-
Notifications
You must be signed in to change notification settings - Fork 0
/
MultiSig.etiml
539 lines (460 loc) · 22 KB
/
MultiSig.etiml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
(* //sol Wallet *)
(* // Multi-sig, daily-limited account proxy/wallet. *)
(* // @authors: *)
(* // Gav Wood <[email protected]> *)
(* // inheritable "property" contract that enables methods to be protected by requiring the acquiescence of either a *)
(* // single, or, crucially, each of a number of, designated owners. *)
(* // usage: *)
(* // use modifiers onlyOwner (just own owned) or onlymanyowners(hash), whereby the same hash must be provided by *)
(* // some number (specified in constructor) of the set of owners (specified in the constructor, modifiable) before the *)
(* // interior is executed. *)
structure Pervasive = struct
fun inc n = n + 1
fun dec n = n - 1
fun nat_inc {n : Nat} (n : nat {n}) = n #+ #1
fun nat_dec {n : Nat | n >= 1} (n : nat {n}) = n #- #1
fun addBy b a = a + b
fun subBy b a = a - b
fun orBy b a = a bit_or b
(* fun waste_time () = 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 *)
fun for_ ['a] {m1 m2: Time} {m1' m2' start : Nat} {eend : Nat | start <= eend} (start : nat {start}, eend : nat {eend}, init : 'a, f : forall {i : Nat | start <= i /\ i < eend} using (m1, m1'), nat {i} * 'a -- m2, m2' --> 'a) return 'a using (m1+m2+3281.0)*$(eend-start)+4012.0, (m1'+m2'+52*32)*(eend-start)+50*32 =
lets
fun loop {i : Nat | start <= i /\ i <= eend} (i : nat {i}, acc : 'a) (* using (m1+m2) * $(eend-i), (m1'+m2') * (eend-i) *) =
ifi i #>= eend then (* waste_time (); *)acc
else
%loop (i #+ #1, %f (i, acc)) using (m1+m2+3281.0) * $(eend-i)+1651.0, (m1'+m2'+52*32) * (eend-i)+16*32
end
in
%loop (start, init)
end
fun require b = if b then (* waste_time (); *)() else (throw using _) end
(* fun unop_ref ['a] {m : Time} {m' : Nat} r (f : 'a -- m, m' --> 'a) = r := f !r *)
val ether = 1000000000000000000
val minute = 60
val hour = 60 * minute
val day = 24 * hour
end
contract multiowned = struct inherit Pervasive
(* TYPES *)
(* struct for the status of a pending operation. *)
type PendingState = {
yetNeeded : uint,
ownersDone : uint,
index : uint,
}
fun copy_PendingState (t : storage PendingState, s : PendingState) =
&t->yetNeeded ::= s.yetNeeded;
&t->ownersDone ::= s.ownersDone;
&t->index ::= s.index
fun clear_PendingState (t : storage PendingState) =
&t->yetNeeded ::= 0;
&t->ownersDone ::= 0;
&t->index ::= 0
(* FIELDS *)
(* the number of owners that must confirm the same operation before it is run. *)
(* zerofiable types can omit initialization *)
public state m_required : cell uint
(* pointer used to find a free slot in m_owners *)
public state m_numOwners : icell
(* list of owners *)
(* state m_owners : array uint {256} *)
state m_owners : map uint uint
val c_maxOwners = 250
(* index on the list of owners to allow reverse lookup *)
state m_ownerIndex : map uint uint
(* the ongoing operations. *)
state m_pending : map bytes32 (* PendingState *){
yetNeeded : uint,
ownersDone : uint,
index : uint,
} (* should be called m_op2state *)
state m_pendingIndex : map uint bytes32 (* should be called m_idx2op *)
state m_numOps : icell
public state m_needToIncNumOps : cell bool
(* EVENTS *)
(* this contract only has five types of events: it can accept a confirmation, in which case *)
(* we record owner and operation (hash) alongside it. *)
