local audit fix: restrict SSZ→JSON retry to 406/415 per builder-spec

Author: JasonVranek

crates/common/src/utils.rs

@@ -130,8 +130,8 @@ pub async fn read_chunked_body_with_max(
     }
 
     // Break if content length is provided but it's too big
-    if let Some(length) = content_length
-        && length as usize > max_size
+    if let Some(length) = content_length &&
+        length as usize > max_size
     {
         return Err(ResponseReadError::PayloadTooLarge {
             max: max_size,
@@ -818,47 +818,47 @@ fn get_ssz_value_offset_for_fork(fork: ForkName) -> Option<usize> {
         ForkName::Bellatrix => {
             // Message goes header -> value -> pubkey
             Some(
-                get_message_offset::<BuilderBidBellatrix>()
-                    + <ExecutionPayloadHeaderBellatrix as ssz::Decode>::ssz_fixed_len(),
+                get_message_offset::<BuilderBidBellatrix>() +
+                    <ExecutionPayloadHeaderBellatrix as ssz::Decode>::ssz_fixed_len(),
             )
         }
 
         ForkName::Capella => {
             // Message goes header -> value -> pubkey
             Some(
-                get_message_offset::<BuilderBidCapella>()
-                    + <ExecutionPayloadHeaderCapella as ssz::Decode>::ssz_fixed_len(),
+                get_message_offset::<BuilderBidCapella>() +
+                    <ExecutionPayloadHeaderCapella as ssz::Decode>::ssz_fixed_len(),
             )
         }
 
         ForkName::Deneb => {
             // Message goes header -> blob_kzg_commitments -> value -> pubkey
             Some(
-                get_message_offset::<BuilderBidDeneb>()
-                    + <ExecutionPayloadHeaderDeneb as ssz::Decode>::ssz_fixed_len()
-                    + <KzgCommitments as ssz::Decode>::ssz_fixed_len(),
+                get_message_offset::<BuilderBidDeneb>() +
+                    <ExecutionPayloadHeaderDeneb as ssz::Decode>::ssz_fixed_len() +
+                    <KzgCommitments as ssz::Decode>::ssz_fixed_len(),
             )
         }
 
         ForkName::Electra => {
             // Message goes header -> blob_kzg_commitments -> execution_requests -> value ->
             // pubkey
             Some(
-                get_message_offset::<BuilderBidElectra>()
-                    + <ExecutionPayloadHeaderElectra as ssz::Decode>::ssz_fixed_len()
-                    + <KzgCommitments as ssz::Decode>::ssz_fixed_len()
-                    + <ExecutionRequests as ssz::Decode>::ssz_fixed_len(),
+                get_message_offset::<BuilderBidElectra>() +
+                    <ExecutionPayloadHeaderElectra as ssz::Decode>::ssz_fixed_len() +
+                    <KzgCommitments as ssz::Decode>::ssz_fixed_len() +
+                    <ExecutionRequests as ssz::Decode>::ssz_fixed_len(),
             )
         }
 
         ForkName::Fulu => {
             // Message goes header -> blob_kzg_commitments -> execution_requests -> value ->
             // pubkey
             Some(
-                get_message_offset::<BuilderBidFulu>()
-                    + <ExecutionPayloadHeaderFulu as ssz::Decode>::ssz_fixed_len()
-                    + <KzgCommitments as ssz::Decode>::ssz_fixed_len()
-                    + <ExecutionRequests as ssz::Decode>::ssz_fixed_len(),
+                get_message_offset::<BuilderBidFulu>() +
+                    <ExecutionPayloadHeaderFulu as ssz::Decode>::ssz_fixed_len() +
+                    <KzgCommitments as ssz::Decode>::ssz_fixed_len() +
+                    <ExecutionRequests as ssz::Decode>::ssz_fixed_len(),
             )
         }
 

crates/pbs/src/mev_boost/submit_block.rs

@@ -173,8 +173,8 @@ async fn submit_block_with_timeout(
                 // The caller (routes/submit_block.rs) serialises Full/Light responses
                 // with the caller's negotiated encoding, independent of which endpoint
                 // the relay actually served.
-                if request_api_version == BuilderApiVersion::V1
-                    && proposal_info.api_version != request_api_version
+                if request_api_version == BuilderApiVersion::V1 &&
+                    proposal_info.api_version != request_api_version
                 {
                     warn!(
                         relay_id = relay.id.as_ref(),
@@ -472,12 +472,17 @@ async fn send_submit_block_impl(
         }
     };
 
