Layr-Labs
diff --git a/‎docs/multichain/destination/CertificateVerifier.md
Lines changed: 1 addition & 0 deletions b/‎docs/multichain/destination/CertificateVerifier.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/multichain/destination/OperatorTableUpdater.md
Lines changed: 215 additions & 0 deletions b/‎docs/multichain/destination/OperatorTableUpdater.md
Lines changed: 215 additions & 0 deletions
@@ -135,6 +135,7 @@ Verifies an ECDSA certificate by checking individual signatures from operators.
 * The certificate MUST NOT be stale (based on `maxStalenessPeriod`)
 * The root at `referenceTimestamp` MUST be valid (not disabled)
 * The operator table MUST exist for the `referenceTimestamp`
+* Signatures MUST be proper length
 * Signatures MUST be ordered by signer address (ascending)
 * All signers MUST be registered operators
 * Each signature MUST be valid
 
@@ -0,0 +1,215 @@
+## OperatorTableUpdater
+
+| File | Type | Proxy |
+| -------- | -------- |  -------- | 
+| [`OperatorTableUpdater.sol`](../../../src/contracts/multichain/OperatorTableUpdater.sol) | Singleton | Transparent Proxy |
+
+Libraries and Mixins:
+
+| File | Notes |
+| -------- | -------- |
+| [`OwnableUpgradeable.sol`](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/v4.9.0/contracts/access/OwnableUpgradeable.sol) | Access control |
+| [`SemVerMixin.sol`](../../../src/contracts/mixins/SemVerMixin.sol) | Versioning |
+| [`Merkle.sol`](../../../src/contracts/libraries/Merkle.sol) | Merkle proof verification |
+
+## Overview
+
+The `OperatorTableUpdater` is responsible for updating the `GlobalTableRoot` and updating operator tables from merkle proofs against the `GlobalTableRoot`. The contract is deployed on every destination chain. The contract maintains a set of valid global table roots that are confirmed by a designated global root confirmer set, and allows updating individual operator tables by providing merkle proofs against these roots.
+
+The contract supports both BN254 and ECDSA operator tables and routes updates to the appropriate certificate verifier based on the curve type.
+
+## Parameterization
+Upon initialization, the `globalRootConfirmerSet` (ie. `Generator`) is updated. This operatorSet is a *"shadow-operatorSet"*. It does not exist in the core protocol, does not have stake backing it, and is not transported to other chains via the multichain protocol. It can only be updated upon initialization or by a [privileged role](#updateglobalrootconfirmerset). This entity is the same across all destination chains. 
+
+* `GlobalRootConfirmerSet`, also known as the `Generator`, is an EigenLabs-run entity that signs off on `GlobalTableRoots`. The operatorSet is of size 1. 
+* `maxStalenessPeriod`: 0. Set to zero to confirm roots without updating the `globalConfirmerOperatorSet`. See [`CertificateVerifier`](./CertificateVerifier.md#overview) for specifics
+* `globalRootConfirmationThreshold`: 10000. The threshold in basis points required for global root confirmation. Since the operatorSet is of size 1 a single signature is needed
+* `referenceTimestamp`: A past timestamp at which the `globalRootConfirmerSet` is generated. This value is set to the initial `latestReferenceTimestamp` in the `OperatorTableUpdater. It is the same across all destination chains, even for destination chains that are supported after the initial deployment
+
+
+---
+
+## Global Root Confirmation
+
+Global table roots must be confirmed by the `globalRootConfirmerSet` (ie. `Generator`) before operator tables can be updated against them.
+
+### `confirmGlobalTableRoot`
+
+```solidity
+/**
+ * @notice Confirms Global operator table root
+ * @param globalTableRootCert certificate of the root
+ * @param globalTableRoot merkle root of all operatorSet tables
+ * @param referenceTimestamp timestamp of the root
+ * @param referenceBlockNumber block number of the root
+ * @dev Any entity can submit with a valid certificate signed off by the `globalRootConfirmerSet`
+ * @dev The `msgHash` in the `globalOperatorTableRootCert` is the hash of the `globalOperatorTableRoot`
+ */
+function confirmGlobalTableRoot(
+    BN254Certificate calldata globalTableRootCert,
+    bytes32 globalTableRoot,
+    uint32 referenceTimestamp,
+    uint32 referenceBlockNumber
+) external;
+```
+
+Confirms a new global table root by verifying a BN254 certificate signed by the `globalRootConfirmerSet`. See [`BN254CertificateVerifier`](./CertificateVerifier.md#bn254certificateverifier) for certificate verification. Roots are append only and cannot be overridden, only [disabled](#disableroot). 
+
+*Effects*:
+* Updates `_latestReferenceTimestamp` to the new `referenceTimestamp`
+* Sets `_referenceBlockNumbers[referenceTimestamp]` to `referenceBlockNumber`
+* Sets `_referenceTimestamps[referenceBlockNumber]` to `referenceTimestamp`
+* Sets `_globalTableRoots[referenceTimestamp]` to `globalTableRoot`
+* Sets `_isRootValid[globalTableRoot]` to `true`
+* Emits a `NewGlobalTableRoot` event
+
+*Requirements*:
+* The `referenceTimestamp` MUST NOT be in the future
+* The `referenceTimestamp` MUST be greater than `_latestReferenceTimestamp`
+* The certificate's `messageHash` MUST match the expected EIP-712 hash
+* The certificate MUST be valid according to the `globalRootConfirmationThreshold`
+
+---
+
+## Operator Table Updates
+
+Once a global root is confirmed, individual operator tables can be updated by providing merkle proofs against the root. 
