feat: improve build and security

.goreleaser.yml

@@ -1,7 +1,7 @@
 version: 1
 
 project_name: mev-commit-geth
-dist: /tmp/goreleaser/mev-commit-geth
+dist: /tmp/dist/mev-commit-geth
 
 builds:
   - env:
@@ -45,15 +45,9 @@ archives:
       - src: ./external/geth/geth-poa/entrypoint.sh
         dst: ./
         strip_parent: true
-      - src: ./external/geth/geth-poa/genesis.json
-        dst: ./
-        strip_parent: true
       - src: ./external/geth/geth-poa/util/deploy_create2.sh
         dst: ./
         strip_parent: true
-      - src: ./external/geth/geth-poa/signer-node*/**/*
-        dst: ./
-        strip_parent: false
 
 checksum:
   name_template: >-

geth-poa/entrypoint.sh

@@ -10,7 +10,7 @@ GETH_SYNC_MODE=${GETH_SYNC_MODE:-full}
 GETH_DATA_DIR=${GETH_DATA_DIR:-/data}
 GETH_CHAINDATA_DIR="$GETH_DATA_DIR/geth/chaindata"
 GETH_KEYSTORE_DIR="$GETH_DATA_DIR/keystore"
-MEV_COMMIT_GETH_PASSWORD=${MEV_COMMIT_GETH_PASSWORD:-"pwd"}
+GETH_KEYSTORE_PASSWORD=${GETH_KEYSTORE_PASSWORD:-"primev"}
 CHAIN_ID=$(cat "$GENESIS_L1_PATH" | jq -r .config.chainId)
 RPC_PORT="${RPC_PORT:-8545}"
 WS_PORT="${WS_PORT:-8546}"
@@ -25,7 +25,7 @@ fi
 # Generate signer key if needed
 if [ "$GETH_NODE_TYPE" = "signer" ]; then
 	if [ ! -f "$GETH_DATA_DIR/password" ]; then
-		echo -n "$MEV_COMMIT_GETH_PASSWORD" > "$GETH_DATA_DIR"/password
+		echo -n "$GETH_KEYSTORE_PASSWORD" > "$GETH_DATA_DIR"/password
 	fi
 	if [ ! -d "$GETH_KEYSTORE_DIR" ]; then
 		if [ -n "$BLOCK_SIGNER_PRIVATE_KEY" ]; then

geth-poa/util/deploy_create2.sh

@@ -1,49 +1,77 @@
 #!/bin/sh
 
-# Deploys create2 proxy according to https://github.com/primev/deterministic-deployment-proxy
+set -ex
 
-set -e
+# Deploys create2 proxy according to https://github.com/primev/deterministic-deployment-proxy
 
-# Use the first command line argument, if provided. Otherwise, use the environment variable.
-JSON_RPC="${1:-$JSON_RPC_URL}"
+PROXY_ADDRESS="0x4e59b44847b379578588920ca78fbf26c0b4956c"
+SIGNER_ADDRESS="0x3fab184622dc19b6109349b94811493bf2a45362"
+# The following transaction string contains fixed from address corresponding to the signer address: 0x3fab184622dc19b6109349b94811493bf2a45362
+TRANSACTION="0xf8a58085174876e800830186a08080b853604580600e600039806000f350fe7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03601600081602082378035828234f58015156039578182fd5b8082525050506014600cf31ba02222222222222222222222222222222222222222222222222222222222222222a02222222222222222222222222222222222222222222222222222222222222222"
 
-if [ -z "${JSON_RPC}" ]; then
-    echo "Usage: $0 <JSON_RPC_URL> or set the JSON_RPC_URL environment variable."
+help() {
+    echo "Usage: $0 <RPC_URL>"
+    echo "  RPC_URL: URL of the JSON RPC endpoint"
     exit 1
-fi
+}
 
-if ! [ -x "$(command -v curl)" ]; then
-    echo "Curl must be installed to deploy the create2 proxy" >&2
-    exit 1
+RPC_URL="${1:-$RPC_URL}"
+if [ -z "${RPC_URL}" ]; then
+    help
 fi
 
