@aztec/p2p 0.0.1-commit.f504929 → 0.0.1-commit.f5d02921e

package/src/services/reqresp/README.md

@@ -0,0 +1,229 @@
+# ReqResp Protocols
+
+This module implements libp2p request-response protocols for the Aztec P2P network. All protocols share common transport-level validation (rate limiting, timeouts, Snappy decompression, error penalties) with protocol-specific logic layered on top.
+
+## Common Transport Validation
+
+### Rate Limiting (Responder Side)
+
+Applied before the protocol handler runs.
+
+| Protocol | Peer Limit | Global Limit | File |
+|----------|-----------|-------------|------|
+| PING | 5/s | 10/s | `rate-limiter/rate_limits.ts` |
+| STATUS | 5/s | 10/s | same |
+| AUTH | 5/s | 10/s | same |
+| GOODBYE | 5/s | 10/s | same |
+| BLOCK | 2/s | 5/s | same |
+| BLOCK_TXS | 10/s | 200/s | same |
+| TX | (see rate limits file) | (see rate limits file) | same |
+
+- Per-peer limit exceeded: `HighToleranceError` penalty + `RATE_LIMIT_EXCEEDED` status. Penalty fires inside `RequestResponseRateLimiter.allow()`, not the stream handler.
+- Global limit exceeded: `RATE_LIMIT_EXCEEDED` status only (no peer penalty).
+
+### Response Status Byte (Requester Side)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| First chunk must be exactly 1 byte | `ReqRespStatusError(UNKNOWN)` | `status.ts` |
+| Byte must be valid `ReqRespStatus` enum (0-4, 126, 127) | `ReqRespStatusError(UNKNOWN)` | same |
+
+Note: `prettyPrintReqRespStatus` is missing a `NOT_FOUND` case (minor logging bug).
+
+### Snappy Decompression (Requester Side)
+
+Per-protocol size limits checked via preamble before decompression.
+
+### Timeouts (Requester Side)
+
+| Timeout | Default | Penalty |
+|---------|---------|---------|
+| Individual request | 10s | HighToleranceError |
+| Dial | 5s | HighToleranceError |
+
+### Error Penalty Categorization (Requester Side)
+
+| Error Type | Severity |
+|------------|----------|
+| GOODBYE subprotocol errors | None |
+| `CollectiveReqRespTimeoutError` / `InvalidResponseError` | None |
+| `AbortError` / connection close / muxer closed | None |
+| `ECONNRESET` / `EPIPE` / `ECONNREFUSED` / `ERR_UNEXPECTED_EOF` | HighToleranceError |
+| `ERR_UNSUPPORTED_PROTOCOL` | HighToleranceError |
+| `IndividualReqRespTimeoutError` / `TimeoutError` | HighToleranceError |
+| Catch-all | HighToleranceError |
+
+### Request Error Penalty (Responder Side)
+
+| Error Type | Severity |
+|------------|----------|
+| `BADLY_FORMED_REQUEST` | LowToleranceError |
+| All others | None |
+
+### Notes
+
+- Request payloads are NOT snappy-compressed (asymmetric: only responses use snappy).
+
+---
+
+## Handshake Protocols
+
+### Connection-Level Gating (Before Any Handshake)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Deny inbound connection from IP/peerId with too many failed auth handshakes | Connection denied | `libp2p_service.ts` |
+| Threshold: `p2pMaxFailedAuthAttemptsAllowed` (default 3) | Tracked per peerId AND per IP | `peer_manager.ts` |
+| Failed auth entries expire after 1 hour | Peer can reconnect; no escalating penalty for repeat offenders | same |
+
+### Handshake Trigger Logic (`peer:connect`)
+
+1. `p2pDisableStatusHandshake` = true: no handshake
+2. `p2pAllowOnlyValidators` = false: STATUS handshake
+3. Peer is protected (trusted/private/preferred): STATUS handshake
+4. Otherwise: AUTH handshake (superset of STATUS)
+
+Config constraint: `p2pDisableStatusHandshake && p2pAllowOnlyValidators` is disallowed.
