fix(l1): address PR #6521 bot review findings

Two bot reviews (Codex, Claude) + one code reviewer (Greptile) flagged 7
issues. All 7 verified real and fixed in-PR per user request.

Critical (L2 consensus/liveness):

- `crates/l2/sequencer/block_producer/payload_builder.rs` now enforces
  the EIP-8037 PR #2703 per-tx 2D inclusion check against the L2's
  `configured_block_gas_limit` before executing each tx, matching the
  L1 builder. Without this, the L2 builder could reject valid txs or
  accept txs that violate one dimension of the block cap.

- `fill_transactions` now snapshots and restores
  `block_regular_gas_used` / `block_state_gas_used` around
  `apply_plain_transaction` on the `undo_last_tx` rollback path
  (invalid L2 out-message). Previously those two counters stayed
  inflated after a rejected tx, polluting `gas_used()` and the final
  header `gas_used`.

High (mempool DoS avenue):

- `crates/blockchain/mempool.rs::transaction_intrinsic_gas` now
  enforces `max(intrinsic_regular + intrinsic_state, floor)` for
  Amsterdam+, matching the VM's `validate_min_gas_limit` check.
  Previously a tx with mostly zero calldata could pass mempool
  admission at the weighted EIP-2028 cost (400 gas for 100 zero
  bytes) but fail the VM's 6400-gas unweighted floor at block
  inclusion, polluting the pool.

  New standalone helper `intrinsic_gas_floor(tx, fork)` added in
  `crates/vm/levm/src/utils.rs` mirroring `VM::get_min_gas_used` so
  the mempool / payload builder can compute the floor without a VM
  instance. Re-exported from `ethrex-vm`.

Medium:

- `crates/vm/backends/levm/mod.rs` withdrawal index computation
  switched from `.map(|n| n + 1)` to `.map(|n| n.saturating_add(1))`.
  The prior form wraps to 0 in release builds when `n == u32::MAX`
  (the `debug_assert` only fires in debug).

- `crates/vm/levm/src/opcode_handlers/system.rs` adds `debug_assert!`
  at the two reservoir-revert sites verifying
  `outstanding_delta >= credit_against_drain_delta`. If that invariant
  is ever violated, the `saturating_sub` silently mischarges the
  block's regular dimension; a loud debug panic is preferable.

Style:

- `crates/vm/levm/src/gas_cost.rs::access_list_bytes` — replace
  `keys.len() as u64` with `u64::try_from(...).unwrap_or(u64::MAX)`
  for consistency with the rest of the codebase.

- `crates/vm/levm/src/hooks/default_hook.rs::refund_sender` — rename
  the currently-unused `gas_used_pre_refund` parameter to
  `_gas_used_pre_refund` at the signature and drop the interior
  `let _ =` that was silencing it. Expanded doc explains it's kept
  in the signature for future reintroduction.

All 478 tests pass; no behavior changes except the three
intentional ones (mempool floor, L2 2D check, L2 counter rollback)
plus the already-exercised saturation edge.

Author: edg-l

crates/blockchain/mempool.rs

@@ -21,7 +21,7 @@ use ethrex_common::{
     },
 };
 use ethrex_storage::error::StoreError;
-use ethrex_vm::intrinsic_gas_dimensions;
+use ethrex_vm::{intrinsic_gas_dimensions, intrinsic_gas_floor};
 use tracing::warn;
 
 #[derive(Debug, Default)]
@@ -517,14 +517,24 @@ pub fn transaction_intrinsic_gas(
     // `REGULAR_GAS_CREATE = 9000` + `STATE_BYTES_PER_NEW_ACCOUNT * cpsb` for CREATE
     // instead of the legacy `TX_CREATE_GAS_COST = 53000`. Mempool admission must
     // match VM charge or we spuriously reject (or admit) transactions.
-    // EIP-7981 access-list data bytes + EIP-7976 floor are also handled there.
+    //
+    // The VM enforces `gas_limit >= max(intrinsic_regular + intrinsic_state,
+    // floor)` via two separate checks in `validate_gas_allowance` +
+    // `validate_min_gas_limit`. Apply the same max here so we don't admit
+    // txs whose calldata floor exceeds the weighted intrinsic — those would
+    // pass mempool and then fail at block inclusion, polluting the pool.
     if config.is_amsterdam_activated(header.timestamp) {
         let fork = config.fork(header.timestamp);
         let (regular, state) = intrinsic_gas_dimensions(tx, fork, header.gas_limit)
             .map_err(|_| MempoolError::TxGasOverflowError)?;
-        return regular
+        let intrinsic = regular
             .checked_add(state)
-            .ok_or(MempoolError::TxGasOverflowError);
+            .ok_or(MempoolError::TxGasOverflowError)?;
+        let floor = intrinsic_gas_floor(tx, fork).map_err(|_| MempoolError::TxGasOverflowError)?;
+        // Block-level gas = max(regular_dim, state_dim); regular_dim itself is
+        // `max(tx_regular, calldata_floor)` per EIP-7778. Use the same max so
+        // admission mirrors the VM's effective minimum.
+        return Ok(intrinsic.max(floor));
     }
 
