Move the switching logic between batchers inside the Batch Authenticator contract.

philippecamacho · philippecamacho · commit f5587dca614e · 2025-12-03T19:04:34.000-03:00
diff --git a/espresso/scripts/prepare-allocs.sh b/espresso/scripts/prepare-allocs.sh
@@ -74,7 +74,10 @@ op-deployer init --l1-chain-id "${L1_CHAIN_ID}" \
 
 dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .chains.[0].espressoEnabled -t bool -v true
 
+# Configure Espresso batchers for devnet. We reuse the operator address for both
+# the non-TEE and TEE batchers to ensure they are non-zero and consistent.
 dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .chains.[0].nonTeeBatcher -v "${OPERATOR_ADDRESS}"
+dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .chains.[0].teeBatcher -v "${OPERATOR_ADDRESS}"
 dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .l1ContractsLocator -v "${ARTIFACTS_DIR}"
 dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .l2ContractsLocator -v "${ARTIFACTS_DIR}"
 dasel put -f "${DEPLOYER_DIR}/intent.toml" -s .opcmAddress -v `jq -r .opcmAddress < ${DEPLOYER_DIR}/bootstrap_implementations.json`
diff --git a/justfile b/justfile
@@ -30,6 +30,9 @@ golint:
 compile-contracts:
  (cd packages/contracts-bedrock && just build-dev)
 
+run-l1-espresso-contracts-tests: compile-contracts
+ (cd packages/contracts-bedrock && forge test --match-path "/**/test/L1/Batch*.t.sol")
+
 compile-contracts-fast:
  (cd packages/contracts-bedrock && forge build --offline --skip "/**/test/**")
 
diff --git a/op-batcher/bindings/batch_authenticator.go b/op-batcher/bindings/batch_authenticator.go
diff --git a/op-batcher/bindings/batch_inbox.go b/op-batcher/bindings/batch_inbox.go
diff --git a/op-deployer/pkg/deployer/opcm/espresso.go b/op-deployer/pkg/deployer/opcm/espresso.go
@@ -19,6 +19,7 @@ type DeployEspressoInput struct {
 	Salt             common.Hash
 	NitroTEEVerifier common.Address
 	NonTeeBatcher    common.Address
+	TeeBatcher       common.Address
 }
 
 type DeployEspressoOutput struct {
diff --git a/op-deployer/pkg/deployer/pipeline/espresso.go b/op-deployer/pkg/deployer/pipeline/espresso.go
@@ -51,6 +51,7 @@ func DeployEspresso(env *Env, intent *state.Intent, st *state.State, chainID com
 		Salt:             st.Create2Salt,
 		NitroTEEVerifier: nvo.NitroTEEVerifierAddress,
 		NonTeeBatcher:    chainIntent.NonTeeBatcher,
+		TeeBatcher:       chainIntent.TeeBatcher,
 	}, batchAuthenticatorOwnwerAddress)
 	if err != nil {
 		return fmt.Errorf("failed to deploy espresso contracts: %w", err)
diff --git a/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol b/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol
@@ -23,7 +23,9 @@ interface IBatchAuthenticator {
 
     function owner() external view returns (address);
 
-    function preApprovedBatcher() external view returns (address);
+    function teeBatcher() external view returns (address);
+
+    function nonTeeBatcher() external view returns (address);
 
     function registerSigner(
         bytes memory attestationTbs,
@@ -36,9 +38,14 @@ interface IBatchAuthenticator {
 
     function validBatchInfo(bytes32) external view returns (bool);
 
+    function activeIsTee() external view returns (bool);
+
+    function switchBatcher() external;
+
     function __constructor__(
         address _espressoTEEVerifier,
-        address _preApprovedBatcher,
+        address _teeBatcher,
+        address _nonTeeBatcher,
         address _owner
     ) external;
 }
diff --git a/packages/contracts-bedrock/interfaces/L1/IBatchInbox.sol b/packages/contracts-bedrock/interfaces/L1/IBatchInbox.sol
@@ -6,5 +6,5 @@ interface IBatchInbox {
 
     function version() external view returns (string memory);
 
