@layerzerolabs/protocol-stellar-v2 0.2.34 → 0.2.36

package/contracts/endpoint-v2/src/messaging_channel.rs

@@ -7,7 +7,7 @@ use crate::{
     util::{compute_guid, keccak256},
 };
 use common_macros::contract_impl;
-use soroban_sdk::{assert_with_error, Address, Bytes, BytesN, Env};
+use soroban_sdk::{assert_with_error, Address, Bytes, BytesN, Env, Vec};
 
 /// Represents an empty payload hash (equivalent to bytes32(uint256(0)) in Solidity)
 const EMPTY_PAYLOAD_HASH_BYTES: [u8; 32] = [0u8; 32];
@@ -15,6 +15,9 @@ const EMPTY_PAYLOAD_HASH_BYTES: [u8; 32] = [0u8; 32];
 /// Represents a nilified payload hash (equivalent to bytes32(type(uint256).max) in Solidity)
 const NIL_PAYLOAD_HASH_BYTES: [u8; 32] = [0xffu8; 32];
 
+/// Max number of out-of-order nonces in the pending list.
+pub(super) const PENDING_INBOUND_NONCE_MAX_LEN: u64 = 256;
+
 #[contract_impl]
 impl IMessagingChannel for EndpointV2 {
     /// Skips the next expected inbound nonce without verifying.
@@ -25,7 +28,7 @@ impl IMessagingChannel for EndpointV2 {
 
         let next_nonce = Self::inbound_nonce(env, receiver, src_eid, sender) + 1;
         assert_with_error!(env, nonce == next_nonce, EndpointError::InvalidNonce);
-        EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &nonce);
+        Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
 
         InboundNonceSkipped { src_eid, sender: sender.clone(), receiver: receiver.clone(), nonce }.publish(env);
     }
@@ -45,10 +48,14 @@ impl IMessagingChannel for EndpointV2 {
         Self::require_oapp_auth(env, caller, receiver);
 
         let cur_payload_hash = Self::inbound_payload_hash(env, receiver, src_eid, sender, nonce);
-        let lazy_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
 
         assert_with_error!(env, payload_hash == &cur_payload_hash, EndpointError::PayloadHashNotFound);
-        assert_with_error!(env, nonce > lazy_nonce || cur_payload_hash.is_some(), EndpointError::InvalidNonce);
+        assert_with_error!(env, nonce > inbound_nonce || cur_payload_hash.is_some(), EndpointError::InvalidNonce);
+
+        if nonce > inbound_nonce {
+            Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
+        }
         EndpointStorage::set_inbound_payload_hash(env, receiver, src_eid, sender, nonce, &Self::nil_payload_hash(env));
 
         PacketNilified {
@@ -77,9 +84,9 @@ impl IMessagingChannel for EndpointV2 {
         let cur_payload_hash = Self::inbound_payload_hash(env, receiver, src_eid, sender, nonce);
         assert_with_error!(env, cur_payload_hash.as_ref() == Some(payload_hash), EndpointError::PayloadHashNotFound);
 
-        // Check if nonce is at or below the lazy nonce
-        let lazy_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-        assert_with_error!(env, nonce <= lazy_nonce, EndpointError::InvalidNonce);
+        // Check if nonce is at or below the inbound nonce
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(env, nonce <= inbound_nonce, EndpointError::InvalidNonce);
 
         // Remove the payload hash from storage
         EndpointStorage::remove_inbound_payload_hash(env, receiver, src_eid, sender, nonce);
@@ -112,25 +119,15 @@ impl IMessagingChannel for EndpointV2 {
     /// Returns the max index of the longest gapless sequence of verified message nonces.
     ///
     /// The uninitialized value is 0. The first nonce is always 1.
-    /// It starts from the `lazy_inbound_nonce` (last checkpoint) and iteratively checks
-    /// if the next nonce has been verified.
     ///
     /// Note: OApp explicitly skipped nonces count as "verified" for these purposes.
-    ///
-    /// Examples: `[1,2,3,4,6,7] => 4`, `[1,2,6,8,10] => 2`, `[1,3,4,5,6] => 1`
     fn inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64 {
-        let mut nonce_cursor = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-
-        // Find the effective inbound current nonce
-        while EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, nonce_cursor + 1) {
-            nonce_cursor += 1;
-        }
-        nonce_cursor
+        EndpointStorage::inbound_nonce(env, receiver, src_eid, sender)
     }
 