     let is_contract_creation = tx.is_contract_creation();

crates/l2/sequencer/block_producer/payload_builder.rs

@@ -6,7 +6,9 @@ use ethrex_blockchain::{
 };
 use ethrex_common::{
     U256,
-    types::{Block, EIP1559_DEFAULT_SERIALIZED_LENGTH, SAFE_BYTES_PER_BLOB, Transaction, TxKind},
+    types::{
+        Block, EIP1559_DEFAULT_SERIALIZED_LENGTH, Fork, SAFE_BYTES_PER_BLOB, Transaction, TxKind,
+    },
 };
 use ethrex_l2_common::{
     messages::get_block_l2_out_messages, privileged_transactions::PRIVILEGED_TX_BUDGET,
@@ -20,6 +22,7 @@ use ethrex_metrics::{
 };
 use ethrex_rlp::encode::RLPEncode;
 use ethrex_storage::Store;
+use ethrex_vm::check_2d_gas_allowance;
 use std::sync::Arc;
 use std::{collections::HashMap, ops::Div};
 use tokio::time::Instant;
@@ -110,6 +113,14 @@ pub async fn fill_transactions(
     let chain_config = store.get_chain_config();
     let chain_id = chain_config.chain_id;
 
+    // EIP-8037 (Amsterdam+): the tx inclusion check enforces a 2D budget per
+    // tx so a transaction's worst-case contribution in either dimension fits
+    // in the remaining block budget. Gate on the block's timestamp and apply
+    // in the inclusion loop below; the L2 builder uses
+    // `configured_block_gas_limit` (possibly tighter than
+    // `payload.header.gas_limit`) as the limit, keeping L2 tighter than L1.
+    let is_amsterdam = chain_config.is_amsterdam_activated(context.payload.header.timestamp);
+
     debug!("Fetching transactions from mempool");
     // Fetch mempool transactions
     let latest_block_number = store.get_latest_block_number().await?;
@@ -209,6 +220,25 @@ pub async fn fill_transactions(
             continue;
         }
 
+        // EIP-8037 (Amsterdam+, PR #2703): per-tx 2D inclusion check against
+        // running block totals, using the L2-configured block gas limit
+        // (which may be tighter than the header's). Must run BEFORE we touch
+        // the BAL recorder so a rejected tx doesn't leave a sender/recipient
+        // touch in the BAL.
+        if is_amsterdam
+            && let Err(e) = check_2d_gas_allowance(
+                &head_tx.tx,
+                Fork::Amsterdam,
+                context.block_regular_gas_used,
+                context.block_state_gas_used,
+                configured_block_gas_limit,
+            )
+        {
+            debug!("Skipping tx {tx_hash:#x}: fails 2D inclusion check: {e}");
+            txs.pop();
+            continue;
+        }
+
         // Set BAL index for this transaction (1-indexed per EIP-7928)
         let tx_index =
             u32::try_from(context.payload.body.transactions.len() + 1).unwrap_or(u32::MAX);
@@ -233,10 +263,16 @@ pub async fn fill_transactions(
             }
         }
 
-        // Execute tx
+        // Execute tx. Snapshot every PayloadBuildContext counter that
+        // `apply_plain_transaction` mutates so the invalid-L2-message rollback
+        // below can fully undo a tx's effect. Amsterdam's 2D accounting adds
+        // `block_regular_gas_used` / `block_state_gas_used` to the set that
+        // drive `gas_used()` and the final header `gas_used`.
         let previous_remaining_gas = context.remaining_gas;
         let previous_block_value = context.block_value;
         let previous_cumulative_gas_spent = context.cumulative_gas_spent;
+        let previous_block_regular_gas_used = context.block_regular_gas_used;
+        let previous_block_state_gas_used = context.block_state_gas_used;
         let receipt = match apply_plain_transaction(&head_tx, context) {
             Ok(receipt) => receipt,
             Err(e) => {
@@ -264,6 +300,12 @@ pub async fn fill_transactions(
                 context.remaining_gas = previous_remaining_gas;
                 context.block_value = previous_block_value;
                 context.cumulative_gas_spent = previous_cumulative_gas_spent;
+                // Amsterdam 2D accounting: restore the per-dimension counters
+                // too. Without this, phantom gas from the rejected tx stays in
+                // the payload context and skews subsequent inclusion decisions
+                // plus the final header `gas_used`.
+                context.block_regular_gas_used = previous_block_regular_gas_used;
+                context.block_state_gas_used = previous_block_state_gas_used;
                 // Roll back BAL touches from the aborted tx.
                 if let (Some(recorder), Some(checkpoint)) =
                     (context.vm.db.bal_recorder_mut(), bal_checkpoint)

crates/vm/backends/levm/mod.rs

@@ -443,9 +443,11 @@ impl LEVM {
             // not from db — no need to call send_state_transitions_tx here.
 
