feat: L1 contract etherscan verification

Author: spypsy

l1-contracts/scripts/verify-from-json.sh

@@ -0,0 +1,214 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage:
+#   scripts/verify-from-json.sh <path-to-l1-verify.json> [--api-key <etherscan-api-key>]
+#
+# Notes:
+# - This script is used to verify contracts from a JSON file generated by the deploy-l1-contracts command.
+# - The format of the JSON file is as follows:
+#   {
+#     "chainId": <chain-id>,
+#     "records": [
+#       {
+#         "name": <contract-name>,
+#         "address": <contract-address>,
+#         "constructorArgsHex": <constructor-args-hex>,
+#         "libraries": [
+#           {
+#             "file": <library-file>,
+#             "contract": <library-contract>,
+#             "address": <library-address>
+#           }
+#         ]
+#       }
+#     ]
+#   }
+# - The script will verify each contract in the JSON file.
+# - Runs from repo root automatically to ensure paths resolve, then returns to l1-contracts.
+# - Expects Foundry (forge) and jq available.
+
+ROOT_DIR=$(git rev-parse --show-toplevel)
+cd "$ROOT_DIR/l1-contracts"
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "jq is required" >&2
+  exit 1
+fi
+if ! command -v forge >/dev/null 2>&1; then
+  echo "forge is required" >&2
+  exit 1
+fi
+if ! command -v curl >/dev/null 2>&1; then
+  echo "curl is required" >&2
+  exit 1
+fi
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: scripts/verify-from-json.sh <path-to-l1-verify.json> [--chain <id|name>] [--api-key <key>]" >&2
+  exit 1
+fi
+
+JSON_PATH="$1"
+shift || true
+
+API_KEY_ARG=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --api-key)
+      API_KEY_ARG="$2"
+      shift 2
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ ! -f "$JSON_PATH" ]]; then
+  echo "File not found: $JSON_PATH" >&2
+  exit 1
+fi
+
+# Derive chain and api key
+CHAIN_ID_FROM_JSON=$(jq -r .chainId "$JSON_PATH")
+CHAIN_VALUE="$CHAIN_ID_FROM_JSON"
+API_KEY_VALUE="${API_KEY_ARG:-${ETHERSCAN_API_KEY:-}}"
+
+if [[ -z "$API_KEY_VALUE" ]]; then
+  echo "ETHERSCAN API key not provided. Set env ETHERSCAN_API_KEY or pass --api-key <key>." >&2
+  exit 1
+fi
+
+# Sourcify server (can override via $SOURCIFY_SERVER_URL)
+SOURCIFY_SERVER_URL="${SOURCIFY_SERVER_URL:-https://sourcify.dev/server}"
+
+# Import a verified contract from Etherscan into Sourcify v2
+sourcify_import() {
+  local address="$1"
+  local chain_id="$CHAIN_VALUE"
+  local endpoint="$SOURCIFY_SERVER_URL/v2/verify/etherscan/$chain_id/$address"
+  local payload
+  # Only etherscanApiKey is required in body for this endpoint
+  payload=$(jq -n --arg key "$API_KEY_VALUE" '{apiKey:$key}')
+  echo "    Importing to Sourcify: $address (chain $chain_id)"
+  curl -sS -X POST -H 'Content-Type: application/json' -d "$payload" "$endpoint" | sed 's/^/      sourcify: /'
+}
+
+# Map deployment "name" to FQN "<path>:<ContractName>"
+resolve_fqn() {
+  local name="$1"
+  case "$name" in
+    FeeAsset|StakingAsset)
+      echo "src/mock/TestERC20.sol:TestERC20" ;;
+    GSE)
+      echo "src/governance/GSE.sol:GSE" ;;
+    Registry)
+      echo "src/governance/Registry.sol:Registry" ;;
+    GovernanceProposer)
+      echo "src/governance/proposer/GovernanceProposer.sol:GovernanceProposer" ;;
+    Governance)
+      echo "src/governance/Governance.sol:Governance" ;;
+    CoinIssuer)
+      echo "src/governance/CoinIssuer.sol:CoinIssuer" ;;
+    FeeAssetHandler)
+      echo "src/mock/FeeAssetHandler.sol:FeeAssetHandler" ;;
+    StakingAssetHandler)
+      echo "src/mock/StakingAssetHandler.sol:StakingAssetHandler" ;;
+    MockVerifier)
