fix(node): harden transaction inclusion logic to account for fee market

[raulk]

This PR improves correctness of tx inclusion logic on two fronts.

1. Begins rejecting messages with invalid limits at CheckTx time:
   • Gas fee cap below minimal base fee.
   • Gas limit above maximum block gas limit.

Some type shenanigans via downcasts were necessary to deal with #1241. Tested by extending a materializer test.

2. Exclude non-includable messages at proposal time.
   • I removed the MessagesSelector trait because it was unusable. The vector holding selectors cannot used boxed objects because the trait is not object-safe as it has methods with generic parameters. Also, there's no point over-engineering this prematurely.
   • Also removed the decreasing sorting by gas limit; we prefer to randomize for security (otherwise an attacker could drip brutally overestimated transactions just below the block gas limit to DoS the chain).

[LePremierHomme]

What about .max_fee_per_gas(min_base_fee - 1)? it will also help to document how that value can be retrieved.

[raulk]

We just don't have access to the min base fee here; nor is it available through an API. We could technically fetch the block header of the genesis block and take that base fee as the min base fee, but I'm sure it would buy us anything.

[LePremierHomme]

Where/how is it guaranteed?

[raulk]

Good point; I think we should check the min base fee is satisfied here since CheckTx won't be invoked for transactions we never saw but that got included by another validator in a proposal.

[raulk]

Sorry, I was mistaken. This is code is correct. The current gas market conditions are determined by our own state transitions. So here we validate message's gas fee cap is above or equal to the current gas market base fee, as determined by our own state. The EIP1559 gas market actor floors the base fee to the minimal base fee here:

ipc/fendermint/actors/gas_market/eip1559/src/lib.rs

Line 150 in 7e4b87c

self.constants.minimal_base_fee.clone()

[LePremierHomme]

What about doing that in tx selection for block inclusion (as a leader)? When checking for mempool inclusion only the min fee is verified.

[raulk]

@cryptoAtwill do we not already exclude transactions whose gas fee cap is below the network's base fee at block production time? I was strangely not able to find that logic here: https://github.com/consensus-shipyard/ipc/blob/702d49b619623915772fe935a86e59a89744c3b1/fendermint/vm/interpreter/src/selector.rs

(Do we need a second selector?)

[cryptoAtwill]

@raulk I dont remember discussing that in prepare. I think we were mostly discussing the cometbft side of things.

[raulk]

What do you mean with "the CometBFT side of things"? We agreed that we'd assign negative priorities to non-includable transactions in CheckTX, to instruct CometBFT to prefer sending us includable transactions, but we'd still have to filter out non-includable transactions in prepare.

[raulk]

I'll fix it in this PR.

[cryptoAtwill]

if we need to enforce below base fee exclusion, we probably should add the other selector to enforce in fendermint just to be sure. Cometbft should have done one round of selection based on priority.

[cryptoAtwill]

A quick question, why using min_base_fee here? Currently min_base_fee is not updated so I assume it's updated in a system upgrade? Is it a fixed value that can be smaller than base_fee?

[raulk]

This is to reject transactions whose base fee cap is below the minimum acceptable base fee. Otherwise those transactions would sit forever in the mempool because the base fee would never go low enough to include them.

[cryptoAtwill]

I misunderstood, should have no issue here.