fix: lower zone chain ID base to stay within EIP-2294 safe range (#361)

decofe · danrobinson · web-flow · commit 08c5e9c729e3 · 2026-04-10T16:12:14.000-04:00
* fix: lower zone chain ID base to stay within EIP-2294 safe range Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d54ae-a5ca-74b9-bd73-f71e8add4cad * fix: wrap zone chain IDs to stay within safe range Use modular arithmetic so zone chain IDs never exceed 2^31 - 1. Sequencers are responsible for ensuring their derived chain ID does not collide with any active chain. Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d54ae-a5ca-74b9-bd73-f71e8add4cad --------- Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com>
diff --git a/crates/primitives/src/constants.rs b/crates/primitives/src/constants.rs
@@ -83,14 +83,67 @@ pub const ZONE_OUTBOX_LAST_BATCH_INDEX_SLOT: U256 = {
     U256::from_le_bytes(le)
 };
 
-/// Base offset for deriving zone chain IDs: `4217000000 + zone_id`.
+/// Base offset for deriving **mainnet** zone chain IDs.
 ///
 /// Each zone gets a unique EIP-155 chain ID derived from its on-chain zone ID
-/// assigned by the `ZoneFactory` contract. The prefix `4217` comes from the
-/// Tempo L1 chain ID.
-pub const ZONE_CHAIN_ID_BASE: u64 = 4_217_000_000;
+/// assigned by the `ZoneFactory` contract:
+///
+/// ```text
+/// chain_id = ZONE_CHAIN_ID_BASE + (zone_id % ZONE_CHAIN_ID_RANGE)
+/// ```
+///
+/// # Range safety
+///
+/// EIP-2294 and ENSIP-11 reserve bit 31 (`0x8000_0000`) for coin-type flags,
+/// making chain IDs ≥ 2^31 (2,147,483,647) unsafe in parts of the ecosystem
+/// (ENS multi-chain address resolution, some JavaScript tooling that uses
+/// 32-bit integers, etc.).
+///
+/// The ranges are chosen so that both mainnet and testnet zones stay well below
+/// that limit while remaining non-overlapping:
+///
+/// | Network  | Base            | Range size        | Chain ID span                         |
+/// |----------|-----------------|-------------------|---------------------------------------|
+/// | Mainnet  | `421_700_000`   | `1_002_610_000`   | `421_700_000 ..  1_424_310_000`       |
+/// | Testnet  | `1_424_310_000` | `723_173_648`     | `1_424_310_000 .. 2_147_483_648`      |
+///
+/// Zone IDs wrap around via modular arithmetic so that chain IDs never leave
+/// their designated range, even with arbitrarily large zone IDs. Because
+/// wrapping can reuse a chain ID that was previously assigned to a different
+/// zone, it is the responsibility of the sequencer to ensure — after deploying
+/// a zone — that the derived chain ID does not correspond to any active chain,
+/// including any zone that has previously used that chain ID.
+pub const ZONE_CHAIN_ID_BASE: u64 = 421_700_000;
+
+/// Number of distinct mainnet zone chain IDs before wrapping.
+///
+/// Equal to `ZONE_CHAIN_ID_BASE_TESTNET - ZONE_CHAIN_ID_BASE`, keeping the
+/// mainnet range strictly below the testnet range.
+pub const ZONE_CHAIN_ID_RANGE: u64 = 1_002_610_000;
 
