Make trusted senders in coin hooks modifiable and include 0x caller address (#1360)

- Replace hardcoded trusted sender arrays with upgradeable lookup contract
- Add ITrustedMsgSenderProviderLookup interface for dynamic management
- Implement proxy/implementation pattern for trusted sender lookup
- Support batch add/remove operations with owner access control
- Update hooks to use shared trusted sender lookup instead of individual arrays

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <[email protected]>

Author: oveddan

.changeset/clean-lizards-tease.md

@@ -0,0 +1,7 @@
+---
+"@zoralabs/coins": minor
+---
+
+Make trusted senders in coin hooks modifiable
+
+Trusted message senders can now be added or removed after hook deployment instead of being hardcoded at deployment time.

.github/actions/setup_deps/action.yml

@@ -18,6 +18,6 @@ runs:
       shell: bash
 
     - name: Install Foundry
-      uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
+      uses: foundry-rs/foundry-toolchain@de808b1eea699e761c404bda44ba8f21aba30b2c # v1
       with:
         version: v1.2.3

packages/coins/script/DeployTrustedMsgSenderLookup.s.sol

@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.28;
+
+import {CoinsDeployerBase} from "../src/deployment/CoinsDeployerBase.sol";
+
+contract DeployTrustedMsgSenderLookup is CoinsDeployerBase {
+    function run() public {
+        CoinsDeployment memory deployment = readDeployment();
+
+        vm.startBroadcast();
+
+        // Deploy the trusted message sender lookup contract
+        deployment = deployTrustedMsgSenderLookup(deployment);
+
+        vm.stopBroadcast();
+
+        // Save the updated deployment json
+        saveDeployment(deployment);
+    }
+}

packages/coins/src/deployment/CoinsDeployerBase.sol

@@ -19,6 +19,8 @@ import {CreatorCoin} from "../CreatorCoin.sol";
 import {Create2} from "@openzeppelin/contracts/utils/Create2.sol";
 import {HookUpgradeGate} from "../hooks/HookUpgradeGate.sol";
 import {BuySupplyWithV4SwapHook} from "../hooks/deployment/BuySupplyWithV4SwapHook.sol";
+import {TrustedMsgSenderProviderLookup} from "../utils/TrustedMsgSenderProviderLookup.sol";
+import {ITrustedMsgSenderProviderLookup} from "../interfaces/ITrustedMsgSenderProviderLookup.sol";
 
 contract CoinsDeployerBase is ProxyDeployerScript {
     address internal constant PROTOCOL_REWARDS = 0x7777777F279eba3d3Ad8F4E708545291A6fDBA8B;
@@ -39,6 +41,8 @@ contract CoinsDeployerBase is ProxyDeployerScript {
         address buySupplyWithSwapRouterHook;
         address zoraV4CoinHook;
         address hookUpgradeGate;
+        // trusted sender lookup
+        address trustedMsgSenderLookup;
         // Hook deployment salt (for deterministic deployment)
         bytes32 zoraV4CoinHookSalt;
         bool isDev;
@@ -70,6 +74,7 @@ contract CoinsDeployerBase is ProxyDeployerScript {
         vm.serializeAddress(objectKey, "CREATOR_COIN_IMPL", deployment.creatorCoinImpl);
         vm.serializeAddress(objectKey, "HOOK_UPGRADE_GATE", deployment.hookUpgradeGate);
         vm.serializeAddress(objectKey, "ZORA_HOOK_REGISTRY", deployment.zoraHookRegistry);
+        vm.serializeAddress(objectKey, "TRUSTED_MSG_SENDER_LOOKUP", deployment.trustedMsgSenderLookup);
         string memory result = vm.serializeAddress(objectKey, "COIN_V4_IMPL", deployment.coinV4Impl);
 
         vm.writeJson(result, addressesFile(deployment.isDev));
@@ -98,6 +103,7 @@ contract CoinsDeployerBase is ProxyDeployerScript {
         deployment.creatorCoinImpl = readAddressOrDefaultToZero(json, "CREATOR_COIN_IMPL");
         deployment.hookUpgradeGate = readAddressOrDefaultToZero(json, "HOOK_UPGRADE_GATE");
         deployment.zoraHookRegistry = readAddressOrDefaultToZero(json, "ZORA_HOOK_REGISTRY");
+        deployment.trustedMsgSenderLookup = readAddressOrDefaultToZero(json, "TRUSTED_MSG_SENDER_LOOKUP");
     }
 
     function deployCoinV4Impl() internal returns (ContentCoin) {
@@ -139,14 +145,23 @@ contract CoinsDeployerBase is ProxyDeployerScript {
         return deployment;
     }
 
