perf(l1): disable balance check for prewarming to avoid early reverts

[ilitteri]

Motivation

During block execution, the prewarmer thread runs transactions speculatively to warm storage slots and account state into the cache. However, when a sender has insufficient balance, the prewarmer reverts early in validate_sender_balance / deduct_caller, missing the opportunity to warm the storage slots that the transaction would have touched deeper in execution.

Description

• Add disable_balance_check flag to the LEVM Environment struct
• Skip validate_sender_balance and deduct_caller when the flag is set
• Pass disable_balance_check: true only from the prewarmer path, false for normal execution
• This lets the prewarmer reach deeper into the transaction's execution path, warming more storage slots and improving cache hit rates for the actual executor

[github-actions]

🤖 Kimi Code Review

Security & Correctness Review

1. Critical Security Issue: Balance Check Bypass in Production

File: crates/vm/backends/levm/mod.rs
Lines: 235, 354, 485, 518, 1006

The disable_balance_check flag is being set to false in the main execution path (line 235) but true in the prewarmer (line 354). However, there's no validation preventing this flag from being accidentally enabled in production. This could allow:

• Balance bypass attacks where transactions with insufficient balance are executed
• State corruption if the flag is mistakenly enabled in production

Recommendation: Add a compile-time or runtime assertion ensuring disable_balance_check is only used in prewarming contexts:

#[cfg(not(feature = "prewarm"))]
if disable_balance_check {
    return Err(EvmError::InvalidConfiguration(
        "Balance checks cannot be disabled in production".to_string()
    ));
}

2. Missing Gas Accounting Validation

File: crates/vm/levm/src/hooks/default_hook.rs
Lines: 488-491, 527-530

While balance checks are skipped, gas limit validation is not. This creates an inconsistency where:

• A transaction with insufficient balance but valid gas limit will proceed
• The transaction may later fail during execution due to actual balance shortage
• This could lead to incorrect gas estimation or state inconsistencies

Recommendation: Either:

1. Skip both balance and gas limit checks in prewarm mode, or
2. Add explicit documentation that gas checks still apply

3. State Consistency Risk

File: crates/vm/backends/levm/mod.rs
Lines: 518-520

The disable_balance_check flag affects deduct_caller() but doesn't prevent state modifications. This means:

• Storage slots may be warmed for accounts that would normally fail balance checks
• The warmed state might not reflect actual execution conditions
• Could lead to cache poisoning where invalid state is cached

Recommendation: Document this limitation clearly and ensure prewarm caches are invalidated before real execution.

4. Code Clarity Issue

File: crates/vm/backends/levm/mod.rs
Lines: 518-520

The parameter name disable_balance_check is passed as a positional boolean (false, true), making the call sites unclear:

Self::execute_tx(..., false)  // What does false mean?
Self::execute_tx(..., true)   // What does true mean?

Recommendation: Use an enum or named struct:

enum ExecutionMode {
    Normal,
    Prewarm,
}

Self::execute_tx(..., ExecutionMode::Normal)

5. Missing Tests

No test files were modified to verify:

• Balance check bypass behavior
• State warming with insufficient balances
• Edge cases around the new flag

Recommendation: Add tests in levm/tests/ covering:

• Prewarm execution with insufficient balance
• State consistency between prewarm and real execution
• Flag validation in different build configurations

---

Automated review by Kimi (Moonshot AI) · custom prompt

[github-actions]

🤖 Codex Code Review

Findings

1. Consensus safety risk if disable_balance_check escapes prewarm-only use. execute_tx_in_block now accepts a disable_balance_check flag and prewarm_state (the parallel sender groups) passes true. If any code path ever reuses this for real block execution or stateful simulation, it would bypass validate_sender_balance and deduct_caller, producing state transitions that violate consensus (no upfront cost or balance validation). Consider encapsulating this flag behind a prewarm-only API or making it non-public to prevent accidental use, plus a debug assert that it’s only set in prewarm code paths. References: crates/vm/backends/levm/mod.rs:350-358, crates/vm/backends/levm/mod.rs:510-525, crates/vm/levm/src/hooks/default_hook.rs:490-532.

