Espresso 1: Contracts#443
Conversation
QuentinI
force-pushed
the
ag/contracts
branch
2 times, most recently
from
4bc5939 to
cbd97f9
Compare
Adds the Espresso-introduced contracts and the minimum supporting changes
required for them to compile, test, and pass the contract checks.
New contracts and scripts:
- src/L1/BatchAuthenticator.sol and interfaces/L1/IBatchAuthenticator.sol
(upgradeable contract that authenticates batch transactions, with switching
between Espresso and fallback batchers)
- scripts/deploy/DeployBatchAuthenticator.s.sol and
scripts/deploy/DeployEspresso.s.sol
- test/L1/BatchAuthenticator.t.sol and test/mocks/MockEspressoTEEVerifiers.sol
- snapshots/{abi,storageLayout}/BatchAuthenticator.json
- snapshots/semver-lock.json entry for BatchAuthenticator
New submodules:
- lib/espresso-tee-contracts (interfaces required by BatchAuthenticator)
- lib/openzeppelin-contracts-upgradeable-v5 (OZ v5 used by BatchAuthenticator
via OwnableUpgradeable)
Supporting changes (Espresso-driven):
- foundry.toml: remappings for OZ v5 and espresso-tee-contracts; ignored
warning codes for vendored libs; OOM-safe jobs settings; via-ir profile.
- justfile: fix-proxy-artifact recipe to handle OZ v5 shadowing Proxy/ProxyAdmin
artifacts; build/coverage hooks.
- src/universal/Proxy.sol, src/universal/ProxyAdmin.sol: pin pragma to exact
0.8.15 so they stay in their own compilation group and never emit PUSH0.
- src/universal/ReinitializableBase.sol: loosen pragma to ^0.8.15 so
BatchAuthenticator (compiled with OZ v5) can import it.
- scripts/* and test/*: disambiguate Proxy artifact lookups to
src/universal/Proxy.sol:Proxy (avoids OZ v5 proxy/Proxy.sol shadow).
- scripts/checks: bypass interface checks for artifacts originating from lib/;
add Espresso-related contract names to exclude lists; pragma exclusions for
Proxy/ProxyAdmin/BatchAuthenticator.
- test/vendor/Initializable.t.sol: exclude BatchAuthenticator (deployed by a
separate Espresso script).
Co-authored-by: OpenCode <noreply@opencode.ai>
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ee2d984108
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| vm.prank(proxyAdminOwner); | ||
| authenticator.switchBatcher(); | ||
| assertFalse(authenticator.activeIsEspresso()); | ||
| } |
There was a problem hiding this comment.
The tests currently seem to be missing tests of batch authentication behaviour when running in fallback mode and also a test of authentication behaviour when in fallback and paused.
I've added two tests which I think covers these cases in this commit 5d0a803
Co-authored-by: piersy <pierspowlesland@gmail.com>
| @@ -0,0 +1,287 @@ | |||
| // SPDX-License-Identifier: MIT | |||
| pragma solidity 0.8.25; | |||
There was a problem hiding this comment.
I would recommend to double check versioning in each file for consistency.
OP source contracts follow 0.8.15, but files like BatchAuthenticator.sol & contracts in espresso-tee-contracts follow ^0.8.0 (which is fine I guess).
OP scripts usually follow ^0.8.0, but here scripts follow 0.8.25 - could you tell more about the motivation for it?
There was a problem hiding this comment.
Relaxed to ^0.8.0 - I don't remember any specific reason for us doing this, going to assume there wasn't one since nothing seems to break doing this.
| address payable _addr; | ||
| assembly { _addr := create(0, add(_initCode, 0x20), mload(_initCode)) } | ||
| require(_addr != address(0), "DeployBatchAuthenticator: ProxyAdmin deployment failed"); | ||
| proxyAdmin = IProxyAdmin(_addr); |
There was a problem hiding this comment.
Should separate ProxyAdmin be deployed just for BatchAuthenticator or would it be possible to re-use existing ProxyAdmin from our OP Stack deployment?
There was a problem hiding this comment.
I don't think there's a technical reason
cc @shenkeyao is there a governance reason for this?
There was a problem hiding this comment.
I think technically we can reuse the existing ProxyAdmin, but that would require the OP stack to participate in every future batchAuthenticator upgrade, which is an undesirable governance dependency. Looks like this was introduced in this commit, so cc @jjeangal, who might have more context.
| checkOutput(_output); | ||
| } | ||
|
|
||
| function deployBatchAuthenticator( |
There was a problem hiding this comment.
