feat: minimal set of features to support gateway (#430)

## What ❔

2 features to support gateway:
- read multichain root from `MesageRoot` contract and include it in the
full logs root
- support free(0 gas price) l1 -> l2 transactions

## Is this a breaking change?
- [x] Yes
- [ ] No

It's backward compatible for forward run(taking into account that there
are no 0 gas price l1 -> l2 transactions).
But full logs root changed(changes in the sequencer required)

## Checklist

<!-- Check your PR fulfills the following items. -->
<!-- For draft PRs check the boxes as you complete them. -->

- [x] PR title corresponds to the body of PR (we generate changelog
entries from PRs).
- [x] Tests for the changes have been added / updated.
- [x] Documentation comments have been added / updated.
- [x] Code has been formatted.

---------

Co-authored-by: antoniolocascio <antonio.locascio1@gmail.com>
Co-authored-by: Vladislav Volosnikov <Volosnikov.apmath@gmail.com>

Author: 3 people

basic_bootloader/src/bootloader/block_flow/zk/batch_data.rs

@@ -27,6 +27,7 @@ pub struct ZKBatchDataKeeper<A: alloc::alloc::Allocator, O: IOOracle> {
     pub logs_storage: ArrayVec<Bytes32, 16384>,
     enforced_txs_accumulator: TransactionsRollingKeccakHasher,
     upgrade_tx_hash: Option<Bytes32>,
+    multichain_root: Bytes32,
     interop_roots_rolling_hash: Bytes32,
     settlement_layer_chain_id: Option<U256>,
 }
@@ -46,6 +47,7 @@ impl<A: alloc::alloc::Allocator, O: IOOracle> ZKBatchDataKeeper<A, O> {
             // keccak256([])
             enforced_txs_accumulator: TransactionsRollingKeccakHasher::empty(),
             upgrade_tx_hash: None,
+            multichain_root: Bytes32::zero(),
             interop_roots_rolling_hash: Bytes32::ZERO,
             settlement_layer_chain_id: None,
         }
@@ -62,6 +64,7 @@ impl<A: alloc::alloc::Allocator, O: IOOracle> ZKBatchDataKeeper<A, O> {
         block_timestamp: u64,
         chain_id: U256,
         upgrade_tx_hash: Bytes32,
+        multichain_root: Bytes32,
         interop_roots: impl Iterator<Item = &'a InteropRoot>,
         settlement_layer_chain_id: U256,
     ) {
@@ -88,6 +91,8 @@ impl<A: alloc::alloc::Allocator, O: IOOracle> ZKBatchDataKeeper<A, O> {
                 Some(settlement_layer_chain_id)
             );
         }
+        // we always override multichain root with latest
+        self.multichain_root = multichain_root;
 
         self.interop_roots_rolling_hash = calculate_interop_roots_rolling_hash(
             self.interop_roots_rolling_hash,
@@ -102,10 +107,10 @@ impl<A: alloc::alloc::Allocator, O: IOOracle> ZKBatchDataKeeper<A, O> {
     pub fn into_public_input(self, mut logger: impl Logger, oracle: &mut O) -> BatchPublicInput {
         assert!(!self.is_first_block);
 
-        let mut full_root_hasher = crypto::sha3::Keccak256::new();
-        full_root_hasher.update(Self::l2_logs_root(self.logs_storage).as_u8_ref());
-        full_root_hasher.update([0u8; 32]); // aggregated root 0 for now
-        let full_l2_to_l1_logs_root = full_root_hasher.finalize();
+        let mut chain_batch_root_hasher = crypto::sha3::Keccak256::new();
+        chain_batch_root_hasher.update(Self::l2_logs_root(self.logs_storage).as_u8_ref());
+        chain_batch_root_hasher.update(self.multichain_root.as_u8_ref());
+        let chain_batch_root = chain_batch_root_hasher.finalize();
 
