refactor: change to list of rose feeds and average price

Author: rube-de

contracts/.env.example

@@ -7,8 +7,17 @@ PRIVATE_KEY=your_private_key_here
 
 # External contracts
 SHOYU_BASHI=0xShoyuBashiAddress
-ROSE_USD_FEED=0xRoseUsdAggregator
-TOKEN_USD_FEED=0xTokenUsdAggregator
+
+# ROSE/USD Price Feeds (comma-separated for redundancy)
+# For production: configure 3+ feeds for median aggregation and outlier resistance
+# For testing: minimum 1 feed required
+# Example: ROSE_USD_FEEDS=0xFeed1Address,0xFeed2Address,0xFeed3Address
+ROSE_USD_FEEDS=0x47EFD60558012A64649c709b350f20C7a5f5e2Aa,0x666938f7FBC353227F98DA43C050C8252eBfC0f7
+
+# Token price feed (for PaymasterVault)
+TOKEN_USD_FEED=0xd29802275E41449f675A2650629fBB268D2Ab52d
+
+# Price staleness threshold in seconds (default: 3600 = 1 hour)
 PRICE_STALENESS_SECONDS=3600
 
 # Distribution limits (ROSE units)

contracts/README.md

@@ -47,8 +47,10 @@ cp .env.example .env
 | `PRIVATE_KEY` | No | Deployer/signing key for Hardhat networks; defaults to test mnemonic if unset. |
 | `ALCHEMY_API_KEY` | No | Used for Hardhat mainnet fork and default RPC hints in `post-blockhash`. |
 | `OWNER` | Yes | Owner address for `deploy:cross-chain-paymaster`. |
-| `PRICE_ORACLE` | Yes | Price oracle address on Sapphire; used by deploy and oracle config tasks. |
-| `SHOYU_shellI` | Yes | Shoyushelli address on Sapphire. |
+| `SHOYU_BASHI` | Yes | ShoyuBashi address on Sapphire for block header verification. |
+| `ROSE_USD_FEEDS` | Yes | Comma-separated list of ROSE/USD price feed addresses (e.g., `0xFeed1,0xFeed2,0xFeed3`). Min 1 required, 3+ recommended for production (median aggregation). |
+| `PRICE_STALENESS_SECONDS` | No | Price staleness threshold in seconds (default `3600`). |
+| `TOKEN_USD_FEED` | Yes (vault config) | Token/USD price feed address for PaymasterVault token configuration. |
 | `DAILY_LIMIT_ROSE` | No | Daily ROSE distribution limit for CrossChainPaymaster (default `10000`). |
 | `PER_TX_LIMIT_ROSE` | No | Per-transaction ROSE limit for CrossChainPaymaster (default `100`). |
 | `LIMITS_ENABLED` | No | Enable/disable distribution limits (default `true`). |
@@ -84,8 +86,9 @@ bun hardhat deploy:cross-chain-paymaster --network sapphire-testnet
 # Custom params
 bun hardhat deploy:cross-chain-paymaster \
   --owner 0x... \
-  --oracle 0x... \
-  --shoyushelli 0x... \
+  --shoyubashi 0x... \
+  --roseusd 0xFeed1,0xFeed2,0xFeed3 \
+  --stale 3600 \
   --daily 50000 \
   --pertx 500 \
   --enabled true \
@@ -107,12 +110,22 @@ bun hardhat deploy:paymaster-vault \
   --network eth-sepolia
 ```
 
-### 3) Deploy Mock Oracle (testing)
+### 3) Deploy Mock Price Feeds (testing)
+
+Deploy Chainlink-compatible mock price feeds for testing ROSE/USD conversion:
 
 ```shell
+# Deploy mock ROSE/USD feed #1 (default: 18 decimals, price = 1)
+bun hardhat deploy:mock-oracle --network sapphire-testnet
+
+# Deploy with custom price (e.g., 0.05 for $0.05/ROSE)
 bun hardhat deploy:mock-oracle \
-  --paymaster 0x<PAYMASTER_PROXY> \
+  --price 0.05 \
+  --decimals 18 \
   --network sapphire-testnet
+
+# For production-like testing, deploy 3+ feeds with varied prices
+# Then configure CrossChainPaymaster with --roseusd feed1,feed2,feed3
 ```
 
 ## Configuration
@@ -156,23 +169,11 @@ bun hardhat configure:paymaster-vault \
   --network eth-sepolia
 ```
 
-### Mock Oracle (testing)
+### Price Feed Management
 
-```shell
-# Add token feed at price=1 ROSE
-bun hardhat oracle:addtokenfeed \
-  --oracle 0x<ORACLE_ADDRESS> \
-  --token 0x<USDC_ADDRESS> \
-  --decimals 6 \
-  --price 1 \
-  --network sapphire-testnet
+CrossChainPaymaster uses ROSE/USD price feeds configured at deployment. To update feeds after deployment, use the upgrade or configure tasks with new feed addresses.
 
