@arbitrum/nitro-contracts 1.0.0-beta.8 → 1.0.1

package/src/bridge/ISequencerInbox.sol

@@ -8,6 +8,7 @@ pragma experimental ABIEncoderV2;
 
 import "../libraries/IGasRefunder.sol";
 import "./IDelayedMessageProvider.sol";
+import "./IBridge.sol";
 
 interface ISequencerInbox is IDelayedMessageProvider {
     struct MaxTimeVariation {
@@ -51,33 +52,109 @@ interface ISequencerInbox is IDelayedMessageProvider {
     /// @dev a keyset was invalidated
     event InvalidateKeyset(bytes32 indexed keysetHash);
 
+    function totalDelayedMessagesRead() external view returns (uint256);
+
+    function bridge() external view returns (IBridge);
+
+    /// @dev The size of the batch header
+    // solhint-disable-next-line func-name-mixedcase
+    function HEADER_LENGTH() external view returns (uint256);
+
+    /// @dev If the first batch data byte after the header has this bit set,
+    ///      the sequencer inbox has authenticated the data. Currently not used.
+    // solhint-disable-next-line func-name-mixedcase
+    function DATA_AUTHENTICATED_FLAG() external view returns (bytes1);
+
+    function rollup() external view returns (IOwnable);
+
+    function isBatchPoster(address) external view returns (bool);
+
+    struct DasKeySetInfo {
+        bool isValidKeyset;
+        uint64 creationBlock;
+    }
+
+    // https://github.com/ethereum/solidity/issues/11826
+    // function maxTimeVariation() external view returns (MaxTimeVariation calldata);
+    // function dasKeySetInfo(bytes32) external view returns (DasKeySetInfo calldata);
+
+    /// @notice Remove force inclusion delay after a L1 chainId fork
+    function removeDelayAfterFork() external;
+
+    /// @notice Force messages from the delayed inbox to be included in the chain
+    ///         Callable by any address, but message can only be force-included after maxTimeVariation.delayBlocks and
+    ///         maxTimeVariation.delaySeconds has elapsed. As part of normal behaviour the sequencer will include these
+    ///         messages so it's only necessary to call this if the sequencer is down, or not including any delayed messages.
+    /// @param _totalDelayedMessagesRead The total number of messages to read up to
+    /// @param kind The kind of the last message to be included
+    /// @param l1BlockAndTime The l1 block and the l1 timestamp of the last message to be included
+    /// @param baseFeeL1 The l1 gas price of the last message to be included
+    /// @param sender The sender of the last message to be included
+    /// @param messageDataHash The messageDataHash of the last message to be included
+    function forceInclusion(
+        uint256 _totalDelayedMessagesRead,
+        uint8 kind,
+        uint64[2] calldata l1BlockAndTime,
+        uint256 baseFeeL1,
+        address sender,
+        bytes32 messageDataHash
+    ) external;
+
     function inboxAccs(uint256 index) external view returns (bytes32);
 
     function batchCount() external view returns (uint256);
 
-    function addSequencerL2Batch(
+    function isValidKeysetHash(bytes32 ksHash) external view returns (bool);
+
+    /// @notice the creation block is intended to still be available after a keyset is deleted
+    function getKeysetCreationBlock(bytes32 ksHash) external view returns (uint256);
+
+    // ---------- BatchPoster functions ----------
+
+    function addSequencerL2BatchFromOrigin(
         uint256 sequenceNumber,
         bytes calldata data,
         uint256 afterDelayedMessagesRead,
         IGasRefunder gasRefunder
     ) external;
 
-    // Methods only callable by rollup owner
+    function addSequencerL2Batch(
+        uint256 sequenceNumber,
+        bytes calldata data,
+        uint256 afterDelayedMessagesRead,
+        IGasRefunder gasRefunder,
+        uint256 prevMessageCount,
+        uint256 newMessageCount
+    ) external;
+
+    // ---------- onlyRollupOrOwner functions ----------
 