event Confirmation(owner : address, operation : bytes32)
event Revoke(owner : address, operation : bytes32)
(* some others are in the case of an owner changing. *)
event OwnerChanged(oldOwner : address, newOwner : address)
event OwnerAdded(newOwner : address)
event OwnerRemoved(oldOwner : address)
(* the last one is emitted if the required signatures change *)
event RequirementChanged(newRequirement : uint)
(* MODIFIERS *)
fun isOwner (_addr : address) return bool =
m_ownerIndex[_addr : uint] > 0
(* simple single-sig function modifier. *)
fun onlyOwner () =
require(isOwner msg.sender)
fun opExists (_operation : bytes32) =
m_pending[_operation].yetNeeded > 0
fun numOpsGood () = require (not !!m_needToIncNumOps)
fun numOpsBad () = require (!!m_needToIncNumOps)
fun incNumOps {n : Nat} () pre {m_numOps : n} post {m_numOps : n+1} guard onlyOwner =
modify m_numOps %nat_inc;
set m_needToIncNumOps false
internal fun confirmAndCheck {n : Nat} (_operation : bytes32) pre {m_numOps : n} guard onlyOwner =
(* determine what index the present sender is: *)
let ownerIndex : uint = m_ownerIndex[msg.sender : uint];
let pending = &m_pending->[_operation];
if deref pending->yetNeeded = 0 then
(* reset count of confirmations needed. *)
&pending->yetNeeded ::= !!m_required;
(* reset which owners have confirmed (none) - set our bitmap to 0. *)
&pending->ownersDone ::= 0;
let index = nat2int (!!m_numOps);
&pending->index ::= index;
set m_pendingIndex[index] _operation;
(* we need to rely on the users to increase m_numOps since the post-condition must specify a value for m_numOps and we can't determine the value statically *)
set m_needToIncNumOps true
end;
(* determine the bit to set for this owner. *)
let ownerIndexBit : uint = 2**ownerIndex;
(* make sure we (the message sender) haven't confirmed this operation previously. *)
if (deref pending->ownersDone) bit_and ownerIndexBit = 0 then
(* emit Confirmation(msg.sender, _operation); *)
(* ok - check if count is enough to go ahead. *)
if deref pending->yetNeeded <= 1 then
(* enough confirmations: reset and run interior. *)
set m_pendingIndex[m_pending[_operation].index] 0;
clear_PendingState (pending);
(* debug_log _operation; *)
(* debug_log "passed"; *)
true
else
(* not enough: record that this owner in particular confirmed. *)
modify &pending->yetNeeded dec;
modify &pending->ownersDone |= ownerIndexBit;
(* debug_log (deref pending->ownersDone, deref pending->yetNeeded); *)
false
end
else
false
end
(* multi-sig function modifier: the operation must have an intrinsic hash in order *)
(* that later attempts can be realised as the same underlying operation and *)
(* thus count as confirmations. *)
fun onlymanyowners {n : Nat} (_operation : bytes32) () pre {m_numOps : n} =
require(%confirmAndCheck(_operation))
(* METHODS *)
(* constructor is given number of sigs required to do protected "onlymanyowners" transactions *)
(* as well as the selection of addresses capable of confirming them. *)
fun constructor {len : Nat} (_owners : array address {len}, _required : uint) pre {m_numOwners : 0} post {m_numOwners : len+1} =
set m_numOwners array_len _owners #+ #1;
set m_owners[1] msg.sender;
set m_ownerIndex[msg.sender] 1;
(* for (i : uint = 0; i < length _owners; inc) *)
(* (* PW: is 2+i<256 ? *) *)
(* set m_owners[2 + i] uint(_owners[i]); *)
(* set m_ownerIndex[uint(_owners[i])] 2 + i *)
(* end; *)