+      echo "src/mock/MockVerifier.sol:MockVerifier" ;;
+    Rollup)
+      echo "src/core/Rollup.sol:Rollup" ;;
+    SlashFactory)
+      echo "src/periphery/SlashFactory.sol:SlashFactory" ;;
+    Inbox)
+      echo "src/core/messagebridge/Inbox.sol:Inbox" ;;
+    Outbox)
+      echo "src/core/messagebridge/Outbox.sol:Outbox" ;;
+    *)
+      echo "" ;;
+  esac
+}
+
+# Append libraries as separate flags: --libraries file:Contract:address
+append_libraries_flags() {
+  local record_json="$1"
+  local -n __cmd_ref=$2
+  while IFS= read -r lib; do
+    [[ -z "$lib" ]] && continue
+    local file contract address
+    file=$(echo "$lib" | jq -r .file)
+    contract=$(echo "$lib" | jq -r .contract)
+    address=$(echo "$lib" | jq -r .address)
+    if [[ -n "$file" && -n "$contract" && -n "$address" ]]; then
+      __cmd_ref+=(--libraries "$file:$contract:$address")
+    fi
+  done < <(echo "$record_json" | jq -c '.libraries[]?')
+}
+
+# Iterate records
+records_len=$(jq '.records | length' "$JSON_PATH")
+echo "Verifying $records_len contracts from $JSON_PATH on chain $CHAIN_VALUE"
+
+# First, verify all unique libraries referenced across records
+declare -A __libs_seen
+mapfile -t __all_libs < <(jq -c '.records[].libraries[]?' "$JSON_PATH")
+if [[ ${#__all_libs[@]} -gt 0 ]]; then
+  echo "Found ${#__all_libs[@]} library references. Verifying unique libraries first..."
+  for lib in "${__all_libs[@]}"; do
+    file=$(echo "$lib" | jq -r .file)
+    contract=$(echo "$lib" | jq -r .contract)
+    address=$(echo "$lib" | jq -r .address)
+    key="$file:$contract:$address"
+    if [[ -z "${__libs_seen[$key]:-}" ]]; then
+      __libs_seen[$key]=1
+      echo "==> Verifying library $contract at $address"
+      echo "    FQN: $file:$contract"
+      forge verify-contract \
+        --chain "$CHAIN_VALUE" \
+        --etherscan-api-key "$API_KEY_VALUE" \
+        "$address" "$file:$contract" \
+        --compiler-version v0.8.27
+
+      sourcify_import "$address"
+    fi
+  done
+fi
+
+for i in $(seq 0 $((records_len - 1))); do
+  rec=$(jq -c ".records[$i]" "$JSON_PATH")
+  name=$(echo "$rec" | jq -r .name)
+  addr=$(echo "$rec" | jq -r .address)
+  ctor=$(echo "$rec" | jq -r .constructorArgsHex)
+  fqn=$(resolve_fqn "$name")
+
+  if [[ -z "$fqn" ]]; then
+    echo "[skip] Unknown contract name '$name' at $addr" >&2
+    continue
+  fi
+
+  cmd=(forge verify-contract --chain "$CHAIN_VALUE" --etherscan-api-key "$API_KEY_VALUE" "$addr" "$fqn" --compiler-version v0.8.27)
+  if [[ -n "$ctor" && "$ctor" != "0x" ]]; then
+    cmd+=(--constructor-args "$ctor")
+  fi
+  append_libraries_flags "$rec" cmd
+
+  echo "==> Verifying $name at $addr"
+  echo "    FQN: $fqn"
+  libs_summary=$(echo "$rec" | jq -r '.libraries[]? | "\(.file):\(.contract):\(.address)"' | paste -sd "," -)
+  if [[ -n "$libs_summary" ]]; then echo "    Libraries: $libs_summary"; fi
+  if [[ -n "$ctor" && "$ctor" != "0x" ]]; then echo "    Constructor args: (hex) ${#ctor} bytes"; fi
+
+  "${cmd[@]}"
+
+  # Wait a bit to ensure etherscan verification is complete
+  sleep 5
+
+  sourcify_import "$addr"
+done
+
+echo "All verification commands executed."
+
+

yarn-project/cli/src/cmds/l1/deploy_l1_contracts.ts

@@ -19,6 +19,7 @@ export async function deployL1Contracts(
   sponsoredFPC: boolean,
   acceleratedTestDeployments: boolean,
   json: boolean,
+  createVerificationJson: string | false,
   initialValidators: EthAddress[],
   realVerifier: boolean,
   log: LogFn,
@@ -50,6 +51,7 @@ export async function deployL1Contracts(
     acceleratedTestDeployments,
     config,
     realVerifier,
+    createVerificationJson,
     debugLogger,
   );
 
