@layerzerolabs/protocol-stellar-v2 0.2.34 → 0.2.35

package/contracts/endpoint-v2/src/tests/messaging_channel/skip.rs

@@ -53,7 +53,7 @@ fn test_skip_requires_auth_even_when_caller_is_receiver() {
     endpoint_client.skip(&receiver, &receiver, &src_eid, &sender, &nonce);
 }
 
-// Successful skip updates inbound/lazy nonces and emits InboundNonceSkipped
+// Successful skip updates inbound nonce and emits InboundNonceSkipped
 #[test]
 fn test_skip_success() {
     let context = setup();
@@ -65,13 +65,10 @@ fn test_skip_success() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
     let nonce = 1;
 
-    // Verify initial state: lazy inbound nonce should be 0.
-    let initial_lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(initial_lazy_nonce, 0, "Initial lazy inbound nonce should be 0");
-
     // Initially, inbound nonce should be 0.
     let initial_nonce = endpoint_client.inbound_nonce(&receiver, &src_eid, &sender);
     assert_eq!(initial_nonce, 0);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 
     // Skip nonce 1 (expected nonce is initial_nonce + 1 = 1).
     skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce);
@@ -86,10 +83,7 @@ fn test_skip_success() {
     // Verify inbound nonce reflects the skip via public interface.
     let updated_nonce = endpoint_client.inbound_nonce(&receiver, &src_eid, &sender);
     assert_eq!(updated_nonce, nonce);
-
-    // Verify lazy inbound nonce was updated.
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, nonce);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
 // Multiple sequential skips update to the latest nonce
@@ -111,13 +105,10 @@ fn test_skip_multiple_nonces() {
     let nonce2 = 2;
     skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce2);
 
-    // Verify lazy inbound nonce was updated to nonce2.
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, nonce2);
-
     // Verify inbound nonce reflects the latest skip.
     let updated_nonce = endpoint_client.inbound_nonce(&receiver, &src_eid, &sender);
     assert_eq!(updated_nonce, nonce2);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
 // Delegate authorization (delegate(receiver) is allowed)
@@ -146,9 +137,8 @@ fn test_skip_with_delegate() {
         InboundNonceSkipped { src_eid, sender: sender.clone(), receiver: receiver.clone(), nonce },
     );
 
-    // Verify lazy inbound nonce was updated.
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }
 
 // Path isolation (receiver/src_eid/sender are isolated)
@@ -176,11 +166,11 @@ fn test_skip_different_paths() {
     // Skip for different senders.
     skip_with_auth(&context, &receiver1, &receiver1, src_eid1, &sender2, nonce);
 
-    // Verify all paths have independent lazy nonces.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver1, &src_eid1, &sender1), nonce);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver2, &src_eid1, &sender1), nonce);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver1, &src_eid2, &sender1), nonce);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver1, &src_eid1, &sender2), nonce);
+    // Verify all paths have independent inbound nonces.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver1, &src_eid1, &sender1), nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver2, &src_eid1, &sender1), nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver1, &src_eid2, &sender1), nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver1, &src_eid1, &sender2), nonce);
 }
 
 // Invalid nonce rejection (must match expected nonce)
@@ -224,10 +214,10 @@ fn test_skip_next_nonce_accounts_for_verified_payload_hashes() {
     let result = endpoint_client.try_skip(&receiver, &receiver, &src_eid, &sender, &1);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::InvalidNonce.into());
 
-    // Skipping 2 should succeed and advance lazy inbound nonce to 2.
+    // Skipping 2 should succeed and advance inbound nonce to 2.
     skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, 2);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 
     // skip() does not clear any existing payload hashes.
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1), Some(payload_hash_1));
@@ -251,8 +241,8 @@ fn test_skip_closes_gap_and_advances_inbound_nonce() {
 
     // Skip nonce 1 to close the gap. This should allow inbound_nonce to advance to 2.
     skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, 1);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 1);
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 
     // Payload hash at nonce 2 remains intact.
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(payload_hash_2));
@@ -271,7 +261,7 @@ fn test_skip_rejects_repeated_same_nonce() {
 
