[ENG-1296] set cap on expired orders processed per block

[anmolagrawal345]

Changelist

This change builds off the same pattern for setting caps on deleveraging and liquidations per block. We need to cap the expired orders removal per block to prevent the situation in which the end blocker is stuck removing a large number of orders (a potential attack vector).

Test Plan

[Describe how this PR was tested (if applicable)]

Author/Reviewer Checklist

• If this PR has changes that result in a different app state given the same prior state and transaction list, manually add the state-breaking label.
• If the PR has breaking postgres changes to the indexer add the indexer-postgres-breaking label.
• If this PR isn't state-breaking but has changes that modify behavior in PrepareProposal or ProcessProposal, manually add the label proposal-breaking.
• If this PR is one of many that implement a specific feature, manually label them all feature:[feature-name].
• If you wish to for mergify-bot to automatically create a PR to backport your change to a release branch, manually add the label backport/[branch-name].
• Manually add any of the following labels: refactor, chore, bug.

Summary by CodeRabbit

• New Features

  • Added block limits configuration system to control the rate of expired stateful order removal per block.
  • Added new gRPC query endpoint and CLI command to retrieve block limits configuration.
  • Added governance message to update block limits configuration.

• Improvements

  • Enhanced telemetry to track the count of expired orders removed during block processing.

[linear]

ENG-1296 Cap the number of endBlocker order removals

[coderabbitai]

Walkthrough

This PR implements a per-block cap mechanism for removing expired stateful orders in the CLOB module. It introduces a BlockLimitsConfig message with a MaxStatefulOrderRemovalsPerBlock parameter, modifies the RemoveExpiredStatefulOrders keeper method to enforce this cap with batching across blocks, adds telemetry tracking, and exposes query and update endpoints for governance-mediated configuration changes.

Changes

Cohort / File(s)	Change Summary
Proto definitions proto/dydxprotocol/clob/block_limits_config.proto, proto/dydxprotocol/clob/query.proto, proto/dydxprotocol/clob/tx.proto	New BlockLimitsConfig message with max_stateful_order_removals_per_block field; new QueryBlockLimitsConfigurationRequest/Response messages and RPC; new MsgUpdateBlockLimitsConfig/Response messages and RPC for governance updates
TypeScript codegen – clob module indexer/packages/v4-protos/src/codegen/dydxprotocol/clob/block_limits_config.ts, query.lcd.ts, query.rpc.Query.ts, query.ts, tx.rpc.msg.ts, tx.ts	Generated TypeScript interfaces, encode/decode logic, and client methods for BlockLimitsConfig, QueryBlockLimitsConfiguration, and MsgUpdateBlockLimitsConfig
TypeScript codegen – bundle reorganization indexer/packages/v4-protos/src/codegen/dydxprotocol/bundle.ts, gogoproto/bundle.ts, google/bundle.ts	Re-mapped internal module alias spreads throughout dydxprotocol namespaces and nested modules; updated vest and ClientFactory exports
Go keeper – block limits config protocol/x/clob/keeper/block_limits_config.go, grpc_query_block_limits_configuration.go, msg_server_update_block_limits_config.go	New keeper methods GetBlockLimitsConfig, UpdateBlockLimitsConfig, and gRPC query handler; new message server handler for governance updates
Go keeper – stateful order removal with cap protocol/x/clob/keeper/stateful_order_state.go	Modified RemoveExpiredStatefulOrders to enforce per-block cap via MaxStatefulOrderRemovalsPerBlock; adds early-break logic for batching across blocks
Go types and interfaces protocol/x/clob/types/block_limits_config_keeper.go, clob_keeper.go, keys.go	New BlockLimitsConfigKeeper interface, BlockLimitsConfig_Default constant, BlockLimitsConfigKey state key; updated ClobKeeper to embed BlockLimitsConfigKeeper
CLI and query protocol/x/clob/client/cli/query.go, query_block_limits_configuration.go	New CLI command CmdGetBlockLimitsConfiguration integrated into query command set
EndBlocker telemetry protocol/x/clob/abci.go	Added telemetry gauge recording count of expired orders removed
Mocks and test support protocol/mocks/ClobKeeper.go, QueryClient.go	Added mock methods GetBlockLimitsConfig, UpdateBlockLimitsConfig on ClobKeeper; added BlockLimitsConfiguration mock on QueryClient; replaced GetLeverage mock; updated related liquidation/leverage mock methods
Tests protocol/x/clob/keeper/stateful_order_state_test.go, grpc_query_block_limits_configuration_test.go	Added comprehensive tests for cap-aware removal batching; added gRPC query handler test with success and nil-request error cases
App-level message registration protocol/app/msgs/all_msgs.go, internal_msgs.go, internal_msgs_test.go	Registered MsgUpdateBlockLimitsConfig and response in all-messages and internal-messages maps; updated test expectations
Ante handler protocol/lib/ante/internal_msg.go	Added clob.MsgUpdateBlockLimitsConfig to internal message type recognition
Module test protocol/x/clob/module_test.go	Updated expected interface registration count and query command set to reflect new block-limits-config command
GitHub Actions .github/workflows/protocol-build-and-push.yml	Added branch trigger for anmol/eng-1296