I see this is the second place that can deploy BatchAuthenticator, so the same question: should separate ProxyAdmin be freshly deployed just for this contract? Or is it possible to use already deployed ProxyAdmin for Celo's OP Stack?
| // Upstream OP stack contracts that intentionally use ^ for broad compatibility. | ||
| "src/universal/Proxy.sol", | ||
| "src/universal/ProxyAdmin.sol", |
There was a problem hiding this comment.
This looks unnecessary, as these files use strict pragmas already:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
| optimizer_runs = 200 | ||
| use_literal_content = false |
There was a problem hiding this comment.
Why do you set these? To match some verification settings?
There was a problem hiding this comment.
Oh, there was some verification changes we did in our fork that I dropped for this PR, didn't catch this. Fixed
| // Generic interfaces | ||
| "IHasSuperchainConfig", | ||
|
|
||
| // Espresso dependencies |
There was a problem hiding this comment.
nit: It would be good to move this to the Celo contracts sections, to remove future rebase conflicts.
| return nil, []error{fmt.Errorf("%s: Interface does not start with 'I'", contractName)} | ||
| } | ||
|
|
||
| // Espresso: skip interface artifacts that originate from lib/ (e.g. OZ v5 interfaces |
There was a problem hiding this comment.
I'm not the biggest fan of all this artifact handling.
I think there's a way around it: 0322873
Let me know what you think.
There was a problem hiding this comment.
This makes sense to me
cc @shenkeyao I think you have more context here
There was a problem hiding this comment.
Makes sense to cherry-pick 0322873! This would help clean up many artifact-related changes.
However, the lib/ skip in this file would still be necessary, because OZ v5 interfaces compiled transitively from espresso-tee-contracts would still land in forge-artifacts/.
| address _owner | ||
| ) | ||
| external | ||
| reinitializer(initVersion()) |
There was a problem hiding this comment.
initialize() is non-idempotent: activeIsEspresso = true on L73 re-runs on every reinitializer(initVersion()) bump and silently undoes any prior switchBatcher() (e.g. a guardian flip to Fallback).
| } | ||
|
|
||
| /// @notice Toggles the active batcher between the Espresso and fallback batcher. | ||
| function switchBatcher() external onlyGuardianOrOwner { |
There was a problem hiding this comment.
It might be better to make this a setter instead of a toggle.
function setActiveIsEspresso(bool _desired) external onlyGuardianOrOwner {
if (activeIsEspresso == _desired) return; // idempotent no-op
activeIsEspresso = _desired;
emit BatcherSwitched(_desired);
}There was a problem hiding this comment.
Agreed, but I'll need to clear that w/ the rest of the team.
- strict-pragma: remove unneeded exclusions for src/universal/Proxy.sol and src/universal/ProxyAdmin.sol — both already use strict 'pragma solidity 0.8.15;', so the entries (and their misleading comment claiming '^') were dead. - interfaces: move the Espresso excludeContracts block out of the upstream-shared area and down next to the Celo block, with one entry per line to match the surrounding style. Localizes future rebase deltas. Co-authored-by: OpenCode <noreply@opencode.ai>
| function paused() public view returns (bool) { | ||
| return systemConfig.paused(); | ||
| } | ||
|
|
There was a problem hiding this comment.
I think the pause should be removed, I can't see any reason to want to stop batches reaching the L1. Also this is delegating to systemConfig.paused() which is intended to pause the bridge, not stop the chain from progressing.
| if (activeIsEspresso) { | ||
| // TEE batcher path: verify via registered TEE signer. | ||
| // Setting TEEType as Nitro because OP integration only supports AWS Nitro currently. | ||
| espressoTEEVerifier.verify(_signature, _commitment, IEspressoTEEVerifier.TeeType.NITRO); |
There was a problem hiding this comment.
Should we assume espressoTEEVerifier.verify() will always revert if there is a problem with the signature? Or should we check here the returned value and explicitly revert here if it's not true?
| /// An attacker would need to compromise governance (to whitelist a malicious enclave hash), forge | ||
| /// an AWS Nitro signature, or break the Succinct ZK proof — all outside the contract's threat model. | ||
| function registerSigner(bytes calldata _verificationData, bytes calldata _data) external { | ||
| if (paused()) revert BatchAuthenticator_Paused(); |
There was a problem hiding this comment.
Is there a reason to not allow registering signers when the contract is paused?
6 participants
This PR pulls in the
BatchAuthenticatorpart of Espresso integration atpackages/contracts-bedrock/src/L1/BatchAuthenticator.sol. All other changes are deployment scripts, tests, and other wiring.BatchAuthenticatoris the contract that the batchers will have to authenticate their batches with; corresponding changes for the derivation pipeline and batchers forthcoming as subsequent PRs.