@aztec/validator-client 0.0.1-commit.f2ce05ee → 0.0.1-commit.f5d02921e

package/src/validator.ts

@@ -9,20 +9,18 @@ import {
   SlotNumber,
 } from '@aztec/foundation/branded-types';
 import { Fr } from '@aztec/foundation/curves/bn254';
-import { TimeoutError } from '@aztec/foundation/error';
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { Signature } from '@aztec/foundation/eth-signature';
 import { type LogData, type Logger, createLogger } from '@aztec/foundation/log';
-import { retryUntil } from '@aztec/foundation/retry';
 import { RunningPromise } from '@aztec/foundation/running-promise';
 import { sleep } from '@aztec/foundation/sleep';
 import { DateProvider } from '@aztec/foundation/timer';
 import type { KeystoreManager } from '@aztec/node-keystore';
-import type { DuplicateProposalInfo, P2P, PeerId } from '@aztec/p2p';
+import type { DuplicateAttestationInfo, DuplicateProposalInfo, P2P, PeerId } from '@aztec/p2p';
 import { AuthRequest, AuthResponse, BlockProposalValidator, ReqRespSubProtocol } from '@aztec/p2p';
 import { OffenseType, WANT_TO_SLASH_EVENT, type Watcher, type WatcherEmitter } from '@aztec/slasher';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
-import type { CommitteeAttestationsAndSigners, L2Block, L2BlockSink, L2BlockSource } from '@aztec/stdlib/block';
+import type { CommitteeAttestationsAndSigners, L2BlockSink, L2BlockSource } from '@aztec/stdlib/block';
 import { getEpochAtSlot } from '@aztec/stdlib/epoch-helpers';
 import type {
   CreateCheckpointProposalLastBlockData,
@@ -31,32 +29,37 @@ import type {
   ValidatorClientFullConfig,
   WorldStateSynchronizer,
 } from '@aztec/stdlib/interfaces/server';
-import { type L1ToL2MessageSource, accumulateCheckpointOutHashes } from '@aztec/stdlib/messaging';
-import type {
-  BlockProposal,
-  BlockProposalOptions,
-  CheckpointAttestation,
-  CheckpointProposalCore,
-  CheckpointProposalOptions,
+import type { L1ToL2MessageSource } from '@aztec/stdlib/messaging';
+import {
+  type BlockProposal,
+  type BlockProposalOptions,
+  type CheckpointAttestation,
+  CheckpointProposal,
+  type CheckpointProposalCore,
+  type CheckpointProposalOptions,
 } from '@aztec/stdlib/p2p';
-import { CheckpointProposal } from '@aztec/stdlib/p2p';
 import type { CheckpointHeader } from '@aztec/stdlib/rollup';
-import type { BlockHeader, CheckpointGlobalVariables, Tx } from '@aztec/stdlib/tx';
+import type { BlockHeader, Tx } from '@aztec/stdlib/tx';
 import { AttestationTimeoutError } from '@aztec/stdlib/validators';
 import { type TelemetryClient, type Tracer, getTelemetryClient } from '@aztec/telemetry-client';
-import { createHASigner } from '@aztec/validator-ha-signer/factory';
-import { DutyType, type SigningContext } from '@aztec/validator-ha-signer/types';
+import {
+  createHASigner,
+  createLocalSignerWithProtection,
+  createSignerFromSharedDb,
+} from '@aztec/validator-ha-signer/factory';
+import { DutyType, type SigningContext, type SlashingProtectionDatabase } from '@aztec/validator-ha-signer/types';
+import type { ValidatorHASigner } from '@aztec/validator-ha-signer/validator-ha-signer';
 
 import { EventEmitter } from 'events';
 import type { TypedDataDefinition } from 'viem';
 
-import { BlockProposalHandler, type BlockProposalValidationFailureReason } from './block_proposal_handler.js';
 import type { FullNodeCheckpointsBuilder } from './checkpoint_builder.js';
 import { ValidationService } from './duties/validation_service.js';
 import { HAKeyStore } from './key_store/ha_key_store.js';
 import type { ExtendedValidatorKeyStore } from './key_store/interface.js';
 import { NodeKeystoreAdapter } from './key_store/node_keystore_adapter.js';
 import { ValidatorMetrics } from './metrics.js';
+import { type BlockProposalValidationFailureReason, ProposalHandler } from './proposal_handler.js';
 
