@aztec/p2p 0.0.1-commit.f504929 → 0.0.1-commit.f81dbcf

package/src/msg_validators/proposal_validator/proposal_validator.ts

@@ -1,15 +1,21 @@
 import type { EpochCacheInterface } from '@aztec/epoch-cache';
 import { NoCommitteeError } from '@aztec/ethereum/contracts';
 import { type Logger, createLogger } from '@aztec/foundation/log';
-import { BlockProposal, CheckpointProposal, PeerErrorSeverity, type ValidationResult } from '@aztec/stdlib/p2p';
+import {
+  type BlockProposal,
+  type CheckpointProposalCore,
+  PeerErrorSeverity,
+  type ValidationResult,
+} from '@aztec/stdlib/p2p';
 
 import { isWithinClockTolerance } from '../clock_tolerance.js';
 
-export abstract class ProposalValidator<TProposal extends BlockProposal | CheckpointProposal> {
-  protected epochCache: EpochCacheInterface;
-  protected logger: Logger;
-  protected txsPermitted: boolean;
-  protected maxTxsPerBlock?: number;
+/** Validates header-level and tx-level fields of block and checkpoint proposals. */
+export class ProposalValidator {
+  private epochCache: EpochCacheInterface;
+  private logger: Logger;
+  private txsPermitted: boolean;
+  private maxTxsPerBlock?: number;
 
   constructor(
     epochCache: EpochCacheInterface,
@@ -22,7 +28,8 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
     this.logger = createLogger(loggerName);
   }
 
-  public async validate(proposal: TProposal): Promise<ValidationResult> {
+  /** Validates header-level fields: slot, signature, and proposer. */
+  public async validate(proposal: BlockProposal | CheckpointProposalCore): Promise<ValidationResult> {
     try {
       // Slot check
       const { currentSlot, nextSlot } = this.epochCache.getCurrentAndNextSlot();
@@ -44,38 +51,6 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
         return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
       }
 
-      // Transactions permitted check
-      const embeddedTxCount = proposal.txs?.length ?? 0;
-      if (!this.txsPermitted && (proposal.txHashes.length > 0 || embeddedTxCount > 0)) {
-        this.logger.warn(
-          `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when transactions are not permitted`,
-        );
-        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
-      }
-
-      // Max txs per block check
-      if (this.maxTxsPerBlock !== undefined && proposal.txHashes.length > this.maxTxsPerBlock) {
-        this.logger.warn(
-          `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when max is ${this.maxTxsPerBlock}`,
-        );
-        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
-      }
-
-      // Embedded txs must be listed in txHashes
-      const hashSet = new Set(proposal.txHashes.map(h => h.toString()));
-      const missingTxHashes =
-        embeddedTxCount > 0
-          ? proposal.txs!.filter(tx => !hashSet.has(tx.getTxHash().toString())).map(tx => tx.getTxHash().toString())
-          : [];
-      if (embeddedTxCount > 0 && missingTxHashes.length > 0) {
-        this.logger.warn('Penalizing peer for embedded transaction(s) not included in txHashes', {
-          embeddedTxCount,
-          txHashesLength: proposal.txHashes.length,
-          missingTxHashes,
-        });
-        return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
-      }
-
       // Proposer check
       const expectedProposer = await this.epochCache.getProposerAttesterAddressInSlot(slotNumber);
       if (expectedProposer !== undefined && !proposer.equals(expectedProposer)) {
@@ -86,15 +61,6 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
         return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
       }
 
