eth/protocols/wit, consensus/bor: WIT2 — BP-signed witness announcements with transitive relay and pre-import serving

[lucca30]

Summary

Adds WIT2 (witness protocol version 3): block producers sign a commitment over each witness, peers verify the signature and relay the announce at network-RTT speed without executing the block, and any peer that has fetched the body can serve it pre-import from an in-memory cache. The slow part of witness propagation — re-execution before relay — is removed from the critical path. Mixed mesh with WIT1 nodes is tolerated; no flag-day rollout required.

Devnet result (4 scenarios, post-fork-only window, hop-chain topology with +300 ms per-hop import knob):

• Stateless validator at hop 2 — milestone-vote lag p95 425 ms → 1.0 ms (−99.8%).
• Stateless validator at hop 3 — milestone-vote lag p95 719 ms → 260 ms (−64%).
• Mixed-version meshes (only stateless WIT2; only one BP WIT2): zero errors, no peer drops, full sample counts. Backward compatible.

What we're solving

Today on Polygon mainnet, witness propagation through a stateless validator that is multiple hops away from a block producer accumulates a per-hop ~500 ms execution gate: each intermediate node must finish executing the block before it will relay the witness downstream. This serialises along the path and shows up at the receiver as milestone-voting latency — slow milestone votes on a fraction of blocks at multi-hop stateless validators. Adding more peers does not help; the chain of dependencies is fan-in × execution time.

The deliverable is to detach announce from execute so witness availability propagates at gossip speed, while keeping the same byte-correctness guarantee (hash check at the requester, with on-chain blame) and the same content-correctness guarantee (state-root, with BP blame).

How the code achieves it

1. BP-signed witness commitment

The producer needs to commit to which witness bytes are correct without paying ~88 ms of single-thread keccak on the announce path (otherwise we re-introduce the same gate we're trying to remove, just on a different node). See Signing-scheme evaluation below — short version: chunked-parallel keccak at 1 MiB chunks beats the next-best viable candidate by a clear margin and keeps the WIT1 wire format intact.

• core/stateless/witness_commit.go::WitnessCommitHash(bytes) = keccak256(concat(per-1MiB-chunk-keccak)). Each 1 MiB chunk is hashed in parallel; final aggregate is one extra keccak over <1 KiB of chunk hashes. ~13.5 ms wall-clock for 50 MiB witnesses on 8 cores vs ~88 ms single-shot keccak — 6.5× speedup, no wire-format change. Producer and verifier agree on the chunk size as a protocol constant.
• Producer signs the commitment via consensus/bor.SignBytes reusing the engine's SignerFn, with a dedicated mimetype application/x-bor-wit2-announce and a domain-separated digest tag — replay-resistant at both the digest and signer-call levels.
• Operator note: validators running Clef must whitelist the new mimetype, otherwise the producer falls back to unsigned WIT1 announces.

2. Verify-and-relay without execution

• New protocol version WIT2 = 3 (eth/protocols/wit/protocol.go), new message SignedNewWitnessHashesMsg = 0x06 carrying up to 64 announcements per packet.
• eth/handler_wit2.go::handleSignedWitnessAnnouncements does ecrecover against the scheduled producer for the announced block; on success the announce is cached and immediately relayed to peers that have not seen this hash. No state execution is touched.
• Header-not-yet-local case is handled as a deferral (no strike, retry on the next packet for the same hash) so the block-cosend race does not punish honest relayers. Strikes (rate-limited disconnect at 5/min) are reserved for confirmed misbehaviour: bad signature, signer ≠ scheduled producer with a known header.

3. Pre-import serving cache

• pendingWitnessBodies (capacity 10) in the WIT2 handler is fed from the paged-fetch path the moment byte-correctness verification against the BP-signed WitnessHash passes — i.e. before chain write. handleGetWitness consults this cache before chain storage, so a peer that just received the body can serve it to a downstream stateless node before it has finished executing.
• Entries are gated on the BP-signed WitnessHash being on file — relayers never cache unverified bytes, and WIT1 fallback paths skip the cache entirely (no path to mix unsigned and signed bytes).

4. Blame model preserved

• Byte-correctness: requester verifies the body against the BP's signed WitnessHash; failure attaches to the server that returned the bytes.
• Content-correctness (state-root): same as today — failure attaches to the BP that signed.
• Conflicting WitnessHash for the same BlockHash is rejected via signedWitnessCache.putIfNewer, so a peer cannot equivocate witnesses across announcements.

5. Rate-limits & DoS shape

• Per-(blockHash, peer) relay rate-limit: 200 ms.
• Announcement TTL: 30 s.
• Per-peer token bucket: burst 256, refill 64/s.
• Strike disconnect at 5 invalid signed announces / minute.

6. Compatibility

• WIT1 peers continue using NewWitnessHashes. Mixed WIT1/WIT2 mesh is tolerated: WIT2 nodes downgrade to WIT1 wire when peering with WIT1 peers (relay handler skips peers with Version() < wit.WIT2).
• New WitnessHash field on WitnessMetadataResponse is set by WIT2 servers and ignored by WIT1 readers — wire forward-compatible.

Signing-scheme evaluation

Picking the right commitment function for the announce signature is load-bearing for the whole PR: too slow on the producer and we just move the per-hop gate from "execute the block" to "hash the witness"; too weak and we lose the byte-blame property that lets a downstream node disconnect a peer that returned tampered bytes. Four candidates were evaluated end-to-end on synthetic 1–50 MiB witnesses (Apple M4 Pro, Go 1.26.2, go test -benchtime=3s -count=3, median of three).

Candidates

Candidate	Mechanism	Wire change
A — current baseline	keccak256(canonical_RLP(witness)) single-thread	none
B — chunked-parallel keccak	keccak(chunk0_hash ‖ … ‖ chunkN_hash), chunks hashed concurrently	none
C — per-node Merkle	hash every state node, sort, build Merkle tree, sign root	none
D — intrinsic (drop separate hash)	sign nothing extra; rely on header.StateRoot to detect bad bytes	shrinks announce, bumps to WIT3

Result at 50 MiB — verifier wall-clock (best parallel config)

Candidate	Best wall-clock	Speedup vs A	Producer cost	Allocs/op	Notes
A	88.4 ms (1 thread)	1.0×	88 ms	1	scales 1× even on 12-core hardware
B (1 MiB chunks, 8 cores)	13.5 ms	6.5×	13.5 ms	16	wire identical, only producer's signing input changes
B (15 MiB pages, 4 cores)	26.7 ms	3.3×	27 ms	16	one chunk per wire page; less internal parallelism
C (per-node Merkle, 4 cores)	122 ms	0.7× (worse)	~50 ms (precomputed hashes)	614 k	Merkle build over 204k node hashes overwhelms the parallel keccak win
D (intrinsic, 4 cores)	44 ms	2.0×	0 ms	410 k	rejected — see below

Why D was rejected post-bench

D had the most attractive numbers (zero producer cost, 2× verifier speedup, no signature on the announce path) — but a peer can serve a truncated witness whose included nodes all hash consistently up to the BP-signed header.StateRoot. Branch nodes embed child references as 32-byte hashes inside their own bytes, so dropping a subtree leaves the parent branch nodes' hashes unchanged. The intrinsic walker has no way to distinguish "this hash-reference belongs to a path that was never touched and is intentionally absent" from "this hash-reference belongs to a path that was touched and was adversarially omitted" — only attempting execution would. That destroys pre-execute byte-blame, which is the whole reason WIT2 introduced a content commitment in the first place. A/B/C all preserve byte-blame because they sign over content; truncation changes the commitment, signature mismatch, peer dropped pre-execute.

