From d244eddbb676182d0d15cbdca216d80c2d1d2acd Mon Sep 17 00:00:00 2001 From: Sneh Koul Date: Tue, 13 Jan 2026 18:07:47 -0500 Subject: [PATCH 1/2] Remove pre authenticated batcher --- .../interfaces/L1/IBatchAuthenticator.sol | 1 - .../scripts/deploy/DeployEspresso.s.sol | 18 +---------------- .../src/L1/BatchAuthenticator.sol | 16 ++++----------- .../test/L1/BatchAuthenticator.t.sol | 20 ++++++------------- .../test/L1/BatchInbox.t.sol | 9 +++------ 5 files changed, 14 insertions(+), 50 deletions(-) diff --git a/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol b/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol index ebaf9ad3026..b23f92a3480 100644 --- a/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol +++ b/packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol @@ -46,7 +46,6 @@ interface IBatchAuthenticator { address _espressoTEEVerifier, address _teeBatcher, address _nonTeeBatcher, - address _preRegisteredBatcher, address _owner ) external; } diff --git a/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol b/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol index 3992fae8ddd..0e13b72cbe2 100644 --- a/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol +++ b/packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol @@ -18,7 +18,6 @@ contract DeployEspressoInput is BaseDeployIO { address internal _nitroTEEVerifier; address internal _nonTeeBatcher; address internal _teeBatcher; - address internal _preRegisteredBatcher; function set(bytes4 _sel, bytes32 _val) public { if (_sel == this.salt.selector) _salt = _val; @@ -32,8 +31,6 @@ contract DeployEspressoInput is BaseDeployIO { _nonTeeBatcher = _val; } else if (_sel == this.teeBatcher.selector) { _teeBatcher = _val; - } else if (_sel == this.preRegisteredBatcher.selector) { - _preRegisteredBatcher = _val; } else { revert("DeployEspressoInput: unknown selector"); } @@ -55,10 +52,6 @@ contract DeployEspressoInput is BaseDeployIO { function teeBatcher() public view returns (address) { return _teeBatcher; } - - function preRegisteredBatcher() public view returns (address) { - return _preRegisteredBatcher; - } } contract DeployEspressoOutput is BaseDeployIO { @@ -106,9 +99,6 @@ contract DeployEspresso is Script { { bytes32 salt = input.salt(); vm.broadcast(msg.sender); - if (input.preRegisteredBatcher() != address(0)) { - console.log("WARNING: preRegisteredBatcher is set. This should not happen in production deployments"); - } IBatchAuthenticator impl = IBatchAuthenticator( DeployUtils.create2({ _name: "BatchAuthenticator", @@ -116,13 +106,7 @@ contract DeployEspresso is Script { _args: DeployUtils.encodeConstructor( abi.encodeCall( IBatchAuthenticator.__constructor__, - ( - address(teeVerifier), - input.teeBatcher(), - input.nonTeeBatcher(), - input.preRegisteredBatcher(), - owner - ) + (address(teeVerifier), input.teeBatcher(), input.nonTeeBatcher(), owner) ) ) }) diff --git a/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol b/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol index d0d9ef7ae35..cd08d05b19d 100644 --- a/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol +++ b/packages/contracts-bedrock/src/L1/BatchAuthenticator.sol @@ -26,10 +26,6 @@ contract BatchAuthenticator is ISemver, Ownable { /// @notice Address of the non-TEE (fallback) batcher that can post when TEE is inactive. address public immutable nonTeeBatcher; - /// @notice Key of pre-registered TEE batcher that can authenticate batches without - /// calling registerSigner first. For testing only. - address public immutable preRegisteredBatcher; - IEspressoTEEVerifier public immutable espressoTEEVerifier; /// @notice Flag indicating which batcher is currently active. @@ -40,7 +36,6 @@ contract BatchAuthenticator is ISemver, Ownable { IEspressoTEEVerifier _espressoTEEVerifier, address _teeBatcher, address _nonTeeBatcher, - address _preRegisteredBatcher, address _owner ) Ownable() @@ -53,7 +48,6 @@ contract BatchAuthenticator is ISemver, Ownable { nonTeeBatcher = _nonTeeBatcher; // By default, start with the TEE batcher active. activeIsTee = true; - preRegisteredBatcher = _preRegisteredBatcher; _transferOwnership(_owner); } @@ -75,12 +69,10 @@ contract