Merge pull request #3 from wesenditmedia/feature/wesendit-3.0

Feature/wesendit 3.0

Author: Nico205

.devcontainer/devcontainer.json

@@ -0,0 +1,22 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/alpine
+{
+	"name": "ETH Security Toolbox",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "ghcr.io/trailofbits/eth-security-toolbox:nightly",
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "solc-select install 0.8.17 && sudo n 16"
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.gitignore

@@ -11,4 +11,8 @@ artifacts
 flattened.sol
 
 docs
-abi
+abi
+generated
+
+scripts/*.json
+scripts/*.csv

LICENSE.md

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 WeSendit Media AG
+Copyright (c) 2023 WeSendit Media AG
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,23 +1,32 @@
 # <img src="https://wesendit.io/wp-content/uploads/2022/04/cropped-WSI_Favicon-192x192.png" width="20px" height="20px"></img> WeSendit Smart Contracts 🚀
 
-> This repository contains the core smart contracts used by the WeSendit crypto project.
+This repository contains a set of smart contracts used by WeSendit.
 
 ## Deployment
 
 ```shell
 npx hardhat run --network bscTestnet scripts/deploy.ts
 ```
 
-## Included Smart Contracts
+## Smart Contracts
 
 | Sourcefile | Description |
 |---|---|
 | [WeSenditToken.sol](contracts/WeSenditToken.sol) | WeSendit ERC20 Token Contract, with small modifications to support fee reflection using Dynamic Fee Manager.
 | [DynamicFeeManager.sol](contracts/DynamicFeeManager.sol) | Dynamic Fee Manager, able to dynamically add or remove fees for reflection on transactions.
+| [EmergencyGuard.sol](contracts/EmergencyGuard.sol) | Emergency Guard, provides emergency ETH / token withdrawal functions from contract address.
+| [StakingPool.sol](contracts/StakingPool.sol) | WeSendit Staking Pool Contract.
+| [WeStakeitToken.sol](contracts/WeStakeitToken.sol) | WeSendit Staking Pool Proof NFT.
+| [VestingWallet.sol](contracts/VestingWallet.sol) | WeSendit Vesting Wallet, based on OpenZeppelin Vesting Wallet.
+| [TokenVault.sol](contracts/TokenVault.sol) | WeSendit Token Vault, used to lock token on it.
+| [MultiVestingWallet.sol](contracts/MultiVestingWallet.sol) | WeSendit Multi Vesting Wallet, used to vest token for multiple beneficiaries.
+| [PaymentProcessor.sol](contracts/PaymentProcessor.sol) | WeSendit 3.0 Payment Processor Smart Contract, used for web3 payments.
+| [RewardDistributor.sol](contracts/RewardDistributor.sol) | WeSendit 3.0 Reward Distributor Smart Contract, used for web3 activity rewards.
 
 ## Audits
 
 | Report | Audit Date | Organization |
 |---|---|---|
-| [WeSendit_SCAudit_Report_Hacken_io.pdf](WeSendit_SCAudit_Report_Hacken_io.pdf) | 20th Oct. 2022 | [Hacken](https://hacken.io)
-| [WeSendit_SCAudit_Report_Solidproof_io.pdf](WeSendit_SCAudit_Report_Solidproof_io.pdf) | 22th Oct. 2022 | [Solidproof](https://solidproof.io)
+| [WeSendit_SCAudit_Report_Hacken_io.pdf](audits/WeSendit_SCAudit_Report_Hacken_io.pdf) | 20th Oct. 2022 | [Hacken](https://hacken.io)
+| [WeSendit_SCAudit_Report_Solidproof_io.pdf](audits/WeSendit_SCAudit_Report_Solidproof_io.pdf) | 22nd Oct. 2022 | [Solidproof](https://solidproof.io)
+| [SmartContract_Audit_Solidproof_WesendIt_PaymentDistributor.pdf](audits/SmartContract_Audit_Solidproof_WesendIt_PaymentDistributor.pdf) | 21st Dec. 2022 | [Solidproof](https://solidproof.io)

audits/SmartContract_Audit_Solidproof_WesendIt_PaymentDistributor.pdf

@@ -7,6 +7,8 @@ import "./BaseDynamicFeeManager.sol";
 import "./interfaces/IFeeReceiver.sol";
 import "./interfaces/IWeSenditToken.sol";
 
+import "hardhat/console.sol";
+
 /**
  * @title Dynamic Fee Manager for ERC20 token
  *
@@ -134,7 +136,10 @@ contract DynamicFeeManager is BaseDynamicFeeManager {
         for (uint256 i = 0; i < feeAmount; i++) {
             FeeEntry memory fee = feeEntries[i];
 
