add minimum batch size check to updateRange (#49)

* forge install: openzeppelin-contracts-upgradeable

v5.0.2

* wip UUPS

* forge install: openzeppelin-contracts

v5.0.2

* update test and deployment for new proxy pattern

* forge fmt

* bump blobstream contracts

* update manual command address

* Add upgradability utils

* update docs for ownership commands

* remove forge script for maintainability

* add println for CLI upgrade

* add minimum batch size check to updateRange

Author: austinabell

.env.local

@@ -6,6 +6,7 @@ ETH_ADDRESS=0xe7f1725E7734CE288F8367e1Bb143E90bb3F0512
 PRIVATE_KEY_HEX=0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
 
 BATCH_SIZE=64
+MIN_BATCH_SIZE=7
 
 TENDERMINT_RPC=https://celestia-testnet.brightlystake.com
 TM_HEIGHT=9

cli/src/main.rs

@@ -111,6 +111,10 @@ struct DeployArgs {
     #[clap(long, env)]
     tm_block_hash: String,
 
+    /// Minimum batch size for head updates. The batch size must be larger than this value.
+    #[clap(long, env)]
+    min_batch_size: u64,
+
     /// If deploying verifier, will it deploy the mock verifier
     #[clap(long)]
     dev: bool,
@@ -207,6 +211,7 @@ async fn main() -> anyhow::Result<()> {
                     _verifier: verifier_address,
                     _trustedHash: FixedBytes::<32>::from_hex(deploy.tm_block_hash)?,
                     _trustedHeight: deploy.tm_height,
+                    _minBatchSize: deploy.min_batch_size,
                 }
                 .abi_encode()
                 .into(),

cli/tests/e2e_test.rs

@@ -101,6 +101,7 @@ async fn e2e_basic_range() -> anyhow::Result<()> {
             _verifier: verifier.address().clone(),
             _trustedHash: trusted_block_hash,
             _trustedHeight: BATCH_START as u64 - 1,
+            _minBatchSize: 0,
         }
         .abi_encode()
         .into(),

contracts/artifacts/Blobstream0.json

@@ -56,6 +56,11 @@ contract Blobstream0 is IDAOracle, Initializable, UUPSUpgradeable, Ownable2StepU
     /// @notice Trusted block hash does not equal the commitment from the new batch.
     error InvalidTrustedHeaderHash();
 
+    /// @notice Minimum number of blocks required for a valid batch update. The batch size must be
+    ///         larger than this value.
+    /// @dev This is to ensure there is no DOS condition from doing single/small batch updates.
+    uint64 public minBatchSize;
+
     /// @notice RISC Zero verifier contract address.
     IRiscZeroVerifier public verifier;
 
@@ -85,10 +90,13 @@ contract Blobstream0 is IDAOracle, Initializable, UUPSUpgradeable, Ownable2StepU
     /// @dev DO NOT REMOVE! It is mandatory for upgradability.
     function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
 
-    function initialize(address _admin, IRiscZeroVerifier _verifier, bytes32 _trustedHash, uint64 _trustedHeight)
-        public
-        initializer
-    {
+    function initialize(
+        address _admin,
+        IRiscZeroVerifier _verifier,
+        bytes32 _trustedHash,
+        uint64 _trustedHeight,
+        uint64 _minBatchSize
+    ) public initializer {
         __Ownable_init(_admin);
         __Ownable2Step_init();
         __UUPSUpgradeable_init();
@@ -97,6 +105,7 @@ contract Blobstream0 is IDAOracle, Initializable, UUPSUpgradeable, Ownable2StepU
         latestBlockHash = _trustedHash;
         latestHeight = _trustedHeight;
         imageId = ImageID.LIGHT_CLIENT_GUEST_ID;
+        minBatchSize = _minBatchSize;
 
         // Proof nonce initialized as 1 to maintain compatibility with existing implementations and
         // avoid default value confusion.
@@ -123,7 +132,7 @@ contract Blobstream0 is IDAOracle, Initializable, UUPSUpgradeable, Ownable2StepU
     function updateRange(bytes calldata _commitBytes, bytes calldata _seal) external {
         RangeCommitment memory commit = abi.decode(_commitBytes, (RangeCommitment));
 
-        if (commit.newHeight <= latestHeight) {
+        if (commit.newHeight <= latestHeight + minBatchSize) {
             revert InvalidTargetHeight();
         }
         if (commit.trustedHeaderHash != latestBlockHash) {

contracts/src/Blobstream0.sol

@@ -20,5 +20,5 @@ pragma solidity ^0.8.20;
 
 library ImageID {
     bytes32 public constant LIGHT_CLIENT_GUEST_ID =
-        bytes32(0x30878c4c4fce996894bd391bad03495861edd2381461948834355849c1db637a);
+        bytes32(0x6dce022c2aea568a4484a24c36aa59bad7b10186205272b4e4f11157c9ad1421);
 }

contracts/src/ImageID.sol

@@ -17,6 +17,7 @@ RUST_LOG=info cargo run -p blobstream0 -- deploy \
 	--private-key-hex 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80 \
 	--tm-height 9 \
 	--tm-block-hash 5C5451567973D8658A607D58F035BA9078291E33D880A0E6E67145C717E6B11B \
+	--min-batch-size 7 \
 	--dev
 ```
 
@@ -56,7 +57,8 @@ RUST_LOG=info,blobstream0=debug cargo run -p blobstream0 -- deploy \
 	--eth-rpc http://127.0.0.1:8545 \
 	--private-key-hex 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80 \
 	--tm-height 9 \
-	--tm-block-hash 5C5451567973D8658A607D58F035BA9078291E33D880A0E6E67145C717E6B11B
+	--tm-block-hash 5C5451567973D8658A607D58F035BA9078291E33D880A0E6E67145C717E6B11B \
+	--min-batch-size 7
 ```
 
 ### Sepolia
@@ -74,7 +76,8 @@ RUST_LOG=info,blobstream0=debug cargo run -p blobstream0 -- deploy \
 	--private-key-hex <ADD KEY HERE> \
 	--tm-height 1802142 \
 	--tm-block-hash 6D8FD8ADC8FBD5E7765EC557D9DF86041F63F9109202A888D8D246B3BCC3B46A \
-	--verifier-address 0x925d8331ddc0a1F0d96E68CF073DFE1d92b69187
+	--verifier-address 0x925d8331ddc0a1F0d96E68CF073DFE1d92b69187 \
+	--min-batch-size 7
 ```
 
 Run the service with `RISC0_DEV_MODE=true` if you chose the mock verifier.