Merge pull request #6913 from ethereum-optimism/fpvm-status

cannon,op-challenger,dispute-game: VM Status prefix byte in claim hash

Merge pull request #6913 from ethereum-optimism/fpvm-status
cannon,op-challenger,dispute-game: VM Status prefix byte in claim hash
db94109b · OptimismBot · GitHub · 302500e9 · 7feb2e1f · db94109b
Commit db94109b authored Sep 07, 2023 by OptimismBot Committed by GitHub Sep 07, 2023
32 changed files
--- a/cannon/cmd/run.go
+++ b/cannon/cmd/run.go
@@ -9,7 +9,6 @@ import (
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/log"
 	"github.com/urfave/cli/v2"
@@ -331,12 +330,18 @@ func Run(ctx *cli.Context) error {
 		}
 		if proofAt(state) {
-			preStateHash := crypto.Keccak256Hash(state.EncodeWitness())
+			preStateHash, err := state.EncodeWitness().StateHash()
+			if err != nil {
+				return fmt.Errorf("failed to hash prestate witness: %w", err)
+			}
 			witness, err := stepFn(true)
 			if err != nil {
 				return fmt.Errorf("failed at proof-gen step %d (PC: %08x): %w", step, state.PC, err)
 			}
-			postStateHash := crypto.Keccak256Hash(state.EncodeWitness())
+			postStateHash, err := state.EncodeWitness().StateHash()
+			if err != nil {
+				return fmt.Errorf("failed to hash poststate witness: %w", err)
+			}
 			proof := &Proof{
 				Step:      step,
 				Pre:       preStateHash,

--- a/cannon/cmd/witness.go
+++ b/cannon/cmd/witness.go
@@ -5,7 +5,6 @@ import (
 	"os"
 	"github.com/ethereum-optimism/optimism/cannon/mipsevm"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/urfave/cli/v2"
 )
@@ -31,7 +30,10 @@ func Witness(ctx *cli.Context) error {
 		return fmt.Errorf("invalid input state (%v): %w", input, err)
 	}
 	witness := state.EncodeWitness()
-	h := crypto.Keccak256Hash(witness)
+	h, err := witness.StateHash()
+	if err != nil {
+		return fmt.Errorf("failed to compute witness hash: %w", err)
+	}
 	if output != "" {
 		if err := os.WriteFile(output, witness, 0755); err != nil {
 			return fmt.Errorf("writing output to %v: %w", output, err)

--- a/cannon/mipsevm/evm_test.go
+++ b/cannon/mipsevm/evm_test.go
@@ -15,7 +15,6 @@ import (
 	"github.com/ethereum/go-ethereum/common/hexutil"
 	"github.com/ethereum/go-ethereum/core/state"
 	"github.com/ethereum/go-ethereum/core/vm"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/eth/tracers/logger"
 	"github.com/stretchr/testify/require"
@@ -92,7 +91,10 @@ func (m *MIPSEVM) Step(t *testing.T, stepWitness *StepWitness) []byte {
 	logs := m.evmState.Logs()
 	require.Equal(t, 1, len(logs), "expecting a log with post-state")
 	evmPost := logs[0].Data
-	require.Equal(t, crypto.Keccak256Hash(evmPost), postHash, "logged state must be accurate")
+	stateHash, err := StateWitness(evmPost).StateHash()
+	require.NoError(t, err, "state hash could not be computed")
+	require.Equal(t, stateHash, postHash, "logged state must be accurate")
 	m.env.StateDB.RevertToSnapshot(snap)
 	t.Logf("EVM step took %d gas, and returned stateHash %s", startingGas-leftOverGas, postHash)

--- a/cannon/mipsevm/state.go
+++ b/cannon/mipsevm/state.go
@@ -2,11 +2,16 @@ package mipsevm
 import (
 	"encoding/binary"
+	"fmt"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/ethereum/go-ethereum/crypto"
 )
+// StateWitnessSize is the size of the state witness encoding in bytes.
+var StateWitnessSize = 226
 type State struct {
 	Memory *Memory `json:"memory"`
@@ -37,7 +42,11 @@ type State struct {
 	LastHint hexutil.Bytes `json:"lastHint,omitempty"`
 }
-func (s *State) EncodeWitness() []byte {
+func (s *State) VMStatus() uint8 {
+	return vmStatus(s.Exited, s.ExitCode)
+}
+func (s *State) EncodeWitness() StateWitness {
 	out := make([]byte, 0)
 	memRoot := s.Memory.MerkleRoot()
 	out = append(out, memRoot[:]...)
@@ -60,3 +69,41 @@ func (s *State) EncodeWitness() []byte {
 	}
 	return out
 }
+type StateWitness []byte
+const (
+	VMStatusValid      = 0
+	VMStatusInvalid    = 1
+	VMStatusPanic      = 2
+	VMStatusUnfinished = 3
+)
+func (sw StateWitness) StateHash() (common.Hash, error) {
+	if len(sw) != 226 {
+		return common.Hash{}, fmt.Errorf("Invalid witness length. Got %d, expected at least 88", len(sw))
+	}
+	hash := crypto.Keccak256Hash(sw)
+	offset := 32*2 + 4*6
+	exitCode := sw[offset]
+	exited := sw[offset+1]
+	status := vmStatus(exited == 1, exitCode)
+	hash[0] = status
+	return hash, nil
+}
+func vmStatus(exited bool, exitCode uint8) uint8 {
+	if !exited {
+		return VMStatusUnfinished
+	}
+	switch exitCode {
+	case 0:
+		return VMStatusValid
+	case 1:
+		return VMStatusInvalid
+	default:
+		return VMStatusPanic
+	}
+}
--- a/cannon/mipsevm/state_test.go
+++ b/cannon/mipsevm/state_test.go
@@ -82,6 +82,53 @@ func TestState(t *testing.T) {
 	}
 }
+// Run through all permutations of `exited` / `exitCode` and ensure that the
+// correct witness, state hash, and VM Status is produced.
+func TestStateHash(t *testing.T) {
+	cases := []struct {
+		exited   bool
+		exitCode uint8
+	}{
+		{exited: false, exitCode: 0},
+		{exited: false, exitCode: 1},
+		{exited: false, exitCode: 2},
+		{exited: false, exitCode: 3},
+		{exited: true, exitCode: 0},
+		{exited: true, exitCode: 1},
+		{exited: true, exitCode: 2},
+		{exited: true, exitCode: 3},
+	}
+	exitedOffset := 32*2 + 4*6
+	for _, c := range cases {
+		state := &State{
+			Memory:   NewMemory(),
+			Exited:   c.exited,
+			ExitCode: c.exitCode,
+		}
+		actualWitness := state.EncodeWitness()
+		actualStateHash, err := StateWitness(actualWitness).StateHash()
+		require.NoError(t, err, "Error hashing witness")
+		require.Equal(t, len(actualWitness), StateWitnessSize, "Incorrect witness size")
+		expectedWitness := make(StateWitness, 226)
+		memRoot := state.Memory.MerkleRoot()
+		copy(expectedWitness[:32], memRoot[:])
+		expectedWitness[exitedOffset] = c.exitCode
+		var exited uint8
+		if c.exited {
+			exited = 1
+		}
+		expectedWitness[exitedOffset+1] = uint8(exited)
+		require.Equal(t, expectedWitness[:], actualWitness[:], "Incorrect witness")
+		expectedStateHash := crypto.Keccak256Hash(actualWitness)
+		expectedStateHash[0] = vmStatus(c.exited, c.exitCode)
+		require.Equal(t, expectedStateHash, actualStateHash, "Incorrect state hash")
+	}
+}
 func TestHello(t *testing.T) {
 	elfProgram, err := elf.Open("../example/bin/hello.elf")
 	require.NoError(t, err, "open ELF file")

