Cardinal-Cryptography · fbielejec · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024 · Dec 2, 2024
diff --git a/.github/workflows/_build-contracts.yml b/.github/workflows/_build-contracts.yml
@@ -9,7 +9,6 @@ jobs:
   main:
     name: Generate, compile and lint contracts
     runs-on: [self-hosted, Linux, X64, large]
-    #runs-on: ubuntu-20.04
     timeout-minutes: 10
 
     steps:

diff --git a/.github/workflows/_check-vars-and-secrets.yml b/.github/workflows/_check-vars-and-secrets.yml
@@ -18,6 +18,7 @@ jobs:
             -z '${{ vars.CI_TESTNET_ALICE_PUBLIC_KEY }} }}' || \
             -z '${{ vars.CI_TESTNET_BOB_PUBLIC_KEY }} }}' || \
             -z '${{ vars.CI_TESTNET_CHARLIE_PUBLIC_KEY }} }}' || \
+            -z '${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }} }}' || \
             -z '${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }} }}' || \
             -z '${{ vars.CI_TESTNET_FEE_DESTINATION }} }}'
           ]]; then
@@ -45,6 +46,7 @@ jobs:
             -z '${{ secrets.CI_TESTNET_ALICE_PRIVATE_KEY }}' || \
             -z '${{ secrets.CI_TESTNET_BOB_PRIVATE_KEY }}' || \
             -z '${{ secrets.CI_TESTNET_CHARLIE_PRIVATE_KEY }}' || \
+            -z '${{ secrets.CI_TESTNET_TS_SDK_PRIVATE_KEY }}' || \
             -z '${{ secrets.CI_TESTNET_FEE_DESTINATION_KEY }}' || \
             -z '${{ secrets.CI_TESTNET_RELAYER_SIGNING_KEYS }}' || \
             -z '${{ secrets.NPM_PUBLISHING_KEY }}'

diff --git a/.github/workflows/_ts-sdk-playwright-tests.yml b/.github/workflows/_ts-sdk-playwright-tests.yml
@@ -6,10 +6,10 @@ on:
   workflow_dispatch:
 
 jobs:
-  build-rust-binary:
-    name: Build Rust binary
-    runs-on: ubuntu-22.04
-    timeout-minutes: 10
+  build-rust-deps:
+    name: Build Rust dependencies
+    runs-on: [self-hosted, Linux, X64, large]
+    timeout-minutes: 20
     env:
       RUSTC_WRAPPER: sccache
     steps:
@@ -25,7 +25,7 @@ jobs:
           poseidon-gadget-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
           zkos-circuits-private-key: ${{ secrets.ZKOS_CIRCUITS_SSH_PRIVATE_KEY }}
 
-      - name: Build Rust binary
+      - name: Build Rust-TS conversions binary
         run: cargo build --manifest-path crates/test-ts-conversions/Cargo.toml
 
       - name: Build relayer
@@ -41,7 +41,7 @@ jobs:
           tags: shielder-relayer
           outputs: type=docker,dest=/tmp/shielder-relayer.tar
 
-      - name: Upload binary to artifacts
+      - name: Upload Rust-TS conversions binary to artifacts
         uses: actions/upload-artifact@v4
         with:
           name: test-ts-conversions-binary
@@ -57,9 +57,9 @@ jobs:
 
   ts-sdk-playwright-tests:
     name: Run shielder-sdk Playwright tests
-    runs-on: ubuntu-22.04
-    needs: [build-rust-binary]
-    timeout-minutes: 10
+    runs-on: [self-hosted, Linux, X64, large]
+    needs: [build-rust-deps]
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
@@ -70,13 +70,15 @@ jobs:
         shardTotal: [1]
         threads: [st, mt]
     steps:
-      - uses: webfactory/ssh-agent@v0.9.0
-        with:
-          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
-
       - name: Checkout source code
         uses: actions/checkout@v4
 
+      - name: Prepare Rust env
+        uses: ./.github/actions/prepare-rust-env
+        with:
+          poseidon-gadget-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+          zkos-circuits-private-key: ${{ secrets.ZKOS_CIRCUITS_SSH_PRIVATE_KEY }}
+
       - name: Cache pnpm modules
         uses: actions/cache@v4
         with:
@@ -98,10 +100,6 @@ jobs:
             contract-suite
           version: nightly-31dd1f77fd9156d09836486d97963cec7f555343
 
-      - name: Run anvil node in background
-        shell: bash
-        run: make anvil &
-
       - name: Install dependencies
         shell: bash
         run: make deps
@@ -118,15 +116,6 @@ jobs:
           name: contract-artifacts
           path: artifacts
 
