sui_bridge/

utils.rs

// Copyright (c) Mysten Labs, Inc.
// SPDX-License-Identifier: Apache-2.0

use crate::abi::{
    EthBridgeCommittee, EthBridgeConfig, EthBridgeLimiter, EthBridgeVault, EthSuiBridge,
};
use crate::config::{
    BridgeNodeConfig, EthConfig, MetricsConfig, SuiConfig, WatchdogConfig, default_ed25519_key_pair,
};
use crate::crypto::{BridgeAuthorityKeyPair, BridgeAuthorityPublicKeyBytes};
use crate::server::APPLICATION_JSON;
use crate::types::{AddTokensOnSuiAction, BridgeAction, BridgeCommittee};
use alloy::network::EthereumWallet;
use alloy::primitives::Address as EthAddress;
use alloy::providers::{ProviderBuilder, RootProvider, WsConnect};
use alloy::signers::local::PrivateKeySigner;
use anyhow::anyhow;
use fastcrypto::ed25519::Ed25519KeyPair;
use fastcrypto::encoding::{Encoding, Hex};
use fastcrypto::secp256k1::Secp256k1KeyPair;
use fastcrypto::traits::{EncodeDecodeBase64, KeyPair};
use futures::future::join_all;
use move_core_types::language_storage::StructTag;
use std::collections::BTreeMap;
use std::path::PathBuf;
use std::str::FromStr;
use std::sync::Arc;
use sui_config::Config;
use sui_keys::keypair_file::read_key;
use sui_sdk::wallet_context::WalletContext;
use sui_test_transaction_builder::TestTransactionBuilder;
use sui_types::BRIDGE_PACKAGE_ID;
use sui_types::base_types::SuiAddress;
use sui_types::bridge::{
    BRIDGE_MODULE_NAME, BRIDGE_REGISTER_FOREIGN_TOKEN_FUNCTION_NAME, BridgeChainId,
};
use sui_types::committee::StakeUnit;
use sui_types::crypto::{SuiKeyPair, ToFromBytes, get_key_pair};
use sui_types::effects::TransactionEffectsAPI;
use sui_types::programmable_transaction_builder::ProgrammableTransactionBuilder;
use sui_types::sui_system_state::sui_system_state_summary::SuiSystemStateSummary;
use sui_types::transaction::{ObjectArg, TransactionData};
use url::Url;

pub struct EthBridgeContracts {
    pub bridge: EthSuiBridge::EthSuiBridgeInstance<EthProvider>,
    pub committee: EthBridgeCommittee::EthBridgeCommitteeInstance<EthProvider>,
    pub limiter: EthBridgeLimiter::EthBridgeLimiterInstance<EthProvider>,
    pub vault: EthBridgeVault::EthBridgeVaultInstance<EthProvider>,
    pub config: EthBridgeConfig::EthBridgeConfigInstance<EthProvider>,
}

pub type EthProvider = Arc<RootProvider<alloy::network::Ethereum>>;
pub type EthSignerProvider = Arc<
    alloy::providers::fillers::FillProvider<
        alloy::providers::fillers::JoinFill<
            alloy::providers::fillers::JoinFill<
                alloy::providers::Identity,
                alloy::providers::fillers::JoinFill<
                    alloy::providers::fillers::GasFiller,
                    alloy::providers::fillers::JoinFill<
                        alloy::providers::fillers::BlobGasFiller,
                        alloy::providers::fillers::JoinFill<
                            alloy::providers::fillers::NonceFiller,
                            alloy::providers::fillers::ChainIdFiller,
                        >,
                    >,
                >,
            >,
            alloy::providers::fillers::WalletFiller<EthereumWallet>,
        >,
        EthProvider,
        alloy::network::Ethereum,
    >,
>;
pub type EthWsProvider = Arc<
    alloy::providers::fillers::FillProvider<
        alloy::providers::fillers::JoinFill<
            alloy::providers::Identity,
            alloy::providers::fillers::JoinFill<
                alloy::providers::fillers::GasFiller,
                alloy::providers::fillers::JoinFill<
                    alloy::providers::fillers::BlobGasFiller,
                    alloy::providers::fillers::JoinFill<
                        alloy::providers::fillers::NonceFiller,
                        alloy::providers::fillers::ChainIdFiller,
                    >,
                >,
            >,
        >,
        alloy::providers::RootProvider<alloy::network::Ethereum>,
        alloy::network::Ethereum,
    >,
>;

