[eth] - optimize ReceiverMessages parseAndVerifyVM (#901)

* feat(eth): optimize ReceiverMessages parseAndVerifyVM

* test(eth): update test setups to use wormholeReceiver

* chore(eth): remove console logging

* feat(eth): optimize & revert return type for parseAndVerifyVM

* fix(eth): add index boundary checks

* perf(eth): optimize verifySignature by passing in primitives instead of structs

* test(eth): add wormhole tests related to guardian set validity

* test(eth): add more parseAndVerify failure test cases

* test(eth): add more failure tests for parseAndVerify

* test(eth): add empty forge test, refactor/deduplicate

Author: swimricky

target_chains/ethereum/contracts/contracts/libraries/external/UnsafeCalldataBytesLib.sol

@@ -20,6 +20,13 @@ library UnsafeCalldataBytesLib {
         return _bytes[_start:_start + _length];
     }
 
+    function sliceFrom(
+        bytes calldata _bytes,
+        uint256 _start
+    ) internal pure returns (bytes calldata) {
+        return _bytes[_start:_bytes.length];
+    }
+
     function toAddress(
         bytes calldata _bytes,
         uint256 _start

target_chains/ethereum/contracts/contracts/pyth/Pyth.sol

@@ -75,7 +75,8 @@ abstract contract Pyth is
         for (uint i = 0; i < updateData.length; ) {
             if (
                 updateData[i].length > 4 &&
-                UnsafeBytesLib.toUint32(updateData[i], 0) == ACCUMULATOR_MAGIC
+                UnsafeCalldataBytesLib.toUint32(updateData[i], 0) ==
+                ACCUMULATOR_MAGIC
             ) {
                 totalNumUpdates += updatePriceInfosFromAccumulatorUpdate(
                     updateData[i]
@@ -143,7 +144,6 @@ abstract contract Pyth is
         // operations have proper require.
         unchecked {
             bytes memory encoded = vm.payload;
-
             (
                 uint index,
                 uint nAttestations,

target_chains/ethereum/contracts/contracts/pyth/PythAccumulator.sol

@@ -31,7 +31,7 @@ abstract contract PythAccumulator is PythGetters, PythSetters, AbstractPyth {
     // This method is also used by batch attestation but moved here
     // as the batch attestation will deprecate soon.
     function parseAndVerifyPythVM(
-        bytes memory encodedVm
+        bytes calldata encodedVm
     ) internal view returns (IWormhole.VM memory vm) {
         {
             bool valid;
@@ -152,7 +152,6 @@ abstract contract PythAccumulator is PythGetters, PythSetters, AbstractPyth {
 
                     // TODO: Do we need to emit an update for accumulator update? If so what should we emit?
                     // emit AccumulatorUpdate(vm.chainId, vm.sequence);
-
                     encodedPayload = vm.payload;
                 }
 
@@ -200,16 +199,19 @@ abstract contract PythAccumulator is PythGetters, PythSetters, AbstractPyth {
     }
 
     function parseWormholeMerkleHeaderNumUpdates(
-        bytes memory wormholeMerkleUpdate,
+        bytes calldata wormholeMerkleUpdate,
         uint offset
     ) internal pure returns (uint8 numUpdates) {
-        uint16 whProofSize = UnsafeBytesLib.toUint16(
+        uint16 whProofSize = UnsafeCalldataBytesLib.toUint16(
             wormholeMerkleUpdate,
             offset
         );
         offset += 2;
         offset += whProofSize;
-        numUpdates = UnsafeBytesLib.toUint8(wormholeMerkleUpdate, offset);
+        numUpdates = UnsafeCalldataBytesLib.toUint8(
+            wormholeMerkleUpdate,
+            offset
+        );
     }
 
     function extractPriceInfoFromMerkleProof(

target_chains/ethereum/contracts/contracts/wormhole-receiver/ReceiverMessages.sol

