fix: address tmnt-144 (#16436)

Please read [contributing guidelines](CONTRIBUTING.md) and remove this
line.

For audit-related pull requests, please use the [audit PR
template](?expand=1&template=audit.md).

Author: AztecBot

l1-contracts/gas_benchmark.md

@@ -16,23 +16,23 @@
 
 | Function             | Avg Gas | Max Gas | Calldata Size | Calldata Gas |
 |----------------------|---------|---------|---------------|--------------|
-| propose              | 152,636 | 169,163 |         1,060 |       16,960 |
-| submitEpochRootProof | 569,702 | 592,918 |         3,812 |       60,992 |
-| setupEpoch           |  40,827 | 108,414 |             - |            - |
+| propose              | 142,569 | 157,723 |         1,060 |       16,960 |
+| submitEpochRootProof | 567,842 | 591,073 |         3,812 |       60,992 |
+| setupEpoch           |  31,585 | 108,397 |             - |            - |
 
-**Avg Gas Cost per Second**: 923.0 gas/second
+**Avg Gas Cost per Second**: 869.2 gas/second
 *Epoch duration*: 2h 33m 36s
 
 ### Validators (IGNITION)
 
 | Function             | Avg Gas | Max Gas | Calldata Size | Calldata Gas |
 |----------------------|---------|---------|---------------|--------------|
-| propose              | 210,504 | 227,206 |         2,852 |       45,632 |
-| submitEpochRootProof | 680,098 | 703,302 |         5,092 |       81,472 |
-| aggregate3           | 257,879 | 281,656 |             - |            - |
-| setupEpoch           |  47,388 | 327,101 |             - |            - |
+| propose              | 206,977 | 226,338 |         2,852 |       45,632 |
+| submitEpochRootProof | 679,690 | 701,700 |         5,092 |       81,472 |
+| aggregate3           | 256,679 | 286,474 |             - |            - |
+| setupEpoch           |  38,145 | 327,074 |             - |            - |
 
-**Avg Gas Cost per Second**: 1,249.1 gas/second
+**Avg Gas Cost per Second**: 1,229.6 gas/second
 *Epoch duration*: 2h 33m 36s
 
 
@@ -52,22 +52,22 @@
 
 | Function             | Avg Gas | Max Gas | Calldata Size | Calldata Gas |
 |----------------------|---------|---------|---------------|--------------|
-| propose              | 230,591 | 247,557 |         1,060 |       16,960 |
-| submitEpochRootProof | 689,363 | 728,218 |         3,812 |       60,992 |
-| setupEpoch           |  42,002 | 110,935 |             - |            - |
+| propose              | 219,926 | 235,984 |         1,060 |       16,960 |
+| submitEpochRootProof | 687,107 | 726,001 |         3,812 |       60,992 |
+| setupEpoch           |  32,376 | 108,397 |             - |            - |
 
-**Avg Gas Cost per Second**: 7,638.6 gas/second
+**Avg Gas Cost per Second**: 7,330.1 gas/second
 *Epoch duration*: 0h 19m 12s
 
 ### Validators (Alpha)
 
 | Function             | Avg Gas | Max Gas | Calldata Size | Calldata Gas |
 |----------------------|---------|---------|---------------|--------------|
-| propose              | 337,553 | 355,991 |         4,580 |       73,280 |
-| submitEpochRootProof | 897,057 | 935,029 |         6,308 |      100,928 |
-| aggregate3           | 389,910 | 411,588 |             - |            - |
-| setupEpoch           |  59,354 | 544,742 |             - |            - |
+| propose              | 334,025 | 351,385 |         4,580 |       73,280 |
+| submitEpochRootProof | 895,025 | 933,081 |         6,308 |      100,928 |
+| aggregate3           | 386,141 | 411,884 |             - |            - |
+| setupEpoch           |  49,728 | 542,190 |             - |            - |
 
