Move DisburserKey to AWS KMS (Teleporter)

integration-tests/test/alt-l2/teleportation.spec.ts

@@ -146,14 +146,21 @@ describe('teleportation', () => {
       teleportationAddress: useBnb
         ? TeleportationBNB.address
         : Teleportation.address,
-      disburserWallet: wallet1,
       selectedBobaChains: useBnb ? selectedBobaChainsBnb : selectedBobaChains,
       // only defined one other for the routing tests (so idx 0 = own origin network)
       ownSupportedAssets: useBnb
         ? selectedBobaChains[0].supportedAssets
         : selectedBobaChainsBnb[0].supportedAssets,
       pollingInterval,
       blockRangePerPolling,
+      awsConfig: {
+        // Default values for local kms endpoint
+        awsKmsAccessKey: process.env.TELEPORTATION_AWS_KMS_ACCESS_KEY ?? '1',
+        awsKmsSecretKey: process.env.TELEPORTATION_AWS_KMS_SECRET_KEY ?? '2',
+        awsKmsKeyId: process.env.TELEPORTATION_AWS_KMS_KEY_ID ?? '3',
+        awsKmsEndpoint: process.env.TELEPORTATION_AWS_KMS_ENDPOINT ?? 'http://kms:8888/',
+        awsKmsRegion: process.env.TELEPORTATION_AWS_KMS_REGION ?? 'us-east-1',
+      },
     })
   }
 

integration-tests/test/eth-l2/teleportation.spec.ts

@@ -26,7 +26,6 @@ import {
   historyDataRepository,
 } from '@boba/teleportation/src/data-source'
 import { OptimismEnv } from './shared/env'
-import { getContractFactory, predeploys } from '@eth-optimism/contracts'
 
 describe('teleportation', () => {
   let env: OptimismEnv
@@ -146,14 +145,21 @@ describe('teleportation', () => {
       teleportationAddress: useBnb
         ? TeleportationBNB.address
         : Teleportation.address,
-      disburserWallet: wallet1,
       selectedBobaChains: useBnb ? selectedBobaChainsBnb : selectedBobaChains,
       // only defined one other for the routing tests (so idx 0 = own origin network)
       ownSupportedAssets: useBnb
         ? selectedBobaChains[0].supportedAssets
         : selectedBobaChainsBnb[0].supportedAssets,
       pollingInterval,
       blockRangePerPolling,
+      awsConfig: {
+        // Default values for local kms endpoint
+        awsKmsAccessKey: process.env.TELEPORTATION_AWS_KMS_ACCESS_KEY ?? '1',
+        awsKmsSecretKey: process.env.TELEPORTATION_AWS_KMS_SECRET_KEY ?? '2',
+        awsKmsKeyId: process.env.TELEPORTATION_AWS_KMS_KEY_ID ?? '3',
+        awsKmsEndpoint: process.env.TELEPORTATION_AWS_KMS_ENDPOINT ?? 'http://kms:8888/',
+        awsKmsRegion: process.env.TELEPORTATION_AWS_KMS_REGION ?? 'us-east-1',
+      },
     })
   }
 

ops/.env-template

@@ -1,4 +1,7 @@
-# Encrypted Disburser Key
-TELEPORTATION_DISBURSER_KEY_ENC=
-# Disburser Key AWS ID
-TELEPORTATION_DISBURSER_KEY_AWS_ID=
+# Config works for integration tests
+TELEPORTATION_AWS_KMS_ACCESS_KEY=1
+TELEPORTATION_AWS_KMS_SECRET_KEY=2
+TELEPORTATION_AWS_KMS_KEY_ID=3
+# Prod endpoints: https://docs.aws.amazon.com/general/latest/gr/kms.html
+TELEPORTATION_AWS_KMS_ENDPOINT=http://kms:8888/
+TELEPORTATION_AWS_KMS_REGION=us-east-1

