Merge pull request #4591 from OffchainLabs/braga/disable-arbowner-flag

Add flag to disable ArbOwner outside on-chain execution

Author: joshuacolvin0

changelog/bragaigor-nit-4744.md

@@ -0,0 +1,2 @@
+### Configuration
+- Add `--execution.disable-arbowner-ethcall` flag to disable ArbOwner precompile calls outside on-chain execution

execution/gethexec/node.go

@@ -38,6 +38,7 @@ import (
 	"github.com/offchainlabs/nitro/execution/gethexec/addressfilter"
 	"github.com/offchainlabs/nitro/execution/gethexec/eventfilter"
 	executionrpcserver "github.com/offchainlabs/nitro/execution/rpcserver"
+	"github.com/offchainlabs/nitro/gethhook"
 	"github.com/offchainlabs/nitro/solgen/go/precompilesgen"
 	"github.com/offchainlabs/nitro/timeboost"
 	"github.com/offchainlabs/nitro/util"
@@ -181,6 +182,7 @@ type Config struct {
 	ExposeMultiGas              bool                       `koanf:"expose-multi-gas"`
 	RPCServer                   rpcserver.Config           `koanf:"rpc-server"`
 	ConsensusRPCClient          rpcclient.ClientConfig     `koanf:"consensus-rpc-client" reload:"hot"`
+	DisableArbOwnerEthCall      bool                       `koanf:"disable-arbowner-ethcall"`
 
 	forwardingTarget string
 }
@@ -236,6 +238,7 @@ func ConfigAddOptions(prefix string, f *pflag.FlagSet) {
 	f.Uint64(prefix+".block-metadata-api-cache-size", ConfigDefault.BlockMetadataApiCacheSize, "size (in bytes) of lru cache storing the blockMetadata to service arb_getRawBlockMetadata")
 	f.Uint64(prefix+".block-metadata-api-blocks-limit", ConfigDefault.BlockMetadataApiBlocksLimit, "maximum number of blocks allowed to be queried for blockMetadata per arb_getRawBlockMetadata query. Enabled by default, set 0 to disable the limit")
 	f.Bool(prefix+".expose-multi-gas", false, "experimental: expose multi-dimensional gas in transaction receipts")
+	f.Bool(prefix+".disable-arbowner-ethcall", ConfigDefault.DisableArbOwnerEthCall, "disable ArbOwner precompile calls outside on-chain execution (ethcall, gas estimation)")
 	LiveTracingConfigAddOptions(prefix+".vmtrace", f)
 	rpcserver.ConfigAddOptions(prefix+".rpc-server", "execution", f)
 	rpcclient.RPCClientAddOptions(prefix+".consensus-rpc-client", f, &ConfigDefault.ConsensusRPCClient)
@@ -276,6 +279,7 @@ var ConfigDefault = Config{
 	BlockMetadataApiBlocksLimit: 100,
 	VmTrace:                     DefaultLiveTracingConfig,
 	ExposeMultiGas:              false,
+	DisableArbOwnerEthCall:      false,
 
 	RPCServer: rpcserver.DefaultConfig,
 	ConsensusRPCClient: rpcclient.ClientConfig{
@@ -518,6 +522,13 @@ func (n *ExecutionNode) MarkFeedStart(to arbutil.MessageIndex) containers.Promis
 
 func (n *ExecutionNode) Initialize(ctx context.Context) error {
 	config := n.configFetcher.Get()
+	if config.DisableArbOwnerEthCall {
+		ownerPC := gethhook.GetOwnerPrecompile()
+		if ownerPC == nil {
+			return fmt.Errorf("cannot enable disable-arbowner-ethcall: ArbOwner precompile not found")
+		}
+		ownerPC.SetDisableEthCall(true)
+	}
 	err := n.ExecEngine.Initialize(config.Caching.StylusLRUCacheCapacity, &config.StylusTarget)
 	if err != nil {
 		return fmt.Errorf("error initializing execution engine: %w", err)

gethhook/geth-hook.go

@@ -10,13 +10,22 @@ import (
 	"github.com/ethereum/go-ethereum/arbitrum/multigas"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/core"
+	"github.com/ethereum/go-ethereum/core/types"
 	"github.com/ethereum/go-ethereum/core/vm"
 	"github.com/ethereum/go-ethereum/log"
 
