@aztec/p2p 0.0.1-commit.f650c0a5c → 0.0.1-commit.f7ea82942

package/src/msg_validators/tx_validator/gas_validator.ts

@@ -36,6 +36,18 @@ export interface HasGasLimitData {
   };
 }
 
+/** Structural interface for types that carry max fee per gas data, used by {@link MaxFeePerGasValidator}. */
+export interface HasMaxFeePerGasData {
+  txHash: { toString(): string };
+  data: {
+    constants: {
+      txContext: {
+        gasSettings: { maxFeesPerGas: GasFees };
+      };
+    };
+  };
+}
+
 /**
  * Validates that a transaction's gas limits are within acceptable bounds.
  *
@@ -124,15 +136,60 @@ export class GasLimitsValidator<T extends HasGasLimitData> implements TxValidato
   }
 }
 
+/**
+ * Validates that a transaction's max fee per gas meets the current block's gas fees.
+ *
+ * Rejects transactions whose maxFeesPerGas is below the current block's gas fees
+ * on either dimension (DA or L2). This is a cheap, stateless check.
+ *
+ * Generic over T so it can validate both full {@link Tx} objects and {@link TxMetaData}
+ * (used during pending pool migration).
+ *
+ * Used by: pending pool migration (via factory), and indirectly by {@link GasTxValidator}.
+ */
+export class MaxFeePerGasValidator<T extends HasMaxFeePerGasData> implements TxValidator<T> {
+  #log: Logger;
+  #gasFees: GasFees;
+
+  constructor(gasFees: GasFees, bindings?: LoggerBindings) {
+    this.#log = createLogger('sequencer:tx_validator:tx_gas', bindings);
+    this.#gasFees = gasFees;
+  }
+
+  validateTx(tx: T): Promise<TxValidationResult> {
+    return Promise.resolve(this.validateMaxFeePerGas(tx));
+  }
+
+  /** Checks maxFeesPerGas >= current block gas fees on both dimensions. */
+  validateMaxFeePerGas(tx: T): TxValidationResult {
+    const maxFeesPerGas = tx.data.constants.txContext.gasSettings.maxFeesPerGas;
+    const notEnoughMaxFees =
+      maxFeesPerGas.feePerDaGas < this.#gasFees.feePerDaGas || maxFeesPerGas.feePerL2Gas < this.#gasFees.feePerL2Gas;
+
+    if (notEnoughMaxFees) {
+      this.#log.verbose(`Rejecting transaction ${tx.txHash.toString()} due to insufficient fee per gas`, {
+        txMaxFeesPerGas: maxFeesPerGas.toInspect(),
+        currentGasFees: this.#gasFees.toInspect(),
+      });
+      return {
+        result: 'invalid',
+        reason: [
+          `${TX_ERROR_INSUFFICIENT_FEE_PER_GAS} (maxFee=da:${maxFeesPerGas.feePerDaGas},l2:${maxFeesPerGas.feePerL2Gas} required=da:${this.#gasFees.feePerDaGas},l2:${this.#gasFees.feePerL2Gas})`,
+        ],
+      };
+    }
+    return { result: 'valid' };
+  }
+}
+
 /**
  * Validates that a transaction can pay its gas fees.
  *
  * Runs three checks in order:
  * 1. **Gas limits** (delegates to {@link GasLimitsValidator}) — rejects if limits are
  *    out of bounds.
- * 2. **Max fee per gas** — skips (not rejects) the tx if its maxFeesPerGas is below
- *    the current block's gas fees. We skip rather than reject because the tx may
- *    become eligible in a later block with lower fees.
+ * 2. **Max fee per gas** — rejects the tx if its maxFeesPerGas is below
+ *    the current block's gas fees.
  * 3. **Fee payer balance** — reads the fee payer's FeeJuice balance from public state,
  *    adds any pending claim from a setup-phase `_increase_public_balance` call, and
  *    rejects if the total is less than the tx's fee limit (gasLimits * maxFeePerGas).
@@ -166,39 +223,15 @@ export class GasTxValidator implements TxValidator<Tx> {
       bindings: this.bindings,
     }).validateGasLimit(tx);
     if (gasLimitValidation.result === 'invalid') {
-      return Promise.resolve(gasLimitValidation);
+      return gasLimitValidation;
     }
-    const skipReason = this.#getSkipReason(tx);
-    if (skipReason) {
-      return Promise.resolve({ result: 'skipped', reason: [skipReason] });
+    const maxFeeValidation = new MaxFeePerGasValidator(this.#gasFees, this.bindings).validateMaxFeePerGas(tx);
+    if (maxFeeValidation.result === 'invalid') {
+      return maxFeeValidation;
     }
     return await this.validateTxFee(tx);
   }
 
