feat: electra timing fix (#1620)

# v1.6.1 Electra Timing Fix

Fixes a bug on EigenPods regarding partial withdrawals for Electra.
Please read the
[explainer](https://hackmd.io/@rNlehaDSRBydbF_i_McDcw/ByyodLJ9ex) for a
detailed description of the bug. **No action is needed and no customer
funds are at risk.**

## Release Manager

@ypatil12 @nadir-akhtar @gpsanant 

## Highlights

🐛 *Bug Fixes*
- Update the `EigenPod.requestWithdrawal` function to ensure that
validators are pointed to the pod, matching the behavior of
`requestConsolidation`

🔧 *Improvements*
- Update the `EigenPod.verifyWithdrawalCredentials` function to only
accept `beaconTimestamps` that are after the
`latestCheckpointTimestamp`. This enables the eigenpod state machine to
be easier to be reasoned about

**Full Changelog**:
v1.6.0...1.6.1

Author: ypatil12

CHANGELOG/CHANGELOG-1.6.1.md

@@ -0,0 +1,16 @@
+# v1.6.1 Electra Timing Fix
+
+Fixes a bug on EigenPods regarding partial withdrawals for Electra. Please read the [explainer](https://hackmd.io/@rNlehaDSRBydbF_i_McDcw/ByyodLJ9ex) for a detailed description of the bug. **No action is needed and no customer funds are at risk.**
+
+## Release Manager
+
+@ypatil12 
+
+## Highlights
+
+🐛 *Bug Fixes*
+- Update the `EigenPod.requestWithdrawal` function to ensure that validators are pointed to the pod, matching the behavior of `requestConsolidation`
+
+🔧 *Improvements*
+- Update the `EigenPod.verifyWithdrawalCredentials` function to only accept `beaconTimestamps` that are after the `latestCheckpointTimestamp`. This enables the eigenpod state machine to be easier to be reasoned about 
+

