add AdminWithdrawManager and cleanup withdraw functions & param hash verification

Author: tbwebb22

contracts/interfaces/ICounterfactualDeposit.sol

@@ -19,6 +19,34 @@ interface ICounterfactualDeposit {
     /// @dev EIP-712 signature deadline has passed. SpokePool only.
     error SignatureExpired();
 
+    /// @notice Emitted when the admin withdraws tokens from the clone.
     event AdminWithdraw(address indexed token, address indexed to, uint256 amount);
+    /// @notice Emitted when the user withdraws tokens from the clone.
     event UserWithdraw(address indexed token, address indexed to, uint256 amount);
+
+    /**
+     * @notice Admin withdraw to an arbitrary recipient.
+     * @param params ABI-encoded route parameters (verified against stored hash).
+     * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
+     * @param to Recipient of the withdrawn tokens.
+     * @param amount Amount to withdraw.
+     */
+    function adminWithdraw(bytes calldata params, address token, address to, uint256 amount) external;
+
+    /**
+     * @notice Admin withdraw that always sends to the clone's userWithdrawAddress.
+     * @param params ABI-encoded route parameters (verified against stored hash).
+     * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
+     * @param amount Amount to withdraw.
+     */
+    function adminWithdrawToUser(bytes calldata params, address token, uint256 amount) external;
+
+    /**
+     * @notice User withdraw (escape hatch before execution).
+     * @param params ABI-encoded route parameters (verified against stored hash).
+     * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
+     * @param to Recipient of the withdrawn tokens.
+     * @param amount Amount to withdraw.
+     */
+    function userWithdraw(bytes calldata params, address token, address to, uint256 amount) external;
 }

contracts/interfaces/ICounterfactualDepositFactory.sol

@@ -8,34 +8,70 @@ pragma solidity ^0.8.0;
  *      each implementation defines its own immutables struct, and the factory stores only the hash.
  */
 interface ICounterfactualDepositFactory {
+    /// @notice Emitted when a new clone is deployed.
     event DepositAddressCreated(
         address indexed depositAddress,
         address indexed counterfactualDepositImplementation,
         bytes32 indexed paramsHash,
         bytes32 salt
     );
 
+    /**
+     * @notice Predicts the deterministic address of a clone before deployment.
+     * @param counterfactualDepositImplementation Implementation contract address.
+     * @param paramsHash keccak256 hash of the ABI-encoded route parameters.
+     * @param salt Unique salt for address generation.
+     * @return Predicted address.
+     */
     function predictDepositAddress(
         address counterfactualDepositImplementation,
         bytes32 paramsHash,
         bytes32 salt
     ) external view returns (address);
 
+    /**
+     * @notice Deploys a counterfactual deposit clone via CREATE2.
+     * @param counterfactualDepositImplementation Implementation contract address.
+     * @param paramsHash keccak256 hash of the ABI-encoded route parameters.
+     * @param salt Unique salt for address generation.
+     * @return depositAddress Address of deployed clone.
+     */
     function deploy(
         address counterfactualDepositImplementation,
         bytes32 paramsHash,
         bytes32 salt
-    ) external returns (address);
+    ) external returns (address depositAddress);
 
+    /**
+     * @notice Forwards calldata to a deployed clone.
+     * @param depositAddress Address of the deployed clone.
+     * @param executeCalldata Calldata to forward (e.g. abi.encodeCall of executeDeposit).
+     */
     function execute(address depositAddress, bytes calldata executeCalldata) external payable;
 
+    /**
+     * @notice Deploys and executes a deposit in one transaction.
+     * @param counterfactualDepositImplementation Implementation contract address.
+     * @param paramsHash keccak256 hash of the ABI-encoded route parameters.
+     * @param salt Unique salt for address generation.
+     * @param executeCalldata Calldata to forward to the clone.
+     * @return depositAddress Address of deployed clone.
+     */
     function deployAndExecute(
         address counterfactualDepositImplementation,
         bytes32 paramsHash,
         bytes32 salt,
         bytes calldata executeCalldata
     ) external payable returns (address depositAddress);
 