+
+### STATUS Protocol (`/aztec/req/status/1.0.0`)
+
+**Requester side** (`peer_manager.ts`):
+
+| Rule | Consequence |
+|------|-------------|
+| Response status must be SUCCESS | Peer scheduled for disconnect |
+| `compressedComponentsVersion` must match | Peer scheduled for disconnect |
+| Any exception | Peer scheduled for disconnect |
+
+`StatusMessage.validate()` currently only checks `compressedComponentsVersion`. Fields `latestBlockNumber`, `latestBlockHash`, `finalizedBlockNumber` are NOT validated (TODO in code).
+
+**Responder side**: no validation of incoming request content (always responds with own status). This means the requester leaks its blockchain state to any peer before validation.
+
+**Deserialization bounds**: `MAX_VERSION_STRING_LENGTH` = 64 bytes, `MAX_BLOCK_HASH_STRING_LENGTH` = 128 bytes. Expected response size: 1 KB.
+
+### AUTH Protocol (`/aztec/req/auth/1.0.0`)
+
+**Requester side** (`peer_manager.ts`):
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 1 | Response status is SUCCESS | `markAuthHandshakeFailed` + disconnect |
+| 2 | `compressedComponentsVersion` match | `markAuthHandshakeFailed` + disconnect |
+| 3 | Valid ECDSA signature recovery from challenge response | `markAuthHandshakeFailed` + disconnect |
+| 4 | Recovered address is a registered validator | `markAuthHandshakeFailed` + disconnect |
+| 5 | Validator address not already authenticated to different peerId | Silent return (no disconnect, no failure marking -- peer stays connected but unauthenticated) |
+| 6 | Any exception | `markAuthHandshakeFailed` + disconnect |
+
+Challenge: random `Fr`, payload = `keccak256("Aztec Validator Challenge:" + challenge)`, signed with `eth_sign` style. Challenge is NOT bound to peer identity (transport encryption via Noise is the binding layer).
+
+On success: peer added to authenticated maps, prior failures cleared (including IP-based ones -- shared-IP peers benefit from a legitimate validator's success).
+
+**Responder side** (`validator-client/src/validator.ts` + `peer_manager.ts`):
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 1 | Peer must be protected (`shouldTrustWithIdentity` in `peer_manager.ts`) | Returns empty buffer (SUCCESS status + empty payload -> requester gets parse error -> `markAuthHandshakeFailed`) |
+| 2 | Node must have registered validator address | Returns empty buffer (same consequence) |
+
+**Unauthenticated peer gossip**: when `p2pAllowOnlyValidators` is true, unauthenticated peers get `appSpecificScore = -Infinity`, completely excluding them from all gossip.
+
+### PING Protocol (`/aztec/req/ping/1.0.0`)
+
+No validation on either side. Responder returns `Buffer.from('pong')`. Expected response: 1 KB.
+
+### GOODBYE Protocol (`/aztec/req/goodbye/1.0.0`)
+
+**Responder**: buffer must be 1 byte (defaults to `UNKNOWN` on invalid length). Goodbye reason byte is NOT validated against the enum -- any byte 0-255 accepted. Peer scheduled for disconnect regardless of reason.
+
+**Requester**: response errors are never penalized (GOODBYE subprotocol exempt from error categorization).
+
+### Periodic Re-validation
+
+| Rule | Interval | File |
+|------|----------|------|
+| Authenticated validators re-checked against current validator set | Every heartbeat (`peerCheckIntervalMS`) | `peer_manager.ts` |
+| If validator address no longer registered, auth entry removed | Same | same |
+
+Protected peers (private/trusted/preferred) are always considered "authenticated" without AUTH handshake.
