@arbitrum/nitro-contracts 1.0.0-beta.5 → 1.0.0-beta.6

package/src/bridge/Inbox.sol

@@ -5,6 +5,7 @@
 pragma solidity ^0.8.4;
 
 import "./IInbox.sol";
+import "./ISequencerInbox.sol";
 import "./IBridge.sol";
 
 import "./Messages.sol";
@@ -20,7 +21,6 @@ import {
 } from "../libraries/MessageTypes.sol";
 import {MAX_DATA_SIZE} from "../libraries/Constants.sol";
 
-import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 import "@openzeppelin/contracts-upgradeable/utils/AddressUpgradeable.sol";
 import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
 
@@ -31,27 +31,72 @@ import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
  */
 contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
     IBridge public override bridge;
+    ISequencerInbox public sequencerInbox;
 
-    modifier onlyOwner() {
-        // whoevever owns the Bridge, also owns the Inbox. this is usually the rollup contract
-        address bridgeOwner = OwnableUpgradeable(address(bridge)).owner();
-        if (msg.sender != bridgeOwner) revert NotOwner(msg.sender, bridgeOwner);
+    /// ------------------------------------ allow list start ------------------------------------ ///
+
+    bool public allowListEnabled;
+    mapping(address => bool) public isAllowed;
+
+    event AllowListAddressSet(address indexed user, bool val);
+    event AllowListEnabledUpdated(bool isEnabled);
+
+    function setAllowList(address[] memory user, bool[] memory val) external onlyRollupOrOwner {
+        require(user.length == val.length, "INVALID_INPUT");
+
+        for (uint256 i = 0; i < user.length; i++) {
+            isAllowed[user[i]] = val[i];
+            emit AllowListAddressSet(user[i], val[i]);
+        }
+    }
+
+    function setAllowListEnabled(bool _allowListEnabled) external onlyRollupOrOwner {
+        require(_allowListEnabled != allowListEnabled, "ALREADY_SET");
+        allowListEnabled = _allowListEnabled;
+        emit AllowListEnabledUpdated(_allowListEnabled);
+    }
+
+    /// @dev this modifier checks the tx.origin instead of msg.sender for convenience (ie it allows
+    /// allowed users to interact with the token bridge without needing the token bridge to be allowList aware).
+    /// this modifier is not intended to use to be used for security (since this opens the allowList to
+    /// a smart contract phishing risk).
+    modifier onlyAllowed() {
+        if (allowListEnabled && !isAllowed[tx.origin]) revert NotAllowedOrigin(tx.origin);
+        _;
+    }
+
+    /// ------------------------------------ allow list end ------------------------------------ ///
+
+    modifier onlyRollupOrOwner() {
+        IOwnable rollup = bridge.rollup();
+        if (msg.sender != address(rollup)) {
+            address rollupOwner = rollup.owner();
+            if (msg.sender != rollupOwner) {
+                revert NotRollupOrOwner(msg.sender, address(rollup), rollupOwner);
+            }
+        }
         _;
     }
 
     /// @notice pauses all inbox functionality
-    function pause() external onlyOwner {
+    function pause() external onlyRollupOrOwner {
         _pause();
     }
 
     /// @notice unpauses all inbox functionality
-    function unpause() external onlyOwner {
+    function unpause() external onlyRollupOrOwner {
         _unpause();
     }
 
-    function initialize(IBridge _bridge) external initializer onlyDelegated {
+    function initialize(IBridge _bridge, ISequencerInbox _sequencerInbox)
+        external
+        initializer
+        onlyDelegated
+    {
         if (address(bridge) != address(0)) revert AlreadyInit();
         bridge = _bridge;
+        sequencerInbox = _sequencerInbox;
+        allowListEnabled = false;
         __Pausable_init();
     }
 
@@ -64,26 +109,19 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
                 sstore(i, 0)
             }
         }
+        allowListEnabled = false;
         bridge = _bridge;
     }
 