-    function __constructor__(address _nonTeeBatcher, address _batchAuthenticator, address _owner) external;
+    function __constructor__(address _batchAuthenticator, address _owner) external;
 }
diff --git a/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol b/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol
@@ -16,6 +16,7 @@ contract DeployEspressoInput is BaseDeployIO {
     bytes32 internal _salt;
     address internal _nitroTEEVerifier;
     address internal _nonTeeBatcher;
+    address internal _teeBatcher;
 
     function set(bytes4 _sel, bytes32 _val) public {
         if (_sel == this.salt.selector) _salt = _val;
@@ -27,6 +28,8 @@ contract DeployEspressoInput is BaseDeployIO {
             _nitroTEEVerifier = _val;
         } else if (_sel == this.nonTeeBatcher.selector) {
             _nonTeeBatcher = _val;
+        } else if (_sel == this.teeBatcher.selector) {
+            _teeBatcher = _val;
         } else {
             revert("DeployEspressoInput: unknown selector");
         }
@@ -44,6 +47,10 @@ contract DeployEspressoInput is BaseDeployIO {
     function nonTeeBatcher() public view returns (address) {
         return _nonTeeBatcher;
     }
+
+    function teeBatcher() public view returns (address) {
+        return _teeBatcher;
+    }
 }
 
 contract DeployEspressoOutput is BaseDeployIO {
@@ -97,7 +104,8 @@ contract DeployEspresso is Script {
                 _salt: salt,
                 _args: DeployUtils.encodeConstructor(
                     abi.encodeCall(
-                        IBatchAuthenticator.__constructor__, (address(teeVerifier), input.nonTeeBatcher(), owner)
+                        IBatchAuthenticator.__constructor__,
+                        (address(teeVerifier), input.teeBatcher(), input.nonTeeBatcher(), owner)
                     )
                 )
             })
@@ -135,7 +143,7 @@ contract DeployEspresso is Script {
                 _name: "BatchInbox",
                 _salt: salt,
                 _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(IBatchInbox.__constructor__, (input.nonTeeBatcher(), address(batchAuthenticator), owner))
+                    abi.encodeCall(IBatchInbox.__constructor__, (address(batchAuthenticator), owner))
                 )
             })
         );
diff --git a/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol b/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol
@@ -4,7 +4,6 @@ pragma solidity ^0.8.0;
 import { ECDSA } from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
 import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
 import { ISemver } from "interfaces/universal/ISemver.sol";
-import { EspressoTEEVerifier } from "@espresso-tee-contracts/EspressoTEEVerifier.sol";
 import { IEspressoTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoTEEVerifier.sol";
 
 interface INitroValidator {
@@ -22,22 +21,48 @@ contract BatchAuthenticator is ISemver, Ownable {
     /// @notice Mapping of batches verified by this contract
     mapping(bytes32 => bool) public validBatchInfo;
 
-    address public immutable preApprovedBatcher;
+    /// @notice Address of the TEE batcher whose signatures may authenticate batches.
+    address public immutable teeBatcher;
 
-    EspressoTEEVerifier public immutable espressoTEEVerifier;
+    /// @notice Address of the non-TEE (fallback) batcher that can post when TEE is inactive.
+    address public immutable nonTeeBatcher;
+
+    IEspressoTEEVerifier public immutable espressoTEEVerifier;
     INitroValidator public immutable nitroValidator;
 
-    constructor(EspressoTEEVerifier _espressoTEEVerifier, address _preApprovedBatcher, address _owner) Ownable() {
+    /// @notice Flag indicating which batcher is currently active.
+    /// @dev When true the TEE batcher is active; when false the non-TEE batcher is active.
+    bool public activeIsTee;
+
+    constructor(
+        IEspressoTEEVerifier _espressoTEEVerifier,
+        address _teeBatcher,
+        address _nonTeeBatcher,
+        address _owner
+    )
+        Ownable()
+    {
+        require(_teeBatcher != address(0), "BatchAuthenticator: zero tee batcher");
+        require(_nonTeeBatcher != address(0), "BatchAuthenticator: zero non-tee batcher");
+
         espressoTEEVerifier = _espressoTEEVerifier;
-        preApprovedBatcher = _preApprovedBatcher;
+        teeBatcher = _teeBatcher;
+        nonTeeBatcher = _nonTeeBatcher;
         nitroValidator = INitroValidator(address(espressoTEEVerifier.espressoNitroTEEVerifier()));
+        // By default, start with the TEE batcher active.
+        activeIsTee = true;
         _transferOwnership(_owner);
     }
 
     function decodeAttestationTbs(bytes memory attestation) external view returns (bytes memory, bytes memory) {
         return nitroValidator.decodeAttestationTbs(attestation);
     }
 
+    /// @notice Toggles the active batcher between the TEE and non-TEE batcher.
+    function switchBatcher() external onlyOwner {
+        activeIsTee = !activeIsTee;
+    }
+
     function authenticateBatchInfo(bytes32 commitment, bytes calldata _signature) external {
         // https://github.com/ethereum/go-ethereum/issues/19751#issuecomment-504900739
         bytes memory signature = _signature;
@@ -52,7 +77,7 @@ contract BatchAuthenticator is ISemver, Ownable {
             revert("Invalid signature");
         }
 