ops/docker-compose-avalanche-side.yml

@@ -109,6 +109,13 @@ services:
       target: teleportation
     deploy:
       replicas: 0
+    environment:
+      # KMS setup (incl. defaults)
+      TELEPORTATION_AWS_KMS_ACCESS_KEY: "${TELEPORTATION_AWS_KMS_ACCESS_KEY:-1}"
+      TELEPORTATION_AWS_KMS_SECRET_KEY: "${TELEPORTATION_AWS_KMS_SECRET_KEY:-2}"
+      TELEPORTATION_AWS_KMS_KEY_ID: "${TELEPORTATION_AWS_KMS_KEY_ID:-3}"
+      TELEPORTATION_AWS_KMS_ENDPOINT: "${TELEPORTATION_AWS_KMS_ENDPOINT:-http://kms:8888/}"
+      TELEPORTATION_AWS_KMS_REGION: "${TELEPORTATION_AWS_KMS_REGION:-us-east-1}"
 
   teleportation_db:
     image: postgres

ops/docker-compose-bnb-side.yml

@@ -109,6 +109,13 @@ services:
       target: teleportation
     deploy:
       replicas: 0
+    environment:
+      # KMS setup (incl. defaults)
+      TELEPORTATION_AWS_KMS_ACCESS_KEY: "${TELEPORTATION_AWS_KMS_ACCESS_KEY:-1}"
+      TELEPORTATION_AWS_KMS_SECRET_KEY: "${TELEPORTATION_AWS_KMS_SECRET_KEY:-2}"
+      TELEPORTATION_AWS_KMS_KEY_ID: "${TELEPORTATION_AWS_KMS_KEY_ID:-3}"
+      TELEPORTATION_AWS_KMS_ENDPOINT: "${TELEPORTATION_AWS_KMS_ENDPOINT:-http://kms:8888/}"
+      TELEPORTATION_AWS_KMS_REGION: "${TELEPORTATION_AWS_KMS_REGION:-us-east-1}"
 
   teleportation_db:
     image: postgres

ops/docker-compose-fantom-side.yml

@@ -109,6 +109,13 @@ services:
       target: teleportation
     deploy:
       replicas: 0
+    environment:
+      # KMS setup (incl. defaults)
+      TELEPORTATION_AWS_KMS_ACCESS_KEY: "${TELEPORTATION_AWS_KMS_ACCESS_KEY:-1}"
+      TELEPORTATION_AWS_KMS_SECRET_KEY: "${TELEPORTATION_AWS_KMS_SECRET_KEY:-2}"
+      TELEPORTATION_AWS_KMS_KEY_ID: "${TELEPORTATION_AWS_KMS_KEY_ID:-3}"
+      TELEPORTATION_AWS_KMS_REGION: "${TELEPORTATION_AWS_KMS_REGION:-us-east-1}"
+      TELEPORTATION_AWS_KMS_ENDPOINT: "${TELEPORTATION_AWS_KMS_ENDPOINT:-http://kms:8888/}"
 
   teleportation_db:
     image: postgres

ops/docker-compose-moonbeam-side.yml

@@ -109,6 +109,13 @@ services:
       target: teleportation
     deploy:
       replicas: 0
+    environment:
+      # KMS setup (incl. defaults)
+      TELEPORTATION_AWS_KMS_ACCESS_KEY: "${TELEPORTATION_AWS_KMS_ACCESS_KEY:-1}"
+      TELEPORTATION_AWS_KMS_SECRET_KEY: "${TELEPORTATION_AWS_KMS_SECRET_KEY:-2}"
+      TELEPORTATION_AWS_KMS_KEY_ID: "${TELEPORTATION_AWS_KMS_KEY_ID:-3}"
+      TELEPORTATION_AWS_KMS_REGION: "${TELEPORTATION_AWS_KMS_REGION:-us-east-1}"
+      TELEPORTATION_AWS_KMS_ENDPOINT: "${TELEPORTATION_AWS_KMS_ENDPOINT:-http://kms:8888/}"
 