         let (priority_operations_hash, number_of_layer_1_txs) =
             self.enforced_txs_accumulator.finish();
@@ -117,7 +122,7 @@ impl<A: alloc::alloc::Allocator, O: IOOracle> ZKBatchDataKeeper<A, O> {
             pubdata_commitment: self.da_commitment_generator.unwrap().finalize(oracle),
             number_of_layer_1_txs: U256::from(number_of_layer_1_txs),
             priority_operations_hash,
-            l2_logs_tree_root: full_l2_to_l1_logs_root.into(),
+            l2_logs_tree_root: chain_batch_root.into(),
             upgrade_tx_hash: self.upgrade_tx_hash.unwrap(),
             interop_roots_rolling_hash: self.interop_roots_rolling_hash,
             settlement_layer_chain_id: self.settlement_layer_chain_id.unwrap(),

basic_bootloader/src/bootloader/block_flow/zk/post_tx_op/mod.rs

@@ -5,7 +5,7 @@ use basic_system::system_implementation::system::FullIO;
 use core::alloc::Allocator;
 use crypto::MiniDigest;
 use ruint::aliases::U256;
-use system_hooks::addresses_constants::SYSTEM_CONTEXT_ADDRESS;
+use system_hooks::addresses_constants::{MESSAGE_ROOT_ADDRESS, SYSTEM_CONTEXT_ADDRESS};
 use zk_ee::common_structs::interop_root_storage::InteropRoot;
 use zk_ee::memory::stack_trait::StackFactory;
 use zk_ee::oracle::IOOracle;
@@ -162,3 +162,136 @@ pub fn read_settlement_layer_chain_id<
         .expect("must read SystemContext SL chain id");
     U256::from_be_bytes(chain_id.as_u8_array())
 }
+
+///
+/// Reads multichain root from the L2MessageRoot(0x10005) contract.
+///
+/// Multichain root is the commitment to l2 to l1 logs from the chains that settles on top of current.
+/// It's not zero if the current chain is used as the settlement layer.
+///
+pub fn read_multichain_root<
+    A: Allocator + Clone + Default,
+    R: Resources,
+    P: StorageAccessPolicy<R, Bytes32> + Default,
+    SF: StackFactory<N>,
+    const N: usize,
+    O: IOOracle,
+    const PROOF_ENV: bool,
+>(
+    io: &mut FullIO<
+        A,
+        R,
+        P,
+        SF,
+        N,
+        O,
+        FlatTreeWithAccountsUnderHashesStorageModel<A, R, P, SF, N, PROOF_ENV>,
+        PROOF_ENV,
+    >,
+) -> Bytes32 {
+    use zk_ee::system::IOSubsystem;
+
+    const SHARED_TREE_HEIGHT_STORAGE_SLOT: [u8; 32] = [
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 4,
+    ];
+    let mut inf_resources = R::FORMAL_INFINITE;
+
+    // we need to read self._nodes[self._height][0]
+    let tree_height = io
+        .storage_read::<false>(
+            ExecutionEnvironmentType::NoEE,
+            &mut inf_resources,
+            &MESSAGE_ROOT_ADDRESS,
+            &Bytes32::from_array(SHARED_TREE_HEIGHT_STORAGE_SLOT),
+        )
+        .expect("must read MessageRoot shared tree height");
+
+    let root_slot = calculate_multichain_root_slot(tree_height);
+
+    io.storage_read::<false>(
+        ExecutionEnvironmentType::NoEE,
+        &mut inf_resources,
+        &MESSAGE_ROOT_ADDRESS,
+        &root_slot,
+    )
+    .expect("must read MessageRoot shared tree height")
+}
+
+///
+/// Calculates storage slot of multichain tree root in L2MessageRoot(0x10005) contract.
+///
+/// By convention storage slot for it should stay the same(depend only on `tree_height`).
+/// In fact, it's solidity dynamic array access `_nodes[height][0]`, which is located on slot 6.
+///
+fn calculate_multichain_root_slot(tree_height: Bytes32) -> Bytes32 {
+    use core::ops::Add;
+    // keccak256(0x0000000000000000000000000000000000000000000000000000000000000006)