-    /// Returns the lazy inbound nonce (last checkpoint) for a specific path.
-    fn lazy_inbound_nonce(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> u64 {
-        EndpointStorage::lazy_inbound_nonce(env, receiver, src_eid, sender)
+    /// Returns the pending inbound nonces for a specific path.
+    fn pending_inbound_nonces(env: &Env, receiver: &Address, src_eid: u32, sender: &BytesN<32>) -> Vec<u64> {
+        EndpointStorage::pending_inbound_nonces(env, receiver, src_eid, sender)
     }
 
     /// Returns the payload hash for a specific inbound nonce.
@@ -162,9 +159,8 @@ impl EndpointV2 {
 
     /// Records an inbound message payload hash for a specific nonce on a specific path.
     ///
-    /// Inbound won't update the nonce eagerly to allow unordered verification.
-    /// Instead, it will update the nonce lazily when the message is received.
-    /// Messages can only be cleared in order to preserve censorship-resistance.
+    /// When nonce > inbound_nonce, inserts into the pending list and drains consecutive
+    /// nonces to update the effective inbound nonce.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
@@ -181,22 +177,27 @@ impl EndpointV2 {
         payload_hash: &BytesN<32>,
     ) {
         assert_with_error!(env, payload_hash != &Self::empty_payload_hash(env), EndpointError::InvalidPayloadHash);
+
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+
+        // Only allow to verify new nonces or re-verify unexecuted nonces.
+        assert_with_error!(
+            env,
+            nonce > inbound_nonce || EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, nonce),
+            EndpointError::InvalidNonce
+        );
+
+        if nonce > inbound_nonce {
+            Self::insert_and_drain_pending_nonces(env, receiver, src_eid, sender, nonce);
+        }
+
         EndpointStorage::set_inbound_payload_hash(env, receiver, src_eid, sender, nonce, payload_hash);
     }
 
-    /// Clears a stored message payload and increments the lazy inbound nonce.
-    ///
-    /// Calling this function will clear the stored message and increment the
-    /// `lazy_inbound_nonce` to the provided nonce.
+    /// Clears a stored message payload.
     ///
-    /// Note: This function does not change `inbound_nonce`, it only changes
-    /// the `lazy_inbound_nonce` up to the provided nonce.
-    ///
-    /// # EVM Alignment
-    /// This implementation aligns with the EVM endpoint behavior. Executors should call
-    /// `clear` from lower nonce to higher nonce sequentially. This ensures the range check
-    /// `(current_nonce + 1..=nonce)` remains small, avoiding long iteration when verifying
-    /// that all intermediate nonces have been verified.
+    /// Requires nonce <= inbound_nonce (no iteration, O(1) check). The inbound_nonce
+    /// is updated during verify when consecutive nonces are drained from the pending list.
     ///
     /// # Arguments
     /// * `receiver` - The receiver OApp address
@@ -212,15 +213,8 @@ impl EndpointV2 {
         nonce: u64,
         payload: &Bytes,
     ) {
-        let current_nonce = Self::lazy_inbound_nonce(env, receiver, src_eid, sender);
-
-        // Try to update the lazy inbound nonce until the target nonce
-        if nonce > current_nonce {
-            let has_payload = (current_nonce + 1..=nonce)
-                .all(|n| EndpointStorage::has_inbound_payload_hash(env, receiver, src_eid, sender, n));
-            assert_with_error!(env, has_payload, EndpointError::InvalidNonce);
-            EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &nonce);
-        }
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(env, nonce <= inbound_nonce, EndpointError::InvalidNonce);
 
         // Check the hash of the payload to verify the executor has given the proper payload that has been verified
         let actual_hash = keccak256(env, payload);
@@ -231,6 +225,45 @@ impl EndpointV2 {
         EndpointStorage::remove_inbound_payload_hash(env, receiver, src_eid, sender, nonce);
     }
 