-# Remove token feed
-bun hardhat oracle:removetokenfeed \
-  --oracle 0x<ORACLE_ADDRESS> \
-  --token 0x<USDC_ADDRESS> \
-  --network sapphire-testnet
-```
+For testing with mock feeds, deploy multiple `MockV3Aggregator` instances (see deployment section above) and configure them via the `--roseusd` parameter.
 
 ## Flow: Deposit → Proof → Relay
 

contracts/contracts/sapphire/CrossChainPaymaster.sol

@@ -5,6 +5,7 @@ import { Initializable } from "@openzeppelin/contracts-upgradeable/proxy/utils/I
 import { UUPSUpgradeable } from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
 import { PausableUpgradeable } from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";
 import { ReentrancyGuardUpgradeable } from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
+import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 
 import { RLPReader } from "@eth-optimism/contracts-bedrock/src/libraries/rlp/RLPReader.sol";
 
@@ -14,6 +15,7 @@ import { ReceiptProof } from "../hashi/prover/HashiProverStructs.sol";
 import "@chainlink/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol";
 import { ICrossChainPaymaster } from "./interfaces/ICrossChainPaymaster.sol";
 import { Math } from "@openzeppelin/contracts/utils/math/Math.sol";
+import { Arrays } from "@openzeppelin/contracts/utils/Arrays.sol";
 import { SapphireTypes } from "./libraries/SapphireTypes.sol";
 
 /**
@@ -32,6 +34,8 @@ contract CrossChainPaymaster is
 {
     using RLPReader for RLPReader.RLPItem;
     using RLPReader for bytes;
+    using EnumerableSet for EnumerableSet.AddressSet;
+    using Arrays for uint256[];
 
     // ---------------------------------------------------------------------
     // Constants
@@ -42,6 +46,12 @@ contract CrossChainPaymaster is
         )
     );
 
+    /**
+     * @notice Standard decimal scale for normalizing ROSE/USD feed prices
+     * @dev All feed prices are normalized to this scale before averaging
+     */
+    uint8 internal constant NORMALIZED_DECIMALS = 18;
+
     // ---------------------------------------------------------------------
     // Storage
     // ---------------------------------------------------------------------
@@ -53,9 +63,10 @@ contract CrossChainPaymaster is
     mapping(address => AggregatorV3Interface) public priceFeeds;
 
     /**
-     * @notice ROSE/USD price feed (USD per 1 ROSE)
+     * @notice Set of ROSE/USD price feeds (USD per 1 ROSE) from multiple sources
+     * @dev Using EnumerableSet to prevent duplicates and allow efficient add/remove
      */
-    AggregatorV3Interface public roseUsdFeed;
+    EnumerableSet.AddressSet private _roseUsdFeeds;
 
     /**
      * @notice Token decimal mappings (token => decimals)
@@ -97,14 +108,14 @@ contract CrossChainPaymaster is
      * @param _shoyuBashi Hashi ShoyuBashi contract address
      * @param _limits Distribution limits for payments
      * @param _stalenessThreshold Maximum age for price data in seconds
-     * @param _roseUsdFeed Chainlink Aggregator for ROSE/USD
+     * @param roseUsdFeeds Array of price feed addresses for ROSE/USD
      */
     function initialize(
         address _owner,
         address _shoyuBashi,
         SapphireTypes.DistributionLimits memory _limits,
         uint256 _stalenessThreshold,
-        address _roseUsdFeed
+        address[] memory roseUsdFeeds
     ) external initializer {
         __ReentrancyGuard_init();
         __HashiProverUpgradeable_init(_shoyuBashi);
@@ -114,8 +125,14 @@ contract CrossChainPaymaster is
         stalenessThreshold = _stalenessThreshold;
         limits = _limits;
 
-        if (_roseUsdFeed == address(0)) revert InvalidPriceFeed();
-        roseUsdFeed = AggregatorV3Interface(_roseUsdFeed);
+        // Require at least one ROSE/USD feed
+        if (roseUsdFeeds.length == 0) revert NoRoseUsdFeeds();
+
+        // Add all provided feeds to the set
+        for (uint256 i = 0; i < roseUsdFeeds.length; i++) {
+            if (roseUsdFeeds[i] == address(0)) revert InvalidPriceFeed();
+            if (!_roseUsdFeeds.add(roseUsdFeeds[i])) revert DuplicateRoseUsdFeed(roseUsdFeeds[i]);
+        }
 
