fix: Make EVM Execution more robust

[Manav-Aggarwal]

Overview

• Use a mutex lock in EVM execution methods in EngineClient
• Call fork choice updated method correctly in EVM execution
• Add E2E test for running an EVM sequencer
• Refactor evm helper methods for use in e2e test
• Modify docker compose files to expose ws port and genesis json to include address for testing

Summary by CodeRabbit

• New Features

  • Introduced a new end-to-end test for the EVM aggregator, enabling comprehensive integration testing with a local data availability service, EVM node, and aggregator node.
  • Added helper utilities for automated testing of EVM interactions in Docker environments, including transaction creation, submission, and verification.
  • Enabled WebSocket support for the EVM node in Docker Compose configurations.
  • Added new accounts with balances to EVM genesis configurations.

• Bug Fixes

  • Improved transaction execution reliability by allowing invalid transactions to be skipped without crashing the node.

• Refactor

  • Simplified and modularized test setup by delegating container orchestration and transaction helpers to external functions.
  • Enhanced concurrency safety by tracking forkchoice block hashes with mutex protection.
  • Adjusted test assertions to better verify block height consistency.

• Chores

  • Updated and expanded dependencies across multiple modules to support enhanced testing, cloud, container, and telemetry features.
  • Added a new Go module for end-to-end testing with relevant dependencies and configuration.
  • Updated test scripts to support new build and test flows.
  • Updated example commands and environment variables to reflect new genesis hash values.

[coderabbitai]

Walkthrough

This update introduces new test helpers and an end-to-end test for the EVM aggregator, refactors EVM execution and test code to use external helpers, and expands dependency lists in several Go modules. The Makefile is updated to support the new test flow. No public APIs are removed; new helpers and fields are added.

Changes

Files / Groups	Change Summary
apps/evm/based/go.mod, apps/evm/single/go.mod	Significantly expanded indirect dependencies, including cloud SDKs, container tools, telemetry, cryptography, Kubernetes, and developer tooling. Some dependency versions updated. No removals or direct changes.
execution/evm/execution.go	Added mutex and block hash fields to EngineClient for concurrency; changed error handling in transaction execution; improved forkchoice state management; added clarifying comments.
execution/evm/execution_test.go	Refactored to remove embedded Docker/JWT setup; now uses external helpers for engine setup, transaction creation, and submission; removed related imports and package-level functions.
execution/evm/test_helpers.go	New file: Provides Docker-based Reth engine setup, JWT secret generation, transaction creation/submission, and block inclusion helpers for tests.
scripts/test.mk	Updated test-e2e target to depend on build-evm-single; test command now runs in test/e2e with new binary arguments; minor target signature changes.
test/e2e/evm_aggregator_e2e_test.go	New file: Adds an E2E test orchestrating aggregator, DA service, and EVM node, including transaction submission and block inclusion checks.
test/e2e/go.mod	New file: Declares new Go module for E2E tests with required dependencies and replace directives for local development.
apps/evm/single/chain/genesis.json, execution/evm/docker/chain/genesis.json	Added a new funded account entry with a specified balance to the genesis allocation.
apps/evm/single/docker-compose.yml, execution/evm/docker/docker-compose.yml	Enabled WebSocket support on port 8546 for the reth service; updated image version and environment variables in single app compose file; added WS flags in execution compose file.
apps/evm/single/README.md	Updated example command's --evm.genesis-hash flag to a new hash value.
node/single_sequencer_integration_test.go	Reversed inequality assertion comparing current block height and last recorded block height for consistency check.

Sequence Diagram(s)

sequenceDiagram
    participant Test as E2E Test
    participant Docker as Docker Compose
    participant Reth as Reth Engine
    participant Agg as Aggregator Node
    participant DA as DA Service

    Test->>Docker: Start Reth Engine container with JWT
    Docker->>Reth: Launch
    Test->>Agg: Start Aggregator Node (with flags)
    Agg->>DA: Connect to DA Service
    Test->>Reth: Submit Transaction (via JSON-RPC)
    Reth->>Agg: Block production
    Agg->>Test: Aggregator available
    Test->>Reth: Poll for transaction inclusion
    Reth->>Test: Transaction included in block

Loading

Possibly related PRs

• rollkit/rollkit#2249: Builds on the EVM execution client, adding concurrency, improved error handling, and refactoring test setup to external helpers—directly related to the changes in this PR.
• rollkit/rollkit#2324: Updates genesis hashes and configurations related to EVM genesis state, partially overlapping with genesis changes here.
• rollkit/rollkit#2330: Modifies Docker Compose configurations for the reth service, related to Ethereum client startup parameter changes in this PR.