Sequence Diagram(s)

sequenceDiagram
    auctor ->> EndBlocker: Trigger
    EndBlocker ->> RemoveExpiredStatefulOrders: Remove expired orders
    Note over RemoveExpiredStatefulOrders: Check MaxStatefulOrderRemovalsPerBlock cap
    
    alt Cap enabled and reached
        RemoveExpiredStatefulOrders -->> RemoveExpiredStatefulOrders: Break early, return partial batch
        RemoveExpiredStatefulOrders ->> EndBlocker: Return expired IDs (up to cap)
    else Cap disabled or not reached
        RemoveExpiredStatefulOrders ->> RemoveExpiredStatefulOrders: Continue processing all
        RemoveExpiredStatefulOrders ->> EndBlocker: Return all expired IDs
    end
    
    EndBlocker ->> Telemetry: Record gauge (expired order count)
    EndBlocker ->> EndBlocker: Emit event

Loading

sequenceDiagram
    Client ->> CLI: query clob block-limits-config
    CLI ->> QueryClient: BlockLimitsConfiguration(request)
    QueryClient ->> gRPC: Call BlockLimitsConfiguration
    gRPC ->> ClobKeeper: BlockLimitsConfiguration(ctx, req)
    ClobKeeper ->> StateStore: GetBlockLimitsConfig
    StateStore -->> ClobKeeper: BlockLimitsConfig
    ClobKeeper -->> gRPC: QueryBlockLimitsConfigurationResponse
    gRPC -->> QueryClient: Response
    QueryClient -->> CLI: Response
    CLI -->> Client: Display config

Loading

sequenceDiagram
    Governance ->> MsgServer: UpdateBlockLimitsConfig(authority, config)
    MsgServer ->> Authority: Verify HasAuthority
    
    alt Authority valid
        Authority -->> MsgServer: OK
        MsgServer ->> ClobKeeper: UpdateBlockLimitsConfig(ctx, config)
        ClobKeeper ->> StateStore: setBlockLimitsConfig
        StateStore -->> ClobKeeper: Stored
        ClobKeeper -->> MsgServer: Success
        MsgServer -->> Governance: MsgUpdateBlockLimitsConfigResponse
    else Authority invalid
        Authority -->> MsgServer: ErrInvalidSigner
        MsgServer -->> Governance: Error
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

Areas requiring extra attention:

• Cap enforcement logic in stateful_order_state.go: Verify the early-break condition correctly halts processing at MaxStatefulOrderRemovalsPerBlock and that the logic properly resumes in subsequent blocks.
• TypeScript codegen re-mapping: The extensive alias re-mapping in bundle.ts and related files is mechanical but error-prone; confirm the new spreads correctly reference all required modules and don't introduce unintended symbol collisions.
• Test coverage for batching: Ensure TestRemoveExpiredStatefulOrders_WithCap thoroughly exercises edge cases—orders at exactly the cap limit, orders spanning multiple time slices, and behavior when the cap is disabled (default).
• Mock consistency: Verify that mock methods in ClobKeeper.go and QueryClient.go (especially the removal of GetLeverage and reorganization of leverage/liquidation mocks) align with updated keeper and query signatures.

