Merge pull request #35 from OffchainLabs/merge-nitro-v2.3.4

Merge nitro v2.3.4 (rc3)
OffchainLabs · Apr 9, 2024 · e9f26af · e9f26af
2 parents 9cca05a + 3b23020
commit e9f26af
Show file tree

Hide file tree

Showing 58 changed files with 16,113 additions and 6,054 deletions.
diff --git a/.github/workflows/audit-ci.yml b/.github/workflows/audit-ci.yml
@@ -0,0 +1,48 @@
+name: Audit NPM packages
+
+on:
+  workflow_dispatch:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  install:
+    name: 'Install'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [16, 18, 20]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Install node_modules
+        uses: OffchainLabs/actions/node-modules/install@main
+
+  yarn-audit:
+    name: Audit
+    runs-on: ubuntu-latest
+    needs: install
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Restore node_modules
+        uses: OffchainLabs/actions/node-modules/restore@main
+
+      - name: Run audit
+        run: yarn audit:ci
diff --git a/.github/workflows/contract-tests.yml b/.github/workflows/contract-tests.yml
@@ -88,6 +88,9 @@ jobs:
       - name: Test Storage Layouts
         run: yarn run test:storage
 
+      - name: Test function signatures
+        run: yarn run test:signatures
+
       - name: Run coverage
         run: yarn hardhat coverage --testfiles "test/contract/*.spec.ts"
 

diff --git a/.github/workflows/slither.yml b/.github/workflows/slither.yml
@@ -0,0 +1,24 @@
+name: Slither Analysis
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Slither
+        uses: crytic/[email protected]
+        id: slither
+        with:
+          sarif: results.sarif
+          fail-on: medium
+
+      - name: Upload SARIF file
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.slither.outputs.sarif }}
diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,7 @@ deployments/
 /test/prover/proofs/*.json
 /test/prover/spec-proofs/*.json
 /test/storage/*-old
+/test/signatures/*-old
 scripts/config.ts
 forge-cache/
 out/

diff --git a/.solhint.json b/.solhint.json
@@ -11,7 +11,7 @@
     "no-empty-blocks": "off",
     "reason-string": ["warn", { "maxLength": 128 }],
     "not-rely-on-time": "off",
-    "max-states-count": ["warn", 30],
+    "max-states-count": ["warn", 40],
     "no-inline-assembly": "off"
   },
   "plugins": ["prettier"]

diff --git a/LICENSE → LICENSE.md b/LICENSE → LICENSE.md
@@ -16,17 +16,19 @@ Additional Use Grant: You may use the Licensed Work in a production environment
                       to provide a point of interface to permit end users or applications
                       utilizing the Covered Arbitrum Chains to interact and query the
                       state of a Covered Arbitrum Chain, including without limitation
-                      validating the correctness of the posted chain state. For purposes
-                      of this Additional Use Grant, the "Covered Arbitrum Chains" are
-                      means (a) Arbitrum One (chainid:42161), Arbitrum Nova (chainid:42170),
-                      Arbitrum Rinkeby testnet/Rinkarby (chainid:421611), and
-                      Arbitrum Nitro Goerli testnet (chainid:421613) (b) any future
-                      blockchains authorized to be designated as Covered Arbitrum Chains
-                      by the decentralized autonomous organization governing the Arbitrum
-                      network; and (c) any “Layer 3” Arbitrum-based blockchain that is built
-                      on and settles to another Covered Arbitrum Chain.
-
-
+                      validating the correctness of the posted chain state, or to deploy
+                      and operate (x) a blockchain that settles to a Covered Arbitrum Chain
+                      or (y) a blockchain in accordance with, and subject to, the [Arbitrum
+                      Expansion Program Term of Use](https://docs.arbitrum.foundation/assets/files/Arbitrum%20Expansion%20Program%20Jan182024-4f08b0c2cb476a55dc153380fa3e64b0.pdf). For purposes of this
+                      Additional Use Grant, the "Covered Arbitrum Chains" are 
+                      (a) Arbitrum One (chainid:42161), Arbitrum Nova (chainid:42170), 
+                      rbitrum Rinkeby testnet/Rinkarby (chainid:421611),Arbitrum Nitro
+                      Goerli testnet (chainid:421613), and Arbitrum Sepolia Testnet
+                      (chainid:421614); (b) any future blockchains authorized to be
+                      designated as Covered Arbitrum Chains by the decentralized autonomous
+                      organization governing the Arbitrum network; and (c) any “Layer 3”
+                      Arbitrum-based blockchain that is built on and settles to another
+                      Covered Arbitrum Chain.
 
