From 7ee57f61f2e4d7866a337e3e897d6eea1587a6d8 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 09:24:17 -0400 Subject: [PATCH 01/11] remove NotImplemented error (finding 2) --- src/multiproof/tee/NitroEnclaveVerifier.sol | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index d774a9a1..a8064121 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -116,9 +116,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Thrown when the first certificate in a chain does not match the stored root certificate error RootCertMismatch(bytes32 expected, bytes32 actual); - /// @dev Thrown when calling verifyWithProgramId or batchVerifyWithProgramId, which are intentionally disabled - error NotImplemented(); - /// @dev Error thrown when a zero maxTimeDiff is provided error ZeroMaxTimeDiff(); From 567a3a06f3454b801d4e4ad5d47ce7bcff699429 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 11:49:42 -0400 Subject: [PATCH 02/11] remove verifier/aggregator ID sets and EnumerableSet (findings 3 and 11) --- .../multiproof/tee/INitroEnclaveVerifier.sol | 60 ---------- src/multiproof/tee/NitroEnclaveVerifier.sol | 109 +----------------- test/multiproof/NitroEnclaveVerifier.t.sol | 90 --------------- 3 files changed, 1 insertion(+), 258 deletions(-) diff --git a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol index a3edb91c..2b286bc0 100644 --- a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol +++ b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol @@ -165,42 +165,6 @@ interface INitroEnclaveVerifier { */ function getZkConfig(ZkCoProcessorType _zkCoProcessor) external view returns (ZkCoProcessorConfig memory); - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external view returns (bool); - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType _zkCoProcessor, - bytes32 _aggregatorId - ) - external - view - returns (bool); - /** * @dev Gets the verifier address for a specific route * @param _zkCoProcessor Type of ZK coprocessor @@ -317,30 +281,6 @@ interface INitroEnclaveVerifier { */ function updateAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _newAggregatorId) external; - /** - * @dev Removes a verifier program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) verifier ID - * - ID must exist in the supported set - */ - function removeVerifierId(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external; - - /** - * @dev Removes an aggregator program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) aggregator ID - * - ID must exist in the supported set - */ - function removeAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _aggregatorId) external; - /** * @dev Adds a route-specific verifier override * @param _zkCoProcessor Type of ZK coprocessor diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index a8064121..f1e2efcd 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -2,7 +2,6 @@ pragma solidity ^0.8.0; import { Ownable } from "@solady/auth/Ownable.sol"; -import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol"; import { INitroEnclaveVerifier, ZkCoProcessorType, @@ -43,8 +42,6 @@ import { ISP1Verifier } from "lib/sp1-contracts/contracts/src/ISP1Verifier.sol"; * - Timestamp validation prevents replay attacks within the configured time window */ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { - using EnumerableSet for EnumerableSet.Bytes32Set; - /// @dev Sentinel address to indicate a route has been permanently frozen address private constant FROZEN = address(0xdead); @@ -63,12 +60,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Hash of the trusted AWS Nitro Enclave root certificate bytes32 public rootCert; - /// @dev Set of all supported verifier program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _verifierIdSet; - - /// @dev Set of all supported aggregator program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _aggregatorIdSet; - /// @dev Route-specific verifier overrides (selector -> verifier address) mapping(ZkCoProcessorType => mapping(bytes4 selector => address zkVerifier)) private _zkVerifierRoutes; @@ -80,9 +71,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Error