Merge branch 'develop' into jg/remove_println

go.mod

@@ -62,7 +62,7 @@ require (
 	github.com/deckarep/golang-set/v2 v2.1.0 // indirect
 	github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect
 	github.com/deepmap/oapi-codegen v1.8.2 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/elastic/gosigar v0.14.2 // indirect

go.sum

@@ -124,8 +124,8 @@ github.com/dgraph-io/ristretto v0.0.2 h1:a5WaUrDa0qm0YrAAS1tUykT5El3kt62KNZZeMxQ
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dlclark/regexp2 v1.7.0 h1:7lJfhqlPssTb1WQx4yvTHN0uElPEv52sbaECrAQxjAo=
-github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v20.10.24+incompatible h1:Ugvxm7a8+Gz6vqQYQQ2W7GYq5EUPaAiuPgIfVyI3dYE=
 github.com/docker/docker v20.10.24+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=

op-challenger/flags/flags_test.go

@@ -40,7 +40,7 @@ func TestCorrectEnvVarPrefix(t *testing.T) {
 		if envVar == "" {
 			t.Errorf("Failed to find EnvVar for flag %v", flag.GetName())
 		}
-		if envVar[:len("OP_CHALLENGER_")] != "OP_CHALLENGER_" {
+		if !strings.HasPrefix(envVar, "OP_CHALLENGER_") {
 			t.Errorf("Flag %v env var (%v) does not start with OP_CHALLENGER_", flag.GetName(), envVar)
 		}
 		if strings.Contains(envVar, "__") {

op-program/host/flags/flags_test.go

@@ -40,7 +40,7 @@ func TestCorrectEnvVarPrefix(t *testing.T) {
 		if envVar == "" {
 			t.Errorf("Failed to find EnvVar for flag %v", flag.GetName())
 		}
-		if envVar[:len("OP_PROGRAM_")] != "OP_PROGRAM_" {
+		if !strings.HasPrefix(envVar, "OP_PROGRAM_") {
 			t.Errorf("Flag %v env var (%v) does not start with OP_PROGRAM_", flag.GetName(), envVar)
 		}
 		if strings.Contains(envVar, "__") {

op-program/verify/cmd/goerli.go

@@ -56,6 +56,7 @@ func Run(l1RpcUrl string, l2RpcUrl string, l2OracleAddr common.Address) error {
 	if err != nil {
 		return fmt.Errorf("get l2 safe head: %w", err)
 	}
+	fmt.Printf("Found L2 finalized head number: %v hash: %v\n", l2FinalizedHead.NumberU64(), l2FinalizedHead.Hash())
 
 	// Find L1 finalized block. Can't be re-orged and must contain all batches for the L2 finalized block
 	l1BlockNum := big.NewInt(int64(rpc.FinalizedBlockNumber))
@@ -63,18 +64,28 @@ func Run(l1RpcUrl string, l2RpcUrl string, l2OracleAddr common.Address) error {
 	if err != nil {
 		return fmt.Errorf("find L1 head: %w", err)
 	}
+	fmt.Printf("Found l1 head block number: %v hash: %v\n", l1HeadBlock.NumberU64(), l1HeadBlock.Hash())
 
 	// Get the most published L2 output from before the finalized block
 	callOpts := &bind.CallOpts{Context: ctx}
 	outputIndex, err := outputOracle.GetL2OutputIndexAfter(callOpts, l2FinalizedHead.Number())
 	if err != nil {
-		return fmt.Errorf("get output index after finalized block: %w", err)
+		fmt.Println("Failed to get output index after finalized block. Checking latest output", "finalized", l2FinalizedHead.Number(), "err", err)
+		outputIndex, err = outputOracle.LatestOutputIndex(callOpts)
+		if err != nil {
+			return fmt.Errorf("get latest output index: %w", err)
+		}
+	} else {
+		outputIndex = outputIndex.Sub(outputIndex, big.NewInt(1))
 	}
-	outputIndex = outputIndex.Sub(outputIndex, big.NewInt(1))
 	output, err := outputOracle.GetL2Output(callOpts, outputIndex)
 	if err != nil {
 		return fmt.Errorf("retrieve latest output: %w", err)
 	}
+	// Check we wound up with an output prior to the finalized block
+	if output.L2BlockNumber.Uint64() > l2FinalizedHead.NumberU64() {
+		return fmt.Errorf("selected output is after finalized head output block: %v, finalized block: %v", output.L2BlockNumber.Uint64(), l2FinalizedHead.NumberU64())
+	}
 
