fix(malachite): tighten proposal validation bounds

[ukint-vs]

Addresses the bounded-memory proposal-validation portion of #5473.

Summary

• Adds bounded Malachite proposal-part stream reassembly with per-stream, per-peer, and global caps.
• Evicts stale proposal streams instead of rejecting all new streams once caps are reached.
• Rejects proposal parts too far ahead of the current height before persisting pending proposal data.
• Tightens injected-transaction validation and refreshes the DB type metadata hash for the bounded payload changes.

Validator identity and peer-admission config was split to #5536.

Tests

• rtk cargo nextest run -p ethexe-common db::tests::ensure_types_unchanged
• rtk cargo nextest run -p ethexe-malachite-core
• rtk cargo nextest run -p ethexe-malachite
• rtk cargo clippy -p ethexe-malachite -p ethexe-malachite-core --all-targets -- -D warnings
• rtk git diff --check origin/master...HEAD

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request strengthens the security and stability of the Malachite validation path by enforcing resource constraints on injected transactions and proposal stream reassembly. Additionally, it updates the ethexe contracts to maintain compatibility with recent changes in vendored dependencies and helper APIs.

Highlights

• Injected Transaction Validation: Added strict validation for injected transactions, including a cumulative encoded size cap per block and a check for duplicate transaction hashes.
• Proposal Stream Management: Implemented per-peer and global caps on in-flight proposal streams and ensured immediate cleanup of completed streams to prevent unbounded state growth.
• Contract Helper Migration: Updated Mirror and Router contracts to utilize the latest Foundry and frost helper APIs, alongside submodule pointer updates.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces several security and correctness improvements to the ethexe module. In ethexe/malachite/core/src/streaming.rs, it resolves a potential denial-of-service vulnerability (unbounded memory growth) by introducing per-peer and total stream limits (MAX_STREAMS_PER_PEER, MAX_STREAMS_TOTAL) and automatically evicting malformed far-future streams. In ethexe/malachite/service/src/externalities.rs, it adds participant-side validation to reject blocks that exceed cumulative injected transaction size limits or contain duplicate injected transactions. Additionally, minor updates were made to the Solidity contracts to use Memory.writeWord and Hashes.efficientKeccak256 directly, and subproject commits for forge-std and frost-secp256k1-evm were updated. No review comments were provided, so there is no feedback to filter.

[ukint-vs]

/gemini review

[gemini-code-assist]

Code Review

This pull request enhances the security and robustness of the Malachite consensus engine in ethexe by introducing validator identities that bind Ethereum addresses to both secp256k1 public keys and libp2p peer IDs, allowing the engine to drop proposal parts from non-validator peers before buffering. Additionally, it implements strict resource limits on proposal streams (caps on stream messages, per-peer streams, and total streams with LRU eviction) to prevent denial-of-service attacks, and adds validation checks to reject blocks exceeding injected transaction size caps or containing duplicate transactions. There are no review comments, and I have no feedback to provide.