feat: fix verifier

Author: karlem

fendermint/app/src/cmd/proof_cache.rs

@@ -57,8 +57,8 @@ fn inspect_cache(db_path: &Path) -> anyhow::Result<()> {
 
         println!(
             "{:<12} {:<20?} {:<15} {:<15}",
-            entry.instance_id,
-            entry.finalized_epochs,
+            entry.certificate.gpbft_instance,
+            entry.certificate.ec_chain.suffix(),
             format!("{} bytes", proof_size),
             format!("{} signers", entry.certificate.signers.len())
         );
@@ -85,8 +85,14 @@ fn show_stats(db_path: &Path) -> anyhow::Result<()> {
     println!("Last Committed: {:?}", last_committed);
     println!(
         "Instances: {} - {}",
-        entries.first().map(|e| e.instance_id).unwrap_or(0),
-        entries.last().map(|e| e.instance_id).unwrap_or(0)
+        entries
+            .first()
+            .map(|e| e.certificate.gpbft_instance)
+            .unwrap_or(0),
+        entries
+            .last()
+            .map(|e| e.certificate.gpbft_instance)
+            .unwrap_or(0)
     );
     println!();
 
@@ -138,9 +144,8 @@ fn get_proof(db_path: &Path, instance_id: u64) -> anyhow::Result<()> {
             println!("  Instance ID: {}", entry.certificate.gpbft_instance);
             println!(
                 "  Finalized Epochs: {:?}",
-                &entry.certificate.finalized_epochs()
+                &entry.certificate.ec_chain.suffix()
             );
-            println!("  Power Table CID: {}", entry.certificate.power_table_delta);
             println!(
                 "  BLS Signature: {} bytes",
                 entry.certificate.signature.len()
@@ -158,13 +163,18 @@ fn get_proof(db_path: &Path, instance_id: u64) -> anyhow::Result<()> {
                 proof_bundle_size,
                 proof_bundle_size as f64 / 1024.0
             );
-            println!(
-                "  Storage Proofs: {}",
-                entry.proof_bundle.storage_proofs.len()
-            );
-            println!("  Event Proofs: {}", entry.proof_bundle.event_proofs.len());
-            println!("  Witness Blocks: {}", entry.proof_bundle.blocks.len());
-            println!();
+
+            if let Some(proof_bundle) = &entry.proof_bundle {
+                println!(
+                    "  Storage Proofs: {}",
+                    entry.proof_bundle.storage_proofs.len()
+                );
+                println!("  Event Proofs: {}", entry.proof_bundle.event_proofs.len());
+                println!("  Witness Blocks: {}", entry.proof_bundle.blocks.len());
+                println!();
+            } else {
+                println!("  No proof bundle found");
+            }
 
             // Metadata
             println!("Metadata:");

fendermint/vm/topdown/proof-service/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fendermint_vm_topdown_proof_service"
-description = "Proof generator service for F3-based parent finality"
+description = "Proof generator service"
 version = "0.1.0"
 edition.workspace = true
 license.workspace = true

fendermint/vm/topdown/proof-service/src/assembler.rs

@@ -29,13 +29,13 @@ use url::Url;
 /// Event signature for NewTopDownMessage from LibGateway.sol
 /// Event: NewTopDownMessage(address indexed subnet, IpcEnvelope message, bytes32 indexed id)
 /// Bindings: contract_bindings::lib_gateway::NewTopDownMessageFilter
-const NEW_TOPDOWN_MESSAGE_SIGNATURE: &str = "NewTopDownMessage(address,IpcEnvelope,bytes32)";
+pub const NEW_TOPDOWN_MESSAGE_SIGNATURE: &str = "NewTopDownMessage(address,IpcEnvelope,bytes32)";
 
 /// Event signature for NewPowerChangeRequest from LibPowerChangeLog.sol
 /// Event: NewPowerChangeRequest(PowerOperation op, address validator, bytes payload, uint64 configurationNumber)
 /// Bindings: contract_bindings::lib_power_change_log::NewPowerChangeRequestFilter
 /// This captures validator power changes that need to be reflected in the subnet
-const NEW_POWER_CHANGE_REQUEST_SIGNATURE: &str =
+pub const NEW_POWER_CHANGE_REQUEST_SIGNATURE: &str =
     "NewPowerChangeRequest(PowerOperation,address,bytes,uint64)";
 
 /// Storage slot offset for topDownNonce in the Subnet struct

fendermint/vm/topdown/proof-service/src/config.rs

@@ -6,6 +6,9 @@ use ipc_api::subnet_id::SubnetID;
 use serde::{Deserialize, Serialize};
 use std::time::Duration;
 