Possibly related PRs

• [CT-1160] add relevant protos to dydxprotocol #2162: Modifies dydxprotocol proto bundle exports and codegen re-mapping (similar alias reorganization pattern in bundle.ts).
• chore: update rust proto with the latest changes #3060: Regenerates Rust protobufs to incorporate the protocol-level BlockLimitsConfig and related message/client additions introduced here.
• Check Leverage On Order Placement #3141: Updates ClobKeeper-related interfaces and mocks in similar fashion, affecting keeper expectations and query client surfaces.

Suggested reviewers

• teddyding
• vincentwschau

Poem

🐰 Per-block we cap, no rush, no race,
Expired orders vanish at steady pace,
Batch by batch, no overflow fright,
BlockLimits config shines so bright! 🌟

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.53% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check	❓ Inconclusive	The PR description includes the required Changelist section explaining the purpose of the cap, but the Test Plan section is incomplete with only a placeholder, and the checklist items are unchecked.	Complete the Test Plan section describing how the cap functionality was tested, and consider checking relevant checklist items based on whether this change affects app state or requires backporting.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically describes the main change: implementing a per-block cap on expired order removals, which is the core objective of this changeset.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch anmol/eng-1296

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1c3947 and c369ff1.

📒 Files selected for processing (1)

• protocol/x/clob/keeper/block_limits_config.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• protocol/x/clob/keeper/block_limits_config.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (42)

• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: call-build-ecs-service-roundtable / (roundtable) Check docker image build
• GitHub Check: call-build-ecs-service-socks / (socks) Check docker image build
• GitHub Check: call-build-ecs-service-vulcan / (vulcan) Check docker image build
• GitHub Check: call-build-ecs-service-comlink / (comlink) Check docker image build
• GitHub Check: check-build-auxo
• GitHub Check: check-build-bazooka
• GitHub Check: call-build-ecs-service-ender / (ender) Check docker image build
• GitHub Check: test / run_command
• GitHub Check: unit-end-to-end-and-integration
• GitHub Check: test-coverage-upload
• GitHub Check: liveness-test
• GitHub Check: test-race
• GitHub Check: build-and-push-testnet
• GitHub Check: golangci-lint
• GitHub Check: check-sample-pregenesis-up-to-date
• GitHub Check: run_command
• GitHub Check: lint
• GitHub Check: build
• GitHub Check: build-and-push-mainnet
• GitHub Check: benchmark
• GitHub Check: container-tests
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Summary
• GitHub Check: build-and-push-dev
• GitHub Check: build-and-push-dev2
• GitHub Check: build-and-push-dev4
• GitHub Check: build-and-push-staging

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c462a7a and 9d44760.

📒 Files selected for processing (6)

• .github/workflows/protocol-build-and-push.yml (1 hunks)
• protocol/x/clob/abci.go (1 hunks)
• protocol/x/clob/flags/flags.go (6 hunks)
• protocol/x/clob/flags/flags_test.go (5 hunks)
• protocol/x/clob/keeper/stateful_order_state.go (2 hunks)
• protocol/x/clob/keeper/stateful_order_state_test.go (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: hwray
Repo: dydxprotocol/v4-chain PR: 2597
File: indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql:16-20
Timestamp: 2024-11-22T18:12:04.606Z
Learning: Avoid suggesting changes to deprecated functions such as `dydx_update_perpetual_v1_handler` in `indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql` if they are unchanged in the PR.

