feat: Enable the use of multiple EOAs (#16272)

This PR integrates the node key store and enables the use of multiple
EOAs for publishing to L1.

The primary changes are:

1. `SequencerPublisher` is now stateless. Slashing state has been moved
into the `Sequencer`. A new publisher is created every block using an
appropriate publisher account.
2. Publisher accounts and values of `coinbase` and `feeRecipient` are
selected with every new block and come from the key store.
3. L1TxUtils now tracks some state to determine where the account
can/should be used.
4. Signing of all transactions is no longer performed by viem's wallet
client, instead it is deferred to the key store allowing abstractions
such as remote signers.

Author: alexghr

yarn-project/aztec-node/package.json

@@ -76,6 +76,7 @@
     "@aztec/kv-store": "workspace:^",
     "@aztec/l1-artifacts": "workspace:^",
     "@aztec/merkle-tree": "workspace:^",
+    "@aztec/node-keystore": "workspace:^",
     "@aztec/node-lib": "workspace:^",
     "@aztec/noir-protocol-circuits-types": "workspace:^",
     "@aztec/p2p": "workspace:^",

yarn-project/aztec-node/src/aztec-node/config.test.ts

@@ -0,0 +1,241 @@
+import { EthAddress } from '@aztec/foundation/eth-address';
+import type { AztecAddressHex, EthAddressHex, EthPrivateKey } from '@aztec/node-keystore';
+import type { SharedNodeConfig } from '@aztec/node-lib/config';
+import type { SequencerClientConfig, TxSenderConfig } from '@aztec/sequencer-client/config';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { ValidatorClientConfig } from '@aztec/validator-client/config';
+
+import { generatePrivateKey, privateKeyToAddress } from 'viem/accounts';
+
+import { createKeyStoreForValidator } from './config.js';
+
+describe('createKeyStoreForValidator', () => {
+  const mockValidatorKey1 = generatePrivateKey() as EthPrivateKey;
+  const mockValidatorKey2 = generatePrivateKey() as EthPrivateKey;
+  const mockPublisherKey1 = generatePrivateKey() as EthPrivateKey;
+  const mockPublisherKey2 = generatePrivateKey() as EthPrivateKey;
+  const mockCoinbase = EthAddress.random().toString() as EthAddressHex;
+  const web3SignerUrl = 'http://web3signer:1000';
+  const mockValidatorAddresses = [mockValidatorKey1, mockValidatorKey2].map(privateKeyToAddress);
+  const mockPublisherAddresses = [mockPublisherKey1, mockPublisherKey2].map(privateKeyToAddress);
+  let mockFeeRecipient: AztecAddressHex;
+
+  const createMockConfig = (
+    validatorKeys: string[] = [],
+    publisherKeys: string[] = [],
+    coinbase?: string,
+    feeRecipient?: string,
+    web3SignerUrl?: string,
+    validatorAddresses: string[] = [],
+    publisherAddresses: string[] = [],
+  ): TxSenderConfig & ValidatorClientConfig & SequencerClientConfig & SharedNodeConfig => {
+    const mockValidatorPrivateKeys =
+      validatorKeys.length > 0
+        ? {
+            getValue: () => validatorKeys,
+          }
+        : undefined;
+
+    const mockPublisherPrivateKeys =
+      publisherKeys.length > 0 ? publisherKeys.map(key => ({ getValue: () => key })) : undefined;
+
+    return {
+      validatorPrivateKeys: mockValidatorPrivateKeys,
+      publisherPrivateKeys: mockPublisherPrivateKeys,
+      coinbase: coinbase ? { toString: () => coinbase } : undefined,
+      feeRecipient: feeRecipient ? { toString: () => feeRecipient } : undefined,
+      web3SignerUrl,
+      validatorAddresses: validatorAddresses.map(addr => EthAddress.fromString(addr)),
+      publisherAddresses: publisherAddresses.map(addr => EthAddress.fromString(addr)),
+    } as TxSenderConfig & ValidatorClientConfig & SequencerClientConfig & SharedNodeConfig;
+  };
+
+  beforeAll(async () => {
+    mockFeeRecipient = (await AztecAddress.random()).toString() as AztecAddressHex;
+  });
+
+  it('should return undefined when no validator keys are provided', () => {
+    const config = createMockConfig([]);
+    const result = createKeyStoreForValidator(config);
+    expect(result).toBeUndefined();
+  });
+
+  it('should return undefined when validatorPrivateKeys is undefined', () => {
+    const config = {
+      validatorPrivateKeys: undefined,
+      publisherPrivateKeys: undefined,
+      coinbase: undefined,
+      feeRecipient: undefined,
+    } as unknown as TxSenderConfig & ValidatorClientConfig & SequencerClientConfig & SharedNodeConfig;
+    const result = createKeyStoreForValidator(config);
+    expect(result).toBeUndefined();
+  });
+
