Add deployed bytecode retrieval mitigation

[Spacesai1or]

This PR will query OP mainnet for the contract's deployed bytecode and compare it to the bytecode sourced from ETH mainnet. Because the added contracts from #8281 are all deterministically deployed, the address for the contracts are the same across networks. The thinking of the this mitigation is: if the deployed bytecode on chain A differ from B, then there might be a chain specific consideration that's not accounted for and may affect the validity of using ETH mainnet's deployed bytecode on any OP chain

[Spacesai1or]

Current dependencies on/for this PR:

• develop
  • PR BindGen - local contracts refactor #8279
    • PR Init etherscan client #8280
      • PR Init remote contract generation #8281
        • PR Add deployed bytecode retrieval mitigation #8282 👈
          • PR Bindings and metadata overwrite warning #8283
            • PR Init new bindings #8284
              • PR L2 genesis generation updates #8285
                • PR Init BindGen unit tests #8650
                  • PR Init BindGen E2E tests #8651

This stack of pull requests is managed by Graphite.

[semgrep-app]

Semgrep found 1 import-text-template finding:

• op-bindings/bindgen/generator_local.go: L12

When working with web applications that involve rendering user-generated content, it's important to properly escape any HTML content to prevent Cross-Site Scripting (XSS) attacks. In Go, the text/template package does not automatically escape HTML content, which can leave your application vulnerable to these types of attacks. To mitigate this risk, it's recommended to use the html/template package instead, which provides built-in functionality for HTML escaping. By using html/template to render your HTML content, you can help to ensure that your web application is more secure and less susceptible to XSS vulnerabilities.

_{Ignore this finding from import-text-template.}

[coderabbitai]

Walkthrough

Walkthrough

The recent changes involve integrating Ethereum and Optimism RPC clients into the binding generation process for smart contracts. New global variables for RPC URLs have been added, and the codebase now includes the functionality to compare deployed bytecode with RPC data. This ensures that the generated bindings match the actual deployed contracts on Ethereum and Optimism networks.

Changes

File(s)	Summary
op-bindings/Makefile	Introduced RPC_URL_ETH and RPC_URL_OP variables and updated targets to pass these as command line arguments.
op-bindings/bindgen/generator_remote.go, op-bindings/bindgen/main.go	Added ethclient import and initialized RPC clients for Ethereum and Optimism, including error handling.
op-bindings/bindgen/remote_handlers.go	Included new imports and added a method to compare bytecode from RPC clients with stored bytecode, along with updates to existing handler methods.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on X ?

---

Tips

Chat with CodeRabbit Bot (@coderabbitai)

• You can reply to a review comment made by CodeRabbit.
• You can tag CodeRabbit on specific lines of code or files in the PR by tagging @coderabbitai in a comment.
• You can tag @coderabbitai in a PR comment and ask one-off questions about the PR and the codebase. Use quoted replies to pass the context for follow-up questions.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

[hamdiallam]

Looks good as well. Same feedback as the previous PR with regards to Crit usage within the application

[semgrep-app]

Semgrep found 6 sol-style-return-arg-fmt findings:

• packages/contracts-bedrock/scripts/Deployer.sol: L432, L422, L412, L402, L392, L373

Named return arguments to functions must be appended with an underscore (_)

_{Ignore this finding from sol-style-return-arg-fmt.}

Semgrep found 1 sol-style-input-arg-fmt finding:

• packages/contracts-bedrock/scripts/Deployer.sol: L373

Inputs to functions must be prepended with an underscore (_)

_{Ignore this finding from sol-style-input-arg-fmt.}

[codecov]

Codecov Report

Merging #8282 (5441f06) into develop (816e425) will increase coverage by 4.90%.
The diff coverage is n/a.

❗ Current head 5441f06 differs from pull request most recent head 81951e2. Consider uploading reports for the commit 81951e2 to get more accurate results

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #8282      +/-   ##
===========================================
+ Coverage    34.61%   39.51%   +4.90%     
===========================================
  Files          167      102      -65     
  Lines         7162     3358    -3804     
  Branches      1212      438     -774     
===========================================
- Hits          2479     1327    -1152     
+ Misses        4532     1957    -2575     
+ Partials       151       74      -77     

Flag	Coverage Δ
cannon-go-tests	63.48% <ø> (ø)
chain-mon-tests	?
common-ts-tests	?
contracts-bedrock-tests	21.80% <ø> (+1.47%)	⬆️
contracts-ts-tests	?
core-utils-tests	?
sdk-next-tests	?
sdk-tests	?

Flags with carried forward coverage won't be shown. Click here to find out more.

see 81 files with indirect coverage changes