 	l1Head := l1HeadBlock.Hash()
 	l2Claim := common.Hash(output.OutputRoot)

packages/contracts-periphery/contracts/foundry-tests/AdminFaucetAuthModule.t.sol

+//SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import { Test } from "forge-std/Test.sol";
+import { AdminFaucetAuthModule } from "../universal/faucet/authmodules/AdminFaucetAuthModule.sol";
+import { Faucet } from "../universal/faucet/Faucet.sol";
+import { FaucetHelper } from "../testing/helpers/FaucetHelper.sol";
+
+/**
+ * @title  AdminFaucetAuthModuleTest
+ * @notice Tests the AdminFaucetAuthModule contract.
+ */
+contract AdminFaucetAuthModuleTest is Test {
+    /**
+     * @notice The admin of the `AdminFaucetAuthModule` contract.
+     */
+    address internal admin;
+    /**
+     * @notice Private key of the `admin`.
+     */
+    uint256 internal adminKey;
+    /**
+     * @notice Not an admin of the `AdminFaucetAuthModule` contract.
+     */
+    address internal nonAdmin;
+    /**
+     * @notice Private key of the `nonAdmin`.
+     */
+    uint256 internal nonAdminKey;
+    /**
+     * @notice An instance of the `AdminFaucetAuthModule` contract.
+     */
+    AdminFaucetAuthModule internal adminFam;
+    /**
+     * @notice An instance of the `FaucetHelper` contract.
+     */
+    FaucetHelper internal faucetHelper;
+    string internal adminFamName = "AdminFAM";
+    string internal adminFamVersion = "1";
+
+    /**
+     * @notice Deploy the `AdminFaucetAuthModule` contract.
+     */
+    function setUp() external {
+        adminKey = 0xB0B0B0B0;
+        admin = vm.addr(adminKey);
+
+        nonAdminKey = 0xC0C0C0C0;
+        nonAdmin = vm.addr(nonAdminKey);
+
+        adminFam = new AdminFaucetAuthModule(admin, adminFamName, adminFamVersion);
+
+        faucetHelper = new FaucetHelper();
+    }
+
+    /**
+     * @notice Get signature as a bytes blob.
+     *
+     */
+    function _getSignature(uint256 _signingPrivateKey, bytes32 _digest)
+        internal
+        pure
+        returns (bytes memory)
+    {
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(_signingPrivateKey, _digest);
+
+        bytes memory signature = abi.encodePacked(r, s, v);
+        return signature;
+    }
+
+    /**
+     * @notice Signs a proof with the given private key and returns the signature using
+     *         the given EIP712 domain separator. This assumes that the issuer's address is the
+     *         corresponding public key to _issuerPrivateKey.
+     */
+    function issueProofWithEIP712Domain(
+        uint256 _issuerPrivateKey,
+        bytes memory _eip712Name,
+        bytes memory _contractVersion,
+        uint256 _eip712Chainid,
+        address _eip712VerifyingContract,
+        address recipient,
+        bytes memory id,
+        bytes32 nonce
+    ) internal view returns (bytes memory) {
+        AdminFaucetAuthModule.Proof memory proof = AdminFaucetAuthModule.Proof(
+            recipient,
+            nonce,
+            id
+        );
+        return
+            _getSignature(
+                _issuerPrivateKey,
