fix: update empire digest (#16475)

Please read [contributing guidelines](CONTRIBUTING.md) and remove this
line.

For audit-related pull requests, please use the [audit PR
template](?expand=1&template=audit.md).

Author: just-mitch

l1-contracts/gas_benchmark.md

@@ -29,7 +29,7 @@
 |----------------------|---------|---------|---------------|--------------|
 | propose              | 206,977 | 226,338 |         2,852 |       45,632 |
 | submitEpochRootProof | 679,690 | 701,700 |         5,092 |       81,472 |
-| aggregate3           | 256,810 | 286,606 |             - |            - |
+| aggregate3           | 244,745 | 264,110 |             - |            - |
 | setupEpoch           |  38,145 | 327,074 |             - |            - |
 
 **Avg Gas Cost per Second**: 1,229.6 gas/second
@@ -65,7 +65,7 @@
 |----------------------|---------|---------|---------------|--------------|
 | propose              | 334,025 | 351,385 |         4,580 |       73,280 |
 | submitEpochRootProof | 895,025 | 933,081 |         6,308 |      100,928 |
-| aggregate3           | 386,274 | 412,016 |             - |            - |
+| aggregate3           | 372,157 | 389,520 |             - |            - |
 | setupEpoch           |  49,728 | 542,190 |             - |            - |
 
 **Avg Gas Cost per Second**: 10,875.5 gas/second

l1-contracts/gas_benchmark_results.json

@@ -55,10 +55,10 @@
       },
       "aggregate3": {
         "calls": 100,
-        "min": 243874,
-        "mean": 256810,
-        "median": 253736,
-        "max": 286606
+        "min": 238466,
+        "mean": 244745,
+        "median": 245098,
+        "max": 264110
       }
     }
   },
@@ -118,10 +118,10 @@
       },
       "aggregate3": {
         "calls": 100,
-        "min": 362682,
-        "mean": 386274,
-        "median": 384758,
-        "max": 412016
+        "min": 356583,
+        "mean": 372157,
+        "median": 372603,
+        "max": 389520
       }
     }
   }

l1-contracts/src/governance/proposer/EmpireBase.sol

@@ -84,7 +84,7 @@ struct CompressedRoundAccounting {
  * 1. Direct signal: Current signaler calls `signal()`
  * 2. Delegated signal: Anyone submits with signaler's signature via `signalWithSig()`
  *    - Uses EIP-712 for signature verification
- *    - Includes nonce and round number to prevent replay attacks
+ *    - Includes slot and instance to prevent replay attacks
  *
  * @dev ABSTRACT FUNCTIONS:
  * Implementing contracts must provide:
@@ -107,8 +107,7 @@ abstract contract EmpireBase is EIP712, IEmpire {
   using CompressedTimeMath for CompressedSlot;
 
   // EIP-712 type hash for the Signal struct
-  bytes32 public constant SIGNAL_TYPEHASH =
-    keccak256("Signal(address payload,uint256 nonce,uint256 round,address instance)");
+  bytes32 public constant SIGNAL_TYPEHASH = keccak256("Signal(address payload,uint256 slot,address instance)");
 
   // The number of signals needed for a payload to be considered submittable.
   uint256 public immutable QUORUM_SIZE;
@@ -121,8 +120,6 @@ abstract contract EmpireBase is EIP712, IEmpire {
 
   // Mapping of instance to round number to round accounting.
   mapping(address instance => mapping(uint256 roundNumber => CompressedRoundAccounting)) internal rounds;
-  // Mapping of instance signaler to nonce. Used to prevent replay attacks.
-  mapping(address signaler => uint256 nonce) public nonces;
 
   constructor(uint256 _quorumSize, uint256 _roundSize, uint256 _lifetimeInRounds, uint256 _executionDelayInRounds)
     EIP712("EmpireBase", "1")
@@ -269,8 +266,8 @@ abstract contract EmpireBase is EIP712, IEmpire {
     return Slot.unwrap(_slot) / ROUND_SIZE;
   }
 
-  function getSignalSignatureDigest(IPayload _payload, address _signaler, uint256 _round) public view returns (bytes32) {
-    return _hashTypedDataV4(keccak256(abi.encode(SIGNAL_TYPEHASH, _payload, nonces[_signaler], _round, getInstance())));
+  function getSignalSignatureDigest(IPayload _payload, Slot _slot) public view returns (bytes32) {
+    return _hashTypedDataV4(keccak256(abi.encode(SIGNAL_TYPEHASH, _payload, _slot, getInstance())));
   }
 