+  it('should create keystore with single validator key and default coinbase/feeRecipient', () => {
+    const config = createMockConfig([mockValidatorKey1]);
+    const result = createKeyStoreForValidator(config);
+
+    const expectedCoinbase = privateKeyToAddress(mockValidatorKey1);
+    const expectedFeeRecipient = AztecAddress.ZERO.toString();
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: [mockValidatorKey1],
+          feeRecipient: expectedFeeRecipient,
+          coinbase: expectedCoinbase,
+          remoteSigner: undefined,
+          publisher: [],
+        },
+      ],
+    });
+  });
+
+  it('should create keystore with multiple validator keys', () => {
+    const config = createMockConfig([mockValidatorKey1, mockValidatorKey2]);
+    const result = createKeyStoreForValidator(config);
+
+    const expectedCoinbase = privateKeyToAddress(mockValidatorKey1);
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: [mockValidatorKey1, mockValidatorKey2],
+          feeRecipient: AztecAddress.ZERO.toString(),
+          coinbase: expectedCoinbase,
+          remoteSigner: undefined,
+          publisher: [],
+        },
+      ],
+    });
+  });
+
+  it('should create keystore with custom coinbase and feeRecipient', () => {
+    const config = createMockConfig([mockValidatorKey1], [], mockCoinbase, mockFeeRecipient);
+    const result = createKeyStoreForValidator(config);
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: [mockValidatorKey1],
+          feeRecipient: mockFeeRecipient,
+          coinbase: mockCoinbase,
+          remoteSigner: undefined,
+          publisher: [],
+        },
+      ],
+    });
+  });
+
+  it('should create keystore with publisher keys', () => {
+    const config = createMockConfig([mockValidatorKey1], [mockPublisherKey1, mockPublisherKey2]);
+    const result = createKeyStoreForValidator(config);
+
+    const expectedCoinbase = privateKeyToAddress(mockValidatorKey1);
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: [mockValidatorKey1],
+          feeRecipient: AztecAddress.ZERO.toString(),
+          coinbase: expectedCoinbase,
+          remoteSigner: undefined,
+          publisher: [mockPublisherKey1, mockPublisherKey2],
+        },
+      ],
+    });
+  });
+
+  it('should create keystore with all fields populated', () => {
+    const config = createMockConfig(
+      [mockValidatorKey1, mockValidatorKey2],
+      [mockPublisherKey1],
+      mockCoinbase,
+      mockFeeRecipient,
+    );
+    const result = createKeyStoreForValidator(config);
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: [mockValidatorKey1, mockValidatorKey2],
+          feeRecipient: mockFeeRecipient,
+          coinbase: mockCoinbase,
+          remoteSigner: undefined,
+          publisher: [mockPublisherKey1],
+        },
+      ],
+    });
+  });
+
+  it('should handle empty publisher keys array', () => {
+    const config = createMockConfig([mockValidatorKey1], []);
+    const result = createKeyStoreForValidator(config);
+
+    expect(result?.validators?.[0]?.publisher).toEqual([]);
+  });
+
+  it('should use first validator key for coinbase when no coinbase provided', () => {
+    const config = createMockConfig([mockValidatorKey1, mockValidatorKey2]);
+    const result = createKeyStoreForValidator(config);
+
+    const expectedCoinbase = privateKeyToAddress(mockValidatorKey1);
+    expect(result?.validators?.[0]?.coinbase).toBe(expectedCoinbase);
+  });
+
+  it('should use AztecAddress.ZERO for feeRecipient when not provided', () => {
+    const config = createMockConfig([mockValidatorKey1]);
+    const result = createKeyStoreForValidator(config);
+
+    expect(result?.validators?.[0]?.feeRecipient).toBe(AztecAddress.ZERO.toString());
+  });
+
+  it('should create keystore with remote signer details', () => {
+    const config = createMockConfig(
+      [],
+      [],
+      mockCoinbase,
+      mockFeeRecipient,
+      web3SignerUrl,
+      mockValidatorAddresses,
+      mockPublisherAddresses,
+    );
+    const result = createKeyStoreForValidator(config);
+
+    expect(result).toEqual({
+      schemaVersion: 1,
+      slasher: undefined,
+      prover: undefined,
+      remoteSigner: undefined,
+      validators: [
+        {
+          attester: mockValidatorAddresses,
+          feeRecipient: mockFeeRecipient,
+          coinbase: mockCoinbase,
+          remoteSigner: web3SignerUrl,
+          publisher: mockPublisherAddresses,
+        },
+      ],
+    });
+  });
+});