+    /// Inserts a nonce into a sorted pending list, then drains consecutive nonces from the front
+    /// to advance `inbound_nonce`.
+    ///
+    /// Bounded by `PENDING_INBOUND_NONCE_MAX_LEN` to prevent DDoS via unbounded list growth.
+    fn insert_and_drain_pending_nonces(
+        env: &Env,
+        receiver: &Address,
+        src_eid: u32,
+        sender: &BytesN<32>,
+        new_nonce: u64,
+    ) {
+        let inbound_nonce = Self::inbound_nonce(env, receiver, src_eid, sender);
+        assert_with_error!(
+            env,
+            new_nonce > inbound_nonce && new_nonce <= inbound_nonce + PENDING_INBOUND_NONCE_MAX_LEN,
+            EndpointError::InvalidNonce
+        );
+
+        let mut pending_nonces = Self::pending_inbound_nonces(env, receiver, src_eid, sender);
+
+        // Allow to re-verify at the same nonce and insert the new nonce if it doesn't already exist.
+        // When the binary_search returns an error, the nonce is not in the list and should be inserted.
+        if let Err(i) = pending_nonces.binary_search(new_nonce) {
+            pending_nonces.insert(i, new_nonce);
+
+            // Drain consecutive nonces from the front to advance the inbound nonce
+            let mut new_inbound_nonce = inbound_nonce;
+            while !pending_nonces.is_empty() && pending_nonces.first_unchecked() == new_inbound_nonce + 1 {
+                new_inbound_nonce = pending_nonces.pop_front_unchecked();
+            }
+
+            // Update the pending nonces and inbound nonce if needed
+            EndpointStorage::set_pending_inbound_nonces(env, receiver, src_eid, sender, &pending_nonces);
+            if new_inbound_nonce > inbound_nonce {
+                EndpointStorage::set_inbound_nonce(env, receiver, src_eid, sender, &new_inbound_nonce);
+            }
+        }
+    }
+
     /// Represents an empty payload hash
     fn empty_payload_hash(env: &Env) -> BytesN<32> {
         BytesN::from_array(env, &EMPTY_PAYLOAD_HASH_BYTES)

package/contracts/endpoint-v2/src/storage.rs

@@ -1,6 +1,6 @@
 use crate::Timeout;
 use common_macros::storage;
-use soroban_sdk::{Address, BytesN};
+use soroban_sdk::{Address, BytesN, Vec};
 
 #[storage]
 pub enum EndpointStorage {
@@ -24,10 +24,15 @@ pub enum EndpointStorage {
     /// Messaging Channel
     /// ============================================================================================
 
-    /// The lazy inbound nonce for a receiver
+    /// Sorted list of out-of-order verified nonces
+    #[persistent(Vec<u64>)]
+    #[default(Vec::new(env))]
+    PendingInboundNonces { receiver: Address, src_eid: u32, sender: BytesN<32> },
+
+    /// The current inbound nonce for a receiver
     #[persistent(u64)]
     #[default(0)]
-    LazyInboundNonce { receiver: Address, src_eid: u32, sender: BytesN<32> },
+    InboundNonce { receiver: Address, src_eid: u32, sender: BytesN<32> },
 
     /// The inbound payload hash for a receiver
     #[persistent(BytesN<32>)]

package/contracts/endpoint-v2/src/tests/endpoint_setup.rs

@@ -270,11 +270,11 @@ impl<'a> TestSetup<'a> {
         self.endpoint_client.send_compose(from, to, guid, &index, message);
     }
 
-    pub fn set_lazy_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &BytesN<32>, lazy_nonce: u64) {
+    pub fn set_inbound_nonce(&self, receiver: &Address, src_eid: u32, sender: &BytesN<32>, inbound_nonce: u64) {
         let env = &self.env;
         let endpoint_client = &self.endpoint_client;
         env.as_contract(&endpoint_client.address, || {
-            storage::EndpointStorage::set_lazy_inbound_nonce(env, receiver, src_eid, sender, &lazy_nonce)
+            storage::EndpointStorage::set_inbound_nonce(env, receiver, src_eid, sender, &inbound_nonce)
         });
     }
 

package/contracts/endpoint-v2/src/tests/endpoint_v2/clear.rs

@@ -119,9 +119,9 @@ fn test_clear_emits_packet_delivered_event() {
     assert_eq_event(env, &endpoint_client.address, PacketDelivered { origin: origin.clone(), receiver: receiver.clone() });
 }
 
-// Lazy inbound nonce updates
+// Inbound nonce is advanced during verify, not during clear
 #[test]
-fn test_clear_updates_lazy_inbound_nonce() {
+fn test_clear_does_not_change_inbound_nonce() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -136,15 +136,13 @@ fn test_clear_updates_lazy_inbound_nonce() {
     let (_receive_lib, origin, _payload_hash) =
         arrange_verified_packet_with_auth(&context, src_eid, &sender, &receiver, nonce, &guid, &message);
 