+                faucetHelper.getDigestWithEIP712Domain(
+                    proof,
+                    _eip712Name,
+                    _contractVersion,
+                    _eip712Chainid,
+                    _eip712VerifyingContract
+                )
+            );
+    }
+
+    /**
+     * @notice assert that verify returns true for valid proofs signed by admins.
+     */
+    function test_adminProof_verify_returnsTrue() external {
+        bytes32 nonce = faucetHelper.consumeNonce();
+        address fundsReceiver = makeAddr("fundsReceiver");
+        bytes memory proof = issueProofWithEIP712Domain(
+            adminKey,
+            bytes(adminFamName),
+            bytes(adminFamVersion),
+            block.chainid,
+            address(adminFam),
+            fundsReceiver,
+            abi.encodePacked(fundsReceiver),
+            nonce
+        );
+
+        vm.prank(nonAdmin);
+        assertEq(
+            adminFam.verify(
+                Faucet.DripParameters(payable(fundsReceiver), nonce),
+                abi.encodePacked(fundsReceiver),
+                proof
+            ),
+            true
+        );
+    }
+
+    /**
+     * @notice assert that verify returns false for proofs signed by nonadmins.
+     */
+    function test_nonAdminProof_verify_returnsFalse() external {
+        bytes32 nonce = faucetHelper.consumeNonce();
+        address fundsReceiver = makeAddr("fundsReceiver");
+        bytes memory proof = issueProofWithEIP712Domain(
+            nonAdminKey,
+            bytes(adminFamName),
+            bytes(adminFamVersion),
+            block.chainid,
+            address(adminFam),
+            fundsReceiver,
+            abi.encodePacked(fundsReceiver),
+            nonce
+        );
+
+        vm.prank(admin);
+        assertEq(
+            adminFam.verify(
+                Faucet.DripParameters(payable(fundsReceiver), nonce),
+                abi.encodePacked(fundsReceiver),
+                proof
+            ),
+            false
+        );
+    }
+
+    /**
+     * @notice assert that verify returns false for proofs where the id in the proof is different
+     * than the id in the call to verify.
+     */
+    function test_proofWithWrongId_verify_returnsFalse() external {
+        bytes32 nonce = faucetHelper.consumeNonce();
+        address fundsReceiver = makeAddr("fundsReceiver");
+        address randomAddress = makeAddr("randomAddress");
+        bytes memory proof = issueProofWithEIP712Domain(
+            adminKey,
+            bytes(adminFamName),
+            bytes(adminFamVersion),
+            block.chainid,
+            address(adminFam),
+            fundsReceiver,
+            abi.encodePacked(fundsReceiver),
+            nonce
+        );
+
+        vm.prank(admin);
+        assertEq(
+            adminFam.verify(
+                Faucet.DripParameters(payable(fundsReceiver), nonce),
+                abi.encodePacked(randomAddress),
+                proof
+            ),
+            false
+        );
+    }
+}

