Add support for ZK attestation service #294
Conversation
…tems/optimism-espresso-integration into enable-zk-verifier
…tems/optimism-espresso-integration into enable-zk-verifier
There was a problem hiding this comment.
Pull request overview
This PR introduces support for ZK attestation verification by replacing on-chain attestation verification with on-chain ZK proof verification. The changes integrate a new attestation verifier service that generates ZK proofs from Nitro attestations, and updates the deployment and testing infrastructure to support this new workflow.
Key changes:
- Integration of ZK proof generation service for attestation verification
- Removal of deprecated direct attestation verification methods from contracts
- Addition of mock verifier contract for development/testing environments
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/contracts-bedrock/test/L1/BatchInbox.t.sol | Updated Solidity version to use caret range |
| packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol | Updated Solidity version and removed deprecated mock verifier methods |
| packages/contracts-bedrock/src/L1/BatchInbox.sol | Updated Solidity version to ^0.8.24 |
| packages/contracts-bedrock/src/L1/BatchAuthenticator.sol | Removed deprecated attestation verification methods and nitroValidator interface |
| packages/contracts-bedrock/scripts/deploy/DeployAWSNitroVerifier.s.sol | Added mock verifier contract and support for optional nitro enclave verifier deployment |
| packages/contracts-bedrock/lib/espresso-tee-contracts | Updated submodule reference to newer commit |
| packages/contracts-bedrock/foundry.toml | Removed deprecated compilation restrictions and added new remapping |
| op-deployer/pkg/deployer/pipeline/espresso.go | Added environment variable support for nitro enclave verifier address and enclave hash |
| op-deployer/pkg/deployer/opcm/espresso.go | Extended input struct with NitroEnclaveVerifier field |
| op-batcher/enclave-entrypoint.bash | Added espresso-attestation-service to URL argument regex |
| op-batcher/bindings/batch_inbox.go | Regenerated bindings reflecting Solidity version change |
| op-batcher/bindings/batch_authenticator.go | Regenerated bindings removing deprecated methods |
| op-batcher/batcher/service.go | Added attestation service URL configuration and changed attestation storage from Result to bytes |
| op-batcher/batcher/espresso.go | Replaced direct attestation verification with ZK proof generation via HTTP service |
| op-batcher/batcher/driver.go | Added EspressoOnchainProof struct and changed Attestation type to bytes |
| espresso/environment/optitmism_espresso_test_helpers.go | Added attestation verifier ZK service to Docker launch configuration |
| espresso/environment/espresso_docker_helpers.go | Enhanced Docker container support with platform and name options |
| espresso/environment/enclave_helpers.go | Added attestation service argument to enclave batcher setup |
| espresso/environment/5_batch_authentication_test.go | Updated tests to use raw attestation bytes and fixed private key usage |
| espresso/docker/op-batcher-tee/run-enclave.sh | Added required ATTESTATION_SERVICE_URL environment variable |
| espresso/docker-compose.yml | Added attestation-service-zk container configuration |
| espresso/cli.go | Added AttestationServiceFlagName and EspressoAttestationService configuration |
| .github/workflows/espresso-integration.yaml | Updated runner to ubuntu-24.04-8core |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sneh1999
force-pushed
the
enable-zk-verifier
branch
from
7b34765 to
4ea1a68
Compare
Sneh1999
requested review from
QuentinI,
dailinsubjam,
miguelCyclone,
philippecamacho and
shenkeyao
There was a problem hiding this comment.
