@aztec/p2p 4.0.0-devnet.2-patch.4 → 4.0.0-devnet.3-patch.0

package/src/msg_validators/tx_validator/gas_validator.ts

@@ -1,4 +1,10 @@
-import { AVM_MAX_PROCESSABLE_L2_GAS, FIXED_DA_GAS, FIXED_L2_GAS } from '@aztec/constants';
+import {
+  MAX_PROCESSABLE_DA_GAS_PER_CHECKPOINT,
+  MAX_PROCESSABLE_L2_GAS,
+  PRIVATE_TX_L2_GAS_OVERHEAD,
+  PUBLIC_TX_L2_GAS_OVERHEAD,
+  TX_DA_GAS_OVERHEAD,
+} from '@aztec/constants';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
 import { computeFeePayerBalanceStorageSlot } from '@aztec/protocol-contracts/fee-juice';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
@@ -16,26 +22,138 @@ import {
 
 import { getFeePayerClaimAmount, getTxFeeLimit } from './fee_payer_balance.js';
 
+/** Structural interface for types that carry gas limit data, used by {@link GasLimitsValidator}. */
+export interface HasGasLimitData {
+  txHash: { toString(): string };
+  data: {
+    // We just need to know whether there is something here or not
+    forPublic?: unknown;
+    constants: {
+      txContext: {
+        gasSettings: { gasLimits: Gas };
+      };
+    };
+  };
+}
+
+/**
+ * Validates that a transaction's gas limits are within acceptable bounds.
+ *
+ * Rejects transactions whose gas limits fall below the fixed minimums (FIXED_DA_GAS,
+ * FIXED_L2_GAS) or exceed the AVM's maximum processable L2 gas. This is a cheap,
+ * stateless check that operates on gas settings alone.
+ *
+ * Generic over T so it can validate both full {@link Tx} objects and {@link TxMetaData}
+ * (used during pending pool migration).
+ *
+ * Used by: pending pool migration (via factory), and indirectly by {@link GasTxValidator}.
+ */
+export class GasLimitsValidator<T extends HasGasLimitData> implements TxValidator<T> {
+  #log: Logger;
+  #effectiveMaxL2Gas: number;
+  #effectiveMaxDAGas: number;
+  #rollupManaLimit: number;
+  #maxBlockL2Gas: number;
+  #maxBlockDAGas: number;
+
+  constructor(opts?: {
+    rollupManaLimit?: number;
+    maxBlockL2Gas?: number;
+    maxBlockDAGas?: number;
+    bindings?: LoggerBindings;
+  }) {
+    this.#log = createLogger('sequencer:tx_validator:tx_gas', opts?.bindings);
+    this.#rollupManaLimit = opts?.rollupManaLimit ?? Infinity;
+    this.#maxBlockL2Gas = opts?.maxBlockL2Gas ?? Infinity;
+    this.#maxBlockDAGas = opts?.maxBlockDAGas ?? Infinity;
+    this.#effectiveMaxL2Gas = Math.min(MAX_PROCESSABLE_L2_GAS, this.#rollupManaLimit, this.#maxBlockL2Gas);
+    this.#effectiveMaxDAGas = Math.min(MAX_PROCESSABLE_DA_GAS_PER_CHECKPOINT, this.#maxBlockDAGas);
+  }
+
+  validateTx(tx: T): Promise<TxValidationResult> {
