Add bytecode verification doc

[maurelian]

A proposal for incorporating bytecode verification into our release process.

[mds1]

nit, could combine these two args?

Suggested change

	op-deployer verify-bytecode --dangerously-use-remote-artifacts --artifacts-locator tag://op-contracts/vX.Y.Z
	op-deployer verify-bytecode --dangerously-set-artifacts-locator tag://op-contracts/vX.Y.Z

[maurelian]

I somewhat prefer it as is because --artifacts-locator already exists, so we're just adding a new simple boolean flag, rather than a flag that is kind of an alternative to an existing one.

[mds1]

Does this create a circular dependency, in that the monorepo depends on the superchain-registry and now the superchain-registry depends on the monorepo for op-deployer? i.e. how do we know this will work in practice?

More broadly, what value does the op-deployer wrapper add? I can instead imagine the superchain-registry CI just cloning the monorepo at the required commit/tag, then running the forge script VerifyOPCM.s.sol script in CI

[maurelian]

Good questions which clarify the reason for the op-deployer wrapper:

1. op-deployer can be easily/quickly installed from a binary by downloading, so we don't actually introduce a circular dependency.
2. I expect it will be pretty slow to clone/check out the monorepo at a commit, build the contracts, then run the script.

Although there is a sense in which rebuilding is safer than relying on a download, in both cases the build is occurring on cloud infrastructure, so I don't think we get a ton of benefit from the rebuild. That's why it is important to have it run in at least step 2 here.

[bitwiseguy]

This seems contradictory to the Problem Statement, which states:

Currently, there is no enforced mechanism to ensure that the OPCM used in an upgrade is built from a
trusted commit, which should be one labelled as an `op-contracts/vX.Y.Z` tag, and approved by
governance.

If the above statement is true, it seems the command should default to verifying bytecode against an op-contracts git tag + remote artifacts and the flag should be --dangerously-use-local-artifacts

[bitwiseguy]

In other words, which do we think is more dangerous: verifying bytecode against local or remote artifacts?

[bitwiseguy]

If this flag is passed, where are the addresses pulled from? Assuming we'd still need the following addresses:

• upgrade-controller
• superchain-config: from standard-versions-<network>.toml>
• protocol-versions: from standard-versions-<network>.toml>
• superchain-proxy-admin

[bitwiseguy]

Why is it important for multiple people to run this? What are the risks if only one person runs the verification?

[bitwiseguy]

Should this ci job only be triggered when the standard-versions-[mainnet|sepolia].toml files are modified?

[maurelian]

Yes, that makes sense.

[maurelian]

More detail:

• scheduled job that looks at each tag in the SCR's standard-versions*.toml
• uses tag locator to get artifacts
• calculates checksum and artifacts hash
• compares to those in standard.go

Ideally we begin storing these hashes in the SCR.

[maurelian]

We need a strategy for ensuring that VerifyOPCM remains complete, so that if a new contract is added to the system, that will be identified.

[maurelian]

Ideally we want to be ensuring parity between:

1. the remote tagged artifact
2. the locally built artifact
3. the actual deployed contract.

We should consider parallelization so that we can have that property in CI.

[maurelian]

worst case, have the local process be the more complete of the two.

[maurelian]

1. Optional for signers but documented how to run opd verify-bytecode
2. Need a process in ops repo CI to ensure that the opcm being used in the config.toml is the correct one for the upgrade tag.

[maurelian]

in order to remove this reliance, we need to get the initcode another way.
Can do that with binary search on create2 deployer calls.