Use Owner pattern to switch betweern batcher.

Author: philippecamacho

op-batcher/bindings/batch_authenticator.go

@@ -6,5 +6,5 @@ interface IBatchInbox {
 
     function version() external view returns (string memory);
 
-    function __constructor__(address _nonTeeBatcher, address _batchAuthenticator) external;
+    function __constructor__(address _nonTeeBatcher, address _batchAuthenticator, address _owner) external;
 }

op-batcher/bindings/batch_inbox.go

@@ -76,7 +76,7 @@ contract DeployEspresso is Script {
     function run(DeployEspressoInput input, DeployEspressoOutput output, address deployerAddress) public {
         IEspressoTEEVerifier teeVerifier = deployTEEVerifier(input);
         IBatchAuthenticator batchAuthenticator = deployBatchAuthenticator(input, output, teeVerifier, deployerAddress);
-        deployBatchInbox(input, output, batchAuthenticator);
+        deployBatchInbox(input, output, batchAuthenticator, deployerAddress);
         checkOutput(output);
     }
 
@@ -123,7 +123,8 @@ contract DeployEspresso is Script {
     function deployBatchInbox(
         DeployEspressoInput input,
         DeployEspressoOutput output,
-        IBatchAuthenticator batchAuthenticator
+        IBatchAuthenticator batchAuthenticator,
+        address owner
     )
         public
     {
@@ -134,7 +135,7 @@ contract DeployEspresso is Script {
                 _name: "BatchInbox",
                 _salt: salt,
                 _args: DeployUtils.encodeConstructor(
-                    abi.encodeCall(IBatchInbox.__constructor__, (input.nonTeeBatcher(), address(batchAuthenticator)))
+                    abi.encodeCall(IBatchInbox.__constructor__, (input.nonTeeBatcher(), address(batchAuthenticator), owner))
                 )
             })
         );

packages/contracts-bedrock/interfaces/L1/IBatchInbox.sol

@@ -1,12 +1,13 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
+import { Ownable } from "@openzeppelin/contracts/access/Ownable.sol";
 import { IBatchAuthenticator } from "interfaces/L1/IBatchAuthenticator.sol";
 
 /// @title BatchInbox
 /// @notice Receives batches from either a TEE batcher or a non-TEE batcher and enforces
 ///         that TEE batches are authenticated by the configured batch authenticator.
-contract BatchInbox {
+contract BatchInbox is Ownable {
     /// @notice Address of the TEE-based batcher.
     address public immutable teeBatcher;
 
@@ -24,16 +25,17 @@ contract BatchInbox {
     ///         and the batch authenticator.
     /// @param _nonTeeBatcher Address of the non-TEE batcher.
     /// @param _batchAuthenticator Address of the batch authenticator contract.
-    constructor(address _nonTeeBatcher, IBatchAuthenticator _batchAuthenticator) {
+    constructor(address _nonTeeBatcher, IBatchAuthenticator _batchAuthenticator, address _owner) Ownable() {
         require(_nonTeeBatcher != address(0), "BatchInbox: zero address for non tee batcher");
         nonTeeBatcher = _nonTeeBatcher;
         batchAuthenticator = _batchAuthenticator;
         // By default, start with the TEE batcher active
         activeIsTee = true;
+        _transferOwnership(_owner);
     }
 
     /// @notice Toggles the active batcher between the TEE and non-TEE batcher.
-    function switchBatcher() external {
+    function switchBatcher() external onlyOwner {
         activeIsTee = !activeIsTee;
     }
 

packages/contracts-bedrock/scripts/deploy/DeployEspresso.s.sol

@@ -35,7 +35,7 @@ contract BatchInbox_Test is Test {
 
     function setUp() public virtual {
         authenticator = new MockBatchAuthenticator();
-        inbox = new BatchInbox(nonTeeBatcher, IBatchAuthenticator(address(authenticator)));
+        inbox = new BatchInbox(nonTeeBatcher, IBatchAuthenticator(address(authenticator)), deployer);
     }
 }
 