+    return Promise.resolve(this.validateGasLimit(tx));
+  }
+
+  /** Checks gas limits are >= fixed minimums and <= effective max gas (L2 and DA). */
+  validateGasLimit(tx: T): TxValidationResult {
+    const gasLimits = tx.data.constants.txContext.gasSettings.gasLimits;
+    const minGasLimits = new Gas(
+      TX_DA_GAS_OVERHEAD,
+      tx.data.forPublic ? PUBLIC_TX_L2_GAS_OVERHEAD : PRIVATE_TX_L2_GAS_OVERHEAD,
+    );
+
+    if (minGasLimits.gtAny(gasLimits)) {
+      this.#log.verbose(`Rejecting transaction due to the gas limit(s) not being above the minimum gas limit`, {
+        gasLimits,
+        minGasLimits,
+      });
+      return { result: 'invalid', reason: [TX_ERROR_INSUFFICIENT_GAS_LIMIT] };
+    }
+
+    if (gasLimits.l2Gas > this.#effectiveMaxL2Gas) {
+      this.#log.verbose(`Rejecting transaction due to the L2 gas limit being higher than the effective maximum`, {
+        gasLimits,
+        effectiveMaxL2Gas: this.#effectiveMaxL2Gas,
+        rollupManaLimit: this.#rollupManaLimit,
+        maxBlockL2Gas: this.#maxBlockL2Gas,
+      });
+      return { result: 'invalid', reason: [TX_ERROR_GAS_LIMIT_TOO_HIGH] };
+    }
+
+    if (gasLimits.daGas > this.#effectiveMaxDAGas) {
+      this.#log.verbose(`Rejecting transaction due to the DA gas limit being higher than the effective maximum`, {
+        gasLimits,
+        effectiveMaxDAGas: this.#effectiveMaxDAGas,
+        maxBlockDAGas: this.#maxBlockDAGas,
+      });
+      return { result: 'invalid', reason: [TX_ERROR_GAS_LIMIT_TOO_HIGH] };
+    }
+
+    return { result: 'valid' };
+  }
+}
+
+/**
+ * Validates that a transaction can pay its gas fees.
+ *
+ * Runs three checks in order:
+ * 1. **Gas limits** (delegates to {@link GasLimitsValidator}) — rejects if limits are
+ *    out of bounds.
+ * 2. **Max fee per gas** — skips (not rejects) the tx if its maxFeesPerGas is below
+ *    the current block's gas fees. We skip rather than reject because the tx may
+ *    become eligible in a later block with lower fees.
+ * 3. **Fee payer balance** — reads the fee payer's FeeJuice balance from public state,
+ *    adds any pending claim from a setup-phase `_increase_public_balance` call, and
+ *    rejects if the total is less than the tx's fee limit (gasLimits * maxFeePerGas).
+ *
+ * Used by: gossip (stage 1), RPC, and block building validators.
+ */
 export class GasTxValidator implements TxValidator<Tx> {
   #log: Logger;
   #publicDataSource: PublicStateSource;
   #feeJuiceAddress: AztecAddress;
   #gasFees: GasFees;
+  #gasLimitOpts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number };
 
