Add prechecker address filtering via dry-run ProduceBlockAdvanced

Add address filtering to the prechecker by running the full block production
pipeline on a throwaway statedb. For each RPC-submitted transaction, when
filtering is enabled, the prechecker calls ProduceBlockAdvanced(dryRun=true)
through a thin PrefiltererSequencingHooks adapter that implements the same
TouchAddress/IsAddressFiltered logic the sequencer uses. This catches direct
address touches, direct redeems, contract-triggered redeems (where a contract
internally calls ArbRetryableTx.redeem), event-filter hits, and cascading
redeem chains -- all with zero coupling to retryable internals.

The approach is unified: every tx goes through ProduceBlockAdvanced rather than
trying to detect redeem-related transactions statically. A regular contract can
call ArbRetryableTx.redeem(ticketId) internally, making static detection
impossible. Running the real block processor as a black box sidesteps this
entirely.

Key design decisions:

- No isRedeemTx gate: the unified approach runs ALL txs through
  ProduceBlockAdvanced when filtering is enabled. A static gate on
  To == 0x6e misses contract-triggered redeems. The only gate is
  addressChecker != nil.

- No statedb.Copy(): each PublishTransaction opens its own statedb via
  bc.StateAt, never uses it after the dry-run, and ProduceBlockAdvanced
  doesn't call Commit. The statedb is passed directly and GC'd on return.
  This eliminates the main cost objection to running the full pipeline.

- dryRun mode: a new bool parameter on ProduceBlockAdvanced causes an early
  return after the tx processing loop, skipping FinalizeBlock (which calls
  IntermediateRoot -- likely the dominant fixed overhead per call),
  receipt construction, block assembly, and balance delta checks. The
  prechecker only needs hooks.filtered, not a valid block.

- Forwarder-only wiring: on the sequencer node, the sequencer already returns
  ErrArbTxFilter synchronously from real block production so the prechecker
  dry-run is redundant. The addressChecker/eventFilter are only wired to
  TxPreChecker on forwarder nodes (which don't run a sequencer and relay
  to a remote sequencer after prechecking).

- Config refactor: TransactionFilteringConfig is moved from SequencerConfig to
  a top-level execution.transaction-filtering.* namespace. Forwarders don't
  have a Sequencer component, so they couldn't access the filter config when
  it lived under execution.sequencer. The new location makes it available to
  any node role.

Author: Tristan-Wilson

arbos/block_processor.go

@@ -198,7 +198,7 @@ func ProduceBlock(
 	hooks := NewNoopSequencingHooks(txes)
 
 	return ProduceBlockAdvanced(
-		message.Header, delayedMessagesRead, lastBlockHeader, statedb, chainContext, hooks, isMsgForPrefetch, runCtx, exposeMultiGas,
+		message.Header, delayedMessagesRead, lastBlockHeader, statedb, chainContext, hooks, isMsgForPrefetch, runCtx, exposeMultiGas, false,
 	)
 }
 
@@ -213,6 +213,7 @@ func ProduceBlockAdvanced(
 	isMsgForPrefetch bool,
 	runCtx *core.MessageRunContext,
 	exposeMultiGas bool,
+	dryRun bool,
 ) (*types.Block, types.Receipts, error) {
 
 	arbState, err := arbosState.OpenSystemArbosState(statedb, nil, false)
@@ -638,6 +639,13 @@ func ProduceBlockAdvanced(
 		}
 	}
 
+	if dryRun {
+		// Filtering decisions are already recorded in the hooks.
+		// Skip all post-loop finalization -- the caller only needs
+		// hooks state, not a valid block.
+		return nil, nil, nil
+	}
+
 	// Flush deferred Finalise for the last clean group
 	if activeGroupCP != nil {
 		statedb.Finalise(true)

contracts-local/src/mocks/AddressFilterTest.sol

@@ -69,6 +69,15 @@ contract AddressFilterTest {
         return address(uint160(uint256(hash)));
     }
 
