Automata DCAP Attestation Audit Submission For Release (November 2024) (

#6) * p256 configuration to use RIP7212 precompile if available * forge install: sp1-contracts v3.0.0 * zk verifier contract interface compatible with risczero, succinct, other zk-coprocessors we may support in the future * added DCAP Attestation with Fee contract and refactored code * minor fix: pausable * forge update: on-chain pccs * pccs router update and all contracts must read collaterals via the pccs router * added the ability to simulate gas cost directly from contract * code formatting * pccs router caller check and minor fix for deployment script * upgrade tests to run verification on sp1 v3 proofs * forge-update: on-chain pccs to sync with audit submission * v4 tee check * NatSpec comment updates * use revert when the script cannot find a p256 verifier * fixed test code * updated README.md * store slither report as sarif * commenting out sp1 groth16 test code because its failing ci due to compiler config * fee base contract updates * zk function signature updates * forge update: automata-on-chain-pccs fmspc tcb parser * advisory ids in verified output * forge-update: succinctlabs/sp1-contracts * env, scripts and forge-test updates * minor updates on contract, and removed AutomataDcapAttestation.sol * broadcast and contract commenting minor fixes * forge-update: risc0/risc0-ethereum to v1.1.3 * risczero passes unit test * CI uses incorrect image ID * fixed incorrect pck crl hash matching * forge-update: automata-on-chain-pccs to match with latest commit * broadcasts and .env.example updates * forge update: automata-on-chain-pccs to point to the main branch * README and env updates to reflect testnet deployment
automata-network · Nov 20, 2024 · 1041bde · 1041bde
1 parent 339d981
commit 1041bde
Show file tree

Hide file tree

Showing 46 changed files with 1,210 additions and 566 deletions.
diff --git a/.env.example b/.env.example
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,7 +9,7 @@ on:
     workflow_dispatch:
 
 env:
-  DCAP_IMAGE_ID: "0x4052beb38db7869b15596d53c2d5c02c9307faffca9215e69b0f0d0e1812a6c2"
+  DCAP_RISCZERO_IMAGE_ID: "0x83613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f"
 
 jobs:
   check:

diff --git a/.github/workflows/slither.yml b/.github/workflows/slither.yml
@@ -27,16 +27,21 @@ jobs:
         with:
           fail-on: none
           slither-args: --checklist --show-ignored-findings --markdown-root ${{ env.commit_url }}
-
+          sarif: results.sarif
 
-      - name: Create/update checklist as PR comment
-        uses: actions/github-script@v7
-        if: github.event_name == 'pull_request'
-        env:
-          REPORT: ${{ steps.slither.outputs.stdout }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          script: |
-            const script = require('.github/scripts/slither-comment')
-            const header = '# Slither report'
-            const body = process.env.REPORT
-            await script({ github, context, header, body })
+          sarif_file: ${{ steps.slither.outputs.sarif }}
+
+      # - name: Create/update checklist as PR comment
+      #   uses: actions/github-script@v7
+      #   if: github.event_name == 'pull_request'
+      #   env:
+      #     REPORT: ${{ steps.slither.outputs.stdout }}
+      #   with:
+      #     script: |
+      #       const script = require('.github/scripts/slither-comment')
+      #       const header = '# Slither report'
+      #       const body = process.env.REPORT
+      #       await script({ github, context, header, body })
diff --git a/.gitmodules b/.gitmodules
@@ -1,6 +1,9 @@
 [submodule "lib/forge-std"]
 	path = lib/forge-std
 	url = https://github.com/foundry-rs/forge-std
+[submodule "lib/sp1-contracts"]
+	path = lib/sp1-contracts
+	url = https://github.com/succinctlabs/sp1-contracts
 [submodule "lib/risc0-ethereum"]
 	path = lib/risc0-ethereum
 	url = https://github.com/risc0/risc0-ethereum

diff --git a/README.md b/README.md
@@ -19,15 +19,15 @@ Automata DCAP Attestation consists of three parts:
 
 - Quote Verifier(s): This contract provides the full implementation on verifying a given quote specific to its version. This contract is intended to be called only from the Automata DCAP Attestation contract.
 