+    function deployTrustedMsgSenderLookup(CoinsDeployment memory deployment) internal returns (CoinsDeployment memory) {
+        // Deploy the contract directly using constructor
+        deployment.trustedMsgSenderLookup = address(new TrustedMsgSenderProviderLookup(getDefaultTrustedMessageSenders(), getProxyAdmin()));
+
+        return deployment;
+    }
+
     function deployZoraV4CoinHook(CoinsDeployment memory deployment) internal returns (IHooks hook, bytes32 salt) {
+        require(deployment.trustedMsgSenderLookup != address(0), "Trusted message sender lookup not deployed");
+
         return
             HooksDeployment.deployHookWithExistingOrNewSalt(
                 HooksDeployment.FOUNDRY_SCRIPT_ADDRESS,
                 HooksDeployment.makeHookCreationCode(
                     getUniswapV4PoolManager(),
                     deployment.zoraFactory,
-                    getDefaultTrustedMessageSenders(),
+                    ITrustedMsgSenderProviderLookup(deployment.trustedMsgSenderLookup),
                     deployment.hookUpgradeGate
                 ),
                 deployment.zoraV4CoinHookSalt
@@ -175,6 +190,9 @@ contract CoinsDeployerBase is ProxyDeployerScript {
     function deployImpls(CoinsDeployment memory deployment) internal returns (CoinsDeployment memory) {
         // Deploy implementation contracts
 
+        // Deploy trusted message sender lookup first
+        deployment = deployTrustedMsgSenderLookup(deployment);
+
         // Deploy hook first, then use its address for coin v4 impl
         console.log("deploying content coin hook");
         (IHooks zoraV4CoinHook, bytes32 usedSalt) = deployZoraV4CoinHook(deployment);
@@ -191,6 +209,9 @@ contract CoinsDeployerBase is ProxyDeployerScript {
     }
 
     function deployHooks(CoinsDeployment memory deployment) internal returns (CoinsDeployment memory) {
+        // Deploy trusted message sender lookup first
+        deployment = deployTrustedMsgSenderLookup(deployment);
+
         // Deploy hook first, then use its address for coin v4 impl
         (IHooks zoraV4CoinHook, bytes32 usedSalt) = deployZoraV4CoinHook(deployment);
         deployment.zoraV4CoinHook = address(zoraV4CoinHook);

packages/coins/src/hooks/ZoraV4CoinHook.sol

@@ -16,6 +16,7 @@ import {Currency} from "@uniswap/v4-core/src/types/Currency.sol";
 import {SwapParams} from "@uniswap/v4-core/src/types/PoolOperation.sol";
 import {IZoraV4CoinHook} from "../interfaces/IZoraV4CoinHook.sol";
 import {IMsgSender} from "../interfaces/IMsgSender.sol";
+import {ITrustedMsgSenderProviderLookup} from "../interfaces/ITrustedMsgSenderProviderLookup.sol";
 import {IHasSwapPath} from "../interfaces/ICoin.sol";
 import {LpPosition} from "../types/LpPosition.sol";
 import {V4Liquidity} from "../libs/V4Liquidity.sol";
@@ -60,9 +61,10 @@ contract ZoraV4CoinHook is
 {
     using BalanceDeltaLibrary for BalanceDelta;
 
-    /// @notice Mapping of trusted message senders - these are addresses that are trusted to provide a
-    /// an original msg.sender
-    mapping(address => bool) internal trustedMessageSender;
+    /// @dev DEPRECATED: This mapping is kept for storage compatibility. It doesn't matter that storage slots moved around
+    /// between versions since the contracts are immutable, but in some tests we do etching to test if a new hook fixes some bugs, so we want to maintain the storage slot order.
+    /// This slot previously held the mappings of trusted message senders.
+    mapping(address => bool) internal legacySlot0;
 
     /// @notice Mapping of pool keys to coins.
     mapping(bytes32 => IZoraV4CoinHook.PoolCoin) internal poolCoins;
@@ -73,27 +75,34 @@ contract ZoraV4CoinHook is
     /// @notice The upgrade gate contract - used to verify allowed upgrade paths
     IHooksUpgradeGate internal immutable upgradeGate;
 
