chore: bump libp2p version #280

Merged
pablodeymo merged 3 commits into devnet4 from bump-libp2p-version
Apr 14, 2026

Collaborator

@MegaRedHand MegaRedHand commented Apr 14, 2026

This PR bumps the libp2p version to 2f14d0ec9665a01cfb6a02326c90628c4bba521c (the commit is in our fork).

Changelog

Here's the summary of meaningful changes from upstream master:

Gossipsub Changes (likely fixed our issue)

5d47d9d - Port of 55e4a64 (biggest change)

Multiple gossipsub fixes to Instant arithmetic and backoff handling:

  • GRAFT flood penalty fix: Replaced unsafe Instant subtraction (which can panic/overflow) with checked_sub + saturating_duration_since. The old code computed (backoff_time + graft_flood_threshold) - prune_backoff which could panic if the arithmetic overflowed. This is likely the fix that resolved cross-client mesh issues: if a peer's GRAFT was incorrectly penalized due to arithmetic overflow, it would never join the mesh.
  • IWANT followup time: Added checked_add to prevent Instant overflow
  • Fanout TTL check: Replaced Instant addition with saturating_duration_since
  • IDONTWANT timeout: Same pattern, safer arithmetic
  • Max PRUNE backoff cap: Added MAX_REMOTE_PRUNE_BACKOFF_SECONDS = 3600 to prevent a remote peer from requesting an absurdly long backoff

a7d59cb - CVE fix (GHSA-gc42-3jg7-rxr2)

Security fix: Ignore oversized PRUNE backoff values. A malicious peer could send a PRUNE with a backoff duration so large that Instant::now() + time would overflow, causing a panic. Now uses checked_add and ignores invalid values.

7637c23 - Optimize IDONTWANT send

Only send IDONTWANT for first-seen large messages, deduplicating redundant messages.

aa7a9ec - Partial messages extension

New gossipsub feature for partial message delivery (spec: libp2p/specs#704).

055186d - Fix duplicate metrics

Bug fix for double-counted metrics.

Other Changes

  • 8541b83 - Remove async_trait from request_response (this caused our codec.rs compile fix)
  • b6b79b2 - MSRV bump to 1.88.0, Rust edition 2024
  • aad1f8e - Remove unused rpc.rs
  • 7cbf7c1 - TLS key logging via SSLKEYLOGFILE
  • 3f88b30 - Rendezvous protocol port
  • ~35 dependency bumps

Root Cause Analysis

The GRAFT flood penalty fix in 5d47d9d is almost certainly what fixed our cross-client block propagation. The old code had unsafe Instant arithmetic that could overflow when zeam peers (with slightly different timing) sent GRAFT requests. The overflow would cause the penalty check to always trigger, causing ethlambda to PRUNE zeam peers from the block topic mesh. Attestations worked because they used fanout (bypasses mesh/GRAFT entirely).
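The `Instant` arithmetic failure and the hardened pattern described in the changelog above, as an added Rust example that is not code from rust-libp2p or ethlambda. `remote_prune_backoff` and `graft_is_flood` are hypothetical helpers, and ignoring a value above the cap or an unrepresentable PRUNE time is an assumed policy.

```rust
use std::panic;
use std::time::{Duration, Instant};

// Cap named in the changelog; ignoring larger values is an assumption of this example.
const MAX_REMOTE_PRUNE_BACKOFF_SECONDS: u64 = 3600;

/// Pre-fix pattern: `Instant + Duration` panics when the sum is not representable.
fn unchecked_add_panics(now: Instant, secs: u64) -> bool {
    panic::catch_unwind(move || now + Duration::from_secs(secs)).is_err()
}

/// Hardened handling of a remote PRUNE backoff (hypothetical helper).
/// Returns the instant until which the peer is backed off, or None to ignore the value.
fn remote_prune_backoff(now: Instant, secs: u64) -> Option<Instant> {
    if secs > MAX_REMOTE_PRUNE_BACKOFF_SECONDS {
        return None; // absurdly long backoff requested by the remote peer
    }
    now.checked_add(Duration::from_secs(secs)) // None instead of a panic
}

/// GRAFT flood check without panicking arithmetic (hypothetical helper).
/// `backoff_expiry` is when the backoff set by our PRUNE ends, so the PRUNE was
/// sent `prune_backoff` earlier; a GRAFT within `flood_threshold` of it is a flood.
fn graft_is_flood(
    now: Instant,
    backoff_expiry: Instant,
    prune_backoff: Duration,
    flood_threshold: Duration,
) -> bool {
    match backoff_expiry.checked_sub(prune_backoff) {
        Some(pruned_at) => now.saturating_duration_since(pruned_at) < flood_threshold,
        None => false, // PRUNE time not representable: do not penalise (assumed policy)
    }
}

fn main() {
    let now = Instant::now();
    println!("unchecked add panics: {}", unchecked_add_panics(now, u64::MAX));
    println!("60 s accepted: {}", remote_prune_backoff(now, 60).is_some());
    println!("u64::MAX ignored: {}", remote_prune_backoff(now, u64::MAX).is_none());
    let expiry = now + Duration::from_secs(60);
    let graft_at = now + Duration::from_secs(5);
    let flood = graft_is_flood(graft_at, expiry, Duration::from_secs(60), Duration::from_secs(10));
    println!("GRAFT 5 s after PRUNE is a flood: {}", flood);
}
```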

@github-actions

🤖 Kimi Code Review

Review for PR #280: libp2p 0.57 upgrade

This PR upgrades the libp2p networking stack from a pre-0.57 revision to 0.57.0 (commit 2f14d0e). The changes appear correct and follow the upstream migration patterns.

Critical Observations

1. Native async traits migration (Line 20, crates/net/p2p/src/req_resp/codec.rs)

  • The removal of #[async_trait::async_trait] is correct. libp2p 0.57 migrated to native async traits (RPITIT) in libp2p-request-response, eliminating the async-trait dependency.
  • Action required: Verify that no other trait implementations in the codebase (e.g., NetworkBehaviour, ConnectionHandler) still use #[async_trait] against libp2p traits. The compiler will catch mismatches, but a global search for async_trait combined with libp2p types is recommended.

2. Timer runtime change in futures-bounded (Cargo.lock)

  • futures-bounded 0.3.0 switched from futures-timer to tokio (lines 2662-2668 in lockfile). This is a transitive dependency via libp2p.
  • Risk: Low, assuming the project uses Tokio as the async runtime (standard for libp2p). If using async-std or another runtime, timeouts may misbehave.

3. SSZ/Consensus safety

  • No changes to consensus logic, state transitions, fork choice, or XMSS signature verification. The PR is isolated to the networking layer.

Security & Correctness

  • Dependency integrity: The lockfile updates 25+ libp2p-related crates. Ensure the git revision 2f14d0ec9665a01cfb6a02326c90628c4bba521c is tagged or originates from a trusted branch in your fork.
  • Protocol compatibility: libp2p 0.57 includes breaking changes in request-response. Confirm that the Codec implementation methods (read_request, write_request, etc.) match the new trait signatures. The diff shows no method signature changes, implying the original code used async fn syntax which is compatible with both async-trait and native async.

Minor Points

  • Hashlink 0.11: The update from 0.10.0 to 0.11.0 (hashbrown 0.15.5 → 0.16.1) is straightforward with no API changes affecting this codebase.

Verdict

Approve with the caveat that you verify no other files require removal of #[async_trait] macros for libp2p trait implementations. The upgrade follows upstream conventions correctly.


Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt

@github-actions

🤖 Claude Code Review

Review: chore: bump libp2p version (PR 280)

This is a straightforward dependency bump from libp2p 0.56.1 → 0.57.0 (LambdaClass fork commit cd6cc3b → 2f14d0e). The scope is appropriate and focused.


Changes summary

  • Cargo.lock: All libp2p sub-crates bump by one minor version each, consistently pointing to the new fork commit.
  • crates/net/p2p/Cargo.toml: Rev updated to match.
  • crates/net/p2p/src/req_resp/codec.rs: #[async_trait::async_trait] attribute removed from the Codec impl.

Findings

Unused dependency left behind (crates/net/p2p/Cargo.toml:20)

```toml
async-trait = "0.1"   # still declared, no longer used
```

The #[async_trait::async_trait] attribute on the Codec impl was the only usage of this crate in the P2P crate. It was correctly removed from codec.rs, but async-trait = "0.1" was not removed from Cargo.toml. This will produce an unused dependency warning under cargo +nightly -Z unused-extern-crates and adds unnecessary compile-time weight. It should be dropped.


Correctness of the async_trait removal

The change is correct. libp2p 0.57.0 updated request_response::Codec to use native async functions in traits (AFIT, stable since Rust 1.75). The lock file confirms async-trait was also dropped from libp2p-request-response's own dependency list. The impl as written compiles cleanly against the new trait signature.

Side benefit: native AFIT avoids the Box<dyn Future> heap allocation that async_trait introduced on each codec method call — a small but real improvement for the req-resp hot path.


Notable transitive dependency changes

  • futures-bounded 0.2.4 → 0.3.0 swaps futures-timer for tokio as its timer backend. No impact since ethlambda already runs on tokio.
  • hashbrown 0.15.5 → 0.16.1 (pulled in via hashlink 0.11.0). No API surface exposed to this codebase.
  • Several libp2p sub-crates (autonat, dns, rendezvous, request-response) drop their own async-trait dependency. Expected migration alongside the AFIT changes.

Verdict

The bump is clean and the only code change (async_trait removal) is necessary and correct. One fix needed before merge: remove async-trait = "0.1" from crates/net/p2p/Cargo.toml.


Automated review by Claude (Anthropic) · sonnet · custom prompt

@github-actions

🤖 Codex Code Review

Findings

  • Low: async-trait is now dead weight in crates/net/p2p/Cargo.toml:20. The only touched implementation, crates/net/p2p/src/req_resp/codec.rs:20, has already moved to native async fn in the trait impl, and rg shows no remaining uses in the crate. Removing the dependency trims one proc-macro from the build and avoids carrying an unnecessary dependency in networking code.

No correctness, security, or consensus-layer regressions stood out from the diff itself. The change is effectively a libp2p revision bump plus the codec syntax update; fork choice, attestation processing, justification/finalization, STF, XMSS, and SSZ logic are untouched here.

I could not run a full cargo check or tests in this sandbox because the workspace depends on external git/crates sources that are not available offline, so there is still an integration-risk gap around the libp2p upgrade.


Automated review by OpenAI Codex · gpt-5.4 · custom prompt

@greptile-apps
Contributor

greptile-apps bot commented Apr 14, 2026

Greptile Summary

Bumps the ethlambda-p2p crate's pinned libp2p fork rev from cd6cc3b to 2f14d0e, updating Cargo.lock accordingly and adapting codec.rs to the new request_response::Codec trait signature (native async-in-traits, no #[async_trait] attribute required). The functional behaviour of the request/response codec is unchanged.

Confidence Score: 5/5

  • Safe to merge; the only finding is a leftover unused async-trait dependency that can be cleaned up separately.
  • All changes are mechanical: a rev bump in Cargo.toml, a refreshed Cargo.lock, and a codec adaptation to the new native-async trait API. The single P2 finding (unused async-trait) does not affect correctness or reliability.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| crates/net/p2p/Cargo.toml | libp2p rev bumped from cd6cc3b to 2f14d0e; async-trait dependency is now unused and can be removed |
| crates/net/p2p/src/req_resp/codec.rs | Codec trait impl updated to use native async-in-traits (no #[async_trait]); logic is correct for the single-root BlocksByRoot pattern used in practice |
| Cargo.lock | Lock file updated to reflect the new libp2p rev; all fork sources point consistently to the new commit hash |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Requester as P2P Node (requester)
    participant Codec
    participant Responder as P2P Node (responder)

    Requester->>Codec: write_request BlocksByRoot single root
    Codec->>Responder: SSZ snappy-framed payload over QUIC substream

    Responder->>Codec: write_response BlocksByRoot blocks
    Note over Responder,Codec: Per block SUCCESS byte + varint + snappy frame

    Codec->>Requester: read_response decode_blocks_by_root_response
    Note over Codec,Requester: Reads response code byte then decode_payload
```

Comments Outside Diff (1)

  1. crates/net/p2p/Cargo.toml, line 20

    P2 Unused async-trait dependency

    async-trait is listed as a direct dependency but is not referenced anywhere in the crate's source. Now that the new libp2p commit uses Rust's native async-in-traits for the request_response::Codec implementation (no #[async_trait] attribute needed), this crate has no remaining callers of the macro. It can be removed.


Reviews (1): Last reviewed commit: "chore: bump libp2p version"
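One way to check the reviewers' point that every fork source in Cargo.lock resolves to the new commit, as an added Rust example that is not part of the PR or the project. The lockfile excerpt, the `git.example.invalid` URL, the `0.0.0` versions and the all-zero stale hash are constructed; only the expected revision comes from the page.

```rust
/// Revision quoted in the PR description.
const EXPECTED_REV: &str = "2f14d0ec9665a01cfb6a02326c90628c4bba521c";

/// Constructed Cargo.lock excerpt; URL, versions and the all-zero hash are placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "libp2p"
version = "0.0.0"
source = "git+https://git.example.invalid/fork/rust-libp2p?rev=2f14d0ec9665a01cfb6a02326c90628c4bba521c#2f14d0ec9665a01cfb6a02326c90628c4bba521c"

[[package]]
name = "libp2p-gossipsub"
version = "0.0.0"
source = "git+https://git.example.invalid/fork/rust-libp2p?rev=0000000000000000000000000000000000000000#0000000000000000000000000000000000000000"

[[package]]
name = "tokio"
version = "0.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Returns (package, resolved commit) for every git-sourced package whose source
/// URL contains `repo_marker` but whose resolved commit is not `expected_rev`.
fn stale_git_pins(lock: &str, repo_marker: &str, expected_rev: &str) -> Vec<(String, String)> {
    let mut stale = Vec::new();
    let mut name = String::new();
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("source = ") {
            let src = v.trim_matches('"');
            if !src.starts_with("git+") || !src.contains(repo_marker) {
                continue; // registry crates and unrelated git sources are out of scope
            }
            // Cargo records the resolved commit after '#'; a missing one counts as stale.
            let commit = src.rsplit_once('#').map(|(_, c)| c).unwrap_or("");
            if commit != expected_rev {
                stale.push((name.clone(), commit.to_string()));
            }
        }
    }
    stale
}

fn main() {
    for (pkg, commit) in stale_git_pins(SAMPLE_LOCK, "rust-libp2p", EXPECTED_REV) {
        println!("{pkg} is pinned to {commit}, expected {EXPECTED_REV}");
    }
}
```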

Base automatically changed from compat/annotated-validators-quickstart-format to poseidon1-migration April 14, 2026 20:07
Base automatically changed from poseidon1-migration to devnet4-phase4-network April 14, 2026 20:07
Base automatically changed from devnet4-phase4-network to devnet4 April 14, 2026 20:08
@MegaRedHand MegaRedHand force-pushed the bump-libp2p-version branch from bab5bee to e4f47c7 Compare April 14, 2026 20:29
@pablodeymo pablodeymo merged commit e8cc4e4 into devnet4 Apr 14, 2026
2 of 3 checks passed
@pablodeymo pablodeymo deleted the bump-libp2p-version branch April 14, 2026 22:44