yarn-project/aztec-node/src/aztec-node/config.ts

@@ -7,16 +7,34 @@ import {
 } from '@aztec/ethereum';
 import { type ConfigMappingsType, booleanConfigHelper, getConfigFromMappings } from '@aztec/foundation/config';
 import { type DataStoreConfig, dataConfigMappings } from '@aztec/kv-store/config';
+import {
+  type AztecAddressHex,
+  type EthAddressHex,
+  type EthPrivateKey,
+  type EthRemoteSignerAccount,
+  type Hex,
+  type KeyStore,
+  type KeyStoreConfig,
+  type ValidatorKeyStore,
+  keyStoreConfigMappings,
+} from '@aztec/node-keystore';
 import { type SharedNodeConfig, sharedNodeConfigMappings } from '@aztec/node-lib/config';
 import { type P2PConfig, p2pConfigMappings } from '@aztec/p2p/config';
 import { type ProverClientUserConfig, proverClientConfigMappings } from '@aztec/prover-client/config';
-import { type SequencerClientConfig, sequencerClientConfigMappings } from '@aztec/sequencer-client/config';
+import {
+  type SequencerClientConfig,
+  type TxSenderConfig,
+  sequencerClientConfigMappings,
+} from '@aztec/sequencer-client/config';
 import { slasherConfigMappings } from '@aztec/slasher';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import { type NodeRPCConfig, nodeRpcConfigMappings } from '@aztec/stdlib/config';
 import type { SlasherConfig } from '@aztec/stdlib/interfaces/server';
 import { type ValidatorClientConfig, validatorClientConfigMappings } from '@aztec/validator-client/config';
 import { type WorldStateConfig, worldStateConfigMappings } from '@aztec/world-state/config';
 
+import { privateKeyToAddress } from 'viem/accounts';
+
 import { type SentinelConfig, sentinelConfigMappings } from '../sentinel/config.js';
 
 export { sequencerClientConfigMappings, type SequencerClientConfig };
@@ -32,6 +50,7 @@ export type AztecNodeConfig = ArchiverConfig &
   Pick<ProverClientUserConfig, 'bbBinaryPath' | 'bbWorkingDirectory' | 'realProofs'> &
   P2PConfig &
   DataStoreConfig &
+  KeyStoreConfig &
   SentinelConfig &
   SharedNodeConfig &
   GenesisStateConfig &
@@ -45,6 +64,7 @@ export type AztecNodeConfig = ArchiverConfig &
 