-      - name: Deploy eth contracts
-        shell: bash
-        run: |
-          NETWORK=anvil make deploy-contracts
-          SHIELDER_CONTRACT_ADDRESS=$(
-            NETWORK=anvil make deploy-contracts \
-            | grep 'Shielder deployed at:' | awk '{print $NF}')
-          echo "SHIELDER_CONTRACT_ADDRESS=${SHIELDER_CONTRACT_ADDRESS}" >> $GITHUB_ENV
-
       - name: Download generated wasm from artifacts
         uses: actions/download-artifact@v4
         with:
@@ -148,15 +137,6 @@ jobs:
       - name: Load relayer image
         run: docker load --input /tmp/shielder-relayer.tar
 
-      - name: Run shielder-relayer
-        run: |
-          source ../../tooling-e2e-tests/local_env.sh
-          DOCKER_USER="$(id -u):$(id -g)" \
-          RELAYER_CONTAINER_NAME=shielder-relayer \
-          RELAYER_DOCKER_IMAGE=shielder-relayer \
-          ./run-relayer.sh&
-        working-directory: crates/shielder-relayer
-
       - name: Executable permissions
         run: chmod +x target/debug/test-ts-conversions
 
@@ -186,16 +166,10 @@ jobs:
 
       - name: Run tests (shielder-sdk-tests)
         run: |
-          if [[ ${{ matrix.threads }} == "st" ]]; then
-            CONFIG="playwright.singlethreaded.config.mjs"
-          else
-            CONFIG="playwright.multithreaded.config.mjs"
-          fi
-          source ../../tooling-e2e-tests/local_env.sh
-          RELAYER_SIGNER_ADDRESSES="$RELAYER_SIGNER_ADDRESSES" \
-          pnpm playwright test --config $CONFIG \
-            --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
-        working-directory: ts/shielder-sdk-tests
+          NO_FORMATTING=true \
+          THREADING=${{ matrix.threads }} \
+          PLAYWRIGHT_SHARDS=--shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} \
+          ./tooling-e2e-tests/ts_sdk_tests.sh
 
       - name: Upload blob report to GitHub Actions Artifacts
         if: ${{ !cancelled() }}
@@ -245,7 +219,7 @@ jobs:
           retention-days: 14
 
   clean-rust-artifact:
-    name: Clean rust artifacts
+    name: Clean rust dependencies
     runs-on: ubuntu-22.04
     if: ${{ always() }}
     needs: [ts-sdk-playwright-tests]

diff --git a/.github/workflows/testnet-nightly-e2e.yml b/.github/workflows/testnet-nightly-e2e.yml
@@ -3,7 +3,7 @@ name: Nightly E2E tests run on testnet
 
 on:
   schedule:
-    - cron: '00 23 * * *'
+    - cron: "00 23 * * *"
   workflow_dispatch:
 
 concurrency:
@@ -85,6 +85,39 @@ jobs:
         shell: bash
         run: make compile-contracts
 
+      - name: Install wasm-pack
+        run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+      - name: Build shielder-wasm
+        run: cd crates/shielder-wasm && make all
+
+      - name: Build Rust-TS conversions binary
+        run: cargo build --manifest-path crates/test-ts-conversions/Cargo.toml
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: latest
+
+      - name: Install dependencies (shielder-sdk)
+        run: pnpm install --frozen-lockfile
+        working-directory: ts/shielder-sdk
+
+      - name: Build shielder-sdk
+        run: pnpm build
+        working-directory: ts/shielder-sdk
+
+      - name: Install dependencies (shielder-sdk-tests)
+        run: pnpm install --frozen-lockfile
+        working-directory: ts/shielder-sdk-tests
+
+      - name: Install Playwright dependencies (shielder-sdk-tests)
+        run: pnpm postinstall
+        working-directory: ts/shielder-sdk-tests
+
+      - name: Build shielder-sdk-tests
+        run: pnpm build
+        working-directory: ts/shielder-sdk-tests
+
       - name: Run e2e tooling tests
         env:
           DEPLOYER_PRIVATE_KEY: ${{ secrets.CI_TESTNET_DEPLOYER_PRIVATE_KEY }}
@@ -94,6 +127,8 @@ jobs:
           BOB_PRIVATE_KEY: ${{ secrets.CI_TESTNET_BOB_PRIVATE_KEY }}
           CHARLIE_PUBLIC_KEY: ${{ vars.CI_TESTNET_CHARLIE_PUBLIC_KEY }}
           CHARLIE_PRIVATE_KEY: ${{ secrets.CI_TESTNET_CHARLIE_PRIVATE_KEY }}
+          TS_SDK_PUBLIC_KEY: ${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }}
+          TS_SDK_PRIVATE_KEY: ${{ secrets.CI_TESTNET_TS_SDK_PRIVATE_KEY }}
           FEE_DESTINATION: ${{ vars.CI_TESTNET_FEE_DESTINATION }}
           FEE_DESTINATION_KEY: ${{ secrets.CI_TESTNET_FEE_DESTINATION_KEY }}
           RELAYER_SIGNER_ADDRESSES: ${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }}
@@ -102,6 +137,7 @@ jobs:
           NO_FORMATTING=true TESTNET=true ./tooling-e2e-tests/full_scenario.sh
           NO_FORMATTING=true TESTNET=true ./tooling-e2e-tests/recovery_scenario.sh
           NO_FORMATTING=true TESTNET=true ./tooling-e2e-tests/many_actors.sh
+          NO_FORMATTING=true TESTNET=true ./tooling-e2e-tests/ts_sdk_tests.sh
 
   slack-notification:
     name: Slack notification

diff --git a/contracts/Shielder.sol b/contracts/Shielder.sol
@@ -78,18 +78,21 @@ contract Shielder is
 
