evm-ee: defer state root verification to merge to avoid state clone in zkVM

Author: purusang

Cargo.lock

@@ -314,6 +314,7 @@ reth-cli = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-cli-commands = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-cli-runner = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-cli-util = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
+reth-consensus-common = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-db = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-engine-local = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }
 reth-engine-primitives = { git = "https://github.com/paradigmxyz/reth", tag = "v1.8.2" }

Cargo.toml

@@ -6,10 +6,10 @@ edition = "2024"
 [dependencies]
 borsh.workspace = true
 serde.workspace = true
-thiserror.workspace = true
 strata-codec.workspace = true
 strata-identifiers.workspace = true
 strata-msg-fmt.workspace = true
+thiserror.workspace = true
 
 [lints]
 workspace = true

crates/asm/manifest-types/Cargo.toml

@@ -18,6 +18,7 @@ rsp-mpt.workspace = true
 alpen-reth-evm.workspace = true
 alpen-reth-primitives.workspace = true
 reth-chainspec.workspace = true
+reth-consensus-common.workspace = true
 reth-errors.workspace = true
 reth-evm.workspace = true
 reth-evm-ethereum.workspace = true

crates/evm-ee/Cargo.toml

@@ -8,14 +8,15 @@ use std::sync::Arc;
 use alloy_consensus::Header;
 use alpen_reth_evm::{accumulate_logs_bloom, evm::AlpenEvmFactory, extract_withdrawal_intents};
 use reth_chainspec::ChainSpec;
+use reth_consensus_common::validation::validate_body_against_header;
 use reth_evm::execute::{BasicBlockExecutor, Executor};
 use reth_evm_ethereum::EthEvmConfig;
 use reth_primitives::EthPrimitives;
 use revm::database::WrapDatabaseRef;
 use rsp_client_executor::BlockValidator;
 use strata_acct_types::{AccountId, BitcoinAmount, MsgPayload, SentMessage};
 use strata_ee_acct_types::{
-    BlockAssembler, EnvError, EnvResult, ExecBlockOutput, ExecHeader, ExecPayload,
+    BlockAssembler, EnvError, EnvResult, ExecBlockOutput, ExecPartialState, ExecPayload,
     ExecutionEnvironment,
 };
 use strata_ee_chain_types::{BlockInputs, BlockOutputs};
@@ -93,7 +94,11 @@ impl ExecutionEnvironment for EvmExecutionEnvironment {
         )
         .map_err(|_| EnvError::InvalidBlock)?;
 
-        // Step 2a: Validate deposits from BlockInputs against block withdrawals
+        // Step 2b: Validate body against header (transactions_root, ommers_hash, withdrawals_root)
+        validate_body_against_header(block.body(), block.header())
+            .map_err(|_| EnvError::InvalidBlock)?;
+
+        // Step 2c: Validate deposits from BlockInputs against block withdrawals
         // The withdrawals header field is hijacked to represent deposits from the OL.
         // We need to ensure the authenticated deposits from BlockInputs match what's in the block.
         validate_deposits_against_block(&block, inputs)?;
@@ -129,14 +134,17 @@ impl ExecutionEnvironment for EvmExecutionEnvironment {
             extract_withdrawal_intents(&transactions, &execution_output.receipts).collect();
 
         // Step 9: Convert execution outcome to HashedPostState
-        let block_number = exec_payload.header_intrinsics().number;
-        let hashed_post_state = compute_hashed_post_state(execution_output, block_number);
+        let header_intrinsics = exec_payload.header_intrinsics();
+        let hashed_post_state =
+            compute_hashed_post_state(execution_output, header_intrinsics.number);
 
-        // Step 10: Compute state root
-        let state_root = pre_state.compute_state_root_with_changes(&hashed_post_state);
+        // Step 10: Get state root from header intrinsics (verification happens during merge)
+        // This avoids an expensive state clone that would be needed to compute the root here.
+        let intrinsics_state_root = header_intrinsics.state_root;
 
-        // Step 11: Create WriteBatch with computed metadata
-        let write_batch = EvmWriteBatch::new(hashed_post_state, state_root.into(), logs_bloom);
+        // Step 11: Create WriteBatch with intrinsics state root (to be verified during merge)
+        let write_batch =
+            EvmWriteBatch::new(hashed_post_state, intrinsics_state_root.into(), logs_bloom);
 
