feat: oracle version check (#16435)

Fixes #14979

This PR implements a version compatibility system between Aztec.nr
contracts and the PXE oracle interface to prevent ambiguous errors from
version mismatches. The oracle version is expected to be manually
updated but to ensure that this does not get forgotten the build throws
an error if an oracle interface hash constant needs updating.

Author: benesjan

noir-projects/aztec-nr/aztec/src/macros/functions/utils.nr

@@ -151,7 +151,9 @@ pub(crate) comptime fn transform_private(f: FunctionDefinition) {
 
     let context_finish = quote { context.finish() };
 
+    // A quote to be injected at the beginning of the function body.
     let to_prepend = quote {
+        dep::aztec::oracle::version::assert_compatible_oracle_version();
         $args_hasher
         $context_creation
         $assert_initializer
@@ -305,9 +307,9 @@ pub(crate) comptime fn transform_utility(f: FunctionDefinition) {
     // (`sync_private_state` function gets invoked by PXE::getPrivateEvents function).
     let message_discovery_call = create_message_discovery_call();
 
-    // Inject context creation, storage initialization, and message discovery call at the beginning of the function
-    // body.
+    // A quote to be injected at the beginning of the function body.
     let to_prepend = quote {
+        dep::aztec::oracle::version::assert_compatible_oracle_version();
         $context_creation
         $storage_init
         $message_discovery_call
@@ -375,7 +377,7 @@ pub(crate) comptime fn create_message_discovery_call() -> Quoted {
 ///   if (!from.eq(context.msg_sender())) {
 ///         assert_current_call_valid_authwit::<N>(&mut context, from);
 ///     } else {
-///         assert(authwit_nonce, "Invalid auhtwit nonce. When 'from' and 'msg_sender' are the same, authwit_nonce must be zero");
+///         assert(authwit_nonce, "Invalid authwit nonce. When 'from' and 'msg_sender' are the same, authwit_nonce must be zero");
 ///     }
 /// ```
 /// where `from` and `authwit_nonce` are the names of the parameters that are expected to be present in the function definition.

noir-projects/aztec-nr/aztec/src/oracle/mod.nr

@@ -22,6 +22,7 @@ pub mod logs;
 pub mod message_processing;
 pub mod notes;
 pub mod offchain_effect;
+pub mod version;
 pub mod random;
 pub mod shared_secret;
 pub mod storage;

noir-projects/aztec-nr/aztec/src/oracle/version.nr

@@ -0,0 +1,38 @@
+/// The ORACLE_VERSION constant is used to check that the oracle interface is in sync between PXE and Aztec.nr. We need
+/// to version the oracle interface to ensure that developers get a reasonable error message if they use incompatible
+/// versions of Aztec.nr and PXE. The TypeScript counterpart is in `oracle_version.ts`.
+///
+/// @dev Whenever a contract function or Noir test is run, the `utilityAssertCompatibleOracleVersion` oracle is called and
+/// if the oracle version is incompatible an error is thrown.
+pub global ORACLE_VERSION: Field = 1;
+
+/// Asserts that the version of the oracle is compatible with the version expected by the contract.
+pub fn assert_compatible_oracle_version() {
+    // Safety: This oracle call returns nothing: we only call it to check Aztec.nr and Oracle interface versions are
+    // compatible. It is therefore always safe to call.
+    unsafe {
+        assert_compatible_oracle_version_wrapper();
+    }
+}
+
+unconstrained fn assert_compatible_oracle_version_wrapper() {
+    assert_compatible_oracle_version_oracle(ORACLE_VERSION);
+}
+
+#[oracle(utilityAssertCompatibleOracleVersion)]
+unconstrained fn assert_compatible_oracle_version_oracle(version: Field) {}
+
+mod test {
+    use super::{assert_compatible_oracle_version_oracle, ORACLE_VERSION};
+
+    #[test]
+    unconstrained fn compatible_oracle_version() {
+        assert_compatible_oracle_version_oracle(ORACLE_VERSION);
+    }
+
+    #[test(should_fail_with = "Incompatible oracle version. PXE is using version '1', but got a request for '318183437'.")]
+    unconstrained fn incompatible_oracle_version() {
+        let arbitrary_incorrect_version = 318183437;
+        assert_compatible_oracle_version_oracle(arbitrary_incorrect_version);
+    }
+}

noir-projects/aztec-nr/aztec/src/test/helpers/test_environment.nr

@@ -9,7 +9,11 @@ use crate::{
         ReturnsHash, UtilityCallInterface, UtilityContext,
     },
     hash::hash_args,
-    oracle::{execution::{get_block_number, get_timestamp}, execution_cache},
+    oracle::{
+        execution::{get_block_number, get_timestamp},
+        execution_cache,
+        version::assert_compatible_oracle_version,
+    },
     test::helpers::{txe_oracles, utils::ContractDeployment},
 };
 