Suggested labels

T:testing

Suggested reviewers

• tac0turtle
• julienrbrt
• randygrok

Poem

In the warren where code does hop,
Helpers and tests now never stop.
With Docker spun and JWT in paw,
Transactions leap, no fatal flaw!
The aggregator hums, the blocks align—
This bunny’s E2E is simply divine.
🐇✨

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (1.64.8)

Error: you are using a configuration file for golangci-lint v2 with golangci-lint v1: please use golangci-lint v2
Failed executing command with error: you are using a configuration file for golangci-lint v2 with golangci-lint v1: please use golangci-lint v2

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c1d952 and e065dc1.

📒 Files selected for processing (1)

• node/single_sequencer_integration_test.go (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: rollkit-docker / docker-build (GHCR; ghcr.io/rollkit/rollkit)
• GitHub Check: test / Run Unit Tests
• GitHub Check: test / Build All Rollkit Binaries
• GitHub Check: test / Run EVM Execution Tests
• GitHub Check: test / Run E2E System Tests
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (1)

node/single_sequencer_integration_test.go (1)

147-147: LGTM: Corrected height comparison logic.

This fix properly validates that the store height is greater than or equal to the state's last block height, which is the correct relationship in blockchain systems where blocks are stored before state updates are applied.

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

The latest Buf updates on your PR. Results from workflow CI and Release / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Jun 8, 2025, 7:06 PM

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.

Project coverage is 56.35%. Comparing base (1604652) to head (e065dc1).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
execution/evm/execution.go	0.00%	14 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2327      +/-   ##
==========================================
+ Coverage   54.89%   56.35%   +1.45%     
==========================================
  Files          82       82              
  Lines        7503     7504       +1     
==========================================
+ Hits         4119     4229     +110     
+ Misses       2963     2866      -97     
+ Partials      421      409      -12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Manav-Aggarwal]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

🔭 Outside diff range comments (1)

apps/evm/based/go.mod (1)

30-378: 💡 Verification agent

🧩 Analysis chain

LGTM! Dependency updates support new EVM testing infrastructure.

The extensive addition of indirect dependencies aligns well with the PR objectives of adding E2E tests for EVM execution. The new dependencies include:

• Docker/containerd ecosystem: Support for container orchestration in tests
• AWS SDK v2: Cloud infrastructure integration
• Kubernetes client libraries: Container management capabilities
• OpenTelemetry: Observability and instrumentation
• testcontainers: Testing framework for containerized services

These additions are consistent with the new EVM testing infrastructure that uses Docker Compose to orchestrate Reth engine containers.

Please verify that all new dependencies are from trusted sources and check for any security advisories:

---

🏁 Script executed:

#!/bin/bash
# Check for security vulnerabilities in new dependencies
go list -m -json all | jq -r '.Path' | grep -E "(aws|docker|containerd|testcontainers)" | head -20 | while read dep; do
  echo "Checking $dep..."
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: GO, package: \"$dep\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
      }
    }
  }"
done

Length of output: 223

---

I've updated the verification script to run within the correct module directory and enumerate only the relevant dependencies before querying the GitHub API. This should surface any advisories for aws, docker, containerd, and testcontainers packages.

---

🏁 Script executed:

#!/bin/bash
set -e

# Switch to the EVM module containing go.mod
cd apps/evm/based

# List all modules, filter for our key dependencies, and dedupe
deps=$(go list -m all | awk '{print $1}' | grep -E "(aws|docker|containerd|testcontainers)" | sort -u)

# For each dependency, query GitHub security advisories
for dep in $deps; do
  echo "Checking $dep..."
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: GO, package: \"$dep\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
      }
    }
  }"
done

Length of output: 35232

---

Action Required: Upgrade AWS SDK v1 to Mitigate CVEs

The indirect module github.com/aws/aws-sdk-go has multiple moderate-severity CVEs in S3 Crypto SDK for versions < 1.34.0. Please confirm the resolved version in apps/evm/based/go.mod and bump it to ≥ 1.34.0:

• CBC padding oracle issue (MODERATE) – vulnerable < 1.34.0
• In-band key negotiation issue (LOW) – vulnerable < 1.34.0
• Unencrypted MD5 hash in metadata (MODERATE) – vulnerable < 1.34.0
• Unencrypted plaintext hash metadata (MODERATE) – vulnerable < 1.34.0

All other “aws-sdk-go-v2”, Docker/containerd, and Testcontainers packages are at versions outside the reported vulnerable ranges. No additional high-severity advisories were detected for:

• Docker/containerd ecosystem
• testcontainers-go
• AWS SDK v2
• Kubernetes clients
• OpenTelemetry

Please update or remove the v1 SDK as appropriate to eliminate these known vulnerabilities.