pub fn get_eth_provider(url: &str) -> anyhow::Result<EthProvider> {
    let url = Url::parse(url).map_err(|e| anyhow!("Invalid RPC URL: {}", e))?;
    let provider = RootProvider::new_http(url);
    Ok(Arc::new(provider))
}

pub fn get_eth_signer_provider(
    url: &str,
    private_key_hex: &str,
) -> anyhow::Result<EthSignerProvider> {
    let signer = PrivateKeySigner::from_str(private_key_hex)
        .map_err(|e| anyhow!("Invalid private key: {}", e))?;
    let wallet = EthereumWallet::from(signer);
    let provider = ProviderBuilder::new()
        .wallet(wallet)
        .connect_provider(get_eth_provider(url)?);
    Ok(Arc::new(provider))
}

pub async fn get_eth_ws_provider(url: &str) -> anyhow::Result<EthWsProvider> {
    let url = Url::parse(url).map_err(|e| anyhow!("Invalid WebSocket URL: {}", e))?;
    let ws = WsConnect::new(url);
    let provider = ProviderBuilder::new().connect_ws(ws).await?;
    Ok(Arc::new(provider))
}

/// Generate Bridge Authority key (Secp256k1KeyPair) and write to a file as base64 encoded `privkey`.
pub fn generate_bridge_authority_key_and_write_to_file(
    path: &PathBuf,
) -> Result<(), anyhow::Error> {
    let (_, kp): (_, BridgeAuthorityKeyPair) = get_key_pair();
    let eth_address = BridgeAuthorityPublicKeyBytes::from(&kp.public).to_eth_address();
    println!(
        "Corresponding Ethereum address by this ecdsa key: {:?}",
        eth_address
    );
    let sui_address = SuiAddress::from(&kp.public);
    println!(
        "Corresponding Sui address by this ecdsa key: {:?}",
        sui_address
    );
    let base64_encoded = kp.encode_base64();
    std::fs::write(path, base64_encoded)
        .map_err(|err| anyhow!("Failed to write encoded key to path: {:?}", err))
}

/// Generate Bridge Client key (Secp256k1KeyPair or Ed25519KeyPair) and write to a file as base64 encoded `flag || privkey`.
pub fn generate_bridge_client_key_and_write_to_file(
    path: &PathBuf,
    use_ecdsa: bool,
) -> Result<(), anyhow::Error> {
    let kp = if use_ecdsa {
        let (_, kp): (_, Secp256k1KeyPair) = get_key_pair();
        let eth_address = BridgeAuthorityPublicKeyBytes::from(&kp.public).to_eth_address();
        println!(
            "Corresponding Ethereum address by this ecdsa key: {:?}",
            eth_address
        );
        SuiKeyPair::from(kp)
    } else {
        let (_, kp): (_, Ed25519KeyPair) = get_key_pair();
        SuiKeyPair::from(kp)
    };
    let sui_address = SuiAddress::from(&kp.public());
    println!("Corresponding Sui address by this key: {:?}", sui_address);

    let contents = kp.encode_base64();
    std::fs::write(path, contents)
        .map_err(|err| anyhow!("Failed to write encoded key to path: {:?}", err))
}

/// Given the address of SuiBridge Proxy, return the addresses of the committee, limiter, vault, and config.
pub async fn get_eth_contract_addresses(
    bridge_proxy_address: EthAddress,
    provider: EthProvider,
) -> anyhow::Result<(
    EthAddress,
    EthAddress,
    EthAddress,
    EthAddress,
    EthAddress,
    EthAddress,
    EthAddress,
    EthAddress,
)> {
    let sui_bridge = EthSuiBridge::new(bridge_proxy_address, provider.clone());
    let committee_address: EthAddress = sui_bridge.committee().call().await?;
    let committee = EthBridgeCommittee::new(committee_address, provider.clone());
    let config_address: EthAddress = committee.config().call().await?;
    let bridge_config = EthBridgeConfig::new(config_address, provider.clone());
    let limiter_address: EthAddress = sui_bridge.limiter().call().await?;
    let vault_address: EthAddress = sui_bridge.vault().call().await?;

