From 9ad683a555d0a1eca665f2c599915ab5d96c53b2 Mon Sep 17 00:00:00 2001
From: Colin Nielsen <33375223+colinnielsen@users.noreply.github.com>
Date: Tue, 12 Nov 2024 07:55:09 -0800
Subject: [PATCH 1/3] docs: add readme
---
.github/workflows/e2e.yml | 2 -
README.md | 79 ++++++++++++++++++++++++++++++++---
contracts/test/E2E.t copy.sol | 49 ----------------------
contracts/test/E2E.t.sol | 2 +-
scripts/utils/inquirer.ts | 1 +
5 files changed, 76 insertions(+), 57 deletions(-)
delete mode 100644 contracts/test/E2E.t copy.sol
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 6f7ebae..979a461 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -45,8 +45,6 @@ jobs:
- name: Run Forge build
run: |
forge install
- forge --version
- forge build --sizes
id: build
- name: Run Forge tests
diff --git a/README.md b/README.md
index 4df53b8..ee633f8 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,9 @@
-# Add signers to a safe and keep them secret
+# Safe Multisig (but signers are secret)
+
+## Deep Dive Video 📺
-Project Structure
+Repo Structure
```plaintext
├── circuits # contains the noir code
@@ -18,17 +20,84 @@
-## Setup
+## What
+
+A zodiac-compatible [Safe](https://app.safe.global) module that shields the ethereum addresses of up to 8 authorized "dark signers".
+
+## Background
+
+The idea for this project started back at devcon 6 - where I saw Noir had efficient keccak256 and secp256k1 signature verification circuits.
+
+I spent the plane ride home wondering if Noir could enable Gnosis Safes with a shielded set of signers, removing the attack vector of publically stored signer addresses.
+
+This would allow for anonymous onchain orgs, where signers could coordinate to execute transactions.
+
+### Problem
+
+Using this project as a research playground, I wanted to find an _~ elegant ~_ data structure that represented **_the set of valid sigers_** and **_the signing threshold_** in a **single hash**.
+
+- I knew I did not want to store all the leaves of some `n` depth merkle tree, nor do hash path and leaf index computation off-chain. Also... Merkle trees are boring 🚫🌳
+
+### Solution
+
+Thanks to some great help from @autoparallel and @0x_jepsen, I ended up representing valid signer sets (including signing threshold) into a polynomial.
+
+This polynomial is [emitted in an event onchain](contracts/DarkSafe.sol#L48) as a _reverse_ encoded array, of 32 byte coefficiencts, with the array index representing the degree of the `x` value's exponent. For example:
+
+```plaintext
+# Polynomial in array form: index represents exponent degree.
+[42, 1, 9, 145, 1]
+
+# Polynomial in standard algebraic form
+Polynomial = x^4 + 145x^3 + 9x^2 + x + 42
+ 👆🏼 👆🏼 👆🏼
+# (implied) (1x^4) (1x^1) (42x^0)
+```
+
+## A TLDR Of How It works
+
+### 👷🏽♂️ Setup
+
+1. An admin selects up to 8 Ethereum EOA `addresses` as signers on the safe and a signing `threshold`
+ - (Note: to prevent brute-force attacks decoding who the signers are, add at least **one** fresh EOA as a signer).
+2. [`K choose N`](scripts/build.ts#L53) over the signer set and the threshold to find all possible _additive_ combinations of the Ethereum addresses (remember, an eth address is just a number, so you can use addition to express a combination of multiple addresses).
+3. Consider those combinations as ["roots"](scripts/build.ts#L60) and [Lagrange Interpolate](scripts/build.ts#L68) a polynomial that passes through all those points where `y=0`.
+4. Take the [Pedersen hash](scripts/build.ts#L137) of the polynomial as a suscinct commitment to the polynomial.
+5. Deploy a new instance of [DarkSafe](contracts/DarkSafe.sol#L31), via the [ModuleProxyFactory](lib/zodiac/contracts/factory/ModuleProxyFactory.sol#L40) passing the `polynomialHash` and the `polynomial` as initialization params.
+ - The contract will emit the `polynomial` and `polynomialHash` in a `SignersRotated()` event as decentralized, succinct data stucture to represent the signer set and threshold.
+
+### ✍️ Signing
+
+1. Sign over a [SafeMessageHash](lib/safe-contracts/contracts/Safe.sol#L427) with an EOA Private Key (via `eth_personalSign`).
+2. Pass your signature to the next signer.
+3. Repeat steps 1+2 until a valid signer until a valid proof can be generated via the Noir circuit.
+ - This keeps other signers anonymous on a "need-to-know" basis. In other words, not all signers need to be known at proof generation.
+4. Have some relayer call the [\_execute](contracts/DarkSafe.sol#L55) function, passing only the safe TX data, and the valid noir proof.
+5. 🍃 Transaction is executed 🍃
+
+## See it in action
```bash
-yarn && yarn build
+yarn && yarn build --debug
```
## Run tests
+
```bash
yarn && yarn build
cd circuits/ && nargo prove
forge test
-```
\ No newline at end of file
+```
+
+## Notes
+
+- This project is just for fun, demonstrating a relatively efficient and elegant usecase for Noir and shouldn't be used in production unless we work together on this and get it audited
+
+- Interpolating a polynomial over the K choose N of the signer set is _not_ secure enough for me to be comfortable. It is not impossible to brute force k choose n up to 8 over all the Ethereum addresses and compute f(x) to try and brute-force find out who's on the safe.