+    /**
+     * @notice Deploys (if needed) and executes a deposit in one transaction.
+     * @param counterfactualDepositImplementation Implementation contract address.
+     * @param paramsHash keccak256 hash of the ABI-encoded route parameters.
+     * @param salt Unique salt for address generation.
+     * @param executeCalldata Calldata to forward to the clone.
+     * @return depositAddress Address of deployed clone.
+     */
     function deployIfNeededAndExecute(
         address counterfactualDepositImplementation,
         bytes32 paramsHash,

contracts/periphery/counterfactual/AdminWithdrawManager.sol

@@ -0,0 +1,103 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
+import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import { EIP712 } from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+import { ICounterfactualDeposit } from "../../interfaces/ICounterfactualDeposit.sol";
+
+/**
+ * @title AdminWithdrawManager
+ * @notice Manages admin withdrawals from counterfactual deposit clones via two paths:
+ *         1. Direct withdraw — trusted `directWithdrawer` specifies any recipient
+ *         2. Signed withdraw — anyone can trigger with a `signer` signature; recipient is always the clone's userWithdrawAddress
+ * @dev Set this contract's address as `adminWithdrawAddress` on clones.
+ */
+contract AdminWithdrawManager is Ownable, EIP712 {
+    event DirectWithdrawerUpdated(address indexed directWithdrawer);
+    event SignerUpdated(address indexed signer);
+
+    error Unauthorized();
+    error InvalidSignature();
+    error SignatureExpired();
+
+    bytes32 public constant SIGNED_WITHDRAW_TYPEHASH =
+        keccak256("SignedWithdraw(address depositAddress,address token,uint256 amount,uint256 deadline)");
+
+    address public directWithdrawer;
+    address public signer;
+
+    /**
+     * @param _owner Contract owner (can update directWithdrawer and signer).
+     * @param _directWithdrawer Initial direct withdrawer address.
+     * @param _signer Initial signer address for signed withdrawals.
+     */
+    constructor(
+        address _owner,
+        address _directWithdrawer,
+        address _signer
+    ) Ownable(_owner) EIP712("AdminWithdrawManager", "v1.0.0") {
+        directWithdrawer = _directWithdrawer;
+        signer = _signer;
+    }
+
+    /**
+     * @notice Direct withdraw — forwards raw calldata to the deposit clone.
+     * @dev Only callable by `directWithdrawer`. Caller encodes the implementation-specific adminWithdraw call.
+     * @param depositAddress Address of the deployed clone.
+     * @param adminWithdrawCalldata Encoded call to adminWithdraw on the clone.
+     */
+    function directWithdraw(address depositAddress, bytes calldata adminWithdrawCalldata) external {
+        if (msg.sender != directWithdrawer) revert Unauthorized();
+        (bool success, bytes memory returnData) = depositAddress.call(adminWithdrawCalldata);
+        if (!success) {
+            assembly {
+                revert(add(returnData, 32), mload(returnData))
+            }
+        }
+    }
+
+    /**
+     * @notice Signed withdraw to user — anyone can trigger with a valid signature from `signer`.
+     * @dev Recipient is always the clone's `userWithdrawAddress` (enforced by adminWithdrawToUser).
+     * @param depositAddress Address of the deployed clone.
+     * @param paramsBytes ABI-encoded route parameters (passed to adminWithdrawToUser).
+     * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
+     * @param amount Amount to withdraw.
+     * @param deadline Timestamp after which the signature is no longer valid.
+     * @param signature EIP-712 signature from `signer`.
+     */
+    function signedWithdrawToUser(
+        address depositAddress,
+        bytes calldata paramsBytes,
+        address token,
+        uint256 amount,
+        uint256 deadline,
+        bytes calldata signature
+    ) external {
+        if (block.timestamp > deadline) revert SignatureExpired();
+
+        bytes32 structHash = keccak256(abi.encode(SIGNED_WITHDRAW_TYPEHASH, depositAddress, token, amount, deadline));
+        if (ECDSA.recover(_hashTypedDataV4(structHash), signature) != signer) revert InvalidSignature();
+
+        ICounterfactualDeposit(depositAddress).adminWithdrawToUser(paramsBytes, token, amount);
+    }
+
+    /**
+     * @notice Updates the direct withdrawer address.
+     * @param _directWithdrawer New direct withdrawer address.
+     */
+    function setDirectWithdrawer(address _directWithdrawer) external onlyOwner {
+        directWithdrawer = _directWithdrawer;
+        emit DirectWithdrawerUpdated(_directWithdrawer);
+    }
+
+    /**
+     * @notice Updates the signer address used for signed withdrawals.
+     * @param _signer New signer address.
+     */
+    function setSigner(address _signer) external onlyOwner {
+        signer = _signer;
+        emit SignerUpdated(_signer);
+    }
+}

contracts/periphery/counterfactual/CounterfactualDepositBase.sol

@@ -19,40 +19,87 @@ abstract contract CounterfactualDepositBase is ICounterfactualDeposit {
     /// @notice Sentinel address representing native ETH in withdraw calls.
     address public constant NATIVE_ASSET = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;
 