             // Validate BAL entries at the withdrawal index against actual
-            // post-withdrawal/request state.
+            // post-withdrawal/request state. `saturating_add(1)` prevents a
+            // release-build wrap if `n == u32::MAX` (debug_assert on tx count
+            // catches this upstream, but belt-and-braces).
             let withdrawal_idx = u32::try_from(block.body.transactions.len())
-                .map(|n| n + 1)
+                .map(|n| n.saturating_add(1))
                 .unwrap_or(u32::MAX);
             Self::validate_bal_withdrawal_index(db, bal, withdrawal_idx, &validation_index)?;
 

crates/vm/levm/src/gas_cost.rs

@@ -662,7 +662,8 @@ pub fn access_list_bytes(access_list: &AccessList) -> u64 {
     let mut bytes: u64 = 0;
     for (_addr, keys) in access_list {
         bytes = bytes.saturating_add(20);
-        bytes = bytes.saturating_add(32_u64.saturating_mul(keys.len() as u64));
+        let keys_len = u64::try_from(keys.len()).unwrap_or(u64::MAX);
+        bytes = bytes.saturating_add(32_u64.saturating_mul(keys_len));
     }
     bytes
 }

crates/vm/levm/src/hooks/default_hook.rs

@@ -238,9 +238,13 @@ pub fn refund_sender(
     ctx_result: &mut ContextResult,
     refunded_gas: u64,
     gas_spent: u64,
-    // Pre-Amsterdam: gas used for receipt and user refund. Amsterdam+: unused
-    // (block gas is computed dimensionally from vm fields; user pays gas_spent).
-    gas_used_pre_refund: u64,
+    // Historically used pre-Amsterdam for receipt + user refund; Amsterdam+
+    // computes block gas dimensionally from VM fields and the user pays
+    // `gas_spent`, so this parameter is currently unused in both branches.
+    // Kept in the signature for call-site symmetry with pre-Amsterdam usage
+    // and future reintroduction; rename without the `_` prefix once it's
+    // read again.
+    _gas_used_pre_refund: u64,
 ) -> Result<(), VMError> {
     vm.substate.refunded_gas = refunded_gas;
 
@@ -263,8 +267,9 @@ pub fn refund_sender(
             .state_gas_refund_absorbed
             .saturating_add(vm.state_gas_refund_pending);
         let state_gas = vm.state_gas_used.saturating_sub(execution_state_gas_refund);
-        // gas_used_pre_refund here is raw - reservoir_current (user-paid). Compute
-        // raw from scratch to avoid the reservoir-current subtraction interfering.
+        // Compute raw consumption from scratch (gas_limit minus gas_remaining)
+        // to avoid interference from any reservoir-current subtraction baked
+        // into the caller's pre-refund number.
         #[expect(clippy::as_conversions, reason = "gas_remaining is >= 0 here")]
         let gas_remaining = vm.current_call_frame.gas_remaining.max(0) as u64;
         let raw_consumed = vm.env.gas_limit.saturating_sub(gas_remaining);
@@ -280,7 +285,6 @@ pub fn refund_sender(
         ctx_result.gas_spent = gas_spent;
     } else {
         // Pre-Amsterdam: both use post-refund value
-        let _ = gas_used_pre_refund;
         ctx_result.gas_used = gas_spent;
         ctx_result.gas_spent = gas_spent;
     }