-  /**
-   * Check whether the tx's max fees are valid for the current block, and return a skip reason if not.
-   * We skip instead of invalidating since the tx may become eligible later.
-   * Note that circuits check max fees even if fee payer is unset, so we
-   * keep this validation even if the tx does not pay fees.
-   */
-  #getSkipReason(tx: Tx): string | undefined {
-    const gasSettings = tx.data.constants.txContext.gasSettings;
-
-    // Skip the tx if its max fees are not enough for the current block's gas fees.
-    const maxFeesPerGas = gasSettings.maxFeesPerGas;
-    const notEnoughMaxFees =
-      maxFeesPerGas.feePerDaGas < this.#gasFees.feePerDaGas || maxFeesPerGas.feePerL2Gas < this.#gasFees.feePerL2Gas;
-
-    if (notEnoughMaxFees) {
-      this.#log.verbose(`Skipping transaction ${tx.getTxHash().toString()} due to insufficient fee per gas`, {
-        txMaxFeesPerGas: maxFeesPerGas.toInspect(),
-        currentGasFees: this.#gasFees.toInspect(),
-      });
-      return `${TX_ERROR_INSUFFICIENT_FEE_PER_GAS} (maxFee=da:${maxFeesPerGas.feePerDaGas},l2:${maxFeesPerGas.feePerL2Gas} required=da:${this.#gasFees.feePerDaGas},l2:${this.#gasFees.feePerL2Gas})`;
-    }
-    return undefined;
-  }
-
   /**
    * Checks the fee payer has enough FeeJuice balance to cover the tx's fee limit.
    * Accounts for any pending claim from a setup-phase `_increase_public_balance` call.

package/src/services/data_store.ts

@@ -28,8 +28,6 @@ export class AztecDatastore implements Datastore {
   #memoryDatastore: Map<string, MemoryItem>;
   #dbDatastore: AztecAsyncMap<string, Uint8Array>;
 
-  #batchOps: BatchOp[] = [];
-
   private maxMemoryItems: number;
 
   constructor(db: AztecAsyncKVStore, { maxMemoryItems } = { maxMemoryItems: 50 }) {
@@ -92,23 +90,17 @@ export class AztecDatastore implements Datastore {
   }
 
   batch(): Batch {
+    const ops: BatchOp[] = [];
     return {
       put: (key, value) => {
-        this.#batchOps.push({
-          type: 'put',
-          key,
-          value,
-        });
+        ops.push({ type: 'put', key, value });
       },
       delete: key => {
-        this.#batchOps.push({
-          type: 'del',
-          key,
-        });
+        ops.push({ type: 'del', key });
       },
       commit: async () => {
         await this.#db.transactionAsync(async () => {
-          for (const op of this.#batchOps) {
+          for (const op of ops) {
             if (op.type === 'put' && op.value) {
               await this.put(op.key, op.value);
             } else if (op.type === 'del') {
@@ -116,7 +108,7 @@ export class AztecDatastore implements Datastore {
             }
           }
         });
-        this.#batchOps = []; // Clear operations after commit
+        ops.length = 0;
       },
     };
   }

package/src/services/dummy_service.ts

@@ -287,6 +287,7 @@ export class DummyPeerManager implements PeerManagerInterface {
 
 export class DummyReqResp implements ReqRespInterface {
   updateConfig(_config: Partial<P2PReqRespConfig>): void {}
+  setShouldRejectPeer(): void {}
   start(
     _subProtocolHandlers: ReqRespSubProtocolHandlers,
     _subProtocolValidators: ReqRespSubProtocolValidators,

package/src/services/gossipsub/topic_score_params.ts

@@ -1,5 +1,5 @@
 import { TopicType, createTopicString } from '@aztec/stdlib/p2p';
-import { calculateMaxBlocksPerSlot } from '@aztec/stdlib/timetable';
+import { createCheckpointTimingModel } from '@aztec/stdlib/timetable';
 
 import { createTopicScoreParams } from '@chainsafe/libp2p-gossipsub/score';
 
