Skip to content

feat: surge actual real time proving#891

Merged
smartprogrammer93 merged 16 commits intosurge-real-time-pocfrom
surge-real-time-proving
Mar 29, 2026
Merged

feat: surge actual real time proving#891
smartprogrammer93 merged 16 commits intosurge-real-time-pocfrom
surge-real-time-proving

Conversation

@AnshuJalan
Copy link
Copy Markdown
Collaborator

@AnshuJalan AnshuJalan commented Mar 6, 2026

No description provided.

@smartprogrammer93
Copy link
Copy Markdown
Contributor

smartprogrammer93 commented Mar 9, 2026

@claude please review

1 similar comment
@smartprogrammer93
Copy link
Copy Markdown
Contributor

smartprogrammer93 commented Mar 10, 2026

@claude please review

@claude
Copy link
Copy Markdown

claude bot commented Mar 10, 2026
edited
Loading

Claude finished @smartprogrammer93's task in 2m 31s —— View job

PR Review: feat: surge actual real time proving

  • Gather context and read changed files
  • Review core architecture and design
  • Review L1 execution layer
  • Review L2 execution layer and Taiko integration
  • Review node and proposal manager
  • Review Raiko integration
  • Review documentation
  • Compile final review

Overview

This PR introduces a new realtime crate implementing a "Real Time Proving" mode for the Surge fork of Taiko. The architecture is sound overall — it reuses much of the existing Catalyst infrastructure (common L1, slot clock, operator, taiko driver) and adds a RealTimeInbox contract integration with synchronous ZK proof fetching from Raiko before on-chain proposal submission.

Critical Issues

🔴 Hardcoded Private Key — Must Fix Before Merge

realtime/src/node/proposal_manager/bridge_handler.rs:183-188

// Surge: Hard coding the private key for the POC
l1_call_proof_signer: alloy::signers::local::PrivateKeySigner::from_bytes(
    &"0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
        .parse::<alloy::primitives::FixedBytes<32>>()?,
)?,

This is the well-known Hardhat/Anvil account #0 private key (0xf39Fd6e51...). The l1_call_proof_signer is used to sign signal slot hashes as "proofs" for L1 bridge calls. Anyone who knows this key (and effectively everyone does) can forge these proofs. Even marked as a POC, this must be replaced with a configurable key loaded from an environment variable before merging onto any shared or potentially public branch.

Fix this →

High Priority Issues

🟠 Bridging Guard vs. Bridge Handler Contradiction

realtime/src/lib.rs:35-39

if !config.disable_bridging {
    return Err(anyhow::anyhow!(
        "Bridging is not implemented. Exiting RealTime node creation."
    ));
}

lib.rs hard-exits if bridging is enabled, but then the node unconditionally initializes a BridgeHandler (including a jsonrpsee RPC server on 127.0.0.1:4545) and exposes surge_sendUserOp and surge_userOpStatus endpoints. If disable_bridging is always required to be true, the bridge handler and its RPC server should be conditionally created, or the guard should be removed if bridging is in fact supported. As written, bridging-related infrastructure is always initialized but never reachable.

🟠 Duplicate RaikoClient Construction

realtime/src/l1/execution_layer.rs:99-102 and realtime/src/lib.rs:136

RaikoClient is constructed twice — once in ELTrait::new() within ExecutionLayer and once in create_realtime_node(). The ExecutionLayer exposes a get_raiko_client() method but the RaikoClient in the actual submission pipeline (AsyncSubmitter) comes from the separate instance created in lib.rs. The one inside ExecutionLayer appears unused in the submission path. This creates two independent HTTP clients with potentially different configs, and is a maintenance burden. RealtimeConfig is also read from env vars twice as a result.

Fix this →

🟠 Only First User Op and L1 Call Processed

realtime/src/l1/proposal_tx_builder.rs:97-122

if !batch.user_ops.is_empty()
    && let Some(user_op) = batch.user_ops.first()
{
    // ...only this one is added to multicall
}

if !batch.l1_calls.is_empty()
    && let Some(l1_call) = batch.l1_calls.first()
{
    // ...only this one is added to multicall
}

If a batch somehow accumulates more than one user op or L1 call (the rest of the code currently seems to add at most one per batch, but nothing enforces this structurally), only the first would be included in the multicall. The remaining would be silently ignored. Either explicitly enforce a max-of-one invariant with an assertion, or loop over all entries.

🟠 assert! Panic in AsyncSubmitter::submit()

realtime/src/node/proposal_manager/async_submitter.rs:68

assert!(
    !self.is_busy(),
    "Cannot submit while another submission is in flight"
);

Using assert! (which panics and can crash the whole node process) is inappropriate here. The callsite in try_start_submission checks is_busy() before calling submit(), but relying on this coordination is fragile. Return a Result<(), Error> instead to make the error recoverable.

