wip

0xClandestine · 0xClandestine · commit f3e733068112 · 2025-08-11T16:46:06.000-04:00
diff --git a/src/test/unit/libraries/Merkle.t.sol b/src/test/unit/libraries/Merkle.t.sol
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.27;
+
+import "forge-std/Test.sol";
+import "src/contracts/libraries/Merkle.sol";
+import "src/test/utils/Murky.sol";
+
+abstract contract MerkleBaseTest is Test, MurkyBase {
+    bool usingSha;
+    bytes32[] leaves;
+    bytes32 root;
+    bytes[] proofs;
+
+    function test_verifyInclusion_ValidProof() public {
+        assertValidProofs();
+    }
+
+    function test_verifyInclusion_EmptyProofs() public {
+        proofs = new bytes[](proofs.length);
+        assertInvalidProofs();
+    }
+
+    function assertValidProofs() internal virtual {
+        function (bytes memory proof, bytes32 root, bytes32 leaf, uint256 index) returns (bool) verifyInclusion =
+            usingSha ? Merkle.verifyInclusionSha256 : Merkle.verifyInclusionKeccak;
+        for (uint i = 0; i < leaves.length; ++i) {
+            assertTrue(verifyInclusion(proofs[i], root, leaves[i], i), "invalid proof");
+        }
+    }
+
+    function assertInvalidProofs() internal virtual {
+        function (bytes memory proof, bytes32 root, bytes32 leaf, uint256 index) returns (bool) verifyInclusion =
+            usingSha ? Merkle.verifyInclusionSha256 : Merkle.verifyInclusionKeccak;
+        for (uint i = 0; i < leaves.length; ++i) {
+            assertFalse(verifyInclusion(proofs[i], root, leaves[i], i), "valid proof");
+        }
+    }
+
+    function getLeaves(uint numLeaves) internal view virtual returns (bytes32[] memory leaves) {
+        bytes memory _leavesAsBytes = vm.randomBytes(numLeaves * 32);
+        /// @solidity memory-safe-assembly
+        assembly {
+            leaves := _leavesAsBytes // Typecast bytes -> bytes32[].
+            mstore(leaves, numLeaves) // Update length n*32 -> n.
+        }
+    }
+
+    function getProofs(bytes32[] memory leaves) public view virtual returns (bytes[] memory proofs);
+}
+
+contract MerkleKeccakTest is MerkleBaseTest, MerkleKeccak {
+    function setUp() public {
+        usingSha = false;
+        leaves = getLeaves(vm.randomBool() ? 9 : 10);
+        root = Merkle.merkleizeKeccak(leaves);
+        proofs = getProofs(leaves);
+    }
+
+    function nextPowerOf2(uint v) internal pure returns (uint) {
+        unchecked {
+            // Round up to the next power of 2 using the method described here:
+            // https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
+            if (v == 0) return 0;
+            v -= 1;
+            v |= v >> 1;
+            v |= v >> 2;
+            v |= v >> 4;
+            v |= v >> 8;
+            v |= v >> 16;
+            v |= v >> 32;
+            v |= v >> 64;
+            v |= v >> 128;
+            return v + 1;
+        }
+    }
+
+    function getProofs(bytes32[] memory leaves) public view virtual override returns (bytes[] memory proofs) {
+        // Merkle.merkleizeKeccak pads to next power of 2, so we need to match that.
+        uint numLeaves = nextPowerOf2(leaves.length);
+        bytes32[] memory paddedLeaves = new bytes32[](numLeaves);
+        for (uint i = 0; i < leaves.length; ++i) {
+            paddedLeaves[i] = leaves[i];
+        }
+
+        proofs = new bytes[](leaves.length);
+        for (uint i = 0; i < leaves.length; ++i) {
+            proofs[i] = abi.encodePacked(getProof(paddedLeaves, i));
+        }
+    }
+}
diff --git a/src/test/utils/Murky.sol b/src/test/utils/Murky.sol
@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+/// @notice Modified from https://github.com/dmfxyz/murky/commit/991e371eb1dfa9f86701869eb08ec4e98c3cc0b0.
+abstract contract MurkyBase {
+    function hashLeafPairs(bytes32 left, bytes32 right) public view virtual returns (bytes32 _hash);
+
+    function verifyProof(bytes32 root, bytes32[] memory proof, bytes32 valueToProve) external view virtual returns (bool) {
+        // proof length must be less than max array size
+        bytes32 rollingHash = valueToProve;
+        uint length = proof.length;
+        unchecked {
+            for (uint i = 0; i < length; ++i) {
+                rollingHash = hashLeafPairs(rollingHash, proof[i]);
+            }
+        }
+        return root == rollingHash;
+    }
+
+    /**
+     *
+     * PROOF GENERATION *
+     *
+     */
+    function getRoot(bytes32[] memory data) public view virtual returns (bytes32) {
+        require(data.length > 1, "won't generate root for single leaf");
+        while (data.length > 1) data = hashLevel(data);
+        return data[0];
+    }
+
+    function getProof(bytes32[] memory data, uint node) public view virtual returns (bytes32[] memory) {
+        require(data.length > 1, "won't generate proof for single leaf");
+        // The size of the proof is equal to the ceiling of log2(numLeaves)
+        bytes32[] memory result = new bytes32[](log2ceilBitMagic(data.length));
+        uint pos = 0;
+
+        // Two overflow risks: node, pos
+        // node: max array size is 2**256-1. Largest index in the array will be 1 less than that. Also,
+        // for dynamic arrays, size is limited to 2**64-1
+        // pos: pos is bounded by log2(data.length), which should be less than type(uint256).max
+        while (data.length > 1) {
+            unchecked {
+                if (node & 0x1 == 1) result[pos] = data[node - 1];
+                else if (node + 1 == data.length) result[pos] = bytes32(0);
+                else result[pos] = data[node + 1];
+                ++pos;
+                node /= 2;
+            }
+            data = hashLevel(data);
+        }
+        return result;
+    }
+
+    ///@dev function is private to prevent unsafe data from being passed
+    function hashLevel(bytes32[] memory data) private view returns (bytes32[] memory) {
+        bytes32[] memory result;
+
+        // Function is private, and all internal callers check that data.length >=2.
