fix(program): check next_validators hash (#44)

* fix: verify next_validators hash

* chore: bump patches, add elf check ci

* fix: select on run so propagate error, bump vkey in contract

* fix: set link to deploy from public

* fix: pr comments

.github/workflows/pr.yml

@@ -37,4 +37,37 @@ jobs:
       - name: Run cargo clippy
         run: cargo clippy --all-features --all-targets -- -D warnings -A incomplete-features
         env:
-          CARGO_INCREMENTAL: 1
+          CARGO_INCREMENTAL: 1
+
+          name: ELF
+
+  elf:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Install SP1 toolchain
+        run: |
+          curl -L https://sp1.succinct.xyz | bash
+          ~/.sp1/bin/sp1up 
+          ~/.sp1/bin/cargo-prove prove --version
+          source ~/.bashrc
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Verify the SP1 Blobstream  Binary
+        run: |
+          # Build the binaries
+          cd program
+          ~/.sp1/bin/cargo-prove prove build --elf-name blobstream-elf --docker --tag v4.0.0-rc.10 --output-directory ../elf
+          cd ../
+
+          # Check for any changes in the elf directory
+          if [ -n "$(git status --porcelain elf/)" ]; then
+            echo "❌ ELF files changed during build!"
+            git diff elf/
+            exit 1
+          else
+            echo "✅ ELF files remained unchanged"
+          fi

Cargo.toml

@@ -1,9 +1,5 @@
 [workspace]
-members = [
-    "primitives",
-    "script",
-    "program",
-]
+members = ["primitives", "script", "program"]
 resolver = "2"
 
 [workspace.dependencies]
@@ -34,10 +30,10 @@ csv = "1.3.1"
 sha2 = "0.10"
 
 # sp1
-sp1-sdk = "4.0.0-rc.9"
-sp1-zkvm = "4.0.0-rc.9"
+sp1-sdk = "4.0.0"
+sp1-zkvm = "4.0.0"
 
 [patch.crates-io]
-sha2-v0-9-9 = { git = "https://github.com/sp1-patches/RustCrypto-hashes", package = "sha2", tag = "patch-sha2-0.9.9-sp1-4.0.0-rc.3" }
-sha2-v0-10-8 = { git = "https://github.com/sp1-patches/RustCrypto-hashes", package = "sha2", tag = "patch-sha2-0.10.8-sp1-4.0.0-rc.3" }
-curve25519-dalek-ng = { git = "https://github.com/sp1-patches/curve25519-dalek-ng", tag = "patch-4.1.1-sp1-4.0.0-rc.3" }
+sha2-v0-9-9 = { git = "https://github.com/sp1-patches/RustCrypto-hashes", package = "sha2", tag = "patch-sha2-0.9.9-sp1-4.0.0" }
+sha2-v0-10-8 = { git = "https://github.com/sp1-patches/RustCrypto-hashes", package = "sha2", tag = "patch-sha2-0.10.8-sp1-4.0.0" }
+curve25519-dalek-ng = { git = "https://github.com/sp1-patches/curve25519-dalek-ng", tag = "patch-4.1.1-sp1-4.0.0" }

contracts/script/UpdateVkey.s.sol

@@ -24,6 +24,6 @@ contract UpdateVkeyScript is BaseScript {
         SP1Blobstream sp1Blobstream = SP1Blobstream(address(existingProxyAddress));
 
         // v4 program vkey
-        sp1Blobstream.updateProgramVkey(0x00e30cadab0b8ad6a5f115c5131a14afce4ec4bbf8acf7c821951778a2d97660);
+        sp1Blobstream.updateProgramVkey(0x00b6c8c78a73630fae80e45b2888a00d9ab0cc05a77cd7c027446a6ae2289928);
     }
 }

primitives/src/lib.rs

@@ -19,6 +19,12 @@ pub fn get_header_update_verdict(trusted_block: &LightBlock, target_block: &Ligh
 
     let vp = ProdVerifier::default();
 
+    // Check the next validators hash is correct.
+    assert_eq!(
+        trusted_block.next_validators.hash(),
+        trusted_block.as_trusted_state().next_validators_hash
+    );
+
     // Note: The zkVM has no notion of time, so no header will be rejected for being too
     // far in the past, which is a potential issue. Deployers must ensure that the target block is not
     // too far in the past, i.e. the light client must be relatively synced with the chain (i.e.