+
+Some possible solutions are:
+
+- Always spin up a fresh EOA to add as a signer, it's important this account has never made an Ethereum transaction on any chain.
+- Refactor the code to accept a bit of randomness: an `r` value to hash together with each `root`. This makes it impossible to brute force. The `r` value can be as simple as a known `password` has to at least be known by the prover.
\ No newline at end of file
diff --git a/contracts/test/E2E.t copy.sol b/contracts/test/E2E.t copy.sol
deleted file mode 100644
index c4a568e..0000000
--- a/contracts/test/E2E.t copy.sol
+++ /dev/null
@@ -1,49 +0,0 @@
-// // SPDX-License-Identifier: MIT
-// pragma solidity 0.8.27;
-
-// import "safe-tools/SafeTestTools.sol";
-// import "forge-std/Test.sol";
-
-// import {DeployScript} from "../script/Deploy.s.sol";
-// import {DarkSafeVerifier} from "../Verifier.sol";
-// import {DarkSafe} from "../DarkSafe.sol";
-// import {DarkSafeFactory} from "../utils/DarkSafeFactory.sol";
-
-// contract DarkSafeTest is Test, SafeTestTools {
-// using SafeTestLib for SafeInstance;
-
-// address private alice = address(0xA11c3);
-// DarkSafeFactory private darkSafeFactory;
-// DarkSafeVerifier private verifier;
-
-// function setUp() public {
-// (darkSafeFactory, verifier) = (new DeployScript()).run();
-// }
-
-// function test() public {
-// uint256[] memory ownerPKs = new uint256[](1);
-// ownerPKs[0] = 12345;
-
-// SafeInstance memory safeInstance = _setupSafe({
-// ownerPKs: ownerPKs,
-// threshold: 1,
-// initialBalance: 1 ether,
-// advancedParams: AdvancedSafeInitParams({
-// includeFallbackHandler: true,
-// initData: "",
-// saltNonce: 0,
-// setupModulesCall_to: address(0),
-// setupModulesCall_data: "",
-// refundAmount: 0,
-// refundToken: address(0),
-// refundReceiver: payable(address(0))
-// })
-// });
-
-// DarkSafe darkSafeMo
-
-// safeInstance.execTransaction({to: alice, value: 0.5 ether, data: ""});
-
-// assertEq(alice.balance, 0.5 ether);
-// }
-// }
diff --git a/contracts/test/E2E.t.sol b/contracts/test/E2E.t.sol
index 1c788e8..16eefc9 100644
--- a/contracts/test/E2E.t.sol
+++ b/contracts/test/E2E.t.sol
@@ -71,7 +71,7 @@ contract DarkSafeTest is Test, SafeTestTools {
);
// expect the signers rotated event to be emitted
- vm.expectEmit(true, true, true, true);
+ vm.expectEmit();
emit DarkSafe.SignersRotated(polynomialInput.polynomial_hash, polynomialInput.polynomial);
// deploy a new module proxy off the master copy
diff --git a/scripts/utils/inquirer.ts b/scripts/utils/inquirer.ts
index b16a795..8cca8ed 100644
--- a/scripts/utils/inquirer.ts
+++ b/scripts/utils/inquirer.ts
@@ -8,6 +8,7 @@ function parseCliArgs() {
options: {
signers: { type: "string" },
threshold: { type: "string" },
+ debug: { type: "boolean" },
},
});
From e18fddea4a114f44027048d14fb6e011d01de6cf Mon Sep 17 00:00:00 2001
From: Colin Nielsen <33375223+colinnielsen@users.noreply.github.com>
Date: Tue, 12 Nov 2024 08:39:40 -0800
Subject: [PATCH 2/3] docs: add polynomial explanation
---
README.md | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ee633f8..bf9b0e9 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,14 @@ Polynomial = x^4 + 145x^3 + 9x^2 + x + 42
# (implied) (1x^4) (1x^1) (42x^0)
```
+This polynomial represents all the valid combinations of the signers.
+
+Just like Safe, it protects against:
+
+- double signing
+- under signing
+- non-signer signatures
+
## A TLDR Of How It works
### 👷🏽♂️ Setup
@@ -100,4 +108,4 @@ forge test
Some possible solutions are:
- Always spin up a fresh EOA to add as a signer, it's important this account has never made an Ethereum transaction on any chain.
-- Refactor the code to accept a bit of randomness: an `r` value to hash together with each `root`. This makes it impossible to brute force. The `r` value can be as simple as a known `password` has to at least be known by the prover.
\ No newline at end of file
+- Refactor the code to accept a bit of randomness: an `r` value to hash together with each `root`. This makes it impossible to brute force. The `r` value can be as simple as a known `password` has to at least be known by the prover.
From c2482cce8e6de5c45ea2971e2f0e03fcbf2f29a3 Mon Sep 17 00:00:00 2001
From: Colin Nielsen <33375223+colinnielsen@users.noreply.github.com>
Date: Wed, 13 Nov 2024 12:20:49 +0700
Subject: [PATCH 3/3] docs: add video
---
README.md | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bf9b0e9..4269c9c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,19 @@
-# Safe Multisig (but signers are secret)
+# 🥷🏽 Dark Safe 🏦
## Deep Dive Video 📺
+
+
+
+
Repo Structure