 // We maintain a set of proposers who have proposed invalid blocks.
 // Just cap the set to avoid unbounded growth.
@@ -76,29 +79,37 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
   private validationService: ValidationService;
   private metrics: ValidatorMetrics;
   private log: Logger;
-
   // Whether it has already registered handlers on the p2p client
   private hasRegisteredHandlers = false;
 
-  // Used to check if we are sending the same proposal twice
-  private previousProposal?: BlockProposal;
+  /** Tracks the last block proposal we created, to detect duplicate proposal attempts. */
+  private lastProposedBlock?: BlockProposal;
+
+  /** Tracks the last checkpoint proposal we created. */
+  private lastProposedCheckpoint?: CheckpointProposal;
 
   private lastEpochForCommitteeUpdateLoop: EpochNumber | undefined;
   private epochCacheUpdateLoop: RunningPromise;
+  /** Tracks the last epoch in which each attester successfully submitted at least one attestation. */
+  private lastAttestedEpochByAttester: Map<string, EpochNumber> = new Map();
 
   private proposersOfInvalidBlocks: Set<string> = new Set();
 
+  /** Tracks the last checkpoint proposal we attested to, to prevent equivocation. */
+  private lastAttestedProposal?: CheckpointProposalCore;
+
   protected constructor(
     private keyStore: ExtendedValidatorKeyStore,
     private epochCache: EpochCache,
     private p2pClient: P2P,
-    private blockProposalHandler: BlockProposalHandler,
+    private proposalHandler: ProposalHandler,
     private blockSource: L2BlockSource,
     private checkpointsBuilder: FullNodeCheckpointsBuilder,
     private worldState: WorldStateSynchronizer,
     private l1ToL2MessageSource: L1ToL2MessageSource,
     private config: ValidatorClientFullConfig,
     private blobClient: BlobClientInterface,
+    private slashingProtectionSigner: ValidatorHASigner,
     private dateProvider: DateProvider = new DateProvider(),
     telemetry: TelemetryClient = getTelemetryClient(),
     log = createLogger('validator'),
@@ -152,6 +163,7 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
         this.log.trace(`No committee found for slot`);
         return;
       }
+      this.metrics.setCurrentEpoch(epoch);
       if (epoch !== this.lastEpochForCommitteeUpdateLoop) {
         const me = this.getValidatorAddresses();
         const committeeSet = new Set(committee.map(v => v.toString()));
@@ -185,12 +197,14 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     blobClient: BlobClientInterface,
     dateProvider: DateProvider = new DateProvider(),
     telemetry: TelemetryClient = getTelemetryClient(),
+    slashingProtectionDb?: SlashingProtectionDatabase,
   ) {
     const metrics = new ValidatorMetrics(telemetry);
     const blockProposalValidator = new BlockProposalValidator(epochCache, {
       txsPermitted: !config.disableTransactions,
+      maxTxsPerBlock: config.validateMaxTxsPerBlock,
     });
-    const blockProposalHandler = new BlockProposalHandler(
+    const proposalHandler = new ProposalHandler(
       checkpointsBuilder,
       worldState,
       blockSource,
@@ -199,33 +213,53 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
       blockProposalValidator,
       epochCache,
       config,
+      blobClient,
       metrics,
       dateProvider,
       telemetry,
     );
 
