zama-ai
diff --git a/‎protocol-contracts/confidential-wrapper-upgradeable/docs/README.md‎
Lines changed: 292 additions & 0 deletions b/‎protocol-contracts/confidential-wrapper-upgradeable/docs/README.md‎
Lines changed: 292 additions & 0 deletions
@@ -0,0 +1,292 @@
+# Confidential Wrapper
+
+The **Confidential Wrapper** is a smart contract that wraps standard ERC-20 tokens into confidential ERC-7984 tokens. Built on Zama's FHEVM, it enables privacy-preserving token transfers where balances and transfer amounts remain encrypted.
+
+## Terminology
+
+- **Confidential Token**: The ERC-7984 confidential token wrapper.
+- **Underlying Token**: The standard ERC-20 token wrapped by the confidential wrapper.
+- **Wrapping**: Converting ERC-20 tokens into confidential tokens.
+- **Unwrapping**: Converting confidential tokens back into ERC-20 tokens.
+- **Rate**: The conversion ratio between underlying token units and confidential token units (due to decimal differences). 
+- **Operator**: An address authorized to transfer confidential tokens on behalf of another address.
+- **Owner**: The owner of the wrapper contract. In the FHEVM protocol, this is initially set to a DAO governance contract handled by Zama. Ownership will then be transferred to the underlying token's owner.
+- **Registry**: The registry contract that maps ERC-20 tokens to their corresponding confidential wrappers. More information [here](../../confidential-token-wrappers-registry/docs/README.md).
+- **ACL**: The ACL contract that manages the ACL permissions for encrypted amounts. More information in the [FHEVM library documentation](https://docs.zama.org/protocol/protocol/overview/library#access-control).
+- **Input proof**: A proof that the encrypted amount is valid. More information in the [`relayer-sdk` documentation](https://docs.zama.org/protocol/relayer-sdk-guides/fhevm-relayer/input).
+- **Public decryption**: A request to publicly decrypt an encrypted amount. More information in the [`relayer-sdk` documentation](https://docs.zama.org/protocol/relayer-sdk-guides/fhevm-relayer/decryption/public-decryption).
+
+## Quick Start
+
+> ⚠️ **Decimal conversion:** The wrapper enforces a maximum of **6 decimals** for the confidential token. When wrapping, amounts are rounded down and excess tokens are refunded.
+
+> ⚠️ **Unsupported tokens:** Non-standard tokens such as fee-on-transfer or any deflationary-type tokens are NOT supported.
+
+### Get the confidential wrapper address of an ERC-20 token
+
+Zama provides a registry contract that maps ERC-20 tokens to their corresponding verified confidential wrappers. Make sure to check the registry contract to ensure the confidential wrapper is valid before wrapping. More information [here](../../confidential-token-wrappers-registry/docs/README.md).
+
+### Wrap ERC-20 → Confidential Token
+
+**Important:** Prior to wrapping, the confidential wrapper contract must be approved by the `msg.sender` on the underlying token.
+
+```solidity
+wrapper.wrap(recipientAddress, amount);
+```
+
+The wrapper will mint the corresponding confidential token to the `recipientAddress` and refund the excess tokens to the `msg.sender` (due to decimal conversion). Considerations:
+- `amount` must be a value using the same decimal precision as the underlying token.
+- `recipientAddress` must not be the zero address.
+
+> ℹ️ **Low amount handling:** If the amount is less than the rate, the wrapping will succeed but the recipient will receive 0 confidential tokens and the excess tokens will be refunded to the `msg.sender`.
+
+
+### Unwrap Confidential Token → ERC-20
+
+Unwrapping is a **two-step asynchronous process**: an `unwrap` must be first made and then finalized with `finalizeUnwrap`. The `unwrap` function can be called with or without an input proof.
+
+#### 1) Unwrap request
+
+##### With input proof
+
+> ℹ️ **Input proof:** To unwrap any amount of confidential tokens, the `fromAddress` must first create an encrypted input to generate an `encryptedAmount` (`externalEuint64`) along its `inputProof`. The amount to be encrypted must use the same decimal precision as the confidential wrapper. More information in the [`relayer-sdk` documentation](https://docs.zama.org/protocol/relayer-sdk-guides/fhevm-relayer/input).
+
+```solidity
+wrapper.unwrap(fromAddress, recipientAddress, encryptedAmount, inputProof);
+```
+
+Alternatively, an unwrap request can be made without an input proof if the encrypted amount (`euint64`) is known to `fromAddress`. For example, this can be the confidential balance of `fromAddress`.