Why B at 1 MiB chunks won

A chunk-size sweep at 50 MiB / 8 cores:

chunk size	wall-clock	aggregate throughput	speedup vs A
512 KiB	13.5 ms	3.9 GB/s	6.5×
1 MiB	13.8 ms	3.85 GB/s	6.4×
2 MiB	15.9 ms	3.3 GB/s	5.6×
4 MiB	17.1 ms	3.1 GB/s	5.2×
15 MiB (= one wire page)	27.7 ms	1.9 GB/s	3.2×

512 KiB shaves a tenth of a ms over 1 MiB at the cost of doubling the chunk count and the per-chunk overhead — 1 MiB is the knee of the curve. Below 512 KiB, per-chunk setup starts dominating. The 4 GB/s ceiling is the M4 Pro's aggregate keccak throughput across 8 P-cores; further parallelism doesn't help with the current keccak primitive.

Verifier-side scaling — B beats A non-trivially only ≥ 30 MiB

witness size	A (single-thread)	B (1 MiB chunks, 8 cores)
1 MiB	1.8 ms	1.8 ms (one chunk, no parallelism)
5 MiB	8.9 ms	4.0 ms (~2.2×)
15 MiB	26.6 ms	6.2 ms (~4.3×)
30 MiB	53.2 ms	9.1 ms (~5.8×)
50 MiB	88.4 ms	13.5 ms (~6.5×)

For the small witnesses Polygon emits today (typically 1–10 MiB) B is comparable to A; for the large witnesses we already see at the upper tail (30–50 MiB) B is the difference between the producer/verifier paying a ~90 ms gate vs ~14 ms. The fix is most impactful exactly where the problem is worst.

Why not C

C is dominated by every other viable candidate on these numbers: slower verifier than A (122 ms vs 88 ms), 91 MiB / 614 k allocations per verify at 50 MiB, no wire saving. C only becomes interesting if a future design needs sub-witness proofs (proving a specific node belongs to the committed set without sending the full body) — that's not on the roadmap, so C is a no-vote here.

Sensitivity caveats

• Synthetic 256-byte avg node size; real mainnet shape may shift C/D's relative position but not B vs A — B operates on contiguous bytes regardless of node distribution.
• Producer cost for B reuses the same parallel-keccak; not amortized into anything else, so it's a real wall-clock cost on the announce path. 14 ms is well under the per-hop savings (~500 ms) so the change is a net win even at 50 MiB.
• A faster hash primitive (BLAKE3 / KangarooTwelve) would push verifier toward ~5 ms but adds a non-Ethereum dependency; out of scope, can be re-evaluated separately if 14 ms is still too slow.

Full bench artifact (raw numbers, reproduction commands, allocation breakdown): agent-zero/investigations/witness-propagation/witness-commit-bench.md.

Local devnet validation

A 9-node hop-chain devnet on kurtosis-pos: 4 BPs full-mesh, two relay full-nodes (F1/F2) carrying a +300 ms per-hop import-delay knob to amplify the gate without heavy tx loads, and three stateless validators at hop distances 1 / 2 / 3 from the closest BP (S1 ↔ BP1, S2 ↔ F1, S3 ↔ F2). Topology was enforced post-launch via admin_removePeer after every node imported past Giugliano (block 128 + 72-block settle), so the measurement window is post-fork and post-prune only — pre-fork blocks (different code path) are excluded.

Four scenarios, ~30 measured blocks each:

#	Image map	Headline result
1	All 9 = bor:develop (control)	Reproduces the bug. S2 milestone-lag p95 425 ms / max 482 ms. S3 p95 719 ms / max 898 ms.
2	All 9 = bor:wit2	S2 p95 1.0 ms (−99.8%). S3 p95 260 ms (−64%). 700–1000 RX_SIGNED_ANNOUNCE per node confirms protocol active end-to-end.
3	S1/S2/S3 = bor:wit2, rest = bor:develop	Same lag as develop (no relay path for signed announces because intermediate hops are WIT1), but zero errors, no peer drops, full sample counts; WIT2 stateless nodes correctly downgrade to WIT1 wire and serve develop peers via the chain path.
4	BP1 = bor:wit2, rest = bor:develop	Same as scenario 3 from the other direction. BP1 served 195 witnesses on the WIT1 chain path; develop validators kept whitelisting milestones throughout.

F2 import-lag (the relay just before S3) shows the mechanism: median drops 805 → 305 ms in scenario 2 — one full per-hop inject overlapped with WIT2 announcement-driven pre-fetch, exactly what the design predicts.

S3's residual p95 of 260 ms in scenario 2 is the single +300 ms inject on F2 still in the critical path: WIT2 lets the F1 hop overlap, but F2 still has to receive and execute the block before serving S3. Without the artificial knob (i.e., on mainnet), the natural per-hop gate is ~50–100 ms and this residual shrinks proportionally.

Full report (per-scenario logs, lag tables, errors/warnings, peer-count snapshots, prune timestamps, image map): agent-zero/investigations/witness-propagation/devnet-validation-2026-04-30b.md.

Re-validation at the current head (2026-06-09, commit 8c16b39): the s2 all-WIT2 scenario was re-run at the convergence-review head with per-node Prometheus capture, which surfaced a defect all code review rounds missed — any node holding a signer key signed announces for foreign blocks, causing honest validators to strike each other. Fixed by binding the sign path to the scheduled producer (maySignAnnouncementForBlock, regression-tested) with a truthful WIT1 hash-announce fallback for non-producers. Post-fix: strikes 0 across all validators, RX_SIGNED +20%, latency unchanged. A Phase-2 large-witness scenario (~18.9 MB witnesses, above the 16 MiB push/gossip cap) verified the multi-page pull path end-to-end: all stateless nodes imported every padded block in lockstep.