+
+---
+
+## Block Data Protocols
+
+### BLOCK Protocol (`/aztec/req/block/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `Fr` | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/block.ts` |
+| Block lookup throws | `INTERNAL_ERROR` status | same |
+| Block not found | SUCCESS + empty buffer (design choice; no `NOT_FOUND` status used) | same |
+
+**Requester side** (Snappy limit: 3 MB):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Response block number must match requested | LowToleranceError; rejected | `libp2p_service.ts` (`validateRequestedBlock`) |
+| Local block must exist for hash verification | Rejected (no penalty) | same |
+| Response block hash must equal local block hash | MidToleranceError; rejected | same |
+
+**Limitation**: the local-block requirement means BLOCK req/resp is unusable for initial P2P-only sync (before L1 sync provides local copies for verification). A TODO in the code acknowledges this.
+
+### BLOCK_TXS Protocol (`/aztec/req/block_txs/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `BlockTxsRequest` (Fr + TxHashArray + BitVector) | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/block_txs/block_txs_handler.ts` |
+| BitVector length: non-negative and <= `MAX_TXS_PER_BLOCK` (65536) | Deserialization throws -> `BADLY_FORMED_REQUEST` | `protocols/block_txs/bitvector.ts` |
+| Archive root not found and no explicit txHashes | `NOT_FOUND` status | handler |
+| Internal error during lookup | Unhandled exception -> stream abort (no `INTERNAL_ERROR` status, unlike BLOCK) | handler |
+
+Conditional registration: BLOCK_TXS handler only registered when `config.disableTransactions` is false. Otherwise peers get `ERR_UNSUPPORTED_PROTOCOL`.
+
+**Requester side via `sendBatchRequest`** (Snappy limit: `max(N, 1) * 512 + 1` KB):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Archive root must match request | MidToleranceError | `libp2p_service.ts` (`validateRequestedBlockTxs`) |
+| BitVector length must match request | MidToleranceError | same |
+| No duplicate tx hashes | MidToleranceError | same |
+| Tx count within bounds | MidToleranceError | same |
+| Local block proposal must exist for archive root | Rejected (no penalty) | same |
+| All tx hashes must be in proposal's tx list at allowed indices | LowToleranceError | same |
+| Txs in strictly increasing index order | LowToleranceError | same |
+| Each tx passes well-formedness (Metadata [4 fields], Size, Data, Proof) | LowToleranceError | same |
+
+**Requester side via `BatchTxRequester`** (separate validation path):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Non-SUCCESS status: `FAILURE`/`UNKNOWN` | HighToleranceError + "bad peer" tracking | `batch-tx-requester/batch_tx_requester.ts` |
+| `RATE_LIMIT_EXCEEDED` | Peer marked rate-limited (cooldown) | same |
+| `NOT_FOUND` / `BADLY_FORMED_REQUEST` / `INTERNAL_ERROR` | Falls through silently (no penalty) | same |
+| Each tx validated (Metadata + Size + Data + Proof) | LowToleranceError per invalid tx; valid txs from same response still accepted | same |
+| Archive root match + non-empty txIndices | No penalty on mismatch; peer not promoted to "smart" | same |
+
+**Double penalty on transport errors**: when `BatchTxRequester` encounters a transport error (e.g., ECONNRESET), both `sendRequestToPeer`'s internal handler and the `BatchTxRequester`'s catch block penalize the peer, resulting in double HighToleranceError.
+
+See [BatchTxRequester README](batch-tx-requester/README.md) for the full architecture (peer classification, worker model, wire protocol).
+
+### TX Protocol (`/aztec/req/tx/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `TxHashArray` | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/tx.ts` |
+
+**Requester side** (validator registered at startup, not the default noop):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Each returned tx hash must be in the requested set | MidToleranceError | `libp2p_service.ts` (`validateRequestedTxs`) |
+| Each tx passes well-formedness (Metadata + Size + Data + Proof) | LowToleranceError | same |
+
+Snappy limit: `max(N, 1) * 512 + 1` KB.
