Purpose
TheConsensus contract manages a permissioned set of signers and enforces multi-signature validation logic using either EIP-712 or EIP-1271 signatures. It is a lightweight module designed for verifying offchain consensus before executing critical actions such as deposit and redemptions via SignatureQueues.
It supports:
- Threshold-based consensus
- Two signature modes: EIP712 (EOA) and EIP1271 (contract-based)
- Dynamic signer set management
- Stateless, reusable verification interface
Core Concepts
Threshold-Based Verification
To validate an action, a set of authorized signers must collectively submit signatures. The number of valid signatures must be greater than or equal to the configuredthreshold.
Signature Types
Each signer is associated with aSignatureType:
EIP712– Used for externally owned accounts (standardECDSA.recover)EIP1271– Used for contract accounts (viaisValidSignature())
Storage Layout
threshold: Minimum number of valid signatures required for verification to succeed.signers: Mapping of signer addresses → their configured signature type.
Initialization
- Expects
abi.encode(owner)as input. - Sets the initial owner using
OwnableUpgradeable.
Signature Verification
checkSignatures
- Returns
trueif:- At least
thresholdsignatures are present - Each signature is:
- From an authorized signer
- Valid according to the signer’s configured signature type
- At least
- Returns
falseotherwise
EIP712: UsesECDSA.recover(orderHash, sig)and matches signerEIP1271: CallsisValidSignature(orderHash, sig)on the contract
requireValidSignatures
- Same logic as
checkSignatures, but reverts withInvalidSignatureserror if validation fails
Signer Management (Owner-only)
setThreshold
- Sets a new threshold
- Must be
> 0and≤ signers.length() - Emits
ThresholdSet
addSigner
- Adds a new signer with specified signature type
- Updates threshold (as part of signer addition)
- Reverts if:
signer == address(0)- Signer already exists
- Emits
SignerAddedandThresholdSet
removeSigner
- Removes signer from consensus set
- Updates threshold
- Reverts if signer not found
- Emits
SignerRemovedandThresholdSet
View Functions
Events
Initialized(bytes)ThresholdSet(uint256)SignerAdded(address signer, SignatureType)SignerRemoved(address signer)InvalidSignatures(bytes32 hash, Signature[] signatures)(used in revert)
Security Considerations
- Only the owner (via
OwnableUpgradeable) may update signer set or threshold - Signatures are stateless and externally verifiable
- Replay protection (e.g., nonce checks) must be handled by upstream systems (nonces)
- Signers using
EIP1271are trusted for contract logic – contracts must not be mutable without governance