     /**
-     * @notice Send a generic L2 message to the chain
-     * @dev This method is an optimization to avoid having to emit the entirety of the messageData in a log. Instead validators are expected to be able to parse the data from the transaction's input
+     * @dev DEPRECATED in favor of sendL2Message
      * @param messageData Data of the message being sent
      */
     function sendL2MessageFromOrigin(bytes calldata messageData)
         external
-        whenNotPaused
         returns (uint256)
     {
-        // solhint-disable-next-line avoid-tx-origin
-        if (msg.sender != tx.origin) revert NotOrigin();
-        if (messageData.length > MAX_DATA_SIZE)
-            revert DataTooLarge(messageData.length, MAX_DATA_SIZE);
-        uint256 msgNum = deliverToBridge(L2_MSG, msg.sender, keccak256(messageData));
-        emit InboxMessageDeliveredFromOrigin(msgNum);
-        return msgNum;
+        return sendL2Message(messageData);
     }
 
     /**
@@ -92,9 +130,10 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
      * @param messageData Data of the message being sent
      */
     function sendL2Message(bytes calldata messageData)
-        external
+        public
         override
         whenNotPaused
+        onlyAllowed
         returns (uint256)
     {
         return _deliverMessage(L2_MSG, msg.sender, messageData);
@@ -106,7 +145,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 nonce,
         address to,
         bytes calldata data
-    ) external payable virtual override whenNotPaused returns (uint256) {
+    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
         return
             _deliverMessage(
                 L1MessageType_L2FundedByL1,
@@ -128,7 +167,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 maxFeePerGas,
         address to,
         bytes calldata data
-    ) external payable virtual override whenNotPaused returns (uint256) {
+    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
         return
             _deliverMessage(
                 L1MessageType_L2FundedByL1,
@@ -151,7 +190,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         address to,
         uint256 value,
         bytes calldata data
-    ) external virtual override whenNotPaused returns (uint256) {
+    ) external virtual override whenNotPaused onlyAllowed returns (uint256) {
         return
             _deliverMessage(
                 L2_MSG,
@@ -174,7 +213,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         address to,
         uint256 value,
         bytes calldata data
-    ) external virtual override whenNotPaused returns (uint256) {
+    ) external virtual override whenNotPaused onlyAllowed returns (uint256) {
         return
             _deliverMessage(
                 L2_MSG,
@@ -209,43 +248,51 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
     /// @dev this does not trigger the fallback function when receiving in the L2 side.
     /// Look into retryable tickets if you are interested in this functionality.
     /// @dev this function should not be called inside contract constructors
-    function depositEth() public payable override whenNotPaused returns (uint256) {
-        address sender = msg.sender;
+    function depositEth() public payable override whenNotPaused onlyAllowed returns (uint256) {
+        address dest = msg.sender;
 
         // solhint-disable-next-line avoid-tx-origin
-        if (!AddressUpgradeable.isContract(sender) && tx.origin == msg.sender) {
+        if (AddressUpgradeable.isContract(msg.sender) || tx.origin != msg.sender) {
             // isContract check fails if this function is called during a contract's constructor.
             // We don't adjust the address for calls coming from L1 contracts since their addresses get remapped
             // If the caller is an EOA, we adjust the address.
             // This is needed because unsigned messages to the L2 (such as retryables)
             // have the L1 sender address mapped.
-            // Here we preemptively reverse the mapping for EOAs so deposits work as expected
-            sender = AddressAliasHelper.undoL1ToL2Alias(sender);
+            dest = AddressAliasHelper.applyL1ToL2Alias(msg.sender);
         }
 
         return
             _deliverMessage(
                 L1MessageType_ethDeposit,
-                sender, // arb-os will add the alias to this value
-                abi.encodePacked(msg.value)
+                msg.sender,
+                abi.encodePacked(dest, msg.value)
             );
     }
 
     /// @notice deprecated in favour of depositEth with no parameters
-    function depositEth(uint256) external payable virtual override whenNotPaused returns (uint256) {
+    function depositEth(uint256)
+        external
+        payable
+        virtual
+        override
+        whenNotPaused
+        onlyAllowed
+        returns (uint256)
+    {
         return depositEth();
     }
 
