fix: introduce snapshotted escape hatch

Author: LHerskind

l1-contracts/src/core/EscapeHatch.sol

@@ -275,28 +275,45 @@ contract EscapeHatch is IEscapeHatch {
 
     require(block.timestamp >= data.exitableAt, Errors.EscapeHatch__NotExitableYet(data.exitableAt, block.timestamp));
 
+    // Check if this contract was the active escape hatch for the entire active period.
+    // If not, the proposer may have been unable to fulfill duties due to governance change.
+    Epoch firstActiveEpoch = _getFirstEpoch(_hatch);
+    Epoch lastActiveEpoch = firstActiveEpoch + Epoch.wrap(ACTIVE_DURATION - 1);
+    bool wasActiveAtStart = address(ROLLUP.getEscapeHatchForEpoch(firstActiveEpoch)) == address(this);
+    bool wasActiveAtEnd = address(ROLLUP.getEscapeHatchForEpoch(lastActiveEpoch)) == address(this);
+    bool wasActiveEntirePeriod = wasActiveAtStart && wasActiveAtEnd;
+
     bool success = true;
     uint256 punishment = 0;
 
-    // Check success conditions:
-    // 1. Something must have been proposed
-    if (data.lastCheckpointNumber == 0) {
-      success = false;
-    }
-
-    // 2. Proofs must have been submitted at least up to this checkpoint
-    if (success && ROLLUP.getProvenCheckpointNumber() < data.lastCheckpointNumber) {
-      success = false;
-    }
-
-    // 3. The checkpoint archive must still be in the chain (not pruned)
-    if (success && ROLLUP.archiveAt(data.lastCheckpointNumber) != data.lastSubmittedArchive) {
-      success = false;
-    }
-
-    if (!success) {
-      punishment = FAILED_HATCH_PUNISHMENT;
-      data.amount -= FAILED_HATCH_PUNISHMENT;
+    if (!wasActiveEntirePeriod && data.lastCheckpointNumber == 0) {
+      // Escape hatch was deactivated during the active window and proposer did nothing.
+      // This is acceptable - they couldn't (or chose not to) propose during disruption.
+      // Skip punishment, transition to EXITING.
+    } else {
+      // Normal validation: either was active the entire time, or proposer proposed something
+      // (if they proposed, they're on the hook regardless of escape hatch changes,
+      // since proofs go to the rollup directly and are unaffected by escape hatch changes).
+
+      // 1. Something must have been proposed
+      if (data.lastCheckpointNumber == 0) {
+        success = false;
+      }
+
+      // 2. Proofs must have been submitted at least up to this checkpoint
+      if (success && ROLLUP.getProvenCheckpointNumber() < data.lastCheckpointNumber) {
+        success = false;
+      }
+
+      // 3. The checkpoint archive must still be in the chain (not pruned)
+      if (success && ROLLUP.archiveAt(data.lastCheckpointNumber) != data.lastSubmittedArchive) {
+        success = false;
+      }
+
+      if (!success) {
+        punishment = FAILED_HATCH_PUNISHMENT;
+        data.amount -= FAILED_HATCH_PUNISHMENT;
+      }
     }
 
     data.status = Status.EXITING;
@@ -547,6 +564,14 @@ contract EscapeHatch is IEscapeHatch {
    * @custom:reverts EscapeHatch__SetUnstable if called before the freeze timestamp (defense in depth)
    */
   function selectCandidates() public override(IEscapeHatchCore) {
+    // Don't select new candidates if this contract is no longer the active escape hatch.
+    // We check the latest value rather than the epoch-stable one since we sample for the future,
+    // so if the current differs, the future will as well.
+    // Early return (not revert) is important because initiateExit() calls selectCandidates() internally.
+    if (address(ROLLUP.getEscapeHatch()) != address(this)) {
+      return;
+    }
+
     Hatch currentHatch = getCurrentHatch();
     Hatch targetHatch = currentHatch + Hatch.wrap(LAG_IN_HATCHES);
 

l1-contracts/src/core/Rollup.sol

@@ -412,6 +412,15 @@ contract Rollup is IStaking, IValidatorSelection, IRollup, RollupCore {
     return ValidatorOperationsExtLib.getEscapeHatch();
   }
 