    // Token address lookups are only used for watchdog monitoring and are not critical
    // for the signing server. If vault_address is zero (can happen due to storage layout
    // mismatch during upgrades), skip these lookups and use zero addresses.
    let (weth_address, usdt_address, wbtc_address, lbtc_address) =
        if vault_address.is_zero() {
            tracing::warn!(
                "Vault address is zero - likely storage layout mismatch. \
            Token address lookups skipped. Watchdog monitoring will be limited."
            );
            (
                EthAddress::ZERO,
                EthAddress::ZERO,
                EthAddress::ZERO,
                EthAddress::ZERO,
            )
        } else {
            let vault = EthBridgeVault::new(vault_address, provider.clone());
            let weth_address: EthAddress = vault.wETH().call().await.unwrap_or_else(|e| {
                tracing::warn!("Failed to get wETH address from vault: {:?}", e);
                EthAddress::ZERO
            });
            let usdt_address: EthAddress = bridge_config
                .tokenAddressOf(4)
                .call()
                .await
                .unwrap_or_else(|e| {
                    tracing::warn!("Failed to get USDT address: {:?}", e);
                    EthAddress::ZERO
                });
            let wbtc_address: EthAddress = bridge_config
                .tokenAddressOf(1)
                .call()
                .await
                .unwrap_or_else(|e| {
                    tracing::warn!("Failed to get WBTC address: {:?}", e);
                    EthAddress::ZERO
                });
            let lbtc_address: EthAddress = bridge_config
                .tokenAddressOf(6)
                .call()
                .await
                .unwrap_or_else(|e| {
                    tracing::warn!("Failed to get LBTC address: {:?}", e);
                    EthAddress::ZERO
                });
            (weth_address, usdt_address, wbtc_address, lbtc_address)
        };

    Ok((
        committee_address,
        limiter_address,
        vault_address,
        config_address,
        weth_address,
        usdt_address,
        wbtc_address,
        lbtc_address,
    ))
}

/// Given the address of SuiBridge Proxy, return the contracts of the committee, limiter, vault, and config.
pub async fn get_eth_contracts(
    bridge_proxy_address: EthAddress,
    provider: EthProvider,
) -> anyhow::Result<EthBridgeContracts> {
    let sui_bridge = EthSuiBridge::new(bridge_proxy_address, provider.clone());
    let committee_address: EthAddress = sui_bridge.committee().call().await?;
    let limiter_address: EthAddress = sui_bridge.limiter().call().await?;
    let vault_address: EthAddress = sui_bridge.vault().call().await?;
    let committee = EthBridgeCommittee::new(committee_address, provider.clone());
    let config_address: EthAddress = committee.config().call().await?;

    let limiter = EthBridgeLimiter::new(limiter_address, provider.clone());
    let vault = EthBridgeVault::new(vault_address, provider.clone());
    let config = EthBridgeConfig::new(config_address, provider.clone());
    Ok(EthBridgeContracts {
        bridge: sui_bridge,
        committee,
        limiter,
        vault,
        config,
    })
}

/// Read bridge key from a file and print the corresponding information.
/// If `is_validator_key` is true, the key must be a Secp256k1 key.
pub fn examine_key(path: &PathBuf, is_validator_key: bool) -> Result<(), anyhow::Error> {
    let key = read_key(path, is_validator_key)?;
    let sui_address = SuiAddress::from(&key.public());
    let pubkey = match key {
        SuiKeyPair::Secp256k1(kp) => {
            println!("Secp256k1 key:");
            let eth_address = BridgeAuthorityPublicKeyBytes::from(&kp.public).to_eth_address();
            println!("Corresponding Ethereum address: {:x}", eth_address);
            kp.public.as_bytes().to_vec()
        }
        SuiKeyPair::Ed25519(kp) => {
            println!("Ed25519 key:");
            kp.public().as_bytes().to_vec()
        }
        SuiKeyPair::Secp256r1(kp) => {
            println!("Secp256r1 key:");
            kp.public().as_bytes().to_vec()
        }
    };
    println!("Corresponding Sui address: {:?}", sui_address);
    println!("Corresponding PublicKey: {:?}", Hex::encode(pubkey));
    Ok(())
}

