Support compliance modules for confidential RWAs

.changeset/new-crews-boil.md

@@ -0,0 +1,5 @@
+---
+'openzeppelin-confidential-contracts': minor
+---
+
+`ERC7984Rwa`: An extension of `ERC7984`, that supports confidential Real World Assets (RWAs).

.changeset/wet-results-doubt.md

@@ -0,0 +1,5 @@
+---
+'openzeppelin-confidential-contracts': minor
+---
+
+`ERC7984RwaCompliance`: Support compliance modules for confidential RWAs.

contracts/interfaces/IERC7984Restricted.sol

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+/// @dev Interface for contracts that implements user account transfer restrictions.
+interface IERC7984Restricted {
+    enum Restriction {
+        DEFAULT, // User has no explicit restriction
+        BLOCKED, // User is explicitly blocked
+        ALLOWED // User is explicitly allowed
+    }
+
+    /// @dev Emitted when a user account's restriction is updated.
+    event UserRestrictionUpdated(address indexed account, Restriction restriction);
+
+    /// @dev The operation failed because the user account is restricted.
+    error UserRestricted(address account);
+
+    /// @dev Returns the restriction of a user account.
+    function getRestriction(address account) external view returns (Restriction);
+    /// @dev Returns whether a user account is allowed to interact with the token.
+    function isUserAllowed(address account) external view returns (bool);
+}

