@aztec/p2p 0.0.1-commit.ffe5b04ea → 0.0.1-commit.fff30aa

package/src/services/reqresp/README.md

@@ -0,0 +1,229 @@
+# ReqResp Protocols
+
+This module implements libp2p request-response protocols for the Aztec P2P network. All protocols share common transport-level validation (rate limiting, timeouts, Snappy decompression, error penalties) with protocol-specific logic layered on top.
+
+## Common Transport Validation
+
+### Rate Limiting (Responder Side)
+
+Applied before the protocol handler runs.
+
+| Protocol | Peer Limit | Global Limit | File |
+|----------|-----------|-------------|------|
+| PING | 5/s | 10/s | `rate-limiter/rate_limits.ts` |
+| STATUS | 5/s | 10/s | same |
+| AUTH | 5/s | 10/s | same |
+| GOODBYE | 5/s | 10/s | same |
+| BLOCK | 2/s | 5/s | same |
+| BLOCK_TXS | 10/s | 200/s | same |
+| TX | (see rate limits file) | (see rate limits file) | same |
+
+- Per-peer limit exceeded: `HighToleranceError` penalty + `RATE_LIMIT_EXCEEDED` status. Penalty fires inside `RequestResponseRateLimiter.allow()`, not the stream handler.
+- Global limit exceeded: `RATE_LIMIT_EXCEEDED` status only (no peer penalty).
+
+### Response Status Byte (Requester Side)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| First chunk must be exactly 1 byte | `ReqRespStatusError(UNKNOWN)` | `status.ts` |
+| Byte must be valid `ReqRespStatus` enum (0-4, 126, 127) | `ReqRespStatusError(UNKNOWN)` | same |
+
+Note: `prettyPrintReqRespStatus` is missing a `NOT_FOUND` case (minor logging bug).
+
+### Snappy Decompression (Requester Side)
+
+Per-protocol size limits checked via preamble before decompression.
+
+### Timeouts (Requester Side)
+
+| Timeout | Default | Penalty |
+|---------|---------|---------|
+| Individual request | 10s | HighToleranceError |
+| Dial | 5s | HighToleranceError |
+
+### Error Penalty Categorization (Requester Side)
+
+| Error Type | Severity |
+|------------|----------|
+| GOODBYE subprotocol errors | None |
+| `CollectiveReqRespTimeoutError` / `InvalidResponseError` | None |
+| `AbortError` / connection close / muxer closed | None |
+| `ECONNRESET` / `EPIPE` / `ECONNREFUSED` / `ERR_UNEXPECTED_EOF` | HighToleranceError |
+| `ERR_UNSUPPORTED_PROTOCOL` | HighToleranceError |
+| `IndividualReqRespTimeoutError` / `TimeoutError` | HighToleranceError |
+| Catch-all | HighToleranceError |
+
+### Request Error Penalty (Responder Side)
+
+| Error Type | Severity |
+|------------|----------|
+| `BADLY_FORMED_REQUEST` | LowToleranceError |
+| All others | None |
+
+### Notes
+
+- Request payloads are NOT snappy-compressed (asymmetric: only responses use snappy).
+
+---
+
+## Handshake Protocols
+
+### Connection-Level Gating (Before Any Handshake)
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Deny inbound connection from IP/peerId with too many failed auth handshakes | Connection denied | `libp2p_service.ts` |
+| Threshold: `p2pMaxFailedAuthAttemptsAllowed` (default 3) | Tracked per peerId AND per IP | `peer_manager.ts` |
+| Failed auth entries expire after 1 hour | Peer can reconnect; no escalating penalty for repeat offenders | same |
+
+### Handshake Trigger Logic (`peer:connect`)
+
+1. `p2pDisableStatusHandshake` = true: no handshake
+2. `p2pAllowOnlyValidators` = false: STATUS handshake
+3. Peer is protected (trusted/private/preferred): STATUS handshake
+4. Otherwise: AUTH handshake (superset of STATUS)
+
+Config constraint: `p2pDisableStatusHandshake && p2pAllowOnlyValidators` is disallowed.
+
+### STATUS Protocol (`/aztec/req/status/1.0.0`)
+
+**Requester side** (`peer_manager.ts`):
+
+| Rule | Consequence |
+|------|-------------|
+| Response status must be SUCCESS | Peer scheduled for disconnect |
+| `compressedComponentsVersion` must match | Peer scheduled for disconnect |
