apollo_consensus_orchestrator: add SNIP-35 fee_proposal validation (#13819)

Author: sirandreww-starkware

crates/apollo_consensus_orchestrator/src/sequencer_consensus_context.rs

@@ -828,6 +828,7 @@ impl ConsensusContext for SequencerConsensusContext {
                         .map(GasPrice)
                         .unwrap_or(self.l2_gas_price),
                     starknet_version: StarknetVersion::LATEST,
+                    fee_actual: compute_fee_actual(&self.fee_proposals_window, init.height),
                 };
                 self.validate_current_round_proposal(
                     init,
@@ -1094,6 +1095,7 @@ impl ConsensusContext for SequencerConsensusContext {
                 .map(GasPrice)
                 .unwrap_or(self.l2_gas_price),
             starknet_version: StarknetVersion::LATEST,
+            fee_actual: compute_fee_actual(&self.fee_proposals_window, init.height),
         };
         self.validate_current_round_proposal(
             init,

crates/apollo_consensus_orchestrator/src/test_utils.rs

@@ -426,11 +426,8 @@ pub(crate) fn proposal_init(height: BlockNumber, round: u32) -> ProposalInit {
         l1_data_gas_price_wei,
         starknet_version: starknet_api::block::StarknetVersion::LATEST,
         version_constant_commitment: Default::default(),
-        // Match the proposer's default-fallback fee_proposal: empty sliding window →
-        // `compute_fee_actual` returns `None` → `compute_snip35_fee_proposal` falls back to
-        // `self.l2_gas_price` (= `min_gas_price` = 8 gwei). Validator-side tests reuse this
-        // helper to fabricate an init that matches what the proposer emits, so proposer and
-        // validator agree on the proposal commitment hash.
+        // SNIP-35: required because LATEST >= V0_14_3. Match the proposer's default-fallback
+        // fee_proposal.
         fee_proposal_fri: Some(GasPrice(8_000_000_000)),
     }
 }

crates/apollo_consensus_orchestrator/src/validate_proposal.rs

@@ -42,7 +42,7 @@ use crate::metrics::{
     CONSENSUS_PROPOSAL_FIN_MISMATCH,
 };
 use crate::sequencer_consensus_context::{BuiltProposals, SequencerConsensusContextDeps};
-use crate::snip35::proposal_commitment_from;
+use crate::snip35::{fee_proposal_bounds, proposal_commitment_from, FEE_PROPOSAL_MARGIN_PPT};
 use crate::utils::{
     convert_to_sn_api_block_info,
     get_l1_prices_in_fri_and_wei,
@@ -78,6 +78,9 @@ pub(crate) struct ProposalInitValidation {
     pub l1_da_mode: L1DataAvailabilityMode,
     pub l2_gas_price_fri: GasPrice,
     pub starknet_version: StarknetVersion,
+    /// SNIP-35: fee_actual from the sliding window. `None` until the window has accumulated
+    /// `FEE_PROPOSAL_WINDOW_SIZE` entries (startup / near-genesis).
+    pub fee_actual: Option<GasPrice>,
 }
 
 /// Parameters for deadline and cancellation handling during proposal finalization.
@@ -346,6 +349,52 @@ async fn is_proposal_init_valid(
             ),
         ));
     }
+
+    // SNIP-35: fee_proposal is required iff Starknet version >= V0_14_3.
+    let snip35_active = init_proposed.starknet_version >= StarknetVersion::V0_14_3;
+    match (init_proposed.fee_proposal_fri, snip35_active) {
+        (Some(_), false) => {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "fee_proposal must be absent before V0_14_3, got Some at version {}",
+                    init_proposed.starknet_version
+                ),
+            ));
+        }
+        (None, true) => {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "fee_proposal is required at V0_14_3+, got None at version {}",
+                    init_proposed.starknet_version
+                ),
+            ));
+        }
+        _ => {}
+    }
+
+    // SNIP-35: validate fee_proposal is within the configured margin of fee_actual.
+    // During initiation (fee_actual is None, <window_size blocks), bounds are not enforced.
+    if let (Some(fee_actual), Some(fee_proposal)) =
+        (proposal_init_validation.fee_actual, init_proposed.fee_proposal_fri)
+    {
+        let (lower_bound, upper_bound) = fee_proposal_bounds(fee_actual, FEE_PROPOSAL_MARGIN_PPT);
+        if fee_proposal.0 < lower_bound || fee_proposal.0 > upper_bound {
+            return Err(ValidateProposalError::InvalidProposalInit(
+                init_proposed.clone(),
+                proposal_init_validation.clone(),
+                format!(
+                    "Fee proposal out of SNIP-35 bounds: fee_actual={}, fee_proposal={}, allowed \
+                     range=[{lower_bound}, {upper_bound}]",
+                    fee_actual.0, fee_proposal.0
+                ),
+            ));
+        }
+    }
+
     Ok(())
 }
 

