feat: Smart contract draft (not tested)

Author: imiskii

.gitignore

@@ -37,3 +37,14 @@ docs/
 
 # Dotenv file
 .env
+
+# Circuit files
+circuits/build
+*.r1cs
+*.sym
+*.wasm
+*.zkey
+*.ptau
+*.zkey
+verification_key.json
+Verifier.sol

circuits/TaskProof.circom

@@ -0,0 +1,40 @@
+pragma circom 2.0.0;
+include "../node_modules/circomlib/circuits/poseidon.circom";
+
+/*
+  Public inputs (in this exact order as declared in main.public):
+    0: commit    -- Poseidon(solution, taskId, taskSalt)
+    1: taskId
+    2: taskSalt
+    3: recipient -- uint256 (uint160(msg.sender)) as field element
+
+  Private inputs:
+    solution
+
+  NOTE: component main {public [...]} ensures these inputs are exported as
+  public inputs (and in that order) for snarkjs / verifier.sol.
+*/
+
+template TaskProof() {
+  // public inputs (declared here, but must be listed as public in main)
+  signal input commit;
+  signal input taskId;
+  signal input taskSalt;
+  signal input recipient;
+
+  // private input
+  signal input solution;
+
+  // (1) commitment check: Poseidon([solution, taskId, taskSalt]) === commit
+  component h = Poseidon(3);
+  h.inputs[0] <== solution;
+  h.inputs[1] <== taskId;
+  h.inputs[2] <== taskSalt;
+  h.out === commit;
+
+  // Note: recipient is a public input. By including it among the public inputs
+  // of the proof you make the proof specific to that recipient value.
+  // The contract must check recipient == msg.sender to enforce caller binding.
+}
+
+component main { public [commit, taskId, taskSalt, recipient] } = TaskProof();

package-lock.json

@@ -32,6 +32,7 @@
   },
   "homepage": "https://github.com/imiskii/BountiBoard#readme",
   "dependencies": {
+    "circomlib": "^2.0.5",
     "dotenv": "^17.2.1",
     "multiformats": "^13.3.7"
   }

package.json

@@ -0,0 +1,59 @@
+// SPDX-License-Identifier: GNU
+pragma solidity ^0.8.24;
+
+import "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+
+contract TaskCreatorAccess {
+    using EnumerableSet for EnumerableSet.AddressSet;
+
+    EnumerableSet.AddressSet private _taskCreators;
+
+    mapping(address => uint256) public voteCount;
+    mapping(address => mapping(address => bool)) public hasVoted;
+
+    event TaskCreatorAdded(address indexed newCreator);
+    event Voted(address indexed voter, address indexed candidate, uint256 votes);
+
+    modifier onlyTaskCreator() {
+        require(isTaskCreator(msg.sender), "Not a TaskCreator");
+        _;
+    }
+
+    constructor(address initialCreator) {
+        _taskCreators.add(initialCreator);
+    }
+
+    function isTaskCreator(address account) public view returns (bool) {
+        return _taskCreators.contains(account);
+    }
+
+    function taskCreatorCount() public view returns (uint256) {
+        return _taskCreators.length();
+    }
+
+    function threshold() public view returns (uint256) {
+        uint256 n = taskCreatorCount();
+        if (n <= 20) {
+            return (n / 2) + 1; // majority
+        } else if (n < 200) {
+            return n / 3;       // ~1/3 when moderately sized
+        } else {
+            return 100;         // capped threshold
+        }
+    }
+
+    function voteForTaskCreator(address candidate) external onlyTaskCreator {
+        require(!isTaskCreator(candidate), "Already TaskCreator");
+        require(!hasVoted[msg.sender][candidate], "Already voted");
+
+        hasVoted[msg.sender][candidate] = true;
+        voteCount[candidate]++;
+
+        emit Voted(msg.sender, candidate, voteCount[candidate]);
+
+        if (voteCount[candidate] >= threshold()) {
+            _taskCreators.add(candidate);
+            emit TaskCreatorAdded(candidate);
+        }
+    }
+}

src/TaskCreatorAccess.sol

@@ -1,49 +1,69 @@
-// SPDX-License-Identifier: MIT
+// SPDX-License-Identifier: GNU
 pragma solidity ^0.8.24;
 
-import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
-import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
+import "./TaskToken.sol";
+import "./TaskCreatorAccess.sol";
+import "./Verifier.sol";
 
-contract CTFProof is ERC1155, Ownable {
-    // Mapping: taskId => metadata URI
-    mapping(uint256 => string) private _taskURIs;
+contract TaskManager {
+    CTFProof public ctfProof;
+    PlonkVerifier public verifier;
+    TaskCreatorAccess public accessControl;
 