   teleportation_db:
     image: postgres

ops/docker-compose-side.yml

@@ -71,9 +71,12 @@ services:
     deploy:
       replicas: 0
     environment:
-      # TODO: Further compare KMS setup with BatchSubmitter
-      TELEPORTATION_DISBURSER_KEY_ID: "${TELEPORTATION_DISBURSER_KEY_ID}"
-      TELEPORTATION_DISBURSER_KEY_ENC: "${TELEPORTATION_DISBURSER_KEY_ENC}"
+      # KMS setup (incl. defaults)
+      TELEPORTATION_AWS_KMS_ACCESS_KEY: "${TELEPORTATION_AWS_KMS_ACCESS_KEY:-1}"
+      TELEPORTATION_AWS_KMS_SECRET_KEY: "${TELEPORTATION_AWS_KMS_SECRET_KEY:-2}"
+      TELEPORTATION_AWS_KMS_KEY_ID: "${TELEPORTATION_AWS_KMS_KEY_ID:-3}"
+      TELEPORTATION_AWS_KMS_REGION: "${TELEPORTATION_AWS_KMS_REGION:-us-east-1}"
+      TELEPORTATION_AWS_KMS_ENDPOINT: "${TELEPORTATION_AWS_KMS_ENDPOINT:-http://kms:8888/}"
 
   teleportation_db:
     image: postgres

ops/seed-avalanche.yaml

@@ -11,10 +11,18 @@ Keys:
           KeyUsage: SIGN_VERIFY
           Description: ECC key for PROPOSER with curve secp256k1
         PrivateKeyHex: 67f8f3c9fa467b28ead9e08c4e78d089166ebe871f482330860d1c71f613de9e
+      - Metadata:
+          KeyId: 3
+          KeyUsage: SIGN_VERIFY
+          Description: Teleportation disburser key
+        PrivateKeyHex: ee7fa2988cf373f3f6b96e622e740734f5b6a969435f037c7f4f58feea419437
 
 Aliases:
   - AliasName: alias/0x91ef3b19cdb344c5010358718e9347dd5cb2f362
     TargetKeyId: 0x91ef3b19cdb344c5010358718e9347dd5cb2f362
 
   - AliasName: alias/0xf31ca20d67bf4e3ddb4d7546c4a0983f3fa6ffea
     TargetKeyId: 0xf31ca20d67bf4e3ddb4d7546c4a0983f3fa6ffea
+
+  - AliasName: alias/3
+    TargetKeyId: 3

ops/seed-bnb.yaml

@@ -11,10 +11,18 @@ Keys:
           KeyUsage: SIGN_VERIFY
           Description: ECC key for PROPOSER with curve secp256k1
         PrivateKeyHex: c484de1ef84e998869d59752d1f09bffa161673d54250ea152ec82d684e2f154
+      - Metadata:
+          KeyId: 3
+          KeyUsage: SIGN_VERIFY
+          Description: Teleportation disburser key
+        PrivateKeyHex: 81f43b0303746bfacbaae64947850e86deca412d3b39b1f8d3c89bf483d615f3
 
 Aliases:
   - AliasName: alias/0x91ef3b19cdb344c5010358718e9347dd5cb2f362
     TargetKeyId: 0x91ef3b19cdb344c5010358718e9347dd5cb2f362
 
   - AliasName: alias/0xf31ca20d67bf4e3ddb4d7546c4a0983f3fa6ffea
     TargetKeyId: 0xf31ca20d67bf4e3ddb4d7546c4a0983f3fa6ffea
+
+  - AliasName: alias/3
+    TargetKeyId: 3

ops/seed-fantom.yaml

@@ -11,10 +11,18 @@ Keys:
           KeyUsage: SIGN_VERIFY
           Description: ECC key for PROPOSER with curve secp256k1
         PrivateKeyHex: 154f06858ef1600eddc8c2e10ca995569363b056fc0fdd56cfd1186b557ef1c8
+      - Metadata:
+          KeyId: 3
+          KeyUsage: SIGN_VERIFY
+          Description: Teleportation disburser key
+        PrivateKeyHex: c526ee95bf44d8fc405a158bb884d9d1238d99f0612e9f33d006bb0789009aaa
 
 Aliases:
   - AliasName: alias/0x6236C601FfD52c4793e3B49B15bcdc1137E6339D
     TargetKeyId: 0x6236C601FfD52c4793e3B49B15bcdc1137E6339D
 