Awesome that we have the zk verifier now! It's just that for those hard-coded values, I think we could handle them in a cleaner way, but we can leave this to the last-round changes. I don't have many comments on the changes in espresso.go or the mock Nitro verifier contract, they look good to me, although more comments would always be helpful. Would love to hear others’ thoughts as well.
espresso/docker-compose.yml
Outdated
| # This is a demo private key for tests, it doesnt contain any funds | ||
| NETWORK_PRIVATE_KEY: "0x71f8e55f7555c946eadd5a2b5897465a9813b3ee493d6ef4ba6f1505a6e97af3" | ||
| NETWORK_RPC_URL: "https://rpc.mainnet.succinct.xyz" | ||
| SP1_PROVER: "mock" | ||
| RPC_URL: "https://rpc.ankr.com/eth_sepolia/ece75e2d2d01c537031b3b31a619b7830674b9cd1b9fe6bc957a3d393c035dbb" | ||
| NITRO_VERIFIER_ADDRESS: "0x2D7fbBAD6792698Ba92e67b7e180f8010B9Ec788" | ||
| USE_DOCKER: "1" | ||
| SKIP_TIME_VALIDITY_CHECK: "true" | ||
| RUST_LOG: "info" | ||
| HOST: "0.0.0.0" | ||
| PORT: "8080" |
There was a problem hiding this comment.
we have a .env to put these variables, especially for URL and Private key, I'd recommend we put them there.
| launcher := new(env.EspressoDevNodeLauncherDocker) | ||
|
|
||
| privateKey, err := crypto.GenerateKey() | ||
| privateKey, err := crypto.HexToECDSA("841c29acb9520a7ea8a48e7686cd825b93e8a3ecd966b62cb396ff8a2cd7e80e") |
There was a problem hiding this comment.
Would appreciate a comment on where this hex come from.
There was a problem hiding this comment.
Why do we need to hardcode the key here?
There was a problem hiding this comment.
Basically this test is checking if a given key has been registered or not and based on that batcher should not be able to submit batches. Because we are now using Mock contract - it doesnt actually verify the ZK proof to determine if the key should be registered or not. It just always returns true so the way to make this test work we make a special condition for mock contract to return false - thats why I have a hardcoded private key. Then we can see if the batcher stops posting or not and test the whole flow end to end
I also added comments to this line 096c4e0
There was a problem hiding this comment.
Ok, makes sense. Thanks!
| const ESPRESSO_SEQUENCER_API_PORT = "24000" | ||
| const ESPRESSO_DEV_NODE_PORT = "24002" | ||
|
|
||
| const ATTESTATION_VERIFIER_ZK_SERVER_DOCKER_IMAGE = "ghcr.io/espressosystems/attestation-verifier-zk:sha-0e987c3" |
There was a problem hiding this comment.
Would appreciate a ESPRESSO_ prefix for them or there must be a better way to deal with these hard-coded consts. Will wait to see others' ideas.
There was a problem hiding this comment.
Makes sense, since other consts in this file all have this prefix.
| } | ||
| defer res.Body.Close() | ||
|
|
||
| responseData, err := io.ReadAll(res.Body) |
There was a problem hiding this comment.
Should we also check the StatusCode of this response?
| const ESPRESSO_SEQUENCER_API_PORT = "24000" | ||
| const ESPRESSO_DEV_NODE_PORT = "24002" | ||
|
|
||
| const ATTESTATION_VERIFIER_ZK_SERVER_DOCKER_IMAGE = "ghcr.io/espressosystems/attestation-verifier-zk:sha-0e987c3" |
There was a problem hiding this comment.
Makes sense, since other consts in this file all have this prefix.
op-batcher/enclave-entrypoint.bash
Outdated
| # URL argument regex pattern | ||
| URL_ARG_RE='^(--altda\.da-server|--espresso\.urls|--espresso\.l1-url|--espresso\.rollup-l1-url|--l1-eth-rpc|--l2-eth-rpc|--rollup-rpc|--signer\.endpoint)(=|$)' | ||
|
|
||
| # Line 156 |
There was a problem hiding this comment.
Nit: Should we remove this comment?
…tems/optimism-espresso-integration into enable-zk-verifier
Sneh1999
force-pushed
the
enable-zk-verifier
branch
from
82b870d to
096c4e0
Compare
philippecamacho
left a comment
philippecamacho
left a comment
There was a problem hiding this comment.
Great work Sneh!
Sneh1999
force-pushed
the
enable-zk-verifier
branch
from
bd57513 to
d61708f
Compare
This PR:
Key places to review:
espresso.go