         // Step 12: Create BlockOutputs with withdrawal intent messages
         let mut outputs = BlockOutputs::new_empty();
@@ -147,22 +155,16 @@ impl ExecutionEnvironment for EvmExecutionEnvironment {
 
     fn verify_outputs_against_header(
         &self,
-        header: &<Self::Block as strata_ee_acct_types::ExecBlock>::Header,
-        outputs: &ExecBlockOutput<Self>,
+        _header: &<Self::Block as strata_ee_acct_types::ExecBlock>::Header,
+        _outputs: &ExecBlockOutput<Self>,
     ) -> EnvResult<()> {
-        // Verify that the outputs match what's committed in the header
-
-        // Check state root matches
-        let computed_state_root = outputs.write_batch().state_root();
-        let header_state_root = header.get_state_root();
-
-        if computed_state_root != header_state_root {
-            //FIXME: is it correct enum to represent this error?
-            return Err(EnvError::MismatchedCurStateData);
-        }
-
-        // Note: transactions_root and receipts_root are verified during execution
-        // by validate_block_post_execution() in execute_block_body()
+        // State root verification is deferred to merge_write_into_state to avoid
+        // an expensive state clone. The actual verification happens when the state
+        // is mutated and we can compute the root directly without cloning.
+        //
+        // Note: The following are verified during execution in execute_block_body():
+        // - transactions_root, ommers_hash, withdrawals_root: by validate_body_against_header()
+        // - receipts_root, logs_bloom, gas_used: by validate_block_post_execution()
 
         Ok(())
     }
@@ -174,6 +176,16 @@ impl ExecutionEnvironment for EvmExecutionEnvironment {
     ) -> EnvResult<()> {
         // Merge the HashedPostState into the EthereumState
         state.merge_write_batch(wb);
+
+        // Verify state root AFTER merge (avoids expensive clone that would be needed
+        // to compute the root before mutation)
+        let computed_state_root = state.compute_state_root()?;
+        let intrinsics_state_root = wb.intrinsics_state_root();
+
+        if computed_state_root != intrinsics_state_root {
+            return Err(EnvError::InvalidBlock);
+        }
+
         Ok(())
     }
 }
@@ -185,7 +197,7 @@ impl BlockAssembler for EvmExecutionEnvironment {
         output: &ExecBlockOutput<Self>,
     ) -> EnvResult<<Self::Block as strata_ee_acct_types::ExecBlock>::Header> {
         let intrinsics = exec_payload.header_intrinsics();
-        let state_root = output.write_batch().state_root();
+        let state_root = output.write_batch().intrinsics_state_root();
         let logs_bloom = output.write_batch().logs_bloom();
 
         let header = Header {

crates/evm-ee/src/execution.rs

@@ -167,19 +167,6 @@ impl EvmPartialState {
         WitnessDB::new(&self.ethereum_state, &self.block_hashes, &self.bytecodes)
     }
 
-    /// Computes the new state root by merging hashed post state changes into this state.
-    ///
-    /// This clones the current state, applies the changes from the hashed post state,
-    /// and computes the resulting state root.
-    pub fn compute_state_root_with_changes(
-        &self,
-        hashed_post_state: &reth_trie::HashedPostState,
-    ) -> revm_primitives::B256 {
-        let mut updated_state = self.ethereum_state.clone();
-        updated_state.update(hashed_post_state);
-        updated_state.state_root()
-    }
-
     /// Merges a write batch into this state by applying the hashed post state changes.
     ///
     /// This updates the internal EthereumState with the changes from the write batch.

crates/evm-ee/src/types/partial_state.rs

@@ -224,19 +224,22 @@ fn test_evm_write_batch_codec_roundtrip() {
 
     // Create a simple write batch with default values
     let hashed_post_state = HashedPostState::default();
-    let state_root = [42u8; 32];
+    let intrinsics_state_root = [42u8; 32];
     let logs_bloom = Bloom::from([0xAB; 256]);
 
-    let write_batch = EvmWriteBatch::new(hashed_post_state, state_root, logs_bloom);
+    let write_batch = EvmWriteBatch::new(hashed_post_state, intrinsics_state_root, logs_bloom);
 
     // Encode
     let encoded = encode_to_vec(&write_batch).expect("encode failed");
 
     // Decode
     let decoded: EvmWriteBatch = decode_buf_exact(&encoded).expect("decode failed");
 