   - AliasName: alias/0x814B1fac2aE5AbBf40Bb289b263ED4c367C50AA9
     TargetKeyId: 0x814B1fac2aE5AbBf40Bb289b263ED4c367C50AA9
+
+  - AliasName: alias/3
+    TargetKeyId: 3

ops/seed-moonbeam.yaml

@@ -11,10 +11,18 @@ Keys:
           KeyUsage: SIGN_VERIFY
           Description: ECC key for PROPOSER with curve secp256k1
         PrivateKeyHex: 0b6e18cafb6ed99687ec547bd28139cafdd2bffe70e6b688025de6b445aa5c5b
+      - Metadata:
+          KeyId: 3
+          KeyUsage: SIGN_VERIFY
+          Description: Teleportation disburser key
+        PrivateKeyHex: c526ee95bf44d8fc405a158bb884d9d1238d99f0612e9f33d006bb0789009aaa
 
 Aliases:
   - AliasName: alias/0x70997970c51812dc3a010c7d01b50e0d17dc79c8
     TargetKeyId: 0x70997970c51812dc3a010c7d01b50e0d17dc79c8
 
   - AliasName: alias/0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc
     TargetKeyId: 0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc
+
+  - AliasName: alias/3
+    TargetKeyId: 3

ops/seed.yaml

@@ -11,10 +11,18 @@ Keys:
           KeyUsage: SIGN_VERIFY
           Description: ECC key for PROPOSER with curve secp256k1
         PrivateKeyHex: 5de4111afa1a4b94908f83103eb1f1706367c2e68ca870fc3fb9a804cdab365a
+      - Metadata:
+          KeyId: 3
+          KeyUsage: SIGN_VERIFY
+          Description: Teleportation disburser key
+        PrivateKeyHex: c526ee95bf44d8fc405a158bb884d9d1238d99f0612e9f33d006bb0789009aaa
 
 Aliases:
   - AliasName: alias/0x70997970c51812dc3a010c7d01b50e0d17dc79c8
     TargetKeyId: 0x70997970c51812dc3a010c7d01b50e0d17dc79c8
 
   - AliasName: alias/0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc
     TargetKeyId: 0x3c44cdddb6a900fa2b585dd299e03d12fa4293bc
+
+  - AliasName: alias/3
+    TargetKeyId: 3

packages/boba/contracts/src/hardhat-deploy-ethers.ts

@@ -112,8 +112,11 @@ export const deployBobaContract = async (
 export const getBobaContractAt = async (
   name: string,
   address: string,
-  signer: any
+  signer?: any
 ) => {
+  if (!signer) {
+    return new Contract(address, getContractArtifact(name).abi)
+  }
   return new Contract(address, getContractArtifact(name).abi, signer)
 }
 

packages/boba/teleportation/.env.example

@@ -1,10 +1,13 @@
 L2_NODE_WEB3_URL=
-TELEPORTATION_DISBURSER_KEY=
-# Optional
-TELEPORTATION_POLLING_INTERVAL=
-TELEPORTATION_BLOCK_RANGE_PER_POLLING=
 TELEPORTATION_POSTGRES_PASSWORD=abcdef
 TELEPORTATION_POSTGRES_DB_HOST=teleportation_db
 TELEPORTATION_POSTGRES_DB=postgres
 TELEPORTATION_POSTGRES_PORT=5432
 TELEPORTATION_POSTGRES_USER=postgres
+TELEPORTATION_AWS_KMS_ACCESS_KEY=
+TELEPORTATION_AWS_KMS_SECRET_KEY=
+TELEPORTATION_AWS_KMS_KEY_ID=
+# Optional
+TELEPORTATION_POLLING_INTERVAL=
+TELEPORTATION_BLOCK_RANGE_PER_POLLING=
+