-            if (_isFeeEntryValid(fee) && _isFeeEntryMatching(fee, from, to)) {
+            if (
+                _isFeeEntryValid(fee) &&
+                (_isFeeEntryMatching(fee, from, to, amount))
+            ) {
                 uint256 tFee = _calculateFee(amount, fee.percentage);
                 uint256 tempPercentage = totalFeePercentage + fee.percentage;
 
@@ -152,6 +157,40 @@ contract DynamicFeeManager is BaseDynamicFeeManager {
         return (tTotal, tFees);
     }
 
+    function _isFeeMatchingStakingUnclaim(
+        FeeEntry memory fee,
+        address to,
+        uint256 amount
+    ) private view returns (bool matching) {
+        // Get users staking nfts balance
+        uint256 balance = weStakeitToken().balanceOf(to);
+
+        for (uint256 i = 0; i < balance; i++) {
+            // Get staking token id
+            uint256 tokenId = weStakeitToken().tokenOfOwnerByIndex(to, i);
+
+            // Get staking entry from pool
+            PoolEntry memory entry = stakingPool().poolEntry(tokenId);
+
+            /**
+             * Check if entry is:
+             * - unstaked (happens right before transfer)
+             * - claimed with this block (happens likely directly before transfer)
+             * - fee amount is matching 3% of initial stake amount
+             */
+            if (
+                entry.isUnstaked &&
+                entry.lastClaimedAt == block.timestamp &&
+                (amount * fee.percentage) / FEE_DIVIDER ==
+                (entry.amount * fee.percentage) / FEE_DIVIDER
+            ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Reflects a single fee
      *
@@ -168,8 +207,8 @@ contract DynamicFeeManager is BaseDynamicFeeManager {
         FeeEntry memory fee,
         bool bypassSwapAndLiquify
     ) private {
-        // add to liquify / swap amount or transfer to fee destination
         if (fee.doLiquify || fee.doSwapForBusd) {
+            // add to liquify / swap amount or transfer to fee destination
             require(
                 IWeSenditToken(address(token())).transferFromNoFees(
                     from,
@@ -275,8 +314,14 @@ contract DynamicFeeManager is BaseDynamicFeeManager {
     function _isFeeEntryMatching(
         FeeEntry memory fee,
         address from,
-        address to
+        address to,
+        uint256 amount
     ) private view returns (bool matching) {
+        // Staking pool customization
+        if (fee.from == address(stakingPool())) {
+            return _isFeeMatchingStakingUnclaim(fee, to, amount);
+        }
+
         return
             ((fee.from == WHITELIST_ADDRESS &&
                 fee.to == WHITELIST_ADDRESS &&

WeSendit_SCAudit_Report_Hacken_io.pdf renamed to audits/WeSendit_SCAudit_Report_Hacken_io.pdf

