add galileo CodecV9

[georgehao]

Purpose or design rationale of this PR

This PR adds CodecV9 for Galileo. This codec is identical with CodecV8, except that it uses version 9 in both the batch header and blob envelope.

PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

• feat: A new feature

Breaking change label

Does this PR have the breaking-change label?

• No, this PR is not a breaking change
• Yes

Summary by CodeRabbit

• New Features

  • Adds Codec V9 support (selected when Galileo hardfork is active), including V9-aware compression, blob construction, and L1 commit size estimation for batches/chunks.

• Tests

  • Adds tests verifying Codec V9 selection and mapping, plus an error case for a future version.

• Chores

  • Bumps Go toolchain to 1.22 and refreshes cryptography/KZG-related dependencies; updates testify to v1.10.0.

[coderabbitai]

Walkthrough

Adds CodecV9 support: a new DACodecV9 type embedding DACodecV8, V9-specific compression/compatibility/blob construction and size-estimation logic, updates codec selection to return V9 when Galileo is active, expands DA compatibility checks for V9, updates tests, and bumps Go/tooling and crypto/KZG dependencies.

Changes

Cohort / File(s)	Summary
New codec type & constructor encoding/codecv9.go	Adds type DACodecV9 struct { DACodecV8 } and func NewDACodecV9() *DACodecV9. Implements V9 overrides: compression compatibility checks, blob construction, NewDABatch, and size-estimation helpers tied to CodecV9.
Codec version enum & factories encoding/interfaces.go, encoding/interfaces_test.go	Adds CodecV9 constant; CodecFromVersion returns NewDACodecV9() for V9; CodecFromConfig now selects V9 when Galileo is active. Tests updated to include V9 and related config cases.
DA hardfork / compatibility logic encoding/da.go	Adds checkCompressedDataCompatibilityV9, treats Galileo as hardfork name, returns CodecV9 post-Galileo, and wires V9 into chunk/batch compression gating and compatibility checks.
Dependency/tooling updates go.mod	Bumps Go toolchain to 1.22; updates go-ethereum, testify; adds/updates KZG and crypto-related transitive dependencies (e.g., go-eth-kzg, c-kzg-4844, gnark-crypto, blst, x/crypto, x/sync, bitset).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Config as Config
  participant Factory as CodecFromConfig
  participant ForkCheck as IsGalileo
  participant V9 as NewDACodecV9
  participant V8 as NewDACodecV8

  Config->>Factory: request codec for blockTimestamp
  Factory->>ForkCheck: IsGalileo(blockTimestamp)?
  alt Galileo active
    ForkCheck-->>Factory: true
    Factory->>V9: return NewDACodecV9()
    V9-->>Factory: *DACodecV9 instance*
  else Galileo not active
    ForkCheck-->>Factory: false
    Factory->>V8: evaluate other forks -> NewDACodecV8()
    V8-->>Factory: *DACodecV8 instance*
  end

Loading

sequenceDiagram
  autonumber
  participant Caller as NewDABatch caller
  participant Codec as DACodecV9
  participant Compressor as Compressor/Zstd
  participant Blob as BlobBuilder

  Caller->>Codec: NewDABatch(batch)
  Codec->>Codec: validate batch non-empty & consistency
  Codec->>Compressor: compress payload (maybe)
  alt compression compatible
    Compressor-->>Codec: compressed payload
    Codec->>Blob: constructBlob(metadata, compressed)
    Blob-->>Codec: canonical blob, commit, versioned hash
    Codec-->>Caller: DABatch with blob, commitment, hash
  else incompatible
    Compressor-->>Codec: indicate not compatible / skip
    Codec->>Blob: constructBlob(uncompressed)
    Codec-->>Caller: DABatch with uncompressed blob
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Areas needing extra attention:
  • encoding/codecv9.go: correctness of embedded initialization, forcedVersion wiring, and correctness of V9-specific compression gating and size calculations.
  • encoding/da.go: full correctness of new checkCompressedDataCompatibilityV9 (RLE/zstd handling, bounds, last-block checks).
  • go.mod: KZG/crypto dependency bumps may require verification in build/test environment.
  • encoding/interfaces.go and tests: ensure codec-selection logic matches intended hardfork timing and test coverage.

Possibly related PRs

• fix: consider RLE blocks in zstd compatibility check #64 — Related changes to compressed-data compatibility checks and RLE/zstd handling (overlaps with V9 compatibility additions).
• feat(CodecV7): add CodecV7 to support upgrade 5.2 Euclid phase2 #33 — Adds new codec version types and updates codec selection/hardfork routing (overlaps factory/hardfork changes).
• fix: check v7 batch compressed data compatibility #52 — Introduces version-specific compressed-data compatibility checks similar in nature to V9 wiring.