     // Skip nonce 1 successfully.
     skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, 1);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 
     // Skipping nonce 1 again should fail since the next expected nonce is now 2.
     context.mock_auth(&receiver, "skip", (&receiver, &receiver, &src_eid, &sender, &1u64));

package/contracts/layerzero-views/src/layerzero_view.rs

@@ -104,9 +104,9 @@ impl LayerZeroView {
         let empty_hash = empty_payload_hash(env);
         let nil_hash = nil_payload_hash(env);
 
-        // Executed: payload hash has been cleared (None) and nonce <= lazy_inbound_nonce
+        // Executed: payload hash has been cleared (None) and nonce <= inbound_nonce
         if payload_hash.is_none()
-            && origin.nonce <= messaging_channel.lazy_inbound_nonce(receiver, &origin.src_eid, &origin.sender)
+            && origin.nonce <= messaging_channel.inbound_nonce(receiver, &origin.src_eid, &origin.sender)
         {
             return ExecutionState::Executed;
         }

package/contracts/layerzero-views/src/tests/layerzero_view_tests.rs

@@ -206,9 +206,9 @@ fn test_executable_state_executed() {
     let receiver = test_setup.register_oapp();
     let sender = soroban_sdk::Address::generate(&test_setup.env);
 
-    // Clear payload hash (None) and set lazy_inbound_nonce >= nonce = Executed
+    // Clear payload hash (None) and set inbound_nonce >= nonce = Executed
     test_setup.set_payload_hash(&receiver, REMOTE_EID, &sender, 1, &None);
-    test_setup.set_lazy_inbound_nonce(&receiver, REMOTE_EID, &sender, 1);
+    test_setup.set_inbound_nonce(&receiver, REMOTE_EID, &sender, 1);
 
     let origin = Origin { src_eid: REMOTE_EID, sender: address_to_bytes32(&sender), nonce: 1 };
 
@@ -262,9 +262,8 @@ fn test_executable_multiple_nonces_in_sequence() {
     assert_eq!(test_setup.view_client.executable(&origin_2, &receiver), ExecutionState::VerifiedButNotExecutable);
     assert_eq!(test_setup.view_client.executable(&origin_3, &receiver), ExecutionState::VerifiedButNotExecutable);
 
-    // Now execute nonce 1 (set lazy_inbound_nonce)
+    // Now execute nonce 1 (clear payload hash, advance inbound_nonce)
     test_setup.set_payload_hash(&receiver, REMOTE_EID, &sender, 1, &None);
-    test_setup.set_lazy_inbound_nonce(&receiver, REMOTE_EID, &sender, 1);
     test_setup.set_inbound_nonce(&receiver, REMOTE_EID, &sender, 2);
 
     assert_eq!(test_setup.view_client.executable(&origin_1, &receiver), ExecutionState::Executed);

package/contracts/layerzero-views/src/tests/setup.rs

@@ -30,7 +30,6 @@ mod endpoint_storage {
         Initializable(Address, u32, BytesN<32>),
         Verifiable(Address, u32, BytesN<32>),
         // State for executable tests
-        LazyInboundNonce(Address, u32, BytesN<32>),
         InboundNonce(Address, u32, BytesN<32>),
         InboundPayloadHash(Address, u32, BytesN<32>, u64),
         ReceiveLibrary(Address, u32),
@@ -91,13 +90,6 @@ impl MockEndpoint {
             .set(&endpoint_storage::MockEndpointStorage::Verifiable(receiver.clone(), *src_eid, sender.clone()), value);
     }
 
-    pub fn set_lazy_inbound_nonce(env: &Env, receiver: &Address, src_eid: &u32, sender: &BytesN<32>, nonce: &u64) {
-        env.storage().persistent().set(
-            &endpoint_storage::MockEndpointStorage::LazyInboundNonce(receiver.clone(), *src_eid, sender.clone()),
-            nonce,
-        );
-    }
-
     pub fn set_inbound_nonce(env: &Env, receiver: &Address, src_eid: &u32, sender: &BytesN<32>, nonce: &u64) {
         env.storage().persistent().set(
             &endpoint_storage::MockEndpointStorage::InboundNonce(receiver.clone(), *src_eid, sender.clone()),
@@ -135,13 +127,6 @@ impl MockEndpoint {
     // Getters required by LayerZeroView
     // =========================================================================
 