+    /// @notice Redeems a retryable ticket by calling ArbRetryableTx.redeem()
+    function redeemTicket(
+        bytes32 ticketId
+    ) external {
+        // ArbRetryableTx lives at address 110 (0x6e)
+        (bool success,) = address(110).call(abi.encodeWithSignature("redeem(bytes32)", ticketId));
+        require(success, "redeem failed");
+    }
+
     /// @notice Selfdestructs this contract and sends balance to beneficiary
     function selfDestructTo(
         address payable beneficiary

execution/gethexec/executionengine.go

@@ -683,6 +683,7 @@ func (s *ExecutionEngine) sequenceTransactionsWithBlockMutex(header *arbostypes.
 		false,
 		core.NewMessageCommitContext(s.wasmTargets),
 		s.exposeMultiGas,
+		false,
 	)
 	if err != nil {
 		return nil, err
@@ -908,6 +909,7 @@ func (s *ExecutionEngine) createBlockFromNextMessage(msg *arbostypes.MessageWith
 			isMsgForPrefetch,
 			runCtx,
 			s.exposeMultiGas,
+			false,
 		)
 		if err != nil {
 			return nil, nil, nil, err

execution/gethexec/node.go

@@ -34,6 +34,8 @@ import (
 	"github.com/offchainlabs/nitro/consensus"
 	"github.com/offchainlabs/nitro/consensus/consensusrpcclient"
 	"github.com/offchainlabs/nitro/execution"
+	"github.com/offchainlabs/nitro/execution/gethexec/addressfilter"
+	"github.com/offchainlabs/nitro/execution/gethexec/eventfilter"
 	executionrpcserver "github.com/offchainlabs/nitro/execution/rpcserver"
 	"github.com/offchainlabs/nitro/solgen/go/precompilesgen"
 	"github.com/offchainlabs/nitro/util"
@@ -118,25 +120,26 @@ func TxIndexerConfigAddOptions(prefix string, f *pflag.FlagSet) {
 }
 
 type Config struct {
-	ParentChainReader           headerreader.Config    `koanf:"parent-chain-reader" reload:"hot"`
-	Sequencer                   SequencerConfig        `koanf:"sequencer" reload:"hot"`
-	RecordingDatabase           BlockRecorderConfig    `koanf:"recording-database"`
-	TxPreChecker                TxPreCheckerConfig     `koanf:"tx-pre-checker" reload:"hot"`
-	Forwarder                   ForwarderConfig        `koanf:"forwarder"`
-	ForwardingTarget            string                 `koanf:"forwarding-target"`
-	SecondaryForwardingTarget   []string               `koanf:"secondary-forwarding-target"`
-	Caching                     CachingConfig          `koanf:"caching"`
-	RPC                         arbitrum.Config        `koanf:"rpc"`
-	TxIndexer                   TxIndexerConfig        `koanf:"tx-indexer"`
-	EnablePrefetchBlock         bool                   `koanf:"enable-prefetch-block"`
-	SyncMonitor                 SyncMonitorConfig      `koanf:"sync-monitor"`
-	StylusTarget                StylusTargetConfig     `koanf:"stylus-target"`
-	BlockMetadataApiCacheSize   uint64                 `koanf:"block-metadata-api-cache-size"`
-	BlockMetadataApiBlocksLimit uint64                 `koanf:"block-metadata-api-blocks-limit"`
-	VmTrace                     LiveTracingConfig      `koanf:"vmtrace"`
-	ExposeMultiGas              bool                   `koanf:"expose-multi-gas"`
-	RPCServer                   rpcserver.Config       `koanf:"rpc-server"`
-	ConsensusRPCClient          rpcclient.ClientConfig `koanf:"consensus-rpc-client" reload:"hot"`
+	ParentChainReader           headerreader.Config        `koanf:"parent-chain-reader" reload:"hot"`
+	Sequencer                   SequencerConfig            `koanf:"sequencer" reload:"hot"`
+	RecordingDatabase           BlockRecorderConfig        `koanf:"recording-database"`
+	TxPreChecker                TxPreCheckerConfig         `koanf:"tx-pre-checker" reload:"hot"`
+	TransactionFiltering        TransactionFilteringConfig `koanf:"transaction-filtering" reload:"hot"`
+	Forwarder                   ForwarderConfig            `koanf:"forwarder"`
+	ForwardingTarget            string                     `koanf:"forwarding-target"`
+	SecondaryForwardingTarget   []string                   `koanf:"secondary-forwarding-target"`
+	Caching                     CachingConfig              `koanf:"caching"`
+	RPC                         arbitrum.Config            `koanf:"rpc"`
+	TxIndexer                   TxIndexerConfig            `koanf:"tx-indexer"`
+	EnablePrefetchBlock         bool                       `koanf:"enable-prefetch-block"`
+	SyncMonitor                 SyncMonitorConfig          `koanf:"sync-monitor"`
+	StylusTarget                StylusTargetConfig         `koanf:"stylus-target"`
+	BlockMetadataApiCacheSize   uint64                     `koanf:"block-metadata-api-cache-size"`
+	BlockMetadataApiBlocksLimit uint64                     `koanf:"block-metadata-api-blocks-limit"`
+	VmTrace                     LiveTracingConfig          `koanf:"vmtrace"`
+	ExposeMultiGas              bool                       `koanf:"expose-multi-gas"`
+	RPCServer                   rpcserver.Config           `koanf:"rpc-server"`
+	ConsensusRPCClient          rpcclient.ClientConfig     `koanf:"consensus-rpc-client" reload:"hot"`
 
