refactor: add template logic back to universal NFT/FT

[fadeev]

Universal NFT/FT example were basically one-liner imports from standard-contracts. Made it easier to keep them always up-to-date, but also kind of useless, because for any sort of changes, you'd have to copy and paste the underlying code.

Now, the NFT/FT example is a copy of:

https://github.com/zeta-chain/standard-contracts/blob/main/contracts/token/contracts/zetachain/UniversalToken.sol

In other words, when a new user runs

npx zetachain@next create --example nft

They will get a standard OpenZeppelin ERC-721 with ZetaChain features.

If we change the template, we'd have to manually keep these examples updated.

Summary by CodeRabbit

• New NFT Contracts

  • Launched upgradeable NFT solutions with controlled minting, pause management, and seamless upgrade capabilities to enhance collection handling.

• New Token Contracts

  • Released upgradeable token solutions featuring secure minting, state controls, and integrated payment reception for improved management and transactions.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces new upgradeable NFT and token contracts. Two NFT contracts (EVMUniversalNFT and ZetaChainUniversalNFT) and two token contracts (EVMUniversalToken and ZetaChainUniversalToken) now extend multiple OpenZeppelin upgradeable contracts. Each contract features an initializer function to set immutable parameters; functions for minting, pausing/unpausing, and upgrade authorization; and overrides for core functionality to ensure compatibility with the extended libraries.

Changes

File(s)	Change Summary
examples/nft/contracts/...EVMUniversalNFT.sol examples/nft/contracts/...ZetaChainUniversalNFT.sol	Added upgradeable NFT contracts with an initialize method for setting contract parameters, safeMint for token creation, pause/unpause for state control, and _authorizeUpgrade for secure upgrades. Overrides include _update, tokenURI, and supportsInterface to integrate with UniversalNFTCore.
examples/token/contracts/...EVMUniversalToken.sol examples/token/contracts/...ZetaChainUniversalToken.sol	Introduced upgradeable token contracts featuring an initialize function with essential parameters, a mint function for token issuance, and pause/unpause operations. Both contracts override _update; the ZetaChain version additionally supports receiving ETH and accepts an extra parameter (uniswapRouterAddress) during initialization.

Sequence Diagram(s)

sequenceDiagram
    participant Owner as Contract Owner
    participant NFT as NFT Contract
    Owner->>NFT: initialize(initialOwner, name, symbol, gatewayAddress, gas)
    Owner->>NFT: safeMint(to, uri)
    Owner->>NFT: pause() / unpause()
    NFT-->>Owner: Confirmation & state update

Loading

sequenceDiagram
    participant Owner as Contract Owner
    participant Token as Token Contract
    Owner->>Token: initialize(initialOwner, name, symbol, gatewayAddress, gas[, uniswapRouterAddress])
    Owner->>Token: mint(to, amount)
    Owner->>Token: pause() / unpause()
    Token-->>Owner: Confirmation & state update

Loading

Possibly related PRs

• NFT: improvements to make production-ready #217: Updates similar NFT initialization and state-control functions, reflecting a shared approach with the current PR.
• ERC-20 token transfer example and improvements to NFT #209: Modifications to NFT operations, such as minting and pausing, align closely with the changes introduced here.

Suggested reviewers

• andresaiello

Tip

⚡🧪 Multi-step agentic review comment chat (experimental)

• We're introducing multi-step agentic chat in review comments. This experimental feature enhances review discussions with the CodeRabbit agentic chat by enabling advanced interactions, including the ability to create pull requests directly from comments.
  - To enable this feature, set early_access to true under in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• ERC-721: Entity not found: Issue - Could not find referenced Issue.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (12)

examples/token/contracts/EVMUniversalToken.sol (3)

14-22: Adopt a documented inheritance diagram or short remarks.
This multi-inheritance approach is perfectly valid. However, documenting each parent contract’s purpose (e.g., ERC20Upgradeable for standard token logic, OwnableUpgradeable for restricted access, etc.) would help future maintainers quickly grasp your design.

---

43-49: Pause and unpause functionality is clear.
Leveraging the built-in pausing from OpenZeppelin is a solid approach. Make sure to confirm that external integrations handle paused states gracefully.

---

51-53: Uncapped token supply by design.
Be aware that allowing the owner to mint at will can lead to infinite supply. If this is intended, proceed. Otherwise, consider implementing a supply cap or additional logic.

examples/nft/contracts/EVMUniversalNFT.sol (3)

2-11: Stay mindful of pinned Solidity and imported library versions.
Similar to the token contract, you're pinning compiler and library versions. This fosters consistency but should be revisited periodically to incorporate patches and enhancements.

