Verify proof

james-toussaint · james-toussaint · commit 5b93acbec808 · 2025-11-18T17:02:31.000+01:00
diff --git a/contracts/utils/cryptography/TrieProof.sol b/contracts/utils/cryptography/TrieProof.sol
@@ -5,6 +5,7 @@ import {Bytes} from "../Bytes.sol";
 import {Strings} from "../Strings.sol";
 import {RLP} from "../RLP.sol";
 import {Math} from "../math/Math.sol";
+import {Memory} from "../Memory.sol";
 
 /**
  * @dev Library for verifying Ethereum Merkle-Patricia trie inclusion proofs.
@@ -15,6 +16,7 @@ import {Math} from "../math/Math.sol";
 library TrieProof {
     using Bytes for bytes;
     using RLP for *;
+    using Memory for Memory.Slice;
     using Strings for string;
 
     enum Prefix {
@@ -42,7 +44,7 @@ library TrieProof {
 
     struct Node {
         bytes encoded; // Raw RLP encoded node
-        RLP.Item[] decoded; // Decoded RLP items
+        Memory.Slice[] decoded; // Decoded RLP items
     }
 
     /// @dev The radix of the Ethereum trie (hexadecimal = 16)
@@ -127,6 +129,7 @@ library TrieProof {
                 // Otherwise, continue down the branch specified by the next nibble in the key
                 uint8 branchKey = uint8(key[keyIndex]);
                 (nodeId, keyIndex) = (_id(node.decoded[branchKey]), keyIndex + 1);
+                nodeId = node.decoded[11].readBytes(); // test
             } else if (nodeLength == LEAF_OR_EXTENSION_NODE_LENGTH) {
                 return _processLeafOrExtension(node, trieProof, key, nodeId, keyIndex, i);
             }
@@ -142,11 +145,15 @@ library TrieProof {
         Node memory node,
         uint256 keyIndex
     ) private pure returns (ProofError) {
-        if (keyIndex == 0 && !string(bytes.concat(keccak256(node.encoded))).equal(string(nodeId)))
-            return ProofError.INVALID_ROOT_HASH; // Root node must match root hash
-        if (node.encoded.length >= 32 && !string(bytes.concat(keccak256(node.encoded))).equal(string(nodeId)))
-            return ProofError.INVALID_LARGE_INTERNAL_HASH; // Large nodes are stored as hashes
-        if (!string(node.encoded).equal(string(nodeId))) return ProofError.INVALID_INTERNAL_NODE_HASH; // Small nodes must match directly
+        if (keyIndex == 0) {
+            if (!string(bytes.concat(keccak256(node.encoded))).equal(string(nodeId)))
+                return ProofError.INVALID_ROOT_HASH; // Root node must match root hash
+        } else if (node.encoded.length >= 32) {
+            if (!string(bytes.concat(keccak256(node.encoded))).equal(string(nodeId)))
+                return ProofError.INVALID_LARGE_INTERNAL_HASH; // Large nodes are stored as hashes
+        } else if (!string(node.encoded).equal(string(nodeId))) {
+            return ProofError.INVALID_INTERNAL_NODE_HASH; // Small nodes must match directly
+        }
         return ProofError.NO_ERROR; // No error
     }
 
@@ -165,14 +172,10 @@ library TrieProof {
         uint256 i
     ) private pure returns (bytes memory value, ProofError err) {
         bytes memory path = _path(node);
-        uint8 prefix = uint8(path[0]);
+        uint8 prefix = uint8(path[0] >> 4);
         uint8 offset = 2 - (prefix % 2); // Calculate offset based on even/odd path length
         bytes memory pathRemainder = Bytes.slice(path, offset); // Path after the prefix
         bytes memory keyRemainder = Bytes.slice(key, keyIndex); // Remaining key to match
-        uint256 sharedNibbleLength = _sharedNibbleLength(pathRemainder, keyRemainder);
-
-        // Path must match at least partially with our key
-        if (sharedNibbleLength == 0) return ("", ProofError.INVALID_PATH_REMAINDER);
         if (prefix > uint8(type(Prefix).max)) return ("", ProofError.UNKNOWN_NODE_PREFIX);
 
         // Leaf node (terminal) - return its value if key matches completely
@@ -181,7 +184,12 @@ library TrieProof {
             return _validateLastItem(node.decoded[1], trieProof, i);
         }
 