 
 

diff --git a/README.md b/README.md
@@ -17,3 +17,17 @@ cd nitro-contracts
 yarn install
 yarn build
 ```
+
+## License
+
+Nitro is currently licensed under a [Business Source License](./LICENSE), similar to our friends at Uniswap and Aave, with an "Additional Use Grant" to ensure that everyone can have full comfort using and running nodes on all public Arbitrum chains.
+
+The Additional Use Grant also permits the deployment of the Nitro software, in a permissionless fashion and without cost, as a new blockchain provided that the chain settles to either Arbitrum One or Arbitrum Nova.
+
+For those that prefer to deploy the Nitro software either directly on Ethereum (i.e. an L2) or have it settle to another Layer-2 on top of Ethereum, the [Arbitrum Expansion Program (the "AEP")](https://docs.arbitrum.foundation/assets/files/Arbitrum%20Expansion%20Program%20Jan182024-4f08b0c2cb476a55dc153380fa3e64b0.pdf) was recently established. The AEP allows for the permissionless deployment in the aforementioned fashion provided that 10% of net revenue is contributed back to the Arbitrum community in accordance with the requirements of the AEP.
+
+## Contact
+
+Discord - [Arbitrum](https://discord.com/invite/5KE54JwyTs)
+
+Twitter: [Arbitrum](https://twitter.com/arbitrum)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -0,0 +1,52 @@
+{
+  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+  "low": true,
+  "allowlist": [
+    // OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
+    "GHSA-4g63-c64m-25w9",
+    // OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals
+    "GHSA-xrc4-737v-9q75",
+    // OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
+    "GHSA-qh9x-gcfh-pcrw",
+    // OpenZeppelin Contracts vulnerable to ECDSA signature malleability. Only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments.
+    "GHSA-4h98-2769-gh6h",
+    // GovernorCompatibilityBravo may trim proposal calldata
+    "GHSA-93hq-5wgc-jc82",
+    // OpenZeppelin Contracts ERC165Checker unbounded gas consumption
+    "GHSA-7grf-83vw-6f5x",
+    // OpenZeppelin: Using ERC2771Context with a custom forwarder can yield address(0)
+    "GHSA-g4vp-m682-qqmp",
+    // OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
+    "GHSA-mx2q-35m2-x2rh",
+    // OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
+    "GHSA-5h3x-9wvq-w4m2",
+    // axios cookies data-privacy issue; used only in hardhat-deploy and sol2uml (dev deps)
+    "GHSA-wf5p-g6vw-rhxx",
+    // flat vulnerable to Prototype Pollution
+    "GHSA-2j2x-2gpw-g8fm",
+    // regular expression DoS in debug
+    "GHSA-gxpj-cx7g-858c",
+    // tough-cookie Prototype Pollution vulnerability; used only via eth-gas-reporter
+    "GHSA-72xf-g2v4-qvf3",
+    // minimatch ReDoS vulnerability
+    "GHSA-f8q6-p94x-37v3",
+    // Server-Side Request Forgery in Request
+    "GHSA-p8p7-x288-28g6",
+    //  OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees; unused
+    "GHSA-wprv-93r4-jj2p",
+    //  follow-redirects improperly handles URLs in the url.parse() function
+    "GHSA-jchw-25xp-jwwc",
+    // yargs-parser Vulnerable to Prototype Pollution
+    "GHSA-p9pc-299p-vxgp",
+    // Axios vulnerable to Server-Side Request Forgery
+    "GHSA-4w2v-q235-vp99",
+    // axios Inefficient Regular Expression Complexity vulnerability
+    "GHSA-cph5-m8f7-6c5x",
+    // Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects
+    "GHSA-pw2r-vq6v-hr8c",
+    // Exposure of sensitive information in follow-redirects
+    "GHSA-74fj-2j2h-c42q",
+    // Open Zeppelin: Base64 encoding may read from potentially dirty memory
+    "GHSA-9vx6-7xxf-x967"
+  ]
+}
diff --git a/deploy/SequencerInboxStubCreator.js b/deploy/SequencerInboxStubCreator.js