Backward compatibility — explicit checks

Property	Check	Result
WIT2 binary in develop mesh	scenario 4 (BP1 only) and scenario 3 (S* only)	full sample counts, zero ERRORs, no peer isolation
WIT1 fallback path	pendingWitnessBodies skipped when no signed WitnessHash on file	gated check in eth/handler_wit2.go::resolveWitnessBytes
Mixed-version metadata	new WitnessHash field on WitnessMetadataResponse ignored by WIT1 readers	served-chain path serves both equally
Replay across forks/networks	mimetype + domain tag in consensus/bor.SignBytes	covered by consensus/bor/signbytes_test.go

Deployment & rollout safety — why a mixed mesh has no downside

Rollout is fully incremental: no flag day, no coordinated upgrade, no config change. The wit protocol negotiates per-connection at handshake (ProtocolVersions = [WIT2, WIT1, WIT0], highest mutual version wins), so one node simultaneously speaks WIT2 to upgraded peers and WIT1 to old peers. The new message (SignedNewWitnessHashesMsg = 0x06) is outside WIT1's message range and every send site is gated on peer.Version() >= WIT2 — an old node can never receive a frame it doesn't understand. The witness body transfer (paged GetWitness pull) is byte-identical in both versions.

Per-peer announce split (producer side). When a producer (or any node holding the witness) announces, each recipient gets the variant its negotiated version supports: WIT2 peers the signed announcement, WIT1/WIT0 peers the legacy unsigned NewWitnessHashes. Both are truthful (every announce path is gated on HasWitness) and both lead to the same paged pull. Old peers observe exactly the protocol they ran before this PR. The signature is computed once per produced block (cached; ~14 ms keccak + ~100 µs ECDSA) and the same announcement struct is reused across all peers, both broadcast phases, and every relay hop — relayers forward the producer's signature verbatim and cannot re-sign.

WIT2 → WIT1 boundary. A node that learns of a witness via a signed announce does not translate it for WIT1 peers at receive time (the transitive relay deliberately skips peers below WIT2 — at that point the node only knows a hash, and the WIT1 announce contract is "I have this witness"). The WIT1 peer is served on the node's post-import announce instead, and can even pull the body from the WIT2 node's in-flight cache pre-import. Net effect: WIT1 peers keep today's latency profile exactly; WIT2's pre-import fast path simply doesn't extend through them.

No cross-version discipline risk. Strike-disconnect only triggers on signed announcements (bad signature / signer ≠ scheduled producer). WIT1 peers physically cannot send those, so an old peer can never be struck and never strikes anyone. On the WIT2 side, only the block's sealer signs announcements (producer binding on the sign path, maySignAnnouncementForBlock), an announce racing ahead of its header is deferred rather than punished, and rate limiting drops packets without striking — devnet-verified at zero strikes across all honest topologies.

Benefits track validator adoption; the upgrade is inert until then. No signed announces exist until block producers run the new version, so a WIT2 full/RPC node in an old mesh behaves byte-for-byte like a WIT1 node. Deploying sentries/RPC/archive first is safe and changes nothing; each validator upgrade then switches on the latency win for its blocks. The worst case anywhere in a mixed mesh is today's propagation behavior, never worse — a WIT2 island reachable only through WIT1 hops degrades to the status quo (measured: scenarios 3/4 above, zero errors, no peer drops).

Suggested rollout order. Upgrade a validator together with its sentries as a unit — the signed announce dies at the first WIT1 hop, so a validator behind old sentries gets no benefit past hop 1. On canaries watch the eth_wit2_* meters: strike_disconnect, invalid_sig, not_validator should be ~0 in an honest mesh (non-zero = a buggy/malicious peer being handled); header_unknown and deferred counts are non-zero by design (announce/block races absorbed by the deferral queue).

No hardfork gate. WIT2 negotiates immediately at handshake; what gates real traffic is witness production/consumption, which is already live. The PR changes announcement transport and serving, not witness semantics, block validity, or consensus.

Test plan

• Unit tests: core/stateless/witness_commit_test.go, witness_commit_bench_test.go, consensus/bor/signbytes_test.go, eth/handler_wit2_test.go, eth/handler_wit_test.go, eth/peerset_test.go, eth/protocols/wit/protocol_wit2_test.go, eth/fetcher/witness_manager_wit2_test.go.
• Local devnet validation, 4 scenarios, post-fork-only measurement window — see report above.
• Reviewers: confirm the chunk-size choice (1 MiB) for the parallel keccak — small enough to be useful on smaller witnesses, large enough to amortise goroutine overhead.
• Reviewers: confirm the cache capacity (10) for pendingWitnessBodies. We don't expect more than a few in-flight unique witnesses at a time, but worth a second opinion under burst conditions.
• Operator readiness: comms to validators running Clef about the new mimetype application/x-bor-wit2-announce.

Diffguard / quality-gate notes

• Dead code: clean (earlier leftovers removed).
• eth/handler_wit2.go split into three files (handler_wit2.go ~410 lines, handler_wit2_bodies.go, handler_wit2_announces.go) — all under the 500-line threshold.
• handleWitnessBroadcast refactored into three accept-path helpers (was 96 lines / complexity 17, now within thresholds); deferredAnnounceCache.put eviction extracted (complexity 13 → under 10).
• WitnessCommitHash complexity (was 18) resolved by extracting the worker-pool fan-out into hashWitnessChunks / witnessCommitWorkerCount; commitment recipe unchanged (pinned by the shape tests).
• witness_manager.go growth (+161 vs base, over the oversized-file delta tolerance) resolved by moving the PR-added WIT2 code (byte-verification, pre-import serving handoff, empty-response backoff) into eth/fetcher/witness_manager_wit2.go.
• Remaining flags are pre-existing legacy hot spots this PR touches but does not own (newHandler, BroadcastBlock, handleGetWitness, file sizes of handler.go/bor.go/block_fetcher.go/peer.go) plus one accepted item: (Peer).broadcastWitness complexity 12 — upstream-shaped select loop; this PR adds one case.
• govulncheck failures are unrelated to this PR: two Go 1.26.3 standard-library vulns (GO-2026-5039 net/textproto, GO-2026-5037 crypto/x509, both fixed in go1.26.4) reached through pre-existing code (node/endpoints.go, ethstats, internal/cli); develop's latest Govuln run fails identically. Needs a repo-wide toolchain bump, separate from this PR.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[claude]

test

[claude]

Code Review

3 issues found. Checked for bugs and CLAUDE.md compliance.

---

1. Performance: redundant witness encoding

File: eth/fetcher/witness_manager.go L670-L680

verifyAgainstSignedHash (line 671) encodes the witness via encodedWitnessHash and computes WitnessCommitHash, then cacheVerifiedWitnessForServing (line 679) repeats the exact same EncodeRLP + WitnessCommitHash. Neither call reuses the other's result.

On a 50 MiB witness this adds ~100–300 ms of redundant CPU work per verified fetch — meaningful given WIT2's goal of eliminating per-hop latency.