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 2780
File: protocol/x/clob/keeper/twap_order_state.go:137-138
Timestamp: 2025-04-15T16:57:26.546Z
Learning: TWAP order cancellations and expiries will be handled in a dedicated follow-up PR, separate from the initial implementation of TWAP order functionality in the end blocker.

📚 Learning: 2025-04-15T16:58:46.335Z

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 2780
File: protocol/x/clob/keeper/twap_order_state_test.go:191-209
Timestamp: 2025-04-15T16:58:46.335Z
Learning: For TWAP orders, message validation in message_place_order.go handles edge cases with comprehensive checks for parameters like durations and intervals, making it unnecessary to test invalid parameters in twap_order_state_test.go which only receives pre-validated inputs.

Applied to files:

• protocol/x/clob/keeper/stateful_order_state_test.go
• protocol/x/clob/flags/flags_test.go

🧬 Code graph analysis (4)

protocol/x/clob/abci.go (4)

protocol/lib/metrics/lib.go (1)

• SetGauge (38-40)

protocol/x/clob/types/keys.go (1)

• ModuleName (6-6)

protocol/lib/metrics/metric_keys.go (1)

• EndBlocker (91-91)

protocol/lib/metrics/constants.go (1)

• Count (9-9)

protocol/x/clob/keeper/stateful_order_state.go (2)

protocol/app/flags/flags.go (1)

• Flags (13-36)

protocol/x/clob/flags/flags.go (1)

• MaxStatefulOrderRemovalsPerBlock (30-30)

protocol/x/clob/keeper/stateful_order_state_test.go (4)

protocol/testutil/constants/stateful_orders.go (5)

• ConditionalOrder_Alice_Num0_Id0_Clob0_Buy5_Price10_GTBT15_StopLoss20 (457-470)
• ConditionalOrder_Alice_Num1_Id0_Clob0_Sell5_Price10_GTB15 (932-943)
• LongTermOrder_Alice_Num0_Id0_Clob0_Buy5_Price10_GTBT20 (131-142)
• ConditionalOrder_Alice_Num1_Id1_Clob0_Sell50_Price5_GTB30 (944-955)
• LongTermOrder_Alice_Num1_Id1_Clob0_Sell25_Price30_GTBT10 (191-202)

protocol/x/clob/memclob/memclob.go (1)

• NewMemClobPriceTimePriority (57-66)

protocol/testutil/keeper/clob.go (1)

• NewClobKeepersTestContext (61-73)

protocol/x/clob/flags/flags.go (1)

• MaxStatefulOrderRemovalsPerBlock (30-30)

protocol/x/clob/flags/flags_test.go (1)

protocol/x/clob/flags/flags.go (2)

• MaxStatefulOrderRemovalsPerBlock (30-30)
• DefaultMaxStatefulOrderRemovalsPerBlock (44-44)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (32)

• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: golangci-lint
• GitHub Check: benchmark
• GitHub Check: test-coverage-upload
• GitHub Check: build
• GitHub Check: liveness-test
• GitHub Check: test-race
• GitHub Check: unit-end-to-end-and-integration
• GitHub Check: check-sample-pregenesis-up-to-date
• GitHub Check: container-tests
• GitHub Check: build-and-push-testnet
• GitHub Check: build-and-push-mainnet
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)
• GitHub Check: Summary
• GitHub Check: build-and-push-dev2
• GitHub Check: build-and-push-dev4
• GitHub Check: build-and-push-staging
• GitHub Check: build-and-push-dev

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

proto/dydxprotocol/clob/block_limits_config.proto (1)

6-12: Consider enhancing documentation with value guidance.

While the documentation clearly explains the purpose, it would be helpful to document:

• What the default/recommended value is
• What constitutes a reasonable range (e.g., minimum value > 0)
• Impact of setting this value too low (order backlog) vs. too high (reduced protection)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81f5054aae5768d51e3719725abda55bf6e2550c and 8341eb0.