@@ -9,12 +9,18 @@ import { createTopicScoreParams } from '@chainsafe/libp2p-gossipsub/score';
 export type TopicScoringNetworkParams = {
   /** L2 slot duration in milliseconds */
   slotDurationMs: number;
+  /** L1 slot duration in seconds */
+  ethereumSlotDuration: number;
   /** Gossipsub heartbeat interval in milliseconds */
   heartbeatIntervalMs: number;
   /** Target committee size (number of validators expected to attest per slot) */
   targetCommitteeSize: number;
   /** Duration per block in milliseconds when building multiple blocks per slot. If undefined, single block mode. */
   blockDurationMs?: number;
+  /** Time budget in seconds reserved for L1 publishing. Defaults to ethereumSlotDuration. */
+  l1PublishingTime?: number;
+  /** One-way proposal/attestation propagation budget in seconds. */
+  p2pPropagationTime?: number;
   /** Expected number of block proposals per slot for scoring override. 0 disables scoring, undefined falls back to blocksPerSlot - 1. */
   expectedBlockProposalsPerSlot?: number;
 };
@@ -25,10 +31,32 @@ export type TopicScoringNetworkParams = {
  *
  * @param slotDurationMs - L2 slot duration in milliseconds
  * @param blockDurationMs - Duration per block in milliseconds (undefined = single block mode)
+ * @param opts - Shared checkpoint timing inputs used by the sequencer and validators
  * @returns Number of blocks per slot
  */
-export function calculateBlocksPerSlot(slotDurationMs: number, blockDurationMs: number | undefined): number {
-  return calculateMaxBlocksPerSlot(slotDurationMs / 1000, blockDurationMs ? blockDurationMs / 1000 : undefined);
+export function calculateBlocksPerSlot(
+  slotDurationMs: number,
+  blockDurationMs: number | undefined,
+  opts?: {
+    ethereumSlotDuration: number;
+    l1PublishingTime?: number;
+    p2pPropagationTime?: number;
+  },
+): number {
+  if (!opts) {
+    return createCheckpointTimingModel({
+      aztecSlotDuration: slotDurationMs / 1000,
+      blockDuration: blockDurationMs ? blockDurationMs / 1000 : undefined,
+    }).calculateMaxBlocksPerSlot();
+  }
+
+  return createCheckpointTimingModel({
+    aztecSlotDuration: slotDurationMs / 1000,
+    ethereumSlotDuration: opts.ethereumSlotDuration,
+    blockDuration: blockDurationMs ? blockDurationMs / 1000 : undefined,
+    l1PublishingTime: opts.l1PublishingTime ?? opts.ethereumSlotDuration,
+    p2pPropagationTime: opts.p2pPropagationTime,
+  }).calculateMaxBlocksPerSlot();
 }
 
 /**
@@ -279,7 +307,11 @@ export class TopicScoreParamsFactory {
     const { slotDurationMs, heartbeatIntervalMs, blockDurationMs } = params;
 
     // Compute values that are the same for all topics
-    this.blocksPerSlot = calculateBlocksPerSlot(slotDurationMs, blockDurationMs);
+    this.blocksPerSlot = calculateBlocksPerSlot(slotDurationMs, blockDurationMs, {
+      ethereumSlotDuration: params.ethereumSlotDuration,
+      l1PublishingTime: params.l1PublishingTime,
+      p2pPropagationTime: params.p2pPropagationTime,
+    });
     this.heartbeatsPerSlot = slotDurationMs / heartbeatIntervalMs;
     this.invalidDecay = computeDecay(heartbeatIntervalMs, slotDurationMs, INVALID_DECAY_WINDOW_SLOTS);
 

package/src/services/libp2p/instrumentation.ts

@@ -18,6 +18,7 @@ export class P2PInstrumentation {
   private messagePrevalidationCount: UpDownCounter;
   private messageLatency: Histogram;
   private txReceivedCount: UpDownCounter;
+  private slowValidationCount: UpDownCounter;
 
   private aggLatencyHisto = new Map<TopicType, RecordableHistogram>();
   private aggValidationHisto = new Map<TopicType, RecordableHistogram>();
@@ -48,6 +49,15 @@ export class P2PInstrumentation {
 
     this.txReceivedCount = createUpDownCounterWithDefault(meter, Metrics.P2P_GOSSIP_TX_RECEIVED_COUNT);
 