-      // Validate tx hashes for all txs embedded in the proposal
-      if (!(await Promise.all(proposal.txs?.map(tx => tx.validateTxHash()) ?? [])).every(v => v)) {
-        this.logger.warn(`Penalizing peer for invalid tx hashes in proposal`, {
-          proposer,
-          slotNumber,
-        });
-        return { result: 'reject', severity: PeerErrorSeverity.LowToleranceError };
-      }
-
       return { result: 'accept' };
     } catch (e) {
       if (e instanceof NoCommitteeError) {
@@ -103,4 +69,47 @@ export abstract class ProposalValidator<TProposal extends BlockProposal | Checkp
       throw e;
     }
   }
+
+  /** Validates transaction-related fields of a block proposal. */
+  public async validateTxs(proposal: BlockProposal): Promise<ValidationResult> {
+    // Transactions permitted check
+    const embeddedTxCount = proposal.txs?.length ?? 0;
+    if (!this.txsPermitted && (proposal.txHashes.length > 0 || embeddedTxCount > 0)) {
+      this.logger.warn(
+        `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when transactions are not permitted`,
+      );
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Max txs per block check
+    if (this.maxTxsPerBlock !== undefined && proposal.txHashes.length > this.maxTxsPerBlock) {
+      this.logger.warn(
+        `Penalizing peer for proposal with ${proposal.txHashes.length} transaction(s) when max is ${this.maxTxsPerBlock}`,
+      );
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Embedded txs must be listed in txHashes
+    const hashSet = new Set(proposal.txHashes.map(h => h.toString()));
+    const missingTxHashes =
+      embeddedTxCount > 0
+        ? proposal.txs!.filter(tx => !hashSet.has(tx.getTxHash().toString())).map(tx => tx.getTxHash().toString())
+        : [];
+    if (embeddedTxCount > 0 && missingTxHashes.length > 0) {
+      this.logger.warn('Penalizing peer for embedded transaction(s) not included in txHashes', {
+        embeddedTxCount,
+        txHashesLength: proposal.txHashes.length,
+        missingTxHashes,
+      });
+      return { result: 'reject', severity: PeerErrorSeverity.MidToleranceError };
+    }
+
+    // Validate tx hashes for all txs embedded in the proposal
+    if (!(await Promise.all(proposal.txs?.map(tx => tx.validateTxHash()) ?? [])).every(v => v)) {
+      this.logger.warn(`Penalizing peer for invalid tx hashes in proposal`);
+      return { result: 'reject', severity: PeerErrorSeverity.LowToleranceError };
+    }
+
+    return { result: 'accept' };
+  }
 }

package/src/msg_validators/tx_validator/allowed_public_setup.ts

@@ -1,49 +1,30 @@
-import { TokenContractArtifact } from '@aztec/noir-contracts.js/Token';
 import { ProtocolContractAddress } from '@aztec/protocol-contracts';
-import { FunctionSelector } from '@aztec/stdlib/abi';
-import { getContractClassFromArtifact } from '@aztec/stdlib/contract';
+import { AuthRegistryArtifact } from '@aztec/protocol-contracts/auth-registry';
+import { FeeJuiceArtifact } from '@aztec/protocol-contracts/fee-juice';
 import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
 
+import { buildAllowedElement } from './allowed_setup_helpers.js';
+
 let defaultAllowedSetupFunctions: AllowedElement[] | undefined;
 