2. Prewarm DB mutation behavior is still stateful, just with balance checks bypassed. Prewarm uses a fresh GeneralizedDatabase per sender group, but VM execution still mutates balances, nonces, storage, etc. The flag now skips balance deduction, which is good for “warm more storage”, but ensure prewarm results are never merged into canonical state (even indirectly via caches). If there’s any shared caching layer behind store.clone(), consider documenting or enforcing that prewarm writes are discarded. References: crates/vm/backends/levm/mod.rs:342-358, crates/vm/levm/src/hooks/default_hook.rs:525-555.

If this is strictly prewarm-only and state is fully discarded, the change looks fine.

No other correctness, security, gas, or EVM behavior issues spotted in this diff.

Possible next steps:

1. Add a small test that prewarm executes a tx with insufficient balance and does not error, while normal execution still errors.
2. Add a dedicated prewarm execution helper that hardcodes balance checks off and is not exposed outside prewarm.

---

Automated review by OpenAI Codex · custom prompt

[greptile-apps]

Greptile Summary

This PR adds a disable_balance_check flag to skip balance validation during prewarming, allowing the prewarmer to reach deeper into transaction execution and warm more storage slots. The implementation correctly:

• Adds the flag to the Environment struct with clear documentation
• Skips validate_sender_balance and deduct_caller when the flag is set
• Passes true only from the warm_block prewarmer path, false for normal execution

Issue found:

• The L2 hook's deduct_caller_fee_token function doesn't respect the disable_balance_check flag, meaning L2 transactions with fee tokens will still revert early during prewarming, reducing the effectiveness of this optimization for L2

Confidence Score: 4/5

• Safe to merge with minor incompleteness for L2 fee token transactions
• The implementation is correct for L1 transactions and the change is well-scoped. However, the L2 hook's balance deduction isn't updated, which means L2 transactions with fee tokens won't benefit from this optimization during prewarming. This doesn't break existing functionality but reduces the optimization's effectiveness for L2
• Check crates/vm/levm/src/hooks/l2_hook.rs if L2 transactions with fee tokens need the same optimization

Important Files Changed

Filename	Overview
crates/vm/levm/src/environment.rs	Added disable_balance_check flag to Environment struct with clear documentation
crates/vm/levm/src/hooks/default_hook.rs	Added early returns in validate_sender_balance and deduct_caller when flag is set, but L2 hook's deduct_caller_fee_token not updated
crates/vm/backends/levm/mod.rs	Correctly passes disable_balance_check: true only from prewarmer path (warm_block), false elsewhere

_{Last reviewed commit: 48a115e}

[github-actions]

Lines of code report

Total lines added: 13
Total lines removed: 0
Total lines changed: 13

Detailed view

+-------------------------------------------------+-------+------+
| File                                            | Lines | Diff |
+-------------------------------------------------+-------+------+
| ethrex/crates/vm/backends/levm/mod.rs           | 829   | +6   |
+-------------------------------------------------+-------+------+
| ethrex/crates/vm/levm/src/environment.rs        | 97    | +1   |
+-------------------------------------------------+-------+------+
| ethrex/crates/vm/levm/src/hooks/default_hook.rs | 409   | +6   |
+-------------------------------------------------+-------+------+

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

The L2 hook's deduct_caller_fee_token function (called from L2 transaction validation) doesn't check disable_balance_check, which means L2 transactions with fee tokens will still revert early during prewarming. Consider applying the same pattern to l2_hook::deduct_caller_fee_token at crates/vm/levm/src/hooks/l2_hook.rs:557

Prompt To Fix With AI

This is a comment left during a code review.
Path: crates/vm/levm/src/hooks/default_hook.rs
Line: 490-493

Comment:
The L2 hook's `deduct_caller_fee_token` function (called from L2 transaction validation) doesn't check `disable_balance_check`, which means L2 transactions with fee tokens will still revert early during prewarming. Consider applying the same pattern to `l2_hook::deduct_caller_fee_token` at crates/vm/levm/src/hooks/l2_hook.rs:557

How can I resolve this? If you propose a fix, please make it concise.

[github-actions]

🤖 Claude Code Review

Now I have enough context to write a thorough review.

