near · dndll · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024
diff --git a/.env.example b/.env.example
@@ -0,0 +1,3 @@
+ETH_PRIVATE_KEY=0x
+ETH_PUBLIC_KEY=0x
+ETHERSCAN_API_KEY=
diff --git a/.github/workflows/dependency_audit.yml b/.github/workflows/dependency_audit.yml
diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml
@@ -48,7 +48,9 @@ jobs:
           cache-workspaces: |-
             .
       - name: "Install cargo-nextest"
-        run: cargo install cargo-nextest
+        uses: taiki-e/install-action@v2
+        with:
+          tool: nextest        
       - name: Build and archive tests
         run: cargo nextest archive -r --workspace --archive-file nextest-archive.tar.zst --locked
       - name: Upload archive to workflow
@@ -70,7 +72,9 @@ jobs:
           cache-workspaces: |-
             .
       - name: "Install cargo-nextest"
-        run: cargo install cargo-nextest
+        uses: taiki-e/install-action@v2
+        with:
+          tool: nextest        
       - name: Download archive
         uses: actions/download-artifact@v3
         with:
@@ -102,7 +106,9 @@ jobs:
           cache-workspaces: |-
             .
       - name: "Install cargo-nextest"
-        run: cargo install cargo-nextest
+        uses: taiki-e/install-action@v2
+        with:
+          tool: nextest        
       - name: Download archive
         uses: actions/download-artifact@v3
         with:
@@ -117,7 +123,10 @@ jobs:
   test-solidity-contracts:
     name: "Test Solidity Contracts"
     runs-on:
-      group: ubuntu-22.04-16core
+      group: ubuntu-22.04-8core
+    defaults:
+      run:
+        working-directory: ./nearx/contract        
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -128,14 +137,12 @@ jobs:
         with:
           cache-workspaces: |-
             .
-      - name: "Install Foundry"
-        uses: taiki-e/cache-cargo-install-action@v1
-        with:
-          git: https://github.com/foundry-rs/foundry
-          tool: forge
-          rev: 6ee3e88d2a48c7df48c85986e67f73cd2e6403d8
-      - name: "Forge install"
-        run: cd nearx/contract && forge install
+      - name: Install Foundry
+        uses: "foundry-rs/foundry-toolchain@v1"            
+      - name: Add build summary
+        run: |
+          echo "## Build result" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Passed" >> $GITHUB_STEP_SUMMARY          
       - name: "Run tests"
-        run: cd nearx/contract && forge test -vv            
+        run: forge test -vv            
 
diff --git a/Makefile b/Makefile
@@ -16,66 +16,28 @@ test:
 beefy-test:
 	RUST_LOG=debug cargo test --workspace --ignored --release
 
-BUILDCIRCUIT := cargo build --release --bin near-light-clientx --features
-MVCIRCUIT := mv -f target/release/near-light-clientx
-
-build-sync-circuit:
-	$(BUILDCIRCUIT) sync
-	$(MVCIRCUIT) build/sync
-	RUST_LOG=debug ./build/sync build
-.PHONY: build-sync-circuit
-
-prove-sync-circuit:
-	RUST_LOG=debug ./build/sync prove input.json
-
-# TODO: build various parameters of NUM:BATCH, e.g 1024x64 2x1, 128x4, etc
-build-verify-circuit:
-	$(BUILDCIRCUIT) verify
-	$(MVCIRCUIT) build/verify
-	RUST_LOG=debug ./build/verify build
-.PHONY: build-verify-circuit
-
-prove-verify-circuit:
-	RUST_LOG=debug ./build/verify prove input.json
-
 # TODO: these should be configurable and need updating
-SYNC_FUNCTION_ID=0x350c2939eb7ff2185612710a2b641b4b46faab68e1e2c57b6f15e0af0674f5e9
-VERIFY_FUNCTION_ID=0x39fb2562b80725bb7538dd7d850126964e565a1a837d2d7f2a018e185b08fc0e
-ETH_RPC=https://rpc.goerli.eth.gateway.fm
+SYNC_FUNCTION_ID=0x38a03ba7ecace39a1c7315d798cc9689418eceba384e154c01d6e2897bf000a9
+VERIFY_FUNCTION_ID=0x76918ea14fc7b8d8e4919c970be635e1d0ed57576771cdc1f6fa581bce7fd418
+GATEWAY_ID=0x6c7a05e0ae641c6559fd76ac56641778b6ecd776
 NEAR_CHECKPOINT_HEADER_HASH=0x63b87190ffbaa36d7dab50f918fe36f70ab26910a0e9d797161e2356561598e3
+ETH_RPC=https://rpc.goerli.eth.gateway.fm
 CHAIN_ID=5
-CD_CONTRACTS=cd ./circuits/plonky2x/contract
+
+FORGE=cd ./nearx/contract && forge
+FORGEREST= --rpc-url $(ETH_RPC) --private-key $$ETH_PRIVATE_KEY --broadcast --verify --verifier etherscan -vv
 
