Implement checkpoint-and-revert for cascading redeem filtering

When a retryable auto-redeem's inner execution touches a filtered address,
simply dropping the redeem causes consensus divergence: redeems are generated
inside ProduceBlockAdvanced via ScheduledTxes(), so during replay the redeem
re-executes (NoopSequencingHooks.RedeemFilter returns nil), producing a
different state root than the sequencer's block.

The fix is checkpoint-and-revert: take a state snapshot before each user tx
and process it with all its redeems tentatively (skipFinalise). If any redeem
triggers RedeemFilter, revert the entire group (user tx + all redeems) so the
redeem is never generated in the first place. Both sequencer and replay then
see the same block without the tx, maintaining consensus.

For the delayed path, the group revert reports the originating tx hash via
ReportGroupRevert, which halts the delayed sequencer. The the hash is added to
the onchain filter via the transaction-filterer service, and the
submission re-processes with redirected beneficiary and no auto-redeem.

Key design decisions:
- skipFinalise defers statedb.Finalise during tentative group processing so
  that RevertToSnapshot can cleanly undo the entire group across tx boundaries
  (Finalise destroys the journal and promotes dirtyStorage to pendingStorage,
  making cross-tx revert impossible)
- SubRefund drains the EVM refund counter before each tx in a tentative group,
  mimicking what Finalise normally does - without this, the leaked refund
  causes GasUsed divergence (consensus break). SubRefund is journaled so group
  revert restores it automatically
- ReportGroupRevert is a new SequencingHooks method that lets the block
  processor signal a group revert to the hooks layer without coupling to
  specific hook implementations

Author: Tristan-Wilson

arbos/block_processor.go

@@ -111,6 +111,17 @@ func createNewHeader(prevHeader *types.Header, l1info *L1Info, baseFee *big.Int,
 
 type ConditionalOptionsForTx []*arbitrum_types.ConditionalOptions
 
+// ErrFilteredCascadingRedeem is returned via ReportGroupRevert when a redeem's
+// inner execution touches a filtered address, requiring the entire tx group
+// (originating user tx + all its redeems) to be reverted.
+type ErrFilteredCascadingRedeem struct {
+	OriginatingTxHash common.Hash
+}
+
+func (e *ErrFilteredCascadingRedeem) Error() string {
+	return fmt.Sprintf("cascading redeem filtered: originating tx %s", e.OriginatingTxHash.Hex())
+}
+
 type SequencingHooks interface {
 	NextTxToSequence() (*types.Transaction, *arbitrum_types.ConditionalOptions, error)
 	DiscardInvalidTxsEarly() bool
@@ -119,6 +130,7 @@ type SequencingHooks interface {
 	RedeemFilter(*state.StateDB) error
 	BlockFilter(*types.Header, *state.StateDB, types.Transactions, types.Receipts) error
 	InsertLastTxError(error)
+	ReportGroupRevert(error)
 }
 
 type NoopSequencingHooks struct {
@@ -160,6 +172,8 @@ func (n *NoopSequencingHooks) RedeemFilter(db *state.StateDB) error {
 
 func (n *NoopSequencingHooks) InsertLastTxError(err error) {}
 
+func (n *NoopSequencingHooks) ReportGroupRevert(error) {}
+
 func NewNoopSequencingHooks(txes types.Transactions) *NoopSequencingHooks {
 	return &NoopSequencingHooks{txs: txes}
 }
@@ -252,6 +266,50 @@ func ProduceBlockAdvanced(
 
 	firstTx := types.NewTx(startTx)
 
+	// Group checkpoint state for cascading redeem filtering. We take a state
+	// checkpoint before each user tx and process it with all its redeems
+	// tentatively (skipFinalise). If any redeem hits RedeemFilter, we revert
+	// the entire group. If all redeems are clean, we flush Finalise.
+	// lint:require-exhaustive-initialization
+	type groupCheckpoint struct {
+		snap                 int
+		headerGasUsed        uint64
+		blockGasLeft         uint64
+		expectedBalanceDelta *big.Int
+		completeLen          int
+		receiptsLen          int
+		userTxsProcessed     int
+		gethGas              core.GasPool
+		userTxHash           common.Hash
+	}
+	var activeGroupCP *groupCheckpoint
+
+	// revertToGroupCheckpoint reverts statedb and non-statedb state to the group
+	// checkpoint, reports the cascading redeem error to sequencing hooks, and
+	// deactivates the group. Returns an error only on fatal failures.
+	revertToGroupCheckpoint := func() error {
+		statedb.RevertToSnapshot(activeGroupCP.snap)
+		statedb.ClearTxFilter()
+		header.GasUsed = activeGroupCP.headerGasUsed
+		blockGasLeft = activeGroupCP.blockGasLeft
+		expectedBalanceDelta.Set(activeGroupCP.expectedBalanceDelta)
+		complete = complete[:activeGroupCP.completeLen]
+		receipts = receipts[:activeGroupCP.receiptsLen]
+		userTxsProcessed = activeGroupCP.userTxsProcessed
+		gethGas = activeGroupCP.gethGas
+		redeems = redeems[:0]
+		var reopenErr error
+		arbState, reopenErr = arbosState.OpenSystemArbosState(statedb, nil, true)
+		if reopenErr != nil {
+			return reopenErr
+		}
+		sequencingHooks.ReportGroupRevert(&ErrFilteredCascadingRedeem{
+			OriginatingTxHash: activeGroupCP.userTxHash,
+		})
+		activeGroupCP = nil
+		return nil
+	}
+
 	for {
 		// repeatedly process the next tx, doing redeems created along the way in FIFO order
 