+    const NODES_FIRST_ELEMENT_SLOT: [u8; 32] = [
+        0xf6, 0x52, 0x22, 0x23, 0x13, 0xe2, 0x84, 0x59, 0x52, 0x8d, 0x92, 0x0b, 0x65, 0x11, 0x5c,
+        0x16, 0xc0, 0x4f, 0x3e, 0xfc, 0x82, 0xaa, 0xed, 0xc9, 0x7b, 0xe5, 0x9f, 0x3f, 0x37, 0x7c,
+        0x0d, 0x3f,
+    ];
+
+    // _nodes[height] slot
+    let nodes_height_array_slot = U256::from_be_bytes(NODES_FIRST_ELEMENT_SLOT)
+        .add(U256::from_be_bytes(tree_height.as_u8_array()));
+    let mut hasher = crypto::sha3::Keccak256::new();
+    hasher.update(nodes_height_array_slot.to_be_bytes::<32>());
+    // _nodes[height][0]
+    Bytes32::from_array(hasher.finalize())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // test cases data was made using actual solidity implementation and debug data for read tx:
+    // height 1: 0x768c3a22b1e4688c94525eb9bc2cf1ce7601fc9e871dc6e10fc44f0f06340ce1
+    // height 3: 0x38ace9b5569ba016113e31884532182bc747997e743c0b7f9c307302b5f83760
+    // height 4: 0x35817d789b7a6dbe8b95b0f21e189fb26d3d329de699cac7a267a9568298e0a5
+    #[test]
+    fn test_calculate_multichain_root_slot_tree_height_1() {
+        let tree_height = [
+            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            0, 0, 1,
+        ];
+        let root_slot = calculate_multichain_root_slot(Bytes32::from_array(tree_height));
+
+        assert_eq!(
+            root_slot.as_u8_array().to_vec(),
+            hex::decode("768c3a22b1e4688c94525eb9bc2cf1ce7601fc9e871dc6e10fc44f0f06340ce1")
+                .unwrap()
+        );
+    }
+
+    #[test]
+    fn test_calculate_multichain_root_slot_tree_height_3() {
+        let tree_height = [
+            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            0, 0, 3,
+        ];
+        let root_slot = calculate_multichain_root_slot(Bytes32::from_array(tree_height));
+
+        assert_eq!(
+            root_slot.as_u8_array().to_vec(),
+            hex::decode("38ace9b5569ba016113e31884532182bc747997e743c0b7f9c307302b5f83760")
+                .unwrap()
+        );
+    }
+
+    #[test]
+    fn test_calculate_multichain_root_slot_tree_height_4() {
+        let tree_height = [
+            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            0, 0, 4,
+        ];
+        let root_slot = calculate_multichain_root_slot(Bytes32::from_array(tree_height));
+
+        assert_eq!(
+            root_slot.as_u8_array().to_vec(),
+            hex::decode("35817d789b7a6dbe8b95b0f21e189fb26d3d329de699cac7a267a9568298e0a5")
+                .unwrap()
+        );
+    }
+}

basic_bootloader/src/bootloader/block_flow/zk/post_tx_op/post_tx_op_proving_multiblock_batch.rs

@@ -119,6 +119,8 @@ where
             assert_eq!(new_settlement_layer_chain_id, &settlement_layer_chain_id)
         }
 
+        let multichain_root = read_multichain_root(&mut io);
+
         let (mut state_commitment, last_block_timestamp) = {
             let proof_data: ProofData<FlatStorageCommitment<TREE_HEIGHT>> =
                 ZKProofDataQuery::get(&mut io.oracle, &())
@@ -182,6 +184,7 @@ where
             metadata.block_timestamp(),
             U256::from(metadata.chain_id()),
             upgrade_tx_hash,
+            multichain_root,
             io.interop_root_storage.iter(),
             settlement_layer_chain_id,
         );

basic_bootloader/src/bootloader/block_flow/zk/post_tx_op/post_tx_op_proving_singleblock_batch.rs