   // Virtual functions
@@ -299,8 +296,7 @@ abstract contract EmpireBase is EIP712, IEmpire {
     if (_sig.isEmpty()) {
       require(msg.sender == signaler, Errors.GovernanceProposer__OnlyProposerCanSignal(msg.sender, signaler));
     } else {
-      bytes32 digest = getSignalSignatureDigest(_payload, signaler, roundNumber);
-      nonces[signaler]++;
+      bytes32 digest = getSignalSignatureDigest(_payload, currentSlot);
 
       // _sig.verify will throw if invalid, it is more my sanity that I am doing this for.
       require(_sig.verify(signaler, digest), Errors.GovernanceProposer__OnlyProposerCanSignal(msg.sender, signaler));

l1-contracts/test/benchmark/happy.t.sol

@@ -353,14 +353,14 @@ contract BenchmarkRollupTest is FeeModelTestPoints, DecoderBase {
    * @param _payload The payload to signal
    * @return The EIP-712 signature
    */
-  function createSignalSignature(address _signer, IPayload _payload, uint256 _round)
+  function createSignalSignature(address _signer, IPayload _payload, Slot _slot)
     internal
     view
     returns (Signature memory)
   {
     uint256 privateKey = attesterPrivateKeys[_signer];
     require(privateKey != 0, "Private key not found for signer");
-    bytes32 digest = slashingProposer.getSignalSignatureDigest(_payload, _signer, _round);
+    bytes32 digest = slashingProposer.getSignalSignatureDigest(_payload, _slot);
 
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, digest);
 
@@ -383,7 +383,7 @@ contract BenchmarkRollupTest is FeeModelTestPoints, DecoderBase {
 
       if (_slashing && !warmedUp && rollup.getCurrentSlot() == Slot.wrap(EPOCH_DURATION * 2)) {
         address proposer = rollup.getCurrentProposer();
-        Signature memory sig = createSignalSignature(proposer, slashPayload, round);
+        Signature memory sig = createSignalSignature(proposer, slashPayload, rollup.getCurrentSlot());
         slashingProposer.signalWithSig(slashPayload, sig);
         warmedUp = true;
       }
@@ -404,7 +404,7 @@ contract BenchmarkRollupTest is FeeModelTestPoints, DecoderBase {
         blockAttestations[currentBlockNumber] = AttestationLib.packAttestations(b.attestations);
 
         if (_slashing) {
-          Signature memory sig = createSignalSignature(proposer, slashPayload, round);
+          Signature memory sig = createSignalSignature(proposer, slashPayload, rollup.getCurrentSlot());
           Multicall3.Call3[] memory calls = new Multicall3.Call3[](2);
           calls[0] = Multicall3.Call3({
             target: address(rollup),

l1-contracts/test/compression/PreHeating.t.sol

@@ -405,25 +405,4 @@ contract PreHeatingTest is FeeModelTestPoints, DecoderBase {
     Signature memory emptySignature = Signature({v: 0, r: 0, s: 0});
     return CommitteeAttestation({addr: _signer, signature: emptySignature});
   }
-
-  /**
-   * @notice Creates an EIP-712 signature for signalWithSig
-   * @param _signer The address that should sign (must match a block proposer)
-   * @param _payload The payload to signal
-   * @param _round The round to signal in
-   * @return The EIP-712 signature
-   */
-  function createSignalSignature(address _signer, IPayload _payload, uint256 _round)
-    internal
-    view
-    returns (Signature memory)
-  {
-    uint256 privateKey = attesterPrivateKeys[_signer];
-    require(privateKey != 0, "Private key not found for signer");
-    bytes32 digest = slashingProposer.getSignalSignatureDigest(_payload, _signer, _round);
-
-    (uint8 v, bytes32 r, bytes32 s) = vm.sign(privateKey, digest);
-
-    return Signature({v: v, r: r, s: s});
-  }
 }

l1-contracts/test/governance/governance-proposer/scenario/15123.t.sol

@@ -55,39 +55,23 @@ contract Test15123 is GovernanceProposerBase {
     vm.warp(Timestamp.unwrap(validatorSelection.getTimestampForSlot(Slot.wrap(1))));
 
     uint256 round = governanceProposer.getCurrentRound();
-    signature = createSignature(privateKey, address(proposal), 0, round);
+    signature = createSignature(privateKey, proposal, validatorSelection.getCurrentSlot());
 
     governanceProposer.signalWithSig(proposal, signature);
 
