@layerzerolabs/protocol-stellar-v2 0.2.33 → 0.2.35

package/Cargo.lock

@@ -1755,9 +1755,9 @@ dependencies = [
 
 [[package]]
 name = "soroban-ledger-snapshot"
-version = "25.1.0"
+version = "25.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99c5285c83e7a5581879b7a65033eae53b24ac9689975aa6887f1d8ee3e941c9"
+checksum = "66d569a1315f05216d024653ad87541aa15d3ff26dad9f8a98719cb53ccf2bf3"
 dependencies = [
  "serde",
  "serde_json",
@@ -1769,9 +1769,9 @@ dependencies = [
 
 [[package]]
 name = "soroban-sdk"
-version = "25.1.0"
+version = "25.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1262aa83e99a0fb3e8cd56d6e5ca4c28ac4f9871ac7173f65301a8b9a12c20f"
+checksum = "add8d19cfd2c9941bbdc7c8223c3cf9d7ff9af4554ba3bd4ae93e16b19b08aea"
 dependencies = [
  "arbitrary",
  "bytes-lit",
@@ -1793,9 +1793,9 @@ dependencies = [
 
 [[package]]
 name = "soroban-sdk-macros"
-version = "25.1.0"
+version = "25.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93b62c526917a1e77b6dce3cd841b6c271f0fff344ea93ad92a8c45afe8051b6"
+checksum = "2a0107e34575ec704ce29407695462e79e6b0e13ce7af6431b2f15c313e34464"
 dependencies = [
  "darling 0.20.11",
  "heck 0.5.0",
@@ -1813,9 +1813,9 @@ dependencies = [
 
 [[package]]
 name = "soroban-spec"
-version = "25.1.0"
+version = "25.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0186c943a78de7038ce7eee478f521f7a7665440101ae0d24b4a59833fb6d833"
+checksum = "53a1c9f6ccc6aa78518545e3cf542bd26f11d9085328a2e1c06c90514733fe15"
 dependencies = [
  "base64 0.22.1",
  "stellar-xdr",
@@ -1825,9 +1825,9 @@ dependencies = [
 
 [[package]]
 name = "soroban-spec-rust"
-version = "25.1.0"
+version = "25.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a948196ed0633be3a4125e0c7a4fc0bb6337942e538813b1f171331738f9058"
+checksum = "e8247d3c6256b544b2461606c6892351bb22978d751e07c1aea744377053d852"
 dependencies = [
  "prettyplease",
  "proc-macro2",

package/Cargo.toml

@@ -14,7 +14,7 @@ license = "MIT"
 version = "0.0.1"
 
 [workspace.dependencies]
-soroban-sdk = { version = "25.1.0", features = ["hazmat-address", "hazmat-crypto"] }
+soroban-sdk = { version = "25.1.1", features = ["hazmat-address", "hazmat-crypto"] }
 soroban-spec-typescript = "25.1.0" # used in tools/ts-bindings-gen
 
 # Third-party dependencies (production)

package/contracts/common-macros/src/storage.rs

@@ -119,7 +119,7 @@ fn gen_accessor_methods(enum_name: &Ident, variant: &Variant) -> TokenStream {
 
     // Getter: returns the value directly (with default) or wrapped in Option.
     let (ret_type, ret_expr) = match &config.default_value {
-        Some(default) => (quote! { #value_type }, quote! { value.unwrap_or(#default) }),
+        Some(default) => (quote! { #value_type }, quote! { value.unwrap_or_else(|| #default) }),
         None => (quote! { Option<#value_type> }, quote! { value }),
     };
     let ttl_on_get = extend_ttl.as_ref().map(|call| quote! { if value.is_some() { #call } });
@@ -131,10 +131,12 @@ fn gen_accessor_methods(enum_name: &Ident, variant: &Variant) -> TokenStream {
     };
 
