Skip to content

[codex] batcher consensus proof of concept#20844

Draft
opsuperchain wants to merge 11 commits into
ethereum-optimism:developfrom
karlfloersch:batcher-consensus-poc
Draft

[codex] batcher consensus proof of concept#20844
opsuperchain wants to merge 11 commits into
ethereum-optimism:developfrom
karlfloersch:batcher-consensus-poc

Conversation

@opsuperchain
Copy link
Copy Markdown
Contributor

@opsuperchain opsuperchain commented May 18, 2026
edited
Loading

Summary

This draft PR adds a blob-mode-only batcher consensus proof of concept.

  • adds a rollup config verifier address and batcher proof endpoint wiring
  • attaches proof calldata to blob batcher transactions without changing blob batch data
  • verifies blob transaction calldata in op-node derivation via block-hash eth_call to an L1 verifier contract and skips invalid proofs
  • adds verifier logs, metrics, and unit coverage for batcher, derivation, L1 client, and verifier helpers
  • adds DevStack verifier and sidecar options, valid/invalid acceptance tests, OP Up demo mode, and op-up smoke-batcher-consensus
  • adds a Rust proof sidecar that runs Commonware Simplex over a simulated 4-validator network and emits the resulting finalization certificate
  • switches the Simplex certificate scheme to Commonware secp256r1 so the certificate signatures are EVM-checkable
  • carries a CWSIMPLX1 || digest || marker || fixed POC envelope || Commonware certificate calldata envelope for the Commonware sidecar path
  • adds a deployable contracts-bedrock Solidity verifier for the Commonware Simplex certificate, with a raw fallback entrypoint for the op-node eth_call path
  • makes the Solidity verifier constructor-configurable for committee public keys and quorum, validates proof length/bitmap/signature count, rejects duplicate/invalid verifier configuration, and checks P256 signatures against the configured quorum
  • wires DevStack to load the compiled Solidity verifier runtime from the Foundry artifact and seed the POC committee/quorum in genesis storage instead of using handwritten Go bytecode
  • verifies the Commonware Simplex finalization certificate by checking the proposal digest, signer bitmap, quorum signatures, and P256 signatures over sha256(union_unique(finalize_namespace, proposal.encode()))
  • activates Osaka on the DevStack L1 preset used by the Commonware verifier so the L1 eth_call path has the P256 precompile available
  • makes the OP Up batcher-consensus demo self-contained by using the no-fault-proofs single-chain preset and adding --l2-rpc-port for running valid and invalid demo networks side by side

POC Caveat

The current sidecar runs a deterministic in-process Commonware Simplex network for the POC. The verifier now directly checks the Commonware secp256r1 certificate signatures in Solidity/EVM against a configured committee and quorum; the remaining POC-specific part is the batch-consensus calldata envelope/certificate layout used by the sidecar path.

Validation

cargo test --manifest-path op-batcher-consensus-sidecar/Cargo.toml

forge test --match-path test/L1/CommonwareSimplexBatchConsensusVerifier.t.sol --skip test/L2/L2ContractsManager.t.sol -vvv

forge build --skip '/**/test/**' --skip '/**/scripts/**' --deny never

go test ./op-service/batchconsensus ./op-devstack/sysgo -run 'TestBuild|TestBatchConsensusMockVerifier|TestBuildCommonware|TestBuildSigned' -count=1 -v

DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go test ./op-acceptance-tests/tests/batcher_consensus -run 'TestBatchConsensusValidProofAdvancesSafeHead' -count=1 -v

DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go test ./op-acceptance-tests/tests/batcher_consensus -run 'TestBatchConsensusInvalidProofDoesNotAdvanceSafeHead' -count=1 -v

go test ./op-up -run '^$'
go run ./op-up --help
go run ./op-up smoke-batcher-consensus all --help