packages/contracts-periphery/contracts/testing/helpers/FaucetHelper.sol

+//SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import {
+    AdminFaucetAuthModule
+} from "../../universal/faucet/authmodules/AdminFaucetAuthModule.sol";
+import {
+    ECDSAUpgradeable
+} from "@openzeppelin/contracts-upgradeable/utils/cryptography/ECDSAUpgradeable.sol";
+
+/**
+ * Simple helper contract that helps with testing the Faucet contract.
+ */
+contract FaucetHelper {
+    /**
+     * @notice EIP712 typehash for the Proof type.
+     */
+    bytes32 public constant PROOF_TYPEHASH =
+        keccak256("Proof(address recipient,bytes32 nonce,bytes id)");
+
+    /**
+     * @notice EIP712 typehash for the EIP712Domain type that is included as part of the signature.
+     */
+    bytes32 public constant EIP712_DOMAIN_TYPEHASH =
+        keccak256(
+            "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
+        );
+
+    /**
+     * @notice Keeps track of current nonce to generate new nonces for each drip.
+     */
+    uint256 public currentNonce;
+
+    /**
+     * @notice Returns a bytes32 nonce that should change everytime. In practice, people should use
+     *         pseudorandom nonces.
+     *
+     * @return Nonce that should be used as part of drip parameters.
+     */
+    function consumeNonce() public returns (bytes32) {
+        return bytes32(keccak256(abi.encode(currentNonce++)));
+    }
+
+    /**
+     * @notice Returns the hash of the struct Proof.
+     *
+     * @param _proof Proof struct to hash.
+     *
+     * @return EIP-712 typed struct hash.
+     */
+    function getProofStructHash(AdminFaucetAuthModule.Proof memory _proof)
+        public
+        pure
+        returns (bytes32)
+    {
+        return keccak256(abi.encode(PROOF_TYPEHASH, _proof.recipient, _proof.nonce, _proof.id));
+    }
+
+    /**
+     * @notice Computes the EIP712 digest with the given domain parameters.
+     *         Used for testing that different domain parameters fail.
+     *
+     * @param _proof             Proof struct to hash.
+     * @param _name              Contract name to use in the EIP712 domain.
+     * @param _version           Contract version to use in the EIP712 domain.
+     * @param _chainid           Chain ID to use in the EIP712 domain.
+     * @param _verifyingContract Address to use in the EIP712 domain.
+     * @param _verifyingContract Address to use in the EIP712 domain.
+     * @param _verifyingContract Address to use in the EIP712 domain.
+     *
+     * @return EIP-712 compatible digest.
+     */
+    function getDigestWithEIP712Domain(
+        AdminFaucetAuthModule.Proof memory _proof,
+        bytes memory _name,
+        bytes memory _version,
+        uint256 _chainid,
+        address _verifyingContract
+    ) public pure returns (bytes32) {
+        bytes32 domainSeparator = keccak256(
+            abi.encode(
+                EIP712_DOMAIN_TYPEHASH,
+                keccak256(_name),
+                keccak256(_version),
+                _chainid,
+                _verifyingContract
+            )
+        );
+        return ECDSAUpgradeable.toTypedDataHash(domainSeparator, getProofStructHash(_proof));
+    }
+}

