Merge pull request #15 from Layr-Labs/jb/ledger

[1.1.0] ledger<>gnosis rewrite

Author: jbrower95

CHANGELOG.md

@@ -1,5 +1,8 @@
 
 **[Current]** 
+1.1.0:
+- Complete rewrite of the ledger integration, with an emphasis on viem+ledger. Multisig ledger phases now work properly.
+
 1.0.6:
 - disables gnosis verification (cringe)
 

__mocks__/@safe-global/api-kit.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, jest, beforeEach, afterEach } from '@jest/globals';
+import { jest } from '@jest/globals';
 import { SafeMultisigTransactionResponse, SafeMultisigConfirmationResponse } from '@safe-global/types-kit';
 
 type TGetTransaction = import('@safe-global/api-kit').default['getTransaction']
@@ -13,7 +13,7 @@ const mockConfirmation: () => SafeMultisigConfirmationResponse = () => {
         transactionHash: "0xabcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
         confirmationType: "StaticConfirmation",
         signature: "0xabcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
-        signatureType: "StaticSignatureType",
+        signatureType: "ETH_SIGN",
     };
 }
 

jest.config.mjs

@@ -26,6 +26,7 @@ export default {
     '!**/node_modules/**',
     '!**/vendor/**',
   ],
+  extensionsToTreatAsEsm: [".ts", ".tsx"],
   coverageReporters: ['html', 'lcov'],
   coverageThreshold: {
       "global": {

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@layr-labs/zeus",
-  "version": "1.0.9",
+  "version": "1.1.0",
   "description": "web3 deployer / metadata manager",
   "main": "src/index.ts",
   "scripts": {
@@ -32,6 +32,7 @@
     "@inquirer/prompts": "^6.0.1",
     "@inquirer/search": "^3.0.0",
     "@ledgerhq/errors": "^6.19.1",
+    "@ledgerhq/hw-app-eth": "^6.42.1",
     "@ledgerhq/hw-transport-node-hid": "^6.29.5",
     "@safe-global/api-kit": "^2.4.6",
     "@types/bun": "^1.1.9",
@@ -44,7 +45,6 @@
     "cli-spinners": "^3.2.0",
     "clipboardy": "^4.0.0",
     "cmd-ts": "^0.13.0",
-    "ethers": "^6.13.3",
     "express": "^4.21.0",
     "glob": "^11.0.0",
     "loading-spinner": "^1.2.1",

package.json

@@ -55,7 +55,7 @@ export async function handler(_user: TState, args: {env: string, resume: boolean
     if (!isValidFork(args.fork)) {
         throw new Error(`Invalid value for 'fork' - expected one of (tenderly, anvil)`);
     }
-    
+
     const user: TLoggedInState = _user;
     const repoConfig = await configs.zeus.load();
     if (!repoConfig) {

src/commands/deploy/cmd/run.ts

@@ -1,5 +1,5 @@
 import { select } from './utils';
-import { mnemonicToAccount, privateKeyToAccount } from 'viem/accounts';
+import { privateKeyToAccount } from 'viem/accounts';
 import { search, input, password as inquirerPassword } from '@inquirer/prompts';
 import chalk from 'chalk';
 import * as AllChains from "viem/chains";
@@ -125,24 +125,27 @@ export const privateKey: (chainId: number, overridePrompt?: string) => Promise<`
     return res as `0x${string}`;
 }
 
-export const derivationPath = async () => {
-    const cont = await wouldYouLikeToContinue("Would you like to use a custom derivation path? (NOTE: the default 'm/44'/60'/0'/0/0' will be used otherwise)");
+export const accountIndex = async () => {
+    const cont = await wouldYouLikeToContinue("Would you like to use a custom bip39 account index? (NOTE: the default 'm/44'/60'/0'/0/[0]s' will be used otherwise)");
     if (!cont) {
-        return false;
+        return 0;
     }
 
