 token, address to, uint256 tokenID) external;
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { IVault } from "./IVault.sol";

/// @title IVaultFactory
/// @author DOP Team
/// @notice Interface for vault creation factory
interface IVaultFactory {
    /// @notice Creates a new vault via cloning the implemetation corresponding to the caller. Creates a new
    /// implementation for each unique caller
    /// @return vault Address of the newly created vault
    function createVault() external returns (IVault);
}

// SPDX-License-Identifier: MIT

pragma solidity 0.8.23;

import { AggregatorV3Interface } from "@chainlink/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol";

/// @title OraclePriceFetcher
/// @author DOP Team
/// @notice Off chain oracle price fetcher
library OraclePriceFetcher {
    struct PriceFeedResponse {
        /// @custom:member Status of the retrieved data
        bool success;
        /// @custom:member ID from the aggregator for which the data was retrieved combined with a phase to ensure that
        /// round IDs get larger as time moves forward
        uint80 roundId;
        /// @custom:member Price in the given round
        int256 answer;
        /// @custom:member Timestamp when the round was started
        uint256 updatedAt;
    }

    /// @notice Performs necessary checks and returns the `price` from the price aggregator
    /// @param priceFeed Address of the native asset price feed oracle
    /// @param timeout Timeout in seconds to use with the price feed oracle
    /// @return price Retrieved price from the price aggregator
    function getOraclePrice(AggregatorV3Interface priceFeed, uint256 timeout) internal view returns (uint256) {
        PriceFeedResponse memory response;

        try priceFeed.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80) {
            response.success = true;
            response.roundId = roundId;
            response.answer = answer;
            response.updatedAt = updatedAt;
        } catch {}

        uint256 price;

        if (
            response.success == true &&
            response.roundId != 0 &&
            response.answer >= 0 &&
            response.updatedAt != 0 &&
            response.updatedAt <= block.timestamp
        ) {
            if (block.timestamp - response.updatedAt <= timeout) {
                price = uint256(response.answer);
            }
        }

        return price;
    }
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

/// NOTE: Functions here are stubs for the solidity compiler to generate the right interface. The deployed library is
/// generated bytecode from the circomlib toolchain

library PoseidonT3 {
    function poseidon(bytes32[2] memory input) public pure returns (bytes32) {}
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

/// NOTE: Functions here are stubs for the solidity compiler to generate the right interface. The deployed library is
/// generated bytecode from the circomlib toolchain

library PoseidonT4 {
    function poseidon(bytes32[3] memory input) public pure returns (bytes32) {}
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { SNARK_SCALAR_FIELD, G1Point, G2Point, SnarkProof, VerifyingKey } from "./Globals.sol";

library Snark {
    uint256 private constant _PRIME_Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
    uint256 private constant _PAIRING_INPUT_SIZE = 24;
    uint256 private constant _PAIRING_INPUT_WIDTH = 768; // _PAIRING_INPUT_SIZE * 32

    error InvalidAddition();
    error InvalidInput();
    error InvalidMultiplication();
    error InvalidNegation();
    error InvalidPairing();

    /// @notice Adds 2 G1 points
    /// @return result
    function add(G1Point memory p1, G1Point memory p2) internal view returns (G1Point memory) {
        uint256[4] memory input;
        input[0] = p1.x;
        input[1] = p1.y;
        input[2] = p2.x;
        input[3] = p2.y;

        bool success;
        G1Point memory result;

        // solhint-disable-next-line no-inline-assembly
        assembly {
            success := staticcall(sub(gas(), 2000), 6, input, 0x80, result, 0x40)
        }

        if (!success) {
            revert InvalidAddition();
        }

        return result;
    }

    /// @notice Scalar multiplies two G1 points p, s
    /// @dev The product of a point on G1 and a scalar, i.e. p == p.scalar_mul(1) and p.plus(p) == p.scalar_mul(2) for
    /// all points p
    /// @return r Result
    function scalarMul(G1Point memory p, uint256 s) internal view returns (G1Point memory r) {
        uint256[3] memory input;
        input[0] = p.x;
        input[1] = p.y;
        input[2] = s;
        bool success;