packages/contracts-periphery/contracts/universal/faucet/Faucet.sol

+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import { IFaucetAuthModule } from "./authmodules/IFaucetAuthModule.sol";
+
+/**
+ * @title  SafeSend
+ * @notice Sends ETH to a recipient account without triggering any code.
+ */
+contract SafeSend {
+    /**
+     * @param _recipient Account to send ETH to.
+     */
+    constructor(address payable _recipient) payable {
+        selfdestruct(_recipient);
+    }
+}
+
+/**
+ * @title  Faucet
+ * @notice Faucet contract that drips ETH to users.
+ */
+contract Faucet {
+    /**
+     * @notice Emitted on each drip.
+     *
+     * @param authModule The type of authentication that was used for verifying the drip.
+     * @param userId     The id of the user that requested the drip.
+     * @param amount     The amount of funds sent.
+     * @param recipient  The recipient of the drip.
+     */
+    event Drip(
+        string indexed authModule,
+        bytes indexed userId,
+        uint256 amount,
+        address indexed recipient
+    );
+
+    /**
+     * @notice Parameters for a drip.
+     */
+    struct DripParameters {
+        address payable recipient;
+        bytes32 nonce;
+    }
+
+    /**
+     * @notice Parameters for authentication.
+     */
+    struct AuthParameters {
+        IFaucetAuthModule module;
+        bytes id;
+        bytes proof;
+    }
+
+    /**
+     * @notice Configuration for an authentication module.
+     */
+    struct ModuleConfig {
+        string name;
+        bool enabled;
+        uint256 ttl;
+        uint256 amount;
+    }
+
+    /**
+     * @notice Admin address that can configure the faucet.
+     */
+    address public immutable ADMIN;
+
+    /**
+     * @notice Mapping of authentication modules to their configurations.
+     */
+    mapping(IFaucetAuthModule => ModuleConfig) public modules;
+
+    /**
+     * @notice Mapping of authentication IDs to the next timestamp at which they can be used.
+     */
+    mapping(IFaucetAuthModule => mapping(bytes => uint256)) public timeouts;
+
+    /**
+     * @notice Maps from id to nonces to whether or not they have been used.
+     */
+    mapping(bytes => mapping(bytes32 => bool)) public nonces;
+
+    /**
+     * @notice Modifier that makes a function admin priviledged.
+     */
+    modifier priviledged() {
+        require(msg.sender == ADMIN, "Faucet: function can only be called by admin");
+        _;
+    }
+
+    /**
+     * @param _admin Admin address that can configure the faucet.
+     */
+    constructor(address _admin) {
+        ADMIN = _admin;
+    }
+
+    /**
+     * @notice Allows users to donate ETH to this contract.
+     */
+    receive() external payable {
+        // Thank you!
+    }
+
+    /**
+     * @notice Allows the admin to withdraw funds.
+     *
+     * @param _recipient Address to receive the funds.
+     * @param _amount    Amount of ETH in wei to withdraw.
+     */
+    function withdraw(address payable _recipient, uint256 _amount) public priviledged {
+        new SafeSend{ value: _amount }(_recipient);
+    }
+
+    /**
+     * @notice Allows the admin to configure an authentication module.
+     *
+     * @param _module Authentication module to configure.
+     * @param _config Configuration to set for the module.
+     */
+    function configure(IFaucetAuthModule _module, ModuleConfig memory _config) public priviledged {
+        modules[_module] = _config;
+    }
+
+    /**
+     * @notice Drips ETH to a recipient account.
+     *
+     * @param _params Drip parameters.
+     * @param _auth   Authentication parameters.
+     */
+    function drip(DripParameters memory _params, AuthParameters memory _auth) public {
+        // Grab the module config once.
+        ModuleConfig memory config = modules[_auth.module];
+
+        // Make sure we're using a supported security module.
+        require(config.enabled, "Faucet: provided auth module is not supported by this faucet");
+
+        // The issuer's signature commits to a nonce to prevent replay attacks.
+        // This checks that the nonce has not been used for this issuer before. The nonces are
+        // scoped to the issuer address, so the same nonce can be used by different issuers without
+        // clashing.
+        require(nonces[_auth.id][_params.nonce] == false, "Faucet: nonce has already been used");
+
+        // Make sure the timeout has elapsed.
+        require(
+            timeouts[_auth.module][_auth.id] < block.timestamp,
+            "Faucet: auth cannot be used yet because timeout has not elapsed"
+        );
+
+        // Verify the proof.
+        require(
+            _auth.module.verify(_params, _auth.id, _auth.proof),
+            "Faucet: drip parameters could not be verified by security module"
+        );
+
+        // Set the next timestamp at which this auth id can be used.
+        timeouts[_auth.module][_auth.id] = block.timestamp + config.ttl;
+
+        // Mark the nonce as used.
+        nonces[_auth.id][_params.nonce] = true;
+
+        // Execute a safe transfer of ETH to the recipient account.
+        new SafeSend{ value: config.amount }(_params.recipient);
+
+        emit Drip(config.name, _auth.id, config.amount, _params.recipient);
+    }
+}

packages/contracts-periphery/contracts/universal/faucet/authmodules/AdminFaucetAuthModule.sol

