From fef4ab0579f57ed3759f2b2ac346b1670e65e6a0 Mon Sep 17 00:00:00 2001
From: Stephen Buttolph
Date: Mon, 7 Apr 2025 15:33:26 -0400
Subject: [PATCH 1/3] Verify key length in range proofs

---
 trie/proof.go | 4 ++++
 trie/proof.libevm_test.go | 48 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 trie/proof.libevm_test.go

diff --git a/trie/proof.go b/trie/proof.go
index a7874afd35b..cb8fc858196 100644
--- a/trie/proof.go
+++ b/trie/proof.go
@@ -487,6 +487,10 @@ func VerifyRangeProof(rootHash common.Hash, firstKey []byte, keys [][]byte, valu
 }
 // Ensure the received batch is monotonic increasing and contains no deletions
 for i := 0; i < len(keys)-1; i++ {
+ // See: https://github.com/ava-labs/coreth/issues/907
+ if len(keys[i]) != len(keys[i+1]) {
+ return false, errors.New("keys do not have constant length")
+ }
 if bytes.Compare(keys[i], keys[i+1]) >= 0 {
 return false, errors.New("range is not monotonically increasing")
 }
diff --git a/trie/proof.libevm_test.go b/trie/proof.libevm_test.go
new file mode 100644
index 00000000000..97d672145a3
--- /dev/null
+++ b/trie/proof.libevm_test.go
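Review bot: The length check added to the loop in `VerifyRangeProof` (trie/proof.go) compares only adjacent entries of `keys`, so `firstKey` is never compared against them and a batch holding a single key skips the loop body entirely. Whether a `firstKey` of a different length matters is not visible from this hunk and is worth confirming, since the surrounding comment describes the batch as received data. The comment above the check is only an issue link; I would state the invariant next to it, for example `// Keys must all have the same length: a shorter key that is a prefix of its successor would still pass the ordering check below.` The function starts and continues outside the hunk.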
@@ -0,0 +1,48 @@
+// Copyright 2015 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see .
+
+package trie
+
+import (
+ "testing"
+
+ "github.com/ava-labs/libevm/common"
+)
+
+func TestRangeProofKeysWithDifferentLengths(t *testing.T) {
+ var (
+ root = common.HexToHash("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+ start = common.Hex2Bytes("0000000000000000000000000000000000000000000000000000000000000000")
+ keys = [][]byte{
+ common.Hex2Bytes("1000000000000000000000000000000"),
+ common.Hex2Bytes("1000000000000000000000000000000000000000000000000000000000000000"),
+ }
+ values = [][]byte{
+ common.Hex2Bytes("02"),
+ common.Hex2Bytes("03"),
+ }
+ )
+ _, err := VerifyRangeProof(
+ root,
+ start,
+ keys,
+ values,
+ nil, // force it to use stacktrie
+ )
+ if err == nil {
+ t.Fatalf("unexpectedly verified invalid range proof: %v", err)
+ }
+}
From cfc3b2e76682ad021415799dcd354cfc2351c060 Mon Sep 17 00:00:00 2001
From: Stephen Buttolph
Date: Mon, 7 Apr 2025 15:34:56 -0400
Subject: [PATCH 2/3] update license

---
 trie/proof.libevm_test.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/trie/proof.libevm_test.go b/trie/proof.libevm_test.go
index 97d672145a3..cdf4acc483a 100644
--- a/trie/proof.libevm_test.go
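Review bot: The first entry of `keys` in `TestRangeProofKeysWithDifferentLengths` (trie/proof.libevm_test.go) looks like an odd-length hex string, 31 digits by my count. As far as I know `common.Hex2Bytes` discards the decode error, so the test would receive a truncated key and the length it actually exercises is implicit. An even-length literal with a comment such as `// shorter key: a strict prefix of the 32-byte key below` would make the intended case explicit and keep the test from depending on how malformed hex is decoded.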
+++ b/trie/proof.libevm_test.go
@@ -1,18 +1,18 @@
-// Copyright 2015 The go-ethereum Authors
-// This file is part of the go-ethereum library.
+// Copyright 2025 the libevm authors.
 //
-// The go-ethereum library is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Lesser General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
+// The libevm additions to go-ethereum are free software: you can redistribute
+// them and/or modify them under the terms of the GNU Lesser General Public License
+// as published by the Free Software Foundation, either version 3 of the License,
+// or (at your option) any later version.
 //
-// The go-ethereum library is distributed in the hope that it will be useful,
+// The libevm additions are distributed in the hope that they will be useful,
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Lesser General Public License for more details.
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+// General Public License for more details.
 //
 // You should have received a copy of the GNU Lesser General Public License
-// along with the go-ethereum library. If not, see .
+// along with the go-ethereum library. If not, see
+// .

 package trie

From 3cbe139602ba8c5facf565680be7f4af344ee001 Mon Sep 17 00:00:00 2001
From: Stephen Buttolph
Date: Mon, 7 Apr 2025 16:52:28 -0400
Subject: [PATCH 3/3] Use global error

---
 trie/proof.go | 2 +-
 trie/proof.libevm.go | 23 +++++++++++++++++++++++
 trie/proof.libevm_test.go | 6 +++---
 3 files changed, 27 insertions(+), 4 deletions(-)
 create mode 100644 trie/proof.libevm.go

diff --git a/trie/proof.go b/trie/proof.go
index cb8fc858196..e8ba8be7eb6 100644
--- a/trie/proof.go
+++ b/trie/proof.go
@@ -489,7 +489,7 @@ func VerifyRangeProof(rootHash common.Hash, firstKey []byte, keys [][]byte, valu
 for i := 0; i < len(keys)-1; i++ {
 // See: https://github.com/ava-labs/coreth/issues/907
 if len(keys[i]) != len(keys[i+1]) {
- return false, errors.New("keys do not have constant length")
+ return false, errKeysHaveDifferentLengths
 }
 if bytes.Compare(keys[i], keys[i+1]) >= 0 {
 return false, errors.New("range is not monotonically increasing")
diff --git a/trie/proof.libevm.go b/trie/proof.libevm.go
new file mode 100644
index 00000000000..b7b63ac66a1
--- /dev/null
+++ b/trie/proof.libevm.go
@@ -0,0 +1,23 @@
+// Copyright 2025 the libevm authors.
+//
+// The libevm additions to go-ethereum are free software: you can redistribute
+// them and/or modify them under the terms of the GNU Lesser General Public License
+// as published by the Free Software Foundation, either version 3 of the License,
+// or (at your option) any later version.
+//
+// The libevm additions are distributed in the hope that they will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+// General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see
+// .
+
+package trie
+
+import (
+ "errors"
+)
+
+var errKeysHaveDifferentLengths = errors.New("keys have different lengths")
diff --git a/trie/proof.libevm_test.go b/trie/proof.libevm_test.go
index cdf4acc483a..17b2ddc398d 100644
--- a/trie/proof.libevm_test.go
+++ b/trie/proof.libevm_test.go
@@ -19,6 +19,8 @@ package trie
 import (
 "testing"

+ "github.com/stretchr/testify/require"
+
 "github.com/ava-labs/libevm/common"
 )
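Review bot: `errKeysHaveDifferentLengths` in the new trie/proof.libevm.go has no doc comment and is unexported, so callers outside package `trie` cannot match it with `errors.Is` and are left comparing message text. If callers are expected to tell a malformed batch apart from other verification failures, an exported name would be needed. Otherwise a comment is enough, e.g. `// errKeysHaveDifferentLengths is returned by VerifyRangeProof when the keys of a range are not all the same length.`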
@@ -42,7 +44,5 @@ func TestRangeProofKeysWithDifferentLengths(t *testing.T) {
 values,
 nil, // force it to use stacktrie
 )
- if err == nil {
- t.Fatalf("unexpectedly verified invalid range proof: %v", err)
- }
+ require.ErrorIs(t, err, errKeysHaveDifferentLengths)
 }