-    /// @dev Reads the stored params hash from the clone's appended immutable args and compares.
-    /// @param paramsHash keccak256 hash of the caller-supplied route parameters.
-    function _verifyParamsHash(bytes32 paramsHash) internal view {
+    /// @dev Verifies caller-supplied params hash against the clone's stored hash.
+    modifier verifyParamsHash(bytes32 paramsHash) {
         bytes32 storedHash = abi.decode(Clones.fetchCloneArgs(address(this)), (bytes32));
         if (paramsHash != storedHash) revert InvalidParamsHash();
+        _;
     }
 
     /**
      * @notice Allows the admin to withdraw any token from this clone (e.g. recovery of stuck funds).
-     * @param adminWithdrawAddress Authorized admin address.
+     * @param params ABI-encoded route parameters (verified against stored hash).
      * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
      * @param to Recipient of the withdrawn tokens.
      * @param amount Amount to withdraw.
      */
-    function _adminWithdraw(address adminWithdrawAddress, address token, address to, uint256 amount) internal {
-        if (msg.sender != adminWithdrawAddress) revert Unauthorized();
+    function adminWithdraw(
+        bytes calldata params,
+        address token,
+        address to,
+        uint256 amount
+    ) external verifyParamsHash(keccak256(params)) {
+        if (msg.sender != _getAdminWithdrawAddress(params)) revert Unauthorized();
+        _transferOut(token, to, amount);
+        emit AdminWithdraw(token, to, amount);
+    }
+
+    /**
+     * @notice Admin withdraw that always sends to the clone's userWithdrawAddress.
+     * @dev Used by AdminWithdrawManager.signedWithdrawToUser so the recipient is enforced on-chain.
+     * @param params ABI-encoded route parameters (verified against stored hash).
+     * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
+     * @param amount Amount to withdraw.
+     */
+    function adminWithdrawToUser(
+        bytes calldata params,
+        address token,
+        uint256 amount
+    ) external verifyParamsHash(keccak256(params)) {
+        if (msg.sender != _getAdminWithdrawAddress(params)) revert Unauthorized();
+        address to = _getUserWithdrawAddress(params);
         _transferOut(token, to, amount);
         emit AdminWithdraw(token, to, amount);
     }
 
     /**
      * @notice Allows the user to withdraw tokens before execution (escape hatch).
-     * @param userWithdrawAddress Authorized user address.
+     * @param params ABI-encoded route parameters (verified against stored hash).
      * @param token ERC20 token to withdraw, or NATIVE_ASSET for native ETH.
      * @param to Recipient of the withdrawn tokens.
      * @param amount Amount to withdraw.
      */
-    function _userWithdraw(address userWithdrawAddress, address token, address to, uint256 amount) internal {
-        if (msg.sender != userWithdrawAddress) revert Unauthorized();
+    function userWithdraw(
+        bytes calldata params,
+        address token,
+        address to,
+        uint256 amount
+    ) external verifyParamsHash(keccak256(params)) {
+        if (msg.sender != _getUserWithdrawAddress(params)) revert Unauthorized();
         _transferOut(token, to, amount);
         emit UserWithdraw(token, to, amount);
     }
 