⛔ Files ignored due to path filters (1)

• protocol/x/clob/types/block_limits_config.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (3)

• proto/dydxprotocol/clob/block_limits_config.proto (1 hunks)
• proto/dydxprotocol/clob/tx.proto (3 hunks)
• protocol/x/clob/module_test.go (2 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: hwray
Repo: dydxprotocol/v4-chain PR: 2597
File: indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql:16-20
Timestamp: 2024-11-22T18:12:04.606Z
Learning: Avoid suggesting changes to deprecated functions such as `dydx_update_perpetual_v1_handler` in `indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql` if they are unchanged in the PR.

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 2780
File: protocol/x/clob/keeper/twap_order_state.go:137-138
Timestamp: 2025-04-15T16:57:26.546Z
Learning: TWAP order cancellations and expiries will be handled in a dedicated follow-up PR, separate from the initial implementation of TWAP order functionality in the end blocker.

📚 Learning: 2025-05-24T00:45:00.519Z

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 2837
File: proto/dydxprotocol/clob/order.proto:4-4
Timestamp: 2025-05-24T00:45:00.519Z
Learning: In the dydxprotocol/v4-chain repository, cosmos_proto dependencies are managed through buf.yaml configuration rather than being physically present in the repository. The import "cosmos_proto/cosmos.proto" is a standard pattern used across 28+ proto files for cosmos address annotations like (cosmos_proto.scalar) = "cosmos.AddressString".

Applied to files:

• proto/dydxprotocol/clob/block_limits_config.proto
• proto/dydxprotocol/clob/tx.proto

📚 Learning: 2024-11-15T16:17:29.092Z

Learnt from: hwray
Repo: dydxprotocol/v4-chain PR: 2551
File: protocol/x/clob/types/expected_keepers.go:86-90
Timestamp: 2024-11-15T16:17:29.092Z
Learning: The function `GetCrossInsuranceFundBalance` in `protocol/x/clob/types/expected_keepers.go` already existed and was just moved in this PR; changes to its error handling may be out of scope.

Applied to files:

• protocol/x/clob/module_test.go

📚 Learning: 2025-10-06T20:00:48.549Z

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 3079
File: protocol/x/clob/types/leverage.go:10-56
Timestamp: 2025-10-06T20:00:48.549Z
Learning: In the leverage update flow for protocol/x/clob, the `ValidateUpdateLeverageMsg` function performs basic validation (non-nil checks, non-zero leverage, unique IDs, valid clob pair existence), while maximum leverage validation against `GetMaxLeverageForPerpetual` is intentionally deferred to the `UpdateLeverage` keeper method.

Applied to files:

• proto/dydxprotocol/clob/tx.proto

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (42)

• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: check-sample-pregenesis-up-to-date
• GitHub Check: call-build-ecs-service-roundtable / (roundtable) Check docker image build
• GitHub Check: call-build-ecs-service-vulcan / (vulcan) Check docker image build
• GitHub Check: call-build-ecs-service-socks / (socks) Check docker image build
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: build-and-push-testnet
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: call-build-ecs-service-ender / (ender) Check docker image build
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: call-build-ecs-service-comlink / (comlink) Check docker image build
• GitHub Check: check-build-auxo
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: check-build-bazooka
• GitHub Check: unit-end-to-end-and-integration
• GitHub Check: liveness-test
• GitHub Check: test / run_command
• GitHub Check: test-coverage-upload
• GitHub Check: test-race
• GitHub Check: container-tests
• GitHub Check: lint
• GitHub Check: build-and-push-mainnet
• GitHub Check: run_command
• GitHub Check: build
• GitHub Check: benchmark
• GitHub Check: golangci-lint
• GitHub Check: Analyze (go)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build-and-push-staging
• GitHub Check: build-and-push-dev4
• GitHub Check: build-and-push-dev
• GitHub Check: build-and-push-dev2
• GitHub Check: Summary

🔇 Additional comments (4)

protocol/x/clob/module_test.go (2)

153-153: LGTM! Interface registration count correctly updated.