Suggested fix: Have verifyAgainstSignedHash return the encoded bytes and hash on success, then pass them directly to parentCacheWitnessForServing instead of re-encoding.

---

2. Performance: unconditional encode+hash before signed-announcement check

File: eth/handler_wit.go L95-L119

EncodeRLP (line 96–97) and WitnessCommitHash (line 101) run before checking whether a signed announcement exists (line 102). On the WIT1 fallback path (default case, lines 112–118), the encoded bytes and hash are discarded.

Every witness broadcast — including from WIT1 peers — pays the full encode+hash cost (~150–450 ms on 50 MiB witnesses) even when the result is never used.

Suggested fix: Check signedWitnesses.get(hash) first. Only encode+hash when hasSigned is true. This mirrors the pattern already used in cacheVerifiedWitnessForServing in witness_manager.go (lines 697–701), which correctly checks before encoding.

---

3. Bug: peer dropped on local EncodeRLP failure

File: eth/fetcher/witness_manager.go L725-L730

When encodedWitnessHash fails (line 725–726), the non-empty peer string is passed to handleWitnessFetchFailureExt (line 728), which calls parentDropPeer(peer). An EncodeRLP failure on a successfully-decoded Witness is a local error (the peer delivered valid RLP that decoded fine), not evidence of peer misbehavior.

This is inconsistent with the pattern in cacheVerifiedWitnessForServing just below (line 704–705), which correctly logs the failure without dropping anyone.

Suggested fix: Change peer to "" on line 728:

m.handleWitnessFetchFailureExt(hash, "", fmt.Errorf("witness encode failed: %w", err), false)

[codecov]

Codecov Report

❌ Patch coverage is 92.42718% with 78 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.96%. Comparing base (a79d527) to head (13d0536).

Files with missing lines	Patch %	Lines
eth/handler_wit2.go	87.85%	26 Missing ⚠️
eth/handler_wit.go	92.57%	10 Missing and 5 partials ⚠️
eth/fetcher/witness_manager_wit2.go	81.96%	8 Missing and 3 partials ⚠️
core/stateless/witness_commit.go	84.74%	6 Missing and 3 partials ⚠️
eth/handler.go	86.20%	6 Missing and 2 partials ⚠️
eth/peerset.go	73.91%	3 Missing and 3 partials ⚠️
eth/handler_eth.go	66.66%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2208      +/-   ##
===========================================
+ Coverage    53.67%   53.96%   +0.28%     
===========================================
  Files          897      901       +4     
  Lines       160369   161206     +837     
===========================================
+ Hits         86086    86994     +908     
+ Misses       68946    68864      -82     
- Partials      5337     5348      +11     

Files with missing lines	Coverage Δ
accounts/accounts.go	100.00% <ø> (ø)
consensus/bor/bor.go	85.73% <100.00%> (+0.20%)	⬆️
core/stateless/encoding.go	65.15% <100.00%> (+1.65%)	⬆️
eth/fetcher/block_fetcher.go	73.80% <100.00%> (+0.06%)	⬆️
eth/fetcher/witness_manager.go	91.03% <100.00%> (+2.41%)	⬆️
eth/handler_wit2_announces.go	100.00% <100.00%> (ø)
eth/handler_wit2_bodies.go	100.00% <100.00%> (ø)
eth/peer.go	95.80% <ø> (ø)
eth/protocols/wit/broadcast.go	54.16% <100.00%> (+15.27%)	⬆️
eth/protocols/wit/handler.go	29.33% <100.00%> (+1.93%)	⬆️
... and 10 more

... and 24 files with indirect coverage changes

Files with missing lines	Coverage Δ
accounts/accounts.go	100.00% <ø> (ø)
consensus/bor/bor.go	85.73% <100.00%> (+0.20%)	⬆️
core/stateless/encoding.go	65.15% <100.00%> (+1.65%)	⬆️
eth/fetcher/block_fetcher.go	73.80% <100.00%> (+0.06%)	⬆️
eth/fetcher/witness_manager.go	91.03% <100.00%> (+2.41%)	⬆️
eth/handler_wit2_announces.go	100.00% <100.00%> (ø)
eth/handler_wit2_bodies.go	100.00% <100.00%> (ø)
eth/peer.go	95.80% <ø> (ø)
eth/protocols/wit/broadcast.go	54.16% <100.00%> (+15.27%)	⬆️
eth/protocols/wit/handler.go	29.33% <100.00%> (+1.93%)	⬆️
... and 10 more

... and 24 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lucca30]

Review responses

All 3 review issues addressed in 12368a3:

1. Redundant witness encoding — verifyAgainstSignedHash now returns the canonically-encoded body and signed hash on success; cacheVerifiedWitnessForServing reuses them directly instead of re-encoding (~14 ms saved per verified fetch on 50 MiB witnesses on the bench machine).
2. Unconditional encode+hash on WIT1 path — signedWitnesses.get(hash) is now hoisted above EncodeRLP/WitnessCommitHash in handleBroadcastWitness. WIT1 broadcasts (no signed announcement) short-circuit before paying the encode/hash cost.
3. Peer drop on local EncodeRLP failure — re-encoding RLP bytes the peer already delivered as valid is a local invariant violation, not peer misbehavior. Now logs without dropping, mirroring the cache path.

The wit2_test.go no-signed-hash regression test was retargeted onto verifyAgainstSignedHash where the invariant now lives.

CI status

• ✅ All review issues addressed.
• ⚠️ diffguard (Quality metrics) failed at install, not on this PR's diff: upstream tool break — *Language does not implement lang.Language (missing method DeadCodeDetector) in github.com/0xPolygon/diffguard@latest. Fix belongs in the diffguard repo.
• ⚠️ Kurtosis Stateless E2E Tests Test 4 (extreme network latency recovery) failed because validator node-2 stayed at block 397 while all other 8 nodes recovered fully (768+, milestone lag 0). This same test has flaked on develop recently (Apr 27, Apr 16). I'll retrigger.
• ⚠️ codecov patch coverage 52%: WIT2 protocol paths exercised by integration/devnet tests rather than unit tests; matches coverage profile of the existing WIT1 handler code.
• ⚠️ SonarCloud duplication 5.3%: concentrated in _test.go files (witness_manager_test.go, witness_manager_wit2_test.go) — table-driven test setup, not production-code duplication.

[lucca30]

Adversarial-review findings — addressed via TDD

Codex flagged 3 high-severity issues in an adversarial pass. For each I wrote a failing regression test first, then implemented the smallest correct fix, then confirmed all 919 tests across eth, eth/fetcher, eth/protocols/wit, consensus/bor, and core/stateless still pass. Pushed as 9485452.

