Address filtering for retryable submissions, redeems, and delayed events

Extend address filtering to cover ArbitrumSubmitRetryableTx, retryable
redeem execution, and event-based filtering in the delayed message path.

What was missing
----------------

ArbitrumSubmitRetryableTx filtering: PostTxFilter touches sender and tx.To()
but not the retryable-specific fields (Beneficiary, FeeRefundAddr, RetryTo).
When the onchain filter contains the tx hash, StartTxHook had no handling
for the retryable case, so funds would flow to filtered addresses.

Redeem inner execution filtering: When a retryable is redeemed (auto or
manual), the ArbitrumRetryTx runs with hooks = nil in the block processor,
so PostTxFilter never fires. The EVM execution touches filtered addresses
via PushContract/opSelfdestruct but nobody checks IsAddressFiltered()
afterwards.

Event filter in delayed path: The event filter (Transfer, TransferSingle,
TransferBatch log scanning) only ran in the sequencer's postTxFilter, not
in DelayedFilteringSequencingHooks.PostTxFilter.

Solution
--------

Filtered retryable redirect: In StartTxHook for ArbitrumSubmitRetryableTx,
when the tx hash is in the onchain filter, redirect Beneficiary and
FeeRefundAddr to a configurable filteredFundsRecipient (new ArbOS state
field, with ArbOwner precompile accessors, fallback to networkFeeAccount).
Skip auto-redeem scheduling. Set ErrFilteredTx as result.Err so PostTxFilter
knows to skip re-halting.

RedeemFilter: New RedeemFilter(*state.StateDB) error method on the
SequencingHooks interface. Called in the block processor's result filter
closure when the current tx is a redeem. Runs the event filter on logs then
checks IsAddressFiltered(). Returns ErrArbTxFilter to revert the snapshot
and drop the redeem from the block.

Delayed event filter: Pass the event filter to
DelayedFilteringSequencingHooks. Shared applyEventFilter() helper called in
both PostTxFilter and RedeemFilter.

PostTxFilter retryable field touching: New touchRetryableAddresses() helper
touches Beneficiary, FeeRefundAddr, RetryTo, and their de-aliased versions
(InverseRemapL1Address). Called in both sequencer and delayed PostTxFilter.

Design Decisions
----------------

Redirect instead of reject: Retryable submissions are L1 delayed messages
that cannot be rejected. Funds are already deposited on L2. Rejecting would
leave them stuck in escrow with an unreachable beneficiary.

Skip auto-redeem for filtered retryables: The RetryData calldata may target
filtered addresses. The redirected beneficiary can manually redeem if
appropriate.

ErrFilteredTx in result.Err: Without this marker, PostTxFilter sees the
original (still-filtered) Beneficiary via touchRetryableAddresses and
re-halts. The error signals that the onchain filter already handled this tx.

RedeemFilter via sequencingHooks not hooks: hooks is intentionally nil for
redeems - it gates sequencer policies (PreTxFilter nonce checking,
PostTxFilter nonce cache updates/revert gas rejection, InsertLastTxError,
DiscardInvalidTxsEarly) that don't apply to protocol-scheduled transactions.
RedeemFilter is called on sequencingHooks (the function parameter, always
non-nil) directly to get only the narrow redeem filtering behavior.

Dropping redeems is safe: State reverts via RevertToSnapshot. The retryable
ticket survives (DeleteRetryable only runs on successful redeem in
EndTxHook). Ticket can be manually redeemed later or expires to beneficiary.
This is a sequencing-level decision - NoopSequencingHooks.RedeemFilter
returns nil during replay/validation.

De-aliased address touching: The L1 Inbox aliases contract addresses for
Beneficiary and FeeRefundAddr. We touch both the aliased and original
(InverseRemapL1Address) versions so filtering catches the L1 address.

DeleteFree commented out: For symmetry with other filtered tx paths,
deletion from the onchain filter is handled by the external tx authority
service.