🧹 Nitpick comments (3)

test/e2e/evm_aggregator_e2e_test.go (2)

19-21: Consider making the Docker path configurable.

The hard-coded Docker path works for the current structure but could be made more flexible for different deployment scenarios.

Consider making this configurable via environment variable or test flag:

 const (
-	DOCKER_PATH = "../../execution/evm/docker"
+	defaultDockerPath = "../../execution/evm/docker"
 )
+
+func getDockerPath() string {
+	if path := os.Getenv("EVM_DOCKER_PATH"); path != "" {
+		return path
+	}
+	return defaultDockerPath
+}

---

31-90: Comprehensive E2E test with good structure.

The test effectively covers the complete EVM aggregator workflow:

Strengths:

• Proper setup and teardown via SystemUnderTest
• Good use of helper functions from execution/evm package
• Realistic transaction flow testing
• Appropriate timeout handling for async operations

Areas for improvement:

• Hard-coded values could be extracted to constants
• Error messages could be more descriptive

Consider extracting magic values to constants for better maintainability:

+const (
+	LocalDAStartDelay = 500 * time.Millisecond
+	BlockTime = "1s"
+	NodeAwaitTimeout = 10 * time.Second
+	TxInclusionTimeout = 20 * time.Second
+	TxPollInterval = 1 * time.Second
+	// Test transaction parameters
+	TestPrivateKey = "cece4f25ac74deb1468965160c7185e07dff413f23fcadb611b05ca37ab0a52e"
+	TestToAddress = "0x944fDcD1c868E3cC566C78023CcB38A32cDA836E"
+	TestChainID = "1234"
+	TestGasLimit = uint64(22000)
+)

And improve error message specificity:

-	require.True(t, found, "Transaction not included in EVM block after waiting")
+	require.True(t, found, "Transaction %s not included in EVM block after %d seconds", tx.Hash().Hex(), TxInclusionTimeout/time.Second)

execution/evm/evm_helpers.go (1)

61-92: Consider test isolation for parallel execution.

The Docker setup is well-structured with proper cleanup. However, if multiple tests run in parallel with the same JWT filename, they might conflict when writing to the same file path.

Consider using a unique filename per test (e.g., including the test name or a random suffix) to ensure proper isolation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2a732cf and 8159c4b.

⛔ Files ignored due to path filters (3)

• apps/evm/based/go.sum is excluded by !**/*.sum
• apps/evm/single/go.sum is excluded by !**/*.sum
• test/e2e/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• apps/evm/based/go.mod (8 hunks)
• apps/evm/single/go.mod (8 hunks)
• block/submitter.go (3 hunks)
• execution/evm/evm_helpers.go (1 hunks)
• execution/evm/execution.go (8 hunks)
• execution/evm/execution_test.go (5 hunks)
• scripts/test.mk (2 hunks)
• test/e2e/evm_aggregator_e2e_test.go (1 hunks)
• test/e2e/go.mod (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

test/e2e/evm_aggregator_e2e_test.go (2)

execution/evm/evm_helpers.go (5)

• SetupTestRethEngine (61-92)
• GetGenesisHash (184-198)
• GetRandomTransaction (143-165)
• SubmitTransaction (167-172)
• CheckTxIncluded (174-181)

test/e2e/sut_helper.go (1)

• NewSystemUnderTest (47-57)

block/submitter.go (2)

types/block.go (1)

• Data (33-36)

types/tx.go (2)

• Txs (7-7)
• Tx (4-4)

execution/evm/execution_test.go (2)

execution/evm/evm_helpers.go (3)

• SetupTestRethEngine (61-92)
• GetRandomTransaction (143-165)
• SubmitTransaction (167-172)

test/e2e/evm_aggregator_e2e_test.go (1)

• DOCKER_PATH (20-20)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: test / Run EVM Execution Tests
• GitHub Check: test / Run Unit Tests
• GitHub Check: test / Run E2E System Tests
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (21)

apps/evm/single/go.mod (1)

31-378: LGTM! Consistent dependency updates across EVM modules.

The dependency additions mirror those in apps/evm/based/go.mod, ensuring consistent dependency management across both EVM modules. This coordinated approach supports the new containerized testing infrastructure while maintaining module compatibility.

The additions include the same categories of dependencies needed for the E2E testing infrastructure:

• Container orchestration libraries
• Testing frameworks
• Cloud SDK components
• Observability tools

scripts/test.mk (2)

14-16: LGTM! Proper integration of EVM testing into build system.

The updates correctly:

• Add build-evm-single dependency to ensure the EVM binary is available
• Include EVM-specific build tags (e2e evm)
• Pass both regular and EVM binary paths as test parameters

The 15-minute timeout is appropriate for E2E tests that involve container orchestration.

---

33-35: Well-structured EVM test target.