     /**
      * @notice deprecated in favour of unsafeCreateRetryableTicket
      * @dev deprecated in favour of unsafeCreateRetryableTicket
+     * @dev Gas limit and maxFeePerGas should not be set to 1 as that is used to trigger the RetryableData error
      * @param to destination L2 contract address
      * @param l2CallValue call value for retryable L2 message
      * @param maxSubmissionCost Max gas deducted from user's L2 balance to cover base submission fee
      * @param excessFeeRefundAddress gasLimit x maxFeePerGas - execution cost gets credited here on L2 balance
      * @param callValueRefundAddress l2Callvalue gets credited here on L2 if retryable txn times out or gets cancelled
-     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution
-     * @param maxFeePerGas price bid for L2 execution
+     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
+     * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
      * @param data ABI encoded data of L2 message
      * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
      */
@@ -258,7 +305,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) external payable virtual whenNotPaused returns (uint256) {
+    ) external payable virtual whenNotPaused onlyAllowed returns (uint256) {
         return
             unsafeCreateRetryableTicket(
                 to,
@@ -275,13 +322,14 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
     /**
      * @notice Put a message in the L2 inbox that can be reexecuted for some fixed amount of time if it reverts
      * @dev all msg.value will deposited to callValueRefundAddress on L2
+     * @dev Gas limit and maxFeePerGas should not be set to 1 as that is used to trigger the RetryableData error
      * @param to destination L2 contract address
      * @param l2CallValue call value for retryable L2 message
      * @param maxSubmissionCost Max gas deducted from user's L2 balance to cover base submission fee
      * @param excessFeeRefundAddress gasLimit x maxFeePerGas - execution cost gets credited here on L2 balance
      * @param callValueRefundAddress l2Callvalue gets credited here on L2 if retryable txn times out or gets cancelled
-     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution
-     * @param maxFeePerGas price bid for L2 execution
+     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
+     * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
      * @param data ABI encoded data of L2 message
      * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
      */
@@ -294,10 +342,14 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) external payable virtual override whenNotPaused returns (uint256) {
+    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
         // ensure the user's deposit alone will make submission succeed
-        if (msg.value < maxSubmissionCost + l2CallValue)
-            revert InsufficientValue(maxSubmissionCost + l2CallValue, msg.value);
+        if (msg.value < (maxSubmissionCost + l2CallValue + gasLimit * maxFeePerGas)) {
+            revert InsufficientValue(
+                maxSubmissionCost + l2CallValue + gasLimit * maxFeePerGas,
+                msg.value
+            );
+        }
 
         // if a refund address is a contract, we apply the alias to it
         // so that it can access its funds on the L2
@@ -311,7 +363,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         }
 
         return
-            unsafeCreateRetryableTicket(
+            unsafeCreateRetryableTicketInternal(
                 to,
                 l2CallValue,
                 maxSubmissionCost,
@@ -329,17 +381,18 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
      * come from the deposit alone, rather than falling back on the user's L2 balance
      * @dev Advanced usage only (does not rewrite aliases for excessFeeRefundAddress and callValueRefundAddress).
      * createRetryableTicket method is the recommended standard.
+     * @dev Gas limit and maxFeePerGas should not be set to 1 as that is used to trigger the RetryableData error
      * @param to destination L2 contract address
      * @param l2CallValue call value for retryable L2 message
      * @param maxSubmissionCost Max gas deducted from user's L2 balance to cover base submission fee
      * @param excessFeeRefundAddress gasLimit x maxFeePerGas - execution cost gets credited here on L2 balance
      * @param callValueRefundAddress l2Callvalue gets credited here on L2 if retryable txn times out or gets cancelled
-     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution
-     * @param maxFeePerGas price bid for L2 execution
+     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
+     * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
      * @param data ABI encoded data of L2 message
      * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
      */
-    function unsafeCreateRetryableTicket(
+    function unsafeCreateRetryableTicketInternal(
         address to,
         uint256 l2CallValue,
         uint256 maxSubmissionCost,
@@ -348,7 +401,23 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) public payable virtual override whenNotPaused returns (uint256) {
+    ) internal virtual whenNotPaused onlyAllowed returns (uint256) {
+        // gas price and limit of 1 should never be a valid input, so instead they are used as
+        // magic values to trigger a revert in eth calls that surface data without requiring a tx trace
+        if (gasLimit == 1 || maxFeePerGas == 1)
+            revert RetryableData(
+                msg.sender,
+                to,
+                l2CallValue,
+                msg.value,
+                maxSubmissionCost,
+                excessFeeRefundAddress,
+                callValueRefundAddress,
+                gasLimit,
+                maxFeePerGas,
+                data
+            );
+
         uint256 submissionFee = calculateRetryableSubmissionFee(data.length, block.basefee);
         if (maxSubmissionCost < submissionFee)
             revert InsufficientSubmissionCost(submissionFee, maxSubmissionCost);
@@ -372,6 +441,19 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             );
     }
 