-    // Verify initial lazy inbound nonce
-    let initial_lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(initial_lazy_nonce, 0, "Initial lazy inbound nonce should be 0");
+    // Verify advanced inbound nonce (happens during verify).
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 
     clear_packet_with_auth(&context, &receiver, &origin, &receiver, &guid, &message);
 
-    // Verify lazy inbound nonce was updated via public interface
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, nonce);
+    // Clear does not advance inbound nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 }
 
 // Sequential nonce behavior
@@ -179,9 +177,8 @@ fn test_clear_success_sequential_nonces_update_lazy_nonce_to_latest() {
     verify_packet_with_auth(&context, &receive_lib, &origin2, &receiver, &payload_hash2);
     clear_packet_with_auth(&context, &receiver, &origin2, &receiver, &guid2, &message2);
 
-    // Verify lazy inbound nonce was updated to 2
-    let lazy_nonce = endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender);
-    assert_eq!(lazy_nonce, 2);
+    // Verify advanced inbound nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }
 
 // Authorization
@@ -410,11 +407,11 @@ fn test_clear_does_not_advance_lazy_nonce_when_clearing_older_nonce() {
     let origin2 = Origin { src_eid, sender: sender.clone(), nonce: 2 };
     verify_packet_with_auth(&context, &receive_lib, &origin2, &receiver, &payload_hash2);
 
-    // Clear nonce 2 first (this advances lazy nonce to 2 because nonce 1..=2 are present).
+    // Clear nonce 2 first. This does not advance inbound nonce (it was advanced during verify).
     clear_packet_with_auth(&context, &receiver, &origin2, &receiver, &guid2, &message2);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 
-    // Clearing an older nonce should not change lazy nonce.
+    // Clearing an older nonce should not change inbound nonce.
     clear_packet_with_auth(&context, &receiver, &origin1, &receiver, &guid1, &message1);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }

package/contracts/endpoint-v2/src/tests/endpoint_v2/verifiable.rs

@@ -1,6 +1,6 @@
 use soroban_sdk::{testutils::Address as _, BytesN};
 
-use crate::{tests::endpoint_setup::setup, tests::endpoint_setup::TestSetup, Origin};
+use crate::{storage, tests::endpoint_setup::setup, tests::endpoint_setup::TestSetup, Origin};
 
 fn skip_with_auth(context: &TestSetup, receiver: &soroban_sdk::Address, src_eid: u32, sender: &BytesN<32>, nonce: u64) {
     // `skip` requires authorization from `caller` (the receiver or its delegate).
@@ -20,7 +20,7 @@ fn verify_with_auth(
     context.endpoint_client.verify(receive_lib, origin, receiver, payload_hash);
 }
 
-// New path (lazy nonce == 0) => verifiable when origin.nonce > lazy nonce
+// New path (inbound nonce == 0) => verifiable when origin.nonce is within (0, 256]
 #[test]
 fn test_verifiable_new_path_nonce_1_true() {
     let context = setup();
@@ -30,12 +30,12 @@ fn test_verifiable_new_path_nonce_1_true() {
     let sender = BytesN::from_array(&context.env, &[1u8; 32]);
     let origin = Origin { src_eid, sender, nonce: 1 };
 
-    // For a new path (lazy nonce is 0), nonce 1 > 0 should be verifiable.
+    // For a new path (inbound nonce is 0), nonce 1 should be verifiable.
     let result = endpoint_client.verifiable(&origin, &receiver);
     assert!(result);
 }
 
-// Established path (lazy nonce > 0) => verifiable when origin.nonce > lazy nonce
+// Established path => verifiable when origin.nonce is in (inbound_nonce, inbound_nonce + 256]
 #[test]
 fn test_verifiable_after_skip_nonce_gt_lazy_true() {
     let context = setup();
@@ -48,7 +48,7 @@ fn test_verifiable_after_skip_nonce_gt_lazy_true() {
     // Establish the path by skipping nonce 1.
     skip_with_auth(&context, &receiver, src_eid, &sender, 1);
 
-    // Now lazy_nonce = 1, nonce 2 > 1 should be verifiable.
+    // Now inbound_nonce = 1, nonce 2 should be verifiable.
     let origin = Origin { src_eid, sender, nonce: 2 };
     let result = endpoint_client.verifiable(&origin, &receiver);
     assert!(result);
@@ -79,8 +79,8 @@ fn test_verifiable_true_when_nonce_leq_lazy_but_payload_hash_exists() {
     // Advance lazy nonce to 3 while keeping payload hash for 2 (skip sets lazy nonce only).
     skip_with_auth(&context, &receiver, src_eid, &sender, 3);
 