---

Review: perf(l1): disable balance check for prewarming to avoid early reverts

Summary

The motivation and approach are sound. The speculative prewarmer previously bailed out early for underfunded senders, missing deeper storage touches. Bypassing validate_sender_balance / deduct_caller for the prewarmer path is a reasonable strategy.

The change is minimal and well-scoped, with false defaulted in all non-prewarmer paths. No correctness risk exists for actual block execution.

---

Issues

1. Inaccurate doc comment (environment.rs:44–46)

/// When true, skip balance deduction in `deduct_caller`. Used by the prewarmer
/// to avoid early reverts on insufficient balance so that warming touches more storage.

The flag also skips validate_sender_balance — which is the primary early-exit. The comment only mentions deduct_caller. Update to cover both functions:

/// When true, skip balance validation (`validate_sender_balance`) and deduction
/// (`deduct_caller`). Used by the prewarmer to avoid early reverts on insufficient
/// balance, allowing deeper execution and more storage slot warming.

---

2. L2 fee token path is not covered (l2_hook.rs:496, 566)

deduct_caller_fee_token has no disable_balance_check guard:

// l2_hook.rs ~line 566
vm.decrease_account_balance(sender_address, value)
    .map_err(|_| TxValidationError::InsufficientAccountFunds)?;

For PrivilegedL2Transaction / fee-token transactions, the prewarmer will still revert early on decrease_account_balance when the sender has no native ETH for msg.value. This makes the improvement ineffective for that transaction class.

If L2 fee token transactions are within scope for this optimization, the same guard should be applied to deduct_caller_fee_token. If intentionally out of scope, it should be documented (e.g. a // TODO comment or PR note).

---

3. Phantom balance accumulation within a sender group (design trade-off)

For sequential transactions within the same sender group in the prewarmer:

• deduct_caller is skipped → sender balance is never reduced
• refund_sender still runs → sender receives a phantom gas refund (vm.increase_account_balance(origin, wei_return_amount))
• transfer_value still runs → recipient gets credited without the sender being debited

Each transaction in the group leaves the sender with a progressively larger phantom balance. This causes tx[N+1] to operate in a state that diverges from real execution (sender appears wealthier than it is), potentially warming storage slots that actual execution would not reach.

This is probably acceptable as a speculative-warming trade-off, but it should be acknowledged. The commit message references "warming more storage slots", so over-warming is by design; the possible under-warning scenario is when a later tx would revert in real execution but doesn't in prewarming because the sender has phantom balance.

---

4. No tests for the new flag

Given that disable_balance_check bypasses fundamental transaction validation, at minimum one unit test would be valuable:

• A transaction where sender balance < upfront cost should fail normally (flag = false) but succeed and execute past the balance check (flag = true), reaching storage slots it would otherwise miss.

This guards against regressions where the flag accidentally gets set on the execution path, or the guard accidentally gets removed.

---

Minor Observations

• The two-step initialization pattern (setup_env initializes to false, then execute_tx_in_block overwrites it) is slightly redundant. It is safe — setup_env is also called directly by execute_tx which relies on the false default — but a comment on setup_env's struct literal noting "always false; callers may override" would clarify intent.

• The true literal at mod.rs:357 is a magic boolean argument. Adding a named constant (const DISABLE_BALANCE_CHECK_FOR_PREWARMER: bool = true) or converting the parameter to a more descriptive type would improve readability at call sites.

---

Verdict

The core logic is correct and does not introduce any execution-path risk. The two actionable items are:

• Fix the doc comment (trivial).
• Decide on L2 fee token coverage and either extend the guard or explicitly document the gap.

---

Automated review by Claude (Anthropic) · custom prompt

[Copilot]

Pull request overview

This PR adds a performance optimization for the L1 LEVM prewarmer by introducing a disable_balance_check flag that allows the prewarmer to skip early balance validation and deduction checks. This enables the prewarmer to reach deeper into transaction execution paths, warming more storage slots even for transactions that would normally revert due to insufficient balance.