 	forwardingTarget string
 }
@@ -168,6 +171,9 @@ func (c *Config) Validate() error {
 	if err := c.ConsensusRPCClient.Validate(); err != nil {
 		return fmt.Errorf("error validating ConsensusRPCClient config: %w", err)
 	}
+	if err := c.TransactionFiltering.Validate(); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -181,6 +187,7 @@ func ConfigAddOptions(prefix string, f *pflag.FlagSet) {
 	f.StringSlice(prefix+".secondary-forwarding-target", ConfigDefault.SecondaryForwardingTarget, "secondary transaction forwarding target URL")
 	AddOptionsForNodeForwarderConfig(prefix+".forwarder", f)
 	TxPreCheckerConfigAddOptions(prefix+".tx-pre-checker", f)
+	TransactionFilteringConfigAddOptions(prefix+".transaction-filtering", f)
 	CachingConfigAddOptions(prefix+".caching", f)
 	SyncMonitorConfigAddOptions(prefix+".sync-monitor", f)
 	f.Bool(prefix+".enable-prefetch-block", ConfigDefault.EnablePrefetchBlock, "enable prefetching of blocks")
@@ -217,6 +224,7 @@ var ConfigDefault = Config{
 	ForwardingTarget:          "",
 	SecondaryForwardingTarget: []string{},
 	TxPreChecker:              DefaultTxPreCheckerConfig,
+	TransactionFiltering:      DefaultTransactionFilteringConfig,
 	Caching:                   DefaultCachingConfig,
 	Forwarder:                 DefaultNodeForwarderConfig,
 	SyncMonitor:               DefaultSyncMonitorConfig,
@@ -262,6 +270,8 @@ type ExecutionNode struct {
 	started                  atomic.Bool
 	bulkBlockMetadataFetcher *BulkBlockMetadataFetcher
 	consensusRPCClient       *consensusrpcclient.ConsensusRPCClient
+	addressFilterService     *addressfilter.FilterService
+	eventFilter              *eventfilter.EventFilter
 }
 
 func CreateExecutionNode(
@@ -318,6 +328,23 @@ func CreateExecutionNode(
 		}
 	}
 