--- a/op-bindings/bindings/alphabetvm.go
+++ b/op-bindings/bindings/alphabetvm.go
--- a/op-bindings/bindings/alphabetvm_more.go
+++ b/op-bindings/bindings/alphabetvm_more.go
@@ -13,7 +13,7 @@ const AlphabetVMStorageLayoutJSON = "{\"storage\":[{\"astId\":1000,\"contract\":
 var AlphabetVMStorageLayout = new(solc.StorageLayout)
-var AlphabetVMDeployedBin = "0x608060405234801561001057600080fd5b50600436106100365760003560e01c80637dc0d1d01461003b578063f8e0cb9614610085575b600080fd5b60005461005b9073ffffffffffffffffffffffffffffffffffffffff1681565b60405173ffffffffffffffffffffffffffffffffffffffff90911681526020015b60405180910390f35b6100986100933660046101a8565b6100a6565b60405190815260200161007c565b60008060007f000000000000000000000000000000000000000000000000000000000000000087876040516100dc929190610214565b60405180910390200361010057600091506100f986880188610224565b905061011f565b61010c8688018861023d565b90925090508161011b8161028e565b9250505b8161012b8260016102c6565b6040805160208101939093528201526060016040516020818303038152906040528051906020012092505050949350505050565b60008083601f84011261017157600080fd5b50813567ffffffffffffffff81111561018957600080fd5b6020830191508360208285010111156101a157600080fd5b9250929050565b600080600080604085870312156101be57600080fd5b843567ffffffffffffffff808211156101d657600080fd5b6101e28883890161015f565b909650945060208701359150808211156101fb57600080fd5b506102088782880161015f565b95989497509550505050565b8183823760009101908152919050565b60006020828403121561023657600080fd5b5035919050565b6000806040838503121561025057600080fd5b50508035926020909101359150565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052601160045260246000fd5b60007fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff82036102bf576102bf61025f565b5060010190565b600082198211156102d9576102d961025f565b50019056fea164736f6c634300080f000a"
+var AlphabetVMDeployedBin = "0x608060405234801561001057600080fd5b50600436106100365760003560e01c80637dc0d1d01461003b578063f8e0cb9614610085575b600080fd5b60005461005b9073ffffffffffffffffffffffffffffffffffffffff1681565b60405173ffffffffffffffffffffffffffffffffffffffff90911681526020015b60405180910390f35b610098610093366004610212565b6100a6565b60405190815260200161007c565b600080600060087f0000000000000000000000000000000000000000000000000000000000000000901b600888886040516100e292919061027e565b6040518091039020901b0361010857600091506101018688018861028e565b9050610127565b610114868801886102a7565b909250905081610123816102f8565b9250505b81610133826001610330565b604080516020810193909352820152606001604080517fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe081840301815291905280516020909101207effffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff167f010000000000000000000000000000000000000000000000000000000000000017979650505050505050565b60008083601f8401126101db57600080fd5b50813567ffffffffffffffff8111156101f357600080fd5b60208301915083602082850101111561020b57600080fd5b9250929050565b6000806000806040858703121561022857600080fd5b843567ffffffffffffffff8082111561024057600080fd5b61024c888389016101c9565b9096509450602087013591508082111561026557600080fd5b50610272878288016101c9565b95989497509550505050565b8183823760009101908152919050565b6000602082840312156102a057600080fd5b5035919050565b600080604083850312156102ba57600080fd5b50508035926020909101359150565b7f4e487b7100000000000000000000000000000000000000000000000000000000600052601160045260246000fd5b60007fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8203610329576103296102c9565b5060010190565b60008219821115610343576103436102c9565b50019056fea164736f6c634300080f000a"
 func init() {
 	if err := json.Unmarshal([]byte(AlphabetVMStorageLayoutJSON), AlphabetVMStorageLayout); err != nil {