     // TTL extender method — only for persistent/temporary storage (instance has no per-key TTL).
-    let ttl_extender_method = (config.kind != StorageKind::Instance).then(|| quote! {
-        pub fn #ttl_extender(#params, threshold: u32, extend_to: u32) {
-            let key = #key;
-            #accessor.extend_ttl(&key, threshold, extend_to);
+    let ttl_extender_method = (config.kind != StorageKind::Instance).then(|| {
+        quote! {
+            pub fn #ttl_extender(#params, threshold: u32, extend_to: u32) {
+                let key = #key;
+                #accessor.extend_ttl(&key, threshold, extend_to);
+            }
         }
     });
 

package/contracts/common-macros/src/tests/storage/snapshots/common_macros__tests__storage__generate_storage__snapshot_generated_storage_code.snap

@@ -1,5 +1,5 @@
 ---
-source: contracts/common-macros/src/tests/storage.rs
+source: contracts/common-macros/src/tests/storage/generate_storage.rs
 assertion_line: 409
 expression: formatted
 ---
@@ -20,7 +20,7 @@ impl StorageKeys {
     pub fn counter(env: &soroban_sdk::Env) -> u32 {
         let key = StorageKeys::Counter;
         let value = env.storage().instance().get::<_, u32>(&key);
-        value.unwrap_or(0)
+        value.unwrap_or_else(|| 0)
     }
     pub fn set_counter(env: &soroban_sdk::Env, value: &u32) {
         let key = StorageKeys::Counter;
@@ -46,7 +46,7 @@ impl StorageKeys {
         if value.is_some() {
             utils::ttl_configurable::extend_persistent_ttl(env, &key);
         }
-        value.unwrap_or(String::from_str(env, "hello"))
+        value.unwrap_or_else(|| String::from_str(env, "hello"))
     }
     pub fn set_message(env: &soroban_sdk::Env, sender: &Address, value: &String) {
         let key = StorageKeys::Message(sender.clone());

package/contracts/endpoint-v2/src/endpoint_v2.rs

@@ -1,4 +1,5 @@
 use crate::{
+    endpoint_v2::messaging_channel::PENDING_INBOUND_NONCE_MAX_LEN,
     errors::EndpointError,
     events::{DelegateSet, LzReceiveAlert, PacketDelivered, PacketSent, PacketVerified, ZroSet},
     interfaces::{ILayerZeroEndpointV2, IMessageLibManager, IMessagingChannel, MessagingFee, MessagingReceipt, Origin},
@@ -165,14 +166,14 @@ impl ILayerZeroEndpointV2 for EndpointV2 {
 
     /// Checks if a messaging path can be/has been initialized for the given origin and receiver.
     fn initializable(env: &Env, origin: &Origin, receiver: &Address) -> bool {
-        let lazy_inbound_nonce = Self::lazy_inbound_nonce(env, receiver, origin.src_eid, &origin.sender);
-        lazy_inbound_nonce > 0 || LayerZeroReceiverClient::new(env, receiver).allow_initialize_path(origin)
+        let inbound_nonce = Self::inbound_nonce(env, receiver, origin.src_eid, &origin.sender);
+        inbound_nonce > 0 || LayerZeroReceiverClient::new(env, receiver).allow_initialize_path(origin)
     }
 
     /// Checks if a message can be verified for the given origin and receiver.
     fn verifiable(env: &Env, origin: &Origin, receiver: &Address) -> bool {
-        let lazy_inbound_nonce = Self::lazy_inbound_nonce(env, receiver, origin.src_eid, &origin.sender);
-        origin.nonce > lazy_inbound_nonce
+        let inbound_nonce = Self::inbound_nonce(env, receiver, origin.src_eid, &origin.sender);
+        (origin.nonce > inbound_nonce && origin.nonce <= inbound_nonce + PENDING_INBOUND_NONCE_MAX_LEN)
             || EndpointStorage::has_inbound_payload_hash(env, receiver, origin.src_eid, &origin.sender, origin.nonce)
     }
 

package/contracts/endpoint-v2/src/interfaces/messaging_channel.rs

@@ -1,4 +1,4 @@
-use soroban_sdk::{contractclient, Address, BytesN, Env};
+use soroban_sdk::{contractclient, Address, BytesN, Env, Vec};
 