/// Generate Bridge Node Config template and write to a file.
pub fn generate_bridge_node_config_and_write_to_file(
    path: &PathBuf,
    run_client: bool,
) -> Result<(), anyhow::Error> {
    let mut config = BridgeNodeConfig {
        server_listen_port: 9191,
        metrics_port: 9184,
        bridge_authority_key_path: PathBuf::from("/path/to/your/bridge_authority_key"),
        sui: SuiConfig {
            sui_rpc_url: "your_sui_rpc_url".to_string(),
            sui_bridge_chain_id: BridgeChainId::SuiTestnet as u8,
            bridge_client_key_path: None,
            bridge_client_gas_object: None,
            sui_bridge_module_last_processed_event_id_override: None,
            sui_bridge_next_sequence_number_override: None,
        },
        eth: EthConfig {
            eth_rpc_url: None, // to be deprecated
            eth_rpc_urls: Some(vec!["your_eth_rpc_url".to_string()]),
            eth_rpc_quorum: 1,
            eth_health_check_interval_secs: 300,
            eth_bridge_proxy_address: "0x0000000000000000000000000000000000000000".to_string(),
            eth_bridge_chain_id: BridgeChainId::EthSepolia as u8,
            eth_contracts_start_block_fallback: Some(0),
            eth_contracts_start_block_override: None,
        },
        approved_governance_actions: vec![],
        run_client,
        db_path: None,
        metrics_key_pair: default_ed25519_key_pair(),
        metrics: Some(MetricsConfig {
            push_interval_seconds: None, // use default value
            push_url: "metrics_proxy_url".to_string(),
        }),
        watchdog_config: Some(WatchdogConfig {
            total_supplies: BTreeMap::from_iter(vec![(
                "eth".to_string(),
                "0xd0e89b2af5e4910726fbcd8b8dd37bb79b29e5f83f7491bca830e94f7f226d29::eth::ETH"
                    .to_string(),
            )]),
        }),
    };
    if run_client {
        config.sui.bridge_client_key_path = Some(PathBuf::from("/path/to/your/bridge_client_key"));
        config.db_path = Some(PathBuf::from("/path/to/your/client_db"));
    }
    config.save(path)
}

pub async fn publish_and_register_coins_return_add_coins_on_sui_action(
    wallet_context: &WalletContext,
    bridge_arg: ObjectArg,
    token_packages_dir: Vec<PathBuf>,
    token_ids: Vec<u8>,
    token_prices: Vec<u64>,
    nonce: u64,
) -> BridgeAction {
    assert!(token_ids.len() == token_packages_dir.len());
    assert!(token_prices.len() == token_packages_dir.len());
    let client = wallet_context.grpc_client().unwrap();
    let rgp = client.get_reference_gas_price().await.unwrap();

    let senders = wallet_context.get_addresses();
    // We want each sender to deal with one coin
    assert!(senders.len() >= token_packages_dir.len());

    // publish coin packages
    let mut publish_tokens_tasks = vec![];

    for (token_package_dir, sender) in token_packages_dir.iter().zip(senders.clone()) {
        let gas = wallet_context
            .get_one_gas_object_owned_by_address(sender)
            .await
            .unwrap()
            .unwrap();
        let tx = TestTransactionBuilder::new(sender, gas, rgp)
            .publish(token_package_dir.to_path_buf())
            .build();
        let tx = wallet_context.sign_transaction(&tx).await;
        let api_clone = client.clone();
        publish_tokens_tasks.push(tokio::spawn(async move {
            api_clone
                .execute_transaction_and_wait_for_checkpoint(&tx)
                .await
        }));
    }
    let publish_coin_responses = join_all(publish_tokens_tasks).await;

    let mut token_type_names = vec![];
    let mut register_tasks = vec![];
    for (response, sender) in publish_coin_responses.into_iter().zip(senders.clone()) {
        let response = response.unwrap().unwrap();
        assert!(response.effects.status().is_ok());
        let mut tc = None;
        let mut type_ = None;
        let mut uc = None;
        let mut metadata = None;
        for o in &response.changed_objects {
            use sui_rpc::proto::sui::rpc::v2::changed_object::IdOperation;
            if matches!(o.id_operation(), IdOperation::Created) {
                let Ok(object_type) = o.object_type().parse::<StructTag>() else {
                    continue;
                };
                if object_type.name.as_str().starts_with("TreasuryCap") {
                    assert!(tc.is_none() && type_.is_none());
                    tc = {
                        let id = o.object_id().parse().unwrap();
                        let version = o.output_version().into();
                        let digest = o.output_digest().parse().unwrap();
                        Some((id, version, digest))
                    };
                    type_ = Some(object_type.type_params.first().unwrap().clone());
                } else if object_type.name.as_str().starts_with("UpgradeCap") {
                    assert!(uc.is_none());
                    uc = {
                        let id = o.object_id().parse().unwrap();
                        let version = o.output_version().into();
                        let digest = o.output_digest().parse().unwrap();
                        Some((id, version, digest))
                    };
                } else if object_type.name.as_str().starts_with("CoinMetadata") {
                    assert!(metadata.is_none());
                    metadata = {
                        let id = o.object_id().parse().unwrap();
                        let version = o.output_version().into();
                        let digest = o.output_digest().parse().unwrap();
                        Some((id, version, digest))
                    };
                }
            }
        }
        let (tc, type_, uc, metadata) =
            (tc.unwrap(), type_.unwrap(), uc.unwrap(), metadata.unwrap());