contracts/interfaces/IERC7984Rwa.sol

@@ -0,0 +1,113 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+import {ebool, externalEuint64, euint64} from "@fhevm/solidity/lib/FHE.sol";
+import {IAccessControl} from "@openzeppelin/contracts/access/IAccessControl.sol";
+import {IERC165} from "@openzeppelin/contracts/interfaces/IERC165.sol";
+import {IERC7984} from "./IERC7984.sol";
+import {IERC7984Restricted} from "./IERC7984Restricted.sol";
+
+/// @dev Base interface for confidential RWA contracts.
+interface IERC7984RwaBase {
+    /// @dev Emitted when the contract is paused.
+    event Paused(address account);
+    /// @dev Emitted when the contract is unpaused.
+    event Unpaused(address account);
+
+    /// @dev The caller account is not authorized to perform an operation.
+    error OwnableUnauthorizedAccount(address account);
+    /// @dev The owner is not a valid owner account. (eg. `address(0)`)
+    error OwnableInvalidOwner(address owner);
+    /// @dev The operation failed because the contract is paused.
+    error EnforcedPause();
+
+    /// @dev Returns true if has admin role, false otherwise.
+    function isAdmin(address account) external view returns (bool);
+    /// @dev Returns true if agent, false otherwise.
+    function isAgent(address account) external view returns (bool);
+    /// @dev Returns true if the contract is paused, and false otherwise.
+    function paused() external view returns (bool);
+    /// @dev Pauses contract.
+    function pause() external;
+    /// @dev Unpauses contract.
+    function unpause() external;
+    /// @dev Returns the restriction of a user account.
+    function getRestriction(address account) external view returns (IERC7984Restricted.Restriction);
+    /// @dev Blocks a user account.
+    function blockUser(address account) external;
+    /// @dev Unblocks a user account.
+    function unblockUser(address account) external;
+    /// @dev Returns whether an account is allowed to interact with the token.
+    function isUserAllowed(address account) external view returns (bool);
+    /// @dev Returns the confidential frozen balance of an account.
+    function confidentialFrozen(address account) external view returns (euint64);
+    /// @dev Returns the available (unfrozen) balance of an account. Up to {confidentialBalanceOf}.
+    function confidentialAvailable(address account) external returns (euint64);
+    /// @dev Sets confidential amount of token for an account as frozen with proof.
+    function setConfidentialFrozen(
+        address account,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) external;
+    /// @dev Sets confidential amount of token for an account as frozen.
+    function setConfidentialFrozen(address account, euint64 encryptedAmount) external;
+    /// @dev Mints confidential amount of tokens to account with proof.
+    function confidentialMint(
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) external returns (euint64);
+    /// @dev Mints confidential amount of tokens to account.
+    function confidentialMint(address to, euint64 encryptedAmount) external returns (euint64);
+    /// @dev Burns confidential amount of tokens from account with proof.
+    function confidentialBurn(
+        address account,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) external returns (euint64);
+    /// @dev Burns confidential amount of tokens from account.
+    function confidentialBurn(address account, euint64 encryptedAmount) external returns (euint64);
+    /// @dev Forces transfer of confidential amount of tokens from account to account with proof by skipping compliance checks.
+    function forceConfidentialTransferFrom(
+        address from,
+        address to,
+        externalEuint64 encryptedAmount,
+        bytes calldata inputProof
+    ) external returns (euint64);
+    /// @dev Forces transfer of confidential amount of tokens from account to account by skipping compliance checks.
+    function forceConfidentialTransferFrom(
+        address from,
+        address to,
+        euint64 encryptedAmount
+    ) external returns (euint64);
+    /// @dev Receives and executes a batch of function calls on this contract.
+    function multicall(bytes[] calldata data) external returns (bytes[] memory results);
+}
+
+/// @dev Full interface for confidential RWA contracts.
+interface IERC7984Rwa is IERC7984, IERC7984RwaBase, IERC165, IAccessControl {}
+
+/// @dev Interface for confidential RWA compliance.
+interface IERC7984RwaCompliance {
+    enum ComplianceModuleType {
+        ALWAYS_ON,
+        TRANSFER_ONLY
+    }
+
+    /// @dev Installs a transfer compliance module.
+    function installModule(ComplianceModuleType moduleType, address module) external;
+    /// @dev Uninstalls a transfer compliance module.
+    function uninstallModule(ComplianceModuleType moduleType, address module) external;
+    /// @dev Checks if a compliance module is installed.
+    function isModuleInstalled(ComplianceModuleType moduleType, address module) external view returns (bool);
+}
+
+/// @dev Interface for confidential RWA transfer compliance module.
+interface IERC7984RwaTransferComplianceModule {
+    /// @dev Returns magic number if it is a module.
+    function isModule() external returns (bytes4);
+    /// @dev Checks if a transfer is compliant. Should be non-mutating.
+    function isCompliantTransfer(address from, address to, euint64 encryptedAmount) external returns (ebool);
+    /// @dev Performs operation after transfer.
+    function postTransfer(address from, address to, euint64 encryptedAmount) external;
+}

contracts/mocks/token/ERC7984RwaBalanceCapModuleMock.sol

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {SepoliaConfig} from "@fhevm/solidity/config/ZamaConfig.sol";
+import {ERC7984RwaBalanceCapModule} from "../../token/ERC7984/extensions/rwa/ERC7984RwaBalanceCapModule.sol";
+
+contract ERC7984RwaBalanceCapModuleMock is ERC7984RwaBalanceCapModule, SepoliaConfig {
+    constructor(address compliance) ERC7984RwaBalanceCapModule(compliance) {}
+}

contracts/mocks/token/ERC7984RwaInvestorCapModuleMock.sol

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {SepoliaConfig} from "@fhevm/solidity/config/ZamaConfig.sol";
+import {ERC7984RwaInvestorCapModule} from "../../token/ERC7984/extensions/rwa/ERC7984RwaInvestorCapModule.sol";
+
+contract ERC7984RwaInvestorCapModuleMock is ERC7984RwaInvestorCapModule, SepoliaConfig {
+    constructor(address compliance, uint256 maxInvestor) ERC7984RwaInvestorCapModule(compliance, maxInvestor) {}
+}