-    let validatorKeyStore: ExtendedValidatorKeyStore = NodeKeystoreAdapter.fromKeyStoreManager(keyStoreManager);
-    if (config.haSigningEnabled) {
+    const nodeKeystoreAdapter = NodeKeystoreAdapter.fromKeyStoreManager(keyStoreManager);
+    let slashingProtectionSigner: ValidatorHASigner;
+    if (slashingProtectionDb) {
+      // Shared database mode: use a pre-existing database (e.g. for testing HA setups).
+      ({ signer: slashingProtectionSigner } = createSignerFromSharedDb(slashingProtectionDb, config, {
+        telemetryClient: telemetry,
+        dateProvider,
+      }));
+    } else if (config.haSigningEnabled) {
+      // Multi-node HA mode: use PostgreSQL-backed distributed locking.
       // If maxStuckDutiesAgeMs is not explicitly set, compute it from Aztec slot duration
       const haConfig = {
         ...config,
         maxStuckDutiesAgeMs: config.maxStuckDutiesAgeMs ?? epochCache.getL1Constants().slotDuration * 2 * 1000,
       };
-      const { signer } = await createHASigner(haConfig);
-      validatorKeyStore = new HAKeyStore(validatorKeyStore, signer);
+      ({ signer: slashingProtectionSigner } = await createHASigner(haConfig, {
+        telemetryClient: telemetry,
+        dateProvider,
+      }));
+    } else {
+      // Single-node mode: use LMDB-backed local signing protection.
+      // This prevents double-signing if the node crashes and restarts mid-proposal.
+      ({ signer: slashingProtectionSigner } = await createLocalSignerWithProtection(config, {
+        telemetryClient: telemetry,
+        dateProvider,
+      }));
     }
+    const validatorKeyStore: ExtendedValidatorKeyStore = new HAKeyStore(nodeKeystoreAdapter, slashingProtectionSigner);
 
     const validator = new ValidatorClient(
       validatorKeyStore,
       epochCache,
       p2pClient,
-      blockProposalHandler,
+      proposalHandler,
       blockSource,
       checkpointsBuilder,
       worldState,
       l1ToL2MessageSource,
       config,
       blobClient,
+      slashingProtectionSigner,
       dateProvider,
       telemetry,
     );
@@ -239,8 +273,8 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
       .filter(addr => !this.config.disabledValidators.some(disabled => disabled.equals(addr)));
   }
 
-  public getBlockProposalHandler() {
-    return this.blockProposalHandler;
+  public getProposalHandler() {
+    return this.proposalHandler;
   }
 
   public signWithAddress(addr: EthAddress, msg: TypedDataDefinition, context: SigningContext) {
@@ -263,6 +297,12 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     this.config = { ...this.config, ...config };
   }
 
+  public reloadKeystore(newManager: KeystoreManager): void {
+    const newAdapter = NodeKeystoreAdapter.fromKeyStoreManager(newManager);
+    this.keyStore = new HAKeyStore(newAdapter, this.slashingProtectionSigner);
+    this.validationService = new ValidationService(this.keyStore, this.log.createChild('validation-service'));
+  }
+
   public async start() {
     if (this.epochCacheUpdateLoop.isRunning()) {
       this.log.warn(`Validator client already started`);
@@ -307,13 +347,18 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
         checkpoint: CheckpointProposalCore,
         proposalSender: PeerId,
       ): Promise<CheckpointAttestation[] | undefined> => this.attestToCheckpointProposal(checkpoint, proposalSender);
-      this.p2pClient.registerCheckpointProposalHandler(checkpointHandler);
+      this.p2pClient.registerValidatorCheckpointProposalHandler(checkpointHandler);
 
       // Duplicate proposal handler - triggers slashing for equivocation
       this.p2pClient.registerDuplicateProposalCallback((info: DuplicateProposalInfo) => {
         this.handleDuplicateProposal(info);
       });
 
+      // Duplicate attestation handler - triggers slashing for attestation equivocation
+      this.p2pClient.registerDuplicateAttestationCallback((info: DuplicateAttestationInfo) => {
+        this.handleDuplicateAttestation(info);
+      });
+
       const myAddresses = this.getValidatorAddresses();
       this.p2pClient.registerThisValidatorAddresses(myAddresses);
 
@@ -341,6 +386,14 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
       return false;
     }
 
+    // Log self-proposals from HA peers (same validator key on different nodes)
+    if (this.getValidatorAddresses().some(addr => addr.equals(proposer))) {
+      this.log.verbose(`Processing block proposal from HA peer for slot ${slotNumber}`, {
+        proposer: proposer.toString(),
+        slotNumber,
+      });
+    }
+
     // Check if we're in the committee (for metrics purposes)
     const inCommittee = await this.epochCache.filterInCommittee(slotNumber, this.getValidatorAddresses());
     const partOfCommittee = inCommittee.length > 0;
@@ -354,25 +407,25 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
 