@@ -102,6 +106,7 @@ impl PrivateContextOptions {
 impl TestEnvironment {
     /// Creates a new `TestEnvironment`. This function should only be called once per test.
     pub unconstrained fn new() -> Self {
+        assert_compatible_oracle_version();
         Self {
             light_account_secret: Counter::new(),
             contract_account_secret: Counter::new(),

noir-projects/aztec-nr/aztec/src/test/helpers/test_environment/test.nr

@@ -1,4 +1,5 @@
-use crate::test::helpers::test_environment::TestEnvironment;
+use crate::{oracle::version::ORACLE_VERSION, test::helpers::test_environment::TestEnvironment};
+use std::test::OracleMock;
 
 mod accounts;
 mod deployment;
@@ -310,3 +311,13 @@ unconstrained fn private_public_and_utility_context_share_default_chain_id() {
     assert_eq(private_chain_id, public_chain_id);
     assert_eq(private_chain_id, utility_chain_id);
 }
+
+#[test]
+unconstrained fn oracle_version_is_checked_upon_env_creation() {
+    let mock = OracleMock::mock("utilityAssertCompatibleOracleVersion");
+
+    let _env = TestEnvironment::new();
+
+    assert_eq(mock.times_called(), 1);
+    assert_eq(mock.get_last_params::<Field>(), ORACLE_VERSION);
+}

noir-projects/noir-contracts/Nargo.toml

@@ -46,6 +46,7 @@ members = [
     "contracts/test/no_constructor_contract",
     "contracts/test/note_getter_contract",
     "contracts/test/offchain_effect_contract",
+    "contracts/test/oracle_version_check_contract",
     "contracts/test/parent_contract",
     "contracts/test/pending_note_hashes_contract",
     "contracts/test/public_immutable_contract",

noir-projects/noir-contracts/contracts/test/oracle_version_check_contract/Nargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "oracle_version_check_contract"
+authors = [""]
+compiler_version = ">=0.25.0"
+type = "contract"
+
+[dependencies]
+aztec = { path = "../../../../aztec-nr/aztec" }

noir-projects/noir-contracts/contracts/test/oracle_version_check_contract/src/main.nr

@@ -0,0 +1,17 @@
+use aztec::macros::aztec;
+
+/// Used to test that the oracle version check is performed when a private or utility function is called.
+#[aztec]
+pub contract OracleVersionCheck {
+    use aztec::macros::functions::{private, utility};
+
+    #[private]
+    fn private_function() -> Field {
+        0
+    }
+
+    #[utility]
+    unconstrained fn utility_function() -> Field {
+        0
+    }
+}

yarn-project/bootstrap.sh

@@ -70,6 +70,10 @@ function compile_all {
 
   get_projects | compile_project
 
+  # Run oracle version check for pxe after compilation
+  cd pxe && yarn check_oracle_version
+  cd ..
+
   cmds=('format --check')
   if [ "${TYPECHECK:-0}" -eq 1 ] || [ "${CI:-0}" -eq 1 ]; then
     # Fully type check and lint.

yarn-project/pxe/package.json

@@ -17,7 +17,8 @@
     "clean": "rm -rf ./dest .tsbuildinfo ./src/config/package_info.ts",
     "test": "NODE_NO_WARNINGS=1 node --experimental-vm-modules ../node_modules/.bin/jest --passWithNoTests --maxWorkers=${JEST_MAX_WORKERS:-8}",
     "start": "LOG_LEVEL=${LOG_LEVEL:-debug} && node ./dest/bin/index.js",
-    "generate": "node ./scripts/generate_package_info.js"
+    "generate": "node ./scripts/generate_package_info.js",
+    "check_oracle_version": "node ./dest/bin/check_oracle_version.js"
   },
   "inherits": [
     "../package.common.json",
@@ -75,6 +76,7 @@
     "@aztec/protocol-contracts": "workspace:^",
     "@aztec/simulator": "workspace:^",
     "@aztec/stdlib": "workspace:^",
+    "json-stringify-deterministic": "1.0.12",
     "koa": "^2.16.1",
     "koa-router": "^12.0.0",
     "lodash.omit": "^4.5.0",