selfxyz · Nesopie · Sep 11, 2025 · Sep 11, 2025
diff --git a/contracts/contracts/IdentityVerificationHubImplV2.sol b/contracts/contracts/IdentityVerificationHubImplV2.sol
@@ -624,6 +624,7 @@ contract IdentityVerificationHubImplV2 is ImplRoot {
         // Scope 2: Root and date checks
         {
             _performRootCheck(header.attestationId, vcAndDiscloseProof, indices);
+            _performOfacCheck(header.attestationId, vcAndDiscloseProof, indices);
             if (header.attestationId == AttestationId.AADHAAR) {
                 _performNumericCurrentDateCheck(vcAndDiscloseProof, indices);
             } else {
@@ -705,11 +706,11 @@ contract IdentityVerificationHubImplV2 is ImplRoot {
             }
         } else if (attestationId == AttestationId.AADHAAR) {
             uint256 timestamp = registerCircuitProof.pubSignals[CircuitConstantsV2.AADHAAR_TIMESTAMP_INDEX];
-            if (timestamp < block.timestamp - 20 minutes) {
+            if (timestamp < (block.timestamp - 20 minutes)) {
                 revert InvalidUidaiTimestamp();
             }
 
-            if (timestamp > block.timestamp + 20 minutes) {
+            if (timestamp > (block.timestamp + 20 minutes)) {
                 revert InvalidUidaiTimestamp();
             }
 
@@ -884,6 +885,46 @@ contract IdentityVerificationHubImplV2 is ImplRoot {
         }
     }
 
+    function _performOfacCheck(
+        bytes32 attestationId,
+        GenericProofStruct memory vcAndDiscloseProof,
+        CircuitConstantsV2.DiscloseIndices memory indices
+    ) internal view {
+        IdentityVerificationHubStorage storage $ = _getIdentityVerificationHubStorage();
+
+        if (attestationId == AttestationId.E_PASSPORT) {
+            if (
+                !IIdentityRegistryV1($._registries[attestationId]).checkOfacRoots(
+                    vcAndDiscloseProof.pubSignals[indices.passportNoSmtRootIndex],
+                    vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex],
+                    vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex]
+                )
+            ) {
+                revert InvalidOfacRoots();
+            }
+        } else if (attestationId == AttestationId.EU_ID_CARD) {
+            if (
+                !IIdentityRegistryIdCardV1($._registries[attestationId]).checkOfacRoots(
+                    vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex],
+                    vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex]
+                )
+            ) {
+                revert InvalidOfacRoots();
+            }
+        } else if (attestationId == AttestationId.AADHAAR) {
+            if (
+                !IIdentityRegistryAadhaarV1($._registries[attestationId]).checkOfacRoots(
+                    vcAndDiscloseProof.pubSignals[indices.namedobSmtRootIndex],
+                    vcAndDiscloseProof.pubSignals[indices.nameyobSmtRootIndex]
+                )
+            ) {
+                revert InvalidOfacRoots();
+            }
+        } else {
+            revert InvalidAttestationId();
+        }
+    }
+
     /**
      * @notice Performs current date validation
      */

diff --git a/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol b/contracts/contracts/interfaces/IIdentityRegistryAadhaarV1.sol
@@ -77,16 +77,9 @@ interface IIdentityRegistryAadhaarV1 {
      * @notice Checks if the provided OFAC roots match the stored OFAC roots.
      * @param nameAndDobRoot The name and date of birth OFAC root to verify.
      * @param nameAndYobRoot The name and year of birth OFAC root to verify.
-     * @param nameAndDobReverseRoot The name and date of birth OFAC root to verify.
-     * @param nameAndYobReverseRoot The name and year of birth OFAC root to verify.
      * @return True if all provided roots match the stored values, false otherwise.
      */
-    function checkOfacRoots(
-        uint256 nameAndDobRoot,
-        uint256 nameAndYobRoot,
-        uint256 nameAndDobReverseRoot,
-        uint256 nameAndYobReverseRoot
-    ) external view returns (bool);
+    function checkOfacRoots(uint256 nameAndDobRoot, uint256 nameAndYobRoot) external view returns (bool);
 
     /**
      * @notice Checks if the provided UIDAI pubkey is stored in the registry and also if it's not expired.