Tests (11 new):
---------------

Retryable redirect (halt-and-wait pattern):
- TestFilteredRetryableRedirectWithExplicitRecipient
- TestFilteredRetryableRedirectFallbackToNetworkFee
- TestFilteredRetryableNoRedirectWhenNotFiltered
- TestFilteredRetryableWithCallValue
- TestFilteredRetryableSequencerDoesNotReHalt

RedeemFilter (verify redeem dropped, ticket survives):
- TestRetryableAutoRedeemCallsFilteredAddress
- TestRetryableAutoRedeemCreatesAtFilteredAddress
- TestRetryableAutoRedeemSelfDestructsToFilteredAddress
- TestRetryableAutoRedeemStaticCallsFilteredAddress
- TestRetryableAutoRedeemEmitsTransferToFilteredAddress
- TestDelayedMessageFilterCatchesEventFilter

Delayed event filter:
- TestDelayedMessageFilterCatchesEventFilter

Author: Tristan-Wilson

arbos/block_processor.go

@@ -116,6 +116,7 @@ type SequencingHooks interface {
 	DiscardInvalidTxsEarly() bool
 	PreTxFilter(*params.ChainConfig, *types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, *arbitrum_types.ConditionalOptions, common.Address, *L1Info) error
 	PostTxFilter(*types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, common.Address, uint64, *core.ExecutionResult) error
+	RedeemFilter(*state.StateDB) error
 	BlockFilter(*types.Header, *state.StateDB, types.Transactions, types.Receipts) error
 	InsertLastTxError(error)
 }
@@ -153,6 +154,10 @@ func (n *NoopSequencingHooks) BlockFilter(header *types.Header, db *state.StateD
 	return nil
 }
 
+func (n *NoopSequencingHooks) RedeemFilter(db *state.StateDB) error {
+	return nil
+}
+
 func (n *NoopSequencingHooks) InsertLastTxError(err error) {}
 
 func NewNoopSequencingHooks(txes types.Transactions) *NoopSequencingHooks {
@@ -254,12 +259,14 @@ func ProduceBlockAdvanced(
 		var options *arbitrum_types.ConditionalOptions
 		var hooks SequencingHooks
 		isUserTx := false
+		isRedeem := false
 		if firstTx != nil {
 			tx = firstTx
 			firstTx = nil
 		} else if len(redeems) > 0 {
 			tx = redeems[0]
 			redeems = redeems[1:]
+			isRedeem = true
 
 			retry, ok := (tx.GetInner()).(*types.ArbitrumRetryTx)
 			if !ok {
@@ -375,6 +382,14 @@ func ProduceBlockAdvanced(
 					if hooks != nil {
 						return hooks.PostTxFilter(header, statedb, arbState, tx, sender, dataGas, result)
 					}
+					// hooks is intentionally nil for redeems - it gates sequencer policies
+					// (PreTxFilter, PostTxFilter, nonce checking, error tracking) that don't
+					// apply to protocol-scheduled transactions. RedeemFilter is called on
+					// sequencingHooks directly to get the narrow redeem filtering behavior
+					// without enabling those other policies.
+					if isRedeem {
+						return sequencingHooks.RedeemFilter(statedb)
+					}
 					return nil
 				},
 			)

arbos/tx_processor.go

@@ -202,11 +202,36 @@ func (p *TxProcessor) StartTxHook() (endTxNow bool, multiGasUsed multigas.MultiG
 		defer (startTracer())()
 		statedb := evm.StateDB
 		ticketId := underlyingTx.Hash()
+
 		escrow := retryables.RetryableEscrowAddress(ticketId)
 		networkFeeAccount, _ := p.state.NetworkFeeAccount()
 		from := tx.From
 		scenario := util.TracingDuringEVM
 