+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import { EIP712 } from "@openzeppelin/contracts/utils/cryptography/draft-EIP712.sol";
+import { SignatureChecker } from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";
+import { IFaucetAuthModule } from "./IFaucetAuthModule.sol";
+import { Faucet } from "../Faucet.sol";
+
+/**
+ * @title  AdminFaucetAuthModule
+ * @notice FaucetAuthModule that allows an admin to sign off on a given faucet drip. Takes an admin
+ *         as the constructor argument.
+ */
+contract AdminFaucetAuthModule is IFaucetAuthModule, EIP712 {
+    /**
+     * @notice Admin address that can sign off on drips.
+     */
+    address public immutable ADMIN;
+
+    /**
+     * @notice EIP712 typehash for the Proof type.
+     */
+    bytes32 public constant PROOF_TYPEHASH =
+        keccak256("Proof(address recipient,bytes32 nonce,bytes id)");
+
+    /**
+     * @notice Struct that represents a proof that verifies the admin.
+     *
+     * @custom:field recipient Address that will be receiving the faucet funds.
+     * @custom:field nonce     Pseudorandom nonce to prevent replay attacks.
+     * @custom:field id        id for the user requesting the faucet funds.
+     */
+    struct Proof {
+        address recipient;
+        bytes32 nonce;
+        bytes id;
+    }
+
+    /**
+     * @param _admin   Admin address that can sign off on drips.
+     * @param _name    Contract name.
+     * @param _version The current major version of the signing domain.
+     */
+    constructor(
+        address _admin,
+        string memory _name,
+        string memory _version
+    ) EIP712(_name, _version) {
+        ADMIN = _admin;
+    }
+
+    /**
+     * @inheritdoc IFaucetAuthModule
+     */
+    function verify(
+        Faucet.DripParameters memory _params,
+        bytes memory _id,
+        bytes memory _proof
+    ) external view returns (bool) {
+        // Generate a EIP712 typed data hash to compare against the proof.
+        return
+            SignatureChecker.isValidSignatureNow(
+                ADMIN,
+                _hashTypedDataV4(
+                    keccak256(abi.encode(PROOF_TYPEHASH, _params.recipient, _params.nonce, _id))
+                ),
+                _proof
+            );
+    }
+}

packages/contracts-periphery/contracts/universal/faucet/authmodules/IFaucetAuthModule.sol

+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import { Faucet } from "../Faucet.sol";
+
+/**
+ * @title  IFaucetAuthModule
+ * @notice Interface for faucet authentication modules.
+ */
+interface IFaucetAuthModule {
+    /**
+     * @notice Verifies that the given drip parameters are valid.
+     *
+     * @param _params Drip parameters to verify.
+     * @param _id     Authentication ID to verify.
+     * @param _proof  Authentication proof to verify.
+     */
+    function verify(
+        Faucet.DripParameters memory _params,
+        bytes memory _id,
+        bytes memory _proof
+    ) external view returns (bool);
+}

packages/fault-detector/src/service.ts

@@ -7,7 +7,14 @@ import {
   waitForProvider,
 } from '@eth-optimism/common-ts'
 import { getChainId, sleep, toRpcHexString } from '@eth-optimism/core-utils'
-import { CrossChainMessenger } from '@eth-optimism/sdk'
+import {
+  CONTRACT_ADDRESSES,
+  CrossChainMessenger,
+  DeepPartial,
+  getOEContract,
+  L2ChainID,
+  OEL1ContractsLike,
+} from '@eth-optimism/sdk'
 import { Provider } from '@ethersproject/abstract-provider'
 import { ethers, Transaction } from 'ethers'
 import dateformat from 'dateformat'
@@ -26,6 +33,8 @@ type Options = {
   l2RpcProvider: Provider
   startBatchIndex: number
   bedrock: boolean
+  optimismPortalAddress?: string
+  stateCommitmentChainAddress?: string
 }
 
 type Metrics = {
@@ -73,6 +82,18 @@ export class FaultDetector extends BaseServiceV2<Options, Metrics, State> {
           desc: 'Whether or not the service is running against a Bedrock chain',
           public: true,
         },
+        optimismPortalAddress: {
+          validator: validators.str,
+          default: ethers.constants.AddressZero,
+          desc: '[Bedrock] Deployed OptimismPortal contract address. Used to retrieve necessary info for ouput verification. **Required** for custom op chains',
+          public: true,
+        },
+        stateCommitmentChainAddress: {
+          validator: validators.str,
+          default: ethers.constants.AddressZero,
+          desc: '[Legacy] Deployed StateCommitmentChain contract address. Used to fetch necessary info for output verification. **Required** for custom op chains',
+          public: true,
+        },
       },
       metricsSpec: {
         highestBatchIndex: {
@@ -93,6 +114,74 @@ export class FaultDetector extends BaseServiceV2<Options, Metrics, State> {
     })
   }
 