diff --git a/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol b/contracts/contracts/registry/IdentityRegistryAadhaarImplV1.sol
@@ -64,12 +64,6 @@ abstract contract IdentityRegistryAadhaarStorageV1 is ImplRoot {
 
     /// @notice Current name and year of birth OFAC root.
     uint256 internal _nameAndYobOfacRoot;
-
-    /// @notice Current name and date of birth reverse OFAC root.
-    uint256 internal _nameAndDobReverseOfacRoot;
-
-    /// @notice Current name and year of birth reverse OFAC root.
-    uint256 internal _nameAndYobReverseOfacRoot;
 }
 
 /**
@@ -253,33 +247,15 @@ contract IdentityRegistryAadhaarImplV1 is IdentityRegistryAadhaarStorageV1, IIde
         return _nameAndYobOfacRoot;
     }
 
-    /// @notice Retrieves the current name and date of birth reverse OFAC root.
-    /// @return The current name and date of birth reverse OFAC root value.
-    function getNameAndDobReverseOfacRoot() external view virtual onlyProxy returns (uint256) {
-        return _nameAndDobReverseOfacRoot;
-    }
-
-    /// @notice Retrieves the current name and year of birth reverse OFAC root.
-    /// @return The current name and year of birth reverse OFAC root value.
-    function getNameAndYobReverseOfacRoot() external view virtual onlyProxy returns (uint256) {
-        return _nameAndYobReverseOfacRoot;
-    }
-
     /// @notice Validates whether the provided OFAC roots match the stored values.
     /// @param nameAndDobRoot The name and date of birth OFAC root to validate.
     /// @param nameAndYobRoot The name and year of birth OFAC root to validate.
     /// @return True if all provided roots match the stored values, false otherwise.
     function checkOfacRoots(
         uint256 nameAndDobRoot,
-        uint256 nameAndYobRoot,
-        uint256 nameAndDobReverseRoot,
-        uint256 nameAndYobReverseRoot
+        uint256 nameAndYobRoot
     ) external view virtual onlyProxy returns (bool) {
-        return
-            _nameAndDobOfacRoot == nameAndDobRoot &&
-            _nameAndYobOfacRoot == nameAndYobRoot &&
-            _nameAndDobReverseOfacRoot == nameAndDobReverseRoot &&
-            _nameAndYobReverseOfacRoot == nameAndYobReverseRoot;
+        return _nameAndDobOfacRoot == nameAndDobRoot && _nameAndYobOfacRoot == nameAndYobRoot;
     }
 
     /// @notice Checks if the provided UIDAI pubkey is stored in the registry and also if it's not expired.
@@ -337,22 +313,6 @@ contract IdentityRegistryAadhaarImplV1 is IdentityRegistryAadhaarStorageV1, IIde
         emit NameAndYobOfacRootUpdated(newNameAndYobOfacRoot);
     }
 
-    /// @notice Updates the name and date of birth reverse OFAC root.
-    /// @dev Callable only via a proxy and restricted to the contract owner.
-    /// @param newNameAndDobReverseOfacRoot The new name and date of birth reverse OFAC root value.
-    function updateNameAndDobReverseOfacRoot(uint256 newNameAndDobReverseOfacRoot) external onlyProxy onlyOwner {
-        _nameAndDobReverseOfacRoot = newNameAndDobReverseOfacRoot;
-        emit NameAndDobReverseOfacRootUpdated(newNameAndDobReverseOfacRoot);
-    }
-
-    /// @notice Updates the name and year of birth reverse OFAC root.
-    /// @dev Callable only via a proxy and restricted to the contract owner.
-    /// @param newNameAndYobReverseOfacRoot The new name and year of birth reverse OFAC root value.
-    function updateNameAndYobReverseOfacRoot(uint256 newNameAndYobReverseOfacRoot) external onlyProxy onlyOwner {
-        _nameAndYobReverseOfacRoot = newNameAndYobReverseOfacRoot;
-        emit NameAndYobReverseOfacRootUpdated(newNameAndYobReverseOfacRoot);
-    }
-
     /// @notice Registers a new UIDAI pubkey commitment.
     /// @dev Callable only via a proxy and restricted to the contract owner.
     /// @param commitment The UIDAI pubkey commitment to register.