 /** Returns the default list of functions allowed to run in the setup phase of a transaction. */
 export async function getDefaultAllowedSetupFunctions(): Promise<AllowedElement[]> {
   if (defaultAllowedSetupFunctions === undefined) {
-    const tokenClassId = (await getContractClassFromArtifact(TokenContractArtifact)).id;
-    const setAuthorizedInternalSelector = await FunctionSelector.fromSignature('_set_authorized((Field),Field,bool)');
-    const setAuthorizedSelector = await FunctionSelector.fromSignature('set_authorized(Field,bool)');
-    const increaseBalanceSelector = await FunctionSelector.fromSignature('_increase_public_balance((Field),u128)');
-    const transferInPublicSelector = await FunctionSelector.fromSignature(
-      'transfer_in_public((Field),(Field),u128,Field)',
-    );
-
-    defaultAllowedSetupFunctions = [
+    defaultAllowedSetupFunctions = await Promise.all([
       // AuthRegistry: needed for authwit support via private path (set_authorized_private enqueues _set_authorized)
-      {
-        address: ProtocolContractAddress.AuthRegistry,
-        selector: setAuthorizedInternalSelector,
-      },
+      buildAllowedElement(AuthRegistryArtifact, { address: ProtocolContractAddress.AuthRegistry }, '_set_authorized', {
+        onlySelf: true,
+        rejectNullMsgSender: true,
+      }),
       // AuthRegistry: needed for authwit support via public path (PublicFeePaymentMethod calls set_authorized directly)
-      {
-        address: ProtocolContractAddress.AuthRegistry,
-        selector: setAuthorizedSelector,
-      },
+      buildAllowedElement(AuthRegistryArtifact, { address: ProtocolContractAddress.AuthRegistry }, 'set_authorized', {
+        rejectNullMsgSender: true,
+      }),
       // FeeJuice: needed for claiming on the same tx as a spend (claim_and_end_setup enqueues this)
-      {
-        address: ProtocolContractAddress.FeeJuice,
-        selector: increaseBalanceSelector,
-      },
-      // Token: needed for private transfers via FPC (transfer_to_public enqueues this)
-      {
-        classId: tokenClassId,
-        selector: increaseBalanceSelector,
-      },
-      // Token: needed for public transfers via FPC (fee_entrypoint_public enqueues this)
-      {
-        classId: tokenClassId,
-        selector: transferInPublicSelector,
-      },
-    ];
+      buildAllowedElement(FeeJuiceArtifact, { address: ProtocolContractAddress.FeeJuice }, '_increase_public_balance', {
+        onlySelf: true,
+      }),
+    ]);
   }
   return defaultAllowedSetupFunctions;
 }

package/src/msg_validators/tx_validator/allowed_setup_helpers.ts

@@ -0,0 +1,31 @@
+import type { Fr } from '@aztec/foundation/curves/bn254';
+import { FunctionSelector, countArgumentsSize, getAllFunctionAbis } from '@aztec/stdlib/abi';
+import type { ContractArtifact } from '@aztec/stdlib/abi';
+import type { AztecAddress } from '@aztec/stdlib/aztec-address';
+import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
+
+/**
+ * Builds an AllowedElement from a contract artifact, deriving both the function selector
+ * and calldata length from the artifact instead of hardcoding signature strings.
+ */
+export async function buildAllowedElement(
+  artifact: ContractArtifact,
+  target: { address: AztecAddress } | { classId: Fr },
+  functionName: string,
+  opts?: { onlySelf?: boolean; rejectNullMsgSender?: boolean },
+): Promise<AllowedElement> {
+  const allFunctions = getAllFunctionAbis(artifact);
+  const fn = allFunctions.find(f => f.name === functionName);
+  if (!fn) {
+    throw new Error(`Unknown function ${functionName} in artifact ${artifact.name}`);
+  }
+  const selector = await FunctionSelector.fromNameAndParameters(fn.name, fn.parameters);
+  const calldataLength = 1 + countArgumentsSize(fn);
+  return {
+    ...target,
+    selector,
+    calldataLength,
+    ...(opts?.onlySelf ? { onlySelf: true } : {}),
+    ...(opts?.rejectNullMsgSender ? { rejectNullMsgSender: true } : {}),
+  } as AllowedElement;
+}

