Verify execution block hashes during finalized sync (#3794)

## Issue Addressed

Recent discussions with other client devs about optimistic sync have revealed a conceptual issue with the optimisation implemented in #3738. In designing that feature I failed to consider that the execution node checks the `blockHash` of the execution payload before responding with `SYNCING`, and that omitting this check entirely results in a degradation of the full node's validation. A node omitting the `blockHash` checks could be tricked by a supermajority of validators into following an invalid chain, something which is ordinarily impossible.

## Proposed Changes

I've added verification of the `payload.block_hash` in Lighthouse. In case of failure we log a warning and fall back to verifying the payload with the execution client.

I've used our existing dependency on `ethers_core` for RLP support, and a new dependency on Parity's `triehash` crate for the Merkle patricia trie. Although the `triehash` crate is currently unmaintained it seems like our best option at the moment (it is also used by Reth, and requires vastly less boilerplate than Parity's generic `trie-root` library).

Block hash verification is pretty quick, about 500us per block on my machine (mainnet).

The optimistic finalized sync feature can be disabled using `--disable-optimistic-finalized-sync` which forces full verification with the EL.

## Additional Info

This PR also introduces a new dependency on our [`metastruct`](https://github.com/sigp/metastruct) library, which was perfectly suited to the RLP serialization method. There will likely be changes as `metastruct` grows, but I think this is a good way to start dogfooding it.

I took inspiration from some Parity and Reth code while writing this, and have preserved the relevant license headers on the files containing code that was copied and modified.

consensus/types/src/execution_block_header.rs

@@ -0,0 +1,74 @@
+// Copyright (c) 2022 Reth Contributors
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+use crate::{Address, EthSpec, ExecutionPayload, Hash256, Hash64, Uint256};
+use metastruct::metastruct;
+
+/// Execution block header as used for RLP encoding and Keccak hashing.
+///
+/// Credit to Reth for the type definition.
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+#[metastruct(mappings(map_execution_block_header_fields()))]
+pub struct ExecutionBlockHeader {
+    pub parent_hash: Hash256,
+    pub ommers_hash: Hash256,
+    pub beneficiary: Address,
+    pub state_root: Hash256,
+    pub transactions_root: Hash256,
+    pub receipts_root: Hash256,
+    pub logs_bloom: Vec<u8>,
+    pub difficulty: Uint256,
+    pub number: Uint256,
+    pub gas_limit: Uint256,
+    pub gas_used: Uint256,
+    pub timestamp: u64,
+    pub extra_data: Vec<u8>,
+    pub mix_hash: Hash256,
+    pub nonce: Hash64,
+    pub base_fee_per_gas: Uint256,
+}
+
+impl ExecutionBlockHeader {
+    pub fn from_payload<E: EthSpec>(
+        payload: &ExecutionPayload<E>,
+        rlp_empty_list_root: Hash256,
+        rlp_transactions_root: Hash256,
+    ) -> Self {
+        // Most of these field mappings are defined in EIP-3675 except for `mixHash`, which is
+        // defined in EIP-4399.
+        ExecutionBlockHeader {
+            parent_hash: payload.parent_hash.into_root(),
+            ommers_hash: rlp_empty_list_root,
+            beneficiary: payload.fee_recipient,
+            state_root: payload.state_root,
+            transactions_root: rlp_transactions_root,
+            receipts_root: payload.receipts_root,
+            logs_bloom: payload.logs_bloom.clone().into(),
+            difficulty: Uint256::zero(),
+            number: payload.block_number.into(),
+            gas_limit: payload.gas_limit.into(),
+            gas_used: payload.gas_used.into(),
+            timestamp: payload.timestamp,
+            extra_data: payload.extra_data.clone().into(),
+            mix_hash: payload.prev_randao,
+            nonce: Hash64::zero(),
+            base_fee_per_gas: payload.base_fee_per_gas,
+        }
+    }
+}

consensus/types/src/lib.rs

@@ -74,6 +74,7 @@ pub mod voluntary_exit;
 #[macro_use]
 pub mod slot_epoch_macros;
 pub mod config_and_preset;
+pub mod execution_block_header;
 pub mod fork_context;
 pub mod participation_flags;
 pub mod participation_list;
@@ -127,6 +128,7 @@ pub use crate::enr_fork_id::EnrForkId;
 pub use crate::eth1_data::Eth1Data;
 pub use crate::eth_spec::EthSpecId;
 pub use crate::execution_block_hash::ExecutionBlockHash;
+pub use crate::execution_block_header::ExecutionBlockHeader;
 pub use crate::execution_payload::{ExecutionPayload, Transaction, Transactions};
 pub use crate::execution_payload_header::ExecutionPayloadHeader;
 pub use crate::fork::Fork;
@@ -179,6 +181,7 @@ pub type Hash256 = H256;
 pub type Uint256 = ethereum_types::U256;
 pub type Address = H160;
 pub type ForkVersion = [u8; 4];
+pub type Hash64 = ethereum_types::H64;
 
 pub use bls::{
     AggregatePublicKey, AggregateSignature, Keypair, PublicKey, PublicKeyBytes, SecretKey,