Builder deposits optimisation

[pawanjay176]

Issue Addressed

N/A

Proposed Changes

Adds an OnboardBuildersCache to the beacon chain to pre-verify and cache builder deposits. Caching is important in 2 places:

1. onboard_builders_from_pending_deposits is a fork transition function that scales with the number of pending deposits. Under worst case, the pending deposits queue can be dos'd with a number of 1eth deposits to make nodes do more work verifying it at the fork boundary. Even though the pending_deposits queue is effectively capped by the gas limit, this cache makes even a theoretic attack ineffective by doing the full verification in miliseconds instead of seconds.
   Some numbers claude cooked up

Deposits	Capital	Cached	Batch verify (without cache)
10K	$26M	~35ms	~520ms
50K	$130M	~175ms	~2.6s
96K	$250M	271ms (measured)	~5s
100K	$260M	~285ms	~5.2s

2. Post fork, process_operations may need to verify all builder deposits in the hot path. the engine api currently allows max 8192 deposit requests to be sent for block production, so in worst case, we may need to verify 8192 signatures during block processing. The deposits we need to process are received in the payload envelope ~6 seconds into the slot. we process these deposits when a new beacon block that builds on the payload arrives ~3 seconds into the next slot. So we have a lot of time to verify these signatures before we actually need to process them

The cache is threaded to both the per_slot_processing for the first case and per_block_processing for the second case.

Additional Info

tested with the following kurtosis config:

participants_matrix:
     el:
       - el_type: geth
         el_image: ethpandaops/geth:bal-devnet-6
         el_extra_params: ["--rpc.txfeecap=0", "--rpc.gascap=0"]
     cl:
       - cl_type: lighthouse
         cl_image: lighthouse-local:latest
         cl_log_level: debug
         count: 2
       - cl_type: prysm
         cl_image: ethpandaops/prysm-beacon-chain:glamsterdam-devnet-3-deposits
         count: 2
network_params:
  gloas_fork_epoch: 1
  withdrawal_type: "0x01"
  validator_balance: 40000
  gas_limit: 5000000000
  genesis_gaslimit: 5000000000

additional_services:
  - dora
  - assertoor

assertoor_params:
  image: ethpandaops/assertoor:master
  run_stability_check: false
  run_block_proposal_check: false
  tests:
    - file: "https://raw.githubusercontent.com/ethpandaops/assertoor/refs/heads/master/playbooks/gloas-dev/builder-deposit-spam.yaml"
      config:
        batchSize: 256
        pendingBatches: 16 # 8192 deposits per block
        # totalDeposits: 96214
        totalDeposits: 262140
        skipForkActivationCheck: true

dora_params:
  image: ethpandaops/dora:master⏎

[pawanjay176]

This is ready for review now.

[mergify]

Some required checks have failed. Could you please take a look @pawanjay176? 🙏

[eserilev]

looks good on the whole, just some small suggestion, a question and a few nits

[eserilev]

I think we should use one of the scoped rayon pools instead of the global pool

[pawanjay176]

See below comment

[eserilev]

I think we should use a scoped rayon pool here as well

[pawanjay176]

I think instead of using the scoped rayon pool here, which would involve threading the task executor all the way to state_processing, we can instead spawn the tasks that trigger signature verification with the rayon pool. Implemented in 50cd378

[pawanjay176]

The only place where we might call rayon without a scoped pool is in process_deposit_requests when we have cache misses for the signature verification. I think that is okay.

[eserilev]

it looks like we are only running tests for GloasVerificationContext::FullVerification, would be nice to write tests for the other two variants if possible

[pawanjay176]

Added more tests in de89987

[pawanjay176]

@eserilev Removed the GloasVerificationContext::SkipBuilderOnboarding variant because I think it wasn't safe.
partial_state_advance promises to return a valid state just without the roots calculated so not doing the builder onboarding there feels like violating that contract and the assumption that the advanced state doesn't need builders might be misguided with a later refactor. Ended up threading the cache everywhere which is a little ugly but I think its necessary.

[mergify]

Some required checks have failed. Could you please take a look @pawanjay176? 🙏

[jimmygchen]

this may create a large number of spans, we probably don't need the span per validator?

[pawanjay176]

Note to reviewer: Changed process_deposit_requests_post_gloas significantly with 70b8594 which also diverges quite a bit from the spec function to optimise it.

The observation was that with a bigger sized state.builders, inserting a new builder to the builders list was taking a full iteration of the builder list. This is because builder indices are reusable and add_builder_to_registry uses get_index_for_new_builder which iterates through the entire list to check if any index is available for reuse. With higher builder counts, this becomes significant.

We now cache all reusable indices in a first sweep before reusing anything and that dropped the time to insert with big builder count much more manageable. Again, this is highly unlikely on mainnet.

[mergify]

Some required checks have failed. Could you please take a look @pawanjay176? 🙏

[jimmygchen]

i thought about whether its worth de-dup here, but it seems like the risk and potential impact is low?

[pawanjay176]

Yeah i was considering getting rid of cache_pending_deposits post fork so this could make it easier.
I'm happy to consolidate logic in one place though.

[jimmygchen]

Do you see this span when you test it locally?
I think we might have to rename the advance_head span to lh_advance_head so it gets exported to tempo.

[pawanjay176]

I'm happy to just drop it too. I have already tested and benchmarked it with way worse cases than we'll ever see on mainnet and this happens just once at the fork transtion. I think its fine to remove it.

[jimmygchen]

Is this pretty much a no-op after the fork?

[pawanjay176]

yeah it is. Hadn't considered it. can potentially only do this for pre-gloas states and then delete it post gloas

[jimmygchen]

if the builder tops up in the same block and its balance increases, then we could accidentally make this index reusable right? is this possible

lighthouse/consensus/state_processing/src/per_block_processing/process_operations.rs

Lines 1052 to 1058 in 70b8594

	if let Some(builder_index) = builder_index {
	state
	.builders_mut()?
	.get_mut(builder_index as usize)
	.ok_or(BeaconStateError::UnknownBuilder(builder_index))?
	.balance
	.safe_add_assign(deposit_request.amount)?;

[pawanjay176]

awesome catch!

[pawanjay176]

Fixed in 656e70a and added a test as well. Really great catch. I'm going to try and upstream this to the EF tests

[jimmygchen]

This isn't work in the hot path, however i think its fine leaving it high prio, as we want to be ready asap in case if the payload arrive late in the slot? is this what you were thinking?

[pawanjay176]

Yeah pretty much. Better to have everything verified to reduce cache misses in case of late envelopes

[jimmygchen]

nit: move this to the top near the other similar functions

[jimmygchen]

Looks like the failing test here revealed a bug, and the invalid deposit got added to pending deposits.

Might want to skip (continue) if the siganture is invalid here:

lighthouse/consensus/state_processing/src/per_block_processing/process_operations.rs

Line 1080 in 70b8594

if is_valid {

https://github.com/sigp/lighthouse/actions/runs/26260083391/job/77291404904?pr=9311