     /**
-     * @notice Set max time variation from actual time for sequencer inbox
-     * @param timeVariation the maximum time variation parameters
+     * @notice Set max delay for sequencer inbox
+     * @param maxTimeVariation_ the maximum time variation parameters
      */
-    function setMaxTimeVariation(MaxTimeVariation memory timeVariation) external;
+    function setMaxTimeVariation(MaxTimeVariation memory maxTimeVariation_) external;
 
     /**
      * @notice Updates whether an address is authorized to be a batch poster at the sequencer inbox
      * @param addr the address
-     * @param isBatchPoster if the specified address should be authorized as a batch poster
+     * @param isBatchPoster_ if the specified address should be authorized as a batch poster
      */
-    function setIsBatchPoster(address addr, bool isBatchPoster) external;
+    function setIsBatchPoster(address addr, bool isBatchPoster_) external;
 
+    /**
+     * @notice Makes Data Availability Service keyset valid
+     * @param keysetBytes bytes of the serialized keyset
+     */
     function setValidKeyset(bytes calldata keysetBytes) external;
 
+    /**
+     * @notice Invalidates a Data Availability Service keyset
+     * @param ksHash hash of the keyset
+     */
     function invalidateKeysetHash(bytes32 ksHash) external;
+
+    // ---------- initializer ----------
+
+    function initialize(IBridge bridge_, MaxTimeVariation calldata maxTimeVariation_) external;
 }

package/src/bridge/Inbox.sol

@@ -15,7 +15,10 @@ import {
     InsufficientSubmissionCost,
     NotAllowedOrigin,
     RetryableData,
-    NotRollupOrOwner
+    NotRollupOrOwner,
+    L1Forked,
+    NotForked,
+    GasLimitTooLarge
 } from "../libraries/Error.sol";
 import "./IInbox.sol";
 import "./ISequencerInbox.sol";
@@ -32,7 +35,8 @@ import {
     L2MessageType_unsignedEOATx,
     L2MessageType_unsignedContractTx
 } from "../libraries/MessageTypes.sol";
-import {MAX_DATA_SIZE} from "../libraries/Constants.sol";
+import {MAX_DATA_SIZE, UNISWAP_L1_TIMELOCK, UNISWAP_L2_FACTORY} from "../libraries/Constants.sol";
+import "../precompiles/ArbSys.sol";
 
 import "@openzeppelin/contracts-upgradeable/utils/AddressUpgradeable.sol";
 import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
@@ -43,7 +47,7 @@ import "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";
  * to await inclusion in the SequencerInbox
  */
 contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
-    IBridge public override bridge;
+    IBridge public bridge;
     ISequencerInbox public sequencerInbox;
 
     /// ------------------------------------ allow list start ------------------------------------ ///
@@ -92,12 +96,18 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         _;
     }
 
-    /// @notice pauses all inbox functionality
+    uint256 internal immutable deployTimeChainId = block.chainid;
+
+    function _chainIdChanged() internal view returns (bool) {
+        return deployTimeChainId != block.chainid;
+    }
+
+    /// @inheritdoc IInbox
     function pause() external onlyRollupOrOwner {
         _pause();
     }
 
-    /// @notice unpauses all inbox functionality
+    /// @inheritdoc IInbox
     function unpause() external onlyRollupOrOwner {
         _unpause();
     }
@@ -107,37 +117,23 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         initializer
         onlyDelegated
     {
-        if (address(bridge) != address(0)) revert AlreadyInit();
         bridge = _bridge;
         sequencerInbox = _sequencerInbox;
         allowListEnabled = false;
         __Pausable_init();
     }
 
-    /// @dev function to be called one time during the inbox upgrade process
-    /// this is used to fix the storage slots
-    function postUpgradeInit(IBridge _bridge) external onlyDelegated onlyProxyOwner {
-        uint8 slotsToWipe = 3;
-        for (uint8 i = 0; i < slotsToWipe; i++) {
-            assembly {
-                sstore(i, 0)
-            }
-        }
-        allowListEnabled = false;
-        bridge = _bridge;
-    }
+    /// @inheritdoc IInbox
+    function postUpgradeInit(IBridge) external onlyDelegated onlyProxyOwner {}
 