The new test-evm target provides a focused way to run EVM-specific tests with proper build dependencies and tags. The structure follows the established pattern from other test targets.

test/e2e/evm_aggregator_e2e_test.go (2)

1-3: LGTM! Proper build constraint usage.

The build constraints ensure this test only runs when the evm tag is specified, preventing it from running in environments where EVM dependencies aren't available.

---

75-75:

Details

❓ Verification inconclusive

Verify transaction parameters are realistic.

The hard-coded private key and transaction parameters should be validated to ensure they represent realistic test scenarios.

Please verify the test transaction parameters:

---

🏁 Script executed:

#!/bin/bash
# Check if the private key is valid and corresponds to expected address
echo "Verifying test transaction parameters..."

# You could add a simple Go script to validate the private key format
python3 -c "
import binascii
try:
    key = 'cece4f25ac74deb1468965160c7185e07dff413f23fcadb611b05ca37ab0a52e'
    bytes.fromhex(key)
    print(f'Private key format valid: {len(key)} characters')
    if len(key) == 64:
        print('✓ Valid 32-byte private key')
    else:
        print('✗ Invalid private key length')
except ValueError:
    print('✗ Invalid hex format')
"

Length of output: 565

---

Validate E2E test transaction parameters for realism

We’ve confirmed the private key is a valid 32-byte hex string. Before merging, please:

• Derive and assert the public address from the key matches the hard-coded recipient (0x944fDcD1c868E3cC566C78023CcB38A32cDA836E).
• Consider using standard chain IDs (e.g. 1 for mainnet, 1337 for Ganache) instead of “1234,” or document why a custom ID is needed.
• Adjust the gas limit to a realistic value (21 000 for a basic ETH transfer) or explain why 22 000 was chosen here.

block/submitter.go (2)

207-210: Log message appropriately simplified.

The removal of partial submission tracking from the log message aligns with the new all-or-nothing submission approach.

---

223-231: All-or-nothing submission correctly implemented.

The code properly creates a types.Data object from the batch transactions and updates the data cache on successful submission. The immediate return on success aligns with the simplified submission approach.

execution/evm/execution_test.go (3)

65-65: Test setup properly refactored to use external helper.

Good use of the exported SetupTestRethEngine helper function for improved modularity.

---

85-86: Proper nonce management implemented.

The use of a pointer to lastNonce allows the helper function to maintain proper nonce sequencing across multiple transactions.

Also applies to: 95-95

---

98-98: Transaction submission properly delegated to helper.

Good refactoring to use the external SubmitTransaction helper for cleaner test code.

Also applies to: 262-262

execution/evm/evm_helpers.go (3)

31-58: JWT helper functions are well-implemented.

The JWT secret generation, decoding, and token creation follow best practices with appropriate secret length and token expiry.

---

95-140: Comprehensive container readiness check.

The function properly validates both RPC endpoints with appropriate timeout and polling intervals. JWT authentication for the Engine API is correctly implemented.

---

184-198: Genesis hash helper properly implemented.

The function correctly retrieves the genesis hash with proper error handling and resource cleanup.

execution/evm/execution.go (8)

12-12: LGTM: Sync import added for mutex support.

The addition of the sync package import is necessary for the mutex functionality introduced in this PR.

---

51-51: LGTM: Constructor renamed for clarity.

The function rename from NewPureEngineExecutionClient to NewEngineExecutionClient improves clarity and aligns with the updated architecture.

---

95-96: LGTM: Proper mutex locking for thread safety.

The mutex locking in InitChain correctly protects the shared state during initialization.

---

127-128: LGTM: Proper mutex locking for thread safety.

The mutex locking in GetTxs correctly protects access to shared state during transaction retrieval.

---

166-167: LGTM: Proper mutex locking for thread safety.

The mutex locking in ExecuteTxs correctly protects the shared state during transaction execution.

---

183-183: Excellent improvement: Enhanced robustness through error tolerance.

Changing from return to continue makes the execution more robust by allowing the batch to proceed even if individual transactions fail. This prevents a single failed transaction from stopping the entire execution flow.

---

278-299: Well-designed forkchoice state management with proper error handling.

The refactored setFinal method correctly manages forkchoice state by:

• Tracking and using stored hash values appropriately
• Handling both finalization and non-finalization cases
• Adding proper error checking for invalid payload status

This is a significant improvement over the previous implementation.

---

319-320: LGTM: Proper mutex locking for thread safety.

The mutex locking in SetFinal correctly protects the shared state during finalization operations.

[Manav-Aggarwal]

We have one PFB transaction per signed data so this was unnecessary

[tzdybal]

Nice catch 👍

Left some comments. Nothing critical.