@@ -44,16 +44,17 @@ contract BatchInbox_Test is Test {
 contract BatchInbox_Constructor_Test is Test {
     address nonTeeBatcher = address(0x5678);
     address batchAuthenticator = address(0x9ABC);
+    address owner = address(0xABCD);
 
     /// @notice Test that constructor reverts when non-TEE batcher is zero address
     function test_constructor_revertsWhenNonTeeBatcherIsZero() external {
         vm.expectRevert("BatchInbox: zero address for non tee batcher");
-        new BatchInbox(address(0), IBatchAuthenticator(batchAuthenticator));
+        new BatchInbox(address(0), IBatchAuthenticator(batchAuthenticator), owner);
     }
 
     /// @notice Test that constructor succeeds with valid addresses
     function test_constructor_succeedsWithValidAddresses() external {
-        BatchInbox testInbox = new BatchInbox(nonTeeBatcher, IBatchAuthenticator(batchAuthenticator));
+        BatchInbox testInbox = new BatchInbox(nonTeeBatcher, IBatchAuthenticator(batchAuthenticator), owner);
 
         assertEq(testInbox.nonTeeBatcher(), nonTeeBatcher, "Non-TEE batcher should match");
         assertEq(address(testInbox.batchAuthenticator()), batchAuthenticator, "Batch authenticator should match");
@@ -70,13 +71,25 @@ contract BatchInbox_SwitchBatcher_Test is BatchInbox_Test {
         assertTrue(inbox.activeIsTee(), "Should start with TEE batcher active");
 
         // Switch to non-TEE batcher
+        vm.prank(deployer);
         inbox.switchBatcher();
         assertFalse(inbox.activeIsTee(), "Should switch to non-TEE batcher");
 
         // Switch back to TEE batcher
+        vm.prank(deployer);
         inbox.switchBatcher();
         assertTrue(inbox.activeIsTee(), "Should switch back to TEE batcher");
     }
+
+    /// @notice Test that only the owner can switch the active batcher
+    function test_switchBatcher_revertsForNonOwner() external {
+        // Initially TEE batcher is active
+        assertTrue(inbox.activeIsTee(), "Should start with TEE batcher active");
+
+        vm.prank(unauthorized);
+        vm.expectRevert("Ownable: caller is not the owner");
+        inbox.switchBatcher();
+    }
 }
 
 /// @title BatchInbox_Fallback_Test
@@ -85,6 +98,7 @@ contract BatchInbox_Fallback_Test is BatchInbox_Test {
     /// @notice Test that non-TEE batcher can post after switching
     function test_fallback_nonTeeBatcherCanPostAfterSwitch() external {
         // Switch to non-TEE batcher
+        vm.prank(deployer);
         inbox.switchBatcher();
 
         // Non-TEE batcher should be able to post
@@ -96,6 +110,7 @@ contract BatchInbox_Fallback_Test is BatchInbox_Test {
     /// @notice Test that inactive batcher reverts
     function test_fallback_inactiveBatcherReverts() external {
         // Switch to non-TEE batcher (making TEE batcher inactive)
+        vm.prank(deployer);
         inbox.switchBatcher();
 
         // TEE batcher (now inactive) should revert
@@ -143,6 +158,7 @@ contract BatchInbox_Fallback_Test is BatchInbox_Test {
     /// @notice Test that non-TEE batcher doesn't require authentication
     function test_fallback_nonTeeBatcherDoesNotRequireAuth() external {
         // Switch to non-TEE batcher
+        vm.prank(deployer);
         inbox.switchBatcher();
 
         bytes memory data = "no-auth-needed";
@@ -157,6 +173,7 @@ contract BatchInbox_Fallback_Test is BatchInbox_Test {
     /// @notice Test that unauthorized address cannot post
     function test_fallback_unauthorizedAddressReverts() external {
         // Switch to non-TEE batcher. In this case the batch inbox should revert if the batcher is not authorized.
+        vm.prank(deployer);
         inbox.switchBatcher();
         vm.prank(unauthorized);
         (bool success,) = address(inbox).call("unauthorized");