BM-233: ProofMarket upgrade via UUPS (github#56)

- Add Proof market upgradability via the UUPS pattern
- Deploy the `RiscZeroSetVerifier` contract behind the `RiscZeroVerifierRouter`
- Add contract management scripts

The deployment should look like:
![Screenshot 2024-10-26 at 00 55
39](https://github.com/user-attachments/assets/07dc1bd5-d241-4679-b10f-9db63e949f43)

Closes github#52 

---------

Co-authored-by: Victor Graf <victor@risczero.com>

Author: capossele

.env

@@ -1,3 +1,6 @@
+# Foundry configuration 
+FOUNDRY_OUT=contracts/out
+
 # URL RPC node
 
 RPC_URL="http://localhost:8545"
@@ -15,3 +18,4 @@ PROOF_MARKET_ADDRESS="0xb3e579794B6ce24bC7233713289790d9bBEB656c"
 ### Wallets private keys ###
 
 PRIVATE_KEY="0x7c852118294e51e653712a81e05800f419141751be58f605c371e15141b007a6"
+ADDRESS="0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"

.gitignore

@@ -8,6 +8,9 @@ out/
 /broadcast/*/11155111/
 /broadcast/**/dry-run/
 
+# Ignore the file with RPC and Etherscan API keys for deployment.
+deployment_secrets.toml
+
 # Devnet logs
 /logs
 

.gitmodules

@@ -4,6 +4,12 @@
 [submodule "lib/openzeppelin-contracts"]
 	path = lib/openzeppelin-contracts
 	url = https://github.com/OpenZeppelin/openzeppelin-contracts
+[submodule "lib/openzeppelin-contracts-upgradeable"]
+	path = lib/openzeppelin-contracts-upgradeable
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
 [submodule "lib/risc0-ethereum"]
 	path = lib/risc0-ethereum
 	url = https://github.com/risc0/risc0-ethereum
+[submodule "lib/openzeppelin-foundry-upgrades"]
+	path = lib/openzeppelin-foundry-upgrades
+	url = https://github.com/OpenZeppelin/openzeppelin-foundry-upgrades

Makefile

@@ -7,8 +7,11 @@
 ANVIL_PORT = 8545
 ANVIL_BLOCK_TIME = 2
 RISC0_DEV_MODE = 1
+CHAIN_KEY = "anvil"
 RUST_LOG = info,broker=debug,boundless_market=debug
+DEPLOYER_PRIVATE_KEY = 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
 PRIVATE_KEY = 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
+ADMIN_ADDRESS = 0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
 DEPOSIT_AMOUNT = 10
 
 LOGS_DIR = logs
@@ -28,15 +31,20 @@ devnet-up: check-deps
 	forge build || { echo "Failed to build contracts"; $(MAKE) devnet-down; exit 1; }
 	echo "Building Rust project..."
 	cargo build --bin broker || { echo "Failed to build broker binary"; $(MAKE) devnet-down; exit 1; }
-	echo "Starting Anvil..."
-	anvil -b $(ANVIL_BLOCK_TIME) > $(LOGS_DIR)/anvil.txt 2>&1 & echo $$! >> $(PID_FILE)
-	sleep 5
+	# Check if Anvil is already running
+	if nc -z localhost $(ANVIL_PORT); then \
+		echo "Anvil is already running on port $(ANVIL_PORT). Reusing existing instance."; \
+	else \
+		echo "Starting Anvil..."; \
+		anvil -b $(ANVIL_BLOCK_TIME) > $(LOGS_DIR)/anvil.txt 2>&1 & echo $$! >> $(PID_FILE); \
+		sleep 5; \
+	fi
 	echo "Deploying contracts..."
-	RISC0_DEV_MODE=$(RISC0_DEV_MODE) forge script contracts/scripts/Deploy.s.sol --rpc-url http://localhost:$(ANVIL_PORT) --broadcast -vv || { echo "Failed to deploy contracts"; $(MAKE) devnet-down; exit 1; }
+	DEPLOYER_PRIVATE_KEY=$(DEPLOYER_PRIVATE_KEY) CHAIN_KEY=${CHAIN_KEY} RISC0_DEV_MODE=$(RISC0_DEV_MODE) PROOF_MARKET_OWNER=$(ADMIN_ADDRESS) forge script contracts/scripts/Deploy.s.sol --rpc-url http://localhost:$(ANVIL_PORT) --broadcast -vv || { echo "Failed to deploy contracts"; $(MAKE) devnet-down; exit 1; }
 	echo "Fetching contract addresses..."
 	{ \
 		SET_VERIFIER_ADDRESS=$$(jq -re '.transactions[] | select(.contractName == "RiscZeroSetVerifier") | .contractAddress' ./broadcast/Deploy.s.sol/31337/run-latest.json); \
-		PROOF_MARKET_ADDRESS=$$(jq -re '.transactions[] | select(.contractName == "ProofMarket") | .contractAddress' ./broadcast/Deploy.s.sol/31337/run-latest.json); \
+		PROOF_MARKET_ADDRESS=$$(jq -re '.transactions[] | select(.contractName == "ERC1967Proxy") | .contractAddress' ./broadcast/Deploy.s.sol/31337/run-latest.json); \
 		echo "Contract deployed at addresses:"; \
 		echo "SET_VERIFIER_ADDRESS=$$SET_VERIFIER_ADDRESS"; \
 		echo "PROOF_MARKET_ADDRESS=$$PROOF_MARKET_ADDRESS"; \

