leonardoalt / fusion

An experimental progressive and fast zkRollup written in Rust, focused on performance, modularity, and applying cutting-edge Verifiable Computation proof systems.
GNU General Public License v3.0

Initial idea of deposit function to L1 contract #59

Closed r0qs closed 1 year ago

r0qs commented 1 year ago

This PR can eventually fix https://github.com/trollup/trollup/issues/12, but requires some design discussions ;)

On second thought about my initial approach (which I started to implement here), I actually think we need a Merkle tree of on-chain deposits as well, so the Merkle path can be verified inside the circuit, i.e., there is a path from a leaf (e.g. poseidon(to.id, tx.value, deposit_counter)) to the depositRoot. Then the circuit computes the new L2 state using the zero address as sender and minting the tx.value in L2.

In the contract we check if this deposit was not minted yet (we should also keep a map of nullifiers to mark minted deposits). The leaf hash could be the nullifier in this case (assuming that only the contract increments the counter and it always does that at every deposit). So, the withdraw would be only allowed from minted deposits that exist for the latest deposit root (which can also be checked in the circuit), and the contract would mark them as consumed/used after receiving a withdraw block. Thus a deposit would have 3 states (none, minted, used) or something like that.
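
A sketch of the deposit lifecycle proposed in the comment above, added here as an illustration and not taken from this PR or from the project's code: a Merkle tree of deposits, the leaf hash reused as the nullifier, and the none/minted/used states. Assumptions: `Bridge`, `State`, `verify` and the method names are hypothetical, std's `DefaultHasher` stands in for Poseidon, the append-only leaf index plays the role of `deposit_counter`, and the contract-side and circuit-side checks are folded into one struct.

```rust
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};
// Stand-in for Poseidon (assumption, NOT cryptographic): std SipHash, no crates needed.
fn h(parts: &[u64]) -> u64 {
    let mut s = DefaultHasher::new();
    parts.hash(&mut s);
    s.finish()
}
enum State { Minted, Used } // a leaf absent from the map is in state "none"
#[derive(Default)]
struct Bridge { leaves: Vec<u64>, state: HashMap<u64, State> }

// The in-circuit check: hash from the leaf up its sibling path to depositRoot.
fn verify(leaf: u64, idx: usize, path: &[u64], root: u64) -> bool {
    let up = |(acc, i): (u64, usize), &sib: &u64| {
        (if i % 2 == 0 { h(&[acc, sib]) } else { h(&[sib, acc]) }, i / 2)
    };
    path.iter().fold((leaf, idx), up).0 == root
}
impl Bridge {
    // Only this function appends, so the counter in each leaf is unique.
    fn deposit(&mut self, to: u64, value: u64) -> usize {
        self.leaves.push(h(&[to, value, self.leaves.len() as u64]));
        self.leaves.len() - 1
    }
    // Returns (depositRoot, sibling path of leaf `idx`); odd levels are padded with 0.
    fn root_and_path(&self, mut idx: usize) -> (u64, Vec<u64>) {
        let (mut level, mut path) = (self.leaves.clone(), Vec::new());
        while level.len() > 1 {
            level.resize(level.len() + level.len() % 2, 0);
            path.push(level.get(idx ^ 1).copied().unwrap_or(0));
            level = level.chunks(2).map(h).collect();
            idx /= 2;
        }
        (level.first().copied().unwrap_or(0), path)
    }
    // none -> minted: the leaf is recomputed from the claim and doubles as the nullifier.
    fn mint(&mut self, to: u64, value: u64, counter: usize, path: &[u64]) -> Result<u64, &'static str> {
        let leaf = h(&[to, value, counter as u64]);
        if !verify(leaf, counter, path, self.root_and_path(0).0) { return Err("not under depositRoot"); }
        if self.state.contains_key(&leaf) { return Err("already minted"); }
        self.state.insert(leaf, State::Minted);
        Ok(leaf)
    }
    // minted -> used: each minted deposit backs at most one withdrawal.
    fn withdraw(&mut self, leaf: u64) -> Result<(), &'static str> {
        let s = self.state.get_mut(&leaf).filter(|s| matches!(**s, State::Minted));
        s.map(|s| *s = State::Used).ok_or("not a minted deposit")
    }
}
```

Because `mint` derives the leaf from `(to, value, counter)` instead of accepting a leaf hash, a claim with an altered value fails the path check, and a repeated claim hits the nullifier map.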

leonardoalt commented 1 year ago

Superseded by https://github.com/trollup/trollup/pull/60