@layerzerolabs/protocol-stellar-v2 0.2.34 → 0.2.35

package/contracts/endpoint-v2/src/tests/messaging_channel/burn.rs

@@ -84,9 +84,6 @@ fn test_burn_success_with_stored_payload() {
     let nonce = 1u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // Boundary condition: burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
@@ -128,9 +125,6 @@ fn test_burn_with_delegate() {
     // Set delegate for receiver.
     env.as_contract(&endpoint_client.address, || storage::EndpointStorage::set_delegate(env, &receiver, &delegate));
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 1);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
 
@@ -169,9 +163,6 @@ fn test_burn_multiple_payloads() {
     let nonce1 = 1;
     let nonce2 = 2;
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 2);
-
     // Store multiple payload hashes.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce1, &payload_hash1);
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce2, &payload_hash2);
@@ -203,12 +194,6 @@ fn test_burn_different_paths() {
     let nonce = 1;
     let payload_hash = BytesN::from_array(env, &[0xefu8; 32]);
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver1, src_eid1, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver2, src_eid1, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver1, src_eid2, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver1, src_eid1, &sender2, 1);
-
     // Store payload hashes for different paths.
     context.inbound_as_verified(&receiver1, src_eid1, &sender1, nonce, &payload_hash);
     context.inbound_as_verified(&receiver2, src_eid1, &sender1, nonce, &payload_hash);
@@ -247,9 +232,6 @@ fn test_burn_payload_hash_not_found_when_mismatch() {
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
     let wrong_payload_hash = BytesN::from_array(env, &[0x11u8; 32]);
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
@@ -270,8 +252,8 @@ fn test_burn_payload_hash_not_found_when_storage_none() {
     let nonce = 1u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // Even if nonce <= lazy_nonce, burn must fail without a stored payload hash.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
+    // Burn must fail without a stored payload hash.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, nonce);
     let result = try_burn_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::PayloadHashNotFound.into());
 }
@@ -288,9 +270,11 @@ fn test_burn_invalid_nonce_when_greater_than_lazy_nonce() {
     let nonce = 2u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // lazy nonce is 1, trying to burn nonce 2 should fail.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 1);
-    context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
+    // inbound nonce is 1, trying to burn nonce 2 should fail (even if a payload hash exists).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 1);
+    env.as_contract(&context.endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, nonce, &payload_hash);
+    });
 
     let result = try_burn_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::InvalidNonce.into());

package/contracts/endpoint-v2/src/tests/messaging_channel/clear_payload.rs

@@ -36,7 +36,7 @@ fn clear_payload(
     });
 }
 
-// Internal clear_payload() removes verified payload and advances lazy nonce
+// Internal clear_payload() removes verified payload and does not change inbound nonce
 #[test]
 fn test_clear_payload_success() {
     let context = setup();
@@ -55,11 +55,11 @@ fn test_clear_payload_success() {
     clear_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
 
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), None);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 }
 
 #[test]
-fn test_clear_payload_with_lazy_nonce_update_skipping_intermediate() {
+fn test_clear_payload_keeps_other_payload_hashes_intact() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -76,21 +76,21 @@ fn test_clear_payload_with_lazy_nonce_update_skipping_intermediate() {
     let hash2 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 2, &payload2);
     let hash3 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
 
-    // Clearing nonce 3 advances lazy nonce from 0 -> 3, but only if 1..=3 all exist.
+    // Clearing nonce 3 removes only nonce 3's payload hash.
     clear_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 3);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &3), None);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1), Some(hash1));
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(hash2));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
     let _ = hash3; // hash3 is only used to ensure it was computed and stored for nonce 3.
 }
 
-// Clearing a nonce <= lazy nonce does not update lazy nonce
+// Clearing a nonce <= inbound nonce does not update inbound nonce
 #[test]
-fn test_clear_payload_does_not_update_lazy_nonce_when_nonce_is_not_greater() {
+fn test_clear_payload_does_not_update_inbound_nonce_when_nonce_is_not_greater() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -99,22 +99,25 @@ fn test_clear_payload_does_not_update_lazy_nonce_when_nonce_is_not_greater() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Pretend we already checkpointed to 5.
+    // Pretend we already advanced inbound nonce to 5.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
     });
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
 
     // Store a payload hash at nonce 3, then clear it.
     let nonce = 3u64;
     let payload = Bytes::from_array(env, &[0xaa, 0xbb, 0xcc]);
-    let payload_hash = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
-    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash));
+    let payload_hash = BytesN::from_array(env, &env.crypto().keccak256(&payload).to_array());
+    env.as_contract(&endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, nonce, &payload_hash)
+    });
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
     clear_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
 