contracts/deployment.toml

@@ -0,0 +1,40 @@
+[chains.anvil]
+name = "Anvil"
+id = 31337
+etherscan-url = ""
+
+# Accounts
+admin = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
+
+# Contracts
+router = "0x0000000000000000000000000000000000000000"
+set-verifier = "0x0000000000000000000000000000000000000000"
+proof-market = "0x0000000000000000000000000000000000000000"
+
+# Guests info
+set-builder-image-id = "0xa6d595680f98dddcf6649199cb65a374f2e7d4a234c22cd28799d67f027db065"
+set-builder-guest-url = "https://gateway.pinata.cloud/ipfs/QmPobaLheQtpbSLn2QPGjnSM9Yy475hV9xAbMpyUXZ3zZA"
+assessor-image-id = "0x4b379fe9f76ae2fda4afa7962f5cf502af02e95022fcc089f1629fb444dbf18e"
+assessor-guest-url = "https://gateway.pinata.cloud/ipfs/QmbaAMsfA12WX5xeqjT1k1tzBZKCC11UMM5naQqtEaVw1R"
+
+
+###
+
+[chains.ethereum-sepolia]
+name = "Ethereum Sepolia"
+id = 11155111
+etherscan-url = "https://sepolia.etherscan.io/"
+
+# Accounts
+admin = "0x3a54A45E44a71020Bd0Af42063B9f23e8b9E387D"
+
+# Contracts
+router = "0x925d8331ddc0a1F0d96E68CF073DFE1d92b69187"
+set-verifier = "0x6860e6cC6E4705309b3e946947706b4a346422DB"
+proof-market = "0x0000000000000000000000000000000000000000"
+
+# Guests info
+set-builder-image-id = "0xa6d595680f98dddcf6649199cb65a374f2e7d4a234c22cd28799d67f027db065"
+set-builder-guest-url = "https://gateway.pinata.cloud/ipfs/QmPobaLheQtpbSLn2QPGjnSM9Yy475hV9xAbMpyUXZ3zZA"
+assessor-image-id = "0x4b379fe9f76ae2fda4afa7962f5cf502af02e95022fcc089f1629fb444dbf18e"
+assessor-guest-url = "https://gateway.pinata.cloud/ipfs/QmbaAMsfA12WX5xeqjT1k1tzBZKCC11UMM5naQqtEaVw1R"