+| Any exception | Peer scheduled for disconnect |
+
+`StatusMessage.validate()` currently only checks `compressedComponentsVersion`. Fields `latestBlockNumber`, `latestBlockHash`, `finalizedBlockNumber` are NOT validated (TODO in code).
+
+**Responder side**: no validation of incoming request content (always responds with own status). This means the requester leaks its blockchain state to any peer before validation.
+
+**Deserialization bounds**: `MAX_VERSION_STRING_LENGTH` = 64 bytes, `MAX_BLOCK_HASH_STRING_LENGTH` = 128 bytes. Expected response size: 1 KB.
+
+### AUTH Protocol (`/aztec/req/auth/1.0.0`)
+
+**Requester side** (`peer_manager.ts`):
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 1 | Response status is SUCCESS | `markAuthHandshakeFailed` + disconnect |
+| 2 | `compressedComponentsVersion` match | `markAuthHandshakeFailed` + disconnect |
+| 3 | Valid ECDSA signature recovery from challenge response | `markAuthHandshakeFailed` + disconnect |
+| 4 | Recovered address is a registered validator | `markAuthHandshakeFailed` + disconnect |
+| 5 | Validator address not already authenticated to different peerId | Silent return (no disconnect, no failure marking -- peer stays connected but unauthenticated) |
+| 6 | Any exception | `markAuthHandshakeFailed` + disconnect |
+
+Challenge: random `Fr`, payload = `keccak256("Aztec Validator Challenge:" + challenge)`, signed with `eth_sign` style. Challenge is NOT bound to peer identity (transport encryption via Noise is the binding layer).
+
+On success: peer added to authenticated maps, prior failures cleared (including IP-based ones -- shared-IP peers benefit from a legitimate validator's success).
+
+**Responder side** (`validator-client/src/validator.ts` + `peer_manager.ts`):
+
+| # | Rule | Consequence |
+|---|------|-------------|
+| 1 | Peer must be protected (`shouldTrustWithIdentity` in `peer_manager.ts`) | Returns empty buffer (SUCCESS status + empty payload -> requester gets parse error -> `markAuthHandshakeFailed`) |
+| 2 | Node must have registered validator address | Returns empty buffer (same consequence) |
+
+**Unauthenticated peer gossip**: when `p2pAllowOnlyValidators` is true, unauthenticated peers get `appSpecificScore = -Infinity`, completely excluding them from all gossip.
+
+### PING Protocol (`/aztec/req/ping/1.0.0`)
+
+No validation on either side. Responder returns `Buffer.from('pong')`. Expected response: 1 KB.
+
+### GOODBYE Protocol (`/aztec/req/goodbye/1.0.0`)
+
+**Responder**: buffer must be 1 byte (defaults to `UNKNOWN` on invalid length). Goodbye reason byte is NOT validated against the enum -- any byte 0-255 accepted. Peer scheduled for disconnect regardless of reason.
+
+**Requester**: response errors are never penalized (GOODBYE subprotocol exempt from error categorization).
+
+### Periodic Re-validation
+
+| Rule | Interval | File |
+|------|----------|------|
+| Authenticated validators re-checked against current validator set | Every heartbeat (`peerCheckIntervalMS`) | `peer_manager.ts` |
+| If validator address no longer registered, auth entry removed | Same | same |
+
+Protected peers (private/trusted/preferred) are always considered "authenticated" without AUTH handshake.
+
+---
+
+## Block Data Protocols
+
+### BLOCK Protocol (`/aztec/req/block/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `Fr` | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/block.ts` |
+| Block lookup throws | `INTERNAL_ERROR` status | same |
+| Block not found | SUCCESS + empty buffer (design choice; no `NOT_FOUND` status used) | same |
+
+**Requester side** (Snappy limit: 3 MB):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Response block number must match requested | LowToleranceError; rejected | `libp2p_service.ts` (`validateRequestedBlock`) |