+

package/src/services/reqresp/batch-tx-requester/README.md

@@ -170,6 +170,37 @@ class BlockTxsResponse {
 
 The `BitVector` is a compact representation where each bit corresponds to a transaction index in the block proposal. This allows efficient capability advertisement without repeating full hashes.
 
+## Cancellation
+
+All cancellation is managed by a single `RequestTracker` instance, shared across the entire collection
+flow. The `RequestTracker` owns the deadline, tracks which txs are still missing, and exposes a
+`cancellationToken` promise that resolves when the request should stop (deadline hit, all txs fetched,
+or external `cancel()` call).
+
+Cancellation propagates from the deepest stack level upward:
+
+```
+RequestTracker.finish()
+  ├── resolves cancellationToken promise
+  │
+  ├── BatchTxRequester workers (deepest)
+  │     ├── shouldStop() checks requestTracker.cancelled → exit loop
+  │     ├── sleepClampedToDeadline races sleep vs cancellationToken → wakes
+  │     └── semaphore.acquire races vs cancellationToken → wakes
+  │           │
+  │           ▼ workers settle → txQueue.end() → generator returns
+  │
+  ├── Node collection loops
+  │     ├── notFinished() checks requestTracker.cancelled → exit loop
+  │     └── inter-retry sleep races vs cancellationToken → wakes
+  │           │
+  │           ▼ all node loops settle
+  │
+  └── collectFast (outermost)
+        awaits Promise.allSettled([reqresp, nodes]) → settles after inner tasks
+        finally: requestTracker.cancel() (idempotent), cleanup
+```
+
 ## Key Files
 
 | File | Description |
@@ -179,15 +210,16 @@ The `BitVector` is a compact representation where each bit corresponds to a tran
 | `peer_collection.ts` | Manages peer classification (dumb/smart/bad) and rate limiting |
 | `interface.ts` | Type definitions for dependencies |
 | `../protocols/block_txs/` | Wire protocol definitions (`BlockTxsRequest`, `BlockTxsResponse`, `BitVector`) |
+| `../../tx_collection/request_tracker.ts` | Centralized deadline, missing tx tracking, and cancellation signal |
 
 ## Stopping Conditions
 
-The `BatchTxRequester` stops when any of these conditions are met:
+The `BatchTxRequester` stops when any of these conditions are met, all managed by the `RequestTracker`:
 
-1. **All transactions fetched** - Success!
-2. **Deadline exceeded** - Timeout configured by caller
-3. **Abort signal** - External cancellation
-4. **No transactions to fetch** - Nothing was missing
+1. **All transactions fetched** - `markFetched()` removes the last missing tx, triggering `finish()`
+2. **Deadline exceeded** - `setTimeout` in `RequestTracker` fires, triggering `finish()`
+3. **External cancellation** - `RequestTracker.cancel()` called (e.g., from `stop()`, `stopCollectingForBlocksUpTo`)
+4. **No transactions to fetch** - Empty hash set at construction, `RequestTracker` finishes immediately
 
 ## Configuration
 
@@ -228,11 +260,15 @@ Request to peer fails
 ## Usage Example
 
 ```typescript
+const requestTracker = RequestTracker.create(
+  missingTxHashes,                          // TxHash[] - what we need
+  new Date(Date.now() + 5_000),             // deadline
+);
+
 const requester = new BatchTxRequester(
-  missingTxHashes,      // TxHash[] - what we need
+  requestTracker,       // IRequestTracker - tracks missing txs, deadline, and cancellation
   blockTxsSource,       // BlockTxsSource - the proposal or block we need txs for
   pinnedPeer,           // PeerId | undefined - peer expected to have the txs
-  timeoutMs,            // number - how long to try
   p2pService,           // BatchTxRequesterLibP2PService
 );
 
@@ -273,6 +309,8 @@ const txs = await BatchTxRequester.collectAllTxs(requester.run());
 │  1. Try RPC nodes first (fast)    │   │  Periodic polling of RPC nodes      │
