withdrawal_safety heuristic

.devnet/addresses.json

@@ -0,0 +1,28 @@
+{
+  "AddressManager": "0x07F7735fEb88Db1560Cd783e2dC6A08a8fC8a656",
+  "BlockOracle": "0x042deb7f12Dad67215b7dD433f53B50C1C1bcb85",
+  "DisputeGameFactory": "0x1D76cd1460239F99516F165578b6A80EFb70f3C6",
+  "DisputeGameFactoryProxy": "0xF4544d11a7E18B129684212dE25FE4Efaff6eCE9",
+  "L1CrossDomainMessenger": "0xDa2332D0a7608919Cd331B1304Cd179129a90495",
+  "L1CrossDomainMessengerProxy": "0xcEc3E8946719ec314496898964e177c56d6dC0c0",
+  "L1ERC721Bridge": "0x806C2d0d2BDDFf9279CB2A8722F9117f0b0aDE73",
+  "L1ERC721BridgeProxy": "0x7Cabc92821a83c27122730685e689AE576Dcc003",
+  "L1StandardBridge": "0xcfBCbA6d9E84A3c4FaE0eda9684cE39a09aa2c8A",
+  "L1StandardBridgeProxy": "0xC8F10Ed818723152E782FCa54E782aA2C0fbE29f",
+  "L2OutputOracle": "0x8203dEBE6cD849358473715fD46FE9b1aE44C44D",
+  "L2OutputOracleProxy": "0x971196d5a89635821Ea8Bddb7345B5B5046Abff4",
+  "Mips": "0xc5E3069cF714625A6f4339549058ED310B15017E",
+  "OptimismMintableERC20Factory": "0x373B66bd178cb2716D5A9596B1a42Ed39b87A535",
+  "OptimismMintableERC20FactoryProxy": "0x8cF55BA8cd44749618d68613577aE51194A72d9E",
+  "OptimismPortal": "0xD14AA6C7B6D92803F3910Ec1DADCCd0757341862",
+  "OptimismPortalProxy": "0x98e5D81f309284d009e95774E6CF81dCBF741E86",
+  "PreimageOracle": "0xC1327F8a7819f4ed1708Afb2e5cE4C810d3B6195",
+  "ProtocolVersions": "0x42F0bD8313ad456A38061308857b2383fe2c72a0",
+  "ProtocolVersionsProxy": "0xfa42a44338A39a08482A2B7b068B15988831BB68",
+  "ProxyAdmin": "0x9c788232CCDD4F0ff3F0e1E17cd874c9edba5932",
+  "SafeProxyFactory": "0x45d2490cC9EC86342BCa60F34D0cF720AbB0c015",
+  "SafeSingleton": "0x0628D5cD59439Ff8C39E2ADA97164766DedC60f7",
+  "SystemConfig": "0x3b6090d4ba84B94C20a789436B9010F340AaaC70",
+  "SystemConfigProxy": "0x1df7b00Fd625F3BC07afe8f93Ba946DA0cCAE75F",
+  "SystemOwnerSafe": "0xc97CbC808F98888b47777281534eeE6a0996A464"
+}

.devnet/devnetL1.json

@@ -0,0 +1,53 @@
+{
+  "l1ChainID": 900,
+  "l2ChainID": 901,
+  "l2BlockTime": 2,
+  "maxSequencerDrift": 300,
+  "sequencerWindowSize": 200,
+  "channelTimeout": 120,
+  "p2pSequencerAddress": "0x9965507D1a55bcC2695C58ba16FB37d819B0A4dc",
+  "batchInboxAddress": "0xff00000000000000000000000000000000000901",
+  "batchSenderAddress": "0x3C44CdDdB6a900fa2b585dd299e03d12FA4293BC",
+  "cliqueSignerAddress": "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266",
+  "l1UseClique": true,
+  "l1StartingBlockTag": "earliest",
+  "l2OutputOracleSubmissionInterval": 10,
+  "l2OutputOracleStartingTimestamp": 0,
+  "l2OutputOracleStartingBlockNumber": 0,
+  "l2OutputOracleProposer": "0x70997970C51812dc3A010C7d01b50e0d17dc79C8",
+  "l2OutputOracleChallenger": "0x15d34AAf54267DB7D7c367839AAf71A00a2C6A65",
+  "l2GenesisBlockGasLimit": "0x1c9c380",
+  "l1BlockTime": 3,
+  "baseFeeVaultRecipient": "0x14dC79964da2C08b23698B3D3cc7Ca32193d9955",
+  "l1FeeVaultRecipient": "0x23618e81E3f5cdF7f54C3d65f7FBc0aBf5B21E8f",
+  "sequencerFeeVaultRecipient": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "baseFeeVaultMinimumWithdrawalAmount": "0x8ac7230489e80000",
+  "l1FeeVaultMinimumWithdrawalAmount": "0x8ac7230489e80000",
+  "sequencerFeeVaultMinimumWithdrawalAmount": "0x8ac7230489e80000",
+  "baseFeeVaultWithdrawalNetwork": "remote",
+  "l1FeeVaultWithdrawalNetwork": "remote",
+  "sequencerFeeVaultWithdrawalNetwork": "remote",
+  "proxyAdminOwner": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "finalSystemOwner": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "portalGuardian": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "finalizationPeriodSeconds": 2,
+  "fundDevAccounts": true,
+  "l2GenesisBlockBaseFeePerGas": "0x1",
+  "gasPriceOracleOverhead": 2100,
+  "gasPriceOracleScalar": 1000000,
+  "enableGovernance": true,
+  "governanceTokenSymbol": "OP",
+  "governanceTokenName": "Optimism",
+  "governanceTokenOwner": "0xa0Ee7A142d267C1f36714E4a8F75612F20a79720",
+  "eip1559Denominator": 50,
+  "eip1559Elasticity": 6,
+  "l1GenesisBlockTimestamp": "0x64c811bf",
+  "l2GenesisRegolithTimeOffset": "0x0",
+  "l2GenesisSpanBatchTimeOffset": "0x0",
+  "faultGameAbsolutePrestate": "0x03c7ae758795765c6664a5d39bf63841c71ff191e9189522bad8ebff5d4eca98",
+  "faultGameMaxDepth": 30,
+  "faultGameMaxDuration": 1200,
+  "systemConfigStartBlock": 0,
+  "requiredProtocolVersion": "0x0000000000000000000000000000000000000000000000000000000000000000",
+  "recommendedProtocolVersion": "0x0000000000000000000000000000000000000000000000000000000000000000"
+}