crates/apollo_consensus_orchestrator/src/validate_proposal_test.rs

@@ -33,7 +33,7 @@ use starknet_types_core::felt::Felt;
 use tokio_util::sync::CancellationToken;
 
 use crate::sequencer_consensus_context::BuiltProposals;
-use crate::snip35::proposal_commitment_from;
+use crate::snip35::{proposal_commitment_from, FEE_PROPOSAL_MARGIN_PPT, PPT_DENOMINATOR};
 use crate::test_utils::{
     create_test_and_network_deps,
     proposal_init,
@@ -104,6 +104,7 @@ fn create_proposal_validate_arguments()
         l1_da_mode: L1DataAvailabilityMode::Blob,
         l2_gas_price_fri: VersionedConstants::latest_constants().min_gas_price,
         starknet_version: StarknetVersion::LATEST,
+        fee_actual: None,
     };
     let proposal_id = ProposalId(1);
     let timeout = TIMEOUT;
@@ -302,6 +303,64 @@ async fn rejects_proposal_init_l1_gas_price_out_of_margin(#[case] field: L1GasPr
     );
 }
 
+// fee_actual = 8 gwei; bounds are derived in-line so they stay correct if the SNIP-35
+// constants change. upper = fee_actual * (PPT + MARGIN) / PPT;
+// lower = fee_actual * PPT / (PPT + MARGIN) (integer-truncated).
+const FEE_ACTUAL_FRI: u128 = 8_000_000_000;
+#[rstest]
+#[case::at_fee_actual(FEE_ACTUAL_FRI, true)]
+#[case::upper_bound_inclusive(
+    FEE_ACTUAL_FRI * (PPT_DENOMINATOR + FEE_PROPOSAL_MARGIN_PPT) / PPT_DENOMINATOR,
+    true,
+)]
+#[case::lower_bound_inclusive(
+    FEE_ACTUAL_FRI * PPT_DENOMINATOR / (PPT_DENOMINATOR + FEE_PROPOSAL_MARGIN_PPT),
+    true,
+)]
+#[case::above_upper_bound(
+    FEE_ACTUAL_FRI * (PPT_DENOMINATOR + FEE_PROPOSAL_MARGIN_PPT) / PPT_DENOMINATOR + 1,
+    false,
+)]
+#[case::below_lower_bound(
+    FEE_ACTUAL_FRI * PPT_DENOMINATOR / (PPT_DENOMINATOR + FEE_PROPOSAL_MARGIN_PPT) - 1,
+    false,
+)]
+#[tokio::test]
+async fn snip35_fee_proposal_within_margin_of_fee_actual(
+    #[case] fee_proposal_fri: u128,
+    #[case] should_accept: bool,
+) {
+    let (proposal_args, _content_sender) = create_proposal_validate_arguments();
+    let TestProposalValidateArguments {
+        deps,
+        mut init,
+        mut proposal_init_validation,
+        gas_price_params,
+        ..
+    } = proposal_args;
+    proposal_init_validation.fee_actual = Some(GasPrice(8_000_000_000));
+    init.fee_proposal_fri = Some(GasPrice(fee_proposal_fri));
+
+    let res = is_proposal_init_valid(
+        &proposal_init_validation,
+        &init,
+        deps.clock.as_ref(),
+        Arc::new(deps.l1_gas_price_provider),
+        &gas_price_params,
+    )
+    .await;
+
+    if should_accept {
+        assert!(res.is_ok(), "expected accept, got {res:?}");
+    } else {
+        assert_matches!(
+            res,
+            Err(ValidateProposalError::InvalidProposalInit(_, _, ref msg))
+                if msg.contains("Fee proposal out of SNIP-35 bounds")
+        );
+    }
+}
+
 #[tokio::test]
 async fn validate_block_fail() {
     let (mut proposal_args, _content_sender) = create_proposal_validate_arguments();