+| Local block must exist for hash verification | Rejected (no penalty) | same |
+| Response block hash must equal local block hash | MidToleranceError; rejected | same |
+
+**Limitation**: the local-block requirement means BLOCK req/resp is unusable for initial P2P-only sync (before L1 sync provides local copies for verification). A TODO in the code acknowledges this.
+
+### BLOCK_TXS Protocol (`/aztec/req/block_txs/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `BlockTxsRequest` (Fr + TxHashArray + BitVector) | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/block_txs/block_txs_handler.ts` |
+| BitVector length: non-negative and <= `MAX_TXS_PER_BLOCK` (65536) | Deserialization throws -> `BADLY_FORMED_REQUEST` | `protocols/block_txs/bitvector.ts` |
+| Archive root not found and no explicit txHashes | `NOT_FOUND` status | handler |
+| Internal error during lookup | Unhandled exception -> stream abort (no `INTERNAL_ERROR` status, unlike BLOCK) | handler |
+
+Conditional registration: BLOCK_TXS handler only registered when `config.disableTransactions` is false. Otherwise peers get `ERR_UNSUPPORTED_PROTOCOL`.
+
+**Requester side via `sendBatchRequest`** (Snappy limit: `max(N, 1) * 512 + 1` KB):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Archive root must match request | MidToleranceError | `libp2p_service.ts` (`validateRequestedBlockTxs`) |
+| BitVector length must match request | MidToleranceError | same |
+| No duplicate tx hashes | MidToleranceError | same |
+| Tx count within bounds | MidToleranceError | same |
+| Local block proposal must exist for archive root | Rejected (no penalty) | same |
+| All tx hashes must be in proposal's tx list at allowed indices | LowToleranceError | same |
+| Txs in strictly increasing index order | LowToleranceError | same |
+| Each tx passes well-formedness (Metadata [4 fields], Size, Data, Proof) | LowToleranceError | same |
+
+**Requester side via `BatchTxRequester`** (separate validation path):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Non-SUCCESS status: `FAILURE`/`UNKNOWN` | HighToleranceError + "bad peer" tracking | `batch-tx-requester/batch_tx_requester.ts` |
+| `RATE_LIMIT_EXCEEDED` | Peer marked rate-limited (cooldown) | same |
+| `NOT_FOUND` / `BADLY_FORMED_REQUEST` / `INTERNAL_ERROR` | Falls through silently (no penalty) | same |
+| Each tx validated (Metadata + Size + Data + Proof) | LowToleranceError per invalid tx; valid txs from same response still accepted | same |
+| Archive root match + non-empty txIndices | No penalty on mismatch; peer not promoted to "smart" | same |
+
+**Double penalty on transport errors**: when `BatchTxRequester` encounters a transport error (e.g., ECONNRESET), both `sendRequestToPeer`'s internal handler and the `BatchTxRequester`'s catch block penalize the peer, resulting in double HighToleranceError.
+
+See [BatchTxRequester README](batch-tx-requester/README.md) for the full architecture (peer classification, worker model, wire protocol).
+
+### TX Protocol (`/aztec/req/tx/1.0.0`)
+
+**Server side**:
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Request must parse as `TxHashArray` | `BADLY_FORMED_REQUEST` + LowToleranceError | `protocols/tx.ts` |
+
+**Requester side** (validator registered at startup, not the default noop):
+
+| Rule | Consequence | File |
+|------|-------------|------|
+| Each returned tx hash must be in the requested set | MidToleranceError | `libp2p_service.ts` (`validateRequestedTxs`) |
+| Each tx passes well-formedness (Metadata + Size + Data + Proof) | LowToleranceError | same |
+
+Snappy limit: `max(N, 1) * 512 + 1` KB.
+

