[codex] add evm-only giga executor path

[codchen]

Summary

• add giga/evmonly as the final-form EVM-only giga execution path boundary
• define raw Ethereum RLP block input and commit-neutral outputs as an EVM-native state changeset plus receipts
• port the core sei-v3-style execution shape directly into giga/evmonly:
  • raw RLP tx parsing and sender recovery
  • go-ethereum execution against an SDK-free native vm.StateDB
  • key-addressable EVM-native balance, nonce, code, and storage state reads
  • deterministic post-block StateChangeSet output
  • Ethereum receipt and per-tx metadata construction
• add a map-backed MemoryState backend for tests and early integration
• leave custom precompiles as fail-closed placeholders behind an SDK-free registry/context
• refresh the README to describe the current implementation, input/output contract, and known limitations

Notes

Custom precompile behavior is intentionally still open. Registered custom precompile addresses return ErrCustomPrecompilesOpen, including through geth's precompile map, so calls fail closed instead of silently executing as empty accounts.

The current port is sequential. The state boundary and changeset shape are intended to be replaceable with the sei-v3 OCC scheduler/store once that layer is brought over.

Historical BLOCKHASH lookups beyond the parent block are not wired yet; BlockHash is currently used for receipt/log metadata.

Validation

go test ./giga/evmonly/...
go test ./giga/...

[codecov]

Codecov Report

❌ Patch coverage is 75.82988% with 233 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.27%. Comparing base (0ff5a52) to head (10c3108).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
giga/evmonly/state_db.go	70.54%	129 Missing and 18 partials ⚠️
giga/evmonly/occ.go	73.93%	31 Missing and 18 partials ⚠️
giga/evmonly/executor.go	85.71%	16 Missing and 7 partials ⚠️
giga/evmonly/state.go	88.63%	5 Missing and 5 partials ⚠️
giga/evmonly/parser.go	80.00%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3583      +/-   ##
==========================================
- Coverage   59.16%   58.27%   -0.89%     
==========================================
  Files        2262     2176      -86     
  Lines      187009   176766   -10243     
==========================================
- Hits       110643   103012    -7631     
+ Misses      66430    64706    -1724     
+ Partials     9936     9048     -888     

Flag	Coverage Δ
sei-chain-pr	75.82% <75.82%> (?)
sei-db	70.41% <ø> (ø)
sei-db-state-db	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
giga/evmonly/config.go	100.00% <100.00%> (ø)
giga/evmonly/parser.go	80.00% <80.00%> (ø)
giga/evmonly/state.go	88.63% <88.63%> (ø)
giga/evmonly/executor.go	85.71% <85.71%> (ø)
giga/evmonly/occ.go	73.93% <73.93%> (ø)
giga/evmonly/state_db.go	70.54% <70.54%> (ø)

... and 168 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	Jun 29, 2026, 12:34 PM

[cursor]

PR Summary

Medium Risk
New core execution path with OCC merge logic and broad EVM/state semantics; isolated in a new package with heavy tests but correctness of parallel fallback and changeset merging matters for future production wiring.

Overview
Introduces giga/evmonly, a Cosmos-free execution boundary for the final-form giga path: ExecuteBlock takes ordered raw Ethereum RLP txs plus block context and returns a commit-neutral StateChangeSet (post-block balances, nonces, code, storage) and Ethereum receipts / TxResult metadata.

Execution runs through go-ethereum core.ApplyMessage on a new SDK-free nativeStateDB backed by StateReader / MemoryState. Block-level policy covers min gas price, optional nonce/gas-price checks, and BLOCKHASH limited to the parent hash for now.

When OCCWorkers > 1 and there are no registered custom precompiles, txs can run speculatively in parallel with read/write conflict detection; on conflict or gas-limit violations the executor falls back to sequential execution. Custom precompile addresses in the registry are wired as fail-closed placeholders returning ErrCustomPrecompilesOpen.

A precompiles subpackage defines the future SDK-free precompile Registry, Context, and State API. Documentation in README.md describes the I/O contract and known gaps (full precompile port, durable state backend, historical block hashes).

^{Reviewed by Cursor Bugbot for commit 10c3108. Bugbot is set up for automated code reviews on this repo. Configure here.}

[philipsu522]

does "SDK" mean Cosmos?