.github/workflows/test.yml

@@ -75,13 +75,13 @@ jobs:
       with:
         go-version: 1.21
 
-    - name: Install foundry
-      uses: foundry-rs/foundry-toolchain@v1
+    # - name: Install foundry
+    #   uses: foundry-rs/foundry-toolchain@v1
 
-    - name: Setup devnet Resources
-      id: devnet
-      run: |
-        make devnet-allocs
+    # - name: Setup devnet Resources
+    #   id: devnet
+    #   run: |
+    #     make devnet-allocs
 
     - name: Run E2E Integration Tests
       run: make e2e-test

.gitignore

@@ -4,5 +4,4 @@ config.env
 /.idea
 genesis.json
 alert-routing.yaml
-.devnet
 packages/contracts-bedrock/deploy-config/devnetL1.json

.golangci.yml

@@ -62,11 +62,11 @@ linters-settings:
         # Default: true
         skipRecvDeref: false
 
-  gomnd:
-    # List of function regex patterns to exclude from analysis.
-    # Default: []
-    ignored-functions:
-      -
+  # gomnd:
+  #   # List of function regex patterns to exclude from analysis.
+  #   # Default: []
+  #   ignored-functions:
+  #     - 
   gomodguard:
     blocked:
       # List of blocked modules.
@@ -144,7 +144,7 @@ linters:
     - gocritic # provides diagnostics that check for bugs, performance and style issues
     - gocyclo # computes and checks the cyclomatic complexity of functions
     - goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt
-    - gomnd # detects magic numbers
+    # - gomnd # detects magic numbers
     - gomodguard # allow and block lists linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations
     - goprintffuncname # checks that printf-like functions are named with f at the end
     - gosec # inspects source code for security problems
@@ -207,6 +207,7 @@ issues:
       linters:
         - gocritic
         - unparam
+
     - path: "_test\\.go"
       linters:
         - gocognit

Makefile

@@ -17,7 +17,7 @@ build-app:
 	@CGO_ENABLED=0 go build -a -tags netgo -o bin/$(APP_NAME) ./cmd/
 	@echo "Binary successfully built"
 
-run-app: 
+run-app:
 	@./bin/${APP_NAME}
 
 .PHONY: go-gen-mocks

docs/heuristics.markdown

@@ -74,11 +74,16 @@ curl --location --request POST 'http://localhost:8080/v0/heuristic' \
 }'
 ```
 
-## Withdrawal Enforcement
+## Withdrawal Safety
 
-**NOTE:** This heuristic requires an active RPC connection to both L1 and L2 networks.
+**NOTE:** This heuristic currently requires an active RPC connection to both L1/L2 networks as well as synced OP Indexer instance. Eventually withdrawal safety will be extended to run for `WithdrawalFinalized` and `MessagePassed` events. Using `MessagePassed` wouldn't require using an active OP Indexer instance since the event is emitted on the L2ToL1MessagePasser contract and doesn't have to be correlated from an L1 event.
+
+The hardcoded `withdrawal_safety` heuristic runs a suite of security invariants upon detection of a withdraw event. The invariants ran are as follows:
+1. The L1 withdrawal proven hash is present in the L2ToL1MessagePasser contract's internal state
+2. The withdraw amount isn't greater than the `OptimismPortal` contract's balance
+3. The withdraw amount isn't within `x%` of the `OptimismPortal` contract's balance
+4. The withdraw message hash is a valid L2 message hash
 
-The hardcoded `withdrawal_enforcement` heuristic scans for active `WithdrawalProven` events on an L1Portal contract. Once an event is detected, the heuristic proceeds to scan for the corresponding `withdrawlHash` event on the L2ToL1MesagePasser contract's internal state. If the `withdrawlHash` is not found, the heuristic alerts to slack.
 
 ### Parameters
 
@@ -97,7 +102,7 @@ curl --location --request POST 'http://localhost:8080/v0/heuristic' \
  "params": {
   "network": "layer1",
   "pipeline_type": "live",
-  "type": "withdrawal_enforcement",
+  "type": "withdrawal_safety",
   "start_height":  null,
   "alert_destination": "slack",
     "heuristic_params": {

e2e/alerting_test.go

@@ -71,7 +71,7 @@ func TestMultiDirectiveRouting(t *testing.T) {
 			return false, err
 		}
 
-		return height.Uint64() > receipt.BlockNumber.Uint64(), nil
+		return height != nil && height.Uint64() > receipt.BlockNumber.Uint64(), nil
 	}))
 
 	slackPosts := ts.TestSlackSvr.SlackAlerts()