%for_ (#0, array_len _owners, (), fn {i | 0 <= i /\ i < len} (i : nat {i}, ()) =>
let i' = nat2int i;
set m_owners[2 + i'] array_get (_owners, i);
set m_ownerIndex[array_get(_owners, i)] 2 + i'
);
m_required ::= _required
(* Revokes a prior confirmation of the given operation *)
external fun revoke (_operation : bytes32) guard onlyOwner =
let ownerIndex = m_ownerIndex[msg.sender : uint];
let ownerIndexBit : uint = 2**ownerIndex;
let pending = &m_pending->[_operation];
if deref pending->ownersDone bit_and ownerIndexBit > 0 then
modify &pending->yetNeeded inc;
modify &pending->ownersDone -= ownerIndexBit
(* ;debug_log "revoked" *)
(* emit Revoke(msg.sender, _operation) *)
end
internal fun clearPending {len : Nat} () pre {m_numOps : len} post {m_numOps : 0} guard numOpsGood =
let length = !!m_numOps;
(* for (i : uint = 0; i < length; inc) *)
(* if m_pendingIndex[i] != 0 then *)
(* set m_pending [m_pendingIndex[i] ] zero *)
(* end *)
(* end; *)
%for_ (#0, length, (), fn {i | 0 <= i /\ i < len} (i : nat {i}, ()) =>
(* debug_log i; *)
let i = nat2int i;
let opr = m_pendingIndex[i];
if opr != 0 then
clear_PendingState (&m_pending->[opr])
end;
set m_pendingIndex[i] 0
);
set m_numOps #0
(* Replaces an owner `_from` with another `_to`. *)
(* PW: why should we put block.number in the hash? Do we require the first and last attempts of this operations to be in the same block? *)
external fun changeOwner {len : Nat} (_from : address, _to : address) pre {m_numOps : len} post {m_numOps : 0} guard %onlymanyowners(sha3(msg.data, block.number)), numOpsGood =
require (isOwner(_from));
require (not isOwner(_to));
let ownerIndex = m_ownerIndex[_from];
%clearPending();
set m_owners[ownerIndex] _to;
set m_ownerIndex[_from] 0;
set m_ownerIndex[_to] ownerIndex
(* emit OwnerChanged(_from, _to) *)
fun hasConfirmed (_operation : bytes32, _owner : address) guard onlyOwner =
let ownerIndex : uint = m_ownerIndex[_owner];
(* determine the bit to set for this owner. *)
let ownerIndexBit : uint = 2**ownerIndex;
if m_pending[_operation].ownersDone bit_and ownerIndexBit = 0 then
false
else
true
end
state m_newNumOwners : cell uint
state m_needToSetNumOwners : icell
(* fun numOwnersGood () = require (not !!m_needToSetNumOwners) *)
(* fun numOwnersBad () = require (!!m_needToSetNumOwners) *)
fun setNumOwners {old new : Nat} (new : nat {new}) pre {m_numOwners : old, m_needToSetNumOwners : 1} post {m_numOwners : new, m_needToSetNumOwners : 0} =
require(nat2int new = !!m_newNumOwners);
set m_numOwners new;
set m_needToSetNumOwners #0
fun getNewNumOwners () = !!m_newNumOwners
private fun reorganizeOwners {len : Nat} () pre {m_numOwners : len, m_needToSetNumOwners : 0} post {m_numOwners : len, m_needToSetNumOwners : 1} =
let free = ref 1;
(* while (!free < m_numOwners) *)
(* while (!free < m_numOwners && m_owners[!free] != 0) modify free inc end; *)
(* while (m_numOwners > 1 && m_owners[m_numOwners] = 0) modify m_numOwners dec end; *)
(* if !free < m_numOwners && m_owners[m_numOwners] != 0 && m_owners[!free] = 0 then *)
(* set m_owners[!free] m_owners[m_numOwners]; *)
(* set m_ownerIndex[m_owners[!free] ] (!free); *)
(* set m_owners[m_numOwners] 0 *)
(* end *)
(* end; *)
let len = !!m_numOwners;
let len' = nat2int len;
let notfree = ref len';
(* for (i = 1; i <= len; ++i) *)
(* if !free < !notfree && m_owners[!free] <> 0 then unop_ref free ++ *)
(* elseif !notfree > 1 && m_owners[!notfree] = 0 then unop_ref notfree -- *)