-    assertEq(governanceProposer.signalCount(address(validatorSelection), 0, proposal), 1, "invalid number of votes");
+    assertEq(governanceProposer.signalCount(address(validatorSelection), round, proposal), 1, "invalid number of votes");
 
     vm.warp(Timestamp.unwrap(validatorSelection.getTimestampForSlot(Slot.wrap(2))));
 
     vm.expectRevert();
     governanceProposer.signalWithSig(proposal, signature);
 
-    assertEq(governanceProposer.signalCount(address(validatorSelection), 0, proposal), 1, "invalid number of votes");
+    assertEq(governanceProposer.signalCount(address(validatorSelection), round, proposal), 1, "invalid number of votes");
   }
 
-  function createSignature(uint256 _privateKey, address _payload, uint256 _nonce, uint256 _round)
-    internal
-    view
-    returns (Signature memory)
-  {
-    bytes32 TYPE_HASH = keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
-    bytes32 hashedName = keccak256(bytes("EmpireBase"));
-    bytes32 hashedVersion = keccak256(bytes("1"));
-    bytes32 domainSeparator =
-      keccak256(abi.encode(TYPE_HASH, hashedName, hashedVersion, block.chainid, address(governanceProposer)));
-    bytes32 digest = MessageHashUtils.toTypedDataHash(
-      domainSeparator,
-      keccak256(
-        abi.encode(governanceProposer.SIGNAL_TYPEHASH(), _payload, _nonce, _round, governanceProposer.getInstance())
-      )
-    );
-
+  function createSignature(uint256 _privateKey, IPayload _payload, Slot _slot) internal view returns (Signature memory) {
+    bytes32 digest = governanceProposer.getSignalSignatureDigest(_payload, _slot);
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);
-
     return Signature({v: v, r: r, s: s});
   }
 }

l1-contracts/test/governance/governance-proposer/scenario/tmnt144.t.sol

@@ -38,7 +38,7 @@ contract TestTmnt144 is GovernanceProposerBase {
 
     // Create a signature for the proposer
     uint256 round = governanceProposer.getCurrentRound();
-    signature = createSignature(privateKey, address(proposal), round);
+    signature = createSignature(privateKey, address(proposal), rollup1.getCurrentSlot());
 
     // For some reason, before he signals, the time progresses and he is no longer the proposer!
     // It is not even the same round actually
@@ -67,13 +67,8 @@ contract TestTmnt144 is GovernanceProposerBase {
     assertEq(governanceProposer.signalCount(address(rollup2), 0, proposal), 0, "invalid number of votes");
   }
 
-  function createSignature(uint256 _privateKey, address _payload, uint256 _round)
-    internal
-    view
-    returns (Signature memory)
-  {
-    address signer = vm.addr(_privateKey);
-    bytes32 digest = governanceProposer.getSignalSignatureDigest(IPayload(_payload), signer, _round);
+  function createSignature(uint256 _privateKey, address _payload, Slot _slot) internal view returns (Signature memory) {
+    bytes32 digest = governanceProposer.getSignalSignatureDigest(IPayload(_payload), _slot);
 
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);
 

l1-contracts/test/governance/governance-proposer/scenario/tmnt150.t.sol

@@ -69,26 +69,21 @@ contract TestTmnt150 is GovernanceProposerBase {
 
     // Create a signature for the proposer
     uint256 round = governanceProposer.getCurrentRound();
-    signature = createSignature(privateKey, address(proposal), round);
+    signature = createSignature(privateKey, address(proposal), rollup1.getCurrentSlot());
 
     rollup1.maliciousValues(5, governanceProposer, proposal);
 
-    assertEq(governanceProposer.signalCount(address(rollup1), 0, proposal), 0, "invalid number of votes");
+    assertEq(governanceProposer.signalCount(address(rollup1), round, proposal), 0, "invalid number of votes");
 
     vm.expectRevert(abi.encodeWithSelector(Errors.GovernanceProposer__SignalAlreadyCastForSlot.selector, 1));
 
     rollup1.commenceAttack();
 
-    assertEq(governanceProposer.signalCount(address(rollup1), 0, proposal), 0, "invalid number of votes");
+    assertEq(governanceProposer.signalCount(address(rollup1), round, proposal), 0, "invalid number of votes");
   }
 