-    // Sanity: lazy nonce was advanced, and the payload hash for nonce 2 still exists.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 3);
+    // Sanity: inbound nonce was advanced, and the payload hash for nonce 2 still exists.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
     assert!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64).is_some());
 
     // Now nonce 2 <= lazy 3, but payload hash exists -> verifiable should be true.
@@ -98,13 +98,50 @@ fn test_verifiable_nonce_eq_lazy_false_without_payload_hash() {
     let sender = BytesN::from_array(env, &[1u8; 32]);
     let receiver = soroban_sdk::Address::generate(env);
 
-    // Set lazy nonce to 2 without storing any payload hashes.
+    // Advance inbound nonce to 2 without storing any payload hashes at nonce 2.
     skip_with_auth(&context, &receiver, src_eid, &sender, 1);
     skip_with_auth(&context, &receiver, src_eid, &sender, 2);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 
     // nonce == lazy and payload hash missing -> verifiable should be false.
     let origin2 = Origin { src_eid, sender: sender.clone(), nonce: 2u64 };
     assert!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64).is_none());
     assert!(!endpoint_client.verifiable(&origin2, &receiver));
 }
+
+#[test]
+fn test_verifiable_upper_bound_is_enforced() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+    let receiver = soroban_sdk::Address::generate(env);
+
+    // For a new path inbound_nonce=0: 256 is allowed, 257 is not.
+    let origin_256 = Origin { src_eid, sender: sender.clone(), nonce: 256u64 };
+    let origin_257 = Origin { src_eid, sender, nonce: 257u64 };
+    assert!(endpoint_client.verifiable(&origin_256, &receiver));
+    assert!(!endpoint_client.verifiable(&origin_257, &receiver));
+}
+
+#[test]
+fn test_verifiable_upper_bound_is_enforced_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+    let receiver = soroban_sdk::Address::generate(env);
+
+    env.as_contract(&endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &100u64)
+    });
+
+    let ok = Origin { src_eid, sender: sender.clone(), nonce: 356u64 }; // 100 + 256
+    let too_far = Origin { src_eid, sender, nonce: 357u64 };
+    assert!(endpoint_client.verifiable(&ok, &receiver));
+    assert!(!endpoint_client.verifiable(&too_far, &receiver));
+}

package/contracts/endpoint-v2/src/tests/messaging_channel/burn.rs

@@ -84,9 +84,6 @@ fn test_burn_success_with_stored_payload() {
     let nonce = 1u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // Boundary condition: burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
@@ -128,9 +125,6 @@ fn test_burn_with_delegate() {
     // Set delegate for receiver.
     env.as_contract(&endpoint_client.address, || storage::EndpointStorage::set_delegate(env, &receiver, &delegate));
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 1);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
 
@@ -169,9 +163,6 @@ fn test_burn_multiple_payloads() {
     let nonce1 = 1;
     let nonce2 = 2;
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 2);
-
     // Store multiple payload hashes.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce1, &payload_hash1);
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce2, &payload_hash2);
@@ -203,12 +194,6 @@ fn test_burn_different_paths() {
     let nonce = 1;
     let payload_hash = BytesN::from_array(env, &[0xefu8; 32]);
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver1, src_eid1, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver2, src_eid1, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver1, src_eid2, &sender1, 1);
-    context.set_lazy_inbound_nonce(&receiver1, src_eid1, &sender2, 1);
-
     // Store payload hashes for different paths.
     context.inbound_as_verified(&receiver1, src_eid1, &sender1, nonce, &payload_hash);
     context.inbound_as_verified(&receiver2, src_eid1, &sender1, nonce, &payload_hash);
@@ -247,9 +232,6 @@ fn test_burn_payload_hash_not_found_when_mismatch() {
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
     let wrong_payload_hash = BytesN::from_array(env, &[0x11u8; 32]);
 
-    // Burn requires nonce <= lazy_nonce.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
-
     // Store a payload hash first.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
@@ -270,8 +252,8 @@ fn test_burn_payload_hash_not_found_when_storage_none() {
     let nonce = 1u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // Even if nonce <= lazy_nonce, burn must fail without a stored payload hash.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, nonce);
+    // Burn must fail without a stored payload hash.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, nonce);
     let result = try_burn_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::PayloadHashNotFound.into());
 }
@@ -288,9 +270,11 @@ fn test_burn_invalid_nonce_when_greater_than_lazy_nonce() {
     let nonce = 2u64;
     let payload_hash = BytesN::from_array(env, &[0xabu8; 32]);
 
