[execute] filter_invalid_txs validates against pre-system-txn state (TOCTOU)

[keanji-x]

Summary

filter_invalid_txs is called inside create_block_for_executor at lib.rs:615 with the original state view (Arc<Storage::StateView> from L948). However, system transactions have already been executed and their state changes are accumulated in accumulated_state_changes — which is not applied to the state view used for filtering.

TOCTOU window

The state used for balance/nonce validation is stale relative to post-system-txn state:

1. System txns execute → mint precompile adds balance to user A, or a contract callback sends ETH to user A.
2. accumulated_state_changes holds these changes.
3. filter_invalid_txs reads original state → sees user A's old balance → marks A's transaction as invalid (insufficient balance).
4. A's transaction is discarded even though post-system-txn state would make it valid.

The reverse is also possible: a system txn drains a contract, and a user txn that depends on that contract's balance passes validation but fails at execution time.

Impact

• Severity: High
• Valid user transactions may be silently discarded.
• Invalid user transactions may pass validation (caught by the parallel executor later, but with wasted gas accounting).

Suggested investigation

• Apply accumulated_state_changes to the state view before calling filter_invalid_txs, or pass the changes as an overlay.

Files

• crates/pipe-exec-layer-ext-v2/execute/src/lib.rs (L615, L948, L1207-1289)

[github-actions]

This issue is stale because it has been open for 21 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 7 days since being marked as stale.