-    /**
-     * @notice Send a generic L2 message to the chain
-     * @dev This method is an optimization to avoid having to emit the entirety of the messageData in a log. Instead validators are expected to be able to parse the data from the transaction's input
-     * @param messageData Data of the message being sent
-     */
+    /// @inheritdoc IInbox
     function sendL2MessageFromOrigin(bytes calldata messageData)
         external
         whenNotPaused
         onlyAllowed
         returns (uint256)
     {
+        if (_chainIdChanged()) revert L1Forked();
         // solhint-disable-next-line avoid-tx-origin
         if (msg.sender != tx.origin) revert NotOrigin();
         if (messageData.length > MAX_DATA_SIZE)
@@ -147,18 +143,14 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         return msgNum;
     }
 
-    /**
-     * @notice Send a generic L2 message to the chain
-     * @dev This method can be used to send any type of message that doesn't require L1 validation
-     * @param messageData Data of the message being sent
-     */
+    /// @inheritdoc IInbox
     function sendL2Message(bytes calldata messageData)
         external
-        override
         whenNotPaused
         onlyAllowed
         returns (uint256)
     {
+        if (_chainIdChanged()) revert L1Forked();
         return _deliverMessage(L2_MSG, msg.sender, messageData);
     }
 
@@ -168,7 +160,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 nonce,
         address to,
         bytes calldata data
-    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
         return
             _deliverMessage(
                 L1MessageType_L2FundedByL1,
@@ -190,7 +186,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 maxFeePerGas,
         address to,
         bytes calldata data
-    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
         return
             _deliverMessage(
                 L1MessageType_L2FundedByL1,
@@ -213,7 +213,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         address to,
         uint256 value,
         bytes calldata data
-    ) external virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) external whenNotPaused onlyAllowed returns (uint256) {
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
         return
             _deliverMessage(
                 L2_MSG,
@@ -236,7 +240,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         address to,
         uint256 value,
         bytes calldata data
-    ) external virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) external whenNotPaused onlyAllowed returns (uint256) {
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
         return
             _deliverMessage(
                 L2_MSG,
@@ -252,13 +260,104 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             );
     }
 