+		// Check if this transaction is in the onchain filter. If so, redirect FeeRefundAddr
+		// and Beneficiary to the filteredFundsRecipient (or networkFeeAccount as fallback).
+		// filteredErr is set as result.Err so that PostTxFilter can detect the tx was
+		// already handled by the onchain filter and skip halting.
+		var filteredErr error
+		isFiltered := false
+		if p.state.ArbOSVersion() >= params.ArbosVersion_TransactionFiltering &&
+			p.state.FilteredTransactions().IsFilteredFree(ticketId) {
+			recipient, err := p.state.FilteredFundsRecipientOrDefault()
+			if err != nil {
+				return true, multigas.ZeroGas(), err, nil
+			}
+			// For symmetry with other filtered tx paths, deletion from the onchain filter
+			// is handled by the external tx authority service rather than here.
+			// Note: deletion here *would* be committed despite the ErrFilteredTx in
+			// result.Err, because endTxNow=true means the outer error is nil and state
+			// is not reverted. May move to direct deletion here in future.
+			// p.state.FilteredTransactions().DeleteFree(ticketId)
+			tx.FeeRefundAddr = recipient
+			tx.Beneficiary = recipient
+			isFiltered = true
+			filteredErr = &core.ErrFilteredTx{TxHash: ticketId}
+		}
+
 		// mint funds with the deposit, then charge fees later
 		availableRefund := new(big.Int).Set(tx.DepositValue)
 		takeFunds(availableRefund, tx.RetryValue)
@@ -306,7 +331,7 @@ func (p *TxProcessor) StartTxHook() (endTxNow bool, multiGasUsed multigas.MultiG
 				// should never happen as from's balance should be at least availableRefund at this point
 				log.Error("failed to transfer gasCostRefund", "err", err)
 			}
-			return true, multigas.ZeroGas(), nil, ticketId.Bytes()
+			return true, multigas.ZeroGas(), filteredErr, ticketId.Bytes()
 		}
 
 		// pay for the retryable's gas and update the pools
@@ -323,15 +348,15 @@ func (p *TxProcessor) StartTxHook() (endTxNow bool, multiGasUsed multigas.MultiG
 				infraCost = takeFunds(networkCost, infraCost)
 				if err := transfer(&tx.From, &infraFeeAccount, infraCost, tracing.BalanceIncreaseInfraFee); err != nil {
 					log.Error("failed to transfer gas cost to infrastructure fee account", "err", err)
-					return true, multigas.ZeroGas(), nil, ticketId.Bytes()
+					return true, multigas.ZeroGas(), filteredErr, ticketId.Bytes()
 				}
 			}
 		}
 		if arbmath.BigGreaterThan(networkCost, common.Big0) {
 			if err := transfer(&tx.From, &networkFeeAccount, networkCost, tracing.BalanceIncreaseNetworkFee); err != nil {
 				// should be impossible because we just checked the tx.From balance
 				log.Error("failed to transfer gas cost to network fee account", "err", err)
-				return true, multigas.ZeroGas(), nil, ticketId.Bytes()
+				return true, multigas.ZeroGas(), filteredErr, ticketId.Bytes()
 			}
 		}
 
@@ -348,6 +373,14 @@ func (p *TxProcessor) StartTxHook() (endTxNow bool, multiGasUsed multigas.MultiG
 		availableRefund.Add(availableRefund, withheldGasFunds)
 		availableRefund.Add(availableRefund, withheldSubmissionFee)
 
+		// For filtered retryables, skip auto-redeem scheduling. The retryable
+		// is created with a redirected beneficiary who can redeem manually.
+		// This prevents the auto-redeem from executing calls against
+		// potentially filtered addresses.
+		if isFiltered {
+			return true, multigas.L2CalldataGas(usergas), filteredErr, ticketId.Bytes()
+		}
+
 		// emit RedeemScheduled event
 		retryTxInner, err := retryable.MakeTx(
 			underlyingTx.ChainId(),

contracts-local/src/mocks/AddressFilterTest.sol

@@ -72,7 +72,7 @@ contract AddressFilterTest {
     /// @notice Selfdestructs this contract and sends balance to beneficiary
     function selfDestructTo(
         address payable beneficiary
-    ) external {
+    ) external payable {
         selfdestruct(beneficiary);
     }
 

execution/gethexec/executionengine.go

@@ -46,9 +46,11 @@ import (
 	"github.com/offchainlabs/nitro/arbos/filteredTransactions"
 	"github.com/offchainlabs/nitro/arbos/l1pricing"
 	"github.com/offchainlabs/nitro/arbos/programs"
+	arbosutil "github.com/offchainlabs/nitro/arbos/util"
 	"github.com/offchainlabs/nitro/arbutil"
 	"github.com/offchainlabs/nitro/consensus"
 	"github.com/offchainlabs/nitro/execution"
+	"github.com/offchainlabs/nitro/execution/gethexec/eventfilter"
 	"github.com/offchainlabs/nitro/util/arbmath"
 	"github.com/offchainlabs/nitro/util/containers"
 	"github.com/offchainlabs/nitro/util/sharedmetrics"
@@ -95,10 +97,14 @@ var ErrDelayedTxFiltered = errors.New("delayed transaction filtered")
 type DelayedFilteringSequencingHooks struct {
 	arbos.NoopSequencingHooks
 	FilteredTxHashes []common.Hash
+	eventFilter      *eventfilter.EventFilter
 }
 