Changes:

• Added disable_balance_check boolean field to the Environment struct with documentation
• Modified validate_sender_balance and deduct_caller hooks to skip checks when the flag is enabled
• Threaded the new parameter through execute_tx_in_block, passing false for normal execution and true only for the prewarmer path

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
crates/vm/levm/src/environment.rs	Added disable_balance_check field to Environment struct with documentation explaining its use in the prewarmer
crates/vm/levm/src/hooks/default_hook.rs	Added early return checks in validate_sender_balance and deduct_caller when disable_balance_check is true
crates/vm/backends/levm/mod.rs	Added disable_balance_check parameter to execute_tx_in_block, initialized the field in environment constructors, and passed appropriate values (false for normal execution, true for prewarmer)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Environment construction in the system contract call function is missing the explicit initialization of the disable_balance_check field. While it will default to false through the Default trait, for consistency and clarity with other Environment constructions in this file (lines 461-489 and 988-1015), this field should be explicitly set to false.

[Copilot]

The comment states that skipping balance checks is used by the prewarmer to "avoid early reverts on insufficient balance", but the check being skipped in validate_sender_balance is critical for transaction validity. While this is acceptable for the prewarmer (since it's only warming the cache and not actually executing transactions), the comment should clarify that the prewarmer results are discarded and not used for actual transaction execution. Consider adding a warning comment that this flag MUST NEVER be set to true for actual transaction execution, only for cache warming.

Suggested change

	/// When true, skip balance deduction in `deduct_caller`. Used by the prewarmer
	/// to avoid early reverts on insufficient balance so that warming touches more storage.
	/// When true, skip balance deduction in `deduct_caller`.
	///
	/// This flag is intended **only** for the prewarmer to avoid early reverts on
	/// insufficient balance so that cache warming can touch more storage/state.
	///
	/// Any execution performed with this flag set to `true` must have its results
	/// discarded and MUST NOT be used for actual transaction execution, validation,
	/// or consensus-critical state transitions. This flag MUST NEVER be set to
	/// `true` in normal transaction processing; it is for cache warming only.

[github-actions]

Benchmark Results Comparison

Benchmark Results: MstoreBench

Command	Mean [s]	Min [s]	Max [s]	Relative
main_revm_MstoreBench	319.5 ± 109.0	264.5	528.0	1.46 ± 0.50
main_levm_MstoreBench	234.6 ± 50.7	215.5	378.6	1.07 ± 0.23
pr_revm_MstoreBench	269.9 ± 4.6	265.7	280.4	1.24 ± 0.02

Detailed Results

Benchmark Results: BubbleSort

Command	Mean [s]	Min [s]	Max [s]	Relative
main_revm_BubbleSort	2.948 ± 0.020	2.924	2.973	1.08 ± 0.01
main_levm_BubbleSort	2.723 ± 0.019	2.697	2.756	1.00
pr_revm_BubbleSort	3.020 ± 0.069	2.961	3.177	1.11 ± 0.03
pr_levm_BubbleSort	2.756 ± 0.024	2.730	2.813	1.01 ± 0.01

Benchmark Results: ERC20Approval

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Approval	976.3 ± 5.7	966.1	983.1	1.00 ± 0.01
main_levm_ERC20Approval	1032.4 ± 12.3	1019.8	1064.2	1.06 ± 0.02
pr_revm_ERC20Approval	976.2 ± 9.1	962.9	988.7	1.00
pr_levm_ERC20Approval	1049.2 ± 10.7	1038.9	1075.1	1.07 ± 0.01

Benchmark Results: ERC20Mint

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Mint	134.6 ± 1.8	133.3	138.1	1.01 ± 0.02
main_levm_ERC20Mint	156.6 ± 2.2	154.8	162.0	1.18 ± 0.02
pr_revm_ERC20Mint	133.0 ± 1.4	131.1	135.6	1.00
pr_levm_ERC20Mint	159.2 ± 1.8	158.0	163.9	1.20 ± 0.02

Benchmark Results: ERC20Transfer

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Transfer	235.1 ± 3.5	231.4	240.2	1.01 ± 0.02
main_levm_ERC20Transfer	265.7 ± 3.0	259.6	269.2	1.14 ± 0.02
pr_revm_ERC20Transfer	233.5 ± 4.0	229.8	240.7	1.00
pr_levm_ERC20Transfer	273.3 ± 8.7	265.3	294.0	1.17 ± 0.04