(* elseif !free < !notfree && m_owners[!notfree] <> 0 && m_owners[!free] = 0 then *)
(* set m_owners[!free] m_owners[!notfree]; *)
(* set m_ownerIndex[m_owners[!free] ] !free; *)
(* set m_owners[!notfree] 0 *)
(* end *)
(* end; *)
%for_ (#0, len, (), fn {i | 0 <= i /\ i < len} (i : nat {i}, ()) =>
if !free < !notfree && m_owners[!free] <> 0 then free := !free + 1
elseif !notfree > 1 && m_owners[!notfree] = 0 then notfree := !notfree - 1
elseif !free < !notfree && m_owners[!notfree] <> 0 && m_owners[!free] = 0 then
set m_owners[!free] m_owners[!notfree];
set m_ownerIndex[m_owners[!free] ] !free;
set m_owners[!notfree] 0
(* ; debug_log (!free, !notfree) *)
end
);
set m_newNumOwners !notfree;
(* we need to rely on the users to update m_numOwners since the post-condition must specify a value for m_numOwners and we can't determine the value statically *)
set m_needToSetNumOwners #1
external fun addOwner {len1 len2 : Nat} (_owner : address) pre {m_numOwners : len1, m_numOps : len2, m_needToSetNumOwners : 0} post {m_numOwners : len1, m_numOps : 0, m_needToSetNumOwners : 1} guard %onlymanyowners(sha3(msg.data, block.number)) =
require (not isOwner(_owner));
%clearPending();
if nat2int !!m_numOwners >= c_maxOwners then
%reorganizeOwners()
else
set m_needToSetNumOwners #1
end;
require (!!m_newNumOwners < c_maxOwners);
modify m_newNumOwners inc;
let index = !!m_newNumOwners;
set m_owners[index] _owner;
set m_ownerIndex[_owner] index
(* emit OwnerAdded(_owner) *)
external fun removeOwner {len1 len2 : Nat} (_owner : address) pre {m_numOwners : len1, m_numOps : len2, m_needToSetNumOwners : 0} post {m_numOwners : len1, m_numOps : 0, m_needToSetNumOwners : 1} guard %onlymanyowners(sha3(msg.data, block.number)) =
require (isOwner(_owner));
let ownerIndex : uint = m_ownerIndex[_owner];
require(!!m_required <= nat2int !!m_numOwners - 1);
set m_owners[ownerIndex] 0;
set m_ownerIndex[_owner] 0;
%clearPending();
%reorganizeOwners()
(* emit OwnerRemoved(_owner) *)
external fun changeRequirement {len1 len2 : Nat} (_newRequired : uint) pre {m_numOwners : len1, m_numOps : len2, m_needToSetNumOwners : 0} post {m_numOwners : len1, m_numOps : 0, m_needToSetNumOwners : 0} guard %onlymanyowners(sha3(msg.data, block.number)) =
require (_newRequired <= nat2int !!m_numOwners);
set m_required _newRequired;
%clearPending()
(* emit RequirementChanged(_newRequired) *)
end
(* // inheritable "property" contract that enables methods to be protected by placing a linear limit (specifiable) *)
(* // on a particular resource per calendar day. is multiowned to allow the limit to be altered. resource that method *)
(* // uses is specified in the modifier. *)
contract daylimit = struct inherit multiowned
(* FIELDS *)
public state m_dailyLimit : cell uint
public state m_spentToday : cell uint
public state m_lastDay : cell uint
(* determines today's index. *)
private fun today () constant return uint = now / day
(* checks to see if there is at least `_value` left from the daily limit today. if there is, subtracts it and *)
(* return true. otherwise just return false. *)
internal fun underLimit (_value : uint) guard onlyOwner return bool =
(* reset the spend limit if we're on a different day to last time. *)
if today() > !!m_lastDay then
m_spentToday ::= 0;
m_lastDay ::= today()
end;
(* check to see if there's enough left - if so, subtract and return true. *)