package/src/msg_validators/tx_validator/contract_instance_validator.ts

@@ -0,0 +1,56 @@
+import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
+import { ContractInstancePublishedEvent } from '@aztec/protocol-contracts/instance-registry';
+import { computeContractAddressFromInstance } from '@aztec/stdlib/contract';
+import {
+  TX_ERROR_INCORRECT_CONTRACT_ADDRESS,
+  TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG,
+  type Tx,
+  type TxValidationResult,
+  type TxValidator,
+} from '@aztec/stdlib/tx';
+
+/** Validates that contract instance deployment logs contain correct addresses. */
+export class ContractInstanceTxValidator implements TxValidator<Tx> {
+  #log: Logger;
+
+  constructor(bindings?: LoggerBindings) {
+    this.#log = createLogger('p2p:tx_validator:contract_instance', bindings);
+  }
+
+  async validateTx(tx: Tx): Promise<TxValidationResult> {
+    const reason = await this.#hasCorrectContractInstanceAddresses(tx);
+    return reason ? { result: 'invalid', reason: [reason] } : { result: 'valid' };
+  }
+
+  async #hasCorrectContractInstanceAddresses(tx: Tx): Promise<string | undefined> {
+    const privateLogs = tx.data.getNonEmptyPrivateLogs();
+    for (const log of privateLogs) {
+      if (!ContractInstancePublishedEvent.isContractInstancePublishedEvent(log)) {
+        continue;
+      }
+
+      let event;
+      try {
+        event = ContractInstancePublishedEvent.fromLog(log);
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to parse contract instance event: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG;
+      }
+
+      try {
+        const instance = event.toContractInstance();
+        const computedAddress = await computeContractAddressFromInstance(instance);
+        if (!computedAddress.equals(instance.address)) {
+          this.#log.warn(
+            `Rejecting tx ${tx.getTxHash()}: contract instance address mismatch. Claimed ${instance.address}, computed ${computedAddress}`,
+          );
+          return TX_ERROR_INCORRECT_CONTRACT_ADDRESS;
+        }
+      } catch (e) {
+        this.#log.warn(`Rejecting tx ${tx.getTxHash()}: failed to compute contract instance address: ${e}`);
+        return TX_ERROR_MALFORMED_CONTRACT_INSTANCE_LOG;
+      }
+    }
+    return undefined;
+  }
+}

package/src/msg_validators/tx_validator/factory.ts

@@ -53,6 +53,7 @@ import type { TxMetaData } from '../../mem_pools/tx_pool_v2/tx_metadata.js';
 import { AggregateTxValidator } from './aggregate_tx_validator.js';
 import { ArchiveCache } from './archive_cache.js';
 import { type ArchiveSource, BlockHeaderTxValidator } from './block_header_validator.js';
+import { ContractInstanceTxValidator } from './contract_instance_validator.js';
 import { DataTxValidator } from './data_validator.js';
 import { DoubleSpendTxValidator, type NullifierSource } from './double_spend_validator.js';
 import { GasLimitsValidator, GasTxValidator } from './gas_validator.js';
@@ -97,6 +98,7 @@ export function createFirstStageTxValidationsForGossipedTransactions(
   txsPermitted: boolean,
   allowedInSetup: AllowedElement[] = [],
   bindings?: LoggerBindings,
+  gasLimitOpts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
 ): Record<string, TransactionValidator> {
   const merkleTree = worldStateSynchronizer.getCommitted();
 
@@ -158,6 +160,7 @@ export function createFirstStageTxValidationsForGossipedTransactions(
         ProtocolContractAddress.FeeJuice,
         gasFees,
         bindings,
+        gasLimitOpts,
       ),
       severity: PeerErrorSeverity.MidToleranceError,
     },
@@ -165,6 +168,10 @@ export function createFirstStageTxValidationsForGossipedTransactions(
       validator: new DataTxValidator(bindings),
       severity: PeerErrorSeverity.MidToleranceError,
     },
+    contractInstanceValidator: {
+      validator: new ContractInstanceTxValidator(bindings),
+      severity: PeerErrorSeverity.MidToleranceError,
+    },
   };
 }
 
@@ -216,6 +223,7 @@ function createTxValidatorForMinimumTxIntegrityChecks(
     ),
     new SizeTxValidator(bindings),
     new DataTxValidator(bindings),
+    new ContractInstanceTxValidator(bindings),
     new TxProofValidator(verifier, bindings),
   );
 }
@@ -278,6 +286,9 @@ export function createTxValidatorForAcceptingTxsOverRPC(
     timestamp,
     blockNumber,
     txsPermitted,
+    rollupManaLimit,
+    maxBlockL2Gas,
+    maxBlockDAGas,
   }: {
     l1ChainId: number;
     rollupVersion: number;
@@ -287,6 +298,9 @@ export function createTxValidatorForAcceptingTxsOverRPC(
     timestamp: UInt64;
     blockNumber: BlockNumber;
     txsPermitted: boolean;
+    rollupManaLimit: number;
+    maxBlockL2Gas?: number;
+    maxBlockDAGas?: number;
   },
   bindings?: LoggerBindings,
 ): TxValidator<Tx> {
@@ -313,11 +327,16 @@ export function createTxValidatorForAcceptingTxsOverRPC(
     new BlockHeaderTxValidator(new ArchiveCache(db), bindings),
     new DoubleSpendTxValidator(new NullifierCache(db), bindings),
     new DataTxValidator(bindings),
+    new ContractInstanceTxValidator(bindings),
   ];
 