 /// EndpointV2's Interface for managing messaging channels, nonces, and payload hashes.
 #[contractclient(name = "MessagingChannelClient")]
@@ -78,19 +78,18 @@ pub trait IMessagingChannel {
     /// The current outbound nonce (0 if no messages sent yet)
     fn outbound_nonce(env: &Env, sender: &Address, dst_eid: u32, receiver: &BytesN<32>) -> u64;
 
-    /// Returns the max index of the longest gapless sequence of verified nonces.
-    /// Example: `[1,2,3,4,6,7] => 4`, `[1,2,6,8,10] => 2`
+    /// Returns the current inbound nonce for a specific path.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
     /// * `src_eid` - The source endpoint ID
-    /// * `sender` - The sender address on the source chain
+    /// * `sender` - The sender OApp address on the source chain
     ///
     /// # Returns
-    /// The highest nonce in the gapless sequence starting from lazy_inbound_nonce
+    /// The current inbound nonce (0 if no messages received yet)
     fn inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64;
 
-    /// Returns the lazy inbound nonce (last checkpoint) for a specific path.
+    /// Returns the pending inbound nonces for a specific path.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
@@ -98,8 +97,8 @@ pub trait IMessagingChannel {
     /// * `sender` - The sender OApp address on the source chain
     ///
     /// # Returns
-    /// The lazy inbound nonce, updated when messages are cleared/executed
-    fn lazy_inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64;
+    /// The pending inbound nonces
+    fn pending_inbound_nonces(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> Vec<u64>;
 
     /// Returns the payload hash for a specific inbound nonce.
     ///

package/contracts/endpoint-v2/src/messaging_channel.rs

@@ -7,7 +7,7 @@ use crate::{
     util::{compute_guid, keccak256},
 };
 use common_macros::contract_impl;
-use soroban_sdk::{assert_with_error, Address, Bytes, BytesN, Env};
+use soroban_sdk::{assert_with_error, Address, Bytes, BytesN, Env, Vec};
 
 /// Represents an empty payload hash (equivalent to bytes32(uint256(0)) in Solidity)
 const EMPTY_PAYLOAD_HASH_BYTES: [u8; 32] = [0u8; 32];
@@ -15,6 +15,9 @@ const EMPTY_PAYLOAD_HASH_BYTES: [u8; 32] = [0u8; 32];
 /// Represents a nilified payload hash (equivalent to bytes32(type(uint256).max) in Solidity)
 const NIL_PAYLOAD_HASH_BYTES: [u8; 32] = [0xffu8; 32];
 
+/// Max number of out-of-order nonces in the pending list.
+pub(super) const PENDING_INBOUND_NONCE_MAX_LEN: u64 = 256;
+
 #[contract_impl]
 impl IMessagingChannel for EndpointV2 {
     /// Skips the next expected inbound nonce without verifying.
@@ -25,7 +28,7 @@ impl IMessagingChannel for EndpointV2 {
 
         let next_nonce = Self::inbound_nonce(env, receiver, src_eid, sender) + 1;
         assert_with_error!(env, nonce == next_nonce, EndpointError::InvalidNonce);
-        EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &nonce);
+        Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
 
         InboundNonceSkipped { src_eid, sender: sender.clone(), receiver: receiver.clone(), nonce }.publish(env);
     }
@@ -45,10 +48,14 @@ impl IMessagingChannel for EndpointV2 {
         Self::require_oapp_auth(env, caller, receiver);
 
         let cur_payload_hash = Self::inbound_payload_hash(env, receiver, src_eid, sender, nonce);
-        let lazy_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
 
         assert_with_error!(env, payload_hash == &cur_payload_hash, EndpointError::PayloadHashNotFound);
-        assert_with_error!(env, nonce > lazy_nonce || cur_payload_hash.is_some(), EndpointError::InvalidNonce);
+        assert_with_error!(env, nonce > inbound_nonce || cur_payload_hash.is_some(), EndpointError::InvalidNonce);
+
+        if nonce > inbound_nonce {
+            Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
+        }
         EndpointStorage::set_inbound_payload_hash(env, receiver, src_eid, sender, nonce, &Self::nil_payload_hash(env));
 
