fix(audit): add salt to Merkle leaf hashing (#1580)

**Motivation:**

As part of an audit finding, to protect against [second preimage
attacks](https://flawed.net.nz/2018/02/21/attacking-merkle-trees-with-a-second-preimage-attack/),
we add a salt to the leaf similar to the RewardsCoordinator to
significantly reduce the likelihood of an internal node being used to
produce an unintentional proof.

**Modifications:**

* Created new `LeafCalculatorMixin` with `getOperatorInfoLeaf` and
`getOperatorTableLeaf` calculations, which take in salt
* Updated tests to use `getOperatorInfoLeaf` and `getOperatorTableLeaf`
for hash calculation

**Result:**

Significantly diminished likelihood of second preimage attack

---------

Co-authored-by: Yash Patil <[email protected]>

Author: nadir-akhtar

pkg/bindings/BN254CertificateVerifier/binding.go

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.27;
+
+import {IOperatorTableCalculatorTypes} from "../interfaces/IOperatorTableCalculator.sol";
+
+/**
+ * @title LeafCalculatorMixin
+ * @notice Reusable mixin for calculating operator info and operator table leaf hashes
+ * @dev Provides standardized leaf calculation functions for use across multiple contracts and repositories.
+ *      This mixin centralizes the leaf hashing logic to ensure consistency across the EigenLayer ecosystem
+ *      and maintains proper cryptographic security through salt-based domain separation.
+ */
+abstract contract LeafCalculatorMixin {
+    /// @dev Salt for operator info leaf hash calculation
+    /// @dev The salt is used to prevent against second preimage attacks: attacks where an
+    /// attacker can create a partial proof using an internal node rather than a leaf to
+    /// validate a proof. The salt ensures that leaves cannot be concatenated together to
+    /// form a valid proof, as well as reducing the likelihood of an internal node matching
+    /// the salt prefix.
+    /// @dev Value derived from keccak256("OPERATOR_INFO_LEAF_SALT") = 0x38...
+    /// This ensures collision resistance and semantic meaning.
+    uint8 public constant OPERATOR_INFO_LEAF_SALT = 0x75;
+
+    /// @dev Salt for operator table leaf hash calculation
+    /// @dev The salt is used to prevent against second preimage attacks: attacks where an
+    /// attacker can create a partial proof using an internal node rather than a leaf to
+    /// validate a proof. The salt ensures that leaves cannot be concatenated together to
+    /// form a valid proof, as well as reducing the likelihood of an internal node matching
+    /// the salt prefix.
+    /// @dev Value derived from keccak256("OPERATOR_TABLE_LEAF_SALT") = 0x7d...
+    /// This ensures collision resistance and semantic meaning.
+    uint8 public constant OPERATOR_TABLE_LEAF_SALT = 0x8e;
+
+    /**
+     * @notice Calculate the leaf hash for an operator info
+     * @param operatorInfo The BN254 operator info struct containing the operator's public key and stake weights
+     * @return The leaf hash (keccak256 of salt and encoded operator info)
+     * @dev The salt is used to prevent against second preimage attacks: attacks where an
+     * attacker can create a partial proof using an internal node rather than a leaf to
+     * validate a proof. The salt ensures that leaves cannot be concatenated together to
+     * form a valid proof, as well as reducing the likelihood of an internal node matching
+     * the salt prefix.
+     *
+     * This is a standard "domain separation" technique in Merkle tree implementations
+     * to ensure leaf nodes and internal nodes can never be confused with each other.
+     * See Section 2.1 of <https://www.rfc-editor.org/rfc/rfc9162#name-merkle-trees> for more.
+     *
+     * Uses abi.encodePacked for the salt and abi.encode for the struct to handle complex types
+     * (structs with dynamic arrays) while maintaining gas efficiency where possible.
+     */
+    function calculateOperatorInfoLeaf(
+        IOperatorTableCalculatorTypes.BN254OperatorInfo memory operatorInfo
+    ) public pure returns (bytes32) {
+        return keccak256(abi.encodePacked(OPERATOR_INFO_LEAF_SALT, abi.encode(operatorInfo)));
+    }
+
+    /**
+     * @notice Calculate the leaf hash for an operator table
+     * @param operatorTableBytes The encoded operator table as bytes containing operator set data
+     * @return The leaf hash (keccak256 of salt and operator table bytes)
+     * @dev The salt is used to prevent against second preimage attacks: attacks where an
+     * attacker can create a partial proof using an internal node rather than a leaf to
+     * validate a proof. The salt ensures that leaves cannot be concatenated together to
+     * form a valid proof, as well as reducing the likelihood of an internal node matching
+     * the salt prefix.
+     *
+     * This is a standard "domain separation" technique in Merkle tree implementations
+     * to ensure leaf nodes and internal nodes can never be confused with each other.
+     * See Section 2.1 of <https://www.rfc-editor.org/rfc/rfc9162#name-merkle-trees> for more.
+     *
+     * Uses abi.encodePacked for both salt and bytes for optimal gas efficiency since both
+     * are simple byte arrays without complex nested structures.
+     */
+    function calculateOperatorTableLeaf(
+        bytes calldata operatorTableBytes
+    ) public pure returns (bytes32) {
+        return keccak256(abi.encodePacked(OPERATOR_TABLE_LEAF_SALT, operatorTableBytes));
+    }
+}

pkg/bindings/LeafCalculatorMixin/binding.go

@@ -8,6 +8,7 @@ import "../libraries/BN254SignatureVerifier.sol";
 import "../libraries/Merkle.sol";
 import "../libraries/OperatorSetLib.sol";
 import "../mixins/SemVerMixin.sol";
+import "../mixins/LeafCalculatorMixin.sol";
 import "./BN254CertificateVerifierStorage.sol";
 