-    pub fn lazy_inbound_nonce(env: &Env, receiver: &Address, src_eid: &u32, sender: &BytesN<32>) -> u64 {
-        env.storage()
-            .persistent()
-            .get(&endpoint_storage::MockEndpointStorage::LazyInboundNonce(receiver.clone(), *src_eid, sender.clone()))
-            .unwrap_or(0)
-    }
-
     pub fn inbound_nonce(env: &Env, receiver: &Address, src_eid: &u32, sender: &BytesN<32>) -> u64 {
         env.storage()
             .persistent()
@@ -282,12 +267,6 @@ impl<'a> TestSetup<'a> {
         self.endpoint_client.set_verifiable(receiver, &src_eid, &sender_bytes32, &value);
     }
 
-    /// Set lazy inbound nonce (marks messages up to this nonce as processed).
-    pub fn set_lazy_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &Address, nonce: u64) {
-        let sender_bytes32 = address_to_bytes32(sender);
-        self.endpoint_client.set_lazy_inbound_nonce(receiver, &src_eid, &sender_bytes32, &nonce);
-    }
-
     /// Set inbound nonce (marks messages up to this nonce as verified and executable).
     pub fn set_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &Address, nonce: u64) {
         let sender_bytes32 = address_to_bytes32(sender);

package/contracts/message-libs/blocked-message-lib/src/lib.rs

@@ -15,12 +15,12 @@
 #[cfg(test)]
 mod tests;
 
-use common_macros::{contract_error, contract_impl};
+use common_macros::contract_error;
 use endpoint_v2::{
     FeesAndPacket, IMessageLib, ISendLib, MessageLibType, MessageLibVersion, MessagingFee, OutboundPacket,
     SetConfigParam,
 };
-use soroban_sdk::{contract, panic_with_error, Address, Bytes, Env, Vec};
+use soroban_sdk::{contract, contractimpl, panic_with_error, Address, Bytes, Env, Vec};
 
 #[contract_error]
 pub enum BlockedMessageLibError {
@@ -31,7 +31,7 @@ pub enum BlockedMessageLibError {
 #[contract]
 pub struct BlockedMessageLib;
 
-#[contract_impl]
+#[contractimpl]
 impl IMessageLib for BlockedMessageLib {
     /// Always panics - config modification is not supported.
     fn set_config(env: &Env, _oapp: &Address, _param: &Vec<SetConfigParam>) {
@@ -59,7 +59,7 @@ impl IMessageLib for BlockedMessageLib {
     }
 }
 
-#[contract_impl]
+#[contractimpl]
 impl ISendLib for BlockedMessageLib {
     /// Always panics - quoting is blocked.
     fn quote(env: &Env, _packet: &OutboundPacket, _options: &Bytes, _pay_in_zro: bool) -> MessagingFee {

package/contracts/message-libs/uln-302/src/send_uln.rs

@@ -45,7 +45,7 @@ impl ISendLib for Uln302 {
 
         // Treasury fee
         let workers_fee = executor_fee + dvns_fee;
-        let (_, treasury_fee) = Self::quote_treasury(env, &packet.sender, packet.dst_eid, &workers_fee, &pay_in_zro);
+        let (_, treasury_fee) = Self::quote_treasury(env, &packet.sender, packet.dst_eid, workers_fee, pay_in_zro);
 
         if pay_in_zro {
             MessagingFee { native_fee: workers_fee, zro_fee: treasury_fee }
@@ -91,7 +91,7 @@ impl ISendLib for Uln302 {
         // Treasury fee
         let total_worker_fee = native_fee_recipients.iter().map(|fee| fee.amount).sum();
         let (treasury_addr, treasury_fee) =
-            Self::quote_treasury(env, &packet.sender, packet.dst_eid, &total_worker_fee, &pay_in_zro);
+            Self::quote_treasury(env, &packet.sender, packet.dst_eid, total_worker_fee, pay_in_zro);
 