 │  2. Fall back to BatchTxRequester │   │  and peers for missing txs          │
 │                                   │   │                                     │
+│  Creates RequestTracker per       │   │                                     │
+│  request with deadline            │   │                                     │
 └───────────────────┬───────────────┘   └─────────────────────────────────────┘
                     │
                     │ For 'proposal' and 'block' requests
@@ -281,6 +319,7 @@ const txs = await BatchTxRequester.collectAllTxs(requester.run());
 │                           BatchTxRequester                                  │
 │                                                                             │
 │  Aggressive parallel fetching from multiple peers                           │
+│  Shares RequestTracker with FastTxCollection for unified cancellation       │
 │  Uses BLOCK_TXS sub-protocol for efficient batching                         │
 └───────────────────┬─────────────────────────────────────────────────────────┘
                     │

package/src/services/reqresp/batch-tx-requester/batch_tx_requester.ts

@@ -1,15 +1,14 @@
 import { chunkWrapAround } from '@aztec/foundation/collection';
-import { TimeoutError } from '@aztec/foundation/error';
 import { type Logger, createLogger } from '@aztec/foundation/log';
 import { FifoMemoryQueue, type ISemaphore, Semaphore } from '@aztec/foundation/queue';
 import { sleep } from '@aztec/foundation/sleep';
-import { DateProvider, executeTimeout } from '@aztec/foundation/timer';
+import { DateProvider } from '@aztec/foundation/timer';
 import { PeerErrorSeverity } from '@aztec/stdlib/p2p';
 import { Tx, TxArray, TxHash } from '@aztec/stdlib/tx';
 
 import type { PeerId } from '@libp2p/interface';
 
-import type { IMissingTxsTracker } from '../../tx_collection/missing_txs_tracker.js';
+import type { IRequestTracker } from '../../tx_collection/request_tracker.js';
 import { ReqRespSubProtocol } from '.././interface.js';
 import { BlockTxsRequest, BlockTxsResponse, type BlockTxsSource } from '.././protocols/index.js';
 import { ReqRespStatus } from '.././status.js';
@@ -42,16 +41,14 @@ import { BatchRequestTxValidator, type IBatchRequestTxValidator } from './tx_val
  *    - Is the peer which was unable to send us successful response N times in a row
  * */
 export class BatchTxRequester {
+  private readonly requestTracker: IRequestTracker;
   private readonly blockTxsSource: BlockTxsSource;
   private readonly pinnedPeer: PeerId | undefined;
-  private readonly timeoutMs: number;
   private readonly p2pService: BatchTxRequesterLibP2PService;
   private readonly logger: Logger;
-  private readonly dateProvider: DateProvider;
   private readonly opts: BatchTxRequesterOptions;
   private readonly peers: IPeerCollection;
   private readonly txsMetadata: ITxMetadataCollection;
-  private readonly deadline: number;
   private readonly smartRequesterSemaphore: ISemaphore;
   private readonly txQueue: FifoMemoryQueue<Tx>;
   private readonly txValidator: IBatchRequestTxValidator;
@@ -60,21 +57,19 @@ export class BatchTxRequester {
   private readonly txBatchSize: number;
 
   constructor(
-    missingTxsTracker: IMissingTxsTracker,
+    requestTracker: IRequestTracker,
     blockTxsSource: BlockTxsSource,
     pinnedPeer: PeerId | undefined,
-    timeoutMs: number,
     p2pService: BatchTxRequesterLibP2PService,
     logger?: Logger,
     dateProvider?: DateProvider,
     opts?: BatchTxRequesterOptions,
   ) {
+    this.requestTracker = requestTracker;
     this.blockTxsSource = blockTxsSource;
     this.pinnedPeer = pinnedPeer;
-    this.timeoutMs = timeoutMs;
     this.p2pService = p2pService;
     this.logger = logger ?? createLogger('p2p:reqresp_batch');