 /**
@@ -16,7 +17,12 @@ import "./BN254CertificateVerifierStorage.sol";
  * @dev This contract uses BN254 curves for signature verification and
  *      caches operator information for efficient verification
  */
-contract BN254CertificateVerifier is Initializable, BN254CertificateVerifierStorage, SemVerMixin {
+contract BN254CertificateVerifier is
+    Initializable,
+    BN254CertificateVerifierStorage,
+    SemVerMixin,
+    LeafCalculatorMixin
+{
     using Merkle for bytes;
     using BN254 for BN254.G1Point;
 
@@ -282,7 +288,7 @@ contract BN254CertificateVerifier is Initializable, BN254CertificateVerifierStor
         BN254OperatorInfo memory operatorInfo,
         bytes memory proof
     ) internal view returns (bool verified) {
-        bytes32 leaf = keccak256(abi.encode(operatorInfo));
+        bytes32 leaf = calculateOperatorInfoLeaf(operatorInfo);
         bytes32 root = _operatorSetInfos[operatorSetKey][referenceTimestamp].operatorInfoTreeRoot;
         return proof.verifyInclusionKeccak(root, leaf, operatorIndex);
     }

pkg/bindings/OperatorTableUpdater/binding.go

@@ -15,6 +15,8 @@ abstract contract BN254CertificateVerifierStorage is IBN254CertificateVerifier {
     /// @dev Basis point unit denominator for division
     uint256 internal constant BPS_DENOMINATOR = 10_000;
 
+    // OPERATOR_INFO_LEAF_SALT is now inherited from LeafCalculatorMixin
+
     // Immutables
 
     /// @dev The address that can update operator tables

src/contracts/mixins/LeafCalculatorMixin.sol

@@ -8,6 +8,7 @@ import "@openzeppelin-upgrades/contracts/security/ReentrancyGuardUpgradeable.sol
 import "../libraries/Merkle.sol";
 import "../permissions/Pausable.sol";
 import "../mixins/SemVerMixin.sol";
+import "../mixins/LeafCalculatorMixin.sol";
 import "./OperatorTableUpdaterStorage.sol";
 
 contract OperatorTableUpdater is
@@ -16,6 +17,7 @@ contract OperatorTableUpdater is
     Pausable,
     OperatorTableUpdaterStorage,
     SemVerMixin,
+    LeafCalculatorMixin,
     ReentrancyGuardUpgradeable
 {
     /**
@@ -148,7 +150,7 @@ contract OperatorTableUpdater is
             globalTableRoot: globalTableRoot,
             operatorSetIndex: operatorSetIndex,
             proof: proof,
-            operatorSetLeafHash: keccak256(operatorTableBytes)
+            operatorSetLeafHash: calculateOperatorTableLeaf(operatorTableBytes)
         });
 
         // Update the operator table

src/contracts/multichain/BN254CertificateVerifier.sol

@@ -14,6 +14,8 @@ abstract contract OperatorTableUpdaterStorage is IOperatorTableUpdater {
     /// @notice Index for flag that pauses calling `updateOperatorTable`
     uint8 internal constant PAUSED_OPERATOR_TABLE_UPDATE = 1;
 
+    // OPERATOR_TABLE_LEAF_SALT is now inherited from LeafCalculatorMixin
+
     bytes32 public constant GLOBAL_TABLE_ROOT_CERT_TYPEHASH =
         keccak256("GlobalTableRootCert(bytes32 globalTableRoot,uint32 referenceTimestamp,uint32 referenceBlockNumber)");
 

src/contracts/multichain/BN254CertificateVerifierStorage.sol

@@ -768,7 +768,7 @@ abstract contract MultichainIntegrationBase is IntegrationBase {
         );
 
         // Create global table root containing the operator table
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -798,7 +798,7 @@ abstract contract MultichainIntegrationBase is IntegrationBase {
         );
 
         // Create global table root containing the operator table
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);

src/contracts/multichain/OperatorTableUpdater.sol

@@ -54,7 +54,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
             abi.encode(operatorSetInfo)
         );
 
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -119,7 +119,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
             abi.encode(operatorSetInfo)
         );
 
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -243,7 +243,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
             abi.encode(operatorSetInfo)
         );
 
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -277,7 +277,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
             abi.encode(operatorSetInfo)
         );
 
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -626,7 +626,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
         );
 
         // Create global table root containing the operator table
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);
@@ -659,7 +659,7 @@ contract Multichain_Timing_Tests is MultichainIntegrationCheckUtils {
         );
 
         // Create global table root containing the operator table
-        bytes32 operatorSetLeafHash = keccak256(operatorTable);
+        bytes32 operatorSetLeafHash = operatorTableUpdater.calculateOperatorTableLeaf(operatorTable);
         bytes32[] memory leaves = new bytes32[](1);
         leaves[0] = operatorSetLeafHash;
         bytes32 globalTableRoot = Merkle.merkleizeKeccak(leaves);