Enable and test Transparent proxy upgradability and batcher address update

.github/workflows/docker-images.yml

@@ -50,6 +50,9 @@ jobs:
       - name: Compile contracts
         run: cd packages/contracts-bedrock && just build
 
+      - name: Fix Proxy artifact bytecode
+        run: cd packages/contracts-bedrock && just fix-proxy-artifact
+
       - name: Prepare allocations
         run: |
           cd espresso

.github/workflows/espresso-devnet-tests.yaml

@@ -56,7 +56,8 @@ jobs:
         uses: actions/setup-go@v5
 
       - name: Compile contracts
-        run: just compile-contracts
+        working-directory: packages/contracts-bedrock
+        run: just build
 
       - name: Load environment variables
         run: |
@@ -75,7 +76,9 @@ jobs:
           cd op-deployer
           just
           export PATH=$PATH:$PWD/bin
-          cd ../espresso
+          cd ../packages/contracts-bedrock
+          just fix-proxy-artifact
+          cd ../../espresso
           ./scripts/prepare-allocs.sh
           docker compose build
           docker compose pull l1-validator espresso-dev-node l1-data-init

.github/workflows/espresso-integration.yaml

@@ -37,6 +37,9 @@ jobs:
       - name: Compile contracts
         run: just compile-contracts
 
+      - name: Fix Proxy artifact bytecode
+        run: cd packages/contracts-bedrock && just fix-proxy-artifact
+
       - name: Load environment variables
         run: |
           while IFS= read -r line; do

espresso/devnet-tests/key_rotation_test.go

@@ -7,8 +7,10 @@ import (
 	"testing"
 
 	"github.com/ethereum-optimism/optimism/op-batcher/bindings"
+	e2ebindings "github.com/ethereum-optimism/optimism/op-e2e/bindings"
 	"github.com/ethereum-optimism/optimism/op-e2e/e2eutils/wait"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
+	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/stretchr/testify/require"
 )
@@ -49,6 +51,27 @@ func TestChangeBatchInboxOwner(t *testing.T) {
 	bobAddress := d.secrets.Addresses().Bob
 	require.NotEqual(t, currentOwner, bobAddress)
 
+	// Get the ProxyAdmin address from the BatchAuthenticator proxy
+	proxyContract, err := e2ebindings.NewProxy(config.BatchAuthenticatorAddress, d.L1)
+	require.NoError(t, err)
+
+	var result []interface{}
+	proxyRaw := &e2ebindings.ProxyRaw{Contract: proxyContract}
+	err = proxyRaw.Call(&bind.CallOpts{}, &result, "admin")
+	require.NoError(t, err)
+	require.Len(t, result, 1, "admin() should return one value")
+	proxyAdminAddress := result[0].(common.Address)
+	require.NotEqual(t, proxyAdminAddress, common.Address{}, "ProxyAdmin address should not be zero")
+
+	// Get ProxyAdmin contract binding
+	proxyAdmin, err := e2ebindings.NewProxyAdmin(proxyAdminAddress, d.L1)
+	require.NoError(t, err)
+
+	// Verify current owner matches
+	proxyAdminOwner, err := proxyAdmin.Owner(&bind.CallOpts{})
+	require.NoError(t, err)
+	require.Equal(t, currentOwner, proxyAdminOwner, "BatchAuthenticator owner should match ProxyAdmin owner")
+
 	// Use batch authenticator owner key to sign the transaction
 	batchAuthenticatorPrivateKeyHex := os.Getenv("BATCH_AUTHENTICATOR_OWNER_PRIVATE_KEY")
 	require.NotEmpty(t, batchAuthenticatorPrivateKeyHex, "BATCH_AUTHENTICATOR_OWNER_PRIVATE_KEY must be set")
@@ -60,8 +83,8 @@ func TestChangeBatchInboxOwner(t *testing.T) {
 	batchAuthenticatorOwnerOpts, err := bind.NewKeyedTransactorWithChainID(batchAuthenticatorKey, l1ChainID)
 	require.NoError(t, err)
 
-	// Call TransferOwnership
-	tx, err := batchAuthenticator.TransferOwnership(batchAuthenticatorOwnerOpts, bobAddress)
+	// Call TransferOwnership on the ProxyAdmin directly
+	tx, err := proxyAdmin.TransferOwnership(batchAuthenticatorOwnerOpts, bobAddress)
 	require.NoError(t, err)
 