[tzdybal]

I think we shouldn't export most of the functions, as they are test oriented.

[Manav-Aggarwal]

Yes I wanted to but in that case, we'd need to duplicate them in end to end tests. Should we do that instead?

[alpe]

you can also introduce a testing package for clean separation. But IMHO it is fair to have useful testing code next to the production code. Nevertheless some methods can be private as they are not used by e2e.

How about renaming to test_support.go , test_helpers.go or test_utils.go to make the testing scope explicit? "evm" is in the package name already

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (5)

execution/evm/evm_helpers.go (5)

31-58: Consider making test helper functions unexported.

Based on previous feedback, these JWT helper functions are test-oriented and should likely be unexported to follow Go conventions for internal test utilities.

Apply this diff to make the functions unexported:

-func GenerateJWTSecret() (string, error) {
+func generateJWTSecret() (string, error) {

-func DecodeSecret(jwtSecret string) ([]byte, error) {
+func decodeSecret(jwtSecret string) ([]byte, error) {

-func GetAuthToken(jwtSecret []byte) (string, error) {
+func getAuthToken(jwtSecret []byte) (string, error) {

The implementation logic is solid with proper error handling and secure random generation.

---

61-92: Improve identifier sanitization and consider function visibility.

Two improvements to consider:

1. Function visibility: This is a test helper and should likely be unexported based on previous feedback.

2. Identifier sanitization: The string replacements for the Docker compose identifier could be more robust.

Apply this diff for better identifier handling:

-func SetupTestRethEngine(t *testing.T, dockerPath, jwtFilename string) string {
+func setupTestRethEngine(t *testing.T, dockerPath, jwtFilename string) string {
	dockerAbsPath, err := filepath.Abs(dockerPath)
	require.NoError(t, err)
	jwtPath := filepath.Join(dockerAbsPath, "jwttoken")
	err = os.MkdirAll(jwtPath, 0750)
	require.NoError(t, err)
-	jwtSecret, err := GenerateJWTSecret()
+	jwtSecret, err := generateJWTSecret()
	require.NoError(t, err)
	jwtFile := filepath.Join(jwtPath, jwtFilename)
	err = os.WriteFile(jwtFile, []byte(jwtSecret), 0600)
	require.NoError(t, err)
	t.Cleanup(func() { _ = os.Remove(jwtFile) })
	composeFilePath := filepath.Join(dockerAbsPath, "docker-compose.yml")
-	identifier := tc.StackIdentifier(strings.ToLower(t.Name()))
-	identifier = tc.StackIdentifier(strings.ReplaceAll(string(identifier), "/", "_"))
-	identifier = tc.StackIdentifier(strings.ReplaceAll(string(identifier), " ", "_"))
+	// Sanitize test name for Docker compose stack identifier
+	sanitizedName := strings.ToLower(t.Name())
+	sanitizedName = strings.ReplaceAll(sanitizedName, "/", "_")
+	sanitizedName = strings.ReplaceAll(sanitizedName, " ", "_")
+	// Remove other problematic characters for Docker naming
+	sanitizedName = strings.ReplaceAll(sanitizedName, "-", "_")
+	identifier := tc.StackIdentifier(sanitizedName)

---

95-140: Consider making function unexported.

This function is well-implemented with proper timeout handling, resource cleanup, and error management. However, as a test helper function, it should likely be unexported based on previous feedback.

Apply this diff to make the function unexported and update internal calls:

-func WaitForRethContainer(t *testing.T, jwtSecret, ethURL, engineURL string) error {
+func waitForRethContainer(t *testing.T, jwtSecret, ethURL, engineURL string) error {
	t.Helper()
	client := &http.Client{Timeout: 100 * time.Millisecond}
	timer := time.NewTimer(30 * time.Second)
	defer timer.Stop()
	for {
		select {
		case <-timer.C:
			return fmt.Errorf("timeout waiting for reth container to be ready")
		default:
			rpcReq := strings.NewReader(`{"jsonrpc":"2.0","method":"net_version","params":[],"id":1}`)
			resp, err := client.Post(ethURL, "application/json", rpcReq)
			if err == nil {
				if err := resp.Body.Close(); err != nil {
					return fmt.Errorf("failed to close response body: %w", err)
				}
				if resp.StatusCode == http.StatusOK {
					req, err := http.NewRequest("POST", engineURL, strings.NewReader(`{"jsonrpc":"2.0","method":"engine_getClientVersionV1","params":[],"id":1}`))
					if err != nil {
						return err
					}
					req.Header.Set("Content-Type", "application/json")
-					secret, err := DecodeSecret(jwtSecret)
+					secret, err := decodeSecret(jwtSecret)
					if err != nil {
						return err
					}
-					authToken, err := GetAuthToken(secret)
+					authToken, err := getAuthToken(secret)

And update the call in setupTestRethEngine:

-	err = WaitForRethContainer(t, jwtSecret, "http://localhost:8545", "http://localhost:8551")
+	err = waitForRethContainer(t, jwtSecret, "http://localhost:8545", "http://localhost:8551")

---

143-165: Consider function visibility and improve nonce handling clarity.