package/src/services/reqresp/batch-tx-requester/batch_tx_requester.ts

@@ -8,6 +8,7 @@ import { PeerErrorSeverity } from '@aztec/stdlib/p2p';
 import { Tx, TxArray, TxHash } from '@aztec/stdlib/tx';
 
 import type { PeerId } from '@libp2p/interface';
+import { peerIdFromString } from '@libp2p/peer-id';
 
 import type { IMissingTxsTracker } from '../../tx_collection/missing_txs_tracker.js';
 import { ReqRespSubProtocol } from '.././interface.js';
@@ -89,9 +90,10 @@ export class BatchTxRequester {
     if (this.opts.peerCollection) {
       this.peers = this.opts.peerCollection;
     } else {
+      const initialPeers = this.p2pService.connectionSampler.getPeerListSortedByConnectionCountAsc();
       const badPeerThreshold = this.opts.badPeerThreshold ?? DEFAULT_BATCH_TX_REQUESTER_BAD_PEER_THRESHOLD;
       this.peers = new PeerCollection(
-        this.p2pService.connectionSampler,
+        initialPeers,
         this.pinnedPeer,
         this.dateProvider,
         badPeerThreshold,
@@ -225,6 +227,7 @@ export class BatchTxRequester {
    * Starts dumb worker loops
    * */
   private async dumbRequester() {
+    const nextPeerIndex = this.makeRoundRobinIndexer();
     const nextBatchIndex = this.makeRoundRobinIndexer();
 
     // Chunk missing tx hashes into batches of txBatchSize, wrapping around to ensure no peer gets less than txBatchSize
@@ -260,9 +263,15 @@ export class BatchTxRequester {
       return { blockRequest, txs };
     };
 
-    const workerCount = this.dumbParallelWorkerCount;
+    const nextPeer = () => {
+      const peers = this.peers.getDumbPeersToQuery();
+      const idx = nextPeerIndex(() => peers.length);
+      return idx === undefined ? undefined : peerIdFromString(peers[idx]);
+    };
+
+    const workerCount = Math.min(this.dumbParallelWorkerCount, this.peers.getAllPeers().size);
     const workers = Array.from({ length: workerCount }, (_, index) =>
-      this.dumbWorkerLoop(this.peers.nextDumbPeerToQuery.bind(this.peers), makeRequest, index + 1),
+      this.dumbWorkerLoop(nextPeer, makeRequest, index + 1),
     );
 
     await Promise.allSettled(workers);
@@ -323,6 +332,14 @@ export class BatchTxRequester {
    * Starts smart worker loops
    * */
   private async smartRequester() {
+    const nextPeerIndex = this.makeRoundRobinIndexer();
+
+    const nextPeer = () => {
+      const peers = this.peers.getSmartPeersToQuery();
+      const idx = nextPeerIndex(() => peers.length);
+      return idx === undefined ? undefined : peerIdFromString(peers[idx]);
+    };
+
     const makeRequest = (pid: PeerId) => {
       const txs = this.txsMetadata.getTxsToRequestFromThePeer(pid);
       const blockRequest = BlockTxsRequest.fromTxsSourceAndMissingTxs(this.blockTxsSource, txs);
@@ -333,8 +350,9 @@ export class BatchTxRequester {
       return { blockRequest, txs };
     };
 
-    const workers = Array.from({ length: this.smartParallelWorkerCount }, (_, index) =>
-      this.smartWorkerLoop(this.peers.nextSmartPeerToQuery.bind(this.peers), makeRequest, index + 1),
+    const workers = Array.from(
+      { length: Math.min(this.smartParallelWorkerCount, this.peers.getAllPeers().size) },
+      (_, index) => this.smartWorkerLoop(nextPeer, makeRequest, index + 1),
     );
 
     await Promise.allSettled(workers);
@@ -369,18 +387,26 @@ export class BatchTxRequester {
         if (weRanOutOfPeersToQuery) {
           this.logger.debug(`Worker loop smart: No more peers to query`);
 
-          // If we have rate limited peers wait for them.
-          const nextSmartPeerDelay = this.peers.getNextSmartPeerAvailabilityDelayMs();
-          const thereAreSomeRateLimitedSmartPeers = nextSmartPeerDelay !== undefined;
-          if (thereAreSomeRateLimitedSmartPeers) {
-            await this.sleepClampedToDeadline(nextSmartPeerDelay);
-            continue;
+          // If there are no more dumb peers to query then none of our peers can become smart,
+          // thus we can simply exit this worker
+          const noMoreDumbPeersToQuery = this.peers.getDumbPeersToQuery().length === 0;
+          if (noMoreDumbPeersToQuery) {
+            // These might be either smart peers that will get unblocked after _some time_
+            const nextSmartPeerDelay = this.peers.getNextSmartPeerAvailabilityDelayMs();
+            const thereAreSomeRateLimitedSmartPeers = nextSmartPeerDelay !== undefined;
+            if (thereAreSomeRateLimitedSmartPeers) {
+              await this.sleepClampedToDeadline(nextSmartPeerDelay);
+              continue;
+            }
+
+            this.logger.debug(`Worker loop smart: No more smart peers to query killing ${workerIndex}`);
+            break;
           }
 