-    return envVarOrPrompt({
-        title: `Enter the derivation path (e.g m/44'/60'/0'/0/0)`,
+    const val = await envVarOrPrompt({
+        title: `Enter the derivation path suffix (e.g m/44'/60'/0'/0/[0]) - (default: 0)`,
         directEntryInputType: 'text',
-        isValid: (path: string) => {
+        reuseKey: `derivationPathSuffix`,
+        isValid: (val: string) => {
             try {
-                mnemonicToAccount('bean spread behind outdoor cotton discover leaf dance captain once intact learn success height cool', {path: path as `m/44'/60'/${string}`})
+                parseInt(val);
                 return true;
             } catch {
                 return false;
             }
         }
     })
+
+    return parseInt(val);
 }
 
 export const signerKey = async (chainId: number, rpcUrl: string, overridePrompt: string | undefined, safeAddress: `0x${string}`) => {
@@ -212,7 +215,7 @@ export const rpcUrl = async (forChainId: number) => {
     while (true) {
         const result = await envVarOrPrompt({
             title: `Enter an RPC url (or $ENV_VAR) for ${chainIdName(forChainId)}`,
-            reuseKey: `node-${forChainId}`,
+            reuseKey: `node-url`,
             isValid: (text) => {
                 try {
                     let url: string = text;

src/commands/prompts.ts

@@ -46,6 +46,7 @@ export async function executeMultisigPhase(deploy: SavebleDocument<TDeploy>, met
                     if (res.code !== 0) {
                         throw new HaltDeployError(deploy, `One or more tests failed.`, false);
                     }
+                    
                     const testOutput = await metatxn.getJSONFile<TTestOutput>(canonicalPaths.testRun({deployEnv: deploy._.env, deployName: deploy._.name, segmentId: deploy._.segmentId}))
                     testOutput._ = res;
                     await testOutput.save();

src/deploy/handlers/gnosis.ts

@@ -1,47 +1,36 @@
 import EOABaseSigningStrategy from "./eoa";
-import { getLedgerSigner } from "../ledgerTransport";
-import { JsonRpcProvider } from "ethers";
+import { getLedgerAccount } from "../ledgerTransport";
 import { ICachedArg, TStrategyOptions } from "../../strategy";
 import { SavebleDocument, Transaction } from "../../../metadata/metadataStore";
 import { TDeploy } from "../../../metadata/schema";
 import * as prompts from '../../../commands/prompts';
+import { DEFAULT_BASE_DERIVATION_PATH } from "../ledgerTransport";
 
 export class LedgerSigningStrategy extends EOABaseSigningStrategy {
     id = "ledger";
     description = "Signing w/ ledger";
 
-    public derivationPath: ICachedArg<string | boolean> 
+    public accountIndex: ICachedArg<number> 
 
     constructor(deploy: SavebleDocument<TDeploy>, transaction: Transaction, options?: TStrategyOptions) {
         super(deploy, transaction, options);
-        this.derivationPath = this.arg(async () => {
-            return await prompts.derivationPath();
-        }, 'derivationPath')
+        this.accountIndex = this.arg(async () => {
+            return await prompts.accountIndex();
+        }, 'accountIndex')
     }
 
     async getSignerAddress(): Promise<`0x${string}`> {
         console.warn(`If your ledger is not working, you may need to open LedgerLive, navigate to: Accounts -> <Signer> -> Receive and follow the prompts on device. Once your Ledger says "Application is Ready", you can force quit LedgerLive and retry Zeus.`)
-        const dpArg = await (async () => {
-            const dp = await this.derivationPath.get();
-            if (dp !== true && dp !== false) {
-                return dp
-            }
-        })()
-
-        const rpc = await this.rpcUrl.get();
-        const provider = new JsonRpcProvider(rpc);
-
-        const signer = await getLedgerSigner(provider, dpArg);
-        return await signer.getAddress() as `0x${string}`;
+        const signer = await getLedgerAccount(await this.accountIndex.get());
+        return await signer.address as `0x${string}`;
     }
 
     async subclassForgeArgs(): Promise<string[]> {
         const derivationPathArgs = await (async () => {
-            const dp = await this.derivationPath.get();
-            if (dp !== true && dp !== false) {
-                // if a derivation path is specified, use the `--mnemonic-derivation-paths` option.
-                return [`--mnemonic-derivation-paths`, `${dp}`]
-            } else {
+            try {
+                const accountIndex = await this.accountIndex.getImmediately();
+                return [`--mnemonic-derivation-paths`, `${DEFAULT_BASE_DERIVATION_PATH}/${accountIndex}`]
+            } catch {
                 return [];
             }
         })()