Benchmark Results: Factorial

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Factorial	229.7 ± 1.5	228.5	233.5	1.00
main_levm_Factorial	249.8 ± 6.3	245.6	266.2	1.09 ± 0.03
pr_revm_Factorial	233.3 ± 10.5	226.7	262.8	1.02 ± 0.05
pr_levm_Factorial	250.7 ± 4.6	245.2	258.0	1.09 ± 0.02

Benchmark Results: FactorialRecursive

Command	Mean [s]	Min [s]	Max [s]	Relative
main_revm_FactorialRecursive	1.601 ± 0.047	1.476	1.641	1.00
main_levm_FactorialRecursive	8.412 ± 0.054	8.325	8.484	5.25 ± 0.16
pr_revm_FactorialRecursive	1.628 ± 0.023	1.591	1.661	1.02 ± 0.03
pr_levm_FactorialRecursive	8.471 ± 0.028	8.432	8.524	5.29 ± 0.16

Benchmark Results: Fibonacci

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Fibonacci	210.6 ± 0.7	209.3	211.3	1.00
main_levm_Fibonacci	226.2 ± 3.6	223.5	232.9	1.07 ± 0.02
pr_revm_Fibonacci	211.0 ± 2.0	206.9	213.9	1.00 ± 0.01
pr_levm_Fibonacci	229.2 ± 9.1	224.5	253.7	1.09 ± 0.04

Benchmark Results: FibonacciRecursive

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_FibonacciRecursive	842.2 ± 10.9	829.9	859.1	1.25 ± 0.02
main_levm_FibonacciRecursive	671.3 ± 4.4	663.7	676.5	1.00
pr_revm_FibonacciRecursive	846.1 ± 6.1	833.5	853.2	1.26 ± 0.01
pr_levm_FibonacciRecursive	680.3 ± 7.8	670.2	693.9	1.01 ± 0.01

Benchmark Results: ManyHashes

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ManyHashes	8.4 ± 0.1	8.3	8.5	1.00 ± 0.01
main_levm_ManyHashes	9.6 ± 0.1	9.5	9.8	1.15 ± 0.01
pr_revm_ManyHashes	8.4 ± 0.1	8.3	8.5	1.00
pr_levm_ManyHashes	9.8 ± 0.2	9.7	10.2	1.17 ± 0.02

Benchmark Results: MstoreBench

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_MstoreBench	319.5 ± 109.0	264.5	528.0	1.46 ± 0.50
main_levm_MstoreBench	234.6 ± 50.7	215.5	378.6	1.07 ± 0.23
pr_revm_MstoreBench	269.9 ± 4.6	265.7	280.4	1.24 ± 0.02
pr_levm_MstoreBench	218.4 ± 2.1	216.0	222.5	1.00

Benchmark Results: Push

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Push	293.8 ± 1.2	292.0	295.8	1.07 ± 0.01
main_levm_Push	279.1 ± 9.2	273.2	299.8	1.01 ± 0.04
pr_revm_Push	318.3 ± 71.5	292.7	521.7	1.15 ± 0.26
pr_levm_Push	275.6 ± 3.3	273.0	283.8	1.00

Benchmark Results: SstoreBench_no_opt

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_SstoreBench_no_opt	167.3 ± 2.5	164.1	170.9	1.55 ± 0.03
main_levm_SstoreBench_no_opt	108.1 ± 0.8	106.7	108.6	1.00
pr_revm_SstoreBench_no_opt	172.3 ± 6.0	166.6	184.4	1.59 ± 0.06
pr_levm_SstoreBench_no_opt	109.7 ± 5.6	106.4	125.5	1.02 ± 0.05

[github-actions]

Benchmark Block Execution Results Comparison Against Main

Command	Mean [s]	Min [s]	Max [s]	Relative
base	64.903 ± 0.285	64.408	65.431	1.00
head	65.535 ± 0.413	64.750	66.238	1.01 ± 0.01

[ElFantasma]

nit: bare boolean at the call site (true / false) doesn't convey intent. Reads a bit better with a /* disable_balance_check */ comment or a constant, e.g.

const WARMING_MODE: bool = true;

Same applies to the false at the normal execution call site (line 238).