+	ef, err := eventfilter.NewEventFilterFromConfig(config.TransactionFiltering.EventFilter)
+	if err != nil {
+		return nil, err
+	}
+	addressFilterService, err := addressfilter.NewFilterService(ctx, &config.TransactionFiltering.AddressFilter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create address filter service: %w", err)
+	}
+
+	if config.Sequencer.Enable && config.TransactionFiltering.TransactionFiltererRPCClient.URL != "" {
+		filtererConfigFetcher := func() *rpcclient.ClientConfig {
+			return &configFetcher.Get().TransactionFiltering.TransactionFiltererRPCClient
+		}
+		transactionFiltererRPCClient := NewTransactionFiltererRPCClient(filtererConfigFetcher)
+		execEngine.SetTransactionFiltererRPCClient(transactionFiltererRPCClient)
+	}
+
 	txprecheckConfigFetcher := func() *TxPreCheckerConfig { return &configFetcher.Get().TxPreChecker }
 
 	txPreChecker := NewTxPreChecker(txPublisher, l2BlockChain, txprecheckConfigFetcher)
@@ -371,6 +398,8 @@ func CreateExecutionNode(
 		ParentChainReader:        parentChainReader,
 		ClassicOutbox:            classicOutbox,
 		bulkBlockMetadataFetcher: bulkBlockMetadataFetcher,
+		addressFilterService:     addressFilterService,
+		eventFilter:              ef,
 	}
 
 	if config.ConsensusRPCClient.URL != "" {
@@ -458,6 +487,11 @@ func (n *ExecutionNode) Initialize(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("error initializing transaction publisher: %w", err)
 	}
+	if n.addressFilterService != nil {
+		if err = n.addressFilterService.Initialize(ctx); err != nil {
+			return fmt.Errorf("error initializing address filter service: %w", err)
+		}
+	}
 	err = n.Backend.APIBackend().SetSyncBackend(n.SyncMonitor)
 	if err != nil {
 		return fmt.Errorf("error setting sync backend: %w", err)
@@ -488,6 +522,24 @@ func (n *ExecutionNode) Start(ctxIn context.Context) error {
 		return fmt.Errorf("error starting execution engine: %w", err)
 	}
 
+	if n.addressFilterService != nil {
+		n.addressFilterService.Start(ctx)
+		checker := n.addressFilterService.GetAddressChecker()
+		if n.Sequencer != nil {
+			n.ExecEngine.SetAddressChecker(checker)
+		} else {
+			n.TxPreChecker.SetAddressChecker(checker)
+		}
+	}
+	if n.eventFilter != nil {
+		if n.Sequencer != nil {
+			n.ExecEngine.SetEventFilter(n.eventFilter)
+			n.Sequencer.SetEventFilter(n.eventFilter)
+		} else {
+			n.TxPreChecker.SetEventFilter(n.eventFilter)
+		}
+	}
+
 	err = n.TxPublisher.Start(ctx)
 	if err != nil {
 		return fmt.Errorf("error starting transaction puiblisher: %w", err)
@@ -509,6 +561,9 @@ func (n *ExecutionNode) StopAndWait() {
 	if n.TxPublisher.Started() {
 		n.TxPublisher.StopAndWait()
 	}
+	if n.addressFilterService != nil {
+		n.addressFilterService.StopAndWait()
+	}
 	n.Recorder.OrderlyShutdown()
 	if n.ParentChainReader != nil && n.ParentChainReader.Started() {
 		n.ParentChainReader.StopAndWait()