     // Reexecute txs if we are part of the committee, or if slashing is enabled, or if we are configured to always reexecute.
     // In fisherman mode, we always reexecute to validate proposals.
-    const { validatorReexecute, slashBroadcastedInvalidBlockPenalty, alwaysReexecuteBlockProposals, fishermanMode } =
-      this.config;
+    const { slashBroadcastedInvalidBlockPenalty, alwaysReexecuteBlockProposals, fishermanMode } = this.config;
     const shouldReexecute =
       fishermanMode ||
-      (slashBroadcastedInvalidBlockPenalty > 0n && validatorReexecute) ||
-      (partOfCommittee && validatorReexecute) ||
+      slashBroadcastedInvalidBlockPenalty > 0n ||
+      partOfCommittee ||
       alwaysReexecuteBlockProposals ||
       this.blobClient.canUpload();
 
-    const validationResult = await this.blockProposalHandler.handleBlockProposal(
+    const validationResult = await this.proposalHandler.handleBlockProposal(
       proposal,
       proposalSender,
       !!shouldReexecute && !escapeHatchOpen,
     );
 
     if (!validationResult.isValid) {
-      this.log.warn(`Block proposal validation failed: ${validationResult.reason}`, proposalInfo);
-
       const reason = validationResult.reason || 'unknown';
+
+      this.log.warn(`Block proposal validation failed: ${reason}`, proposalInfo);
+
       // Classify failure reason: bad proposal vs node issue
       const badProposalReasons: BlockProposalValidationFailureReason[] = [
         'invalid_proposal',
@@ -427,53 +480,50 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     proposal: CheckpointProposalCore,
     _proposalSender: PeerId,
   ): Promise<CheckpointAttestation[] | undefined> {
-    const slotNumber = proposal.slotNumber;
+    const proposalSlotNumber = proposal.slotNumber;
     const proposer = proposal.getSender();
 
     // If escape hatch is open for this slot's epoch, do not attest.
-    if (await this.epochCache.isEscapeHatchOpenAtSlot(slotNumber)) {
-      this.log.warn(`Escape hatch open for slot ${slotNumber}, skipping checkpoint attestation handling`);
+    if (await this.epochCache.isEscapeHatchOpenAtSlot(proposalSlotNumber)) {
+      this.log.warn(`Escape hatch open for slot ${proposalSlotNumber}, skipping checkpoint attestation handling`);
       return undefined;
     }
 
-    // Reject proposals with invalid signatures
-    if (!proposer) {
-      this.log.warn(`Received checkpoint proposal with invalid signature for slot ${slotNumber}`);
+    // Ignore proposals from ourselves (may happen in HA setups)
+    if (proposer && this.getValidatorAddresses().some(addr => addr.equals(proposer))) {
+      this.log.debug(`Ignoring block proposal from self for slot ${proposalSlotNumber}`, {
+        proposer: proposer.toString(),
+        proposalSlotNumber,
+      });
       return undefined;
     }
 
-    // Check that I have any address in current committee before attesting
-    const inCommittee = await this.epochCache.filterInCommittee(slotNumber, this.getValidatorAddresses());
+    // Check that I have any address in the committee where this checkpoint will land before attesting
+    const inCommittee = await this.epochCache.filterInCommittee(proposalSlotNumber, this.getValidatorAddresses());
     const partOfCommittee = inCommittee.length > 0;
 
     const proposalInfo = {
-      slotNumber,
+      proposalSlotNumber,
       archive: proposal.archive.toString(),
-      proposer: proposer.toString(),
-      txCount: proposal.txHashes.length,
+      proposer: proposer?.toString(),
     };
-    this.log.info(`Received checkpoint proposal for slot ${slotNumber}`, {
+    this.log.info(`Received checkpoint proposal for slot ${proposalSlotNumber}`, {
       ...proposalInfo,
-      txHashes: proposal.txHashes.map(t => t.toString()),
       fishermanMode: this.config.fishermanMode || false,
     });
 