#	Codex finding	Fix	Regression test
1	Header-race: signed announce arriving before header silently degrades to unsigned-fallback because AddKnownAnnounce was called before the verification gate, suppressing recovery via re-relay	Move AddKnownAnnounce into the acceptSignedAnnouncement success branch so the announce-known bit only reflects verified delivery. Re-receipt now drives recovery.	TestHandleSignedWitnessAnnouncementsBadSigDoesNotMarkAnnounceKnown
2	pendingWitnessBodies TTL never actually evicted: get() returned false on expiry but left entries in the map; gcLocked only ran from put(). Up to 10 × ~50 MiB blobs could persist indefinitely past the 30s TTL.	get() now upgrades to a write lock and deletes the expired entry (re-checking the entry pointer under the write lock to avoid clobbering a concurrent put).	TestPendingWitnessBodyCacheGetEvictsExpired
3	verifyAgainstSignedHash dropped the byte-server on every signed-hash mismatch, but the announcement only proves some BP signed some hash. A faulty/malicious scheduled producer signing bogus could weaponise this to disconnect honest peers serving canonical witnesses.	On mismatch, reject the bytes (no serving cache) and back off the request without dropping the byte-server. Existing TestProcessWitnessResponseDropsOnHashMismatch was replaced — its policy reversed — with TestProcessWitnessResponseDoesNotDropOnByteMismatch. TODO comment for the proper long-term fix (signer quarantine), which needs (signer, relayer) provenance the manager doesn't currently track.	TestProcessWitnessResponseDoesNotDropOnByteMismatch

What's still out of scope (filed as TODOs at the call site, not in this PR)

• Signer quarantine ban-list (real long-term fix for finding 3) — requires plumbing announcement signer + relayer pair through to the witness manager.
• Deferred-announce queue with chain-head drain (more complete fix for finding 1) — re-gossip already drives recovery in practice; the queue is overkill for this PR.
• Byte-budgeted witness body cache cap (finding 2 follow-up) — current capacity-10 cap with working TTL eviction is enough to close the leak.

[lucca30]

Adversarial review — all 4 items now closed

Pushed b3cb00e: deferred-announce queue closes the cosend race.

Codex finding	Status	Test
Header-race: announce arriving before header silently downgrades to WIT1 fallback	done	TestDeferredSignedAnnounceDrainedAfterHeaderArrives
pendingWitnessBodies TTL never evicts	done	TestPendingWitnessBodyCacheGetEvictsExpired
AddKnownAnnounce set on rejected announces	done	TestHandleSignedWitnessAnnouncementsBadSigDoesNotMarkAnnounceKnown
Honest byte-server dropped on bad commitment	done	TestProcessWitnessResponseDoesNotDropOnByteMismatch

A small in-memory cache (capacity 256, TTL 30s) holds signed announcements whose producer-binding could not be checked at receive time because the matching block header wasn't local yet. handler.Start subscribes to ChainHeadEvent; on each new block, drainDeferredAnnouncesFor(blockHash) re-runs verification, caches the announcement on success, credits the original sender as announce-known, and relays. Mirrors the existing pendingWitnessBodyCache lifecycle.

isScheduledProducer was also tightened: header presence is now checked first regardless of consensus engine. The previous non-bor early-return skipped the header check entirely, which was incorrect on its own — an announce we can't tie to a local block is unverifiable here.

920/920 tests pass across eth, eth/fetcher, eth/protocols/wit, consensus/bor, core/stateless. go build ./... clean.

Still deferred (not adversarial-review-flagged): signer-quarantine ban-list (needs signer/relayer provenance plumbed to the witness manager — TODO at the call site); byte-budgeted cap on pendingWitnessBodies (count cap of 10 with working TTL is bounded; future-proofing item).

[sonarqubecloud]

Quality Gate failed

Failed conditions
4.8% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[lucca30]

Follow-up: stateless-sync fix + devnet validation (fe20334b7)

While validating this PR on a Kurtosis devnet I found and fixed a stateless-consumer sync regression, and rebased the branch onto current develop (it had been sitting on an older base, so the diff against develop is now smaller/cleaner).

Problem

In an all-WIT2 fleet the witness body is never pushed — both WIT1 and WIT2 are announce-then-pull, and the full-body broadcast path is unused. WIT2 relays the signed announce transitively, ahead of the body, and a relayer is (correctly) only marked announce-known, not body-known. So a stateless consumer always pulls the body from a relayer that doesn't hold it yet → empty response → re-poll until that relayer catches up. WIT1 stays in lockstep because it only announces a witness it already holds (and that announce marks the sender a body-holder), so the first pull lands.

Fix

• Push the body to waiters. Record a peer that asks for a body we don't yet hold but have a BP-signed announcement for (bounded registry + 30 s TTL), and push the full witness to it the moment we obtain the body. Three triggers cover how a node comes to hold a body: our own verified fetch, a gossip broadcast, and — the dominant case for producing/full nodes — generating it during native block import (flushed from the chain-head loop). Restores the WIT1-style hand-off without flooding: ≤ 1 body per peer that actually asked, exactly what the pull would have cost.
• Back off empty fetches. Route empty ("body not ready yet") responses to a dedicated backoff (first retries immediate, then exponential to a 1 s cap) instead of a tight re-poll loop; never drop the request (the witness provably exists) or penalise the responder.

Observed gains (Kurtosis devnet, 9-node hop chain, all-WIT2, instrumented build)

Stateless node S1's only peer is the producing validator BP1 (the case the native-import trigger targets):

metric	before fix	after fix
S1 milestone-lag p50	646 ms	0.9 ms
stateless height vs BP1 (at teardown)	4–6 blocks behind	0–1
S1 blocks served in ≤ 2 fetches	—	35 / 38 (92 %)

The median-lag collapse (646 ms → 0.9 ms) is only explicable if the body is pushed the instant BP1 imports the block, rather than discovered on a later poll. All stateless nodes end height-locked within 0–1 of BP1, versus 4–6 behind before.

It took two iterations: a first version with only the fetch + broadcast triggers showed no improvement, because S1's peer (a producing node) obtains witnesses by generating them on import — which fired neither hook. The chain-head trigger closed that gap.

Honest residual

A p95 tail of ~1.3–2 s remains, from a few straggler blocks per node (3 of 38 on S1) where the consumer's sole relayer is itself slow to obtain the block — no push can deliver a body the relayer doesn't yet hold. This is partly inherent to single-source stateless sync and is present in pre-regression (develop-era) runs too; it is not the witness-fetch regression. Numbers are from a single short run — the p50 signal is robust, the p95 noisier.

Tests

TestEmptyGetWitnessForSignedHashPushesBodyOnArrival, TestFlushWitnessWaitersForImportedPushesFromChainStorage, and TestEmptyResponseBacksOffToAvoidHammering — each fails before the fix and passes after.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[sonarqubecloud]

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.6% Duplication on New Code

See analysis details on SonarQube Cloud

[vbhattaccmu]

@claude review

[Copilot]

Pull request overview

This PR introduces WIT2 (wit protocol v3) to speed up witness propagation by allowing block-producer–signed witness announcements to be verified and relayed without executing/importing blocks, plus an in-memory pre-import witness-body serving cache to reduce multi-hop latency for stateless validators.