   if (!skipFeeEnforcement) {
     validators.push(
-      new GasTxValidator(new DatabasePublicStateSource(db), ProtocolContractAddress.FeeJuice, gasFees, bindings),
+      new GasTxValidator(new DatabasePublicStateSource(db), ProtocolContractAddress.FeeJuice, gasFees, bindings, {
+        rollupManaLimit,
+        maxBlockL2Gas,
+        maxBlockDAGas,
+      }),
     );
   }
 
@@ -403,6 +422,7 @@ export async function createTxValidatorForTransactionsEnteringPendingTxPool(
   worldStateSynchronizer: WorldStateSynchronizer,
   timestamp: bigint,
   blockNumber: BlockNumber,
+  gasLimitOpts: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
   bindings?: LoggerBindings,
 ): Promise<TxValidator<TxMetaData>> {
   await worldStateSynchronizer.syncImmediate();
@@ -419,7 +439,7 @@ export async function createTxValidatorForTransactionsEnteringPendingTxPool(
     },
   };
   return new AggregateTxValidator<TxMetaData>(
-    new GasLimitsValidator<TxMetaData>(bindings),
+    new GasLimitsValidator<TxMetaData>({ ...gasLimitOpts, bindings }),
     new TimestampTxValidator<TxMetaData>({ timestamp, blockNumber }, bindings),
     new DoubleSpendTxValidator<TxMetaData>(nullifierSource, bindings),
     new BlockHeaderTxValidator<TxMetaData>(archiveSource, bindings),

package/src/msg_validators/tx_validator/fee_payer_balance.ts

@@ -1,5 +1,6 @@
+import { FeeJuiceArtifact } from '@aztec/protocol-contracts/fee-juice';
 import { getCallRequestsWithCalldataByPhase } from '@aztec/simulator/server';
-import { FunctionSelector } from '@aztec/stdlib/abi';
+import { FunctionSelector, getAllFunctionAbis } from '@aztec/stdlib/abi';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 import { type Tx, TxExecutionPhase } from '@aztec/stdlib/tx';
 
@@ -8,7 +9,10 @@ export type FeePayerBalanceDelta = {
   claimAmount: bigint;
 };
 
-const increasePublicBalanceSelectorPromise = FunctionSelector.fromSignature('_increase_public_balance((Field),u128)');
+const increasePublicBalanceSelectorPromise = (() => {
+  const fn = getAllFunctionAbis(FeeJuiceArtifact).find(f => f.name === '_increase_public_balance')!;
+  return FunctionSelector.fromNameAndParameters(fn.name, fn.parameters);
+})();
 
 export function getTxFeeLimit(tx: Tx): bigint {
   return tx.data.constants.txContext.gasSettings.getFeeLimit().toBigInt();