+    function unsafeCreateRetryableTicket(
+        address,
+        uint256,
+        uint256,
+        address,
+        address,
+        uint256,
+        uint256,
+        bytes calldata
+    ) public payable override returns (uint256) {
+        revert("UNSAFE_RETRYABLES_TEMPORARILY_DISABLED");
+    }
+
     function _deliverMessage(
         uint8 _kind,
         address _sender,
@@ -379,7 +461,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
     ) internal returns (uint256) {
         if (_messageData.length > MAX_DATA_SIZE)
             revert DataTooLarge(_messageData.length, MAX_DATA_SIZE);
-        uint256 msgNum = deliverToBridge(_kind, _sender, keccak256(_messageData));
+        uint256 msgNum = deliverToBridge(
+            _kind,
+            AddressAliasHelper.applyL1ToL2Alias(_sender),
+            keccak256(_messageData)
+        );
         emit InboxMessageDelivered(msgNum, _messageData);
         return msgNum;
     }

package/src/bridge/Outbox.sol

@@ -9,11 +9,14 @@ import "./IOutbox.sol";
 import "../libraries/MerkleLib.sol";
 import "../libraries/DelegateCallAware.sol";
 
+/// @dev this error is thrown since certain functions are only expected to be used in simulations, not in actual txs
+error SimulationOnlyEntrypoint();
+
 contract Outbox is DelegateCallAware, IOutbox {
     address public rollup; // the rollup contract
     IBridge public bridge; // the bridge contract
 
-    mapping(uint256 => bool) public spent; // maps leaf number => if spent
+    mapping(uint256 => bytes32) public spent; // packed spent bitmap
     mapping(bytes32 => bytes32) public roots; // maps root hashes => L2 block hash
 
     struct L2ToL1Context {
@@ -27,12 +30,31 @@ contract Outbox is DelegateCallAware, IOutbox {
     // Therefore their values don't need to be maintained, and their slots will
     // be empty outside of transactions
     L2ToL1Context internal context;
+
+    // default context values to be used in storage instead of zero, to save on storage refunds
+    // it is assumed that arb-os never assigns these values to a valid leaf to be redeemed
+    uint128 private constant L2BLOCK_DEFAULT_CONTEXT = type(uint128).max;
+    uint128 private constant L1BLOCK_DEFAULT_CONTEXT = type(uint128).max;
+    uint128 private constant TIMESTAMP_DEFAULT_CONTEXT = type(uint128).max;
+    bytes32 private constant OUTPUTID_DEFAULT_CONTEXT = bytes32(type(uint256).max);
+    address private constant SENDER_DEFAULT_CONTEXT = address(type(uint160).max);
+
     uint128 public constant OUTBOX_VERSION = 2;
 