-    // If we got a client error, retry with JSON - the spec says that this should be
-    // a 406 or 415, but we're a little more permissive here
-    if res.status().is_client_error() {
+    // Retry as JSON only on the two status codes the builder-spec defines as
+    // "media type is the problem": 406 Not Acceptable and 415 Unsupported
+    // Media Type (RFC 7231 §6.5.13). Any other 4xx (400 malformed, 401/403
+    // auth, 409 conflict, 429 rate limit, etc.) is orthogonal to encoding
+    // and MUST surface unchanged — retrying pollutes observability, doubles
+    // load on the relay, and can mask real errors behind a JSON-path reply.
+    if matches!(res.status(), StatusCode::NOT_ACCEPTABLE | StatusCode::UNSUPPORTED_MEDIA_TYPE,) {
         warn!(
             relay_id = relay.id.as_ref(),
-            "relay does not support SSZ, resubmitting block with JSON content-type"
+            status = %res.status(),
+            "relay rejected SSZ content-type, resubmitting block with JSON content-type"
         );
         res = match relay
             .client
@@ -631,12 +636,12 @@ fn validate_unblinded_block(
     fork_name: ForkName,
 ) -> Result<(), PbsError> {
     match fork_name {
-        ForkName::Base
-        | ForkName::Altair
-        | ForkName::Bellatrix
-        | ForkName::Capella
-        | ForkName::Deneb
-        | ForkName::Gloas => Err(PbsError::Validation(ValidationError::UnsupportedFork)),
+        ForkName::Base |
+        ForkName::Altair |
+        ForkName::Bellatrix |
+        ForkName::Capella |
+        ForkName::Deneb |
+        ForkName::Gloas => Err(PbsError::Validation(ValidationError::UnsupportedFork)),
         ForkName::Electra => validate_unblinded_block_electra(
             expected_block_hash,
             got_block_hash,
@@ -665,9 +670,9 @@ fn validate_unblinded_block_electra(
         }));
     }
 
-    if expected_commitments.len() != blobs_bundle.blobs.len()
-        || expected_commitments.len() != blobs_bundle.commitments.len()
-        || expected_commitments.len() != blobs_bundle.proofs.len()
+    if expected_commitments.len() != blobs_bundle.blobs.len() ||
+        expected_commitments.len() != blobs_bundle.commitments.len() ||
+        expected_commitments.len() != blobs_bundle.proofs.len()
     {
         return Err(PbsError::Validation(ValidationError::KzgCommitments {
             expected_blobs: expected_commitments.len(),
@@ -704,9 +709,9 @@ fn validate_unblinded_block_fulu(
         }));
     }
 
-    if expected_commitments.len() != blobs_bundle.blobs.len()
-        || expected_commitments.len() != blobs_bundle.commitments.len()
-        || expected_commitments.len() * CELLS_PER_EXT_BLOB != blobs_bundle.proofs.len()
+    if expected_commitments.len() != blobs_bundle.blobs.len() ||
+        expected_commitments.len() != blobs_bundle.commitments.len() ||
+        expected_commitments.len() * CELLS_PER_EXT_BLOB != blobs_bundle.proofs.len()
     {
         return Err(PbsError::Validation(ValidationError::KzgCommitments {
             expected_blobs: expected_commitments.len(),

tests/src/mock_relay.rs

@@ -63,6 +63,12 @@ pub struct MockRelayState {
     large_body: bool,
     supports_submit_block_v2: bool,
     use_not_found_for_submit_block: bool,
+    /// If set, `handle_submit_block_v1`/`v2` short-circuits with this status
+    /// when the inbound request carries `Content-Type:
+    /// application/octet-stream`. The counter is still incremented before
+    /// the short-circuit so tests can observe the attempt. Used to drive C3
+    /// (retry-as-JSON) tests.
+    submit_block_ssz_status_override: Option<StatusCode>,
     received_get_header: Arc<AtomicU64>,
     received_get_status: Arc<AtomicU64>,
     received_register_validator: Arc<AtomicU64>,
@@ -93,6 +99,9 @@ impl MockRelayState {
     pub fn use_not_found_for_submit_block(&self) -> bool {
         self.use_not_found_for_submit_block
     }
+    pub fn submit_block_ssz_status_override(&self) -> Option<StatusCode> {
+        self.submit_block_ssz_status_override
+    }
     pub fn set_response_override(&self, status: StatusCode) {
         *self.response_override.write().unwrap() = Some(status);
     }
@@ -106,6 +115,7 @@ impl MockRelayState {
             large_body: false,
             supports_submit_block_v2: true,
             use_not_found_for_submit_block: false,
+            submit_block_ssz_status_override: None,
             received_get_header: Default::default(),
             received_get_status: Default::default(),
             received_register_validator: Default::default(),
@@ -136,6 +146,14 @@ impl MockRelayState {
     pub fn with_not_found_for_submit_block(self) -> Self {
         Self { use_not_found_for_submit_block: true, ..self }
     }
+
+    /// Make `handle_submit_block_v1`/`v2` respond with `status` whenever the
+    /// request comes in as SSZ (`Content-Type: application/octet-stream`).
+    /// JSON requests still go through the normal happy path, which lets a
+    /// single test cover the SSZ→JSON retry behavior.
+    pub fn with_submit_block_ssz_status(self, status: StatusCode) -> Self {
+        Self { submit_block_ssz_status_override: Some(status), ..self }
+    }
 }
 
