ethereum · bencxr · Jul 11, 2016
diff --git a/wallet/wallet.sol b/wallet/wallet.sol
@@ -1,14 +1,96 @@
-//sol Wallet
+// sol Wallet
 // Multi-sig, daily-limited account proxy/wallet.
 // @authors:
 // Gav Wood <[email protected]>
+// Ben Chan <[email protected]>
+
+// Inheritable contract with methods that can be used to help with the pattern of using ecrecover to obtain a signing
+// address from a signature in a data field for the purposes of confirming an operation
+contract ecverifiable {
+  // When we use ecrecover to verify signatures (in addition to msg.sender), an array window of sequence ids is used.
+  // This prevents from replay attacks by the first signer.
+  //
+  // Sequence IDs may not be repeated and should start from 1 onwards. Stores the last 10 largest sequence ids in a window
+  // New sequence ids being added must replace the smallest of those numbers and must be larger than the smallest value stored.
+  // This allows some degree of flexibility for submission of multiple transactions in a block.
+  uint constant SEQUENCE_ID_WINDOW_SIZE = 10;
+  uint[10] recentSequenceIds;
+
+  // Gets the next available sequence ID for signing when using confirmAndCheckUsingECRecover
+  function getNextSequenceId() returns (uint) {
+    uint highestSequenceId = 0;
+    for (uint i = 0; i < SEQUENCE_ID_WINDOW_SIZE; i++) {
+      if (recentSequenceIds[i] > highestSequenceId) {
+        highestSequenceId = recentSequenceIds[i];
+      }
+    }
+    return highestSequenceId + 1;
+  }
+
+  // Given the sequence id, operation hash and signature, verify the sequence id against replay attacks and then
+  // recover the signing address
+  function ecVerifyAndRecover(bytes32 operation, uint sequenceId, bytes signature) internal returns (address) {
+    tryInsertSequenceId(sequenceId);
+    return recoverAddressFromSignature(operation, signature);
+  }
+
+  /**
+   * Gets a signer's address using ecrecover
+   * @param operationHash the sha3 of the operation to verify
+   * @param signature the tightly packed signature of r, s, and v as an array of 65 bytes (returned by eth.sign)
+   */
+  function recoverAddressFromSignature(bytes32 operationHash, bytes signature) private returns (address) {
+    if (signature.length != 65) {
+      throw;
+    }
+    // We need to unpack the signature, which is given as an array of 65 bytes (from eth.sign)
+    bytes32 r;
+    bytes32 s;
+    uint8 v;
+    assembly {
+      r := mload(add(signature, 32))
+      s := mload(add(signature, 64))
+      v := and(mload(add(signature, 65)), 255)
+    }
+    if (v < 27) {
+      v += 27; // Ethereum versions are 27 or 28 as opposed to 0 or 1 which is submitted by some signing libs
+    }
+    return ecrecover(operationHash, v, r, s);
+  }
+
+  /**
+   * Verify that the sequence id has not been used before and inserts it. Throws if the sequence ID was not accepted.
+   * We collect a window of up to 10 recent sequence ids, and allow any sequence id that is not in the window and
+   * greater than the minimum element in the window.
+   */
+  function tryInsertSequenceId(uint sequenceId) private returns (uint) {
+    // Keep a pointer to the lowest value element in the window
+    uint lowestValueIndex = 0;
+    for (uint i = 0; i < SEQUENCE_ID_WINDOW_SIZE; i++) {
+      if (recentSequenceIds[i] == sequenceId) {
+        // This sequence ID has been used before. Disallow!
+        throw;
+      }
+      if (recentSequenceIds[i] < recentSequenceIds[lowestValueIndex]) {
+        lowestValueIndex = i;
+      }
+    }
+    if (sequenceId < recentSequenceIds[lowestValueIndex]) {
+      // The sequence ID being used is lower than the lowest value in the window
+      // so we cannot accept it as it may have been used before
+      throw;
+    }
+    recentSequenceIds[lowestValueIndex] = sequenceId;
+  }
+}
+
 // inheritable "property" contract that enables methods to be protected by requiring the acquiescence of either a
 // single, or, crucially, each of a number of, designated owners.
 // usage:
 // use modifiers onlyowner (just own owned) or onlymanyowners(hash), whereby the same hash must be provided by
 // some number (specified in constructor) of the set of owners (specified in the constructor, modifiable) before the
 // interior is executed.
-contract multiowned {
+contract multiowned is ecverifiable {
 
 	// TYPES
 
@@ -138,33 +220,56 @@ contract multiowned {
         uint ownerIndexBit = 2**ownerIndex;
         return !(pending.ownersDone & ownerIndexBit == 0);
     }
-
-    // INTERNAL METHODS
 