--- a/op-bindings/bindings/faultdisputegame.go
+++ b/op-bindings/bindings/faultdisputegame.go
--- a/op-bindings/bindings/faultdisputegame_more.go
+++ b/op-bindings/bindings/faultdisputegame_more.go
--- a/op-bindings/bindings/mips.go
+++ b/op-bindings/bindings/mips.go
--- a/op-bindings/bindings/mips_more.go
+++ b/op-bindings/bindings/mips_more.go
--- a/op-challenger/game/fault/loader.go
+++ b/op-challenger/game/fault/loader.go
@@ -139,16 +139,15 @@ func (l *loader) FetchClaims(ctx context.Context) ([]types.Claim, error) {
 }
 // FetchAbsolutePrestateHash fetches the hashed absolute prestate from the fault dispute game.
-func (l *loader) FetchAbsolutePrestateHash(ctx context.Context) ([]byte, error) {
+func (l *loader) FetchAbsolutePrestateHash(ctx context.Context) (common.Hash, error) {
 	callOpts := bind.CallOpts{
 		Context: ctx,
 	}
 	absolutePrestate, err := l.caller.ABSOLUTEPRESTATE(&callOpts)
 	if err != nil {
-		return nil, err
+		return common.Hash{}, err
 	}
-	returnValue := absolutePrestate[:]
-	return returnValue, nil
+	return absolutePrestate, nil
 }
--- a/op-challenger/game/fault/player.go
+++ b/op-challenger/game/fault/player.go
@@ -16,7 +16,6 @@ import (
 	"github.com/ethereum-optimism/optimism/op-service/txmgr"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/log"
 )
@@ -159,22 +158,21 @@ func (g *GamePlayer) logGameStatus(ctx context.Context, status gameTypes.GameSta
 }
 type PrestateLoader interface {
-	FetchAbsolutePrestateHash(ctx context.Context) ([]byte, error)
+	FetchAbsolutePrestateHash(ctx context.Context) (common.Hash, error)
 }
 // ValidateAbsolutePrestate validates the absolute prestate of the fault game.
 func ValidateAbsolutePrestate(ctx context.Context, trace types.TraceProvider, loader PrestateLoader) error {
-	providerPrestate, err := trace.AbsolutePreState(ctx)
+	providerPrestateHash, err := trace.AbsolutePreStateCommitment(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get the trace provider's absolute prestate: %w", err)
 	}
-	providerPrestateHash := crypto.Keccak256(providerPrestate)
 	onchainPrestate, err := loader.FetchAbsolutePrestateHash(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get the onchain absolute prestate: %w", err)
 	}
-	if !bytes.Equal(providerPrestateHash, onchainPrestate) {
+	if !bytes.Equal(providerPrestateHash[:], onchainPrestate[:]) {
-		return fmt.Errorf("trace provider's absolute prestate does not match onchain absolute prestate")
+		return fmt.Errorf("trace provider's absolute prestate does not match onchain absolute prestate: Provider: %s | Chain %s", providerPrestateHash.Hex(), onchainPrestate.Hex())
 	}
 	return nil
 }
--- a/op-challenger/game/fault/player_test.go
+++ b/op-challenger/game/fault/player_test.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"testing"
+	"github.com/ethereum-optimism/optimism/cannon/mipsevm"
 	"github.com/ethereum-optimism/optimism/op-challenger/game/fault/types"
 	gameTypes "github.com/ethereum-optimism/optimism/op-challenger/game/types"
 	"github.com/ethereum-optimism/optimism/op-node/testlog"
@@ -120,8 +121,9 @@ func TestValidateAbsolutePrestate(t *testing.T) {
 	t.Run("ValidPrestates", func(t *testing.T) {
 		prestate := []byte{0x00, 0x01, 0x02, 0x03}
 		prestateHash := crypto.Keccak256(prestate)
+		prestateHash[0] = mipsevm.VMStatusUnfinished
 		mockTraceProvider := newMockTraceProvider(false, prestate)
-		mockLoader := newMockPrestateLoader(false, prestateHash)
+		mockLoader := newMockPrestateLoader(false, common.BytesToHash(prestateHash))
 		err := ValidateAbsolutePrestate(context.Background(), mockTraceProvider, mockLoader)
 		require.NoError(t, err)
 	})
@@ -129,7 +131,7 @@ func TestValidateAbsolutePrestate(t *testing.T) {
 	t.Run("TraceProviderErrors", func(t *testing.T) {
 		prestate := []byte{0x00, 0x01, 0x02, 0x03}
 		mockTraceProvider := newMockTraceProvider(true, prestate)
-		mockLoader := newMockPrestateLoader(false, prestate)
+		mockLoader := newMockPrestateLoader(false, common.BytesToHash(prestate))
 		err := ValidateAbsolutePrestate(context.Background(), mockTraceProvider, mockLoader)
 		require.ErrorIs(t, err, mockTraceProviderError)
 	})
@@ -137,14 +139,14 @@ func TestValidateAbsolutePrestate(t *testing.T) {
 	t.Run("LoaderErrors", func(t *testing.T) {
 		prestate := []byte{0x00, 0x01, 0x02, 0x03}
 		mockTraceProvider := newMockTraceProvider(false, prestate)
-		mockLoader := newMockPrestateLoader(true, prestate)
+		mockLoader := newMockPrestateLoader(true, common.BytesToHash(prestate))
 		err := ValidateAbsolutePrestate(context.Background(), mockTraceProvider, mockLoader)
 		require.ErrorIs(t, err, mockLoaderError)
 	})
 	t.Run("PrestateMismatch", func(t *testing.T) {
 		mockTraceProvider := newMockTraceProvider(false, []byte{0x00, 0x01, 0x02, 0x03})
-		mockLoader := newMockPrestateLoader(false, []byte{0x00})
+		mockLoader := newMockPrestateLoader(false, common.BytesToHash([]byte{0x00}))
 		err := ValidateAbsolutePrestate(context.Background(), mockTraceProvider, mockLoader)
 		require.Error(t, err)
 	})
@@ -210,21 +212,31 @@ func (m *mockTraceProvider) AbsolutePreState(ctx context.Context) ([]byte, error
 	}
 	return m.prestate, nil
 }
+func (m *mockTraceProvider) AbsolutePreStateCommitment(ctx context.Context) (common.Hash, error) {
+	prestate, err := m.AbsolutePreState(ctx)
+	if err != nil {
+		return common.Hash{}, err
+	}
+	hash := common.BytesToHash(crypto.Keccak256(prestate))
+	hash[0] = mipsevm.VMStatusUnfinished
+	return hash, nil
+}
 type mockLoader struct {
 	prestateError bool
-	prestate      []byte
+	prestate      common.Hash
 }
-func newMockPrestateLoader(prestateError bool, prestate []byte) *mockLoader {
+func newMockPrestateLoader(prestateError bool, prestate common.Hash) *mockLoader {
 	return &mockLoader{
 		prestateError: prestateError,
 		prestate:      prestate,
 	}
 }
-func (m *mockLoader) FetchAbsolutePrestateHash(ctx context.Context) ([]byte, error) {
+func (m *mockLoader) FetchAbsolutePrestateHash(ctx context.Context) (common.Hash, error) {
 	if m.prestateError {
-		return nil, mockLoaderError
+		return common.Hash{}, mockLoaderError
 	}
 	return m.prestate, nil
 }
--- a/op-challenger/game/fault/solver/solver.go
+++ b/op-challenger/game/fault/solver/solver.go
 package solver
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -132,7 +133,7 @@ func (s *Solver) defend(ctx context.Context, claim types.Claim) (*types.Claim, e
 // agreeWithClaim returns true if the claim is correct according to the internal [TraceProvider].
 func (s *Solver) agreeWithClaim(ctx context.Context, claim types.ClaimData) (bool, error) {
 	ourValue, err := s.traceAtPosition(ctx, claim.Position)
-	return ourValue == claim.Value, err
+	return bytes.Equal(ourValue[:], claim.Value[:]), err
 }
 // traceAtPosition returns the [common.Hash] from internal [TraceProvider] at the given [Position].