Changes:

• Add WIT2 wire protocol support (new signed-announce message, signing digest helpers, peer queues, handler routing).
• Implement WIT2 relay/verification path, deferred-announce handling, rate limiting/strikes, and a pre-import witness-body cache with waiter push semantics.
• Add a chunked-parallel witness commitment hash (WitnessCommitHash) and make witness RLP encoding deterministic (sorted state nodes), with extensive tests/benches.

Reviewed changes

Copilot reviewed 39 out of 40 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
eth/protocols/wit/protocol.go	Adds WIT2 version/message, signed announcement types, and signing preimage/hash helpers.
eth/protocols/wit/protocol_wit2_test.go	Pins WIT2 signing-hash format and handshake advertising.
eth/protocols/wit/peer.go	Adds announce-known cache + signed-announce queueing/sending for WIT2 peers.
eth/protocols/wit/peer_wit2_test.go	Exercises signed-announce wire round-trip and queue/known-set semantics.
eth/protocols/wit/handlers.go	Adds decode-time cap and handler for SignedNewWitnessHashes (WIT2).
eth/protocols/wit/handler.go	Adds WIT2 handler map and dispatch by negotiated version.
eth/protocols/wit/broadcast.go	Broadcast loop now sends queued signed announcements.
eth/peerset.go	Adds announce-only fallback peer selection + peersWithoutSignedAnnounce for relay dedup.
eth/peerset_test.go	Tests preference/fallback behavior for witness fetch peer selection.
eth/peer.go	Extends WitnessPeer interface with WIT2 announce-known operations + signed announce send.
eth/peer_test.go	Adds regression test documenting duplicate-page misreconstruction gap.
eth/peer_mock.go	Updates gomock witness-peer mock to include new WIT2 methods.
eth/handler.go	Wires WIT2 caches/trackers/waiters and hooks into BlockFetcher construction + head loop.
eth/handler_wit2.go	Implements WIT2 signing/verification helpers, strike policy, cosend, and deferred drain loop.
eth/handler_wit2_caches_test.go	Comprehensive tests for WIT2 caches, deferral, rate limits, strikes, and serving behavior.
eth/handler_wit2_bodies.go	Implements pending witness-body cache + witness-waiter registry.
eth/handler_wit2_announces.go	Implements per-peer token bucket + strike tracker, deferred announce cache, signed announce cache.
eth/handler_wit.go	Adds signed-announce handling, pre-import serving integration, request entry cap, and serving changes.
eth/handler_wit_test.go	Adds tests for new request bounds and deferred-relayer fetch fallback.
eth/handler_eth.go	Adds resolveWitnessFetchPeer with deferred-relayer fallback.
eth/fetcher/witness_manager.go	Adds WIT2 empty-response behavior, byte-check hook, and serving-cache callback integration.
eth/fetcher/witness_manager_wit2.go	Implements WIT2 byte-correctness verification, empty-response backoff, and serving-cache callback.
eth/fetcher/witness_manager_wit2_test.go	Tests WIT2 byte-check, empty-response backoff, and cache callback wiring.
eth/fetcher/witness_manager_test.go	Updates witness-manager tests for new constructor parameters.
eth/fetcher/metrics.go	Adds metric for witness byte mismatch (WIT2).
eth/fetcher/block_fetcher.go	Extends BlockFetcher ctor to pass WIT2 signed-hash lookup + cache callback into witness manager.
eth/fetcher/block_fetcher_test.go	Updates BlockFetcher tests for new constructor signature.
eth/fetcher/block_fetcher_race_test.go	Updates race tests for new constructor signature.
core/stateless/witness_commit.go	Adds chunked-parallel witness commitment hash (WIT2 WitnessHash).
core/stateless/witness_commit_test.go	Tests commitment determinism, worker invariance, and shape properties.
core/stateless/witness_commit_helpers_test.go	Adds benchmark/candidate helpers for witness-commit evaluation.
core/stateless/witness_commit_bench_test.go	Adds benches for candidate schemes + correctness guards.
core/stateless/witness_bench_test.go	Adds benches for witness encode/hash/sign cost by size.
core/stateless/encoding.go	Makes witness EncodeRLP deterministic by sorting state nodes.
core/stateless/encoding_test.go	Tests EncodeRLP determinism across insertion order and repeat calls.
consensus/bor/signbytes_test.go	Adds tests for SignBytes mimetype forwarding/rejection and signer handling.
consensus/bor/bor.go	Adds SignBytes + CurrentSigner APIs for WIT2 signing.
codecov.yml	Excludes generated mock from Codecov.
accounts/accounts.go	Adds mimetype constant for WIT2 witness announcement signing.

Files not reviewed (1)

• eth/peer_mock.go: Generated file

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[claude]

🔴 deferredAnnounceCache.put has two defects on the existing-key (overwrite) branch (eth/handler_wit2_announces.go:173-186): (1) it unconditionally overwrites the cached announcement without verifying that the new WitnessHash matches the existing one — asymmetric with signedWitnessCache.putIfNewer which DOES reject WitnessHash conflicts at lines 313-332; (2) it increments c.perPeer[peerID] at line 178 with no perPeerCap check, defeating the explicit DoS bound the function comment commits to (the cap check at line 190 only runs on the new-hash branch). Together, any peer within ordinary rate-limit budget can silently downgrade WIT2 byte-correctness for arbitrary deferred blocks: re-announce a victim hash with a forged signature, the overwrite replaces the honest entry without per-peer accounting protection; on block import the attacker's entry fails producer-binding and is dropped, signedWitnesses stays empty, witness fetches skip byte-verification (parentSignedWitnessHash returns ok=false → verifyAgainstSignedHash short-circuits). Fix mirrors the sibling cache: reject overwrites whose WitnessHash differs from the existing entry (surface via wit2ConflictingWitnessHashMeter), AND enforce the perPeerCap check before perPeer[peerID]++ when existing.peerID != peerID.

Extended reasoning...

What the bug is

deferredAnnounceCache.put at eth/handler_wit2_announces.go:173-205 combines two distinct flaws on the overwrite branch:

(1) No WitnessHash conflict check. When an entry for ann.BlockHash already exists, the function unconditionally overwrites the announcement with whatever the new caller passed, with no check that the new WitnessHash matches the existing one. The sibling signedWitnessCache.putIfNewer at lines 313-332 enforces exactly this guard and surfaces conflicts via wit2ConflictingWitnessHashMeter — but the deferred cache adopts the opposite policy.

