feat: electra state machine updates

* fix: active validator

* chore: remove stale submodule

* fix: require credential proofs after latest checkpoint timestamp

* fix: integration tests

* chore: format

* chore: test

feat: eigenpod withdrawal updates (#59)

* fix: active validator

* chore: remove stale submodule

* fix: integration tests

* chore: format

* chore: update

* chore: minor updates

Author: ypatil12

CHANGELOG/CHANGELOG-1.6.1.md

@@ -0,0 +1,16 @@
+# v1.6.1 Moocow Updates
+
+## Release Manager
+
+@ypatil12 
+
+## Highlights
+
+🔧 **Improvements**
+- Make `EigenPod.validatorStatus` public to use internally as a helper
+- Update the `EigenPod.verifyWithdrawalCredentials` function to only accept `beaconTimestamps` that are after the `latestCheckpointTimestamp`. This enables the eigenpod state machine to be easier to be reasoned about 
+- Update the `EigenPod.requestWithdrawal` function to ensure that validators are pointed to the pod, matching the behavior of `requestConsolidation`
+
+## Changelog
+
+TODO

docs/core/EigenPod.md

@@ -117,7 +117,7 @@ A withdrawal credential proof uses a validator's [`ValidatorIndex`][custom-types
 * `exit_epoch`: Initially set to `type(uint64).max`, this value is updated when a validator initiates exit from the beacon chain. **This method requires that a validator has not initiated an exit from the beacon chain.**
   * If a validator has been exited prior to calling `verifyWithdrawalCredentials`, their ETH can be accounted for, awarded shares, and/or withdrawn via the checkpoint system (see [Checkpointing Validators](#checkpointing-validators)).
 
-_Note that it is not required to verify your validator's withdrawal credentials_, unless you want to receive shares for ETH on the beacon chain. You may choose to use your `EigenPod` without verifying withdrawal credentials; you will still be able to withdraw yield (or receive shares for yield) via the [checkpoint system](#checkpointing-validators).
+_Note that it is not required to verify your validator's withdrawal credentials_, unless you want to receive shares for ETH on the beacon chain. You may choose to use your `EigenPod` without verifying withdrawal credentials; you will still be able to withdraw yield (or receive shares for yield) via the [checkpoint system](#checkpointing-validators). To account for ETH held on the beacon chain and to make execution layer partial withdrawal or full exits, this function *MUST* be called. 
 
 *Effects*:
 * For each set of unique verified withdrawal credentials:
@@ -135,6 +135,7 @@ _Note that it is not required to verify your validator's withdrawal credentials_
 * Input array lengths MUST be equal
 * `beaconTimestamp`:
     * MUST be greater than `currentCheckpointTimestamp`
+    * MUST be greater than `latestCheckpointTimestamp`
     * MUST be queryable via the [EIP-4788 oracle][eip-4788]. Generally, this means `beaconTimestamp` corresponds to a valid beacon block created within the last 8192 blocks (~27 hours).
 * `stateRootProof` MUST verify a `beaconStateRoot` against the `beaconBlockRoot` returned from the EIP-4788 oracle
 * For each validator:
@@ -411,6 +412,7 @@ This method allows the pod owner or proof submitter to submit validator withdraw
 * "Partial withdrawals" will exit a portion of a validator's balance from the beacon chain, down to 32 ETH. Any amount requested that would bring a validator's balance below 32 ETH is ignored.
 
 In order to initiate a withdrawal request:
+* The [`verifyWithdrawalCredentials`](#verifywithdrawalcredentials) function must be called to prove the validator exists within the pod
 * The predeploy requires a fee for each request. The current fee for the block can be queried using `getWithdrawalRequestFee`. This should be multiplied for each request in the passed-in `requests` array and provided as `msg.value`. The predeploy updates its fee each block depending on how many withdrawal requests are queued vs how many are processed.
     * Note that any unused fee is transferred back to `msg.sender` at the end of this method.
 * For partial withdrawals, note that the beacon chain will only process these if the validator has 0x02 withdrawal credentials.
@@ -430,7 +432,8 @@ Note that the beacon chain may "skip" a withdrawal request for many reasons. Thi
 * Pause status MUST NOT be set: `PAUSED_WITHDRAWAL_REQUESTS`
 * `msg.value` MUST be at least `getWithdrawalRequestFee() * requests.length`
 * For each `request` in `requests`:
-    * `request.pubkey` MUST have a length of 48
+    * The validator MUST have been proven to the pod
+    * `request.pubkey` MUST correspond to a validator whose withdrawal credentials are proven to point at the pod (`VALIDATOR_STATUS.ACTIVE`)
 * If excess `msg.value` was provided, the transfer of the excess back to `msg.sender` MUST succeed.
 