 	// Wait for transaction receipt and check if it succeeded

justfile

@@ -48,7 +48,7 @@ run-l1-espresso-contracts-tests: compile-contracts
  (cd packages/contracts-bedrock && forge test --match-path "/**/test/L1/Batch*.t.sol")
 
 compile-contracts-fast:
- (cd packages/contracts-bedrock && forge build --offline --skip "/**/test/**")
+ (cd packages/contracts-bedrock && forge build --offline --skip "/**/test/**" && just fix-proxy-artifact)
 
 build-batcher-enclave-image:
  (cd kurtosis-devnet && just op-batcher-enclave-image)

packages/contracts-bedrock/interfaces/L1/IBatchAuthenticator.sol

@@ -1,23 +1,30 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
+import { IEspressoTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoTEEVerifier.sol";
+
 interface IBatchAuthenticator {
-    event Initialized(uint8 version);
-    event OwnershipTransferred(
-        address indexed previousOwner,
-        address indexed newOwner
-    );
+    /// @notice Error thrown when an invalid address (zero address) is provided.
+    error InvalidAddress(address contract_);
+
+    /// @notice Emitted when a batch info is authenticated.
+    event BatchInfoAuthenticated(bytes32 indexed commitment, address indexed signer);
+
+    /// @notice Emitted when a signer registration is initiated through this contract.
+    event SignerRegistrationInitiated(address indexed caller);
+
+    /// @notice Emitted when the TEE batcher address is updated.
+    event TeeBatcherUpdated(address indexed oldTeeBatcher, address indexed newTeeBatcher);
+
+    /// @notice Emitted when the non-TEE batcher address is updated.
+    event NonTeeBatcherUpdated(address indexed oldNonTeeBatcher, address indexed newNonTeeBatcher);
 
     function authenticateBatchInfo(
         bytes32 commitment,
         bytes memory _signature
     ) external;
 
-    function decodeAttestationTbs(
-        bytes memory attestation
-    ) external view returns (bytes memory, bytes memory);
-
-    function espressoTEEVerifier() external view returns (address);
+    function espressoTEEVerifier() external view returns (IEspressoTEEVerifier);
 
     function nitroValidator() external view returns (address);
 
@@ -32,20 +39,13 @@ interface IBatchAuthenticator {
         bytes memory signature
     ) external;
 
-    function renounceOwnership() external;
-
-    function transferOwnership(address newOwner) external;
-
     function validBatchInfo(bytes32) external view returns (bool);
 
     function activeIsTee() external view returns (bool);
 
     function switchBatcher() external;
 
-    function __constructor__(
-        address _espressoTEEVerifier,
-        address _teeBatcher,
-        address _nonTeeBatcher,
-        address _owner
-    ) external;
+    function setTeeBatcher(address _newTeeBatcher) external;
+
+    function setNonTeeBatcher(address _newNonTeeBatcher) external;
 }

packages/contracts-bedrock/justfile

@@ -47,6 +47,20 @@ build-go-ffi:
 clean:
   rm -rf ./artifacts ./forge-artifacts ./cache ./scripts/go-ffi/go-ffi ./deployments/hardhat/*
 
+# Fixes Proxy and ProxyAdmin artifact bytecode if empty or missing.
+# Foundry generates .json files with empty bytecode when multiple compiler versions are used.
+fix-proxy-artifact:
+  @sh -c 'for contract in Proxy ProxyAdmin; do \
+    if [ -f "forge-artifacts/${contract}.sol/${contract}.0.8.15.json" ]; then \
+      if [ ! -f "forge-artifacts/${contract}.sol/${contract}.json" ]; then \
+        cp "forge-artifacts/${contract}.sol/${contract}.0.8.15.json" "forge-artifacts/${contract}.sol/${contract}.json"; \
+        echo "Created ${contract}.json from ${contract}.0.8.15.json"; \
+      else \
+        python3 -c "import json; main = json.load(open(\"forge-artifacts/${contract}.sol/${contract}.json\")); versioned = json.load(open(\"forge-artifacts/${contract}.sol/${contract}.0.8.15.json\")); bytecode_obj = main.get(\"bytecode\", {}).get(\"object\", \"0x\"); (main.update({\"bytecode\": versioned[\"bytecode\"], \"deployedBytecode\": versioned[\"deployedBytecode\"]}) or json.dump(main, open(\"forge-artifacts/${contract}.sol/${contract}.json\", \"w\"), indent=2) or print(\"Fixed ${contract}.json bytecode from ${contract}.0.8.15.json\")) if len(bytecode_obj) <= 2 else print(\"${contract}.json already has bytecode, skipping fix\")"; \
+      fi; \
+    fi; \
+  done'
+
 
 ########################################################
 #                         TEST                         #

packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol

@@ -11,6 +11,11 @@ import { IEspressoNitroTEEVerifier } from "@espresso-tee-contracts/interface/IEs
 import { IEspressoSGXTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoSGXTEEVerifier.sol";
 import { IEspressoTEEVerifier } from "@espresso-tee-contracts/interface/IEspressoTEEVerifier.sol";
 import { EspressoTEEVerifier } from "@espresso-tee-contracts/EspressoTEEVerifier.sol";
+import { IProxyAdmin } from "interfaces/universal/IProxyAdmin.sol";
+import { IProxy } from "interfaces/universal/IProxy.sol";
+import { ProxyAdmin } from "src/universal/ProxyAdmin.sol";
+import { Proxy } from "src/universal/Proxy.sol";
+import { BatchAuthenticator } from "src/L1/BatchAuthenticator.sol";
 import { console2 as console } from "forge-std/console2.sol";
 