-    // Validate the checkpoint proposal before attesting (unless skipCheckpointProposalValidation is set)
+    // Validate the checkpoint proposal before attesting (unless skipCheckpointProposalValidation is set).
+    // Uses the cached result from the all-nodes callback if available (avoids double validation).
     if (this.config.skipCheckpointProposalValidation) {
-      this.log.warn(`Skipping checkpoint proposal validation for slot ${slotNumber}`, proposalInfo);
+      this.log.warn(`Skipping checkpoint proposal validation for slot ${proposalSlotNumber}`, proposalInfo);
     } else {
-      const validationResult = await this.validateCheckpointProposal(proposal, proposalInfo);
+      const validationResult = await this.proposalHandler.handleCheckpointProposal(proposal, proposalInfo);
       if (!validationResult.isValid) {
         this.log.warn(`Checkpoint proposal validation failed: ${validationResult.reason}`, proposalInfo);
         return undefined;
       }
     }
 
-    // Upload blobs to filestore if we can (fire and forget)
-    if (this.blobClient.canUpload()) {
-      void this.uploadBlobsForCheckpoint(proposal, proposalInfo);
-    }
-
     // Check that I have any address in current committee before attesting
     // In fisherman mode, we still create attestations for validation even if not in committee
     if (!partOfCommittee && !this.config.fishermanMode) {
@@ -482,14 +532,28 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     }
 
     // Provided all of the above checks pass, we can attest to the proposal
-    this.log.info(`${partOfCommittee ? 'Attesting to' : 'Validated'} checkpoint proposal for slot ${slotNumber}`, {
-      ...proposalInfo,
-      inCommittee: partOfCommittee,
-      fishermanMode: this.config.fishermanMode || false,
-    });
+    this.log.info(
+      `${partOfCommittee ? 'Attesting to' : 'Validated'} checkpoint proposal for slot ${proposalSlotNumber}`,
+      {
+        ...proposalInfo,
+        inCommittee: partOfCommittee,
+        fishermanMode: this.config.fishermanMode || false,
+      },
+    );
 
     this.metrics.incSuccessfulAttestations(inCommittee.length);
 
+    // Track epoch participation per attester: count each (attester, epoch) pair at most once
+    const proposalEpoch = getEpochAtSlot(proposalSlotNumber, this.epochCache.getL1Constants());
+    for (const attester of inCommittee) {
+      const key = attester.toString();
+      const lastEpoch = this.lastAttestedEpochByAttester.get(key);
+      if (lastEpoch === undefined || proposalEpoch > lastEpoch) {
+        this.lastAttestedEpochByAttester.set(key, proposalEpoch);
+        this.metrics.incAttestedEpochCount(attester);
+      }
+    }
+
     // Determine which validators should attest
     let attestors: EthAddress[];
     if (partOfCommittee) {
@@ -508,172 +572,59 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
 
     if (this.config.fishermanMode) {
       // bail out early and don't save attestations to the pool in fisherman mode
-      this.log.info(`Creating checkpoint attestations for slot ${slotNumber}`, {
+      this.log.info(`Creating checkpoint attestations for slot ${proposalSlotNumber}`, {
         ...proposalInfo,
         attestors: attestors.map(a => a.toString()),
       });
       return undefined;
     }
 
-    return this.createCheckpointAttestationsFromProposal(proposal, attestors);
-  }
-
-  private async createCheckpointAttestationsFromProposal(
-    proposal: CheckpointProposalCore,
-    attestors: EthAddress[] = [],
-  ): Promise<CheckpointAttestation[]> {
-    const attestations = await this.validationService.attestToCheckpointProposal(proposal, attestors);
-    await this.p2pClient.addOwnCheckpointAttestations(attestations);
-    return attestations;
+    return await this.createCheckpointAttestationsFromProposal(proposal, attestors);
   }
 
   /**
-   * Validates a checkpoint proposal by building the full checkpoint and comparing it with the proposal.
-   * @returns Validation result with isValid flag and reason if invalid.
+   * Checks if we should attest to a slot based on equivocation prevention rules.
+   * @returns true if we should attest, false if we should skip
    */
-  private async validateCheckpointProposal(
-    proposal: CheckpointProposalCore,
-    proposalInfo: LogData,
-  ): Promise<{ isValid: true } | { isValid: false; reason: string }> {
-    const slot = proposal.slotNumber;
-    const timeoutSeconds = 10; // TODO(palla/mbps): This should map to the timetable settings
+  private shouldAttestToSlot(slotNumber: SlotNumber): boolean {
+    // If attestToEquivocatedProposals is true, always allow
+    if (this.config.attestToEquivocatedProposals) {
+      return true;
+    }
 