         // Transfer ownership to requested owner if different
         if (_owner != owner()) {
@@ -141,10 +158,19 @@ contract CrossChainPaymaster is
     /**
      * @inheritdoc ICrossChainPaymaster
      */
-    function setRoseUsdFeed(address feed) external onlyOwner override {
+    function addRoseUsdFeed(address feed) external onlyOwner override {
         if (feed == address(0)) revert InvalidPriceFeed();
-        emit RoseUsdFeedUpdated(address(roseUsdFeed), feed);
-        roseUsdFeed = AggregatorV3Interface(feed);
+        if (!_roseUsdFeeds.add(feed)) revert DuplicateRoseUsdFeed(feed);
+        emit RoseUsdFeedAdded(feed);
+    }
+
+    /**
+     * @inheritdoc ICrossChainPaymaster
+     */
+    function removeRoseUsdFeed(address feed) external onlyOwner override {
+        if (_roseUsdFeeds.length() <= 1) revert NoRoseUsdFeeds();
+        if (!_roseUsdFeeds.remove(feed)) revert RoseUsdFeedNotFound(feed);
+        emit RoseUsdFeedRemoved(feed);
     }
 
     /**
@@ -304,6 +330,27 @@ contract CrossChainPaymaster is
         return processedPayments[paymentId];
     }
 
+    /**
+     * @inheritdoc ICrossChainPaymaster
+     */
+    function getRoseUsdFeeds() external view override returns (address[] memory) {
+        return _roseUsdFeeds.values();
+    }
+
+    /**
+     * @inheritdoc ICrossChainPaymaster
+     */
+    function getRoseUsdFeedCount() external view override returns (uint256) {
+        return _roseUsdFeeds.length();
+    }
+
+    /**
+     * @inheritdoc ICrossChainPaymaster
+     */
+    function getRoseUsdFeedAt(uint256 index) external view override returns (address) {
+        return _roseUsdFeeds.at(index);
+    }
+
     // Decode PaymentInitiated log: [address, [topics...], data]
     /**
      * @notice Decodes a PaymentInitiated event log entry from RLP format
@@ -365,36 +412,133 @@ contract CrossChainPaymaster is
 
     /**
      * @notice Converts token amount to ROSE amount using Chainlink-style price feeds
+     * @dev Aggregates ROSE/USD price feeds as follows: uses the median value if
+     * there are 3 or more valid feeds, the mean if there are 2 valid feeds, and
+     * the direct value if there is only 1 valid feed. Skips invalid/stale feeds.     
      * @param token The token address
      * @param tokenAmount The amount of tokens to convert
      * @return roseAmount The equivalent amount in ROSE
      */
     function _convertToRose(address token, uint256 tokenAmount) internal view returns (uint256 roseAmount) {
         AggregatorV3Interface tokenUsd = priceFeeds[token];
         if (address(tokenUsd) == address(0)) revert NoPriceFeedForToken(token);
-        if (address(roseUsdFeed) == address(0)) revert InvalidPriceFeed();
+        if (_roseUsdFeeds.length() == 0) revert NoRoseUsdFeeds();
 
+        // Get token price data
         (uint80 tRound, int256 tPrice, , uint256 tUpdated, uint80 tAnsweredIn) = tokenUsd.latestRoundData();
-        (uint80 rRound, int256 rPrice, , uint256 rUpdated, uint80 rAnsweredIn) = roseUsdFeed.latestRoundData();
 
-        // Validate prices & rounds
+        // Validate token price
         if (tPrice <= 0) revert InvalidPrice(tPrice);
-        if (rPrice <= 0) revert InvalidPrice(rPrice);
-        if (tAnsweredIn < tRound || rAnsweredIn < rRound) revert StalePrice(0, 0);
+        if (tAnsweredIn < tRound) revert StalePrice(0, 0);
         if (tUpdated == 0 || block.timestamp - tUpdated > stalenessThreshold) revert StalePrice(tUpdated, stalenessThreshold);
-        if (rUpdated == 0 || block.timestamp - rUpdated > stalenessThreshold) revert StalePrice(rUpdated, stalenessThreshold);
 
