From 2081e0077d1002c5cc33360b286dfb62c5c40669 Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Tue, 28 Nov 2023 08:44:43 -0600 Subject: [PATCH 01/24] changes for rid --- ERCS/erc-7540.md | 267 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 234 insertions(+), 33 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index fe35babb4e..3f7b755532 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -15,7 +15,7 @@ requires: 20, 165, 4626 The following standard extends [ERC-4626](./eip-4626.md) by adding support for asynchronous deposit and redemption flows. The async flows are called Requests. -New methods are added to asynchronously Request a deposit or redemption, and view the pending status of the Request. The existing `deposit`, `mint`, `withdraw`, and `redeem` ERC-4626 methods are used for executing Claimable Requests. +New methods are added to asynchronously Request a deposit or redemption, and view the status of the Request. The existing `deposit`, `mint`, `withdraw`, and `redeem` ERC-4626 methods are used for executing Claimable Requests. Implementations can choose to whether to add asynchronous flows for deposits, redemptions, or both. 
@@ -33,12 +33,11 @@ This standard expands the utility of ERC-4626 Vaults for asynchronous use cases. The existing definitions from [ERC-4626](./eip-4626.md) apply. In addition, this spec defines: -- Request: a function call that initiates an asynchronous deposit/redemption flow +- Request: a request to enter (`requestDeposit`) or exit (`requestRedeem`) the Vault - Pending: the state where a Request has been made but is not yet Claimable - Claimable: the state where a Request is processed by the Vault enabling the user to claim corresponding `shares` (for async deposit) or `assets` (for async redeem) - Claimed: the state where a Request is finalized by the user and the user receives the output token (e.g. `shares` for a deposit Request) - Claim function: the corresponding Vault method to bring a Request to Claimed state (e.g. `deposit` or `mint` claims `shares` from `requestDeposit`). Lower case claim always describes the verb action of calling a Claim function. -- operator: the account specified by the sender of the Request which has the right to claim a given Request once it is Claimable - asynchronous deposit Vault: a Vault that implements asynchronous Requests for deposit flows - asynchronous redemption Vault: a Vault that implements asynchronous redemption flows - fully asynchronous Vault: a Vault that implements asynchronous Requests for both deposit and redemption 
@@ -57,7 +56,7 @@ Asynchronous deposit Vaults MUST override the ERC-4626 specification as follows: Asynchronous redeem Vaults MUST override the ERC-4626 specification as follows: 1. The `redeem` and `withdraw` methods do not transfer `shares` to the Vault, because this already happened on `requestRedeem`. -2. The `owner/operator` field of `redeem` and `withdraw` MUST be `msg.sender` to prevent the theft of requested redemptions by a non-owner/operator. +2. The `owner` field of `redeem` and `withdraw` MUST be `msg.sender` to prevent the theft of requested redemptions by a non-owner. 3. `previewRedeem` and `previewWithdraw` MUST revert for all callers and inputs. ### Request Lifecycle 
@@ -66,9 +65,11 @@ After submission, Requests go through Pending, Claimable, and Claimed stages. An | **State** | **User** | **Vault** | |-------------|---------------------------------|-----------| -| Pending | `requestDeposit(assets, operator)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[operator] += assets` | -| Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[msg.sender] -= assets`; `maxDeposit[operator] += assets` | -| Claimed | `deposit(assets, receiver)` | `maxDeposit[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | +| Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[owner] += assets` | +| Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[msg.sender] -= assets`; `claimableDepositRequest[owner] += assets` | +| Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | + +Note that `maxDeposit` increases and decreases in sync with `claimableDepositRequest`. An important Vault inequality is that following a Request(s), the cumulative requested quantity MUST be more than `pendingDepositRequest + maxDeposit - claimed`. The inequality may come from fees or other state transitions outside implemented by Vault logic such as cancellation of a Request, otherwise this would be a strict equality. 
@@ -76,19 +77,37 @@ Requests MUST NOT skip or otherwise short-circuit the Claim state. In other word For asynchronous Vaults, the exchange rate between `shares` and `assets` including fees and yield is up to the Vault implementation. In other words, pending redemption Requests MAY NOT be yield bearing and MAY NOT have a fixed exchange rate. +### Request Ids +The request ID (`rid`) of a request is returned by the corresponding `requestDeposit` and `requestRedeem` functions. + +Multiple requests may have the same `rid`, so a given Request is discriminated by both the `rid` and the `owner`. + +Requests of the same `rid` MUST be fungible with each other (except in the special case `rid == 0` described below). I.e. all Requests with the same `rid` MUST transition from Pending to Claimable at the same time and receive the same exchange rate between `assets` and `shares`. + +If a Request becomes partially claimable, all requests of the same `rid` MUST become claimable at the same pro rata rate. + +There are no assumptions or requirements of requests with different `rid`. I.e. they MAY transition to Claimable at different times and exchange rates with no ordering or correlation enforced in any way. + +When `rid==0`, the Vault MUST use purely the `owner` to discriminate the request state. The Pending and Claimable state of multiple requests from the same `owner` would be aggregated. If a Vault returns `0` for the `rid` of any request, it MUST return `0` for all requests. ### Methods #### requestDeposit -Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit/mint`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. +Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit/mint`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. 
+ +The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. -When the Request is Claimable, `maxDeposit` and `maxMint` will be increased for the case where the `receiver` input is the `operator`. `deposit` or `mint` can subsequently be called by `operator` to receive `shares`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. +If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. + +When the Request is Claimable, `claimableDepositRequest` will be increased for the `receiver`. `deposit` or `mint` can subsequently be called by `receiver` to receive `shares`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. The `shares` that will be received on `deposit` or `mint` MAY NOT be equivalent to the value of `convertToShares(assets)` at the time of Request, as the price can change between Request and Claim. MUST support [ERC-20](./eip-20.md) `approve` / `transferFrom` on `asset` as a deposit Request flow. +`owner` MUST equal `msg.sender` unless the `owner` has approved the `msg.sender` by some mechanism. + MUST revert if all of `assets` cannot be requested for `deposit`/`mint` (due to deposit limit being reached, slippage, the user not approving enough underlying tokens to the Vault contract, etc). Note that most implementations will require pre-approval of the Vault with the Vault's underlying `asset` token. 
@@ -103,13 +122,20 @@ MUST emit the `RequestDeposit` event. inputs: - name: assets type: uint256 - - name: operator + - name: receiver + type: address + - name: owner type: address + - name: data + type: bytes + outputs: + - name: rid + type: uint256 ``` #### pendingDepositRequest -The amount of requested `assets` in Pending state for the `operator` to `deposit` or `mint`. +The amount of requested `assets` in Pending state for the `owner` to `deposit` or `mint`. MUST NOT include any `assets` in Claimable state for `deposit` or `mint`. @@ -123,7 +149,31 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i stateMutability: view inputs: - - name: operator + - name: owner + type: address + + outputs: + - name: assets + type: uint256 +``` + +#### claimableDepositRequest + +The amount of requested `assets` in Claimable state for the `owner` to `deposit` or `mint`. + +MUST NOT include any `assets` in Pending state for `deposit` or `mint`. + +MUST NOT show any variations depending on the caller. + +MUST NOT revert unless due to integer overflow caused by an unreasonably large input. + +```yaml +- name: claimableDepositRequest + type: function + stateMutability: view + + inputs: + - name: owner type: address outputs: 
@@ -135,13 +185,17 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i Assumes control of `shares` from `owner` and submits a Request for asynchronous `redeem/withdraw`. This places the Request in Pending state, with a corresponding increase in `pendingRedeemRequest` for the amount `shares`. +The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. + MAY support either a locking or a burning mechanism for `shares` depending on the Vault implemention. If a Vault uses a locking mechanism for `shares`, those `shares` MUST be burned from the Vault balance before or upon claiming the Request. MUST support a redeem Request flow where the control of `shares` is taken from `owner` directly where `msg.sender` has ERC-20 approval over the `shares` of `owner`. -When the Request is Claimable, `maxRedeem` and `maxWithdraw` will be increased for the case where the `owner` input is the `operator`. `redeem` or `withdraw` can subsequently be called by `operator` to receive `assets`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. +If the length of `data` is not 0, the Request MUST send an `onERC7540RedeemReceived` callback to `receiver` following the interface of ERC7540RedeemReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. + +When the Request is Claimable, `claimableRedeemRequest` will be increased for the `receiver`. `redeem` or `withdraw` can subsequently be called by `receiver` to receive `assets`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. The `assets` that will be received on `redeem` or `withdraw` MAY NOT be equivalent to the value of `convertToAssets(shares)` at time of Request, as the price can change between Pending and Claimed. 
@@ -159,15 +213,20 @@ MUST emit the `RequestRedeem` event. inputs: - name: shares type: uint256 - - name: operator + - name: receiver type: address - name: owner type: address + - name: data + type: bytes + outputs: + - name: rid + - type: uint256 ``` #### pendingRedeemRequest -The amount of requested `shares` in Pending state for the `operator` to `redeem` or `withdraw`. +The amount of requested `shares` in Pending state for the `owner` to `redeem` or `withdraw`. MUST NOT include any `shares` in Claimable state for `redeem` or `withdraw`. @@ -181,7 +240,31 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i stateMutability: view inputs: - - name: operator + - name: owner + type: address + + outputs: + - name: shares + type: uint256 +``` + +#### claimableRedeemRequest + +The amount of requested `shares` in Claimable state for the `owner` to `redeem` or `withdraw`. + +MUST NOT include any `shares` in Pending state for `redeem` or `withdraw`. + +MUST NOT show any variations depending on the caller. + +MUST NOT revert unless due to integer overflow caused by an unreasonably large input. + +```yaml +- name: claimableRedeemRequest + type: function + stateMutability: view + + inputs: + - name: owner type: address outputs: @@ -193,7 +276,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i #### DepositRequest -`sender` has locked `assets` in the Vault to Request a deposit. `operator` controls this Request. +`sender` has locked `assets` in the Vault to Request a deposit with request ID `rid`. `receiver` controls this Request. MUST be emitted when a deposit Request is submitted using the `requestDeposit` method. @@ -205,9 +288,12 @@ MUST be emitted when a deposit Request is submitted using the `requestDeposit` m - name: sender indexed: true type: address - - name: operator + - name: receiver indexed: true type: address + - name: rid + indexed: true + type: uint256 - name: assets indexed: false type: uint256 
@@ -215,7 +301,7 @@ MUST be emitted when a deposit Request is submitted using the `requestDeposit` m #### RedeemRequest -`sender` has locked `shares`, owned by `owner`, in the Vault to Request a redemption. `operator` controls this Request. +`sender` has locked `shares`, owned by `owner`, in the Vault to Request a redemption. `receiver` controls this Request, but is not necessarily the `owner`. MUST be emitted when a redemption Request is submitted using the `requestRedeem` method. 
@@ -224,30 +310,107 @@ MUST be emitted when a redemption Request is submitted using the `requestRedeem` type: event inputs: - - name: sender - indexed: true - type: address - - name: operator + - name: receiver indexed: true type: address - name: owner indexed: true type: address + - name: rid + indexed: true + type: uint256 + - name: sender + indexed: false + type: uint256 - name: assets indexed: false type: uint256 ``` +### Request Callbacks + +All methods which initiate a request (including `rid==0`) include a `data` parameter, which if nonzero length MUST send a callback to the receiver. + +There are two interfaces, `ERC7540DepositReceiver` and `ERC7540RedeemReceiver` which each define the single callback method to be called. + +#### ERC7540DepositReceiver +The interface to be called on `requestDeposit`. + +`operator` is the `msg.sender` of the original `requestDeposit` call. `owner` is the `owner` of the `requestDeposit`. `rid` is the output `rid` of the `requestDeposit` and `data` is the `data` of the `requestDeposit`. + +This function MUST return `TODO` upon successful execution of the callback. + +```yaml +- name: onERC7540DepositReceived + type: function + + inputs: + - name: operator + type: address + - name: owner + type: address + - name: rid + type: uint256 + - name: data + type: bytes + outputs: + - name: interfaceId + type: bytes4 +``` + + +#### ERC7540RedeemReceiver +The interface to be called on `requestRedeem`. + +`operator` is the `msg.sender` of the original `requestRedeem` call. `owner` is the `owner` of the `requestRedeem`. `rid` is the output `rid` of the `requestRedeem` and `data` is the `data` of the `requestRedeem`. + +This function MUST return `TODO` upon successful execution of the callback. 
+ +```yaml +- name: onERC7540RedeemReceived + type: function + + inputs: + - name: operator + type: address + - name: owner + type: address + - name: rid + type: uint256 + - name: data + type: bytes + outputs: + - name: interfaceId + type: bytes4 +``` + ### [ERC-165](./eip-165.md) support Smart contracts implementing this standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. -Asynchronous deposit Vaults MUST return the constant value `true` if `0xea446681` is passed through the `interfaceID` argument. +Asynchronous deposit Vaults MUST return the constant value `true` if TODO `0xea446681` is passed through the `interfaceID` argument. + +Asynchronous redemption Vaults MUST return the constant value `true` if TODO `0x2e9dd5bd` is passed through the `interfaceID` argument. -Asynchronous redemption Vaults MUST return the constant value `true` if `0x2e9dd5bd` is passed through the `interfaceID` argument. +ERC7540DepositReceiver contracts MUST return the constant value `true` if TODO is passed through the `interfaceID` argument. + +ERC7540RedeemReceiver contracts MUST return the constant value `true` if TODO is passed through the `interfaceID` argument. ## Rationale +### Including Request IDs but Not Including a Claim by ID method +Requests in an Asynchronous Vault have properties of NFTs or Semi-Fungible tokens due to their asynchronicity. However, trying to pigeonhole all ERC-7540 Vaults into supporting [ERC-721](./eip-721) or [ERC-1155](./erc-1155) for Requests would create too much interface bloat. + +Using both an id and address to discriminate Requests allows for any of these use cases to be developed at an external layer without adding too much complexity to the core interface. + +Certain Vaults especially `rid==0` cases benefit from using the underlying ERC4626 methods for claiming because there is no discrimination at the `rid` level. This standard is written primarily with those use cases in mind. 
A future standard can optimize for nonzero RID with support for claiming and transferring requests discriminated also with an `rid`. + +### Callbacks + +Callbacks on Request calls can be used among other things to allow Requests to become fully [ERC-721](./eip-721) or [ERC-1155](./erc-1155) compatible in an external layer. + +This can support flows where a smart contract manages the Request lifecycle on behalf of a user. + ### Symmetry and Non-inclusion of requestWithdraw and requestMint In ERC-4626, the spec was written to be fully symmetrical with respect to converting `assets` and `shares` by including deposit/withdraw and mint/redeem. @@ -284,10 +447,6 @@ The 2-step approach used in the standard may be abstracted into a 1-step approac In the case where a Request may become Claimable immediately in the same block, there can be router contracts which atomically check for Claimable amounts immediately upon Request. Frontends can dynamically route Requests in this way depending on the state and implementation of the Vault to handle this edge case. -### Operator function parameter on requestDeposit and requestRedeem - -To support flows where a smart contract manages the Request lifecycle on behalf of a user, the `operator` parameter is included in the `requestDeposit` and `requestRedeem` functions. This is not called `owner` because the `assets` or `shares` are not transferred from this account on Request submission, unlike the behaviour of an `owner` on `redeem`. It is also not called `receiver` because the `shares` or `assets` are not necessarily transferred on claiming the Request, this can be chosen by the operator when they call `deposit`, `mint`, `redeem`, or `withdraw`. - ### No Outputs for Request functions `requestDeposit` and `requestRedeem` may not have a known exchange rate that will happen when the Request becomes Claimed. Returning the corresponding `assets` or `shares` could not work in this case. 
@@ -300,7 +459,7 @@ The state transition of a Request from Pending to Claimable happens at the Vault ### Reversion of Preview Functions in Async Request Flows -The preview functions do not take an address parameter, therefore the only way to discriminate discrepancies in exchange rate are via the `msg.sender`. However, this could lead to integration/implementation complexities where support contracts cannot determine the output of a claim on behalf of an `operator`. +The preview functions do not take an address parameter, therefore the only way to discriminate discrepancies in exchange rate are via the `msg.sender`. However, this could lead to integration/implementation complexities where support contracts cannot determine the output of a claim on behalf of an `owner`. In addition, there is no on-chain benefit to previewing the Claim step as the only valid state transition is to Claim anyway. If the output of a Claim is undesirable for any reason, the calling contract can revert on the output of that function call. 
@@ -319,11 +478,53 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The ## Reference Implementation -WIP +```solidity + // This code snippet is incomplete pseudocode used for example only and is no way intended to be used in production or guaranteed to be secure + + mapping(address => uint256) public pendingDepositRequest; + + mapping(address => uint256) public claimableDepositRequest; + + function requestDeposit(uint256 assets, address receiver, address owner, bytes calldata data) external returns (uint256 rid) { + require(assets != 0); + require(owner == msg.sender); + + rid = 0; // no rid associated with this request + + asset.safeTransferFrom(msg.sender, address(this), assets); // asset here is the Vault underlying asset + + pendingDepositRequest[owner] += assets; + + // Perform the callback + if (data.length != 0) { + ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, rid, data); + } + + emit DepositRequest(msg.sender, operator, rid, assets); + return rid; + } + + /** + * Include some arbitrary transition logic here from Pending to Claimable + */ + + function deposit(uint256 assets, address receiver) external returns (uint256 shares) { + require(assets != 0); + + claimableDepositRequest[msg.sender] -= assets; // underflow would revert if not enough claimable assets + + shares = convertToShares(assets); // this naive example uses the instantaneous exchange rate. It may be more common to use the rate locked in upon Claimable stage. + + balanceOf[receiver] += shares; + + emit Deposit(msg.sender, receiver, assets, shares); + } + +``` ## Security Considerations -The methods `pendingDepositRequest` and `pendingRedeemRequest` are estimates useful for display purposes, and can be outdated due to the asynchronicity. +The view methods for viewing Pending and Claimable request states (e.g. `pendingDepositRequest`) are estimates useful for display purposes, and can be outdated due to the asynchronicity. 
In general, asynchronicity concerns make state transitions in the Vault much more complex and vulnerable to security risks. Access control on Vault operations, clear documentation of state transitioning, and invariant checks should all be performed to mitigate these risks. @@ -331,7 +532,7 @@ In particular, shares or assets locked for Requests can be stuck in the Pending Moreover, users might not know what the final exchange rate will be on any Request due to the asynchronicity. Users therefore trust the implementation of the asynchronous Vault in the computation of the exchange rate and fulfillment of their Request. -It is worth highlighting again here that the Claim functions for any asynchronous flows MUST enforce that `msg.sender == operator/owner` to prevent theft of Claimable `assets` or `shares` +It is worth highlighting again here that the Claim functions for any asynchronous flows MUST enforce that `msg.sender == owner` to prevent theft of Claimable `assets` or `shares` ## Copyright From 94936c7c8c124762e16304e30345e68cf042bd8f Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 29 Nov 2023 14:48:41 -0600 Subject: [PATCH 02/24] Update ERCS/erc-7540.md Co-authored-by: Farhaan <59924029+0xfarhaan@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 3f7b755532..a796e775e2 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -94,7 +94,7 @@ When `rid==0`, the Vault MUST use purely the `owner` to discriminate the request #### requestDeposit -Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit/mint`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. +Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. From e6a1956860194196b380c94f124b44925040ddd4 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 29 Nov 2023 14:48:48 -0600 Subject: [PATCH 03/24] Update ERCS/erc-7540.md Co-authored-by: Farhaan <59924029+0xfarhaan@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index a796e775e2..7c691ad76d 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -183,7 +183,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i #### requestRedeem -Assumes control of `shares` from `owner` and submits a Request for asynchronous `redeem/withdraw`. This places the Request in Pending state, with a corresponding increase in `pendingRedeemRequest` for the amount `shares`. +Assumes control of `shares` from `owner` and submits a Request for asynchronous `redeem`. This places the Request in Pending state, with a corresponding increase in `pendingRedeemRequest` for the amount `shares`. The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. From 2aaf591048d3e23020b88607efd73a35a9b4322f Mon Sep 17 00:00:00 2001 
From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Tue, 5 Dec 2023 14:14:01 -0500 Subject: [PATCH 04/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 7c691ad76d..d69f9ffd01 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -65,7 +65,7 @@ After submission, Requests go through Pending, Claimable, and Claimed stages. An | **State** | **User** | **Vault** | |-------------|---------------------------------|-----------| -| Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[owner] += assets` | +| Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[receiver] += assets` | | Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[msg.sender] -= assets`; `claimableDepositRequest[owner] += assets` | | Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | From 26466ef3e85777d1f864ab63b852c1abb035f355 Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Tue, 5 Dec 2023 14:15:06 -0500 Subject: [PATCH 05/24] sec considerations --- ERCS/erc-7540.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 7c691ad76d..de9f0322b9 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -524,15 +524,12 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The ## Security Considerations -The view methods for viewing Pending and Claimable request states (e.g. `pendingDepositRequest`) are estimates useful for display purposes, and can be outdated due to the asynchronicity. +In general, asynchronicity concerns make state transitions in the Vault much more complex and vulnerable to security risks. Access control on Vault operations, clear documentation of state transitioning, and invariant checks should all be performed to mitigate these risks. For example: -In general, asynchronicity concerns make state transitions in the Vault much more complex and vulnerable to security risks. Access control on Vault operations, clear documentation of state transitioning, and invariant checks should all be performed to mitigate these risks. +* The view methods for viewing Pending and Claimable request states (e.g. pendingDepositRequest) are estimates useful for display purposes but can be outdated. The inability to know the final exchange rate will be on any Request requires users to trust the implementation of the asynchronous Vault in the computation of the exchange rate and fulfillment of their Request. +* Shares or assets locked for Requests can be stuck in the Pending state. Vaults may elect to allow for fungibility of pending claims or implement some cancellation functionality to protect users. -In particular, shares or assets locked for Requests can be stuck in the Pending state. Vaults may elect to allow for fungibility of pending claims or implement some cancellation functionality to protect users. - -Moreover, users might not know what the final exchange rate will be on any Request due to the asynchronicity. Users therefore trust the implementation of the asynchronous Vault in the computation of the exchange rate and fulfillment of their Request. 
- -It is worth highlighting again here that the Claim functions for any asynchronous flows MUST enforce that `msg.sender == owner` to prevent theft of Claimable `assets` or `shares` +Lastly, it is worth highlighting again here that the Claim functions for any asynchronous flows MUST enforce that msg.sender == owner to prevent theft of Claimable assets or shares. ## Copyright From e3a1026e5ba2abd2d4ce08cdad1b42c3ad23f499 Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Tue, 5 Dec 2023 14:23:32 -0500 Subject: [PATCH 06/24] events and 165 --- ERCS/erc-7540.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index aeeaf9e733..f1c032b388 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -276,7 +276,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i #### DepositRequest -`sender` has locked `assets` in the Vault to Request a deposit with request ID `rid`. `receiver` controls this Request. +`owner` has locked `assets` in the Vault to Request a deposit with request ID `rid`. `receiver` controls this Request. `sender` is the caller of the `requestDeposit` which may not be equal to the `owner`. MUST be emitted when a deposit Request is submitted using the `requestDeposit` method. @@ -285,15 +285,18 @@ MUST be emitted when a deposit Request is submitted using the `requestDeposit` m type: event inputs: - - name: sender + - name: receiver indexed: true type: address - - name: receiver + - name: owner indexed: true type: address - name: rid indexed: true type: uint256 + - name: sender + indexed: false + type: address - name: assets indexed: false type: uint256 
@@ -386,16 +389,12 @@ This function MUST return `TODO` upon successful execution of the callback. ### [ERC-165](./eip-165.md) support -Smart contracts implementing this standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. +Smart contracts implementing this Vault standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. Asynchronous deposit Vaults MUST return the constant value `true` if TODO `0xea446681` is passed through the `interfaceID` argument. Asynchronous redemption Vaults MUST return the constant value `true` if TODO `0x2e9dd5bd` is passed through the `interfaceID` argument. -ERC7540DepositReceiver contracts MUST return the constant value `true` if TODO is passed through the `interfaceID` argument. - -ERC7540RedeemReceiver contracts MUST return the constant value `true` if TODO is passed through the `interfaceID` argument. - ## Rationale ### Including Request IDs but Not Including a Claim by ID method From 8387565cad7cff2c60b8454a122de9485e950e90 Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Tue, 5 Dec 2023 14:28:58 -0500 Subject: [PATCH 07/24] rid --- ERCS/erc-7540.md | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index f1c032b388..2eb153cbe5 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -78,17 +78,17 @@ Requests MUST NOT skip or otherwise short-circuit the Claim state. In other word For asynchronous Vaults, the exchange rate between `shares` and `assets` including fees and yield is up to the Vault implementation. In other words, pending redemption Requests MAY NOT be yield bearing and MAY NOT have a fixed exchange rate. ### Request Ids -The request ID (`rid`) of a request is returned by the corresponding `requestDeposit` and `requestRedeem` functions. +The request ID (`requestId`) of a request is returned by the corresponding `requestDeposit` and `requestRedeem` functions. -Multiple requests may have the same `rid`, so a given Request is discriminated by both the `rid` and the `owner`. +Multiple requests may have the same `requestId`, so a given Request is discriminated by both the `requestId` and the `owner`. -Requests of the same `rid` MUST be fungible with each other (except in the special case `rid == 0` described below). I.e. all Requests with the same `rid` MUST transition from Pending to Claimable at the same time and receive the same exchange rate between `assets` and `shares`. +Requests of the same `requestId` MUST be fungible with each other (except in the special case `requestId == 0` described below). I.e. all Requests with the same `requestId` MUST transition from Pending to Claimable at the same time and receive the same exchange rate between `assets` and `shares`. -If a Request becomes partially claimable, all requests of the same `rid` MUST become claimable at the same pro rata rate. +If a Request becomes partially claimable, all requests of the same `requestId` MUST become claimable at the same pro rata rate. -There are no assumptions or requirements of requests with different `rid`. I.e. they MAY transition to Claimable at different times and exchange rates with no ordering or correlation enforced in any way. +There are no assumptions or requirements of requests with different `requestId`. I.e. 
they MAY transition to Claimable at different times and exchange rates with no ordering or correlation enforced in any way. -When `rid==0`, the Vault MUST use purely the `owner` to discriminate the request state. The Pending and Claimable state of multiple requests from the same `owner` would be aggregated. If a Vault returns `0` for the `rid` of any request, it MUST return `0` for all requests. +When `requestId==0`, the Vault MUST use purely the `owner` to discriminate the request state. The Pending and Claimable state of multiple requests from the same `owner` would be aggregated. If a Vault returns `0` for the `requestId` of any request, it MUST return `0` for all requests. ### Methods @@ -96,7 +96,7 @@ When `rid==0`, the Vault MUST use purely the `owner` to discriminate the request Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. -The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. +The output `requestId` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. @@ -129,7 +129,7 @@ MUST emit the `RequestDeposit` event. - name: data type: bytes outputs: - - name: rid + - name: requestId type: uint256 ``` 
@@ -185,7 +185,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i Assumes control of `shares` from `owner` and submits a Request for asynchronous `redeem`. This places the Request in Pending state, with a corresponding increase in `pendingRedeemRequest` for the amount `shares`. -The output `rid` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. +The output `requestId` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. MAY support either a locking or a burning mechanism for `shares` depending on the Vault implemention. @@ -220,7 +220,7 @@ MUST emit the `RequestRedeem` event. - name: data type: bytes outputs: - - name: rid + - name: requestId - type: uint256 ``` @@ -276,7 +276,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i #### DepositRequest -`owner` has locked `assets` in the Vault to Request a deposit with request ID `rid`. `receiver` controls this Request. `sender` is the caller of the `requestDeposit` which may not be equal to the `owner`. +`owner` has locked `assets` in the Vault to Request a deposit with request ID `requestId`. `receiver` controls this Request. `sender` is the caller of the `requestDeposit` which may not be equal to the `owner`. MUST be emitted when a deposit Request is submitted using the `requestDeposit` method. @@ -291,7 +291,7 @@ MUST be emitted when a deposit Request is submitted using the `requestDeposit` m - name: owner indexed: true type: address - - name: rid + - name: requestId indexed: true type: uint256 - name: sender @@ -319,7 +319,7 @@ MUST be emitted when a redemption Request is submitted using the `requestRedeem` - name: owner indexed: true type: address - - name: rid + - name: requestId indexed: true type: uint256 - name: sender 
@@ -332,14 +332,14 @@ MUST be emitted when a redemption Request is submitted using the `requestRedeem` ### Request Callbacks -All methods which initiate a request (including `rid==0`) include a `data` parameter, which if nonzero length MUST send a callback to the receiver. +All methods which initiate a request (including `requestId==0`) include a `data` parameter, which if nonzero length MUST send a callback to the receiver. There are two interfaces, `ERC7540DepositReceiver` and `ERC7540RedeemReceiver` which each define the single callback method to be called. #### ERC7540DepositReceiver The interface to be called on `requestDeposit`. -`operator` is the `msg.sender` of the original `requestDeposit` call. `owner` is the `owner` of the `requestDeposit`. `rid` is the output `rid` of the `requestDeposit` and `data` is the `data` of the `requestDeposit`. +`operator` is the `msg.sender` of the original `requestDeposit` call. `owner` is the `owner` of the `requestDeposit`. `requestId` is the output `requestId` of the `requestDeposit` and `data` is the `data` of the `requestDeposit`. This function MUST return `TODO` upon successful execution of the callback. @@ -352,7 +352,7 @@ This function MUST return `TODO` upon successful execution of the callback. type: address - name: owner type: address - - name: rid + - name: requestId type: uint256 - name: data type: bytes 
@@ -365,7 +365,7 @@ This function MUST return `TODO` upon successful execution of the callback. #### ERC7540RedeemReceiver The interface to be called on `requestRedeem`. -`operator` is the `msg.sender` of the original `requestRedeem` call. `owner` is the `owner` of the `requestRedeem`. `rid` is the output `rid` of the `requestRedeem` and `data` is the `data` of the `requestRedeem`. +`operator` is the `msg.sender` of the original `requestRedeem` call. `owner` is the `owner` of the `requestRedeem`. `requestId` is the output `requestId` of the `requestRedeem` and `data` is the `data` of the `requestRedeem`. This function MUST return `TODO` upon successful execution of the callback. @@ -378,7 +378,7 @@ This function MUST return `TODO` upon successful execution of the callback. type: address - name: owner type: address - - name: rid + - name: requestId type: uint256 - name: data type: bytes @@ -402,7 +402,7 @@ Requests in an Asynchronous Vault have properties of NFTs or Semi-Fungible token Using both an id and address to discriminate Requests allows for any of these use cases to be developed at an external layer without adding too much complexity to the core interface. -Certain Vaults especially `rid==0` cases benefit from using the underlying ERC4626 methods for claiming because there is no discrimination at the `rid` level. This standard is written primarily with those use cases in mind. A future standard can optimize for nonzero RID with support for claiming and transferring requests discriminated also with an `rid`. +Certain Vaults especially `requestId==0` cases benefit from using the underlying ERC4626 methods for claiming because there is no discrimination at the `requestId` level. This standard is written primarily with those use cases in mind. A future standard can optimize for nonzero RID with support for claiming and transferring requests discriminated also with an `requestId`. ### Callbacks 
@@ -484,11 +484,11 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The mapping(address => uint256) public claimableDepositRequest; - function requestDeposit(uint256 assets, address receiver, address owner, bytes calldata data) external returns (uint256 rid) { + function requestDeposit(uint256 assets, address receiver, address owner, bytes calldata data) external returns (uint256 requestId) { require(assets != 0); require(owner == msg.sender); - rid = 0; // no rid associated with this request + requestId = 0; // no requestId associated with this request asset.safeTransferFrom(msg.sender, address(this), assets); // asset here is the Vault underlying asset @@ -496,11 +496,11 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The // Perform the callback if (data.length != 0) { - ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, rid, data); + ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, requestId, data); } - emit DepositRequest(msg.sender, operator, rid, assets); - return rid; + emit DepositRequest(msg.sender, operator, requestId, assets); + return requestId; } /** From 3f0493f323f4a283a6962d4b33b76cd57a6f2916 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:39:55 -0500 Subject: [PATCH 08/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 2eb153cbe5..212c492121 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -66,7 +66,7 @@ After submission, Requests go through Pending, Claimable, and Claimed stages. An | **State** | **User** | **Vault** | |-------------|---------------------------------|-----------| | Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[receiver] += assets` | -| Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[msg.sender] -= assets`; `claimableDepositRequest[owner] += assets` | +| Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[owner] -= assets`; `claimableDepositRequest[owner] += assets` | | Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | Note that `maxDeposit` increases and decreases in sync with `claimableDepositRequest`. From ae5148e0a2e79b297ee23098e3e0c55d3a2efcfe Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:53:03 -0500 Subject: [PATCH 09/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 212c492121..eba49c769d 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -391,7 +391,7 @@ This function MUST return `TODO` upon successful execution of the callback. Smart contracts implementing this Vault standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. -Asynchronous deposit Vaults MUST return the constant value `true` if TODO `0xea446681` is passed through the `interfaceID` argument. +Asynchronous deposit Vaults MUST return the constant value `true` if `0x1683f250` is passed through the `interfaceID` argument. Asynchronous redemption Vaults MUST return the constant value `true` if TODO `0x2e9dd5bd` is passed through the `interfaceID` argument. 
From 1981de35e6b3ced7f920e744caa4b3b2e2fdfea0 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 13:53:11 -0500 Subject: [PATCH 10/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index eba49c769d..c9e5720096 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -393,7 +393,7 @@ Smart contracts implementing this Vault standard MUST implement the [ERC-165](./ Asynchronous deposit Vaults MUST return the constant value `true` if `0x1683f250` is passed through the `interfaceID` argument. -Asynchronous redemption Vaults MUST return the constant value `true` if TODO `0x2e9dd5bd` is passed through the `interfaceID` argument. +Asynchronous redemption Vaults MUST return the constant value `true` if `0x0899cb0b` is passed through the `interfaceID` argument. ## Rationale From c6d2bcc328102a47d488c4aeb7ae149d2a0f97b4 Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Wed, 6 Dec 2023 14:24:33 -0500 Subject: [PATCH 11/24] selectors --- ERCS/erc-7540.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index c9e5720096..4f53513712 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -341,7 +341,7 @@ The interface to be called on `requestDeposit`. `operator` is the `msg.sender` of the original `requestDeposit` call. `owner` is the `owner` of the `requestDeposit`. `requestId` is the output `requestId` of the `requestDeposit` and `data` is the `data` of the `requestDeposit`. -This function MUST return `TODO` upon successful execution of the callback. +This function MUST return `0xe74d2a41` upon successful execution of the callback. ```yaml - name: onERC7540DepositReceived 
@@ -367,7 +367,7 @@ The interface to be called on `requestRedeem`. `operator` is the `msg.sender` of the original `requestRedeem` call. `owner` is the `owner` of the `requestRedeem`. `requestId` is the output `requestId` of the `requestRedeem` and `data` is the `data` of the `requestRedeem`. -This function MUST return `TODO` upon successful execution of the callback. +This function MUST return `0x0102fde4` upon successful execution of the callback. ```yaml - name: onERC7540RedeemReceived From f80ad231c1179c4928b6b3dbb531c1af5277c508 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:28:39 -0500 Subject: [PATCH 12/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 4f53513712..9f281555e1 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -496,7 +496,7 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The // Perform the callback if (data.length != 0) { - ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, requestId, data); + require(ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, requestId, data) == ERC7540Receiver.onERC7540DepositReceived.selector, "receiver failed"); } emit DepositRequest(msg.sender, operator, requestId, assets); From 36b04d87d98a2b4359a080dca913047f751a3f93 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:28:55 -0500 Subject: [PATCH 13/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 9f281555e1..9bd5b442dd 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -65,7 +65,7 @@ After submission, Requests go through Pending, Claimable, and Claimed stages. An | **State** | **User** | **Vault** | |-------------|---------------------------------|-----------| -| Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(msg.sender, vault, assets)`; `pendingDepositRequest[receiver] += assets` | +| Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(owner, vault, assets)`; `pendingDepositRequest[receiver] += assets` | | Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[owner] -= assets`; `claimableDepositRequest[owner] += assets` | | Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | From 37ff809e6ebf4c634b53674ff01244a512715a74 Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:29:08 -0500 Subject: [PATCH 14/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 9bd5b442dd..c4cbc1f923 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -67,7 +67,7 @@ After submission, Requests go through Pending, Claimable, and Claimed stages. An |-------------|---------------------------------|-----------| | Pending | `requestDeposit(assets, receiver, owner, data)` | `asset.transferFrom(owner, vault, assets)`; `pendingDepositRequest[receiver] += assets` | | Claimable | | *Internal Request fulfillment*: `pendingDepositRequest[owner] -= assets`; `claimableDepositRequest[owner] += assets` | -| Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[msg.sender] -= assets`; `vault.balanceOf[receiver] += shares` | +| Claimed | `deposit(assets, receiver)` | `claimableDepositRequest[owner] -= assets`; `vault.balanceOf[receiver] += shares` | Note that `maxDeposit` increases and decreases in sync with `claimableDepositRequest`. From 85001edec51d303cfe086fe00336dbd6c1e26bdc Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:29:24 -0500 Subject: [PATCH 15/24] Update ERCS/erc-7540.md Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index c4cbc1f923..41c35986b8 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -96,7 +96,7 @@ When `requestId==0`, the Vault MUST use purely the `owner` to discriminate the r Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. -The output `requestId` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. +The output `requestId` is used to partially discriminate the request along with the `receiver`. See "Request Ids" section for more info. If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. From 9961e5e6295276b11dfcb114ba5d652530acb44a Mon Sep 17 00:00:00 2001 From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:30:53 -0500 Subject: [PATCH 16/24] Apply suggestions from code review Co-authored-by: Jeroen <1748621+hieronx@users.noreply.github.com> --- ERCS/erc-7540.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 41c35986b8..8be4dc8a0a 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -98,7 +98,7 @@ Transfers `assets` from `msg.sender` into the Vault and submits a Request for as The output `requestId` is used to partially discriminate the request along with the `receiver`. See "Request Ids" section for more info. -If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. +If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. When the Request is Claimable, `claimableDepositRequest` will be increased for the `receiver`. `deposit` or `mint` can subsequently be called by `receiver` to receive `shares`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. @@ -185,7 +185,7 @@ MUST NOT revert unless due to integer overflow caused by an unreasonably large i Assumes control of `shares` from `owner` and submits a Request for asynchronous `redeem`. This places the Request in Pending state, with a corresponding increase in `pendingRedeemRequest` for the amount `shares`. -The output `requestId` is used to partially descriminate the request along with the `receiver`. See "Request Ids" section for more info. +The output `requestId` is used to partially discriminate the request along with the `receiver`. See [Request Ids](#request-ids) section for more info. MAY support either a locking or a burning mechanism for `shares` depending on the Vault implemention. 
@@ -193,7 +193,7 @@ If a Vault uses a locking mechanism for `shares`, those `shares` MUST be burned MUST support a redeem Request flow where the control of `shares` is taken from `owner` directly where `msg.sender` has ERC-20 approval over the `shares` of `owner`. -If the length of `data` is not 0, the Request MUST send an `onERC7540RedeemReceived` callback to `receiver` following the interface of ERC7540RedeemReceiver described in "Request Callbacks" section. If the length of `data` is 0, the Request MUST NOT send a callback. +If the length of `data` is not 0, the Request MUST send an `onERC7540RedeemReceived` callback to `receiver` following the interface of ERC7540RedeemReceiver described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. When the Request is Claimable, `claimableRedeemRequest` will be increased for the `receiver`. `redeem` or `withdraw` can subsequently be called by `receiver` to receive `assets`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. 
@@ -402,7 +402,7 @@ Requests in an Asynchronous Vault have properties of NFTs or Semi-Fungible token Using both an id and address to discriminate Requests allows for any of these use cases to be developed at an external layer without adding too much complexity to the core interface. -Certain Vaults especially `requestId==0` cases benefit from using the underlying ERC4626 methods for claiming because there is no discrimination at the `requestId` level. This standard is written primarily with those use cases in mind. A future standard can optimize for nonzero RID with support for claiming and transferring requests discriminated also with an `requestId`. +Certain Vaults especially `requestId==0` cases benefit from using the underlying [ERC-4626](./eip-4626) methods for claiming because there is no discrimination at the `requestId` level. This standard is written primarily with those use cases in mind. A future standard can optimize for nonzero request ID with support for claiming and transferring requests discriminated also with an `requestId`. ### Callbacks @@ -490,7 +490,7 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The requestId = 0; // no requestId associated with this request - asset.safeTransferFrom(msg.sender, address(this), assets); // asset here is the Vault underlying asset + asset.safeTransferFrom(owner, address(this), assets); // asset here is the Vault underlying asset pendingDepositRequest[owner] += assets; @@ -499,7 +499,7 @@ The interface is fully backwards compatible with [ERC-4626](./eip-4626.md). The require(ERC7540Receiver(receiver).onERC7540DepositReceived(msg.sender, owner, requestId, data) == ERC7540Receiver.onERC7540DepositReceived.selector, "receiver failed"); } - emit DepositRequest(msg.sender, operator, requestId, assets); + emit DepositRequest(receiver, owner, requestId, msg.sender, assets); return requestId; } From 2b756a71b85c80e86041567dac9eb1920e5af01b Mon Sep 17 00:00:00 2001 
From: Joey <31974730+Joeysantoro@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:32:01 -0500 Subject: [PATCH 17/24] Apply suggestions from code review --- ERCS/erc-7540.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 8be4dc8a0a..6cc09713d3 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -96,7 +96,7 @@ When `requestId==0`, the Vault MUST use purely the `owner` to discriminate the r Transfers `assets` from `msg.sender` into the Vault and submits a Request for asynchronous `deposit`. This places the Request in Pending state, with a corresponding increase in `pendingDepositRequest` for the amount `assets`. -The output `requestId` is used to partially discriminate the request along with the `receiver`. See "Request Ids" section for more info. +The output `requestId` is used to partially discriminate the request along with the `receiver`. See [Request Ids](#request-ids) section for more info. If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. From fd209e76c5ff58832c53945e60064a00127e4b5d Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Wed, 6 Dec 2023 14:39:29 -0500 Subject: [PATCH 18/24] eipw --- ERCS/erc-7540.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 6cc09713d3..15be6e1cca 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md 
@@ -98,7 +98,7 @@ Transfers `assets` from `msg.sender` into the Vault and submits a Request for as The output `requestId` is used to partially discriminate the request along with the `receiver`. See [Request Ids](#request-ids) section for more info. -If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of ERC7540DepositReceiver described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. +If the length of `data` is not 0, the Request MUST send an `onERC7540DepositReceived` callback to `receiver` following the interface of `ERC7540DepositReceiver` described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. When the Request is Claimable, `claimableDepositRequest` will be increased for the `receiver`. `deposit` or `mint` can subsequently be called by `receiver` to receive `shares`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. 
@@ -193,7 +193,7 @@ If a Vault uses a locking mechanism for `shares`, those `shares` MUST be burned MUST support a redeem Request flow where the control of `shares` is taken from `owner` directly where `msg.sender` has ERC-20 approval over the `shares` of `owner`. -If the length of `data` is not 0, the Request MUST send an `onERC7540RedeemReceived` callback to `receiver` following the interface of ERC7540RedeemReceiver described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. +If the length of `data` is not 0, the Request MUST send an `onERC7540RedeemReceived` callback to `receiver` following the interface of `ERC7540RedeemReceiver` described in [Request Callbacks](#request-callbacks) section. If the length of `data` is 0, the Request MUST NOT send a callback. When the Request is Claimable, `claimableRedeemRequest` will be increased for the `receiver`. `redeem` or `withdraw` can subsequently be called by `receiver` to receive `assets`. A Request MAY transition straight to Claimable state but MUST NOT skip the Claimable state. @@ -336,7 +336,7 @@ All methods which initiate a request (including `requestId==0`) include a `data` There are two interfaces, `ERC7540DepositReceiver` and `ERC7540RedeemReceiver` which each define the single callback method to be called. -#### ERC7540DepositReceiver +#### `ERC7540DepositReceiver` The interface to be called on `requestDeposit`. `operator` is the `msg.sender` of the original `requestDeposit` call. `owner` is the `owner` of the `requestDeposit`. `requestId` is the output `requestId` of the `requestDeposit` and `data` is the `data` of the `requestDeposit`. 
@@ -362,7 +362,7 @@ This function MUST return `0xe74d2a41` upon successful execution of the callback ``` -#### ERC7540RedeemReceiver +#### `ERC7540RedeemReceiver` The interface to be called on `requestRedeem`. `operator` is the `msg.sender` of the original `requestRedeem` call. `owner` is the `owner` of the `requestRedeem`. `requestId` is the output `requestId` of the `requestRedeem` and `data` is the `data` of the `requestRedeem`. From 17739aac29e301046420c703afddbf904604053f Mon Sep 17 00:00:00 2001 From: Joey Santoro Date: Wed, 6 Dec 2023 14:52:32 -0500 Subject: [PATCH 19/24] html --- ERCS/erc-7540.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ERCS/erc-7540.md b/ERCS/erc-7540.md index 15be6e1cca..f6e4cb590e 100644 --- a/ERCS/erc-7540.md +++ b/ERCS/erc-7540.md @@ -398,7 +398,7 @@ Asynchronous redemption Vaults MUST return the constant value `true` if `0x0899c ## Rationale ### Including Request IDs but Not Including a Claim by ID method -Requests in an Asynchronous Vault have properties of NFTs or Semi-Fungible tokens due to their asynchronicity. However, trying to pigeonhole all ERC-7540 Vaults into supporting [ERC-721](./eip-721) or [ERC-1155](./erc-1155) for Requests would create too much interface bloat. +Requests in an Asynchronous Vault have properties of NFTs or Semi-Fungible tokens due to their asynchronicity. However, trying to pigeonhole all ERC-7540 Vaults into supporting [ERC-721](./eip-721) or [ERC-1155](./eip-1155) for Requests would create too much interface bloat. Using both an id and address to discriminate Requests allows for any of these use cases to be developed at an external layer without adding too much complexity to the core interface. 
@@ -406,7 +406,7 @@ Certain Vaults especially `requestId==0` cases benefit from using the underlying ### Callbacks -Callbacks on Request calls can be used among other things to allow Requests to become fully [ERC-721](./eip-721) or [ERC-1155](./erc-1155) compatible in an external layer. +Callbacks on Request calls can be used among other things to allow Requests to become fully [ERC-721](./eip-721) or [ERC-1155](./eip-1155) compatible in an external layer. This can support flows where a smart contract manages the Request lifecycle on behalf of a user. From 94b6edef4d74cfcc60acf850a8318d854d92d042 Mon Sep 17 00:00:00 2001 From: Jeroen Offerijns Date: Thu, 7 Dec 2023 21:59:59 +0100 Subject: [PATCH 20/24] Set up multi-vault support ERC --- ERCS/erc-x.md | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 ERCS/erc-x.md diff --git a/ERCS/erc-x.md b/ERCS/erc-x.md new file mode 100644 index 0000000000..6cb5ce2aec --- /dev/null +++ b/ERCS/erc-x.md 
@@ -0,0 +1,78 @@ +--- +eip: TODO +title: Multi-vault support for ERC-4626 +description: Extension of ERC-4626 that enables multiple Vaults to mint a single ERC-20 +author: Jeroen Offerijns (@hieronx), Alina Sinelnikova (@ilinzweilin), Vikram Arun (@vikramarun), Joey Santoro (@joeysantoro), Farhaan Ali (@0xfarhaan) +discussions-to: TODO +status: Draft +type: Standards Track +category: ERC +created: TODO +requires: 20, 165, 4626 +--- + +## Abstract + +The following standard adapts [ERC-4626](./eip-4626.md) by removing the extension of [ERC-20](./eip-20.md), and adding a share method in its place that links the Vault to the share. + +## Motivation + +[ERC-4626](./eip-4626.md) Vaults are specified to extend [ERC-20](./eip-20.md). This limits them to a one-to-one relationship between asset and share. + +There are use cases where multiple assets can be deposited to receive the same share. This standard accomplishes that by indirectly linking the share to the Vault. + +## Specification + +### Definitions: + +The existing definitions from [ERC-4626](./eip-4626.md) apply. + +### Deviation from [ERC-4626](./eip-4626.md) + +ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. If an ERC-x Vault does implement [ERC-20](./eip-20.md), the `share` method SHOULD return the address of the Vault. If an ERC-x Vault does not implement [ERC-20](./eip-20.md), the `share` method SHOULD NOT return the address of the vault. + +### Methods + +#### share + +The address of the underlying share received on deposit into the Vault. + +```yaml +- name: share + type: function + stateMutability: view + + inputs: [] + outputs: + - name: shareTokenAddress + type: address +``` + +### [ERC-165](./eip-165.md) support + +Smart contracts implementing this Vault standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. + +Vaults MUST return the constant value `true` if `TODO` is passed through the `interfaceID` argument. 
+ +## Rationale + +TODO +### Mandated Support for [ERC-165](./eip-165.md) + +Implementing support for [ERC-165](./eip-165.md) is mandated because this enables differentiating [ERC-4626](./eip-4626.md) Vaults that use ERC-X from those that do not. + +## Backwards Compatibility + +TODO + +## Reference Implementation + +TODO + +## Security Considerations + +TODO + +## Copyright + +Copyright and related rights waived via [CC0](../LICENSE.md). From 801774e4417e1e787e83ede1d80dd13a5dbcb659 Mon Sep 17 00:00:00 2001 From: Jeroen Offerijns Date: Fri, 8 Dec 2023 14:19:34 +0100 Subject: [PATCH 21/24] Remove 165 dependency, add definitions and security consideration --- ERCS/erc-x.md | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/ERCS/erc-x.md b/ERCS/erc-x.md index 6cb5ce2aec..6f5dba1a8c 100644 --- a/ERCS/erc-x.md +++ b/ERCS/erc-x.md @@ -8,7 +8,7 @@ status: Draft type: Standards Track category: ERC created: TODO -requires: 20, 165, 4626 +requires: 20, 2771, 4626 --- ## Abstract 
@@ -27,9 +27,16 @@ There are use cases where multiple assets can be deposited to receive the same s The existing definitions from [ERC-4626](./eip-4626.md) apply. +- [ERC-20](./eip-20.md) compliant Vault: Vault that implements the [ERC-20](./eip-20.md) specification including the optional metadata extension +- [ERC-20](./eip-20.md) non-compliant Vault: Vault that do not implement the [ERC-20](./eip-20.md) specification + ### Deviation from [ERC-4626](./eip-4626.md) -ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. If an ERC-x Vault does implement [ERC-20](./eip-20.md), the `share` method SHOULD return the address of the Vault. If an ERC-x Vault does not implement [ERC-20](./eip-20.md), the `share` method SHOULD NOT return the address of the vault. +ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. + +For [ERC-20](./eip-20.md) compliant Vaults, the `share` method SHOULD return the address of the Vault. + +For [ERC-20](./eip-20.md) non-compliant Vaults, the `share` method SHOULD NOT return the address of the Vault. ### Methods 
@@ -48,30 +55,19 @@ The address of the underlying share received on deposit into the Vault. type: address ``` -### [ERC-165](./eip-165.md) support - -Smart contracts implementing this Vault standard MUST implement the [ERC-165](./eip-165.md) `supportsInterface` function. - -Vaults MUST return the constant value `true` if `TODO` is passed through the `interfaceID` argument. - ## Rationale TODO -### Mandated Support for [ERC-165](./eip-165.md) -Implementing support for [ERC-165](./eip-165.md) is mandated because this enables differentiating [ERC-4626](./eip-4626.md) Vaults that use ERC-X from those that do not. ## Backwards Compatibility TODO -## Reference Implementation - -TODO - ## Security Considerations -TODO +Vaults that do not implement [ERC-20](./eip-20.md), where `share` does not return the address of the Vault, must take care with supporting a redeem flow where `owner` is not `msg.sender`, since the [ERC-20](./eip-20.md) approval flow does not by itself work if the Vault and share are separate contracts. It can work by setting up the Vault as a trusted forwarder of the share token, using [ERC-2771](./eip-2771.md). + ## Copyright From 37c23cf9e9ff9b652ef5abfcb8b74c5ec9a18928 Mon Sep 17 00:00:00 2001 From: Jeroen Offerijns Date: Fri, 8 Dec 2023 14:25:52 +0100 Subject: [PATCH 22/24] Extend --- ERCS/erc-x.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/ERCS/erc-x.md b/ERCS/erc-x.md index 6f5dba1a8c..1a204f2307 100644 --- a/ERCS/erc-x.md +++ b/ERCS/erc-x.md 
@@ -57,17 +57,15 @@ The address of the underlying share received on deposit into the Vault. ## Rationale -TODO - +This standard is intentionally flexible to support both existing [ERC-4626](./eip-4626.md) Vaults easily by the introduction of a single new method, but also flexible to support new use cases by allowing separate share tokens. ## Backwards Compatibility -TODO +Existing [ERC-4626](./eip-4626.md) Vaults can be made compatible with ERC-x by adding a single `share` method that returns the address of the Vault. ## Security Considerations -Vaults that do not implement [ERC-20](./eip-20.md), where `share` does not return the address of the Vault, must take care with supporting a redeem flow where `owner` is not `msg.sender`, since the [ERC-20](./eip-20.md) approval flow does not by itself work if the Vault and share are separate contracts. It can work by setting up the Vault as a trusted forwarder of the share token, using [ERC-2771](./eip-2771.md). - +[ERC-20](./eip-20.md) non-compliant Vaults must take care with supporting a redeem flow where `owner` is not `msg.sender`, since the [ERC-20](./eip-20.md) approval flow does not by itself work if the Vault and share are separate contracts. It can work by setting up the Vault as a Trusted Forwarder of the share token, using [ERC-2771](./eip-2771.md). ## Copyright From 4c3c6364f01ed478a22e8c400757473196e8c485 Mon Sep 17 00:00:00 2001 From: Jeroen Offerijns Date: Fri, 8 Dec 2023 14:32:54 +0100 Subject: [PATCH 23/24] Update --- ERCS/erc-x.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/ERCS/erc-x.md b/ERCS/erc-x.md index 1a204f2307..1685bf8cf6 100644 --- a/ERCS/erc-x.md +++ b/ERCS/erc-x.md 
@@ -30,13 +30,9 @@ The existing definitions from [ERC-4626](./eip-4626.md) apply. - [ERC-20](./eip-20.md) compliant Vault: Vault that implements the [ERC-20](./eip-20.md) specification including the optional metadata extension - [ERC-20](./eip-20.md) non-compliant Vault: Vault that do not implement the [ERC-20](./eip-20.md) specification -### Deviation from [ERC-4626](./eip-4626.md) +### [ERC-20](./eip-20.md) non-compliant Vaults -ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. - -For [ERC-20](./eip-20.md) compliant Vaults, the `share` method SHOULD return the address of the Vault. - -For [ERC-20](./eip-20.md) non-compliant Vaults, the `share` method SHOULD NOT return the address of the Vault. +ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. If they do not, there needs to be a separate share token contract, that is minted on entering the vault and burned on exiting the vault. ### Methods @@ -44,6 +40,10 @@ For [ERC-20](./eip-20.md) non-compliant Vaults, the `share` method SHOULD NOT re The address of the underlying share received on deposit into the Vault. +For [ERC-20](./eip-20.md) compliant Vaults, the `share` method SHOULD return the address of the Vault. + +For [ERC-20](./eip-20.md) non-compliant Vaults, the `share` method SHOULD NOT return the address of the Vault. + ```yaml - name: share type: function @@ -59,6 +59,10 @@ The address of the underlying share received on deposit into the Vault. This standard is intentionally flexible to support both existing [ERC-4626](./eip-4626.md) Vaults easily by the introduction of a single new method, but also flexible to support new use cases by allowing separate share tokens. +## Reference Implementation + +N/A + ## Backwards Compatibility Existing [ERC-4626](./eip-4626.md) Vaults can be made compatible with ERC-x by adding a single `share` method that returns the address of the Vault. From 9335f65665b57a25bd889686f4fe0d5ecb3c3215 Mon Sep 17 00:00:00 2001 
From: Jeroen Offerijns Date: Mon, 11 Dec 2023 07:41:05 +0100 Subject: [PATCH 24/24] Typos --- ERCS/erc-x.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ERCS/erc-x.md b/ERCS/erc-x.md index 1685bf8cf6..0d22dd555b 100644 --- a/ERCS/erc-x.md +++ b/ERCS/erc-x.md @@ -28,11 +28,11 @@ There are use cases where multiple assets can be deposited to receive the same s The existing definitions from [ERC-4626](./eip-4626.md) apply. - [ERC-20](./eip-20.md) compliant Vault: Vault that implements the [ERC-20](./eip-20.md) specification including the optional metadata extension -- [ERC-20](./eip-20.md) non-compliant Vault: Vault that do not implement the [ERC-20](./eip-20.md) specification +- [ERC-20](./eip-20.md) non-compliant Vault: Vault that does not implement the [ERC-20](./eip-20.md) specification ### [ERC-20](./eip-20.md) non-compliant Vaults -ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. If they do not, there needs to be a separate share token contract, that is minted on entering the vault and burned on exiting the vault. +ERC-x Vaults MAY implement [ERC-20](./eip-20.md) to represent shares. If they do not, there needs to be a separate share token contract, that is minted on entering the Vault and burned on exiting the Vault. ### Methods
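Review bot: In PATCH 19/24, hunk `@@ -398,7 +398,7`, the corrected links still omit the `.md` suffix: `[ERC-721](./eip-721)` and `[ERC-1155](./eip-1155)`, while the other cross-references visible in this series use the `./eip-4626.md` form. Suggest `./eip-721.md` and `./eip-1155.md`; the same line pattern recurs in the `@@ -406,7 +406,7` hunk and should get the same fix.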
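Review bot: The two definitions added in PATCH 21/24, hunk `@@ -27,9 +27,16`, do not partition Vaults. "Compliant" requires ERC-20 "including the optional metadata extension", while "non-compliant" is a Vault that does not implement ERC-20 at all, so a Vault that implements ERC-20 without the metadata extension falls in neither class and has no specified `share` behaviour. Suggest either dropping the metadata requirement from the first definition or defining the second as any Vault that is not ERC-20 compliant. PATCH 24/24 fixes the grammar of the second definition but keeps this gap.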
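Review bot: Removing the ERC-165 section in PATCH 21/24, hunk `@@ -48,30 +55,19`, drops the only mechanism the draft had for "differentiating ERC-4626 Vaults that use ERC-X from those that do not", and neither the commit subject nor the Rationale (reduced to a bare `TODO` in this hunk) records why. After this change an integrator can only probe `share()` and treat a failed call as "not supported". Suggest either keeping `supportsInterface` or documenting the intended detection path in the Rationale before the section is deleted.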
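Review bot: The Security Considerations paragraph in PATCH 22/24, hunk `@@ -57,17 +57,15`, recommends making the Vault a Trusted Forwarder of the share token without stating what that grants. Under ERC-2771 the recipient contract takes the effective sender from the address the forwarder appends to the calldata, so the share token would accept the Vault's assertion that it is acting for any holder. Since the draft's stated purpose is to let multiple Vaults mint a single ERC-20, each such Vault becomes trusted over every holder's balance. Suggest saying this explicitly, and replacing the lowercase "must take care" with a normative requirement that the Vault verify `msg.sender` is authorized by `owner` before it forwards a redeem on `owner`'s behalf.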
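Review bot: The replacement sentence in PATCH 23/24, hunk `@@ -30,13 +30,9`, states the share-token requirement as "there needs to be", which is not one of the requirement keywords (MAY, SHOULD, MUST) used in the rest of the draft, and it does not say which contracts are allowed to mint and burn the share. Suggest rewording to "the Vault MUST mint shares from a separate share token contract on entry and burn them on exit" and adding a sentence on how the share token restricts mint and burn to its registered Vaults. PATCH 24/24 only changes the capitalization of "Vault" in this sentence, so the point still applies to the final text.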