 pub fn mock_relay_app_router(state: Arc<MockRelayState>) -> Router {
@@ -301,6 +319,14 @@ async fn handle_submit_block_v1(
         return StatusCode::NOT_FOUND.into_response();
     }
     state.received_submit_block.fetch_add(1, Ordering::Relaxed);
+    // Short-circuit SSZ requests with an overridden status so tests can
+    // drive the PBS SSZ→JSON retry logic. JSON requests still take the
+    // normal path so a single mock run can exercise both attempts.
+    if let Some(status) = state.submit_block_ssz_status_override() &&
+        get_content_type(&headers) == EncodingType::Ssz
+    {
+        return (status, "forced ssz override").into_response();
+    }
     let accept_types = get_accept_types(&headers)
         .map_err(|e| (StatusCode::BAD_REQUEST, format!("error parsing accept header: {e}")));
     if let Err(e) = accept_types {
@@ -391,6 +417,13 @@ async fn handle_submit_block_v2(
         return StatusCode::NOT_FOUND.into_response();
     }
     state.received_submit_block.fetch_add(1, Ordering::Relaxed);
+    // See comment in `handle_submit_block_v1`. Override SSZ with the
+    // injected status so C3 tests can assert retry / no-retry behavior.
+    if let Some(status) = state.submit_block_ssz_status_override() &&
+        get_content_type(&headers) == EncodingType::Ssz
+    {
+        return (status, "forced ssz override").into_response();
+    }
     let content_type = get_content_type(&headers);
     if !state.supported_content_types.contains(&content_type) {
         return (StatusCode::NOT_ACCEPTABLE, "No acceptable content type found".to_string())