         // Handle ZRO fee recipients
         let mut zro_fee_recipients = vec![env];
@@ -280,12 +280,12 @@ impl Uln302 {
         env: &Env,
         sender: &Address,
         dst_eid: u32,
-        workers_fee: &i128,
-        pay_in_zro: &bool,
+        workers_fee: i128,
+        pay_in_zro: bool,
     ) -> (Address, i128) {
         let treasury_addr = Self::treasury(env);
         let treasury_fee =
-            LayerZeroTreasuryClient::new(env, &treasury_addr).get_fee(sender, &dst_eid, workers_fee, pay_in_zro);
+            LayerZeroTreasuryClient::new(env, &treasury_addr).get_fee(sender, &dst_eid, &workers_fee, &pay_in_zro);
         assert_with_error!(env, treasury_fee >= 0, Uln302Error::InvalidFee);
         (treasury_addr, treasury_fee)
     }

package/contracts/oapps/counter/src/counter.rs

@@ -67,6 +67,12 @@ impl Counter {
         }
     }
 
+    #[only_auth]
+    pub fn withdraw(env: &Env, to: &Address, amount: i128) {
+        let native_token = LayerZeroEndpointV2Client::new(env, &Self::endpoint(env)).native_token();
+        TokenClient::new(env, &native_token).transfer(&env.current_contract_address(), to, &amount);
+    }
+
     // ============================================================================================
     // View functions
     // ============================================================================================

package/contracts/oapps/oapp/src/oapp_sender.rs

@@ -3,7 +3,7 @@ use crate::{
     oapp_core::{endpoint_client, get_peer_or_panic, OAppCore},
 };
 use endpoint_v2::{MessagingFee, MessagingParams, MessagingReceipt};
-use soroban_sdk::{token::TokenClient, Address, Bytes, Env};
+use soroban_sdk::{contracttype, token::TokenClient, Address, Bytes, Env};
 use utils::option_ext::OptionExt;
 
 /// The version of the OAppSender implementation.
@@ -22,7 +22,8 @@ pub const SENDER_VERSION: u64 = 1;
 /// - `Verified` — Caller asserts that `require_auth()` has already been called.
 ///   Use this to avoid a duplicate `require_auth()` node in the Soroban auth tree
 ///   (e.g., when the same address was already authorized as the message sender).
-#[derive(Clone)]
+#[contracttype]
+#[derive(Clone, Debug, Eq, PartialEq)]
 pub enum FeePayer {
     /// The fee payer has **not** been authorized yet.
     /// `__lz_send` will call `fee_payer.require_auth()` before transferring fees.

package/contracts/oapps/oft/src/extensions/oft_fee.rs

@@ -122,6 +122,11 @@ pub trait OFTFee: OFTFeeInternal + Auth {
         Self::__effective_fee_bps(env, dst_eid)
     }
 
+    /// Returns true if the OFT has a fee rate greater than 0 for the specified destination
+    fn has_oft_fee(env: &soroban_sdk::Env, dst_eid: u32) -> bool {
+        Self::__effective_fee_bps(env, dst_eid) > 0
+    }
+
     /// Returns the fee deposit address.
     fn fee_deposit_address(env: &soroban_sdk::Env) -> Option<soroban_sdk::Address> {
         Self::__fee_deposit_address(env)

package/contracts/oapps/oft/src/oft.rs

@@ -80,21 +80,22 @@ impl OFTInternal for OFT {
     /// Overrides default to add pausable check and fee calculation.
     ///
     /// Dust handling (consistent with EVM):
-    /// - fee = 0: dust stays with sender (amount_sent_ld has dust removed)
-    /// - fee > 0: dust is absorbed into the charged fee (amount_sent_ld is the full amount)
+    /// - no fee: dust stays with sender (amount_sent_ld has dust removed)
+    /// - has fee: dust is absorbed into the charged fee (amount_sent_ld is the full amount)
     fn __debit_view(env: &Env, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> (i128, i128) {
         Self::__assert_not_paused(env);
 
         let conversion_rate = Self::__decimal_conversion_rate(env);
-        let fee = Self::__fee_view(env, dst_eid, amount_ld);
+        let has_fee = Self::has_oft_fee(env, dst_eid);
 
-        let (amount_sent_ld, amount_received_ld) = if fee == 0 {
+        let (amount_sent_ld, amount_received_ld) = if !has_fee {
             // No fee: dust stays with sender (default OFT behavior)
             let amount_sent_ld = oft_utils::remove_dust(amount_ld, conversion_rate);
             (amount_sent_ld, amount_sent_ld)
         } else {
             // With fee: match EVM OFTFee behavior
             // - sender pays full amount_ld (no dust removed), dust is absorbed into the charged fee
+            let fee = Self::__fee_view(env, dst_eid, amount_ld);
             let amount_received_ld = oft_utils::remove_dust(amount_ld - fee, conversion_rate);
             (amount_ld, amount_received_ld)
         };

package/docs/layerzero-v2-on-stellar.md

@@ -221,12 +221,16 @@ sequenceDiagram
 
 ## Stellar-specific considerations
 
-Two core differences between Soroban and EVM require protocol-level adaptations:
+Several differences between Soroban and EVM require protocol-level adaptations:
 
