Injectable Skill: State Sync and Pruning

L1 trigger: L1_PATTERN=true AND (sync/ OR snap_sync OR fast_sync OR statesync OR pruning OR snapshot/ detected in recon subsystem map) Inject Into: depth-state-trace or depth-edge-case Language: Go and Rust Finding prefix: [SS-N] Status: v0.1 draft, Round 4 exemplars pending

Orchestrator Decomposition Guide

Sections 1, 2: depth-state-trace (sync protocol state)
Sections 3, 4: depth-edge-case (pruning races, growth)
Section 5: depth-external (checkpoint trust)

When This Skill Activates

Recon identifies state sync or pruning code. State sync is the mechanism by which a new node catches up without replaying the entire history; pruning is how an existing node garbage-collects old state. Both are subtle: a bug in either can corrupt the node's state silently, leading to later divergence.

1. Sync Mode Fingerprinting

Identify the sync mode(s) supported:

| Mode | Description | Trust model | |---|---|---| | Full sync | Replay every block from genesis | Trustless (modulo consensus rules) | | Fast sync | Download headers + recent state trie | Trusts weak subjectivity checkpoint | | Snap sync (Ethereum) | Download flat account snapshots in ranges | Healing phase verifies root | | Warp sync (Parity) | Download a snapshot of state at a past block | Trusts snapshot root | | State sync (Cosmos) | Download state at a trusted height from peers | Trusts a configured height/hash | | Checkpoint sync (Beacon) | Trusts a recent finalized checkpoint root | Weak subjectivity | | Portal Network | Content-addressed historical storage | Trustless per item |

Write the mode(s) into the finding header.

2. Root / Checkpoint Trust

Every non-full sync mode depends on a root or checkpoint. Verify the trust chain:

Where does the checkpoint come from? Hardcoded? CLI flag? RPC? Config file?
What signs it? Nothing (pure trust)? A hardcoded key? The current validator set?
Validity period: is the checkpoint rejected if older than X? Stale checkpoints permit long-range attacks.
Rollback: if a checkpoint turns out to be invalid mid-sync, does the node recover cleanly?

Tag: [SYNC-TRUST:{source}:{validation}]

Historical exemplar class: unsigned-checkpoint sync in early Cosmos clients; trust-anchor bypass in early beacon chain clients.

3. Snapshot Integrity

For any sync mode that downloads bulk state (snap, warp, state sync):

3a. Chunk verification

State is downloaded in chunks. Is each chunk verified against the root as it arrives?
Or is all data downloaded first, then verified at the end (bad — wasted bandwidth on poisoned chunks)?
What happens if a peer serves a chunk that hashes correctly but whose content violates invariants (e.g., negative balance)?

3b. Duplicate account / missing account

Can the same account appear in two chunks? How is the conflict resolved?
Can an account be missing from all chunks? Is there a completeness check?

3c. Healing phase

After bulk download, the "healing" phase typically walks the trie and fetches missing nodes. Verify:
- Is the healing phase bounded in time/attempts?
- Can a malicious peer serve nodes that hash correctly but belong to a different subtrie?

3d. Parallel peer downloads

If multiple peers serve chunks in parallel, how are conflicts resolved?
Can a slow peer hold up the whole sync?

Tag: [SNAPSHOT:{integrity-class}]

4. Pruning Safety

Pruning removes old state to save disk. Bugs here corrupt the active state.

4a. Reference counting

Most pruning uses reference counts on trie nodes. Is the ref count atomic with state writes?
On reorg, are ref counts correctly adjusted? Frequent bug source.

4b. In-flight reads

Can a pruning operation race with an active read? (e.g., RPC eth_getProof reading historical state while pruner deletes it)
Is there a read lock, a MVCC snapshot, or a pruning-delay grace period?

4c. Pruning boundaries

Which blocks are pruned? How deep is the retained window?
Is the window configurable? What's the minimum safe window vs fork-choice requirements?
Beacon chain: pruning cannot go past the latest finalized checkpoint. Is this enforced?