 build-contracts:
-	$(CD_CONTRACTS) && forge build
+	$(FORGE) build
 
 deploy: build-contracts
-	$(CD_CONTRACTS) && forge script Deploy \
-		--rpc-url $(ETH_RPC) \
-		--private-key $$ETH_PRIVATE_KEY \
-		--broadcast \
-		--verify \
-		--verifier etherscan
+	$(FORGE) script Deploy $(FORGEREST)
 
 initialise: 
-	$(CD_CONTRACTS) && forge script Initialise \
-		--rpc-url $(ETH_RPC) \
-		--private-key $$ETH_PRIVATE_KEY \
-		--broadcast \
-		--verify \
-		--verifier etherscan
+	$(FORGE) script Initialise $(FORGEREST)
+
 upgrade:
-	$(CD_CONTRACTS) && forge script Upgrade \
-		--rpc-url $(ETH_RPC) \
-		--private-key $$ETH_PRIVATE_KEY \
-		--broadcast \
-		--verify \
-		--verifier etherscan
-verify:
-	$(CD_CONTRACTS) && forge script Verify \
-		--rpc-url $(ETH_RPC) \
-		--private-key $$ETH_PRIVATE_KEY \
-		--broadcast \
-		--verify \
-		--verifier etherscan
+	$(FORGE) script Upgrade $(FORGEREST)
 
+verify:
+	$(FORGE) script Verify $(FORGEREST)
diff --git a/nearx/contract/foundry.toml b/nearx/contract/foundry.toml
@@ -1,8 +1,12 @@
 [profile.default]
 fs_permissions = [ { access = "read", path = "./broadcast" } ]
-libs           = [ "lib" ]
-optimizer      = true
-optimizer-runs = 1_000_000
-out            = "out"
-remappings     = [ "@openzeppelin/contracts=lib/openzeppelin-contracts/contracts", "@openzeppelin/contracts-upgradeable=lib/openzeppelin-contracts-upgradeable/contracts" ]
-src            = "src"
+libs = [ "lib" ]
+optimizer = false # This was breaking verification for some reason
+optimizer-runs = 100_000
+out = "out"
+remappings = [
+  "forge-std=lib/forge-std/src",
+  "@openzeppelin/contracts=lib/openzeppelin-contracts/contracts",
+  "@openzeppelin/contracts-upgradeable=lib/openzeppelin-contracts-upgradeable/contracts",
+]
+src = "src"
diff --git a/nearx/contract/script/Deploy.s.sol b/nearx/contract/script/Deploy.s.sol
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: UNLICENSED
-pragma solidity ^0.8.19;
+pragma solidity ^0.8.20;
 
 import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
 import {NearX} from "../src/NearX.sol";
@@ -9,20 +9,25 @@ contract Deploy is Script {
     function setUp() public {}
 
     function run() external returns (address) {
+        vm.startBroadcast();
+
         address proxy = deployNearX();
+        init(proxy);
+
+        vm.stopBroadcast();
         return proxy;
     }
 
     function deployNearX() public returns (address) {
-        vm.startBroadcast();
-
         NearX lightClient = new NearX();
 