 1. Stellar's variable-length address model differs from LayerZero's fixed
    bytes32 address abstraction
 2. Soroban's Time-To-Live (TTL)-based storage model requires active state
    maintenance, unlike EVM's persistent storage
+3. Soroban's 200-read-per-transaction storage limit makes the lazy inbound
+   nonce model susceptible to denial-of-service for certain OApps
+4. Soroban prohibits reentrancy, requiring alternative patterns for cross-contract
+   call flows
 
 ### Constraint 1: bytes32 address format mismatch
 
@@ -296,7 +300,47 @@ constraints may evolve.
 - Hard upper cap on extension targets (e.g., 1 year) to prevent excessive fees
 - TTL parameters can be permanently frozen once the ecosystem stabilizes
 
-### Constraint 3: Reentrancy prohibition
+### Constraint 3: Storage read limits
+
+Soroban enforces a hard limit of 200 persistent/temporary storage reads per
+transaction. Under the lazy inbound nonce model used in EVM, the `inbound_nonce`
+is not stored directly — it is computed on the fly by iterating forward from the
+last checkpoint (`lazy_inbound_nonce`) and probing storage for each consecutive
+payload hash. The same iterative check occurs during `clear`, which must verify
+that all nonces between the checkpoint and the target nonce have been verified.
+
+For certain OApps, failed `lz_receive` executions can create nonce gaps that
+grow over time. Under the lazy model, clearing subsequent messages requires
+iterating across these gaps, and the accumulated storage reads can exceed the
+200-read limit, making the messaging path susceptible to denial-of-service.
+
+**Solution: Eager inbound nonce with pending nonce list (Solana model)**
+
+Stellar adopts the same inbound nonce model used by LayerZero V2 on Solana.
+Instead of lazily computing the inbound nonce via storage probing, the
+`inbound_nonce` is stored directly and updated eagerly during verification:
+
+1. **`PendingInboundNonces`**: A sorted list of out-of-order verified nonces is
+   maintained in a single storage entry per path. When a message is verified
+   (or skipped/nilified), its nonce is inserted into this list.
+
+2. **Drain on insert**: After each insertion, consecutive nonces at the front of
+   the list are drained to advance the `inbound_nonce`. For example, if
+   `inbound_nonce = 3` and the pending list becomes `[4, 5, 7]`, nonces 4 and 5
+   are drained, advancing `inbound_nonce` to 5.
+
+3. **O(1) clear**: The `clear_payload` operation becomes a simple comparison
+   (`nonce <= inbound_nonce`) with no iteration or storage probing.
+
+4. **Bounded list size**: The pending list is capped at 256 entries
+   (`PENDING_INBOUND_NONCE_MAX_LEN`). Nonces beyond `inbound_nonce + 256`
+   cannot be verified, preventing unbounded memory growth and limiting the
+   maximum storage reads per verify operation.
+
+This eliminates the iterative storage reads that could cause DoS under the lazy
+model, keeping all operations within Soroban's transaction resource limits.
+
+### Constraint 4: Reentrancy prohibition
 
 Soroban prohibits reentrancy—a contract cannot call itself, directly or
 indirectly, within the same transaction. This fundamental difference from EVM

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@layerzerolabs/protocol-stellar-v2",
-  "version": "0.2.34",
+  "version": "0.2.35",
   "private": false,
   "devDependencies": {
     "@types/node": "^22.18.6",
     "tsx": "^4.19.3",
     "typescript": "^5.8.2",
-    "@layerzerolabs/common-node-utils": "0.2.34",
-    "@layerzerolabs/vm-tooling-stellar": "0.2.34"
+    "@layerzerolabs/common-node-utils": "0.2.35",
+    "@layerzerolabs/vm-tooling-stellar": "0.2.35"
   },
   "publishConfig": {
     "access": "restricted",