-## On-Chain vs RiscZero Attestations
+## On-Chain vs SNARK Attestations
 
 Automata DCAP Attestation contract implements two attestation methods available to users. Here is a quick comparison:
 
-|  | On-Chain | SNARK Proof with RiscZero |
-| --- | --- | --- |
-| Quote Verification Time | Instant | Proving takes 2 - 5 minutes, instant verification |
-| Gas Cost | ~4M gas | 300k gas |
-| Execution | Runs fully on-chain | The execution runs in a Guest program on Bonsai, which is then issued with a [Receipt](https://dev.risczero.com/api/zkvm/receipts). Verifiers should make sure the Receipt contains the expected Image ID, which can be generated directly from the Guest source code. After a successful execution of the Guest program, the proof is sent on-chain to be verified. |
+|  | On-Chain | Groth16 Proof Verification with RiscZero | Groth16 Proof Verification with SP1 V3 | Plonk Proof Verification with SP1 V3| 
+| --- | --- | --- | --- | --- |
+| Quote Verification Time | Instant | Proving takes 2 - 5 minutes, instant verification | Proving takes <2 minutes, instant verification  | Proving takes <2 minutes, instant verification |
+| Gas Cost | ~4M gas | 267k gas | 234k gas | 310k gas |
+| Execution | Runs fully on-chain | Execution proven by remote prover Bonsai | Execution proven by the SP1 Network | Execution proven by the SP1 Network |
 
