Verify proof with hashed key

Author: james-toussaint

contracts/utils/cryptography/TrieProof.sol

@@ -35,6 +35,7 @@ library TrieProof {
         INVALID_INTERNAL_NODE_HASH, // Internal node hash doesn't match expected value
         EMPTY_VALUE, // The value to verify is empty
         INVALID_EXTRA_PROOF_ELEMENT, // Proof contains unexpected additional elements
+        MISMATCH_LEAF_PATH_KEY_REMAINDERS, // Leaf path remainder doesn't match key remainder
         INVALID_PATH_REMAINDER, // Path remainder doesn't match expected value
         INVALID_KEY_REMAINDER, // Key remainder doesn't match expected value
         UNKNOWN_NODE_PREFIX, // Node prefix is not recognized
@@ -129,7 +130,6 @@ library TrieProof {
                 // Otherwise, continue down the branch specified by the next nibble in the key
                 uint8 branchKey = uint8(key[keyIndex]);
                 (nodeId, keyIndex) = (_id(node.decoded[branchKey]), keyIndex + 1);
-                nodeId = node.decoded[11].readBytes(); // test
             } else if (nodeLength == LEAF_OR_EXTENSION_NODE_LENGTH) {
                 return _processLeafOrExtension(node, trieProof, key, nodeId, keyIndex, i);
             }
@@ -172,14 +172,16 @@ library TrieProof {
         uint256 i
     ) private pure returns (bytes memory value, ProofError err) {
         bytes memory path = _path(node);
-        uint8 prefix = uint8(path[0] >> 4);
+        uint8 prefix = uint8(path[0]);
         uint8 offset = 2 - (prefix % 2); // Calculate offset based on even/odd path length
         bytes memory pathRemainder = Bytes.slice(path, offset); // Path after the prefix
         bytes memory keyRemainder = Bytes.slice(key, keyIndex); // Remaining key to match
         if (prefix > uint8(type(Prefix).max)) return ("", ProofError.UNKNOWN_NODE_PREFIX);
 
         // Leaf node (terminal) - return its value if key matches completely
         if (Prefix(prefix) == Prefix.LEAF_EVEN || Prefix(prefix) == Prefix.LEAF_ODD) {
+            if (!string(pathRemainder).equal(string(keyRemainder)))
+                return ("", ProofError.MISMATCH_LEAF_PATH_KEY_REMAINDERS);
             if (keyRemainder.length == 0) return ("", ProofError.INVALID_KEY_REMAINDER);
             return _validateLastItem(node.decoded[1], trieProof, i);
         }
@@ -227,7 +229,7 @@ library TrieProof {
      */
     function _id(Memory.Slice node) private pure returns (bytes memory) {
         bytes memory raw = node.readBytes();
-        return raw.length < 32 ? raw : bytes.concat(keccak256(raw));
+        return raw.length <= 32 ? raw : bytes.concat(keccak256(raw));
     }
 
     /**
@@ -256,7 +258,7 @@ library TrieProof {
         uint256 length = value.length;
         bytes memory nibbles_ = new bytes(length * 2);
         for (uint256 i = 0; i < length; i++) {
-            (nibbles_[i * 2], nibbles_[i * 2 + 1]) = (value[i] & 0xf0, value[i] & 0x0f);
+            (nibbles_[i * 2], nibbles_[i * 2 + 1]) = ((value[i] & 0xf0) >> 4, value[i] & 0x0f);
         }
         return nibbles_;
     }

test/utils/cryptography/TrieProof.test.js

@@ -14,11 +14,12 @@ const ProofError = {
   INVALID_INTERNAL_NODE_HASH: 5,
   EMPTY_VALUE: 6,
   INVALID_EXTRA_PROOF_ELEMENT: 7,
-  INVALID_PATH_REMAINDER: 8,
-  INVALID_KEY_REMAINDER: 9,
-  UNKNOWN_NODE_PREFIX: 10,
-  UNPARSEABLE_NODE: 11,
-  INVALID_PROOF: 12,
+  MISMATCH_LEAF_PATH_KEY_REMAINDERS: 8,
+  INVALID_PATH_REMAINDER: 9,
+  INVALID_KEY_REMAINDER: 10,
+  UNKNOWN_NODE_PREFIX: 11,
+  UNPARSEABLE_NODE: 12,
+  INVALID_PROOF: 13,
 };
 