-    /**
-     * @notice Get the L1 fee for submitting a retryable
-     * @dev This fee can be paid by funds already in the L2 aliased address or by the current message value
-     * @dev This formula may change in the future, to future proof your code query this method instead of inlining!!
-     * @param dataLength The length of the retryable's calldata, in bytes
-     * @param baseFee The block basefee when the retryable is included in the chain, if 0 current block.basefee will be used
-     */
+    /// @inheritdoc IInbox
+    function sendL1FundedUnsignedTransactionToFork(
+        uint256 gasLimit,
+        uint256 maxFeePerGas,
+        uint256 nonce,
+        address to,
+        bytes calldata data
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
+        if (!_chainIdChanged()) revert NotForked();
+        // solhint-disable-next-line avoid-tx-origin
+        if (msg.sender != tx.origin) revert NotOrigin();
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
+        return
+            _deliverMessage(
+                L1MessageType_L2FundedByL1,
+                // undoing sender alias here to cancel out the aliasing
+                AddressAliasHelper.undoL1ToL2Alias(msg.sender),
+                abi.encodePacked(
+                    L2MessageType_unsignedEOATx,
+                    gasLimit,
+                    maxFeePerGas,
+                    nonce,
+                    uint256(uint160(to)),
+                    msg.value,
+                    data
+                )
+            );
+    }
+
+    /// @inheritdoc IInbox
+    function sendUnsignedTransactionToFork(
+        uint256 gasLimit,
+        uint256 maxFeePerGas,
+        uint256 nonce,
+        address to,
+        uint256 value,
+        bytes calldata data
+    ) external whenNotPaused onlyAllowed returns (uint256) {
+        if (!_chainIdChanged()) revert NotForked();
+        // solhint-disable-next-line avoid-tx-origin
+        if (msg.sender != tx.origin) revert NotOrigin();
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
+        return
+            _deliverMessage(
+                L2_MSG,
+                // undoing sender alias here to cancel out the aliasing
+                AddressAliasHelper.undoL1ToL2Alias(msg.sender),
+                abi.encodePacked(
+                    L2MessageType_unsignedEOATx,
+                    gasLimit,
+                    maxFeePerGas,
+                    nonce,
+                    uint256(uint160(to)),
+                    value,
+                    data
+                )
+            );
+    }
+
+    /// @inheritdoc IInbox
+    function sendWithdrawEthToFork(
+        uint256 gasLimit,
+        uint256 maxFeePerGas,
+        uint256 nonce,
+        uint256 value,
+        address withdrawTo
+    ) external whenNotPaused onlyAllowed returns (uint256) {
+        if (!_chainIdChanged()) revert NotForked();
+        // solhint-disable-next-line avoid-tx-origin
+        if (msg.sender != tx.origin) revert NotOrigin();
+        // arbos will discard unsigned tx with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
+        return
+            _deliverMessage(
+                L2_MSG,
+                // undoing sender alias here to cancel out the aliasing
+                AddressAliasHelper.undoL1ToL2Alias(msg.sender),
+                abi.encodePacked(
+                    L2MessageType_unsignedEOATx,
+                    gasLimit,
+                    maxFeePerGas,
+                    nonce,
+                    uint256(uint160(address(100))), // ArbSys address
+                    value,
+                    abi.encode(ArbSys.withdrawEth.selector, withdrawTo)
+                )
+            );
+    }
+
+    /// @inheritdoc IInbox
     function calculateRetryableSubmissionFee(uint256 dataLength, uint256 baseFee)
         public
         view
@@ -268,20 +367,13 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         return (1400 + 6 * dataLength) * (baseFee == 0 ? block.basefee : baseFee);
     }
 
-    /// @notice deposit eth from L1 to L2
-    /// @dev this does not trigger the fallback function when receiving in the L2 side.
-    /// Look into retryable tickets if you are interested in this functionality.
-    /// @dev this function should not be called inside contract constructors
-    function depositEth() public payable override whenNotPaused onlyAllowed returns (uint256) {
+    /// @inheritdoc IInbox
+    function depositEth() public payable whenNotPaused onlyAllowed returns (uint256) {
         address dest = msg.sender;
 
         // solhint-disable-next-line avoid-tx-origin
         if (AddressUpgradeable.isContract(msg.sender) || tx.origin != msg.sender) {
             // isContract check fails if this function is called during a contract's constructor.
-            // We don't adjust the address for calls coming from L1 contracts since their addresses get remapped
-            // If the caller is an EOA, we adjust the address.
-            // This is needed because unsigned messages to the L2 (such as retryables)
-            // have the L1 sender address mapped.
             dest = AddressAliasHelper.applyL1ToL2Alias(msg.sender);
         }
 
@@ -294,15 +386,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
     }
 
     /// @notice deprecated in favour of depositEth with no parameters
-    function depositEth(uint256)
-        external
-        payable
-        virtual
-        override
-        whenNotPaused
-        onlyAllowed
-        returns (uint256)
-    {
+    function depositEth(uint256) external payable whenNotPaused onlyAllowed returns (uint256) {
         return depositEth();
     }
 
@@ -318,7 +402,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
      * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
      * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
      * @param data ABI encoded data of L2 message
-     * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
+     * @return unique message number of the retryable transaction
      */
     function createRetryableTicketNoRefundAliasRewrite(
         address to,
@@ -329,7 +413,8 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) external payable virtual whenNotPaused onlyAllowed returns (uint256) {
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
+        // gas limit is validated to be within uint64 in unsafeCreateRetryableTicket
         return
             unsafeCreateRetryableTicket(
                 to,
@@ -343,20 +428,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             );
     }
 