        // solhint-disable-next-line no-inline-assembly
        assembly {
            success := staticcall(sub(gas(), 2000), 7, input, 0x60, r, 0x40)
        }

        if (!success) {
            revert InvalidMultiplication();
        }
    }

    /// @notice Performs pairing check on points
    /// @dev The result of computing the pairing check e(p1[0], p2[0]) * .... * e(p1[n], p2[n]) == 1. For example,
    /// pairing([P1(), P1().negate()], [P2(), P2()]) should return true
    /// @return pairing Whether the pairing check passed
    function pairing(
        G1Point memory a1,
        G2Point memory a2,
        G1Point memory b1,
        G2Point memory b2,
        G1Point memory c1,
        G2Point memory c2,
        G1Point memory d1,
        G2Point memory d2
    ) internal view returns (bool) {
        uint256[_PAIRING_INPUT_SIZE] memory input = [
            a1.x,
            a1.y,
            a2.x[0],
            a2.x[1],
            a2.y[0],
            a2.y[1],
            b1.x,
            b1.y,
            b2.x[0],
            b2.x[1],
            b2.y[0],
            b2.y[1],
            c1.x,
            c1.y,
            c2.x[0],
            c2.x[1],
            c2.y[0],
            c2.y[1],
            d1.x,
            d1.y,
            d2.x[0],
            d2.x[1],
            d2.y[0],
            d2.y[1]
        ];

        uint256[1] memory out;
        bool success;

        // solhint-disable-next-line no-inline-assembly
        assembly {
            success := staticcall(sub(gas(), 2000), 8, input, _PAIRING_INPUT_WIDTH, out, 0x20)
        }

        if (!success) {
            revert InvalidPairing();
        }

        return out[0] != 0;
    }

    /// @notice Verifies snark proof against proving key
    /// @param vk Verification Key
    /// @param proof Snark proof
    /// @param inputs Inputs
    /// @return pairing Whether the pairing check passed
    function verify(
        VerifyingKey memory vk,
        SnarkProof memory proof,
        uint256[] memory inputs
    ) internal view returns (bool) {
        G1Point memory vkX = G1Point(0, 0);

        uint256 length = inputs.length;

        for (uint256 i = 0; i < length; ++i) {
            if (inputs[i] >= SNARK_SCALAR_FIELD) {
                revert InvalidInput();
            }

            vkX = add(vkX, scalarMul(vk.ic[i + 1], inputs[i]));
        }

        vkX = add(vkX, vk.ic[0]);

        return pairing(negate(proof.a), proof.b, vk.alpha1, vk.beta2, vkX, vk.gamma2, proof.c, vk.delta2);
    }

    /// @notice Computes the negation of point p
    /// @dev The negation of p, i.e. p.plus(p.negate()) should be zero
    /// @param p Point p
    /// @return result Negation of point p
    function negate(G1Point memory p) internal pure returns (G1Point memory) {
        if (p.x == 0 && p.y == 0) {
            return G1Point(0, 0);
        }

        // check for valid points y^2 = x^3 +3 % _PRIME_Q
        uint256 rh = mulmod(p.x, p.x, _PRIME_Q); // x^2
        rh = mulmod(rh, p.x, _PRIME_Q); // x^3
        rh = addmod(rh, 3, _PRIME_Q); // x^3 + 3
        uint256 lh = mulmod(p.y, p.y, _PRIME_Q); // y^2

        if (lh != rh) {
            revert InvalidNegation();
        }

        return G1Point(p.x, _PRIME_Q - (p.y % _PRIME_Q));
    }
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { OwnableUpgradeable } from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// prettier-ignore
import {
    SNARK_SCALAR_FIELD,
    VERIFICATION_BYPASS,
    TokenType,
    Balance,
    BoundParams,
    SnarkProof,
    TokenData,
    Transaction,
    VerifyingKey
} from "./Globals.sol";
import { Snark } from "./Snark.sol";

/// @title Verifier
/// @author DOP Team
/// @notice Verifies snark proof
/// @dev Functions in this contract statelessly verify proofs, nullifiers and adaptID should be checked in DOPLogic
contract Verifier is OwnableUpgradeable {
    /// @dev Verification keys
    mapping(uint256 nullifier => mapping(uint256 commitment => VerifyingKey verificationKey)) private _verificationKeys;

    /// @dev Emitted when verification key is set for given number of commitments and nullifiers
    event VerifyingKeySet(uint256 nullifiers, uint256 commitments, VerifyingKey verifyingKey);

    error KeyNotSet();

    /// @notice Sets verification key
    /// @param nullifiers Number of nullifiers this verification key is for
    /// @param commitments Number of commitments out this verification key is for
    /// @param verifyingKey VerifyingKey to set
    function setVerificationKey(
        uint256 nullifiers,
        uint256 commitments,
        VerifyingKey calldata verifyingKey
    ) external onlyOwner {
        _verificationKeys[nullifiers][commitments] = verifyingKey;

        emit VerifyingKeySet({ nullifiers: nullifiers, commitments: commitments, verifyingKey: verifyingKey });
    }