contracts/mocks/token/ERC7984RwaMock.sol

@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {SepoliaConfig} from "@fhevm/solidity/config/ZamaConfig.sol";
+import {FHE, ebool, euint64, externalEuint64} from "@fhevm/solidity/lib/FHE.sol";
+import {Impl} from "@fhevm/solidity/lib/Impl.sol";
+import {ERC7984Rwa} from "../../token/ERC7984/extensions/ERC7984Rwa.sol";
+import {FHESafeMath} from "../../utils/FHESafeMath.sol";
+import {HandleAccessManager} from "../../utils/HandleAccessManager.sol";
+
+// solhint-disable func-name-mixedcase
+contract ERC7984RwaMock is ERC7984Rwa, HandleAccessManager, SepoliaConfig {
+    mapping(address account => euint64 encryptedAmount) private _frozenBalances;
+    bool public compliantTransfer = false;
+    bool public compliantForceTransfer = false;
+
+    // TODO: Move modifiers to `ERC7984Rwa` or remove from mock if useless
+    /// @dev Checks if the sender is an admin.
+    modifier onlyAdmin() {
+        require(isAdmin(_msgSender()), UnauthorizedSender(_msgSender()));
+        _;
+    }
+    /// @dev Checks if the sender is an agent.
+    modifier onlyAgent() {
+        require(isAgent(_msgSender()), UnauthorizedSender(_msgSender()));
+        _;
+    }
+
+    constructor(string memory name, string memory symbol, string memory tokenUri) ERC7984Rwa(name, symbol, tokenUri) {}
+
+    function createEncryptedAmount(uint64 amount) public returns (euint64 encryptedAmount) {
+        FHE.allowThis(encryptedAmount = FHE.asEuint64(amount));
+        FHE.allow(encryptedAmount, msg.sender);
+    }
+
+    function $_setCompliantTransfer() public {
+        compliantTransfer = true;
+    }
+
+    function $_unsetCompliantTransfer() public {
+        compliantTransfer = false;
+    }
+
+    function $_setCompliantForceTransfer() public {
+        compliantForceTransfer = true;
+    }
+
+    function $_unsetCompliantForceTransfer() public {
+        compliantForceTransfer = false;
+    }
+
+    function $_mint(address to, uint64 amount) public returns (euint64 transferred) {
+        return _mint(to, FHE.asEuint64(amount));
+    }
+
+    function _preCheckTransfer(
+        address /*from*/,
+        address /*to*/,
+        euint64 /*encryptedAmount*/
+    ) internal override returns (ebool compliant) {
+        compliant = FHE.asEbool(compliantTransfer);
+        FHE.allowThis(compliant);
+    }
+
+    function _preCheckForceTransfer(
+        address /*from*/,
+        address /*to*/,
+        euint64 /*encryptedAmount*/
+    ) internal override returns (ebool compliant) {
+        compliant = FHE.asEbool(compliantForceTransfer);
+        FHE.allowThis(compliant);
+    }
+
+    function _validateHandleAllowance(bytes32 handle) internal view override onlyAdminOrAgent {}
+}

contracts/mocks/token/ERC7984RwaModularComplianceMock.sol

@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.24;
+
+import {SepoliaConfig} from "@fhevm/solidity/config/ZamaConfig.sol";
+import {FHE, ebool, euint64, externalEuint64} from "@fhevm/solidity/lib/FHE.sol";
+import {Impl} from "@fhevm/solidity/lib/Impl.sol";
+import {ERC7984Rwa} from "../../token/ERC7984/extensions/ERC7984Rwa.sol";
+import {ERC7984RwaCompliance} from "../../token/ERC7984/extensions/rwa/ERC7984RwaCompliance.sol";
+import {FHESafeMath} from "../../utils/FHESafeMath.sol";
+import {HandleAccessManager} from "../../utils/HandleAccessManager.sol";
+
+contract ERC7984RwaModularComplianceMock is ERC7984RwaCompliance, SepoliaConfig {
+    constructor(string memory name, string memory symbol, string memory tokenUri) ERC7984Rwa(name, symbol, tokenUri) {}
+}

contracts/token/ERC7984/extensions/ERC7984Freezable.sol

@@ -21,6 +21,8 @@ import {ERC7984} from "../ERC7984.sol";
 abstract contract ERC7984Freezable is ERC7984 {
     /// @dev Confidential frozen amount of tokens per address.
     mapping(address account => euint64 encryptedAmount) private _frozenBalances;
+    /// @dev Skips frozen checks in {_update}.
+    bool private _skipUpdateCheck;
 