-        // Extension node (non-terminal) - continue to next node
+        // Extension node (non-terminal) - validate shared path & continue to next node
+        uint256 sharedNibbleLength = _sharedNibbleLength(pathRemainder, keyRemainder);
+        if (Prefix(prefix) == Prefix.EXTENSION_EVEN || Prefix(prefix) == Prefix.EXTENSION_ODD) {
+            // Path must match at least partially with our key
+            if (sharedNibbleLength == 0) return ("", ProofError.INVALID_PATH_REMAINDER);
+        }
         // Increment keyIndex by the number of nibbles consumed
         (nodeId, keyIndex) = (_id(node.decoded[1]), keyIndex + sharedNibbleLength);
     }
@@ -191,7 +199,7 @@ library TrieProof {
      * Ensures the value is not empty and no extra proof elements exist.
      */
     function _validateLastItem(
-        RLP.Item memory item,
+        Memory.Slice item,
         Node[] memory trieProof,
         uint256 i
     ) private pure returns (bytes memory value, ProofError) {
@@ -209,16 +217,17 @@ library TrieProof {
         uint256 length = proof.length;
         proof_ = new Node[](length);
         for (uint256 i = 0; i < length; i++) {
-            proof_[i] = Node(proof[i], proof[i].readList());
+            proof_[i] = Node(proof[i], proof[i].decodeList());
         }
     }
 
     /**
      * @dev Extracts the node ID (hash or raw data based on size).
      * For small nodes (<32 bytes), returns the raw bytes; for large nodes, returns the hash.
      */
-    function _id(RLP.Item memory node) private pure returns (bytes memory) {
-        return node.length < 32 ? node.readRawBytes() : node.readBytes();
+    function _id(Memory.Slice node) private pure returns (bytes memory) {
+        bytes memory raw = node.readBytes();
+        return raw.length < 32 ? raw : bytes.concat(keccak256(raw));
     }
 