+    this.slowValidationCount = createUpDownCounterWithDefault(meter, Metrics.P2P_GOSSIP_SLOW_VALIDATION_COUNT, {
+      [Attributes.TOPIC_NAME]: [
+        TopicType.tx,
+        TopicType.block_proposal,
+        TopicType.checkpoint_proposal,
+        TopicType.checkpoint_attestation,
+      ],
+    });
+
     this.aggLatencyMetrics = {
       avg: meter.createObservableGauge(Metrics.P2P_GOSSIP_AGG_MESSAGE_LATENCY_AVG),
       max: meter.createObservableGauge(Metrics.P2P_GOSSIP_AGG_MESSAGE_LATENCY_MAX),
@@ -87,6 +97,10 @@ export class P2PInstrumentation {
     this.txReceivedCount.add(count);
   }
 
+  public incSlowValidation(topicName: TopicType) {
+    this.slowValidationCount.add(1, { [Attributes.TOPIC_NAME]: topicName });
+  }
+
   public incMessagePrevalidationStatus(passed: boolean, topicName: TopicType | undefined) {
     this.messagePrevalidationCount.add(1, { [Attributes.TOPIC_NAME]: topicName, [Attributes.OK]: passed });
   }

package/src/services/libp2p/libp2p_service.ts

@@ -8,7 +8,7 @@ import type { AztecAsyncKVStore } from '@aztec/kv-store';
 import { protocolContractsHash } from '@aztec/protocol-contracts';
 import type { EthAddress, L2BlockSource } from '@aztec/stdlib/block';
 import type { ContractDataSource } from '@aztec/stdlib/contract';
-import { GasFees } from '@aztec/stdlib/gas';
+import { type BlockMinFeesProvider, GasFees } from '@aztec/stdlib/gas';
 import type { ClientProtocolCircuitVerifier, PeerInfo, WorldStateSynchronizer } from '@aztec/stdlib/interfaces/server';
 import {
   BlockProposal,
@@ -146,8 +146,6 @@ export class LibP2PService extends WithTracer implements P2PService {
   private protocolVersion = '';
   private topicStrings: Record<TopicType, string> = {} as Record<TopicType, string>;
 
-  private feesCache: { blockNumber: BlockNumber; gasFees: GasFees } | undefined;
-
   /** Callback invoked when a duplicate proposal is detected (triggers slashing). */
   private duplicateProposalCallback?: (info: {
     slot: SlotNumber;
@@ -197,6 +195,7 @@ export class LibP2PService extends WithTracer implements P2PService {
     private epochCache: EpochCacheInterface,
     private proofVerifier: ClientProtocolCircuitVerifier,
     private worldStateSynchronizer: WorldStateSynchronizer,
+    private blockMinFeesProvider: BlockMinFeesProvider,
     telemetry: TelemetryClient,
     logger: Logger = createLogger('p2p:libp2p_service'),
   ) {
@@ -228,15 +227,19 @@ export class LibP2PService extends WithTracer implements P2PService {
       this.protocolVersion,
     );
 
+    const p2pPropagationTime = config.attestationPropagationTime;
     const proposalValidatorOpts = {
       txsPermitted: !config.disableTransactions,
       maxTxsPerBlock: config.validateMaxTxsPerBlock ?? config.validateMaxTxsPerCheckpoint,
+      p2pPropagationTime,
     };
     this.blockProposalValidator = new BlockProposalValidator(epochCache, proposalValidatorOpts);
     this.checkpointProposalValidator = new CheckpointProposalValidator(epochCache, proposalValidatorOpts);
     this.checkpointAttestationValidator = config.fishermanMode
-      ? new FishermanAttestationValidator(epochCache, mempools.attestationPool, telemetry)
-      : new CheckpointAttestationValidator(epochCache);
+      ? new FishermanAttestationValidator(epochCache, mempools.attestationPool, telemetry, {
+          l1PublishingTime: config.l1PublishingTime,
+        })
+      : new CheckpointAttestationValidator(epochCache, { l1PublishingTime: config.l1PublishingTime });
 
     this.gossipSubEventHandler = this.handleGossipSubEvent.bind(this);
 