Suggested reviewers

• jonastheis
• colinlyguo
• Thegaram

Poem

🐰
A ninth codec hops in, neat and spry,
Embeds the eighth and aims up high.
Galileo whistles — compress or not,
Blobs are built, commitments got.
Hop, hop, code onward — carrot stockpile nigh! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'add galileo CodecV9' lacks the required conventional commit type prefix and is not sufficiently specific about the primary change.	Update the title to follow conventional commits format (e.g., 'feat: add CodecV9 codec for Galileo hardfork') to meet the repository's squash-merge requirements.
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.73% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description includes the required template sections with 'feat' type properly selected and breaking-change status confirmed, providing adequate context.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/galileo1

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ea6bf2 and 7861003.

📒 Files selected for processing (2)

• encoding/codecv9.go (1 hunks)
• encoding/da.go (5 hunks)

🧰 Additional context used

🧠 Learnings (14)

📓 Common learnings

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/interfaces.go:95-108
Timestamp: 2024-10-17T04:13:14.579Z
Learning: In the `CodecFromConfig` function in the Go `encoding/interfaces.go` file, if none of the chain configuration conditions match, it's acceptable to default to returning `&DACodecV0{}` because, in the current logic, we can only deduce the codec version as the function implements, and the logic is complete.

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0.go:387-401
Timestamp: 2024-10-17T05:40:03.610Z
Learning: In `DACodecV0`, methods like `EstimateChunkL1CommitBatchSizeAndBlobSize`, `EstimateBatchL1CommitBatchSizeAndBlobSize`, and `JSONFromBytes` are intentionally left as no-ops (returning zero or nil) to maintain a consistent interface across codecs and prevent the caller from needing conditional logic.

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1_types.go:105-116
Timestamp: 2024-10-18T03:40:09.800Z
Learning: The code in `encoding/codecv1_types.go`, specifically the `Encode` method in `daBatchV1`, has been updated. Previous comments regarding hardcoded byte offsets may be outdated.

📚 Learning: 2024-10-18T03:40:09.800Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1_types.go:105-116
Timestamp: 2024-10-18T03:40:09.800Z
Learning: The code in `encoding/codecv1_types.go`, specifically the `Encode` method in `daBatchV1`, has been updated. Previous comments regarding hardcoded byte offsets may be outdated.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-17T05:40:03.610Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0.go:387-401
Timestamp: 2024-10-17T05:40:03.610Z
Learning: In `DACodecV0`, methods like `EstimateChunkL1CommitBatchSizeAndBlobSize`, `EstimateBatchL1CommitBatchSizeAndBlobSize`, and `JSONFromBytes` are intentionally left as no-ops (returning zero or nil) to maintain a consistent interface across codecs and prevent the caller from needing conditional logic.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-17T04:13:14.579Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/interfaces.go:95-108
Timestamp: 2024-10-17T04:13:14.579Z
Learning: In the `CodecFromConfig` function in the Go `encoding/interfaces.go` file, if none of the chain configuration conditions match, it's acceptable to default to returning `&DACodecV0{}` because, in the current logic, we can only deduce the codec version as the function implements, and the logic is complete.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-17T08:49:05.064Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv2.go:222-223
Timestamp: 2024-10-17T08:49:05.064Z
Learning: In the function `NewDABatchFromBytes` in `encoding/codecv2.go`, the assignments of `parentBatchHash` and `blobVersionedHash` are correct as implemented.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-17T07:33:28.436Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv2.go:0-0
Timestamp: 2024-10-17T07:33:28.436Z
Learning: In `encoding/codecv2.go`, the `constructBlobPayload` function should remain as is; prefer to keep it without refactoring or additional optimizations.

Applied to files:

• encoding/codecv9.go

📚 Learning: 2024-10-17T04:15:29.946Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv3.go:90-107
Timestamp: 2024-10-17T04:15:29.946Z
Learning: In the function `NewDABatchFromBytes` in `encoding/codecv3.go`, the code already checks that `len(data) == 193` before slicing, so additional length checks are unnecessary.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-16T18:43:44.520Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv2.go:38-47
Timestamp: 2024-10-16T18:43:44.520Z
Learning: In the `DecodeTxsFromBlob` method in `encoding/codecv2.go`, the `compressedBytes` variable will not be empty, so additional error handling for empty `compressedBytes` is unnecessary.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-17T05:41:29.398Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1.go:152-239
Timestamp: 2024-10-17T05:41:29.398Z
Learning: The `constructBlobPayload` method in `encoding/codecv1.go` should remain as is; preferences are to keep it without refactoring or additional optimizations.