 	"github.com/offchainlabs/nitro/arbos"
 	"github.com/offchainlabs/nitro/precompiles"
 )
 
+// arbOwnerPrecompile holds the *OwnerPrecompile retrieved from the precompile map during init().
+// ExecutionNode.Initialize() configures it later when the node config is available.
+var arbOwnerPrecompile *precompiles.OwnerPrecompile
+
+func GetOwnerPrecompile() *precompiles.OwnerPrecompile {
+	return arbOwnerPrecompile
+}
+
 type ArbosPrecompileWrapper struct {
 	inner precompiles.ArbosPrecompile
 }
@@ -59,7 +68,13 @@ func init() {
 
 	// process arbos precompiles
 	precompileErrors := make(map[[4]byte]abi.Error)
-	for addr, precompile := range precompiles.Precompiles() {
+	arbosPrecompiles := precompiles.Precompiles()
+	if ownerPC, ok := arbosPrecompiles[types.ArbOwnerAddress].(*precompiles.OwnerPrecompile); ok {
+		arbOwnerPrecompile = ownerPC
+	} else {
+		panic("ArbOwner precompile is not an *OwnerPrecompile, disable-arbowner-ethcall flag will not work")
+	}
+	for addr, precompile := range arbosPrecompiles {
 		for _, errABI := range precompile.Precompile().GetErrorABIs() {
 			precompileErrors[[4]byte(errABI.ID.Bytes())] = errABI
 		}

precompiles/wrapper.go

@@ -61,8 +61,9 @@ func (wrapper *DebugPrecompile) Name() string {
 
 // OwnerPrecompile is a precompile wrapper for those only chain owners may use
 type OwnerPrecompile struct {
-	precompile  ArbosPrecompile
-	emitSuccess func(mech, bytes4, addr, []byte) error
+	precompile     ArbosPrecompile
+	emitSuccess    func(mech, bytes4, addr, []byte) error
+	disableEthCall bool
 }
 
 func ownerOnly(address addr, impl ArbosPrecompile, emit func(mech, bytes4, addr, []byte) error) (addr, ArbosPrecompile) {
@@ -72,6 +73,10 @@ func ownerOnly(address addr, impl ArbosPrecompile, emit func(mech, bytes4, addr,
 	}
 }
 
+func (wrapper *OwnerPrecompile) SetDisableEthCall(disable bool) {
+	wrapper.disableEthCall = disable
+}
+
 func (wrapper *OwnerPrecompile) Address() common.Address {
 	return wrapper.precompile.Address()
 }
@@ -85,6 +90,10 @@ func (wrapper *OwnerPrecompile) Call(
 	gasSupplied uint64,
 	evm *vm.EVM,
 ) ([]byte, uint64, multigas.MultiGas, error) {
+	if wrapper.disableEthCall && evm.ProcessingHook.MsgIsNonMutating() {
+		return nil, gasSupplied, multigas.ZeroGas(), errors.New("ArbOwner precompile is disabled outside on-chain execution")
+	}
+
 	con := wrapper.precompile
 
 	burner := &Context{

system_tests/precompile_test.go

@@ -10,11 +10,13 @@ import (
 	"math/big"
 	"slices"
 	"sort"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
 
