feat(p2p): add tx validator for contract instance deployment addresses#21771
Merged
PhilWindle merged 1 commit intomerge-train/spartanfrom Mar 19, 2026
Merged
Conversation
Validates that contract instance deployment logs contain correct addresses by recomputing the address from the event fields and rejecting mismatches. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
spalladino
added
ci-no-fail-fast
PhilWindle
approved these changes
Mar 19, 2026
AztecBot
pushed a commit
that referenced
this pull request
Mar 19, 2026
#21771) ## Motivation When a contract instance is deployed, a `ContractInstancePublishedEvent` is emitted as a private log containing the contract address and all fields needed to recompute it. Currently the archiver blindly trusts these addresses. A malicious or buggy client could submit a tx with an incorrect address, poisoning the archiver's contract data. ## Approach Added a new stateless tx validator that extracts `ContractInstancePublishedEvent` logs from a tx's private logs, recomputes the contract address via `computeContractAddressFromInstance`, and rejects the tx if the claimed address doesn't match. The validator is wired into all tx entry points (gossip, JSON-RPC, req/resp, and block proposals). ## Changes - **stdlib**: Added `TX_ERROR_INCORRECT_CONTRACT_ADDRESS` and `TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG` error constants - **p2p**: New `ContractInstanceTxValidator` that validates contract instance deployment addresses in private logs - **p2p**: Wired the validator into all three entry-point factory functions (gossip stage 1, req/resp + block proposals, JSON-RPC) - **p2p (tests)**: Unit tests for the new validator (correct address, wrong address, malformed log, no instance logs) and updated factory tests
Collaborator
|
✅ Successfully backported to backport-to-v4-staging #21783. |
PhilWindle
added a commit
that referenced
this pull request
Mar 19, 2026
…21787) ## Motivation The archiver blindly stores contract instance data extracted from private logs without verifying that the claimed address matches the instance fields. While the p2p tx validator (#21771) catches this at the network layer, blocks received via req/resp or proposals skip that check. This adds a second line of defense at the storage layer. ## Approach Before storing contract instances, the archiver now recomputes the address from the instance fields via `computeContractAddressFromInstance` and filters out any with mismatched addresses. The check is skipped during delete operations since we need to remove instances regardless. ## Changes - **archiver**: Validate contract instance addresses in `updateDeployedContractInstances` before storing, filtering out mismatches with a warning log - **stdlib (tests)**: Add elapsed timing to `computeContractAddressFromInstance` test (~1.3ms per call)
AztecBot
pushed a commit
that referenced
this pull request
Mar 19, 2026
…21787) ## Motivation The archiver blindly stores contract instance data extracted from private logs without verifying that the claimed address matches the instance fields. While the p2p tx validator (#21771) catches this at the network layer, blocks received via req/resp or proposals skip that check. This adds a second line of defense at the storage layer. ## Approach Before storing contract instances, the archiver now recomputes the address from the instance fields via `computeContractAddressFromInstance` and filters out any with mismatched addresses. The check is skipped during delete operations since we need to remove instances regardless. ## Changes - **archiver**: Validate contract instance addresses in `updateDeployedContractInstances` before storing, filtering out mismatches with a warning log - **stdlib (tests)**: Add elapsed timing to `computeContractAddressFromInstance` test (~1.3ms per call)
AztecBot
added a commit
that referenced
this pull request
Mar 19, 2026
BEGIN_COMMIT_OVERRIDE feat(p2p): add tx validator for contract instance deployment addresses (#21771) END_COMMIT_OVERRIDE
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 20, 2026
BEGIN_COMMIT_OVERRIDE feat(p2p): add tx validator for contract instance deployment addresses (#21771) fix: always deploy IRM for testnet (#21755) fix: avoid mutating caller's array via splice in snapshot sync (A-718) (#21759) chore: update network logs skill (#21785) feat(archiver): validate contract instance addresses before storing (#21787) fix: ensure no division by 0 (#21786) feat: support private fork releases via ci-release (#21778) fix: restrict scenario deployments to only nightly (#21798) fix(stdlib): zero-pad bufferFromFields when declared length exceeds payload (#21802) test(protocol-contracts): verify max-size bytecode fits in contract class log (#21818) fix: wire BOT_DA_GAS_LIMIT through helm/terraform for staging-public (#21809) fix: remove jest-mock-extended from worker processes + fix parallelize_strict silent failures (#21821) fix(archiver): throw on duplicate contract class or instance additions (#21799) chore: remove broadcasted function events (#21805) fix: sync dateProvider from anvil stdout on every mined block (#21829) fix(sequencer): use wall-clock time instead of L1 block timestamp for slot estimation (#21769) fix: use correct EthCheatCodes method name in epochs_missed_l1_slot test (#21848) feat(p2p): add tx validator for contract class id verification (#21788) feat: publisher funding (#21631) feat: batch chonk verifier TS integration (#21823) fix(sequencer): remove l1 block timestamp check (#21853) fix: use local IVC inputs for batch_verifier bench test (#21857) fix(p2p): centralize gossipsub penalization and fix inconsistencies (#21863) chore: publish GitHub releases to AztecProtocol/barretenberg (#21775) END_COMMIT_OVERRIDE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
When a contract instance is deployed, a
ContractInstancePublishedEventis emitted as a private log containing the contract address and all fields needed to recompute it. Currently the archiver blindly trusts these addresses. A malicious or buggy client could submit a tx with an incorrect address, poisoning the archiver's contract data.Approach
Added a new stateless tx validator that extracts
ContractInstancePublishedEventlogs from a tx's private logs, recomputes the contract address viacomputeContractAddressFromInstance, and rejects the tx if the claimed address doesn't match. The validator is wired into all tx entry points (gossip, JSON-RPC, req/resp, and block proposals).Changes
TX_ERROR_INCORRECT_CONTRACT_ADDRESSandTX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOGerror constantsContractInstanceTxValidatorthat validates contract instance deployment addresses in private logs