if !!m_spentToday + _value >= !!m_spentToday && !!m_spentToday + _value <= !!m_dailyLimit then
modify m_spentToday += _value;
true
else
false
end
(* simple modifier for daily limit. *)
fun limitedDaily (_value : uint) =
require(underLimit(_value))
(* constructor - stores initial daily limit and records the present day's index. *)
fun constructor (_limit : uint) =
m_dailyLimit ::= _limit;
m_lastDay ::= today()
(* (re)sets the daily limit. needs many of the owners to confirm. doesn't alter the amount already spent today. *)
external fun setDailyLimit {len : Nat} (_newLimit : uint) pre {m_numOps : len} guard %onlymanyowners(sha3(msg.data, block.number)) =
m_dailyLimit ::= _newLimit
external fun resetSpentToday {len : Nat} () pre {m_numOps : len} guard %onlymanyowners(sha3(msg.data, block.number)) =
m_spentToday ::= 0
end
(* interface contract for multisig proxy contracts; see below for docs. *)
interface multisig = sig
(* EVENTS *)
(* logged events: *)
(* Funds has arrived into the wallet (record how much). *)
event Deposit(from : address, value : uint)
(* Single transaction going out of the wallet (record who signed for it, how much, and to whom it's going). *)
event SingleTransact(owner : address, value : uint, to : address, data : bytes)
(* Multi-sig transaction going out of the wallet (record who signed for it last, the operation hash, how much, and to whom it's going). *)
event MultiTransact(owner : address, operation : bytes32, value : uint, to : address, data : bytes)
(* Confirmation still needed for a transaction. *)
event ConfirmationNeeded(operation : bytes32, initiator : address, value : uint, to : address, data : bytes)
(* FUNCTIONS *)
(* TODO: document *)
external fun changeOwner (_from : address, _to : address)
external fun execute (_to : address, _value : uint, _data : bytes) return bytes32
fun confirm (_h : bytes32) return bool
end
(* *)
(* // usage: *)
(* // bytes32 h = Wallet(w).from(oneOwner).transact(to, value, data); *)
(* // Wallet(w).from(anotherOwner).confirm(h); *)
(* *)
contract Wallet = struct inherit multiowned, daylimit
public val version : uint = 2
(* TYPES *)
(* Transaction structure to remember details of transaction lest it need be saved for a later call. *)
type Transaction = {
to : address,
value : uint,
dataHash : bytes32,
}
(* pending transactions we have at present. *)
state m_txs : map bytes32 (* Transaction *){
to : address,
value : uint,
dataHash : bytes32,
}
(* METHODS *)
(* constructor - just pass on the owner array to the multiowned and *)
(* the limit to daylimit *)
fun constructor {len : Nat} (_owners : array address {len}, _required : uint, _daylimit : uint) pre {m_numOwners : 0} post {m_numOwners : len+1} =
%multiowned..constructor(_owners, _required);
daylimit..constructor(_daylimit)
(* (* kills the contract sending everything to `_to`. *) *)
(* external fun kill {len to : Nat} (_to : nat {to}) pre {m_numOps : len} guard %onlymanyowners(sha3(msg.data, block.number)) = *)
(* suicide(_to) *)
(* (* gets called when no other function matches *) *)
(* fun default () = *)
(* (* just being sent some cash? *) *)
(* if msg.value > 0 then *)
(* emit Deposit(msg.sender, msg.value) *)
(* end *)
fun copy_Transaction (t : storage Transaction, s : Transaction) =
&t->to ::= s.to;
&t->value ::= s.value;
&t->dataHash ::= s.dataHash
fun clear_Transaction (t : storage Transaction) =
&t->to ::= 0;
&t->value ::= 0;
&t->dataHash ::= 0