The function implementation is solid, but two improvements to consider:

1. Function visibility: As a test helper, this should likely be unexported.

2. Nonce parameter handling: Modifying the lastNonce parameter in place could be confusing. Consider returning the new nonce or making the side effect more explicit.

Apply this diff for better nonce handling:

-func GetRandomTransaction(t *testing.T, privateKeyHex, toAddressHex, chainID string, gasLimit uint64, lastNonce *uint64) *types.Transaction {
+func getRandomTransaction(t *testing.T, privateKeyHex, toAddressHex, chainID string, gasLimit uint64, nonce uint64) (*types.Transaction, uint64) {
	privateKey, err := crypto.HexToECDSA(privateKeyHex)
	require.NoError(t, err)
	chainId, _ := new(big.Int).SetString(chainID, 10)
	txValue := big.NewInt(1000000000000000000)
	gasPrice := big.NewInt(30000000000)
	toAddress := common.HexToAddress(toAddressHex)
	data := make([]byte, 16)
	_, err = rand.Read(data)
	require.NoError(t, err)
	tx := types.NewTx(&types.LegacyTx{
-		Nonce:    *lastNonce,
+		Nonce:    nonce,
		To:       &toAddress,
		Value:    txValue,
		Gas:      gasLimit,
		GasPrice: gasPrice,
		Data:     data,
	})
-	*lastNonce++
-	signedTx, err := types.SignTx(tx, types.NewEIP155Signer(chainId), privateKey)
+	signedTx, err := types.SignTx(tx, types.NewEIP155Signer(chainId), privateKey)
	require.NoError(t, err)
-	return signedTx
+	return signedTx, nonce + 1
}

---

187-201: Consider function visibility and URL parameterization.

The function is well-implemented with proper resource cleanup and error handling. Two improvements to consider:

1. Function visibility: As a test helper, this should likely be unexported.

2. URL parameterization: The hardcoded "http://localhost:8545" URL could be parameterized for flexibility.

Apply this diff to address these suggestions:

-func GetGenesisHash(t *testing.T) string {
+func getGenesisHash(t *testing.T, rpcURL string) string {
	client := &http.Client{Timeout: 2 * time.Second}
	data := []byte(`{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["0x0", false],"id":1}`)
-	resp, err := client.Post("http://localhost:8545", "application/json", bytes.NewReader(data))
+	resp, err := client.Post(rpcURL, "application/json", bytes.NewReader(data))
	require.NoError(t, err)
	defer resp.Body.Close()
	var result struct {
		Result struct {
			Hash string `json:"hash"`
		} `json:"result"`
	}
	require.NoError(t, json.NewDecoder(resp.Body).Decode(&result))
	require.NotEmpty(t, result.Result.Hash)
	return result.Result.Hash
}

🧹 Nitpick comments (1)

execution/evm/evm_helpers.go (1)

167-184: Resource leak issue resolved, consider remaining improvements.

Good work addressing the previous resource leak concerns by adding defer rpcClient.Close() statements! The functions now properly manage RPC client connections.

Remaining improvements to consider:

1. Function visibility: These test helpers should likely be unexported.

2. URL parameterization: The hardcoded "http://localhost:8545" URL could be parameterized for flexibility.

Apply this diff to address the remaining suggestions:

-func SubmitTransaction(t *testing.T, tx *types.Transaction) {
-	rpcClient, err := ethclient.Dial("http://localhost:8545")
+func submitTransaction(t *testing.T, rpcURL string, tx *types.Transaction) {
+	rpcClient, err := ethclient.Dial(rpcURL)
	require.NoError(t, err)
	defer rpcClient.Close()

	err = rpcClient.SendTransaction(context.Background(), tx)
	require.NoError(t, err)
}

-func CheckTxIncluded(t *testing.T, txHash common.Hash) bool {
-	rpcClient, err := ethclient.Dial("http://localhost:8545")
+func checkTxIncluded(t *testing.T, rpcURL string, txHash common.Hash) bool {
+	rpcClient, err := ethclient.Dial(rpcURL)
	if err != nil {
		return false
	}
	defer rpcClient.Close()
	receipt, err := rpcClient.TransactionReceipt(context.Background(), txHash)
	return err == nil && receipt != nil && receipt.Status == 1
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8159c4b and 5ccd78a.