-    /**
-     * @notice Put a message in the L2 inbox that can be reexecuted for some fixed amount of time if it reverts
-     * @dev all msg.value will deposited to callValueRefundAddress on L2
-     * @dev Gas limit and maxFeePerGas should not be set to 1 as that is used to trigger the RetryableData error
-     * @param to destination L2 contract address
-     * @param l2CallValue call value for retryable L2 message
-     * @param maxSubmissionCost Max gas deducted from user's L2 balance to cover base submission fee
-     * @param excessFeeRefundAddress gasLimit x maxFeePerGas - execution cost gets credited here on L2 balance
-     * @param callValueRefundAddress l2Callvalue gets credited here on L2 if retryable txn times out or gets cancelled
-     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
-     * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
-     * @param data ABI encoded data of L2 message
-     * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
-     */
+    /// @inheritdoc IInbox
     function createRetryableTicket(
         address to,
         uint256 l2CallValue,
@@ -366,7 +438,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) external payable virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
         // ensure the user's deposit alone will make submission succeed
         if (msg.value < (maxSubmissionCost + l2CallValue + gasLimit * maxFeePerGas)) {
             revert InsufficientValue(
@@ -386,6 +458,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             callValueRefundAddress = AddressAliasHelper.applyL1ToL2Alias(callValueRefundAddress);
         }
 
+        // gas limit is validated to be within uint64 in unsafeCreateRetryableTicket
         return
             unsafeCreateRetryableTicket(
                 to,
@@ -399,23 +472,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             );
     }
 
-    /**
-     * @notice Put a message in the L2 inbox that can be reexecuted for some fixed amount of time if it reverts
-     * @dev Same as createRetryableTicket, but does not guarantee that submission will succeed by requiring the needed funds
-     * come from the deposit alone, rather than falling back on the user's L2 balance
-     * @dev Advanced usage only (does not rewrite aliases for excessFeeRefundAddress and callValueRefundAddress).
-     * createRetryableTicket method is the recommended standard.
-     * @dev Gas limit and maxFeePerGas should not be set to 1 as that is used to trigger the RetryableData error
-     * @param to destination L2 contract address
-     * @param l2CallValue call value for retryable L2 message
-     * @param maxSubmissionCost Max gas deducted from user's L2 balance to cover base submission fee
-     * @param excessFeeRefundAddress gasLimit x maxFeePerGas - execution cost gets credited here on L2 balance
-     * @param callValueRefundAddress l2Callvalue gets credited here on L2 if retryable txn times out or gets cancelled
-     * @param gasLimit Max gas deducted from user's L2 balance to cover L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
-     * @param maxFeePerGas price bid for L2 execution. Should not be set to 1 (magic value used to trigger the RetryableData error)
-     * @param data ABI encoded data of L2 message
-     * @return unique id for retryable transaction (keccak256(requestID, uint(0) )
-     */
+    /// @inheritdoc IInbox
     function unsafeCreateRetryableTicket(
         address to,
         uint256 l2CallValue,
@@ -425,7 +482,7 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
         uint256 gasLimit,
         uint256 maxFeePerGas,
         bytes calldata data
-    ) public payable virtual override whenNotPaused onlyAllowed returns (uint256) {
+    ) public payable whenNotPaused onlyAllowed returns (uint256) {
         // gas price and limit of 1 should never be a valid input, so instead they are used as
         // magic values to trigger a revert in eth calls that surface data without requiring a tx trace
         if (gasLimit == 1 || maxFeePerGas == 1)
@@ -442,6 +499,11 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
                 data
             );
 
