feat(sidecar): add commitment signing key + holesky deployment scripts

bolt-sidecar/.env.example

@@ -1,10 +1,16 @@
-
-# node + PBS URLs
+# Ethereum node connections
 BOLT_SIDECAR_EXECUTION_API_URL=http://localhost:4485
 BOLT_SIDECAR_BEACON_API_URL=http://localhost:4400
 BOLT_SIDECAR_ENGINE_API_URL=http://localhost:4451
+BOLT_SIDECAR_ENGINE_JWT_HEX=
+
+# Constraint URL: should point to the constraint API sidecar.
+# Usually this corresponds to `mev-boost` or `bolt-boost`
 BOLT_SIDECAR_CONSTRAINTS_URL=http://localhost:19550
+
+# Commit-boost specific options (optional)
 BOLT_SIDECAR_CB_SIGNER_URL=http://localhost:19551
+BOLT_SIDECAR_CB_JWT_HEX=
 
 # server ports
 BOLT_SIDECAR_PORT=8000
@@ -15,14 +21,13 @@ BOLT_SIDECAR_MAX_COMMITMENTS=128
 BOLT_SIDECAR_MAX_COMMITTED_GAS=10000000
 
 # chain configs
-BOLT_SIDECAR_CHAIN=helder
+BOLT_SIDECAR_CHAIN=holesky
 BOLT_SIDECAR_COMMITMENT_DEADLINE=8000
 BOLT_SIDECAR_SLOT_TIME=12
 
 # sidecar security configs
 BOLT_SIDECAR_VALIDATOR_INDEXES=
-BOLT_SIDECAR_JWT_HEX=
-BOLT_SIDECAR_CB_JWT_HEX=
 BOLT_SIDECAR_FEE_RECIPIENT=
 BOLT_SIDECAR_BUILDER_PRIVATE_KEY=
-BOLT_SIDECAR_PRIVATE_KEY=
+BOLT_SIDECAR_CONSTRAINT_PRIVATE_KEY=
+BOLT_SIDECAR_COMMITMENT_PRIVATE_KEY=

bolt-sidecar/.gitignore

@@ -1,3 +1,4 @@
 target/
 .env
-.env.dev
+.env.*
+!.env.example

bolt-sidecar/bin/sidecar.rs

@@ -18,14 +18,14 @@ async fn main() -> Result<()> {
 
     info!(chain = opts.chain.name(), "Starting Bolt sidecar");
 
-    if opts.signing.private_key.is_some() {
+    if opts.constraint_signing.constraint_private_key.is_some() {
         match SidecarDriver::with_local_signer(&opts).await {
             Ok(driver) => driver.run_forever().await,
             Err(err) => {
                 bail!("Failed to initialize the sidecar driver with local signer: {:?}", err)
             }
         }
-    } else if opts.signing.commit_boost_jwt_hex.is_some() {
+    } else if opts.constraint_signing.commit_boost_signer_url.is_some() {
         match SidecarDriver::with_commit_boost_signer(&opts).await {
             Ok(driver) => driver.run_forever().await,
             Err(err) => {

bolt-sidecar/src/builder/payload_builder.rs

@@ -57,7 +57,7 @@ impl FallbackPayloadBuilder {
     pub fn new(config: &Opts, beacon_api_client: BeaconClient, genesis_time: u64) -> Self {
         let engine_hinter = EngineHinter {
             client: reqwest::Client::new(),
-            jwt_hex: config.jwt_hex.to_string(),
+            jwt_hex: config.engine_jwt_hex.to_string(),
             engine_rpc_url: config.engine_api_url.clone(),
         };
 

bolt-sidecar/src/common.rs

@@ -5,7 +5,7 @@ use std::{
     path::Path,
 };
 
-use alloy::primitives::U256;
+use alloy::{primitives::U256, signers::k256::ecdsa::SigningKey};
 use blst::min_pk::SecretKey;
 use rand::{Rng, RngCore};
 use reth_primitives::PooledTransactionsElement;
@@ -139,6 +139,50 @@ impl fmt::Display for BlsSecretKeyWrapper {
     }
 }
 