+const FILECOIN_MAINNET_CHAIN_ID: u64 = 314;
+const FILECOIN_CALIBRATION_CHAIN_ID: u64 = 314159;
+
 /// Represents a value that can be either a numeric Actor ID or an Ethereum address string.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
@@ -50,8 +53,8 @@ impl ProofServiceConfig {
         let root_id = self.subnet_id.root_id();
 
         match root_id {
-            314 => "mainnet".to_string(),
-            314159 => "calibrationnet".to_string(),
+            FILECOIN_MAINNET_CHAIN_ID => "mainnet".to_string(),
+            FILECOIN_CALIBRATION_CHAIN_ID => "calibrationnet".to_string(),
             _ => {
                 tracing::warn!(
                     root_id,

fendermint/vm/topdown/proof-service/src/lib.rs

@@ -23,7 +23,7 @@ pub use cache::ProofCache;
 pub use config::{CacheConfig, ProofServiceConfig};
 pub use service::ProofGeneratorService;
 pub use types::{CacheEntry, SerializableF3Certificate};
-pub use verifier::verify_proof_bundle;
+pub use verifier::ProofsVerifier;
 
 use anyhow::{Context, Result};
 use std::sync::Arc;

fendermint/vm/topdown/proof-service/src/verifier.rs

@@ -5,151 +5,104 @@
 //! Provides deterministic verification of proof bundles against F3 certificates.
 //! Used by validators during block attestation to verify parent finality proofs.
 
-use crate::types::SerializableF3Certificate;
-use anyhow::{Context, Result};
-use proofs::proofs::common::bundle::{ProofBlock, UnifiedProofBundle};
-use proofs::proofs::storage::{bundle::StorageProof, verifier::verify_storage_proof};
-use tracing::debug;
-
-/// Verify a unified proof bundle against a certificate
-///
-/// This performs deterministic verification of:
-/// - Storage proofs (contract state at parent height)
-/// - Event proofs (emitted events at parent height)
-///
-/// # Arguments
-/// * `bundle` - The proof bundle to verify
-/// * `certificate` - The certificate containing finalized epochs
-///
-/// # Returns
-/// `Ok(())` if all proofs are valid, `Err` otherwise
-///
-/// # Usage in Block Attestation
-///
-/// ```ignore
-/// // When validator receives block with parent finality data
-/// if cache.contains(cert.instance_id) {
-///     // Already validated - just verify proofs
-///     let cached = cache.get(cert.instance_id).unwrap();
-///     verify_proof_bundle(&cached.proof_bundle, &cached.certificate)?;
-/// } else {
-///     // Not cached - need full crypto validation first
-///     let validated = f3_client.fetch_and_validate(cert.instance_id).await?;
-///     let serializable_cert = SerializableF3Certificate::from(&certificate);
-///     verify_proof_bundle(&proof_bundle, &serializable_cert)?;
-/// }
-/// ```
-pub fn verify_proof_bundle(
-    bundle: &UnifiedProofBundle,
-    certificate: &SerializableF3Certificate,
-) -> Result<()> {
-    debug!(
-        gpbft_instance = certificate.gpbft_instance,
-        storage_proofs = bundle.storage_proofs.len(),
-        event_proofs = bundle.event_proofs.len(),
-        witness_blocks = bundle.blocks.len(),
-        "Verifying proof bundle"
-    );
-
-    // Verify all storage proofs
-    for (idx, storage_proof) in bundle.storage_proofs.iter().enumerate() {
-        verify_storage_proof_internal(storage_proof, &bundle.blocks, certificate)
-            .with_context(|| format!("Storage proof {} failed verification", idx))?;
-    }
-
-    // Event proof verification uses a bundle-level API
-    // For now, we verify that the bundle structure is valid
-    // Full event proof verification will be added when the proofs library API is finalized
-    if !bundle.event_proofs.is_empty() {
-        debug!(
-            event_proofs = bundle.event_proofs.len(),
-            "Event proofs present (verification to be implemented with proofs library API)"
-        );
-    }
-
-    debug!(
-        gpbft_instance = certificate.gpbft_instance,
-        "Proof bundle verified successfully"
-    );
-
-    Ok(())
+use crate::assembler::{NEW_POWER_CHANGE_REQUEST_SIGNATURE, NEW_TOPDOWN_MESSAGE_SIGNATURE};
+use anyhow::Result;
+use cid::Cid;
+use filecoin_f3_certs::FinalityCertificate;
+use proofs::proofs::common::bundle::{UnifiedProofBundle, UnifiedVerificationResult};
+use proofs::proofs::events::bundle::EventProofBundle;
+use proofs::proofs::events::verifier::verify_event_proof;
+use proofs::proofs::storage::verifier::verify_storage_proof;
+
+use proofs::proofs::common::evm::{ascii_to_bytes32, extract_evm_log, hash_event_signature};
+
+pub struct ProofsVerifier {
+    events: Vec<Vec<[u8; 32]>>,
 }
 