   constructor(
     publicDataSource: PublicStateSource,
     feeJuiceAddress: AztecAddress,
     gasFees: GasFees,
-    bindings?: LoggerBindings,
+    private bindings?: LoggerBindings,
+    opts?: { rollupManaLimit?: number; maxBlockL2Gas?: number; maxBlockDAGas?: number },
   ) {
     this.#log = createLogger('sequencer:tx_validator:tx_gas', bindings);
     this.#publicDataSource = publicDataSource;
     this.#feeJuiceAddress = feeJuiceAddress;
     this.#gasFees = gasFees;
+    this.#gasLimitOpts = opts;
   }
 
   async validateTx(tx: Tx): Promise<TxValidationResult> {
-    const gasLimitValidation = this.#validateGasLimit(tx);
+    const gasLimitValidation = new GasLimitsValidator({
+      ...this.#gasLimitOpts,
+      bindings: this.bindings,
+    }).validateGasLimit(tx);
     if (gasLimitValidation.result === 'invalid') {
       return Promise.resolve(gasLimitValidation);
     }
@@ -69,31 +187,9 @@ export class GasTxValidator implements TxValidator<Tx> {
   }
 
   /**
-   * Check whether the tx's gas limit is above the minimum amount.
+   * Checks the fee payer has enough FeeJuice balance to cover the tx's fee limit.
+   * Accounts for any pending claim from a setup-phase `_increase_public_balance` call.
    */
-  #validateGasLimit(tx: Tx): TxValidationResult {
-    const gasLimits = tx.data.constants.txContext.gasSettings.gasLimits;
-    const minGasLimits = new Gas(FIXED_DA_GAS, FIXED_L2_GAS);
-
-    if (minGasLimits.gtAny(gasLimits)) {
-      this.#log.verbose(`Rejecting transaction due to the gas limit(s) not being above the minimum gas limit`, {
-        gasLimits,
-        minGasLimits,
-      });
-      return { result: 'invalid', reason: [TX_ERROR_INSUFFICIENT_GAS_LIMIT] };
-    }
-
-    if (gasLimits.l2Gas > AVM_MAX_PROCESSABLE_L2_GAS) {
-      this.#log.verbose(`Rejecting transaction due to the gas limit(s) being higher than the maximum processable gas`, {
-        gasLimits,
-        minGasLimits,
-      });
-      return { result: 'invalid', reason: [TX_ERROR_GAS_LIMIT_TOO_HIGH] };
-    }
-
-    return { result: 'valid' };
-  }
-
   public async validateTxFee(tx: Tx): Promise<TxValidationResult> {
     const feePayer = tx.data.feePayer;
 

package/src/msg_validators/tx_validator/index.ts

@@ -8,7 +8,9 @@ export * from './gas_validator.js';
 export * from './phases_validator.js';
 export * from './test_utils.js';
 export * from './allowed_public_setup.js';
+export * from './allowed_setup_helpers.js';
 export * from './archive_cache.js';
 export * from './tx_permitted_validator.js';
 export * from './timestamp_validator.js';
 export * from './size_validator.js';
+export * from './factory.js';

package/src/msg_validators/tx_validator/nullifier_cache.ts

@@ -0,0 +1,30 @@
+import type { NullifierSource } from '@aztec/p2p';
+import type { MerkleTreeReadOperations } from '@aztec/stdlib/interfaces/server';
+import { MerkleTreeId } from '@aztec/stdlib/trees';
+
+/**
+ * Implements a nullifier source by checking a DB and an in-memory collection.
+ * Intended for validating transactions as they are added to a block.
+ */
+export class NullifierCache implements NullifierSource {
+  nullifiers: Set<string>;
+
+  constructor(private db: MerkleTreeReadOperations) {
+    this.nullifiers = new Set();
+  }
+
+  public async nullifiersExist(nullifiers: Buffer[]): Promise<boolean[]> {
+    const cacheResults = nullifiers.map(n => this.nullifiers.has(n.toString()));
+    const toCheckDb = nullifiers.filter((_n, index) => !cacheResults[index]);
+    const dbHits = await this.db.findLeafIndices(MerkleTreeId.NULLIFIER_TREE, toCheckDb);
+
+    let dbIndex = 0;
+    return nullifiers.map((_n, index) => cacheResults[index] || dbHits[dbIndex++] !== undefined);
+  }
+
+  public addNullifiers(nullifiers: Buffer[]) {
+    for (const nullifier of nullifiers) {
+      this.nullifiers.add(nullifier.toString());
+    }
+  }
+}

