fix: guard against updateat timestampin future

Author: rube-de

contracts/contracts/sapphire/CrossChainPaymaster.sol

@@ -361,6 +361,8 @@ contract CrossChainPaymaster is
      */
     function _decodeRlpUint(bytes memory rlp) internal pure returns (uint256) {
         bytes memory b = rlp.toRLPItem().readBytes();
+        // Guard: uint256 can only hold 32 bytes max; larger values cause overflow
+        if (b.length > 32) revert InvalidEvent();
         uint256 number;
         for (uint256 i = 0; i < b.length; i++) {
             number = number + uint256(uint8(b[i])) * (2 ** (8 * (b.length - (i + 1))));
@@ -390,7 +392,8 @@ contract CrossChainPaymaster is
         // Validate token price
         if (tPrice <= 0) revert InvalidPrice(tPrice);
         if (tAnsweredIn < tRound) revert StalePrice(0, 0);
-        if (tUpdated == 0 || (block.timestamp > tUpdated && block.timestamp - tUpdated > stalenessThreshold)) revert StalePrice(tUpdated, stalenessThreshold);
+        if (tUpdated > block.timestamp) revert FuturePriceTimestamp(tUpdated, block.timestamp);
+        if (tUpdated == 0 || block.timestamp - tUpdated > stalenessThreshold) revert StalePrice(tUpdated, stalenessThreshold);
 
         // Get ROSE/USD price (single aggregated feed from ROFL oracle)
         AggregatorV3Interface roseFeed = AggregatorV3Interface(roseUsdFeed);
@@ -399,7 +402,8 @@ contract CrossChainPaymaster is
         // Validate ROSE price
         if (rPrice <= 0) revert InvalidPrice(rPrice);
         if (rAnsweredIn < rRound) revert StalePrice(0, 0);
-        if (rUpdated == 0 || (block.timestamp > rUpdated && block.timestamp - rUpdated > stalenessThreshold)) revert StalePrice(rUpdated, stalenessThreshold);
+        if (rUpdated > block.timestamp) revert FuturePriceTimestamp(rUpdated, block.timestamp);
+        if (rUpdated == 0 || block.timestamp - rUpdated > stalenessThreshold) revert StalePrice(rUpdated, stalenessThreshold);
 
         uint8 tokenDec = tokenDecimals[token];
         if (tokenDec == 0) tokenDec = 18;

contracts/contracts/sapphire/interfaces/ICrossChainPaymaster.sol

@@ -79,6 +79,7 @@ interface ICrossChainPaymaster {
     error InvalidPriceFeed();
     error NoPriceFeedForToken(address token);
     error StalePrice(uint256 timestamp, uint256 threshold);
+    error FuturePriceTimestamp(uint256 priceTimestamp, uint256 blockTimestamp);
     error InvalidPrice(int256 price);
     error ChainDisabled(uint256 chainId);
     error VaultNotAuthorized(uint256 chainId, address vault);

paymaster-relayer/paymaster_relayer/event_processor.py

@@ -215,8 +215,15 @@ async def process_matched_payment(self, payment_event: PaymentEvent) -> None:
                 payment_event, paymaster_address
             )
 
+            if tx_hash is None:
+                logger.warning(
+                    f"Proof submission failed for tx {payment_event.tx_hash}, "
+                    "will retry on next cycle"
+                )
+                return
+
             logger.info(f"Proof submitted successfully: {tx_hash}")
-            # Remove from pending structures
+            # Remove from pending structures only on success
             block_payments = self.pending_payments.get(payment_event.block_number, [])
             if payment_event in block_payments:
                 block_payments.remove(payment_event)

paymaster-relayer/paymaster_relayer/proof_manager.py

@@ -5,6 +5,7 @@
 for cross-chain message verification using the Hashi protocol format.
 """
 