+  /**
+   * @notice  Get the escape hatch contract that was active at the start of a given epoch
+   * @param _epoch The epoch to look up the escape hatch for
+   * @return The escape hatch contract interface that was active at the epoch start
+   */
+  function getEscapeHatchForEpoch(Epoch _epoch) external view override(IValidatorSelection) returns (IEscapeHatch) {
+    return ValidatorOperationsExtLib.getEscapeHatchForEpoch(_epoch);
+  }
+
   /**
    * @notice  Get the sample seed for the current epoch
    *

l1-contracts/src/core/interfaces/IValidatorSelection.sol

@@ -12,11 +12,12 @@ struct ValidatorSelectionStorage {
   mapping(Epoch => bytes32 committeeCommitment) committeeCommitments;
   // Checkpointed map of epoch -> randao value
   Checkpoints.Trace224 randaos;
-  // The following 3 uint32s + address pack into a single slot (12 + 20 = 32 bytes)
+  // The following 3 uint32s pack into a single slot (12 bytes)
   uint32 targetCommitteeSize;
   uint32 lagInEpochsForValidatorSet;
   uint32 lagInEpochsForRandao;
-  IEscapeHatch escapeHatch;
+  // Checkpointed escape hatch addresses (key = timestamp, value = address as uint160)
+  Checkpoints.Trace160 escapeHatchCheckpoints;
 }
 
 interface IValidatorSelectionCore {
@@ -60,4 +61,5 @@ interface IValidatorSelection is IValidatorSelectionCore, IEmperor {
   function getTargetCommitteeSize() external view returns (uint256);
 
   function getEscapeHatch() external view returns (IEscapeHatch);
+  function getEscapeHatchForEpoch(Epoch _epoch) external view returns (IEscapeHatch);
 }

l1-contracts/src/core/libraries/rollup/EpochProofLib.sol

@@ -308,9 +308,11 @@ library EpochProofLib {
     Epoch epoch = STFLib.getEpochForCheckpoint(_endCheckpointNumber);
 
     // Check if this is an escape hatch epoch - skip attestation verification if so
-    // since escape hatch blocks are proposed without committee attestations
+    // since escape hatch blocks are proposed without committee attestations.
+    // Uses epoch-stable lookup so proof verification uses the escape hatch that was
+    // active when the epoch started, not whatever is currently configured.
     {
-      IEscapeHatch escapeHatch = ValidatorSelectionLib.getEscapeHatch();
+      IEscapeHatch escapeHatch = ValidatorSelectionLib.getEscapeHatchForEpoch(epoch);
       if (address(escapeHatch) != address(0)) {
         (bool isOpen,) = escapeHatch.isHatchOpen(epoch);
         if (isOpen) {

l1-contracts/src/core/libraries/rollup/InvalidateLib.sol

@@ -215,9 +215,11 @@ library InvalidateLib {
     Epoch epoch = checkpointLog.slotNumber.decompress().epochFromSlot();
 
     // Check if this is an escape hatch epoch - escape hatch checkpoints cannot be invalidated
-    // since they have no committee attestations by design
+    // since they have no committee attestations by design.
+    // Uses epoch-stable lookup so invalidation rules use the escape hatch that was
+    // active when the epoch started, not whatever is currently configured.
     {
-      IEscapeHatch escapeHatch = ValidatorSelectionLib.getEscapeHatch();
+      IEscapeHatch escapeHatch = ValidatorSelectionLib.getEscapeHatchForEpoch(epoch);
       if (address(escapeHatch) != address(0)) {
         (bool isOpen,) = escapeHatch.isHatchOpen(epoch);
         require(!isOpen, Errors.Rollup__CannotInvalidateEscapeHatch());

l1-contracts/src/core/libraries/rollup/ProposeLib.sol

@@ -199,8 +199,9 @@ library ProposeLib {
     v.headerHash = ProposedHeaderLib.hash(v.header);
 