📒 Files selected for processing (3)

• execution/evm/evm_helpers.go (1 hunks)
• execution/evm/execution.go (8 hunks)
• test/e2e/go.mod (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• execution/evm/execution.go
• test/e2e/go.mod

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: rollkit-docker / docker-build (GHCR; ghcr.io/rollkit/rollkit)
• GitHub Check: Analyze (go)
• GitHub Check: test / Run Unit Tests
• GitHub Check: test / Build All Rollkit Binaries
• GitHub Check: test / Run E2E System Tests
• GitHub Check: test / Run EVM Execution Tests
• GitHub Check: Summary

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

apps/evm/based/go.mod (2)

30-30: 🛠️ Refactor suggestion

Consolidate mergo dependencies
You have both dario.cat/mergo v1.0.1 (line 30) and github.com/imdario/mergo v0.3.16 (line 154). This can lead to version conflicts and larger binaries. Choose one module path/version, remove the other from go.mod, and update all imports accordingly.

Also applies to: 154-154

---

244-245: 🛠️ Refactor suggestion

Avoid dual go-toml major versions
Currently you depend on github.com/pelletier/go-toml v1.9.5 and github.com/pelletier/go-toml/v2 v2.2.3. Mixing majors can confuse consumers and bloat the binary. Migrate all consumers to /v2 and drop the v1 path.

🧹 Nitpick comments (3)

apps/evm/based/go.mod (1)

26-378: Prune and document indirect dependencies
This module now includes hundreds of indirect requirements, which can inflate build times and binary size. Audit and remove any transitive dependencies not directly used by the EVM execution paths. For optional features (e.g., AWS, Kubernetes, telemetry), consider separate modules or build tags.

execution/evm/test_helpers.go (2)

75-120: Consider optimizing the polling strategy for better performance.

The current implementation polls every 100ms with a 30-second timeout. Consider using exponential backoff or a longer initial delay to reduce unnecessary load.

-			time.Sleep(100 * time.Millisecond)
+			time.Sleep(time.Duration(200+100*attempts) * time.Millisecond) // exponential backoff

---

163-172: Consider logging transaction check failures for better debugging.

The function gracefully handles errors by returning false, but logging the specific error could help with debugging test failures.

func CheckTxIncluded(t *testing.T, txHash common.Hash) bool {
	t.Helper()
	rpcClient, err := ethclient.Dial("http://localhost:8545")
	if err != nil {
+		t.Logf("Failed to dial RPC client: %v", err)
		return false
	}
	defer rpcClient.Close()
	receipt, err := rpcClient.TransactionReceipt(context.Background(), txHash)
+	if err != nil {
+		t.Logf("Failed to get transaction receipt for %s: %v", txHash.Hex(), err)
+	}
	return err == nil && receipt != nil && receipt.Status == 1
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47187df and 7660edc.

⛔ Files ignored due to path filters (3)

• apps/evm/based/go.sum is excluded by !**/*.sum
• apps/evm/single/go.sum is excluded by !**/*.sum
• test/e2e/go.sum is excluded by !**/*.sum

📒 Files selected for processing (8)

• apps/evm/based/go.mod (8 hunks)
• apps/evm/single/go.mod (8 hunks)
• execution/evm/execution.go (6 hunks)
• execution/evm/execution_test.go (5 hunks)
• execution/evm/test_helpers.go (1 hunks)
• scripts/test.mk (2 hunks)
• test/e2e/evm_aggregator_e2e_test.go (1 hunks)
• test/e2e/go.mod (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• test/e2e/evm_aggregator_e2e_test.go
• execution/evm/execution.go
• apps/evm/single/go.mod
• scripts/test.mk
• test/e2e/go.mod

🧰 Additional context used

🧬 Code Graph Analysis (1)

execution/evm/execution_test.go (2)

execution/evm/test_helpers.go (3)

• SetupTestRethEngine (40-72)
• GetRandomTransaction (125-149)
• SubmitTransaction (152-160)

test/e2e/evm_aggregator_e2e_test.go (1)

• DOCKER_PATH (20-20)

⏰ Context from checks skipped due to timeout of 90000ms (7)

• GitHub Check: rollkit-docker / docker-build (GHCR; ghcr.io/rollkit/rollkit)
• GitHub Check: test / Run EVM Execution Tests
• GitHub Check: test / Build All Rollkit Binaries
• GitHub Check: test / Run Unit Tests
• GitHub Check: test / Run E2E System Tests
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (13)

execution/evm/test_helpers.go (6)

1-3: LGTM: Proper build constraints for EVM-specific code.

The build tags correctly ensure this file is only compiled when the evm build tag is present.

---

29-37: LGTM: Cryptographically secure JWT secret generation.