-    // Optional: track existing task IDs
-    uint256 public nextTaskId = 1;
+    struct Task {
+        uint256 commit;   // Poseidon(solution, taskId, salt)
+        uint256 salt;     // Public salt
+        bool exists;
+    }
 
-    constructor(address initialOwner)
-        ERC1155("") // base URI not used; we override uri()
-        Ownable(initialOwner)
-    {}
+    mapping(uint256 => Task) public tasks;
+    uint256 public nextTaskId;
 
-    /// @notice Add a new CTF task with its metadata URI
-    function addTask(string memory taskURI) external onlyOwner returns (uint256 taskId) {
-        taskId = nextTaskId++;
-        _taskURIs[taskId] = taskURI;
-    }
+    event TaskCreated(uint256 indexed taskId, uint256 commit, uint256 salt);
+    event TaskSolved(uint256 indexed taskId, address indexed solver);
 
-    /// @notice Mint proof token after validating solution (you call this after verification)
-    function mintProof(address to, uint256 taskId) external onlyOwner {
-        require(bytes(_taskURIs[taskId]).length > 0, "Invalid taskId");
-        require(balanceOf(to, taskId) == 0, "Already claimed");
-        _mint(to, taskId, 1, "");
+    constructor(
+        address _ctfProof,
+        address _verifier,
+        address _accessControl
+    ) {
+        ctfProof = CTFProof(_ctfProof);
+        verifier = PlonkVerifier(_verifier);
+        accessControl = TaskCreatorAccess(_accessControl);
     }
 
-    /// @dev Prevent transfers except mint (from == 0) or burn (to == 0)
-    function _update(
-        address from,
-        address to,
-        uint256[] memory ids,
-        uint256[] memory amounts
-    ) internal override {
-        if (from != address(0) && to != address(0)) {
-            revert("Transfers disabled");
-        }
-        super._update(from, to, ids, amounts);
+    function addTask(uint256 commit, uint256 salt) external {
+        require(accessControl.isTaskCreator(msg.sender), "Not TaskCreator");
+
+        uint256 taskId = ++nextTaskId;
+        tasks[taskId] = Task(commit, salt, true);
+
+        emit TaskCreated(taskId, commit, salt);
     }
 
-    /// @notice Return token-specific URI
-    function uri(uint256 taskId) public view override returns (string memory) {
-        return _taskURIs[taskId];
+    function solveTask(
+        uint256 taskId,
+        address recipient,
+        uint256[24] calldata proof,
+        uint256[4] calldata publicSignals
+    ) external {
+        Task storage task = tasks[taskId];
+        require(task.exists, "Task not found");
+
+        // Verify zkSNARK proof
+        require(verifier.verifyProof(proof, publicSignals), "Invalid proof");
+
+        // Public signals expected order:
+        // [0] = commit, [1] = taskId, [2] = salt, [3] = recipient
+        require(publicSignals[0] == task.commit, "Commit mismatch");
+        require(publicSignals[1] == taskId, "TaskId mismatch");
+        require(publicSignals[2] == task.salt, "Salt mismatch");
+        require(publicSignals[3] == uint256(uint160(recipient)), "Recipient mismatch");
+        require(recipient == msg.sender, "Recipient must be caller");
+
+        // Mint ERC-1155 token (1 per solver per task)
+        ctfProof.mintProof(msg.sender, taskId);
+
+        emit TaskSolved(taskId, msg.sender);
     }
 }

src/TaskManager.sol

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GNU
+pragma solidity ^0.8.24;
+
+import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
+
+contract CTFProof is ERC1155 {
+    // Mapping: taskId => metadata URI
+    mapping(uint256 => string) private _taskURIs;
+
+    // Optional: track existing task IDs
+    uint256 public nextTaskId = 1;
+
+    constructor()
+        ERC1155("")
+    {}
+
+    /// @notice Add a new CTF task with its metadata URI
+    function addTask(string memory taskURI) external returns (uint256 taskId) {
+        taskId = nextTaskId++;
+        _taskURIs[taskId] = taskURI;
+    }
+
+    /// @notice Mint proof token after validating solution (you call this after verification)
+    function mintProof(address to, uint256 taskId) external {
+        require(bytes(_taskURIs[taskId]).length > 0, "Invalid taskId");
+        require(balanceOf(to, taskId) == 0, "Already claimed");
+        _mint(to, taskId, 1, "");
+    }
+
+    /// @dev Prevent transfers except mint (from == 0) or burn (to == 0)
+    function _update(
+        address from,
+        address to,
+        uint256[] memory ids,
+        uint256[] memory amounts
+    ) internal override {
+        if (from != address(0) && to != address(0)) {
+            revert("Transfers disabled");
+        }
+        super._update(from, to, ids, amounts);
+    }
+
+    /// @notice Return token-specific URI
+    function uri(uint256 taskId) public view override returns (string memory) {
+        return _taskURIs[taskId];
+    }
+}