         ERC1967Proxy proxy = new ERC1967Proxy(address(lightClient), "");
 
-        lightClient.initialize();
-
-        vm.stopBroadcast();
         return address(proxy);
     }
+
+    function init(address proxy) public {
+        NearX client = NearX(payable(proxy));
+        client.initialize();
+    }
 }
diff --git a/nearx/contract/script/Initialise.s.sol b/nearx/contract/script/Initialise.s.sol
@@ -19,7 +19,7 @@ contract Initialise is Script {
         NearX lightClient = NearX(payable(proxyAddress));
 
         // Succinct's goerli gateway
-        address initialGateway = 0x6e4f1e9eA315EBFd69d18C2DB974EEf6105FB803;
+        address initialGateway = vm.envAddress("GATEWAY_ID");
         lightClient.updateGateway(initialGateway);
 
         bytes32 syncFunctionId = vm.envBytes32("SYNC_FUNCTION_ID");

diff --git a/nearx/contract/script/Verify.s.sol b/nearx/contract/script/Verify.s.sol
@@ -6,6 +6,7 @@ import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.s
 import {DevOpsTools} from "lib/foundry-devops/src/DevOpsTools.sol";
 import {NearX, TransactionOrReceiptId} from "../src/NearX.sol";
 
+// TODO: refactor for 128, taking the input fixture
 contract Verify is Script {
     function run() external {
         address proxyAddress = DevOpsTools.get_most_recent_deployment(

diff --git a/nearx/contract/src/NearX.sol b/nearx/contract/src/NearX.sol
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.13;
+pragma solidity ^0.8.20;
 
 import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
@@ -9,11 +9,7 @@ import {INearX, TransactionOrReceiptId, ProofVerificationResult, encodePackedIds
 
 /// @notice The NearX contract is a light client for Near.
 contract NearX is INearX, Initializable, OwnableUpgradeable, UUPSUpgradeable {
-    uint32 public constant DEFAULT_GAS_LIMIT = 1000000;
-
-    /// @notice The address of the gateway contract.
-    address public gateway;
-
+    /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
         _disableInitializers();
     }
@@ -29,6 +25,11 @@ contract NearX is INearX, Initializable, OwnableUpgradeable, UUPSUpgradeable {
         onlyOwner
     {}
 
+    uint32 public constant DEFAULT_GAS_LIMIT = 1000000;
+
+    /// @notice The address of the gateway contract.
+    address public gateway;
+
     /// @notice Sync function id.
     bytes32 public syncFunctionId;
 
@@ -87,6 +88,7 @@ contract NearX is INearX, Initializable, OwnableUpgradeable, UUPSUpgradeable {
         if (msg.sender != gateway || !ISuccinctGateway(gateway).isCallback()) {
             revert NotFromSuccinctGateway(msg.sender);
         }
+        // TODO: this does mean we trust the gateway, potentially we add a check here
 
         bytes32 targetHeader = abi.decode(_output, (bytes32));
 

diff --git a/nearx/contract/test/NearX.t.sol b/nearx/contract/test/NearX.t.sol
diff --git a/nearx/src/sync.rs b/nearx/src/sync.rs
@@ -24,6 +24,8 @@ impl<const NETWORK: usize> Circuit for SyncCircuit<NETWORK> {
         let fetch_header = FetchHeaderInputs(network);
         let fetch_next_header = FetchNextHeaderInputs(network);
 
+        // TODO: we do need to be defensive to ensure that this is actually the trusted
+        // header hash, do not allow anybody to provide this input.
         let trusted_header_hash = b.evm_read::<CryptoHashVariable>();
 