@@ -77,6 +79,7 @@ export async function deployL1Contracts(
     log(`SlashFactory Address: ${l1ContractAddresses.slashFactoryAddress?.toString()}`);
     log(`FeeAssetHandler Address: ${l1ContractAddresses.feeAssetHandlerAddress?.toString()}`);
     log(`StakingAssetHandler Address: ${l1ContractAddresses.stakingAssetHandlerAddress?.toString()}`);
+    log(`ZK Passport Verifier Address: ${l1ContractAddresses.zkPassportVerifierAddress?.toString()}`);
     log(`Initial funded accounts: ${initialFundedAccounts.map(a => a.toString()).join(', ')}`);
     log(`Initial validators: ${initialValidators.map(a => a.toString()).join(', ')}`);
     log(`Genesis archive root: ${genesisArchiveRoot.toString()}`);

yarn-project/cli/src/cmds/l1/index.ts

@@ -46,6 +46,7 @@ export function injectCommands(program: Command, log: LogFn, debugLogger: Logger
     .option('--sponsored-fpc', 'Populate genesis state with a testing sponsored FPC contract')
     .option('--accelerated-test-deployments', 'Fire and forget deployment transactions, use in testing only', false)
     .option('--real-verifier', 'Deploy the real verifier', false)
+    .option('--create-verification-json [path]', 'Create JSON file for etherscan contract verification', false)
     .action(async options => {
       const { deployL1Contracts } = await import('./deploy_l1_contracts.js');
 
@@ -62,6 +63,7 @@ export function injectCommands(program: Command, log: LogFn, debugLogger: Logger
         options.sponsoredFpc,
         options.acceleratedTestDeployments,
         options.json,
+        options.createVerificationJson,
         initialValidators,
         options.realVerifier,
         log,

yarn-project/cli/src/utils/aztec.ts

@@ -58,6 +58,7 @@ export async function deployAztecContracts(
   acceleratedTestDeployments: boolean,
   config: L1ContractsConfig,
   realVerifier: boolean,
+  createVerificationJson: string | false,
   debugLogger: Logger,
 ): Promise<DeployL1ContractsReturnType> {
   const { createEthereumChain, deployL1Contracts } = await import('@aztec/ethereum');
@@ -70,7 +71,7 @@ export async function deployAztecContracts(
 
   const { getVKTreeRoot } = await import('@aztec/noir-protocol-circuits-types/vk-tree');
 
-  return await deployL1Contracts(
+  const result = await deployL1Contracts(
     chain.rpcUrls,
     account,
     chain.chainInfo,
@@ -87,7 +88,10 @@ export async function deployAztecContracts(
       ...config,
     },
     config,
+    createVerificationJson,
   );
+
+  return result;
 }
 
 export async function deployNewRollupContracts(

yarn-project/ethereum/package.json

@@ -32,6 +32,7 @@
   ],
   "dependencies": {
     "@aztec/blob-lib": "workspace:^",
+    "@aztec/constants": "workspace:^",
     "@aztec/foundation": "workspace:^",
     "@aztec/l1-artifacts": "workspace:^",
     "@viem/anvil": "^0.0.10",

yarn-project/ethereum/src/contracts/registry.test.ts

@@ -63,6 +63,9 @@ describe('Registry', () => {
       'stakingAssetHandlerAddress',
       'zkPassportVerifierAddress',
     );
+    // Updating the coin issuer address to the deployer address bc we don't yet set CoinIssuer contract as the owner of the fee asset
+    // TODO: should remove once #16630 is merged
+    deployedAddresses.coinIssuerAddress = EthAddress.fromString(privateKey.address);
     registry = new RegistryContract(l1Client, deployedAddresses.registryAddress);
 
     const rollup = new RollupContract(l1Client, deployedAddresses.rollupAddress);