-/// Verify a single storage proof
-///
-/// Uses the proofs library's verify_storage_proof function with the witness blocks.
-fn verify_storage_proof_internal(
-    proof: &StorageProof,
-    blocks: &[ProofBlock],
-    certificate: &SerializableF3Certificate,
-) -> Result<()> {
-    // Get finalized epochs from certificate
-    let finalized_epochs = certificate.finalized_epochs();
-
-    // Verify the proof's child epoch is in the certificate's finalized epochs
-    let child_epoch = proof.child_epoch;
-    if !finalized_epochs.contains(&child_epoch) {
-        anyhow::bail!(
-            "Storage proof child epoch {} not in certificate's finalized epochs",
-            child_epoch
-        );
-    }
-
-    // Use the proofs library to verify the storage proof
-    // The is_trusted_child_header function checks if the child epoch is finalized
-    let is_trusted = |epoch: i64, _cid: &cid::Cid| -> bool { finalized_epochs.contains(&epoch) };
-
-    let valid = verify_storage_proof(proof, blocks, &is_trusted)
-        .context("Storage proof verification failed")?;
+impl ProofsVerifier {
+    pub fn new(subnet_id: String) -> Self {
+        let events = vec![
+            vec![
+                hash_event_signature(NEW_TOPDOWN_MESSAGE_SIGNATURE),
+                ascii_to_bytes32(&subnet_id),
+            ],
+            vec![hash_event_signature(NEW_POWER_CHANGE_REQUEST_SIGNATURE)],
+        ];
 
-    if !valid {
-        anyhow::bail!("Storage proof is invalid");
+        Self { events }
     }
-
-    Ok(())
 }
 
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use proofs::proofs::common::bundle::UnifiedProofBundle;
-
-    #[test]
-    fn test_verify_empty_bundle() {
-        let bundle = UnifiedProofBundle {
-            storage_proofs: vec![],
-            event_proofs: vec![],
-            blocks: vec![],
+impl ProofsVerifier {
+    /// Verify a unified proof bundle against a certificate
+    ///
+    /// This performs deterministic verification of:
+    /// - Storage proofs (contract state at parent height)
+    /// - Event proofs (emitted events at parent height)
+    ///
+    /// # Arguments
+    /// * `bundle` - The proof bundle to verify
+    /// * `certificate` - The certificate containing finalized epochs
+    pub fn verify_proof_bundle(
+        &self,
+        bundle: &UnifiedProofBundle,
+        certificate: &FinalityCertificate,
+    ) -> Result<UnifiedVerificationResult> {
+        let tipset_verifier = |epoch: i64, cid: &Cid| -> bool {
+            certificate
+                .ec_chain
+                .iter()
+                .any(|ts| ts.epoch == epoch && ts.key == cid.to_bytes())
         };
 
-        use crate::types::{SerializableECChainEntry, SerializableSupplementalData};
+        // Verify storage proofs
+        let mut storage_results = Vec::new();
+        for proof in &bundle.storage_proofs {
+            let result = verify_storage_proof(proof, &bundle.blocks, &tipset_verifier)?;
+            storage_results.push(result);
+        }
+
+        // Verify event proofs - need to create an EventProofBundle for the verifier
+        let event_bundle = EventProofBundle {
+            proofs: bundle.event_proofs.clone(),
+            blocks: bundle.blocks.clone(),
+        };
 
-        let cert = SerializableF3Certificate {
-            gpbft_instance: 1,
-            ec_chain: vec![
-                SerializableECChainEntry {
-                    epoch: 100,
-                    key: vec![],
-                    power_table: "test_cid".to_string(),
-                    commitments: vec![0u8; 32],
-                },
-                SerializableECChainEntry {
-                    epoch: 101,
-                    key: vec![],
-                    power_table: "test_cid".to_string(),
-                    commitments: vec![0u8; 32],
-                },
-            ],
-            supplemental_data: SerializableSupplementalData {
-                power_table: "test_cid".to_string(),
-                commitments: vec![0u8; 32],
-            },
-            signature: vec![],
-            signers: vec![],
-            power_table_delta: vec![],
+        // TODO Karel - fix the library to take a single CID
+        let parent_tipset_verifier = |epoch: i64, cids: &[Cid]| -> bool {
+            certificate
+                .ec_chain
+                .iter()
+                .any(|ts| ts.epoch == epoch && ts.key == cids.first().unwrap().to_bytes())
         };
 
-        // Empty bundle should verify successfully
-        assert!(verify_proof_bundle(&bundle, &cert).is_ok());
+        let event_results = verify_event_proof(
+            &event_bundle,
+            &parent_tipset_verifier,
+            &tipset_verifier,
+            Some(&self.create_event_filter()),
+        )?;
+
+        Ok(UnifiedVerificationResult {
+            storage_results,
+            event_results,
+        })
+    }
+
+    fn create_event_filter(&self) -> impl Fn(&fvm_shared::event::ActorEvent) -> bool + '_ {
+        |ev: &fvm_shared::event::ActorEvent| -> bool {
+            if let Some(log) = extract_evm_log(ev) {
+                self.events.iter().any(|expected_topics| {
+                    log.topics.len() >= expected_topics.len()
+                        && expected_topics
+                            .iter()
+                            .zip(log.topics.iter())
+                            .all(|(expected, actual)| expected == actual)
+                })
+            } else {
+                false
+            }
+        }
     }
 }