BatchAuthenticator is ISemver, Ownable { require(signer != address(0), "BatchAuthenticator: invalid signature"); - if (signer != preRegisteredBatcher) { - require( - espressoTEEVerifier.espressoNitroTEEVerifier().registeredSigners(signer), - "BatchAuthenticator: invalid signer" - ); - } + require( + espressoTEEVerifier.espressoNitroTEEVerifier().registeredSigners(signer), + "BatchAuthenticator: invalid signer" + ); validBatchInfo[commitment] = true; emit BatchInfoAuthenticated(commitment, signer); diff --git a/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol b/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol index c6aadbc1a3b..57f432601d1 100644 --- a/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol +++ b/packages/contracts-bedrock/test/L1/BatchAuthenticator.t.sol @@ -81,7 +81,6 @@ contract BatchAuthenticator_SwitchBatcher_Test is Test { address public teeBatcher = address(0x1234); address public nonTeeBatcher = address(0x5678); - address public preRegisteredBatcher = address(0x9ABC); MockNitroTEEVerifier public nitroVerifier; MockEspressoTEEVerifier public teeVerifier; @@ -92,9 +91,8 @@ contract BatchAuthenticator_SwitchBatcher_Test is Test { teeVerifier = new MockEspressoTEEVerifier(nitroVerifier); vm.prank(deployer); - authenticator = new BatchAuthenticator( - IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, preRegisteredBatcher, deployer - ); + authenticator = + new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, deployer); } /// @notice Test that only the owner can switch the active batcher @@ -117,7 +115,6 @@ contract BatchAuthenticator_SwitchBatcher_Test is Test { contract BatchAuthenticator_Constructor_Test is Test { address public teeBatcher = address(0x1234); address public nonTeeBatcher = address(0x5678); - address public preRegisteredBatcher = address(0x9ABC); address public owner = address(0xBEEF); @@ -131,22 +128,17 @@ contract BatchAuthenticator_Constructor_Test is Test { function test_constructor_revertsWhenTeeBatcherIsZero() external { vm.expectRevert("BatchAuthenticator: zero tee batcher"); - new BatchAuthenticator( - IEspressoTEEVerifier(address(teeVerifier)), address(0), nonTeeBatcher, preRegisteredBatcher, owner - ); + new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), address(0), nonTeeBatcher, owner); } function test_constructor_revertsWhenNonTeeBatcherIsZero() external { vm.expectRevert("BatchAuthenticator: zero non-tee batcher"); - new BatchAuthenticator( - IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, address(0), preRegisteredBatcher, owner - ); + new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, address(0), owner); } function test_constructor_succeedsWithValidAddresses() external { - BatchAuthenticator authenticator = new BatchAuthenticator( - IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, preRegisteredBatcher, owner - ); + BatchAuthenticator authenticator = + new BatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, owner); assertEq(authenticator.teeBatcher(), teeBatcher); assertEq(authenticator.nonTeeBatcher(), nonTeeBatcher); } diff --git a/packages/contracts-bedrock/test/L1/BatchInbox.t.sol b/packages/contracts-bedrock/test/L1/BatchInbox.t.sol index 819c733f598..35e469cd191 100644 --- a/packages/contracts-bedrock/test/L1/BatchInbox.t.sol +++ b/packages/contracts-bedrock/test/L1/BatchInbox.t.sol @@ -17,10 +17,9 @@ contract TestBatchAuthenticator is BatchAuthenticator { IEspressoTEEVerifier _espressoTEEVerifier, address _teeBatcher, address _nonTeeBatcher, - address _preRegisteredBatcher, address _owner ) - BatchAuthenticator(_espressoTEEVerifier, _teeBatcher, _nonTeeBatcher, _preRegisteredBatcher, _owner) + BatchAuthenticator(_espressoTEEVerifier, _teeBatcher, _nonTeeBatcher, _owner) { } // Test helper to bypass signature verification in authenticateBatchInfo. @@ -40,7 +39,6 @@ contract BatchInbox_Test is Test { address public teeBatcher = address(0x1234); address public nonTeeBatcher = address(0x5678); - address public preRegisteredBatcher = address(0x9ABC); address public deployer = address(0xDEF0); address public unauthorized = address(0xDEAD); @@ -49,9 +47,8 @@ contract BatchInbox_Test is Test { teeVerifier = new