     // -- Events --
     event NewAccountNative(
+        bytes3 contractVersion,
         uint256 idHash,
         uint256 amount,
         uint256 newNote,
         uint256 newNoteIndex
     );
     event DepositNative(
+        bytes3 contractVersion,
         uint256 idHiding,
         uint256 amount,
         uint256 newNote,
         uint256 newNoteIndex
     );
     event WithdrawNative(
+        bytes3 contractVersion,
         uint256 idHiding,
         uint256 amount,
         address to,
@@ -114,12 +117,19 @@ contract Shielder is
     error ContractBalanceLimitReached();
     error LeafIsNotInTheTree();
     error PrecompileCallFailed();
+    error WrongContractVersion(bytes3 actual, bytes3 expectedByCaller);
 
     modifier withinDepositLimit() {
         if (msg.value > depositLimit) revert AmountOverDepositLimit();
         _;
     }
 
+    modifier restrictContractVersion(bytes3 expectedByCaller) {
+        if (expectedByCaller != CONTRACT_VERSION)
+            revert WrongContractVersion(CONTRACT_VERSION, expectedByCaller);
+        _;
+    }
+
     constructor() {
         _disableInitializers();
     }
@@ -173,10 +183,17 @@ contract Shielder is
      * This transaction serves as the entrypoint to the Shielder.
      */
     function newAccountNative(
+        bytes3 expectedContractVersion,
         uint256 newNote,
         uint256 idHash,
         bytes calldata proof
-    ) external payable whenNotPaused withinDepositLimit {
+    )
+        external
+        payable
+        whenNotPaused
+        withinDepositLimit
+        restrictContractVersion(expectedContractVersion)
+    {
         uint256 amount = msg.value;
         if (nullifiers[idHash] != 0) revert DuplicatedNullifier();
         // `address(this).balance` already includes `msg.value`.
@@ -202,19 +219,26 @@ contract Shielder is
         merkleRoots.add(merkleTree.root);
         registerNullifier(idHash);
 
-        emit NewAccountNative(idHash, amount, newNote, index);
+        emit NewAccountNative(CONTRACT_VERSION, idHash, amount, newNote, index);
     }
 
     /*
      * Make a native token deposit into the Shielder
      */
     function depositNative(
+        bytes3 expectedContractVersion,
         uint256 idHiding,
         uint256 oldNullifierHash,
         uint256 newNote,
         uint256 merkleRoot,
         bytes calldata proof
-    ) external payable whenNotPaused withinDepositLimit {
+    )
+        external
+        payable
+        whenNotPaused
+        withinDepositLimit
+        restrictContractVersion(expectedContractVersion)
+    {
         uint256 amount = msg.value;
         if (amount == 0) revert ZeroAmount();
         if (nullifiers[oldNullifierHash] != 0) revert DuplicatedNullifier();
@@ -244,13 +268,20 @@ contract Shielder is
         merkleRoots.add(merkleTree.root);
         registerNullifier(oldNullifierHash);
 
-        emit DepositNative(idHiding, msg.value, newNote, index);
+        emit DepositNative(
+            CONTRACT_VERSION,
+            idHiding,
+            msg.value,
+            newNote,
+            index
+        );
     }
 
     /*
      * Withdraw shielded native funds
      */
     function withdrawNative(
+        bytes3 expectedContractVersion,
         uint256 idHiding,
         uint256 amount,
         address withdrawAddress,
@@ -260,7 +291,7 @@ contract Shielder is
         bytes calldata proof,
         address relayerAddress,
         uint256 relayerFee
-    ) external whenNotPaused {
+    ) external whenNotPaused restrictContractVersion(expectedContractVersion) {
         if (amount == 0) revert ZeroAmount();
         if (amount <= relayerFee) revert FeeHigherThanAmount();
         if (amount > MAX_TRANSACTION_AMOUNT) revert AmountTooHigh();
@@ -313,6 +344,7 @@ contract Shielder is
         if (!nativeTransferSuccess) revert NativeTransferFailed();
 
         emit WithdrawNative(
+            CONTRACT_VERSION,
             idHiding,
             amount,
             withdrawAddress,