(2) Per-peer cap bypass. The check if c.perPeer[peerID] >= c.perPeerCap (line 190) sits on the new-hash branch only. The overwrite branch at line 178 does c.perPeer[peerID]++ unconditionally when existing.peerID != peerID, with no cap check. The comment block above the function explicitly markets the per-peer cap as the structural defense ensuring "no single peer can monopolise the cache and evict honest header-racing announces" — but on the overwrite branch that invariant does not hold.

Why existing code does not prevent it

verifySignedAnnouncement (eth/handler_wit2.go:67-79) recovers from ANY 65-byte signature — it has no signer-membership gate, because at deferral time the header is unknown by definition. acceptSignedAnnouncement (eth/handler_wit.go) routes the deferral path silently: no strike, no AddKnownAnnounce, no relay. The attacker stays within their wit2AnnounceBurstCap=256 / 64-per-second rate budget and never accumulates strikes.

Step-by-step proof (the merged attack)

1. Honest P1 receives a legitimate signed announce for blockHash X with WitnessHash Y (BP-signed by the real producer), header for X not yet local on the victim. The victim defers via deferredAnnounces.put(ann_Y, P1) — line 199, new-hash path, perPeer[P1] = 1.
2. Attacker P2 crafts a structurally valid 65-byte ECDSA signature over (X, X_blockNumber, Z) for any chosen WitnessHash Z using a throwaway key. verifySignedAnnouncement recovers some address, isScheduledProducer returns (false, false) (header unknown), and the victim falls into the deferral branch.
3. The put hits the existing-key path. existing.peerID (P1) != peerID (P2) → decPeerLocked(P1) then perPeer[P2]++. The honest entry is silently replaced with (ann_Z, P2) — no WitnessHash check (defect 1).
4. P2 repeats steps 2-3 against other honest peers entries. Each overwrite increments perPeer[P2] unconditionally past perPeerCap (defect 2): with capacity 256 and perPeerCap = 256/8 = 32, P2 can grow to ~256 entries by chaining cross-peer overwrites, bounded only by the global capacity.
5. Block X arrives. drainDeferredAnnouncesFor(X) take()s the attacker entry, re-runs verifySignedAnnouncement (still structurally valid → attacker addr), isScheduledProducer now returns (false, true) since the header is local and attacker != producer. The entry is dropped without promotion (signedWitnesses is never written). The honest P1 entry is gone — overwritten in step 3.
6. lookupSignedWitnessHash(X) returns (_, false). witnessManager.verifyAgainstSignedHash (eth/fetcher/witness_manager_wit2.go) sees no signed hash on file, returns body=nil for the WIT1 path, and cacheVerifiedWitnessForServing no-ops. Subsequent serving peers get bytes accepted without verification against any BP commitment for block X.

Impact

• Defeats the byte-correctness trust property the PR explicitly markets as the WIT2 improvement (bytes verified against the BP-signed WitnessHash pre-execute).
• Defeats the explicit DoS bound the function comment block at lines 117-126 commits to ("no single peer can monopolise the cache and evict honest header-racing announces").
• Within budget for any peer on the gossip mesh — no producer key needed, no strikes accumulate.
• Recoverable in dense honest meshes via re-gossip after import, but fails in sparse / single-route topologies (the exact scenario the PR description warns about for stateless validators behind a single relay).
• Not catastrophic on its own — state-root validation at import still catches bad content, and the failure mode is graceful degradation to WIT1 byte handling. But it silently negates one of the headline security improvements of the PR.

Fix

Mirror the sibling cache policy and enforce the per-peer cap on the overwrite branch:

if existing, exists := c.entries[ann.BlockHash]; exists {
    if existing.announcement.WitnessHash != ann.WitnessHash {
        wit2ConflictingWitnessHashMeter.Mark(1)
        return
    }
    if existing.peerID != peerID {
        if c.perPeer[peerID] >= c.perPeerCap {
            wit2DeferredPerPeerDropMeter.Mark(1)
            return
        }
        c.decPeerLocked(existing.peerID)
        c.perPeer[peerID]++
    }
    c.entries[ann.BlockHash] = &deferredAnnounceEntry{ ... }
    return
}

The two guards compose cleanly: the first kills the byte-correctness downgrade vector (defect 1), the second kills the per-peer monopolization vector (defect 2). Both fixes are symmetric with how the sibling signedWitnessCache.putIfNewer and the new-hash branch already handle the same conflicts.

[claude]

🟡 Minor: pendingWitnessBodyCache.put at eth/handler_wit2_bodies.go:62-83 runs the capacity-driven eviction unconditionally, even when the put is an overwrite for a key already in the cache. When the cache is full (capacity = 10) and a second put arrives for an already-present blockHash — which can happen when cacheVerifiedWitnessForServing (manager fetch success) and acceptSignedBroadcast (handler_wit.go:153, on a near-simultaneous broadcast push) both fire for the same block — the eviction loop drops an unrelated oldest entry and then overwrites the existing slot in place, silently shrinking the live cache to 9 entries. The sibling deferredAnnounceCache.put already handles this correctly (early return on existing-key without consulting capacity). Fix: gate the eviction block on if _, exists := c.entries[blockHash]; !exists so it only fires for genuinely new keys. Functionally minor — the cache is a soft serving hint and self-corrects on the next put — but the asymmetry with the deferred cache reads as oversight and the fix is one line.

Extended reasoning...

What the bug is

pendingWitnessBodyCache.put (eth/handler_wit2_bodies.go:62-83) gates eviction on len(c.entries) >= c.capacity alone, without checking whether blockHash is already in the map. When the cache is full and the incoming put is an overwrite for an existing key, the eviction loop fires anyway: it picks the oldest entry across all hashes, deletes it, and then c.entries[blockHash] = ... simply replaces the existing slot. Net effect: one unrelated live entry was dropped to make room for an entry that didn't actually need a new slot.

The sibling deferredAnnounceCache.put (eth/handler_wit2_announces.go:138-156) handles the same shape correctly — it early-returns on the existing-key branch before consulting the capacity check, since an overwrite is net-zero for slot count. The asymmetry between the two caches is what reads as an oversight.

Why it can manifest in practice

Two distinct call sites can drive pendingWitnessBodies.put for the same blockHash within the same TTL window:

1. witnessManager.cacheVerifiedWitnessForServing → handler.cacheVerifiedWitnessForServing → pendingWitnessBodies.put (eth/handler_wit2.go), fired when the fetcher's paged-pull completes and the bytes verify against the BP-signed WitnessHash.

2. witHandler.acceptSignedBroadcast (eth/handler_wit.go:153), fired when a NewWitness broadcast arrives for the same block and the bytes verify against the same signed commitment.

The race window is real on the WIT2 fast path: a stateless consumer can complete its paged fetch and also receive an unsolicited broadcast for the same block from a different peer in the cosend storm, in either order. The second put for that block becomes an overwrite at capacity.