-  function createSignature(uint256 _privateKey, address _payload, uint256 _round)
-    internal
-    view
-    returns (Signature memory)
-  {
-    address signer = vm.addr(_privateKey);
-    bytes32 digest = governanceProposer.getSignalSignatureDigest(IPayload(_payload), signer, _round);
+  function createSignature(uint256 _privateKey, address _payload, Slot _slot) internal view returns (Signature memory) {
+    bytes32 digest = governanceProposer.getSignalSignatureDigest(IPayload(_payload), _slot);
 
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);
 

l1-contracts/test/governance/governance-proposer/voteWithsig.t.sol

@@ -24,6 +24,7 @@ contract SignalWithSigTest is GovernanceProposerBase {
 
   function setUp() public override {
     super.setUp();
+    validatorSelection = new Fakerollup();
   }
 
   // Skipping this test since the it matches the for now skipped check in `EmpireBase::signal`
@@ -54,7 +55,6 @@ contract SignalWithSigTest is GovernanceProposerBase {
   }
 
   modifier givenCanonicalRollupHoldCode() {
-    validatorSelection = new Fakerollup();
     proposer = vm.addr(privateKey);
     validatorSelection.setProposer(proposer);
 
@@ -95,8 +95,7 @@ contract SignalWithSigTest is GovernanceProposerBase {
     // fast forward a round
     vm.warp(block.timestamp + _slotsToFastForward * validatorSelection.getSlotDuration());
 
-    uint256 round = governanceProposer.getCurrentRound();
-    bytes32 digest = getDigest(privateKey, proposal, round);
+    bytes32 digest = getDigest(proposal, validatorSelection.getCurrentSlot());
 
     // signal
     address expectedInvalidSigner = ecrecover(digest, signature.v, signature.r, signature.s);
@@ -186,7 +185,7 @@ contract SignalWithSigTest is GovernanceProposerBase {
     Slot freshSlot = freshInstance.getCurrentSlot();
     uint256 freshRound = governanceProposer.computeRound(freshSlot);
 
-    signature = createSignature(privateKey, proposal);
+    signature = createSignature(privateKey, proposal, freshSlot);
 
     vm.expectEmit(true, true, true, true, address(governanceProposer));
     emit IEmpire.SignalCast(proposal, freshRound, proposer);
@@ -360,14 +359,16 @@ contract SignalWithSigTest is GovernanceProposerBase {
     }
   }
 
-  function getDigest(uint256 _privateKey, IPayload _payload, uint256 _round) internal view returns (bytes32) {
-    address p = vm.addr(_privateKey);
-    return governanceProposer.getSignalSignatureDigest(_payload, p, _round);
+  function getDigest(IPayload _payload, Slot _slot) internal view returns (bytes32) {
+    return governanceProposer.getSignalSignatureDigest(_payload, _slot);
   }
 
   function createSignature(uint256 _privateKey, IPayload _payload) internal view returns (Signature memory) {
-    uint256 round = governanceProposer.getCurrentRound();
-    bytes32 digest = getDigest(_privateKey, _payload, round);
+    return createSignature(_privateKey, _payload, validatorSelection.getCurrentSlot());
+  }
+
+  function createSignature(uint256 _privateKey, IPayload _payload, Slot _slot) internal view returns (Signature memory) {
+    bytes32 digest = getDigest(_payload, _slot);
 
     (uint8 v, bytes32 r, bytes32 s) = vm.sign(_privateKey, digest);
 

yarn-project/ethereum/src/contracts/empire_base.ts

@@ -51,8 +51,7 @@ export function encodeSignalWithSignature(payload: Hex, signature: Signature) {
 export async function signSignalWithSig(
   signer: (msg: TypedDataDefinition) => Promise<Hex>,
   payload: Hex,
-  nonce: bigint,
-  round: bigint,
+  slot: bigint,
   instance: Hex,
   verifyingContract: Hex,
   chainId: number,
@@ -67,16 +66,14 @@ export async function signSignalWithSig(
   const types = {
     Signal: [
       { name: 'payload', type: 'address' },
-      { name: 'nonce', type: 'uint256' },
-      { name: 'round', type: 'uint256' },
+      { name: 'slot', type: 'uint256' },
       { name: 'instance', type: 'address' },
     ],
   };
 
   const message = {
     payload,
-    nonce,
-    round,
+    slot,
     instance,
   };