-    function initialize(address _rollup, IBridge _bridge) external onlyDelegated {
-        if (rollup != address(0)) revert AlreadyInit();
-        rollup = _rollup;
+    function initialize(IBridge _bridge) external onlyDelegated {
+        if (address(bridge) != address(0)) revert AlreadyInit();
+        // address zero is returned if no context is set, but the values used in storage
+        // are non-zero to save users some gas (as storage refunds are usually maxed out)
+        // EIP-1153 would help here
+        context = L2ToL1Context({
+            l2Block: L2BLOCK_DEFAULT_CONTEXT,
+            l1Block: L1BLOCK_DEFAULT_CONTEXT,
+            timestamp: TIMESTAMP_DEFAULT_CONTEXT,
+            outputId: OUTPUTID_DEFAULT_CONTEXT,
+            sender: SENDER_DEFAULT_CONTEXT
+        });
         bridge = _bridge;
+        rollup = address(_bridge.rollup());
     }
 
     function updateSendRoot(bytes32 root, bytes32 l2BlockHash) external override {
@@ -45,28 +67,51 @@ contract Outbox is DelegateCallAware, IOutbox {
     /// When the return value is zero, that means this is a system message
     /// @dev the l2ToL1Sender behaves as the tx.origin, the msg.sender should be validated to protect against reentrancies
     function l2ToL1Sender() external view override returns (address) {
-        return context.sender;
+        address sender = context.sender;
+        // we don't return the default context value to avoid a breaking change in the API
+        if (sender == SENDER_DEFAULT_CONTEXT) return address(0);
+        return sender;
     }
 
+    /// @return l2Block return L2 block when the L2 tx was initiated or zero
+    /// if no L2 to L1 transaction is active
     function l2ToL1Block() external view override returns (uint256) {
-        return uint256(context.l2Block);
+        uint128 l2Block = context.l2Block;
+        // we don't return the default context value to avoid a breaking change in the API
+        if (l2Block == L1BLOCK_DEFAULT_CONTEXT) return uint256(0);
+        return uint256(l2Block);
     }
 
+    /// @return l1Block return L1 block when the L2 tx was initiated or zero
+    /// if no L2 to L1 transaction is active
     function l2ToL1EthBlock() external view override returns (uint256) {
-        return uint256(context.l1Block);
+        uint128 l1Block = context.l1Block;
+        // we don't return the default context value to avoid a breaking change in the API
+        if (l1Block == L1BLOCK_DEFAULT_CONTEXT) return uint256(0);
+        return uint256(l1Block);
     }
 
+    /// @return timestamp return L2 timestamp when the L2 tx was initiated or zero
+    /// if no L2 to L1 transaction is active
     function l2ToL1Timestamp() external view override returns (uint256) {
-        return uint256(context.timestamp);
+        uint128 timestamp = context.timestamp;
+        // we don't return the default context value to avoid a breaking change in the API
+        if (timestamp == TIMESTAMP_DEFAULT_CONTEXT) return uint256(0);
+        return uint256(timestamp);
     }
 
-    // @deprecated batch number is now always 0
+    /// @notice batch number is deprecated and now always returns 0
     function l2ToL1BatchNum() external pure override returns (uint256) {
         return 0;
     }
 
+    /// @return outputId returns the unique output identifier of the L2 to L1 tx or
+    /// zero if no L2 to L1 transaction is active
     function l2ToL1OutputId() external view override returns (bytes32) {
-        return context.outputId;
+        bytes32 outputId = context.outputId;
+        // we don't return the default context value to avoid a breaking change in the API
+        if (outputId == OUTPUTID_DEFAULT_CONTEXT) return bytes32(0);
+        return outputId;
     }
 