+    /// @notice The trusted message sender lookup contract - used to determine if an address is trusted
+    ITrustedMsgSenderProviderLookup internal immutable trustedMsgSenderLookup;
+
     /// @notice The constructor for the ZoraV4CoinHook.
     /// @param poolManager_ The Uniswap V4 pool manager
     /// @param coinVersionLookup_ The coin version lookup contract - used to determine if an address is a coin and what version it is.
-    /// @param trustedMessageSenders_ The addresses of the trusted message senders - these are addresses that are trusted to provide a
+    /// @param trustedMsgSenderLookup_ The trusted message sender lookup contract - used to determine if an address is trusted
     /// @param upgradeGate_ The upgrade gate contract for managing hook upgrades
     constructor(
         IPoolManager poolManager_,
         IDeployedCoinVersionLookup coinVersionLookup_,
-        address[] memory trustedMessageSenders_,
+        ITrustedMsgSenderProviderLookup trustedMsgSenderLookup_,
         IHooksUpgradeGate upgradeGate_
     ) BaseHook(poolManager_) {
         require(address(coinVersionLookup_) != address(0), CoinVersionLookupCannotBeZeroAddress());
 
         require(address(upgradeGate_) != address(0), UpgradeGateCannotBeZeroAddress());
 
+        require(address(trustedMsgSenderLookup_) != address(0), TrustedMsgSenderLookupCannotBeZeroAddress());
+
         coinVersionLookup = coinVersionLookup_;
         upgradeGate = upgradeGate_;
+        trustedMsgSenderLookup = trustedMsgSenderLookup_;
+    }
 
-        for (uint256 i = 0; i < trustedMessageSenders_.length; i++) {
-            trustedMessageSender[trustedMessageSenders_[i]] = true;
-        }
+    /// @notice Returns the trusted message sender lookup contract
+    function getTrustedMsgSenderLookup() external view returns (ITrustedMsgSenderProviderLookup) {
+        return trustedMsgSenderLookup;
     }
 
     /// @notice Returns the uniswap v4 hook settings / permissions.
@@ -120,7 +129,7 @@ contract ZoraV4CoinHook is
 
     /// @inheritdoc IZoraV4CoinHook
     function isTrustedMessageSender(address sender) external view returns (bool) {
-        return trustedMessageSender[sender];
+        return trustedMsgSenderLookup.isTrustedMsgSenderProvider(sender);
     }
 
     /// @inheritdoc IZoraV4CoinHook
@@ -403,7 +412,12 @@ contract ZoraV4CoinHook is
     /// @return swapper The original message sender.
     /// @return senderIsTrusted Whether the sender is a trusted message sender.
     function _getOriginalMsgSender(address sender) internal view returns (address swapper, bool senderIsTrusted) {
-        senderIsTrusted = trustedMessageSender[sender];
+        // Always trust the zero address (0x caller)
+        if (sender == address(0)) {
+            senderIsTrusted = true;
+        } else {
+            senderIsTrusted = trustedMsgSenderLookup.isTrustedMsgSenderProvider(sender);
+        }
 
         // If getter function reverts, we return a 0 address by default and continue execution.
         try IMsgSender(sender).msgSender() returns (address _swapper) {

packages/coins/src/interfaces/ITrustedMsgSenderProviderLookup.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: ZORA-DELAYED-OSL-v1
+// This software is licensed under the Zora Delayed Open Source License.
+// Under this license, you may use, copy, modify, and distribute this software for
+// non-commercial purposes only. Commercial use and competitive products are prohibited
+// until the "Open Date" (3 years from first public distribution or earlier at Zora's discretion),
+// at which point this software automatically becomes available under the MIT License.
+// Full license terms available at: https://docs.zora.co/coins/license
+pragma solidity ^0.8.23;
+
+/// @title ITrustedMsgSenderProviderLookup
+/// @notice Interface for contracts that can determine if an address is a trusted message sender
+/// @dev This interface allows the hook to delegate the trusted sender check to an external contract
+interface ITrustedMsgSenderProviderLookup {
+    /// @notice Checks if an address is a trusted message sender provider
+    /// @param sender The address to check
+    /// @return true if the sender is trusted, false otherwise
+    function isTrustedMsgSenderProvider(address sender) external view returns (bool);
+}

packages/coins/src/interfaces/IZoraV4CoinHook.sol

@@ -44,6 +44,9 @@ interface IZoraV4CoinHook is IUpgradeableV4Hook {
     /// @notice Upgrade gate cannot be the zero address.
     error UpgradeGateCannotBeZeroAddress();
 