package/src/msg_validators/tx_validator/phases_validator.ts

@@ -1,11 +1,17 @@
+import { NULL_MSG_SENDER_CONTRACT_ADDRESS } from '@aztec/constants';
 import { type Logger, type LoggerBindings, createLogger } from '@aztec/foundation/log';
 import { PublicContractsDB, getCallRequestsWithCalldataByPhase } from '@aztec/simulator/server';
+import { AztecAddress } from '@aztec/stdlib/aztec-address';
 import type { ContractDataSource } from '@aztec/stdlib/contract';
 import type { AllowedElement } from '@aztec/stdlib/interfaces/server';
 import {
   type PublicCallRequestWithCalldata,
   TX_ERROR_DURING_VALIDATION,
   TX_ERROR_SETUP_FUNCTION_NOT_ALLOWED,
+  TX_ERROR_SETUP_FUNCTION_UNKNOWN_CONTRACT,
+  TX_ERROR_SETUP_NULL_MSG_SENDER,
+  TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER,
+  TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH,
   Tx,
   TxExecutionPhase,
   type TxValidationResult,
@@ -34,7 +40,7 @@ export class PhasesTxValidator implements TxValidator<Tx> {
       // which are needed for public FPC flows, but fail if the account contract hasnt been deployed yet,
       // which is what we're trying to do as part of the current txs.
       // We only need to create/revert checkpoint here because of this addNewContracts call.
-      await this.contractsDB.addNewContracts(tx);
+      this.contractsDB.addNewContracts(tx);
 
       if (!tx.data.forPublic) {
         this.#log.debug(
@@ -45,7 +51,8 @@ export class PhasesTxValidator implements TxValidator<Tx> {
 
       const setupFns = getCallRequestsWithCalldataByPhase(tx, TxExecutionPhase.SETUP);
       for (const setupFn of setupFns) {
-        if (!(await this.isOnAllowList(setupFn, this.setupAllowList))) {
+        const rejectionReason = await this.checkAllowList(setupFn, this.setupAllowList);
+        if (rejectionReason) {
           this.#log.verbose(
             `Rejecting tx ${tx.getTxHash().toString()} because it calls setup function not on allow list: ${
               setupFn.request.contractAddress
@@ -53,7 +60,7 @@ export class PhasesTxValidator implements TxValidator<Tx> {
             { allowList: this.setupAllowList },
           );
 
-          return { result: 'invalid', reason: [TX_ERROR_SETUP_FUNCTION_NOT_ALLOWED] };
+          return { result: 'invalid', reason: [rejectionReason] };
         }
       }
 
@@ -66,53 +73,101 @@ export class PhasesTxValidator implements TxValidator<Tx> {
     }
   }
 
-  private async isOnAllowList(
+  /** Returns a rejection reason if the call is not on the allow list, or undefined if it is allowed. */
+  private async checkAllowList(
     publicCall: PublicCallRequestWithCalldata,
     allowList: AllowedElement[],
-  ): Promise<boolean> {
+  ): Promise<string | undefined> {
     if (publicCall.isEmpty()) {
-      return true;
+      return undefined;
     }
 
     const contractAddress = publicCall.request.contractAddress;
     const functionSelector = publicCall.functionSelector;
 
-    // do these checks first since they don't require the contract class
+    // Check address-based entries first since they don't require the contract class.
     for (const entry of allowList) {
-      if ('address' in entry && !('selector' in entry)) {
-        if (contractAddress.equals(entry.address)) {
-          return true;
-        }
-      }
-
-      if ('address' in entry && 'selector' in entry) {
+      if ('address' in entry) {
         if (contractAddress.equals(entry.address) && entry.selector.equals(functionSelector)) {
-          return true;
+          if (entry.calldataLength !== undefined && publicCall.calldata.length !== entry.calldataLength) {
+            return TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH;
+          }
+          if (entry.onlySelf && !publicCall.request.msgSender.equals(contractAddress)) {
+            return TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER;
+          }
+          if (
+            entry.rejectNullMsgSender &&
+            publicCall.request.msgSender.equals(AztecAddress.fromBigInt(NULL_MSG_SENDER_CONTRACT_ADDRESS))
+          ) {
+            return TX_ERROR_SETUP_NULL_MSG_SENDER;
+          }
+          return undefined;
         }
       }
+    }
 