-func NewDelayedFilteringSequencingHooks(txes types.Transactions) *DelayedFilteringSequencingHooks {
-	return &DelayedFilteringSequencingHooks{NoopSequencingHooks: *arbos.NewNoopSequencingHooks(txes)}
+func NewDelayedFilteringSequencingHooks(txes types.Transactions, ef *eventfilter.EventFilter) *DelayedFilteringSequencingHooks {
+	return &DelayedFilteringSequencingHooks{
+		NoopSequencingHooks: *arbos.NewNoopSequencingHooks(txes),
+		eventFilter:         ef,
+	}
 }
 
 // PostTxFilter touches To/From addresses and checks IsAddressFiltered.
@@ -109,6 +115,8 @@ func (f *DelayedFilteringSequencingHooks) PostTxFilter(header *types.Header, db
 	if tx.To() != nil {
 		db.TouchAddress(*tx.To())
 	}
+	touchRetryableAddresses(db, tx)
+	applyEventFilter(f.eventFilter, db)
 
 	if db.IsAddressFiltered() {
 		// If the STF already handled this tx via the onchain filter mechanism,
@@ -124,6 +132,42 @@ func (f *DelayedFilteringSequencingHooks) PostTxFilter(header *types.Header, db
 	return nil
 }
 
+func (f *DelayedFilteringSequencingHooks) RedeemFilter(db *state.StateDB) error {
+	applyEventFilter(f.eventFilter, db)
+	if db.IsAddressFiltered() {
+		return state.ErrArbTxFilter
+	}
+	return nil
+}
+
+func applyEventFilter(ef *eventfilter.EventFilter, db *state.StateDB) {
+	if ef == nil {
+		return
+	}
+	logs := db.GetCurrentTxLogs()
+	for _, l := range logs {
+		for _, addr := range ef.AddressesForFiltering(l.Topics, l.Data, l.Address, common.Address{}) {
+			db.TouchAddress(addr)
+		}
+	}
+}
+
+// touchRetryableAddresses touches addresses from retryable inner fields
+// (Beneficiary, FeeRefundAddr, RetryTo) so the address filter can detect them.
+// Also touches de-aliased versions to catch L1 contract addresses that were
+// aliased by the Inbox contract.
+func touchRetryableAddresses(db *state.StateDB, tx *types.Transaction) {
+	if inner, ok := tx.GetInner().(*types.ArbitrumSubmitRetryableTx); ok {
+		db.TouchAddress(inner.Beneficiary)
+		db.TouchAddress(inner.FeeRefundAddr)
+		if inner.RetryTo != nil {
+			db.TouchAddress(*inner.RetryTo)
+		}
+		db.TouchAddress(arbosutil.InverseRemapL1Address(inner.Beneficiary))
+		db.TouchAddress(arbosutil.InverseRemapL1Address(inner.FeeRefundAddr))
+	}
+}
+
 type L1PriceDataOfMsg struct {
 	callDataUnits            uint64
 	cummulativeCallDataUnits uint64
@@ -170,6 +214,7 @@ type ExecutionEngine struct {
 	runningMaintenance atomic.Bool
 
 	addressChecker state.AddressChecker
+	eventFilter    *eventfilter.EventFilter
 }
 
 func NewL1PriceData() *L1PriceData {
@@ -828,7 +873,7 @@ func (s *ExecutionEngine) createBlockFromNextMessage(msg *arbostypes.MessageWith
 			log.Warn("error parsing incoming message for filtering", "err", err)
 			txes = types.Transactions{}
 		}
-		filteringHooks := NewDelayedFilteringSequencingHooks(txes)
+		filteringHooks := NewDelayedFilteringSequencingHooks(txes, s.eventFilter)
 
 		block, receipts, err := arbos.ProduceBlockAdvanced(
 			msg.Message.Header,
@@ -1238,6 +1283,10 @@ func (s *ExecutionEngine) SetAddressChecker(checker state.AddressChecker) {
 	s.addressChecker = checker
 }
 
