Context
Summit's execution layer sends consensus-affecting requests such as deposits, withdrawals, and exits into finalizer state. Requests that must be deferred across a boundary are stored in pending_execution_requests and replayed later so future validator balances and statuses reflect earlier execution activity.
The SSZ state tree supplies the advertised state root used in finalized aux data and proof flows. For that root to bind consensus state, it must cover deferred execution work as well as immediately applied account and committee fields.
Claim
The SSZ state root omits pending_execution_requests even though deferred deposits, withdrawals, and exits are serialized consensus state that affect future transitions.
An honest block transition buffers deferred execution work in pending_execution_requests; the serialized state then differs in deferred deposits, withdrawals, or exits while SszStateTree omits that field, so the advertised SSZ state root and proofs remain unchanged.
Flow
The live start condition is narrower than any execution-request processing: parse_execution_requests first drains existing pending requests with take_pending_execution_requests, then later code can buffer a request such as a last-block active-validator withdrawal with push_pending_execution_request before capture_state_root. The prerequisite is a captured or rebuilt state that contains deferred request bytes; ordinary request replay that leaves the pending vector empty does not demonstrate this issue.
Impact
The parent_beacon_block_root and generated SSZ proofs do not commit to all consensus-relevant state. Checkpoint/restart/proof consumers can agree on a state root while disagreeing about deferred execution requests that schedule future deposits, withdrawals, or exits. That breaks the root-binds-state property expected from finalized roots and checkpoint proofs.
Root Cause
pending_execution_requests were added to serialized consensus state and transition logic but not added as a leaf/input to SszStateTree root construction.
Code
Related Issues/PRs
Related issues cover adjacent deferred execution request, epoch-boundary, and SSZ root omissions that can leave future state unbound.
Fix
- Add
pending_execution_requests to the SSZ state tree with a stable merkleization format.
- Rebuild roots from every consensus field that can affect future state transitions.
- Add a test that changes only
pending_execution_requests and asserts the state root changes.
- Version checkpoint/state-root format if existing roots cannot be made backward compatible.
Context
Summit's execution layer sends consensus-affecting requests such as deposits, withdrawals, and exits into finalizer state. Requests that must be deferred across a boundary are stored in
pending_execution_requestsand replayed later so future validator balances and statuses reflect earlier execution activity.The SSZ state tree supplies the advertised state root used in finalized aux data and proof flows. For that root to bind consensus state, it must cover deferred execution work as well as immediately applied account and committee fields.
Claim
The SSZ state root omits
pending_execution_requestseven though deferred deposits, withdrawals, and exits are serialized consensus state that affect future transitions.An honest block transition buffers deferred execution work in
pending_execution_requests; the serialized state then differs in deferred deposits, withdrawals, or exits whileSszStateTreeomits that field, so the advertised SSZ state root and proofs remain unchanged.Flow
The live start condition is narrower than any execution-request processing:
parse_execution_requestsfirst drains existing pending requests withtake_pending_execution_requests, then later code can buffer a request such as a last-block active-validator withdrawal withpush_pending_execution_requestbeforecapture_state_root. The prerequisite is a captured or rebuilt state that contains deferred request bytes; ordinary request replay that leaves the pending vector empty does not demonstrate this issue.Impact
The
parent_beacon_block_rootand generated SSZ proofs do not commit to all consensus-relevant state. Checkpoint/restart/proof consumers can agree on a state root while disagreeing about deferred execution requests that schedule future deposits, withdrawals, or exits. That breaks the root-binds-state property expected from finalized roots and checkpoint proofs.Root Cause
pending_execution_requestswere added to serialized consensus state and transition logic but not added as a leaf/input toSszStateTreeroot construction.Code
ConsensusStatestorespending_execution_requests: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/consensus_state.rs#L33.SszStateTreedefines a fixed top-level tree with no leaf forpending_execution_requests: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/ssz_state_tree.rs#L30, https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/ssz_state_tree.rs#L55.ConsensusState::rebuild_ssz_treelikewise passes no pending execution requests: https://github.com/SeismicSystems/summit/blob/ed2c5c8/types/src/consensus_state.rs#L753.Related Issues/PRs
Related issues cover adjacent deferred execution request, epoch-boundary, and SSZ root omissions that can leave future state unbound.
Fix
pending_execution_requeststo the SSZ state tree with a stable merkleization format.pending_execution_requestsand asserts the state root changes.