-    // Wait for last block to sync by archive
-    let lastBlockHeader: BlockHeader | undefined;
-    try {
-      lastBlockHeader = await retryUntil(
-        async () => {
-          await this.blockSource.syncImmediate();
-          return this.blockSource.getBlockHeaderByArchive(proposal.archive);
-        },
-        `waiting for block with archive ${proposal.archive.toString()} for slot ${slot}`,
-        timeoutSeconds,
-        0.5,
+    // Check if incoming slot is strictly greater than last attested
+    if (this.lastAttestedProposal && slotNumber <= this.lastAttestedProposal.slotNumber) {
+      this.log.warn(
+        `Refusing to process a proposal for slot ${slotNumber} given we already attested to a proposal for slot ${this.lastAttestedProposal.slotNumber}`,
       );
-    } catch (err) {
-      if (err instanceof TimeoutError) {
-        this.log.warn(`Timed out waiting for block with archive matching checkpoint proposal`, proposalInfo);
-        return { isValid: false, reason: 'last_block_not_found' };
-      }
-      this.log.error(`Error fetching last block for checkpoint proposal`, err, proposalInfo);
-      return { isValid: false, reason: 'block_fetch_error' };
+      return false;
     }
 
-    if (!lastBlockHeader) {
-      this.log.warn(`Last block not found for checkpoint proposal`, proposalInfo);
-      return { isValid: false, reason: 'last_block_not_found' };
-    }
+    return true;
+  }
 
-    // Get all full blocks for the slot and checkpoint
-    const blocks = await this.blockSource.getBlocksForSlot(slot);
-    if (blocks.length === 0) {
-      this.log.warn(`No blocks found for slot ${slot}`, proposalInfo);
-      return { isValid: false, reason: 'no_blocks_for_slot' };
+  private async createCheckpointAttestationsFromProposal(
+    proposal: CheckpointProposalCore,
+    attestors: EthAddress[] = [],
+  ): Promise<CheckpointAttestation[] | undefined> {
+    // Equivocation check: must happen right before signing to minimize the race window
+    if (!this.shouldAttestToSlot(proposal.slotNumber)) {
+      return undefined;
     }
 