-/// Derives the EIP-155 chain ID for a zone from its on-chain zone ID.
+/// Base offset for deriving **testnet** (Moderato) zone chain IDs.
+///
+/// See [`ZONE_CHAIN_ID_BASE`] for range-safety rationale.
+pub const ZONE_CHAIN_ID_BASE_TESTNET: u64 = 1_424_310_000;
+
+/// Number of distinct testnet zone chain IDs before wrapping.
+///
+/// Equal to `2^31 - ZONE_CHAIN_ID_BASE_TESTNET`, keeping the testnet range
+/// strictly below the EIP-2294 safe ceiling.
+pub const ZONE_CHAIN_ID_RANGE_TESTNET: u64 = 723_173_648;
+
+/// Derives the EIP-155 chain ID for a **mainnet** zone from its on-chain zone ID.
+///
+/// Wraps via modulo so the result always falls in
+/// `[ZONE_CHAIN_ID_BASE, ZONE_CHAIN_ID_BASE + ZONE_CHAIN_ID_RANGE)`.
 pub const fn zone_chain_id(zone_id: u32) -> u64 {
-    ZONE_CHAIN_ID_BASE + zone_id as u64
+    ZONE_CHAIN_ID_BASE + (zone_id as u64 % ZONE_CHAIN_ID_RANGE)
+}
+
+/// Derives the EIP-155 chain ID for a **testnet** zone from its on-chain zone ID.
+///
+/// Wraps via modulo so the result always falls in
+/// `[ZONE_CHAIN_ID_BASE_TESTNET, ZONE_CHAIN_ID_BASE_TESTNET + ZONE_CHAIN_ID_RANGE_TESTNET)`.
+pub const fn zone_chain_id_testnet(zone_id: u32) -> u64 {
+    ZONE_CHAIN_ID_BASE_TESTNET + (zone_id as u64 % ZONE_CHAIN_ID_RANGE_TESTNET)
 }
diff --git a/docs/ZONES.md b/docs/ZONES.md
@@ -492,7 +492,7 @@ The xtasks use this Moderato `ZoneFactory` as their built-in default: `create-zo
 | `--l1.rpc-url` | (required) | L1 WebSocket RPC URL |
 | `--l1.portal-address` | (from zone.json) | ZonePortal contract on L1 |
 | `--l1.genesis-block-number` | (from zone.json) | L1 block when the zone was created |
-| `--zone.id` | 0 | Zone ID from ZoneFactory (for private RPC auth). The zone's chain ID is derived as `4217000000 + zone_id`. |
+| `--zone.id` | 0 | Zone ID from ZoneFactory (for private RPC auth). The zone's chain ID is derived as `421700000 + (zone_id % 1002610000)` (mainnet) or `1424310000 + (zone_id % 723173648)` (testnet). |
 | `--sequencer-key` | (optional) | Sequencer private key for block production |
 | `--block.interval-ms` | 250 | Block building interval |
 | `--zone.batch-interval-secs` | 60 | Max seconds to accumulate zone blocks before submitting a batch to L1 |
diff --git a/docs/specs/privacy/overview.md b/docs/specs/privacy/overview.md
@@ -62,10 +62,18 @@ The factory deploys a `ZonePortal` that escrows enabled tokens on Tempo and a `Z
 Each zone has a unique EIP-155 chain ID derived deterministically from its on-chain zone ID:
 
 ```
-chain_id = 4217000000 + zone_id
+# Mainnet zones (range: 421,700,000 – 1,424,309,999)
+chain_id = 421700000 + (zone_id % 1002610000)
+
+# Testnet / Moderato zones (range: 1,424,310,000 – 2,147,483,647)
+chain_id = 1424310000 + (zone_id % 723173648)
 ```
 
-The prefix `4217` corresponds to the Tempo L1 chain ID. This ensures replay protection between zones — a transaction signed for one zone cannot be replayed on another. The chain ID is set in the zone's genesis configuration during creation and validated by the zone node at startup.
+Both ranges stay below `2^31 − 1` (2,147,483,647), which is the safe ceiling defined by EIP-2294 and ENSIP-11. Chain IDs above this limit can break ENS multi-chain address resolution and JavaScript tooling that uses 32-bit integers. Zone IDs wrap via modular arithmetic so that the derived chain ID always stays within the designated range.
+
+Because wrapping can reuse a chain ID that was previously assigned to a different zone, it is the responsibility of the sequencer to ensure — after deploying a zone — that the derived chain ID does not correspond to any active chain, including any zone that has previously used that chain ID.
+
+This ensures replay protection between zones — a transaction signed for one zone cannot be replayed on another. The chain ID is set in the zone's genesis configuration during creation and validated by the zone node at startup.
 
 ### Token management
 
diff --git a/zone-genesis/genesis.json b/zone-genesis/genesis.json
@@ -1,6 +1,6 @@
 {
   "config": {
-    "chainId": 4217000001,
+    "chainId": 421700001,
     "homesteadBlock": 0,
     "daoForkSupport": false,
     "eip150Block": 0,

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"config": {`
`3`		`- "chainId": 4217000001,`
	`3`	`+ "chainId": 421700001,`
`4`	`4`	`"homesteadBlock": 0,`
`5`	`5`	`"daoForkSupport": false,`
`6`	`6`	`"eip150Block": 0,`