-    // Verify state_root matches
-    assert_eq!(decoded.state_root(), write_batch.state_root());
+    // Verify intrinsics_state_root matches
+    assert_eq!(
+        decoded.intrinsics_state_root(),
+        write_batch.intrinsics_state_root()
+    );
 
     // Verify logs_bloom matches
     assert_eq!(decoded.logs_bloom(), write_batch.logs_bloom());

crates/evm-ee/src/types/tests.rs

@@ -13,23 +13,33 @@ use crate::codec_shims::{decode_hashed_post_state, encode_hashed_post_state};
 /// in account states and storage slots after executing a block. It's used to
 /// apply state changes to the sparse EthereumState.
 ///
-/// Also stores execution metadata (state root, logs bloom) needed for completing
-/// the block header.
+/// Also stores execution metadata (state root from header intrinsics, logs bloom)
+/// needed for block header completion and state root verification during merge.
 #[derive(Clone, Debug)]
 pub struct EvmWriteBatch {
     hashed_post_state: HashedPostState,
-    /// The computed state root after applying the state changes
-    state_root: Hash,
+    /// The state root extracted from block header intrinsics.
+    ///
+    /// This value is taken directly from `header_intrinsics.state_root` during
+    /// block execution, NOT computed from the pre-state. Actual verification
+    /// occurs in `merge_write_into_state` after the state is mutated, where
+    /// we compute the real state root and compare it against this value.
+    /// This approach avoids an expensive state clone in zkVM.
+    intrinsics_state_root: Hash,
     /// The accumulated logs bloom from all receipts
     logs_bloom: Bloom,
 }
 
 impl EvmWriteBatch {
-    /// Creates a new EvmWriteBatch from a HashedPostState and computed metadata.
-    pub fn new(hashed_post_state: HashedPostState, state_root: Hash, logs_bloom: Bloom) -> Self {
+    /// Creates a new EvmWriteBatch from a HashedPostState and header intrinsics metadata.
+    pub fn new(
+        hashed_post_state: HashedPostState,
+        intrinsics_state_root: Hash,
+        logs_bloom: Bloom,
+    ) -> Self {
         Self {
             hashed_post_state,
-            state_root,
+            intrinsics_state_root,
             logs_bloom,
         }
     }
@@ -39,9 +49,12 @@ impl EvmWriteBatch {
         &self.hashed_post_state
     }
 
-    /// Gets the computed state root.
-    pub fn state_root(&self) -> Hash {
-        self.state_root
+    /// Gets the state root from block header intrinsics.
+    ///
+    /// This value is verified against the actual computed state root
+    /// during `merge_write_into_state`.
+    pub fn intrinsics_state_root(&self) -> Hash {
+        self.intrinsics_state_root
     }
 
     /// Gets the accumulated logs bloom.
@@ -60,8 +73,8 @@ impl Codec for EvmWriteBatch {
         // Encode HashedPostState using custom deterministic encoding
         encode_hashed_post_state(&self.hashed_post_state, enc)?;
 
-        // Encode state_root (32 bytes)
-        enc.write_buf(&self.state_root)?;
+        // Encode intrinsics_state_root (32 bytes)
+        enc.write_buf(&self.intrinsics_state_root)?;
 
         // Encode logs_bloom (256 bytes)
         enc.write_buf(self.logs_bloom.as_slice())?;
@@ -73,9 +86,9 @@ impl Codec for EvmWriteBatch {
         // Decode HashedPostState using custom deterministic decoding
         let hashed_post_state = decode_hashed_post_state(dec)?;
 
-        // Decode state_root (32 bytes)
-        let mut state_root = [0u8; 32];
-        dec.read_buf(&mut state_root)?;
+        // Decode intrinsics_state_root (32 bytes)
+        let mut intrinsics_state_root = [0u8; 32];
+        dec.read_buf(&mut intrinsics_state_root)?;
 
         // Decode logs_bloom (256 bytes)
         let mut logs_bloom_bytes = [0u8; 256];
@@ -84,7 +97,7 @@ impl Codec for EvmWriteBatch {
 
         Ok(Self {
             hashed_post_state,
-            state_root,
+            intrinsics_state_root,
             logs_bloom,
         })
     }

crates/evm-ee/src/types/write_batch.rs

@@ -6,8 +6,8 @@ edition = "2024"
 [dependencies]
 strata-acct-types.workspace = true
 strata-codec.workspace = true
-strata-ledger-types.workspace = true
 strata-identifiers.workspace = true
+strata-ledger-types.workspace = true
 
 thiserror.workspace = true