The function correctly uses crypto/rand.Read for cryptographic randomness and proper error handling.

---

40-72: Well-structured Docker Compose setup with proper resource management.

The function handles directory creation, JWT file management, and Docker lifecycle correctly. The cleanup functions ensure resources are properly released even if tests fail.

---

125-149: Excellent transaction helper with proper nonce management.

The function correctly handles transaction signing, uses explicit parameters for better testability, and properly manages nonce state through a pointer. The use of legacy transactions is appropriate for testing.

---

152-160: LGTM: Clean transaction submission helper.

Simple, focused function with proper resource cleanup and error handling.

---

175-190: LGTM: Robust genesis hash retrieval.

The function properly handles HTTP requests, JSON decoding, and error validation. The timeout is appropriate for test environments.

execution/evm/execution_test.go (7)

65-65: LGTM: Correct usage of the new helper function.

The call to SetupTestRethEngine with explicit parameters improves clarity and matches the new helper function signature.

---

85-85: Good improvement: Explicit nonce management.

Moving from implicit global nonce to explicit local variable improves test clarity and reduces potential race conditions.

---

95-95: LGTM: Proper usage of the new transaction helper.

The explicit parameter passing for GetRandomTransaction improves testability and makes dependencies clear.

---

98-98: LGTM: Clean transaction submission.

Using the external SubmitTransaction helper maintains consistency and reduces code duplication.

---

144-144: LGTM: Consistent helper usage in sync test.

Proper reuse of the SetupTestRethEngine helper for the sync test phase.

---

255-255: LGTM: Proper nonce initialization for manual test.

Using NonceAt to get the current nonce before generating transactions is the correct approach.

---

261-262: LGTM: Consistent usage of helper functions.

The stress test properly uses the new helper functions with correct parameter passing.

[coderabbitai]

🛠️ Refactor suggestion

Isolate test-only dependencies
Indirect pulls of testcontainers-go modules (v0.37.0) belong in the E2E test module (test/e2e/go.mod), not the production apps/evm/based module. Moving them will keep your production binary lean and dependencies better scoped.

🤖 Prompt for AI Agents

In apps/evm/based/go.mod at lines 301-302, the indirect dependencies on
testcontainers-go modules are included in the production module. Remove these
lines from this file and add them to the test/e2e/go.mod file instead to isolate
test-only dependencies from the production build.

[tac0turtle]

left one suggestion, otherwise lGTM

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

execution/evm/execution_test.go (1)

238-238: Clean up commented debug statement.

The commented log statement should be removed to keep the code clean.

-	//t.Logf("Latest block: height=%d, hash=%s, txs=%d", blockNumber, blockHash.Hex(), txCount)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2635821 and 8c1d952.

📒 Files selected for processing (1)

• execution/evm/execution_test.go (6 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

execution/evm/execution_test.go (2)

execution/evm/test_helpers.go (3)

• SetupTestRethEngine (40-72)
• GetRandomTransaction (125-149)
• SubmitTransaction (152-160)

test/e2e/evm_aggregator_e2e_test.go (1)

• DOCKER_PATH (20-20)

⏰ Context from checks skipped due to timeout of 90000ms (9)

• GitHub Check: rollkit-docker / docker-build (GHCR; ghcr.io/rollkit/rollkit)
• GitHub Check: test / Run EVM Execution Tests
• GitHub Check: test / Run E2E System Tests
• GitHub Check: test / Run Unit Tests
• GitHub Check: test / Build All Rollkit Binaries
• GitHub Check: lint / golangci-lint
• GitHub Check: lint / markdown-lint
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (6)

execution/evm/execution_test.go (6)

24-25: Constants updated to match new genesis configuration.

The genesis hash and state root constants have been updated, which aligns with the Docker environment and genesis configuration changes mentioned in the PR objectives.

---

65-65: Good refactoring to use external helper function.

The SetupTestRethEngine helper function properly encapsulates Docker Compose orchestration and JWT token management, improving code reuse and maintainability.

Also applies to: 144-144

---

85-85: Improved nonce management with local variable.

Using a local variable for nonce tracking instead of package-level globals is a good practice that improves test isolation and thread safety.

---

95-95: Excellent use of helper functions for transaction handling.

The refactoring to use GetRandomTransaction and SubmitTransaction helpers improves code reuse and makes the test more maintainable. The nonce parameter passing with &lastNonce ensures proper sequential nonce management.

Also applies to: 98-98

---

255-255: Consistent nonce management pattern.

The nonce retrieval and management in TestSubmitTransaction follows the same pattern as the main test, ensuring consistency across the test suite.

---

261-262: Proper use of helper functions in stress test.

The stress test correctly uses the same helper functions, maintaining consistency and ensuring the same transaction creation logic is tested under load.