
fix: prevent malicious peer DoS in block sync #940

Merged
tomatoishealthy merged 2 commits into main from fix/spec-003-blocksync-malicious-peer-fix
Apr 24, 2026

Conversation

@tomatoishealthy tomatoishealthy commented Apr 24, 2026

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated core module and standard library dependencies across the project to maintain system stability and compatibility.

@tomatoishealthy tomatoishealthy requested a review from a team as a code owner April 24, 2026 09:05
@tomatoishealthy tomatoishealthy requested review from twcctop and removed request for a team April 24, 2026 09:05
coderabbitai Bot commented Apr 24, 2026

Review skipped: review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • ops/l2-genesis/go.sum is excluded by !**/*.sum

Walkthrough

Updates Tendermint dependency from v0.3.4 to v0.3.6 across Makefile and eight go.mod files, alongside synchronized updates to golang.org/x/* indirect dependencies and go-resty in select modules.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Build Configuration: `Makefile` | Updated the `TENDERMINT_TARGET_VERSION` constant from v0.3.4 to v0.3.6. |
| Core Module Dependencies: `bindings/go.mod`, `contracts/go.mod`, `node/go.mod`, `ops/l2-genesis/go.mod`, `ops/tools/go.mod` | Updated the Tendermint replacement to v0.3.6 and bumped `golang.org/x/*` indirect dependencies (crypto, net, sync, sys, text, time) to newer versions. |
| Extended Module Dependencies: `oracle/go.mod`, `tx-submitter/go.mod` | Updated the Tendermint replacement to v0.3.6, upgraded `github.com/go-resty/resty/v2` from v2.13.1 to v2.17.2, and bumped `golang.org/x/*` indirect dependencies to newer versions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • Web3Jumb0

Poem

🐰 A version dance across the files we go,
From v0.3.4 to v0.3.6's glow,
Dependencies sync'd with care so fine,
Golang packages in perfect line! ✨

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | Warning | The PR title claims to fix a DoS vulnerability in block sync, but the changes only update Tendermint and Go module dependencies across multiple go.mod files. | Update the title to accurately reflect the actual changes, such as 'chore: upgrade tendermint to v0.3.6 and golang.org/x dependencies' or clarify what DoS fix is included in the Tendermint upgrade. |

Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ops/l2-genesis/go.mod`:
- Around line 68-73: Replace the invalid module version for golang.org/x/time in
go.mod: change the entry golang.org/x/time v0.12.0 to a valid release (v0.15.0)
and then update the module graph by running go get golang.org/x/time@v0.15.0 (or
run go mod tidy) so go.sum and dependencies are reconciled; verify the line with
golang.org/x/time now reads v0.15.0 alongside the other golang.org/x/* entries.
Commits

Reviewing files that changed from the base of the PR and between 3be8e7e and c77b1e9.

Files ignored due to path filters (6)
  • bindings/go.sum is excluded by !**/*.sum
  • contracts/go.sum is excluded by !**/*.sum
  • node/go.sum is excluded by !**/*.sum
  • ops/tools/go.sum is excluded by !**/*.sum
  • oracle/go.sum is excluded by !**/*.sum
  • tx-submitter/go.sum is excluded by !**/*.sum
Files selected for processing (8)
  • Makefile
  • bindings/go.mod
  • contracts/go.mod
  • node/go.mod
  • ops/l2-genesis/go.mod
  • ops/tools/go.mod
  • oracle/go.mod
  • tx-submitter/go.mod

Comment thread ops/l2-genesis/go.mod
Comment on lines +68 to +73
golang.org/x/crypto v0.41.0 // indirect
golang.org/x/net v0.43.0 // indirect
golang.org/x/sync v0.16.0 // indirect
golang.org/x/sys v0.35.0 // indirect
golang.org/x/text v0.28.0 // indirect
golang.org/x/time v0.12.0 // indirect
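Review bot: golang.org/x/time is the one entry in this hunk (line 73) whose version the automated check could not confirm as a tagged release, while the other five golang.org/x/* entries were bumped together and accepted; before merging, confirm the tag with `go list -m -versions golang.org/x/time` and run `go mod tidy` and `go mod verify` in ops/l2-genesis so that go.mod and go.sum agree, since ops/l2-genesis/go.sum was excluded from review by the path filter and the checksum reconciliation is not visible here. Separately, the PR title claims a block-sync DoS fix but this module changes only dependency versions, so the description should reference the upstream Tendermint v0.3.6 change that carries the fix, making the security relevance of the bump auditable.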

Potential issue | Critical

Analysis chain

Web query:

Are the following golang.org/x package versions valid: crypto v0.41.0, net v0.43.0, sync v0.16.0, sys v0.35.0, text v0.28.0, time v0.12.0?

Result:

No, not all of the specified golang.org/x package versions are valid as of 2026-04-24. While most exist (crypto v0.41.0, net v0.43.0, sync v0.16.0, sys v0.35.0 appears plausible within the range up to v0.43.0, text v0.28.0 plausible within range up to v0.36.0), time v0.12.0 does not exist. The latest for x/time is v0.15.0, with prior versions v0.14.x, v0.13.x, v0.12.1 pseudo-version (not tagged v0.12.0), v0.13.0, etc. No tagged v0.12.0 for x/time is listed in version histories on pkg.go.dev or deps.dev.

Script executed:

cat -n ops/l2-genesis/go.mod | grep -A 10 "golang.org/x/crypto"

Repository: morph-l2/morph

Update golang.org/x/time to a valid version; v0.12.0 does not exist.

The dependency golang.org/x/time v0.12.0 on line 73 is invalid—no such tagged release exists. The latest version is v0.15.0. Update this dependency to a valid version. The other golang.org/x/* packages (crypto v0.41.0, net v0.43.0, sync v0.16.0, sys v0.35.0, text v0.28.0) are valid.


@tomatoishealthy tomatoishealthy merged commit 78c30ab into main Apr 24, 2026
15 checks passed
@tomatoishealthy tomatoishealthy deleted the fix/spec-003-blocksync-malicious-peer-fix branch April 24, 2026 09:19