using bitmap for nonces

mgretzke · mgretzke · commit fe0477add017 · 2025-03-06T18:22:50.000+01:00
diff --git a/src/allocators/ERC7683Allocator.sol b/src/allocators/ERC7683Allocator.sol
@@ -29,9 +29,10 @@ contract ERC7683Allocator is SimpleAllocator, IERC7683Allocator {
     /// @notice keccak256("Mandate(uint256 chainId,address tribunal,address recipient,uint256 expires,address token,uint256 minimumAmount,uint256 baselinePriorityFee,uint256 scalingFactor,bytes32 salt)")
     bytes32 internal constant MANDATE_TYPEHASH = 0x52c75464356e20084ae43acac75087fbf0e0c678e7ffa326f369f37e88696036;
 
-    bytes32 immutable _COMPACT_DOMAIN_SEPARATOR;
+    /// @notice uint256(uint8(keccak256("ERC7683Allocator.nonce")))
+    uint8 internal constant NONCE_MASTER_SLOT_SEED = 0x39;
 
-    mapping(uint256 nonce => bool nonceUsed) private _userNonce;
+    bytes32 immutable _COMPACT_DOMAIN_SEPARATOR;
 
     constructor(address compactContract_, uint256 minWithdrawalDelay_, uint256 maxWithdrawalDelay_)
         SimpleAllocator(compactContract_, minWithdrawalDelay_, maxWithdrawalDelay_)
@@ -105,22 +106,24 @@ contract ERC7683Allocator is SimpleAllocator, IERC7683Allocator {
 
     /// @inheritdoc IERC7683Allocator
     function checkNonce(address sponsor_, uint256 nonce_) external view returns (bool nonceFree_) {
-        _checkNonce(sponsor_, nonce_);
-        nonceFree_ = !_userNonce[nonce_];
+        uint96 nonceWithoutAddress = _checkNonce(sponsor_, nonce_);
+        uint96 wordPos = uint96(nonceWithoutAddress / 256);
+        uint96 bitPos = uint96(nonceWithoutAddress % 256);
+        assembly ("memory-safe") {
+            let masterSlot := or(shl(248, NONCE_MASTER_SLOT_SEED), or(shl(88, sponsor_), wordPos))
+            nonceFree_ := iszero(and(sload(masterSlot), shl(bitPos, 1)))
+        }
         return nonceFree_;
     }
 
     function _open(OrderData memory orderData_, uint32 fillDeadline_, address sponsor_, bytes memory sponsorSignature_)
         internal
     {
         // Enforce a nonce where the most significant 96 bits are the nonce and the least significant 160 bits are the sponsor
-        _checkNonce(sponsor_, orderData_.nonce);
+        uint96 nonceWithoutAddress = _checkNonce(sponsor_, orderData_.nonce);
 
-        // Check the nonce
-        if (_userNonce[orderData_.nonce]) {
-            revert NonceAlreadyInUse(orderData_.nonce);
-        }
-        _userNonce[orderData_.nonce] = true;
+        // Set a nonce or revert if it is already used
+        _setNonce(sponsor_, nonceWithoutAddress);
 
         // We do not enforce a specific tribunal or arbiter. This will allow to support new arbiters and tribunals after the deployment of the allocator
         // Going with an immutable arbiter and tribunal would limit support for new chains with a fully decentralized allocator
@@ -180,36 +183,31 @@ contract ERC7683Allocator is SimpleAllocator, IERC7683Allocator {
         );
     }
 
-    function _lockTokens(OrderData memory orderData_, address sponsor_, uint256 identifier)
+    function _lockTokens(OrderData memory orderData_, address sponsor_, uint256 nonce)
         internal
         returns (bytes32 tokenHash_)
     {
-        return
-            _lockTokens(orderData_.arbiter, sponsor_, identifier, orderData_.expires, orderData_.id, orderData_.amount);
+        return _lockTokens(orderData_.arbiter, sponsor_, nonce, orderData_.expires, orderData_.id, orderData_.amount);
     }
 
-    function _lockTokens(
-        address arbiter,
-        address sponsor,
-        uint256 identifier,
-        uint256 expires,
-        uint256 id,
-        uint256 amount
-    ) internal returns (bytes32 tokenHash_) {
+    function _lockTokens(address arbiter, address sponsor, uint256 nonce, uint256 expires, uint256 id, uint256 amount)
+        internal
+        returns (bytes32 tokenHash_)
+    {
         tokenHash_ = _checkAllocation(
-            Compact({arbiter: arbiter, sponsor: sponsor, nonce: identifier, expires: expires, id: id, amount: amount})
+            Compact({arbiter: arbiter, sponsor: sponsor, nonce: nonce, expires: expires, id: id, amount: amount})
         );
         _claim[tokenHash_] = expires;
         _amount[tokenHash_] = amount;
-        _nonce[tokenHash_] = identifier;
+        _nonce[tokenHash_] = nonce;
 
         return tokenHash_;
     }
 
     function _resolveOrder(
         address sponsor,
         uint32 fillDeadline,
-        uint256 identifier,
+        uint256 nonce,
         OrderData memory orderData,
         bytes memory sponsorSignature
     ) internal view returns (ResolvedCrossChainOrder memory) {
@@ -267,26 +265,46 @@ contract ERC7683Allocator is SimpleAllocator, IERC7683Allocator {
             originChainId: block.chainid,
             openDeadline: uint32(orderData.expires),
             fillDeadline: fillDeadline,
-            orderId: bytes32(identifier),
+            orderId: bytes32(nonce),
             maxSpent: maxSpent,
             minReceived: minReceived,
             fillInstructions: fillInstructions
         });
         return resolvedOrder;
     }
 
