apollo_consensus_orchestrator: add SNIP-35 fee_proposal validation

sirandreww-starkware · sirandreww-starkware · commit 6bd60bb3c2af · 2026-04-19T20:05:26.000+03:00
diff --git a/crates/apollo_consensus_orchestrator/src/sequencer_consensus_context.rs b/crates/apollo_consensus_orchestrator/src/sequencer_consensus_context.rs
@@ -734,6 +734,7 @@ impl ConsensusContext for SequencerConsensusContext {
                         .override_l2_gas_price_fri
                         .map(GasPrice)
                         .unwrap_or(self.l2_gas_price),
+                    fee_actual: self.compute_fee_actual(),
                 };
                 self.validate_current_round_proposal(
                     init,
@@ -988,6 +989,7 @@ impl ConsensusContext for SequencerConsensusContext {
                 .override_l2_gas_price_fri
                 .map(GasPrice)
                 .unwrap_or(self.l2_gas_price),
+            fee_actual: self.compute_fee_actual(),
         };
         self.validate_current_round_proposal(
             init,
diff --git a/crates/apollo_consensus_orchestrator/src/validate_proposal.rs b/crates/apollo_consensus_orchestrator/src/validate_proposal.rs
@@ -35,6 +35,7 @@ use strum::{EnumDiscriminants, EnumIter, IntoStaticStr, VariantNames};
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, info, instrument, warn};
 
+use crate::fee_market::{FEE_PROPOSAL_MARGIN_PPT, PPT_DENOMINATOR};
 use crate::metrics::{
     CONSENSUS_NUM_BATCHES_IN_PROPOSAL,
     CONSENSUS_NUM_TXS_IN_PROPOSAL,
@@ -76,6 +77,8 @@ pub(crate) struct ProposalInitValidation {
     pub previous_proposal_init: Option<PreviousProposalInitInfo>,
     pub l1_da_mode: L1DataAvailabilityMode,
     pub l2_gas_price_fri: GasPrice,
+    /// SNIP-35: fee_actual from the sliding window. None during initiation (<10 blocks).
+    pub fee_actual: Option<GasPrice>,
 }
 
 /// Parameters for deadline and cancellation handling during proposal finalization.
@@ -320,6 +323,29 @@ async fn is_proposal_init_valid(
             ),
         ));
     }
+
+    // SNIP-35: validate fee_proposal is within the configured margin of fee_actual.
+    // During initiation (fee_actual is None, <window_size blocks), bounds are not enforced.
+    if let Some(fee_actual) = proposal_init_validation.fee_actual {
+        let fee_proposal = init_proposed.fee_proposal;
+        let margin_ppt = FEE_PROPOSAL_MARGIN_PPT;
+        let lower_bound =
+            fee_actual.0.saturating_mul(PPT_DENOMINATOR) / (PPT_DENOMINATOR + margin_ppt);
+        let upper_bound =
+            fee_actual.0.saturating_mul(PPT_DENOMINATOR + margin_ppt) / PPT_DENOMINATOR;
+        if fee_proposal.0 < lower_bound || fee_proposal.0 > upper_bound {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "Fee proposal out of SNIP-35 bounds: fee_actual={}, fee_proposal={}, allowed \
+                     range=[{lower_bound}, {upper_bound}]",
+                    fee_actual.0, fee_proposal.0
+                ),
+            ));
+        }
+    }
+
     Ok(())
 }
 
diff --git a/crates/apollo_consensus_orchestrator/src/validate_proposal_test.rs b/crates/apollo_consensus_orchestrator/src/validate_proposal_test.rs
@@ -94,6 +94,7 @@ fn create_proposal_validate_arguments()
         previous_proposal_init: None,
         l1_da_mode: L1DataAvailabilityMode::Blob,
         l2_gas_price_fri: VersionedConstants::latest_constants().min_gas_price,
+        fee_actual: None,
     };
     let proposal_id = ProposalId(1);
     let timeout = TIMEOUT;