crates/vm/levm/src/opcode_handlers/system.rs

@@ -1186,6 +1186,18 @@ impl<'a> VM<'a> {
                 let credit_against_drain_delta = self
                     .state_gas_credit_against_drain
                     .saturating_sub(state_gas_credit_against_drain_snapshot);
+                // Invariant: credit_against_drain only accumulates the portion
+                // of a clamped refund that was NOT matched against outstanding
+                // spill, so it can never exceed the spill delta in the same
+                // subtree. If this ever fires, the reservoir math silently
+                // clamps (via saturating_sub) and the block's regular
+                // dimension gets mischarged — loud panic in debug is the goal.
+                debug_assert!(
+                    outstanding_delta >= credit_against_drain_delta,
+                    "reservoir revert invariant violated: credit_against_drain_delta \
+                     ({credit_against_drain_delta}) > outstanding_delta \
+                     ({outstanding_delta})"
+                );
                 self.state_gas_used = state_gas_used_snapshot;
                 self.state_gas_refund_pending = state_gas_refund_pending_snapshot;
                 self.state_gas_refund_absorbed = state_gas_refund_absorbed_snapshot;
@@ -1261,6 +1273,18 @@ impl<'a> VM<'a> {
                 let credit_against_drain_delta = self
                     .state_gas_credit_against_drain
                     .saturating_sub(state_gas_credit_against_drain_snapshot);
+                // Invariant: credit_against_drain only accumulates the portion
+                // of a clamped refund that was NOT matched against outstanding
+                // spill, so it can never exceed the spill delta in the same
+                // subtree. If this ever fires, the reservoir math silently
+                // clamps (via saturating_sub) and the block's regular
+                // dimension gets mischarged — loud panic in debug is the goal.
+                debug_assert!(
+                    outstanding_delta >= credit_against_drain_delta,
+                    "reservoir revert invariant violated: credit_against_drain_delta \
+                     ({credit_against_drain_delta}) > outstanding_delta \
+                     ({outstanding_delta})"
+                );
                 self.state_gas_used = state_gas_used_snapshot;
                 self.state_gas_refund_pending = state_gas_refund_pending_snapshot;
                 self.state_gas_refund_absorbed = state_gas_refund_absorbed_snapshot;

crates/vm/levm/src/utils.rs

@@ -750,6 +750,49 @@ pub fn intrinsic_gas_dimensions(
     Ok((regular_gas, state_gas))
 }
 
+/// Standalone EIP-7623/7976/7981 floor gas for a transaction. Mirrors
+/// [`VM::get_min_gas_used`] but operates on the raw transaction + fork, so it
+/// can be called by mempool admission / the payload builder without needing a
+/// VM instance. Returns `TX_BASE_COST + floor_rate * total_floor_tokens`.
+///
+/// Amsterdam+ uses the unweighted EIP-7976 floor (16 gas/token = 64 gas/byte)
+/// and folds EIP-7981 access-list data bytes into the token count. Pre-
+/// Amsterdam uses the weighted EIP-7623 formula.
+///
+/// A mismatch between this and `VM::get_min_gas_used` would cause mempool
+/// admission to drift from VM rejection; keep the two in sync. The
+/// `test_intrinsic_parity_*` suite also guards this.
+pub fn intrinsic_gas_floor(tx: &Transaction, fork: Fork) -> Result<u64, VMError> {
+    // EIP-7976: floor tokens count ALL calldata bytes unweighted. For CREATE
+    // txs the calldata is the init code. Mirrors `get_min_gas_used`.
+    let calldata = tx.data();
+
+    let mut tokens_in_calldata: u64 = if fork >= Fork::Amsterdam {
+        let total_bytes: u64 = calldata
+            .len()
+            .try_into()
+            .map_err(|_| InternalError::TypeConversion)?;
+        total_bytes
+            .checked_mul(STANDARD_TOKEN_COST)
+            .ok_or(InternalError::Overflow)?
+    } else {
+        gas_cost::tx_calldata(calldata)? / STANDARD_TOKEN_COST
+    };
+
+    if fork >= Fork::Amsterdam {
+        let al_floor_tokens = floor_tokens_in_access_list(tx.access_list());
+        tokens_in_calldata = tokens_in_calldata
+            .checked_add(al_floor_tokens)
+            .ok_or(InternalError::Overflow)?;
+    }
+
+    tokens_in_calldata
+        .checked_mul(total_cost_floor_per_token(fork))
+        .ok_or(InternalError::Overflow)?
+        .checked_add(TX_BASE_COST)
+        .ok_or(InternalError::Overflow.into())
+}
+
 /// Converts Account to LevmAccount
 /// The problem with this is that we don't have the storage root.
 pub fn account_to_levm_account(account: Account) -> (LevmAccount, Code) {

crates/vm/lib.rs

@@ -16,6 +16,9 @@ pub use ethrex_levm::precompiles::{PrecompileCache, precompiles_for_fork};
 /// EIP-8037 intrinsic gas split `(regular, state)` for a transaction.
 /// Re-exported for mempool / payload-builder use.
 pub use ethrex_levm::utils::intrinsic_gas_dimensions;
+/// EIP-7623/7976/7981 floor gas for a transaction. Re-exported so the mempool
+/// can match the VM's `validate_min_gas_limit` check at admission time.
+pub use ethrex_levm::utils::intrinsic_gas_floor;
 pub use execution_result::ExecutionResult;
 pub use witness_db::GuestProgramStateWrapper;
 pub mod system_contracts;