src/signing/strategies/eoa/ledger.ts

@@ -6,7 +6,6 @@ import { MultisigMetadata, TDeploy, TMultisigPhase } from "../../../../metadata/
 import { overrideTxServiceUrlForChainId } from "./utils";
 import { TSignatureRequest } from "../../../strategy";
 import { OperationType } from '@safe-global/types-kit';
-import ora from "ora";
 import chalk from "chalk";
 import { getAddress, hexToNumber } from "viem";
 import { SafeTransaction } from '@safe-global/types-kit';
@@ -109,6 +108,8 @@ export abstract class GnosisApiStrategy extends GnosisSigningStrategy {
         }
 
         const senderSignature = await this.getSignature(version, txn, safeContext.addr)
+
+        console.log(`Signature requested: ${senderSignature}`);
 
         await apiKit.proposeTransaction({
             safeAddress: getAddress(safeContext.addr),

src/signing/strategies/gnosis/api/gnosisApi.ts

@@ -1,49 +1,40 @@
 import { GnosisApiStrategy } from "./gnosisApi";
 import { SafeTransaction } from '@safe-global/types-kit';
 import { getEip712TxTypes } from "@safe-global/protocol-kit/dist/src/utils/eip-712/index"
-import { getDefaultProvider } from 'ethers'
 import { checkShouldSignGnosisMessage, pressAnyButtonToContinue } from "../../../../commands/prompts";
-import { getLedgerSigner } from "../../ledgerTransport";
-import { createPublicClient, getContract, http, verifyMessage } from "viem";
+import { createPublicClient, getContract, hashTypedData, http } from "viem";
 import { ICachedArg, TStrategyOptions } from "../../../strategy";
 import { SavebleDocument, Transaction } from "../../../../metadata/metadataStore";
 import { TDeploy } from "../../../../metadata/schema";
 import * as prompts from '../../../../commands/prompts';
-import { JsonRpcProvider } from "ethers";
 import * as AllChains from 'viem/chains';
 import { abi } from "../onchain/Safe";
-import { adjustVInSignature, calculateSafeTransactionHash } from "@safe-global/protocol-kit/dist/src/utils";
-import { SigningMethod } from "@safe-global/protocol-kit";
+import { getLedgerAccount } from "../../ledgerTransport";
 
 export class GnosisLedgerStrategy extends GnosisApiStrategy {
     id = "gnosis.api.ledger";
     description = "Gnosis API - Ledger (Not For Private Hotfixes)";
 
-    public derivationPath: ICachedArg<string | boolean> 
+    public accountIndex: ICachedArg<number> 
 
     constructor(deploy: SavebleDocument<TDeploy>, transaction: Transaction, options?: TStrategyOptions) {
         super(deploy, transaction, options);
-        this.derivationPath= this.arg(async () => {
-            return await prompts.derivationPath();
-        }, 'derivationPath')
+        this.accountIndex = this.arg(async () => {
+            return await prompts.accountIndex();
+        }, 'accountIndex')
     }
-    
-    async getSignature(version: string, txn: SafeTransaction, safeAddress: `0x${string}`): Promise<`0x${string}`> {
-        const provider = getDefaultProvider();
 
-        const derivationPath = await (async () => {
-            const dp = await this.derivationPath.get();
-            if (!dp) return undefined;
-            if (dp === true) throw new Error(`Invalid.`)
-            return dp;
-        })()
+    async getSignature(version: string, txn: SafeTransaction, safeAddress: `0x${string}`): Promise<`0x${string}`> {
+        const signer = await getLedgerAccount(await this.accountIndex.get());
+        if (!signer.signTypedData) {
+            throw new Error(`This ledger does not support signing typed data, and cannot be used with zeus.`);
+        }
 
-        const signer = await getLedgerSigner(provider, derivationPath);
         const types = getEip712TxTypes(version);
-        const typedDataArgs = {
-            types: {SafeTx: types.SafeTx},
+        const typedDataParameters = {
+            types: types as unknown as Record<string, unknown>,
             domain: {
-                verifyingContract: safeAddress,
+                verifyingContract: safeAddress as `0x${string}`,
                 chainId: this.deploy._.chainId,
             },
             primaryType: 'SafeTx',
@@ -53,42 +44,25 @@ export class GnosisLedgerStrategy extends GnosisApiStrategy {
                 safeTxGas: txn.data.safeTxGas,
                 baseGas: txn.data.baseGas,
                 gasPrice: txn.data.gasPrice,
-                nonce: txn.data.nonce
+                nonce: txn.data.nonce,
+                refundReceiver: txn.data.refundReceiver,
             }
-        } as const;
+        };
 