-    this.dateProvider = dateProvider ?? new DateProvider();
     this.opts = opts ?? {};
 
     this.smartParallelWorkerCount =
@@ -82,7 +77,6 @@ export class BatchTxRequester {
     this.dumbParallelWorkerCount =
       this.opts.dumbParallelWorkerCount ?? DEFAULT_BATCH_TX_REQUESTER_DUMB_PARALLEL_WORKER_COUNT;
     this.txBatchSize = this.opts.txBatchSize ?? DEFAULT_BATCH_TX_REQUESTER_TX_BATCH_SIZE;
-    this.deadline = this.dateProvider.now() + this.timeoutMs;
     this.txQueue = new FifoMemoryQueue(this.logger);
     this.txValidator = this.opts.txValidator ?? new BatchRequestTxValidator(this.p2pService.txValidatorConfig);
 
@@ -93,12 +87,12 @@ export class BatchTxRequester {
       this.peers = new PeerCollection(
         this.p2pService.connectionSampler,
         this.pinnedPeer,
-        this.dateProvider,
+        dateProvider ?? new DateProvider(),
         badPeerThreshold,
         this.p2pService.peerScoring,
       );
     }
-    this.txsMetadata = new MissingTxMetadataCollection(missingTxsTracker, this.txBatchSize);
+    this.txsMetadata = new MissingTxMetadataCollection(requestTracker, this.txBatchSize);
     this.smartRequesterSemaphore = this.opts.semaphore ?? new Semaphore(0);
   }
 
@@ -106,40 +100,30 @@ export class BatchTxRequester {
    * Fetches all missing transactions and yields them  one by one
    * */
   public async *run(): AsyncGenerator<Tx, Tx | undefined, unknown> {
-    // Our timeout is represented in milliseconds but queue expects seconds
-    // We also want to make sure we wait at least 1 second in case of very low timeouts
-    const timeoutQueueAfter = Math.max(Math.ceil(this.timeoutMs / 1_000), 1);
     try {
       if (this.txsMetadata.getMissingTxHashes().size === 0) {
         return undefined;
       }
 
-      // Start workers in background
-      const workersPromise = executeTimeout(
-        () => Promise.allSettled([this.smartRequester(), this.dumbRequester(), this.pinnedPeerRequester()]),
-        this.timeoutMs,
-      ).finally(() => {
+      // Start workers in background. Workers stop themselves via requestTracker.checkCancelled().
+      const workersPromise = Promise.allSettled([
+        this.smartRequester(),
+        this.dumbRequester(),
+        this.pinnedPeerRequester(),
+      ]).finally(() => {
         this.txQueue.end();
       });
 
+      // Yield txs as workers put them on the queue. The queue's end() drains remaining items
+      // before returning null, so we don't lose any txs.
       while (true) {
-        const tx = await this.txQueue.get(timeoutQueueAfter);
+        const tx = await this.txQueue.get();
 
-        // null indicates that the queue has ended
         if (tx === null) {
           break;
         }
 
         yield tx;
-
-        if (this.shouldStop()) {
-          // Drain queue before ending
-          let remaining;
-          while ((remaining = this.txQueue.getImmediate()) !== undefined) {
-            yield remaining;
-          }
-          break;
-        }
       }
 
       this.unlockSmartRequesterSemaphores();
@@ -360,7 +344,10 @@ export class BatchTxRequester {
   ) {
     try {
       this.logger.trace(`Smart worker ${workerIndex} started`);
-      await executeTimeout((_: AbortSignal) => this.smartRequesterSemaphore.acquire(), this.timeoutMs);
+      await Promise.race([this.smartRequesterSemaphore.acquire(), this.requestTracker.cancellationToken]);
+      if (this.requestTracker.checkCancelled()) {
+        return;
+      }
       this.logger.trace(`Smart worker ${workerIndex} acquired semaphore`);
 
       while (!this.shouldStop()) {
@@ -384,7 +371,10 @@ export class BatchTxRequester {
           //
           // When a dumb peer responds with valid txIndices, it gets
           // promoted to smart and releases the semaphore, waking this worker.