-      const contractClass = await this.contractsDB.getContractInstance(contractAddress, this.timestamp);
-
-      if (!contractClass) {
-        throw new Error(`Contract not found: ${contractAddress}`);
+    // Check class-based entries. Fetch the contract instance lazily (only once).
+    let contractClassId: undefined | { value: string | undefined };
+    for (const entry of allowList) {
+      if (!('classId' in entry)) {
+        continue;
       }
 
-      if ('classId' in entry && !('selector' in entry)) {
-        if (contractClass.currentContractClassId.equals(entry.classId)) {
-          return true;
+      if (contractClassId === undefined) {
+        const instance = await this.contractsDB.getContractInstance(contractAddress, this.timestamp);
+        contractClassId = { value: instance?.currentContractClassId.toString() };
+        if (!contractClassId.value) {
+          return TX_ERROR_SETUP_FUNCTION_UNKNOWN_CONTRACT;
         }
       }
 
-      if ('classId' in entry && 'selector' in entry) {
+      if (contractClassId.value === entry.classId.toString() && entry.selector.equals(functionSelector)) {
+        if (entry.calldataLength !== undefined && publicCall.calldata.length !== entry.calldataLength) {
+          return TX_ERROR_SETUP_WRONG_CALLDATA_LENGTH;
+        }
+        if (entry.onlySelf && !publicCall.request.msgSender.equals(contractAddress)) {
+          return TX_ERROR_SETUP_ONLY_SELF_WRONG_SENDER;
+        }
         if (
-          contractClass.currentContractClassId.equals(entry.classId) &&
-          (entry.selector === undefined || entry.selector.equals(functionSelector))
+          entry.rejectNullMsgSender &&
+          publicCall.request.msgSender.equals(AztecAddress.fromBigInt(NULL_MSG_SENDER_CONTRACT_ADDRESS))
         ) {
-          return true;
+          return TX_ERROR_SETUP_NULL_MSG_SENDER;
         }
+        return undefined;
       }
     }
 
-    return false;
+    return TX_ERROR_SETUP_FUNCTION_NOT_ALLOWED;
+  }
+}
+
+/** Structural interface for the allowed-setup-calls flag check. */
+export interface HasAllowedSetupCallsData {
+  txHash: { toString(): string };
+  allowedSetupCalls: boolean;
+}
+
+/**
+ * Validates that a transaction's setup-phase calls were allowed at receipt time.
+ *
+ * Checks the precomputed `allowedSetupCalls` flag on TxMetaData. The flag is
+ * computed by running the PhasesTxValidator on the full Tx when it first enters
+ * the pool. This lightweight validator is used during pending pool migration to
+ * reject txs whose setup calls are not on the allow list.
+ */
+export class AllowedSetupCallsMetaValidator<T extends HasAllowedSetupCallsData> implements TxValidator<T> {
+  #log: Logger;
+
+  constructor(bindings?: LoggerBindings) {
+    this.#log = createLogger('sequencer:tx_validator:tx_phases_meta', bindings);
+  }
+
+  validateTx(tx: T): Promise<TxValidationResult> {
+    if (!tx.allowedSetupCalls) {
+      this.#log.verbose(`Rejecting tx ${tx.txHash} because its setup calls are not on the allow list`);
+      return Promise.resolve({ result: 'invalid', reason: [TX_ERROR_SETUP_FUNCTION_NOT_ALLOWED] });
+    }
+    return Promise.resolve({ result: 'valid' });
   }
 }

package/src/services/dummy_service.ts

@@ -1,6 +1,6 @@
 import type { EthAddress } from '@aztec/foundation/eth-address';
 import type { PeerInfo } from '@aztec/stdlib/interfaces/server';
-import type { Gossipable, PeerErrorSeverity } from '@aztec/stdlib/p2p';
+import type { Gossipable, PeerErrorSeverity, TopicType } from '@aztec/stdlib/p2p';
 import { Tx, TxHash } from '@aztec/stdlib/tx';
 
 import type { PeerId } from '@libp2p/interface';
@@ -44,6 +44,10 @@ export class DummyP2PService implements P2PService {
     return [];
   }
 