-    this.log.debug(`Found ${blocks.length} blocks for slot ${slot}`, {
-      ...proposalInfo,
-      blockNumbers: blocks.map(b => b.number),
-    });
-
-    // Get checkpoint constants from first block
-    const firstBlock = blocks[0];
-    const constants = this.extractCheckpointConstants(firstBlock);
-    const checkpointNumber = firstBlock.checkpointNumber;
-
-    // Get L1-to-L2 messages for this checkpoint
-    const l1ToL2Messages = await this.l1ToL2MessageSource.getL1ToL2Messages(checkpointNumber);
-
-    // Compute the previous checkpoint out hashes for the epoch.
-    // TODO: There can be a more efficient way to get the previous checkpoint out hashes without having to fetch the
-    // actual checkpoints and the blocks/txs in them.
-    const epoch = getEpochAtSlot(slot, this.epochCache.getL1Constants());
-    const previousCheckpoints = (await this.blockSource.getCheckpointsForEpoch(epoch))
-      .filter(b => b.number < checkpointNumber)
-      .sort((a, b) => a.number - b.number);
-    const previousCheckpointOutHashes = previousCheckpoints.map(c => c.getCheckpointOutHash());
-
-    // Fork world state at the block before the first block
-    const parentBlockNumber = BlockNumber(firstBlock.number - 1);
-    const fork = await this.worldState.fork(parentBlockNumber);
-
-    try {
-      // Create checkpoint builder with all existing blocks
-      const checkpointBuilder = await this.checkpointsBuilder.openCheckpoint(
-        checkpointNumber,
-        constants,
-        l1ToL2Messages,
-        previousCheckpointOutHashes,
-        fork,
-        blocks,
-        this.log.getBindings(),
-      );
-
-      // Complete the checkpoint to get computed values
-      const computedCheckpoint = await checkpointBuilder.completeCheckpoint();
-
-      // Compare checkpoint header with proposal
-      if (!computedCheckpoint.header.equals(proposal.checkpointHeader)) {
-        this.log.warn(`Checkpoint header mismatch`, {
-          ...proposalInfo,
-          computed: computedCheckpoint.header.toInspect(),
-          proposal: proposal.checkpointHeader.toInspect(),
-        });
-        return { isValid: false, reason: 'checkpoint_header_mismatch' };
-      }
-
-      // Compare archive root with proposal
-      if (!computedCheckpoint.archive.root.equals(proposal.archive)) {
-        this.log.warn(`Archive root mismatch`, {
-          ...proposalInfo,
-          computed: computedCheckpoint.archive.root.toString(),
-          proposal: proposal.archive.toString(),
-        });
-        return { isValid: false, reason: 'archive_mismatch' };
-      }
-
-      // Check that the accumulated epoch out hash matches the value in the proposal.
-      // The epoch out hash is the accumulated hash of all checkpoint out hashes in the epoch.
-      const checkpointOutHash = computedCheckpoint.getCheckpointOutHash();
-      const computedEpochOutHash = accumulateCheckpointOutHashes([...previousCheckpointOutHashes, checkpointOutHash]);
-      const proposalEpochOutHash = proposal.checkpointHeader.epochOutHash;
-      if (!computedEpochOutHash.equals(proposalEpochOutHash)) {
-        this.log.warn(`Epoch out hash mismatch`, {
-          proposalEpochOutHash: proposalEpochOutHash.toString(),
-          computedEpochOutHash: computedEpochOutHash.toString(),
-          checkpointOutHash: checkpointOutHash.toString(),
-          previousCheckpointOutHashes: previousCheckpointOutHashes.map(h => h.toString()),
-          ...proposalInfo,
-        });
-        return { isValid: false, reason: 'out_hash_mismatch' };
-      }
+    const attestations = await this.validationService.attestToCheckpointProposal(proposal, attestors);
 
-      this.log.verbose(`Checkpoint proposal validation successful for slot ${slot}`, proposalInfo);
-      return { isValid: true };
-    } finally {
-      await fork.close();
-    }
-  }
+    // Track the proposal we attested to (to prevent equivocation)
+    this.lastAttestedProposal = proposal;
 
-  /**
-   * Extract checkpoint global variables from a block.
-   */
-  private extractCheckpointConstants(block: L2Block): CheckpointGlobalVariables {
-    const gv = block.header.globalVariables;
-    return {
-      chainId: gv.chainId,
-      version: gv.version,
-      slotNumber: gv.slotNumber,
-      coinbase: gv.coinbase,
-      feeRecipient: gv.feeRecipient,
-      gasFees: gv.gasFees,
-    };
+    await this.p2pClient.addOwnCheckpointAttestations(attestations);
+    return attestations;
   }
 
   /**
    * Uploads blobs for a checkpoint to the filestore (fire and forget).
    */
-  private async uploadBlobsForCheckpoint(proposal: CheckpointProposalCore, proposalInfo: LogData): Promise<void> {
+  protected async uploadBlobsForCheckpoint(proposal: CheckpointProposalCore, proposalInfo: LogData): Promise<void> {
     try {
       const lastBlockHeader = await this.blockSource.getBlockHeaderByArchive(proposal.archive);
       if (!lastBlockHeader) {
@@ -688,7 +639,7 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
       }
 
       const blobFields = blocks.flatMap(b => b.toBlobFields());
-      const blobs: Blob[] = getBlobsPerL1Block(blobFields);
+      const blobs: Blob[] = await getBlobsPerL1Block(blobFields);
       await this.blobClient.sendBlobsToFilestore(blobs);
       this.log.debug(`Uploaded ${blobs.length} blobs to filestore for checkpoint at slot ${proposal.slotNumber}`, {
         ...proposalInfo,
@@ -750,6 +701,28 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     ]);
   }
 