Applied to files:

• encoding/codecv9.go

📚 Learning: 2024-10-17T04:16:36.614Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv3.go:33-35
Timestamp: 2024-10-17T04:16:36.614Z
Learning: In the `NewDABatch` function in `encoding/codecv3.go`, it's acceptable for the last block in the last chunk to have no transactions.

Applied to files:

• encoding/codecv9.go

📚 Learning: 2024-10-17T08:47:58.627Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0_types.go:231-239
Timestamp: 2024-10-17T08:47:58.627Z
Learning: Constants like `daBatchV0OffsetSkippedL1MessageBitmap`, `daBatchOffsetVersion`, `daBatchV0OffsetL1MessagePopped`, and `daBatchOffsetDataHash` are defined in `da.go` file.

Applied to files:

• encoding/codecv9.go
• encoding/da.go

📚 Learning: 2024-10-16T18:17:33.741Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv4.go:307-310
Timestamp: 2024-10-16T18:17:33.741Z
Learning: In `encoding/codecv4.go`, including `batchBytes` and `blobBytes` in warning logs is acceptable for debugging purposes, as they do not contain sensitive information.

Applied to files:

• encoding/codecv9.go

📚 Learning: 2024-10-18T03:41:31.377Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1_types.go:152-154
Timestamp: 2024-10-18T03:41:31.377Z
Learning: In the `daBatchV1` struct, the `BlobBytes()` method is intentionally returning `nil`.

Applied to files:

• encoding/codecv9.go

📚 Learning: 2024-10-17T03:55:56.330Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1.go:96-100
Timestamp: 2024-10-17T03:55:56.330Z
Learning: The function `bytesFromBlobCanonical` returns `[maxEffectiveBlobBytes]byte` and does not return an error.

Applied to files:

• encoding/da.go

🧬 Code graph analysis (2)

encoding/codecv9.go (4)

encoding/codecv8.go (1)

• DACodecV8 (30-32)

encoding/interfaces.go (2)

• CompressScrollBatchBytes (153-156)
• DABatch (33-43)

encoding/codecv7.go (1)

• DACodecV7 (20-22)

encoding/da.go (4)

• Batch (119-129)
• CheckChunkCompressedDataCompatibility (859-865)
• Chunk (110-116)
• CheckBatchCompressedDataCompatibility (868-874)

encoding/da.go (1)

encoding/interfaces.go (6)

• CodecV8 (96-96)
• CodecV9 (97-97)
• CodecV4 (92-92)
• CodecV5 (93-93)
• CodecV6 (94-94)
• CodecV7 (95-95)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: tests

🔇 Additional comments (8)

encoding/da.go (3)

512-565: V9 compressed-data compatibility helper looks consistent and bounds-safe

The V9-specific parser correctly reuses the existing frame-header logic, adds handling for RLE blocks, and rejects the reserved block type while maintaining length checks and last-block validation. No issues spotted with indexing or loop termination.

---

809-856: Galileo hardfork and codec version mapping follow existing pattern

The added IsGalileo checks in GetHardforkName and GetCodecVersion preserve the “return previous era until the next flag turns true” pattern, mapping:

• pre‑Feynman: euclidV2 / CodecV6
• Feynman–pre‑Galileo: feynman / CodecV7/CodecV8
• Galileo and later: galileo / CodecV9

This sequencing looks coherent with the prior hardfork stages.

---

876-902: Compression enablement extended to CodecV9 in line with V4–V8

Including CodecV9 in the GetChunkEnableCompression and GetBatchEnableCompression switches and delegating to the shared compatibility helpers matches the behavior of V4–V8. The default case still guards against unknown codec versions.

encoding/codecv9.go (5)

29-40: DACodecV9 embedding and constructor wiring mirror existing codecs

Embedding DACodecV8 and initializing DACodecV7.forcedVersion with CodecV9 aligns with the V7/V8 pattern and should ensure Version() reports V9 while reusing existing behavior.

---

42-65: checkCompressedDataCompatibility override matches V9’s fallback semantics

This override reuses the existing compression routine, then runs the new checkCompressedDataCompatibilityV9 sanity check. Returning (nil, false, nil) on compatibility failure (with a warning log) cleanly disables compression without surfacing an error, which matches the comment that incompatible data should be committed uncompressed instead.

---

67-142: Blob construction and challenge digest computation are consistent with V7/V8

NewDABatch and constructBlob:

• Validate batch non‑emptiness and block/chunk consistency,
• Build the V7-style envelope (version byte, size, compressed flag + payload),
• Enforce maxEffectiveBlobBytes,
• Derive the KZG commitment and versioned blob hash using CalcBlobHashV1,
• Compute the challenge digest from the padded blob bytes and blob versioned hash.