+
+### `updateOperatorTable`
+
+```solidity
+/**
+ * @notice Updates an operator table
+ * @param referenceTimestamp the reference block number of the globalTableRoot
+ * @param globalTableRoot the new globalTableRoot
+ * @param operatorSetIndex the index of the given operatorSet being updated
+ * @param proof the proof of the leaf at index against the globalTableRoot
+ * @param operatorTableBytes the bytes of the operator table
+ * @dev Depending on the decoded KeyType, the tableInfo will be decoded
+ */
+function updateOperatorTable(
+    uint32 referenceTimestamp,
+    bytes32 globalTableRoot,
+    uint32 operatorSetIndex,
+    bytes calldata proof,
+    bytes calldata operatorTableBytes
+) external;
+```
+
+Updates an operator table by verifying its inclusion in a confirmed global table root via merkle proof. The function decodes the operator table data and routes the update to the appropriate certificate verifier based on the curve type.
+
+*Effects*:
+* For BN254 operator sets:
+  * Calls `bn254CertificateVerifier.updateOperatorTable` with the decoded operator info
+* For ECDSA operator sets:
+  * Calls `ecdsaCertificateVerifier.updateOperatorTable` with the decoded operator info
+
+*Requirements*:
+* The `globalTableRoot` MUST be valid (not disabled)
+* The `referenceTimestamp` MUST be greater than the latest timestamp for the operator set
+* The merkle proof MUST verify the operator table's inclusion in the global root
+* The `globalTableRoot` at `referenceTimestamp` MUST match the provided root
+* Meets all requirements in [`ecdsaCertificateVerifier.updateOperatorTable`](./CertificateVerifier.md#updateoperatortable) or [`bn254CertificateVerifier.updateOperatorTable`](./CertificateVerifier.md#updateoperatortable-1)
+
+---
+
+## System Configuration
+
+The `owner` can configure the `globalRootConfirmerSet` and confirmation parameters.
+
+### `setGlobalRootConfirmerSet`
+
+```solidity
+/**
+ * @notice Set the operatorSet which certifies against global roots
+ * @param operatorSet the operatorSet which certifies against global roots
+ * @dev The `operatorSet` is used to verify the certificate of the global table root
+ * @dev Only callable by the owner of the contract
+ */
+function setGlobalRootConfirmerSet(
+    OperatorSet calldata operatorSet
+) external;
+```
+
+Updates the operator set responsible for confirming global table roots.
+
+*Effects*:
+* Updates `_globalRootConfirmerSet` to the new `operatorSet`
+* Emits a `GlobalRootConfirmerSetUpdated` event
+
+*Requirements*:
+* Caller MUST be the `owner`
+
+### `setGlobalRootConfirmationThreshold`
+
+```solidity
+/**
+ * @notice The threshold, in bps, for a global root to be signed off on and updated
+ * @param bps The threshold in basis points
+ * @dev Only callable by the owner of the contract
+ */
+function setGlobalRootConfirmationThreshold(
+    uint16 bps
+) external;
+```
+
+Sets the stake proportion threshold required for confirming global table roots.
+
+*Effects*:
+* Updates `globalRootConfirmationThreshold` to `bps`
+* Emits a `GlobalRootConfirmationThresholdUpdated` event
+
+*Requirements*:
+* Caller MUST be the `owner`
+* `bps` MUST NOT exceed `MAX_BPS` (10000)
+
+### `disableRoot`
+
+```solidity
+/**
+ * @notice Disables a global table root
+ * @param globalTableRoot the global table root to disable
+ * @dev Only callable by the owner of the contract
+ */
+function disableRoot(
+    bytes32 globalTableRoot
+) external;
+```
+
+Disables a global table root, preventing further operator table updates against it. This function also prevents the `CertificateVerifier` from verifying certificates. The function is intended to prevent a malicious or invalid root from being used by downstream consumers. 
+
+*Effects*:
+* Sets `_isRootValid[globalTableRoot]` to `false`
+* Emits a `GlobalRootDisabled` event
+
+*Requirements*:
+* Caller MUST be the `owner`
+* The `globalTableRoot` MUST exist and be currently valid
+
+### `updateGlobalRootConfirmerSet`
+
+```solidity
+/**
+ * @notice Updates the operator table for the global root confirmer set
+ * @param referenceTimestamp The reference timestamp of the operator table update
+ * @param globalRootConfirmerSetInfo The operatorSetInfo for the global root confirmer set
+ * @param globalRootConfirmerSetConfig The operatorSetConfig for the global root confirmer set
+ * @dev We have a separate function for updating this operatorSet since it's not transported and updated
+ *      in the same way as the other operatorSets
+ * @dev Only callable by the owner of the contract
+ */
+function updateGlobalRootConfirmerSet(
+    uint32 referenceTimestamp,
+    BN254OperatorSetInfo calldata globalRootConfirmerSetInfo,
+    OperatorSetConfig calldata globalRootConfirmerSetConfig
+) external;
+```
+
+Updates the operator table for the `globalRootConfirmerSet` itself. This operatorSet is a ["shadow-operatorSet"](#parameterization), so it must be updated manually
+
+*Effects*:
+* Calls `bn254CertificateVerifier.updateOperatorTable` for the `globalRootConfirmerSet`
+
+*Requirements*:
+* Caller MUST be the `owner`
+* Meet all requirements in [`bn254CertificateVerifier.updateOperatorTable`](../destination/CertificateVerifier.md#updateoperatortable-1)