@@ -272,12 +330,19 @@ func ProduceBlockAdvanced(
 			if !ok {
 				return nil, nil, errors.New("retryable tx is somehow not a retryable")
 			}
+
 			retryable, _ := arbState.RetryableState().OpenRetryable(retry.TicketId, time)
 			if retryable == nil {
 				// retryable was already deleted
 				continue
 			}
 		} else {
+			// Flush previous clean group's deferred Finalise before starting new work
+			if activeGroupCP != nil {
+				statedb.Finalise(true)
+				activeGroupCP = nil
+			}
+
 			var conditionalOptions *arbitrum_types.ConditionalOptions
 			tx, conditionalOptions, err = sequencingHooks.NextTxToSequence()
 			if err != nil {
@@ -291,11 +356,36 @@ func ProduceBlockAdvanced(
 				isUserTx = true
 				options = conditionalOptions
 			}
+
+			// Take group checkpoint before processing user tx
+			if isUserTx {
+				activeGroupCP = &groupCheckpoint{
+					snap:                 statedb.Snapshot(),
+					headerGasUsed:        header.GasUsed,
+					blockGasLeft:         blockGasLeft,
+					expectedBalanceDelta: new(big.Int).Set(expectedBalanceDelta),
+					completeLen:          len(complete),
+					receiptsLen:          len(receipts),
+					userTxsProcessed:     userTxsProcessed,
+					gethGas:              gethGas,
+					userTxHash:           tx.Hash(),
+				}
+			}
 		}
 
+		// Without Finalise between txs in a tentative group, the EVM refund
+		// counter leaks across tx boundaries. During replay, Finalise IS called
+		// between txs so each starts with refund=0. A nonzero starting refund
+		// here would cause GasUsed divergence (consensus break). SubRefund
+		// drains the counter to 0, mimicking Finalise. It's journaled, so
+		// group revert undoes it.
 		startRefund := statedb.GetRefund()
 		if startRefund != 0 {
-			return nil, nil, fmt.Errorf("at beginning of tx statedb has non-zero refund %v", startRefund)
+			if activeGroupCP != nil {
+				statedb.SubRefund(startRefund)
+			} else {
+				return nil, nil, fmt.Errorf("at beginning of tx statedb has non-zero refund %v", startRefund)
+			}
 		}
 
 		var sender common.Address
@@ -392,6 +482,15 @@ func ProduceBlockAdvanced(
 					}
 					return nil
 				},
+				// skipFinalise: Normally Finalise runs after every committed tx,
+				// promoting dirtyStorage -> pendingStorage, clearing the journal,
+				// and zeroing the refund counter. After that, RevertToSnapshot
+				// can't undo past that boundary (journal gone, pendingStorage not
+				// journaled, snapshot IDs invalidated). We need to revert the
+				// entire group if any redeem is filtered, so we skip Finalise
+				// while a group checkpoint is active. It's flushed at group
+				// boundaries: before the next user tx or at end of block.
+				activeGroupCP != nil,
 			)
 			if err != nil {
 				// Ignore this transaction if it's invalid under the state transition function
@@ -416,6 +515,18 @@ func ProduceBlockAdvanced(
 		}
 
 		if err != nil {
+			// Cascading redeem filtering: if a redeem was filtered and we have an
+			// active group checkpoint, revert the entire group (user tx + all redeems)
+			if isRedeem && activeGroupCP != nil && errors.Is(err, state.ErrArbTxFilter) {
+				if err := revertToGroupCheckpoint(); err != nil {
+					return nil, nil, err
+				}
+				continue
+			}
+			// If the user tx itself failed, deactivate the group (no redeems generated)
+			if isUserTx && activeGroupCP != nil {
+				activeGroupCP = nil
+			}
 			logLevel := log.Debug
 			if chainConfig.DebugMode() {
 				logLevel = log.Warn
@@ -527,6 +638,12 @@ func ProduceBlockAdvanced(
 		}
 	}
 