This mirrors the established V7/V8 flow while swapping in the V9 compatibility helper; no correctness issues spotted.

---

144-181: Batch/chunk compressed-data checks correctly reuse the V9 helper

CheckChunkCompressedDataCompatibility constructs a minimal Batch wrapper around the chunk, and CheckBatchCompressedDataCompatibility reuses constructBlobPayload together with checkCompressedDataCompatibility(..., false) purely for a sanity check, as described in the comments. The error handling and early validation of empty Blocks mirror the other codec versions.

---

183-221: L1 commit / blob size estimation appears conservative and consistent

The estimation path reconstructs the blob payload, runs the V9 compatibility helper with length checking, and then:

• Uses blobEnvelopeV7OffsetPayload + len(payloadBytes) for the L1 commit batch size, and
• Uses calculatePaddedBlobSize(len(blobBytes)) for the actual blob storage size, where blobBytes includes the envelope and possibly compressed payload.

This yields a conservative estimate in the compressed case and matches the surrounding design; I don’t see any functional issues here.

If you want to double‑check behavior against V8, you can grep for estimateL1CommitBatchSizeAndBlobSize in the repo to confirm the semantics are intentionally identical.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b167b3f and 0225899.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• encoding/codecv9.go (1 hunks)
• encoding/interfaces.go (2 hunks)
• go.mod (1 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/interfaces.go:95-108
Timestamp: 2024-10-17T04:13:14.579Z
Learning: In the `CodecFromConfig` function in the Go `encoding/interfaces.go` file, if none of the chain configuration conditions match, it's acceptable to default to returning `&DACodecV0{}` because, in the current logic, we can only deduce the codec version as the function implements, and the logic is complete.

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1_types.go:105-116
Timestamp: 2024-10-18T03:40:09.800Z
Learning: The code in `encoding/codecv1_types.go`, specifically the `Encode` method in `daBatchV1`, has been updated. Previous comments regarding hardcoded byte offsets may be outdated.

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0.go:387-401
Timestamp: 2024-10-17T05:40:03.610Z
Learning: In `DACodecV0`, methods like `EstimateChunkL1CommitBatchSizeAndBlobSize`, `EstimateBatchL1CommitBatchSizeAndBlobSize`, and `JSONFromBytes` are intentionally left as no-ops (returning zero or nil) to maintain a consistent interface across codecs and prevent the caller from needing conditional logic.

📚 Learning: 2024-10-17T04:13:14.579Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/interfaces.go:95-108
Timestamp: 2024-10-17T04:13:14.579Z
Learning: In the `CodecFromConfig` function in the Go `encoding/interfaces.go` file, if none of the chain configuration conditions match, it's acceptable to default to returning `&DACodecV0{}` because, in the current logic, we can only deduce the codec version as the function implements, and the logic is complete.

Applied to files:

• encoding/interfaces.go
• go.mod
• encoding/codecv9.go

📚 Learning: 2024-10-18T03:40:09.800Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv1_types.go:105-116
Timestamp: 2024-10-18T03:40:09.800Z
Learning: The code in `encoding/codecv1_types.go`, specifically the `Encode` method in `daBatchV1`, has been updated. Previous comments regarding hardcoded byte offsets may be outdated.

Applied to files:

• encoding/interfaces.go
• go.mod
• encoding/codecv9.go

📚 Learning: 2024-10-17T05:40:03.610Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0.go:387-401
Timestamp: 2024-10-17T05:40:03.610Z
Learning: In `DACodecV0`, methods like `EstimateChunkL1CommitBatchSizeAndBlobSize`, `EstimateBatchL1CommitBatchSizeAndBlobSize`, and `JSONFromBytes` are intentionally left as no-ops (returning zero or nil) to maintain a consistent interface across codecs and prevent the caller from needing conditional logic.

Applied to files:

• encoding/interfaces.go
• go.mod
• encoding/codecv9.go

📚 Learning: 2024-10-17T08:47:58.627Z

Learnt from: colinlyguo
Repo: scroll-tech/da-codec PR: 25
File: encoding/codecv0_types.go:231-239
Timestamp: 2024-10-17T08:47:58.627Z
Learning: Constants like `daBatchV0OffsetSkippedL1MessageBitmap`, `daBatchOffsetVersion`, `daBatchV0OffsetL1MessagePopped`, and `daBatchOffsetDataHash` are defined in `da.go` file.