+        // arbos will discard retryable with gas limit too large
+        if (gasLimit > type(uint64).max) {
+            revert GasLimitTooLarge();
+        }
+
         uint256 submissionFee = calculateRetryableSubmissionFee(data.length, block.basefee);
         if (maxSubmissionCost < submissionFee)
             revert InsufficientSubmissionCost(submissionFee, maxSubmissionCost);
@@ -465,6 +527,84 @@ contract Inbox is DelegateCallAware, PausableUpgradeable, IInbox {
             );
     }
 
+    /// @notice This is an one-time-exception to resolve a misconfiguration of Uniswap Arbitrum deployment
+    ///         Only the Uniswap L1 Timelock may call this function and it is allowed to create a crosschain
+    ///         retryable ticket without address aliasing. More info here:
+    ///         https://gov.uniswap.org/t/consensus-check-fix-the-cross-chain-messaging-bridge-on-arbitrum/18547
+    /// @dev    This function will be removed in future releases
+    function uniswapCreateRetryableTicket(
+        address to,
+        uint256 l2CallValue,
+        uint256 maxSubmissionCost,
+        address excessFeeRefundAddress,
+        address callValueRefundAddress,
+        uint256 gasLimit,
+        uint256 maxFeePerGas,
+        bytes calldata data
+    ) external payable whenNotPaused onlyAllowed returns (uint256) {
+        // this can only be called by UNISWAP_L1_TIMELOCK
+        require(msg.sender == UNISWAP_L1_TIMELOCK, "NOT_UNISWAP_L1_TIMELOCK");
+        // the retryable can only call UNISWAP_L2_FACTORY
+        require(to == UNISWAP_L2_FACTORY, "NOT_TO_UNISWAP_L2_FACTORY");
+
+        // ensure the user's deposit alone will make submission succeed
+        if (msg.value < (maxSubmissionCost + l2CallValue + gasLimit * maxFeePerGas)) {
+            revert InsufficientValue(
+                maxSubmissionCost + l2CallValue + gasLimit * maxFeePerGas,
+                msg.value
+            );
+        }
+
+        // if a refund address is a contract, we apply the alias to it
+        // so that it can access its funds on the L2
+        // since the beneficiary and other refund addresses don't get rewritten by arb-os
+        if (AddressUpgradeable.isContract(excessFeeRefundAddress)) {
+            excessFeeRefundAddress = AddressAliasHelper.applyL1ToL2Alias(excessFeeRefundAddress);
+        }
+        if (AddressUpgradeable.isContract(callValueRefundAddress)) {
+            // this is the beneficiary. be careful since this is the address that can cancel the retryable in the L2
+            callValueRefundAddress = AddressAliasHelper.applyL1ToL2Alias(callValueRefundAddress);
+        }
+
+        // gas price and limit of 1 should never be a valid input, so instead they are used as
+        // magic values to trigger a revert in eth calls that surface data without requiring a tx trace
+        if (gasLimit == 1 || maxFeePerGas == 1)
+            revert RetryableData(
+                msg.sender,
+                to,
+                l2CallValue,
+                msg.value,
+                maxSubmissionCost,
+                excessFeeRefundAddress,
+                callValueRefundAddress,
+                gasLimit,
+                maxFeePerGas,
+                data
+            );
+
+        uint256 submissionFee = calculateRetryableSubmissionFee(data.length, block.basefee);
+        if (maxSubmissionCost < submissionFee)
+            revert InsufficientSubmissionCost(submissionFee, maxSubmissionCost);
+
+        return
+            _deliverMessage(
+                L1MessageType_submitRetryableTx,
+                AddressAliasHelper.undoL1ToL2Alias(msg.sender),
+                abi.encodePacked(
+                    uint256(uint160(to)),
+                    l2CallValue,
+                    msg.value,
+                    maxSubmissionCost,
+                    uint256(uint160(excessFeeRefundAddress)),
+                    uint256(uint160(callValueRefundAddress)),
+                    gasLimit,
+                    maxFeePerGas,
+                    data.length,
+                    data
+                )
+            );
+    }
+
     function _deliverMessage(
         uint8 _kind,
         address _sender,