thrown when an unsupported or unknown ZK coprocessor type is used error Unknown_Zk_Coprocessor(); - /// @dev Error thrown when attempting to remove the currently active (latest) program ID - error CannotRemoveLatestProgramId(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Error thrown when a ZK route has been permanently frozen error ZkRouteFrozen(ZkCoProcessorType zkCoProcessor, bytes4 selector); @@ -101,9 +89,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Thrown when attempting to set a program ID that is already the latest error ProgramIdAlreadyLatest(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when attempting to remove or operate on a program ID that does not exist in the set - error ProgramIdNotFound(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when a zero address is provided where a verifier address is required error ZeroVerifierAddress(); @@ -127,9 +112,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Emitted when a new aggregator program ID is added/updated event AggregatorIdUpdated(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed newId); - /// @dev Emitted when a program ID is removed from the supported set - event ProgramIdRemoved(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed programId, bool isAggregator); - /// @dev Emitted when a route-specific verifier is added event ZkRouteAdded(ZkCoProcessorType indexed zkCoProcessor, bytes4 indexed selector, address verifier); @@ -186,51 +168,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { return zkConfig[_zkCoProcessor]; } - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory) { - return _verifierIdSet[_zkCoProcessor].values(); - } - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory) { - return _aggregatorIdSet[_zkCoProcessor].values(); - } - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external view returns (bool) { - return _verifierIdSet[_zkCoProcessor].contains(_verifierId); - } - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType _zkCoProcessor, - bytes32 _aggregatorId - ) - external - view - returns (bool) - { - return _aggregatorIdSet[_zkCoProcessor].contains(_aggregatorId); - } - /** * @dev Gets the verifier address for a specific route * @param _zkCoProcessor Type of ZK coprocessor @@ -355,12 +292,9 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { // Auto-add program IDs to the version sets and store verifierProofId mapping if (_config.verifierId != bytes32(0)) { - _verifierIdSet[_zkCoProcessor].add(_config.verifierId); _verifierProofIds[_zkCoProcessor][_config.verifierId] = _verifierProofId; } - if (_config.aggregatorId != bytes32(0)) { - _aggregatorIdSet[_zkCoProcessor].add(_config.aggregatorId); - } + emit ZKConfigurationUpdated(_zkCoProcessor, _config, _verifierProofId); } @@ -403,7 +337,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { } zkConfig[_zkCoProcessor].verifierId = _newVerifierId; - _verifierIdSet[_zkCoProcessor].add(_newVerifierId); _verifierProofIds[_zkCoProcessor][_newVerifierId] = _newVerifierProofId; emit VerifierIdUpdated(_zkCoProcessor, _newVerifierId, _newVerifierProofId); @@ -421,50 +354,10 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { } zkConfig[_zkCoProcessor].aggregatorId = _newAggregatorId; - _aggregatorIdSet[_zkCoProcessor].add(_newAggregatorId); emit AggregatorIdUpdated(_zkCoProcessor, _newAggregatorId); } - /** - * @dev Removes a verifier program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to remove - */ - function removeVerifierId(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external onlyOwner { - if (!_verifierIdSet[_zkCoProcessor].contains(_verifierId)) { - revert ProgramIdNotFound(_zkCoProcessor, _verifierId); - } - - // Cannot remove the latest verifier ID - must update to a new one first - if (zkConfig[_zkCoProcessor].verifierId == _verifierId) { - revert CannotRemoveLatestProgramId(_zkCoProcessor, _verifierId); - } - - _verifierIdSet[_zkCoProcessor].remove(_verifierId); - delete _verifierProofIds[_zkCoProcessor][_verifierId]; - emit ProgramIdRemoved(_zkCoProcessor, _verifierId, false); - } - - /** - * @dev Removes an aggregator program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to remove - */ - function removeAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _aggregatorId) external onlyOwner { - if (!