@@ -94,9 +94,11 @@ where
             &mut io,
         );
 
+        let multichain_root = read_multichain_root(&mut io);
+
         let mut full_root_hasher = crypto::sha3::Keccak256::new();
         full_root_hasher.update(io.logs_storage.tree_root().as_u8_ref());
-        full_root_hasher.update([0u8; 32]); // aggregated root 0 for now
+        full_root_hasher.update(multichain_root.as_u8_ref());
         let full_l2_to_l1_logs_root = full_root_hasher.finalize().into();
 
         let (priority_operations_hash, number_of_layer_1_txs) =

basic_bootloader/src/bootloader/block_flow/zk/post_tx_op/public_input.rs

@@ -67,7 +67,7 @@ pub struct BatchOutput {
     /// L2 logs tree root.
     /// Note that it's full root, it's keccak256 of:
     /// - merkle root of l2 -> l1 logs in the batch .
-    /// - aggregated root - commitment to logs emitted on chains that settle on the current.
+    /// - multichain root - commitment to logs emitted on chains that settle on the current.
     pub l2_logs_tree_root: Bytes32,
     /// Protocol upgrade tx hash (0 if there wasn't)
     pub upgrade_tx_hash: Bytes32,

basic_bootloader/src/bootloader/constants.rs

@@ -25,7 +25,7 @@ pub const MAX_CALLSTACK_DEPTH: usize = 1025;
 /// 32 for the suggested_signed_hash and 32 for the offset itself.
 pub const TX_CALLDATA_OFFSET: usize = 0x60;
 
-/// Maximum value of gas that can be represented as ergs in a u64.
+/// Maximum value of gas that can be represented as ergs in an u64.
 pub const MAX_BLOCK_GAS_LIMIT: u64 = u64::MAX / ERGS_PER_GAS;
 
 // Just for EVM compatibility.
@@ -91,6 +91,6 @@ pub const TESTER_NATIVE_PER_GAS: u64 = 25_000;
 // TODO (EVM-1157): find a reasonable value for it.
 pub const L1_TX_NATIVE_PRICE: U256 = U256::from_limbs([10, 0, 0, 0]);
 
-// Upgrade transactions are expected to have ~72 million gas. We will use enough
+// Upgrade, service and gateway mailbox transactions are expected to have ~72 million gas. We will use enough
 // gas to ensure that multiplied by the 72 million they exceed the native computational limit.
-pub const UPGRADE_TX_NATIVE_PER_GAS: u64 = 10000;
+pub const FREE_L1_TX_NATIVE_PER_GAS: u64 = 10000;