[codchen]

yep

[philipsu522]

do we need to set acct.Created = false?

[codchen]

Created is used to decided whether SelfDestruct6780 should early return, and I think the behavior of SelfDestruct6780 is to not early return if selfdestruct is called multiple times, so I think we shouldn't set Created to false upon selfdestruct (consistent with geth)

[philipsu522]

is this dangerous? could someone maliciously set gasLimit = 0 to bypass any limits we may have?

[codchen]

gasLimit here is the block gas limit, so it'd be decided by consensus and not set by tx senders

[philipsu522]

this is a lot of critical state changing code. i think we need a lot of tests here. Could we use AI to generate a ton of unit cases, interleaving ordering of contract creation/deletion, invalid txs (out of gas, invalid state transition, invalid nonce, verify receipt outputs...etc).

[cursor]

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Want higher recall? High effort reviews run extra passes and find more bugs. A team admin can switch effort levels in the Cursor dashboard.

^{Reviewed by Cursor Bugbot for commit 5e36ab5. Configure here.}

[cursor]

Self-destruct omits unstaged storage

High Severity

When a contract is self-destructed or recreated via CreateAccount, Finalise clears only the in-memory storage map. ChangeSet compares storage using keys from base.Storage, which is populated lazily via ensureStorage. Slots that still exist in the persistent StateReader but were never read or written in that block never appear in the changeset, so ApplyChangeSet leaves orphaned storage at that address.

Additional Locations (1)

• giga/evmonly/state_db.go#L132-L140

 

^{Reviewed by Cursor Bugbot for commit 5e36ab5. Configure here.}

[seidroid]

A new, self-contained giga/evmonly package adds an SDK-free EVM-only block executor with a go-ethereum-backed vm.StateDB, changeset output, receipts, and extensive tests. It is not wired into the production app path, but contains two genuine EVM-semantics correctness bugs (EXTCODEHASH for existing code-less accounts, and storage clearing on legacy SELFDESTRUCT/SetStorage) plus a notable per-snapshot deep-copy performance cost that should be addressed before this becomes the live giga path.

Findings: 2 blocking | 5 non-blocking | 3 posted inline

Blockers

• None at the file/PR level.
• 2 blocking issue(s) flagged inline on specific lines.

Non-blocking

• cursor-review.md was empty — the Cursor second-opinion pass produced no output, so only this review and Codex's findings were merged.
• GetStorageRoot always returns the zero hash, so the CREATE/CREATE2 collision check (nonce != 0 || codeHash != EmptyCodeHash || storageRoot != EmptyRootHash) can miss collisions against a pre-existing account that has storage but no code/nonce. Combined with the GetCodeHash issue this narrows collision detection to nonce-only for storage-only accounts. Edge case, but worth documenting alongside the known limitations.
• EIP-158/161 empty-account deletion is not implemented in Finalise (touched-but-empty accounts are not pruned). For the value-based changeset this is mostly benign since no diff is recorded, but it diverges from go-ethereum StateDB semantics and is worth a note in the README limitations.
• Consider adding tests that exercise the two correctness gaps above: EXTCODEHASH against a funded code-less EOA (expect EmptyCodeHash, not 0x0), and a legacy SELFDESTRUCT of a pre-existing contract whose persisted storage slots were never read in-block (expect deletes in the changeset).
• 1 suggestion(s)/nit(s) flagged inline on specific lines.

[seidroid]

[blocker] EXTCODEHASH semantics bug: this returns common.Hash{} (0x0) whenever code is empty, conflating "account does not exist" with "account exists but has no code". go-ethereum's StateDB returns types.EmptyCodeHash (keccak256 of empty) for an existing account with no code and only common.Hash{} for a non-existent account. As written, EXTCODEHASH on a funded/active EOA returns 0x0 instead of the empty-code hash, so contracts observe incorrect account existence/code state. Distinguish existence (e.g. via Exist(addr)) and return types.EmptyCodeHash for existing code-less accounts.