_aggregatorIdSet[_zkCoProcessor].contains(_aggregatorId)) { - revert ProgramIdNotFound(_zkCoProcessor, _aggregatorId); - } - - // Cannot remove the latest aggregator ID - must update to a new one first - if (zkConfig[_zkCoProcessor].aggregatorId == _aggregatorId) { - revert CannotRemoveLatestProgramId(_zkCoProcessor, _aggregatorId); - } - - _aggregatorIdSet[_zkCoProcessor].remove(_aggregatorId); - emit ProgramIdRemoved(_zkCoProcessor, _aggregatorId, true); - } - /** * @dev Adds a route-specific verifier override * @param _zkCoProcessor Type of ZK coprocessor diff --git a/test/multiproof/NitroEnclaveVerifier.t.sol b/test/multiproof/NitroEnclaveVerifier.t.sol index 604e555b..54174a85 100644 --- a/test/multiproof/NitroEnclaveVerifier.t.sol +++ b/test/multiproof/NitroEnclaveVerifier.t.sol @@ -137,8 +137,6 @@ contract NitroEnclaveVerifierTest is Test { assertEq(stored.aggregatorId, AGGREGATOR_ID); assertEq(stored.zkVerifier, mockRiscZeroVerifier); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, VERIFIER_ID), VERIFIER_PROOF_ID); } @@ -183,8 +181,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.verifierId, newVerifierId); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newVerifierId)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, newVerifierId), newVerifierProofId); } @@ -221,8 +217,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.aggregatorId, newAggregatorId); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newAggregatorId)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); } function testUpdateAggregatorIdRevertsIfZero() public { @@ -248,90 +242,6 @@ contract NitroEnclaveVerifierTest is Test { verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, keccak256("new")); } - // ============ removeVerifierId Tests ============ - - function testRemoveVerifierId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-verifier-id"); - verifier.updateVerifierId(ZkCoProcessorType.RiscZero, newId, keccak256("proof")); - - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - assertFalse(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveVerifierIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, VERIFIER_ID - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - function testRemoveVerifierIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveVerifierIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - // ============ removeAggregatorId Tests ============ - - function testRemoveAggregatorId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-aggregator-id"); - verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, newId); - - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - assertFalse(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveAggregatorIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, AGGREGATOR_ID - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - - function testRemoveAggregatorIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveAggregatorIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - // ============ addVerifyRoute / freezeVerifyRoute Tests ============ function testAddVerifyRoute() public { From e86119a9a748696564ff3f49b8425a7084d0a862 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 09:24:17 -0400 Subject: [PATCH 03/11] remove NotImplemented error (finding 2) --- src/multiproof/tee/NitroEnclaveVerifier.sol | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index 17d4e004..fd8cbb4d 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -116,9 +116,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Thrown when the first certificate in a chain does not match the stored root certificate error RootCertMismatch(bytes32 expected, bytes32 actual); - /// @dev Thrown when calling verifyWithProgramId or batchVerifyWithProgramId, which are intentionally disabled - error NotImplemented(); - /// @dev Error thrown when a zero