execution/gethexec/prefilterer_hooks.go

@@ -0,0 +1,115 @@
+// Copyright 2026, Offchain Labs, Inc.
+// For license information, see https://github.com/OffchainLabs/nitro/blob/master/LICENSE.md
+
+package gethexec
+
+import (
+	"github.com/ethereum/go-ethereum/arbitrum_types"
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/core"
+	"github.com/ethereum/go-ethereum/core/state"
+	"github.com/ethereum/go-ethereum/core/types"
+	"github.com/ethereum/go-ethereum/params"
+
+	"github.com/offchainlabs/nitro/arbos"
+	"github.com/offchainlabs/nitro/arbos/arbosState"
+	"github.com/offchainlabs/nitro/execution/gethexec/eventfilter"
+)
+
+// PrefiltererSequencingHooks implements arbos.SequencingHooks for the
+// prechecker's dry-run filtering. It feeds a single candidate tx into
+// ProduceBlockAdvanced and collects address filtering results.
+type PrefiltererSequencingHooks struct {
+	tx          *types.Transaction
+	delivered   bool
+	txError     error
+	filtered    bool
+	eventFilter *eventfilter.EventFilter
+}
+
+func (h *PrefiltererSequencingHooks) NextTxToSequence() (*types.Transaction, *arbitrum_types.ConditionalOptions, error) {
+	if h.delivered {
+		return nil, nil, nil
+	}
+	h.delivered = true
+	return h.tx, nil, nil
+}
+
+func (h *PrefiltererSequencingHooks) DiscardInvalidTxsEarly() bool {
+	return true
+}
+
+func (h *PrefiltererSequencingHooks) PreTxFilter(
+	_ *params.ChainConfig,
+	_ *types.Header,
+	statedb *state.StateDB,
+	_ *arbosState.ArbosState,
+	tx *types.Transaction,
+	_ *arbitrum_types.ConditionalOptions,
+	sender common.Address,
+	_ *arbos.L1Info,
+) error {
+	statedb.TouchAddress(sender)
+	if tx.To() != nil {
+		statedb.TouchAddress(*tx.To())
+	}
+	if statedb.IsAddressFiltered() {
+		h.filtered = true
+		return state.ErrArbTxFilter
+	}
+	return nil
+}
+
+func (h *PrefiltererSequencingHooks) PostTxFilter(
+	_ *types.Header,
+	statedb *state.StateDB,
+	_ *arbosState.ArbosState,
+	_ *types.Transaction,
+	sender common.Address,
+	_ uint64,
+	_ *core.ExecutionResult,
+) error {
+	// Inline event filtering with actual sender, matching the real sequencer's
+	// postTxFilter. Do NOT use applyEventFilter here -- it passes
+	// common.Address{} as sender, which would miss sender-dependent rules.
+	if h.eventFilter != nil {
+		logs := statedb.GetCurrentTxLogs()
+		for _, l := range logs {
+			for _, addr := range h.eventFilter.AddressesForFiltering(l.Topics, l.Data, l.Address, sender) {
+				statedb.TouchAddress(addr)
+			}
+		}
+	}
+	// The real sequencer's postTxFilter also checks statedb.IsTxFiltered(),
+	// which is the onchain per-tx-hash filter for delayed messages. We omit
+	// it here because the prechecker only processes RPC-submitted txs, never
+	// delayed messages, so IsTxFiltered() would never fire.
+	if statedb.IsAddressFiltered() {
+		h.filtered = true
+		return state.ErrArbTxFilter
+	}
+	return nil
+}
+
+func (h *PrefiltererSequencingHooks) RedeemFilter(statedb *state.StateDB) error {
+	applyEventFilter(h.eventFilter, statedb)
+	if statedb.IsAddressFiltered() {
+		h.filtered = true
+		return state.ErrArbTxFilter
+	}
+	return nil
+}
+
+func (h *PrefiltererSequencingHooks) InsertLastTxError(err error) {
+	h.txError = err
+}
+
+func (h *PrefiltererSequencingHooks) ReportGroupRevert(err error) {
+	h.filtered = true
+}
+
+func (h *PrefiltererSequencingHooks) BlockFilter(
+	_ *types.Header, _ *state.StateDB, _ types.Transactions, _ types.Receipts,
+) error {
+	return nil
+}