-    // lazy nonce is 1, trying to burn nonce 2 should fail.
-    context.set_lazy_inbound_nonce(&receiver, src_eid, &sender, 1);
-    context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
+    // inbound nonce is 1, trying to burn nonce 2 should fail (even if a payload hash exists).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 1);
+    env.as_contract(&context.endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, nonce, &payload_hash);
+    });
 
     let result = try_burn_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::InvalidNonce.into());

package/contracts/endpoint-v2/src/tests/messaging_channel/clear_payload.rs

@@ -36,7 +36,7 @@ fn clear_payload(
     });
 }
 
-// Internal clear_payload() removes verified payload and advances lazy nonce
+// Internal clear_payload() removes verified payload and does not change inbound nonce
 #[test]
 fn test_clear_payload_success() {
     let context = setup();
@@ -55,11 +55,11 @@ fn test_clear_payload_success() {
     clear_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
 
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), None);
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), nonce);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
 }
 
 #[test]
-fn test_clear_payload_with_lazy_nonce_update_skipping_intermediate() {
+fn test_clear_payload_keeps_other_payload_hashes_intact() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -76,21 +76,21 @@ fn test_clear_payload_with_lazy_nonce_update_skipping_intermediate() {
     let hash2 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 2, &payload2);
     let hash3 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
 
-    // Clearing nonce 3 advances lazy nonce from 0 -> 3, but only if 1..=3 all exist.
+    // Clearing nonce 3 removes only nonce 3's payload hash.
     clear_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 3);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &3), None);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1), Some(hash1));
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(hash2));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
     let _ = hash3; // hash3 is only used to ensure it was computed and stored for nonce 3.
 }
 
-// Clearing a nonce <= lazy nonce does not update lazy nonce
+// Clearing a nonce <= inbound nonce does not update inbound nonce
 #[test]
-fn test_clear_payload_does_not_update_lazy_nonce_when_nonce_is_not_greater() {
+fn test_clear_payload_does_not_update_inbound_nonce_when_nonce_is_not_greater() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -99,22 +99,25 @@ fn test_clear_payload_does_not_update_lazy_nonce_when_nonce_is_not_greater() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Pretend we already checkpointed to 5.
+    // Pretend we already advanced inbound nonce to 5.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
     });
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
 
     // Store a payload hash at nonce 3, then clear it.
     let nonce = 3u64;
     let payload = Bytes::from_array(env, &[0xaa, 0xbb, 0xcc]);
-    let payload_hash = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
-    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash));
+    let payload_hash = BytesN::from_array(env, &env.crypto().keccak256(&payload).to_array());
+    env.as_contract(&endpoint_client.address, || {
+        storage::EndpointStorage::set_inbound_payload_hash(env, &receiver, src_eid, &sender, nonce, &payload_hash)
+    });
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
     clear_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
 
-    // Clearing an older nonce should not mutate lazy_inbound_nonce.
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    // Clearing an older nonce should not mutate inbound_nonce.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), None);
 }
 
@@ -132,9 +135,9 @@ fn test_clear_payload_payload_hash_not_found_when_nonce_is_checkpointed_but_miss
     // nonce <= lazy_nonce, so clear_payload will NOT run the "has_payload for all intermediate nonces" check.
     // It should fail at the payload hash check instead.
     env.as_contract(&endpoint_client.address, || {
-        storage::EndpointStorage::set_lazy_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
+        storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
     });
-    assert_eq!(endpoint_client.lazy_inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
 
     // No payload hash is stored for nonce 3.
     let nonce = 3u64;
@@ -188,16 +191,16 @@ fn test_clear_payload_missing_intermediate_nonce() {
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // Store only nonce 1 and 3, skip nonce 2
+    // Store only nonce 1 and 3, skip nonce 2.
     let payload1 = Bytes::from_array(env, &[0x01]);
     let payload3 = Bytes::from_array(env, &[0x03]);
 
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
-    // Clearing nonce 1 advances lazy nonce from 0 -> 1.
+    // Clearing nonce 1 succeeds.
     clear_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
 
-    // Try to clear nonce 3 - should panic because nonce 2 is missing
+    // Try to clear nonce 3 - should panic because inbound_nonce is still 1 (nonce 3 is out-of-order).
     clear_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 }