apollo_consensus_orchestrator: anchor L1 gas-price margin to local reference and harden overflow

[asaf-sw]

What

Fixes M-17. Rewrites within_margin in validate_proposal.rs so the L1 gas-price tolerance band is anchored to the validator's locally-trusted reference price instead of the proposer-supplied value, and replaces an unchecked u128 * u128 with saturating_mul.

Why

is_proposal_init_valid validates proposer-supplied L1 gas prices against the node's own oracle read via within_margin(proposed, reference, margin_percent). The margin was computed as (proposed * margin_percent) / 100 — anchored to the attacker-controlled value.

• Asymmetric band (the finding): because the band width scaled with proposed, a malicious proposer could inflate the price up to ~reference / (1 - m) ≈ 1.111 * reference at the default 10% margin, instead of the intended 1.10 * reference. PoC: proposed=1111, reference=1000, m=10 was accepted (margin = 1111*10/100 = 111, diff = 111) even though 1111 exceeds the intended 1100 ceiling. The extra ~1.1% propagates into user fees on every block the attacker proposes, and stacks with M-1.
• Unchecked overflow (raised in analysis): the same line did a raw u128 * u128. Large WEI prices can make price * margin_percent exceed u128::MAX, panicking in debug / wrapping in release.

Fix

• Anchor the margin to reference (reference.0.saturating_mul(margin_percent) / 100). The accepted band becomes the symmetric [reference*(1-m), reference*(1+m)].
• saturating_mul removes the overflow panic on large legitimate prices.
• Renamed params number1/number2 → proposed/reference so the trusted argument is unambiguous in the signature (the footgun that produced the bug). Call sites already pass (proposed, reference), so no call-site change was required.

Assumptions

• Implemented a symmetric ±m band anchored to the local reference (recommended default; the band shape is a product question — documented in a code comment).
• Kept integer truncation of the margin (marginally stricter than exact %), documented inline.
• Deferred the optional bounds-returning refactor to keep the diff minimal; the anchor + overflow fix fully closes the finding.

Test coverage

Extended test_within_margin and added a dedicated overflow test:

• inflated_proposed_rejected(1111, 1000, 10, false) — the M-17 exploit; verified it FAILS on the pre-fix code and passes after.
• upper_bound_inclusive / lower_bound_inclusive (1100 and 900 vs 1000 at 10%).
• deflated_proposed_rejected(889, 1000, 10, false) — symmetry.
• large_identical_no_overflow / large_within_no_overflow (u128::MAX) and within_margin_large_reference_does_not_overflow — overflow hardening.

All 17 tests pass; clippy clean.

Internal analysis: docs/security-review/M-17.md.

🤖 Generated with Claude Code

[reviewable-StarkWare]

This change is 

[asaf-sw]

• apollo_consensus_orchestrator: anchor L1 gas-price margin to local reference and harden overflow #14589 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.