-        const gnosisHash = calculateSafeTransactionHash(safeAddress, txn.data, version, BigInt(this.deploy._.chainId));
-        console.log(`Expected gnosis hash: ${gnosisHash}`);
+        await checkShouldSignGnosisMessage(typedDataParameters);
 
-        await checkShouldSignGnosisMessage(typedDataArgs);
+        if (!signer.signMessage) {
+            throw new Error(`This ledger doesn't support signing somehow.`);
+        }
 
-        console.log(`Signing with ledger (please check your device for instructions)...`);
+        const preImage = hashTypedData(typedDataParameters);
+        console.log(`Signing from: ${signer.address}`);
+        console.log(`Typed data hash to sign: ${preImage}`);
 
         try {
-            const addr = await signer.getAddress() as `0x${string}`;
-            console.log(`The ledger reported this address: ${addr}`);
-            
-            const _signature = await signer.signMessage(
-                gnosisHash
-            ) as `0x${string}`
-
-            const signature = (await adjustVInSignature(SigningMethod.ETH_SIGN, _signature, gnosisHash, addr)) as `0x${string}`;
-
-            const valid = await verifyMessage({address: addr, message: gnosisHash, signature: _signature});
-            if (!valid) {
-                console.error(`Failed to verify signature. Nothing will be submitted. (signed from ${addr})`);
-                console.warn(`Signature: ${_signature}`);
-                console.log(`V-Adjusted signature: ${signature}`);
-                console.warn(`Gnosis Hash: ${gnosisHash}`);
-                console.warn(`From: ${addr}`);
-                throw new Error(`Invalid signature. Failed to verify typedData.`);
-            } else {
-                console.log(`Successfully verified signature (from=${addr},signature=${_signature})`);
-            }
-
-            console.log(`Original Signature: ${_signature}`);
-            console.log(`V-Adjusted signature: ${signature}`);
-
+            console.log(`Signing with ledger(${signer.address}) (please check your device for instructions)...`);
+            const signature = await signer.signTypedData(typedDataParameters);
+            console.log(`Signature: ${signature}`);
             return signature;
         } catch (e) {
             if ((e as Error).message.includes(`0x6a80`)) {
@@ -102,22 +76,14 @@ export class GnosisLedgerStrategy extends GnosisApiStrategy {
     }
 
     async getSignerAddress(): Promise<`0x${string}`> {
-        console.log(`Querying ledger for address...`);
-        
-        const derivationPath = await (async () => {
-            const dp = await this.derivationPath.get();
-            if (!dp) return undefined;
-            if (dp === true) throw new Error(`Invalid.`)
-            return dp;
-        })()
+        console.log(`Querying ledger for address (check device for instructions)...`);
 
         try {
             while (true) {
                 try {
-                    const provider = new JsonRpcProvider(await this.rpcUrl.get());
-                    const signer = await getLedgerSigner(provider, derivationPath);
-                    const res = await signer.getAddress() as `0x${string}`;
-                    console.log(`Detected ledger address(${derivationPath}): ${res}`);    
+                    const accountIndex = await this.accountIndex.get();
+                    const signer = await getLedgerAccount(accountIndex);
+                    console.log(`Detected ledger address: ${signer.address}`);    
 
                     // double check that this ledger is a signer for the multisig.
                     if (this.forMultisig) {
@@ -130,12 +96,12 @@ export class GnosisLedgerStrategy extends GnosisApiStrategy {
                             abi,
                             address: this.forMultisig
                         })
-                        if (!await safe.read.isOwner([res])) {
-                            throw new Error(`This ledger path (${derivationPath}) produced address (${res}), which is not a signer on the multisig (${this.forMultisig})`);
+                        if (!await safe.read.isOwner([signer.address])) {
+                            throw new Error(`This ledger path (accountIndex=${accountIndex}) produced address (${signer.address}), which is not a signer on the multisig (${this.forMultisig})`);
                         }
                     }
 
-                    return res;
+                    return signer.address;
                 } catch (e) {
                     if ((e as Error).message.includes('Locked device')) {
                         console.error(`Error: Please unlock your ledger.`);