test(proof): regression test for range proof mismatched commit by mw2000 · Pull Request #2567 · base/base

mw2000 · 2026-05-07T20:28:38Z

Core issue was fixed by #2581

This PR now adds a regression test for GHSA-5jh4-3p33-85xc

vercel · 2026-05-07T20:28:40Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
base	Ignored	Preview	May 11, 2026 10:11pm

cb-heimdall · 2026-05-07T20:28:42Z

✅ Heimdall Review Status

Requirement Status More Info

Reviews

✅ 1/1

Denominator calculation

Show calculation

1 if user is bot 0

1 if user is external 0

2 if repo is sensitive 0

From .codeflow.yml 1

Additional review requirements

Show calculation

Max	0

0

From CODEOWNERS 0

Global minimum 0

Max 1

1

1 if commit is unverified 1

Sum 2

mw2000 · 2026-05-07T20:29:40Z

This is a port of succinctlabs/op-succinct#899

linear · 2026-05-08T04:40:26Z

CHAIN-4349

Approved review 4252328856 from jackchuma is now dismissed due to new commit. Re-request for approval.

mw2000 · 2026-05-08T22:13:12Z

The core issue was fixed by #2581. This main value add of this PR now is just the regression test

Closes GHSA-5jh4-3p33-85xc. advance_to_target silently downgrades the local target on EndOfSource, allowing an adversary to bind a valid output root to a future block number. Add a postcondition in WitnessExecutor::run() that rejects execution when the derived safe head block number differs from the claimed L2 block number. Includes a gated exploit-regression integration test (RUN_GHSA_EXPLOIT_REGRESSION=1) reproducing the attack shape.

github-actions · 2026-05-11T22:15:37Z

Review Summary

The PR extracts the inline block-number mismatch check into ensure_derived_block_matches_claim and adds a thorough exploit-regression test for GHSA-5jh4-3p33-85xc. The code is well-structured and the test methodology (witness mutation + stderr capture + postcondition parsing) is sound.

No new issues found. The existing inline comments from a prior review run appear to be stale — the current revision has already addressed the #[ignore] gating and pub fn visibility suggestions, and the dead-code concern no longer applies since the old inline check was replaced (not duplicated) by ensure_derived_block_matches_claim.

One minor observation (not worth blocking): gag = "1.0" is defined inline rather than in workspace [dependencies]. This is fine for a single-crate dev-dependency, but could be hoisted to workspace deps for consistency if desired.

mw2000 enabled auto-merge May 7, 2026 21:32

mw2000 requested a review from 0x00101010 May 8, 2026 04:40

mw2000 requested a review from danyalprout May 8, 2026 04:40

jackchuma previously approved these changes May 8, 2026

View reviewed changes

mw2000 added this pull request to the merge queue May 8, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 8, 2026

mw2000 added this pull request to the merge queue May 8, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 8, 2026

mw2000 added this pull request to the merge queue May 8, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 8, 2026

mw2000 added this pull request to the merge queue May 8, 2026

github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 8, 2026

mw2000 force-pushed the mw2000/op-succinct-fix branch from eea1f70 to 06bd6e0 Compare May 8, 2026 20:06