 contract DeployEspressoInput is BaseDeployIO {
@@ -82,7 +87,7 @@ contract DeployEspressoOutput is BaseDeployIO {
 
 contract DeployEspresso is Script {
     function run(DeployEspressoInput input, DeployEspressoOutput output, address deployerAddress) public {
-        IEspressoTEEVerifier teeVerifier = deployTEEVerifier(input);
+        IEspressoTEEVerifier teeVerifier = deployTEEVerifier(input, deployerAddress);
         IBatchAuthenticator batchAuthenticator = deployBatchAuthenticator(input, output, teeVerifier, deployerAddress);
         deployBatchInbox(input, output, batchAuthenticator, deployerAddress);
         checkOutput(output);
@@ -92,32 +97,66 @@ contract DeployEspresso is Script {
         DeployEspressoInput input,
         DeployEspressoOutput output,
         IEspressoTEEVerifier teeVerifier,
-        address owner
+        address deployerAddress
     )
         public
         returns (IBatchAuthenticator)
     {
-        bytes32 salt = input.salt();
+        // Deploy the proxy admin, the proxy, and the batch authenticator implementation.
+        // We create ProxyAdmin with msg.sender as the owner to ensure broadcasts come from
+        // the expected address, then transfer ownership to deployerAddress afterward.
+        // Use DeployUtils.create1 to ensure artifacts are available for vm.getCode calls.
         vm.broadcast(msg.sender);
-        IBatchAuthenticator impl = IBatchAuthenticator(
-            DeployUtils.create2({
-                _name: "BatchAuthenticator",
-                _salt: salt,
-                _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(
-                        IBatchAuthenticator.__constructor__,
-                        (address(teeVerifier), input.teeBatcher(), input.nonTeeBatcher(), owner)
-                    )
-                )
-            })
+        ProxyAdmin proxyAdmin = ProxyAdmin(
+            payable(
+                DeployUtils.create1({
+                    _name: "ProxyAdmin",
+                    _args: DeployUtils.encodeConstructor(abi.encodeCall(IProxyAdmin.__constructor__, (msg.sender)))
+                })
+            )
+        );
+        vm.label(address(proxyAdmin), "BatchAuthenticatorProxyAdmin");
+        vm.broadcast(msg.sender);
+        Proxy proxy = Proxy(
+            payable(
+                DeployUtils.create1({
+                    _name: "Proxy",
+                    _args: DeployUtils.encodeConstructor(abi.encodeCall(IProxy.__constructor__, (address(proxyAdmin))))
+                })
+            )
         );
+        vm.label(address(proxy), "BatchAuthenticatorProxy");
+        vm.broadcast(msg.sender);
+        proxyAdmin.setProxyType(address(proxy), ProxyAdmin.ProxyType.ERC1967);
+        vm.broadcast(msg.sender);
+        BatchAuthenticator impl = new BatchAuthenticator();
         vm.label(address(impl), "BatchAuthenticatorImpl");
 
-        output.set(output.batchAuthenticatorAddress.selector, address(impl));
-        return impl;
+        // Initialize the proxy.
+        bytes memory initData =
+            abi.encodeCall(BatchAuthenticator.initialize, (teeVerifier, input.teeBatcher(), input.nonTeeBatcher()));
+        vm.broadcast(msg.sender);
+        proxyAdmin.upgradeAndCall(payable(address(proxy)), address(impl), initData);
+
+        // Transfer ownership to the desired deployerAddress if it differs from msg.sender.
+        if (deployerAddress != msg.sender) {
+            vm.broadcast(msg.sender);
+            proxyAdmin.transferOwnership(deployerAddress);
+        }
+
+        // Return the proxied contract.
+        IBatchAuthenticator batchAuthenticator = IBatchAuthenticator(address(proxy));
+        output.set(output.batchAuthenticatorAddress.selector, address(batchAuthenticator));
+        return batchAuthenticator;
     }
 
-    function deployTEEVerifier(DeployEspressoInput input) public returns (IEspressoTEEVerifier) {
+    function deployTEEVerifier(
+        DeployEspressoInput input,
+        address /* deployerAddress */
+    )
+        public
+        returns (IEspressoTEEVerifier)
+    {
         IEspressoNitroTEEVerifier nitroTEEVerifier = IEspressoNitroTEEVerifier(input.nitroTEEVerifier());
         vm.broadcast(msg.sender);
         IEspressoTEEVerifier impl = new EspressoTEEVerifier(
@@ -133,7 +172,7 @@ contract DeployEspresso is Script {
         DeployEspressoInput input,
         DeployEspressoOutput output,
         IBatchAuthenticator batchAuthenticator,
-        address owner
+        address deployerAddress
     )
         public
     {
@@ -144,7 +183,7 @@ contract DeployEspresso is Script {
                 _name: "BatchInbox",
                 _salt: salt,
                 _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(IBatchInbox.__constructor__, (address(batchAuthenticator), owner))
+                    abi.encodeCall(IBatchInbox.__constructor__, (address(batchAuthenticator), deployerAddress))
                 )
             })
         );