+	// Flush deferred Finalise for the last clean group
+	if activeGroupCP != nil {
+		statedb.Finalise(true)
+		activeGroupCP = nil
+	}
+
 	if statedb.IsTxFiltered() {
 		return nil, nil, state.ErrArbTxFilter
 	}

arbos/tx_processor.go

@@ -214,8 +214,7 @@ func (p *TxProcessor) StartTxHook() (endTxNow bool, multiGasUsed multigas.MultiG
 		// already handled by the onchain filter and skip halting.
 		var filteredErr error
 		isFiltered := false
-		if p.state.ArbOSVersion() >= params.ArbosVersion_TransactionFiltering &&
-			p.state.FilteredTransactions().IsFilteredFree(ticketId) {
+		if p.state.FilteredTransactions().IsFilteredFree(ticketId) {
 			recipient, err := p.state.FilteredFundsRecipientOrDefault()
 			if err != nil {
 				return true, multigas.ZeroGas(), err, nil

changelog/Tristan-Wilson-cascading-redeem-filtering-NIT-4453.md

@@ -0,0 +1,2 @@
+### Added
+- Checkpoint-and-revert mechanism for filtering retryable submissions whose redeems touch filtered addresses.

execution/gethexec/executionengine.go

@@ -118,6 +118,10 @@ func (f *DelayedFilteringSequencingHooks) PostTxFilter(header *types.Header, db
 	if tx.To() != nil {
 		db.TouchAddress(*tx.To())
 	}
+	// For tx types that alias the sender (unsigned contract txs, retryables),
+	// also check the original L1 address. The sender in the tx is already
+	// aliased by the L1 bridge, but the restricted address list contains
+	// original (non-aliased) addresses.
 	txType := tx.Type()
 	if arbosutil.DoesTxTypeAlias(&txType) {
 		db.TouchAddress(arbosutil.InverseRemapL1Address(sender))
@@ -147,6 +151,17 @@ func (f *DelayedFilteringSequencingHooks) RedeemFilter(db *state.StateDB) error
 	return nil
 }
 
+// ReportGroupRevert extracts the originating tx hash from ErrFilteredCascadingRedeem
+// and appends it to FilteredTxHashes. After ProduceBlockAdvanced returns, the existing
+// check at executionengine.go fires ErrFilteredDelayedMessage, causing the delayed
+// sequencer to halt and the transaction-filterer to add the hash to the onchain filter.
+func (f *DelayedFilteringSequencingHooks) ReportGroupRevert(err error) {
+	var cascadingErr *arbos.ErrFilteredCascadingRedeem
+	if errors.As(err, &cascadingErr) {
+		f.FilteredTxHashes = append(f.FilteredTxHashes, cascadingErr.OriginatingTxHash)
+	}
+}
+
 func applyEventFilter(ef *eventfilter.EventFilter, db *state.StateDB) {
 	if ef == nil {
 		return

execution/gethexec/sequencer.go

@@ -842,7 +842,6 @@ func (s *Sequencer) postTxFilter(header *types.Header, statedb *state.StateDB, _
 			}
 		}
 	}
-	touchRetryableAddresses(statedb, tx)
 
 	if statedb.IsTxFiltered() || statedb.IsAddressFiltered() {
 		return state.ErrArbTxFilter
@@ -1153,6 +1152,20 @@ func (s *FullSequencingHooks) BlockFilter(header *types.Header, db *state.StateD
 	return nil
 }
 
+// ReportGroupRevert replaces the last txErrors entry with the group revert
+// error. Redeems don't get txErrors entries (only user txs from
+// NextTxToSequence do), so a group (user tx + all its redeems) has exactly
+// one entry - the originating user tx's nil. Replacing it with the error
+// excludes the tx from the block (MessageFromTxes skips non-nil entries)
+// and returns the error to the RPC caller via resultChan.
+func (s *FullSequencingHooks) ReportGroupRevert(err error) {
+	if len(s.txErrors) > 0 {
+		s.txErrors[len(s.txErrors)-1] = err
+	} else {
+		log.Error("ReportGroupRevert called with empty txErrors")
+	}
+}
+
 func MakeSequencingHooks(
 	items []txQueueItem,
 	maxSequencedTxsSize int,