Medium Priority Issues

🟡 Hardcoded Bridge Handler Addresses / Paths

  • realtime/src/node/proposal_manager/mod.rs:80: Bridge handler RPC address is hardcoded to "127.0.0.1:4545". Should be configurable via RealtimeConfig.
  • realtime/src/node/proposal_manager/bridge_handler.rs:106: sled DB path is hardcoded to "data/user_op_status". Should be configurable.

🟡 Unbounded Warmup Loop

realtime/src/node/mod.rs:447-459

The warmup() loop polls get_last_proposal_hash() indefinitely until the RealTimeInbox is activated (non-zero hash), sleeping 12 seconds between retries. There is no maximum timeout or retry count. A stuck or misconfigured node would spin here forever without surfacing a clear error after a reasonable period.

🟡 Raiko Polling: No Cancellation Token Respected

realtime/src/raiko/mod.rs:81-128

The get_proof() polling loop runs up to 60 × 10s = 600 seconds in the worst case, with no way to cancel it early via the CancellationToken. If the node is shutting down while a proof is being awaited, the background submission task (AsyncSubmitter::submit) will block for up to 10 minutes before exiting. The abort() method on AsyncSubmitter does call handle.abort(), which would cancel the task at any await point, so this is partially mitigated, but explicit cancellation token checking in the polling loop would be cleaner.

🟡 anchor_state_root: B256::ZERO

realtime/src/node/proposal_manager/proposal.rs:98

anchor_state_root: B256::ZERO, // Not used in RealTime anchor

This zero value is passed through to advance_head_to_new_l2_block and then into the Checkpoint struct used in the anchor transaction. If the RealTimeInbox or Anchor contract ever validates stateRoot, this would silently produce invalid proofs. Deserves a more explicit explanation or a real value if it is actually consumed by any contract.

🟡 Missing bridge Address in RealtimeConfig::Display

realtime/src/utils/config.rs:56-63

The bridge address is stored in RealtimeConfig but not printed in the Display implementation, making startup logging incomplete for debugging.

Low Priority / Minor Issues

🔵 #[allow(dead_code)] Module-Level Suppression

realtime/src/l2/taiko.rs:1

A module-level #[allow(dead_code)] suppresses warnings for potentially unused methods. The dead code should either be removed or the #[allow] should be scoped to specific items.

🔵 batches_ready_to_send Hardcoded to 0

realtime/src/node/mod.rs:333

let batches_ready_to_send = 0;

This is always 0 without explanation. If this parameter affects mempool filtering or tx selection in get_pending_l2_tx_list, the intent should be documented or derived from the actual state.

🔵 transfer_eth_from_l2_to_l1 is a Stub

realtime/src/l2/execution_layer.rs:141-149

pub async fn transfer_eth_from_l2_to_l1(...) -> Result<(), Error> {
    warn!("Implement bridge transfer logic here");
    Ok(())
}

Returns Ok(()) silently. Since bridging is gated behind disable_bridging, this may never be called, but it should at minimum return an error rather than silently succeeding with a warning.

🔵 get_l2_height_from_taiko_inbox Always Returns 0

realtime/src/l1/execution_layer.rs:164-166

async fn get_l2_height_from_taiko_inbox(&self) -> Result<u64, Error> {
    Ok(0)
}

Returns a hardcoded 0. Callers should be verified to handle this sentinel value correctly.

Summary

The overall structure of the RealTime proving module is clean and the integration with the existing Catalyst node architecture (slot clock, operator, taiko driver, common EL) is thoughtfully done. The async submission model decoupling preconfirmation from proof fetching is a solid design. The main concerns are:

  1. The hardcoded Hardhat private key must be removed before this can be deployed anywhere — even for a fork/testnet.
  2. The bridging guard in lib.rs conflicts with always-initialized bridging infrastructure.
  3. Duplicate RaikoClient construction should be cleaned up.
  4. A few hardcoded values (RPC address, DB path) should be made configurable.

AnshuJalan and others added 14 commits March 16, 2026 11:32
@AnshuJalan
fix: preconfing
68738c9
@AnshuJalan
raiko interaction
d04e641
@AnshuJalan
feat: connect with surge verifier
f9252ba
@AnshuJalan
fix: proof body
88d3285
@AnshuJalan
feat: recovery
2229f7d
@AnshuJalan
feat: update catalyst
69684cd
@AnshuJalan
fix: bind server to 0.0.0.0
564fa12
@AnshuJalan
fix: bind server to 0.0.0.0
026d5e8
@AnshuJalan
feat: add faster polling
d811389
@AnshuJalan
feat: hop proving
077b6bc
@nmjustinchan
fix: temp push image to prod
32f681f
@AnshuJalan
feat: resilience
6c1b268
@smartprogrammer93 @claude @AnshuJalan
feat(realtime): L2 UserOps for bridge-out withdrawals (#922)
b2adb37 
* feat(realtime): support L2 UserOps for bridge-out (L2→L1 withdrawals)

Add the ability for users to submit UserOps that execute on L2, enabling
bridge-out functionality. The catalyst now processes both L1→L2 deposits
and L2→L1 withdrawals in the same block.