 ## Integration
 
@@ -48,14 +48,14 @@ Then, add the following to your `remappings.txt`
 ### Example
 
 ```solidity
-import "@automata-network/dcap-attestation/AutomataDcapAttestation.sol";
+import "@automata-network/dcap-attestation/AutomataDcapAttestationFee.sol";
 
 contract ExampleDcapContract {
 
-    AutomataDcapAttestation attest;
+    AutomataDcapAttestationFee attest;
 
     constructor(address _attest) {
-        attest = AutomataDcapAttestation(_attest);
+        attest = AutomataDcapAttestationFee(_attest);
     }
 
     // On-Chain Attestation example
@@ -70,12 +70,18 @@ contract ExampleDcapContract {
         }
     }
 
-    // RiscZero Attestation example
-    function attestWithRiscZero(bytes calldata journal, bytes calldata seal) public 
+    // SNARK Attestation example
+    // ZkCoProcessorType can either be RiscZero or Succinct
+    function attestWithSnark(
+        bytes calldata output,
+        ZkCoProcessorType zkvm,
+        bytes calldata proofBytes
+    ) public 
     {
         (bool success, bytes memory output) = attest.verifyAndAttestWithZKProof(
-            journal,
-            seal
+            output,
+            zkvm,
+            proofBytes
         );
 
         if (success) {
@@ -161,30 +167,22 @@ forge script AttestationScript --rpc-url $RPC_URL --broadcast -vvvv --sig "confi
 
 #### Deployment Information
 
-The ImageID currently used for the DCAP RiscZero Guest Program is `4052beb38db7869b15596d53c2d5c02c9307faffca9215e69b0f0d0e1812a6c2`.
+The [ImageID](https://dev.risczero.com/terminology#image-id) currently used for the DCAP RiscZero Guest Program is `83613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f`.
 
-##### Testnet
+The [VKEY](https://docs.succinct.xyz/verification/onchain/solidity-sdk.html?#finding-your-program-vkey) currently used for the DCAP SP1 Program is
+`0043e4e0c286cf4a2c03472ca2384f35a008558bc5de4e0f39d1d1bc989badca`.
 
-| Contract | Network | Address |
-| --- | --- | --- |
-| `PCCSRouter.sol` | Automata Testnet | [0xbFDeE7A1f1bFA2267cD0DA50BE76D8c4a3864543](https://explorer-testnet.ata.network/address/0xbFDeE7A1f1bFA2267cD0DA50BE76D8c4a3864543) |
-|  | Ethereum Holesky | [0xdE5e69A2ca2556fe46883d754d987703bF28Cc51](https://holesky.etherscan.io/address/0xdE5e69A2ca2556fe46883d754d987703bF28Cc51) |
-|  | Ethereum Sepolia | [0xdc7dcF60b9580980128539Ed805D03BC60F84fd4](https://sepolia.etherscan.io/address/0xdc7dcF60b9580980128539Ed805D03BC60F84fd4) |
-| `AutomataDcapAttestation.sol` | Automata Testnet | [0xefE368b17D137E86298eec8EbC5502fb56d27832](https://explorer-testnet.ata.network/address/0xefE368b17D137E86298eec8EbC5502fb56d27832) |
-|  | Ethereum Holesky | [0x133303659F51d75ED216FD98a0B70CbCD75339b2](https://holesky.etherscan.io/address/0x133303659F51d75ED216FD98a0B70CbCD75339b2) |
-|  | Ethereum Sepolia | [0x76A3657F2d6c5C66733e9b69ACaDadCd0B68788b](https://sepolia.etherscan.io/address/0x76A3657F2d6c5C66733e9b69ACaDadCd0B68788b) |
-| `V3QuoteVerifier.sol` | Automata Testnet | [0x67042D171b8B7Da1A4a98Df787bDce79190DAc3c](https://explorer-testnet.ata.network/address/0x67042D171b8B7Da1A4a98Df787bDce79190DAc3c) |
-|  | Ethereum Holesky | [0x12d7d59Ae1e4dbF83b08C82958Ac3FcEB84fB164](https://holesky.etherscan.io/address/0x12d7d59Ae1e4dbF83b08C82958Ac3FcEB84fB164) |
-|  | Ethereum Sepolia | [0x85E156d702bb3e45690DAa812238C1A841E2c3C5](https://sepolia.etherscan.io/address/0x85E156d702bb3e45690DAa812238C1A841E2c3C5) |
-| `V4QuoteVerifier.sol` | Automata Testnet | [0x921B8F6Ec83E405B715111eC1AE8B54A3ea063EB](https://explorer-testnet.ata.network/address/0x921B8F6Ec83E405B715111eC1AE8B54A3ea063EB) |
-|  | Ethereum Holesky | [0x3Cb24c454a29e796edF47a96dF32DD1855058258](https://holesky.etherscan.io/address/0x3Cb24c454a29e796edF47a96dF32DD1855058258) |
