OTP Module

[zZoMROT]

Static Code Analysis (readability, compactness):

Implements an abstract OtpModule that allows protecting specific external functions using OTP-based authentication via the onlyOTP modifier. Logic is cleanly separated into helper methods for packing/unpacking and validating OTPs. Storage is optimized via tight packing of hash and counter into a single uint256.

Dynamic Code Analysis (external APIs, interaction flows):

The OTP flow requires the user to precompute and register a hash chain off-chain. The protected function must explicitly use the onlyOTP modifier, OTPs are not enforced globally. Each successful call consumes one code (k_i) validated as keccak256(k_i | user), and updates the internal state for the next expected hash. Since the sender's address (msg.sender) is included in the hash, OTP codes are user-specific and cannot be front-run or reused by other accounts.

Efficiency (gas costs, computational complexity, memory requirements):

• Stores only the lower 28 bytes of the hash (224 bits) to save gas.
• Packs both the hash and usage counter into one slot (256 bits total).
• No iteration or dynamic memory use; validation is a single hash and comparison.
• Minimal storage writes: one SSTORE per valid OTP use.

Opinion, trade-offs and other thoughts (optional):

The design is intentionally minimal and opt-in, only functions explicitly decorated with onlyOTP are protected. Security/gas trade-off of using 224-bit hashes is considered acceptable given the context (one-time, user-specific keys).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!