{"id":30134790,"url":"https://github.com/zktx-io/multichain-mvr-poc","last_synced_at":"2025-09-09T08:33:05.616Z","repository":{"id":299747459,"uuid":"1004054098","full_name":"zktx-io/multichain-mvr-poc","owner":"zktx-io","description":null,"archived":false,"fork":false,"pushed_at":"2025-06-18T05:18:57.000Z","size":75,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-18T05:26:43.281Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zktx-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-18T03:50:37.000Z","updated_at":"2025-06-18T05:19:00.000Z","dependencies_parsed_at":"2025-06-18T05:26:50.407Z","dependency_job_id":"4e08d4e7-84db-482e-9bc1-ed8eabd83d73","html_url":"https://github.com/zktx-io/multichain-mvr-poc","commit_stats":null,"previous_names":["zktx-io/multichain-mvr-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zktx-io/multichain-mvr-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zktx-io%2Fmultichain-mvr-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zktx-io%2Fmultichain-mvr-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zktx-io%2Fmultichain-mvr-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zktx-io%2Fmultichain-mvr-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zktx-io","download_url":"https://codeload.github.com/zktx-io/multichain-mvr-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zktx-io%2Fmultichain-mvr-poc/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269793969,"owners_count":24476731,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-10T21:39:21.379Z","updated_at":"2025-08-10T21:39:21.972Z","avatar_url":"https://github.com/zktx-io.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"## 🧚 Multichain Verifiable Registry (MVR) – PoC\n\nThis repository demonstrates a proof-of-concept for extending [Sui's MVR (Move Registry)](https://github.com/MystenLabs/mvr) to support **Ethereum smart contracts**.\n\n### ✅ Goal\n\nCross-chain trust layers help verify the integrity of smart contracts across blockchains, making sure provenance is clear and reducing risks.\n\n* Prove the **origin**, **build**, and **deployment** of a Solidity smart contract.\n* Register the result as a verifiable `.intoto.jsonl` provenance file.\n* Use **Sui MVR** as a cross-chain trust layer.\n\n---\n\n### ⚙️ Workflow\n\nThe [SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator) is used in this workflow to generate an `intoto.jsonl` file that formally attests to how the contract was built and deployed, following the SLSA (Supply-chain Levels for Software Artifacts) provenance standard.\n\nThis project uses **GitHub Actions** to:\n\n1. **Compile** a Solidity contract (`Lock.sol`)\n2. **Deploy** to Ethereum testnet (e.g., Holesky)\n3. **Sign** the bytecode using a Sui key\n4. **Generate** a provenance proof (`mvr.proof.json`)\n5. **Encode** file hashes in base64\n6. **Produce** an `intoto.jsonl` via [SLSA GitHub Generator](https://github.com/slsa-framework/slsa-github-generator)\n7. **Register** the smart contract in MVR via app\\_info\n\n---\n\n### 📁 Key Files\n\n* `contracts/Lock.sol` – Example Solidity contract\n* `scripts/deploy.js` – Deploys the contract and generates `mvr.proof.json`\n* `scripts/mvr.js` – Registers the contract and metadata into MVR\n* `.github/workflows/build-deploy.yml` – GitHub Actions automation\n* `mvr.proof.json` – Contains signatures and deployment metadata\n* `mvr.intoto.jsonl` – Final verifiable provenance document\n\n---\n\n### 🔐 Requirements\n\nIn addition to secrets, GitHub Actions must be granted appropriate permissions (e.g., `id-token: write`, `contents: read`, and `actions: read`) to execute workflows involving provenance and reusable workflows like the SLSA generator.\n\n* GitHub Secrets:\n\n  * `PRIVATE_KEY_ETH` – Ethereum wallet private key\n  * `PRIVATE_KEY_SUI` – Base64-encoded Sui secret key\n\n---\n\n### 📦 Outputs\n\n* Verifiable build+deploy provenance\n* Compatible with Sui MVR or tools like [notary.wal.app](https://notary.wal.app)\n\n---\n\n### 🦪 Example Use Case\n\n```json\n{\n  \"mvr\": {\n    \"publicKey\": \"0x...\",\n    \"signature\": \"...