maxTimeDiff is provided error ZeroMaxTimeDiff(); From d6a9be5c8fd2a780fb2d25667d4cb7abf1874659 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 11:49:42 -0400 Subject: [PATCH 04/11] remove verifier/aggregator ID sets and EnumerableSet (findings 3 and 11) --- .../multiproof/tee/INitroEnclaveVerifier.sol | 60 ---------- src/multiproof/tee/NitroEnclaveVerifier.sol | 108 ------------------ test/multiproof/NitroEnclaveVerifier.t.sol | 90 --------------- 3 files changed, 258 deletions(-) diff --git a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol index a3edb91c..2b286bc0 100644 --- a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol +++ b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol @@ -165,42 +165,6 @@ interface INitroEnclaveVerifier { */ function getZkConfig(ZkCoProcessorType _zkCoProcessor) external view returns (ZkCoProcessorConfig memory); - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external view returns (bool); - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType _zkCoProcessor, - bytes32 _aggregatorId - ) - external - view - returns (bool); - /** * @dev Gets the verifier address for a specific route * @param _zkCoProcessor Type of ZK coprocessor @@ -317,30 +281,6 @@ interface INitroEnclaveVerifier { */ function updateAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _newAggregatorId) external; - /** - * @dev Removes a verifier program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) verifier ID - * - ID must exist in the supported set - */ - function removeVerifierId(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external; - - /** - * @dev Removes an aggregator program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) aggregator ID - * - ID must exist in the supported set - */ - function removeAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _aggregatorId) external; - /** * @dev Adds a route-specific verifier override * @param _zkCoProcessor Type of ZK coprocessor diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index fd8cbb4d..008fb580 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -2,7 +2,6 @@ pragma solidity ^0.8.0; import { Ownable } from "@solady/auth/Ownable.sol"; -import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol"; import { INitroEnclaveVerifier, ZkCoProcessorType, @@ -43,8 +42,6 @@ import { ISP1Verifier } from "lib/sp1-contracts/contracts/src/ISP1Verifier.sol"; * - Timestamp validation prevents replay attacks within the configured time window */ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { - using EnumerableSet for EnumerableSet.Bytes32Set; - /// @dev Sentinel address to indicate a route has been permanently frozen address private constant FROZEN = address(0xdead); @@ -63,12 +60,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Hash of the trusted AWS Nitro Enclave root certificate bytes32 public rootCert; - /// @dev Set of all supported verifier program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _verifierIdSet; - - /// @dev Set of all supported aggregator program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _aggregatorIdSet; - /// @dev Route-specific verifier overrides (selector -> verifier address) mapping(ZkCoProcessorType => mapping(bytes4 selector => address zkVerifier)) private _zkVerifierRoutes; @@ -80,9 +71,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Error thrown when an unsupported or unknown ZK coprocessor type is used error Unknown_Zk_Coprocessor(); - /// @dev Error thrown when attempting to remove the currently active (latest) program ID - error CannotRemoveLatestProgramId(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Error thrown when a ZK route has been permanently frozen error ZkRouteFrozen(ZkCoProcessorType zkCoProcessor, bytes4 selector); @@ -101,9 +89,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Thrown when attempting to set a program ID that is already the latest error ProgramIdAlreadyLatest(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when attempting to remove or operate on a program ID that does not exist in the set - error