[seidroid]

[blocker] The changeset only diffs storage keys present in base.Storage/acct.Storage, and base.Storage is populated lazily only for slots read via ensureStorage. When Finalise clears a self-destructed account (legacy SELFDESTRUCT) or SetStorage resets an account, persisted slots that were never read in-block are in neither map, so no delete is emitted for them. Applying the changeset to durable state then leaves stale storage behind. Because the backend is key-addressable with no range reads, the executor cannot enumerate those slots — this needs an explicit account-clear/delete signal in the changeset (or a documented constraint) rather than per-slot diffs.

[seidroid]

[suggestion] Snapshot() deep-copies the entire accounts, base, logs, accessList, transientStates, and preimages on every call, and the EVM snapshots on every CALL/CREATE/STATICCALL. This is O(touched-state) per snapshot and will be a severe performance cliff for any non-trivial contract execution. Acceptable for the sequential placeholder, but flag it as a known cost — a journal/undo-log approach (as in go-ethereum) will be needed before this is the live giga path.

[seidroid]

This new, isolated giga/evmonly EVM-only executor is well-structured and well-tested, but contains correctness bugs that diverge from go-ethereum semantics: stale committed-state reads across transactions, an OCC validation gap on per-tx gas reservation, and incorrect EXTCODEHASH for empty-but-existing accounts. The package is not yet wired into app.go (non-app-hash-breaking), so these are not yet consensus-affecting, but must be fixed before integration.

Findings: 2 blocking | 4 non-blocking | 3 posted inline

Blockers

• None at the file/PR level.
• 2 blocking issue(s) flagged inline on specific lines.

Non-blocking

• cursor-review.md is empty — the Cursor second-opinion pass produced no output, so its findings could not be merged.
• Performance/observability: in executeBlockOCC, every transaction that pays a non-zero fee writes the coinbase balance, so the read/write conflict index will mark a coinbase conflict on virtually every multi-tx block and force a full fallback to sequential execution. With real (non-zero) base fees / tips this defeats the OCC fast path entirely. Consider special-casing coinbase fee accrual (e.g. commutative balance additions) and/or logging when OCC falls back so the regression is observable.
• The exported SetTxContext(hash, index) (state_db.go:519) does not set txIndexUint, while the executor relies on the unexported setTxContext(hash, index, indexUint). The exported method is part of the vm.StateDB surface; if any future caller uses it, logs will get a stale/zero TxIndex. Worth unifying or documenting why two variants exist.
• 1 suggestion(s)/nit(s) flagged inline on specific lines.

[seidroid]

[blocker] GetCommittedState always reads from base, which is the pre-block snapshot and is never advanced between transactions (Finalise does not update base). go-ethereum's GetCommittedState must return the slot value as of the start of the current transaction — i.e. it must reflect writes committed by earlier transactions in the same block (geth checks pendingStorage before originStorage). As written, a later transaction's SSTORE net-gas/refund accounting (EIP-2200/3529) uses the block-start value instead of the current-tx-start value, producing incorrect gas used, receipts, and potentially divergent results when two transactions in a block touch the same slot. Add a per-transaction "committed" layer that is advanced on Finalise, rather than reading the block-base directly.

[seidroid]

[blocker] Each speculative transaction is given a fresh full-block gas pool (AddGas(gasLimit)), and validateOCCResults only checks cumulative actual gasUsed against the block gas limit (occ.go:137). Sequential execution instead reserves each tx's GasLimit from a shared pool up front (gp.SubGas(msg.GasLimit) in ApplyMessage). These disagree: e.g. two non-conflicting transfers each with GasLimit=90k in a 100k block each use ~21k, so OCC validation passes (42k ≤ 100k) and commits a block that sequential execution would reject with ErrGasLimitReached after the first tx reserves 90k. OCC must reproduce the sequential gas-reservation semantics (track cumulative reserved msg.GasLimit, not just used gas) or it can accept invalid blocks.

[seidroid]

[suggestion] GetCodeHash returns the zero hash for every account with empty code. Ethereum semantics require zero only for non-existent accounts; an account that exists (non-zero nonce or balance) but has no code must return types.EmptyCodeHash (keccak256 of empty). As written, EXTCODEHASH on a funded codeless account returns 0 instead of EmptyCodeHash, diverging from geth and the existing x/evm keeper. Return types.EmptyCodeHash for existing-but-codeless accounts and zero only when the account is empty/non-existent.