+  getGossipMeshPeerCount(_topicType: TopicType): number {
+    return 0;
+  }
+
   /**
    * Starts the dummy implementation.
    * @returns A resolved promise.
@@ -137,14 +141,10 @@ export class DummyP2PService implements P2PService {
     return undefined;
   }
 
-  validate(_txs: Tx[]): Promise<void> {
+  validateTxsReceivedInBlockProposal(_txs: Tx[]): Promise<void> {
     return Promise.resolve();
   }
 
-  validatePropagatedTx(_tx: Tx, _peerId: PeerId): Promise<boolean> {
-    return Promise.resolve(true);
-  }
-
   addReqRespSubProtocol(
     _subProtocol: ReqRespSubProtocol,
     _handler: ReqRespSubProtocolHandler,

package/src/services/encoding.ts

@@ -1,14 +1,22 @@
 // Taken from lodestar: https://github.com/ChainSafe/lodestar
-import { sha256 } from '@aztec/foundation/crypto/sha256';
 import { createLogger } from '@aztec/foundation/log';
 import { MAX_TX_SIZE_KB, TopicType, getTopicFromString } from '@aztec/stdlib/p2p';
 
 import type { RPC } from '@chainsafe/libp2p-gossipsub/message';
 import type { DataTransform } from '@chainsafe/libp2p-gossipsub/types';
 import type { Message } from '@libp2p/interface';
+import { webcrypto } from 'node:crypto';
 import { compressSync, uncompressSync } from 'snappy';
 import xxhashFactory from 'xxhash-wasm';
 
+/** Thrown when a Snappy-compressed response exceeds the allowed decompressed size. */
+export class OversizedSnappyResponseError extends Error {
+  constructor(decompressedSize: number, maxSizeKb: number) {
+    super(`Decompressed size ${decompressedSize} exceeds maximum allowed size of ${maxSizeKb}kb`);
+    this.name = 'OversizedSnappyResponseError';
+  }
+}
+
 // Load WASM
 const xxhash = await xxhashFactory();
 
@@ -44,11 +52,10 @@ export function msgIdToStrFn(msgId: Uint8Array): string {
  * @param message - The libp2p message
  * @returns The message identifier
  */
-export function getMsgIdFn(message: Message) {
-  const { topic } = message;
-
-  const vec = [Buffer.from(topic), message.data];
-  return sha256(Buffer.concat(vec)).subarray(0, 20);
+export async function getMsgIdFn({ topic, data }: Message): Promise<Uint8Array> {
+  const buffer = Buffer.concat([Buffer.from(topic), data]);
+  const hash = await webcrypto.subtle.digest('SHA-256', buffer);
+  return Buffer.from(hash.slice(0, 20));
 }
 
 const DefaultMaxSizesKb: Record<TopicType, number> = {
@@ -87,7 +94,7 @@ export class SnappyTransform implements DataTransform {
     const { decompressedSize } = readSnappyPreamble(data);
     if (decompressedSize > maxSizeKb * 1024) {
       this.logger.warn(`Decompressed size ${decompressedSize} exceeds maximum allowed size of ${maxSizeKb}kb`);
-      throw new Error(`Decompressed size ${decompressedSize} exceeds maximum allowed size of ${maxSizeKb}kb`);
+      throw new OversizedSnappyResponseError(decompressedSize, maxSizeKb);
     }
 
     return Buffer.from(uncompressSync(data, { asBuffer: true }));

package/src/services/gossipsub/README.md

@@ -40,7 +40,7 @@ We configure all parameters (P1-P4) with values calculated dynamically from netw
 | P3b: meshFailurePenalty | -34 per topic | Sticky penalty after pruning |
 | P4: invalidMessageDeliveries | -20 per message | Attack detection |
 