-        if (!espressoTEEVerifier.espressoNitroTEEVerifier().registeredSigners(signer) && signer != preApprovedBatcher) {
+        if (!espressoTEEVerifier.espressoNitroTEEVerifier().registeredSigners(signer) && signer != teeBatcher) {
             revert("Invalid signer");
         }
 
diff --git a/packages/contracts-bedrock/src/L1/BatchInbox.sol b/packages/contracts-bedrock/src/L1/BatchInbox.sol
@@ -14,36 +14,23 @@ contract BatchInbox is Ownable {
     /// @notice Contract responsible for authenticating TEE batch commitments.
     IBatchAuthenticator public immutable batchAuthenticator;
 
-    /// @notice Flag indicating which batcher is currently active.
-    /// @dev When true the TEE batcher is active; when false the non-TEE batcher is active.
-    bool public activeIsTee;
-
-    /// @notice Initializes the contract with the TEE and non-TEE batcher addresses
-    ///         and the batch authenticator.
-    /// @param _nonTeeBatcher Address of the non-TEE batcher.
+    /// @notice Initializes the contract with the batch authenticator.
     /// @param _batchAuthenticator Address of the batch authenticator contract.
-    constructor(address _nonTeeBatcher, IBatchAuthenticator _batchAuthenticator, address _owner) Ownable() {
-        require(_nonTeeBatcher != address(0), "BatchInbox: zero address for non tee batcher");
+    constructor(IBatchAuthenticator _batchAuthenticator, address _owner) Ownable() {
+        address _nonTeeBatcher = _batchAuthenticator.nonTeeBatcher();
         nonTeeBatcher = _nonTeeBatcher;
         batchAuthenticator = _batchAuthenticator;
-        // By default, start with the TEE batcher active
-        activeIsTee = true;
         _transferOwnership(_owner);
     }
 