packages/boba/teleportation/package.json

@@ -35,10 +35,16 @@
       "typescript": "4.5.2"
    },
    "dependencies": {
+      "@aws-sdk/client-kms": "^3.363.0",
       "@eth-optimism/common-ts": "0.2.2",
       "@eth-optimism/contracts": "0.5.11",
+      "@ethersproject/keccak256": "^5.7.0",
+      "asn1.js": "^5.4.1",
       "bcfg": "^0.1.6",
+      "bn.js": "^5.2.1",
       "dotenv": "^8.6.0",
+      "ethereumjs-tx": "^2.1.2",
+      "ethereumjs-util": "^7.1.5",
       "ethers": "^5.5.4",
       "lodash": "^4.17.21",
       "pg": "^8.4.0",

packages/boba/teleportation/src/exec/run.ts

@@ -40,9 +40,25 @@ const main = async () => {
   const L2_NODE_WEB3_URL = config.str('l2-node-web3-url', env.L2_NODE_WEB3_URL)
   // This private key is used to send funds to the contract and initiate the tx,
   // so it should have enough BOBA balance
-  const TELEPORTATION_DISBURSER_KEY = config.str(
-    'teleportation-disburser-key',
-    env.TELEPORTATION_DISBURSER_KEY
+  const TELEPORTATION_AWS_KMS_ACCESS_KEY = config.str(
+    'teleportation-aws-kms-access-key',
+    env.TELEPORTATION_AWS_KMS_ACCESS_KEY
+  )
+  const TELEPORTATION_AWS_KMS_SECRET_KEY = config.str(
+    'teleportation-aws-kms-secret-key',
+    env.TELEPORTATION_AWS_KMS_SECRET_KEY
+  )
+  const TELEPORTATION_AWS_KMS_KEY_ID = config.str(
+    'teleportation-aws-kms-key-id',
+    env.TELEPORTATION_AWS_KMS_KEY_ID
+  )
+  const TELEPORTATION_AWS_KMS_REGION = config.str(
+    'teleportation-aws-kms-region',
+    env.TELEPORTATION_AWS_KMS_REGION
+  )
+  const TELEPORTATION_AWS_KMS_ENDPOINT = config.str(
+    'teleportation-aws-kms-endpoint',
+    env.TELEPORTATION_AWS_KMS_ENDPOINT
   )
 
   // Optional
@@ -58,12 +74,17 @@ const main = async () => {
   if (!L2_NODE_WEB3_URL) {
     throw new Error('Must pass L2_NODE_WEB3_URL')
   }
-  if (!TELEPORTATION_DISBURSER_KEY) {
-    throw new Error('Must pass TELEPORTATION_DISBURSER_KEY')
+  if (
+    !TELEPORTATION_AWS_KMS_ACCESS_KEY ||
+    !TELEPORTATION_AWS_KMS_SECRET_KEY ||
+    !TELEPORTATION_AWS_KMS_KEY_ID ||
+    !TELEPORTATION_AWS_KMS_ENDPOINT ||
+    !TELEPORTATION_AWS_KMS_REGION
+  ) {
+    throw new Error('Must pass TELEPORTATION AWS CONFIG ENV')
   }
 
   const l2Provider = new providers.StaticJsonRpcProvider(L2_NODE_WEB3_URL)
-  const disburserWallet = new Wallet(TELEPORTATION_DISBURSER_KEY, l2Provider)
 
   // get all boba chains and exclude the current chain
   const chainId = (await l2Provider.getNetwork()).chainId
@@ -90,11 +111,17 @@ const main = async () => {
     l2RpcProvider: l2Provider,
     chainId,
     teleportationAddress: TELEPORTATION_ADDRESS,
-    disburserWallet,
     selectedBobaChains,
     ownSupportedAssets: originSupportedAssets,
     pollingInterval: POLLING_INTERVAL,
     blockRangePerPolling: BLOCK_RANGE_PER_POLLING,
+    awsConfig: {
+      awsKmsAccessKey: TELEPORTATION_AWS_KMS_ACCESS_KEY,
+      awsKmsSecretKey: TELEPORTATION_AWS_KMS_SECRET_KEY,
+      awsKmsKeyId: TELEPORTATION_AWS_KMS_KEY_ID,
+      awsKmsRegion: TELEPORTATION_AWS_KMS_REGION,
+      awsKmsEndpoint: TELEPORTATION_AWS_KMS_ENDPOINT
+    },
   })
 
   await service.start()