Function: requestWithdrawal(uint64 usdc, uint64 nonce, ValidatorSet hotValidatorSet, address[] signers, Signature[] signatures)
This function can be used to request a withdrawal from the bridge.
Inputs
usdc
Control: Arbitrary.
Constraints: None directly (must match the signature).
Impact: Amount to be withdrawn.
nonce
Control: Arbitrary.
Constraints: None directly (must match the signature).
Impact: Nonce used to deduplicate signatures.
hotValidatorSet
Control: Arbitrary.
Constraints: The hash must match the current hot validator set hash.
Impact: Validator set.
signers
Control: Arbitrary.
Constraints: Elements must match the corresponding element in
signatures
.Impact: Array of addresses that signed the request.
signatures
Control: Array.
Constraints: Must be valid signatures for the hash of the withdrawal request determined by the other parameters.
Impact: Signatures authorizing the transfer.
Branches and code coverage (including function calls)
Intended branches
Validates the validator set and the provided signature, and it records the pending withdrawal.
Negative behavior
Reverts if the provided validator set does not match the recorded validator set hash.
Reverts if a signature does not match the corresponding signer.
Reverts if the cumulative signing power is insufficient.
Reverts if the same withdrawal was already requested.
Function call analysis
rootFunction -> hash(agent)
What is controllable?
agent
, indirectly (some parts of the hash)If return value controllable, how is it used and how can it go wrong? Not controllable, used to identify the transfer
What happens if it reverts, reenters, or does other unusual control flow? Reverts and reentrancy can't happen
rootFunction -> checkValidatorSignatures(message, hotValidatorSet, signers, signatures, hotValidatorSetHash)
What is controllable?
message
,hotValidatorSet
,signers
, andsignatures
.If return value controllable, how is it used and how can it go wrong? N/A.
What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).
checkValidatorSignatures -> makeValidatorSetHash(activeValidatorSet)
What is controllable?
activeValidatorSet
.If return value controllable, how is it used and how can it go wrong? Not meaningfully controllable, compared against the expected validator set hash.
What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).
checkValidatorSignatures -> recoverSigner(message, signatures[signerIdx], domainSeparator)
What is controllable?
message
andsignatures[signerIdx]
.If return value controllable, how is it used and how can it go wrong? Not meaningfully controllable, compared against the expected signer; it is not possible to forge a signer's address.
What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).