Step-by-step proof

Capacity is 10 (witnessBodyCacheCapacity). Steady state: blocks A1..A10 in the cache, A2 the oldest.

1. put(A1, newBytes, newHash) is called (second arrival for A1 — fetch already cached it, now a broadcast push arrives, or vice versa).
2. gcLocked() runs; assume nothing expired.
3. len(c.entries) == 10 >= c.capacity evaluates true.
4. The eviction loop scans c.entries, finds A2 as the oldest, delete(c.entries, A2).
5. c.entries[A1] = &pendingWitnessBody{...} replaces A1's existing slot in place.
6. Net: 9 entries; A2 was dropped despite there being no need to make room.

A peer that asks us for A2's body during the pre-import window now gets an empty GetWitness response and has to fall back to chain-storage lookup post-import, instead of being served from the in-flight cache.

Why existing code doesn't prevent it

The check is purely on len(c.entries). There is no _, exists := c.entries[blockHash] branch like the one in deferredAnnounceCache.put at handler_wit2_announces.go:138-156:

if existing, exists := c.entries[ann.BlockHash]; exists {
    // Overwrite for the same hash: net-zero slot change. ...
    return
}
// only then enforce caps + evict

pendingWitnessBodyCache.put skipped that idiom.

Impact

Functionally minor:

• The cache is a soft serving optimization, not authoritative.
• The evicted entry was the oldest, i.e. lowest serving value remaining.
• On the next cacheVerifiedWitnessForServing (manager re-cache after another fetch) the entry returns.
• A peer that wanted the evicted block falls back to GetWitness on chain storage (post-import) or backs off and retries (pre-import).

No correctness implications, no DoS amplification, no peer-discipline interaction. The cost is a small reduction in the pre-import serving window for one unrelated block, per occurrence.

Fix

One line at the top of put:

func (c *pendingWitnessBodyCache) put(blockHash common.Hash, bytes []byte, witnessHash common.Hash) {
    c.mu.Lock()
    defer c.mu.Unlock()
    c.gcLocked()
    if _, exists := c.entries[blockHash]; !exists && len(c.entries) >= c.capacity {
        // ... existing eviction loop ...
    }
    c.entries[blockHash] = &pendingWitnessBody{ ... }
}

Mirrors the existing deferredAnnounceCache.put overwrite branch and brings the two caches into structural alignment.

[claude]

🟡 Deferred WIT2 announces for intermediate blocks of a batched insertChain (e.g. downloader catch-up) are never drained: ChainHeadEvent fires only once per batch with lastCanon, and deferredAnnouncesLoop only drains the head's hash, so announces for blocks N+1..N+k-1 silently expire after the 30s TTL. For those blocks the byte-correctness trust property quietly degrades to unsigned WIT1 handling and the transitive relay is lost. Fix: walk the deferred queue against any header that now resolves locally, or subscribe to per-block ChainEvent.

Extended reasoning...

The defect

eth/handler.go:704-724 — deferredAnnouncesLoop listens to ChainHeadEvent and calls drainDeferredAnnouncesFor(ev.Header.Hash()). drainDeferredAnnouncesFor (eth/handler_wit2.go:340) is a strict hash-keyed take() on the deferred map — it never walks the queue.

core/blockchain.go:3065-3068 fires ChainHeadEvent only once per insertChain batch with lastCanon.Header(). The inline comment at line 2589-2594 is explicit about this: 'Avoid firing too many ChainHeadEvents, we will fire an accumulated ChainHeadEvent and disable fire event here.' The inner writeBlockAndSetHead calls at blockchain.go:3409 and :3613 are made with emitHeadEvent=false.

Net: when the downloader imports blocks N+1..N+k in one batch, deferred announces for intermediate hashes h_{N+1}..h_{N+k-1} sit unmatched in the deferred cache and expire silently after wit2AnnounceTTL (30s).

Consequence

For those intermediate blocks:

• signedWitnesses is never populated, so lookupSignedWitnessHash() returns false.
• verifyAgainstSignedHash short-circuits when no signed hash is on file (witness_manager_wit2.go) — skipping the keccak check against the BP-signed commitment. The 'byte-correctness verified at the receiver against the BP-signed witnessHash' property the PR explicitly introduces silently regresses to unsigned-WIT1 byte handling.
• The transitive relay (relaySignedAnnouncement, only fired from a successful drain) doesn't run, so downstream WIT2 peers never receive these signed announces from this relayer.

Step-by-step proof

1. Peer P relays signed announces for blocks N+1, N+2, N+3 ahead of the matching headers (cosend race).
2. Each is rejected by isScheduledProducer with headerAvailable=false and stashed in deferredAnnounces (handler_wit.go acceptSignedAnnouncement).
3. The downloader catches us up by inserting all three as one batch via insertChain (blockchain.go:3065 deferred ChainHeadEvent.Send(...lastCanon...)).
4. deferredAnnouncesLoop runs drainDeferredAnnouncesFor(h_{N+3}) — only the last hash. deferredAnnounces.take(h_{N+1}) and take(h_{N+2}) are never called.
5. 30s later, gcLocked evicts the two intermediate entries on the next put.
6. A stateless peer asks us for the witness of N+1 or N+2 — signedWitnesses.get misses; verifyAgainstSignedHash returns (nil, _, true) (skip path). The byte verification the PR adds is silently bypassed.

Why existing code doesn't prevent it

The stateless paths (insertChainStatelessParallel at blockchain.go:2866,2896, insertChainStatelessSequential at :3002) DO pass emitHeadEvent=true, so stateless-validator imports fire per-block events and are unaffected. The block fetcher's per-block f.insertChain(types.Blocks{block}, ...) also produces single-block batches that work correctly. Only the regular full-node downloader path is affected — and the PR's deployment recommendation explicitly says to deploy 'sentries/RPC/archive first', i.e. exactly the nodes that exercise this path during reconnection catch-up.

Mitigating factors (why I'm filing this as nit)

• The block fetcher's steady-state path inserts one block at a time, so normal gossip is unaffected.
• A node doing downloader catch-up is itself behind and not serving downstream peers, so the lost pre-import serving cache for intermediate blocks has no real downstream impact in that window.
• Behavior gracefully degrades to WIT1 byte-verification, which is the pre-WIT2 baseline. No security regression — execution still validates content via state-root.
• Bounded by the 30s TTL and per-peer cap, so memory is bounded.

Suggested fix

Either:

• In deferredAnnouncesLoop, after drainDeferredAnnouncesFor(ev.Header.Hash()), walk deferredAnnounces.entries and drain any whose blockHash now resolves to a local header. The set is bounded (capacity 256), so a linear pass on each head event is cheap.
• Or subscribe to ChainEvent (per-block, including reorged blocks) via chainFeed.Send(ChainEvent{...}) at blockchain.go:2576, which fires per-block in writeBlockAndSetHead for both stateless and regular paths.