fix: fee related overflows (#20362)

There were a couple of potential issues with fee related overflows.

- The prover cost was stored in 63 bits but it is possible to overflow
that in multiple cases:
- The prover cost per mana could be up to 64 bits, so as long as aztec <
ether it can overflow for any sufficiently large prover cost per mana
defined by governance
- The L1 costs could be very high which together with token price and
the raw proving cost moves it beyond the limit
- The congestion cost likewise get impacted by the L1 costs and prover
costs, but also the congestion multiplier of.
- Given sufficiently high excess mana, it is possible for the congestion
multiplier computation to overflow.
- Given sufficiently high excess mana, it is possible for the next
header to overflow when trying to compress it.

To encounter any of these, the values must be absurd, e.g., we are
talking multiple thousands if not millions of gwei in gasprices on L1,
thousands of x of congestion multiplier and large small aztec token
prices.

However, as they are fairly simple to mitigate we will be doing so.
Mitigation for the congestion multiplier is especially important, since
overflows in there could be impossible to leave again as they "lag" and
only depends on the excess.

---

Mitigations:
- For the fee header we apply to the values that does not depend on the
current values only, e.g., `excessMana`, `congestionCost` and
`proverCost`
- When computing the summed fee we make a bound at uint128
- When computing the congestion multiplier we allow at most 100x the
denominator to keep it safe, but still insanely high.

The issues were pointed by spearbit, but as diving in found issues
around the max value `summedMinFee` being potentially larger then
`uint128` which would make it impossible to provide a matching header,
thereby causing infinite reverts. Similar for the `excessMana` as it
only depends on historical values could end up always reverting if
overflowing.

Hitting any of those cases is completely unrealistic (fee would be
e^100). But better safe than sorry on this, as it could happen and that
case would be a real pain.

Author: LHerskind

l1-contracts/src/core/libraries/compressed-data/fees/FeeStructs.sol

@@ -3,6 +3,7 @@
 pragma solidity >=0.8.27;
 
 import {CompressedSlot} from "@aztec/shared/libraries/CompressedTimeMath.sol";
+import {Math} from "@oz/utils/math/Math.sol";
 import {SafeCast} from "@oz/utils/math/SafeCast.sol";
 
 // We are using a type instead of a struct as we don't want to throw away a full 8 bits
@@ -102,13 +103,14 @@ library FeeHeaderLib {
   function compress(FeeHeader memory _feeHeader) internal pure returns (CompressedFeeHeader) {
     uint256 value = 0;
     value |= uint256(_feeHeader.manaUsed.toUint32());
-    value |= uint256(_feeHeader.excessMana.toUint48()) << 32;
+    // Cap excessMana to uint48 max to prevent overflow during compression.
+    value |= Math.min(_feeHeader.excessMana, MASK_48_BITS) << 32;
     value |= uint256(_feeHeader.ethPerFeeAsset.toUint48()) << 80;
-    value |= uint256(_feeHeader.congestionCost.toUint64()) << 128;
-
-    uint256 proverCost = uint256(_feeHeader.proverCost.toUint64());
-    require(proverCost == proverCost & MASK_63_BITS);
-    value |= proverCost << 192;
+    // Cap congestionCost to uint64 max to prevent overflow during compression.
+    // The uncapped value is still used for fee validation; this only affects storage.
+    value |= Math.min(_feeHeader.congestionCost, MASK_64_BITS) << 128;
+    // Cap proverCost to uint63 max to prevent overflow during compression.
+    value |= Math.min(_feeHeader.proverCost, MASK_63_BITS) << 192;
 
     // Preheat
     value |= 1 << 255;

l1-contracts/src/core/libraries/rollup/FeeLib.sol

@@ -309,7 +309,11 @@ library FeeLib {
 
   function congestionMultiplier(uint256 _numerator) internal view returns (uint256) {
     FeeStore storage feeStore = getStorage();
-    return fakeExponential(MINIMUM_CONGESTION_MULTIPLIER, _numerator, feeStore.config.getCongestionUpdateFraction());
+    uint256 denominator = feeStore.config.getCongestionUpdateFraction();
+    // Cap the exponent to prevent overflow in the Taylor series.
+    // At e^100, the multiplier is ~2.69e43 * MINIMUM_CONGESTION_MULTIPLIER, more than enough
+    uint256 cappedNumerator = Math.min(_numerator, denominator * 100);
+    return fakeExponential(MINIMUM_CONGESTION_MULTIPLIER, cappedNumerator, denominator);
   }
 
   function computeManaLimit(uint256 _manaTarget) internal pure returns (uint256) {
@@ -342,7 +346,10 @@ library FeeLib {
   }
 
   function summedMinFee(ManaMinFeeComponents memory _components) internal pure returns (uint256) {
-    return _components.sequencerCost + _components.proverCost + _components.congestionCost;
+    // Cap at uint128 max to ensure the fee can always be represented in the proposal header's
+    // feePerL2Gas field (uint128). Without this cap, extreme congestion or parameter combinations
+    // could produce fees that no valid header can represent, causing a liveness failure.
+    return Math.min(_components.sequencerCost + _components.proverCost + _components.congestionCost, type(uint128).max);
   }
 
   function getStorage() internal pure returns (FeeStore storage storageStruct) {