+#[derive(Clone, Debug)]
+pub struct EcdsaSecretKeyWrapper(pub SigningKey);
+
+impl EcdsaSecretKeyWrapper {
+    /// Generate a new random ECDSA secret key.
+    #[allow(dead_code)]
+    pub fn random() -> Self {
+        Self(SigningKey::random(&mut rand::thread_rng()))
+    }
+}
+
+impl<'de> Deserialize<'de> for EcdsaSecretKeyWrapper {
+    fn deserialize<D>(deserializer: D) -> Result<EcdsaSecretKeyWrapper, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let sk = String::deserialize(deserializer)?;
+        Ok(EcdsaSecretKeyWrapper::from(sk.as_str()))
+    }
+}
+
+impl From<&str> for EcdsaSecretKeyWrapper {
+    fn from(sk: &str) -> Self {
+        let hex_sk = sk.strip_prefix("0x").unwrap_or(sk);
+        let bytes = hex::decode(hex_sk).expect("valid hex");
+        let sk = SigningKey::from_slice(&bytes).expect("valid sk");
+        EcdsaSecretKeyWrapper(sk)
+    }
+}
+
+impl Display for EcdsaSecretKeyWrapper {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "0x{}", hex::encode(self.0.to_bytes()))
+    }
+}
+
+impl Deref for EcdsaSecretKeyWrapper {
+    type Target = SigningKey;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct JwtSecretConfig(pub String);
 

bolt-sidecar/src/config/signing.rs → bolt-sidecar/src/config/constraint_signing.rs

@@ -6,21 +6,21 @@ use serde::Deserialize;
 
 use crate::common::{BlsSecretKeyWrapper, JwtSecretConfig};
 
-/// Command-line options for signing
+/// Command-line options for signing constraint messages
 #[derive(Args, Deserialize)]
 #[clap(
     group = ArgGroup::new("signing-opts").required(true)
-        .args(&["private_key", "commit_boost_address", "keystore_password", "keystore_secrets_path"])
+        .args(&["constraint_private_key", "commit_boost_signer_url", "keystore_password", "keystore_secrets_path"])
 )]
-pub struct SigningOpts {
-    /// Private key to use for signing preconfirmation requests
-    #[clap(long, env = "BOLT_SIDECAR_PRIVATE_KEY")]
-    pub private_key: Option<BlsSecretKeyWrapper>,
+pub struct ConstraintSigningOpts {
+    /// Private key to use for signing constraint messages
+    #[clap(long, env = "BOLT_SIDECAR_CONSTRAINT_PRIVATE_KEY")]
+    pub constraint_private_key: Option<BlsSecretKeyWrapper>,
     /// Socket address for the commit-boost sidecar
     #[clap(long, env = "BOLT_SIDECAR_CB_SIGNER_URL", requires("commit_boost_jwt_hex"))]
-    pub commit_boost_address: Option<SocketAddr>,
+    pub commit_boost_signer_url: Option<SocketAddr>,
     /// JWT in hexadecimal format for authenticating with the commit-boost service
-    #[clap(long, env = "BOLT_SIDECAR_CB_JWT_HEX", requires("commit_boost_address"))]
+    #[clap(long, env = "BOLT_SIDECAR_CB_JWT_HEX", requires("commit_boost_signer_url"))]
     pub commit_boost_jwt_hex: Option<JwtSecretConfig>,
     /// The password for the ERC-2335 keystore.
     /// Reference: https://eips.ethereum.org/EIPS/eip-2335
@@ -39,11 +39,11 @@ pub struct SigningOpts {
 }
 
 // Implement Debug manually to hide the keystore_password field
-impl fmt::Debug for SigningOpts {
+impl fmt::Debug for ConstraintSigningOpts {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         f.debug_struct("SigningOpts")
-            .field("private_key", &self.private_key)
-            .field("commit_boost_address", &self.commit_boost_address)
+            .field("constraint_private_key", &"********") // Hides the actual private key
+            .field("commit_boost_signer_url", &self.commit_boost_signer_url)
             .field("commit_boost_jwt_hex", &self.commit_boost_jwt_hex)
             .field("keystore_password", &"********") // Hides the actual password
             .field("keystore_path", &self.keystore_path)

bolt-sidecar/src/config/mod.rs

@@ -12,16 +12,16 @@ pub use validator_indexes::ValidatorIndexes;
 pub mod chain;
 pub use chain::ChainConfig;
 
-pub mod signing;
-pub use signing::SigningOpts;
+pub mod constraint_signing;
+pub use constraint_signing::ConstraintSigningOpts;
 
 pub mod telemetry;
 use telemetry::TelemetryOpts;
 
 pub mod limits;
 use limits::LimitsOpts;
 
-use crate::common::{BlsSecretKeyWrapper, JwtSecretConfig};
+use crate::common::{BlsSecretKeyWrapper, EcdsaSecretKeyWrapper, JwtSecretConfig};
 