@@ -281,6 +284,7 @@ export class LibP2PService extends WithTracer implements P2PService {
       proofVerifier: ClientProtocolCircuitVerifier;
       worldStateSynchronizer: WorldStateSynchronizer;
       peerStore: AztecAsyncKVStore;
+      blockMinFeesProvider: BlockMinFeesProvider;
       telemetry: TelemetryClient;
       logger: Logger;
       packageVersion: string;
@@ -293,6 +297,7 @@ export class LibP2PService extends WithTracer implements P2PService {
       mempools,
       proofVerifier,
       peerStore,
+      blockMinFeesProvider,
       telemetry,
       logger,
       packageVersion,
@@ -346,9 +351,12 @@ export class LibP2PService extends WithTracer implements P2PService {
     const l1Constants = epochCache.getL1Constants();
     const topicScoreParams = createAllTopicScoreParams(protocolVersion, {
       slotDurationMs: l1Constants.slotDuration * 1000,
+      ethereumSlotDuration: l1Constants.ethereumSlotDuration,
       heartbeatIntervalMs: config.gossipsubInterval,
       targetCommitteeSize: l1Constants.targetCommitteeSize,
       blockDurationMs: config.blockDurationMs,
+      l1PublishingTime: config.l1PublishingTime,
+      p2pPropagationTime: config.attestationPropagationTime,
       expectedBlockProposalsPerSlot: config.expectedBlockProposalsPerSlot,
     });
 
@@ -473,6 +481,9 @@ export class LibP2PService extends WithTracer implements P2PService {
       epochCache,
     );
 
+    // Gate req/resp data protocols for unauthenticated peers when p2pAllowOnlyValidators is enabled
+    reqresp.setShouldRejectPeer(peerId => peerManager.shouldDisableP2PGossip(peerId));
+
     // Configure application-specific scoring for gossipsub.
     // The weight scales app score to align with gossipsub thresholds:
     // - Disconnect (-50) × 10 = -500 = gossipThreshold (stops receiving gossip)
@@ -493,6 +504,7 @@ export class LibP2PService extends WithTracer implements P2PService {
       epochCache,
       proofVerifier,
       worldStateSynchronizer,
+      blockMinFeesProvider,
       telemetry,
       logger,
     );
@@ -907,6 +919,17 @@ export class LibP2PService extends WithTracer implements P2PService {
       this.logger.error(`Error validating gossipsub message`, err, { msgId, source: source.toString(), topicType });
     }
 
+    const validationTimeMs = timer.ms();
+    const mcacheWindowMs = this.config.gossipsubMcacheLength * this.config.gossipsubInterval;
+    if (validationTimeMs > mcacheWindowMs * 0.75) {
+      this.instrumentation.incSlowValidation(topicType);
+      this.logger.warn(
+        `Gossip validation for ${topicType} took ${validationTimeMs}ms, approaching mcache eviction window of ${mcacheWindowMs}ms. ` +
+          `Message forwarding may be skipped if validation exceeds the window.`,
+        { msgId, source: source.toString(), topicType, validationTimeMs, mcacheWindowMs },
+      );
+    }
+
     if (resultAndObj.result === TopicValidatorResult.Accept) {
       this.logger.debug(`Message ${topicType} accepted by validator`, { msgId, source: source.toString(), topicType });
       this.instrumentation.recordMessageValidation(topicType, timer);
@@ -1595,15 +1618,8 @@ export class LibP2PService extends WithTracer implements P2PService {
     });
   }
 
-  private async getGasFees(blockNumber: BlockNumber): Promise<GasFees> {
-    if (blockNumber === this.feesCache?.blockNumber) {
-      return this.feesCache.gasFees;
-    }
-
-    const header = await this.archiver.getBlockHeader(blockNumber);
-    const gasFees = header?.globalVariables.gasFees ?? GasFees.empty();
-    this.feesCache = { blockNumber, gasFees };
-    return gasFees;
+  private getGasFees(): Promise<GasFees> {
+    return this.blockMinFeesProvider.getCurrentMinFees();
   }
 