\"\n  },\n  \"network\": {\n    \"chain\": \"eth::0x13882\",\n    \"txHash\": \"0x1234...\",\n    \"signature\": \"...\",\n    \"contractAddress\": \"...\"\n  }\n}\n```\n\n---\n\n## 🚀 PoC Purpose and Structure\n\n### 1. Workflow\n\n  1. Build and deploy an Ethereum smart contract.\n  1. Sign the generated bytecode using both Sui and Ethereum keys to create a deployment proof.\n  1. Generate a provenance artifact (`mvr.proof.json`) containing the bytecode, signatures, and transaction hashes.\n  1. Generate an `mvr.intoto.jsonl` file with this information and register it in the MVR.\n  1. Ethereum lacks upgrade capability, so the provenance can only be registered under `app_info` rather than `package_info`.  \n   As a result, GitHub metadata such as repository URL, commit hash, and versioning information cannot currently be attached to these entries.\n\n---\n\n### 2. Extended Ideas\n\n  1. Multi-chain Expansion\n\n      1. This could take the form of either extending the current `PackageInfo` structure or introducing a new type (e.g., `CrossChainPackageInfo`) for multi-chain scenarios—whichever direction aligns better with MVR’s design principles.\n\n  1. Interaction with Multi-chain Smart Contracts\n\n      1. Depending on the use case, this could involve deploying a Sui smart contract to interact with other blockchains and either reusing the existing `PackageInfo` structure or introducing a dedicated object for proxy-based interaction provenance.\n      1. With MVR serving as the common provenance layer, such interactions could be mutually verifiable — enabling cross-chain smart contracts to trust each other’s origin and integrity.\n      1. With MVR serving as the common provenance layer, such interactions could be mutually verifiable — enabling cross-chain smart contracts to trust each other’s origin and integrity.\n\n  1. Integration with Real-world IoT Devices\n\n      1. To support trusted interaction from physical devices, this could involve either extending MVR's metadata structures or creating a new object type designed specifically for device-level provenance.\n      1. Once both the device and the smart contract are registered in MVR, their interaction could be mutually verifiable — ensuring that only trusted hardware is allowed to trigger trusted on-chain logic.\n\n---\n\nThis PoC shows how Sui MVR can serve as a practical and trustworthy hub for verifying provenance across blockchain and real-world scenarios.\n\n---\n\n### 3. Deployment Test Results\n\n  1. **GitHub Workflow Run: View on GitHub Actions:** [View on GitHub Actions](https://github.com/zktx-io/multichain-mvr-poc/actions/runs/15723947452)\n  1. **Ethereum Deployment Transaction:** [View on Etherscan](https://holesky.etherscan.io/tx/0x0d3a0dd673048eeb444be94760657cdac0095a128180dc4fcdde4130c4a885d0)\n  1. **Ethereum Contract Address:**: [View on Etherscan](https://holesky.etherscan.io/address/0x4df9f24ae3116787df90befe89a69fb39662e86f)\n  1. **Sui Deployment Transaction:** [View on Sui Explorer](https://suiscan.xyz/mainnet/tx/6quYPRJdgrJvbKj98P5UeYffrMvv7JpBJyPvHN6Pouf4)\n  1. **Sui MVR App Record Object:** [View MVR App Record Object](https://suiscan.xyz/mainnet/object/0xd6693e672db5230f064d16cb4306ca4102c5adcf5856327b0fe5d838b025a76f/fields)\n\n![pic0](images/pic0.png)\n![pic1](images/pic1.png)\n![pic2](images/pic2.png)\n\n\n### 4. TODO (Implement a verification script)\n  \n  1. Fetches the registered MVR object on Sui\n  1. Reconstructs the original mvr.proof.json  *(Note: some fields are currently omitted during registration—this will be addressed in a future update.)*  \n  1. Compares it with the deployed Ethereum contract to ensure consistency\n\n  These steps are expected to help confirm that the on-chain MVR record aligns with the deployed Ethereum contract, strengthening verifiability.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzktx-io%2Fmultichain-mvr-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzktx-io%2Fmultichain-mvr-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzktx-io%2Fmultichain-mvr-poc/lists"}