 ---

src/contracts/interfaces/IEigenPod.sol

@@ -76,6 +76,8 @@ interface IEigenPodErrors {
     error MsgValueNot32ETH();
     /// @dev Thrown when provided `beaconTimestamp` is too far in the past.
     error BeaconTimestampTooFarInPast();
+    /// @dev Thrown when provided `beaconTimestamp` is before the last checkpoint
+    error BeaconTimestampBeforeLatestCheckpoint();
     /// @dev Thrown when the pectraForkTimestamp returned from the EigenPodManager is zero
     error ForkTimestampZero();
 }

src/contracts/pods/EigenPod.sol

@@ -225,6 +225,10 @@ contract EigenPod is
         // on an existing checkpoint.
         require(beaconTimestamp > currentCheckpointTimestamp, BeaconTimestampTooFarInPast());
 
+        // For sanity, we want to ensure that a newly-verified validator cannot be proven against state
+        // that has already been checkpointed. This check makes the state transitions easier to reason about.
+        require(beaconTimestamp > lastCheckpointTimestamp, BeaconTimestampBeforeLatestCheckpoint());
+
         // Verify passed-in `beaconStateRoot` against the beacon block root
         // forgefmt: disable-next-item
         BeaconChainProofs.verifyStateRoot({
@@ -321,8 +325,7 @@ contract EigenPod is
             // Ensure target has verified withdrawal credentials pointed at this pod
             bytes32 sourcePubkeyHash = _calcPubkeyHash(request.srcPubkey);
             bytes32 targetPubkeyHash = _calcPubkeyHash(request.targetPubkey);
-            ValidatorInfo memory target = validatorPubkeyHashToInfo(targetPubkeyHash);
-            require(target.status == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
+            require(validatorStatus(targetPubkeyHash) == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
 
             // Call the predeploy
             bytes memory callData = bytes.concat(request.srcPubkey, request.targetPubkey);
@@ -353,6 +356,9 @@ contract EigenPod is
             WithdrawalRequest calldata request = requests[i];
             bytes32 pubkeyHash = _calcPubkeyHash(request.pubkey);
 
+            // Ensure validator has verified withdrawal credentials pointed at this pod
+            require(validatorStatus(pubkeyHash) == VALIDATOR_STATUS.ACTIVE, ValidatorNotActiveInPod());
+
             // Call the predeploy
             bytes memory callData = abi.encodePacked(request.pubkey, request.amountGwei);
             (bool ok,) = WITHDRAWAL_REQUEST_ADDRESS.call{value: fee}(callData);
@@ -736,7 +742,7 @@ contract EigenPod is
     /// @inheritdoc IEigenPod
     function validatorStatus(
         bytes32 pubkeyHash
-    ) external view returns (VALIDATOR_STATUS) {
+    ) public view returns (VALIDATOR_STATUS) {
         return _validatorPubkeyHashToInfo[pubkeyHash].status;
     }
 

src/test/integration/tests/DualSlashing.t.sol

@@ -327,7 +327,10 @@ contract Integration_DualSlashing_FullSlashes is Integration_DualSlashing_Base {
         );
 
         // 11. Exit remaining validators & checkpoint
-        staker.exitValidators(newValidators);
+        // Exit validators directly on beacon chain
+        for (uint i = 0; i < newValidators.length; ++i) {
+            beaconChain.exitValidator(newValidators[i]);
+        }
         beaconChain.advanceEpoch_NoRewards();
         staker.startCheckpoint();
         check_StartCheckpoint_WithPodBalance_State(staker, addedBeaconBalanceGwei);

src/test/integration/tests/eigenpod/VerifyWC_StartCP_CompleteCP.t.sol

@@ -213,7 +213,13 @@ contract Integration_VerifyWC_StartCP_CompleteCP is IntegrationCheckUtils {
         (User staker,,) = _newRandomStaker();
 