+	"github.com/ethereum/go-ethereum"
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/core/types"
@@ -26,6 +28,7 @@ import (
 	"github.com/offchainlabs/nitro/arbos/burn"
 	"github.com/offchainlabs/nitro/arbos/l1pricing"
 	"github.com/offchainlabs/nitro/cmd/chaininfo"
+	"github.com/offchainlabs/nitro/gethhook"
 	"github.com/offchainlabs/nitro/precompiles"
 	"github.com/offchainlabs/nitro/solgen/go/localgen"
 	"github.com/offchainlabs/nitro/solgen/go/precompilesgen"
@@ -1357,3 +1360,85 @@ func TestArbDebugOverwriteContractCode(t *testing.T) {
 		t.Fatal("expected code B to be", testCodeB, "got", code)
 	}
 }
+
+func TestDisableArbOwnerEthCall(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	builder := NewNodeBuilder(ctx).DefaultConfig(t, false).DontParalellise()
+	builder.execConfig.DisableArbOwnerEthCall = true
+	cleanup := builder.Build(t)
+	// The DisableArbOwnerEthCall flag is set on the global OwnerPrecompile singleton,
+	// so it persists across tests running in the same process. We must:
+	// 1. Not run in parallel (DontParalellise above) to avoid affecting concurrent tests
+	// 2. Reset the flag on cleanup to avoid affecting subsequent tests
+	defer func() {
+		gethhook.GetOwnerPrecompile().SetDisableEthCall(false)
+		cleanup()
+	}()
+
+	arbOwnerABI, err := precompilesgen.ArbOwnerMetaData.GetAbi()
+	Require(t, err)
+	calldata, err := arbOwnerABI.Pack("getAllChainOwners")
+	Require(t, err)
+	arbOwnerAddr := types.ArbOwnerAddress
+
+	expectedErrMsg := "ArbOwner precompile is disabled outside on-chain execution"
+
+	// eth_call should fail
+	_, err = builder.L2.Client.CallContract(ctx, ethereum.CallMsg{
+		To:   &arbOwnerAddr,
+		Data: calldata,
+	}, nil)
+	if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
+		Fatal(t, "eth_call to ArbOwner expected error containing", expectedErrMsg, "got", err)
+	}
+
+	// eth_estimateGas should fail
+	_, err = builder.L2.Client.EstimateGas(ctx, ethereum.CallMsg{
+		To:   &arbOwnerAddr,
+		Data: calldata,
+	})
+	if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
+		Fatal(t, "eth_estimateGas to ArbOwner expected error containing", expectedErrMsg, "got", err)
+	}
+
+	// On-chain transaction should still succeed
+	auth := builder.L2Info.GetDefaultTransactOpts("Owner", ctx)
+	auth.GasLimit = 32_000_000
+	arbOwner, err := precompilesgen.NewArbOwner(arbOwnerAddr, builder.L2.Client)
+	Require(t, err)
+	tx, err := arbOwner.AddChainOwner(&auth, common.HexToAddress("0xdeadbeef"))
+	Require(t, err)
+	_, err = builder.L2.EnsureTxSucceeded(tx)
+	Require(t, err)
+}
+
+func TestArbOwnerEthCallEnabled(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	builder := NewNodeBuilder(ctx).DefaultConfig(t, false).DontParalellise()
+	cleanup := builder.Build(t)
+	defer cleanup()
+
+	arbOwnerABI, err := precompilesgen.ArbOwnerMetaData.GetAbi()
+	Require(t, err)
+	calldata, err := arbOwnerABI.Pack("getAllChainOwners")
+	Require(t, err)
+	arbOwnerAddr := types.ArbOwnerAddress
+
+	// eth_call should succeed when DisableArbOwnerEthCall is false (default)
+	_, err = builder.L2.Client.CallContract(ctx, ethereum.CallMsg{
+		To:   &arbOwnerAddr,
+		Data: calldata,
+	}, nil)
+	Require(t, err)
+
+	// eth_estimateGas should succeed when DisableArbOwnerEthCall is false (default)
+	_, err = builder.L2.Client.EstimateGas(ctx, ethereum.CallMsg{
+		To:   &arbOwnerAddr,
+		Data: calldata,
+	})
+	Require(t, err)
+}