+func (s *ExecutionEngine) SetEventFilter(ef *eventfilter.EventFilter) {
+	s.eventFilter = ef
+}
+
 func (s *ExecutionEngine) IsTxHashInOnchainFilter(txHash common.Hash) (bool, error) {
 	currentHeader, err := s.getCurrentHeader()
 	if err != nil {

execution/gethexec/sequencer.go

@@ -517,6 +517,7 @@ func NewSequencer(execEngine *ExecutionEngine, l1Reader *headerreader.HeaderRead
 	}
 	s.Pause()
 	execEngine.EnableReorgSequencing()
+	execEngine.SetEventFilter(eventFilter)
 	return s, nil
 }
 
@@ -783,6 +784,7 @@ func (s *Sequencer) postTxFilter(header *types.Header, statedb *state.StateDB, _
 			}
 		}
 	}
+	touchRetryableAddresses(statedb, tx)
 
 	if statedb.IsTxFiltered() || statedb.IsAddressFiltered() {
 		return state.ErrArbTxFilter
@@ -810,6 +812,14 @@ func (s *Sequencer) postTxFilter(header *types.Header, statedb *state.StateDB, _
 	return nil
 }
 
+func (s *Sequencer) redeemFilter(db *state.StateDB) error {
+	applyEventFilter(s.eventFilter, db)
+	if db.IsAddressFiltered() {
+		return state.ErrArbTxFilter
+	}
+	return nil
+}
+
 func (s *Sequencer) CheckHealth(ctx context.Context) error {
 	pauseChan, forwarder := s.GetPauseAndForwarder()
 	if forwarder != nil {
@@ -962,6 +972,7 @@ type FullSequencingHooks struct {
 	txErrors                 []error
 	preTxFilter              func(*params.ChainConfig, *types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, *arbitrum_types.ConditionalOptions, common.Address, *arbos.L1Info) error
 	postTxFilter             func(*types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, common.Address, uint64, *core.ExecutionResult) error
+	redeemFilter             func(*state.StateDB) error
 	blockFilter              func(*types.Header, *state.StateDB, types.Transactions, types.Receipts) error
 }
 
@@ -1068,6 +1079,13 @@ func (s *FullSequencingHooks) PostTxFilter(header *types.Header, db *state.State
 	return nil
 }
 
+func (s *FullSequencingHooks) RedeemFilter(db *state.StateDB) error {
+	if s.redeemFilter != nil {
+		return s.redeemFilter(db)
+	}
+	return nil
+}
+
 func (s *FullSequencingHooks) BlockFilter(header *types.Header, db *state.StateDB, transactions types.Transactions, receipts types.Receipts) error {
 	if s.blockFilter != nil {
 		return s.blockFilter(header, db, transactions, receipts)
@@ -1080,6 +1098,7 @@ func MakeSequencingHooks(
 	maxSequencedTxsSize int,
 	preTxFilter func(*params.ChainConfig, *types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, *arbitrum_types.ConditionalOptions, common.Address, *arbos.L1Info) error,
 	postTxFilter func(*types.Header, *state.StateDB, *arbosState.ArbosState, *types.Transaction, common.Address, uint64, *core.ExecutionResult) error,
+	redeemFilter func(*state.StateDB) error,
 	blockFilter func(*types.Header, *state.StateDB, types.Transactions, types.Receipts) error,
 ) *FullSequencingHooks {
 	res := &FullSequencingHooks{
@@ -1089,6 +1108,7 @@ func MakeSequencingHooks(
 		maxSequencedTxsSize:      maxSequencedTxsSize,
 		preTxFilter:              preTxFilter,
 		postTxFilter:             postTxFilter,
+		redeemFilter:             redeemFilter,
 		blockFilter:              blockFilter,
 	}
 	return res
@@ -1113,6 +1133,7 @@ func MakeZeroTxSizeSequencingHooksForTesting(
 		0,
 		preTxFilter,
 		postTxFilter,
+		nil,
 		blockFilter,
 	)
 }
@@ -1370,6 +1391,7 @@ func (s *Sequencer) createBlock(ctx context.Context) (returnValue bool) {
 		s.config().MaxTxDataSize,
 		s.preTxFilter,
 		s.postTxFilter,
+		s.redeemFilter,
 		nil,
 	)