CHANGELOG/CHANGELOG-1.8.0-all.md

@@ -0,0 +1,66 @@
+# v1.8.0-testnet-final
+
+The below release notes cover the updated version release candidate for multichain and hourglass
+
+# Release Manager
+
+@ypatil12 @eigenmikem @rajath0x
+
+# Multichain
+
+## Highlights
+
+⛔ Breaking Changes
+- The leaves of merkle trees used by the `OperatorTableUpdater` and `BN254CertificateVerifier` are now salted. The [`LeafCalculatorMixin`]() is used by:
+   - `OperatorTableUpdater`: To salt the `operatorTableLeaf` via `calculateOperatorTableLeaf`. This change is also reflected in the [offchain transporter](https://github.com/Layr-Labs/multichain-go/pull/19)
+   - `BN254CertificateVerifier`: To salt the `operatorInfoLeaf` via `calculateOperatorInfoLeaf`. BN254 OperatorSets MUST update their table calculators to use the new `BN254TableCalculatorBase` in the [`middleware repo`](https://github.com/Layr-Labs/eigenlayer-middleware/blob/dev/src/middlewareV2/tableCalculator/BN254TableCalculatorBase.sol)
+- Nonsigners in the `BN254CertificateVerifier` are now sorted by operator index. See [PR #1615](https://github.com/layr-labs/eigenlayer-contracts/pull/1615). All offchain aggregators MUST sort nonsigners by operator index
+- The `BN254CertificateVerifier` now requires signatures over the `referenceTimestamp` via `calculateCertificateDigest`. See [PR #1610](https://github.com/layr-labs/eigenlayer-contracts/pull/1610)
+
+🛠️ Security Fixes
+- The merkle library has been updated to address minor audit issues. No breaking changes. See [PR #1606](https://github.com/layr-labs/eigenlayer-contracts/pull/1606)
+- Audit fixes for the `ReleaseManager`. See [PR #1608](https://github.com/layr-labs/eigenlayer-contracts/pull/1608)
+
+🔧 Improvements
+- Introspection for operatorSets with active generation reservations: `hasActiveGenerationReservation`. See [PR #1589](https://github.com/layr-labs/eigenlayer-contracts/pull/1589)
+- Clearer error messages/natspec:
+   - [PR #1602](https://github.com/layr-labs/eigenlayer-contracts/pull/1602)
+   - [PR #1587](https://github.com/layr-labs/eigenlayer-contracts/pull/1587)
+   - [PR #1585](https://github.com/layr-labs/eigenlayer-contracts/pull/1585)
+   - [PR #1562](https://github.com/layr-labs/eigenlayer-contracts/pull/1562)
+   - [PR #1567](https://github.com/layr-labs/eigenlayer-contracts/pull/1567)
+- Require `KeyType` to be set when creating a generation reservation. See [PR #1561](https://github.com/layr-labs/eigenlayer-contracts/pull/1561)
+
+🐛 Bug Fixes
+- Add pagination for querying active generation reservations. See [PR #1569](https://github.com/layr-labs/eigenlayer-contracts/pull/1569)
+- Fix race conditions on offchain table updates. See [PR #1575](https://github.com/layr-labs/eigenlayer-contracts/pull/1575)
+- Remove restrictive check on ECDSA certificates required to be confirmed against the latest `referenceTimestamp`. See [PR #1582](https://github.com/layr-labs/eigenlayer-contracts/pull/1582)
+
+## What's Changed
+- fix: enforce ordering of nonsigners in bn254CV [PR #1615](https://github.com/layr-labs/eigenlayer-contracts/pull/1615)
+- fix: releaseManager audit fixes [PR #1608](https://github.com/layr-labs/eigenlayer-contracts/pull/1608)
+- fix: include timestamp with BN254CertificateVerifier certificate generation [PR #1610](https://github.com/layr-labs/eigenlayer-contracts/pull/1610)
+- fix(audit): merkle library audit fixes [PR #1606](https://github.com/layr-labs/eigenlayer-contracts/pull/1606)
+- chore: clearer error message [PR #1602](https://github.com/layr-labs/eigenlayer-contracts/pull/1602)
+- chore: fmt and bindings
+- fix: elm-08
+- fix: elm-11(2) middleware ref typo
+- chore: bindings
+- fix: add `hasActiveGenerationReservation` [PR #1589](https://github.com/layr-labs/eigenlayer-contracts/pull/1589)
+- fix(h-03): add pagination [PR #1569](https://github.com/layr-labs/eigenlayer-contracts/pull/1569)
+- fix(docs): correct hash value in natspec [PR #1587](https://github.com/layr-labs/eigenlayer-contracts/pull/1587)
+- fix(h-04): race condition [PR #1575](https://github.com/layr-labs/eigenlayer-contracts/pull/1575)
+- docs: multichain natspec [PR #1584](https://github.com/layr-labs/eigenlayer-contracts/pull/1584)
+- fix(audit): add salt to Merkle leaf hashing [PR #1580](https://github.com/layr-labs/eigenlayer-contracts/pull/1580)
+- fix: check for key upon gen reservation [PR #1561](https://github.com/layr-labs/eigenlayer-contracts/pull/1561)
+- fix: remove unused imports [PR #1585](https://github.com/layr-labs/eigenlayer-contracts/pull/1585)
+- feat: update generator script [PR #1581](https://github.com/layr-labs/eigenlayer-contracts/pull/1581)
+- fix(m-01): remove restrictive check [PR #1582](https://github.com/layr-labs/eigenlayer-contracts/pull/1582)
+- fix(I-01): check input lengths [PR #1564](https://github.com/layr-labs/eigenlayer-contracts/pull/1564)
+- chore: clean up interfaces [PR #1562](https://github.com/layr-labs/eigenlayer-contracts/pull/1562)
+- fix: addressing pr comments [PR #1568](https://github.com/layr-labs/eigenlayer-contracts/pull/1568)
+- fix: correct ecdsa message hash check [PR #1563](https://github.com/layr-labs/eigenlayer-contracts/pull/1563)
+- fix: Release Manager internal review fixes [PR #1571](https://github.com/layr-labs/eigenlayer-contracts/pull/1571)
+- docs: multichain [PR #1567](https://github.com/layr-labs/eigenlayer-contracts/pull/1567)
+
+# Hourglass

…nnet (PEPE) - Sigma Prime - Jul 2024.pdf … Prime - Jul 2024 - Updated Aug 2025.pdfaudits/M4 Mainnet (PEPE) - Sigma Prime - Jul 2024.pdf renamed to audits/M4 Mainnet (PEPE) - Sigma Prime - Jul 2024 - Updated Aug 2025.pdf audits/M4 Mainnet (PEPE) - Sigma Prime - Jul 2024.pdf renamed to audits/M4 Mainnet (PEPE) - Sigma Prime - Jul 2024 - Updated Aug 2025.pdf

@@ -117,7 +117,7 @@ A withdrawal credential proof uses a validator's [`ValidatorIndex`][custom-types
 * `exit_epoch`: Initially set to `type(uint64).max`, this value is updated when a validator initiates exit from the beacon chain. **This method requires that a validator has not initiated an exit from the beacon chain.**
   * If a validator has been exited prior to calling `verifyWithdrawalCredentials`, their ETH can be accounted for, awarded shares, and/or withdrawn via the checkpoint system (see [Checkpointing Validators](#checkpointing-validators)).
 