-    // Clearing an older nonce should not mutate lazy_inbound_nonce.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    // Clearing an older nonce should not mutate inbound_nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), None);
 }
 
@@ -132,9 +135,9 @@ fn test_clear_payload_payload_hash_not_found_when_nonce_is_checkpointed_but_miss
     // nonce <= lazy_nonce, so clear_payload will NOT run the "has_payload for all intermediate nonces" check.
     // It should fail at the payload hash check instead.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
     });
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
 
     // No payload hash is stored for nonce 3.
     let nonce = 3u64;
@@ -188,16 +191,16 @@ fn test_clear_payload_missing_intermediate_nonce() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Store only nonce 1 and 3, skip nonce 2
+    // Store only nonce 1 and 3, skip nonce 2.
     let payload1 = Bytes::from_array(env, &[0x01]);
     let payload3 = Bytes::from_array(env, &[0x03]);
 
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    // Clearing nonce 1 advances lazy nonce from 0 -> 1.
+    // Clearing nonce 1 succeeds.
     clear_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
 
-    // Try to clear nonce 3 - should panic because nonce 2 is missing
+    // Try to clear nonce 3 - should panic because inbound_nonce is still 1 (nonce 3 is out-of-order).
     clear_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/inbound.rs

@@ -1,6 +1,6 @@
 use soroban_sdk::{testutils::Address as _, Address, BytesN};
 
-use crate::{endpoint_v2::EndpointV2, tests::endpoint_setup::setup};
+use crate::{endpoint_v2::EndpointV2, storage, tests::endpoint_setup::setup};
 
 // Internal inbound() stores payload hash per nonce and rejects empty payload hash
 #[test]
@@ -92,3 +92,96 @@ fn test_inbound_rejects_empty_payload_hash() {
         EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, nonce, &empty_hash)
     });
 }
+
+#[test]
+fn test_inbound_out_of_order_populates_pending_and_drains_when_gap_closed() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    let hash_2 = BytesN::from_array(env, &[0x22u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2, &hash_2)
+    });
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 2u64]);
+
+    let hash_1 = BytesN::from_array(env, &[0x11u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1, &hash_1)
+    });
+
+    // Gap is closed, so pending drains and inbound nonce advances to 2.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1u64), Some(hash_1));
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2));
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_inbound_rejects_nonce_beyond_pending_window() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+
+    // inbound_nonce is 0, so nonce 257 is out of range (max is 256).
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 257, &hash)
+    });
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_inbound_rejects_reverify_when_nonce_leq_inbound_and_payload_missing() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Force inbound_nonce to 1 without storing any payload hashes.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 1);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1, &hash)
+    });
+}
+
+#[test]
+fn test_inbound_allows_reverify_when_nonce_leq_inbound_and_payload_exists() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    let old_hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, 1u64, &old_hash);
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &1u64);
+    });
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1u64), Some(old_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+
+    let new_hash = BytesN::from_array(env, &[0xcdu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1u64, &new_hash)
+    });
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1u64), Some(new_hash));
+}

package/contracts/endpoint-v2/src/tests/messaging_channel/inbound_nonce.rs

@@ -1,4 +1,4 @@
-use soroban_sdk::{testutils::Address as _, Address, BytesN};
+use soroban_sdk::{testutils::Address as _, vec, Address, BytesN};
 
 use crate::tests::endpoint_setup::{setup, TestSetup};
 
@@ -25,13 +25,13 @@ fn test_inbound_nonce_initially_zero() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 0);
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
-// Lazy nonce is the baseline when there are no consecutive payload hashes
+// Stored inbound nonce is the baseline when there are no pending nonces
 #[test]
-fn test_inbound_nonce_equals_lazy_nonce_when_no_payload_hashes() {
+fn test_inbound_nonce_equals_stored_value_when_no_pending_nonces() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -40,9 +40,9 @@ fn test_inbound_nonce_equals_lazy_nonce_when_no_payload_hashes() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 5);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 5);
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
 // The inbound_nonce advances through the longest gapless consecutive sequence
@@ -56,13 +56,14 @@ fn test_inbound_nonce_advances_through_consecutive_verified_payload_hashes() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Start from lazy_nonce = 2 and add payloads at 3,4,5.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 2);
+    // Start from inbound_nonce = 2 and add payloads at 3,4,5.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 2);
     inbound_as_verified_with_fixed_hash(&context, &receiver, src_eid, &sender, 3);
     inbound_as_verified_with_fixed_hash(&context, &receiver, src_eid, &sender, 4);
     inbound_as_verified_with_fixed_hash(&context, &receiver, src_eid, &sender, 5);
 