---

27-27: Tracking _nextTokenId is straightforward.
_nextTokenId is used when generating token IDs via hashing. This is a valid approach, but ensure the ID creation logic meets your desired uniqueness requirements.

---

51-66: Secure minting process but deterministic ID approach.
Using a hash of (address(this), block.number, _nextTokenId++) provides semi-unique IDs, but it’s not truly unpredictable. Miners could potentially influence block properties if a specific ID is valuable. If full unpredictability is essential, consider VRF-based randomness.

examples/token/contracts/ZetaChainUniversalToken.sol (3)

2-2: Solidity pinned to 0.8.26.
As with the other contracts, revisit this periodically to pull in later compiler optimizations or security patches.

---

58-60: Minting logic.
Similar to EVMUniversalToken, ensure you intend for an unbounded supply. Otherwise, enforce a capacity check.

---

76-76: receive() fallback is helpful.
Accepting Ether directly can be beneficial for cross-chain bridging fees. Confirm that it’s used intentionally.

examples/nft/contracts/ZetaChainUniversalNFT.sol (3)

52-67: Consider a purely incremental or externally verifiable token ID approach.
While hashing with address(this), block.number, and _nextTokenId produces a pseudo-unique ID, collisions remain theoretically possible. A deterministic counter-based ID or a more robust randomness mechanism (e.g., Chainlink VRF) might be preferable, depending on requirements.

-uint256 hash = uint256(
-    keccak256(
-        abi.encodePacked(address(this), block.number, _nextTokenId++)
-    )
-);
-uint256 tokenId = hash & 0x00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF;
+uint256 tokenId = _nextTokenId++;

---

129-132: Pause function is clear and straightforward.
This ensures the contract can be halted for maintenance or risk mitigation. Be sure to include this in test coverage.

---

133-135: Unpause function mirrors pause functionality.
Having both pause and unpause ensures flexible contract lifecycle management. Similarly, remember to cover unpause logic in tests.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d0556d and a242f36.

📒 Files selected for processing (4)

• examples/nft/contracts/EVMUniversalNFT.sol (1 hunks)
• examples/nft/contracts/ZetaChainUniversalNFT.sol (1 hunks)
• examples/token/contracts/EVMUniversalToken.sol (1 hunks)
• examples/token/contracts/ZetaChainUniversalToken.sol (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: slither (examples/swap, swap.sarif)
• GitHub Check: slither (examples/call, call.sarif)
• GitHub Check: slither (examples/hello, hello.sarif)
• GitHub Check: test (examples/call)

🔇 Additional comments (34)

examples/token/contracts/EVMUniversalToken.sol (5)

23-26: Constructor pattern is correct for UUPS.
Disabling initializers in the constructor is a recommended safeguard against accidental re-initialization. No issues here.

---

28-41: Initialization parameters seem comprehensive.
The initialize() function covers naming, ownership, and gateway logic. This is a robust setup. Just ensure you re-run initializer tests if you modify the contract signature in the future.

---

55-57: Upgrade authorization logic is secure.
Restricting _authorizeUpgrade to onlyOwner is standard for UUPS-proxied contracts. No concerns here.

---

61-67: Override _update ensures compatibility.
This override pattern is typical when combining ERC20 with Pausable. Good job invoking super._update to preserve parent functionality.

---

2-9:

✅ Verification successful

Ensure continued alignment with future OpenZeppelin updates.
Pinning Solidity to 0.8.26 and importing specific OpenZeppelin versions helps maintain consistency, but keep an eye on potential security updates or improvements in newer releases. A periodic review to upgrade dependencies is advisable.

You can run a quick check of newer compiler and OpenZeppelin versions if you'd like to confirm you are on the recommended stable release.

---

🏁 Script executed:

#!/bin/bash
# Check for the latest stable Solidity release from GitHub
curl -s https://api.github.com/repos/ethereum/solidity/releases | jq -r '.[0].tag_name'

# Check for newer minor versions of OpenZeppelin
rg "openzeppelin" -A 2

Length of output: 24113

---

Action: Periodically Review and Validate Dependency Versions
After verification, the code in examples/token/contracts/EVMUniversalToken.sol remains consistent with the current pinned OpenZeppelin packages (v5.2.0 as seen in the yarn lock files). However, note that while Solidity is explicitly pinned to 0.8.26, the latest stable release is now 0.8.29. Although explicit version pinning helps ensure compatibility and reproducibility, you may want to:

• Consider Testing an Upgrade: Evaluate the impact of upgrading the Solidity version from 0.8.26 to 0.8.29 to take advantage of the latest bug fixes and security improvements.
• Monitor OpenZeppelin Updates: Keep an eye on future updates to OpenZeppelin contracts that might offer enhanced features or critical security patches.
• Maintain Consistency: Continue pinning versions to avoid unexpected changes unless thorough testing confirms that an upgrade is safe.

