Nimbus Verified Proxy

[chirag-parmar]

No description provided.

[bhartnett]

The approach you've taken here is interesting.

Unfortunately, it will only work if the RPC provider returns the correct access list. We don't want to trust the RPC provider and so we can't really trust that they will provide a correct access list. They could for example provide you with an access list that will cause the eth_call result to be completely different, even though you are verifying the account and storage proofs of each account and slot there is no way to verify that you are looking up the correct pre-state before the transaction is executed.

I think using the access list purely as a performance optimization would be ok as long as the EVM itself still looks up the correct state during transaction execution. In this scenarios the worst that the RPC provider could do is a DOS by sending you a very large fake access list but since the RPC provider can already effectively DOS your application by not responding to requests this is likely acceptable.

[bhartnett]

Unfortunately, it will only work if the RPC provider returns the correct access list. We don't want to trust the RPC provider and so we can't really trust that they will provide a correct access list. They could for example provide you with an access list that will cause the eth_call result to be completely different, even though you are verifying the account and storage proofs of each account and slot there is no way to verify that you are looking up the correct pre-state before the transaction is executed.

You might be able to solve this problem by building up the access list yourself by executing the in memory EVM multiple times, each time collecting more of the access list keys and state until eventually executing the transaction against the full state which will give you the result for eth_call.

Here is the algorithm:

- Fetch code to be executed
- while the evm execution is not successful or the touched account,code,slots have changed since the last execution:
    - execute the code using in memory EVM
    - collect the touched account,code,slots from the evm state
    - fetch all touched account,code,slots concurrently and pass into a new evm state

The last execution will be successful and should be using the correct keys.

You can use the makeMultiKeys function in ledger.nim to collect the touched account keys and storage slots from the EVM state after executing the transaction. You might also be able to use the accessList functions for this.

[kdeme]

I think it would be a good plan to already put this PR in a cleaned-up state that would be ready to review / ready to merge.

Your changes into using the json-rpc API instead of the libp2p enabled block cache right now is already a good improvement that can go into the code base. No need to wait for other improvements/features, those can go in other PRs (this avoids to-big-to-review PRs and brings quicker improvements to the web3 verifier purifier)

[kdeme]

Suggested change

	# initialze verified proxy
	# initialize verified proxy

[kdeme]

remove?

[kdeme]

Suggested change

	# initiialize beacon node genesis data, beacon clock and forkDigests
	# initialize beacon node genesis data, beacon clock and forkDigests

[kdeme]

This registers the basic protocol that allows for ping/getMetadata/goodbye for a node in libp2p.
I think it should remain available for basic communication with nodes on the network.

Eventually when you move to add the REST API sync version, this can be either be removed if we are to only support REST. Or if we want to support both modes, this gets disabled in case of REST mode.

[chirag-parmar]

I think I forgot the comment in there. Thank you for the explanation

[kdeme]

add {.push raises: [].}

[kdeme]

I guess it works the use an LruCache because of the way you have implemented it (using peek for the getters and scanning over the cache before add), but to me it does feel like a non-intuitive way to use an LruCache.

It is basically being used/selected mostly for its "automatic" pruning of the oldest headers here, but not at all for keeping its most "touched" content, hence the use of only peek and the requirement to add only new data.

The required full scan on add also makes the efficient add of the lru cache undone, but with the set max value of 64 that's probably not really an issue currently.

This implementation is also easy to make mistakes against in future changes, so it should at least have a big warning on how to use (already has this warning on the add currently).

[kdeme]

FYI: I do realize that the original BlockCache was implemented in a similar way, and that you improved it somewhat by using peek (peek was not part of the API at creation of BlockCache I believe). But as you are reworking this I mostly wanted to point out that I do not think it is something we necessarily need to stick with as solution for this cache.

Also, as @bhartnett pointed out, there is an issue with pruning the number-to-hashes-mapping table, which will be more difficult to solve cleanly as the LRU prunes behind the scenes (without hook into it). But I guess you could delete numbers lower than n - max size on the add of a new header.

[bhartnett]

We have existing users of the Nimbus Verified Proxy and so we need to be careful not to break any of the functionality, so in my opinion this PR is too big to be merged, especially because we don't have a staging branch etc. I also noticed that there are no tests added.

I would suggest treating this as a draft PR to get feedback and then create smaller PRs with smaller subsets of the features and have some unit tests covering the changes in each PR. Just my thoughts, curious to hear what others in the team think. @kdeme @tersec

Another option I guess would be to create a staging branch where the changes can be tested a bit longer before being merged into master but this would not be my preferred approach.

[bhartnett]

Why did you need to introduce this CORS change when it previously wasn't needed?

[chirag-parmar]

So I rearranged the boot code for the verified proxy to have a proper initialization flow. I did that to understand the verified proxy's workings and the interplay of the light client with it.

The CORS change is just a rearrangement diff i.e it existed before.

cc: @kdeme

[bhartnett]

You shouldn't need to pass in a CommonRef directly. I'm not sure if this could lead to problems if the in memory database used by the evm isn't empty. I did provide the NetworkId parameter in the above init proc which is the one you should use.

[chirag-parmar]

I did not want to initialize two instances CommonRef. More so because the other instance is merely used for gas price APIs (which internally use CommonRef for fork calculation, I assume)

[bhartnett]

We probably don't need an instance of CommonRef in the NVP just for determining a fork. After looking at that area of code, it appears that you should be able to do something like this to get the fork without creating an instance of CommonRef:

let forkTransitionTable = config.toForkTransitionTable() # store this somewhere precomputed

ToEVMFork[toHardFork(forkTransitionTable, forkDeterminationInfo(header))]

I haven't tried this by it should be possible even with some small changes to Nimbus code if needed.

