op-node: limit reorg depth with sanity check (#3422)

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

op-node/rollup/sync/start.go

@@ -49,7 +49,7 @@ var ReorgFinalizedErr = errors.New("cannot reorg finalized block")
 var WrongChainErr = errors.New("wrong chain")
 var TooDeepReorgErr = errors.New("reorg is too deep")
 
-const MaxReorgDepth = 500
+const MaxReorgSeqWindows = 5
 
 type FindHeadsResult struct {
 	Unsafe    eth.L2BlockRef
@@ -154,7 +154,7 @@ func FindL2Heads(ctx context.Context, cfg *rollup.Config, l1 L1Chain, l2 L2Chain
 			return nil, fmt.Errorf("%w: finalized %s, got: %s", ReorgFinalizedErr, result.Finalized, n)
 		}
 		// Check we are not reorging L2 incredibly deep
-		if n.Number+MaxReorgDepth < prevUnsafe.Number {
+		if n.L1Origin.Number+(MaxReorgSeqWindows*cfg.SeqWindowSize) < prevUnsafe.L1Origin.Number {
 			// If the reorg depth is too large, something is fishy.
 			// This can legitimately happen if L1 goes down for a while. But in that case,
 			// restarting the L2 node with a bigger configured MaxReorgDepth is an acceptable

op-node/rollup/sync/start_test.go

@@ -221,6 +221,7 @@ func TestFindSyncStart(t *testing.T) {
 			GenesisL1:      'a',
 			GenesisL2:      'A',
 			UnsafeL2Head:   0,
+			SeqWindowSize:  2,
 			ExpectedErr:    WrongChainErr,
 		},
 		{
@@ -234,6 +235,7 @@ func TestFindSyncStart(t *testing.T) {
 			GenesisL1:      'a',
 			GenesisL2:      'X',
 			UnsafeL2Head:   0,
+			SeqWindowSize:  2,
 			ExpectedErr:    WrongChainErr,
 		},
 		{