contracts/scripts/Config.s.sol

@@ -0,0 +1,81 @@
+// Copyright (c) 2024 RISC Zero, Inc.
+//
+// All rights reserved.
+
+pragma solidity ^0.8.20;
+
+import {Vm} from "forge-std/Vm.sol";
+import "forge-std/Test.sol";
+
+struct DeploymentConfig {
+    string name;
+    uint256 chainId;
+    address admin;
+    address router;
+    address setVerifier;
+    address proofMarket;
+    bytes32 setBuilderImageId;
+    string setBuilderGuestUrl;
+    bytes32 assessorImageId;
+    string assessorGuestUrl;
+}
+
+library ConfigLoader {
+    /// Reference the vm address without needing to inherit from Script.
+    Vm private constant VM = Vm(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
+
+    function loadConfig(string memory configFilePath)
+        internal
+        view
+        returns (string memory config, string memory chainKey)
+    {
+        // Load the config file
+        config = VM.readFile(configFilePath);
+
+        // Get the config profile from the environment variable, or leave it empty
+        chainKey = VM.envOr("CHAIN_KEY", string(""));
+
+        // If no profile is set, select the default one based on the chainId
+        if (bytes(chainKey).length == 0) {
+            string[] memory chainKeys = VM.parseTomlKeys(config, ".chains");
+            for (uint256 i = 0; i < chainKeys.length; i++) {
+                if (stdToml.readUint(config, string.concat(".chains.", chainKeys[i], ".id")) == block.chainid) {
+                    chainKey = chainKeys[i];
+                    break;
+                }
+            }
+        }
+
+        return (config, chainKey);
+    }
+
+    function loadDeploymentConfig(string memory configFilePath) internal view returns (DeploymentConfig memory) {
+        (string memory config, string memory chainKey) = loadConfig(configFilePath);
+        return ConfigParser.parseConfig(config, chainKey);
+    }
+}
+
+library ConfigParser {
+    function parseConfig(string memory config, string memory chainKey)
+        internal
+        pure
+        returns (DeploymentConfig memory)
+    {
+        DeploymentConfig memory deploymentConfig;
+
+        string memory chain = string.concat(".chains.", chainKey);
+
+        deploymentConfig.name = stdToml.readString(config, string.concat(chain, ".name"));
+        deploymentConfig.chainId = stdToml.readUint(config, string.concat(chain, ".id"));
+        deploymentConfig.admin = stdToml.readAddress(config, string.concat(chain, ".admin"));
+        deploymentConfig.router = stdToml.readAddress(config, string.concat(chain, ".router"));
+        deploymentConfig.setVerifier = stdToml.readAddress(config, string.concat(chain, ".set-verifier"));
+        deploymentConfig.proofMarket = stdToml.readAddress(config, string.concat(chain, ".proof-market"));
+        deploymentConfig.setBuilderImageId = stdToml.readBytes32(config, string.concat(chain, ".set-builder-image-id"));
+        deploymentConfig.setBuilderGuestUrl = stdToml.readString(config, string.concat(chain, ".set-builder-guest-url"));
+        deploymentConfig.assessorImageId = stdToml.readBytes32(config, string.concat(chain, ".assessor-image-id"));
+        deploymentConfig.assessorGuestUrl = stdToml.readString(config, string.concat(chain, ".assessor-guest-url"));
+
+        return deploymentConfig;
+    }
+}

contracts/scripts/Deploy.s.sol

@@ -5,50 +5,109 @@
 pragma solidity ^0.8.20;
 
 import {Script, console2} from "forge-std/Script.sol";
+import "forge-std/Test.sol";
 import {IRiscZeroVerifier} from "risc0/IRiscZeroVerifier.sol";
 import {ControlID, RiscZeroGroth16Verifier} from "risc0/groth16/RiscZeroGroth16Verifier.sol";
 import {RiscZeroCheats} from "risc0/test/RiscZeroCheats.sol";
+import {UnsafeUpgrades, Upgrades} from "openzeppelin-foundry-upgrades/Upgrades.sol";
+import {ConfigLoader, DeploymentConfig} from "./Config.s.sol";
 
 import {ProofMarket} from "../src/ProofMarket.sol";
 import {RiscZeroSetVerifier} from "../src/RiscZeroSetVerifier.sol";
 
 // For local testing:
-import {ImageID as AssesorImgId} from "../src/AssessorImageID.sol";
-import {ImageID as SetBuidlerId} from "../src/SetBuilderImageID.sol";
+// TODO: Uncommenting these lines currently creates a chicken-egg problem in that
+// `cargo build -Ftest-utils` cannot complete without first running `forge build` and `forge build`
+// cannot run without building the guests.
+//import {ImageID as AssesorImgId} from "../src/AssessorImageID.sol";
+//import {ImageID as SetBuidlerId} from "../src/SetBuilderImageID.sol";
 
 contract Deploy is Script, RiscZeroCheats {
+    // Path to deployment config file, relative to the project root.
+    string constant CONFIG_FILE = "contracts/deployment.toml";
+
+    IRiscZeroVerifier verifier;
+    RiscZeroSetVerifier setVerifier;
+    address proofMarketAddress;
+    bytes32 setBuilderImageId;
+    bytes32 assessorImageId;
+
     function run() external {
+        string memory setBuilderGuestUrl = "";
+        string memory assessorGuestUrl = "";
+
         // load ENV variables first
-        uint256 adminKey = vm.envUint("PRIVATE_KEY");
+        uint256 deployerKey = vm.envOr("DEPLOYER_PRIVATE_KEY", uint256(0));
+        require(deployerKey != 0, "No deployer key provided. Please set the env var DEPLOYER_PRIVATE_KEY.");
+        vm.rememberKey(deployerKey);
 
-        vm.startBroadcast(adminKey);
+        address proofMarketOwner = vm.envAddress("PROOF_MARKET_OWNER");
+        console2.log("ProofMarket Owner:", proofMarketOwner);
 