--- a/op-challenger/game/fault/trace/alphabet/provider.go
+++ b/op-challenger/game/fault/trace/alphabet/provider.go
@@ -6,6 +6,7 @@ import (
 	"math/big"
 	"strings"
+	"github.com/ethereum-optimism/optimism/cannon/mipsevm"
 	"github.com/ethereum-optimism/optimism/op-challenger/game/fault/types"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
@@ -58,7 +59,7 @@ func (ap *AlphabetTraceProvider) Get(ctx context.Context, i uint64) (common.Hash
 	if err != nil {
 		return common.Hash{}, err
 	}
-	return crypto.Keccak256Hash(claimBytes), nil
+	return alphabetStateHash(claimBytes), nil
 }
 // AbsolutePreState returns the absolute pre-state for the alphabet trace.
@@ -66,11 +67,27 @@ func (ap *AlphabetTraceProvider) AbsolutePreState(ctx context.Context) ([]byte,
 	return common.Hex2Bytes("0000000000000000000000000000000000000000000000000000000000000060"), nil
 }
+func (ap *AlphabetTraceProvider) AbsolutePreStateCommitment(ctx context.Context) (common.Hash, error) {
+	prestate, err := ap.AbsolutePreState(ctx)
+	if err != nil {
+		return common.Hash{}, err
+	}
+	hash := common.BytesToHash(crypto.Keccak256(prestate))
+	hash[0] = mipsevm.VMStatusUnfinished
+	return hash, nil
+}
 // BuildAlphabetPreimage constructs the claim bytes for the index and state item.
 func BuildAlphabetPreimage(i uint64, letter string) []byte {
 	return append(IndexToBytes(i), LetterToBytes(letter)...)
 }
+func alphabetStateHash(state []byte) common.Hash {
+	h := crypto.Keccak256Hash(state)
+	h[0] = mipsevm.VMStatusInvalid
+	return h
+}
 // IndexToBytes converts an index to a byte slice big endian
 func IndexToBytes(i uint64) []byte {
 	big := new(big.Int)

--- a/op-challenger/game/fault/trace/alphabet/provider_test.go
+++ b/op-challenger/game/fault/trace/alphabet/provider_test.go
@@ -6,12 +6,11 @@ import (
 	"testing"
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/stretchr/testify/require"
 )
 func alphabetClaim(index uint64, letter string) common.Hash {
-	return crypto.Keccak256Hash(BuildAlphabetPreimage(index, letter))
+	return alphabetStateHash(BuildAlphabetPreimage(index, letter))
 }
 // TestAlphabetProvider_Get_ClaimsByTraceIndex tests the [fault.AlphabetProvider] Get function.
@@ -60,7 +59,7 @@ func FuzzIndexToBytes(f *testing.F) {
 // returns the correct pre-image for a index.
 func TestGetStepData_Succeeds(t *testing.T) {
 	ap := NewTraceProvider("abc", 2)
-	expected := BuildAlphabetPreimage(0, "a'")
+	expected := BuildAlphabetPreimage(0, "a")
 	retrieved, proof, data, err := ap.GetStepData(context.Background(), uint64(1))
 	require.NoError(t, err)
 	require.Equal(t, expected, retrieved)

--- a/op-challenger/game/fault/trace/cannon/provider.go
+++ b/op-challenger/game/fault/trace/cannon/provider.go
@@ -15,9 +15,10 @@ import (
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/ethclient"
 	"github.com/ethereum/go-ethereum/log"
+	"github.com/ethereum-optimism/optimism/cannon/mipsevm"
 )
 const (
@@ -25,7 +26,7 @@ const (
 )
 type proofData struct {
-	ClaimValue   hexutil.Bytes `json:"post"`
+	ClaimValue   common.Hash   `json:"post"`
 	StateData    hexutil.Bytes `json:"state-data"`
 	ProofData    hexutil.Bytes `json:"proof-data"`
 	OracleKey    hexutil.Bytes `json:"oracle-key,omitempty"`
@@ -86,7 +87,7 @@ func (p *CannonTraceProvider) Get(ctx context.Context, i uint64) (common.Hash, e
 	if err != nil {
 		return common.Hash{}, err
 	}
-	value := common.BytesToHash(proof.ClaimValue)
+	value := proof.ClaimValue
 	if value == (common.Hash{}) {
 		return common.Hash{}, errors.New("proof missing post hash")
@@ -122,6 +123,18 @@ func (p *CannonTraceProvider) AbsolutePreState(ctx context.Context) ([]byte, err
 	return state.EncodeWitness(), nil
 }
+func (p *CannonTraceProvider) AbsolutePreStateCommitment(ctx context.Context) (common.Hash, error) {
+	state, err := p.AbsolutePreState(ctx)
+	if err != nil {
+		return common.Hash{}, fmt.Errorf("cannot load absolute pre-state: %w", err)
+	}
+	hash, err := mipsevm.StateWitness(state).StateHash()
+	if err != nil {
+		return common.Hash{}, fmt.Errorf("cannot hash absolute pre-state: %w", err)
+	}
+	return hash, nil
+}
 // loadProof will attempt to load or generate the proof data at the specified index
 // If the requested index is beyond the end of the actual trace it is extended with no-op instructions.
 func (p *CannonTraceProvider) loadProof(ctx context.Context, i uint64) (*proofData, error) {
@@ -151,9 +164,13 @@ func (p *CannonTraceProvider) loadProof(ctx context.Context, i uint64) (*proofDa
 				// Extend the trace out to the full length using a no-op instruction that doesn't change any state
 				// No execution is done, so no proof-data or oracle values are required.
 				witness := state.EncodeWitness()
+				witnessHash, err := mipsevm.StateWitness(witness).StateHash()
+				if err != nil {
+					return nil, fmt.Errorf("cannot hash witness: %w", err)
+				}
 				proof := &proofData{
-					ClaimValue:   crypto.Keccak256(witness),
+					ClaimValue:   witnessHash,
-					StateData:    witness,
+					StateData:    hexutil.Bytes(witness),
 					ProofData:    []byte{},
 					OracleKey:    nil,
 					OracleValue:  nil,