-_Note that it is not required to verify your validator's withdrawal credentials_, unless you want to receive shares for ETH on the beacon chain. You may choose to use your `EigenPod` without verifying withdrawal credentials; you will still be able to withdraw yield (or receive shares for yield) via the [checkpoint system](#checkpointing-validators).
+_Note that it is not required to verify your validator's withdrawal credentials_, unless you want to receive shares for ETH on the beacon chain. You may choose to use your `EigenPod` without verifying withdrawal credentials; you will still be able to withdraw yield (or receive shares for yield) via the [checkpoint system](#checkpointing-validators). To account for ETH held on the beacon chain and to make execution layer partial withdrawal or full exits, this function *MUST* be called. 
 
 *Effects*:
 * For each set of unique verified withdrawal credentials:
@@ -135,6 +135,7 @@ _Note that it is not required to verify your validator's withdrawal credentials_
 * Input array lengths MUST be equal
 * `beaconTimestamp`:
     * MUST be greater than `currentCheckpointTimestamp`
+    * MUST be greater than `latestCheckpointTimestamp`
     * MUST be queryable via the [EIP-4788 oracle][eip-4788]. Generally, this means `beaconTimestamp` corresponds to a valid beacon block created within the last 8192 blocks (~27 hours).
 * `stateRootProof` MUST verify a `beaconStateRoot` against the `beaconBlockRoot` returned from the EIP-4788 oracle
 * For each validator:
@@ -411,6 +412,7 @@ This method allows the pod owner or proof submitter to submit validator withdraw
 * "Partial withdrawals" will exit a portion of a validator's balance from the beacon chain, down to 32 ETH. Any amount requested that would bring a validator's balance below 32 ETH is ignored.
 
 In order to initiate a withdrawal request:
+* The [`verifyWithdrawalCredentials`](#verifywithdrawalcredentials) function must be called to prove the validator exists within the pod
 * The predeploy requires a fee for each request. The current fee for the block can be queried using `getWithdrawalRequestFee`. This should be multiplied for each request in the passed-in `requests` array and provided as `msg.value`. The predeploy updates its fee each block depending on how many withdrawal requests are queued vs how many are processed.
     * Note that any unused fee is transferred back to `msg.sender` at the end of this method.
 * For partial withdrawals, note that the beacon chain will only process these if the validator has 0x02 withdrawal credentials.
@@ -430,7 +432,8 @@ Note that the beacon chain may "skip" a withdrawal request for many reasons. Thi
 * Pause status MUST NOT be set: `PAUSED_WITHDRAWAL_REQUESTS`
 * `msg.value` MUST be at least `getWithdrawalRequestFee() * requests.length`
 * For each `request` in `requests`:
-    * `request.pubkey` MUST have a length of 48
+    * The validator MUST have been proven to the pod
+    * `request.pubkey` MUST correspond to a validator whose withdrawal credentials are proven to point at the pod (`VALIDATOR_STATUS.ACTIVE`)
 * If excess `msg.value` was provided, the transfer of the excess back to `msg.sender` MUST succeed.
 