     /// @dev Emitted when a confidential amount of token is frozen for an account
     event TokensFrozen(address indexed account, euint64 encryptedAmount);
@@ -36,6 +38,9 @@ abstract contract ERC7984Freezable is ERC7984 {
             confidentialBalanceOf(account),
             confidentialFrozen(account)
         );
+        if (!FHE.isInitialized(unfrozen)) {
+            return unfrozen;
+        }
         return FHE.select(success, unfrozen, FHE.asEuint64(0));
     }
 
@@ -59,7 +64,14 @@ abstract contract ERC7984Freezable is ERC7984 {
 
     /// @dev Internal function to freeze a confidential amount of tokens for an account.
     function _setConfidentialFrozen(address account, euint64 encryptedAmount) internal virtual {
-        _checkFreezer();
+        _setConfidentialFrozen(account, encryptedAmount, true);
+    }
+
+    /// @dev Private function to freeze a confidential amount of tokens for an account with optional freezer check.
+    function _setConfidentialFrozen(address account, euint64 encryptedAmount, bool checkFreezer) internal virtual {
+        if (checkFreezer) {
+            _checkFreezer();
+        }
         FHE.allowThis(encryptedAmount);
         FHE.allow(encryptedAmount, account);
         _frozenBalances[account] = encryptedAmount;
@@ -69,15 +81,41 @@ abstract contract ERC7984Freezable is ERC7984 {
     /// @dev Unimplemented function that must revert if `msg.sender` is not authorized as a freezer.
     function _checkFreezer() internal virtual;
 
+    /// @dev Internal function to skip update check. Check can be restored with {_restoreERC7984FreezableUpdateCheck}.
+    function _disableERC7984FreezableUpdateCheck() internal virtual {
+        if (!_skipUpdateCheck) {
+            _skipUpdateCheck = true;
+        }
+    }
+
+    /// @dev Internal function to restore update check previously disabled by {_disableERC7984FreezableUpdateCheck}.
+    function _restoreERC7984FreezableUpdateCheck() internal virtual {
+        if (_skipUpdateCheck) {
+            _skipUpdateCheck = false;
+        }
+    }
+
     /**
      * @dev See {ERC7984-_update}. The `from` account must have sufficient unfrozen balance,
      * otherwise 0 tokens are transferred.
      */
     function _update(address from, address to, euint64 encryptedAmount) internal virtual override returns (euint64) {
+        euint64 available;
         if (from != address(0)) {
-            euint64 unfrozen = confidentialAvailable(from);
-            encryptedAmount = FHE.select(FHE.le(encryptedAmount, unfrozen), encryptedAmount, FHE.asEuint64(0));
+            available = confidentialAvailable(from);
+            if (!_skipUpdateCheck) {
+                encryptedAmount = FHE.select(FHE.le(encryptedAmount, available), encryptedAmount, FHE.asEuint64(0));
+            }
+        }
+        euint64 transferred = super._update(from, to, encryptedAmount);
+        if (from != address(0) && _skipUpdateCheck) {
+            // Reset frozen to balance if transferred more than available
+            _setConfidentialFrozen(
+                from,
+                FHE.select(FHE.gt(transferred, available), confidentialBalanceOf(from), confidentialFrozen(from)),
+                false
+            );
         }
-        return super._update(from, to, encryptedAmount);
+        return transferred;
     }
 }