AZIP-4 L1 Block Header Access via an L1 Portal

[mrzeszutko]

Adds AZIP-4 (Core, status Draft) under AZIPs/azip-4.md.

This proposal is an out-of-protocol alternative to the in-protocol "L1 Block Header Access" design in #24. It reaches roughly the same capability — letting Noir contracts read and prove Ethereum L1 state — with no changes to protocol circuits, the AVM, the kernels, or any deployed application ABI.

1. L1 portal (BlockHashPortal) reads blockhash(block.number - 1), packs {l1BlockNumber, l1BlockHash} into a sha256ToField commitment, and sends it through the existing L1→L2 inbox.
2. L2 standard contract (BlockHashStore) — deterministic address via the standard-contract recipe, not a magic-slot protocol contract — consumes the message once, verifies a witnessed RLP header against the committed hash, and memoizes a Poseidon2 header commitment keyed by L1 block number. Readers verify their RLP header against the commitment with a ~1–2k-gate Poseidon2 check in place of a ~25k-gate keccak.
3. New slashing offense. Proposers MUST include pushLatest() before propose() in their checkpoint multicall; omission or out-of-order placement is a SMALL-severity offense (10e18 wei) decided from the L1 transaction receipt.

Trade-offs vs. #24: higher L1 gas per checkpoint, higher per-read gas for header-field-only reads, and an L1→L2 readability latency floor of LAG × AZTEC_SLOT_DURATION = 144 s. In exchange: no critical-path / circuit / AVM audit, no recompile of deployed application circuits, and no change to the L1 GenesisState — a new standard contract added to a running rollup without a new Rollup version.

Credit for the original out-of-protocol design to @iAmMichaelConnor, seeded as a comment (#12 (comment)) by @joeandrews on the AZIP-4 discussion.

cc @iAmMichaelConnor @joeandrews

[aminsammara]

Is this effectively introducing a proposer slash for missing a checkpoint proposal?

[mrzeszutko]

No — this offense is conditioned on a checkpoint actually being proposed. Detection anchors on the rollup's CheckpointProposed log in the proposer's L1 tx receipt and asks: "did a BlockHashPushed log from the configured portal appear before it?" A slot with no CheckpointProposed log produces no anchor, so this offense doesn't fire.

[spalladino]

Shouldn't secretHash be the hash of zero, instead of zero, in order to consume the message from L2?

[mrzeszutko]

Good catch! Fixed

[spalladino]

Fable found a nasty issue with this slashing offense: it is triggerable by a third party that frontruns the proposer.

propose() authenticates the proposer by their signature inside the attestations, not by msg.sender (ProposeLib.sol — "Only the designated proposer for the current slot can propose a checkpoint, enforced by validating the proposer validator signature among attestations"; only the escape-hatch path checks msg.sender). A checkpoint proposal is therefore relayable: an attacker who observes the proposer's multicall in the public mempool (calldata, attestations, and blob sidecars are all visible) can re-bundle the bare propose() call into their own transaction without pushLatest() and front-run. The checkpoint lands attributed to the honest proposer, the receipt has CheckpointProposed but no BlockHashPushed, and the watcher slashes deterministically with no appeal path — the proposal explicitly states detection is "decided purely by inspection of the proposer's finalized L1 transaction."

This would be the first offense in the framework whose trigger is not solely a function of the validator's own behavior. The cost is bounded (the attacker pays gas + blob fees to burn 10e18 of the victim's stake), but a slashing spec needs to either acknowledge and accept this, recommend private orderflow, or weaken the rule. Section (c) considers accomplice pushes masking an omission but not adversarial re-bundling creating one.

[mrzeszutko]

Thanks a lot for catching this (and kudos to Fable) — this is a serious issue and might even be a blocker for this design. I can see two options to fix this:

1. In-protocol — propose() sends the message itself. Move the blockhash(block.number-1) read + sendL2Message into propose(). Because the send is now atomic with the checkpoint, the frontrun is impossible and the entire slashing offense disappears. Notably this needs no circuit changes (it still rides the existing inbox), so it's far lighter than the in-protocol commitment in PR AZIP-4: L1 Block Header Access #24. On addressing, the L1 side actually simplifies — the standalone portal and its L1ContractAddresses registration go away, and the store just re-pins its expected sender from the portal to the already-configured Rollup address. The one wrinkle is the reverse direction: the Rollup needs the store's L2 address as the message recipient, and since the Rollup is deployed with plain CREATE today, this requires either a deployment-process change (CREATE2-predict the Rollup address, or a one-time setter) or — more cleanly — giving the store a fixed canonical address referenced as a constant (mirroring how FeeJuicePortal references Constants.FEE_JUICE_ADDRESS), which needs no deploy changes. Costs: a critical-path ProposeLib audit, a new Rollup version (so this will not be available soon) and it keeps the inbox LAG.
2. Decouple the push from propose() (standalone tx) with window-based detection (BlockHashPushed within L1 block B ± W). Keeps the immutable-Rollup compatibility, but it's not a clean win: push and checkpoint can now land in different L1 blocks, so a reorg can split them across the window and false-slash an honest proposer — same harm class as the original bug, just rarer/accidental (adjudicating against finalized L1 mitigates most of it). It also makes the offense fuzzier: W becomes a consensus parameter and attribution on total omission is unresolved.