Changes:
- New `surge_sendL2UserOp` RPC method for submitting L2-targeted UserOps
- L2 UserOp execution transactions are constructed and included in L2 blocks
- After block execution, existing `find_l1_call()` detects the resulting
  bridge MessageSent events and relays them to L1 via processMessage
- Block building handles mixed deposit + withdrawal transactions
- Remove `disable_bridging` gate that prevented bridge handler startup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: remove unused deposit watcher and plan doc

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(realtime): single surge_sendUserOp RPC with auto chain detection

Instead of separate RPC methods for L1 and L2 UserOps, the single
surge_sendUserOp endpoint now auto-detects the target chain by parsing
the EIP-712 signature in the executeBatch calldata.

The UserOpsSubmitter's EIP-712 domain includes chainId, so the signature
is only valid for one chain. We compute the EIP-712 digest for both L1
and L2 chain IDs, ecrecover each, and route accordingly:

- L1 signature → L1→L2 deposit flow (simulate on L1, processMessage on L2)
- L2 signature → L2 direct execution (UserOp tx in L2 block, L2→L1 relay via find_l1_call)

Both types can coexist in the same block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(realtime): use explicit chainId param instead of signature detection

The surge_sendUserOp RPC now accepts an optional chainId field in the
UserOp params. If chainId matches L2, the UserOp is executed directly
on L2. Otherwise defaults to L1 (backwards compatible).

Removes the EIP-712 signature parsing logic which was unreliable
(ecrecover always returns a non-zero address).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(realtime): increase L2 tx gas limit to 3M

processMessage and L2 UserOp transactions need more gas for operations
that deploy contracts (e.g. CREATE2 smart wallet deployment via bridge
relay). 1M gas was insufficient — the bridge's post-call gas check
was failing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(realtime): only increase gas for bridge/UserOp txs, not anchor

The anchor tx has a required gas limit enforced by the L2 engine.
Revert anchor to 1M, keep processMessage and UserOp txs at 3M.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(realtime): track L2 UserOp status through proving and submission

L2 direct UserOps now get ProvingBlock and Executed/Rejected status
updates, same as L1 UserOps. Added l2_user_op_ids to Proposal struct
and included them in the async submitter's status tracking.

Also adds cleanup: status entries are removed from sled after 60s
to prevent unbounded disk growth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address code review feedback on L2 UserOps PR

- Fix misleading Processing(zero_hash) status: remove premature status
  update for L2Direct UserOps; status remains Pending until async_submitter
  sets ProvingBlock
- Propagate add_l2_user_op_id error instead of silently ignoring with let _,
  which could leave status entries orphaned forever
- Remove redundant target_chain variable, simplify to direct chain_id comparison
- Fix doc comment: routing is based on chainId field, not EIP-712 signature
- Add SAFETY comment for Recovered::new_unchecked explaining why it's correct

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address second round of review feedback

- Mark L2 UserOp IDs as Rejected on L1 multicall failure (were stuck at ProvingBlock)
- Track L2 UserOp ID before inserting tx into block (prevents executed-but-Rejected state)
- Reject UserOps with unknown chainId instead of silently treating as L1

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: clarify debug log when L2Direct UserOp is handled

The "No pending UserOps" log was misleading when an L2Direct op was
processed, since add_pending_user_ops_to_draft_block returns None for
both "nothing queued" and "L2Direct handled". Updated to distinguish.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* logs

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: AnshuJalan <anshujalan206@gmail.com>
@smartprogrammer93 @claude
fix: apply cargo fmt to resolve CI lint failures
c865eb4 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@smartprogrammer93 smartprogrammer93 marked this pull request as ready for review March 29, 2026 20:38
@smartprogrammer93 smartprogrammer93 merged commit 7315f40 into surge-real-time-poc Mar 29, 2026
0 of 2 checks passed
@smartprogrammer93 smartprogrammer93 deleted the surge-real-time-proving branch March 29, 2026 20:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nmjustinchan nmjustinchan Awaiting requested review from nmjustinchan nmjustinchan is a code owner

@derrix060 derrix060 Awaiting requested review from derrix060 derrix060 is a code owner

@mskrzypkows mskrzypkows Awaiting requested review from mskrzypkows mskrzypkows is a code owner

@mikhailUshakoff mikhailUshakoff Awaiting requested review from mikhailUshakoff mikhailUshakoff is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AnshuJalan @smartprogrammer93 @nmjustinchan