         PacketNilified {
@@ -77,9 +84,9 @@ impl IMessagingChannel for EndpointV2 {
         let cur_payload_hash = Self::inbound_payload_hash(env, receiver, src_eid, sender, nonce);
         assert_with_error!(env, cur_payload_hash.as_ref() == Some(payload_hash), EndpointError::PayloadHashNotFound);
 
-        // Check if nonce is at or below the lazy nonce
-        let lazy_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-        assert_with_error!(env, nonce <= lazy_nonce, EndpointError::InvalidNonce);
+        // Check if nonce is at or below the inbound nonce
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(env, nonce <= inbound_nonce, EndpointError::InvalidNonce);
 
         // Remove the payload hash from storage
         EndpointStorage::remove_inbound_payload_hash(env, receiver, src_eid, sender, nonce);
@@ -112,25 +119,15 @@ impl IMessagingChannel for EndpointV2 {
     /// Returns the max index of the longest gapless sequence of verified message nonces.
     ///
     /// The uninitialized value is 0. The first nonce is always 1.
-    /// It starts from the `lazy_inbound_nonce` (last checkpoint) and iteratively checks
-    /// if the next nonce has been verified.
     ///
     /// Note: OApp explicitly skipped nonces count as "verified" for these purposes.
-    ///
-    /// Examples: `[1,2,3,4,6,7] => 4`, `[1,2,6,8,10] => 2`, `[1,3,4,5,6] => 1`
     fn inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64 {
-        let mut nonce_cursor = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-
-        // Find the effective inbound current nonce
-        while EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, nonce_cursor + 1) {
-            nonce_cursor += 1;
-        }
-        nonce_cursor
+        EndpointStorage::inbound_nonce(env, receiver, src_eid, sender)
     }
 
-    /// Returns the lazy inbound nonce (last checkpoint) for a specific path.
-    fn lazy_inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64 {
-        EndpointStorage::lazy_inbound_nonce(env, receiver, src_eid, sender)
+    /// Returns the pending inbound nonces for a specific path.
+    fn pending_inbound_nonces(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> Vec<u64> {
+        EndpointStorage::pending_inbound_nonces(env, receiver, src_eid, sender)
     }
 
     /// Returns the payload hash for a specific inbound nonce.
@@ -162,9 +159,8 @@ impl EndpointV2 {
 
     /// Records an inbound message payload hash for a specific nonce on a specific path.
     ///
-    /// Inbound won't update the nonce eagerly to allow unordered verification.
-    /// Instead, it will update the nonce lazily when the message is received.
-    /// Messages can only be cleared in order to preserve censorship-resistance.
+    /// When nonce > inbound_nonce, inserts into the pending list and drains consecutive
+    /// nonces to update the effective inbound nonce.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
@@ -181,22 +177,27 @@ impl EndpointV2 {
         payload_hash: &BytesN<32>,
     ) {
         assert_with_error!(env, payload_hash != &Self::empty_payload_hash(env), EndpointError::InvalidPayloadHash);
+
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+
+        // Only allow to verify new nonces or re-verify unexecuted nonces.
+        assert_with_error!(
+            env,
+            nonce > inbound_nonce || EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, nonce),
+            EndpointError::InvalidNonce
+        );
+
+        if nonce > inbound_nonce {
+            Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
+        }
+
         EndpointStorage::set_inbound_payload_hash(env, receiver, src_eid, sender, nonce, payload_hash);
     }
 
-    /// Clears a stored message payload and increments the lazy inbound nonce.
-    ///
-    /// Calling this function will clear the stored message and increment the
-    /// `lazy_inbound_nonce` to the provided nonce.
+    /// Clears a stored message payload.
     ///
-    /// Note: This function does not change `inbound_nonce`, it only changes
-    /// the `lazy_inbound_nonce` up to the provided nonce.
-    ///
-    /// # EVM Alignment
-    /// This implementation aligns with the EVM endpoint behavior. Executors should call
-    /// `clear` from lower nonce to higher nonce sequentially. This ensures the range check
-    /// `(current_nonce + 1..=nonce)` remains small, avoiding long iteration when verifying
-    /// that all intermediate nonces have been verified.
+    /// Requires nonce <= inbound_nonce (no iteration, O(1) check). The inbound_nonce
+    /// is updated during verify when consecutive nonces are drained from the pending list.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
@@ -212,15 +213,8 @@ impl EndpointV2 {
         nonce: u64,
         payload: &Bytes,
     ) {
-        let current_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-
-        // Try to update the lazy inbound nonce until the target nonce
-        if nonce > current_nonce {
-            let has_payload = (current_nonce + 1..=nonce)
-                .all(|n| EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, n));
-            assert_with_error!(env, has_payload, EndpointError::InvalidNonce);
-            EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &nonce);
-        }
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(env, nonce <= inbound_nonce, EndpointError::InvalidNonce);
 
