fix: enforce ordering of nonsigners in bn254CV (#1615)

**Motivation:**

Currently there is no ordering check for non-signers in the BN254CV,
which can present some edge cases with duplicate non-signers.

**Modifications:**

Ordering check for non-signers.

**Result:**

Addresses minor issue brought up in audit.

Author: eigenmikem

docs/multichain/destination/CertificateVerifier.md

@@ -427,6 +427,7 @@ The contract supports 3 verification patterns:
  * @param signature the G1 signature of the message. The signature is over the signable digest, which is calculated by `calculateCertificateDigest`
  * @param apk the G2 aggregate public key
  * @param nonSignerWitnesses an array of witnesses of non-signing operators
+ * @dev Non-signer witnesses MUST be strictly increasing by `operatorIndex`
  * @dev The `referenceTimestamp` is used to key into the operatorSet's stake weights. It is NOT the timestamp at which the certificate was generated off-chain
  */
 struct BN254Certificate {
@@ -475,6 +476,7 @@ Verifies a BN254 certificate by checking the aggregated signature against the op
 * The root at the `referenceTimestamp` MUST not be disabled
 * The operator set info MUST exist for the `referenceTimestamp`
 * The `operatorIndex` must be valid for the non signer
+* The non-signer witnesses MUST be strictly increasing by `operatorIndex`
 * All merkle proofs for nonsigners MUST be valid
 * The BLS signature MUST verify correctly
 

src/contracts/interfaces/IBN254CertificateVerifier.sol

@@ -31,6 +31,7 @@ interface IBN254CertificateVerifierTypes is IOperatorTableCalculatorTypes {
      * @param signature the G1 signature of the message. The signature is over the signable digest, which is calculated by `calculateCertificateDigest`
      * @param apk the G2 aggregate public key
      * @param nonSignerWitnesses an array of witnesses of non-signing operators
+     * @dev Non-signer witnesses MUST be strictly increasing by `operatorIndex`
      * @dev The `referenceTimestamp` is used to key into the operatorSet's stake weights. It is NOT the timestamp at which the certificate was generated off-chain
      */
     struct BN254Certificate {
@@ -52,6 +53,11 @@ interface IBN254CertificateVerifierErrors {
     /// @dev Error code: 0x03f4a78e
     /// @dev We enforce that operator indices are within valid bounds to prevent out-of-bounds access in the merkle tree verification
     error InvalidOperatorIndex();
+
+    /// @notice thrown when the non-signer witnesses are not strictly increasing by operatorIndex
+    /// @dev Error code: 0xec6268b8
+    /// @dev We enforce strictly increasing order to prevent duplicates and ensure deterministic processing
+    error NonSignerIndicesNotSorted();
 }
 
 /// @notice An interface for verifying BN254 certificates
@@ -128,6 +134,7 @@ interface IBN254CertificateVerifier is
      *      - ReferenceTimestampDoesNotExist: No operator table exists for the referenceTimestamp
      *      - RootDisabled: The global table root for this timestamp has been disabled
      *      - InvalidOperatorIndex: Operator index provided in nonSigner witness is invalid
+     *      - NonSignerIndicesNotSorted: Non-signer witnesses are not strictly increasing by operatorIndex
      *      - VerificationFailed: Merkle proof verification failed or BLS signature verification failed
      */
     function verifyCertificate(
@@ -156,6 +163,7 @@ interface IBN254CertificateVerifier is
      *      - ReferenceTimestampDoesNotExist: No operator table exists for the referenceTimestamp
      *      - RootDisabled: The global table root for this timestamp has been disabled
      *      - InvalidOperatorIndex: Operator index provided in nonSigner witness is invalid
+     *      - NonSignerIndicesNotSorted: Non-signer witnesses are not strictly increasing by operatorIndex
      *      - VerificationFailed: Merkle proof verification failed or BLS signature verification failed
      *      - ArrayLengthMismatch: signedStakes length does not equal totalStakeProportionThresholds length
      */
@@ -186,6 +194,7 @@ interface IBN254CertificateVerifier is
      *      - ReferenceTimestampDoesNotExist: No operator table exists for the referenceTimestamp
      *      - RootDisabled: The global table root for this timestamp has been disabled
      *      - InvalidOperatorIndex: Operator index provided in nonSigner witness is invalid
+     *      - NonSignerIndicesNotSorted: Non-signer witnesses are not strictly increasing by operatorIndex
      *      - VerificationFailed: Merkle proof verification failed or BLS signature verification failed
      *      - ArrayLengthMismatch: signedStakes length does not equal totalStakeNominalThresholds length
      */

src/contracts/multichain/BN254CertificateVerifier.sol

@@ -202,10 +202,16 @@ contract BN254CertificateVerifier is
         BN254Certificate memory cert
     ) internal returns (BN254.G1Point memory nonSignerApk) {
         nonSignerApk = BN254.G1Point(0, 0);
+        uint32 previousOperatorIndex = 0;
 
         for (uint256 i = 0; i < cert.nonSignerWitnesses.length; i++) {
             BN254OperatorInfoWitness memory witness = cert.nonSignerWitnesses[i];
 
+            if (i > 0) {
+                // Enforce strictly increasing order of non-signer operator indices
+                require(witness.operatorIndex > previousOperatorIndex, NonSignerIndicesNotSorted());
+            }
+
             require(witness.operatorIndex < ctx.operatorSetInfo.numOperators, InvalidOperatorIndex());
 
             BN254OperatorInfo memory operatorInfo =
@@ -219,6 +225,8 @@ contract BN254CertificateVerifier is
                     ctx.totalSignedStakeWeights[j] -= operatorInfo.weights[j];
                 }
             }
+
+            previousOperatorIndex = witness.operatorIndex;
         }
     }