feat(scroll): adapter and spokepool #381
Conversation
|
New dependencies detected. Learn more about Socket for GitHub ↗︎
|
james-a-morris
force-pushed
the
james/acx-1757-create-scroll-adapter
branch
2 times, most recently
from
cc2df44 to
4d1ea9e
Compare
james-a-morris
force-pushed
the
james/acx-1757-create-scroll-adapter
branch
from
19dc2de to
be030e4
Compare
james-a-morris
force-pushed
the
james/acx-1757-create-scroll-adapter
branch
from
c25b598 to
052c15e
Compare
james-a-morris
force-pushed
the
james/acx-1757-create-scroll-adapter
branch
from
2f99efd to
2130bf9
Compare
james-a-morris
changed the base branch from
master
to
james/rework-deploy-proxy
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Co-authored-by: Paul <108695806+pxrl@users.noreply.github.com>
james-a-morris
force-pushed
the
james/acx-1757-create-scroll-adapter
branch
from
8bd2e50 to
7be19cc
Compare
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
| // and it will not forward any ETH to the target contract on L2. However, | ||
| // we need to set the payable value to msg.value to ensure that the Scroll | ||
| // Bridge has enough gas to forward the message to L2. | ||
| l1ScrollMessenger.sendMessage{ value: _generateRelayerFee() }(target, 0, message, l2GasLimit); |
There was a problem hiding this comment.
If our gas limit is too high and gas is left unused on the destination, does that money get lost or is it refunded somehow?
There was a problem hiding this comment.
Per the TG group chat with the Scroll team, our ETH may get burned if we overestimate our gas limit. However, we were told in a previous message that 250,000 is an acceptable amount.
|
@nicholaspai @mrice32 @pxrl updated the test txns in this PR's description to the latest txn tests as of 300735d |
| // the address that sent the message from L1 to L2. If the calling contract | ||
| // isn't the Scroll messenger, then the xdomainMessageSender will be the zero | ||
| // address and *NOT* cross domain admin. | ||
| address _xDomainSender = l2ScrollMessenger.xDomainMessageSender(); |
There was a problem hiding this comment.
Can xDomainMessageSender be set to whatever a malicious contract wants it to or is it always the contract that is the target of the L1 to L2 message?
There was a problem hiding this comment.
(I'm going to go through each call in the stack so this might be longform, but tl;dr I believe we should be fine as long as we trust the chain)
Per master on scroll's official github ( link ), the xDomainMessenger is set to be the _from sender (sender of the L1 txn) here. The transaction stack is l2TokenMessenger calls relayMessage -> _executeMessage.
_executeMessage
function _executeMessage(
address _from,
address _to,
uint256 _value,
bytes memory _message,
bytes32 _xDomainCalldataHash
) internal {
// @note check more `_to` address to avoid attack in the future when we add more gateways.
require(_to != messageQueue, "Forbid to call message queue");
_validateTargetAddress(_to);
// @note This usually will never happen, just in case.
require(_from != xDomainMessageSender, "Invalid message sender");
the last line of this snippet always set to be the DEFAULT_XDOMAIN_MESSAGE_SENDER outside of this specific case. This is a call to ensure that doesn't happen
xDomainMessageSender = _from;
// solhint-disable-next-line avoid-low-level-calls
(bool success, ) = _to.call{value: _value}(_message);
// reset value to refund gas.
xDomainMessageSender = ScrollConstants.DEFAULT_XDOMAIN_MESSAGE_SENDER; <--- Immediately resets
...
}
In the above ^ it's only set to be read within the context of _to.call(...) and then is immediately reset
relayMessage
function relayMessage(
address _from,
address _to,
uint256 _value,
uint256 _nonce,
bytes memory _message
) external override whenNotPaused {
// It is impossible to deploy a contract with the same address, reentrance is prevented in nature.
require(AddressAliasHelper.undoL1ToL2Alias(_msgSender()) == counterpart, "Caller is not L1ScrollMessenger");
bytes32 _xDomainCalldataHash = keccak256(_encodeXDomainCalldata(_from, _to, _value, _nonce, _message));
require(!isL1MessageExecuted[_xDomainCalldataHash], "Message was already successfully executed");
_executeMessage(_from, _to, _value, _message, _xDomainCalldataHash);
}
From the above, what we're really looking for is that _msgSender() which is the msg.sender is the counterpart domain of the L1ScrollMessenger. Ergo if we pass that require, it must be the case that the calling contract is the trusted L2ScrollMessenger.
L2ScrollMessenger
We have an implicit trust that the L2ScrollMessenger is going to set things right.
|
@nicholaspai @mrice32 @dohaki I've added a second gas limit so that we can differentiate between arbitrary messages & token relays |
| * @notice Generates the relayer fee for a message to be sent to L2. | ||
| * @dev Function will revert if the contract does not have enough ETH to pay the fee. | ||
| */ | ||
| function _generateRelayerFeeForMessageRelay() internal view returns (uint256 l2Fee) { |
There was a problem hiding this comment.
would have implemented this with a single internal function where you pass in uint256 l2GasLimit.
Then, within relayTokens and relayMessage you pass in a different constant
There was a problem hiding this comment.
Done: e9b4443
Co-authored-by: nicholaspai <9457025+nicholaspai@users.noreply.github.com>
Signed-off-by: james-a-morris <jaamorris@cs.stonybrook.edu>
This PR creates the Chain Adapter for Scroll.
Sepolia Deployments for
L1 -> L2communication:Deployments:
Closes ACX-1753, ACX-1757, ACX-1765, ACX-1780