-    /// @dev Transfers native ETH (token == NATIVE_ASSET) or ERC20 tokens.
+    /**
+     * @dev Extracts the user withdraw address from implementation-specific params.
+     * @param params ABI-encoded route parameters.
+     * @return User withdraw address.
+     */
+    function _getUserWithdrawAddress(bytes calldata params) internal pure virtual returns (address);
+
+    /**
+     * @dev Extracts the admin withdraw address from implementation-specific params.
+     * @param params ABI-encoded route parameters.
+     * @return Admin withdraw address.
+     */
+    function _getAdminWithdrawAddress(bytes calldata params) internal pure virtual returns (address);
+
+    /**
+     * @dev Transfers native ETH (token == NATIVE_ASSET) or ERC20 tokens.
+     * @param token ERC20 token address, or NATIVE_ASSET for native ETH.
+     * @param to Recipient address.
+     * @param amount Amount to transfer.
+     */
     function _transferOut(address token, address to, uint256 amount) internal {
         if (token == NATIVE_ASSET) {
             (bool success, ) = to.call{ value: amount }("");

contracts/periphery/counterfactual/CounterfactualDepositCCTP.sol

@@ -69,12 +69,10 @@ contract CounterfactualDepositCCTP is CounterfactualDepositBase {
     /// @notice CCTP source domain ID for this chain
     uint32 public immutable sourceDomain;
 
-    /// @dev Hashes caller-supplied params and checks against the clone's stored hash.
-    modifier verifyParams(CCTPImmutables memory params) {
-        _verifyParamsHash(keccak256(abi.encode(params)));
-        _;
-    }
-
+    /**
+     * @param _srcPeriphery SponsoredCCTPSrcPeriphery contract address.
+     * @param _sourceDomain CCTP source domain ID for this chain.
+     */
     constructor(address _srcPeriphery, uint32 _sourceDomain) {
         srcPeriphery = _srcPeriphery;
         sourceDomain = _sourceDomain;
@@ -96,7 +94,7 @@ contract CounterfactualDepositCCTP is CounterfactualDepositBase {
         bytes32 nonce,
         uint256 cctpDeadline,
         bytes calldata signature
-    ) external verifyParams(params) {
+    ) external verifyParamsHash(keccak256(abi.encode(params))) {
         address inputToken = address(uint160(uint256(params.depositParams.burnToken)));
 
         // transfer execution fee to execution fee recipient
@@ -135,35 +133,13 @@ contract CounterfactualDepositCCTP is CounterfactualDepositBase {
         emit CCTPDepositExecuted(amount, executionFeeRecipient, nonce, cctpDeadline);
     }
 
-    /**
-     * @notice Allows admin to withdraw any token from this clone.
-     * @param params Route parameters (verified against stored hash).
-     * @param token ERC20 token to withdraw.
-     * @param to Recipient of the withdrawn tokens.
-     * @param amount Amount to withdraw.
-     */
-    function adminWithdraw(
-        CCTPImmutables memory params,
-        address token,
-        address to,
-        uint256 amount
-    ) external verifyParams(params) {
-        _adminWithdraw(params.executionParams.adminWithdrawAddress, token, to, amount);
+    /// @inheritdoc CounterfactualDepositBase
+    function _getUserWithdrawAddress(bytes calldata params) internal pure override returns (address) {
+        return abi.decode(params, (CCTPImmutables)).executionParams.userWithdrawAddress;
     }
 
-    /**
-     * @notice Allows user to withdraw tokens before execution.
-     * @param params Route parameters (verified against stored hash).
-     * @param token ERC20 token to withdraw.
-     * @param to Recipient of the withdrawn tokens.
-     * @param amount Amount to withdraw.
-     */
-    function userWithdraw(
-        CCTPImmutables memory params,
-        address token,
-        address to,
-        uint256 amount
-    ) external verifyParams(params) {
-        _userWithdraw(params.executionParams.userWithdrawAddress, token, to, amount);
+    /// @inheritdoc CounterfactualDepositBase
+    function _getAdminWithdrawAddress(bytes calldata params) internal pure override returns (address) {
+        return abi.decode(params, (CCTPImmutables)).executionParams.adminWithdrawAddress;
     }
 }

contracts/periphery/counterfactual/CounterfactualDepositFactory.sol

@@ -99,7 +99,11 @@ contract CounterfactualDepositFactory is ICounterfactualDepositFactory {
             );
     }
 
-    /// @dev Forwards calldata to a clone, bubbling up any revert.
+    /**
+     * @dev Forwards calldata to a clone, bubbling up any revert.
+     * @param depositAddress Address of the deployed clone.
+     * @param executeCalldata Calldata to forward.
+     */
     function _execute(address depositAddress, bytes calldata executeCalldata) internal {
         (bool success, bytes memory returnData) = depositAddress.call{ value: msg.value }(executeCalldata);
         if (!success) {