 /// Default port for the JSON-RPC server exposed by the sidecar.
 pub const DEFAULT_RPC_PORT: u16 = 8000;
@@ -46,10 +46,18 @@ pub struct Opts {
     #[clap(long, env = "BOLT_SIDECAR_ENGINE_API_URL", default_value = "http://localhost:8551")]
     pub engine_api_url: Url,
     /// URL for the Constraint sidecar client to use
-    #[clap(long, env = "BOLT_SIDECAR_CONSTRAINTS_URL", default_value = "http://localhost:3030")]
-    pub constraints_url: Url,
+    #[clap(
+        long,
+        env = "BOLT_SIDECAR_CONSTRAINTS_API_URL",
+        default_value = "http://localhost:3030"
+    )]
+    pub constraints_api_url: Url,
     /// Constraint proxy server port to use
-    #[clap(long, env = "BOLT_SIDECAR_CONSTRAINTS_PROXY_PORT", default_value_t = DEFAULT_CONSTRAINTS_PROXY_PORT)]
+    #[clap(
+        long,
+        env = "BOLT_SIDECAR_CONSTRAINTS_PROXY_PORT",
+        default_value_t = DEFAULT_CONSTRAINTS_PROXY_PORT
+    )]
     pub constraints_proxy_port: u16,
     /// Validator indexes of connected validators that the sidecar
     /// should accept commitments on behalf of. Accepted values:
@@ -62,26 +70,30 @@ pub struct Opts {
     ///
     /// It can either be a hex-encoded string or a file path to a file
     /// containing the hex-encoded secret.
-    #[clap(long, env = "BOLT_SIDECAR_JWT_HEX", default_value_t)]
-    pub jwt_hex: JwtSecretConfig,
+    #[clap(long, env = "BOLT_SIDECAR_ENGINE_JWT_HEX")]
+    pub engine_jwt_hex: JwtSecretConfig,
     /// The fee recipient address for fallback blocks
-    #[clap(long, env = "BOLT_SIDECAR_FEE_RECIPIENT", default_value_t = Address::ZERO)]
+    #[clap(long, env = "BOLT_SIDECAR_FEE_RECIPIENT")]
     pub fee_recipient: Address,
     /// Secret BLS key to sign fallback payloads with (If not provided, a random key will be used)
-    #[clap(long, env = "BOLT_SIDECAR_BUILDER_PRIVATE_KEY", default_value_t = BlsSecretKeyWrapper::random())]
+    #[clap(long, env = "BOLT_SIDECAR_BUILDER_PRIVATE_KEY")]
     pub builder_private_key: BlsSecretKeyWrapper,
+    /// Secret ECDSA key to sign commitment messages with
+    #[clap(long, env = "BOLT_SIDECAR_COMMITMENT_PRIVATE_KEY")]
+    pub commitment_private_key: EcdsaSecretKeyWrapper,
     /// Operating limits for the sidecar
     #[clap(flatten)]
     pub limits: LimitsOpts,
     /// Chain config for the chain on which the sidecar is running
     #[clap(flatten)]
     pub chain: ChainConfig,
-    /// Commitment signing options.
+    /// Constraint signing options
     #[clap(flatten)]
-    pub signing: SigningOpts,
+    pub constraint_signing: ConstraintSigningOpts,
     /// Telemetry options
     #[clap(flatten)]
     pub telemetry: TelemetryOpts,
+
     /// Additional unrecognized arguments. Useful for CI and testing
     /// to avoid issues on potential extra flags provided (e.g. "--exact" from cargo nextest).
     #[cfg(test)]
@@ -105,6 +117,12 @@ impl Opts {
 mod tests {
     use super::*;
 
+    #[test]
+    fn test_validate_cli_flags() {
+        use clap::CommandFactory;
+        Opts::command().debug_assert();
+    }
+
     #[test]
     fn test_parse_url() {
         let url = "http://0.0.0.0:3030";
@@ -123,7 +141,7 @@ mod tests {
             assert_eq!(config.execution_api_url, Url::parse("http://localhost:8545").unwrap());
             assert_eq!(config.beacon_api_url, Url::parse("http://localhost:5052").unwrap());
             assert_eq!(config.engine_api_url, Url::parse("http://localhost:8551").unwrap());
-            assert_eq!(config.constraints_url, Url::parse("http://localhost:3030").unwrap());
+            assert_eq!(config.constraints_api_url, Url::parse("http://localhost:3030").unwrap());
             assert_eq!(config.constraints_proxy_port, 18551);
         }
     }

bolt-sidecar/src/driver.rs

@@ -90,13 +90,17 @@ impl SidecarDriver<StateClient, PrivateKeySigner> {
 
         // Constraints are signed with a BLS private key
         let constraint_signer = SignerBLS::Local(LocalSigner::new(
-            opts.signing.private_key.clone().expect("local signer").0,
+            opts.constraint_signing
+                .constraint_private_key
+                .clone()
+                .expect("local constraint signing key")
+                .0,
             opts.chain,
         ));
 
         // Commitment responses are signed with a regular Ethereum wallet private key.
         // This is now generated randomly because slashing is not yet implemented.
-        let commitment_signer = PrivateKeySigner::random();
+        let commitment_signer = PrivateKeySigner::from_slice("".as_bytes().to_vec().as_slice())?;
 