basic_bootloader/src/bootloader/transaction_flow/zk/process_l1_transaction.rs

@@ -1,7 +1,7 @@
 use crate::bootloader::config::BasicBootloaderExecutionConfig;
 use crate::bootloader::constants::{
-    L1_TX_INTRINSIC_NATIVE_COST, L1_TX_INTRINSIC_PUBDATA, L1_TX_NATIVE_PRICE,
-    UPGRADE_TX_NATIVE_PER_GAS,
+    FREE_L1_TX_NATIVE_PER_GAS, L1_TX_INTRINSIC_NATIVE_COST, L1_TX_INTRINSIC_PUBDATA,
+    L1_TX_NATIVE_PRICE,
 };
 use crate::bootloader::errors::BootloaderInterfaceError;
 use crate::bootloader::errors::TxError;
@@ -90,7 +90,7 @@ where
         native_per_gas,
         native_per_pubdata,
         minimal_gas_used,
-    } = prepare_and_check_resources::<S, Config>(
+    } = prepare_and_check_resources::<S>(
         system,
         transaction,
         is_priority_op,
@@ -366,11 +366,7 @@ struct ResourceAndFeeInfo<S: EthereumLikeTypes> {
 /// The approach is to use saturating arithmetic and emit a system
 /// log if this situation ever happens.
 ///
-fn prepare_and_check_resources<
-    'a,
-    S: EthereumLikeTypes + 'a,
-    Config: BasicBootloaderExecutionConfig,
->(
+fn prepare_and_check_resources<'a, S: EthereumLikeTypes + 'a>(
     system: &mut System<S>,
     transaction: &AbiEncodedTransaction<S::Allocator>,
     is_priority_op: bool,
@@ -386,17 +382,8 @@ where
     // For L1->L2 txs, we use a constant native price to avoid censorship.
     let native_price = L1_TX_NATIVE_PRICE;
     let native_per_gas = if is_priority_op {
-        if Config::SIMULATION && gas_price.is_zero() {
-            // For simulation, if gas price isn't set, we use base fee
-            // for native calculation
-            u256_try_to_u64(&system.get_eip1559_basefee().div_ceil(native_price))
-                .unwrap_or_else(|| {
-                    system_log!(
-                        system,
-                        "Native per gas calculation for L1 tx simulation overflows, using saturated arithmetic instead"
-                    );
-                    u64::MAX
-                })
+        if gas_price.is_zero() {
+            FREE_L1_TX_NATIVE_PER_GAS
         } else {
             u256_try_to_u64(&gas_price.div_ceil(native_price))
                 .unwrap_or_else(|| {
@@ -407,7 +394,8 @@ where
                 })
         }
     } else {
-        UPGRADE_TX_NATIVE_PER_GAS
+        // Upgrade txs are paid by the protocol, so we use a fixed native per gas
+        FREE_L1_TX_NATIVE_PER_GAS
     };
 
     let native_per_pubdata = (gas_per_pubdata as u64)

system_hooks/src/addresses_constants.rs

@@ -30,16 +30,19 @@ pub const L2_BASE_TOKEN_ADDRESS: B160 = B160::from_limbs([L2_BASE_TOKEN_ADDRESS_
 pub const MINT_HOOK_ADDRESS_LOW: u16 = 0x7100;
 pub const MINT_HOOK_ADDRESS: B160 = B160::from_limbs([MINT_HOOK_ADDRESS_LOW as u64, 0, 0]);
 
-// Treasury contract used for "minting" base tokens on L2
-pub const BASE_TOKEN_HOLDER_ADDRESS_LOW: u32 = 0x10011;
-pub const BASE_TOKEN_HOLDER_ADDRESS: B160 =
-    B160::from_limbs([BASE_TOKEN_HOLDER_ADDRESS_LOW as u64, 0, 0]);
+// L2 message root storage contract
+pub const MESSAGE_ROOT_ADDRESS: B160 = B160::from_limbs([0x10005, 0, 0]);
 
 // L2 interop root storage system contract
 pub const L2_INTEROP_ROOT_STORAGE_ADDRESS_LOW: u32 = 0x10008;
 pub const L2_INTEROP_ROOT_STORAGE_ADDRESS: B160 =
     B160::from_limbs([L2_INTEROP_ROOT_STORAGE_ADDRESS_LOW as u64, 0, 0]);
 
+// Treasury contract used for "minting" base tokens on L2
+pub const BASE_TOKEN_HOLDER_ADDRESS_LOW: u32 = 0x10011;
+pub const BASE_TOKEN_HOLDER_ADDRESS: B160 =
+    B160::from_limbs([BASE_TOKEN_HOLDER_ADDRESS_LOW as u64, 0, 0]);
+
 // ERA VM system contracts (in fact we need implement only the methods that should be available for user contracts)
 // TODO: may be better to implement as ifs inside EraVM EE
 pub const ACCOUNT_CODE_STORAGE_STORAGE_ADDRESS: B160 = B160::from_limbs([0x8002, 0, 0]);