package/src/msg_validators/tx_validator/gas_validator.ts

@@ -1,4 +1,5 @@
 import {
+  MAX_PROCESSABLE_DA_GAS_PER_CHECKPOINT,
   MAX_PROCESSABLE_L2_GAS,
   PRIVATE_TX_L2_GAS_OVERHEAD,
   PUBLIC_TX_L2_GAS_OVERHEAD,
@@ -49,16 +50,31 @@ export interface HasGasLimitData {
  */
 export class GasLimitsValidator<T extends HasGasLimitData> implements TxValidator<T> {
   #log: Logger;
-
-  constructor(bindings?: LoggerBindings) {
-    this.#log = createLogger('sequencer:tx_validator:tx_gas', bindings);
+  #effectiveMaxL2Gas: number;
+  #effectiveMaxDAGas: number;
+  #rollupManaLimit: number;
+  #maxBlockL2Gas: number;
+  #maxBlockDAGas: number;
+
+  constructor(opts?: {
+    rollupManaLimit?: number;
+    maxBlockL2Gas?: number;
+    maxBlockDAGas?: number;
+    bindings?: LoggerBindings;
+  }) {
+    this.#log = createLogger('sequencer:tx_validator:tx_gas', opts?.bindings);
+    this.#rollupManaLimit = opts?.rollupManaLimit ?? Infinity;
+    this.#maxBlockL2Gas = opts?.maxBlockL2Gas ?? Infinity;
+    this.#maxBlockDAGas = opts?.maxBlockDAGas ?? Infinity;
+    this.#effectiveMaxL2Gas = Math.min(MAX_PROCESSABLE_L2_GAS, this.#rollupManaLimit, this.#maxBlockL2Gas);
+    this.#effectiveMaxDAGas = Math.min(MAX_PROCESSABLE_DA_GAS_PER_CHECKPOINT, this.#maxBlockDAGas);
   }
 
   validateTx(tx: T): Promise<TxValidationResult> {
     return Promise.resolve(this.validateGasLimit(tx));
   }
 
-  /** Checks gas limits are >= fixed minimums and <= AVM max processable L2 gas. */
+  /** Checks gas limits are >= fixed minimums and <= effective max gas (L2 and DA). */
   validateGasLimit(tx: T): TxValidationResult {
     const gasLimits = tx.data.constants.txContext.gasSettings.gasLimits;
     const minGasLimits = new Gas(
@@ -74,10 +90,21 @@ export class GasLimitsValidator<T extends HasGasLimitData> implements TxValidato
       return { result: 'invalid', reason: [TX_ERROR_INSUFFICIENT_GAS_LIMIT] };
     }
 
-    if (gasLimits.l2Gas > MAX_PROCESSABLE_L2_GAS) {
-      this.#log.verbose(`Rejecting transaction due to the gas limit(s) being higher than the maximum processable gas`, {
+    if (gasLimits.l2Gas > this.#effectiveMaxL2Gas) {
+      this.#log.verbose(`Rejecting transaction due to the L2 gas limit being higher than the effective maximum`, {
         gasLimits,
-        minGasLimits,
+        effectiveMaxL2Gas: this.#effectiveMaxL2Gas,
+        rollupManaLimit: this.#rollupManaLimit,
+        maxBlockL2Gas: this.#maxBlockL2Gas,
+      });
+      return { result: 'invalid', reason: [TX_ERROR_GAS_LIMIT_TOO_HIGH] };
+    }
+
+    if (gasLimits.daGas > this.#effectiveMaxDAGas) {
+      this.#log.verbose(`Rejecting transaction due to the DA gas limit being higher than the effective maximum`, {
+        gasLimits,
+        effectiveMaxDAGas: this.#effectiveMaxDAGas,
+        maxBlockDAGas: this.#maxBlockDAGas,
       });
       return { result: 'invalid', reason: [TX_ERROR_GAS_LIMIT_TOO_HIGH] };
     }
@@ -106,21 +133,27 @@ export class GasTxValidator implements TxValidator<Tx> {
   #publicDataSource: PublicStateSource;
   #feeJuiceAddress: AztecAddress;
   #gasFees: GasFees;
+  #gasLimitOpts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number };
 
   constructor(
     publicDataSource: PublicStateSource,
     feeJuiceAddress: AztecAddress,
     gasFees: GasFees,
     private bindings?: LoggerBindings,
+    opts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
   ) {
     this.#log = createLogger('sequencer:tx_validator:tx_gas', bindings);
     this.#publicDataSource = publicDataSource;
     this.#feeJuiceAddress = feeJuiceAddress;
     this.#gasFees = gasFees;
+    this.#gasLimitOpts = opts;
   }
 