-    function _checkNonce(address sponsor_, uint256 nonce_) internal pure {
+    function _checkNonce(address sponsor_, uint256 nonce_) internal pure returns (uint96 nonce) {
         // Enforce a nonce where the least significant 96 bits are the nonce and the most significant 160 bits are the sponsors address
         // This ensures that the nonce is unique for a given sponsor
         address expectedSponsor;
         assembly ("memory-safe") {
             expectedSponsor := shr(96, nonce_)
+            nonce := shr(160, shl(160, nonce_))
         }
         if (expectedSponsor != sponsor_) {
             revert InvalidNonce(nonce_);
         }
     }
 
+    function _setNonce(address sponsor_, uint96 nonce_) internal {
+        bool used;
+        uint96 wordPos = nonce_ / 256; // uint96 divided by 256 means it becomes a uint88 (11 bytes)
+        uint96 bitPos = nonce_ % 256;
+        assembly ("memory-safe") {
+            // [NONCE_MASTER_SLOT_SEED - 1 byte][sponsor address - 20 bytes][wordPos - 11 bytes]
+            let masterSlot := or(shl(248, NONCE_MASTER_SLOT_SEED), or(shl(88, sponsor_), wordPos))
+            let previouslyUsedNonces := sload(masterSlot)
+            if and(previouslyUsedNonces, shl(bitPos, 1)) { used := 1 }
+            {
+                let usedNonces := or(previouslyUsedNonces, shl(bitPos, 1))
+                sstore(masterSlot, usedNonces)
+            }
+        }
+        if (used) {
+            revert NonceAlreadyInUse(uint256(bytes32(abi.encodePacked(sponsor_, nonce_))));
+        }
+    }
+
     function _idToToken(uint256 id_) internal pure returns (address token_) {
         assembly ("memory-safe") {
             token_ := shr(96, shl(96, id_))
diff --git a/test/ERC7683Allocator.t.sol b/test/ERC7683Allocator.t.sol
@@ -925,10 +925,10 @@ contract ERC7683Allocator_getCompactWitnessTypeString is MocksSetup {
 }
 
 contract ERC7683Allocator_checkNonce is OnChainCrossChainOrderData {
-    function test_revert_checkNonce(uint256 nonce_) public {
+    function test_revert_invalidNonce(uint256 nonce_) public {
         address expectedSponsor;
         assembly ("memory-safe") {
-            expectedSponsor := shr(96, shl(96, nonce_))
+            expectedSponsor := shr(96, nonce_)
         }
         vm.assume(user != expectedSponsor);
 
@@ -962,13 +962,39 @@ contract ERC7683Allocator_checkNonce is OnChainCrossChainOrderData {
         bytes32 typeHash = _getTypeHash();
         compactContract.register(claimHash, typeHash, defaultResetPeriodTimestamp);
 
+        (IOriginSettler.OnchainCrossChainOrder memory onChainCrossChainOrder_) = _getOnChainCrossChainOrder();
+        erc7683Allocator.open(onChainCrossChainOrder_);
+
+        vm.assertEq(erc7683Allocator.checkNonce(user, defaultNonce), false);
         vm.stopPrank();
+    }
+
+    function test_checkNonce_fuzz(uint8 nonce_) public {
+        uint256 nonce = uint256(bytes32(abi.encodePacked(user, uint96(nonce_))));
+
+        bool sameNonce = nonce == defaultNonce;
+
+        // Deposit tokens
+        vm.startPrank(user);
+        usdc.mint(user, defaultAmount);
+        usdc.approve(address(compactContract), defaultAmount);
+        compactContract.deposit(
+            address(usdc), address(erc7683Allocator), defaultResetPeriod, defaultScope, defaultAmount, user
+        );
+
+        // register a claim
+        Compact memory compact_ = _getCompact();
+        Mandate memory mandate_ = _getMandate();
+
+        bytes32 claimHash = _hashCompact(compact_, mandate_);
+        bytes32 typeHash = _getTypeHash();
+        compactContract.register(claimHash, typeHash, defaultResetPeriodTimestamp);
 
         (IOriginSettler.OnchainCrossChainOrder memory onChainCrossChainOrder_) = _getOnChainCrossChainOrder();
-        vm.prank(user);
         erc7683Allocator.open(onChainCrossChainOrder_);
 
-        vm.prank(user);
-        vm.assertEq(erc7683Allocator.checkNonce(user, defaultNonce), false);
+        vm.assertEq(erc7683Allocator.checkNonce(user, nonce), !sameNonce);
+
+        vm.stopPrank();
     }
 }