@@ -7,20 +7,179 @@ pragma experimental ABIEncoderV2;
 import "./ReceiverGetters.sol";
 import "./ReceiverStructs.sol";
 import "../libraries/external/BytesLib.sol";
+import "../libraries/external/UnsafeCalldataBytesLib.sol";
+
+error VmVersionIncompatible();
+error SignatureIndexesNotAscending();
 
 contract ReceiverMessages is ReceiverGetters {
     using BytesLib for bytes;
 
     /// @dev parseAndVerifyVM serves to parse an encodedVM and wholy validate it for consumption
+    /// WARNING: it intentionally sets vm.signatures to an empty array since it is not needed after it is validated in this function
+    /// since it not used anywhere. If you need to use vm.signatures, use parseVM and verifyVM separately.
     function parseAndVerifyVM(
         bytes calldata encodedVM
     )
         public
         view
         returns (ReceiverStructs.VM memory vm, bool valid, string memory reason)
     {
-        vm = parseVM(encodedVM);
-        (valid, reason) = verifyVM(vm);
+        uint index = 0;
+        unchecked {
+            {
+                vm.version = UnsafeCalldataBytesLib.toUint8(encodedVM, index);
+                index += 1;
+                if (vm.version != 1) {
+                    revert VmVersionIncompatible();
+                }
+            }
+
+            ReceiverStructs.GuardianSet memory guardianSet;
+            {
+                vm.guardianSetIndex = UnsafeCalldataBytesLib.toUint32(
+                    encodedVM,
+                    index
+                );
+                index += 4;
+                guardianSet = getGuardianSet(vm.guardianSetIndex);
+
+                /**
+                 * @dev Checks whether the guardianSet has zero keys
+                 * WARNING: This keys check is critical to ensure the guardianSet has keys present AND to ensure
+                 * that guardianSet key size doesn't fall to zero and negatively impact quorum assessment.  If guardianSet
+                 * key length is 0 and vm.signatures length is 0, this could compromise the integrity of both vm and
+                 * signature verification.
+                 */
+                if (guardianSet.keys.length == 0) {
+                    return (vm, false, "invalid guardian set");
+                }
+
+                /// @dev Checks if VM guardian set index matches the current index (unless the current set is expired).
+                if (
+                    vm.guardianSetIndex != getCurrentGuardianSetIndex() &&
+                    guardianSet.expirationTime < block.timestamp
+                ) {
+                    return (vm, false, "guardian set has expired");
+                }
+            }
+
+            // Parse Signatures
+            uint256 signersLen = UnsafeCalldataBytesLib.toUint8(
+                encodedVM,
+                index
+            );
+            index += 1;
+            {
+                // 66 is the length of each signature
+                // 1 (guardianIndex) + 32 (r) + 32 (s) + 1 (v)
+                uint hashIndex = index + (signersLen * 66);
+                if (hashIndex > encodedVM.length) {
+                    return (vm, false, "invalid signature length");
+                }
+                // Hash the body
+                vm.hash = keccak256(
+                    abi.encodePacked(
+                        keccak256(
+                            UnsafeCalldataBytesLib.sliceFrom(
+                                encodedVM,
+                                hashIndex
+                            )
+                        )
+                    )
+                );
+            }
+
+            {
+                uint8 lastIndex = 0;
+                for (uint i = 0; i < signersLen; i++) {
+                    ReceiverStructs.Signature memory sig;
+                    sig.guardianIndex = UnsafeCalldataBytesLib.toUint8(
+                        encodedVM,
+                        index
+                    );
+                    index += 1;
+
+                    sig.r = UnsafeCalldataBytesLib.toBytes32(encodedVM, index);
+                    index += 32;
+                    sig.s = UnsafeCalldataBytesLib.toBytes32(encodedVM, index);
+                    index += 32;
+                    sig.v =
+                        UnsafeCalldataBytesLib.toUint8(encodedVM, index) +
+                        27;
+                    index += 1;
+                    bool signatureValid;
+                    string memory invalidReason;
+                    (signatureValid, invalidReason) = verifySignature(
+                        i,
+                        lastIndex,
+                        vm.hash,
+                        sig.guardianIndex,
+                        sig.r,
+                        sig.s,
+                        sig.v,
+                        guardianSet.keys[sig.guardianIndex]
+                    );
+                    if (!signatureValid) {
+                        return (vm, false, invalidReason);
+                    }
+                    lastIndex = sig.guardianIndex;
+                }
+            }
+
+            /**
+             * @dev We're using a fixed point number transformation with 1 decimal to deal with rounding.
+             *   WARNING: This quorum check is critical to assessing whether we have enough Guardian signatures to validate a VM
+             *   if making any changes to this, obtain additional peer review. If guardianSet key length is 0 and
+             *   vm.signatures length is 0, this could compromise the integrity of both vm and signature verification.
+             */
+
+            if (
+                (((guardianSet.keys.length * 10) / 3) * 2) / 10 + 1 > signersLen
+            ) {
+                return (vm, false, "no quorum");
+            }
+
+            // purposely setting vm.signatures to empty array since we don't need it anymore
+            // and we've already verified it above
+            vm.signatures = new ReceiverStructs.Signature[](0);
+
+            // Parse the body
+            vm.timestamp = UnsafeCalldataBytesLib.toUint32(encodedVM, index);
+            index += 4;
+
+            vm.nonce = UnsafeCalldataBytesLib.toUint32(encodedVM, index);
+            index += 4;
+
+            vm.emitterChainId = UnsafeCalldataBytesLib.toUint16(
+                encodedVM,
+                index
+            );
+            index += 2;
+
+            vm.emitterAddress = UnsafeCalldataBytesLib.toBytes32(
+                encodedVM,
+                index
+            );
+            index += 32;
+
+            vm.sequence = UnsafeCalldataBytesLib.toUint64(encodedVM, index);
+            index += 8;
+
+            vm.consistencyLevel = UnsafeCalldataBytesLib.toUint8(
+                encodedVM,
+                index
+            );
+            index += 1;
+
+            if (index > encodedVM.length) {
+                return (vm, false, "invalid payload length");
+            }
+
+            vm.payload = UnsafeCalldataBytesLib.sliceFrom(encodedVM, index);
+
+            return (vm, true, "");
+        }
     }
 