         // This is a very interesting trick to be able to get the BPS for the next epoch

diff --git a/nearx/src/variables.rs b/nearx/src/variables.rs
@@ -602,6 +602,7 @@ pub struct HashBpsInputs;
 impl<L: PlonkParameters<D>, const D: usize> Hint<L, D> for HashBpsInputs {
     fn hint(&self, input_stream: &mut ValueStream<L, D>, output_stream: &mut ValueStream<L, D>) {
         let bps = input_stream.read_value::<BpsArr<ValidatorStakeVariable>>();
+        // TODO: if we use a bitmask we wont need default checks
         let default_validator =
             ValidatorStakeVariableValue::<<L as PlonkParameters<D>>::Field>::default();
 
@@ -635,6 +636,14 @@ impl HashBpsInputs {
 }
 
 // TODO: EVM these, maybe macro?
+// TODO: try to optimise the size here, since this directly affects calldata on
+// Eth, limiting queue size.
+// What if we take it in the circuit, but pad/normalise in solidity at the last
+// ACCOUNT_DATA_SEPARATOR, allowing less than MAX_LEN requests at the calldata
+// side.
+// Also, for DA, if we only did receipts then we can preconfigure the receiver
+// to a configurable contract, this would emit 64 bytes from calldata, roughly
+// 2/3 of the request size.
 #[derive(CircuitVariable, Clone, Debug)]
 pub struct TransactionOrReceiptIdVariable {
     pub is_transaction: BoolVariable,

diff --git a/nearx/src/verify.rs b/nearx/src/verify.rs
@@ -45,6 +45,7 @@ impl<const N: usize, const B: usize, const NETWORK: usize> Circuit
         // Init a default result for N
         let zero = b.constant::<CryptoHashVariable>([0u8; 32].into());
         let _false = b._false();
+        // TODO: Introduce some active bitmask here to avoid the need for defaulting
         let default = ProofVerificationResultVariable {
             id: zero,
             result: _false,
@@ -59,6 +60,7 @@ impl<const N: usize, const B: usize, const NETWORK: usize> Circuit
 
                 // TODO[Optimisation]: could parallelise these
                 for ProofInputVariable { id, proof } in proofs.data {
+                    // TODO: default identifiers should be ignored here:
                     let result = b.verify(proof);
                     results.push(ProofVerificationResultVariable { id, result });
                 }

diff --git a/scripts/build-circuit.sh b/scripts/build-circuit.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+export RUST_LOG=debug 
+
+if [ "$1" != "sync" ] && [ "$1" != "verify" ]; then
+  echo "Usage: $0 <sync|verify>"
+  exit
+fi
+
+cargo build --bin near-light-clientx \
+  --release \
+  --features $1
+
+mv -f target/release/near-light-clientx build/$1
+
+TAILARGS="${@: 2}"
+
+build/$1 build $TAILARGS
+
diff --git a/scripts/prove-circuit.sh b/scripts/prove-circuit.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+export RUST_LOG=debug
+
+if [ "$1" != "sync" ] && [ "$1" != "verify" ]; then
+  echo "Usage: $0 <sync|verify>"
+  exit
+fi
+
+# If INPUT is not set, set it to input.json
+if [ -z "$INPUT" ]; then
+  INPUT="input.json"
+fi
+
+TAILARGS="${@: 2}"
+
+# Append the rest of the arguments to this command
+build/$1 prove $INPUT $TAILARGS
+
diff --git a/succinct.json b/succinct.json
@@ -4,7 +4,7 @@
             "name": "sync",
             "framework": "plonky2x",
             "baseDir": ".",
-            "buildCommand": "make build-sync-circuit",
+            "buildCommand": "scripts/build-circuit.sh sync",
             "proveCommand": "RUST_LOG=debug ./build/sync prove input.json",
             "requiredArtifacts": [
                 "sync"
@@ -14,7 +14,7 @@
             "name": "verify",
             "framework": "plonky2x",
             "baseDir": ".",
-            "buildCommand": "make build-verify-circuit",
+            "buildCommand": "scripts/build-circuit.sh verify",
             "proveCommand": "RUST_LOG=debug ./build/verify prove input.json",
             "requiredArtifacts": [
                 "verify"