4d. Archive vs pruned mode

If the node supports archive mode, is the code path strictly disabled when pruning is enabled? Mixed-mode bugs exist.

4e. Persistence atomicity across logical units

A persistence unit is any tuple of writes that must commit or abort together for higher-level state to stay consistent (block body + receipts + state root; header + total-difficulty + canonical-hash mapping; snapshot chunk + chunk manifest). A node crash BETWEEN the writes of a logical unit leaves partially-applied state that the restart path may silently accept.

Methodology — enumerate as a table, one row per logical unit:

For each row:

Read the write sequence from the code. Do all writes happen under the SAME DB transaction / batch that commits atomically, or are they split across multiple commits?
If split, what happens if the process dies between commits? Does the next start detect and roll back, complete the remaining writes, or silently accept the partial state?
OS-level torn writes: for any write that bypasses the DB's own atomicity (direct write + fsync to a file), verify that either the write is ≤ 4 KiB (page-atomic on most filesystems) or the file uses a write-then-rename pattern with fsync on the parent directory.
Windows-specific: rename is NOT atomic over an existing file on pre-Windows-10 / some network filesystems; MoveFileEx with MOVEFILE_REPLACE_EXISTING is required. Flag any code that assumes POSIX rename semantics cross-platform.
CUDA / async-DMA writes: a pinned-buffer write the kernel has acknowledged may not be durable until the next host fsync.

Tag: [PERSIST-ATOMIC:{unit}:{torn-scenario}]. Severity High by default (silent state corruption on restart is a safety violation); Critical when the partial state is accepted as canonical without any reconciliation.

Tag: [PRUNE:{race-or-boundary}]

5. State Growth Attacks

Attacker crafts transactions that bloat state at low cost, outpacing pruning.

5a. Storage cost mismatch

Is every state-writing opcode priced to cover the amortized storage cost?
Ethereum SSTORE_REFUND has been tuned multiple times — check if the current pricing is sufficient.

5b. Account creation bomb

How cheap is it to create an empty account? Ethereum's Shanghai fork patched a variant of this.
Is there a spam check on account creation?

5c. Unbounded storage arrays

Smart contract arrays (unbounded SSTORE of a key) — not a client bug but a client should bound per-tx state growth

Tag: [STATE-GROW:{mechanism}:{cost}]

6. Boundary conditions

| State | Test | Expected | Observed | |---|---|---|---| | Genesis-only sync | no blocks to sync | idempotent | | | Sync from stale checkpoint | checkpoint from N finality periods ago | rejected | | | Peer serves wrong root | chunks that verify against a different root | detected + peer banned | | | Reorg mid-sync | fork-choice changes head during sync | handled cleanly | | | Prune to latest | pruning window = 0 | refuses if below consensus safety | | | Prune across finality | prune past finalized | refused | | | Disk full during sync | out-of-space | graceful error | |

7. Output schema

Layer: storage (sync) or state
Bug class: checkpoint-trust / snapshot-integrity / pruning-race / state-growth
Preferred evidence tags: [CONFORMANCE-PASS] (sync correctness test) > [FUZZ-PASS] > [LSP-TRACE]
Severity baseline: High for silent state corruption; Medium for resource exhaustion; Critical if a poisoned snapshot can be finalized