-    /// @notice Toggles the active batcher between the TEE and non-TEE batcher.
-    function switchBatcher() external onlyOwner {
-        activeIsTee = !activeIsTee;
-    }
-
     /// @notice Fallback entry point for batch submissions.
     /// @dev Enforces that the caller matches the currently active batcher and, when
     ///      the TEE batcher is active, that the batch commitment is approved by
     ///      the batch authenticator. For non-TEE batches, only the caller check
     ///      is enforced.
     fallback() external {
         // TEE batchers require batch authentication
-        if (activeIsTee) {
+        if (batchAuthenticator.activeIsTee()) {
             if (blobhash(0) != 0) {
                 bytes memory concatenatedHashes = new bytes(0);
                 uint256 currentBlob = 0;
diff --git a/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol b/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol
@@ -0,0 +1,163 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// Testing
+import { Test } from "forge-std/Test.sol";
+
+// Contracts
+import { BatchAuthenticator } from "src/L1/BatchAuthenticator.sol";
+import { IEspressoTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoTEEVerifier.sol";
+import { IEspressoNitroTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoNitroTEEVerifier.sol";
+import { IEspressoSGXTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoSGXTEEVerifier.sol";
+
+contract MockNitroTEEVerifier is IEspressoNitroTEEVerifier {
+    mapping(address => bool) private _registeredSigners;
+
+    function registeredSigners(address signer) external view override returns (bool) {
+        return _registeredSigners[signer];
+    }
+
+    function registeredEnclaveHash(bytes32) external pure override returns (bool) {
+        return false;
+    }
+
+    function registerSigner(bytes calldata, bytes calldata) external pure override { }
+
+    function registerSignerWithoutAttestationVerification(
+        bytes32,
+        bytes calldata,
+        bytes calldata,
+        address
+    )
+        external
+        pure
+        override
+    { }
+
+    function verifyCACert(bytes calldata, bytes32) external pure override { }
+
+    function verifyClientCert(bytes calldata, bytes32) external pure override { }
+
+    function certVerified(bytes32) external pure override returns (bool) {
+        return false;
+    }
+
+    function setEnclaveHash(bytes32, bool) external pure override { }
+
+    function deleteRegisteredSigners(address[] memory) external pure override { }
+
+    // Test helper
+    function setRegisteredSigner(address signer, bool value) external {
+        _registeredSigners[signer] = value;
+    }
+}
+
+contract MockEspressoTEEVerifier is IEspressoTEEVerifier {
+    IEspressoNitroTEEVerifier public nitro;
+    IEspressoSGXTEEVerifier public sgx;
+
+    constructor(IEspressoNitroTEEVerifier _nitro) {
+        nitro = _nitro;
+        sgx = IEspressoSGXTEEVerifier(address(0));
+    }
+
+    function espressoNitroTEEVerifier() external view override returns (IEspressoNitroTEEVerifier) {
+        return nitro;
+    }
+
+    function espressoSGXTEEVerifier() external view override returns (IEspressoSGXTEEVerifier) {
+        return sgx;
+    }
+
+    function verify(bytes memory, bytes32, TeeType) external pure override returns (bool) {
+        return true;
+    }
+
+    function registerSigner(bytes calldata, bytes calldata, TeeType) external pure override { }
+
+    function registeredSigners(address, TeeType) external pure override returns (bool) {
+        return false;
+    }
+
+    function registeredEnclaveHashes(bytes32, TeeType) external pure override returns (bool) {
+        return false;
+    }
+
+    function setEspressoSGXTEEVerifier(IEspressoSGXTEEVerifier _sgx) external override {
+        sgx = _sgx;
+    }
+
+    function setEspressoNitroTEEVerifier(IEspressoNitroTEEVerifier _nitro) external override {
+        nitro = _nitro;
+    }
+}
+
+/// @title BatchAuthenticator_SwitchBatcher_Test
+/// @notice Tests ownership restrictions on BatchAuthenticator switchBatcher behavior
+contract BatchAuthenticator_SwitchBatcher_Test is Test {
+    address public deployer = address(0xABCD);
+    address public unauthorized = address(0xDEAD);
+
+    address public teeBatcher = address(0x1234);
+    address public nonTeeBatcher = address(0x5678);
+
+    MockNitroTEEVerifier public nitroVerifier;
+    MockEspressoTEEVerifier public teeVerifier;
+    BatchAuthenticator public authenticator;
+
+    function setUp() public {
+        nitroVerifier = new MockNitroTEEVerifier();
+        teeVerifier = new MockEspressoTEEVerifier(nitroVerifier);
+
+        vm.prank(deployer);
+        authenticator =
+            new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, deployer);
+    }
+
+    /// @notice Test that only the owner can switch the active batcher
+    function test_switchBatcher_revertsForNonOwner() external {
+        // Owner can switch batcher successfully.
+        vm.startPrank(deployer);
+        bool initialIsTee = authenticator.activeIsTee();
+        authenticator.switchBatcher();
+        assertEq(authenticator.activeIsTee(), !initialIsTee, "owner should be able to switch batcher");
+        vm.stopPrank();
+
+        // Non-owner cannot switch batcher.
+        vm.startPrank(unauthorized);
+        vm.expectRevert("Ownable: caller is not the owner");
+        authenticator.switchBatcher();
+        vm.stopPrank();
+    }
+}
+
+contract BatchAuthenticator_Constructor_Test is Test {
+    address public teeBatcher = address(0x1234);
+    address public nonTeeBatcher = address(0x5678);
+    address public owner = address(0xBEEF);
+
+    MockNitroTEEVerifier public nitroVerifier;
+    MockEspressoTEEVerifier public teeVerifier;
+
+    function setUp() public {
+        nitroVerifier = new MockNitroTEEVerifier();
+        teeVerifier = new MockEspressoTEEVerifier(nitroVerifier);
+    }
+
+    function test_constructor_revertsWhenTeeBatcherIsZero() external {
+        vm.expectRevert("BatchAuthenticator: zero tee batcher");
+        new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), address(0), nonTeeBatcher, owner);
+    }
+
+    function test_constructor_revertsWhenNonTeeBatcherIsZero() external {
+        vm.expectRevert("BatchAuthenticator: zero non-tee batcher");
+        new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, address(0), owner);
+    }
+
+    function test_constructor_succeedsWithValidAddresses() external {
+        BatchAuthenticator authenticator =
+            new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, owner);
+        assertEq(authenticator.teeBatcher(), teeBatcher);
+        assertEq(authenticator.nonTeeBatcher(), nonTeeBatcher);
+    }
+}
diff --git a/packages/contracts-bedrock/test/L1/BatchInbox.t.sol b/packages/contracts-bedrock/test/L1/BatchInbox.t.sol

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ type DeployEspressoInput struct {`
`19`	`19`	`Salt common.Hash`
`20`	`20`	`NitroTEEVerifier common.Address`
`21`	`21`	`NonTeeBatcher common.Address`
	`22`	`+ TeeBatcher common.Address`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`type DeployEspressoOutput struct {`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,5 @@ interface IBatchInbox {`
`6`	`6`
`7`	`7`	`function version() external view returns (string memory);`
`8`	`8`
`9`		`- function __constructor__(address _nonTeeBatcher, address _batchAuthenticator, address _owner) external;`
	`9`	`+ function __constructor__(address _batchAuthenticator, address _owner) external;`
`10`	`10`	`}`