   async validateTx(tx: Tx): Promise<TxValidationResult> {
-    const gasLimitValidation = new GasLimitsValidator(this.bindings).validateGasLimit(tx);
+    const gasLimitValidation = new GasLimitsValidator({
+      ...this.#gasLimitOpts,
+      bindings: this.bindings,
+    }).validateGasLimit(tx);
     if (gasLimitValidation.result === 'invalid') {
       return Promise.resolve(gasLimitValidation);
     }

package/src/msg_validators/tx_validator/index.ts

@@ -8,6 +8,7 @@ export * from './gas_validator.js';
 export * from './phases_validator.js';
 export * from './test_utils.js';
 export * from './allowed_public_setup.js';
+export * from './allowed_setup_helpers.js';
 export * from './archive_cache.js';
 export * from './tx_permitted_validator.js';
 export * from './timestamp_validator.js';

package/src/msg_validators/tx_validator/phases_validator.ts

@@ -1,5 +1,7 @@
+import { NULL_MSG_SENDER_CONTRACT_ADDRESS } from '@aztec/constants';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
 import { PublicContractsDB, getCallRequestsWithCalldataByPhase } from '@aztec/simulator/server';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import type { ContractDataSource } from '@aztec/stdlib/contract';
 import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
 import {
@@ -7,6 +9,9 @@ import {
   TX_ERROR_DURING_VALIDATION,
   TX_ERROR_SETUP_FUNCTION_NOT_ALLOWED,
   TX_ERROR_SETUP_FUNCTION_UNKNOWN_CONTRACT,
+  TX_ERROR_SETUP_NULL_MSG_SENDER,
+  TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER,
+  TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH,
   Tx,
   TxExecutionPhase,
   type TxValidationResult,
@@ -84,6 +89,18 @@ export class PhasesTxValidator implements TxValidator<Tx> {
     for (const entry of allowList) {
       if ('address' in entry) {
         if (contractAddress.equals(entry.address) && entry.selector.equals(functionSelector)) {
+          if (entry.calldataLength !== undefined && publicCall.calldata.length !== entry.calldataLength) {
+            return TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH;
+          }
+          if (entry.onlySelf && !publicCall.request.msgSender.equals(contractAddress)) {
+            return TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER;
+          }
+          if (
+            entry.rejectNullMsgSender &&
+            publicCall.request.msgSender.equals(AztecAddress.fromBigInt(NULL_MSG_SENDER_CONTRACT_ADDRESS))
+          ) {
+            return TX_ERROR_SETUP_NULL_MSG_SENDER;
+          }
           return undefined;
         }
       }
@@ -105,6 +122,18 @@ export class PhasesTxValidator implements TxValidator<Tx> {
       }
 
       if (contractClassId.value === entry.classId.toString() && entry.selector.equals(functionSelector)) {
+        if (entry.calldataLength !== undefined && publicCall.calldata.length !== entry.calldataLength) {
+          return TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH;
+        }
+        if (entry.onlySelf && !publicCall.request.msgSender.equals(contractAddress)) {
+          return TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER;
+        }
+        if (
+          entry.rejectNullMsgSender &&
+          publicCall.request.msgSender.equals(AztecAddress.fromBigInt(NULL_MSG_SENDER_CONTRACT_ADDRESS))
+        ) {
+          return TX_ERROR_SETUP_NULL_MSG_SENDER;
+        }
         return undefined;
       }
     }

package/src/services/libp2p/libp2p_service.ts

@@ -1,5 +1,6 @@
 import type { EpochCacheInterface } from '@aztec/epoch-cache';
 import { BlockNumber, type SlotNumber } from '@aztec/foundation/branded-types';
+import { maxBy } from '@aztec/foundation/collection';
 import { Fr } from '@aztec/foundation/curves/bn254';
 import { type Logger, createLibp2pComponentLogger, createLogger } from '@aztec/foundation/log';
 import { RunningPromise } from '@aztec/foundation/running-promise';
@@ -19,6 +20,7 @@ import {
   P2PMessage,
   type ValidationResult as P2PValidationResult,
   PeerErrorSeverity,
+  PeerErrorSeverityByHarshness,
   TopicType,
   createTopicString,
   getTopicsForConfig,
@@ -222,14 +224,12 @@ export class LibP2PService extends WithTracer implements P2PService {
       this.protocolVersion,
     );
 