-          await executeTimeout((_: AbortSignal) => this.smartRequesterSemaphore.acquire(), this.timeoutMs);
+          await Promise.race([this.smartRequesterSemaphore.acquire(), this.requestTracker.cancellationToken]);
+          if (this.requestTracker.checkCancelled()) {
+            break;
+          }
           this.logger.debug(`Worker loop smart: acquired next smart peer`);
           continue;
         }
@@ -411,11 +401,7 @@ export class BatchTxRequester {
         });
       }
     } catch (err: any) {
-      if (err instanceof TimeoutError) {
-        this.logger.debug(`Smart worker ${workerIndex} timed out waiting for semaphore`);
-      } else {
-        this.logger.error(`Smart worker ${workerIndex} encountered an error: ${err}`);
-      }
+      this.logger.error(`Smart worker ${workerIndex} encountered an error: ${err}`);
     } finally {
       this.logger.debug(`Smart worker ${workerIndex} finished`);
     }
@@ -463,9 +449,18 @@ export class BatchTxRequester {
    *   this implies we will query these peers couple of more times and give them a chance to "redeem" themselves before completely ignoring them
    */
   private handleFailResponseFromPeer(peerId: PeerId, responseStatus: ReqRespStatus) {
-    //TODO: Should we ban these peers?
     if (responseStatus === ReqRespStatus.FAILURE || responseStatus === ReqRespStatus.UNKNOWN) {
       this.peers.penalisePeer(peerId, PeerErrorSeverity.HighToleranceError);
+      this.peers.markPeerDumb(peerId);
+      this.txsMetadata.clearPeerData(peerId);
+      return;
+    }
+
+    // NOT_FOUND means the peer pruned its block proposal — it can no longer serve
+    // index-based requests, but this is a legitimate state so we don't penalize.
+    if (responseStatus === ReqRespStatus.NOT_FOUND) {
+      this.peers.markPeerDumb(peerId);
+      this.txsMetadata.clearPeerData(peerId);
       return;
     }
 
@@ -519,6 +514,9 @@ export class BatchTxRequester {
     });
 
     if (hasInvalidTx) {
+      this.logger.warn(`Penalizing peer ${peerId.toString()} for sending invalid transactions in batch response`, {
+        peerId,
+      });
       this.peers.penalisePeer(peerId, PeerErrorSeverity.LowToleranceError);
     } else {
       // If we have received successful response from the peer, they have "redeemed" themselves and not considered bad anymore
@@ -555,10 +553,9 @@ export class BatchTxRequester {
       return;
     }
 
-    // If block response is invalid we still want to query this peer in the future
-    // Because they sent successful response, so they might become smart peer in the future
-    // Or send us needed txs
-    if (!this.isBlockResponseValid(response)) {
+    const hasArchiveRootMismatch = this.blockTxsSource.archive.toString() !== response.archiveRoot.toString();
+    if (hasArchiveRootMismatch) {
+      this.handleArchiveRootMismatch(peerId, response);
       return;
     }
 
@@ -576,13 +573,25 @@ export class BatchTxRequester {
     this.smartRequesterSemaphore.release();
   }
 
-  private isBlockResponseValid(response: BlockTxsResponse): boolean {
-    const archiveRootsMatch = this.blockTxsSource.archive.toString() === response.archiveRoot.toString();
-    const peerHasSomeTxsFromProposal = !response.txIndices.isEmpty();
-    return archiveRootsMatch && peerHasSomeTxsFromProposal;
+  /**
+   * Handles an archive root mismatch between local state and peer response.