         Self::from_components(opts, constraint_signer, commitment_signer, state_client).await
     }
@@ -108,18 +112,16 @@ impl SidecarDriver<StateClient, PrivateKeySigner> {
         // The default state client simply uses the execution API URL to fetch state updates.
         let state_client = StateClient::new(opts.execution_api_url.clone());
 
-        let signing_opts = &opts.signing;
-
-        let keystore = if let Some(psw) = signing_opts.keystore_password.as_ref() {
+        let keystore = if let Some(psw) = opts.constraint_signing.keystore_password.as_ref() {
             KeystoreSigner::from_password(
-                signing_opts.keystore_path.as_ref().expect("keystore path"),
+                opts.constraint_signing.keystore_path.as_ref().expect("keystore path"),
                 psw.as_ref(),
                 opts.chain,
             )?
         } else {
             KeystoreSigner::from_secrets_directory(
-                signing_opts.keystore_path.as_ref().expect("keystore path"),
-                signing_opts.keystore_secrets_path.as_ref().expect("keystore secrets path"),
+                opts.constraint_signing.keystore_path.as_ref().expect("keystore path"),
+                opts.constraint_signing.keystore_secrets_path.as_ref().expect("keystore secrets"),
                 opts.chain,
             )?
         };
@@ -128,7 +130,8 @@ impl SidecarDriver<StateClient, PrivateKeySigner> {
 
         // Commitment responses are signed with a regular Ethereum wallet private key.
         // This is now generated randomly because slashing is not yet implemented.
-        let commitment_signer = PrivateKeySigner::random();
+        let commitment_key = opts.commitment_private_key.0.clone();
+        let commitment_signer = PrivateKeySigner::from_signing_key(commitment_key);
 
         Self::from_components(opts, keystore_signer, commitment_signer, state_client).await
     }
@@ -141,8 +144,8 @@ impl SidecarDriver<StateClient, CommitBoostSigner> {
         let state_client = StateClient::new(opts.execution_api_url.clone());
 
         let commit_boost_signer = CommitBoostSigner::new(
-            opts.signing.commit_boost_address.expect("CommitBoost URL").to_string(),
-            &opts.signing.commit_boost_jwt_hex.clone().expect("CommitBoost JWT"),
+            opts.constraint_signing.commit_boost_signer_url.expect("CommitBoost URL").to_string(),
+            &opts.constraint_signing.commit_boost_jwt_hex.clone().expect("CommitBoost JWT"),
         )?;
 
         let cb_bls_signer = SignerBLS::CommitBoost(commit_boost_signer.clone());
@@ -178,7 +181,7 @@ impl<C: StateFetcher, ECDSA: SignerECDSA> SidecarDriver<C, ECDSA> {
 
         let (payload_requests_tx, payload_requests_rx) = mpsc::channel(16);
         let builder_proxy_cfg = BuilderProxyConfig {
-            constraints_url: opts.constraints_url.clone(),
+            constraints_url: opts.constraints_api_url.clone(),
             server_port: opts.constraints_proxy_port,
         };
 
@@ -195,10 +198,10 @@ impl<C: StateFetcher, ECDSA: SignerECDSA> SidecarDriver<C, ECDSA> {
         let (api_events_tx, api_events_rx) = mpsc::channel(1024);
         CommitmentsApiServer::new(api_addr).run(api_events_tx).await;
 
-        let mut constraints_client = ConstraintsClient::new(opts.constraints_url.clone());
+        let mut constraints_client = ConstraintsClient::new(opts.constraints_api_url.clone());
 
         // read the delegaitons from disk if they exist and add them to the constraints client
-        if let Some(delegations_file_path) = opts.signing.delegations_path.as_ref() {
+        if let Some(delegations_file_path) = opts.constraint_signing.delegations_path.as_ref() {
             let delegations = read_signed_delegations_from_file(delegations_file_path)?;
             constraints_client.add_delegations(delegations);
         }

bolt-sidecar/src/signer/keystore.rs

@@ -141,7 +141,7 @@ impl KeystoreSigner {
 
 impl Debug for KeystoreSigner {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("Signer")
+        f.debug_struct("KeystoreSigner")
             .field(
                 "pubkeys",
                 &self.keypairs.iter().map(|kp| kp.pk.as_hex_string()).collect::<Vec<_>>(),

bolt-sidecar/src/signer/local.rs

@@ -28,7 +28,7 @@ pub struct LocalSigner {
 
 impl Debug for LocalSigner {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("Signer")
+        f.debug_struct("LocalSigner")
             .field("pubkey", &self.pubkey())
             .field("chain", &self.chain.name())
             .finish()