Applied to files:

• go.mod

🧬 Code graph analysis (2)

encoding/interfaces.go (1)

encoding/codecv9.go (1)

• NewDACodecV9 (7-14)

encoding/codecv9.go (3)

encoding/codecv8.go (1)

• DACodecV8 (30-32)

encoding/interfaces.go (1)

• CodecV9 (97-97)

encoding/codecv7.go (1)

• DACodecV7 (20-22)

🪛 OSV Scanner (2.2.4)

go.mod

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: Denial of service in message decoding in github.com/btcsuite/btcd

(GO-2022-1098)

---

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: Consensus failures in github.com/btcsuite/btcd

(GO-2024-2818)

---

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: Consensus failure in github.com/btcsuite/btcd

(GO-2024-3189)

---

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality

(GHSA-27vh-h6mc-q6g8)

---

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: btcd mishandles witness size checking

(GHSA-2chg-86hq-7w38)

---

[CRITICAL] 18-18: github.com/btcsuite/btcd 0.20.1-beta: btcd susceptible to consensus failures

(GHSA-3jgf-r68h-xfqm)

---

[HIGH] 20-20: github.com/consensys/gnark-crypto 0.16.0: Unchecked memory allocation during vector deserialization in github.com/consensys/gnark-crypto

(GO-2025-4087)

---

[HIGH] 20-20: github.com/consensys/gnark-crypto 0.16.0: gnark-crypto allows unchecked memory allocation during vector deserialization

(GHSA-fj2x-735w-74vq)

---

[HIGH] 35-35: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)

---

[HIGH] 35-35: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto/ssh/agent

(GO-2025-4116)

---

[HIGH] 35-35: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: tests

🔇 Additional comments (8)

encoding/codecv9.go (2)

3-5: LGTM! Clean codec inheritance pattern.

The struct definition correctly follows the established embedding pattern, inheriting all functionality from CodecV8.

---

7-14: Constructor is correctly implemented.

The NewDACodecV9() function properly initializes the codec with the correct version flag. The IsGalileo method is defined in the external github.com/scroll-tech/go-ethereum/params package and is actively used in the CodecFromConfig routing logic. No issues found.

encoding/interfaces.go (3)

97-97: LGTM! Correct enum extension.

The CodecV9 constant is properly added to the CodecVersion enum following the sequential pattern.

---

121-122: LGTM! Proper codec factory routing.

The CodecV9 case correctly returns NewDACodecV9() following the established pattern for codec instantiation.

---

130-132: LGTM! Correct chronological codec selection.

The IsGalileo check is properly positioned first to ensure the newest codec is selected when applicable, with the previous IsFeynman check correctly moved to the else-if branch.

go.mod (3)

3-3: Verify CI/CD compatibility with Go 1.22.

The toolchain upgrade to Go 1.22 looks appropriate. Ensure that all CI/CD pipelines and development environments support this version.

---

35-35: Update golang.org/x/crypto to a patched version compatible with go-ethereum.

The codebase does not directly import golang.org/x/crypto subpackages (only standard library crypto/sha256 and crypto/rand are used). However, golang.org/x/crypto v0.32.0 is pulled transitively by go-ethereum. GO-2025-3487 is patched in v0.35.0 and GO-2025-4116 is patched in v0.43.0.

Since SSH is not used directly in this codebase, verify whether go-ethereum's internal usage of x/crypto exposes either vulnerability and whether the current go-ethereum version (v1.10.14-0.20251113125950-906b730d541d) is compatible with the patched versions. If so, update go-ethereum to a version requiring a patched x/crypto, or explicitly upgrade x/crypto in go.mod if the go-ethereum constraint allows.

---

7-7: Verify that go-ethereum v1.10.14-0.20251113125950-906b730d541d includes the IsGalileo method.

The codebase calls chainCfg.IsGalileo(startBlockTimestamp) in encoding/interfaces.go:130 to select CodecV9 for Galileo support. However, this method must be provided by the go-ethereum dependency, and I cannot independently confirm it exists in the specified pseudo-version. Ensure this version includes the required IsGalileo method on params.ChainConfig and that the code compiles and runs correctly with the updated dependency.

[Thegaram]

Remember that we need to bump da-codec version in both rollup-relayer and l2geth (I think previously we forgot about l2geth).

[yiweichi]

blob-uploader depends on da-code as well, Do we already have plan to update blob-uploader here to support codecv9?

[yiweichi]

Nevermind, it's already covered on pr https://github.com/scroll-tech/scroll/pull/1752/files#diff-516f715f986f16ab3c638b2e3652d9bf4af757c33fd880a0964dea26c2d48f2dR1053.

[georgehao]

added in this pr scroll-tech/scroll#1752