     /**
@@ -93,22 +138,56 @@ contract Outbox is DelegateCallAware, IOutbox {
         uint256 l2Timestamp,
         uint256 value,
         bytes calldata data
-    ) external virtual {
-        bytes32 outputId;
-        {
-            bytes32 userTx = calculateItemHash(
-                l2Sender,
-                to,
-                l2Block,
-                l1Block,
-                l2Timestamp,
-                value,
-                data
-            );
-
-            outputId = recordOutputAsSpent(proof, index, userTx);
-            emit OutBoxTransactionExecuted(to, l2Sender, 0, index);
-        }
+    ) external {
+        bytes32 userTx = calculateItemHash(
+            l2Sender,
+            to,
+            l2Block,
+            l1Block,
+            l2Timestamp,
+            value,
+            data
+        );
+
+        recordOutputAsSpent(proof, index, userTx);
+
+        executeTransactionImpl(index, l2Sender, to, l2Block, l1Block, l2Timestamp, value, data);
+    }
+
+    /// @dev function used to simulate the result of a particular function call from the outbox
+    /// it is useful for things such as gas estimates. This function includes all costs except for
+    /// proof validation (which can be considered offchain as a somewhat of a fixed cost - it's
+    /// not really a fixed cost, but can be treated as so with a fixed overhead for gas estimation).
+    /// We can't include the cost of proof validation since this is intended to be used to simulate txs
+    /// that are included in yet-to-be confirmed merkle roots. The simulation entrypoint could instead pretend
+    /// to confirm a pending merkle root, but that would be less pratical for integrating with tooling.
+    /// It is only possible to trigger it when the msg sender is address zero, which should be impossible
+    /// unless under simulation in an eth_call or eth_estimateGas
+    function executeTransactionSimulation(
+        uint256 index,
+        address l2Sender,
+        address to,
+        uint256 l2Block,
+        uint256 l1Block,
+        uint256 l2Timestamp,
+        uint256 value,
+        bytes calldata data
+    ) external {
+        if (msg.sender != address(0)) revert SimulationOnlyEntrypoint();
+        executeTransactionImpl(index, l2Sender, to, l2Block, l1Block, l2Timestamp, value, data);
+    }
+
+    function executeTransactionImpl(
+        uint256 outputId,
+        address l2Sender,
+        address to,
+        uint256 l2Block,
+        uint256 l1Block,
+        uint256 l2Timestamp,
+        uint256 value,
+        bytes calldata data
+    ) internal {
+        emit OutBoxTransactionExecuted(to, l2Sender, 0, outputId);
 
         // we temporarily store the previous values so the outbox can naturally
         // unwind itself when there are nested calls to `executeTransaction`
@@ -119,7 +198,7 @@ contract Outbox is DelegateCallAware, IOutbox {
             l2Block: uint128(l2Block),
             l1Block: uint128(l1Block),
             timestamp: uint128(l2Timestamp),
-            outputId: outputId
+            outputId: bytes32(outputId)
         });
 
         // set and reset vars around execution so they remain valid during call
@@ -128,11 +207,35 @@ contract Outbox is DelegateCallAware, IOutbox {
         context = prevContext;
     }
 
+    function _calcSpentIndexOffset(uint256 index)
+        internal
+        view
+        returns (
+            uint256,
+            uint256,
+            bytes32
+        )
+    {
+        uint256 spentIndex = index / 255; // Note: Reserves the MSB.
+        uint256 bitOffset = index % 255;
+        bytes32 replay = spent[spentIndex];
+        return (spentIndex, bitOffset, replay);
+    }
+
+    function _isSpent(uint256 bitOffset, bytes32 replay) internal pure returns (bool) {
+        return ((replay >> bitOffset) & bytes32(uint256(1))) != bytes32(0);
+    }
+
+    function isSpent(uint256 index) external view returns (bool) {
+        (, uint256 bitOffset, bytes32 replay) = _calcSpentIndexOffset(index);
+        return _isSpent(bitOffset, replay);
+    }
+
     function recordOutputAsSpent(
         bytes32[] memory proof,
         uint256 index,
         bytes32 item
-    ) internal returns (bytes32) {
+    ) internal {
         if (proof.length >= 256) revert ProofTooLong(proof.length);
         if (index >= 2**proof.length) revert PathNotMinimal(index, 2**proof.length);
 
@@ -140,10 +243,10 @@ contract Outbox is DelegateCallAware, IOutbox {
         bytes32 calcRoot = calculateMerkleRoot(proof, index, item);
         if (roots[calcRoot] == bytes32(0)) revert UnknownRoot(calcRoot);
 
-        if (spent[index]) revert AlreadySpent(index);
-        spent[index] = true;
+        (uint256 spentIndex, uint256 bitOffset, bytes32 replay) = _calcSpentIndexOffset(index);
 
-        return bytes32(index);
+        if (_isSpent(bitOffset, replay)) revert AlreadySpent(index);
+        spent[spentIndex] = (replay | bytes32(1 << bitOffset));
     }
 
     function executeBridgeCall(