-        IRiscZeroVerifier verifier = deployRiscZeroVerifier();
+        // Read and log the chainID
+        uint256 chainId = block.chainid;
+        console2.log("You are deploying on ChainID %d", chainId);
+
+        // Load the deployment config
+        DeploymentConfig memory deploymentConfig =
+            ConfigLoader.loadDeploymentConfig(string.concat(vm.projectRoot(), "/", CONFIG_FILE));
+
+        // Assign parsed config values to the variables
+        verifier = IRiscZeroVerifier(deploymentConfig.router);
+        setVerifier = RiscZeroSetVerifier(deploymentConfig.setVerifier);
+        setBuilderImageId = deploymentConfig.setBuilderImageId;
+        setBuilderGuestUrl = deploymentConfig.setBuilderGuestUrl;
+        assessorImageId = deploymentConfig.assessorImageId;
+        assessorGuestUrl = deploymentConfig.assessorGuestUrl;
+
+        vm.startBroadcast(deployerKey);
+
+        // Deploy the verifier, if not already deployed.
+        if (address(verifier) == address(0)) {
+            verifier = deployRiscZeroVerifier();
+        } else {
+            console2.log("Using IRiscZeroVerifier contract deployed at", address(verifier));
+        }
+
+        // Set the setBuilderImageId and assessorImageId if not set.
+        if (setBuilderImageId == bytes32(0)) {
+            // TODO: Currently cannot work. See note in imports.
+            //setBuilderImageId = SetBuidlerId.SET_BUILDER_GUEST_ID;
+            revert("set builder image ID must be set in deployment.toml");
+        }
+        if (assessorImageId == bytes32(0)) {
+            // TODO: Currently cannot work. See note in imports.
+            //assessorImageId = AssesorImgId.ASSESSOR_GUEST_ID;
+            revert("assessor image ID must be set in deployment.toml");
+        }
 
-        string memory setBuilderGuestUrl = "";
-        string memory assessorGuestUrl = "";
         if (bytes(vm.envOr("RISC0_DEV_MODE", string(""))).length > 0) {
-            // TODO: Create a more robust way of getting a URI for guests.
+            // TODO: Create a more robust way of getting a URI for guests, and ensure that it is
+            // in-sync with the configured image ID.
             string memory cwd = vm.envString("PWD");
-            setBuilderGuestUrl = string.concat(
-                "file://",
-                cwd,
-                "/target/riscv-guest/riscv32im-risc0-zkvm-elf/release/set-builder-guest"
-            );
+            setBuilderGuestUrl =
+                string.concat("file://", cwd, "/target/riscv-guest/riscv32im-risc0-zkvm-elf/release/set-builder-guest");
             console2.log("Set builder URI", setBuilderGuestUrl);
-            assessorGuestUrl = string.concat(
-                "file://",
-                cwd,
-                "/target/riscv-guest/riscv32im-risc0-zkvm-elf/release/assessor-guest"
-            );
+            assessorGuestUrl =
+                string.concat("file://", cwd, "/target/riscv-guest/riscv32im-risc0-zkvm-elf/release/assessor-guest");
             console2.log("Assessor URI", assessorGuestUrl);
         }
 
-        RiscZeroSetVerifier setVerifier = new RiscZeroSetVerifier(verifier, SetBuidlerId.SET_BUILDER_GUEST_ID, setBuilderGuestUrl);
-        console2.log("Deployed SetVerifier to,", address(setVerifier));
+        // Deploy the setVerifier, if not already deployed.
+        if (address(setVerifier) == address(0)) {
+            setVerifier = new RiscZeroSetVerifier(verifier, setBuilderImageId, setBuilderGuestUrl);
+            console2.log("Deployed RiscZeroSetVerifier to", address(setVerifier));
+        } else {
+            console2.log("Using RiscZeroSetVerifier contract deployed at", address(setVerifier));
+        }
 
-        ProofMarket market = new ProofMarket(setVerifier, AssesorImgId.ASSESSOR_GUEST_ID, assessorGuestUrl);
-        console2.log("Deployed ProofMarket to", address(market));
+        // Deploy the proof market
+        address newImplementation = address(new ProofMarket(setVerifier, assessorImageId));
+        console2.log("Deployed new ProofMarket implementation at", newImplementation);
+        proofMarketAddress = UnsafeUpgrades.deployUUPSProxy(
+            newImplementation, abi.encodeCall(ProofMarket.initialize, (proofMarketOwner, assessorGuestUrl))
+        );
+        console2.log("Deployed ProofMarket (proxy) to", proofMarketAddress);
 
         vm.stopBroadcast();
     }