+
+This requests an unwrap request of `encryptedAmount` confidential tokens from `fromAddress`. Considerations:
+- `msg.sender` must be `fromAddress` or an approved operator for `fromAddress`.
+- `fromAddress` mut not be the zero address.
+- `encryptedAmount` will be burned in the request.
+- **NO** transfer of underlying tokens is made in this request.
+
+
+It emits an `UnwrapRequested` event: 
+```solidity
+event UnwrapRequested(address indexed receiver, euint64 amount);
+```
+
+###### Without input proof
+
+Alternatively, an unwrap request can be made without an input proof if the encrypted amount (`euint64`) is known to `fromAddress`. For example, this can be the confidential balance of `fromAddress`.
+
+```solidity
+wrapper.unwrap(fromAddress, recipientAddress, encryptedAmount);
+```
+
+On top of the above unwrap request considerations:
+- `msg.sender` must be approved by ACL for the given `encryptedAmount` ⚠️ (see [ACL documentation](https://docs.zama.org/protocol/protocol/overview/library#access-control)).
+
+
+#### 2) Finalize unwrap
+
+> ℹ️ **Public decryption:** The encrypted burned amount emitted by the `UnwrapRequested` event must be publicly decrypted to get the `cleartextAmount` along its `decryptionProof`. More information in the [`relayer-sdk` documentation](https://docs.zama.org/protocol/relayer-sdk-guides/fhevm-relayer/decryption/public-decryption).
+
+```solidity
+wrapper.finalizeUnwrap(burntAmount, cleartextAmount, decryptionProof);
+```
+
+This finalizes the unwrap request by sending the corresponding amount of underlying tokens to the `recipientAddress` defined in the `unwrap` request.
+
+### Transfer confidential tokens
+
+> ℹ️ **Transfer with input proof:** Similarly to the unwrap process, transfers can be made with or without an input proof and the encrypted amount must be approved by the ACL for the `msg.sender`.
+
+#### Direct transfer
+
+```solidity
+token.confidentialTransfer(to, encryptedAmount, inputProof);
+
+token.confidentialTransfer(to, encryptedAmount);
+```
+
+#### Operator-based transfer
+
+```solidity
+token.confidentialTransferFrom(from, to, encryptedAmount, inputProof);
+
+token.confidentialTransferFrom(from, to, encryptedAmount);
+```
+
+Considerations:
+- `msg.sender` must be `fromAddress` or an approved operator for `fromAddress`.
+
+#### Transfer with callback
+
+The callback can be used along an ERC-7984 receiver contract.
+
+```solidity
+token.confidentialTransferAndCall(to, encryptedAmount, inputProof, callbackData);
+
+token.confidentialTransferAndCall(to, encryptedAmount, callbackData);
+```
+
+#### Operator-based transfer with callback
+
+The callback can be used along an ERC-7984 receiver contract.
+
+```solidity
+token.confidentialTransferFromAndCall(from, to, encryptedAmount, inputProof, callbackData);
+
+token.confidentialTransferFromAndCall(from, to, encryptedAmount, callbackData);
+```
+
+Considerations:
+- `msg.sender` must be `fromAddress` or an approved operator for `fromAddress`.
+
+### Check the conversion rate and decimals
+
+```solidity
+uint256 conversionRate = wrapper.rate();
+uint8 wrapperDecimals = wrapper.decimals();
+```
+
+**Examples:**
+| Underlying Decimals | Wrapper Decimals | Rate | Effect |
+|---------------------|------------------|------|--------|
+| 18 | 6 | 10^12 | 1 wrapped = 10^12 underlying |
+| 6 | 6 | 1 | 1:1 mapping |
+| 2 | 2 | 1 | 1:1 mapping |
+
+### Check supplies
+
+#### Non-confidential total supply
+
+The wrapper exposes a non-confidential view of the total supply, computed from the underlying ERC20 balance held by the wrapper contract. This value may be higher than `confidentialTotalSupply()` if tokens are sent directly to the wrapper outside of the wrapping process.
+
+```solidity
+uint256 nonConfidentialSupply = wrapper.totalSupply();
+```
+
+#### Encrypted (confidential) total supply
+
+The actual supply tracked by the confidential token contract, represented as an encrypted value. To determine the cleartext value, you need to request decryption and appropriate ACL authorization.
+
+```solidity
+euint64 encryptedSupply = wrapper.confidentialTotalSupply();
+```
+
+#### Maximum total supply
+
+The maximum number of wrapped tokens supported by the encrypted datatype (uint64 limit). If this maximum is exceeded, wrapping new tokens will revert.