-|  | Ethereum Sepolia | [0xdc25e1c7ACAdBdE8C1E2c2b9511B7Dbd98B44700](https://sepolia.etherscan.io/address/0xdc25e1c7ACAdBdE8C1E2c2b9511B7Dbd98B44700) |
-
-##### Mainnet
+> ℹ️ **Note**: 
+>
+> The deployment addresses shown here are currently based on the latest [changes](https://github.com/automata-network/automata-dcap-attestation/pull/6) made.
+>
+> To view deployments on the previous version (will be deprecated soon), you may refer to this [branch](https://github.com/automata-network/automata-dcap-attestation/tree/v0).
+
+##### Testnet
 
 | Contract | Network | Address |
 | --- | --- | --- |
-| `PCCSRouter.sol` | Automata Mainnet | [0xb76834729717868fa203b9D90fc88F859A4E594D](https://explorer.ata.network/address/0xb76834729717868fa203b9D90fc88F859A4E594D) |
-| `AutomataDcapAttestation.sol` | Automata Mainnet | [0xE26E11B257856B0bEBc4C759aaBDdea72B64351F](https://explorer.ata.network/address/0xE26E11B257856B0bEBc4C759aaBDdea72B64351F) |
-| `V3QuoteVerifier.sol` | Automata Mainnet | [0xF38a49322cAA0Ead71D4B1cF2afBb6d02BE5FC96](https://explorer.ata.network/address/0xF38a49322cAA0Ead71D4B1cF2afBb6d02BE5FC96) |
-| `V4QuoteVerifier.sol` | Automata Mainnet | [0xfF47ecA64898692a86926CDDa794807be3f6567D](https://explorer.ata.network/address/0xfF47ecA64898692a86926CDDa794807be3f6567D) |
+| `PCCSRouter.sol` | Automata Testnet | [0x3095741175094128ae9F451fa3693B2d23719940](https://explorer-testnet.ata.network/address/0x3095741175094128ae9F451fa3693B2d23719940) |
+| `AutomataDcapAttestationFee.sol` | Automata Testnet | [0x6D67Ae70d99A4CcE500De44628BCB4DaCfc1A145](https://explorer-testnet.ata.network/address/0x6D67Ae70d99A4CcE500De44628BCB4DaCfc1A145) |
+| `V3QuoteVerifier.sol` | Automata Testnet | [0x6cc70fDaB6248b374A7fD4930460F7b017190872](https://explorer-testnet.ata.network/address/0x6cc70fDaB6248b374A7fD4930460F7b017190872) |
+| `V4QuoteVerifier.sol` | Automata Testnet | [0x015E89a5fF935Fbc361DcB4Bac71e5cD8a5CeEe3](https://explorer-testnet.ata.network/address/0x015E89a5fF935Fbc361DcB4Bac71e5cD8a5CeEe3) |
diff --git a/broadcast/AttestationScript.s.sol/1398243/configVerifier-latest.json b/broadcast/AttestationScript.s.sol/1398243/configVerifier-latest.json
@@ -1,21 +1,21 @@
 {
   "transactions": [
     {
-      "hash": "0x70606e8085881b807fba358dd24cd873e36c65d13b114376cb23c30da3455136",
+      "hash": "0x9de75045206e2f644b264c66bdab9524d178b75d7be99e921ee0924694c140df",
       "transactionType": "CALL",
       "contractName": null,
-      "contractAddress": "0xefe368b17d137e86298eec8ebc5502fb56d27832",
+      "contractAddress": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
       "function": "setQuoteVerifier(address)",
       "arguments": [
-        "0x921B8F6Ec83E405B715111eC1AE8B54A3ea063EB"
+        "0x72221D7D8eB8949383404B1d1027E5eBd39fE53C"
       ],
       "transaction": {
         "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
-        "to": "0xefe368b17d137e86298eec8ebc5502fb56d27832",
-        "gas": "0xadbb",
+        "to": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
+        "gas": "0xae04",
         "value": "0x0",
-        "input": "0xce3fe7ee000000000000000000000000921b8f6ec83e405b715111ec1ae8b54a3ea063eb",
-        "nonce": "0x14f",
+        "input": "0xce3fe7ee00000000000000000000000072221d7d8eb8949383404b1d1027e5ebd39fe53c",
+        "nonce": "0x232",
         "chainId": "0x1555e3"
       },
       "additionalContracts": [],
@@ -25,31 +25,31 @@
   "receipts": [
     {
       "status": "0x1",
-      "cumulativeGasUsed": "0x1292e",
+      "cumulativeGasUsed": "0x1294b",
       "logs": [],
       "logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
       "type": "0x2",
-      "transactionHash": "0x70606e8085881b807fba358dd24cd873e36c65d13b114376cb23c30da3455136",