--- a/op-challenger/game/fault/trace/cannon/provider_test.go
+++ b/op-challenger/game/fault/trace/cannon/provider_test.go
@@ -15,7 +15,6 @@ import (
 	"github.com/ethereum-optimism/optimism/op-node/testlog"
 	"github.com/ethereum-optimism/optimism/op-service/ioutil"
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/ethereum/go-ethereum/log"
 	"github.com/stretchr/testify/require"
 )
@@ -43,7 +42,9 @@ func TestGet(t *testing.T) {
 		value, err := provider.Get(context.Background(), 7000)
 		require.NoError(t, err)
 		require.Contains(t, generator.generated, 7000, "should have tried to generate the proof")
-		require.Equal(t, crypto.Keccak256Hash(generator.finalState.EncodeWitness()), value)
+		stateHash, err := generator.finalState.EncodeWitness().StateHash()
+		require.NoError(t, err)
+		require.Equal(t, stateHash, value)
 	})
 	t.Run("MissingPostHash", func(t *testing.T) {
@@ -86,7 +87,7 @@ func TestGetStepData(t *testing.T) {
 			Exited: true,
 		}
 		generator.proof = &proofData{
-			ClaimValue:   common.Hash{0xaa}.Bytes(),
+			ClaimValue:   common.Hash{0xaa},
 			StateData:    []byte{0xbb},
 			ProofData:    []byte{0xcc},
 			OracleKey:    common.Hash{0xdd}.Bytes(),
@@ -111,7 +112,7 @@ func TestGetStepData(t *testing.T) {
 			Exited: true,
 		}
 		generator.proof = &proofData{
-			ClaimValue:   common.Hash{0xaa}.Bytes(),
+			ClaimValue:   common.Hash{0xaa},
 			StateData:    []byte{0xbb},
 			ProofData:    []byte{0xcc},
 			OracleKey:    common.Hash{0xdd}.Bytes(),
@@ -185,7 +186,7 @@ func TestAbsolutePreState(t *testing.T) {
 			Step:           0,
 			Registers:      [32]uint32{},
 		}
-		require.Equal(t, state.EncodeWitness(), preState)
+		require.Equal(t, []byte(state.EncodeWitness()), preState)
 	})
 }

--- a/op-challenger/game/fault/types/types.go
+++ b/op-challenger/game/fault/types/types.go
@@ -74,6 +74,9 @@ type TraceProvider interface {
 	// AbsolutePreState is the pre-image value of the trace that transitions to the trace value at index 0
 	AbsolutePreState(ctx context.Context) (preimage []byte, err error)
+	// AbsolutePreStateCommitment is the commitment of the pre-image value of the trace that transitions to the trace value at index 0
+	AbsolutePreStateCommitment(ctx context.Context) (hash common.Hash, err error)
 }
 // ClaimData is the core of a claim. It must be unique inside a specific game.

--- a/op-e2e/faultproof_test.go
+++ b/op-e2e/faultproof_test.go
@@ -65,8 +65,8 @@ func TestMultipleCannonGames(t *testing.T) {
 		challenger.WithAgreeProposedOutput(true),
 	)
-	game1 := gameFactory.StartCannonGame(ctx, common.Hash{0xaa})
+	game1 := gameFactory.StartCannonGame(ctx, common.Hash{0x01, 0xaa})
-	game2 := gameFactory.StartCannonGame(ctx, common.Hash{0xbb})
+	game2 := gameFactory.StartCannonGame(ctx, common.Hash{0x01, 0xbb})
 	game1.WaitForClaimCount(ctx, 2)
 	game2.WaitForClaimCount(ctx, 2)
@@ -261,7 +261,7 @@ func TestCannonDisputeGame(t *testing.T) {
 			t.Cleanup(sys.Close)
 			disputeGameFactory := disputegame.NewFactoryHelper(t, ctx, sys.cfg.L1Deployments, l1Client)
-			game := disputeGameFactory.StartCannonGame(ctx, common.Hash{0xaa})
+			game := disputeGameFactory.StartCannonGame(ctx, common.Hash{0x01, 0xaa})
 			require.NotNil(t, game)
 			game.LogGameData(ctx)
@@ -310,7 +310,7 @@ func TestCannonDefendStep(t *testing.T) {
 	t.Cleanup(sys.Close)
 	disputeGameFactory := disputegame.NewFactoryHelper(t, ctx, sys.cfg.L1Deployments, l1Client)
-	game := disputeGameFactory.StartCannonGame(ctx, common.Hash{0xaa})
+	game := disputeGameFactory.StartCannonGame(ctx, common.Hash{0x01, 0xaa})
 	require.NotNil(t, game)
 	game.LogGameData(ctx)

--- a/packages/contracts-bedrock/.gas-snapshot
+++ b/packages/contracts-bedrock/.gas-snapshot
--- a/packages/contracts-bedrock/deploy-config/devnetL1.json
+++ b/packages/contracts-bedrock/deploy-config/devnetL1.json
@@ -43,7 +43,7 @@
  "eip1559Elasticity": 6,
  "l1GenesisBlockTimestamp": "0x64c811bf",
  "l2GenesisRegolithTimeOffset": "0x0",
-  "faultGameAbsolutePrestate": "0x41c7ae758795765c6664a5d39bf63841c71ff191e9189522bad8ebff5d4eca98",
+  "faultGameAbsolutePrestate": "0x03c7ae758795765c6664a5d39bf63841c71ff191e9189522bad8ebff5d4eca98",
  "faultGameMaxDepth": 30,
  "faultGameMaxDuration": 1200,
  "systemConfigStartBlock": 0