+          // Otherwise there are still some dumb peers that could become smart.
           // We end up here when all known smart peers became temporarily unavailable via combination of
           // (bad, in-flight, or rate-limited) or in some weird scenario all current smart peers turn bad which is permanent
-          // but there are dumb peers that could be promoted
-          // or new peer can join as dumb and be promoted later
+          // but dumb peers still exist that could become smart.
           //
           // When a dumb peer responds with valid txIndices, it gets
           // promoted to smart and releases the semaphore, waking this worker.
@@ -573,7 +599,9 @@ export class BatchTxRequester {
     this.markTxsPeerHas(peerId, response);
 
     // Unblock smart workers
-    this.smartRequesterSemaphore.release();
+    if (this.peers.getSmartPeersToQuery().length <= this.smartParallelWorkerCount) {
+      this.smartRequesterSemaphore.release();
+    }
   }
 
   private isBlockResponseValid(response: BlockTxsResponse): boolean {

package/src/services/reqresp/batch-tx-requester/peer_collection.ts

@@ -2,22 +2,18 @@ import type { DateProvider } from '@aztec/foundation/timer';
 import type { PeerErrorSeverity } from '@aztec/stdlib/p2p';
 
 import type { PeerId } from '@libp2p/interface';
-import { peerIdFromString } from '@libp2p/peer-id';
 
-import type { ConnectionSampler } from '../connection-sampler/connection_sampler.js';
 import { DEFAULT_BATCH_TX_REQUESTER_BAD_PEER_THRESHOLD } from './config.js';
 import type { IPeerPenalizer } from './interface.js';
 
 export const RATE_LIMIT_EXCEEDED_PEER_CACHE_TTL = 1000; // 1s
 
 export interface IPeerCollection {
+  getAllPeers(): Set<string>;
+  getSmartPeers(): Set<string>;
   markPeerSmart(peerId: PeerId): void;
-
-  /** Sample next peer in round-robin fashion. No smart peers if returns undefined */
-  nextSmartPeerToQuery(): PeerId | undefined;
-  /** Sample next peer in round-robin fashion. No dumb peers if returns undefined */
-  nextDumbPeerToQuery(): PeerId | undefined;
-
+  getSmartPeersToQuery(): Array<string>;
+  getDumbPeersToQuery(): Array<string>;
   thereAreSomeDumbRatelimitExceededPeers(): boolean;
   penalisePeer(peerId: PeerId, severity: PeerErrorSeverity): void;
   unMarkPeerAsBad(peerId: PeerId): void;
@@ -32,6 +28,8 @@ export interface IPeerCollection {
 }
 
 export class PeerCollection implements IPeerCollection {
+  private readonly peers;
+
   private readonly smartPeers = new Set<string>();
   private readonly inFlightPeers = new Set<string>();
   private readonly rateLimitExceededPeers = new Map<string, number>();
@@ -39,60 +37,46 @@ export class PeerCollection implements IPeerCollection {
   private readonly badPeers = new Set<string>();
 
   constructor(
-    private readonly connectionSampler: Pick<ConnectionSampler, 'getPeerListSortedByConnectionCountAsc'>,
+    initialPeers: PeerId[],
     private readonly pinnedPeerId: PeerId | undefined,
     private readonly dateProvider: DateProvider,
     private readonly badPeerThreshold: number = DEFAULT_BATCH_TX_REQUESTER_BAD_PEER_THRESHOLD,
     private readonly peerPenalizer?: IPeerPenalizer,
   ) {
-    // Pinned peer is treated specially, always mark it as in-flight
+    this.peers = new Set(initialPeers.map(peer => peer.toString()));
+
+    // Pinned peer is treaded specially, always mark it as in-flight
     // and never return it as part of smart/dumb peers
     if (this.pinnedPeerId) {
       const peerIdStr = this.pinnedPeerId.toString();
       this.inFlightPeers.add(peerIdStr);
+      this.peers.delete(peerIdStr);
     }
   }
 