         uint8 tokenDec = tokenDecimals[token];
         if (tokenDec == 0) tokenDec = 18;
-
         uint8 tDec = tokenUsd.decimals();
-        uint8 rDec = roseUsdFeed.decimals();
+
+        // Collect valid ROSE/USD prices from all feeds, normalized to 18 decimals
+        uint256[] memory normalizedPrices = new uint256[](_roseUsdFeeds.length());
+        uint256 validFeedCount = 0;
+
+        uint256 roseUsdFeedCount = _roseUsdFeeds.length();
+        for (uint256 i = 0; i < roseUsdFeedCount; i++) {
+            address feedAddr = _roseUsdFeeds.at(i);
+            AggregatorV3Interface roseFeed = AggregatorV3Interface(feedAddr);
+
+            try roseFeed.latestRoundData() returns (
+                uint80 rRound,
+                int256 rPrice,
+                uint256,
+                uint256 rUpdated,
+                uint80 rAnsweredIn
+            ) {
+                // Validate ROSE price from this feed
+                if (rPrice <= 0) continue; // Skip invalid price
+                if (rAnsweredIn < rRound) continue; // Skip stale round
+                if (rUpdated == 0 || block.timestamp - rUpdated > stalenessThreshold) continue; // Skip stale data
+
+                // Normalize price to 18 decimals before storing
+                uint8 feedDecimals = roseFeed.decimals();
+                uint256 normalizedPrice;
+
+                if (feedDecimals < NORMALIZED_DECIMALS) {
+                    // Scale up: price * 10^(18 - feedDecimals)
+                    normalizedPrice = uint256(rPrice) * (10 ** (NORMALIZED_DECIMALS - feedDecimals));
+                } else if (feedDecimals > NORMALIZED_DECIMALS) {
+                    // Scale down: price / 10^(feedDecimals - 18)
+                    normalizedPrice = uint256(rPrice) / (10 ** (feedDecimals - NORMALIZED_DECIMALS));
+                } else {
+                    // Already 18 decimals
+                    normalizedPrice = uint256(rPrice);
+                }
+
+                normalizedPrices[validFeedCount] = normalizedPrice;
+                validFeedCount++;
+            } catch {
+                // Skip feeds that revert
+                continue;
+            }
+        }
+
+        // Require at least one valid feed
+        if (validFeedCount == 0) revert NoValidRoseUsdFeeds();
+
+        // Calculate aggregated ROSE/USD price using appropriate method
+        uint256 avgRosePrice;
+        if (validFeedCount == 1) {
+            // Single feed: use directly
+            avgRosePrice = normalizedPrices[0];
+        } else if (validFeedCount == 2) {
+            // Two feeds: calculate mean (equivalent to median for 2 values)
+            avgRosePrice = Math.average(normalizedPrices[0], normalizedPrices[1]);
+        } else {
+            // Three or more feeds: use median for outlier resistance
+            avgRosePrice = _calculateMedian(normalizedPrices, validFeedCount);
+        }
 
         // roseAmount = tokenAmount * (tokenUsd / roseUsd) adjusted to 18 decimals
-        // = tokenAmount * tPrice * 10^rDec * 10^18 / (10^tokenDec * 10^tDec * rPrice)
+        // = tokenAmount * tPrice * 10^18 * 10^18 / (10^tokenDec * 10^tDec * avgRosePrice)
         uint256 num = Math.mulDiv(tokenAmount, uint256(tPrice), 10 ** tokenDec);
-        num = Math.mulDiv(num, 10 ** rDec, 10 ** tDec);
-        roseAmount = Math.mulDiv(num, 1e18, uint256(rPrice));
+        num = Math.mulDiv(num, 10 ** NORMALIZED_DECIMALS, 10 ** tDec);
+        roseAmount = Math.mulDiv(num, 1e18, avgRosePrice);
+    }
+
+    // ---------------------------------------------------------------------
+    // Price Aggregation Helpers
+    // ---------------------------------------------------------------------
+
+    /**
+     * @notice Calculates the median of a price array
+     * @dev Sorts the array using OpenZeppelin's Arrays.sort() and returns the middle value(s)
+     * @param prices Array of normalized prices
+     * @param count Number of valid prices in the array
+     * @return The median price, if len(prices) is odd or mean of two median prices, if len(price) is even  
+
+     */
+    function _calculateMedian(uint256[] memory prices, uint256 count) internal pure returns (uint256) {
+        require(count > 0, "Empty price array");
+
+        // If count < array length, we need to create a new array with only valid elements
+        uint256[] memory validPrices;
+        if (count < prices.length) {
+            validPrices = new uint256[](count);
+            for (uint256 i = 0; i < count; i++) {
+                validPrices[i] = prices[i];
+            }
+        } else {
+            validPrices = prices;
+        }
+
+        validPrices.sort();
+
+        // Calculate median
+        if (count % 2 == 1) {
+            // Odd count: return middle element
+            return validPrices[count / 2];
+        } else {
+            // Even count: return average of two middle elements
+            return Math.average(validPrices[count / 2 - 1], validPrices[count / 2]);
+        }
     }
 
     /// @notice Accepts ROSE funding