8. Known bug exemplars (v0.2 — Round 4 verified)

Geth snap-sync state corruption after abnormal termination (Issue #30229, 2024) — in one sync cycle, the storage trie for an account was fully synced and persisted but the account trie was not yet flushed. On restart, restart logic missed topmost trie nodes in 1-2 paths, producing inconsistent state that didn't match the synced state root. The node silently went off-consensus. go-ethereum #30229. Skill catch point: Section 4b — crash-recovery atomicity. For every 2PC-like flush sequence, test with kill -9 at each flush boundary.
Snapping Snap Sync — adversarial sync source attacks (USENIX Security '23, Taverna-Paterson) — snap sync protocol trusts peer-provided state without sufficient on-chain verification. Attacker controlling a sync peer can plant invalid state that survives restart, permanently deviating the victim from consensus. Practical Attacks on Go Ethereum Synchronising Nodes. Skill catch point: Section 3a — every received trie node must be verified against the proof root before writing to disk. No provisional writes. No "trust peer now, verify later."
Geth debug_traceTransaction historical DoS — unbounded custom JS tracer, later restricted. Demonstrates the state-growth / resource-exhaustion pattern in sync-adjacent code.
Ethereum Shanghai EIP-3529 (SSTORE refund reform, 2021) — response to state-growth exploits where attackers abused the gas-refund mechanism to inflate state at negative cost. EIP-3529. Skill catch point: Section 5a — storage cost must cover amortized sync cost, not just write cost.

Critical methodology addition from Round 4 (crash-recovery atomicity)

Insert as new Section 4e (MANDATORY test): Geth issue #30229 shows crash-recovery atomicity is a hot bug class. Test methodology:

Identify every 2-phase flush sequence (storage → account → root; proof → data → index; etc.)
For each, inject kill -9 at the boundary between phases
Verify the restart logic either (a) rolls back to a consistent state, or (b) completes the interrupted sequence
Never accept "it works on graceful shutdown" — graceful shutdown is not the interesting case

Tag: [SYNC-ATOMIC:{flush-seq}:{kill-point}]

9. Fallback if primitives unavailable

Find the sync package / module
Read the entry function (usually start_sync / sync_loop)
Map sync phases and trust boundaries
Find the pruner function and read it top-to-bottom

Cross-references

Related: consensus-safety-invariants (fork-choice pruning interaction), execution-client-hardening (storage pricing)
Consumed by: depth-state-trace, depth-edge-case
Severity: docs/l1-mode/severity-matrix.md

Injectable Skill: State Sync and Pruning

L1 trigger: L1_PATTERN=true AND (sync/ OR snap_sync OR fast_sync OR statesync OR pruning OR snapshot/ detected in recon subsystem map) Inject Into: depth-state-trace or depth-edge-case Language: Go and Rust Finding prefix: [SS-N] Status: v0.1 draft, Round 4 exemplars pending

Orchestrator Decomposition Guide

Sections 1, 2: depth-state-trace (sync protocol state)
Sections 3, 4: depth-edge-case (pruning races, growth)
Section 5: depth-external (checkpoint trust)

When This Skill Activates

1. Sync Mode Fingerprinting

Identify the sync mode(s) supported:

Write the mode(s) into the finding header.

2. Root / Checkpoint Trust

Every non-full sync mode depends on a root or checkpoint. Verify the trust chain:

Where does the checkpoint come from? Hardcoded? CLI flag? RPC? Config file?
What signs it? Nothing (pure trust)? A hardcoded key? The current validator set?
Validity period: is the checkpoint rejected if older than X? Stale checkpoints permit long-range attacks.
Rollback: if a checkpoint turns out to be invalid mid-sync, does the node recover cleanly?

Tag: [SYNC-TRUST:{source}:{validation}]

Historical exemplar class: unsigned-checkpoint sync in early Cosmos clients; trust-anchor bypass in early beacon chain clients.

3. Snapshot Integrity

For any sync mode that downloads bulk state (snap, warp, state sync):

3a. Chunk verification

State is downloaded in chunks. Is each chunk verified against the root as it arrives?
Or is all data downloaded first, then verified at the end (bad — wasted bandwidth on poisoned chunks)?
What happens if a peer serves a chunk that hashes correctly but whose content violates invariants (e.g., negative balance)?

3b. Duplicate account / missing account

Can the same account appear in two chunks? How is the conflict resolved?
Can an account be missing from all chunks? Is there a completeness check?

3c. Healing phase

After bulk download, the "healing" phase typically walks the trie and fetches missing nodes. Verify:
- Is the healing phase bounded in time/attempts?
- Can a malicious peer serve nodes that hash correctly but belong to a different subtrie?