-    this.blockProposalValidator = new BlockProposalValidator(epochCache, {
+    const proposalValidatorOpts = {
       txsPermitted: !config.disableTransactions,
-      maxTxsPerBlock: config.maxTxsPerBlock,
-    });
-    this.checkpointProposalValidator = new CheckpointProposalValidator(epochCache, {
-      txsPermitted: !config.disableTransactions,
-      maxTxsPerBlock: config.maxTxsPerBlock,
-    });
+      maxTxsPerBlock: config.validateMaxTxsPerBlock ?? config.validateMaxTxsPerCheckpoint,
+    };
+    this.blockProposalValidator = new BlockProposalValidator(epochCache, proposalValidatorOpts);
+    this.checkpointProposalValidator = new CheckpointProposalValidator(epochCache, proposalValidatorOpts);
     this.checkpointAttestationValidator = config.fishermanMode
       ? new FishermanAttestationValidator(epochCache, mempools.attestationPool, telemetry)
       : new CheckpointAttestationValidator(epochCache);
@@ -237,11 +237,11 @@ export class LibP2PService extends WithTracer implements P2PService {
     this.gossipSubEventHandler = this.handleGossipSubEvent.bind(this);
 
     this.blockReceivedCallback = async (block: BlockProposal): Promise<boolean> => {
-      this.logger.debug(
-        `Handler not yet registered: Block received callback not set. Received block for slot ${block.slotNumber} from peer.`,
+      this.logger.warn(
+        `Handler for block received not yet registered on P2P service. Received block ${block.blockNumber} for slot ${block.slotNumber} from peer.`,
         { p2pMessageIdentifier: await block.p2pMessageLoggingIdentifier() },
       );
-      return false;
+      return true;
     };
 
     this.checkpointReceivedCallback = (
@@ -1192,7 +1192,7 @@ export class LibP2PService extends WithTracer implements P2PService {
     // Note: Validators do NOT attest to individual blocks, only to checkpoint proposals.
     const isValid = await this.blockReceivedCallback(block, sender);
     if (!isValid) {
-      this.logger.warn(`Block proposal validation failed for block ${block.blockNumber}`, block.toBlockInfo());
+      this.logger.info(`Block proposal validation failed for block ${block.blockNumber}`, block.toBlockInfo());
     }
   }
 
@@ -1626,6 +1626,7 @@ export class LibP2PService extends WithTracer implements P2PService {
       ...(this.config.txPublicSetupAllowListExtend ?? []),
     ];
     const blockNumber = BlockNumber(currentBlockNumber + 1);
+    const l1Constants = await this.archiver.getL1Constants();
 
     return createFirstStageTxValidationsForGossipedTransactions(
       nextSlotTimestamp,
@@ -1639,6 +1640,11 @@ export class LibP2PService extends WithTracer implements P2PService {
       !this.config.disableTransactions,
       allowedInSetup,
       this.logger.getBindings(),
+      {
+        rollupManaLimit: l1Constants.rollupManaLimit,
+        maxBlockL2Gas: this.config.validateMaxL2BlockGas,
+        maxBlockDAGas: this.config.validateMaxDABlockGas,
+      },
     );
   }
 
@@ -1664,8 +1670,10 @@ export class LibP2PService extends WithTracer implements P2PService {
 
     // A promise that resolves when all validations have been run
     const allValidations = await Promise.all(validationPromises);
-    const failed = allValidations.find(x => !x.isValid);
-    if (failed) {
+    const failures = allValidations.filter(x => !x.isValid);
+    if (failures.length > 0) {
+      // Pick the most severe failure (lowest tolerance = harshest penalty)
+      const failed = maxBy(failures, f => PeerErrorSeverityByHarshness.indexOf(f.severity))!;
       return {
         allPassed: false,
         failure: {