0age/simple-fraud-proof-l2-for-scalable-token-transfers.md

## simple-fraud-proof-l2-for-scalable-token-transfers.md

      
    Raw
  

              simple-fraud-proof-l2-for-scalable-token-transfers.md
            
          
    Simple Fraud Proof L2 for Scalable Token Transfers

Authors: @0age & @d1ll0n
This spec outlines an initial implementation of a simple Layer Two construction based on fraud proofs (i.e., Optimistic Rollup). It endeavors to remain as simple as possible while still affording important security guarantees and significant efficiency improvements. It is designed to support scalable token transfers in the near term, with an expectation that eventually more mature, generic L2 as production-ready platforms will become available.
Table of Contents


Overview
State
Transactions

Deposits
Transfers
Withdrawals
Signer Modification


Block Production
Fraud Proofs

Verification Functions
Block Header Fraud Proofs

Fraudulent State Size
Fraudulent Transactions Root


Hard Transaction Fraud Proofs

Fraudulent Hard Transaction Range
Fraudulent Hard Transaction Source


Execution Fraud Proofs

Invalid Signature
Duplicate Account Creation
Transaction Execution Fraud


Overview

This spec has been designed to meet the following requirements:

The system must be able to support deposits, transfers, and withdrawals of a single ERC20 token.
All participants must remain in control of their tokens, with any transfer requiring their authorization via a valid signature,  and with the ability to exit the system of their own volition.
All participants must be able to locally recreate the current state of the system based on publicly available data, and to roll back an invalid state during a challenge period by submitting a proof of an invalid state transition.
The system should be able to scale out to support a large user base, allowing for faster L2 transactions and reducing gas costs by at least an order of magnitude compared to L1.

In contrast, certain properties are explicitly not required in the initial spec:

Transactions do not require strong guarantees of censorship resistance (as long as unprocessed deposits and exits remain uncensorable) — A dedicated operator will act as the sole block producer, thereby simplifying many aspects of the system.
Generic EVM support (indeed, even support for any functionality beyond token transfers) is not required — this greatly simplifies the resultant state, transaction, block production, and fraud proof mechanics.
Scalability does not need to be maximal, only sufficient to support usage in the near-term under realistic scenarios — we only need to hold out until more efficient data-availability oracles or zero-knowledge circuits and provers become production-ready.

State

The world state will be represented as a collection of accounts, each designated by a unique 32-bit index (for a maximum of 4,294,967,296 accounts), as well as by a 32-bit stateSize value that tracks the total number of accounts. Each account will contain:

the address of the account (represented by a 160-bit value)
the nonce of the account (represented by a 24-bit value, capped at 16,777,216 transactions per account)
the balance of the account (represented by a 56-bit value, capped at 720,575,940 tokens per account assuming eight decimals)
an array of unique signing addresses (represented by concatenated 160 bit addresses, with a maximum of 10 signing addresses per account, in order of assignment)


The state is represented as a merkle root, composed by constructing a sparse merkle tree with accounts as leaves. Each leaf hash is the hash of keccak256(address ++ nonce ++ balance ++ signing_addresses).
Accounts that have not yet been assigned are represented by 0, the value of an empty leaf node in the sparse merkle tree.
Accounts are only added, and stateSize incremented, when processing deposits or transfers to accounts that were previously empty (also note that stateSize is never decremented). The state root will be updated accordingly whenever accounts are added or modified.
Transactions

Each transaction contains a concise representation of the fields used to apply the given state transaction, as well as the intermediate state root that represents the state right after the transaction has been applied. There are two general classes of transaction: those intitiated from the Ethereum mainnet by calling into the contract that mediates interactions with layer two, and those intitiated from layer two directly via signature from a signing key on the account.
Hard Transaction Types

Transactions initiated from mainnet, referred to throughout as "hard" transactions, fall into three general categories:

HARD_CREATE: Deposits to accounts that do not yet exist on layer two
HARD_DEPOSIT: Deposits to accounts that already exist on layer two
HARD_WITHDRAW: Explicit withdrawal requests, or "hard withdrawals"


Note: Inclusion of a HARD_CHANGE_SIGNER transaction type would help remediate various shortcomings of the signer modification process as currently proposed. Since there are known workarounds, and because it adds additional scope and complexity, the current specification omits this transaction type.

Whenever the mediating contract on mainnet receives a hard transaction request, it will increment a hardTransasctionIndex value and associate that index with the supplied transaction. Then, whenever the block producer proposes new blocks that include hard transactions, it must include a set with continuous indexes that starts at the last processed hard transaction index — in other words, the block producer determines the number of hard transactions to process in each block, but specific hard transactions cannot be "skipped".

Note: while the requirement to process each hard transaction protects against censorship of specific transactions, it does not guard against system-wide censorship — the block producer may refuse to process any hard transactions. Various remediations to this issue include instituting additional block producers, including "dead-man switch" mechanics, or allowing for users to update state directly under highly specific circumstances, but the implementation thereof is currently outside the scope of this spec.

Soft Transaction Types

In contrast, "soft" transactions are initiated from layer two directly, with their inclusion in blocks at the discretion of the block producer. These include:

SOFT_WITHDRAW: Transfers from an account to the account at index zero, or "soft withdrawals"
SOFT_CREATE: Transfers from one account to another account that does not yet exist on layer two
SOFT_TRANSFER: Transfers between accounts that already exist on layer two
SOFT_CHANGE_SIGNER: Addition or removal of a signing key from an account

Each soft transaction must bear a signature  that resolves to one of the signing keys on the account initiating the transaction in order to be considered valid. Hard transactions, on the other hand, do not require signatures — the caller on mainnet has already demonstrated control over the relevant account.
Transaction Merkle Root

The set of transactions for each block is represented as a merkle root, composed by taking each ordered transaction and constructing a standard indexed merkle tree, designating a value for each leaf by taking the particular transcation type (with the format of each outlined below), prefixing with a one-byte type identifier, and deriving the keccak256 hash of the combination. The one-byte prefix for each transaction type is as follows:

HARD_CREATE: 0x00
HARD_DEPOSIT: 0x01
HARD_WITHDRAW: 0x02
SOFT_WITHDRAW: 0x03
SOFT_CREATE: 0x04
SOFT_TRANSFER: 0x05
SOFT_CHANGE_SIGNER: 0x06

Once this information has been committed into a single root hash, it is concatenated with the most recent hardTransactionIndex, as well as with newHardTransactionCount (or the total number of hard transactions in the block) and hashed once more to arrive at the final transaction root.
Data Availability Format

Additionally, all transaction data is provided whenever new blocks are produced so that it can be made available for fraud proofs. This data is prefixed with an eight-byte header containing the following information:

transactionSerializationVersion (16 bits)
newAccountCreationDeposits (16 bits)
newDefaultDeposits (16 bits)
newHardWithdrawals (16 bits)
newSoftWithdrawals (16 bits)
newAccountCreationTransfers (16 bits)
newDefaultTransfers (16 bits)
newSignerChanges (16 bits)

Each value in the header designates the number of transactions in each batch — this gives an upper limit of 65,536 of each type of transaction per block. Each transaction type has a fixed size depending on the type, and all transaction types end in a 32-byte intermediate state root that is used to determine invalid execution in the respective fraud proof.

Note: intermediate state roots can optionally be applied to chunks of transactions rather than to each transaction, with the trade-off of increased complexity in the required fraud proof.

Transaction type serialization formats and other details are outlined in each relevant section below.
Deposits

Upon deposit into a dedicated contract on L1, a deposit address (or, in the case of multisig support, multiple addresses and a threshold) will be specified. Next, the hardTransasctionIndex is incremented and assigned to the deposit.
The block producer will then reference that index in order to construct a valid transaction that credits an account specified by the depositor with the respective token balance. Therefore, all deposits are "hard" transactions.

Note: In practice, it is likely that users will not generally make deposits via L1, and will instead purchase L2 tokens through other means.

Default Deposits

The default deposit transaction type entails depositing funds to a non-empty account. It contains the following fields:

hardTransasctionIndex (40 bits)
to: accountIndex (32 bits)
value (56 bits)
intermediateStateRoot (256 bits)

This gives a serialized default deposit transaction length of 384 bits, or 48 bytes.
Create Deposits

In addition, there is an "account creation" deposit transaction type that is used when transferring to an account that has never been used before. These transaction types are only valid in cases where both the account in question and its corresponding address do not yet exist, and where the specified to index is equal to the current stateSize value.
Account creation deposit transaction types extend the default deposit transaction type as follows:

hardTransasctionIndex (40 bits)
to: accountIndex (32 bits)
value (56 bits)
toAddress (160 bits)
initialSigningKey (160 bits)
intermediateStateRoot (256 bits)

This gives a serialized account creation deposit transaction length of 704 bits, or 88 bytes.
Batch Serialization

Each deposit transaction in the batch is processed before any soft transactions and applied to the state. They must be ordered and processed in sequence, along with any hard withdrawals, by hardTransasctionIndex.
Transfers

In order to transfer tokens between accounts in L2, anyone with a signing key attached to a given account can produce a signature authorizing a transfer to a particular recipient.
The block producer will then use that signature to construct a valid transaction that debits the respective amount from the balance of the signer's account and credits it to the recipient specified by the signer. Note that all transfers are "soft" transactions.
Default Transfers

The default transfer transaction type entails sending funds between two non-empty accounts. They contains the following fields:

from: accountIndex (32 bits)
to: accountIndex (32 bits)
nonce (24 bits)
value (56 bits)
signature (520 bits)
intermediateStateRoot (256 bits)

This gives a serialized default transfer transaction length of 920 bits, or 115 bytes.
Create Transfers

In addition, there is an "account creation" transfer transaction type that is used when transferring to an account that has never been used before. These transaction types are only valid in cases where both the account in question and its corresponding address do not yet exist, and where the specified to index is equal to the current stateSize value.
Account creation transfer transaction types extend the default transfer transaction type as follows:

from: accountIndex (32 bits)
to: accountIndex (32 bits)
nonce (24 bits)
value (56 bits)
toAddress (160 bits)
initialSigningKey (160 bits)
signature (520 bits)
intermediateStateRoot (256 bits)

This gives a serialized account creation transfer transaction length of 1240 bits, or 155 bytes.
Batch Serialization

Each transfer transaction in the batch is processed in sequence, after all deposits and withdrawals and before any signature modifications have been processed, and applied to the state. As a simplifying restriction, all account creation transfer transactions must occur before any default transfer transactions in a given block.
Withdrawals

Withdrawals come in two forms: "soft" withdrawals (submitted as L2 transactions) and "hard" withdrawals (submitted as L1 transactions).
Soft Withdrawals

Any account can construct a "soft" withdrawal transaction to a designated address on L1 by supplying the following fields:

from: accountIndex (32 bits)
withdrawalAddress (160 bits)
nonce (24 bits)
value (56 bits)
signature (520 bits)
intermediateStateRoot (256 bits)

This gives a serialized soft withdrawal transaction length of 1048 bits, or 131 bytes.
Once a batch of soft withdrawal transactions have been included in a block, a 24-hour challenge period must transpire before a proof can be submitted to the L1 contract to disburse the funds to the specified addresses.
This challenge period is to ensure that any fraudulent block has a sufficient window of time for a challenge to be submitted, proving the fraud and rolling back to the latest good block.

Note: In practice, the operator will likely facilitate early exits from L2 withdrawals by serving as a counterparty and settling through other means once sufficient confidence in the accuracy of prior block submissions has been established.

Each withdrawal proof verifies that the associated transactions are present and valid for each withdrawal to process, then updates the respective historical transaction root and corresponding block root to reflect that the withdrawal has been processed. Notably, all other relevant state remains intact, meaning fraud proofs may still be submitted that reference the modified transaction roots.
Hard Withdrawals

Additionally, users may call into a dedicated contract on L1 to schedule a "hard" withdrawal from an account on L2 if the caller's account has a balance on L2. In doing so, the hardTransasctionIndex is incremented and assigned to the withdrawal.
The block producer will then reference that index in order to construct a valid transaction that debits the caller's account on L2 and enables the caller to retrieve the funds once the 24-hour finalization window has elapsed.
The hard withdrawal transaction type contains the following fields:

transactionIndex (40 bits)
from: accountIndex (32 bits)
value (56 bits)
intermediateStateRoot (256 bits)

This gives a serialized hard withdrawal transaction length of 384 bits, or 48 bytes.
Batch Serialization

Each withdrawal transaction in the batch is processed before any transfer or signer modification transactions and applied to the state. Hard withdrawals must be ordered and processed in sequence, along with any deposits, by hardTransasctionIndex. Soft withdrawals must be provided after any hard transactions and before any other soft transactions.
Signer Modification

All soft transactions must be signed by one of the signing keys attached to the originating account. The initial signing key is set during account creation as part of a deposit or transfer — an independent transaction is required in order to add additional keys or remove an extisting key.
Default Signer Modification

The SOFT_CHANGE_SIGNER transaction type is used in order to add or remove signing keys from non-empty accounts. They contains the following fields:

accountIndex (32 bits)
nonce (24 bits)
signingAddress (160 bits)
modificationCategory (8 bits)
signature (520 bits)
intermediateStateRoot (256 bits)

This gives a serialized signer modification transaction length of 1000 bits, or 125 bytes.
The modificationCategory value will initially have only two possible values: 0x00 for adding a key and 0x01 for removing a key. Keys can only be added if they are not already set on a given account, and are added to the end of the array of signing keys. They can only be removed if the key in question is currently set on the given account, and are "sliced" out of the array.

Note: If all signing keys are removed from an account, it will no longer be possible to submit soft transactions from that account. Recovering funds from the address in question will require intervention from layer one via a hard withdrawal.

Batch Serialization

Each signer modification transaction in the batch is processed in sequence, after all other transactions have been processed, and applied to the state.
Block Production

The operator will produce successive blocks via calls from a single, configurable hot key to a dedicated contract on the Ethereum mainnet (based on the assumption that a less expensive, equally-reliable data availability layer is currently unavailable).
This contract endpoint will take five arguments:

uint32 newBlockNumber: The block number of the new block, which must be one greater than that of the last produced block.
uint32 newStateSize: An updated total count of the number of non-empty accounts, derived by applying the supplied account creation deposits and transfers.
bytes32 newStateRoot: An updated state root derived from the last state root by applying the supplied deposits and transfers.
bytes32 transactionsRoot: The merkle root of all transactions supplied as part of the current block (including an intermediate state root for each).
bytes calldata transactions: The transactions header concatenated with each batch of deposits, withdrawals, and transfers as specified in their respective sections.

The final block header is derived by first calculating transactionsHash as the keccak256 hash of transactions, then by calculating newHardTransactionCount as the result of collecting and summing all deposits and hard withdrawals from the transactions header. Finally, the new block hash is stored as keccak256(newBlockNumber ++ newStateSize ++ newStateRoot ++ newHardTransactionCount ++ transactionsRoot ++ transactionsHash).
The block producer must include a "bonded" commitment of. stablecoins worth ~$100 with each block. The block will be finalized, and the commitment returned to the block producer, at the end of the challenge period (explained below) if no successful fraud proof is submitted during said period.

Note: A bonding commitment of $100 per block would result in a total commitment of $576,000 at maximum capacity, i.e. with blocks being committed for every new block on the Ethereum mainnet — this would imply that ~5000 transactions are being processed each minute over the entirety of a 24-hour period. A more realistic total commitment would likely be at least an order of magnitude lower than this maximum.

Fraud Proofs

Once blocks are submitted, they must undergo a 24-hour "challenge" period before they become finalized. During this period, any block containing an invalid operation can be challenged by any party containing the necessary information by which to prove that the block in question was invalid. In doing so, the state will be rolled back to the point when the fraudulent block was submitted and the proven correction will be applied. Furthermore, the bonded stake provided when submitting the fraudulent block, as well as the stake of each subsequent block, will be seized, with half irrevocably burned (with the equivalent backing collateral distributed amongst all token holders via an increase in the exchange rate) and half provided to the submitter as a reward.
Various categories of fraud proof cover corresponding types of invalid operations, including:

Supplying an incorrect value for newStateSize that does not accurately increment the prior stateSize by the total number of account creation transactions in a block (Fraudulent State Size).
Supplying transaction data that cannot be decoded into a valid set of transactions, due to an improperly-formatted transaction, an incorrect number of any transaction type, an incorrect number of "hard" transactions, or an invalid transaction merkle root (Fraudulent Transactions Root).
Supplying a range of hard transactions wherein a transaction has incorrectly specified the number of hard transactions, where a duplicate hard transaction is included, or where a given hard transaction index is not included in the range, i.e. a hard transaction is skipped (Fraudulent Hard Transaction Range).
Supplying a hard transaction where the transaction is inconsistent with the input fields provided by the submitter to the contract on the Ethereum mainnet, has been submitted previously to L2, or does not exist on L1 (Fraudulent Hard Transaction Source).
Supplying a transaction with an invalid signature (Invalid Signature).
Supplying an account creation transaction for an account that already exists in the state (Duplicate Account Creation).
Supplying an intermediate state root that does not accurately reflect the execution of a given transaction, either default type or account creation type (Transaction Execution Fraud).


Note: certain simple operations do not need fraud proofs as they can be checked upon block submission. For example, supplying a new block with an incorrect value for newBlockNumber that does not accurately increment the prior blockNumber by one will revert.

Overview

Without a scheme where blocks can be proven correct by construction (such as ZK Snarks) it is necessary for the L1 to have contracts capable of auditing L2 block execution in order to keep the L2 chain in a valid state. These contracts do not fully reproduce L2 execution and thus do not explicitly verify blocks as being correct; instead, each fraud proof is capable of making only a determination of whether a particular aspect of a block (and thus the entire block) is definitely fraudulent or not definitely fraudulent.
An individual fraud proof makes certain assumptions about the validity of parts of the block which it is not explicitly auditing. These assumptions are only sound given the availability of other fraud proofs capable of auditing those parts of the block it does not itself validate.
Each fraud proof is designed to perform minimal computation with the least calldata possible to audit a single aspect of a block. This is to ensure that large blocks which would be impossible or extremely expensive to audit on the L1 chain can be presumed secure without arbitrarily restricting their capacity to what the L1 could fully reproduce.
Definitions

Certain terms are used throughout which are important to clearly define the meaning of to avoid confusion:

prove, verify, assert are used interchangeably in the following sections to refer to conditional branching where the transaction reverts upon a negative result.
check and compare are used for conditional branching where execution does not necessarily halt based on a negative result. When these are used, the result of each condition will be explicitly specified.


Block Header Encoding

Encoding of the block header, i.e. <BlockHeader>. Note that each block also has a transactions buffer, represented in the header by both transactionsRoot and transactionsHash.


Element
Size (b)


number
4


stateSize
4


stateRoot
32


hardTransactionCount
5


transactionsRoot
32


transactionsHash
32


Total Block Header
109


Transaction Encoding

Transactions Buffer

Encoding of a transaction in the block.transactions buffer.


Type
Size (b)
Size w/ root (b)


HARD_CREATE
56
88


HARD_DEPOSIT
16
48


HARD_WITHDRAW
16
48


SOFT_WITHDRAW
99
131


SOFT_CREATE
123
155


SOFT_TRANSFER
83
115


SOFT_CHANGE_SIGNER
93
125


Leaf Encoding

Encoding of a transaction in the transactions merkle tree.


Type
Prefix
Size (b)
Size w/ root and prefix (b)


HARD_CREATE
0x00
56
89


HARD_DEPOSIT
0x01
16
49


HARD_WITHDRAW
0x02
16
49


SOFT_WITHDRAW
0x03
99
132


SOFT_CREATE
0x04
123
156


SOFT_TRANSFER
0x05
83
116


SOFT_CHANGE_SIGNER
0x06
93
126


Verification Functions

We have several basic functions that will be re-used throughout the fraud proofs. These are used to verify specific assertions being made by a challenger attempting to claim fraud, but do not independently make a positive determination that a block is fraudulent. All verification functions assert correctness of conditional arguments and cause the fraud proof to fail if they do not return a positive result.
Block Is Pending

blockIsPending(blockHeader) { ... }

Input


blockHeader <BlockHeader> - The block header being checked for pending status.

Description

Proves that the supplied block header is committed and pending.
Process


Calculate the hash of the header as blockHash.
Read blockHeader.number and retrieve the committed block hash for that number from the pending blocks mapping.
Assert that blockHash is equal to the retrieved block hash.


Block Is Pending And Has Parent

blockIsPendingAndHasParent(blockHeader, previousBlockHeader)

Input


blockHeader <BlockHeader> - Block header to check for pending status.
previousBlockHeader <BlockHeader> - Block header prior to blockHeader.

Description

Verifies that blockHeader is a committed pending block and that previousBlockHeader is either pending or confirmed and has a block number one less than that of blockHeader.
Process


Assert that blockHeader.number is equal to previousBlockHeader.number + 1.
Call blockIsPending(blockHeader) to assert that blockHeader represents a pending committed block.
Calculate the hash of previousBlockHeader as previousBlockHash and read the block hash from the mapping of pending blocks at the key previousBlockHeader.number.

Assert that the block hash retrieved either matches previousBlockHash or is null
If the block hash matches, return
If the block hash is null, retrieve the confirmed block hash for previousBlockHeader.number
Assert that the retrieved block hash is equal to previousBlockHash


Merkleize Transactions Tree

calculateTransactionsRoot(transactionHashes) {...}

Input


transactionHashes <bytes32[]> - Array of hashes of prefixed transactions

Description

Calculates the root hash of a transactions merkle tree.
Process


Process taken from RollupMerkleUtils.sol in Pigi with modifications.


Set nextLevelLength to the length of transactionHashes
Set currentLevel to 0
If nextLevelLength == 1, return transactionHashes[0]
Initialize a new byte32 array named nodes with length nextLevelLength + 1
Check if nextLevelLength is odd:

If it is, set nodes[nextLevelLength] = 0 and set nextLeveLength += 1


Loop while nextLevelLength > 1

Set currentLevel += 1
Calculate the nodes for the current level:

Set i = 0
Execute a for loop with condition i < nextLevelLength / 2, incrementing i by 1 each loop
Set nodes[i] = sha3(nodes[i*2] ++ nodes[i*2 + 1])


Set nextLevelLength = nextLevelLength / 2
Check if nextLevelLength is odd and not equal to 1:

If it is, set nodes[nextLevelLength] = 0
Set nextLevelLength += 1


Return nodes[0]


Merkle Tree Has Leaf

verifyMerkleRoot(rootHash, leafNode, leafIndex, siblings) { ... }

Input


rootHash <bytes32> - The root hash of a merkle tree.
leafNode <bytes> - An arbitrarily encoded leaf node.
leafIndex <uint> - The index of the leaf in the merkle tree.
siblings <bytes32[]> - The neighboring nodes of the leaf going up the merkle tree.

Description

Computes a merkle root by hashing together nodes going up the tree and compares it to a supplied root.
Process


Assert that the length of leafNode is not 32

This prevents invalid merkle proofs of nodes higher than the bottom level.


Set currentHash to keccak256(leafNode)

Loop through each sibling in siblings, set the index to $n$

Read the $n^{th}$ bit from the right of leafIndex to determine parity

If it is zero, set currentHash to keccak256(currentHash ++ sibling)

If it is one, set currentHash to keccak256(sibling ++ currentHash)


Return true if currentHash is equal to rootHash, otherwise return false.


Verify and Update Merkle Tree

verifyAndUpdate(rootHash, leafNode, newLeafNode, leafIndex, siblings) 
{...}

Input


rootHash <bytes32> - The root hash of a merkle tree.
leafNode <bytes> - The leaf node to prove inclusion of.
newLeafNode <bytes> - The leaf node to replace leafNode with in the tree.
leafIndex <uint> - The index of the leaf in the merkle tree.
siblings <bytes32[]> - The neighboring nodes of the leaf going up the merkle tree.

Description

Verifies the value of a leaf node in a merkle tree at a particular index and calculates a new root for that tree where the leaf node has a different value.
Process


Assert that the length of leafNode is not 32

This prevents invalid merkle proofs of nodes higher than the bottom level.


Assert that the length of newLeafNode is not 32

This prevents invalid merkle proofs of nodes higher than the bottom level.


Set currentHash to keccak256(leafNode)

Set newHash to keccak256(newLeafNode)

Loop through each sibling in siblings, set the index to $n$

Read the $n^{th}$ bit from the right of leafIndex to determine parity

If it is zero

set currentHash to keccak256(currentHash ++ sibling)

set newHash to keccak256(newHash ++ sibling)


If it is one

set currentHash to keccak256(sibling ++ currentHash)

set newHash to keccak256(sibling ++ newHash)


Set return value valid to rootHash == currentHash

Set return value newRoot to newHash


Verify and Push to Merkle Tree

verifyAndPush(
  rootHash, leafValue, leafIndex, siblings
) {...}

Input


rootHash <bytes32> - The root hash of a merkle tree.
leafNode <bytes> - The leaf node to add to the tree.
leafIndex <uint> - The index of the leaf in the merkle tree.
siblings <bytes32[]> - The neighboring nodes of the leaf going up the merkle tree.

Description

Same as verifyAndUpate, except that the old value used for the proof is just the default leaf value.
Process

Return the value given by calling verifyAndUpate(rootHash, 0, leafNode, leafIndex, siblings).

Transaction Exists in Transactions Tree

rootHasTransaction(transactionsRoot, transaction, transactionIndex, siblings)
{ ... }

Input


transactionsRoot <bytes32> - The root hash of a transactions merkle tree.
transaction <bytes> - An encoded transaction of any type.
transactionIndex <uint> - The index of the transaction in the merkle tree.
siblings <bytes32[]> - The neighboring nodes of the transactions going up the merkle tree.

Description

Proves that a single transaction exists in the supplied transactions root by verifying the supplied merkle proof (transactionIndex, siblings).
Process


Return verifyMerkleRoot(transactionsRoot, transaction, transactionIndex, siblings)


Transaction Exists in Transactions Tree

rootHasTransaction(transactionsRoot, transaction, transactionIndex, siblings)
{ ... }

Input


transactionsRoot <bytes32> - The root hash of a transactions merkle tree.
transaction <bytes> - An encoded transaction of any type.
transactionIndex <uint> - The index of the transaction in the merkle tree.
siblings <bytes32[]> - The neighboring nodes of the transactions going up the merkle tree.

Description

Proves that a single transaction exists in the supplied transactions root by verifying the supplied merkle proof (transactionIndex, siblings).
Process


Return verifyMerkleRoot(transactionsRoot, transaction, transactionIndex, siblings)


Transaction Had Previous State

provePriorState(bytes previousSource, bytes blockHeader, uint40 transactionIndex) {
  // If `transactionIndex` is zero, `previousSource` must be a block header.
  // Otherwise, it must be a transaction inclusion proof.
  if (transactionIndex == 0) {
    // Verify that `previousSource` is a committed pending or confirmed
    // block header with a block number one less than `blockHeader`.
    assert(blockIsPendingAndHasParent(blockHeader, previousSource))
    
    // `decodeHeaderStateRoot` reads the state root from a header buffer.
    return decodeHeaderStateRoot(previousSource)
  } else {
    // If `transactionIndex` is not zero, `previousSource` is a tuple of
    // (uint8 siblingCount, bytes32[] siblings, bytes transaction).
    // If the transaction index is zero, the previous root must be
    // proven with a block header.
    // Read the first 8 bits of `previousSource` as `siblingCount`
    uint siblingCount = previousSource >> 248;
    // `decodeSiblings` decodes `previousSource` into an array of siblings by
    // reading previousSource.slice(1, siblingCount*32)
    bytes32[siblingCount] siblings = previousSource.slice(1, siblingCount * 32)
    // Read intermediate root from the end of the transaction.
    bytes32 previousRoot = previousSource.slice(-32)
    
    // Read the transactions root 
    bytes transactionData = previousSource.slice(1 + siblingCount * 32)
    assert(verifyMerkleProof(previousRoot, transactionData, transactionIndex, siblings))
  }
}

Description

The first transaction in a block has a starting state root equal to the ending state of the previous block, and every transaction thereafter has a starting state root equal to the intermediate root of the previous transaction. This function takes a block header and a transaction index which represent the absolute position in the L2 history at which the function will prove the previous state root.
If the provided transaction index is zero, it can determine the previous state root by proving that previousSource is a valid, committed header which came immediately before the given blockHeader parameter. If the transaction index is not zero, the function will determine whether the provided data is the source of the previous state root by attempting to prove that it existed in the same block at the previous transaction index.
Input


previousSource <BlockHeader | TransactionProof> - Data used to prove the state prior to a given transaction.

Type union of BlockHeader or TransactionProof
TransactionProof is a tuple of (uint8 siblingsCount, bytes32[] siblings, bytes transaction)

siblings are neighboring nodes in a merkle tree used to verify inclusion of a value against a merkle root


blockHeader <BlockHeader> - The header which contains the transaction whose prior state is being proven.
transactionIndex <uint40> - The index of the transaction whose prior state is being proven.

Process


If transactionIndex is zero, previousSource must be a block header.

Use blockIsPendingAndHasParent(blockHeader, previousSource) to assert that the provided block header is committed and came immediately before blockHeader
Decode previousSource.stateRoot by slicing 32 bytes from the buffer starting at byte 8


Otherwise, previousSource must contain a merkle proof of the previous transaction.

Read the first 8 bits of previousSource as siblingsCount
Assert that the length of previousSource is not less than the minimum length the proof data could have

Siblings count: 1 byte
Siblings array: (32 * siblingsCount) bytes
Minimum transaction size: 48 bytes (hard deposit + state root)
Total Minimum: 49 + siblingsCount * 32


Decode the siblings array as siblings by reading bytes 1 to siblingsCount * 32
Read the state root as previousRoot by slicing from the 32nd to last byte of previousSource until the end of the buffer
Read the transaction data as transactionData by slicing from 1 + siblingsCount * 32 to the 32nd to last byte
Verify the provided merkle proof with rootHasTransaction(blockHeader.transactionsRoot, transactionData, transactionIndex - 1, siblings)
Return previousRoot


Account Has Signer

accountHasSigner(account, address) {...}

Input


account - An encoded account
address - An address to search for in the account

Description

Searches an account for a particular address and returns a boolean stating whether the account has it as a signer.
Process


If address == address(0), return false
Set a variable nextOffset to 30 (pointer to beginning of first signer address)
Execute a while loop with condition (nextOffset < account.length) to read each signer address in the account

Read bytes (nextOffset...nextOffset+20) from account as nextSigner
If signer == nextSigner break and return true
Set nextOffset += 20


If the loop finishes, return false


Block Header Fraud Proofs

Fraudulent State Size

proveStateSizeError(previousBlockHeader, blockHeader, transactions) { ... }

Input


previousBlockHeader <BlockHeader> - The block header prior to the block being challenged.
blockHeader <BlockHeader> - The block header being challenged.
transactions <bytes> - Transactions buffer for the block identified by header.

Description

This proof will determine that fraud has occurred if the transaction type counts in the prefix of the transactions buffer in a block is inconsistent with the difference between the block's newStateSize and the state size of the previous block.
This function enforces the assumption of a reliable state size in the block header which is needed for other fraud proofs.
Process

1. Verify that the inputs are valid


Call blockIsPendingAndHasParent(blockHeader, previousBlockHeader) to assert that both headers are committed and that blockHeader immediately follows previousBlockHeader
Hash the transactions buffer and assert that the hash matches blockHeader.transactionsHash

2. Check if the state size is valid


Read newAccountCreationDeposits as createDeposits from transactions at bytes (2...4).
Read newAccountCreationTransfers as createTransfers from transactions at bytes (10...12).
Read previousBlockHeader.newStateSize as oldStateSize.
Read blockHeader.newStateSize as newStateSize.
Compare (oldStateSize + createDeposits + createTransfers) to newStateSize

If they are not equal, determine that fraud has occurred.


Fraudulent Transactions Root

proveTransactionsRootError(blockHeader, transactions)

Input


blockHeader <BlockHeader> - Block header being claimed as fraudulent.
transactions <bytes> - Transactions buffer from the block.

Description

This proof handles the case where a block header has an invalid transactionsRoot value. The contract for this function will decode the transactions buffer, derive the merkle root and compare it to the block header.
This function enforces the assumption of a valid transaction tree, which is required for the other fraud proofs to function.
The following table contains information about the transaction type encoding.


Meta Variable
Type
Prefix
size (w/ root)


hardCreates
HARD_CREATE
0x00
88


defaultDeposits
HARD_DEPOSIT
0x01
48


hardWithdrawals
HARD_WITHDRAW
0x02
48


softWithdrawals
SOFT_WITHDRAW
0x03
131


softCreates
SOFT_CREATE
0x04
155


softTransfers
SOFT_TRANSFER
0x05
115


softChangeSigners
SOFT_CHANGE_SIGNER
0x06
125


Process

1. Verify that the inputs are valid


Call blockIsPending(blockHeader) to assert that blockHeader represents a committed pending block
Hash the transactions buffer and assert that the hash matches blockHeader.transactionsHash

2. Read the transaction type counts


Initialize two uint256 variables as totalCount and totalSize with values of zero.
Read newAccountCreationDeposits as hardCreates from transactions at bytes (2...4).

Increment totalCount by hardCreates
Increment totalSize by hardCreates * 88


Read newDefaultDeposits as defaultDeposits from transactions at bytes (4...6).

Increment totalCount by defaultDeposits
Increment totalSize by defaultDeposits * 48


Read newHardWithdrawals as hardWithdrawals from transactions at bytes (6...8).

Increment totalCount by hardWithdrawals
Increment totalSize by hardWithdrawals * 48


Read newSoftWithdrawals as softWithdrawals from transactions at bytes (8...10).

Increment totalCount by softWithdrawals
Increment totalSize by softWithdrawals * 131


Read newAccountCreationTransfers as softCreates from transactions at bytes (10...12).

Increment totalCount by softCreates
Increment totalSize by softCreates * 155


Read newDefaultTransfers as softTransfers from transactions at bytes (12...14)

Increment totalCount by softTransfers
Increment totalSize by softTransfers * 115


Read newChangeSigners as softChangeSigners from transactions at bytes (14...16)

Increment totalCount by softChangeSigners
Increment totalSize by softChangeSigners * 125


3. Check if transactions is the right size


Compare totalSize to transactions.length - 14

If they do not match, determine fraud has been committed.
Otherwise, continue.


4. Collect the leaf nodes


Initialize a variable offset with value 14 to skip the metadata in the transactions buffer

This is the pointer to the next transaction


Initialize a leafHashes variable as a bytes32[] with length equal to totalCount.

We use bytes32 here instead of bytes to skip a step in the merkle root calculation
We could derive the merkle root directly as we pull the transactions, but for simplicity this will initially feed into an array and then derive the root


Initialize a hashBuffer variable as a bytes with length 136 (maximum total size of a transaction including prefix)
Initialize a transactionIndex variable as a uint256 with value 0
For t in types (refer to table in description):

Set the first byte in hashBuffer to t.prefix
t.count refers to the value of the variable matching the "meta field" in the types table
For i in (0...t.count):

Copy the next transaction from transactions calldata at bytes offset with length t.size into hashBuffer starting at index 1 in hashBuffer
Set leafHashes[transactionIndex++] to the hash of hashBuffer
Increment offset by t.size


5. Derive and compare the merkle root


Derive the merkle root as expectedRoot by calling calculateTransactionsRoot(leafHashes)
Compare expectedRoot to blockHeader.transactionsRoot
If they do not match, determine that fraud has occurred.


Hard Transaction Fraud Proofs


Fraudulent Hard Transaction Range

proveHardTransactionRangeError(previousBlockHeader, blockHeader, transactions)
{ ... }

Description

When a new block is posted, any nodes monitoring the rollup contract can compare the header's newHardTransactionCount to the same value in the previous block's header and compare the block's hard transactions to the expected new hard transactions.
This function will determine fraud has occurred if any of the following are true:

the block has less hard transactions than the difference between the new and previous block's newHardTransactionCount fields
the block contains a duplicate hard transaction index
the block is missing an index in the expected range (last hard count...new hard count)

Input


previousBlockHeader <BlockHeader> - The block header with a number one less than header.
blockHeader <BlockHeader> - The block header being challenged.
transactions <bytes> - The transactions buffer from blockHeader.

Process

1. Verify that the inputs are valid


Assert that previousBlockHeader and blockHeader are for committed pending blocks using blockIsPending
Assert that blockHeader has a block number one higher than the block number of previousBlockHeader
Hash transactions and assert that the hash is equal to blockHeader.transactionsHash

2. Check if the transactions metadata is consistent with the block header


Read previousBlockHeader.newHardTransactionCount as previousHardTransactionCount
Read blockHeader.newHardTransactionCount as newHardTransactionCount
Calculate expectedHardTransactionCount as the difference between newHardTransactionCount and previousHardTransactionCount
Read newAccountCreationDeposits from transactions at bytes (2...4) as createDepositsCount
ReadnewDefaultDeposits from transactions at bytes (4...6) as defaultDepositsCount
Read newHardWithdrawals from transactions at bytes (6...8) as hardWithdrawalsCount
Compare (createDepositsCount + defaultDepositsCount + hardWithdrawalsCount) to expectedHardTransactionCount

If they do not match, determine fraud has occurred.
Otherwise, continue.


3. Check for duplicate or missing transactions


Allocate an empty memory buffer with length expectedHardTransactionCount bits and set binaryPointer as the memory pointer to the beginning of the buffer

This will be a bitfield used to search for missing and duplicate transactions


Set transactionOffset to the memory or calldata location of transactions plus 14 bytes

Sets the offset into transactions of the beginning of the transactions data.


For i in the range (0...createDepositsCount):

Read the hardTransactionIndex of the next create deposit from memory as the buffer starting at transactionOffset with length 5 bytes
If hardTransactionIndex is greater than previousHardTransactionCount, determine that fraud has occurred
Set relativePointer as the difference between previousHardTransactionCount and hardTransactionIndex
Read the bit at binaryPointer + relativePointer

If it is set to 1, determine that fraud has occurred
Otherwise, set the bit to 1


Increment transactionOffset by 88 bytes to move the pointer past this deposit


For i in the range (0...defaultDepositsCount):

Read the hardTransactionIndex of the next default deposit from memory as the buffer starting at transactionOffset with length 5 bytes
If hardTransactionIndex is greater than previousHardTransactionCount, determine that fraud has occurred
Set relativePointer as the difference between previousHardTransactionCount and hardTransactionIndex
Read the bit at binaryPointer + relativePointer

If it is set to 1, determine that fraud has occurred
Otherwise, set the bit to 1


Increment transactionOffset by 48 bytes to move the pointer past this deposit


For i in the range (0...hardWithdrawalsCount):

Read the hardTransactionIndex of the next hard withdrawal from memory as the buffer starting at transactionOffset with length 5 bytes
If hardTransactionIndex is greater than previousHardTransactionCount, determine that fraud has occurred.
Set relativePointer as the difference between previousHardTransactionCount and hardTransactionIndex
Read the bit at binaryPointer + relativePointer

If it is set to 1, determine that fraud has occurred.
Otherwise, set the bit to 1


Increment transactionOffset by 48 bytes to move the pointer past this withdrawal


Check if there are any missing hard transactions

Loop through each word of memory (or sub-word for low hard transaction counts / final word) in the bitfield, comparing the value in memory to 1 + 2**(bitLength - 1) (where bitLength is the number of bits being compared in each buffer)

If any of these comparisons return false, determine that fraud has occurred.


Fraudulent Hard Transaction Source

proveHardTransactionSourceError(
    blockHeader, transaction, transactionIndex, siblings, stateProof
) { ... }

Input


blockHeader <BlockHeader> - The block header being challenged.
transaction <bytes> - The transaction being claimed to have a bad source.

Transactions in leaf nodes, as this parameter is, are prefixed with a byte specifying the transaction type.


transactionIndex <uint40> - The index of the transaction in the transactions tree.
siblings <bytes32[]> - The merkle siblings of the transaction.
stateProof <bytes> - Additional proof data specific to the type of transaction being proven to have a fraudulent source. If not used, equal to bytes("")

Description

This fraud proof handles the case where a block contains a hard transaction with an invalid source, i.e. a transactionIndex which is inconsistent with the escrow contract.
Process

1. Verify that the inputs are valid


Assert that blockHeader is for a pending committed block using blockIsPending(blockHeader)
Assert that the transaction has a valid merkle proof using rootHasTransaction(blockHeader.transactionsRoot, transaction, transactionIndex, siblings)

2. Decode the transaction


Read the first byte of transaction as prefix
Assert that prefix is less than 0x03

0x02 is the maximum value of a hard transaction prefix


Read transactionIndex from transaction at bytes (1...6)
Read accountIndex from transaction at bytes (6...10)
Read value from transaction at bytes (10...17)

3. Query the expected transaction


Query the transaction data using getHardTransaction(transactionIndex) and set the result to expectedTransaction

If expectedTransaction is null, determine that fraud has occurred.


4. Compare the transactions


If prefix is 0x00, it is a HARD_CREATE transaction

The transaction retrieved from the escrow should have fields (value, address)
Check if expectedTransaction has a length of 27 bytes

If it does not, determine that fraud has occurred.
Otherwise, continue.


Check value

Read expectedValue from expectedTransaction at bytes (0...7)
Compare value to expectedValue

If they do not match, determine that fraud has occurred.
Otherwise, continue


Check address

Read expectedAddress from expectedTransaction at bytes (7...27)
Read address from transaction at bytes (17...37)
Compare expectedAddress to address

If they do not match, determine that fraud has occurred.


If prefix is 0x01, it is a HARD_DEPOSIT transaction

The transaction retrieved from the escrow should have fields (value, address)
Check if expectedTransaction has a length of 27 bytes.

If it does not, determine that fraud has occurred.
Otherwise, continue.


Check value

Read expectedValue from expectedTransaction at bytes (0...7)
Compare value to expectedValue

If they do not match, determine that fraud has occurred.


Prove the account at accountIndex

Assert that stateProof is not null.
Read stateRoot from transaction at bytes (17...49)

We could use the state in the previous transaction, but since this is not a create transaction, if the state has changed since the last transaction that can be proven through execution fraud proofs.


Decode stateProof as a tuple of (account, siblingCount, siblings)

Read account from stateProof at bytes (0...30)
Read siblingCount from stateProof at bytes (30...38)
Read siblings[siblingCount] from stateProof at bytes (38...(38 + 32 * siblingCount))


Assert that the provided merkle proof is valid with stateHasAccount(stateRoot, account, accountIndex, siblings)


Check address

Read expectedAddress from expectedTransaction at bytes (7...27)
Read address from account at bytes (0...20)
Compare expectedAddress to address

If they do not match, determine that fraud has occurred.


If prefix is 0x02, it is a HARD_WITHDRAW transaction

The transaction retrieved from the escrow should have fields (fromIndex, value)
Check if accountIndex is equal to fromIndex

If not, determine that fraud has occurred.


Check if value is equal to expectedTransaction.value

If not, determine that fraud has occurred.


Execution Fraud Proofs

Invalid Signature

proveSignatureError(
  blockHeader, priorStateProof, transactionProof, accountProof
)

Input


blockHeader <BlockHeader> - Header of the block being claimed as fraudulent.
priorStateProof <PriorStateProof> - Proof of the state prior to executing the transaction. Type union of <BlockHeader | TransactionProof>
transactionProof <TransactionProof> - Merkle proof of the transaction being challenged.

transaction
transactionIndex
siblings


accountProof <AccountProof> - Merkle proof of the caller's account.

account
accountIndex
siblings


Process

1. Verify inputs


Assert that blockHeader represents a committed and pending block using blockIsPending(blockHeader)
Assert that the provided transactionProof is valid using rootHasTransaction(blockHeader.stateRoot, transactionProof.transaction, transactionProof.transactionIndex, transactionProof.siblings)
Assert that priorStateProof is valid using provePriorState(priorStateProof, blockHeader, transactionProof.transactionIndex), which if successful returns priorStateRoot

2. Check if the transaction should be signed and recover the signer


Read the transaction prefix from the first byte as prefix
Verify the transaction should be signed

If the prefix is 0x03 it is a SOFT_WITHDRAW
If the prefix is 0x04 it is a SOFT_CREATE
If the prefix is 0x05 it is a SOFT_TRANSFER
If the prefix is 0x06 it is a SOFT_CHANGE_SIGNER
If it is a different value, revert


Set a value signatureOffset to the length of transactionProof.transaction minus 97.

This is the offset to the beginning of the signature.


Read bytes (1...signatureOffset) from transactionProof.transaction as transactionData.
Read bytes (signatureOffset...signatureOffset + 1) from transactionProof.transaction as SIG_V.

if SIG_V != 0x1B && SIG_V != 0x1C, the signature is potentially malleable and therefore invalid: determine fraud has occurred.


Read bytes (signatureOffset + 1...signatureOffset + 33) from transactionProof.transaction as SIG_R.
Read bytes (signatureOffset + 33...signatureOffset + 65) from transactionProof.transaction as SIG_S.

if SIG_S > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, the signature is potentially malleable and therefore invalid: determine fraud has occurred.


Calculate the hash of transactionData as transactionHash.
Use ecrecover to recover the address from the signature, set signer to the return value.

If ecrecover fails or returns the null address, determine fraud has occurred.


3. Check if the signature is valid


Assert that the provided accountProof is valid using stateHasAccount(priorStateRoot, accountProof.account, accountProof.accountIndex, accountProof.siblings)
Call accountHasSigner(accountProof.account, signer) and set the result to isValid
If isValid is false, determine that fraud has occurred

Signer is not approved for the account


Otherwise, revert


Duplicate Account Creation

proveDuplicateCreateError(
    header, priorStateProof, transactionProof, accountProof
) { ... }

Input


blockHeader <BlockHeader> - Header of the block being claimed as fraudulent.
priorStateProof <PriorStateProof> - Proof of the state prior to executing the transaction. Type union of <BlockHeader | TransactionProof>
transactionProof <TransactionProof> - Merkle proof of the transaction being challenged.

transaction
transactionIndex
siblings


accountProof <AccountProof> - Merkle proof of an account that has the same address as transactionProof.transaction, which already existed at the time it was executed. The merkle proof is made against the state root prior to the transaction.

account
accountIndex
siblings


Description


Note: This is only for proving whether an account already existed in the state. If the intermediate state root for a create transaction is invalid, Invalid Execution (Create) must be used instead.

A creation transaction may only be executed to add an account to the state when it does not already exist. This proof is used if a creation transaction is present in a block where the state already had an account for the target address.
Process

1. Verify the inputs


Assert that the header represents a committed and pending block using blockIsPending(header)
Assert that priorStateProof is valid using provePriorState(priorStateProof, header, transactionProof.transactionIndex), which if successful returns priorStateRoot
Assert that the provided transactionProof is valid using rootHasTransaction(blockHeader.stateRoot, transactionProof.transaction, transactionProof.transactionIndex, transactionProof.siblings)
Assert that the provided state proof is valid using stateHasAccount(stateRoot, accountProof.account, accountProof.accountIndex, accountProof.siblings)

2. Check the transaction


Read the first byte from transactionProof.transaction as prefix.
Assert that prefix is either 0x00 or 0x04
If prefix is 0x00, set transactionAddress to the last 20 bytes of transactionProof.transaction
Otherwise:

Set signatureOffset to transactionProof.transaction.length - 32
Read bytes (signatureOffset - 20...signatureOffset) from transactionProof.transaction as transactionAddress


Read address from accountProof.account at bytes (0...20)
Compare address to transactionAddress

If they match, determine that fraud has occurred.


Transaction Execution Fraud

proveExecutionError(
  blockHeader, priorStateProof, transactionProof, accountProof1, accountProof2
) { ... }

Input


blockHeader <BlockHeader> - Header representing the block with the transaction claimed to be fraudulent.
priorStateProof <PriorStateProof> - Proof of the state prior to executing the transaction. Type union of <BlockHeader | TransactionProof>
transactionProof <TransactionProof> - Merkle proof of the transaction being challenged.

transaction
transactionIndex
siblings


accountProof1 <AccountProof> - Merkle proof of the first account in the previous state.

For a hard transaction, this will be for the recipient account.
Otherwise, it will be the sender's account.
Values:

account
accountIndex
siblings


accountProof2 <AccountProof> - Merkle proof of the second account in the previous state.

For a hard transaction, this will be null.
account
accountIndex
siblings


Description

If a transaction is not executed correctly, it will have a bad intermediate stateRoot which can be proven with this fraud proof.

Note: Hard withdrawal transactions where the caller had insufficient balance results in the new state root being the same as the previous one.

Process

1. Verify the inputs


Assert that the header represents a committed and pending block using blockIsPending(blockHeader)
Assert that priorStateProof is valid using provePriorState(priorStateProof, blockHeader, transactionProof.transactionIndex), which if successful returns priorStateRoot
Assert that the provided transactionProof is valid using rootHasTransaction(blockHeader.stateRoot, transactionProof.transaction, transactionProof.transactionIndex, transactionProof.siblings)
Read the first byte of transactionProof.transaction as prefix
Read newStateRoot as the last 32 bytes of transactionProof.transaction
Use prefix to determine what to do next:

HARD_CREATE: prefix = 0x00

Read toIndex from transactionProof.transaction at bytes (6...10)
Read value from transactionProof.transaction at bytes (10...17)
Read address from transactionProof.transaction at bytes (17...37)
Read initialSigningKey from transactionProof.transaction at bytes (37...57)
Set newNonce to 3 0 bytes
Initialize variable newToAccount as (address ++ newNonce ++ value ++ initialSigningKey)
Call verifyAndPush(calculatedRoot, newToAccount, toIndex, accountProof2.siblings)

If it fails, revert.
Otherwise set calculatedRoot to the return value.


Check ifcalculatedRoot is equal to the new state root.

If it is, revert.
If it is not, determine that fraud has occurred.


SOFT_CREATE: prefix = 0x04

Read fromIndex from transactionProof.transaction at bytes (0...4)
Read toIndex from transactionProof.transaction at bytes (4...8)
Read nonce from transactionProof.transaction at bytes (8...11)
Read value from transactionProof.transaction at bytes (11...18)
Read address from transactionProof.transaction at bytes (18...38)
Read initialSigningKey from transactionProof.transaction at bytes (38...58)
Set variable newFromAccount to a copy of accountProof1.account
Check if newFromAccount.balance > value && newFromAccount.nonce == nonce

If both are true, go to the next step
If not, verify accountProof1 using stateHasAccount(priorStateRoot, accountProof1.account, fromIndex, accountProof1.siblings)

If it succeeds, determine fraud has occurred. (If the account had an insufficient balance or the transaction had a bad nonce, the transaction should not have been in the block.)
Revert otherwise.


Set newFromAccount.nonce to nonce + 1
Set newFromAccount.balance to newFromAccount.balance - value
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newFromAccount, fromIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Set newNonce to 3 0 bytes
Initialize variable newToAccount as (address ++ newNonce ++ value ++ initialSigningKey)
Call verifyAndPush(calculatedRoot, newToAccount, toIndex, accountProof2.siblings)

If it fails, revert.
Otherwise set calculatedRoot to the return value.


Check ifcalculatedRoot is equal to the new state root.

If it is, revert.
If it is not, determine that fraud has occurred.


DEPOSIT: prefix = 0x01

Read toIndex from transactionProof.transaction at bytes (6...10)
Read value from transactionProof.transaction at bytes (10...17)
Set a variable newAccount to a copy of accountProof1.account
Set the balance in newAccount to newAccount.balance + value
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newAccount, toIndex, accountProof1.siblings)

If it succeeds, set the new root to calculatedRoot
Revert otherwise.