3d. Parallel peer downloads

If multiple peers serve chunks in parallel, how are conflicts resolved?
Can a slow peer hold up the whole sync?

Tag: [SNAPSHOT:{integrity-class}]

4. Pruning Safety

Pruning removes old state to save disk. Bugs here corrupt the active state.

4a. Reference counting

Most pruning uses reference counts on trie nodes. Is the ref count atomic with state writes?
On reorg, are ref counts correctly adjusted? Frequent bug source.

4b. In-flight reads

Can a pruning operation race with an active read? (e.g., RPC eth_getProof reading historical state while pruner deletes it)
Is there a read lock, a MVCC snapshot, or a pruning-delay grace period?

4c. Pruning boundaries

Which blocks are pruned? How deep is the retained window?
Is the window configurable? What's the minimum safe window vs fork-choice requirements?
Beacon chain: pruning cannot go past the latest finalized checkpoint. Is this enforced?

4d. Archive vs pruned mode

If the node supports archive mode, is the code path strictly disabled when pruning is enabled? Mixed-mode bugs exist.

4e. Persistence atomicity across logical units

Methodology — enumerate as a table, one row per logical unit:

For each row:

Read the write sequence from the code. Do all writes happen under the SAME DB transaction / batch that commits atomically, or are they split across multiple commits?
If split, what happens if the process dies between commits? Does the next start detect and roll back, complete the remaining writes, or silently accept the partial state?
OS-level torn writes: for any write that bypasses the DB's own atomicity (direct write + fsync to a file), verify that either the write is ≤ 4 KiB (page-atomic on most filesystems) or the file uses a write-then-rename pattern with fsync on the parent directory.
Windows-specific: rename is NOT atomic over an existing file on pre-Windows-10 / some network filesystems; MoveFileEx with MOVEFILE_REPLACE_EXISTING is required. Flag any code that assumes POSIX rename semantics cross-platform.
CUDA / async-DMA writes: a pinned-buffer write the kernel has acknowledged may not be durable until the next host fsync.

Tag: [PRUNE:{race-or-boundary}]

5. State Growth Attacks

Attacker crafts transactions that bloat state at low cost, outpacing pruning.

5a. Storage cost mismatch

Is every state-writing opcode priced to cover the amortized storage cost?
Ethereum SSTORE_REFUND has been tuned multiple times — check if the current pricing is sufficient.

5b. Account creation bomb

How cheap is it to create an empty account? Ethereum's Shanghai fork patched a variant of this.
Is there a spam check on account creation?

5c. Unbounded storage arrays

Smart contract arrays (unbounded SSTORE of a key) — not a client bug but a client should bound per-tx state growth

Tag: [STATE-GROW:{mechanism}:{cost}]

6. Boundary conditions

7. Output schema

Layer: storage (sync) or state
Bug class: checkpoint-trust / snapshot-integrity / pruning-race / state-growth
Preferred evidence tags: [CONFORMANCE-PASS] (sync correctness test) > [FUZZ-PASS] > [LSP-TRACE]
Severity baseline: High for silent state corruption; Medium for resource exhaustion; Critical if a poisoned snapshot can be finalized