+        // Underflow is not possible as lowest possible value for data/result index is 1
+        // overflow should be safe as length is / 2 always.
+        unchecked {
+            uint length = data.length;
+            if (length & 0x1 == 1) {
+                result = new bytes32[](length / 2 + 1);
+                result[result.length - 1] = hashLeafPairs(data[length - 1], bytes32(0));
+            } else {
+                result = new bytes32[](length / 2);
+            }
+            // pos is upper bounded by data.length / 2, so safe even if array is at max size
+            uint pos = 0;
+            for (uint i = 0; i < length - 1; i += 2) {
+                result[pos] = hashLeafPairs(data[i], data[i + 1]);
+                ++pos;
+            }
+        }
+        return result;
+    }
+
+    /**
+     *
+     * MATH "LIBRARY" *
+     *
+     */
+
+    /// @dev  Note that x is assumed > 0
+    function log2ceil(uint x) public view returns (uint) {
+        uint ceil = 0;
+        uint pOf2;
+        // If x is a power of 2, then this function will return a ceiling
+        // that is 1 greater than the actual ceiling. So we need to check if
+        // x is a power of 2, and subtract one from ceil if so.
+        assembly {
+            // we check by seeing if x == (~x + 1) & x. This applies a mask
+            // to find the lowest set bit of x and then checks it for equality
+            // with x. If they are equal, then x is a power of 2.
+
+            /* Example
+                x has single bit set
+                x := 0000_1000
+                (~x + 1) = (1111_0111) + 1 = 1111_1000
+                (1111_1000 & 0000_1000) = 0000_1000 == x
+
+                x has multiple bits set
+                x := 1001_0010
+                (~x + 1) = (0110_1101 + 1) = 0110_1110
+                (0110_1110 & x) = 0000_0010 != x
+            */
+
+            // we do some assembly magic to treat the bool as an integer later on
+            pOf2 := eq(and(add(not(x), 1), x), x)
+        }
+
+        // if x == type(uint256).max, than ceil is capped at 256
+        // if x == 0, then pO2 == 0, so ceil won't underflow
+        unchecked {
+            while (x > 0) {
+                x >>= 1;
+                ceil++;
+            }
+            ceil -= pOf2; // see above
+        }
+        return ceil;
+    }
+
+    /// Original bitmagic adapted from https://github.com/paulrberg/prb-math/blob/main/contracts/PRBMath.sol
+    /// @dev Note that x assumed > 1
+    function log2ceilBitMagic(uint x) public view returns (uint) {
+        if (x <= 1) return 0;
+        uint msb = 0;
+        uint _x = x;
+        if (x >= 2 ** 128) {
+            x >>= 128;
+            msb += 128;
+        }
+        if (x >= 2 ** 64) {
+            x >>= 64;
+            msb += 64;
+        }
+        if (x >= 2 ** 32) {
+            x >>= 32;
+            msb += 32;
+        }
+        if (x >= 2 ** 16) {
+            x >>= 16;
+            msb += 16;
+        }
+        if (x >= 2 ** 8) {
+            x >>= 8;
+            msb += 8;
+        }
+        if (x >= 2 ** 4) {
+            x >>= 4;
+            msb += 4;
+        }
+        if (x >= 2 ** 2) {
+            x >>= 2;
+            msb += 2;
+        }
+        if (x >= 2 ** 1) msb += 1;
+
+        uint lsb = (~_x + 1) & _x;
+        if ((lsb == _x) && (msb > 0)) return msb;
+        else return msb + 1;
+    }
+}
+
+contract MerkleKeccak is MurkyBase {
+    function hashLeafPairs(bytes32 left, bytes32 right) public view override returns (bytes32 _hash) {
+        assembly {
+            mstore(0x0, left)
+            mstore(0x20, right)
+            _hash := keccak256(0x0, 0x40)
+        }
+    }
+}
+
+contract MerkleSha is MurkyBase {
+    address constant SHA256_PRECOMPILE = 0x0000000000000000000000000000000000000002;
+
+    function hashLeafPairs(bytes32 left, bytes32 right) public view override returns (bytes32 _hash) {
+        assembly {
+            switch lt(left, right)
+            case 0 {
+                mstore(0x0, right)
+                mstore(0x20, left)
+            }
+            default {
+                mstore(0x0, left)
+                mstore(0x20, right)
+            }
+            _hash := mload(iszero(staticcall(gas(), SHA256_PRECOMPILE, 0x0, 0x40, 0x0, 0x20)))
+            if iszero(returndatasize()) { invalid() }
+        }
+    }
+}