--- a/packages/contracts-bedrock/semver-lock.json
+++ b/packages/contracts-bedrock/semver-lock.json
@@ -16,7 +16,7 @@
  "src/L2/L2StandardBridge.sol": "0xe025dcccbf21d48828ecf588941c9ba04c91b87bdd177a653d3f1b265b0b02a8",
  "src/L2/L2ToL1MessagePasser.sol": "0xda56ba2e5b2c28fa8ca2df24077d49e96155a00ecc99cd0778d681be6ed166fe",
  "src/L2/SequencerFeeVault.sol": "0x37816035c992d38cf7e3d5a1846b02d017dd7bdca46abe6e5c5171b9ee6225ab",
-  "src/dispute/FaultDisputeGame.sol": "0x72c917e8513d17f274753a391bdbddc1f4daeca1a392f79492df29a1107c3525",
+  "src/dispute/FaultDisputeGame.sol": "0x7b8462c29d003e96a73491c644001e1a9034bcc45c5be2a7bac3caf80d521635",
  "src/legacy/DeployerWhitelist.sol": "0xf2129ec3da75307ba8e21bc943c332bb04704642e6e263149b5c8ee92dbcb7a8",
  "src/legacy/L1BlockNumber.sol": "0x30aae1fc85103476af0226b6e98c71c01feebbdc35d93401390b1ad438a37be6",
  "src/legacy/LegacyMessagePasser.sol": "0x5c08b0a663cc49d30e4e38540f6aefab19ef287c3ecd31c8d8c3decd5f5bd497",

--- a/packages/contracts-bedrock/src/cannon/MIPS.sol
+++ b/packages/contracts-bedrock/src/cannon/MIPS.sol
@@ -103,7 +103,9 @@ contract MIPS {
            from, to := copyMem(from, to, 4) // lo
            from, to := copyMem(from, to, 4) // hi
            from, to := copyMem(from, to, 4) // heap
+            let exitCode := mload(from)
            from, to := copyMem(from, to, 1) // exitCode
+            let exited := mload(from)
            from, to := copyMem(from, to, 1) // exited
            from, to := copyMem(from, to, 8) // step
            from := add(from, 32) // offset to registers
@@ -117,8 +119,24 @@ contract MIPS {
            // Log the resulting MIPS state, for debugging
            log0(start, sub(to, start))
-            // Compute the hash of the resulting MIPS state
+            // Determine the VM status
+            let status := 0
+            switch exited
+            case 1 {
+                switch exitCode
+                // VMStatusValid
+                case 0 { status := 0 }
+                // VMStatusInvalid
+                case 1 { status := 1 }
+                // VMStatusPanic
+                default { status := 2 }
+            }
+            // VMStatusUnfinished
+            default { status := 3 }
+            // Compute the hash of the resulting MIPS state and set the status byte
            out_ := keccak256(start, sub(to, start))
+            out_ := or(and(not(shl(248, 0xFF)), out_), shl(248, status))
        }
    }

--- a/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol
+++ b/packages/contracts-bedrock/src/dispute/FaultDisputeGame.sol
@@ -85,7 +85,7 @@ contract FaultDisputeGame is IFaultDisputeGame, Clone, Semver {
    /// @param _blockOracle The block oracle, used for loading block hashes further back
    ///                     than the `BLOCKHASH` opcode allows as well as their estimated
    ///                     timestamps.
-    /// @custom:semver 0.0.7
+    /// @custom:semver 0.0.9
    constructor(
        GameType _gameType,
        Claim _absolutePrestate,
@@ -95,7 +95,7 @@ contract FaultDisputeGame is IFaultDisputeGame, Clone, Semver {
        L2OutputOracle _l2oo,
        BlockOracle _blockOracle
    )
-        Semver(0, 0, 8)
+        Semver(0, 0, 9)
    {
        GAME_TYPE = _gameType;
        ABSOLUTE_PRESTATE = _absolutePrestate;
@@ -149,7 +149,11 @@ contract FaultDisputeGame is IFaultDisputeGame, Clone, Semver {
        // INVARIANT: The prestate is always invalid if the passed `_stateData` is not the
        //            preimage of the prestate claim hash.
-        if (keccak256(_stateData) != Claim.unwrap(preStateClaim)) revert InvalidPrestate();
+        //            We ignore the highest order byte of the digest because it is used to
+        //            indicate the VM Status and is added after the digest is computed.
+        if (keccak256(_stateData) << 8 != Claim.unwrap(preStateClaim) << 8) {
+            revert InvalidPrestate();
+        }
        // INVARIANT: If a step is an attack, the poststate is valid if the step produces
        //            the same poststate hash as the parent claim's value.
@@ -434,9 +438,18 @@ contract FaultDisputeGame is IFaultDisputeGame, Clone, Semver {
    function initialize() external {
        // SAFETY: Any revert in this function will bubble up to the DisputeGameFactory and
        // prevent the game from being created.
+        //
        // Implicit assumptions:
        // - The `gameStatus` state variable defaults to 0, which is `GameStatus.IN_PROGRESS`
+        // The VMStatus must indicate (1) 'invalid', to argue that disputed thing is invalid.
+        // Games that agree with the existing outcome are not allowed.
+        // NOTE(clabby): This assumption will change in Alpha Chad.
+        uint8 vmStatus = uint8(Claim.unwrap(rootClaim())[0]);
+        if (!(vmStatus == VMStatus.unwrap(VMStatuses.INVALID) || vmStatus == VMStatus.unwrap(VMStatuses.PANIC))) {
+            revert UnexpectedRootClaim(rootClaim());
+        }
        // Set the game's starting timestamp
        createdAt = Timestamp.wrap(uint64(block.timestamp));

--- a/packages/contracts-bedrock/src/libraries/DisputeErrors.sol
+++ b/packages/contracts-bedrock/src/libraries/DisputeErrors.sol
@@ -15,6 +15,11 @@ error NoImplementation(GameType gameType);
 /// @param uuid The UUID of the dispute game that already exists.
 error GameAlreadyExists(Hash uuid);
+/// @notice Thrown when the root claim has an unexpected VM status.
+///         Some games can only start with a root-claim with a specific status.
+/// @param rootClaim is the claim that was unexpected.
+error UnexpectedRootClaim(Claim rootClaim);
 ////////////////////////////////////////////////////////////////
 //                 `FaultDisputeGame` Errors                  //
 ////////////////////////////////////////////////////////////////