-**Avg Gas Cost per Second**: 10,985.4 gas/second
+**Avg Gas Cost per Second**: 10,875.5 gas/second
 *Epoch duration*: 0h 19m 12s
 

l1-contracts/gas_benchmark_results.json

@@ -3,125 +3,125 @@
     "no_validators": {
       "propose": {
         "calls": 100,
-        "min": 149608,
-        "mean": 152636,
-        "median": 152418,
-        "max": 169163,
+        "min": 139463,
+        "mean": 142569,
+        "median": 142433,
+        "max": 157723,
         "calldata_size": 1060,
         "calldata_gas": 16960
       },
       "setupEpoch": {
         "calls": 100,
-        "min": 37692,
-        "mean": 40827,
-        "median": 39692,
-        "max": 108414
+        "min": 29235,
+        "mean": 31585,
+        "median": 29235,
+        "max": 108397
       },
       "submitEpochRootProof": {
         "calls": 2,
-        "min": 546487,
-        "mean": 569702,
-        "median": 569702,
-        "max": 592918,
+        "min": 544611,
+        "mean": 567842,
+        "median": 567842,
+        "max": 591073,
         "calldata_size": 3812,
         "calldata_gas": 60992
       }
     },
     "validators": {
       "propose": {
         "calls": 100,
-        "min": 204064,
-        "mean": 210504,
-        "median": 209860,
-        "max": 227206,
+        "min": 200706,
+        "mean": 206977,
+        "median": 207326,
+        "max": 226338,
         "calldata_size": 2852,
         "calldata_gas": 45632
       },
       "setupEpoch": {
         "calls": 100,
-        "min": 37692,
-        "mean": 47388,
-        "median": 39692,
-        "max": 327101
+        "min": 29235,
+        "mean": 38145,
+        "median": 29235,
+        "max": 327074
       },
       "submitEpochRootProof": {
         "calls": 2,
-        "min": 656895,
-        "mean": 680098,
-        "median": 680098,
-        "max": 703302,
+        "min": 657681,
+        "mean": 679690,
+        "median": 679690,
+        "max": 701700,
         "calldata_size": 5092,
         "calldata_gas": 81472
       },
       "aggregate3": {
         "calls": 100,
-        "min": 247273,
-        "mean": 257879,
-        "median": 255561,
-        "max": 281656
+        "min": 243742,
+        "mean": 256679,
+        "median": 253598,
+        "max": 286474
       }
     }
   },
   "alpha": {
     "no_validators": {
       "propose": {
         "calls": 100,
-        "min": 221621,
-        "mean": 230591,
-        "median": 229876,
-        "max": 247557,
+        "min": 212503,
+        "mean": 219926,
+        "median": 219136,
+        "max": 235984,
         "calldata_size": 1060,
         "calldata_gas": 16960
       },
       "setupEpoch": {
         "calls": 100,
-        "min": 37692,
-        "mean": 42002,
-        "median": 39692,
-        "max": 110935
+        "min": 29235,
+        "mean": 32376,
+        "median": 29235,
+        "max": 108397
       },
       "submitEpochRootProof": {
         "calls": 3,
-        "min": 669888,
-        "mean": 689363,
-        "median": 669984,
-        "max": 728218,
+        "min": 667612,
+        "mean": 687107,
+        "median": 667708,
+        "max": 726001,
         "calldata_size": 3812,
         "calldata_gas": 60992
       }
     },
     "validators": {
       "propose": {
         "calls": 100,
-        "min": 323268,
-        "mean": 337553,
-        "median": 337214,
-        "max": 355991,
+        "min": 318448,
+        "mean": 334025,
+        "median": 334471,
+        "max": 351385,
         "calldata_size": 4580,
         "calldata_gas": 73280
       },
       "setupEpoch": {
         "calls": 100,
-        "min": 37692,
-        "mean": 59354,
-        "median": 39692,
-        "max": 544742
+        "min": 29235,
+        "mean": 49728,
+        "median": 29235,
+        "max": 542190
       },
       "submitEpochRootProof": {
         "calls": 3,
-        "min": 876819,
-        "mean": 897057,
-        "median": 879324,
-        "max": 935029,
+        "min": 874800,
+        "mean": 895025,
+        "median": 877195,
+        "max": 933081,
         "calldata_size": 6308,
         "calldata_gas": 100928
       },
       "aggregate3": {
         "calls": 100,
-        "min": 366564,
-        "mean": 389910,
-        "median": 389226,
-        "max": 411588
+        "min": 362550,
+        "mean": 386141,
+        "median": 384626,
+        "max": 411884
       }
     }
   }