@@ -6,7 +6,9 @@ module.exports = async hre => {
   const { deployer } = await getNamedAccounts()
 
   const bridge = await ethers.getContract('BridgeStub')
-  const reader4844 = await Toolkit4844.deployReader4844(await ethers.getSigner(deployer))
+  const reader4844 = await Toolkit4844.deployReader4844(
+    await ethers.getSigner(deployer)
+  )
   const maxTime = {
     delayBlocks: 10000,
     futureBlocks: 10000,
@@ -21,6 +23,7 @@ module.exports = async hre => {
       maxTime,
       117964,
       reader4844.address,
+      false,
     ],
   })
 }

diff --git a/foundry.toml b/foundry.toml
@@ -5,7 +5,7 @@ libs = ['node_modules', 'lib']
 test = 'test/foundry'
 cache_path  = 'forge-cache/sol'
 optimizer = true
-optimizer_runs = 20000
+optimizer_runs = 100
 via_ir = false
 solc_version = '0.8.9'
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@arbitrum/nitro-contracts",
-  "version": "1.1.0",
+  "version": "1.2.1",
   "description": "Layer 2 precompiles and rollup for Arbitrum Nitro",
   "author": "Offchain Labs, Inc.",
   "license": "BUSL-1.1",
@@ -11,13 +11,16 @@
   "files": [
     "src/",
     "build/contracts/src",
-    "build/contracts/@openzeppelin"
+    "build/contracts/@openzeppelin",
+    "out/yul/Reader4844.yul/Reader4844.json"
   ],
   "bugs": {
     "url": "https://github.com/offchainlabs/nitro-contracts/issues"
   },
   "scripts": {
-    "prepublishOnly": "hardhat clean && hardhat compile",
+    "audit:ci": "audit-ci --config ./audit-ci.jsonc",
+    "audit:fix": "yarn-audit-fix",
+    "prepublishOnly": "hardhat clean && forge clean && hardhat compile && yarn build:forge:yul",
     "build:all": "yarn build && yarn build:forge",
     "build": "hardhat compile",
     "build:forge:sol": "forge build --skip *.yul",
@@ -26,13 +29,14 @@
     "lint:test": "eslint ./test",
     "solhint": "solhint -f table src/**/*.sol",
     "prettier:solidity": "prettier --write src/**/*.sol",
-    "format": "prettier './**/*.{js,json,md,ts,yml,sol}' --write && yarn run lint:test --fix",
+    "format": "prettier './**/*.{js,json,ts,yml,sol}' --write && yarn run lint:test --fix",
     "build:0.6": "INTERFACE_TESTER_SOLC_VERSION=0.6.9 yarn run build",
     "build:0.7": "INTERFACE_TESTER_SOLC_VERSION=0.7.0 yarn run build",
     "test": "DISABLE_GAS_REPORTER=true hardhat --network hardhat test test/contract/*.spec.ts",
     "test:4844": "DISABLE_GAS_REPORTER=true hardhat --network hardhat test test/contract/*.spec.4844.ts",
     "test:compatibility": "yarn run build:0.6 && yarn run build:0.7",
     "test:storage": "./test/storage/test.bash",
+    "test:signatures": "./test/signatures/test-sigs.bash",
     "test:e2e": "hardhat test test/e2e/*.ts",
     "postinstall": "patch-package",
     "deploy-factory": "hardhat run scripts/deployment.ts",
@@ -61,14 +65,15 @@
     "@typescript-eslint/eslint-plugin": "^5.14.0",
     "@typescript-eslint/eslint-plugin-tslint": "^5.27.1",
     "@typescript-eslint/parser": "^5.14.0",
+    "audit-ci": "^6.6.1",
     "chai": "^4.3.4",
     "dotenv": "^16.3.1",
     "eslint": "^8.23.1",
     "eslint-config-prettier": "^8.3.0",
     "eslint-plugin-mocha": "^9.0.0",
     "eslint-plugin-prettier": "^4.0.0",
-    "ethereum-waffle": "^3.4.0",
-    "ethers": "^5.5.2",
+    "ethereum-waffle": "^4.0.10",
+    "ethers": "^5.5.4",
     "hardhat": "^2.17.2",
     "hardhat-deploy": "^0.11.37",
     "hardhat-gas-reporter": "^1.0.9",
@@ -81,10 +86,8 @@
     "solidity-coverage": "^0.8.4",
     "ts-node": "^10.4.0",
     "tslint": "^6.1.3",
-    "typechain": "^8.0.0",
-    "typescript": "^4.5.4"
-  },
-  "optionalDependencies": {
-    "sol2uml": "2.2.0"
+    "typechain": "^8.3.2",
+    "typescript": "^4.5.4",
+    "yarn-audit-fix": "^10.0.7"
   }
 }