# live OP Up demo smoke, with one shell per long-running devnet:
DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go run ./op-up --dir /tmp/op-up-batcher-consensus-valid --batcher-consensus-poc
DEVSTACK_L2EL_KIND=op-geth RUST_JIT_BUILD=1 go run ./op-up --dir /tmp/op-up-batcher-consensus-invalid --batcher-consensus-poc --batcher-consensus-poc-invalid --l2-rpc-port 8546
go run ./op-up smoke-batcher-consensus all

git diff --check
forge fmt --check src/L1/CommonwareSimplexBatchConsensusVerifier.sol test/L1/CommonwareSimplexBatchConsensusVerifier.t.sol

The DevStack acceptance tests show valid Commonware consensus proof calldata advancing local-safe, and invalid proof calldata being rejected with false batch consensus verifier result while local-safe remains at genesis.

The live OP Up smoke run started a valid proof demo on http://localhost:8545 and an invalid proof demo on http://localhost:8546; smoke-batcher-consensus all observed the valid safe head reach the submitted transfer block and the invalid safe head stay below the submitted transfer block for 20 seconds.

Note: the direct Solidity build used --deny never because a normal forge build is blocked in this checkout by existing repo lint warnings outside this verifier change. The DevStack and OP Up runs used DEVSTACK_L2EL_KIND=op-geth in this environment because op-reth was not built locally.

@wiz-0f98cca50a
Copy link
Copy Markdown

wiz-0f98cca50a Bot commented May 18, 2026
edited
Loading

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities -
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings 2 Medium
Software Management Finding Software Management Findings -
Total 2 Medium

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

wiz-0f98cca50a[bot]
wiz-0f98cca50a Bot reviewed May 18, 2026
View reviewed changes
Comment thread op-devstack/sysgo/batch_consensus_sidecar.go
})
listener, err := net.Listen("tcp", "127.0.0.1:0")
t.Require().NoError(err)
server := &http.Server{Handler: mux}
Copy link
Copy Markdown

@wiz-0f98cca50a wiz-0f98cca50a Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium SAST Finding

Uncontrolled Resource Consumption in Go HTTP Server (CWE-400)

More Details

The Go net/http package's default serve functions (http.ListenAndServe, http.ListenAndServeTLS, http.Serve, and http.ServeTLS) do not have configurable timeouts, making them vulnerable to resource consumption attacks like Slowloris. In a Slowloris attack, an adversary opens many connections to the server but sends data very slowly, eventually overwhelming the server's resources and preventing it from accepting new connections.

Failing to set appropriate timeouts on the HTTP server can lead to resource exhaustion, causing a denial of service. This could disrupt the application's availability and potentially enable further attacks if the server crashes or becomes unstable. To mitigate this risk, timeouts should be configured on the http.Server before starting the server.

Attribute Value
Impact Medium
Likelihood Medium

Remediation

The Go net/http package's default serve functions (http.ListenAndServe, http.ListenAndServeTLS, http.Serve, and http.ServeTLS) do not have configurable timeouts, making them vulnerable to resource consumption attacks like Slowloris. In a Slowloris attack, an adversary opens many connections to the server but sends data very slowly, eventually overwhelming the server's resources and preventing it from accepting new connections. This can lead to a denial of service, disrupting the application's availability and potentially enabling further attacks if the server crashes or becomes unstable.

To mitigate this risk, you should configure appropriate timeouts on the http.Server before starting the server. This can be done by creating a new http.Server instance with the desired timeout values and using its ListenAndServe or ListenAndServeTLS methods instead of the package-level functions.

