Merge pull request #356 from OffchainLabs/develop

chore: merge develop with v3.1.1 to main

Author: gzeoneth

.github/workflows/contract-tests.yml

@@ -14,7 +14,7 @@ jobs:
     name: Test unit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -44,7 +44,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -55,7 +55,7 @@ jobs:
           cache: false
 
       - name: Setup nodejs
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: '18'
           cache: 'yarn'
@@ -124,7 +124,7 @@ jobs:
     name: 4844 tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -140,7 +140,7 @@ jobs:
           no-token-bridge: true
 
       - name: Setup nodejs
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: 18
           cache: 'yarn'
@@ -159,7 +159,7 @@ jobs:
     name: Test e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -191,7 +191,7 @@ jobs:
     name: Test e2e custom fee token
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -224,7 +224,7 @@ jobs:
     name: Test e2e fee token with 6 decimals and pricer
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -257,7 +257,7 @@ jobs:
   #   name: BOLD upgrade test
   #   runs-on: ubuntu-latest
   #   steps:
-  #     - uses: actions/checkout@v3
+  #     - uses: actions/checkout@v4
   #       with:
   #         submodules: recursive
 

.github/workflows/slither.yml

@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
 
       - name: Run Slither
         uses: crytic/[email protected]

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "lib/forge-std"]
 	path = lib/forge-std
 	url = https://github.com/foundry-rs/forge-std
+[submodule "src/precompiles"]
+	path = src/precompiles
+	url = https://github.com/OffchainLabs/nitro-precompile-interfaces.git

audit-ci.jsonc

@@ -27,6 +27,10 @@
     // Regular Expression Denial of Service (ReDoS) in cross-spawn
     "GHSA-3xgq-45jj-v275",
     // axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
-    "GHSA-jr5f-v2jv-69x6"
+    "GHSA-jr5f-v2jv-69x6",
+    // Homograph attack allows Unicode lookalike characters to bypass validation
+    "GHSA-xq7p-g2vc-g82p",
+    // brace-expansion Regular Expression Denial of Service vulnerability
+    "GHSA-v6h2-p8h4-qcjw"
   ]
 }

hardhat.config.ts

@@ -262,4 +262,7 @@ module.exports = {
   contractSizer: {
     strict: true,
   },
+  sourcify: {
+    enabled: true,
+  },
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arbitrum/nitro-contracts",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "Layer 2 precompiles and rollup for Arbitrum Nitro",
   "author": "Offchain Labs, Inc.",
   "license": "BUSL-1.1",

scripts/boldUpgradeCommon.ts

@@ -1,8 +1,9 @@
 import { BigNumber, providers } from 'ethers'
-import { parseEther } from 'ethers/lib/utils'
+import { isAddress, parseUnits } from 'ethers/lib/utils'
 import fs from 'fs'
 
 import { configs } from './files/configs'
+import { ERC20__factory } from '../build/types'
 
 export interface DeployedContracts {
   bridge: string
@@ -15,10 +16,6 @@ export interface DeployedContracts {
   challengeManager: string
   boldAction: string
   preImageHashLookup: string
-  prover0: string
-  proverMem: string
-  proverMath: string
-  proverHostIo: string
   osp: string
 }
 
@@ -105,6 +102,7 @@ export const validateConfig = async (
   config: Config,
   l1Rpc: providers.Provider
 ) => {
+  // check all config.contracts
   if ((await l1Rpc.getCode(config.contracts.rollup)).length <= 2) {
     throw new Error('rollup address is not a contract')
   }
@@ -126,11 +124,17 @@ export const validateConfig = async (
   if ((await l1Rpc.getCode(config.contracts.upgradeExecutor)).length <= 2) {
     throw new Error('upgradeExecutor address is not a contract')
   }
+  if (!isAddress(config.contracts.excessStakeReceiver)) {
+    throw new Error('excessStakeReceiver is not a valid address')
+  }
 
   // check all the config.proxyAdmins exist
   if ((await l1Rpc.getCode(config.proxyAdmins.outbox)).length <= 2) {
     throw new Error('outbox proxy admin address is not a contract')
   }
+  if ((await l1Rpc.getCode(config.proxyAdmins.inbox)).length <= 2) {
+    throw new Error('inbox proxy admin address is not a contract')
+  }
   if ((await l1Rpc.getCode(config.proxyAdmins.bridge)).length <= 2) {
     throw new Error('bridge proxy admin address is not a contract')
   }
@@ -142,18 +146,22 @@ export const validateConfig = async (
   }
 
   // check all the settings exist
+  // Note: `challengeGracePeriodBlocks` and `validatorAfkBlocks` can both be 0
   if (config.settings.confirmPeriodBlocks === 0) {
     throw new Error('confirmPeriodBlocks is 0')
   }
-  if (config.settings.stakeToken.length === 0) {
-    throw new Error('stakeToken address is empty')
+  if (config.settings.challengePeriodBlocks === 0) {
+    throw new Error('challengePeriodBlocks is 0')
   }
   if ((await l1Rpc.getCode(config.settings.stakeToken)).length <= 2) {
     throw new Error('stakeToken address is not a contract')
   }
   if (config.settings.chainId === 0) {
     throw new Error('chainId is 0')
   }
+  if (config.settings.minimumAssertionPeriod === 0) {
+    throw new Error('minimumAssertionPeriod is 0')
+  }
   if (config.settings.blockLeafSize === 0) {
     throw new Error('blockLeafSize is 0')
   }
@@ -166,22 +174,45 @@ export const validateConfig = async (
   if (config.settings.numBigStepLevel === 0) {
     throw new Error('numBigStepLevel is 0')
   }
+  if (config.settings.maxDataSize === 0) {
+    throw new Error('maxDataSize is 0')
+  }
 
+  // check stake token amount
   const stakeAmount = BigNumber.from(config.settings.stakeAmt)
-  // check it's more than 1 eth
-  if (stakeAmount.lt(parseEther('1'))) {
-    throw new Error('stakeAmt is less than 1 eth')
+  if (stakeAmount.eq(0)) {
+    throw new Error('stakeAmt is 0')
   }
-  const miniStakeAmounts = config.settings.miniStakeAmounts.map(BigNumber.from)
 
+  // check mini stakes
+  const miniStakeAmounts = config.settings.miniStakeAmounts.map(BigNumber.from)
   if (miniStakeAmounts.length !== config.settings.numBigStepLevel + 2) {
     throw new Error('miniStakeAmts length is not numBigStepLevel + 2')
   }
 
-  if (
-    !config.settings.disableValidatorWhitelist &&
-    config.validators.length === 0
-  ) {
-    throw new Error('no validators')
+  // check validators and whitelist
+  if (!config.settings.disableValidatorWhitelist) {
+    if (config.validators.length === 0) {
+      throw new Error('no validators')
+    }
+
+    for (let i = 0; i < config.validators.length; i++) {
+      if (!isAddress(config.validators[i])) {
+        throw new Error(`Invalid address for validator ${i}`)
+      }
+    }
+  }
+
+  // check delaybuffer settings
+  if (config.settings.isDelayBufferable) {
+    if (config.settings.bufferConfig.max === 0) {
+      throw new Error('bufferConfig.max is 0')
+    }
+    if (config.settings.bufferConfig.threshold === 0) {
+      throw new Error('bufferConfig.threshold is 0')
+    }
+    if (config.settings.bufferConfig.replenishRateInBasis === 0) {
+      throw new Error('bufferConfig.replenishRateInBasis is 0')
+    }
   }
 }