-**Important:** P1 and P2 are only enabled on topics with P3 enabled (block_proposal, checkpoint_proposal, checkpoint_attestation). The tx topic has all scoring disabled except P4, to prevent free positive score accumulation that would offset penalties from other topics.
+**Important:** P1 and P2 are only enabled on topics with P3 enabled. By default, P3 is enabled for checkpoint_proposal and checkpoint_attestation (2 topics). Block proposal scoring is controlled by `expectedBlockProposalsPerSlot` (current default: `0`, including when env var is unset, so disabled) - see [Block Proposals](#block-proposals-block_proposal) for details. The tx topic has all scoring disabled except P4, to prevent free positive score accumulation that would offset penalties from other topics.
 
 ## Exponential Decay
 
@@ -217,7 +217,21 @@ Transactions are submitted unpredictably by users, so we cannot set meaningful d
 
 ### Block Proposals (block_proposal)
 
-In Multi-Block-Per-Slot (MBPS) mode, N-1 block proposals are gossiped per slot (the last block is bundled with the checkpoint). In single-block mode, this is 0.
+Block proposal scoring is controlled by the `expectedBlockProposalsPerSlot` config (`SEQ_EXPECTED_BLOCK_PROPOSALS_PER_SLOT` env var):
+
+| Config Value | Behavior |
+|-------------|----------|
+| `0` (current default) | Block proposal P3 scoring is **disabled** |
+| Positive number | Uses the provided value as expected proposals per slot |
+| `undefined` | Falls back to `blocksPerSlot - 1` (MBPS mode: N-1, single block: 0) |
+
+**Current behavior note:** In the current implementation, if `SEQ_EXPECTED_BLOCK_PROPOSALS_PER_SLOT` is not set, config mapping applies `0` by default (scoring disabled). The `undefined` fallback above is currently reachable only if the value is explicitly provided as `undefined` in code.
+
+**Future intent:** Once throughput is stable, we may change env parsing/defaults so an unset env var resolves to `undefined` again (re-enabling automatic fallback to `blocksPerSlot - 1`).
+
+**Why disabled by default?** In MBPS mode, gossipsub expects N-1 block proposals per slot. When transaction throughput is low (as expected at launch), fewer blocks are actually built, causing peers to be incorrectly penalized for under-delivering block proposals. The default of 0 disables this scoring. Set to a positive value when throughput increases and block production is consistent.
+
+In MBPS mode (when enabled), N-1 block proposals are gossiped per slot (the last block is bundled with the checkpoint). In single-block mode, this is 0.
 
 ### Checkpoint Proposals (checkpoint_proposal)
 
@@ -241,6 +255,7 @@ The scoring parameters depend on:
 | `targetCommitteeSize` | L1RollupConstants | 48 |
 | `heartbeatInterval` | P2PConfig.gossipsubInterval | 700ms |
 | `blockDurationMs` | P2PConfig.blockDurationMs | undefined (single block) |
+| `expectedBlockProposalsPerSlot` | P2PConfig.expectedBlockProposalsPerSlot | 0 (disabled; current unset-env behavior) |
 
 ## Invalid Message Handling (P4)
 
@@ -320,9 +335,9 @@ Conversely, if topic scores are low, a peer slightly above the disconnect thresh
 
 Topic scores provide **burst response** to attacks, while app score provides **stable baseline**:
 
-- P1 (time in mesh): Max +8 per topic (+24 across 3 topics)
-- P2 (first deliveries): Max +25 per topic (+75 across 3 topics, but decays fast)
-- P3 (under-delivery): Max -34 per topic (-102 across 3 topics in MBPS; -68 in single-block mode)
+- P1 (time in mesh): Max +8 per topic (+16 default, +24 with block proposal scoring enabled)
+- P2 (first deliveries): Max +25 per topic (+50 default, +75 with block proposal scoring, but decays fast)
+- P3 (under-delivery): Max -34 per topic (-68 default with 2 topics, -102 with block proposal scoring enabled)
 - P4 (invalid messages): -20 per invalid message, can spike to -2000+ during attacks
 