[bhartnett]

It appears that the hashes table only grows and the entries never get deleted. Maybe you should use a LRUCache here as well.

[chirag-parmar]

In retrospect, that makes a lot of sense, i'll add it in. Initially, it did not hurt to let it grow because even a million blocks would amount to only ~32MB but since we are probably also aiming for resource constrained embedded devices and not just smartphone wallets it makes sense to add a limit. Regardless of the resource constraints, it still does make sense to add a limit and just set it to a high number

[bhartnett]

Yeah it can hold more items but it should still be bounded.

[bhartnett]

Why not just store the earliest and latest block number (or hash) and then use them to return the earliest and latest headers.

[bhartnett]

Note that chainId is not always the same as networkId. This chainConfigForNetwork function expects a networkId so I'm not sure if there might be an issue here.

[bhartnett]

This rpcClient template is defined in each file. Would be better to define this in just one place and then import.

[bhartnett]

It appears that this function is now defined in two places. The other one in validate_proof.nim

[bhartnett]

Why is tag not implemented? Looks like this was just copied from Fluffy.

[chirag-parmar]

Indeed most of the code for evm execution was taken directly from fluffy. I'm fairly sure I removed this bit of code, but I think I lost the diff while stashing some changes for the Pr on AsyncEVM. Will add it back in(i.e. remove the code)

[bhartnett]

Same here. Tag should be supported.

[bhartnett]

In order to get reasonable performance you should create a cache for the most recently fetched accounts, slots and code. This should be populated after validation when fetching this data from the downstream RPC provider.

[bhartnett]

As a performance optimization, before executing call on the evm, I would suggest calling eth_createAccessList on the downstream RPC provider and then using the returned keys to concurrently fetch the accounts and storage slots to populate a cache which should be used by the AsyncEvm backend.

[tersec]

We have existing users of the Nimbus Verified Proxy and so we need to be careful not to break any of the functionality, so in my opinion this PR is too big to be merged, especially because we don't have a staging branch etc. I also noticed that there are no tests added.

I would suggest treating this as a draft PR to get feedback and then create smaller PRs with smaller subsets of the features and have some unit tests covering the changes in each PR. Just my thoughts, curious to hear what others in the team think. @kdeme @tersec

Another option I guess would be to create a staging branch where the changes can be tested a bit longer before being merged into master but this would not be my preferred approach.

I'd echo this. Also, yes, it's possible to keep it in staging longer, unless it needs to be a larger PR, it would better to split out individual changes from this to review and merge, then this branch can be updated to reflect those being merged.

[kdeme]

Just my thoughts, curious to hear what others in the team think.

Verified proxy is definitely lacking a good set of tests which currently makes it difficult making changes without breaking things. In the past the only testing done was basically running it with a wallet (e.g. Metamask) and testing some end-to-end functionality there.

Now as going forward and moving this "PoC" into a properly maintained and developed product, and adding more functionality to it, we should definitely have more unit testing (and especially for this newly added functionality). To be fair, the current version does not really have much functionality, libp2p consensus light client, which is already tested, some basic proving and this block cache.
In terms of testing the JSON-RPC functionality (end-to-end tests), I think we can have tests with some static response data (mock the response basically) and load that in the tests just to verify the underlying logic of our JSON-RPC methods.

Regarding smaller PRs: Yes, I always prefer to have features split up (easier to review, to test, to revert, etc.). Practically for this PR I think the block cache changes could be a PR that gets merged (once comments are addressed), and the addition and usage of async EVM could be another (or even several depending on which API method starts to use them already). I noticed that there is currently an issue that causes a lot of the JSON-RPC code to be commented. Separating PRs would allow us to already get some of this functionality merged without that commented code holding it back.

A staging branch I personally do not prefer, in general, but also in this case specifically because we do not have a way to really verify/test that it works for users. Aside from using it ourselves for some time.
Note that this sort of also applies to the big vs smaller PRs comment, but with that difference that with smaller PRs we can potentially diagnose issues quicker (git bisect, etc.) and revert them cleaner.
And in a way, our master is basically the staging branch, as we are not doing releases yet :)

[tersec]

Large chunks of commented-out code shouldn't usually be merged

[tersec]

https://status-im.github.io/nim-style-guide/language.proc.html

Prefer func - use proc when side effects cannot conveniently be avoided.

But there appear to be no side effects here to begin with.

[tersec]

How is this file from 2022-2024? It pops into existence in this PR.

[tersec]

This file appears to have no pre-2025 existence.

[tersec]

https://status-im.github.io/nim-style-guide/language.proc.html

Prefer func - use proc when side effects cannot conveniently be avoided.

Also for add (probably, I don't see the side effects at least), latest, etc.

[kdeme]

I think we should have some limit here of how much back in time you can request a block.

[tersec]

func (etc)

also https://status-im.github.io/nim-style-guide/language.result.html

Avoid using result for returning values.

[tersec]

func + avoid result + probably can be mapIt(toReceipt(it))

[tersec]

More commented-out code. This is fine as an implementation tracking thing in a draft PR, but preferably not to merge.

[tersec]

Large chunk of commented code (as before, reasonable as progress-tracking stand-in, not reasonable to merge)

[tersec]

Don't need any of these three returns explicitly, that way it becomes a case expression rather than a case statement and Nim effectively statically checks that this is either the last thing in a block/function or is discarded.

[chirag-parmar]

Separating PRs would allow us to already get some of this functionality merged without that commented code holding it back.

@bhartnett @tersec @kdeme the reasoning is very sound. I'll create smaller PRs which addresses the reviews and also seperates out code. I'll link the new PRs in your reviews here. Thanks a ton for these reviews, learning a lot