The increase from 20 to 22 registered interfaces is consistent with the addition of MsgUpdateBlockLimitsConfig and MsgUpdateBlockLimitsConfigResponse.

---

258-267: LGTM! Query command test correctly updated.

The test properly reflects the addition of the new get-block-limits-config command and correctly shifts all existing command indices by 1.

proto/dydxprotocol/clob/tx.proto (1)

14-14: LGTM! BlockLimitsConfig transaction messages follow established patterns.

The new import, RPC definition, and message types are consistent with existing configuration update mechanisms in the codebase (e.g., MsgUpdateLiquidationsConfig, MsgUpdateBlockRateLimitConfiguration). The authority-based governance pattern and field annotations are correctly applied.

Also applies to: 51-53, 222-237

proto/dydxprotocol/clob/block_limits_config.proto (1)

11-11: The review comment is based on a misunderstanding. The code explicitly documents that a value of 0 is valid and means no cap (process all expired orders), and the validation function confirms 0 is a valid value meaning "no cap". This is an intentional design choice, not a security vulnerability.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8341eb0 and 0947a81.

📒 Files selected for processing (2)

• protocol/app/msgs/all_msgs.go (1 hunks)
• protocol/app/msgs/normal_msgs.go (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 2780
File: protocol/x/clob/keeper/twap_order_state.go:137-138
Timestamp: 2025-04-15T16:57:26.546Z
Learning: TWAP order cancellations and expiries will be handled in a dedicated follow-up PR, separate from the initial implementation of TWAP order functionality in the end blocker.

Learnt from: hwray
Repo: dydxprotocol/v4-chain PR: 2597
File: indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql:16-20
Timestamp: 2024-11-22T18:12:04.606Z
Learning: Avoid suggesting changes to deprecated functions such as `dydx_update_perpetual_v1_handler` in `indexer/services/ender/src/scripts/handlers/dydx_update_perpetual_v1_handler.sql` if they are unchanged in the PR.

📚 Learning: 2025-10-06T20:00:48.549Z

Learnt from: anmolagrawal345
Repo: dydxprotocol/v4-chain PR: 3079
File: protocol/x/clob/types/leverage.go:10-56
Timestamp: 2025-10-06T20:00:48.549Z
Learning: In the leverage update flow for protocol/x/clob, the `ValidateUpdateLeverageMsg` function performs basic validation (non-nil checks, non-zero leverage, unique IDs, valid clob pair existence), while maximum leverage validation against `GetMaxLeverageForPerpetual` is intentionally deferred to the `UpdateLeverage` keeper method.

Applied to files:

• protocol/app/msgs/normal_msgs.go
• protocol/app/msgs/all_msgs.go

🧬 Code graph analysis (1)

protocol/app/msgs/normal_msgs.go (2)

indexer/packages/v4-protos/src/codegen/dydxprotocol/clob/tx.ts (2)

• MsgUpdateBlockLimitsConfig (391-400)
• MsgUpdateBlockLimitsConfig (1438-1484)

protocol/x/clob/types/tx.pb.go (3)

• MsgUpdateBlockLimitsConfig (1096-1102)
• MsgUpdateBlockLimitsConfig (1106-1106)
• MsgUpdateBlockLimitsConfig (1107-1109)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (43)