l1-contracts/src/governance/proposer/EmpireBase.sol

@@ -107,7 +107,8 @@ abstract contract EmpireBase is EIP712, IEmpire {
   using CompressedTimeMath for CompressedSlot;
 
   // EIP-712 type hash for the Signal struct
-  bytes32 public constant SIGNAL_TYPEHASH = keccak256("Signal(address payload,uint256 nonce,uint256 round)");
+  bytes32 public constant SIGNAL_TYPEHASH =
+    keccak256("Signal(address payload,uint256 nonce,uint256 round,address instance)");
 
   // The number of signals needed for a payload to be considered submittable.
   uint256 public immutable QUORUM_SIZE;
@@ -269,7 +270,7 @@ abstract contract EmpireBase is EIP712, IEmpire {
   }
 
   function getSignalSignatureDigest(IPayload _payload, address _signaler, uint256 _round) public view returns (bytes32) {
-    return _hashTypedDataV4(keccak256(abi.encode(SIGNAL_TYPEHASH, _payload, nonces[_signaler], _round)));
+    return _hashTypedDataV4(keccak256(abi.encode(SIGNAL_TYPEHASH, _payload, nonces[_signaler], _round, getInstance())));
   }
 
   // Virtual functions

l1-contracts/test/governance/governance-proposer/scenario/15123.t.sol

@@ -80,7 +80,10 @@ contract Test15123 is GovernanceProposerBase {
     bytes32 domainSeparator =
       keccak256(abi.encode(TYPE_HASH, hashedName, hashedVersion, block.chainid, address(governanceProposer)));
     bytes32 digest = MessageHashUtils.toTypedDataHash(
-      domainSeparator, keccak256(abi.encode(governanceProposer.SIGNAL_TYPEHASH(), _payload, _nonce, _round))
+      domainSeparator,
+      keccak256(
+        abi.encode(governanceProposer.SIGNAL_TYPEHASH(), _payload, _nonce, _round, governanceProposer.getInstance())
+      )
     );
 
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);