 ---

docs/core/EigenPod.md

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.12;
+
+import {EOADeployer} from "zeus-templates/templates/EOADeployer.sol";
+import "../Env.sol";
+
+import "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
+import "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol";
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+/**
+ * Purpose: use an EOA to deploy all of the new contracts for this upgrade.
+ */
+contract Deploy is EOADeployer {
+    using Env for *;
+
+    /// forgefmt: disable-next-item
+    function _runAsEOA() internal override {
+        vm.startBroadcast();
+
+
+        // We are upgrading 1 contract: EigenPod
+        deployImpl({
+            name: type(EigenPod).name,
+            deployedTo: address(
+                new EigenPod({
+                    _ethPOS: Env.ethPOS(),
+                    _eigenPodManager: Env.proxy.eigenPodManager(),
+                    _version: Env.deployVersion()
+                })
+            )
+        });
+
+        vm.stopBroadcast();
+    }
+
+    function testScript() public virtual {
+        super.runAsEOA();
+
+        _validateNewImplAddresses({areMatching: false});
+        _validateProxyAdmins();
+        _validateImplConstructors();
+        _validateImplsInitialized();
+        _validateVersion();
+    }
+
+    /// @dev Validate that the `Env.impl` addresses are updated to be distinct from what the proxy
+    /// admin reports as the current implementation address.
+    ///
+    /// Note: The upgrade script can call this with `areMatching == true` to check that these impl
+    /// addresses _are_ matches.
+    function _validateNewImplAddresses(
+        bool areMatching
+    ) internal view {
+        function (bool, string memory) internal pure assertion = areMatching ? _assertTrue : _assertFalse;
+
+        assertion(Env.beacon.eigenPod().implementation() == address(Env.impl.eigenPod()), "eigenPod impl failed");
+    }
+
+    /// @dev Ensure each deployed TUP/beacon is owned by the proxyAdmin/executorMultisig
+    function _validateProxyAdmins() internal view {
+        assertTrue(Env.beacon.eigenPod().owner() == Env.executorMultisig(), "eigenPod beacon owner incorrect");
+    }
+
+    /// @dev Validate the immutables set in the new implementation constructors
+    function _validateImplConstructors() internal view {
+        {
+            /// EigenPod
+            EigenPod eigenPod = Env.impl.eigenPod();
+            assertTrue(eigenPod.ethPOS() == Env.ethPOS(), "ep.ethPOS invalid");
+            assertTrue(eigenPod.eigenPodManager() == Env.proxy.eigenPodManager(), "ep.epm invalid");
+            assertTrue(_strEq(eigenPod.version(), Env.deployVersion()), "ep.version failed");
+        }
+    }
+
+    /// @dev Call initialize on all deployed implementations to ensure initializers are disabled
+    function _validateImplsInitialized() internal {
+        bytes memory errInit = "Initializable: contract is already initialized";
+
+        /// EigenPod
+        EigenPod eigenPod = Env.impl.eigenPod();
+        vm.expectRevert(errInit);
+        eigenPod.initialize(address(0));
+    }
+
+    function _validateVersion() internal view {
+        // On future upgrades, just tick the major/minor/patch to validate
+        string memory expected = Env.deployVersion();
+
+        assertEq(Env.impl.eigenPod().version(), expected, "eigenPod version mismatch");
+    }
+
+    /// @dev Query and return `proxyAdmin.getProxyImplementation(proxy)`
+    function _getProxyImpl(
+        address proxy
+    ) internal view returns (address) {
+        return ProxyAdmin(Env.proxyAdmin()).getProxyImplementation(ITransparentUpgradeableProxy(proxy));
+    }
+
+    /// @dev Query and return `proxyAdmin.getProxyAdmin(proxy)`
+    function _getProxyAdmin(
+        address proxy
+    ) internal view returns (address) {
+        return ProxyAdmin(Env.proxyAdmin()).getProxyAdmin(ITransparentUpgradeableProxy(proxy));
+    }
+
+    function _assertTrue(bool b, string memory err) private pure {
+        assertTrue(b, err);
+    }
+
+    function _assertFalse(bool b, string memory err) private pure {
+        assertFalse(b, err);
+    }
+
+    function _strEq(string memory a, string memory b) private pure returns (bool) {
+        return keccak256(bytes(a)) == keccak256(bytes(b));
+    }
+}

script/releases/v1.6.1-moocow-updates/1-deployContracts.s.sol

@@ -0,0 +1,71 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.12;
+
+import {Deploy} from "./1-deployContracts.s.sol";
+import "../Env.sol";
+
+import {MultisigBuilder} from "zeus-templates/templates/MultisigBuilder.sol";
+import {Encode, MultisigCall} from "zeus-templates/utils/Encode.sol";
+
+import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";
+
+/**
+ * Purpose:
+ *      * enqueue a multisig transaction which;
+ *             - upgrades EP
+ *  This should be run via the operations multisig.
+ */
+contract QueueUpgrade is MultisigBuilder, Deploy {
+    using Env for *;
+    using Encode for *;
+
+    function _runAsMultisig() internal virtual override prank(Env.communityMultisig()) {
+        bytes memory calldata_to_executor = _getCalldataToExecutor();
+
+        (bool success,) = address(Env.executorMultisig()).call(calldata_to_executor);
+        assertTrue(success, "Upgrade failed");
+    }
+
+    /// @dev Get the calldata to be sent from the timelock to the executor
+    function _getCalldataToExecutor() internal returns (bytes memory) {
+        /// forgefmt: disable-next-item
+        MultisigCall[] storage executorCalls = Encode.newMultisigCalls().append({
+            to: address(Env.beacon.eigenPod()),
+            data: Encode.upgradeableBeacon.upgradeTo({
+                newImpl: address(Env.impl.eigenPod())
+            })
+        });
+
+        return Encode.gnosisSafe.execTransaction({
+            from: address(Env.communityMultisig()),
+            to: Env.multiSendCallOnly(),
+            op: Encode.Operation.DelegateCall,
+            data: Encode.multiSend(executorCalls)
+        });
+    }
+
+    function testScript() public virtual override {
+        runAsEOA();
+
+        execute();
+
+        _validateNewImplAddresses({areMatching: true});
+        _validateProxyAdmins();
+        _validateProxyConstructors();
+    }
+
+    /// @dev Mirrors the checks done in 1-deployContracts, but now we check each contract's
+    /// proxy, as the upgrade should mean that each proxy can see these methods/immutables
+    function _validateProxyConstructors() internal view {
+        {
+            UpgradeableBeacon eigenPodBeacon = Env.beacon.eigenPod();
+            assertTrue(eigenPodBeacon.implementation() == address(Env.impl.eigenPod()), "eigenPodBeacon.impl invalid");
+
+            /// EigenPod
+            EigenPod eigenPod = Env.impl.eigenPod();
+            assertTrue(eigenPod.ethPOS() == Env.ethPOS(), "ep.ethPOS invalid");
+            assertTrue(eigenPod.eigenPodManager() == Env.proxy.eigenPodManager(), "ep.epm invalid");
+            assertEq(eigenPod.version(), Env.deployVersion(), "ep.version failed");
+        }
+    }
+}