+    /// @notice Trusted message sender lookup cannot be the zero address.
+    error TrustedMsgSenderLookupCannotBeZeroAddress();
+
     /// @notice Thrown when a pool is not initialized for the hook.
     /// @param key The pool key struct to identify the pool.
     error NoCoinForHook(PoolKey key);

packages/coins/src/libs/HooksDeployment.sol

@@ -14,6 +14,7 @@ import {HookMiner} from "@uniswap/v4-periphery/src/utils/HookMiner.sol";
 import {IPoolManager} from "@uniswap/v4-core/src/interfaces/IPoolManager.sol";
 import {Create2} from "@openzeppelin/contracts/utils/Create2.sol";
 import {IHooks} from "@uniswap/v4-core/src/interfaces/IHooks.sol";
+import {ITrustedMsgSenderProviderLookup} from "../interfaces/ITrustedMsgSenderProviderLookup.sol";
 
 Vm constant vm = Vm(address(bytes20(uint160(uint256(keccak256("hevm cheat code"))))));
 
@@ -86,10 +87,10 @@ library HooksDeployment {
         address deployer,
         address poolManager,
         address coinVersionLookup,
-        address[] memory trustedMessageSenders,
+        ITrustedMsgSenderProviderLookup trustedMsgSenderLookup,
         address upgradeGate
     ) internal returns (address hookAddress, bytes32 salt) {
-        bytes memory hookCreationCode = makeHookCreationCode(poolManager, coinVersionLookup, trustedMessageSenders, upgradeGate);
+        bytes memory hookCreationCode = makeHookCreationCode(poolManager, coinVersionLookup, trustedMsgSenderLookup, upgradeGate);
         (salt, ) = mineAndCacheSalt(deployer, hookCreationCode);
         hookAddress = HookMinerWithCreationCodeArgs.deterministicHookAddress(deployer, salt, hookCreationCode);
     }
@@ -131,31 +132,31 @@ library HooksDeployment {
     function hookConstructorArgs(
         address poolManager,
         address coinVersionLookup,
-        address[] memory trustedMessageSenders,
+        ITrustedMsgSenderProviderLookup trustedMsgSenderLookup,
         address upgradeGate
     ) internal pure returns (bytes memory) {
-        return abi.encode(poolManager, coinVersionLookup, trustedMessageSenders, upgradeGate);
+        return abi.encode(poolManager, coinVersionLookup, trustedMsgSenderLookup, upgradeGate);
     }
 
     function makeHookCreationCode(
         address poolManager,
         address coinVersionLookup,
-        address[] memory trustedMessageSenders,
+        ITrustedMsgSenderProviderLookup trustedMsgSenderLookup,
         address upgradeGate
     ) internal pure returns (bytes memory) {
-        return abi.encodePacked(type(ZoraV4CoinHook).creationCode, hookConstructorArgs(poolManager, coinVersionLookup, trustedMessageSenders, upgradeGate));
+        return abi.encodePacked(type(ZoraV4CoinHook).creationCode, hookConstructorArgs(poolManager, coinVersionLookup, trustedMsgSenderLookup, upgradeGate));
     }
 
     /// @notice Deploys or returns existing ContentCoinHook using deterministic deployment.  Ensures that if a hooks is already
     /// deployed with the provided salt, it will be returned.
     function deployZoraV4CoinHook(
         address poolManager,
         address coinVersionLookup,
-        address[] memory trustedMessageSenders,
+        ITrustedMsgSenderProviderLookup trustedMsgSenderLookup,
         address upgradeGate,
         bytes32 salt
     ) internal returns (IHooks hook) {
-        bytes memory creationCode = makeHookCreationCode(poolManager, coinVersionLookup, trustedMessageSenders, upgradeGate);
+        bytes memory creationCode = makeHookCreationCode(poolManager, coinVersionLookup, trustedMsgSenderLookup, upgradeGate);
         return deployHookWithSalt(creationCode, salt);
     }
 