-  public markPeerSmart(peerId: PeerId): void {
-    this.smartPeers.add(peerId.toString());
-  }
-
-  // We keep track of all peers that are queried for peer sampling algorithm
-  private queriedSmartPeers: Set<string> = new Set<string>();
-  private queriedDumbPeers: Set<string> = new Set<string>();
-
-  private static nextPeer(allPeers: Set<string>, queried: Set<string>): PeerId | undefined {
-    if (allPeers.size === 0) {
-      return undefined;
-    }
-    const availablePeers = allPeers.difference(queried);
-    let [first] = availablePeers;
-    if (first === undefined) {
-      // We queried all peers. Start over
-      [first] = allPeers;
-      queried.clear();
-    }
-    queried.add(first);
-    return peerIdFromString(first);
+  public getAllPeers(): Set<string> {
+    return this.peers;
   }
 
-  public nextSmartPeerToQuery(): PeerId | undefined {
-    return PeerCollection.nextPeer(this.availableSmartPeers, this.queriedSmartPeers);
+  public getSmartPeers(): Set<string> {
+    return this.smartPeers;
   }
 
-  public nextDumbPeerToQuery(): PeerId | undefined {
-    return PeerCollection.nextPeer(this.availableDumbPeers, this.queriedDumbPeers);
+  public markPeerSmart(peerId: PeerId): void {
+    this.smartPeers.add(peerId.toString());
   }
 
-  private get availableSmartPeers(): Set<string> {
-    return this.peers.intersection(
+  public getSmartPeersToQuery(): Array<string> {
+    return Array.from(
       this.smartPeers.difference(this.getBadPeers().union(this.inFlightPeers).union(this.getRateLimitExceededPeers())),
     );
   }
 
-  private get availableDumbPeers(): Set<string> {
-    return this.peers.difference(
-      this.smartPeers.union(this.getBadPeers()).union(this.inFlightPeers).union(this.getRateLimitExceededPeers()),
+  public getDumbPeersToQuery(): Array<string> {
+    return Array.from(
+      this.peers.difference(
+        this.smartPeers.union(this.getBadPeers()).union(this.inFlightPeers).union(this.getRateLimitExceededPeers()),
+      ),
     );
   }
 
@@ -218,27 +202,4 @@ export class PeerCollection implements IPeerCollection {
 
     return minExpiry! - now;
   }
-
-  private orderedPeers: Set<string> = new Set();
-
-  private get peers(): Set<string> {
-    const pinnedStr = this.pinnedPeerId?.toString();
-    const currentlyConnected = new Set(
-      this.connectionSampler
-        .getPeerListSortedByConnectionCountAsc()
-        .map(p => p.toString())
-        .filter(p => p !== pinnedStr),
-    );
-
-    // Remove disconnected peers, preserving order of the rest.
-    this.orderedPeers = this.orderedPeers.intersection(currentlyConnected);
-
-    // Append newly connected peers at the end (lowest priority).
-    for (const peer of currentlyConnected) {
-      if (!this.orderedPeers.has(peer)) {
-        this.orderedPeers.add(peer);
-      }
-    }
-    return this.orderedPeers;
-  }
 }

package/src/services/reqresp/rate-limiter/rate_limiter.ts

@@ -97,9 +97,10 @@ export function prettyPrintRateLimitStatus(status: RateLimitStatus) {
  * 2. Individual rate limits for each peer.
  *
  * How it works:
- * - When a request comes in, it first checks against the global rate limit.
- * - If the global limit allows, it then checks against the specific peer's rate limit.
- * - The request is only allowed if both the global and peer-specific limits allow it.
+ * - When a request comes in, it first checks against the peer's individual rate limit.
+ * - If the peer limit allows, it then checks against the global rate limit.
+ * - The request is only allowed if both the peer-specific and global limits allow it.
+ * - Checking peer limit first ensures a rate-limited peer cannot exhaust the global quota.
  * - It automatically creates and manages rate limiters for new peers as they make requests.
  * - It periodically cleans up rate limiters for inactive peers to conserve memory.
  *
@@ -119,10 +120,6 @@ export class SubProtocolRateLimiter {
   }
 