     /**
@@ -84,6 +243,27 @@ contract ReceiverMessages is ReceiverGetters {
         return (true, "");
     }
 
+    function verifySignature(
+        uint i,
+        uint8 lastIndex,
+        bytes32 hash,
+        uint8 guardianIndex,
+        bytes32 r,
+        bytes32 s,
+        uint8 v,
+        address guardianSetKey
+    ) private pure returns (bool valid, string memory reason) {
+        /// Ensure that provided signature indices are ascending only
+        if (i != 0 && guardianIndex <= lastIndex) {
+            revert SignatureIndexesNotAscending();
+        }
+        /// Check to see if the signer of the signature does not match a specific Guardian key at the provided index
+        if (ecrecover(hash, v, r, s) != guardianSetKey) {
+            return (false, "VM signature invalid");
+        }
+        return (true, "");
+    }
+
     /**
      * @dev verifySignatures serves to validate arbitrary sigatures against an arbitrary guardianSet
      *  - it intentionally does not solve for expectations within guardianSet (you should use verifyVM if you need these protections)
@@ -98,21 +278,20 @@ contract ReceiverMessages is ReceiverGetters {
         uint8 lastIndex = 0;
         for (uint i = 0; i < signatures.length; i++) {
             ReceiverStructs.Signature memory sig = signatures[i];
-
-            /// Ensure that provided signature indices are ascending only
-            require(
-                i == 0 || sig.guardianIndex > lastIndex,
-                "signature indices must be ascending"
-            );
-            lastIndex = sig.guardianIndex;
-
-            /// Check to see if the signer of the signature does not match a specific Guardian key at the provided index
-            if (
-                ecrecover(hash, sig.v, sig.r, sig.s) !=
+            (valid, reason) = verifySignature(
+                i,
+                lastIndex,
+                hash,
+                sig.guardianIndex,
+                sig.r,
+                sig.s,
+                sig.v,
                 guardianSet.keys[sig.guardianIndex]
-            ) {
-                return (false, "VM signature invalid");
+            );
+            if (!valid) {
+                return (false, reason);
             }
+            lastIndex = sig.guardianIndex;
         }
 