MockEspressoTEEVerifier(nitroVerifier); vm.prank(deployer); - authenticator = new TestBatchAuthenticator( - IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, preRegisteredBatcher, deployer - ); + authenticator = + new TestBatchAuthenticator(IEspressoTEEVerifier(address(teeVerifier)), teeBatcher, nonTeeBatcher, deployer); inbox = new BatchInbox(IBatchAuthenticator(address(authenticator)), deployer); } From 44e3ef5bc0101fc66dc6b64712142c734580a7b3 Mon Sep 17 00:00:00 2001 From: Sneh Koul Date: Tue, 13 Jan 2026 18:25:32 -0500 Subject: [PATCH 2/2] fix test --- op-deployer/pkg/deployer/opcm/espresso.go | 9 ++++----- op-deployer/pkg/deployer/pipeline/espresso.go | 9 ++++----- op-deployer/pkg/deployer/state/chain_intent.go | 7 +++---- op-e2e/config/init.go | 8 -------- 4 files changed, 11 insertions(+), 22 deletions(-) diff --git a/op-deployer/pkg/deployer/opcm/espresso.go b/op-deployer/pkg/deployer/opcm/espresso.go index e290ac59126..e0d0fe54b25 100644 --- a/op-deployer/pkg/deployer/opcm/espresso.go +++ b/op-deployer/pkg/deployer/opcm/espresso.go @@ -17,11 +17,10 @@ type DeployAWSNitroVerifierOutput struct { } type DeployEspressoInput struct { - Salt common.Hash - NitroTEEVerifier common.Address - NonTeeBatcher common.Address - TeeBatcher common.Address - PreRegisteredBatcher common.Address + Salt common.Hash + NitroTEEVerifier common.Address + NonTeeBatcher common.Address + TeeBatcher common.Address } type DeployEspressoOutput struct { diff --git a/op-deployer/pkg/deployer/pipeline/espresso.go b/op-deployer/pkg/deployer/pipeline/espresso.go index 160b4643b48..99c91663d85 100644 --- a/op-deployer/pkg/deployer/pipeline/espresso.go +++ b/op-deployer/pkg/deployer/pipeline/espresso.go @@ -69,11 +69,10 @@ func DeployEspresso(env *Env, intent *state.Intent, st *state.State, chainID com } eo, err = opcm.DeployEspresso(env.L1ScriptHost, opcm.DeployEspressoInput{ - Salt: st.Create2Salt, - NitroTEEVerifier: nvo.NitroTEEVerifierAddress, - NonTeeBatcher: chainIntent.NonTeeBatcher, - TeeBatcher: chainIntent.TeeBatcher, - PreRegisteredBatcher: chainIntent.PreRegisteredBatcher, + Salt: st.Create2Salt, + NitroTEEVerifier: nvo.NitroTEEVerifierAddress, + NonTeeBatcher: chainIntent.NonTeeBatcher, + TeeBatcher: chainIntent.TeeBatcher, }, batchAuthenticatorOwnwerAddress) if err != nil { return fmt.Errorf("failed to deploy espresso contracts: %w", err) diff --git a/op-deployer/pkg/deployer/state/chain_intent.go b/op-deployer/pkg/deployer/state/chain_intent.go index cbef3cc413a..938c3c8213e 100644 --- a/op-deployer/pkg/deployer/state/chain_intent.go +++ b/op-deployer/pkg/deployer/state/chain_intent.go @@ -76,10 +76,9 @@ type ChainIntent struct { L2DevGenesisParams *L2DevGenesisParams `json:"l2DevGenesisParams,omitempty" toml:"l2DevGenesisParams,omitempty"` // Espresso-specific fields - EspressoEnabled bool `json:"espressoEnabled,omitzero" toml:"espressoEnabled,omitzero"` - NonTeeBatcher common.Address `json:"nonTeeBatcher,omitzero" toml:"nonTeeBatcher,omitzero"` - TeeBatcher common.Address `json:"teeBatcher,omitzero" toml:"teeBatcher,omitzero"` - PreRegisteredBatcher common.Address `json:"preRegisteredBatcher,omitzero" toml:"preRegisteredBatcher,omitzero"` + EspressoEnabled bool `json:"espressoEnabled,omitzero" toml:"espressoEnabled,omitzero"` + NonTeeBatcher common.Address `json:"nonTeeBatcher,omitzero" toml:"nonTeeBatcher,omitzero"` + TeeBatcher common.Address `json:"teeBatcher,omitzero" toml:"teeBatcher,omitzero"` } type ChainRoles struct { diff --git a/op-e2e/config/init.go b/op-e2e/config/init.go index 50b280b2bb5..e8e6950b376 100644 --- a/op-e2e/config/init.go +++ b/op-e2e/config/init.go @@ -318,14 +318,6 @@ func initAllocType(root string, allocType AllocType) { intent.L1DevGenesisParams.Prefund[nonTeeBatcherAddr] = millionEth } - if allocType == AllocTypeEspressoWithoutEnclave { - ephemeralPk, err := crypto.HexToECDSA(ESPRESSO_TESTING_BATCHER_EPHEMERAL_KEY) - if err != nil { - panic(fmt.Errorf("failed to parse batcher private key: %w", err)) - } - intent.Chains[0].PreRegisteredBatcher = crypto.PubkeyToAddress(ephemeralPk.PublicKey) - } - baseUpgradeSchedule := map[string]any{ "l2GenesisRegolithTimeOffset": nil, "l2GenesisCanyonTimeOffset": nil,