--- a/packages/contracts-bedrock/src/libraries/DisputeTypes.sol
+++ b/packages/contracts-bedrock/src/libraries/DisputeTypes.sol
@@ -62,6 +62,9 @@ type Position is uint128;
 /// @notice A `GameType` represents the type of game being played.
 type GameType is uint8;
+/// @notice A `VMStatus` represents the status of a VM execution.
+type VMStatus is uint8;
 /// @notice The current status of the dispute game.
 enum GameStatus
 // The game is currently in progress, and has not been resolved.
@@ -85,3 +88,18 @@ library GameTypes {
    /// @dev The game will use a `IDisputeGame` implementation that utilizes attestation proofs.
    GameType internal constant ATTESTATION = GameType.wrap(2);
 }
+/// @title VMStatuses
+library VMStatuses {
+    /// @dev The VM has executed successfully and the outcome is valid.
+    VMStatus internal constant VALID = VMStatus.wrap(0);
+    /// @dev The VM has executed successfully and the outcome is invalid.
+    VMStatus internal constant INVALID = VMStatus.wrap(1);
+    /// @dev The VM has paniced.
+    VMStatus internal constant PANIC = VMStatus.wrap(2);
+    /// @dev The VM execution is still in progress.
+    VMStatus internal constant UNFINISHED = VMStatus.wrap(3);
+}
--- a/packages/contracts-bedrock/test/DisputeGameFactory.t.sol
+++ b/packages/contracts-bedrock/test/DisputeGameFactory.t.sol
@@ -41,6 +41,8 @@ contract DisputeGameFactory_Create_Test is DisputeGameFactory_Init {
    function testFuzz_create_succeeds(uint8 gameType, Claim rootClaim, bytes calldata extraData) public {
        // Ensure that the `gameType` is within the bounds of the `GameType` enum's possible values.
        GameType gt = GameType.wrap(uint8(bound(gameType, 0, 2)));
+        // Ensure the rootClaim has a VMStatus that disagrees with the validity.
+        rootClaim = changeClaimStatus(rootClaim, VMStatuses.INVALID);
        // Set all three implementations to the same `FakeClone` contract.
        for (uint8 i; i < 3; i++) {
@@ -68,6 +70,8 @@ contract DisputeGameFactory_Create_Test is DisputeGameFactory_Init {
    function testFuzz_create_noImpl_reverts(uint8 gameType, Claim rootClaim, bytes calldata extraData) public {
        // Ensure that the `gameType` is within the bounds of the `GameType` enum's possible values.
        GameType gt = GameType.wrap(uint8(bound(gameType, 0, 2)));
+        // Ensure the rootClaim has a VMStatus that disagrees with the validity.
+        rootClaim = changeClaimStatus(rootClaim, VMStatuses.INVALID);
        vm.expectRevert(abi.encodeWithSelector(NoImplementation.selector, gt));
        factory.create(gt, rootClaim, extraData);
@@ -77,6 +81,8 @@ contract DisputeGameFactory_Create_Test is DisputeGameFactory_Init {
    function testFuzz_create_sameUUID_reverts(uint8 gameType, Claim rootClaim, bytes calldata extraData) public {
        // Ensure that the `gameType` is within the bounds of the `GameType` enum's possible values.
        GameType gt = GameType.wrap(uint8(bound(gameType, 0, 2)));
+        // Ensure the rootClaim has a VMStatus that disagrees with the validity.
+        rootClaim = changeClaimStatus(rootClaim, VMStatuses.INVALID);
        // Set all three implementations to the same `FakeClone` contract.
        for (uint8 i; i < 3; i++) {
@@ -99,6 +105,12 @@ contract DisputeGameFactory_Create_Test is DisputeGameFactory_Init {
        );
        factory.create(gt, rootClaim, extraData);
    }
+    function changeClaimStatus(Claim _claim, VMStatus _status) public pure returns (Claim out_) {
+        assembly {
+            out_ := or(and(not(shl(248, 0xFF)), _claim), shl(248, _status))
+        }
+    }
 }
 contract DisputeGameFactory_SetImplementation_Test is DisputeGameFactory_Init {