script/releases/v1.6.1-moocow-updates/2-executeUpgrade.s.sol

@@ -0,0 +1,15 @@
+{
+    "name": "moocow-updates",
+    "from": ">=1.6.0",
+    "to": "1.6.1",
+    "phases": [
+        {
+            "type": "eoa",
+            "filename": "1-deployContracts.s.sol"
+        },
+        {
+            "type": "multisig",
+            "filename": "2-executeUpgrade.s.sol"
+        }
+    ]
+}

script/releases/v1.6.1-moocow-updates/upgrade.json

@@ -76,6 +76,8 @@ interface IEigenPodErrors {
     error MsgValueNot32ETH();
     /// @dev Thrown when provided `beaconTimestamp` is too far in the past.
     error BeaconTimestampTooFarInPast();
+    /// @dev Thrown when provided `beaconTimestamp` is before the last checkpoint
+    error BeaconTimestampBeforeLatestCheckpoint();
     /// @dev Thrown when the pectraForkTimestamp returned from the EigenPodManager is zero
     error ForkTimestampZero();
 }

src/contracts/interfaces/IEigenPod.sol

@@ -225,6 +225,10 @@ contract EigenPod is
         // on an existing checkpoint.
         require(beaconTimestamp > currentCheckpointTimestamp, BeaconTimestampTooFarInPast());
 
+        // For sanity, we want to ensure that a newly-verified validator cannot be proven against state
+        // that has already been checkpointed. This check makes the state transitions easier to reason about.
+        require(beaconTimestamp > lastCheckpointTimestamp, BeaconTimestampBeforeLatestCheckpoint());
+
         // Verify passed-in `beaconStateRoot` against the beacon block root
         // forgefmt: disable-next-item
         BeaconChainProofs.verifyStateRoot({
@@ -321,8 +325,7 @@ contract EigenPod is
             // Ensure target has verified withdrawal credentials pointed at this pod
             bytes32 sourcePubkeyHash = _calcPubkeyHash(request.srcPubkey);
             bytes32 targetPubkeyHash = _calcPubkeyHash(request.targetPubkey);
-            ValidatorInfo memory target = validatorPubkeyHashToInfo(targetPubkeyHash);
-            require(target.status == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
+            require(validatorStatus(targetPubkeyHash) == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
 
             // Call the predeploy
             bytes memory callData = bytes.concat(request.srcPubkey, request.targetPubkey);
@@ -353,6 +356,9 @@ contract EigenPod is
             WithdrawalRequest calldata request = requests[i];
             bytes32 pubkeyHash = _calcPubkeyHash(request.pubkey);
 
+            // Ensure validator has verified withdrawal credentials pointed at this pod
+            require(validatorStatus(pubkeyHash) == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
+
             // Call the predeploy
             bytes memory callData = abi.encodePacked(request.pubkey, request.amountGwei);
             (bool ok,) = WITHDRAWAL_REQUEST_ADDRESS.call{value: fee}(callData);
@@ -736,7 +742,7 @@ contract EigenPod is
     /// @inheritdoc IEigenPod
     function validatorStatus(
         bytes32 pubkeyHash
-    ) external view returns (VALIDATOR_STATUS) {
+    ) public view returns (VALIDATOR_STATUS) {
         return _validatorPubkeyHashToInfo[pubkeyHash].status;
     }