         // Check the hash of the payload to verify the executor has given the proper payload that has been verified
         let actual_hash = keccak256(env, payload);
@@ -231,6 +225,45 @@ impl EndpointV2 {
         EndpointStorage::remove_inbound_payload_hash(env, receiver, src_eid, sender, nonce);
     }
 
+    /// Inserts a nonce into a sorted pending list, then drains consecutive nonces from the front
+    /// to advance `inbound_nonce`.
+    ///
+    /// Bounded by `PENDING_INBOUND_NONCE_MAX_LEN` to prevent DDoS via unbounded list growth.
+    fn insert_and_drain_pending_nonces(
+        env: &Env,
+        receiver: &Address,
+        src_eid: u32,
+        sender: &BytesN<32>,
+        new_nonce: u64,
+    ) {
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(
+            env,
+            new_nonce > inbound_nonce && new_nonce <= inbound_nonce + PENDING_INBOUND_NONCE_MAX_LEN,
+            EndpointError::InvalidNonce
+        );
+
+        let mut pending_nonces = Self::pending_inbound_nonces(env, receiver, src_eid, sender);
+
+        // Allow to re-verify at the same nonce and insert the new nonce if it doesn't already exist.
+        // When the binary_search returns an error, the nonce is not in the list and should be inserted.
+        if let Err(i) = pending_nonces.binary_search(new_nonce) {
+            pending_nonces.insert(i, new_nonce);
+
+            // Drain consecutive nonces from the front to advance the inbound nonce
+            let mut new_inbound_nonce = inbound_nonce;
+            while !pending_nonces.is_empty() && pending_nonces.first_unchecked() == new_inbound_nonce + 1 {
+                new_inbound_nonce = pending_nonces.pop_front_unchecked();
+            }
+
+            // Update the pending nonces and inbound nonce if needed
+            EndpointStorage::set_pending_inbound_nonces(env, receiver, src_eid, sender, &pending_nonces);
+            if new_inbound_nonce > inbound_nonce {
+                EndpointStorage::set_inbound_nonce(env, receiver, src_eid, sender, &new_inbound_nonce);
+            }
+        }
+    }
+
     /// Represents an empty payload hash
     fn empty_payload_hash(env: &Env) -> BytesN<32> {
         BytesN::from_array(env, &EMPTY_PAYLOAD_HASH_BYTES)

package/contracts/endpoint-v2/src/storage.rs

@@ -1,6 +1,6 @@
 use crate::Timeout;
 use common_macros::storage;
-use soroban_sdk::{Address, BytesN};
+use soroban_sdk::{Address, BytesN, Vec};
 
 #[storage]
 pub enum EndpointStorage {
@@ -24,10 +24,15 @@ pub enum EndpointStorage {
     /// Messaging Channel
     /// ============================================================================================
 
-    /// The lazy inbound nonce for a receiver
+    /// Sorted list of out-of-order verified nonces
+    #[persistent(Vec<u64>)]
+    #[default(Vec::new(env))]
+    PendingInboundNonces { receiver: Address, src_eid: u32, sender: BytesN<32> },
+
+    /// The current inbound nonce for a receiver
     #[persistent(u64)]
     #[default(0)]
-    LazyInboundNonce { receiver: Address, src_eid: u32, sender: BytesN<32> },
+    InboundNonce { receiver: Address, src_eid: u32, sender: BytesN<32> },
 