     // Compute current epoch and check escape hatch BEFORE setupEpoch.
+    // Uses epoch-stable lookup so mid-epoch governance changes don't affect current epoch proposals.
     v.currentEpoch = Timestamp.wrap(block.timestamp).epochFromTimestamp();
-    v.escapeHatch = ValidatorSelectionLib.getEscapeHatch();
+    v.escapeHatch = ValidatorSelectionLib.getEscapeHatchForEpoch(v.currentEpoch);
     if (address(v.escapeHatch) != address(0)) {
       (v.isEscapeHatch, v.escapeHatchProposer) = v.escapeHatch.isHatchOpen(v.currentEpoch);
     }

l1-contracts/src/core/libraries/rollup/ValidatorOperationsExtLib.sol

@@ -150,6 +150,10 @@ library ValidatorOperationsExtLib {
     return ValidatorSelectionLib.getEscapeHatch();
   }
 
+  function getEscapeHatchForEpoch(Epoch _epoch) external view returns (IEscapeHatch) {
+    return ValidatorSelectionLib.getEscapeHatchForEpoch(_epoch);
+  }
+
   function getTargetCommitteeSize() external view returns (uint256) {
     return ValidatorSelectionLib.getStorage().targetCommitteeSize;
   }

l1-contracts/src/core/libraries/rollup/ValidatorSelectionLib.sol

@@ -100,6 +100,7 @@ library ValidatorSelectionLib {
   using TimeLib for Epoch;
   using TimeLib for Slot;
   using Checkpoints for Checkpoints.Trace224;
+  using Checkpoints for Checkpoints.Trace160;
   using SafeCast for *;
   using TransientSlot for *;
   using SlotDerivation for string;
@@ -157,7 +158,12 @@ library ValidatorSelectionLib {
    * @param _escapeHatch The address of the EscapeHatch contract, or address(0) to disable
    */
   function updateEscapeHatch(address _escapeHatch) internal {
-    getStorage().escapeHatch = IEscapeHatch(_escapeHatch);
+    // Key the checkpoint to the START of the next epoch so the change never affects
+    // the current epoch. This prevents a same-block governance action from retroactively
+    // altering the escape hatch for an epoch where proposals may have already been made.
+    Epoch nextEpoch = Timestamp.wrap(block.timestamp).epochFromTimestamp() + Epoch.wrap(1);
+    uint96 nextEpochTs = uint96(Timestamp.unwrap(nextEpoch.toTimestamp()));
+    getStorage().escapeHatchCheckpoints.push(nextEpochTs, uint160(_escapeHatch));
   }
 
   /**
@@ -589,12 +595,26 @@ library ValidatorSelectionLib {
   }
 
   /**
-   * @notice Gets the escape hatch contract
-   * @dev Returns the configured escape hatch, or a zero-address IEscapeHatch if disabled
+   * @notice Gets the current escape hatch contract (latest checkpoint)
+   * @dev Returns the most recently configured escape hatch, or a zero-address IEscapeHatch if none set
    * @return The escape hatch contract interface
    */
   function getEscapeHatch() internal view returns (IEscapeHatch) {
-    return getStorage().escapeHatch;
+    return IEscapeHatch(address(getStorage().escapeHatchCheckpoints.latest()));
+  }
+
+  /**
+   * @notice Gets the escape hatch contract that was active at the start of a given epoch
+   * @dev Uses `upperLookupRecent` to find the most recent checkpoint with key <= epoch start timestamp.
+   *      Changes pushed with `block.timestamp` during epoch N take effect for epoch N+1 (since epoch
+   *      N+1's start timestamp > the push timestamp > epoch N's start timestamp), providing implicit
+   *      epoch-boundary activation.
+   * @param _epoch The epoch to look up the escape hatch for
+   * @return The escape hatch contract interface that was active at the start of the epoch
+   */
+  function getEscapeHatchForEpoch(Epoch _epoch) internal view returns (IEscapeHatch) {
+    uint96 ts = uint96(Timestamp.unwrap(TimeLib.toTimestamp(_epoch)));
+    return IEscapeHatch(address(getStorage().escapeHatchCheckpoints.upperLookupRecent(ts)));
   }
 