+
+```solidity
+uint256 maxSupply = wrapper.maxTotalSupply();
+```
+
+---
+
+## Integration Patterns
+
+### Operator system
+
+Delegate transfer capabilities with time-based expiration:
+
+```solidity
+// Grant operator permission until a specific timestamp
+token.setOperator(operatorAddress, validUntilTimestamp);
+
+// Check if an address is an authorized operator
+bool isAuthorized = token.isOperator(holder, spender);
+```
+
+### Amount disclosure
+
+Optionally reveal encrypted amounts publicly:
+
+```solidity
+// Request disclosure (initiates async decryption)
+token.requestDiscloseEncryptedAmount(encryptedAmount);
+
+// Complete disclosure with proof
+token.discloseEncryptedAmount(encryptedAmount, cleartextAmount, decryptionProof);
+```
+
+### Check ACL permissions
+
+Before using encrypted amounts in transactions, callers must be authorized:
+
+```solidity
+require(FHE.isAllowed(encryptedAmount, msg.sender), "Unauthorized");
+```
+
+Transfer functions with `euint64` (not `externalEuint64`) require the caller to already have ACL permission for that ciphertext. More information in the [FHEVM library documentation](https://docs.zama.org/protocol/protocol/overview/library#access-control).
+
+---
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     ConfidentialWrapper                         │
+│  (UUPS Upgradeable, Ownable2Step)                              │
+├─────────────────────────────────────────────────────────────────┤
+│                 ERC7984ERC20WrapperUpgradeable                  │
+│  (Wrapping/Unwrapping Logic, ERC1363 Receiver)                 │
+├─────────────────────────────────────────────────────────────────┤
+│                    ERC7984Upgradeable                           │
+│  (Confidential Token Standard - Encrypted Balances/Transfers)  │
+├─────────────────────────────────────────────────────────────────┤
+│               ZamaEthereumConfigUpgradeable                     │
+│  (FHE Coprocessor Configuration)                               │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Events
+
+| Event | Description |
+|-------|-------------|
+| `ConfidentialTransfer(from, to, encryptedAmount)` | Emitted on every transfer (including mint/burn) |
+| `OperatorSet(holder, operator, until)` | Emitted when operator permissions change |
+| `UnwrapRequested(receiver, encryptedAmount)` | Emitted when unwrap is initiated |
+| `UnwrapFinalized(receiver, encryptedAmount, cleartextAmount)` | Emitted when unwrap completes |
+| `AmountDiscloseRequested(encryptedAmount, requester)` | Emitted when disclosure is requested |
+| `AmountDisclosed(encryptedAmount, cleartextAmount)` | Emitted when amount is publicly disclosed |
+
+---
+
+## Errors
+
+| Error | Cause |
+|-------|-------|
+| `ERC7984InvalidReceiver(address)` | Transfer to zero address |
+| `ERC7984InvalidSender(address)` | Transfer from zero address |
+| `ERC7984UnauthorizedSpender(holder, spender)` | Caller not authorized as operator |
+| `ERC7984ZeroBalance(holder)` | Sender has never held tokens |
+| `ERC7984UnauthorizedUseOfEncryptedAmount(amount, user)` | Caller lacks ACL permission for ciphertext |
+| `ERC7984UnauthorizedCaller(caller)` | Invalid caller for operation |
+| `InvalidUnwrapRequest(amount)` | Finalizing non-existent unwrap request |
+| `ERC7984TotalSupplyOverflow()` | Minting would exceed uint64 max |
+
+---
+
+## Important Considerations
+
+### Zero balance requirement
+
+Accounts with a zero balance that have never held tokens cannot be the `from` address in transfers. This will revert with `ERC7984ZeroBalance`.
+
+### Ciphertext uniqueness assumption
+
+The unwrap mechanism stores requests in a mapping keyed by ciphertext. The current implementation assumes ciphertexts are unique. This holds in practice but be aware of this architectural decision as it is not true in the general case.
+
+---
+
+## Interface Support (ERC-165)
+
+```solidity
+wrapper.supportsInterface(type(IERC7984).interfaceId);
+wrapper.supportsInterface(type(IERC7984ERC20Wrapper).interfaceId);
+wrapper.supportsInterface(type(IERC165).interfaceId);
+```
+
+---
+
+## Upgradeability
+
+The contract uses **UUPS (Universal Upgradeable Proxy Standard)** with 2-step ownership transfer. Only the owner can upgrade the contract. Initially, the owner is set to a DAO governance contract handled by Zama. Ownership will then be transferred to the underlying token's owner.