+  /**
+   * Provides the required set of addresses used by the fault detector. For recognized op-chains, this
+   * will fallback to the pre-defined set of addresses from options, otherwise aborting if unset.
+   *
+   * Required Contracts
+   * - Bedrock: OptimismPortal (used to also fetch L2OutputOracle address variable). This is the preferred address
+   * since in early versions of bedrock, OptimismPortal holds the FINALIZATION_WINDOW variable instead of L2OutputOracle.
+   * The retrieved L2OutputOracle address from OptimismPortal is used to query for output roots.
+   * - Legacy: StateCommitmentChain to query for output roots.
+   *
+   * @param l2ChainId op chain id
+   * @returns DeepPartial<OEL1ContractsLike> addresses needed just for the fault detector
+   */
+  async getOEL1Contracts(
+    l2ChainId: number
+  ): Promise<DeepPartial<OEL1ContractsLike>> {
+    let contracts = {} as OEL1ContractsLike
+    const chainType = this.options.bedrock ? 'bedrock' : 'legacy'
+    this.logger.info(`Setting contracts for OP chain type: ${chainType}`)
+
+    const knownChainId = L2ChainID[l2ChainId] !== undefined
+    if (knownChainId) {
+      this.logger.info(`Recognized L2 chain id ${L2ChainID[l2ChainId]}`)
+
+      // fallback to the predefined defaults for this chain id
+      contracts = CONTRACT_ADDRESSES[l2ChainId].l1
+    }
+
+    this.logger.info('checking contract address options...')
+    if (this.options.bedrock) {
+      const address = this.options.optimismPortalAddress
+      if (!knownChainId && address === ethers.constants.AddressZero) {
+        this.logger.error('OptimismPortal contract unspecified')
+        throw new Error(
+          '--optimismportalcontractaddress needs to set for custom bedrock op chains'
+        )
+      }
+
+      if (address !== ethers.constants.AddressZero) {
+        this.logger.info('set OptimismPortal contract override')
+        contracts.OptimismPortal = address
+
+        this.logger.info('fetching L2OutputOracle contract from OptimismPortal')
+        const opts = { address, signerOrPovider: this.options.l1RpcProvider }
+        const portalContract = getOEContract('OptimismPortal', l2ChainId, opts)
+        contracts.L2OutputOracle = await portalContract.L2_ORACLE()
+      }
+
+      // ... for a known chain ids without an override, the L2OutputOracle will already
+      // be set via the hardcoded default
+    } else {
+      const address = this.options.stateCommitmentChainAddress
+      if (!knownChainId && address === ethers.constants.AddressZero) {
+        this.logger.error('StateCommitmentChain contract unspecified')
+        throw new Error(
+          '--statecommitmentchainaddress needs to set for custom legacy op chains'
+        )
+      }
+
+      if (address !== ethers.constants.AddressZero) {
+        this.logger.info('set StateCommitmentChain contract override')
+        contracts.StateCommitmentChain = address
+      }
+    }
+
+    return contracts
+  }
+
   async init(): Promise<void> {
     // Connect to L1.
     await waitForProvider(this.options.l1RpcProvider, {
@@ -106,12 +195,15 @@ export class FaultDetector extends BaseServiceV2<Options, Metrics, State> {
       name: 'L2',
     })
 
+    const l1ChainId = await getChainId(this.options.l1RpcProvider)
+    const l2ChainId = await getChainId(this.options.l2RpcProvider)
     this.state.messenger = new CrossChainMessenger({
       l1SignerOrProvider: this.options.l1RpcProvider,
       l2SignerOrProvider: this.options.l2RpcProvider,
-      l1ChainId: await getChainId(this.options.l1RpcProvider),
-      l2ChainId: await getChainId(this.options.l2RpcProvider),
+      l1ChainId,
+      l2ChainId,
       bedrock: this.options.bedrock,
+      contracts: { l1: await this.getOEL1Contracts(l2ChainId) },
     })
 
     // Not diverged by default.