   allow(peerId: PeerId): RateLimitStatus {
-    if (!this.globalLimiter.allow()) {
-      return RateLimitStatus.DeniedGlobal;
-    }
-
     const peerIdStr = peerId.toString();
     let peerLimiter: PeerRateLimiter | undefined = this.peerLimiters.get(peerIdStr);
     if (!peerLimiter) {
@@ -135,10 +132,17 @@ export class SubProtocolRateLimiter {
     } else {
       peerLimiter.lastAccess = Date.now();
     }
-    const peerLimitAllowed = peerLimiter.limiter.allow();
-    if (!peerLimitAllowed) {
+
+    // Check peer limit first: a rate-limited peer must not consume global quota,
+    // otherwise one spamming peer can starve all others by exhausting the global bucket.
+    if (!peerLimiter.limiter.allow()) {
       return RateLimitStatus.DeniedPeer;
     }
+
+    if (!this.globalLimiter.allow()) {
+      return RateLimitStatus.DeniedGlobal;
+    }
+
     return RateLimitStatus.Allowed;
   }
 

package/src/services/reqresp/reqresp.ts

@@ -16,7 +16,7 @@ import {
   IndividualReqRespTimeoutError,
   InvalidResponseError,
 } from '../../errors/reqresp.error.js';
-import { SnappyTransform } from '../encoding.js';
+import { OversizedSnappyResponseError, SnappyTransform } from '../encoding.js';
 import type { PeerScoring } from '../peer-manager/peer_scoring.js';
 import {
   DEFAULT_INDIVIDUAL_REQUEST_TIMEOUT_MS,
@@ -462,7 +462,7 @@ export class ReqResp implements ReqRespInterface {
       );
       return resp;
     } catch (e: any) {
-      this.logger.warn(`SUBPROTOCOL: ${subProtocol}\n`, e);
+      this.logger.debug(`SUBPROTOCOL: ${subProtocol}\n`, e);
       // On error we immediately abort the stream, this is preferred way,
       // because it signals to the sender that error happened, whereas
       // closing the stream only closes our side and is much slower
@@ -553,16 +553,10 @@ export class ReqResp implements ReqRespInterface {
         data: message,
       };
     } catch (e: any) {
+      // All errors (invalid status bytes, oversized snappy responses, corrupt data, etc.)
+      // are re-thrown so the caller can penalize the peer via handleResponseError.
       this.logger.debug(`Reading message failed: ${e.message}`);
-
-      let status = ReqRespStatus.UNKNOWN;
-      if (e instanceof ReqRespStatusError) {
-        status = e.status;
-      }
-
-      return {
-        status,
-      };
+      throw e;
     }
   }
 
@@ -627,9 +621,7 @@ export class ReqResp implements ReqRespInterface {
         // and that this stream should be dropped
         const isMessageToNotWarn =
           err instanceof Error &&
-          ['stream reset', 'Cannot push value onto an ended pushable', 'read ECONNRESET'].some(msg =>
-            err.message.includes(msg),
-          );
+          ['stream reset', 'Cannot push value onto an ended pushable'].some(msg => err.message.includes(msg));
         const level = isMessageToNotWarn ? 'debug' : 'warn';
         this.logger[level]('Unknown stream error while handling the stream, aborting', {
           protocol,
@@ -780,6 +772,20 @@ export class ReqResp implements ReqRespInterface {
       return undefined;
     }
 
+    // Invalid status byte: the peer sent a status byte that doesn't match any known status code.
+    // This is a protocol violation, penalize harshly.
+    if (e instanceof ReqRespStatusError) {
+      this.logger.warn(`Invalid status byte from peer ${peerId.toString()} in ${subProtocol}: ${e.message}`, logTags);
+      return PeerErrorSeverity.LowToleranceError;
+    }
+
+    // Oversized snappy response: the peer is sending data that exceeds the allowed size.
+    // This is a protocol violation that wastes bandwidth, so penalize harshly.
+    if (e instanceof OversizedSnappyResponseError) {
+      this.logger.warn(`Oversized response from peer ${peerId.toString()} in ${subProtocol}: ${e.message}`, logTags);
+      return PeerErrorSeverity.LowToleranceError;
+    }
+
     return this.categorizeConnectionErrors(e, peerId, subProtocol);
   }