AZIP-4 L1 Block Header Access via an L1 Portal

[mrzeszutko]

Adds AZIP-4 (Core, status Draft) under AZIPs/azip-4.md.

This proposal is an out-of-protocol alternative to the in-protocol "L1 Block Header Access" design in #24. It reaches roughly the same capability — letting Noir contracts read and prove Ethereum L1 state — with no changes to protocol circuits, the AVM, the kernels, or any deployed application ABI.

1. L1 portal (BlockHashPortal) reads blockhash(block.number - 1), packs {l1BlockNumber, l1BlockHash} into a sha256ToField commitment, and sends it through the existing L1→L2 inbox.
2. L2 standard contract (BlockHashStore) — deterministic address via the standard-contract recipe, not a magic-slot protocol contract — consumes the message once, verifies a witnessed RLP header against the committed hash, and memoizes a Poseidon2 header commitment keyed by L1 block number. Readers verify their RLP header against the commitment with a ~1–2k-gate Poseidon2 check in place of a ~25k-gate keccak.
3. New slashing offense. Proposers MUST include pushLatest() before propose() in their checkpoint multicall; omission or out-of-order placement is a SMALL-severity offense (10e18 wei) decided from the L1 transaction receipt.

Trade-offs vs. #24: higher L1 gas per checkpoint, higher per-read gas for header-field-only reads, and an L1→L2 readability latency floor of LAG × AZTEC_SLOT_DURATION = 144 s. In exchange: no critical-path / circuit / AVM audit, no recompile of deployed application circuits, and no change to the L1 GenesisState — a new standard contract added to a running rollup without a new Rollup version.

Credit for the original out-of-protocol design to @iAmMichaelConnor, seeded as a comment (#12 (comment)) by @joeandrews on the AZIP-4 discussion.

cc @iAmMichaelConnor @joeandrews

[aminsammara]

Is this effectively introducing a proposer slash for missing a checkpoint proposal?

[mrzeszutko]

No — this offense is conditioned on a checkpoint actually being proposed. Detection anchors on the rollup's CheckpointProposed log in the proposer's L1 tx receipt and asks: "did a BlockHashPushed log from the configured portal appear before it?" A slot with no CheckpointProposed log produces no anchor, so this offense doesn't fire.

[spalladino]

Shouldn't secretHash be the hash of zero, instead of zero, in order to consume the message from L2?

[spalladino]

Fable found a nasty issue with this slashing offense: it is triggerable by a third party that frontruns the proposer.

propose() authenticates the proposer by their signature inside the attestations, not by msg.sender (ProposeLib.sol — "Only the designated proposer for the current slot can propose a checkpoint, enforced by validating the proposer validator signature among attestations"; only the escape-hatch path checks msg.sender). A checkpoint proposal is therefore relayable: an attacker who observes the proposer's multicall in the public mempool (calldata, attestations, and blob sidecars are all visible) can re-bundle the bare propose() call into their own transaction without pushLatest() and front-run. The checkpoint lands attributed to the honest proposer, the receipt has CheckpointProposed but no BlockHashPushed, and the watcher slashes deterministically with no appeal path — the proposal explicitly states detection is "decided purely by inspection of the proposer's finalized L1 transaction."

This would be the first offense in the framework whose trigger is not solely a function of the validator's own behavior. The cost is bounded (the attacker pays gas + blob fees to burn 10e18 of the victim's stake), but a slashing spec needs to either acknowledge and accept this, recommend private orderflow, or weaken the rule. Section (c) considers accomplice pushes masking an omission but not adversarial re-bundling creating one.

[spalladino]

Should this be header_commitments[n]? The store mapping is called header_commitments everywhere else in the spec (the submit() pseudocode, (f), and Security Considerations) — blockhashes only appears in the rejected "memoizing the canonical bytes32 block hash" alternative, so this looks like a leftover from that draft.

Suggested change

`submit()` SHOULD emit a `BlockHashMemoized(l1BlockNumber)` public log on the success path (i.e. when memoization actually occurs), mirroring the L1 portal's `BlockHashPushed(n)` event so off-chain indexers, explorers, and keepers can detect "block `n` is now memoized" without polling public state. The log MUST NOT fire on the idempotent early-return branch, so the presence of a log carries the meaning "this call performed the memoization." The log's shape is non-normative; consumers MUST NOT couple to its field encoding. The authoritative signal that block `n` is memoized is `blockhashes[n] != 0` — the log is an off-chain notification convenience, not a substitute for the storage read.

`submit()` SHOULD emit a `BlockHashMemoized(l1BlockNumber)` public log on the success path (i.e. when memoization actually occurs), mirroring the L1 portal's `BlockHashPushed(n)` event so off-chain indexers, explorers, and keepers can detect "block `n` is now memoized" without polling public state. The log MUST NOT fire on the idempotent early-return branch, so the presence of a log carries the meaning "this call performed the memoization." The log's shape is non-normative; consumers MUST NOT couple to its field encoding. The authoritative signal that block `n` is memoized is `header_commitments[n] != 0` — the log is an off-chain notification convenience, not a substitute for the storage read.

[spalladino]

How is the L1 portal address baked into the standard contract, given there's no ctor? Immutables? Wouldn't that yield a different address per network?