 // Method eth_getProof is not supported with default Hardhat Network, so Anvil is used for that.
@@ -80,7 +81,7 @@ describe('TrieProof', function () {
       const slot = ethers.ZeroHash;
       const tx = await call(this.storage, 'setUint256Slot', [slot, 42]);
       const { key, value, proof, storageHash } = await this.getProof(this.storage, slot, tx);
-      const result = await this.mock.$verify(key, value, proof, storageHash);
+      const result = await this.mock.$verify(ethers.keccak256(key), value, proof, storageHash);
       expect(result).is.true;
     });
 
@@ -90,7 +91,7 @@ describe('TrieProof', function () {
       await call(this.storage, 'setUint256Slot', [slot0, 42]);
       const tx = await call(this.storage, 'setUint256Slot', [slot1, 43]);
       const { key, value, proof, storageHash } = await this.getProof(this.storage, slot1, tx);
-      const result = await this.mock.$verify(key, value, proof, storageHash);
+      const result = await this.mock.$verify(ethers.keccak256(key), value, proof, storageHash);
       expect(result).is.true;
     });
 
@@ -126,7 +127,7 @@ describe('TrieProof', function () {
     it.skip('fails to process proof with invalid internal short node', async function () {}); // TODO: INVALID_INTERNAL_NODE_HASH
 
     it('fails to process proof with empty value', async function () {
-      const proof = [ethers.encodeRlp(['0x20', '0x'])]; // Corrupt proof to yield empty value
+      const proof = [ethers.encodeRlp(['0x2000', '0x'])]; // Corrupt proof to yield empty value
       const [processedValue, error] = await this.mock.$processProof('0x00', proof, ethers.keccak256(proof[0]));
       expect(processedValue).to.equal('0x');
       expect(error).to.equal(ProofError.EMPTY_VALUE);
@@ -137,11 +138,26 @@ describe('TrieProof', function () {
       const tx = await call(this.storage, 'setUint256Slot', [slot0, 42]);
       const { key, proof, storageHash } = await this.getProof(this.storage, slot0, tx);
       proof[1] = ethers.encodeRlp([]); // extra proof element
-      const [processedValue, error] = await this.mock.$processProof(key, proof, storageHash);
+      const [processedValue, error] = await this.mock.$processProof(ethers.keccak256(key), proof, storageHash);
       expect(processedValue).to.equal('0x');
       expect(error).to.equal(ProofError.INVALID_EXTRA_PROOF_ELEMENT);
     });
 
+    it('fails to process proof with mismatched leaf path and key remainders', async function () {
+      const slot = ethers.ZeroHash;
+      const key = ethers.keccak256(slot);
+      const value = '0x2a';
+      const proof = [
+        ethers.encodeRlp([
+          '0x20' + ethers.toBeHex(BigInt(key) + 1n).replace('0x', ''), // corrupt end of leaf path
+          value,
+        ]),
+      ];
+      const [processedValue, error] = await this.mock.$processProof(key, proof, ethers.keccak256(proof[0]));
+      expect(processedValue).to.equal('0x');
+      expect(error).to.equal(ProofError.MISMATCH_LEAF_PATH_KEY_REMAINDERS);
+    });
+
     it('fails to process proof with invalid path remainder', async function () {
       const proof = [ethers.encodeRlp(['0x0011', '0x'])]; // Corrupt proof to yield invalid path remainder
       const [processedValue, error] = await this.mock.$processProof(ethers.ZeroHash, proof, ethers.keccak256(proof[0]));