fix(pool): clear pool_nonces on validator update to prevent nonce drift#434
Open
fix(pool): clear pool_nonces on validator update to prevent nonce drift#434
pool_nonces on validator update to prevent nonce drift#434Conversation
pool_nonces tracks the expected next nonce per account based on validated transactions. When update() is called after a block is mined, it replaced the state and block env but never cleared pool_nonces. This caused stale nonce values to persist across block boundaries, allowing transactions with nonces far ahead of the actual state to pass validation. The executor then rejected them with "Invalid transaction nonce" errors. Also adds an early rejection check for tx_nonce < current_nonce to fail fast before reaching the blockifier. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a test that reproduces the production error through the full pool → executor pipeline, mirroring the actual node setup: 1. Tx submitted to pool via add_transaction (through TxValidator) 2. Tx picked up from pool via pending_transactions (like block producer) 3. Tx executed by blockifier executor 4. Executor rejects with InvalidNonce error The test simulates pool_nonces drift by directly setting the drifted value, then verifies the tx passes pool validation, enters the pool, gets picked up, and is rejected by the executor with the exact error format seen in production: "Invalid transaction nonce of contract at address 0x... Account nonce: 0x0; got: 0x3." Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kariy
changed the title
pool_nonces on validator update to prevent nonce drift
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The pool's
TxValidatormaintains an in-memorypool_noncesmap that tracks the expected next nonce for each account as transactions are validated. This allows sequential transactions from the same sender to be validated without waiting for earlier ones to be committed on-chain. However, whenupdate()is called after a block is mined — replacing the underlying state and block environment —pool_nonceswas never cleared. This meant stale nonce values accumulated across block boundaries and could drift arbitrarily far ahead of the actual committed state nonce.The drift happens naturally under normal operation. Each validated transaction increments
pool_nonces[sender]by one. If, say, 978 transactions from the same account are validated between blocks,pool_noncesadvances by 978. When the next block is produced andupdate()is called with the new post-block state, the committed state nonce reflects only the transactions that were actually executed in that block. Butpool_noncesstill holds the speculative value from validation. Over many blocks this gap compounds, especially under sustained load from a single account.The consequence is that a new transaction whose nonce matches the drifted
pool_noncesvalue passes the validator's nonce check (tx_nonce == current_nonce) and falls through to the blockifier for validation. The pool validator runs blockifier withstrict_nonce_check = false(allowingaccount_nonce <= tx_nonce), so blockifier also accepts it since the real state nonce is lower than the transaction nonce. The transaction enters the pool as valid. When the block producer later picks it up and feeds it to the executor — which uses strict nonce checking (account_nonce == tx_nonce) — the executor rejects it with the error observed in production:Invalid transaction nonce of contract at address 0x4250...bccf. Account nonce: 0x27ed; got: 0x2bbf.The fix is a single line: clear
pool_noncesinupdate()after replacing the state. This forces the validator to re-derive nonces from the authoritative committed state for the next validation cycle, whilepool_noncesis naturally rebuilt as new transactions arrive within the current block interval.This PR also adds an early rejection for
tx_nonce < current_noncein the validator to fail fast before reaching blockifier, and includes two tests: one that verifiespool_noncesis properly cleared afterupdate(), and an end-to-end test that exercises the full pool-to-executor pipeline reproducing the exact production error format.🤖 Generated with Claude Code