     /// The inbound payload hash for a receiver
     #[persistent(BytesN<32>)]

package/contracts/endpoint-v2/src/tests/endpoint_setup.rs

@@ -270,11 +270,11 @@ impl<'a> TestSetup<'a> {
         self.endpoint_client.send_compose(from, to, guid, &index, message);
     }
 
-    pub fn set_lazy_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &BytesN<32>, lazy_nonce: u64) {
+    pub fn set_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &BytesN<32>, inbound_nonce: u64) {
         let env = &self.env;
         let endpoint_client = &self.endpoint_client;
         env.as_contract(&endpoint_client.address, || {
-            storage::EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &lazy_nonce)
+            storage::EndpointStorage::set_inbound_nonce(env, receiver, src_eid, sender, &inbound_nonce)
         });
     }
 

package/contracts/endpoint-v2/src/tests/endpoint_v2/clear.rs

@@ -119,9 +119,9 @@ fn test_clear_emits_packet_delivered_event() {
     assert_eq_event(env, &endpoint_client.address, PacketDelivered { origin: origin.clone(), receiver: receiver.clone() });
 }
 
-// Lazy inbound nonce updates
+// Inbound nonce is advanced during verify, not during clear
 #[test]
-fn test_clear_updates_lazy_inbound_nonce() {
+fn test_clear_does_not_change_inbound_nonce() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -136,15 +136,13 @@ fn test_clear_updates_lazy_inbound_nonce() {
     let (_receive_lib, origin, _payload_hash) =
         arrange_verified_packet_with_auth(&context, src_eid, &sender, &receiver, nonce, &guid, &message);
 
-    // Verify initial lazy inbound nonce
-    let initial_lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(initial_lazy_nonce, 0, "Initial lazy inbound nonce should be 0");
+    // Verify advanced inbound nonce (happens during verify).
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 
     clear_packet_with_auth(&context, &receiver, &origin, &receiver, &guid, &message);
 
-    // Verify lazy inbound nonce was updated via public interface
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, nonce);
+    // Clear does not advance inbound nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 }
 
 // Sequential nonce behavior
@@ -179,9 +177,8 @@ fn test_clear_success_sequential_nonces_update_lazy_nonce_to_latest() {
     verify_packet_with_auth(&context, &receive_lib, &origin2, &receiver, &payload_hash2);
     clear_packet_with_auth(&context, &receiver, &origin2, &receiver, &guid2, &message2);
 
-    // Verify lazy inbound nonce was updated to 2
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, 2);
+    // Verify advanced inbound nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }
 
 // Authorization
@@ -410,11 +407,11 @@ fn test_clear_does_not_advance_lazy_nonce_when_clearing_older_nonce() {
     let origin2 = Origin { src_eid, sender: sender.clone(), nonce: 2 };
     verify_packet_with_auth(&context, &receive_lib, &origin2, &receiver, &payload_hash2);
 
-    // Clear nonce 2 first (this advances lazy nonce to 2 because nonce 1..=2 are present).
+    // Clear nonce 2 first. This does not advance inbound nonce (it was advanced during verify).
     clear_packet_with_auth(&context, &receiver, &origin2, &receiver, &guid2, &message2);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 
-    // Clearing an older nonce should not change lazy nonce.
+    // Clearing an older nonce should not change inbound nonce.
     clear_packet_with_auth(&context, &receiver, &origin1, &receiver, &guid1, &message1);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }

package/contracts/endpoint-v2/src/tests/endpoint_v2/verifiable.rs

@@ -1,6 +1,6 @@
 use soroban_sdk::{testutils::Address as _, BytesN};
 
-use crate::{tests::endpoint_setup::setup, tests::endpoint_setup::TestSetup, Origin};
+use crate::{storage, tests::endpoint_setup::setup, tests::endpoint_setup::TestSetup, Origin};
 
 fn skip_with_auth(context: &TestSetup, receiver: &soroban_sdk::Address, src_eid: u32, sender: &BytesN<32>, nonce: u64) {
     // `skip` requires authorization from `caller` (the receiver or its delegate).
@@ -20,7 +20,7 @@ fn verify_with_auth(
     context.endpoint_client.verify(receive_lib, origin, receiver, payload_hash);
 }
 