(* confirm a transaction through just the hash. *)
fun confirm {len n : Nat} (_h : bytes32, data : bytes {n}) pre {m_numOps : len} guard %onlymanyowners(_h) return bool =
if m_txs[_h].to != 0 then
require (sha3(data) = m_txs[_h].dataHash);
(* call_with_value () m_txs[_h].to (m_txs[_h].value, data); *)
(* emit MultiTransact(msg.sender, _h, !m_txs[_h].value, !m_txs[_h].to, data); *)
clear_Transaction (&m_txs->[_h]);
true
else
false
end
(* // Outside-visible transact entry point. Executes transacion immediately if below daily spend limit. *)
(* // If not, goes into multisig process. We provide a hash on return to allow the sender to provide *)
(* // shortcuts for the other confirmations (allowing them to avoid replicating the _to, _value *)
(* // and _data arguments). They still get the option of using them if they want, anyways. *)
external fun execute {len n : Nat} (_to : address, _value : uint, _data : bytes {n}) pre {m_numOps : len} guard onlyOwner return bytes32 =
(* first, take the opportunity to check that we're under the daily limit. *)
if underLimit(_value) then
(* emit SingleTransact(msg.sender, _value, _to, _data); *)
(* yes - just execute the call. *)
(* call_with_value () _to (_value, _data); *)
0
else
(* determine our operation hash. *)
let _r = sha3(msg.data, block.number);
if not %confirm(_r, _data) && m_txs[_r].to == 0 then
set m_txs[_r].to _to;
set m_txs[_r].value _value;
set m_txs[_r].dataHash sha3(_data)
(* emit ConfirmationNeeded(_r, msg.sender, _value, _to, _data) *)
end;
_r
end
internal fun clearPending {len : Nat} () pre {m_numOps : len} post {m_numOps : 0} guard numOpsGood =
let length = !!m_numOps;
(* for (i : uint = 0; i < length; inc) *)
(* set m_txs[m_pendingIndex[i] ] zero *)
(* end; *)
%for_ (#0, length, (), fn {i | 0 <= i /\ i < len} (i : nat {i}, ()) =>
let i = nat2int i;
clear_Transaction (&m_txs->[m_pendingIndex[i] ])
);
%multiowned..clearPending()
val _ = %constructor ({0x2, 0x3, 0x4, 0x5, }, 3, 5)
(* val () = &m_pending->[1]->ownersDone ::= 2 *)
(* val () = &m_pending->[1]->yetNeeded ::= 2 *)
(* val () = &m_pending->[1]->ownersDone ::= 6 *)
(* val () = &m_pending->[1]->yetNeeded ::= 1 *)
(* val r = %confirmAndCheck 1 *)
(* val r = %confirmAndCheck 1 *)
(* val r = %incNumOps () *)
(* val r = %confirmAndCheck 2 *)
(* val r = %incNumOps () *)
(* val r = %confirmAndCheck 3 *)
(* val r = %incNumOps () *)
(* val r = %confirmAndCheck 4 *)
(* val r = %incNumOps () *)
(* val r = %confirmAndCheck 5 *)
(* val r = %incNumOps () *)
(* val r = revoke 1 *)
(* val r = %clearPending () *)
(* val () = debug_log (m_owners[1], m_owners[2], m_owners[3], m_owners[4], m_owners[5]) *)
val () = set m_owners[2] 0
val () = set m_ownerIndex[0x2] 0
(* val () = debug_log (m_owners[1], m_owners[2], m_owners[3], m_owners[4], m_owners[5]) *)
(* val () = %reorganizeOwners () *)
(* val () = debug_log (m_owners[1], m_owners[2], m_owners[3], m_owners[4], m_owners[5]) *)
(* val () = debug_log (deref m_pending->[1]->ownersDone, deref m_pending->[1]->yetNeeded) *)
(* val confirmAndCheck' = @confirmAndCheck {0} *)
(* val clearPending' = @clearPending {5} *)
(* val reorganizeOwners' = @reorganizeOwners {5} *)
(* val _ = dispatch {confirmAndCheck = confirmAndCheck', *)
(* revoke = revoke, *)
(* clearPending = clearPending', *)
(* reorganizeOwners = reorganizeOwners', *)
(* } *)
(* Wallet: *)
(* confirm *)
(* execute *)
(* clearPending *)
end