/// This module implements upgradeability for the token bridge contract.
/// Contract upgrades are authorised by governance, which means that performing
/// an upgrade requires a governance VAA signed by a supermajority of the
/// wormhole guardians.
/// Upgrades are performed in a commit-reveal scheme, where submitting the VAA
/// authorises a particular contract hash. Then in a subsequent transaction, the
/// bytecode is uploaded, and if the hash of the bytecode matches the committed
/// hash, then the upgrade proceeds.
/// This two-phase process has the advantage that even if the bytecode can't be
/// upgraded to for whatever reason, the governance VAA won't be possible to
/// replay in the future, since the commit transaction replay protects it.
/// Additionally, there is an optional migration step that may include one-off
/// logic to be executed after the upgrade. This has to be done in a separate
/// transaction, because the transaction that uploads bytecode cannot execute
/// it.
module token_bridge::contract_upgrade {
use std::vector;
use aptos_framework::code;
use wormhole::deserialize;
use wormhole::cursor;
use wormhole::vaa;
use wormhole::state as core;
use wormhole::keccak256::keccak256;
use token_bridge::vaa as token_bridge_vaa;
use token_bridge::state;
/// "TokenBridge" (left padded)
const TOKEN_BRIDGE: vector<u8> = x"000000000000000000000000000000000000000000546f6b656e427269646765";
const E_UNEXPECTED_HASH: u64 = 1;
const E_INVALID_MODULE: u64 = 2;
const E_INVALID_ACTION: u64 = 3;
const E_INVALID_TARGET: u64 = 4;
const E_NOT_MIGRATING: u64 = 5;
/// The `UpgradeAuthorized` type in the global storage represents the fact
/// there is an ongoing approved upgrade.
/// When the upgrade is finalised in `upgrade`, this object is deleted.
struct UpgradeAuthorized has key {
hash: vector<u8>
struct Hash has drop {
hash: vector<u8>
public fun get_hash(hash: &Hash): vector<u8> {
fun parse_payload(payload: vector<u8>): Hash {
let cur = cursor::init(payload);
let target_module = deserialize::deserialize_vector(&mut cur, 32);
assert!(target_module == TOKEN_BRIDGE, E_INVALID_MODULE);
let action = deserialize::deserialize_u8(&mut cur);
assert!(action == 0x02, E_INVALID_ACTION);
let chain = deserialize::deserialize_u16(&mut cur);
assert!(chain == core::get_chain_id(), E_INVALID_TARGET);
let hash = deserialize::deserialize_vector(&mut cur, 32);
Hash { hash }
// -----------------------------------------------------------------------------
// Commit
public fun submit_vaa(vaa: vector<u8>): Hash acquires UpgradeAuthorized {
let vaa = vaa::parse_and_verify(vaa);
let hash = parse_payload(vaa::destroy(vaa));
public entry fun submit_vaa_entry(vaa: vector<u8>) acquires UpgradeAuthorized {
fun authorize_upgrade(hash: &Hash) acquires UpgradeAuthorized {
let token_bridge = state::token_bridge_signer();
if (exists<UpgradeAuthorized>(@token_bridge)) {
// NOTE: here we're dropping the upgrade hash, allowing to override
// a previous upgrade that hasn't been executed. It's possible that
// an upgrade hash corresponds to bytecode that can't be upgraded
// to, because it fails bytecode compatibility verification. While
// that should never happen^TM, we don't want to deadlock the
// contract if it does.
let UpgradeAuthorized { hash: _ } = move_from<UpgradeAuthorized>(@token_bridge);
move_to(&token_bridge, UpgradeAuthorized { hash: hash.hash });
public fun authorized_hash(): vector<u8> acquires UpgradeAuthorized {
let u = borrow_global<UpgradeAuthorized>(@token_bridge);
// -----------------------------------------------------------------------------
// Reveal
public entry fun upgrade(
metadata_serialized: vector<u8>,
code: vector<vector<u8>>
) acquires UpgradeAuthorized {
assert!(exists<UpgradeAuthorized>(@token_bridge), E_UPGRADE_UNAUTHORIZED);
let UpgradeAuthorized { hash } = move_from<UpgradeAuthorized>(@token_bridge);
// we compute the hash of hashes of the metadata and the bytecodes.