 export const aztecNodeConfigMappings: ConfigMappingsType<AztecNodeConfig> = {
   ...dataConfigMappings,
+  ...keyStoreConfigMappings,
   ...archiverConfigMappings,
   ...sequencerClientConfigMappings,
   ...validatorClientConfigMappings,
@@ -74,3 +94,90 @@ export const aztecNodeConfigMappings: ConfigMappingsType<AztecNodeConfig> = {
 export function getConfigEnvVars(): AztecNodeConfig {
   return getConfigFromMappings<AztecNodeConfig>(aztecNodeConfigMappings);
 }
+
+type ConfigRequiredToBuildKeyStore = TxSenderConfig & SequencerClientConfig & SharedNodeConfig & ValidatorClientConfig;
+
+function createKeyStoreFromWeb3Signer(config: ConfigRequiredToBuildKeyStore) {
+  const validatorKeyStores: ValidatorKeyStore[] = [];
+
+  if (
+    config.web3SignerUrl === undefined ||
+    config.web3SignerUrl.length === 0 ||
+    config.validatorAddresses === undefined ||
+    config.validatorAddresses.length === 0
+  ) {
+    return undefined;
+  }
+  const coinbase = config.coinbase ? config.coinbase.toString() : config.validatorAddresses[0].toString();
+  const feeRecipient = config.feeRecipient ? config.feeRecipient.toString() : AztecAddress.ZERO.toString();
+
+  const publisherAddresses =
+    config.publisherAddresses && config.publisherAddresses.length > 0
+      ? config.publisherAddresses.map(k => k.toChecksumString() as EthRemoteSignerAccount)
+      : [];
+
+  const attestors = config.validatorAddresses.map(k => k.toChecksumString() as EthRemoteSignerAccount);
+
+  validatorKeyStores.push({
+    attester: attestors,
+    feeRecipient: feeRecipient as AztecAddressHex,
+    coinbase: coinbase as EthAddressHex,
+    remoteSigner: config.web3SignerUrl,
+    publisher: publisherAddresses,
+  });
+
+  const keyStore: KeyStore = {
+    schemaVersion: 1,
+    slasher: undefined,
+    prover: undefined,
+    remoteSigner: undefined,
+    validators: validatorKeyStores,
+  };
+  return keyStore;
+}
+
+function createKeyStoreFromPrivateKeys(config: ConfigRequiredToBuildKeyStore) {
+  const validatorKeyStores: ValidatorKeyStore[] = [];
+  const ethPrivateKeys: EthPrivateKey[] = [];
+  const validatorKeys = config.validatorPrivateKeys ? config.validatorPrivateKeys.getValue() : [];
+  for (let i = 0; i < validatorKeys.length; i++) {
+    const key = validatorKeys[i];
+    const ethPrivateKey: EthPrivateKey = key as Hex<32>;
+    ethPrivateKeys.push(ethPrivateKey);
+  }
+
+  if (!ethPrivateKeys.length) {
+    return undefined;
+  }
+  const coinbase = config.coinbase ? config.coinbase.toString() : privateKeyToAddress(ethPrivateKeys[0]);
+  const feeRecipient = config.feeRecipient ? config.feeRecipient.toString() : AztecAddress.ZERO.toString();
+
+  const publisherKeys = config.publisherPrivateKeys
+    ? config.publisherPrivateKeys.map(k => k.getValue() as EthPrivateKey)
+    : [];
+
+  validatorKeyStores.push({
+    attester: ethPrivateKeys,
+    feeRecipient: feeRecipient as AztecAddressHex,
+    coinbase: coinbase as EthAddressHex,
+    remoteSigner: undefined,
+    publisher: publisherKeys,
+  });
+
+  const keyStore: KeyStore = {
+    schemaVersion: 1,
+    slasher: undefined,
+    prover: undefined,
+    remoteSigner: undefined,
+    validators: validatorKeyStores,
+  };
+  return keyStore;
+}
+
+export function createKeyStoreForValidator(config: TxSenderConfig & SequencerClientConfig & SharedNodeConfig) {
+  if (config.web3SignerUrl !== undefined && config.web3SignerUrl.length > 0) {
+    return createKeyStoreFromWeb3Signer(config);
+  }
+
+  return createKeyStoreFromPrivateKeys(config);
+}