fix(PRIV-2006): resolve ASR initialize args before vm.broadcast#350
Merged
robriks merged 1 commit intoJun 23, 2026
Merged
Conversation
registerAggregateVerifier armed vm.broadcast(msg.sender) and then passed
artifacts.mustGetAddress(...) / cfg.* directly as initialize() arguments.
Solidity evaluates those cheatcode staticcalls after the broadcast is armed,
which Foundry rejects ("staticcalls are not allowed after broadcast"), so the
post-genesis one-shot reverted and the AnchorStateRegistry was never seeded
(anchor stayed uninitialized -> proposer/prover could not generate proofs).
Hoist the SystemConfig/DisputeGameFactory lookups and the starting-anchor
Proposal into locals before vm.broadcast so only the initialize() call is
broadcast. Verified on web3-shared-dev: the real genesis output root was
computed (0xa53d466c...) but initialize reverted on this ordering.
Co-authored-by: Cursor <cursoragent@cursor.com>
patnir
approved these changes
Jun 23, 2026
hughy
approved these changes
Jun 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
registerAggregateVerifierarmedvm.broadcast(msg.sender)and then passedartifacts.mustGetAddress(...)/cfg.multiproofGenesisBlockNumber()directly asanchorStateRegistry.initialize(...)arguments. Solidity evaluates those cheatcode staticcalls after the broadcast is armed, which Foundry forbids:So the post-genesis one-shot reverted and the
AnchorStateRegistrywas never seeded — the anchor stayed uninitialized and the proposer/prover could not generate proofs.Fix
Hoist the
SystemConfig/DisputeGameFactorylookups and the starting-anchorProposalinto locals beforevm.broadcast, so only theinitialize()call itself is broadcast. (Locals areanchor-prefixed to avoid shadowing the laterdisputeGameFactoryin the same function.)Evidence
Verified live on
web3-shared-devwith the deployed image (Commit hash cd6c8a2d): the register one-shot correctly computed the real genesis output root (multiproofGenesisOutputRoot() → 0xa53d466c…, gameType 621) and the ASR was correctly deferred/uninitialized — only theinitialize()call reverted on this cheatcode ordering.Type
Bug fix.
Risk
Low — reordering of local variable resolution; no behavioral change to the on-chain
initializecall.forge buildpasses.Follow-up
The existing deferred-init unit test calls
ASR.initializedirectly and so didn't exercise the broadcast path; a follow-up could driveregisterAggregateVerifierend-to-end.Made with Cursor