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
 #[test]
@@ -75,12 +76,13 @@ fn test_inbound_nonce_stops_at_first_gap() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Start from lazy_nonce = 2 and add payloads at 3 and 5 (gap at 4).
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 2);
+    // Start from inbound_nonce = 2 and add payloads at 3 and 5 (gap at 4).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 2);
     inbound_as_verified_with_fixed_hash(&context, &receiver, src_eid, &sender, 3);
     inbound_as_verified_with_fixed_hash(&context, &receiver, src_eid, &sender, 5);
 
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 5u64]);
 }
 
 // Path isolation (receiver/src_eid/sender are isolated)
@@ -97,22 +99,22 @@ fn test_inbound_nonce_isolated_by_path() {
     let sender_a = BytesN::from_array(env, &[1u8; 32]);
     let sender_b = BytesN::from_array(env, &[2u8; 32]);
 
-    // Path A: lazy 10 + payload at 11 => inbound_nonce 11.
-    context.set_lazy_inbound_nonce(&receiver_a, src_eid_a, &sender_a, 10);
+    // Path A: inbound 10 + payload at 11 => inbound_nonce 11.
+    context.set_inbound_nonce(&receiver_a, src_eid_a, &sender_a, 10);
     inbound_as_verified_with_fixed_hash(&context, &receiver_a, src_eid_a, &sender_a, 11);
     assert_eq!(endpoint_client.inbound_nonce(&receiver_a, &src_eid_a, &sender_a), 11);
 
     // Path B: different receiver => independent.
-    context.set_lazy_inbound_nonce(&receiver_b, src_eid_a, &sender_a, 20);
+    context.set_inbound_nonce(&receiver_b, src_eid_a, &sender_a, 20);
     assert_eq!(endpoint_client.inbound_nonce(&receiver_b, &src_eid_a, &sender_a), 20);
 
     // Path C: different src_eid => independent (two consecutive payloads).
-    context.set_lazy_inbound_nonce(&receiver_a, src_eid_b, &sender_a, 30);
+    context.set_inbound_nonce(&receiver_a, src_eid_b, &sender_a, 30);
     inbound_as_verified_with_fixed_hash(&context, &receiver_a, src_eid_b, &sender_a, 31);
     inbound_as_verified_with_fixed_hash(&context, &receiver_a, src_eid_b, &sender_a, 32);
     assert_eq!(endpoint_client.inbound_nonce(&receiver_a, &src_eid_b, &sender_a), 32);
 
     // Path D: different sender => independent.
-    context.set_lazy_inbound_nonce(&receiver_a, src_eid_a, &sender_b, 40);
+    context.set_inbound_nonce(&receiver_a, src_eid_a, &sender_b, 40);
     assert_eq!(endpoint_client.inbound_nonce(&receiver_a, &src_eid_a, &sender_b), 40);
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/mod.rs

@@ -3,7 +3,7 @@ mod clear_payload;
 mod inbound;
 mod inbound_nonce;
 mod inbound_payload_hash;
-mod lazy_inbound_nonce;
+mod pending_inbound_nonces;
 mod next_guid;
 mod nilify;
 mod outbound;

package/contracts/endpoint-v2/src/tests/messaging_channel/nilify.rs

@@ -128,9 +128,9 @@ fn test_nilify_success_with_empty_payload() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
     let nonce = 2;
 
-    // Set lazy nonce to 1 so nonce 2 is greater than lazy nonce.
+    // Set inbound nonce to 1 so nonce 2 is the next expected nonce.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &1)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &1)
     });
 
     // Nilify with None.
@@ -147,6 +147,7 @@ fn test_nilify_success_with_empty_payload() {
     let nilified_hash = endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce);
     let expected_nil_hash = nil_hash(&context);
     assert_eq!(nilified_hash, Some(expected_nil_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }
 
 // Nilify with None counts as "verified" for inbound_nonce (but does not change lazy nonce)
@@ -161,17 +162,53 @@ fn test_nilify_with_none_advances_inbound_nonce_without_changing_lazy_nonce() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
     // Initial state.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 0);
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 
     // Nilify nonce 1 with None (non-verified nonce).
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, 1, &None);
 
     // Nilify writes a payload hash, so inbound_nonce can now advance to 1.
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_nilify_closes_gap_and_drains_pending_nonces() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
 