   /**
@@ -1645,7 +1661,7 @@ export class LibP2PService extends WithTracer implements P2PService {
     currentBlockNumber: BlockNumber,
     nextSlotTimestamp: UInt64,
   ): Promise<Record<string, TransactionValidator>> {
-    const gasFees = await this.getGasFees(currentBlockNumber);
+    const gasFees = await this.getGasFees();
     const allowedInSetup = [
       ...(await getDefaultAllowedSetupFunctions()),
       ...(this.config.txPublicSetupAllowListExtend ?? []),

package/src/services/peer-manager/peer_manager.ts

@@ -728,6 +728,12 @@ export class PeerManager implements PeerManagerInterface {
       return;
     }
 
+    // Don't dial peers that have exceeded the auth failure threshold
+    if (!this.isNodeAllowedToConnect(peerId)) {
+      this.logger.trace(`Skipping peer ${peerId} due to failed auth handshake attempts`);
+      return;
+    }
+
     const [multiaddrTcp] = await Promise.all([enr.getFullMultiaddr('tcp')]);
 
     this.logger.trace(`Handling discovered peer ${peerId} at ${multiaddrTcp?.toString() ?? 'undefined address'}`);
@@ -985,14 +991,14 @@ export class PeerManager implements PeerManagerInterface {
     const peerIdStr = peerId.toString();
 
     const existingEntry = this.failedAuthHandshakes.get(peerIdStr);
+    const failureCount = (existingEntry?.count || 0) + 1;
     this.failedAuthHandshakes.set(peerIdStr, {
-      count: (existingEntry?.count || 0) + 1,
+      count: failureCount,
       lastFailureTimestamp: now,
     });
 
     const connections = this.libP2PNode.getConnections(peerId);
     connections.forEach(conn => {
-      // We mark the IP address
       const address = conn.remoteAddr.nodeAddress().address;
       const existingAddressEntry = this.failedAuthHandshakes.get(address);
       this.failedAuthHandshakes.set(address, {
@@ -1000,6 +1006,15 @@ export class PeerManager implements PeerManagerInterface {
         lastFailureTimestamp: now,
       });
     });
+
+    // Ban the peer from being re-dialed for a cooldown period (exponential backoff)
+    const banTimeMs = this.config.peerFailedBanTimeMs ?? DEFAULT_FAILED_PEER_BAN_TIME_MS;
+    const backoffMs = banTimeMs * Math.pow(2, Math.min(failureCount - 1, 5));
+    this.timedOutPeers.set(peerIdStr, {
+      peerId: peerIdStr,
+      timeoutUntilMs: now + backoffMs,
+    });
+    this.cachedPeers.delete(peerIdStr);
   }
 
   /*

package/src/services/reqresp/config.ts

@@ -1,4 +1,4 @@
-import { type ConfigMapping, booleanConfigHelper, numberConfigHelper } from '@aztec/foundation/config';
+import { type ConfigMappingsType, booleanConfigHelper, numberConfigHelper } from '@aztec/foundation/config';
 
 export const DEFAULT_INDIVIDUAL_REQUEST_TIMEOUT_MS = 10_000;
 export const DEFAULT_OVERALL_REQUEST_TIMEOUT_MS = 10_000; // Not currently used
@@ -27,7 +27,7 @@ export interface P2PReqRespConfig {
   dialTimeoutMs: number;
 }
 
-export const p2pReqRespConfigMappings: Record<keyof P2PReqRespConfig, ConfigMapping> = {
+export const p2pReqRespConfigMappings: ConfigMappingsType<P2PReqRespConfig> = {
   overallRequestTimeoutMs: {
     env: 'P2P_REQRESP_OVERALL_REQUEST_TIMEOUT_MS',
     description: 'The overall timeout for a request response operation.',

package/src/services/reqresp/interface.ts

@@ -95,6 +95,24 @@ export type ReqRespSubProtocolValidators = {
   [S in ReqRespSubProtocol]: ResponseValidator<any, any>;
 };
 