        // register with the bridge
        let mut builder = ProgrammableTransactionBuilder::new();
        let bridge_arg = builder.obj(bridge_arg).unwrap();
        let uc_arg = builder.obj(ObjectArg::ImmOrOwnedObject(uc)).unwrap();
        let tc_arg = builder.obj(ObjectArg::ImmOrOwnedObject(tc)).unwrap();
        let metadata_arg = builder.obj(ObjectArg::ImmOrOwnedObject(metadata)).unwrap();
        builder.programmable_move_call(
            BRIDGE_PACKAGE_ID,
            BRIDGE_MODULE_NAME.into(),
            BRIDGE_REGISTER_FOREIGN_TOKEN_FUNCTION_NAME.into(),
            vec![type_.clone()],
            vec![bridge_arg, tc_arg, uc_arg, metadata_arg],
        );
        let pt = builder.finish();
        let gas = wallet_context
            .get_one_gas_object_owned_by_address(sender)
            .await
            .unwrap()
            .unwrap();
        let tx = TransactionData::new_programmable(sender, vec![gas], pt, 1_000_000_000, rgp);
        let signed_tx = wallet_context.sign_transaction(&tx).await;
        let api_clone = client.clone();
        register_tasks.push(async move {
            api_clone
                .execute_transaction_and_wait_for_checkpoint(&signed_tx)
                .await
        });
        token_type_names.push(type_);
    }
    for response in join_all(register_tasks).await {
        assert!(response.unwrap().effects.status().is_ok());
    }

    BridgeAction::AddTokensOnSuiAction(AddTokensOnSuiAction {
        nonce,
        chain_id: BridgeChainId::SuiCustom,
        native: false,
        token_ids,
        token_type_names,
        token_prices,
    })
}

pub async fn wait_for_server_to_be_up(server_url: String, timeout_sec: u64) -> anyhow::Result<()> {
    let now = std::time::Instant::now();
    loop {
        if let Ok(true) = reqwest::Client::new()
            .get(server_url.clone())
            .header(reqwest::header::ACCEPT, APPLICATION_JSON)
            .send()
            .await
            .map(|res| res.status().is_success())
        {
            break;
        }
        if now.elapsed().as_secs() > timeout_sec {
            anyhow::bail!("Server is not up and running after {} seconds", timeout_sec);
        }
        tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
    }
    Ok(())
}

/// Return a mappping from validator name to their bridge voting power.
/// If a validator is not in the Sui committee, we will use its base URL as the name.
pub async fn get_committee_voting_power_by_name(
    bridge_committee: &Arc<BridgeCommittee>,
    system_state: &SuiSystemStateSummary,
) -> BTreeMap<String, StakeUnit> {
    let mut sui_committee: BTreeMap<_, _> = system_state
        .active_validators
        .iter()
        .map(|v| (v.sui_address, v.name.clone()))
        .collect();
    bridge_committee
        .members()
        .iter()
        .map(|v| {
            (
                sui_committee
                    .remove(&v.1.sui_address)
                    .unwrap_or(v.1.base_url.clone()),
                v.1.voting_power,
            )
        })
        .collect()
}

/// Return a mappping from validator pub keys to their names.
/// If a validator is not in the Sui committee, we will use its base URL as the name.
pub async fn get_validator_names_by_pub_keys(
    bridge_committee: &Arc<BridgeCommittee>,
    system_state: &SuiSystemStateSummary,
) -> BTreeMap<BridgeAuthorityPublicKeyBytes, String> {
    let mut sui_committee: BTreeMap<_, _> = system_state
        .active_validators
        .iter()
        .map(|v| (v.sui_address, v.name.clone()))
        .collect();
    bridge_committee
        .members()
        .iter()
        .map(|(name, validator)| {
            (
                name.clone(),
                sui_committee
                    .remove(&validator.sui_address)
                    .unwrap_or(validator.base_url.clone()),
            )
        })
        .collect()
}