l1-contracts/test/governance/governance-proposer/scenario/tmnt144.t.sol

@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity >=0.8.27;
+
+import {GovernanceProposerBase} from "../Base.t.sol";
+
+import {IPayload} from "@aztec/governance/interfaces/IPayload.sol";
+import {Slot, Timestamp} from "@aztec/core/libraries/TimeLib.sol";
+import {Fakerollup} from "../mocks/Fakerollup.sol";
+import {IRollup} from "@aztec/core/interfaces/IRollup.sol";
+import {Signature} from "@aztec/shared/libraries/SignatureLib.sol";
+import {MessageHashUtils} from "@oz/utils/cryptography/MessageHashUtils.sol";
+
+// https://linear.app/aztec-labs/issue/TMNT-144/spearbit-gov-finding-3-missing-instance-in-digest
+contract TestTmnt144 is GovernanceProposerBase {
+  using MessageHashUtils for bytes32;
+
+  IPayload internal proposal = IPayload(address(0xdeadbeef));
+  address internal proposer = address(0);
+  Fakerollup internal rollup1;
+  Fakerollup internal rollup2;
+
+  uint256 internal privateKey = 0x1234567890;
+  Signature internal signature;
+
+  function setUp() public override {
+    super.setUp();
+  }
+
+  function test_replay() external {
+    rollup1 = new Fakerollup();
+
+    proposer = vm.addr(privateKey);
+    rollup1.setProposer(proposer);
+
+    vm.prank(registry.getGovernance());
+    registry.addRollup(IRollup(address(rollup1)));
+    vm.warp(Timestamp.unwrap(rollup1.getTimestampForSlot(Slot.wrap(1))));
+
+    // Create a signature for the proposer
+    uint256 round = governanceProposer.getCurrentRound();
+    signature = createSignature(privateKey, address(proposal), round);
+
+    // For some reason, before he signals, the time progresses and he is no longer the proposer!
+    // It is not even the same round actually
+    vm.warp(Timestamp.unwrap(rollup1.getTimestampForSlot(Slot.wrap(2 + governanceProposer.ROUND_SIZE()))));
+    rollup1.setProposer(address(0xdead));
+    assertNotEq(round, governanceProposer.getCurrentRound());
+
+    // We therefore expect the tx to revert, but not before it was broadcast, so anyone can pick up the signature
+    vm.expectRevert();
+    governanceProposer.signalWithSig(proposal, signature);
+
+    // A new rollup swings by, and gets added to the registry!
+    rollup2 = new Fakerollup();
+    rollup2.setProposer(proposer);
+    vm.prank(registry.getGovernance());
+    registry.addRollup(IRollup(address(rollup2)));
+
+    vm.warp(Timestamp.unwrap(rollup2.getTimestampForSlot(Slot.wrap(1))));
+
+    // Some random dude that picked up the earlier signature sends it to vote using the new rollup!
+    assertEq(governanceProposer.signalCount(address(rollup2), 0, proposal), 0, "invalid number of votes");
+
+    vm.expectRevert();
+    governanceProposer.signalWithSig(proposal, signature);
+
+    assertEq(governanceProposer.signalCount(address(rollup2), 0, proposal), 0, "invalid number of votes");
+  }
+
+  function createSignature(uint256 _privateKey, address _payload, uint256 _round)
+    internal
+    view
+    returns (Signature memory)
+  {
+    address signer = vm.addr(_privateKey);
+    bytes32 digest = governanceProposer.getSignalSignatureDigest(IPayload(_payload), signer, _round);
+
+    (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);
+
+    return Signature({v: v, r: r, s: s});
+  }
+}

l1-contracts/test/governance/governance-proposer/voteWithsig.t.sol

@@ -63,6 +63,9 @@ contract SignalWithSigTest is GovernanceProposerBase {
 
     // We jump into the future since slot 0, will behave as if already signald in
     vm.warp(Timestamp.unwrap(validatorSelection.getTimestampForSlot(Slot.wrap(1))));
+
+    // Also we need to generate a signature because it is using the address of the instance as part of it.
+    signature = createSignature(privateKey, proposal);
     _;
   }
 
@@ -359,20 +362,7 @@ contract SignalWithSigTest is GovernanceProposerBase {
 
   function getDigest(uint256 _privateKey, IPayload _payload, uint256 _round) internal view returns (bytes32) {
     address p = vm.addr(_privateKey);
-    uint256 nonce = governanceProposer.nonces(p);
-    bytes32 domainSeparator = keccak256(
-      abi.encode(
-        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
-        keccak256(bytes("EmpireBase")),
-        keccak256(bytes("1")),
-        block.chainid,
-        address(governanceProposer)
-      )
-    );
-    bytes32 digest = MessageHashUtils.toTypedDataHash(
-      domainSeparator, keccak256(abi.encode(governanceProposer.SIGNAL_TYPEHASH(), _payload, nonce, _round))
-    );
-    return digest;
+    return governanceProposer.getSignalSignatureDigest(_payload, p, _round);
   }
 
   function createSignature(uint256 _privateKey, IPayload _payload) internal view returns (Signature memory) {