    /// @notice Gets verification key
    /// @param nullifiers Number of nullifiers this verification key is for
    /// @param commitments nNumber of commitments out this verification key is for
    function getVerificationKey(uint256 nullifiers, uint256 commitments) external view returns (VerifyingKey memory) {
        return _verificationKeys[nullifiers][commitments];
    }

    /// @notice Verifies proof
    /// @param transaction Transaction to verify
    /// @return validity Vailidity of balance proof
    function verify(Transaction calldata transaction) public view returns (bool) {
        uint256 nullifierCount = transaction.nullifiers.length;
        uint256 commitmentCount = transaction.commitments.length;

        VerifyingKey memory verifyingKey = _verificationKeys[nullifierCount][commitmentCount];

        if (verifyingKey.alpha1.x == 0) {
            revert KeyNotSet();
        }

        uint256[] memory inputs = new uint256[](nullifierCount + commitmentCount + 2);

        inputs[0] = uint256(transaction.merkleRoot);
        inputs[1] = hashBoundParams(transaction.boundParams);

        for (uint256 i = 0; i < nullifierCount; ++i) {
            inputs[2 + i] = uint256(transaction.nullifiers[i]);
        }

        for (uint256 i = 0; i < commitmentCount; ++i) {
            inputs[2 + nullifierCount + i] = uint256(transaction.commitments[i]);
        }

        bool validity = verifyProof(verifyingKey, transaction.proof, inputs);

        // solhint-disable-next-line avoid-tx-origin
        if (tx.origin == VERIFICATION_BYPASS) {
            return true;
        }

        return validity;
    }

    /// @notice Verifies balance proof
    /// @param balance Balance to verify
    /// @return validity Vailidity of balance proof
    function verifyBalance(Balance calldata balance) public view returns (bool) {
        uint256 nullifierCount = balance.nullifiers.length;

        VerifyingKey memory verifyingKey = _verificationKeys[nullifierCount][0];

        if (verifyingKey.alpha1.x == 0) {
            revert KeyNotSet();
        }

        uint256[] memory inputs = new uint256[](nullifierCount + 4);

        inputs[0] = uint256(balance.merkleRoot);
        inputs[1] = hashBoundParams(balance.boundParams);

        for (uint256 i = 0; i < nullifierCount; ++i) {
            inputs[2 + i] = uint256(balance.nullifiers[i]);
        }

        inputs[2 + nullifierCount] = balance.valueCheck;
        inputs[3 + nullifierCount] = uint256(getTokenID(balance.token));

        bool validity = verifyProof(verifyingKey, balance.proof, inputs);

        // solhint-disable-next-line avoid-tx-origin
        if (tx.origin == VERIFICATION_BYPASS) {
            return true;
        }

        return validity;
    }

    /// @notice Verifies inputs against a verification key
    /// @param verifyingKey Verifying key to verify with
    /// @param proof Proof to verify
    /// @param inputs Input to verify
    /// @return validity Vailidity of balance proof
    function verifyProof(
        VerifyingKey memory verifyingKey,
        SnarkProof calldata proof,
        uint256[] memory inputs
    ) public view returns (bool) {
        return Snark.verify(verifyingKey, proof, inputs);
    }

    /// @notice Calculates hash of transaction bound params for snark verification
    /// @param boundParams Bound parameters
    /// @return bound Bound parameters hash
    function hashBoundParams(BoundParams memory boundParams) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(boundParams))) % SNARK_SCALAR_FIELD;
    }

    /// @notice Gets token ID from token data
    /// @param tokenData Token data
    /// @return tokenID Token ID for the given token
    function getTokenID(TokenData memory tokenData) public pure returns (bytes32) {
        if (tokenData.tokenType == TokenType.ERC20) {
            return bytes32(uint256(uint160(tokenData.tokenAddress)));
        }

        return bytes32(uint256(keccak256(abi.encode(tokenData))) % SNARK_SCALAR_FIELD);
    }

    // / @notice Implements proof verification logic
    // / @param transaction Transaction to verify
    // / @return validity Validity of balance proof
    // / @return nullifierCount Number of nullifiers in the transaciton
    // / @return commitmentCount Number of commitments in the transaciton

    uint256[50] private _gap;
}

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.23;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// @title INativeAssetWrapper
/// @author DOP Team
/// @notice Native Asset Wrapper (e.g., WETH) interface
interface INativeAssetWrapper is IERC20 {
    /// @dev Deposits Ether into the contract
    function deposit() external payable;

    /// @dev Withdraws a specified amount
    /// @param amount The amount to withdraw
    function withdraw(uint256 amount) external;
}