tests/tests/pbs_post_blinded_blocks.rs

@@ -509,7 +509,6 @@ async fn submit_block_impl(
     remove_v2_support: bool,
     force_404s: bool,
 ) -> Result<Response> {
-    // Setup test environment
     setup_test_env();
     let signer = random_secret();
     let pubkey = signer.public_key();
@@ -574,3 +573,152 @@ async fn submit_block_impl(
     assert_eq!(res.status(), expected_code);
     Ok(res)
 }
+
+// Retry-as-JSON trigger must be restricted
+// to 406 Not Acceptable and 415 Unsupported Media Type. Any other 4xx is
+// orthogonal to encoding and MUST surface unchanged.
+
+/// Shared fixture: relay returns `ssz_status` when the PBS sends SSZ,
+/// everything else takes the happy path. Returns `(Response, attempt_count)`.
+/// `api_version` picks v1 or v2 endpoint; `relay_types` controls what the
+/// relay advertises as supported so the happy JSON path works when retried.
+async fn submit_block_ssz_override(
+    api_version: BuilderApiVersion,
+    ssz_status: StatusCode,
+) -> Result<(Response, u64)> {
+    setup_test_env();
+    let signer = random_secret();
+    let pubkey = signer.public_key();
+    let chain = Chain::Holesky;
+    let pbs_listener = get_free_listener().await;
+    let relay_listener = get_free_listener().await;
+    let pbs_port = pbs_listener.local_addr().unwrap().port();
+    let relay_port = relay_listener.local_addr().unwrap().port();
+
+    let mock_relay = generate_mock_relay(relay_port, pubkey)?;
+    let mut mock_relay_state = MockRelayState::new(chain, signer);
+    // Relay only advertises JSON so the retry (which goes out as JSON) lands
+    // on a clean success path. The SSZ-status override below intercepts
+    // before the supported-types check, so the first SSZ attempt still hits
+    // our injected status regardless of what's advertised here.
+    mock_relay_state.supported_content_types = Arc::new(HashSet::from([EncodingType::Json]));
+    mock_relay_state = mock_relay_state.with_submit_block_ssz_status(ssz_status);
+    let mock_state = Arc::new(mock_relay_state);
+    tokio::spawn(start_mock_relay_service_with_listener(mock_state.clone(), relay_listener));
+
+    let pbs_config = get_pbs_config(pbs_port);
+    let config = to_pbs_config(chain, pbs_config, vec![mock_relay]);
+    let state = PbsState::new(config, PathBuf::new());
+    drop(pbs_listener);
+    tokio::spawn(PbsService::run::<(), DefaultBuilderApi>(state));
+
+    tokio::time::sleep(Duration::from_millis(100)).await;
+
+    let signed_blinded_block = load_test_signed_blinded_block();
+    let mock_validator = MockValidator::new(pbs_port)?;
+    // The BN sends SSZ; PBS forwards SSZ first, that's what our override hits.
+    let accept_types = HashSet::from([EncodingType::Ssz, EncodingType::Json]);
+    let res = match api_version {
+        BuilderApiVersion::V1 => {
+            mock_validator
+                .do_submit_block_v1(
+                    Some(signed_blinded_block),
+                    accept_types,
+                    EncodingType::Ssz,
+                    ForkName::Electra,
+                )
+                .await?
+        }
+        BuilderApiVersion::V2 => {
+            mock_validator
+                .do_submit_block_v2(
+                    Some(signed_blinded_block),
+                    accept_types,
+                    EncodingType::Ssz,
+                    ForkName::Electra,
+                )
+                .await?
+        }
+    };
+    Ok((res, mock_state.received_submit_block()))
+}
+
+/// 406 is the spec-defined "retry with a different media type" signal, so we
+/// MUST retry as JSON and succeed.
+#[tokio::test]
+async fn test_submit_block_ssz_retries_as_json_on_406() -> Result<()> {
+    let (res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::NOT_ACCEPTABLE).await?;
+    assert_eq!(res.status(), StatusCode::OK, "retry-as-JSON must succeed on 406");
+    assert_eq!(attempts, 2, "expected SSZ attempt + JSON retry");
+    Ok(())
+}
+
+/// 415 is the other spec-defined media-type rejection status; same retry.
+#[tokio::test]
+async fn test_submit_block_ssz_retries_as_json_on_415() -> Result<()> {
+    let (res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::UNSUPPORTED_MEDIA_TYPE)
+            .await?;
+    assert_eq!(res.status(), StatusCode::OK, "retry-as-JSON must succeed on 415");
+    assert_eq!(attempts, 2);
+    Ok(())
+}
+
+/// 400 Bad Request is a validation failure — encoding is not the problem.
+/// Retrying doubles relay load and hides the real error. MUST NOT retry.
+#[tokio::test]
+async fn test_submit_block_ssz_does_not_retry_on_400() -> Result<()> {
+    let (_res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::BAD_REQUEST).await?;
+    assert_eq!(attempts, 1, "400 is not a media-type error; must not retry");
+    Ok(())
+}
+
+/// 401 Unauthorized — auth problem, not encoding. No retry.
+#[tokio::test]
+async fn test_submit_block_ssz_does_not_retry_on_401() -> Result<()> {
+    let (_res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::UNAUTHORIZED).await?;
+    assert_eq!(attempts, 1);
+    Ok(())
+}
+
+/// 409 Conflict — state mismatch. No retry.
+#[tokio::test]
+async fn test_submit_block_ssz_does_not_retry_on_409() -> Result<()> {
+    let (_res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::CONFLICT).await?;
+    assert_eq!(attempts, 1);
+    Ok(())
+}
+
+/// 429 Too Many Requests — `PbsError::should_retry` already excludes this;
+/// retrying as JSON would add insult to injury. No retry.
+#[tokio::test]
+async fn test_submit_block_ssz_does_not_retry_on_429() -> Result<()> {
+    let (_res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V1, StatusCode::TOO_MANY_REQUESTS).await?;
+    assert_eq!(attempts, 1);
+    Ok(())
+}
+
+/// Same policy applies to the v2 endpoint.
+#[tokio::test]
+async fn test_submit_block_v2_ssz_retries_as_json_on_415() -> Result<()> {
+    let (res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V2, StatusCode::UNSUPPORTED_MEDIA_TYPE)
+            .await?;
+    assert_eq!(res.status(), StatusCode::ACCEPTED, "v2 success is 202 Accepted");
+    assert_eq!(attempts, 2);
+    Ok(())
+}
+
+/// v2 + 400: same no-retry rule as v1.
+#[tokio::test]
+async fn test_submit_block_v2_ssz_does_not_retry_on_400() -> Result<()> {
+    let (_res, attempts) =
+        submit_block_ssz_override(BuilderApiVersion::V2, StatusCode::BAD_REQUEST).await?;
+    assert_eq!(attempts, 1);
+    Ok(())
+}