• GitHub Check: golangci-lint
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: (Public Testnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: test / run_command
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-roundtable / (roundtable) Build and Push
• GitHub Check: test-coverage-upload
• GitHub Check: liveness-test
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-socks / (socks) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-bazooka-lambda / (bazooka) Build and Push Lambda
• GitHub Check: unit-end-to-end-and-integration
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-vulcan / (vulcan) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-ender / (ender) Build and Push
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-auxo-lambda / (auxo) Build and Push Lambda
• GitHub Check: test-race
• GitHub Check: (Mainnet) Build and Push ECS Services / call-build-and-push-ecs-service-comlink / (comlink) Build and Push
• GitHub Check: benchmark
• GitHub Check: call-build-ecs-service-vulcan / (vulcan) Check docker image build
• GitHub Check: call-build-ecs-service-socks / (socks) Check docker image build
• GitHub Check: call-build-ecs-service-roundtable / (roundtable) Check docker image build
• GitHub Check: check-build-auxo
• GitHub Check: call-build-ecs-service-ender / (ender) Check docker image build
• GitHub Check: check-build-bazooka
• GitHub Check: call-build-ecs-service-comlink / (comlink) Check docker image build
• GitHub Check: container-tests
• GitHub Check: build
• GitHub Check: check-sample-pregenesis-up-to-date
• GitHub Check: build-and-push-testnet
• GitHub Check: protocol-gen
• GitHub Check: lint
• GitHub Check: build-and-push-mainnet
• GitHub Check: run_command
• GitHub Check: build-and-push-dev4
• GitHub Check: build-and-push-staging
• GitHub Check: build-and-push-dev
• GitHub Check: build-and-push-dev2
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (1)

protocol/app/msgs/all_msgs.go (1)

213-214: LGTM! Message type registration follows established pattern.

The new message types are correctly added to the AllTypeMessages registry, consistent with similar configuration update messages in the clob module.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify whether this authority-controlled message should be externally submittable.

MsgUpdateBlockLimitsConfig is being added to NormalMsgs, which allows external users to submit it. However, similar authority-controlled configuration messages in the clob module (MsgUpdateBlockRateLimitConfiguration, MsgUpdateEquityTierLimitConfiguration, MsgUpdateLiquidationsConfig) are not present in NormalMsgs, making them governance-only.

Since MsgUpdateBlockLimitsConfig has an authority field and updates system-wide block limits, it likely should follow the same pattern as other config update messages and be excluded from NormalMsgs.

Including it in NormalMsgs would allow any external user to submit this message (though it would fail authorization checks), potentially creating unnecessary gas consumption and an inconsistent message access pattern.

Run the following script to compare the message registration patterns and verify the authorization implementation:

---

🏁 Script executed:

#!/bin/bash
# Description: Check message registration patterns for similar config update messages and verify authorization

echo "=== Checking similar config update messages in normal_msgs.go ==="
rg -n "MsgUpdate.*Config" protocol/app/msgs/normal_msgs.go

echo -e "\n=== Checking all clob config update messages in all_msgs.go ==="
rg -n "dydxprotocol.clob.MsgUpdate.*Config" protocol/app/msgs/all_msgs.go

echo -e "\n=== Checking MsgUpdateBlockLimitsConfig message handler/server implementation ==="
fd -e go -x grep -l "MsgUpdateBlockLimitsConfig" {} \; | head -10

echo -e "\n=== Checking authorization pattern for MsgUpdateBlockLimitsConfig ==="
rg -A 5 "func.*MsgUpdateBlockLimitsConfig.*authority" --type go

Length of output: 1303

---

🏁 Script executed:

#!/bin/bash
# Examine MsgUpdateBlockLimitsConfig handler implementation to verify authorization

echo "=== MsgUpdateBlockLimitsConfig handler implementation ==="
cat protocol/x/clob/keeper/msg_server_update_block_limits_config.go

echo -e "\n=== MsgUpdateBlockLimitsConfig message definition ==="
cat protocol/x/clob/types/message_update_block_limits_config.go

echo -e "\n=== Check if similar config messages appear in normal_msgs.go ==="
rg "MsgUpdateBlockRateLimitConfiguration|MsgUpdateEquityTierLimitConfiguration|MsgUpdateLiquidationsConfig" protocol/app/msgs/normal_msgs.go

Length of output: 1697

---

🏁 Script executed:

#!/bin/bash
# Verify similar config messages also have authority checks

echo "=== MsgUpdateBlockRateLimitConfiguration handler ==="
cat protocol/x/clob/keeper/msg_server_update_block_rate_limit_configuration.go 2>/dev/null | head -40

echo -e "\n=== MsgUpdateEquityTierLimitConfiguration handler ==="
cat protocol/x/clob/keeper/msg_server_update_equity_tier_limit_configuration.go 2>/dev/null | head -40

echo -e "\n=== MsgUpdateLiquidationsConfig handler ==="
cat protocol/x/clob/keeper/msg_server_update_liquidations_config.go 2>/dev/null | head -40

echo -e "\n=== Confirm none of these are in normal_msgs.go ==="
grep -c "MsgUpdateBlockRateLimitConfiguration\|MsgUpdateEquityTierLimitConfiguration\|MsgUpdateLiquidationsConfig" protocol/app/msgs/normal_msgs.go || echo "Not found in normal_msgs.go (as expected)"

Length of output: 1109

---

Remove MsgUpdateBlockLimitsConfig from NormalMsgs to align with other authority-controlled configuration messages.

The verification confirms the inconsistency raised in the review comment. MsgUpdateBlockLimitsConfig has an authority check identical to MsgUpdateLiquidationsConfig:

• Both use k.Keeper.HasAuthority(msg.Authority)
• Both return govtypes.ErrInvalidSigner if unauthorized

However, MsgUpdateBlockLimitsConfig is in normal_msgs.go (line 237), while MsgUpdateLiquidationsConfig and other similar config messages are not. This allows external users to submit a governance-controlled message, creating unnecessary gas consumption and breaking the intended access pattern.

Remove lines 237-238 from protocol/app/msgs/normal_msgs.go and verify the message is only registered in all_msgs.go where it belongs.

🤖 Prompt for AI Agents

In protocol/app/msgs/normal_msgs.go around lines 237-238, remove the entries for
"/dydxprotocol.clob.MsgUpdateBlockLimitsConfig" and its response so the message
is no longer registered as a normal message; this message is
authority-controlled and should only be registered in all_msgs.go. Delete those
two lines, run go build/tests to ensure no missing registrations, and confirm
MsgUpdateBlockLimitsConfig remains present only in all_msgs.go (or the
authority-specific registration) so external users cannot submit it via
NormalMsgs.

[jusbar23]

reminder to remove

[jusbar23]

Do we use this? Doesn't seem like we have any validation logic

[anmolagrawal345]

deleted - the only validation logic lives in the server itself which verifies the message came from an authorized address. otherwise, think we can just use the value. dont need to check negative values either since its a uint

[jusbar23]

Do we want to set an upper bound for his?

[anmolagrawal345]

dont think so since its governance protected. if for some reason we need to bump it past any threshold, we'll have to do an upgrade to support it

[shrenujb]

Would this be a gov msg? Are there other limits we already have which we use gov msgs to update?

[anmolagrawal345]

Yep this follows the same pattern as MsgUpdateLiquidationConfig which also seems gov protected.

[northstar456]

Is there a strong reason not to put this under BlockRateLimitConfiguration, which is also stored in state?

Not too concerned about the differences between this field (end blocker) and existing block rate limits (checktx)

Doing that would save us from so many stubs/new messages added in this PR

[northstar456]

For my context, why did we decide to add this recently? Is this an AI from a security report?

[northstar456]

A bit cleaner to put condition in loop guard

	maxRemovals := blockLimitsConfig.MaxStatefulOrderRemovalsPerBlock
	numRemoved := uint32(0)

	// Process orders up to the cap (if set), otherwise process all
	for ; it.Valid() && (maxRemovals == 0 || numRemoved < maxRemovals); it.Next() {
		var orderId types.OrderId
		k.cdc.MustUnmarshal(it.Value(), &orderId)
		expiredOrderIds = append(expiredOrderIds, orderId)
		store.Delete(it.Key())
		numRemoved++
	}
	return expiredOrderIds
}