+      "transactionHash": "0x9de75045206e2f644b264c66bdab9524d178b75d7be99e921ee0924694c140df",
       "transactionIndex": "0x1",
-      "blockHash": "0x4c2dd856ee6921b7045bd765f4483d24f637d9ea65a110752241a90bc4b8de9d",
-      "blockNumber": "0x164c59",
-      "gasUsed": "0x7dc8",
-      "effectiveGasPrice": "0xfd",
+      "blockHash": "0x6552740dad0aa8e8a385d294c5798397363a14aa8eabee0c4312116dae8bdf23",
+      "blockNumber": "0x643a50",
+      "gasUsed": "0x7dfd",
+      "effectiveGasPrice": "0x2dc9b4",
       "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
-      "to": "0xefe368b17d137e86298eec8ebc5502fb56d27832",
+      "to": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
       "contractAddress": null,
       "l1BaseFeeScalar": "0x558",
-      "l1BlobBaseFee": "0x25aa2502a52",
+      "l1BlobBaseFee": "0x1",
       "l1BlobBaseFeeScalar": "0xc5fc5",
-      "l1Fee": "0xbee68bff4584",
-      "l1GasPrice": "0xeb",
+      "l1Fee": "0x1068ec52",
+      "l1GasPrice": "0x77f47e5",
       "l1GasUsed": "0x640"
     }
   ],
   "libraries": [],
   "pending": [],
   "returns": {},
-  "timestamp": 1721788566,
+  "timestamp": 1732002948,
   "chain": 1398243,
-  "commit": "a81325e"
+  "commit": "573b451"
 }
diff --git a/broadcast/AttestationScript.s.sol/1398243/configureZk-latest.json b/broadcast/AttestationScript.s.sol/1398243/configureZk-latest.json
@@ -0,0 +1,56 @@
+{
+  "transactions": [
+    {
+      "hash": "0x10caf4a9ed6ba33a4b7ca43d85091d7bbe77e9cf1d7ee8a3160a43d90e91699a",
+      "transactionType": "CALL",
+      "contractName": null,
+      "contractAddress": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
+      "function": "setZkConfiguration(uint8,(bytes32,address))",
+      "arguments": [
+        "1",
+        "(0x83613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f, 0xaE7F7EC735b6A90366e55f87780b36e7e6Ec3c65)"
+      ],
+      "transaction": {
+        "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
+        "to": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
+        "gas": "0x1745f",
+        "value": "0x0",
+        "input": "0x25e11c75000000000000000000000000000000000000000000000000000000000000000183613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f000000000000000000000000ae7f7ec735b6a90366e55f87780b36e7e6ec3c65",
+        "nonce": "0x22e",
+        "chainId": "0x1555e3"
+      },
+      "additionalContracts": [],
+      "isFixedGasLimit": false
+    }
+  ],
+  "receipts": [
+    {
+      "status": "0x1",
+      "cumulativeGasUsed": "0x1b8ce",
+      "logs": [],
+      "logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+      "type": "0x2",
+      "transactionHash": "0x10caf4a9ed6ba33a4b7ca43d85091d7bbe77e9cf1d7ee8a3160a43d90e91699a",
+      "transactionIndex": "0x1",
+      "blockHash": "0x1ca0b91fed252480811c5a41fc007eb9efb2b558f9d72d75b785cef1f5b8f116",
+      "blockNumber": "0x642c17",
+      "gasUsed": "0x10d98",
+      "effectiveGasPrice": "0x2dc9b4",
+      "from": "0x3d089c2f2cb86d4efde153c81cabd4579784430b",
+      "to": "0x6d67ae70d99a4cce500de44628bcb4dacfc1a145",
+      "contractAddress": null,
+      "l1BaseFeeScalar": "0x558",
+      "l1BlobBaseFee": "0x1",
+      "l1BlobBaseFeeScalar": "0xc5fc5",
+      "l1Fee": "0x1bbf1",
+      "l1GasPrice": "0xb4ae",
+      "l1GasUsed": "0x702"
+    }
+  ],
+  "libraries": [],
+  "pending": [],
+  "returns": {},
+  "timestamp": 1731995666,
+  "chain": 1398243,
+  "commit": "390daf4"
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ on: @@
         workflow_dispatch:
     env:
-      DCAP_IMAGE_ID: "0x4052beb38db7869b15596d53c2d5c02c9307faffca9215e69b0f0d0e1812a6c2"
+      DCAP_RISCZERO_IMAGE_ID: "0x83613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f"
     jobs:
       check:
@@ Expand Down @@