[codex] batcher consensus proof of concept

[opsuperchain]

Summary

This draft PR adds a blob-mode-only batcher consensus proof of concept.

• adds a rollup config verifier address and batcher proof endpoint wiring
• attaches proof calldata to blob batcher transactions without changing blob batch data
• verifies blob transaction calldata in op-node derivation via block-hash eth_call to an L1 verifier contract and skips invalid proofs
• adds verifier logs, metrics, and unit coverage for batcher, derivation, L1 client, and verifier helpers
• adds DevStack verifier and sidecar options, valid/invalid acceptance tests, OP Up demo mode, and op-up smoke-batcher-consensus
• adds a Rust proof sidecar that runs Commonware Simplex over a simulated 4-validator network and emits the resulting finalization certificate
• switches the Simplex certificate scheme to Commonware secp256r1 so the certificate signatures are EVM-checkable
• carries a CWSIMPLX1 || digest || marker || fixed POC envelope || Commonware certificate calldata envelope for the Commonware sidecar path
• verifies the Commonware Simplex finalization certificate in the DevStack L1 verifier by checking the proposal digest, signer bitmap, quorum signatures, and P256 signatures over sha256(union_unique(finalize_namespace, proposal.encode()))
• activates Osaka on the DevStack L1 preset used by the Commonware verifier so the L1 eth_call path has the P256 precompile available
• makes the OP Up batcher-consensus demo self-contained by using the no-fault-proofs single-chain preset and adding --l2-rpc-port for running valid and invalid demo networks side by side

POC Caveat

The current sidecar runs a deterministic in-process Commonware Simplex network for the POC. The verifier now directly checks the Commonware secp256r1 certificate signatures in EVM, but the certificate layout and validator set are still fixed for this proof of concept rather than a production configurable committee/verifier contract.

Validation

cargo test --manifest-path op-batcher-consensus-sidecar/Cargo.toml

go test ./op-service/batchconsensus ./op-devstack/sysgo -run 'TestBuild|TestBatchConsensusMockVerifier|TestBuildCommonware|TestBuildSigned' -count=1 -v

DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go test ./op-acceptance-tests/tests/batcher_consensus -run 'TestBatchConsensusValidProofAdvancesSafeHead' -count=1 -v

DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go test ./op-acceptance-tests/tests/batcher_consensus -run 'TestBatchConsensusInvalidProofDoesNotAdvanceSafeHead' -count=1 -v

go test ./op-up -run '^$'
go run ./op-up --help
go run ./op-up smoke-batcher-consensus all --help

# live OP Up demo smoke, with one shell per long-running devnet:
DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go run ./op-up --dir /tmp/op-up-batcher-consensus-valid --batcher-consensus-poc
DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go run ./op-up --dir /tmp/op-up-batcher-consensus-invalid --batcher-consensus-poc --batcher-consensus-poc-invalid --l2-rpc-port 8546
go run ./op-up smoke-batcher-consensus all

git diff --check

The DevStack acceptance tests show valid Commonware consensus proof calldata advancing local-safe, and invalid proof calldata being rejected with false batch consensus verifier result while local-safe remains at genesis.

The live OP Up smoke run started a valid proof demo on http://localhost:8545 and an invalid proof demo on http://localhost:8546; smoke-batcher-consensus all observed the valid safe head reach the submitted transfer block and the invalid safe head stay below the submitted transfer block for 20 seconds.

Note: the DevStack and OP Up runs used DEVSTACK_L2EL_KIND=op-geth in this environment because op-reth was not built locally.

[wiz-0f98cca50a]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	-
SAST Findings	1
Software Management Findings	-
Total	1

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[wiz-0f98cca50a]

 SAST Finding

Uncontrolled Resource Consumption in Go HTTP Server (CWE-400)

More Details

The Go net/http package's default serve functions (http.ListenAndServe, http.ListenAndServeTLS, http.Serve, and http.ServeTLS) do not have configurable timeouts, making them vulnerable to resource consumption attacks like Slowloris. In a Slowloris attack, an adversary opens many connections to the server but sends data very slowly, eventually overwhelming the server's resources and preventing it from accepting new connections.

Failing to set appropriate timeouts on the HTTP server can lead to resource exhaustion, causing a denial of service. This could disrupt the application's availability and potentially enable further attacks if the server crashes or becomes unstable. To mitigate this risk, timeouts should be configured on the http.Server before starting the server.

Attribute	Value
Impact
Likelihood

Remediation

The Go net/http package's default serve functions (http.ListenAndServe, http.ListenAndServeTLS, http.Serve, and http.ServeTLS) do not have configurable timeouts, making them vulnerable to resource consumption attacks like Slowloris. In a Slowloris attack, an adversary opens many connections to the server but sends data very slowly, eventually overwhelming the server's resources and preventing it from accepting new connections. This can lead to a denial of service, disrupting the application's availability and potentially enabling further attacks if the server crashes or becomes unstable.

To mitigate this risk, you should configure appropriate timeouts on the http.Server before starting the server. This can be done by creating a new http.Server instance with the desired timeout values and using its ListenAndServe or ListenAndServeTLS methods instead of the package-level functions.

Code examples

// VULNERABLE CODE - Default serve functions without timeouts
http.ListenAndServe(":8080", nil)

// SECURE CODE - Configure timeouts on http.Server
server := &http.Server{
    Addr:              ":8080",
    ReadHeaderTimeout: 5 * time.Second, // Timeout for reading the entire request header
    ReadTimeout:       10 * time.Second, // Timeout for reading the entire request body
    WriteTimeout:      10 * time.Second, // Timeout for writing the response
    IdleTimeout:       120 * time.Second, // Timeout for idle connections
}
log.Fatal(server.ListenAndServe())

Additional recommendations

• Follow the principle of least privilege and set timeouts as low as reasonably possible for your application's needs.
• Consider using a reverse proxy or load balancer with timeout configurations to add an additional layer of protection.
• Implement monitoring and alerting for slow or hanging requests to detect potential attacks early.
• Refer to the OWASP Denial of Service guidance and CWE-400 for best practices in mitigating resource consumption vulnerabilities.
• Regularly review and update timeout configurations as your application's requirements change.

Rule ID: WS-I011-GO-00018

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate