feat: Elastic verifier, that allows owner to set multiple VKs (#1599)

Author: mm-zk

l1-contracts/contracts/state-transition/chain-deps/GatewayCTMDeployer.sol

@@ -188,7 +188,7 @@ contract GatewayCTMDeployer {
             _isZKsyncOS: _config.isZKsyncOS,
             _deployedContracts: contracts
         });
-        _deployVerifier(salt, _config.testnetVerifier, contracts);
+        _deployVerifier(salt, _config.testnetVerifier, contracts, _config.aliasedGovernanceAddress);
 
         _deployProxyAdmin(salt, _config.aliasedGovernanceAddress, contracts);
 
@@ -299,23 +299,25 @@ contract GatewayCTMDeployer {
     /// @param _salt Salt used for CREATE2 deployments.
     /// @param _testnetVerifier Whether testnet verifier should be used.
     /// @param _deployedContracts The struct with deployed contracts, that will be mofiied
+    /// @param _verifierOwner The owner that can add additional verification keys.
     /// in the process of the execution of this function.
     function _deployVerifier(
         bytes32 _salt,
         bool _testnetVerifier,
-        DeployedContracts memory _deployedContracts
+        DeployedContracts memory _deployedContracts,
+        address _verifierOwner
     ) internal {
         L1VerifierFflonk fflonkVerifier = new L1VerifierFflonk{salt: _salt}();
         _deployedContracts.stateTransition.verifierFflonk = address(fflonkVerifier);
         L1VerifierPlonk verifierPlonk = new L1VerifierPlonk{salt: _salt}();
         _deployedContracts.stateTransition.verifierPlonk = address(verifierPlonk);
         if (_testnetVerifier) {
             _deployedContracts.stateTransition.verifier = address(
-                new TestnetVerifier{salt: _salt}(fflonkVerifier, verifierPlonk)
+                new TestnetVerifier{salt: _salt}(fflonkVerifier, verifierPlonk, _verifierOwner)
             );
         } else {
             _deployedContracts.stateTransition.verifier = address(
-                new DualVerifier{salt: _salt}(fflonkVerifier, verifierPlonk)
+                new DualVerifier{salt: _salt}(fflonkVerifier, verifierPlonk, _verifierOwner)
             );
         }
     }

l1-contracts/contracts/state-transition/verifiers/DualVerifier.sol

@@ -22,12 +22,6 @@ error UnsupportedChainIdForMockVerifier();
 /// contract, while abusing on of the fields (`_recursiveAggregationInput`) for proof verification type. The contract is
 /// needed for the smooth transition from PLONK based verifier to the FFLONK verifier.
 contract DualVerifier is IVerifier {
-    /// @notice The latest FFLONK verifier contract.
-    IVerifierV2 public immutable FFLONK_VERIFIER;
-
-    /// @notice PLONK verifier contract.
-    IVerifier public immutable PLONK_VERIFIER;
-
     /// @notice Type of verification for FFLONK verifier.
     uint256 internal constant FFLONK_VERIFICATION_TYPE = 0;
 
@@ -39,11 +33,31 @@ contract DualVerifier is IVerifier {
     // @notice This is test only verifier (mock), and must be removed before prod.
     uint256 internal constant OHBENDER_MOCK_VERIFICATION_TYPE = 3;
 
+    address public ctmOwner;
+
+    mapping(uint32 => IVerifierV2) public fflonkVerifiers;
+    mapping(uint32 => IVerifier) public plonkVerifiers;
+
     /// @param _fflonkVerifier The address of the FFLONK verifier contract.
     /// @param _plonkVerifier The address of the PLONK verifier contract.
-    constructor(IVerifierV2 _fflonkVerifier, IVerifier _plonkVerifier) {
-        FFLONK_VERIFIER = _fflonkVerifier;
-        PLONK_VERIFIER = _plonkVerifier;
+    /// @param _ctmOwner The address of the contract owner, who can add or remove verifiers.
+    constructor(IVerifierV2 _fflonkVerifier, IVerifier _plonkVerifier, address _ctmOwner) {
+        ctmOwner = _ctmOwner;
+        fflonkVerifiers[0] = _fflonkVerifier;
+        plonkVerifiers[0] = _plonkVerifier;
+    }
+
+    function addVerifier(uint32 version, IVerifierV2 _fflonkVerifier, IVerifier _plonkVerifier) external {
+        require(msg.sender == ctmOwner, "Only ctmOwner can add verifiers");
+        // Add logic to add verifiers
+        fflonkVerifiers[version] = _fflonkVerifier;
+        plonkVerifiers[version] = _plonkVerifier;
+    }
+
+    function removeVerifier(uint32 version) external {
+        require(msg.sender == ctmOwner, "Only ctmOwner can remove verifiers");
+        delete fflonkVerifiers[version];
+        delete plonkVerifiers[version];
     }
 
     /// @notice Routes zk-SNARK proof verification to the appropriate verifier (FFLONK or PLONK) based on the proof type.
@@ -61,16 +75,23 @@ contract DualVerifier is IVerifier {
         }
 
         // The first element of `_proof` determines the verifier type (either FFLONK or PLONK).
-        uint256 verifierType = _proof[0];
+        uint256 verifierType = _proof[0] & 255;
+        uint32 verifierVersion = uint32(_proof[0] >> 8);
+        require(
+            fflonkVerifiers[verifierVersion] != IVerifierV2(address(0)) ||
+                plonkVerifiers[verifierVersion] != IVerifier(address(0)),
+            "Unknown verifier version"
+        );
+
         if (verifierType == FFLONK_VERIFICATION_TYPE) {
-            return FFLONK_VERIFIER.verify(_publicInputs, _extractProof(_proof));
+            return fflonkVerifiers[verifierVersion].verify(_publicInputs, _extractProof(_proof));
         } else if (verifierType == PLONK_VERIFICATION_TYPE) {
-            return PLONK_VERIFIER.verify(_publicInputs, _extractProof(_proof));
+            return plonkVerifiers[verifierVersion].verify(_publicInputs, _extractProof(_proof));
         } else if (verifierType == OHBENDER_PLONK_VERIFICATION_TYPE) {
             uint256[] memory args = new uint256[](1);
             args[0] = computeOhBenderHash(_proof[1], _publicInputs);
 
-            return PLONK_VERIFIER.verify(args, _extractOhBenderProof(_proof));
+            return plonkVerifiers[verifierVersion].verify(args, _extractOhBenderProof(_proof));
         } else if (verifierType == OHBENDER_MOCK_VERIFICATION_TYPE) {
             // just for safety - only allowing default anvil chain and sepolia testnet
             if (block.chainid != 31337 && block.chainid != 11155111) {
@@ -104,16 +125,25 @@ contract DualVerifier is IVerifier {
     /// @inheritdoc IVerifier
     /// @dev Used for backward compatibility with older Verifier implementation. Returns PLONK verification key hash.
     function verificationKeyHash() external view returns (bytes32) {
-        return PLONK_VERIFIER.verificationKeyHash();
+        return plonkVerifiers[0].verificationKeyHash();
     }
 
     /// @notice Calculates a keccak256 hash of the runtime loaded verification keys from the selected verifier.
     /// @return The keccak256 hash of the loaded verification keys based on the verifier.
     function verificationKeyHash(uint256 _verifierType) external view returns (bytes32) {
-        if (_verifierType == FFLONK_VERIFICATION_TYPE) {
-            return FFLONK_VERIFIER.verificationKeyHash();
-        } else if (_verifierType == PLONK_VERIFICATION_TYPE) {
-            return PLONK_VERIFIER.verificationKeyHash();
+        uint256 verifierType = _verifierType & 255;
+        uint32 verifierVersion = uint32(verifierType >> 8);
+
+        require(
+            fflonkVerifiers[verifierVersion] != IVerifierV2(address(0)) ||
+                plonkVerifiers[verifierVersion] != IVerifier(address(0)),
+            "Unknown verifier version"
+        );
+
+        if (verifierType == FFLONK_VERIFICATION_TYPE) {
+            return fflonkVerifiers[verifierVersion].verificationKeyHash();
+        } else if (verifierType == PLONK_VERIFICATION_TYPE) {
+            return plonkVerifiers[verifierVersion].verificationKeyHash();
         }
         // If the verifier type is unknown, revert with an error.
         else {

l1-contracts/contracts/state-transition/verifiers/TestnetVerifier.sol

@@ -13,13 +13,20 @@ import {IVerifier} from "../chain-interfaces/IVerifier.sol";
 /// If the proof is not empty, it will verify it using the main verifier contract,
 /// otherwise, it will skip the verification.
 contract TestnetVerifier is DualVerifier {
-    constructor(IVerifierV2 _fflonkVerifier, IVerifier _plonkVerifier) DualVerifier(_fflonkVerifier, _plonkVerifier) {
+    constructor(
+        IVerifierV2 _fflonkVerifier,
+        IVerifier _plonkVerifier,
+        address _ctmOwner
+    ) DualVerifier(_fflonkVerifier, _plonkVerifier, _ctmOwner) {
         assert(block.chainid != 1);
     }
 
     /// @dev Verifies a zk-SNARK proof, skipping the verification if the proof is empty.
     /// @inheritdoc IVerifier
-    function verify(uint256[] calldata _publicInputs, uint256[] calldata _proof) public view override returns (bool) {
+    function verify(
+        uint256[] calldata _publicInputs,
+        uint256[] calldata _proof
+    ) public view override returns (bool) {
         // We allow skipping the zkp verification for the test(net) environment
         // If the proof is not empty, verify it, otherwise, skip the verification
         if (_proof.length == 0) {

l1-contracts/deploy-scripts/DeployUtils.s.sol

@@ -416,7 +416,14 @@ abstract contract DeployUtils is Create2FactoryUtils {
         } else if (compareStrings(contractName, "DummyAvailBridge")) {
             return abi.encode();
         } else if (compareStrings(contractName, "Verifier")) {
-            return abi.encode(addresses.stateTransition.verifierFflonk, addresses.stateTransition.verifierPlonk);
+            /// TODO: Currently setting it to owner address (which means whole bridgehub owner).
+            /// In practice we might want to set it to CTM owner (which in production will be less restritive).
+            return
+                abi.encode(
+                    addresses.stateTransition.verifierFflonk,
+                    addresses.stateTransition.verifierPlonk,
+                    config.ownerAddress
+                );
         } else if (compareStrings(contractName, "VerifierFflonk")) {
             return abi.encode();
         } else if (compareStrings(contractName, "VerifierPlonk")) {

l1-contracts/deploy-scripts/gateway/GatewayCTMDeployerHelper.sol

@@ -62,7 +62,7 @@ library GatewayCTMDeployerHelper {
             contracts,
             innerConfig
         );
-        contracts = _deployVerifier(config.testnetVerifier, contracts, innerConfig);
+        contracts = _deployVerifier(config.testnetVerifier, contracts, innerConfig, config.aliasedGovernanceAddress);
 
         contracts.stateTransition.validatorTimelockImplementation = _deployInternal(
             "ValidatorTimelock",
@@ -189,15 +189,16 @@ library GatewayCTMDeployerHelper {
     function _deployVerifier(
         bool _testnetVerifier,
         DeployedContracts memory _deployedContracts,
-        InnerDeployConfig memory innerConfig
+        InnerDeployConfig memory innerConfig,
+        address _verifierOwner
     ) internal returns (DeployedContracts memory) {
         address verifierFflonk = _deployInternal("L1VerifierFflonk", "L1VerifierFflonk.sol", hex"", innerConfig);
         address verifierPlonk = _deployInternal("L1VerifierPlonk", "L1VerifierPlonk.sol", hex"", innerConfig);
 
         _deployedContracts.stateTransition.verifierFflonk = verifierFflonk;
         _deployedContracts.stateTransition.verifierPlonk = verifierPlonk;
 
-        bytes memory constructorParams = abi.encode(verifierFflonk, verifierPlonk);
+        bytes memory constructorParams = abi.encode(verifierFflonk, verifierPlonk, _verifierOwner);
 
         if (_testnetVerifier) {
             _deployedContracts.stateTransition.verifier = _deployInternal(

l1-contracts/test/foundry/l1/unit/concrete/Executor/ExecutorProof.t.sol

@@ -47,7 +47,8 @@ contract TestExecutorFacet is ExecutorFacet {
 contract ExecutorProofTest is Test {
     UtilsFacet internal utilsFacet;
     TestExecutorFacet internal executor;
-    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0))));
+    address internal testnetVerifier =
+        address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0)), address(0)));
 
     function getTestExecutorFacetSelectors() private pure returns (bytes4[] memory) {
         bytes4[] memory selectors = new bytes4[](3);

l1-contracts/test/foundry/l1/unit/concrete/Executor/_Executor_Shared.t.sol

@@ -224,7 +224,11 @@ contract ExecutorTest is Test {
             timestamp: 0,
             commitment: bytes32("")
         });
-        TestnetVerifier testnetVerifier = new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0)));
+        TestnetVerifier testnetVerifier = new TestnetVerifier(
+            IVerifierV2(address(0)),
+            IVerifier(address(0)),
+            address(0)
+        );
 
         InitializeData memory params = InitializeData({
             // TODO REVIEW

l1-contracts/test/foundry/l1/unit/concrete/state-transition/ChainTypeManager/_ChainTypeManager_Shared.t.sol

@@ -53,7 +53,7 @@ contract ChainTypeManagerTest is Test {
     address internal constant serverNotifier = address(0x7070707);
     address internal newChainAdmin;
     uint256 chainId = 112;
-    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0))));
+    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0)), address(0)));
     bytes internal forceDeploymentsData = hex"";
 
     uint256 eraChainId = 9;

l1-contracts/test/foundry/l1/unit/concrete/state-transition/chain-deps/DiamondInit/_DiamondInit_Shared.t.sol

@@ -13,7 +13,7 @@ import {IVerifier} from "contracts/state-transition/chain-interfaces/IVerifier.s
 
 contract DiamondInitTest is Test {
     Diamond.FacetCut[] internal facetCuts;
-    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0))));
+    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0)), address(0)));
 
     function setUp() public virtual {
         facetCuts.push(

l1-contracts/test/foundry/l1/unit/concrete/state-transition/chain-deps/DiamondProxy/DiamondProxy.t.sol

@@ -27,7 +27,7 @@ contract TestFacet is ZKChainBase {
 
 contract DiamondProxyTest is Test {
     Diamond.FacetCut[] internal facetCuts;
-    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0))));
+    address internal testnetVerifier = address(new TestnetVerifier(IVerifierV2(address(0)), IVerifier(address(0)), address(0)));
 
     function getTestFacetSelectors() public pure returns (bytes4[] memory selectors) {
         selectors = new bytes4[](1);