-# Check if contract already deployed
-DATA='{"jsonrpc":"2.0","method":"eth_getCode","params":["0x4e59b44847b379578588920ca78fbf26c0b4956c", "latest"],"id":1}'
-RESPONSE=$(curl -s -X POST --data "${DATA}" -H "Content-Type: application/json" "${JSON_RPC}")
-CODE=$(echo "${RESPONSE}" | jq -r '.result')
+RESPONSE=$(
+  curl \
+    --silent \
+    --request POST \
+    --header "Content-Type: application/json" \
+    --data '{
+      "jsonrpc": "2.0",
+      "method": "eth_getCode",
+      "params": ["'"${PROXY_ADDRESS}"'", "latest"],
+      "id": 1
+    }' \
+  "${RPC_URL}")
 if [ -z "${RESPONSE}" ] || [ "${RESPONSE}" = "null" ]; then
-    echo "Error: No response from JSON RPC at ${JSON_RPC}"
+    echo "Error: No response from JSON RPC at ${RPC_URL}"
     exit 1
 fi
-if [ "${CODE}" != "0x" ]; then
-    echo "Contract already deployed at 0x4e59b44847b379578588920ca78fbf26c0b4956c"
+if [ "$(echo "${RESPONSE}" | jq -r '.result')" != "0x" ]; then
+    echo "Contract already deployed at ${PROXY_ADDRESS}"
     exit 0
-else
-    echo "No contract deployed at 0x4e59b44847b379578588920ca78fbf26c0b4956c. Deploying..."
 fi
 
-# Note deployement signer account needs at least 10000000000000000 wei allocated on genesis to send tx
-
-# Set presigned transaction 
-TRANSACTION="0xf8a58085174876e800830186a08080b853604580600e600039806000f350fe7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03601600081602082378035828234f58015156039578182fd5b8082525050506014600cf31ba02222222222222222222222222222222222222222222222222222222222222222a02222222222222222222222222222222222222222222222222222222222222222"
-
-# deploy contract 
-curl -s "${JSON_RPC}" -X 'POST' -H 'Content-Type: application/json' --data "{\"jsonrpc\":\"2.0\", \"id\":1, \"method\": \"eth_sendRawTransaction\", \"params\": [\"$TRANSACTION\"]}"
-
+echo "No contract deployed at ${PROXY_ADDRESS}, deploying..."
+curl \
+  --silent "${RPC_URL}" \
+  --request 'POST' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "id": 1,
+    "method": "eth_sendRawTransaction",
+    "params": ["'"${TRANSACTION}"'"]
+  }'
 sleep 5
 
 # For prod we'll have to set gas params s.t. no ether is leftover here. For now we warn
-RESPONSE=$(curl -s -X POST --data '{"jsonrpc":"2.0","method":"eth_getBalance","params":["0x3fab184622dc19b6109349b94811493bf2a45362", "latest"],"id":1}' -H "Content-Type: application/json" "${JSON_RPC}")
-if [ "$(echo "${RESPONSE}" | jq -r '.result')" != "0x0" ]; then
-    echo "WARNING: Deployment signer (0x3fab184622dc19b6109349b94811493bf2a45362) has leftover balance of $(echo "${RESPONSE}" | jq -r '.result') wei"
+RESPONSE=$(
+  curl \
+    --silent \
+    --request POST \
+    --header "Content-Type: application/json" \
+    --data '{
+      "jsonrpc": "2.0",
+      "method": "eth_getBalance",
+      "params": ["'"${SIGNER_ADDRESS}"'", "latest"],
+      "id": 1
+    }' \
+  "${RPC_URL}")
+if [ -z "${RESPONSE}" ] || [ "${RESPONSE}" = "null" ]; then
+    echo "Error: No response from JSON RPC at ${RPC_URL}"
+    exit 1
+fi
+RESULT="$(echo "${RESPONSE}" | jq -r '.result')"
+if [ "${RESULT}" != "0x0" ]; then
+    echo "WARNING: Deployment signer (${SIGNER_ADDRESS}) has leftover balance of ${RESULT} wei."
 fi