1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
package withdrawals
import (
"bytes"
"context"
"errors"
"fmt"
"math/big"
"github.com/ethereum/go-ethereum/accounts/abi"
"github.com/ethereum/go-ethereum/accounts/abi/bind"
"github.com/ethereum/go-ethereum/common"
"github.com/ethereum/go-ethereum/core/types"
"github.com/ethereum/go-ethereum/crypto"
"github.com/ethereum/go-ethereum/ethclient/gethclient"
"github.com/ethereum-optimism/optimism/op-bindings/bindings"
"github.com/ethereum-optimism/optimism/op-bindings/predeploys"
)
var MessagePassedTopic = crypto.Keccak256Hash([]byte("MessagePassed(uint256,address,address,uint256,uint256,bytes,bytes32)"))
type ProofClient interface {
GetProof(context.Context, common.Address, []string, *big.Int) (*gethclient.AccountResult, error)
}
type ReceiptClient interface {
TransactionReceipt(context.Context, common.Hash) (*types.Receipt, error)
}
// ProvenWithdrawalParameters is the set of parameters to pass to the ProveWithdrawalTransaction
// and FinalizeWithdrawalTransaction functions
type ProvenWithdrawalParameters struct {
Nonce *big.Int
Sender common.Address
Target common.Address
Value *big.Int
GasLimit *big.Int
L2OutputIndex *big.Int
Data []byte
OutputRootProof bindings.TypesOutputRootProof
WithdrawalProof [][]byte // List of trie nodes to prove L2 storage
}
// ProveWithdrawalParameters queries L1 & L2 to generate all withdrawal parameters and proof necessary to prove a withdrawal on L1.
// The header provided is very important. It should be a block (timestamp) for which there is a submitted output in the L2 Output Oracle
// contract. If not, the withdrawal will fail as it the storage proof cannot be verified if there is no submitted state root.
func ProveWithdrawalParameters(ctx context.Context, proofCl ProofClient, l2ReceiptCl ReceiptClient, txHash common.Hash, header *types.Header, l2OutputOracleContract *bindings.L2OutputOracleCaller) (ProvenWithdrawalParameters, error) {
// Transaction receipt
receipt, err := l2ReceiptCl.TransactionReceipt(ctx, txHash)
if err != nil {
return ProvenWithdrawalParameters{}, err
}
// Parse the receipt
ev, err := ParseMessagePassed(receipt)
if err != nil {
return ProvenWithdrawalParameters{}, err
}
// Generate then verify the withdrawal proof
withdrawalHash, err := WithdrawalHash(ev)
if !bytes.Equal(withdrawalHash[:], ev.WithdrawalHash[:]) {
return ProvenWithdrawalParameters{}, errors.New("Computed withdrawal hash incorrectly")
}
if err != nil {
return ProvenWithdrawalParameters{}, err
}
slot := StorageSlotOfWithdrawalHash(withdrawalHash)
p, err := proofCl.GetProof(ctx, predeploys.L2ToL1MessagePasserAddr, []string{slot.String()}, header.Number)
if err != nil {
return ProvenWithdrawalParameters{}, err
}
// Fetch the L2OutputIndex from the L2 Output Oracle caller (on L1)
l2OutputIndex, err := l2OutputOracleContract.GetL2OutputIndexAfter(&bind.CallOpts{}, header.Number)
if err != nil {
return ProvenWithdrawalParameters{}, fmt.Errorf("failed to get l2OutputIndex: %w", err)
}
// TODO: Could skip this step, but it's nice to double check it
err = VerifyProof(header.Root, p)
if err != nil {
return ProvenWithdrawalParameters{}, err
}
if len(p.StorageProof) != 1 {
return ProvenWithdrawalParameters{}, errors.New("invalid amount of storage proofs")
}
// Encode it as expected by the contract
trieNodes := make([][]byte, len(p.StorageProof[0].Proof))
for i, s := range p.StorageProof[0].Proof {
trieNodes[i] = common.FromHex(s)
}
return ProvenWithdrawalParameters{
Nonce: ev.Nonce,
Sender: ev.Sender,
Target: ev.Target,
Value: ev.Value,
GasLimit: ev.GasLimit,
L2OutputIndex: l2OutputIndex,
Data: ev.Data,
OutputRootProof: bindings.TypesOutputRootProof{
Version: [32]byte{}, // Empty for version 1
StateRoot: header.Root,
MessagePasserStorageRoot: p.StorageHash,
LatestBlockhash: header.Hash(),
},
WithdrawalProof: trieNodes,
}, nil
}
// Standard ABI types copied from golang ABI tests
var (
Uint256Type, _ = abi.NewType("uint256", "", nil)
BytesType, _ = abi.NewType("bytes", "", nil)
AddressType, _ = abi.NewType("address", "", nil)
)
// WithdrawalHash computes the hash of the withdrawal that was stored in the L2toL1MessagePasser
// contract state.
// TODO:
// - I don't like having to use the ABI Generated struct
// - There should be a better way to run the ABI encoding
// - These needs to be fuzzed against the solidity
func WithdrawalHash(ev *bindings.L2ToL1MessagePasserMessagePassed) (common.Hash, error) {
// abi.encode(nonce, msg.sender, _target, msg.value, _gasLimit, _data)
args := abi.Arguments{
{Name: "nonce", Type: Uint256Type},
{Name: "sender", Type: AddressType},
{Name: "target", Type: AddressType},
{Name: "value", Type: Uint256Type},
{Name: "gasLimit", Type: Uint256Type},
{Name: "data", Type: BytesType},
}
enc, err := args.Pack(ev.Nonce, ev.Sender, ev.Target, ev.Value, ev.GasLimit, ev.Data)
if err != nil {
return common.Hash{}, fmt.Errorf("failed to pack for withdrawal hash: %w", err)
}
return crypto.Keccak256Hash(enc), nil
}
// ParseMessagePassed parses MessagePassed events from
// a transaction receipt. It does not support multiple withdrawals
// per receipt.
func ParseMessagePassed(receipt *types.Receipt) (*bindings.L2ToL1MessagePasserMessagePassed, error) {
contract, err := bindings.NewL2ToL1MessagePasser(common.Address{}, nil)
if err != nil {
return nil, err
}
for _, log := range receipt.Logs {
if len(log.Topics) == 0 || log.Topics[0] != MessagePassedTopic {
continue
}
ev, err := contract.ParseMessagePassed(*log)
if err != nil {
return nil, fmt.Errorf("failed to parse log: %w", err)
}
return ev, nil
}
return nil, errors.New("Unable to find MessagePassed event")
}
// StorageSlotOfWithdrawalHash determines the storage slot of the L2ToL1MessagePasser contract to look at
// given a WithdrawalHash
func StorageSlotOfWithdrawalHash(hash common.Hash) common.Hash {
// The withdrawals mapping is the 0th storage slot in the L2ToL1MessagePasser contract.
// To determine the storage slot, use keccak256(withdrawalHash ++ p)
// Where p is the 32 byte value of the storage slot and ++ is concatenation
buf := make([]byte, 64)
copy(buf, hash[:])
return crypto.Keccak256Hash(buf)
}