-// New path (lazy nonce == 0) => verifiable when origin.nonce > lazy nonce
+// New path (inbound nonce == 0) => verifiable when origin.nonce is within (0, 256]
 #[test]
 fn test_verifiable_new_path_nonce_1_true() {
     let context = setup();
@@ -30,12 +30,12 @@ fn test_verifiable_new_path_nonce_1_true() {
     let sender = BytesN::from_array(&context.env, &[1u8; 32]);
     let origin = Origin { src_eid, sender, nonce: 1 };
 
-    // For a new path (lazy nonce is 0), nonce 1 > 0 should be verifiable.
+    // For a new path (inbound nonce is 0), nonce 1 should be verifiable.
     let result = endpoint_client.verifiable(&origin, &receiver);
     assert!(result);
 }
 
-// Established path (lazy nonce > 0) => verifiable when origin.nonce > lazy nonce
+// Established path => verifiable when origin.nonce is in (inbound_nonce, inbound_nonce + 256]
 #[test]
 fn test_verifiable_after_skip_nonce_gt_lazy_true() {
     let context = setup();
@@ -48,7 +48,7 @@ fn test_verifiable_after_skip_nonce_gt_lazy_true() {
     // Establish the path by skipping nonce 1.
     skip_with_auth(&context, &receiver, src_eid, &sender, 1);
 
-    // Now lazy_nonce = 1, nonce 2 > 1 should be verifiable.
+    // Now inbound_nonce = 1, nonce 2 should be verifiable.
     let origin = Origin { src_eid, sender, nonce: 2 };
     let result = endpoint_client.verifiable(&origin, &receiver);
     assert!(result);
@@ -79,8 +79,8 @@ fn test_verifiable_true_when_nonce_leq_lazy_but_payload_hash_exists() {
     // Advance lazy nonce to 3 while keeping payload hash for 2 (skip sets lazy nonce only).
     skip_with_auth(&context, &receiver, src_eid, &sender, 3);
 
-    // Sanity: lazy nonce was advanced, and the payload hash for nonce 2 still exists.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 3);
+    // Sanity: inbound nonce was advanced, and the payload hash for nonce 2 still exists.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
     assert!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64).is_some());
 
     // Now nonce 2 <= lazy 3, but payload hash exists -> verifiable should be true.
@@ -98,13 +98,50 @@ fn test_verifiable_nonce_eq_lazy_false_without_payload_hash() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
     let receiver = soroban_sdk::Address::generate(env);
 
-    // Set lazy nonce to 2 without storing any payload hashes.
+    // Advance inbound nonce to 2 without storing any payload hashes at nonce 2.
     skip_with_auth(&context, &receiver, src_eid, &sender, 1);
     skip_with_auth(&context, &receiver, src_eid, &sender, 2);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 
     // nonce == lazy and payload hash missing -> verifiable should be false.
     let origin2 = Origin { src_eid, sender: sender.clone(), nonce: 2u64 };
     assert!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64).is_none());
     assert!(!endpoint_client.verifiable(&origin2, &receiver));
 }
+
+#[test]
+fn test_verifiable_upper_bound_is_enforced() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+    let receiver = soroban_sdk::Address::generate(env);
+
+    // For a new path inbound_nonce=0: 256 is allowed, 257 is not.
+    let origin_256 = Origin { src_eid, sender: sender.clone(), nonce: 256u64 };
+    let origin_257 = Origin { src_eid, sender, nonce: 257u64 };
+    assert!(endpoint_client.verifiable(&origin_256, &receiver));
+    assert!(!endpoint_client.verifiable(&origin_257, &receiver));
+}
+
+#[test]
+fn test_verifiable_upper_bound_is_enforced_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+    let receiver = soroban_sdk::Address::generate(env);
+
+    env.as_contract(&endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &100u64)
+    });
+
+    let ok = Origin { src_eid, sender: sender.clone(), nonce: 356u64 }; // 100 + 256
+    let too_far = Origin { src_eid, sender, nonce: 357u64 };
+    assert!(endpoint_client.verifiable(&ok, &receiver));
+    assert!(!endpoint_client.verifiable(&too_far, &receiver));
+}