         (uint40[] memory validators,,) = staker.startValidators();
-        staker.exitValidators(validators);
+
+        // We use the beacon chain mock directly instead of the user contract since the
+        // user contract uses the precompile to exit validators. The pod expects validators
+        // to be proven to use the precompile.
+        for (uint i = 0; i < validators.length; i++) {
+            beaconChain.exitValidator(validators[i]);
+        }
         beaconChain.advanceEpoch_NoRewards();
 
         cheats.expectRevert(IEigenPodErrors.ValidatorIsExitingBeaconChain.selector);

src/test/unit/EigenPodUnit.t.sol

@@ -665,6 +665,20 @@ contract EigenPodUnitTests_verifyWithdrawalCredentials is EigenPodUnitTests, Pro
         staker.verifyWithdrawalCredentials(validators);
     }
 
+    /// @notice beaconTimestamp must be after the last checkpoint
+    function test_revert_beaconTimestampBeforeCheckpoint() public {
+        (EigenPodUser staker,) = _newEigenPodStaker({rand: 0});
+        (uint40[] memory validators,,) = staker.startValidators();
+
+        // Start a checkpoint so `currentCheckpointTimestamp` is nonzero
+        staker.startCheckpoint();
+        assertGt(staker.pod().lastCheckpointTimestamp(), 0, "lastCheckpointTimestamp should be nonzero");
+
+        // Try to verify withdrawal credentials at the current block, right at the checkpoint timestamp
+        cheats.expectRevert(IEigenPodErrors.BeaconTimestampBeforeLatestCheckpoint.selector);
+        staker.verifyWithdrawalCredentials(validators);
+    }
+
     /// @notice Check for revert on input array mismatch lengths
     function testFuzz_revert_inputArrayLengthsMismatch(uint rand) public {
         (EigenPodUser staker,) = _newEigenPodStaker({rand: rand});
@@ -774,7 +788,11 @@ contract EigenPodUnitTests_verifyWithdrawalCredentials is EigenPodUnitTests, Pro
         (uint40[] memory validators,,) = staker.startValidators();
 
         // Exit validators from beacon chain and withdraw to pod
-        staker.exitValidators(validators);
+        // We use the beacon chain mock directly instead of the user contract since the
+        // user contract uses the precompile to exit validators.
+        for (uint i = 0; i < validators.length; i++) {
+            beaconChain.exitValidator(validators[i]);
+        }
         beaconChain.advanceEpoch();
 
         // now that validators are exited, ensure we can't verify them
@@ -1747,6 +1765,31 @@ contract EigenPodUnitTests_PectraFeatures is EigenPodUnitTests {
         pod.requestWithdrawal(new WithdrawalRequest[](0));
     }
 
+    /// @notice Revert when the validator is not active in the pod
+    function testFuzz_revert_validatorNotActiveInPod() public {
+        (EigenPodUser staker,) = _newEigenPodStaker(64 ether);
+        EigenPod pod = staker.pod();
+        address podOwner = pod.podOwner();
+
+        (uint40[] memory validators,,) = staker.startValidators();
+        staker.verifyWithdrawalCredentials(validators);
+
+        WithdrawalRequest[] memory requests = new WithdrawalRequest[](validators.length);
+        for (uint i = 0; i < validators.length; i++) {
+            bytes memory pubkey = validators[i].toPubkey();
+            // Mutate pubkey to be invalid
+            pubkey[0] = bytes1(uint8(pubkey[0]) + 1);
+            requests[i] = WithdrawalRequest({pubkey: pubkey, amountGwei: 0});
+        }
+
+        uint fee = pod.getWithdrawalRequestFee() * requests.length;
+
+        cheats.deal(podOwner, address(podOwner).balance + fee);
+        cheats.prank(podOwner);
+        cheats.expectRevert(IEigenPodErrors.ValidatorNotActiveInPod.selector);
+        pod.requestWithdrawal{value: fee}(requests);
+    }
+
     /// @notice Revert when the caller does not supply enough msg.value for the fee
     function testFuzz_revert_insufficientFunds(uint randConsolidations, uint randWithdrawals) public {
         randConsolidations = bound(randConsolidations, 2, 10);