Assert that calculatedRoot is equal to newStateRoot


HARD_WITHDRAW: prefix = 0x02


Read fromIndex from transactionProof.transaction at bytes (5...9)


Read value from transactionProof.transaction at bytes (9...17)
Set variable newFromAccount to a copy of accountProof1.account
Check if newFromAccount.balance > value

If it is not:

Call verifyMerkleRoot(priorStateRoot, newFromAccount, fromIndex, accountProof1.siblings)
If it succeeds, check if newStateRoot is equal to priorStateRoot (withdrawal rejected)

If not, determine that fraud has occurred
Otherwise, revert


Otherwise, continue.


Set newFromAccount.balance to newFromAccount.balance - value
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newFromAccount, fromIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Check ifcalculatedRoot is equal to the new state root.

If it is, revert.
If it is not, determine that fraud has occurred.


SOFT_WITHDRAW: prefix = 0x03

Read fromIndex from transactionProof.transaction at bytes (0...4)
Read nonce from transactionProof.transaction at bytes (24...27)
Read value from transactionProof.transaction at bytes (27...34)
Set variable newFromAccount to a copy of accountProof1.account
Check if newFromAccount.balance > value && newFromAccount.nonce == nonce

If it is not:

Call verifyMerkleRoot(priorStateRoot, newFromAccount, fromIndex, accountProof1.siblings)
If it succeeds, check if newStateRoot is equal to priorStateRoot (withdrawal rejected)

If not, determine that fraud has occurred
Otherwise, revert


Otherwise, continue.


Set newFromAccount.balance to newFromAccount.balance - value
Set newFromAccount.nonce to newFromAccount.nonce + 1
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newFromAccount, fromIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Check ifcalculatedRoot is equal to newStateRoot.

If it is, revert.
If it is not, determine that fraud has occurred.


TRANSFER: prefix = 0x05

1. Verify the state of the sender account
2. Make sure it had a sufficient balance and matching nonce.
3. Calculate the new root if the account balance decreases by value.
4. Verify the state of the receiver account. Calculate the new root if its balance increases by value.
Read fromIndex from transactionProof.transaction at bytes (0...4)
Read toIndex from transactionProof.transaction at bytes (4...8)
Read nonce from transactionProof.transaction at bytes (8...11)
Read value from transactionProof.transaction at bytes (11...18)
Read newStateRoot from the last 32 bytes of transactionProof.transaction
Set variable newFromAccount to a copy of accountProof1.account
Check if newFromAccount.balance > value && newFromAccount.nonce == nonce

If either check fails:

Call verifyMerkleRoot(priorStateRoot, newFromAccount, fromIndex, accountProof1.siblings)

If it succeeds, determine that fraud has occurred (inclusion of a transaction where sender had insufficient balance or invalid nonce)


Otherwise, continue.


Set newFromAccount.balance to newFromAccount.balance - value
Set newFromAccount.nonce to newFromAccount.nonce + 1
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newFromAccount, fromIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Set newToAccount to a copy of accountProof2.account
Set newToAccount.balance to newToAccount.balance + value
Call verifyAndUpdate(calculatedRoot, accountProof2.account, newToAccount, toIndex, accountProof2.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Check ifcalculatedRoot is equal to newStateRoot.

If it is, revert.
If it is not, determine that fraud has occurred.


SOFT_CHANGE_SIGNER: prefix = 0x06

Read accountIndex from bytes (0...4) of transactionProof.transaction
Read nonce from bytes (4...7) of transactionProof.transaction
Read signingAddress from bytes (7...27) of transactionProof.transaction
Read modificationCategory from bytes (27...28) of transactionProof.transaction
Read newStateRoot from the last 32 bytes of transactionProof.transaction
Set variable newAccount to a copy of accountProof1.account
Check if newAccount.nonce == nonce

If it is, go to the next step.
If not, verify accountProof1 using stateHasAccount(priorStateRoot, accountProof1.account, accountIndex, accountProof1.siblings)

If it succeeds, determine fraud has occurred. (If the transaction had a bad nonce, the transaction should not have been in the block.)
If it fails, the challenger gave a bad input - revert.


If modificationCategory is 0, the transaction should add a signer to the account.

Verify that the account can add new signers and that the new signing address is not already present in the account.

Set signerCount to (newAccount.length - 30) / 20
Set redundantSigner to the return value of accountHasSigner(accountProof1, signingAddress)
Check if (signerCount <= 9 && !redundantSigner)

If both are true, go to the next step.
If not, verify accountProof1 using stateHasAccount(priorStateRoot, accountProof1.account, accountIndex, accountProof1.siblings)

If it succeeds, determine fraud has occurred. (The account modification is redundant or exceeds the maximum account size, so the transaction should not have been included.)
If it fails, the challenger gave a bad input - revert.


Execute the state transition and verify the output state root

Copy signingAddress to the end of newAccount
Set newAccount.nonce += 1
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newAccount, accountIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Check ifcalculatedRoot is equal to newStateRoot.

If it is, revert.
If it is not, determine that fraud has occurred.


If modificationCategory is 1, the transaction should remove a signer from the account.

Set a variable hasAccount to false
Verify that the account has the specified address

Set a variable nextOffset to 30 (pointer to beginning of first signer address)
Execute a while loop with condition (nextOffset < newAccount.length) to read each signer address in the account

Read bytes (nextOffset...nextOffset+20) from newAccount as nextSigner
If signer == nextSigner set hasAccount = true and break
Set nextOffset += 20


If hasAccount == true go to the next step.
If it is false, verify accountProof1 using stateHasAccount(priorStateRoot, accountProof1.account, accountIndex, accountProof1.siblings)

If it succeeds, determine fraud has occurred. (The account did not include the specified signer address, so the transaction should not have been included.)
If it fails, the challenger gave a bad input - revert.


Execute the state transition and verify the output state root

Copy bytes (0...nextOffset) from newAccount to a new variable prefix
Copy bytes (nextOffset+20...newAccount.length) from newAccount to a new variable suffix
Set newAccount to prefix ++ suffix
Set newAccount.nonce += 1
Call verifyAndUpdate(priorStateRoot, accountProof1.account, newAccount, accountIndex, accountProof1.siblings)

If it succeeds, set calculatedRoot to the return value.
If not, revert.


Check ifcalculatedRoot is equal to newStateRoot.

If it is, revert.
If it is not, determine that fraud has occurred.


If modificationCategory is any other value, determine that fraud has occurred.
Element	Size (b)
number	4
stateSize	4
stateRoot	32
hardTransactionCount	5
transactionsRoot	32
transactionsHash	32
Total Block Header	109
Type	Size (b)	Size w/ root (b)
HARD_CREATE	56	88
HARD_DEPOSIT	16	48
HARD_WITHDRAW	16	48
SOFT_WITHDRAW	99	131
SOFT_CREATE	123	155
SOFT_TRANSFER	83	115
SOFT_CHANGE_SIGNER	93	125
Type	Prefix	Size (b)	Size w/ root and prefix (b)
HARD_CREATE	0x00	56	89
HARD_DEPOSIT	0x01	16	49
HARD_WITHDRAW	0x02	16	49
SOFT_WITHDRAW	0x03	99	132
SOFT_CREATE	0x04	123	156
SOFT_TRANSFER	0x05	83	116
SOFT_CHANGE_SIGNER	0x06	93	126
Meta Variable	Type	Prefix	size (w/ root)
hardCreates	HARD_CREATE	0x00	88
defaultDeposits	HARD_DEPOSIT	0x01	48
hardWithdrawals	HARD_WITHDRAW	0x02	48
softWithdrawals	SOFT_WITHDRAW	0x03	131
softCreates	SOFT_CREATE	0x04	155
softTransfers	SOFT_TRANSFER	0x05	115
softChangeSigners	SOFT_CHANGE_SIGNER	0x06	125