Description
Hi! We at Veridise have been conducting research into common vulnerabilities found in the usage of zkVMs, particularly surrounding the lack of committing the chain configuration or actively executing fork to the journal during smart contract calls.
As you are aware, the ClientExecutor::execute() method returns the ContractPublicValues which includes the chain_config_hash. This hash is based on the chainID and name of the actively executing fork. Notably, only committing the chainID is not enough as a custom Genesis with a spoofed chainID can be provided to the ClientExecutor::new() method, leading to diverging fork parameters or gas accounting logic compared to the real execution environment.
During our analysis, we noticed that the example in examples/events/client/src/main.rs does not commit these values like the other examples do. Additionally, it does not commit the blockhash. The other examples do commit these values via either committing the ContractPublicValues directly or by calling execute_and_commit(). We suggest repeating this behavior in the events example so that users are aware they need to always include this information in the proofs they generate.
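The binding described in this issue, shown as an added example that is not code from the issue or from the project: a simplified Rust model in which the verifier rejects a journal unless it commits both the chain configuration hash and the block hash. `ChainConfig`, `Journal`, `guest_commit` and `verify` are hypothetical names, the fork names and block hash are constructed sample values, and `DefaultHasher` is a non-cryptographic stand-in for the real hash.

```rust
// Simplified model (added illustration); not the sp1-contract-call API.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Hypothetical chain configuration the guest executes under.
pub struct ChainConfig { pub chain_id: u64, pub active_fork: &'static str }

/// Hypothetical journal (public values) committed by the guest.
pub struct Journal {
    pub chain_id: u64,
    pub chain_config_hash: Option<u64>,
    pub block_hash: Option<[u8; 32]>,
}

/// Digest over chain ID and active fork name. DefaultHasher is a
/// non-cryptographic stand-in; a real system uses a cryptographic hash.
pub fn chain_config_hash(cfg: &ChainConfig) -> u64 {
    let mut h = DefaultHasher::new();
    cfg.chain_id.hash(&mut h);
    cfg.active_fork.hash(&mut h);
    h.finish()
}

/// Guest side. `full = false` models a guest that omits both bindings.
pub fn guest_commit(cfg: &ChainConfig, block_hash: [u8; 32], full: bool) -> Journal {
    let chain_config_hash = full.then(|| chain_config_hash(cfg));
    Journal { chain_id: cfg.chain_id, chain_config_hash, block_hash: full.then_some(block_hash) }
}

/// Verifier side: accept only a journal bound to the expected config and block.
pub fn verify(j: &Journal, expected: &ChainConfig, trusted_block: [u8; 32]) -> Result<(), &'static str> {
    if j.chain_id != expected.chain_id { return Err("chain id mismatch"); }
    match j.chain_config_hash {
        None => return Err("chain config hash not committed"),
        Some(h) if h != chain_config_hash(expected) => return Err("chain config mismatch"),
        Some(_) => {}
    }
    match j.block_hash {
        None => Err("block hash not committed"),
        Some(b) if b != trusted_block => Err("block hash mismatch"),
        Some(_) => Ok(()),
    }
}

fn main() {
    let real = ChainConfig { chain_id: 1, active_fork: "Cancun" };
    let spoofed = ChainConfig { chain_id: 1, active_fork: "Frontier" }; // same ID, other fork
    let block = [0xAB; 32]; // constructed block hash
    let j = guest_commit(&spoofed, block, true);
    println!("chain-ID-only check accepts: {}", j.chain_id == real.chain_id);
    println!("full check: {:?}", verify(&j, &real, block));
}
```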