   /**

l1-contracts/src/core/slashing/TallySlashingProposer.sol

@@ -1020,15 +1020,13 @@ contract TallySlashingProposer is EIP712 {
   function _getEscapeHatchEpochFlags(SlashRound _round) internal view returns (bool[] memory escapeHatchEpochs) {
     escapeHatchEpochs = new bool[](ROUND_SIZE_IN_EPOCHS);
 
-    IEscapeHatch escapeHatch = IValidatorSelection(INSTANCE).getEscapeHatch();
-
-    // If no escape hatch is configured, return all-false quickly
-    if (address(escapeHatch) == address(0)) {
-      return escapeHatchEpochs;
-    }
-
     for (uint256 epochIndex; epochIndex < ROUND_SIZE_IN_EPOCHS; epochIndex++) {
-      (bool isOpen,) = escapeHatch.isHatchOpen(getSlashTargetEpoch(_round, epochIndex));
+      Epoch epoch = getSlashTargetEpoch(_round, epochIndex);
+      IEscapeHatch escapeHatch = IValidatorSelection(INSTANCE).getEscapeHatchForEpoch(epoch);
+      if (address(escapeHatch) == address(0)) {
+        continue;
+      }
+      (bool isOpen,) = escapeHatch.isHatchOpen(epoch);
       escapeHatchEpochs[epochIndex] = isOpen;
     }
   }

l1-contracts/test/escape-hatch/base.sol

@@ -11,6 +11,7 @@ import {Errors} from "@aztec/core/libraries/Errors.sol";
 import {Timestamp, Epoch} from "@aztec/shared/libraries/TimeMath.sol";
 import {IValidatorSelection} from "@aztec/core/interfaces/IValidatorSelection.sol";
 import {FakeRollup} from "./mocks/FakeRollup.sol";
+import {Ownable} from "@oz/access/Ownable.sol";
 
 /// @notice Configuration struct for EscapeHatch deployment
 /// @dev Foundry can fuzz this struct directly when passed as a test parameter
@@ -98,6 +99,10 @@ contract EscapeHatchBase is TestBase {
       DEFAULT_PROPOSING_EXIT_DELAY
     );
 
+    // Register escape hatch with the rollup so selectCandidates deactivation guard passes
+    vm.prank(Ownable(address(rollup)).owner());
+    rollup.updateEscapeHatch(address(escapeHatch));
+
     vm.label(address(rollup), "Rollup");
     vm.label(address(bondToken), "BondToken");
     vm.label(address(escapeHatch), "EscapeHatch");
@@ -132,6 +137,9 @@ contract EscapeHatchBase is TestBase {
       config.proposingExitDelay
     );
     vm.label(address(escapeHatch), "EscapeHatchWithFakeRollup");
+
+    // Register escape hatch with the fake rollup so selectCandidates deactivation guard passes
+    fakeRollup.setEscapeHatch(address(escapeHatch));
   }
 
   function _mintAndApprove(address _candidate, uint256 _amount) internal {
@@ -248,6 +256,14 @@ contract EscapeHatchBase is TestBase {
 
     vm.label(address(escapeHatch), "FuzzedEscapeHatch");
 
+    // Register the new escape hatch so selectCandidates deactivation guard passes
+    if (useFakeRollup) {
+      fakeRollup.setEscapeHatch(address(escapeHatch));
+    } else {
+      vm.prank(Ownable(address(rollup)).owner());
+      rollup.updateEscapeHatch(address(escapeHatch));
+    }
+
     // Warp to safe epoch to avoid HatchTooEarly errors
     _warpToSafeEpoch();
     _;