packages/coins/src/utils/TrustedMsgSenderProviderLookup.sol

@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: ZORA-DELAYED-OSL-v1
+// This software is licensed under the Zora Delayed Open Source License.
+// Under this license, you may use, copy, modify, and distribute this software for
+// non-commercial purposes only. Commercial use and competitive products are prohibited
+// until the "Open Date" (3 years from first public distribution or earlier at Zora's discretion),
+// at which point this software automatically becomes available under the MIT License.
+// Full license terms available at: https://docs.zora.co/coins/license
+pragma solidity ^0.8.23;
+
+import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
+import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
+import {ContractVersionBase} from "../version/ContractVersionBase.sol";
+import {ITrustedMsgSenderProviderLookup} from "../interfaces/ITrustedMsgSenderProviderLookup.sol";
+
+/// @title TrustedMsgSenderProviderLookup
+/// @notice Contract for ITrustedMsgSenderProviderLookup that manages trusted message senders
+/// @dev This contract allows the owner to add/remove trusted senders and provides lookup functionality
+contract TrustedMsgSenderProviderLookup is ITrustedMsgSenderProviderLookup, ContractVersionBase, Ownable2Step {
+    /// @notice Emitted when a trusted sender is added
+    /// @param sender The address that was added as trusted
+    event TrustedSenderAdded(address indexed sender);
+
+    /// @notice Emitted when a trusted sender is removed
+    /// @param sender The address that was removed from trusted
+    event TrustedSenderRemoved(address indexed sender);
+
+    /// @notice Mapping of addresses to their trusted sender status
+    mapping(address => bool) private trustedSenders;
+
+    /// @notice Constructor that initializes the contract with trusted senders and sets the owner
+    /// @param trustedMessageSenders Array of addresses to mark as trusted senders initially
+    /// @param initialOwner The address that will own this contract
+    constructor(address[] memory trustedMessageSenders, address initialOwner) Ownable(initialOwner) {
+        for (uint256 i = 0; i < trustedMessageSenders.length; i++) {
+            trustedSenders[trustedMessageSenders[i]] = true;
+            emit TrustedSenderAdded(trustedMessageSenders[i]);
+        }
+    }
+
+    /// @notice Checks if an address is a trusted message sender provider
+    /// @param sender The address to check
+    /// @return true if the sender is trusted, false otherwise
+    function isTrustedMsgSenderProvider(address sender) external view override returns (bool) {
+        return trustedSenders[sender];
+    }
+
+    /// @notice Adds multiple trusted senders in a single transaction (only callable by owner)
+    /// @param senders Array of addresses to add as trusted
+    function addTrustedMsgSenderProviders(address[] calldata senders) external onlyOwner {
+        for (uint256 i = 0; i < senders.length; i++) {
+            address sender = senders[i];
+            require(sender != address(0), "Cannot add zero address as trusted sender");
+
+            if (!trustedSenders[sender]) {
+                trustedSenders[sender] = true;
+                emit TrustedSenderAdded(sender);
+            }
+        }
+    }
+
+    /// @notice Removes multiple trusted senders in a single transaction (only callable by owner)
+    /// @param senders Array of addresses to remove from trusted
+    function removeTrustedMsgSenderProviders(address[] calldata senders) external onlyOwner {
+        for (uint256 i = 0; i < senders.length; i++) {
+            address sender = senders[i];
+
+            if (trustedSenders[sender]) {
+                trustedSenders[sender] = false;
+                emit TrustedSenderRemoved(sender);
+            }
+        }
+    }
+}

packages/coins/test/CreatorCoinRewards.t.sol

@@ -289,12 +289,16 @@ contract CreatorCoinRewardsTest is BaseTest {
     function test_buy_then_sell_both_referrers() public {
         uint128 buyAmount = 100 ether; // Fixed amount
 
+        console.log("deploying creator coin with platform referrer");
         // Deploy CreatorCoin with platform referrer
         _deployCreatorCoin(true);
 
+        console.log("buying creator coin with both referrers");
         // Step 1: Buy creator coin (ZORA -> Creator Coin)
         _buyCreatorCoin(buyAmount, true);
 
+        console.log("buyer's creator coin balance", creatorCoin.balanceOf(users.buyer));
+
         // Get buyer's creator coin balance after purchase
         uint256 creatorCoinBalance = creatorCoin.balanceOf(users.buyer);
         require(creatorCoinBalance > 0, "Buyer must have creator coin balance to sell");