 Example attack scenario:
@@ -373,21 +388,21 @@ When a peer is pruned from the mesh:
 3. **P3b captures the penalty**: The P3 deficit at prune time becomes P3b, which decays slowly
 
 After pruning, the peer's score consists mainly of P3b:
-- **Total P3b across 3 topics: -102** (max)
+- **Total P3b: -68** (default, 2 topics) or **-102** (with block proposal scoring enabled, 3 topics)
 - **Recovery time**: P3b decays to ~1% over one decay window (2-5 slots = 2-6 minutes)
 - **Grafting eligibility**: Peer can be grafted when score ≥ 0, but asymptotic decay means recovery is slow
 
 ### Why Non-Contributors Aren't Disconnected
 
-With P3b capped at -102 total after pruning (MBPS mode). In single-block mode, the cap is -68:
+With P3b capped at -68 (default, 2 topics) or -102 (with block proposal scoring, 3 topics) after pruning:
 
 | Threshold | Value | P3b Score | Triggered? |
 |-----------|-------|-----------|------------|
-| gossipThreshold | -500 | -102 (MBPS) / -68 (single) | No |
-| publishThreshold | -1000 | -102 (MBPS) / -68 (single) | No |
-| graylistThreshold | -2000 | -102 (MBPS) / -68 (single) | No |
+| gossipThreshold | -500 | -68 (default) / -102 (block scoring on) | No |
+| publishThreshold | -1000 | -68 (default) / -102 (block scoring on) | No |
+| graylistThreshold | -2000 | -68 (default) / -102 (block scoring on) | No |
 
-**A score of -102 (MBPS) or -68 (single-block) is well above -500**, so non-contributing peers:
+**A score of -68 or -102 is well above -500**, so non-contributing peers:
 - Are pruned from mesh (good - stops them slowing propagation)
 - Still receive gossip (can recover by reconnecting/restarting)
 - Are NOT disconnected unless they also have application-level penalties
@@ -547,7 +562,7 @@ What happens when a peer experiences a network outage and stops delivering messa
 While the peer is disconnected:
 
 1. **P3 penalty accumulates**: The message delivery counter decays toward 0, causing increasing P3 penalty
-2. **Max P3 penalty reached**: Once counter drops below threshold, penalty hits -34 per topic (-102 total in MBPS; -68 single-block)
+2. **Max P3 penalty reached**: Once counter drops below threshold, penalty hits -34 per topic (-68 default, -102 with block proposal scoring)
 3. **Mesh pruning**: Topic score goes negative → peer is pruned from mesh
 4. **P3b captures penalty**: The P3 deficit at prune time becomes P3b (sticky penalty)
 
@@ -569,13 +584,13 @@ Note: If the peer just joined the mesh, P3 penalties only start after
 During a network outage, the peer:
 - **Does NOT send invalid messages** → No P4 penalty
 - **Does NOT violate protocols** → No application-level penalty
-- **Only accumulates topic-level penalties** → Max -102 (P3b, MBPS) or -68 (single-block)
+- **Only accumulates topic-level penalties** → Max -68 (default) or -102 (with block proposal scoring)
 
 This is the crucial difference from malicious behavior:
 
 | Scenario | App Score | Topic Score | Total | Threshold Hit |
 |----------|-----------|-------------|-------|---------------|
-| Network outage | 0 | -102 (MBPS) / -68 (single) | -102 / -68 | None |
+| Network outage | 0 | -68 (default) / -102 (block scoring on) | -68 / -102 | None |
 | Validation failure | -50 | -20 | -520 | gossipThreshold |
 | Malicious peer | -100 | -2000+ | -2100+ | graylistThreshold |