+  /**
+   * Handle detection of a duplicate attestation (equivocation).
+   * Emits a slash event when an attester signs attestations for different proposals at the same slot.
+   */
+  private handleDuplicateAttestation(info: DuplicateAttestationInfo): void {
+    const { slot, attester } = info;
+
+    this.log.warn(`Triggering slash event for duplicate attestation from ${attester.toString()} at slot ${slot}`, {
+      attester: attester.toString(),
+      slot,
+    });
+
+    this.emit(WANT_TO_SLASH_EVENT, [
+      {
+        validator: attester,
+        amount: this.config.slashDuplicateAttestationPenalty,
+        offenseType: OffenseType.DUPLICATE_ATTESTATION,
+        epochOrSlot: BigInt(slot),
+      },
+    ]);
+  }
+
   async createBlockProposal(
     blockHeader: BlockHeader,
     indexWithinCheckpoint: IndexWithinCheckpoint,
@@ -759,11 +732,19 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     proposerAddress: EthAddress | undefined,
     options: BlockProposalOptions = {},
   ): Promise<BlockProposal> {
-    // TODO(palla/mbps): Prevent double proposals properly
-    // if (this.previousProposal?.slotNumber === blockHeader.globalVariables.slotNumber) {
-    //   this.log.verbose(`Already made a proposal for the same slot, skipping proposal`);
-    //   return Promise.resolve(undefined);
-    // }
+    // Validate that we're not creating a proposal for an older or equal position
+    if (this.lastProposedBlock) {
+      const lastSlot = this.lastProposedBlock.slotNumber;
+      const lastIndex = this.lastProposedBlock.indexWithinCheckpoint;
+      const newSlot = blockHeader.globalVariables.slotNumber;
+
+      if (newSlot < lastSlot || (newSlot === lastSlot && indexWithinCheckpoint <= lastIndex)) {
+        throw new Error(
+          `Cannot create block proposal for slot ${newSlot} index ${indexWithinCheckpoint}: ` +
+            `already proposed block for slot ${lastSlot} index ${lastIndex}`,
+        );
+      }
+    }
 
     this.log.info(
       `Assembling block proposal for block ${blockHeader.globalVariables.blockNumber} slot ${blockHeader.globalVariables.slotNumber}`,
@@ -780,25 +761,42 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
         broadcastInvalidBlockProposal: this.config.broadcastInvalidBlockProposal,
       },
     );
-    this.previousProposal = newProposal;
+    this.lastProposedBlock = newProposal;
     return newProposal;
   }
 
   async createCheckpointProposal(
     checkpointHeader: CheckpointHeader,
     archive: Fr,
+    feeAssetPriceModifier: bigint,
     lastBlockInfo: CreateCheckpointProposalLastBlockData | undefined,
     proposerAddress: EthAddress | undefined,
     options: CheckpointProposalOptions = {},
   ): Promise<CheckpointProposal> {
+    // Validate that we're not creating a proposal for an older or equal slot
+    if (this.lastProposedCheckpoint) {
+      const lastSlot = this.lastProposedCheckpoint.slotNumber;
+      const newSlot = checkpointHeader.slotNumber;
+
+      if (newSlot <= lastSlot) {
+        throw new Error(
+          `Cannot create checkpoint proposal for slot ${newSlot}: ` +
+            `already proposed checkpoint for slot ${lastSlot}`,
+        );
+      }
+    }
+
     this.log.info(`Assembling checkpoint proposal for slot ${checkpointHeader.slotNumber}`);
-    return await this.validationService.createCheckpointProposal(
+    const newProposal = await this.validationService.createCheckpointProposal(
       checkpointHeader,
       archive,
+      feeAssetPriceModifier,
       lastBlockInfo,
       proposerAddress,
       options,
     );
+    this.lastProposedCheckpoint = newProposal;
+    return newProposal;
   }
 
   async broadcastBlockProposal(proposal: BlockProposal): Promise<void> {
@@ -820,6 +818,10 @@ export class ValidatorClient extends (EventEmitter as new () => WatcherEmitter)
     this.log.debug(`Collecting ${inCommittee.length} self-attestations for slot ${slot}`, { inCommittee });
     const attestations = await this.createCheckpointAttestationsFromProposal(proposal, inCommittee);
 
+    if (!attestations) {
+      return [];
+    }
+
     // We broadcast our own attestations to our peers so, in case our block does not get mined on L1,
     // other nodes can see that our validators did attest to this block proposal, and do not slash us
     // due to inactivity for missed attestations.