8. Known bug exemplars (v0.2 — Round 4 verified)

Geth snap-sync state corruption after abnormal termination (Issue #30229, 2024) — in one sync cycle, the storage trie for an account was fully synced and persisted but the account trie was not yet flushed. On restart, restart logic missed topmost trie nodes in 1-2 paths, producing inconsistent state that didn't match the synced state root. The node silently went off-consensus. go-ethereum #30229. Skill catch point: Section 4b — crash-recovery atomicity. For every 2PC-like flush sequence, test with kill -9 at each flush boundary.
Snapping Snap Sync — adversarial sync source attacks (USENIX Security '23, Taverna-Paterson) — snap sync protocol trusts peer-provided state without sufficient on-chain verification. Attacker controlling a sync peer can plant invalid state that survives restart, permanently deviating the victim from consensus. Practical Attacks on Go Ethereum Synchronising Nodes. Skill catch point: Section 3a — every received trie node must be verified against the proof root before writing to disk. No provisional writes. No "trust peer now, verify later."
Geth debug_traceTransaction historical DoS — unbounded custom JS tracer, later restricted. Demonstrates the state-growth / resource-exhaustion pattern in sync-adjacent code.
Ethereum Shanghai EIP-3529 (SSTORE refund reform, 2021) — response to state-growth exploits where attackers abused the gas-refund mechanism to inflate state at negative cost. EIP-3529. Skill catch point: Section 5a — storage cost must cover amortized sync cost, not just write cost.

Critical methodology addition from Round 4 (crash-recovery atomicity)

Insert as new Section 4e (MANDATORY test): Geth issue #30229 shows crash-recovery atomicity is a hot bug class. Test methodology:

Identify every 2-phase flush sequence (storage → account → root; proof → data → index; etc.)
For each, inject kill -9 at the boundary between phases
Verify the restart logic either (a) rolls back to a consistent state, or (b) completes the interrupted sequence
Never accept "it works on graceful shutdown" — graceful shutdown is not the interesting case

Tag: [SYNC-ATOMIC:{flush-seq}:{kill-point}]

9. Fallback if primitives unavailable

Find the sync package / module
Read the entry function (usually start_sync / sync_loop)
Map sync phases and trust boundaries
Find the pruner function and read it top-to-bottom

Cross-references

Related: consensus-safety-invariants (fork-choice pruning interaction), execution-client-hardening (storage pricing)
Consumed by: depth-state-trace, depth-edge-case
Severity: docs/l1-mode/severity-matrix.md

Adoption

plamentsv/state-sync-pruning

$ install --global

Security Scan Results

SKILL.md

Injectable Skill: State Sync and Pruning

Orchestrator Decomposition Guide

When This Skill Activates

1. Sync Mode Fingerprinting

2. Root / Checkpoint Trust

3. Snapshot Integrity

3a. Chunk verification

3b. Duplicate account / missing account

3c. Healing phase

3d. Parallel peer downloads

4. Pruning Safety

4a. Reference counting

4b. In-flight reads

4c. Pruning boundaries

4d. Archive vs pruned mode

4e. Persistence atomicity across logical units

5. State Growth Attacks

5a. Storage cost mismatch

5b. Account creation bomb

5c. Unbounded storage arrays

6. Boundary conditions

7. Output schema

8. Known bug exemplars (v0.2 — Round 4 verified)

Critical methodology addition from Round 4 (crash-recovery atomicity)

9. Fallback if primitives unavailable

Cross-references

Related Skills

plamentsv/audit-prep

plamentsv/plamen

plamentsv/plamen-wizard

plamentsv/plamen-l1

plamentsv/state-sync-pruning

$ install --global

Security Scan Results

SKILL.md

Injectable Skill: State Sync and Pruning

Orchestrator Decomposition Guide

When This Skill Activates

1. Sync Mode Fingerprinting

2. Root / Checkpoint Trust

3. Snapshot Integrity

3a. Chunk verification

3b. Duplicate account / missing account

3c. Healing phase

3d. Parallel peer downloads

4. Pruning Safety

4a. Reference counting

4b. In-flight reads

4c. Pruning boundaries

4d. Archive vs pruned mode

4e. Persistence atomicity across logical units

5. State Growth Attacks

5a. Storage cost mismatch

5b. Account creation bomb

5c. Unbounded storage arrays

6. Boundary conditions

7. Output schema

8. Known bug exemplars (v0.2 — Round 4 verified)

Critical methodology addition from Round 4 (crash-recovery atomicity)

9. Fallback if primitives unavailable

Cross-references

Related Skills

plamentsv/audit-prep

plamentsv/plamen

plamentsv/plamen-wizard

plamentsv/plamen-l1