So the trade is roughly enforced atomicity (no slashing, but a new Rollup) vs windowed detection (immutable-Rollup-compatible, but reorg-fragile). Do you see any other option to solve this that I'm missing — particularly anything that keeps the immutable-Rollup property without the windowed-attribution complexity?

[joeandrews]

This just feels like we need to make the slashing rule weaker i.e

The proposer is slashed if there is no BlockHashPushed event within N L1 slots from the last checkpoint. You can seperate them out, front run or do whatever, but there must be an event within 6 slots from the last checkpoint or you are slashed.

[spalladino]

As I mentioned on the previous ACD, I think that bundling the L1 root inbox message with the propose call makes the most sense, both in terms of gas efficiency in simplicity. Note that the inbox lag is not a strong enough argument, since we're working to reduce inbox lag for all messages via a different protocol change.

Also, it was mentioned during the last ACD that doing this in-protocol was shot down due to a set of cons, but none of those apply to bundling the L1 calls. They do apply to enshrining reads of L1 specific fields in the protocol.

This then becomes a question of whether we need a solution for this in v5. I'd push for a stopgap solution for v5, that works for the specific apps that require it, and then implementing the proper solution along with v6, especially considering that the slash-based solution will also take time to develop and move the timeline closer to v6.

[spalladino]

Should this be header_commitments[n]? The store mapping is called header_commitments everywhere else in the spec (the submit() pseudocode, (f), and Security Considerations) — blockhashes only appears in the rejected "memoizing the canonical bytes32 block hash" alternative, so this looks like a leftover from that draft.

Suggested change

`submit()` SHOULD emit a `BlockHashMemoized(l1BlockNumber)` public log on the success path (i.e. when memoization actually occurs), mirroring the L1 portal's `BlockHashPushed(n)` event so off-chain indexers, explorers, and keepers can detect "block `n` is now memoized" without polling public state. The log MUST NOT fire on the idempotent early-return branch, so the presence of a log carries the meaning "this call performed the memoization." The log's shape is non-normative; consumers MUST NOT couple to its field encoding. The authoritative signal that block `n` is memoized is `blockhashes[n] != 0` — the log is an off-chain notification convenience, not a substitute for the storage read.

`submit()` SHOULD emit a `BlockHashMemoized(l1BlockNumber)` public log on the success path (i.e. when memoization actually occurs), mirroring the L1 portal's `BlockHashPushed(n)` event so off-chain indexers, explorers, and keepers can detect "block `n` is now memoized" without polling public state. The log MUST NOT fire on the idempotent early-return branch, so the presence of a log carries the meaning "this call performed the memoization." The log's shape is non-normative; consumers MUST NOT couple to its field encoding. The authoritative signal that block `n` is memoized is `header_commitments[n] != 0` — the log is an off-chain notification convenience, not a substitute for the storage read.

[mrzeszutko]

Good catch! Fixed

[spalladino]

How is the L1 portal address baked into the standard contract, given there's no ctor? Immutables? Wouldn't that yield a different address per network?

[mrzeszutko]

You're absolutely right. The address will be different per network. I updated the AZIP with this information

[spalladino]

Question about this part: how do apps gather the rlp_header? Let's say a user interacts with app A, which in turn calls app B, which calls app C (you know where this is going), which eventually needs to do a proof over L1 state. How does the application-code the user is interacting with know that it needs to gather rlp_header for app C? Or how is it wired through the callstack?

We discussed some alternatives today with @nventuro, but it'd be good to cover those in the AZIP as well, in order not to kill composability in apps that require access to that L1 data:

• Adding a new oracle call to fetch that data, which needs to be resolved by a wallet with L1 RPC access
• Storing the entire block header in the public data tree
• Emitting an unencrypted tagged log with the block preimage, and piggybacking on PXE's note-discovery mechanism for loading it
• Abusing capsules, though still requires the app A frontend to know about app C requiring block data
• Implementing some new hook mechanism, which is still unplanned

[mrzeszutko]

That's a really good question where I don't have the immediate answer. Let's discuss on ACD

[spalladino]

only public functions can write public state

We could still run the hashing in a private function, and then call an internal (only_self) public function that writes to public state. This way we save a lot on L2 gas, by keeping the keccack proofs private. Has this mixed approach been considered? In general, I'd try and push expensive operations that don't depend on public mutable state to private-land.

Also, we could keep the entire thing in private-land, and write the poseidon commitment to the block as a nullifier, which can then be read from both private and public.

[mrzeszutko]

I started considering it when thinking if we really need a new opcode if we decide to go in-protocol way.