@@ -0,0 +1,229 @@
+// SPDX-License-Identifier: MIT
+// Based on VestingWallet from OpenZeppelin Contracts (last updated v4.8.0) (finance/VestingWallet.sol)
+pragma solidity 0.8.17;
+
+import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import "@openzeppelin/contracts/utils/Address.sol";
+import "@openzeppelin/contracts/utils/Context.sol";
+import "@openzeppelin/contracts/utils/math/Math.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+
+import "./interfaces/IMultiVestingWallet.sol";
+import "./EmergencyGuard.sol";
+
+import "hardhat/console.sol";
+
+contract MultiVestingWallet is
+    IMultiVestingWallet,
+    Context,
+    Ownable,
+    EmergencyGuard
+{
+    uint64 private immutable _start;
+    uint64 private immutable _duration;
+
+    // Total initial ETH amount
+    uint256 private _totalInitialETH;
+
+    // Mapping from token to total initial token amount
+    mapping(address => uint256) private _totalInitialToken;
+
+    // Total released token amount
+    uint256 private _totalReleasedETH;
+
+    // Mapping from ttoken to total released token amount
+    mapping(address => uint256) private _totalReleasedToken;
+
+    // Mapping from beneficiary address to initial ETH
+    mapping(address => uint256) private _userInitialETH;
+
+    // Mapping from beneficiary address to release ETH
+    mapping(address => uint256) private _userReleaseETH;
+
+    // Mapping from beneficiary address to token address to initial token
+    mapping(address => mapping(address => uint256)) private _userInitialToken;
+
+    // Mapping from beneficiary address to token address to release token
+    mapping(address => mapping(address => uint256)) private _userReleasedToken;
+
+    /**
+     * @dev Set the start timestamp and vesting duration of the vesting wallet.
+     */
+    constructor(uint64 startTimestamp, uint64 durationSeconds) payable {
+        _start = startTimestamp;
+        _duration = durationSeconds;
+    }
+
+    receive() external payable virtual {}
+
+    function addBeneficiaries(
+        address[] calldata beneficiaries,
+        uint256[] calldata amounts
+    ) external virtual onlyOwner {
+        require(
+            beneficiaries.length == amounts.length,
+            "MultiVestingWallet: mismatching beneficiaries / amounts pair"
+        );
+
+        for (uint256 i = 0; i < beneficiaries.length; i++) {
+            addBeneficiary(beneficiaries[i], amounts[i]);
+        }
+    }
+
+    function addBeneficiaries(
+        address[] calldata beneficiaries,
+        address token,
+        uint256[] calldata amounts
+    ) external virtual onlyOwner {
+        require(
+            beneficiaries.length == amounts.length,
+            "MultiVestingWallet: mismatching beneficiaries / amounts pair"
+        );
+
+        for (uint256 i = 0; i < beneficiaries.length; i++) {
+            addBeneficiary(beneficiaries[i], token, amounts[i]);
+        }
+    }
+
+    function addBeneficiary(
+        address beneficiary,
+        uint256 amount
+    ) public virtual onlyOwner {
+        require(
+            address(this).balance + _totalReleasedETH - _totalInitialETH >=
+                amount,
+            "MultiVestingWallet: ETH amount exceeds balance"
+        );
+
+        _userInitialETH[beneficiary] = amount;
+        _totalInitialETH += amount;
+    }
+
+    function addBeneficiary(
+        address beneficiary,
+        address token,
+        uint256 amount
+    ) public virtual onlyOwner {
+        require(
+            IERC20(token).balanceOf(address(this)) +
+                _totalReleasedToken[token] -
+                _totalInitialToken[token] >=
+                amount,
+            "MultiVestingWallet: Token amount exceeds balance"
+        );
+
+        _userInitialToken[beneficiary][token] = amount;
+        _totalInitialToken[token] += amount;
+    }
+
+    function start() public view virtual returns (uint256) {
+        return _start;
+    }
+
+    function duration() public view virtual returns (uint256) {
+        return _duration;
+    }
+
+    function initial(
+        address beneficiary
+    ) public view virtual returns (uint256) {
+        return _userInitialETH[beneficiary];
+    }
+
+    function initial(
+        address beneficiary,
+        address token
+    ) public view virtual returns (uint256) {
+        return _userInitialToken[beneficiary][token];
+    }
+
+    function released(
+        address beneficiary
+    ) public view virtual returns (uint256) {
+        return _userReleaseETH[beneficiary];
+    }
+
+    function released(
+        address beneficiary,
+        address token
+    ) public view virtual returns (uint256) {
+        return _userReleasedToken[beneficiary][token];
+    }
+
+    function releasable(
+        address beneficiary
+    ) public view virtual returns (uint256) {
+        return
+            vestedAmount(beneficiary, uint64(block.timestamp)) -
+            released(beneficiary);
+    }
+
+    function releasable(
+        address beneficiary,
+        address token
+    ) public view virtual returns (uint256) {
+        return
+            vestedAmount(beneficiary, token, uint64(block.timestamp)) -
+            released(beneficiary, token);
+    }
+
+    function release(address beneficiary) public virtual {
+        uint256 amount = releasable(beneficiary);
+        _userReleaseETH[beneficiary] += amount;
+        _totalReleasedETH += amount;
+        emit EtherReleased(beneficiary, amount);
+        Address.sendValue(payable(beneficiary), amount);
+    }
+
+    function release(address beneficiary, address token) public virtual {
+        uint256 amount = releasable(beneficiary, token);
+        _userReleasedToken[beneficiary][token] += amount;
+        _totalReleasedToken[token] += amount;
+        emit ERC20Released(beneficiary, token, amount);
+        SafeERC20.safeTransfer(IERC20(token), beneficiary, amount);
+    }
+
+    function vestedAmount(
+        address beneficiary,
+        uint64 timestamp
+    ) public view virtual returns (uint256) {
+        return _vestingSchedule(_userInitialETH[beneficiary], timestamp);
+    }
+
+    function vestedAmount(
+        address beneficiary,
+        address token,
+        uint64 timestamp
+    ) public view virtual returns (uint256) {
+        return
+            _vestingSchedule(_userInitialToken[beneficiary][token], timestamp);
+    }
+
+    /**
+     * @dev Virtual implementation of the vesting formula. This returns the amount vested, as a function of time, for
+     * an asset given its total historical allocation.
+     */
+    function _vestingSchedule(
+        uint256 totalAllocation,
+        uint64 timestamp
+    ) internal view virtual returns (uint256) {
+        if (timestamp < start()) {
+            return 0;
+        } else if (timestamp > start() + duration()) {
+            return totalAllocation;
+        } else {
+            return (totalAllocation * (timestamp - start())) / duration();
+        }
+    }
+
+    function emergencyWithdraw(uint256 amount) external override onlyOwner {
+        super._emergencyWithdraw(amount);
+    }
+
+    function emergencyWithdrawToken(
+        address token,
+        uint256 amount
+    ) external override onlyOwner {
+        super._emergencyWithdrawToken(token, amount);
+    }
+}