ProgramIdNotFound(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when a zero address is provided where a verifier address is required error ZeroVerifierAddress(); @@ -127,9 +112,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Emitted when a new aggregator program ID is added/updated event AggregatorIdUpdated(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed newId); - /// @dev Emitted when a program ID is removed from the supported set - event ProgramIdRemoved(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed programId, bool isAggregator); - /// @dev Emitted when a route-specific verifier is added event ZkRouteAdded(ZkCoProcessorType indexed zkCoProcessor, bytes4 indexed selector, address verifier); @@ -200,51 +182,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { return zkConfig[_zkCoProcessor]; } - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory) { - return _verifierIdSet[_zkCoProcessor].values(); - } - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory) { - return _aggregatorIdSet[_zkCoProcessor].values(); - } - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external view returns (bool) { - return _verifierIdSet[_zkCoProcessor].contains(_verifierId); - } - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType _zkCoProcessor, - bytes32 _aggregatorId - ) - external - view - returns (bool) - { - return _aggregatorIdSet[_zkCoProcessor].contains(_aggregatorId); - } - /** * @dev Gets the verifier address for a specific route * @param _zkCoProcessor Type of ZK coprocessor @@ -406,7 +343,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { } zkConfig[_zkCoProcessor].verifierId = _newVerifierId; - _verifierIdSet[_zkCoProcessor].add(_newVerifierId); _verifierProofIds[_zkCoProcessor][_newVerifierId] = _newVerifierProofId; emit VerifierIdUpdated(_zkCoProcessor, _newVerifierId, _newVerifierProofId); @@ -424,50 +360,10 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { } zkConfig[_zkCoProcessor].aggregatorId = _newAggregatorId; - _aggregatorIdSet[_zkCoProcessor].add(_newAggregatorId); emit AggregatorIdUpdated(_zkCoProcessor, _newAggregatorId); } - /** - * @dev Removes a verifier program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to remove - */ - function removeVerifierId(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external onlyOwner { - if (!_verifierIdSet[_zkCoProcessor].contains(_verifierId)) { - revert ProgramIdNotFound(_zkCoProcessor, _verifierId); - } - - // Cannot remove the latest verifier ID - must update to a new one first - if (zkConfig[_zkCoProcessor].verifierId == _verifierId) { - revert CannotRemoveLatestProgramId(_zkCoProcessor, _verifierId); - } - - _verifierIdSet[_zkCoProcessor].remove(_verifierId); - delete _verifierProofIds[_zkCoProcessor][_verifierId]; - emit ProgramIdRemoved(_zkCoProcessor, _verifierId, false); - } - - /** - * @dev Removes an aggregator program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to remove - */ - function removeAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _aggregatorId) external onlyOwner { - if (!_aggregatorIdSet[_zkCoProcessor].contains(_aggregatorId)) { - revert ProgramIdNotFound(_zkCoProcessor, _aggregatorId); - } - - // Cannot remove the latest aggregator ID - must update to a new one first - if (zkConfig[_zkCoProcessor].aggregatorId == _aggregatorId) { - revert CannotRemoveLatestProgramId(_zkCoProcessor, _aggregatorId); - } - - _aggregatorIdSet[_zkCoProcessor].remove(_aggregatorId); - emit ProgramIdRemoved(_zkCoProcessor, _aggregatorId, true); - } - /** * @dev Adds a route-specific verifier override * @param _zkCoProcessor Type of ZK coprocessor @@ -620,12 +516,8 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { // Auto-add program IDs to the version sets and store verifierProofId mapping if (_config.verifierId != bytes32(0)) { - _verifierIdSet[_zkCoProcessor].add(_config.verifierId); _verifierProofIds[_zkCoProcessor][_config.verifierId] = _verifierProofId; } - if (_config.aggregatorId != bytes32(0)) { - _aggregatorIdSet[_zkCoProcessor].add(_config.aggregatorId); - } emit ZKConfigurationUpdated(_zkCoProcessor, _config, _verifierProofId); } diff --git a/test/multiproof/NitroEnclaveVerifier.t.sol b/test/multiproof/NitroEnclaveVerifier.t.sol index d6d77574..b0efde1a 100644 --- a/test/multiproof/NitroEnclaveVerifier.t.sol +++ b/test/multiproof/NitroEnclaveVerifier.t.sol @@ -149,8 +149,6 @@ contract NitroEnclaveVerifierTest is Test { assertEq(stored.aggregatorId, AGGREGATOR_ID); assertEq(stored.zkVerifier, mockRiscZeroVerifier); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, VERIFIER_ID), VERIFIER_PROOF_ID); } @@ -195,8 +193,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.verifierId, newVerifierId); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newVerifierId)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, newVerifierId), newVerifierProofId); } @@ -233,8 +229,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.aggregatorId, newAggregatorId); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newAggregatorId)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); } function testUpdateAggregatorIdRevertsIfZero() public { @@ -260,90 +254,6 @@ contract NitroEnclaveVerifierTest is Test { verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, keccak256("new")); } - // ============ removeVerifierId Tests ============ - - function testRemoveVerifierId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-verifier-id"); - verifier.updateVerifierId(ZkCoProcessorType.RiscZero, newId, keccak256("proof")); - - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - assertFalse(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveVerifierIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, VERIFIER_ID - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - function testRemoveVerifierIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveVerifierIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - // ============ removeAggregatorId Tests ============ - - function testRemoveAggregatorId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-aggregator-id"); - verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, newId); - - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - assertFalse(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveAggregatorIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, AGGREGATOR_ID - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - - function testRemoveAggregatorIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveAggregatorIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - // ============ addVerifyRoute / freezeVerifyRoute Tests ============ function testAddVerifyRoute() public { From f88f8d0e7aa7ddb8629464d19ed6d72ec8345d3e Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:14:14 -0400 Subject: [PATCH 05/11] hardcode the keccak256 length (finding 5) --- src/multiproof/tee/TEEProverRegistry.sol | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/multiproof/tee/TEEProverRegistry.sol b/src/multiproof/tee/TEEProverRegistry.sol index d52e260d..5a39fa6d 100644 --- a/src/multiproof/tee/TEEProverRegistry.sol +++ b/src/multiproof/tee/TEEProverRegistry.sol @@ -155,7 +155,8 @@ contract TEEProverRegistry is OwnableManagedUpgradeable, ISemver { if (pubKey.length != 65) revert InvalidPublicKey(); bytes32 publicKeyHash; assembly { - publicKeyHash := keccak256(add(pubKey, 0x21), sub(mload(pubKey), 1)) + // Length is hardcoded to 64 to skip the 0x04 prefix and hash only the x and y coordinates + publicKeyHash := keccak256(add(pubKey, 0x21), 64) } address enclaveAddress = address(uint160(uint256(publicKeyHash))); From 7acbf62ec2c0c5c167e747e885c069cf2dbf049a Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:18:00 -0400 Subject: [PATCH 06/11] Add comment on allowing MAX_AGE old attestations (Finding 7) --- src/multiproof/tee/TEEProverRegistry.sol | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/multiproof/tee/TEEProverRegistry.sol b/src/multiproof/tee/TEEProverRegistry.sol index 5a39fa6d..51de6782 100644 --- a/src/multiproof/tee/TEEProverRegistry.sol +++ b/src/multiproof/tee/TEEProverRegistry.sol @@ -142,6 +142,8 @@ contract TEEProverRegistry is OwnableManagedUpgradeable, ISemver { if (journal.result != VerificationResult.Success) revert AttestationVerificationFailed(); + // We allow attestations up to MAX_AGE old. This means a cert may be expired between when + // the attestation is generated and when it is submitted to this contract. if (journal.timestamp / MS_PER_SECOND + MAX_AGE <= block.timestamp) revert AttestationTooOld(); // Validate PCR0 against the current AggregateVerifier's TEE_IMAGE_HASH From 4719a373330c45c5cc9ad458f876c11f963ddea9 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:23:34 -0400 Subject: [PATCH 07/11] Prevent FROZEN address from being added as a verifier (Finding 8) --- src/multiproof/tee/NitroEnclaveVerifier.sol | 4 ++++ test/multiproof/NitroEnclaveVerifier.t.sol | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index 008fb580..8bb7d87f 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -104,6 +104,9 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { /// @dev Error thrown when a zero maxTimeDiff is provided error ZeroMaxTimeDiff(); + /// @dev Thrown when a zero address is provided for the verifier + error InvalidVerifierAddress(); + // ============ Events ============ /// @dev Emitted when a new verifier program ID is added/updated @@ -372,6 +375,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { */ function addVerifyRoute(ZkCoProcessorType _zkCoProcessor, bytes4 _selector, address _verifier) external onlyOwner { if (_verifier == address(0)) revert ZeroVerifierAddress(); + if (_verifier == FROZEN) revert InvalidVerifierAddress(); if (_zkVerifierRoutes[_zkCoProcessor][_selector] == FROZEN) { revert ZkRouteFrozen(_zkCoProcessor, _selector); diff --git a/test/multiproof/NitroEnclaveVerifier.t.sol b/test/multiproof/NitroEnclaveVerifier.t.sol index b0efde1a..51b0d82a 100644 --- a/test/multiproof/NitroEnclaveVerifier.t.sol +++ b/test/multiproof/NitroEnclaveVerifier.t.sol @@ -269,6 +269,11 @@ contract NitroEnclaveVerifierTest is Test { verifier.addVerifyRoute(ZkCoProcessorType.RiscZero, bytes4(uint32(0x01)), address(0)); } + function testAddVerifyRouteRevertsIfFrozenSentinel() public { + vm.expectRevert(NitroEnclaveVerifier.InvalidVerifierAddress.selector); + verifier.addVerifyRoute(ZkCoProcessorType.RiscZero, bytes4(uint32(0x01)), address(0xdead)); + } + function testAddVerifyRouteRevertsIfNotOwner() public { vm.prank(submitter); vm.expectRevert(); From 37edf9219d7c18dd1df9fa4a8c17dc6f08048636 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:27:37 -0400 Subject: [PATCH 08/11] Add stricter time checks (Findings 9 and 10) --- src/multiproof/tee/NitroEnclaveVerifier.sol | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index 8bb7d87f..24cf1c85 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -580,7 +580,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier { } } uint64 timestamp = journal.timestamp / 1000; - if (timestamp + maxTimeDiff < block.timestamp || timestamp > block.timestamp) { + if (timestamp + maxTimeDiff <= block.timestamp || timestamp >= block.timestamp) { journal.result = VerificationResult.InvalidTimestamp; return journal; } From 2f95cc044ef07626e33391377923f707e87042b4 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:39:26 -0400 Subject: [PATCH 09/11] fix tests --- test/multiproof/NitroEnclaveVerifier.t.sol | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/multiproof/NitroEnclaveVerifier.t.sol b/test/multiproof/NitroEnclaveVerifier.t.sol index 51b0d82a..6744628d 100644 --- a/test/multiproof/NitroEnclaveVerifier.t.sol +++ b/test/multiproof/NitroEnclaveVerifier.t.sol @@ -729,7 +729,7 @@ contract NitroEnclaveVerifierTest is Test { return VerifierJournal({ result: VerificationResult.Success, trustedCertsPrefixLen: 2, - timestamp: uint64(block.timestamp) * 1000, + timestamp: uint64(block.timestamp - 1) * 1000, certs: certs, userData: "", nonce: "", From dfe5571d55b4214dbf0ddc3f9a7f7f063d87fb5c Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 12:40:50 -0400 Subject: [PATCH 10/11] semver lock --- snapshots/semver-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/snapshots/semver-lock.json b/snapshots/semver-lock.json