     /**
diff --git a/test/utils/cryptography/TrieProof.test.js b/test/utils/cryptography/TrieProof.test.js
@@ -0,0 +1,178 @@
+const { ethers } = require('hardhat');
+const { expect } = require('chai');
+const { spawn } = require('child_process');
+
+const anvilPort = 8546;
+const ProofError = {
+  NO_ERROR: 0,
+  EMPTY_KEY: 1,
+  INDEX_OUT_OF_BOUNDS: 2,
+  INVALID_ROOT_HASH: 3,
+  INVALID_LARGE_INTERNAL_HASH: 4,
+  INVALID_INTERNAL_NODE_HASH: 5,
+  EMPTY_VALUE: 6,
+  INVALID_EXTRA_PROOF_ELEMENT: 7,
+  INVALID_PATH_REMAINDER: 8,
+  INVALID_KEY_REMAINDER: 9,
+  UNKNOWN_NODE_PREFIX: 10,
+  UNPARSEABLE_NODE: 11,
+  INVALID_PROOF: 12,
+};
+
+async function fixture() {
+  const anvil = spawn('anvil', ['--port', anvilPort], {
+    timeout: 30000,
+  }); // Method eth_getProof is not supported with default Hardhat Network
+  await new Promise(resolve => {
+    anvil.stdout.once('data', resolve);
+  });
+  if (process.env.ANVIL_LOGS === 'true') {
+    anvil.stdout.on('data', function (data) {
+      console.log(data.toString());
+    });
+  }
+  const provider = new ethers.JsonRpcProvider(`http://localhost:${anvilPort}`);
+  const account = await provider.getSigner(0);
+  const mock = (await ethers.deployContract('$TrieProof', account)).connect(account);
+  const storage = (await ethers.deployContract('StorageSlotMock', account)).connect(account);
+  return {
+    anvil,
+    provider,
+    mock,
+    storage,
+  };
+}
+
+describe('TrieProof', function () {
+  beforeEach(async function () {
+    Object.assign(this, await fixture());
+  });
+
+  afterEach(async function () {
+    this.anvil.kill();
+  });
+
+  describe('verify', function () {
+    it('returns true for a valid proof with leaf', async function () {
+      const slot = ethers.ZeroHash;
+      const tx = await this.storage.setUint256Slot(slot, 42);
+      const response = await this.provider.send('eth_getProof', [
+        this.storage.target,
+        [slot],
+        ethers.toBeHex(tx.blockNumber),
+      ]);
+      const { storageHash, storageProof } = response;
+      const { key, value, proof } = storageProof[0];
+      const result = await this.mock.$verify(key, value, proof, storageHash);
+      expect(result).is.true;
+    });
+
+    it('returns true for a valid proof with extension', async function () {
+      const slot0 = ethers.ZeroHash;
+      const slot1 = '0x0000000000000000000000000000000000000000000000000000000000000001';
+      await this.storage.setUint256Slot(slot0, 42);
+      const tx = await this.storage.setUint256Slot(slot1, 43);
+      const response = await this.provider.send('eth_getProof', [
+        this.storage.target,
+        [slot1],
+        ethers.toBeHex(tx.blockNumber),
+      ]);
+      const { storageHash, storageProof } = response;
+      const { key, value, proof } = storageProof[0];
+      const result = await this.mock.$verify(key, value, proof, storageHash);
+      expect(result).is.true;
+    });
+
+    it('fails to process proof with empty key', async function () {
+      const [value, error] = await this.mock.$processProof('0x', [], ethers.ZeroHash);
+      expect(value).to.equal('0x');
+      expect(error).to.equal(ProofError.EMPTY_KEY);
+    });
+
+    it.skip('fails to process proof with key index out of bounds', async function () {}); // TODO: INDEX_OUT_OF_BOUNDS
+
+    it('fails to process proof with invalid root hash', async function () {
+      const slot = ethers.ZeroHash;
+      const tx = await this.storage.setUint256Slot(slot, 42);
+      const { storageHash, storageProof } = await this.provider.send('eth_getProof', [
+        this.storage.target,
+        [slot],
+        ethers.toBeHex(tx.blockNumber),
+      ]);
+      const { key, proof } = storageProof[0];
+      const [processedValue, error] = await this.mock.$processProof(key, proof, ethers.keccak256(storageHash)); // Corrupt root hash
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.INVALID_ROOT_HASH);
+    });
+
+    it('fails to process proof with invalid internal large hash', async function () {
+      const slot0 = ethers.ZeroHash;
+      const slot1 = '0x0000000000000000000000000000000000000000000000000000000000000001';
+      await this.storage.setUint256Slot(slot0, 42);
+      const tx = await this.storage.setUint256Slot(slot1, 43);
+      const { storageHash, storageProof } = await this.provider.send('eth_getProof', [
+        this.storage.target,
+        [slot1],
+        ethers.toBeHex(tx.blockNumber),
+      ]);
+      const { key, proof } = storageProof[0];
+      proof[1] = ethers.toBeHex(BigInt(proof[1]) + 1n); // Corrupt internal large node hash
+      const [processedValue, error] = await this.mock.$processProof(key, proof, storageHash);
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.INVALID_LARGE_INTERNAL_HASH);
+    });
+
+    it.skip('fails to process proof with invalid internal short node', async function () {}); // TODO: INVALID_INTERNAL_NODE_HASH
+
+    it('fails to process proof with empty value', async function () {
+      const proof = [ethers.encodeRlp(['0x20', '0x'])]; // Corrupt proof to yield empty value
+      const [processedValue, error] = await this.mock.$processProof('0x00', proof, ethers.keccak256(proof[0]));
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.EMPTY_VALUE);
+    });
+
+    it('fails to process proof with invalid extra proof', async function () {
+      const slot0 = ethers.ZeroHash;
+      const tx = await this.storage.setUint256Slot(slot0, 42);
+      const { storageHash, storageProof } = await this.provider.send('eth_getProof', [
+        this.storage.target,
+        [slot0],
+        ethers.toBeHex(tx.blockNumber),
+      ]);
+      const { key, proof } = storageProof[0];
+      proof[1] = ethers.encodeRlp([]); // extra proof element
+      const [processedValue, error] = await this.mock.$processProof(key, proof, storageHash);
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.INVALID_EXTRA_PROOF_ELEMENT);
+    });
+
+    it('fails to process proof with invalid path remainder', async function () {
+      const proof = [ethers.encodeRlp(['0x0011', '0x'])]; // Corrupt proof to yield invalid path remainder
+      const [processedValue, error] = await this.mock.$processProof(ethers.ZeroHash, proof, ethers.keccak256(proof[0]));
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.INVALID_PATH_REMAINDER);
+    });
+
+    it.skip('fails to process proof with invalid key remainder', async function () {}); // TODO: INVALID_KEY_REMAINDER
+
+    it('fails to process proof with unknown node prefix', async function () {
+      const proof = [ethers.encodeRlp(['0x40', '0x'])];
+      const [processedValue, error] = await this.mock.$processProof('0x00', proof, ethers.keccak256(proof[0]));
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.UNKNOWN_NODE_PREFIX);
+    });
+
+    it('fails to process proof with unparsable node', async function () {
+      const proof = [ethers.encodeRlp(['0x00', '0x00', '0x00'])];
+      const [processedValue, error] = await this.mock.$processProof('0x00', proof, ethers.keccak256(proof[0]));
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.UNPARSEABLE_NODE);
+    });
+
+    it('fails to process proof with invalid proof', async function () {
+      const [processedValue, error] = await this.mock.$processProof('0x00', [], ethers.ZeroHash);
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.INVALID_PROOF);
+    });
+  });
+});