+import asyncio
 import logging
 from typing import TYPE_CHECKING, Any
 
@@ -23,6 +24,10 @@
 
 logger = logging.getLogger(__name__)
 
+FUTURE_PRICE_TIMESTAMP_ERROR_B64 = "4B8j6Q"
+FUTURE_PRICE_RETRY_DELAY = 6  # seconds to wait before retry
+FUTURE_PRICE_MAX_RETRIES = 3  # maximum retry attempts
+
 
 class ProofManager:
     """Handles proof generation and submission for cross-chain messages."""
@@ -176,16 +181,19 @@ async def generate_proof(self, payment_event: PaymentEvent) -> list[Any]:
         )
         return proof
 
-    async def submit_proof(self, proof: list[Any], paymaster_address: str) -> str:
+    async def submit_proof(self, proof: list[Any], paymaster_address: str) -> str | None:
         """
         Submit proof to CrossChainPaymaster contract.
 
+        Includes retry logic for FuturePriceTimestamp errors, which occur when
+        the price oracle's timestamp is slightly ahead of the block timestamp.
+
         Args:
             proof: The generated proof array
             paymaster_address: Address of the CrossChainPaymaster contract
 
         Returns:
-            Transaction hash of the submission
+            Transaction hash of the submission, or None if all retries failed
         """
         logger.info(f"Submitting proof to CrossChainPaymaster at {paymaster_address}")
 
@@ -210,7 +218,7 @@ async def submit_proof(self, proof: list[Any], paymaster_address: str) -> str:
         )
 
         if self.rofl_util:
-            # ROFL mode: build transaction for rofl_util
+            # ROFL mode: build transaction for rofl_util with retry logic
             tx_params: TxParams = {
                 "from": "0x0000000000000000000000000000000000000000",  # ROFL will override
                 "gas": 3000000,
@@ -220,14 +228,41 @@ async def submit_proof(self, proof: list[Any], paymaster_address: str) -> str:
             tx_data = contract.functions.processPayment(
                 receipt_proof_struct
             ).build_transaction(tx_params)
-            success = await self.rofl_util.submit_tx(tx_data)
-            if success:
-                logger.info("Proof submitted successfully via ROFL")
-                # Return a success indicator since ROFL doesn't provide tx hash
-                return "ROFL_SUBMITTED"
-            else:
-                logger.error("Failed to submit proof via ROFL")
-                raise Exception("ROFL submission failed")
+
+            # Retry loop for FuturePriceTimestamp errors
+            for attempt in range(FUTURE_PRICE_MAX_RETRIES):
+                try:
+                    success = await self.rofl_util.submit_tx(tx_data)
+                    if success:
+                        logger.info("Proof submitted successfully via ROFL")
+                        return "ROFL_SUBMITTED"
+                    else:
+                        logger.error("Failed to submit proof via ROFL (no success)")
+                        return None
+                except Exception as e:
+                    error_msg = str(e)
+                    if FUTURE_PRICE_TIMESTAMP_ERROR_B64 in error_msg:
+                        remaining = FUTURE_PRICE_MAX_RETRIES - attempt - 1
+                        if remaining > 0:
+                            logger.warning(
+                                f"FuturePriceTimestamp error (oracle ahead of block), "
+                                f"retrying in {FUTURE_PRICE_RETRY_DELAY}s... "
+                                f"({remaining} retries left)"
+                            )
+                            await asyncio.sleep(FUTURE_PRICE_RETRY_DELAY)
+                            continue
+                        else:
+                            logger.error(
+                                f"FuturePriceTimestamp error persisted after "
+                                f"{FUTURE_PRICE_MAX_RETRIES} attempts, giving up: {error_msg}"
+                            )
+                            return None
+                    else:
+                        # Non-retryable error
+                        logger.error(f"ROFL submission failed with error: {error_msg}")
+                        return None
+
+            return None
         else:
             # Local mode
             tx_hash = contract.functions.processPayment(receipt_proof_struct).transact(