index 5c7164c0..884c6323 100644 --- a/snapshots/semver-lock.json +++ b/snapshots/semver-lock.json @@ -240,7 +240,7 @@ "sourceCodeHash": "0x955bd0c9b47e43219865e4e92abf28d916c96de20cbdf2f94c8ab14d02083759" }, "src/multiproof/AggregateVerifier.sol:AggregateVerifier": { - "initCodeHash": "0xe631e0c2e8e86711f83cb97884065ce38d1ff519e0d2dbf8704e7e4c183a56cc", + "initCodeHash": "0xe28eaeecda21594f6db23bb70127daa2b7b71debe38ce65b598f28d78d2561eb", "sourceCodeHash": "0xfa0464c07c06fddc98ba20e9a362ba10ecf94496556d0f7ac88d1986f79a8a6b" }, "src/multiproof/AggregateVerifier.sol:AggregateVerifier:dispute": { @@ -248,19 +248,19 @@ "sourceCodeHash": "0xfa0464c07c06fddc98ba20e9a362ba10ecf94496556d0f7ac88d1986f79a8a6b" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry": { - "initCodeHash": "0x4c89ecad0d48b6da64ef7f489326aae63b7fbcd33f4fed949a496afd1be49009", - "sourceCodeHash": "0x71a4016022b8a15f5ceddf2d597700046fcbe9ce4dbc7d7f2174d68606b3c614" + "initCodeHash": "0x3a50409059ad8313df38cd76747defa6ae976dcc8ca37b8333c78ef85c7661cd", + "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry:dispute": { - "initCodeHash": "0xfd56342b83d37499a848961ec12f982cee40297a4c59c5d448ed5a78795d3751", - "sourceCodeHash": "0x71a4016022b8a15f5ceddf2d597700046fcbe9ce4dbc7d7f2174d68606b3c614" + "initCodeHash": "0x7345fbc8139f09132ad1ee8432a0e30361e6e92b2cca18855cec81093f5f4ea7", + "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEVerifier.sol:TEEVerifier": { "initCodeHash": "0xeab3964cb2e6bbf3b660a8dedcd01286b74894bf76cf979d0b415fc7ca140ade", "sourceCodeHash": "0xd5e01b4f4e69313e56e51f2f46b7bbe699ef8dc24b8a6385b8ebac4162e05353" }, "src/multiproof/tee/TEEVerifier.sol:TEEVerifier:dispute": { - "initCodeHash": "0xeab3964cb2e6bbf3b660a8dedcd01286b74894bf76cf979d0b415fc7ca140ade", + "initCodeHash": "0xd65f1d604f979045a86d662e168cb7a867478da8a0ca294181872a90d209a66f", "sourceCodeHash": "0xd5e01b4f4e69313e56e51f2f46b7bbe699ef8dc24b8a6385b8ebac4162e05353" }, "src/revenue-share/FeeDisburser.sol:FeeDisburser": { From c7589c7f9298552c9ce021cbc76706524e34b3d3 Mon Sep 17 00:00:00 2001 From: Roger Bai Date: Wed, 25 Mar 2026 13:06:17 -0400 Subject: [PATCH 11/11] semver lock on clean build --- snapshots/semver-lock.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/snapshots/semver-lock.json b/snapshots/semver-lock.json index 884c6323..d10d2451 100644 --- a/snapshots/semver-lock.json +++ b/snapshots/semver-lock.json @@ -240,7 +240,7 @@ "sourceCodeHash": "0x955bd0c9b47e43219865e4e92abf28d916c96de20cbdf2f94c8ab14d02083759" }, "src/multiproof/AggregateVerifier.sol:AggregateVerifier": { - "initCodeHash": "0xe28eaeecda21594f6db23bb70127daa2b7b71debe38ce65b598f28d78d2561eb", + "initCodeHash": "0xe631e0c2e8e86711f83cb97884065ce38d1ff519e0d2dbf8704e7e4c183a56cc", "sourceCodeHash": "0xfa0464c07c06fddc98ba20e9a362ba10ecf94496556d0f7ac88d1986f79a8a6b" }, "src/multiproof/AggregateVerifier.sol:AggregateVerifier:dispute": { @@ -248,11 +248,11 @@ "sourceCodeHash": "0xfa0464c07c06fddc98ba20e9a362ba10ecf94496556d0f7ac88d1986f79a8a6b" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry": { - "initCodeHash": "0x3a50409059ad8313df38cd76747defa6ae976dcc8ca37b8333c78ef85c7661cd", + "initCodeHash": "0x95bf7d37bd7218dc48a176d443599af7dffcb83b57ed63226bd84a3facd8d5f2", "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry:dispute": { - "initCodeHash": "0x7345fbc8139f09132ad1ee8432a0e30361e6e92b2cca18855cec81093f5f4ea7", + "initCodeHash": "0x3a50409059ad8313df38cd76747defa6ae976dcc8ca37b8333c78ef85c7661cd", "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEVerifier.sol:TEEVerifier": { @@ -260,7 +260,7 @@ "sourceCodeHash": "0xd5e01b4f4e69313e56e51f2f46b7bbe699ef8dc24b8a6385b8ebac4162e05353" }, "src/multiproof/tee/TEEVerifier.sol:TEEVerifier:dispute": { - "initCodeHash": "0xd65f1d604f979045a86d662e168cb7a867478da8a0ca294181872a90d209a66f", + "initCodeHash": "0xeab3964cb2e6bbf3b660a8dedcd01286b74894bf76cf979d0b415fc7ca140ade", "sourceCodeHash": "0xd5e01b4f4e69313e56e51f2f46b7bbe699ef8dc24b8a6385b8ebac4162e05353" }, "src/revenue-share/FeeDisburser.sol:FeeDisburser": {