// the aptos framework appears to perform no validation of the metadata,
// so we check it here too.
let c = copy code;
vector::reverse(&mut c);
let a = keccak256(metadata_serialized);
while (!vector::is_empty(&c)) vector::append(&mut a, keccak256(vector::pop_back(&mut c)));
assert!(keccak256(a) == hash, E_UNEXPECTED_HASH);
let token_bridge = state::token_bridge_signer();
code::publish_package_txn(&token_bridge, metadata_serialized, code);
// allow migration to be run.
if (!exists<Migrating>(@token_bridge)) {
move_to(&token_bridge, Migrating {});
// -----------------------------------------------------------------------------
// Migration
struct Migrating has key {}
public fun is_migrating(): bool {
public entry fun migrate() acquires Migrating {
assert!(exists<Migrating>(@token_bridge), E_NOT_MIGRATING);
let Migrating { } = move_from<Migrating>(@token_bridge);
// NOTE: put any one-off migration logic here.
// Most upgrades likely won't need to do anything, in which case the
// rest of this function's body may be empty.
// Make sure to delete it after the migration has gone through
// successfully.
// WARNING: the migration does *not* proceed atomically with the
// upgrade (as they are done in separate transactions).
// If the nature of your migration absolutely requires the migration to
// happen before certain other functionality is available, then guard
// that functionality with `assert!(!is_migrating())` (from above).
module token_bridge::contract_upgrade_test {
use wormhole::wormhole;
use token_bridge::contract_upgrade;
use token_bridge::token_bridge;
/// A token bridge upgrade VAA that upgrades to 0x10263f154c466b139fda0bf2caa08fd9819d8ded3810446274a99399f886fc76
const UPGRADE_VAA: vector<u8> = x"01000000000100b5ebfcccb84d740684429622f2fbc16638fb01222e4a580a6d2049227f37a31a7162d32770f72398fe10d160a968c94256eae9225a3da9c69ab7a41d7b307ede010000000100000001000100000000000000000000000000000000000000000000000000000000000000040000000001f96c9900000000000000000000000000000000000000000000546f6b656e42726964676502001610263f154c466b139fda0bf2caa08fd9819d8ded3810446274a99399f886fc76";
/// A token bridge upgrade VAA that targets ethereum
const ETH_UPGRADE: vector<u8> = x"0100000000010090014add41120b33eb4a03c5dce613815071d18b69a185bf322f327cc79cc52d7d133a59515d13ccfb030f9cc26a86b2bcd4dbe34d8ca6c4cc83299efb3e9b430100000001000000010001000000000000000000000000000000000000000000000000000000000000000400000000030a9ea600000000000000000000000000000000000000000000546f6b656e42726964676502000210263f154c466b139fda0bf2caa08fd9819d8ded3810446274a99399f886fc76";
fun setup(deployer: &signer) {
let aptos_framework = std::account::create_account_for_test(@aptos_framework);
#[test(deployer = @deployer)]
public fun test_contract_upgrade_authorize(deployer: &signer) {
let expected_hash = x"10263f154c466b139fda0bf2caa08fd9819d8ded3810446274a99399f886fc76";
assert!(contract_upgrade::authorized_hash() == expected_hash, 0);
#[test(deployer = @deployer)]
#[expected_failure(abort_code = 0x6407, location = 0x1::table)]
public fun test_contract_upgrade_double(deployer: &signer) {
// make sure we can't replay a VAA
#[test(deployer = @deployer)]
#[expected_failure(abort_code = 4, location = token_bridge::contract_upgrade)]
public fun test_contract_upgrade_wrong_chain(deployer: &signer) {