+   *
+   * - Response archive is Fr.ZERO (peer pruned proposal, legitimate): marks peer dumb.
+   * - Non-zero archive mismatch (malicious response): penalises + marks dumb.
+   */
+  private handleArchiveRootMismatch(peerId: PeerId, response: BlockTxsResponse): void {
+    if (!response.archiveRoot.isZero()) {
+      this.peers.penalisePeer(peerId, PeerErrorSeverity.LowToleranceError);
+    }
+
+    this.peers.markPeerDumb(peerId);
+    this.txsMetadata.clearPeerData(peerId);
   }
 
   private peerHasSomeTxsWeAreMissing(_peerId: PeerId, response: BlockTxsResponse): boolean {
+    if (response.txIndices.isEmpty()) {
+      return false;
+    }
     const txsPeerHas = new Set(this.extractHashesPeerHasFromResponse(response).map(h => h.toString()));
     return this.txsMetadata.getMissingTxHashes().intersection(txsPeerHas).size > 0;
   }
@@ -631,27 +640,14 @@ export class BatchTxRequester {
   }
 
   /*
-   * @returns true if all missing txs have been fetched */
-  private fetchedAllTxs() {
-    return this.txsMetadata.getMissingTxHashes().size == 0;
-  }
-
-  /*
-   * Checks if the BatchTxRequester should stop fetching missing txs
-   * Conditions for stopping are:
-   * - There have been no missing transactions to start with
-   * - All transactions have been fetched
-   * - The deadline has been hit (no more time to fetch)
-   * - This process has been cancelled via abortSignal
-   *
-   * @returns true if BatchTxRequester should stop, otherwise false*/
+   * Checks if the BatchTxRequester should stop fetching missing txs.
+   * Delegates to requestTracker which covers: deadline hit, all txs fetched, or external cancellation. */
   private shouldStop() {
-    const aborted = this.opts.abortSignal?.aborted ?? false;
-    if (aborted) {
+    if (this.requestTracker.checkCancelled()) {
       this.unlockSmartRequesterSemaphores();
     }
 
-    return aborted || this.fetchedAllTxs() || this.dateProvider.now() > this.deadline;
+    return this.requestTracker.checkCancelled();
   }
 
   /*
@@ -669,10 +665,9 @@ export class BatchTxRequester {
    * This ensures we don't sleep past the deadline.
    * */
   private async sleepClampedToDeadline(durationMs: number) {
-    const remaining = this.deadline - this.dateProvider.now();
-    const thereIsTimeRemaining = remaining > 0;
-    if (thereIsTimeRemaining) {
-      await sleep(Math.min(durationMs, remaining));
+    if (this.requestTracker.checkCancelled()) {
+      return;
     }
+    await Promise.race([sleep(durationMs), this.requestTracker.cancellationToken]);
   }
 }

package/src/services/reqresp/batch-tx-requester/interface.ts

@@ -23,6 +23,8 @@ export interface ITxMetadataCollection {
   alreadyFetched(txHash: TxHash): boolean;
   // Returns true if tx was marked as fetched, false if it was already marked as fetched
   markPeerHas(peerId: PeerId, txHashes: TxHash[]): void;
+  /** Remove all tx metadata associations for a peer (e.g. on demotion from smart to dumb). */
+  clearPeerData(peerId: PeerId): void;
 }
 
 /**
@@ -47,7 +49,6 @@ export interface BatchTxRequesterOptions {
   //Injectable for testing purposes
   semaphore?: ISemaphore;
   peerCollection?: IPeerCollection;
-  abortSignal?: AbortSignal;
   /** Optional tx validator for testing - if not provided, one is created from p2pService.txValidatorConfig */
   txValidator?: IBatchRequestTxValidator;
 }