+    // INTERNAL METHODS
+    // Called within the onlymanyowners modifier.
+    // Records a confirmation by msg.sender and returns true if the operation has the required number of confirmations
     function confirmAndCheck(bytes32 _operation) internal returns (bool) {
-        // determine what index the present sender is:
-        uint ownerIndex = m_ownerIndex[uint(msg.sender)];
-        // make sure they're an owner
-        if (ownerIndex == 0) return;
+        return confirmAndCheckOperationForOwner(_operation, msg.sender);
+    }
+
+    // This operation will look for 2 confirmations
+    // The first confirmation will be verified using ecrecover
+    // The second confirmation will be verified using msg.sender
+    function confirmWithSenderAndECRecover(bytes32 _operation, uint _sequenceId, bytes _signature) internal returns (bool) {
+        // We expect confirmAndCheckUsingECRecover to run and return false, but mark the pending operation as having 1 confirm
+        return confirmAndCheckUsingECRecover(_operation, _sequenceId, _signature) || confirmAndCheck(_operation);
+    }
+
+    // Gets an owner using ecrecover, records their confirmation and
+    // returns true if the operation has the required number of confirmations
+    function confirmAndCheckUsingECRecover(bytes32 _operation, uint _sequenceId, bytes _signature) internal returns (bool) {
+        var ownerAddress = ecVerifyAndRecover(_operation, _sequenceId, _signature);
+        return confirmAndCheckOperationForOwner(_operation, ownerAddress);
+    }
+
+    // Records confirmations for an operation by the given owner and
+    // returns true if the operation has the required number of confirmations
+    function confirmAndCheckOperationForOwner(bytes32 _operation, address _owner) private returns (bool) {
+        // Determine what index the present sender is
+        uint ownerIndex = m_ownerIndex[uint(_owner)];
+        // Make sure they're an owner
+        if (ownerIndex == 0) return false;
 
         var pending = m_pending[_operation];
-        // if we're not yet working on this operation, switch over and reset the confirmation status.
+        // If we're not yet working on this operation, add it
         if (pending.yetNeeded == 0) {
-            // reset count of confirmations needed.
+            // Reset count of confirmations needed.
             pending.yetNeeded = m_required;
-            // reset which owners have confirmed (none) - set our bitmap to 0.
+            // Reset which owners have confirmed (none) - set our bitmap to 0.
             pending.ownersDone = 0;
             pending.index = m_pendingIndex.length++;
             m_pendingIndex[pending.index] = _operation;
         }
-        // determine the bit to set for this owner.
+
+        // Determine the bit to set for this owner on the pending state for the operation
         uint ownerIndexBit = 2**ownerIndex;
-        // make sure we (the message sender) haven't confirmed this operation previously.
+        // Make sure the owner has not confirmed this operation previously.
         if (pending.ownersDone & ownerIndexBit == 0) {
-            Confirmation(msg.sender, _operation);
-            // ok - check if count is enough to go ahead.
+            Confirmation(_owner, _operation);
+            // Check if this confirmation puts us at the required number of needed confirmations.
             if (pending.yetNeeded <= 1) {
-                // enough confirmations: reset and run interior.
+                // Enough confirmations: mark operation as passed and return true to continue execution
                 delete m_pendingIndex[m_pending[_operation].index];
                 delete m_pending[_operation];
                 return true;
@@ -176,6 +281,8 @@ contract multiowned {
                 pending.ownersDone |= ownerIndexBit;
             }
         }
+
+        return false;
     }
 
     function reorganizeOwners() private {
@@ -363,9 +470,38 @@ contract Wallet is multisig, multiowned, daylimit {
             return true;
         }
     }
-
+
+    // Execute and confirm a transaction with 2 signatures - one using the msg.sender and another using ecrecover
+    // The signature is a signed form (using eth.sign) of tightly packed to, value, data, expiretime and sequenceId
+    // Sequence IDs are numbers starting from 1. They used to prevent replay attacks and may not be repeated.
+    function executeAndConfirm(address _to, uint _value, bytes _data, uint _expireTime, uint _sequenceId, bytes _signature)
+        external onlyowner
+        returns (bytes32)
+    {
+        if (_expireTime < block.timestamp) {
+            throw;
+        }
+
+        // The unique hash is the combination of all arguments except the signature
+        var operationHash = sha3(_to, _value, _data, _expireTime, _sequenceId);
+
+        // Confirm the operation
+        if (confirmWithSenderAndECRecover(operationHash, _sequenceId, _signature)) {
+            if (!(_to.call.value(_value)(_data))) {
+                throw;
+            }
+            MultiTransact(msg.sender, operationHash, _value, _to, _data);
+            return 0;
+        }
+
+        m_txs[operationHash].to = _to;
+        m_txs[operationHash].value = _value;
+        m_txs[operationHash].data = _data;
+        ConfirmationNeeded(operationHash, msg.sender, _value, _to, _data);
+        return operationHash;
+    }
+
     // INTERNAL METHODS
-
     function clearPending() internal {
         uint length = m_pendingIndex.length;
         for (uint i = 0; i < length; ++i)