Code examples

// VULNERABLE CODE - Default serve functions without timeouts
http.ListenAndServe(":8080", nil)
// SECURE CODE - Configure timeouts on http.Server
server := &http.Server{
    Addr:              ":8080",
    ReadHeaderTimeout: 5 * time.Second, // Timeout for reading the entire request header
    ReadTimeout:       10 * time.Second, // Timeout for reading the entire request body
    WriteTimeout:      10 * time.Second, // Timeout for writing the response
    IdleTimeout:       120 * time.Second, // Timeout for idle connections
}
log.Fatal(server.ListenAndServe())

Additional recommendations

  • Follow the principle of least privilege and set timeouts as low as reasonably possible for your application's needs.
  • Consider using a reverse proxy or load balancer with timeout configurations to add an additional layer of protection.
  • Implement monitoring and alerting for slow or hanging requests to detect potential attacks early.
  • Refer to the OWASP Denial of Service guidance and CWE-400 for best practices in mitigating resource consumption vulnerabilities.
  • Regularly review and update timeout configurations as your application's requirements change.

Rule ID: WS-I011-GO-00018


To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

wiz-0f98cca50a[bot]
wiz-0f98cca50a Bot reviewed May 20, 2026
View reviewed changes
Comment thread op-devstack/sysgo/batch_consensus.go
"CommonwareSimplexBatchConsensusVerifier.sol",
"CommonwareSimplexBatchConsensusVerifier.json",
)
data, err := os.ReadFile(artifactPath)
Copy link
Copy Markdown

@wiz-0f98cca50a wiz-0f98cca50a Bot May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium SAST Finding

Improper Path Validation in File Operations (CWE-22)

More Details

This vulnerability arises when an application fails to properly validate file paths or filenames before performing operations on them. If user input is used to construct file paths or filenames without proper sanitization, an attacker could exploit this vulnerability to access unauthorized files or directories on the system.

The consequences of this vulnerability can be severe, as it may allow an attacker to read sensitive data, overwrite critical system files, or even gain elevated privileges on the system. Path traversal attacks, where an attacker attempts to access files outside the intended directory, are a common exploitation technique for this vulnerability.

To mitigate this risk, it is crucial to validate and sanitize all user input used in file operations. This includes properly handling directory separators, removing any path traversal sequences, and restricting access to only the intended directories. Additionally, it is recommended to use a whitelist approach, where only a predefined set of safe paths or filenames are allowed.

Attribute Value
Impact Medium
Likelihood Medium

Remediation

This vulnerability arises when an application fails to properly validate and sanitize user-supplied file paths or filenames before performing file operations. If an attacker can control the file path or filename, they may be able to access unauthorized files or directories on the system, potentially leading to data breaches, system compromise, or privilege escalation.

To mitigate this vulnerability, it is crucial to validate and sanitize all user input used in file operations. This includes properly handling directory separators, removing any path traversal sequences, and restricting access to only the intended directories. It is recommended to use a whitelist approach, where only a predefined set of safe paths or filenames are allowed.

Code examples

// VULNERABLE CODE - User input is used directly in file operations without validation
func handleRequest(r *http.Request) {
    filename := r.URL.Query().Get("file")
    data, err := os.ReadFile(filename)
    // ...
}
// SECURE CODE - User input is validated and sanitized before file operations
import (
    "path/filepath"
    "strings"
)

func handleRequest(r *http.Request) {
    filename := r.URL.Query().Get("file")
    cleanPath := filepath.Clean(filename)
    if !strings.HasPrefix(cleanPath, "/safe/directory/") {
        // Reject the request if the path is not within the allowed directory
        http.Error(w, "Invalid file path", http.StatusBadRequest)
        return
    }
    data, err := os.ReadFile(cleanPath)
    // ...
}

Additional recommendations

  • Use a whitelist approach to restrict file operations to a predefined set of safe paths or filenames.
  • Implement strict input validation and sanitization for all user-supplied data used in file operations.
  • Follow the principle of least privilege and restrict file access permissions as much as possible.
  • Regularly update and patch your software to address known vulnerabilities.
  • Adhere to security best practices and standards, such as the OWASP Top 10 and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
  • Consider using secure coding libraries or frameworks that provide built-in protection against path traversal vulnerabilities.

Rule ID: WS-I011-GO-00013


To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wiz-0f98cca50a wiz-0f98cca50a[bot] wiz-0f98cca50a[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@opsuperchain