Txpool Rate Limiting & DoS Guardrails

Source: src/txpool.rs, docs-site/src/content/docs/internals/txpool-policy.md

Overview

The txpool enforces gas‑weighted rate limiting to prevent sender‑level DoS and memory exhaustion. This replaces simple count‑based limits as the primary guardrail.

The policy combines:

Per‑sender gas budget (primary limit)
Per‑sender tx count (secondary limit)
Per‑lane queue length (nonce lane guard)
Global pool size / eviction rules

Gas‑Weighted Rate Limit (Primary)

Each sender has a budget max_gas_per_sender. The pool computes a rate‑limit cost per tx:

rate_limit_cost = base_cost + (gas_limit * weight_bps / 10_000)

Defaults (see txpool::Config):

max_gas_per_sender = 100_000_000
gas_rate_limit_base_cost = 21_000
gas_rate_limit_weight_bps = 10_000 (1:1)

If current_sender_gas + rate_limit_cost > max_gas_per_sender, the tx is rejected and the txpool_gas_rate_limited_total metric is incremented.

Secondary Limits

These limits apply after the gas‑budget check:

max_txs_per_sender: cap on total pending txs per sender
max_txs_per_lane: cap on pending txs in a (sender, nonce_space) lane
max_lanes_per_sender: cap on lane proliferation

Eviction Policy

When the pool exceeds max_txs, eviction removes the lowest fee entries first, using (max_fee, priority_tip) as the primary key and (inserted_at_ms, tx_hash) as a tiebreaker.

Sealed (private) mempool entries are evicted FIFO by arrival time.

Metrics

txpool_gas_rate_limited_total: total gas‑rate‑limit rejections
txpool_inserts_total: total inserts by result (inserted, rejected, evicted)

Tuning Guidance

If the pool is too permissive (spam risk):

Lower max_gas_per_sender
Increase gas_rate_limit_base_cost
Decrease max_txs_per_sender

If the pool is too strict (legit txs rejected):

Increase max_gas_per_sender
Lower gas_rate_limit_base_cost

docs-site/src/content/docs/internals/txpool-policy.md
docs-site/src/content/docs/reference/rpc-api.md