This periodic review strategy will help maintain a balanced approach between stability and benefiting from the latest improvements.

examples/nft/contracts/EVMUniversalNFT.sol (10)

13-14: UniversalNFTCore import is suitable.
Inheriting from UniversalNFTCore centralizes bridging and cross-chain features. This is a clean approach.

---

16-25: Multi-contract inheritance is well-structured.
Declaring upgradeable NFT functionalities (Enumerable, Burnable, Pausable) in one place simplifies reference for future audits.

---

29-32: Constructor properly disables initializers.
This pattern is consistent with UUPS best practices. No issues noted.

---

34-49: Initialization covers essential fields.
The gatewayAddress and gas parameters are set alongside standard NFT initializers. This design is succinct.

---

68-74: Pause/unpause logic is standard.
As with your token contract, ensure external callers handle paused states robustly.

---

76-79: UUPS upgrade guard.
Restricting _authorizeUpgrade to onlyOwner is straightforward.

---

82-96: Override _update for multiple inheritance.
Good use of super._update to unify the logic from ERC721Upgradeable, ERC721EnumerableUpgradeable, and ERC721PausableUpgradeable.

---

98-104: Consistent override of _increaseBalance.
Applying the enumerability approach here helps maintain the correct token balance count across multiple parent classes.

---

105-118: Robust token URI resolution.
Deferring to the parent implementations is typical and ensures uniform handling of token URIs.

---

120-134: Merged supportsInterface checks.
Combining the parent interface IDs in one function is best practice. This ensures runtime consistency of all inherited interfaces.

examples/token/contracts/ZetaChainUniversalToken.sol (7)

17-18: Import of UniversalTokenCore is appropriate.
This is consistent with the design of your other universal token contracts.

---

20-28: Multi-inheritance preserves key functionalities.
Composing multiple OpenZeppelin modules plus UniversalTokenCore helps unify cross-chain token features with standard token capabilities.

---

30-32: Constructor logic correct.
Disabling initializers is crucial. No issues here.

---

34-48: Initialization approach mirrors EVMUniversalToken.
Inclusion of the uniswapRouterAddress parameter for cross-chain or cross-token swaps is a good extension. Ensure to test this thoroughly with your bridging/gateway logic.

---

50-56: Pausing and unpausing are standard.
Matches your other implementations, providing consistent admin control.

---

62-64: Owner-only upgrade guard.
Limits upgrade initiation to the contract owner, which is the canonical approach for UUPS upgrades.

---

68-74: Override _update for multi-parent synergy.
Maintains compatibility across all inherited functionalities, with no apparent conflicts.

examples/nft/contracts/ZetaChainUniversalNFT.sol (12)

4-11: Use of upgradeable contract imports looks appropriate.
All selected imports are consistent with OpenZeppelin's upgradeable contract patterns. Ensure they are pinned to specific versions in your dependency files to avoid unexpected breakage on future releases.

---

13-15: UniversalNFTCore import is consistent with project goals.
The import statement indicates clear intent to layer universal NFT functionality on top of OpenZeppelin. No issues observed.

---

27-27: Simple private variable storage is valid.
_nextTokenId suits a straightforward minting flow. No immediate concerns.

---

29-32: Constructor disabling initializers is standard for upgradeable contracts.
This is a recommended best practice to prevent direct contract usage without initialization. Good job.

---

34-50: Initialization logic is comprehensive.
All relevant OpenZeppelin initializers are invoked, and universal core is properly set up. Be mindful of upgrading from one version to another and double-check that no re-initialization is required elsewhere.

---

69-85: Override of _update is well-structured.
This override references multiple parents. Ensure the final call to super._update is indeed capturing the combined logic from ERC721Upgradeable, ERC721EnumerableUpgradeable, and ERC721PausableUpgradeable without unintended side effects.

---

87-92: Balance tracking override aligns with enumerability requirements.
The implemented override calls super._increaseBalance, ensuring the enumerability and standard ERC721 logic remain consistent. No issues found.

---

94-107: tokenURI override merges multiple parents.
Relying on super.tokenURI(tokenId) addresses conflicts between ERC721, ERC721URIStorage, and UniversalNFTCore. This looks correct; ensure metadata expansion or modifications happen consistently if you add any specialized logic.