         /// If we are here, we've validated that the provided signatures are valid for the provided guardianSet
@@ -130,7 +309,9 @@ contract ReceiverMessages is ReceiverGetters {
 
         vm.version = encodedVM.toUint8(index);
         index += 1;
-        require(vm.version == 1, "VM version incompatible");
+        if (vm.version != 1) {
+            revert VmVersionIncompatible();
+        }
 
         vm.guardianSetIndex = encodedVM.toUint32(index);
         index += 4;

target_chains/ethereum/contracts/forge-test/GasBenchmark.t.sol

@@ -25,6 +25,7 @@ contract GasBenchmark is Test, WormholeTestUtils, PythTestUtils {
     // We will have less than 512 price for a foreseeable future.
     uint8 constant MERKLE_TREE_DEPTH = 9;
 
+    IWormhole public wormhole;
     IPyth public pyth;
 
     bytes32[] priceIds;
@@ -51,7 +52,9 @@ contract GasBenchmark is Test, WormholeTestUtils, PythTestUtils {
     uint randSeed;
 
     function setUp() public {
-        pyth = IPyth(setUpPyth(setUpWormhole(NUM_GUARDIANS)));
+        address wormholeAddr = setUpWormholeReceiver(NUM_GUARDIANS);
+        wormhole = IWormhole(wormholeAddr);
+        pyth = IPyth(setUpPyth(wormholeAddr));
 
         priceIds = new bytes32[](NUM_PRICES);
         priceIds[0] = bytes32(
@@ -101,7 +104,6 @@ contract GasBenchmark is Test, WormholeTestUtils, PythTestUtils {
             freshPricesWhMerkleUpdateData.push(updateData);
             freshPricesWhMerkleUpdateFee.push(updateFee);
         }
-
         // Populate the contract with the initial prices
         (
             cachedPricesWhBatchUpdateData,
@@ -417,4 +419,8 @@ contract GasBenchmark is Test, WormholeTestUtils, PythTestUtils {
     function testBenchmarkGetUpdateFeeWhMerkle5() public view {
         pyth.getUpdateFee(freshPricesWhMerkleUpdateData[4]);
     }
+
+    function testBenchmarkWormholeParseAndVerifyVMBatchAttestation() public {
+        wormhole.parseAndVerifyVM(freshPricesWhBatchUpdateData[0]);
+    }
 }

target_chains/ethereum/contracts/forge-test/Pyth.WormholeMerkleAccumulator.t.sol

@@ -26,7 +26,7 @@ contract PythWormholeMerkleAccumulatorTest is
     uint64 constant MAX_UINT64 = uint64(int64(-1));
 
     function setUp() public {
-        pyth = IPyth(setUpPyth(setUpWormhole(1)));
+        pyth = IPyth(setUpPyth(setUpWormholeReceiver(1)));
     }
 
     function assertPriceFeedMessageStored(
@@ -476,13 +476,6 @@ contract PythWormholeMerkleAccumulatorTest is
         );
     }
 
-    function isNotMatch(
-        bytes memory a,
-        bytes memory b
-    ) public pure returns (bool) {
-        return keccak256(a) != keccak256(b);
-    }
-
     /// @notice This method creates a forged invalid wormhole update data.
     /// The caller should pass the forgeItem as string and if it matches the
     /// expected value, that item will be forged to be invalid.

target_chains/ethereum/contracts/forge-test/Pyth.t.sol

@@ -19,7 +19,7 @@ contract PythTest is Test, WormholeTestUtils, PythTestUtils, RandTestUtils {
     uint64 constant MAX_UINT64 = uint64(int64(-1));
 
     function setUp() public {
-        pyth = IPyth(setUpPyth(setUpWormhole(1)));
+        pyth = IPyth(setUpPyth(setUpWormholeReceiver(1)));
     }
 
     function generateRandomPriceAttestations(