--- a/packages/contracts-bedrock/test/FaultDisputeGame.t.sol
+++ b/packages/contracts-bedrock/test/FaultDisputeGame.t.sol
@@ -77,9 +77,9 @@ contract FaultDisputeGame_Init is DisputeGameFactory_Init {
 contract FaultDisputeGame_Test is FaultDisputeGame_Init {
    /// @dev The root claim of the game.
-    Claim internal constant ROOT_CLAIM = Claim.wrap(bytes32(uint256(10)));
+    Claim internal constant ROOT_CLAIM = Claim.wrap(bytes32((uint256(1) << 248) | uint256(10)));
    /// @dev The absolute prestate of the trace.
-    Claim internal constant ABSOLUTE_PRESTATE = Claim.wrap(bytes32(uint256(0)));
+    Claim internal constant ABSOLUTE_PRESTATE = Claim.wrap(bytes32((uint256(3) << 248) | uint256(0)));
    function setUp() public override {
        super.init(ROOT_CLAIM, ABSOLUTE_PRESTATE);
@@ -143,6 +143,17 @@ contract FaultDisputeGame_Test is FaultDisputeGame_Init {
        factory.create(GAME_TYPE, ROOT_CLAIM, abi.encode(1800, block.number - 1));
    }
+    /// @dev Tests that the `create` function reverts when the rootClaim does not disagree with the outcome.
+    function testFuzz_initialize_badRootStatus_reverts(Claim rootClaim, bytes calldata extraData) public {
+        // Ensure that the `gameType` is within the bounds of the `GameType` enum's possible values.
+        // Ensure the root claim does not have the correct VM status
+        uint8 vmStatus = uint8(Claim.unwrap(rootClaim)[0]);
+        if (vmStatus == 1 || vmStatus == 2) rootClaim = changeClaimStatus(rootClaim, VMStatuses.VALID);
+        vm.expectRevert(abi.encodeWithSelector(UnexpectedRootClaim.selector, rootClaim));
+        factory.create(GameTypes.FAULT, rootClaim, extraData);
+    }
    /// @dev Tests that the game is initialized with the correct data.
    function test_initialize_correctData_succeeds() public {
        // Starting
@@ -449,6 +460,12 @@ contract FaultDisputeGame_Test is FaultDisputeGame_Init {
        bytes32 h = keccak256(abi.encode(_ident | (1 << 248), address(gameProxy)));
        return bytes32((uint256(h) & ~uint256(0xFF << 248)) | (1 << 248));
    }
+    function changeClaimStatus(Claim _claim, VMStatus _status) public pure returns (Claim out_) {
+        assembly {
+            out_ := or(and(not(shl(248, 0xFF)), _claim), shl(248, _status))
+        }
+    }
 }
 /// @notice A generic game player actor with a configurable trace.
@@ -593,9 +610,11 @@ contract GamePlayer {
    /// @notice Returns the player's claim that commits to a given trace index.
    function claimAt(uint256 _traceIndex) public view returns (Claim claim_) {
-        return Claim.wrap(
+        bytes32 hash =
-            keccak256(abi.encode(_traceIndex >= trace.length ? trace.length - 1 : _traceIndex, traceAt(_traceIndex)))
+            keccak256(abi.encode(_traceIndex >= trace.length ? trace.length - 1 : _traceIndex, traceAt(_traceIndex)));
-        );
+        assembly {
+            claim_ := or(and(hash, not(shl(248, 0xFF))), shl(248, 1))
+        }
    }
    /// @notice Returns the player's claim that commits to a given trace index.
@@ -608,14 +627,15 @@ contract OneVsOne_Arena is FaultDisputeGame_Init {
    /// @dev The absolute prestate of the trace.
    bytes ABSOLUTE_PRESTATE = abi.encode(15);
    /// @dev The absolute prestate claim.
-    Claim internal constant ABSOLUTE_PRESTATE_CLAIM = Claim.wrap(keccak256(abi.encode(15)));
+    Claim internal constant ABSOLUTE_PRESTATE_CLAIM =
+        Claim.wrap(bytes32((uint256(3) << 248) | (~uint256(0xFF << 248) & uint256(keccak256(abi.encode(15))))));
    /// @dev The defender.
    GamePlayer internal defender;
    /// @dev The challenger.
    GamePlayer internal challenger;
    function init(GamePlayer _defender, GamePlayer _challenger, uint256 _finalTraceIndex) public {
-        Claim rootClaim = Claim.wrap(keccak256(abi.encode(_finalTraceIndex, _defender.traceAt(_finalTraceIndex))));
+        Claim rootClaim = _defender.claimAt(_finalTraceIndex);
        super.init(rootClaim, ABSOLUTE_PRESTATE_CLAIM);
        defender = _defender;
        challenger = _challenger;
@@ -874,7 +894,6 @@ contract FaultDisputeGame_ResolvesCorrectly_IncorrectRootFuzz is OneVsOne_Arena
 contract FaultDisputeGame_ResolvesCorrectly_CorrectRootFuzz is OneVsOne_Arena {
    function testFuzz_resolvesCorrectly_succeeds(uint256 _dishonestTraceLength) public {
        _dishonestTraceLength = bound(_dishonestTraceLength, 1, 16);
        for (uint256 i = 0; i < _dishonestTraceLength; i++) {
            uint256 snapshot = vm.snapshot();
@@ -968,7 +987,7 @@ contract AlphabetVM is IBigStepper {
    function step(bytes calldata _stateData, bytes calldata) external view returns (bytes32 postState_) {
        uint256 traceIndex;
        uint256 claim;
-        if (keccak256(_stateData) == Claim.unwrap(ABSOLUTE_PRESTATE)) {
+        if ((keccak256(_stateData) << 8) == (Claim.unwrap(ABSOLUTE_PRESTATE) << 8)) {
            // If the state data is empty, then the absolute prestate is the claim.
            traceIndex = 0;
            (claim) = abi.decode(_stateData, (uint256));
@@ -979,5 +998,8 @@ contract AlphabetVM is IBigStepper {
        }
        // STF: n -> n + 1
        postState_ = keccak256(abi.encode(traceIndex, claim + 1));
+        assembly {
+            postState_ := or(and(postState_, not(shl(248, 0xFF))), shl(248, 1))
+        }
    }
 }
--- a/packages/contracts-bedrock/test/MIPS.t.sol
+++ b/packages/contracts-bedrock/test/MIPS.t.sol
@@ -4,6 +4,7 @@ pragma solidity 0.8.15;
 import { CommonTest } from "./CommonTest.t.sol";
 import { MIPS } from "src/cannon/MIPS.sol";
 import { PreimageOracle } from "src/cannon/PreimageOracle.sol";
+import "src/libraries/DisputeTypes.sol";
 contract MIPS_Test is CommonTest {
    MIPS internal mips;
@@ -1553,10 +1554,29 @@ contract MIPS_Test is CommonTest {
        );
    }
+    /// @dev MIPS VM status codes:
+    ///      0. Exited with success (Valid)
+    ///      1. Exited with success (Invalid)
+    ///      2. Exited with failure (Panic)
+    ///      3. Unfinished
+    function vmStatus(MIPS.State memory state) internal pure returns (VMStatus out_) {
+        if (!state.exited) {
+            return VMStatuses.UNFINISHED;
+        } else if (state.exitCode == 0) {
+            return VMStatuses.VALID;
+        } else if (state.exitCode == 1) {
+            return VMStatuses.INVALID;
+        } else {
+            return VMStatuses.PANIC;
+        }
+    }
    function outputState(MIPS.State memory state) internal pure returns (bytes32 out_) {
        bytes memory enc = encodeState(state);
+        VMStatus status = vmStatus(state);
        assembly {
            out_ := keccak256(add(enc, 0x20), 226)
+            out_ := or(and(not(shl(248, 0xFF)), out_), shl(248, status))
        }
    }

--- a/specs/cannon-fault-proof-vm.md
+++ b/specs/cannon-fault-proof-vm.md
@@ -6,6 +6,7 @@
 - [Overview](#overview)
 - [State](#state)
+  - [State Hash](#state-hash)
 - [Memory](#memory)
  - [Heap](#heap)
 - [Delay Slots](#delay-slots)
@@ -53,6 +54,34 @@ It consists of the following fields:
 The state is represented by packing the above fields, in order, into a 226-byte buffer.
+### State Hash
+The state hash is computed by hashing the 226-byte state buffer with the Keccak256 hash function
+and then setting the high-order byte to the respective VM status.
+The VM status can be derived from the state's `exited` and `exitCode` fields.
+```rs
+enum VmStatus {
+    Valid = 0,
+    Invalid = 1,
+    Panic = 2,
+    Unfinished = 3,
+}
+fn vm_status(exit_code: u8, exited: bool) -> u8 {
+    if exited {
+        match exit_code {
+            0 => VmStatus::Valid,
+            1 => VmStatus::Invalid,
+            _ => VmStatus::Panic,
+        }
+    } else {
+        VmStatus::Unfinished
+    }
+}
+```
 ## Memory
 Memory is represented as a binary merkle tree.