-    // But nilify does not update lazy_inbound_nonce.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 0);
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Force inbound nonce to 1 and create a gap by verifying nonce 3 first.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 1);
+    let payload_hash_3 = BytesN::from_array(env, &[0x33u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 3u64, &payload_hash_3)
+    });
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 3u64]
+    );
+
+    // Nilify nonce 2 with None closes the gap and should drain pending to advance inbound nonce to 3.
+    nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, 2u64, &None);
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+    assert_eq!(
+        endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64),
+        Some(nil_hash(&context))
+    );
+    assert_eq!(
+        endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &3u64),
+        Some(payload_hash_3)
+    );
 }
 
 // Nilify is allowed when nonce <= lazy nonce if a payload hash exists
@@ -187,14 +224,12 @@ fn test_nilify_allows_when_nonce_is_checkpointed_if_payload_exists() {
     let nonce = 5u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // Checkpoint past the target nonce.
+    // Advance inbound nonce past the target nonce and store a payload hash at nonce 5.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &10)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &10);
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, nonce, &payload_hash);
     });
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 10);
-
-    // Store a verified payload hash at nonce 5.
-    context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 10);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
     // Even though nonce <= lazy_nonce, this should succeed because a payload hash exists.
@@ -430,9 +465,9 @@ fn test_nilify_invalid_nonce_when_already_checkpointed_without_payload() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
     let nonce = 1u64;
 
-    // Set lazy nonce to 1 and ensure there is NO payload for nonce 1.
+    // Set inbound nonce to 1 and ensure there is NO payload for nonce 1.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &1)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &1)
     });
 
     let result = try_nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &None);

package/contracts/endpoint-v2/src/tests/messaging_channel/pending_inbound_nonces.rs

@@ -0,0 +1,111 @@
+use soroban_sdk::{testutils::Address as _, vec, Address, BytesN};
+
+use crate::{endpoint_v2::EndpointV2, tests::endpoint_setup::setup};
+
+#[test]
+fn test_pending_inbound_nonces_initially_empty() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+}
+
+#[test]
+fn test_pending_inbound_nonces_sorted_and_no_duplicates() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    let hash_5 = BytesN::from_array(env, &[0x05u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 5u64, &hash_5)
+    });
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 5u64]);
+
+    let hash_2 = BytesN::from_array(env, &[0x02u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2)
+    });
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 2u64, 5u64]);
+
+    let hash_4 = BytesN::from_array(env, &[0x04u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 4u64, &hash_4)
+    });
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 2u64, 4u64, 5u64]);
+
+    // Re-verify the same nonce should not duplicate it in the pending list.
+    let hash_4b = BytesN::from_array(env, &[0x44u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 4u64, &hash_4b)
+    });
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 2u64, 4u64, 5u64]);
+}
+
+#[test]
+fn test_pending_inbound_nonces_drains_when_consecutive_sequence_completed() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    let hash_2 = BytesN::from_array(env, &[0x02u8; 32]);
+    let hash_3 = BytesN::from_array(env, &[0x03u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2);
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 3u64, &hash_3);
+    });
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), vec![env, 2u64, 3u64]);
+
+    // Inserting nonce 1 closes the gap, so pending drains and inbound nonce advances to 3.
+    let hash_1 = BytesN::from_array(env, &[0x01u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1u64, &hash_1)
+    });
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_pending_inbound_nonces_isolated_by_path() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver_a = Address::generate(env);
+    let receiver_b = Address::generate(env);
+    let src_eid_a = 2u32;
+    let src_eid_b = 3u32;
+    let sender_a = BytesN::from_array(env, &[1u8; 32]);
+    let sender_b = BytesN::from_array(env, &[2u8; 32]);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver_a, src_eid_a, &sender_a, 2u64, &hash);
+        EndpointV2::inbound_for_test(env, &receiver_b, src_eid_a, &sender_a, 2u64, &hash);
+        EndpointV2::inbound_for_test(env, &receiver_a, src_eid_b, &sender_a, 2u64, &hash);
+        EndpointV2::inbound_for_test(env, &receiver_a, src_eid_a, &sender_b, 2u64, &hash);
+    });
+
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver_a, &src_eid_a, &sender_a), vec![env, 2u64]);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver_b, &src_eid_a, &sender_a), vec![env, 2u64]);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver_a, &src_eid_b, &sender_a), vec![env, 2u64]);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver_a, &src_eid_a, &sender_b), vec![env, 2u64]);
+}
+