fix: add a way to verify current apphashes

[tac0turtle]

Overview

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Dec 16, 2025, 6:24 PM

[claude]

Claude finished @tac0turtle's task in 1m 51s —— View job

---

Comprehensive Code Review

I've completed a thorough review of this PR focusing on AppHash verification improvements. The changes successfully address a critical issue around ensuring block headers contain correct post-execution AppHashes. Here's my detailed analysis:

---

1. Code Quality & Architecture ✅

Strengths:

• Clean separation of concerns: AppHash validation logic is appropriately placed in the executor and syncer components where execution happens
• Idiomatic Go: Code follows Go conventions with proper error handling, consistent naming, and appropriate use of bytes.Equal for hash comparisons
• Well-structured switch logic in executor.go:392-404 handles three distinct cases for AppHash validation clearly

Observations:

• The removal of AppHash validation from types/state.go is correct - state should not validate execution results, that's the executor's responsibility
• The hash candidate retry mechanism in execution.go adds resilience when dealing with varying execution client behaviors

Minor Suggestion:

• In executor.go:392-404, consider Gemini's suggestion to combine the empty and current-state cases since they perform the same action. This would reduce redundancy:

switch {
case bytes.Equal(header.AppHash, newState.AppHash):
    // already matches
case len(header.AppHash) == 0, bytes.Equal(header.AppHash, currentState.AppHash):
    header.AppHash = bytes.Clone(newState.AppHash)
    headerModified = true
default:
    return fmt.Errorf("header app hash mismatch...")
}

---

2. Error Handling & Resilience ✅

Strengths:

• Proper error wrapping: All errors include context with fmt.Errorf and %w for error chains
• Clear failure modes: Distinguishes between temporary failures (empty AppHash) and permanent failures (mismatch)
• Graceful degradation: The hash candidate retry logic in execution.go tries multiple approaches before failing

Concerns:

• Line 609-611 in syncer.go: The validation if len(header.AppHash) != 0 && !bytes.Equal(...) means blocks with empty AppHash pass validation. While this may be intentional for backwards compatibility, it should be documented with a comment explaining why empty AppHash is acceptable.

Recommendation:

// Validate header's AppHash against execution result (if header has an AppHash set)
// Empty AppHash is tolerated for backwards compatibility with blocks produced
// before this validation was added.
if len(header.AppHash) != 0 && !bytes.Equal(header.AppHash, newState.AppHash) {
    return fmt.Errorf("header app hash mismatch - got: %x, want: %x", header.AppHash, newState.AppHash)
}

---

3. Security 🔒

Strengths:

• Prevents state divergence: The AppHash validation ensures syncing nodes verify execution results match the header
• Defense in depth: Validation happens in both block production (executor) and block syncing (syncer)
• No sensitive data exposure: Error messages properly truncate hashes and don't expose internal state

Critical Security Note:

• The PR correctly prevents accepting blocks where execution produces a different AppHash than advertised in the header. This is essential for consensus security - without it, malicious sequencers could advertise incorrect state roots.

No security vulnerabilities identified ✅

---

4. Performance & Resource Efficiency ⚡

Strengths:

• Minimal allocations: Uses bytes.Clone() only when necessary (when modifying header)
• Early returns: Switch statement exits early on matches, avoiding unnecessary work
• Efficient retry logic: Hash candidate iteration in execution.go is bounded and fails fast

Observations:

• The hash candidate retry adds at most 1-2 extra RPC calls to the execution engine in the worst case, which is acceptable for correctness
• Code duplication (as noted by Gemini): The retry logic in execution.go appears twice (lines 217-259 for InitChain, lines 345-426 for ExecuteTxs)

Recommendation:
Extract the retry logic into a helper function to reduce duplication and maintenance burden:

func (c *EngineClient) tryHashCandidates(
    ctx context.Context,
    candidates []common.Hash,
    operation string,
    fn func(common.Hash) error,
) error {
    var lastErr error
    for idx, candidate := range candidates {
        err := fn(candidate)
        if err == nil {
            return nil
        }
        lastErr = err
        if errors.Is(err, ErrInvalidPayloadStatus) && idx+1 < len(candidates) {
            c.logger.Warn().
                Str("blockHash", candidate.Hex()).
                Msg(operation + ": execution engine rejected hash candidate, trying alternate")
            continue
        }
        return err
    }
    return lastErr
}

---

5. Testing & Reliability 🧪

Strengths:

• Good test coverage additions: execution_status_test.go adds comprehensive testing for the new validation logic
• Test updates in syncer_test.go: Properly updates tests to use post-execution AppHash values (lines 190-192, 245-247, 256-258)
• Realistic test scenarios: Tests cover both empty and non-empty data cases

Coverage Gap (from Codecov):

• 38.88% patch coverage with 11 lines missing:
  • executor.go: 7 missing + 1 partial line (lines 393-403 switch cases likely not fully covered)
  • syncer.go: 3 missing lines (line 609-611 validation likely not covered)

Recommendations:

1. Add test for executor AppHash mismatch: Test the default case in executor.go:402-404 where AppHash doesn't match any valid case
2. Add test for syncer AppHash mismatch: Test syncer.go:609-611 with a header that has a non-empty but incorrect AppHash
3. Add test for hash candidate fallback: Test the execution engine rejecting the first hash candidate and accepting the second

Example test to add:

func TestExecutor_produceBlock_AppHashMismatch(t *testing.T) {
    // Setup executor with mock that returns unexpected AppHash
    // Expect error: "header app hash mismatch"
}

func TestSyncer_AppHashMismatchRejection(t *testing.T) {
    // Create block with incorrect post-exec AppHash
    // Verify syncer rejects it with proper error
}

---

6. Documentation & Developer Experience 📚

Strengths:

• Clear comments: The code includes helpful comments explaining the logic (e.g., lines 390-391, 608)
• Good error messages: Errors include hex hashes for debugging (e.g., got: %x, want: %x)

Areas for Improvement:

1. PR description is empty: The PR overview section has no description of what problem this solves or how it works
2. Missing comment on why empty AppHash is allowed in syncer validation (line 609)
3. No ADR or design doc explaining the AppHash verification strategy

Recommendation:
Add a PR description like:

## Overview

This PR adds robust AppHash verification to ensure block headers contain the correct post-execution state root.