+/**
+ * Protocols that are always allowed without authentication, even when p2pAllowOnlyValidators is enabled.
+ * These are needed for the handshake and connection management flow.
+ * All other protocols require the remote peer to be authenticated.
+ */
+export const UNAUTHENTICATED_ALLOWED_PROTOCOLS: ReadonlySet<ReqRespSubProtocol> = new Set([
+  ReqRespSubProtocol.PING,
+  ReqRespSubProtocol.STATUS,
+  ReqRespSubProtocol.AUTH,
+  ReqRespSubProtocol.GOODBYE,
+]);
+
+/**
+ * Callback that checks whether a peer should be rejected from req/resp data protocols.
+ * Returns true if the peer should be rejected (i.e. p2pAllowOnlyValidators is on and peer is unauthenticated).
+ */
+export type ShouldRejectPeer = (peerId: string) => boolean;
+
 export const DEFAULT_SUB_PROTOCOL_VALIDATORS: ReqRespSubProtocolValidators = {
   [ReqRespSubProtocol.PING]: noopValidator,
   [ReqRespSubProtocol.STATUS]: noopValidator,
@@ -253,5 +271,8 @@ export interface ReqRespInterface {
 
   updateConfig(config: Partial<P2PReqRespConfig>): void;
 
+  /** Sets the callback used to reject unauthenticated peers on gated req/resp protocols. */
+  setShouldRejectPeer(checker: ShouldRejectPeer): void;
+
   getConnectionSampler(): Pick<ConnectionSampler, 'getPeerListSortedByConnectionCountAsc'>;
 }

package/src/services/reqresp/reqresp.ts

@@ -34,7 +34,9 @@ import {
   type ReqRespSubProtocolHandlers,
   type ReqRespSubProtocolRateLimits,
   type ReqRespSubProtocolValidators,
+  type ShouldRejectPeer,
   type SubProtocolMap,
+  UNAUTHENTICATED_ALLOWED_PROTOCOLS,
   responseFromBuffer,
   subProtocolSizeCalculators,
 } from './interface.js';
@@ -72,6 +74,8 @@ export class ReqResp implements ReqRespInterface {
 
   private snappyTransform: SnappyTransform;
 
+  private shouldRejectPeer: ShouldRejectPeer | undefined;
+
   private metrics: ReqRespMetrics;
 
   constructor(
@@ -108,6 +112,10 @@ export class ReqResp implements ReqRespInterface {
     }
   }
 
+  public setShouldRejectPeer(checker: ShouldRejectPeer): void {
+    this.shouldRejectPeer = checker;
+  }
+
   get tracer() {
     return this.metrics.tracer;
   }
@@ -596,6 +604,15 @@ export class ReqResp implements ReqRespInterface {
         throw new ReqRespStatusError(ReqRespStatus.RATE_LIMIT_EXCEEDED);
       }
 
+      // When p2pAllowOnlyValidators is enabled, reject unauthenticated peers on data protocols
+      if (
+        !UNAUTHENTICATED_ALLOWED_PROTOCOLS.has(protocol) &&
+        (this.shouldRejectPeer?.(connection.remotePeer.toString()) ?? false)
+      ) {
+        this.logger.debug(`Rejecting unauthenticated peer ${connection.remotePeer} on gated protocol ${protocol}`);
+        throw new ReqRespStatusError(ReqRespStatus.FAILURE);
+      }
+
       await this.processStream(protocol, incomingStream);
     } catch (err: any) {
       this.metrics.recordResponseError(protocol);

package/src/test-helpers/make-test-p2p-clients.ts

@@ -5,6 +5,7 @@ import { type Logger, createLogger } from '@aztec/foundation/log';
 import { retryUntil } from '@aztec/foundation/retry';
 import { sleep } from '@aztec/foundation/sleep';
 import { openTmpStore } from '@aztec/kv-store/lmdb-v2';
+import { GasFees } from '@aztec/stdlib/gas';
 import type { WorldStateSynchronizer } from '@aztec/stdlib/interfaces/server';
 import type { DataStoreConfig } from '@aztec/stdlib/kv-store';
 
@@ -102,6 +103,7 @@ export async function makeTestP2PClient(
     proofVerifier,
     mockWorldState,
     mockEpochCache,
+    { getCurrentMinFees: () => Promise.resolve(GasFees.empty()) },
     'test-p2p-client',
     undefined,
     undefined,