---

109-123: supportsInterface override properly integrates multiple interfaces.
The combined overrides handle potential collisions from multiple inherited contracts. Good approach to maintain broad compatibility.

---

125-127: Owner-restricted _authorizeUpgrade is standard for UUPS.
Restricting upgrades to the contract owner is a common and appropriate security measure for UUPS proxies.

---

137-137: receive() function properly accepts ETH for gas payments.
No concerns. Make sure to handle possible reentrancy if any subsequent logic is introduced in future expansions.

---

16-26:

❓ Verification inconclusive

Verify inheritance ordering for potential override conflicts.
Multiple parent contracts share hooks or internal functions (e.g., _beforeTokenTransfer). Confirm that the final override resolutions—including those from UniversalNFTCore—are correct and consistent with your design.

---

🏁 Script executed:

#!/bin/bash
# Identify all definitions of _beforeTokenTransfer or similar hooks
rg -A 5 "function _beforeTokenTransfer"

Length of output: 41

---

Action: Validate Inheritance Override Order for Hook Functions

It appears that our automated search did not return any instances of _beforeTokenTransfer in the codebase, which makes it difficult to automatically confirm that the intended override chaining—especially involving UniversalNFTCore—is correctly implemented. Please perform a manual review of the following:

• Verify that any custom override of _beforeTokenTransfer in the inherited contracts (e.g., in OpenZeppelin’s ERC721 modules and UniversalNFTCore) are properly chained with explicit override declarations.
• Confirm that if UniversalNFTCore or any other module introduces additional logic for _beforeTokenTransfer, it calls the relevant parent implementations via super._beforeTokenTransfer.
• Review the final inheritance ordering in ZetaChainUniversalNFT.sol to ensure that the combined logic from all parent contracts executes as designed.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

examples/token/contracts/ZetaChainUniversalToken.sol (1)

75-75: Consider documenting the purpose of the receive function.

While the receive function allows the contract to accept Ether, it lacks documentation explaining its intended purpose. Consider adding a comment explaining when and why this function would be used in the context of this token.

-    receive() external payable {}
+    /// @notice Allows the contract to receive Ether, necessary for gas token swaps and cross-chain operations
+    receive() external payable {}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a242f36 and 1c07455.

📒 Files selected for processing (1)

• examples/token/contracts/ZetaChainUniversalToken.sol (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: test (examples/token)
• GitHub Check: test (examples/swap)
• GitHub Check: test (examples/nft)
• GitHub Check: test (examples/call)
• GitHub Check: slither (examples/swap, swap.sarif)
• GitHub Check: slither (examples/call, call.sarif)
• GitHub Check: slither (examples/hello, hello.sarif)

🔇 Additional comments (8)

examples/token/contracts/ZetaChainUniversalToken.sol (8)

2-2: Appropriate use of fixed Solidity version.

Using a fixed version (0.8.26) rather than a floating version (^0.8.26) is preferable for production contracts as it ensures consistent behavior across builds and deployments.

---

4-17: Well-structured imports following a logical pattern.

The imports are organized in a logical manner, starting with ZetaChain-specific dependencies followed by OpenZeppelin upgradeable components. This organization enhances code readability and maintainability.

---

19-27: Robust inheritance structure for upgradeable token.

The contract now follows a comprehensive inheritance pattern that incorporates multiple OpenZeppelin upgradeable components alongside the ZetaChain-specific UniversalTokenCore. This approach provides a solid foundation for an upgradeable token with pause functionality and owner controls.

---

28-31: Correctly implemented constructor pattern for upgradeable contracts.

The constructor with _disableInitializers() follows the recommended OpenZeppelin pattern for upgradeable contracts, preventing the initializer from being called during deployment.

---

33-47: Well-structured initializer with comprehensive parameter set.

The initializer function properly initializes all parent contracts and captures all necessary parameters for token configuration. The use of descriptive parameter names and comments enhances code clarity.

---

49-59: Appropriate owner-restricted token management functions.

The pause, unpause, and mint functions follow security best practices by restricting access to the contract owner. These administrative controls provide essential functionality for managing the token lifecycle.

---

61-63: Secure upgrade authorization mechanism.

The _authorizeUpgrade function correctly restricts upgrade capabilities to the contract owner, aligning with security best practices for upgradeable contracts.

---

67-73: Properly implemented override for ERC20 and Pausable compatibility.

The _update override correctly handles the interaction between ERC20 and Pausable functionality, ensuring that both aspects of the contract work harmoniously.

[fadeev]

@zeta-chain/smart-contracts please, review.

[s2imonovic]

Looks good