### Problem
Previously, blocks could be produced/synced with incorrect or missing AppHash values, leading to state divergence.

### Solution
- **Executor**: Updates header AppHash after execution if empty or stale, rejects mismatches
- **Syncer**: Validates synced block headers have correct post-execution AppHash
- **Execution Client**: Tries multiple hash candidates for resilience to varying client behaviors

### Testing
- Added comprehensive tests for hash validation logic
- Updated existing tests to use correct post-execution AppHash values

---

Summary & Verdict

✅ Approve with Minor Suggestions

This is a solid, necessary improvement to ensure state consistency across the network. The core logic is sound and the implementation is clean.

Priority Improvements:

1. HIGH: Add tests to cover the missing 11 lines (executor mismatch case, syncer validation)
2. MEDIUM: Extract duplicate hash candidate retry logic into a helper function
3. MEDIUM: Add PR description explaining the changes
4. LOW: Add comment explaining why empty AppHash is tolerated in syncer

Code Quality: 8.5/10

• Well-structured, idiomatic Go
• Minor duplication that should be refactored

Test Coverage: 7/10

• Good additions but gaps remain (39% patch coverage)
• Missing critical error path tests

Security: 10/10

• No vulnerabilities
• Correctly prevents state divergence attacks

Overall: 8/10 - Ready to merge with follow-up improvements

---

Action Items for Author:

• Add test for executor.go:402-404 (AppHash mismatch case)
• Add test for syncer.go:609-611 (non-empty incorrect AppHash)
• Consider refactoring duplicate retry logic in execution.go
• Add PR description

[gemini-code-assist]

Summary of Changes

Hello @tac0turtle, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the system's ability to correctly handle and verify application hashes, which are crucial for maintaining state consistency. By introducing flexible hash candidate selection during interactions with the execution engine and centralizing app hash validation, the changes ensure that blocks are processed and synced reliably, even when the execution environment presents slightly different hash values for the same state. This reduces potential points of failure and enhances the overall stability of the blockchain.

Highlights

• Enhanced App Hash Verification: Implemented more robust validation for application hashes (AppHash) in block execution and syncing processes to ensure state consistency.
• Flexible Execution Engine Interaction: Introduced a mechanism to try multiple hash candidates when communicating with the execution engine, improving resilience to varying hash reporting and preventing failures due to discrepancies.
• Refactored State Validation: Centralized app hash validation logic from the generic State type into the specific execution and syncing components, allowing for more nuanced checks.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a more robust mechanism for verifying and handling application hashes (AppHashes) from the execution client. The changes ensure that block headers contain the correct post-execution AppHash, both during block production and synchronization. Key changes include:

• In block/internal/executing/executor.go, logic is added to update the header's AppHash after block execution, handling cases where it might be empty or contain a pre-execution hash.
• In block/internal/syncing/syncer.go, validation is added to ensure that a synced block's header AppHash matches the post-execution AppHash.
• In execution/evm/execution.go, the client now attempts multiple hash candidates (block hash and state root) for genesis and parent blocks when interacting with the execution engine, increasing compatibility.
• The now-incorrect AppHash validation in types/state.go has been removed.

The changes are well-implemented and improve the node's resilience. I have a couple of suggestions for minor refactoring to improve code clarity and reduce duplication.

[gemini-code-assist]

The logic in this switch statement can be simplified by combining the cases that result in the same action. The cases for an empty AppHash and an AppHash matching the currentState both update the header. Grouping them improves readability and reduces redundancy.

switch {
	case bytes.Equal(header.Header.AppHash, newState.AppHash):
		// already matches expected state root
	case len(header.Header.AppHash) == 0, bytes.Equal(header.Header.AppHash, currentState.AppHash):
		// header has no apphash or previous state's apphash; update it to the new post-state value
		header.Header.AppHash = bytes.Clone(newState.AppHash)
		headerModified = true
	default:
		return fmt.Errorf("header app hash mismatch - got: %x, want: %x", header.Header.AppHash, newState.AppHash)
	}

[gemini-code-assist]

The logic for iterating through hash candidates and retrying engine_forkchoiceUpdatedV3 is duplicated here and in the ExecuteTxs function (lines 369-426). This duplication increases maintenance overhead. Consider extracting this loop into a private helper method to promote code reuse and simplify both functions. The helper could accept the list of candidates and a function to perform the specific forkchoice update logic.

[codecov]

Codecov Report

❌ Patch coverage is 46.66667% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.10%. Comparing base (afcd6bd) to head (83efcf0).

Files with missing lines	Patch %	Lines
block/internal/executing/executor.go	53.84%	6 Missing ⚠️
block/internal/syncing/syncer.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2921      +/-   ##
==========================================
- Coverage   60.14%   60.10%   -0.04%     
==========================================
  Files          88       88              
  Lines        8427     8440      +13     
==========================================
+ Hits         5068     5073       +5     
- Misses       2787     2794       +7     
- Partials      572      573       +1     

Flag	Coverage Δ
combined	60.10% <46.66%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.