fix(spec-specs): Track code per auth; filter pre at tx frame

Author: fselmo

src/ethereum/forks/amsterdam/block_access_lists/builder.py

@@ -515,8 +515,7 @@ def build_block_access_list(
         add_nonce_change(builder, address, block_access_index, new_nonce)
 
     # Add all code changes
-    # Net-zero filtering for code changes should happen at the
-    # transaction level (in merge_on_success), not at the block level.
+    # Filtering happens at transaction level in eoa_delegation.py
     for (
         address,
         block_access_index,

src/ethereum/forks/amsterdam/state.py

@@ -655,6 +655,53 @@ def write_code(sender: Account) -> None:
         track_code_change(state_changes, address, code)
 
 
+def set_authority_code(
+    state: State,
+    address: Address,
+    code: Bytes,
+    state_changes: StateChanges,
+    current_code: Bytes,
+) -> None:
+    """
+    Sets authority account code for EIP-7702 delegation.
+
+    This function is used specifically for setting authority code within
+    EIP-7702 Set Code Transactions. Unlike set_code(), it tracks changes based
+    on the current code rather than pre_code to handle multiple authorizations
+    to the same address within a single transaction correctly.
+
+    Parameters
+    ----------
+    state:
+        The current state.
+
+    address:
+        Address of the authority account whose code needs to be set.
+
+    code:
+        The delegation designation bytecode to set.
+
+    state_changes:
+        State changes frame for tracking (EIP-7928).
+
+    current_code:
+        The current code before this change. Used to determine if tracking
+        is needed (only track if code actually changes from current value).
+
+    """
+
+    def write_code(sender: Account) -> None:
+        sender.code = code
+
+    modify_state(state, address, write_code)
+
+    # Only track if code is actually changing from current value
+    # This allows multiple auths to same address to be tracked individually
+    # Net-zero filtering happens in commit_transaction_frame
+    if current_code != code:
+        track_code_change(state_changes, address, code)
+
+
 def get_storage_original(state: State, address: Address, key: Bytes32) -> U256:
     """
     Get the original value in a storage slot i.e. the value before the current

src/ethereum/forks/amsterdam/state_tracker.py

@@ -372,7 +372,7 @@ def merge_on_success(child_frame: StateChanges) -> None:
             parent_frame.pre_storage[slot] = value
     for addr, code in child_frame.pre_code.items():
         if addr not in parent_frame.pre_code:
-            parent_frame.pre_code[addr] = code
+            capture_pre_code(parent_frame, addr, code)
 
     # Merge storage operations, filtering noop writes
     parent_frame.storage_reads.update(child_frame.storage_reads)
@@ -458,9 +458,13 @@ def commit_transaction_frame(tx_frame: StateChanges) -> None:
     for addr, idx, nonce in tx_frame.nonce_changes:
         block_frame.nonce_changes.add((addr, idx, nonce))
 
-    # Merge code changes
+    # Merge code changes - filter net-zero changes within the transaction
+    # Compare final code against transaction's pre-code
     for (addr, idx), final_code in tx_frame.code_changes.items():
-        block_frame.code_changes[(addr, idx)] = final_code
+        pre_code = tx_frame.pre_code.get(addr, b"")
+        if pre_code != final_code:
+            block_frame.code_changes[(addr, idx)] = final_code
+        # else: Net-zero change within this transaction - skip
 
 
 def merge_on_failure(child_frame: StateChanges) -> None:

src/ethereum/forks/amsterdam/vm/eoa_delegation.py

@@ -14,7 +14,12 @@
 
 # track_address_access removed - now using state_changes.track_address()
 from ..fork_types import Address, Authorization
-from ..state import account_exists, get_account, increment_nonce, set_code
+from ..state import (
+    account_exists,
+    get_account,
+    increment_nonce,
+    set_authority_code,
+)
 from ..state_tracker import capture_pre_code, track_address
 from ..utils.hexadecimal import hex_to_address
 from ..vm.gas import GAS_COLD_ACCOUNT_ACCESS, GAS_WARM_ACCESS
@@ -253,8 +258,16 @@ def set_delegation(message: Message) -> U256:
             or message.block_env.block_state_changes
         )
 
+        # Capture pre-code before any changes (first-write-wins)
         capture_pre_code(state_changes, authority, authority_code)
-        set_code(state, authority, code_to_set, state_changes)
+
+        # Set delegation code
+        # Uses authority_code (current) for tracking to handle multiple auths
+        # Net-zero filtering happens in commit_transaction_frame
+        set_authority_code(
+            state, authority, code_to_set, state_changes, authority_code
+        )
+
         increment_nonce(state, authority, state_changes)
 
     if message.code_address is None:

tests/amsterdam/eip7928_block_level_access_lists/test_block_access_lists_eip7702.py

@@ -663,3 +663,168 @@ def test_bal_7702_null_address_delegation_no_code_change(
             bob: Account(balance=10),
         },
     )
+
+
+def test_bal_7702_double_auth_reset(
+    pre: Alloc,
+    blockchain_test: BlockchainTestFiller,
+) -> None:
+    """
+    Ensure BAL captures the net code change when multiple authorizations
+    occur in the same transaction (double auth).
+
+    This test verifies that when:
+    1. First auth sets delegation to CONTRACT_A
+    2. Second auth resets delegation to empty (address 0)
+
+    The BAL should show the NET change (empty -> empty), not intermediate
+    states. This is a regression test for the bug where the BAL showed
+    the first auth's code but the final state was empty.
+    """
+    alice = pre.fund_eoa()
+    bob = pre.fund_eoa(amount=0)
+    relayer = pre.fund_eoa()
+
+    contract_a = pre.deploy_contract(code=Op.STOP)
+
+    # Transaction with double auth:
+    # 1. First sets delegation to contract_a
+    # 2. Second resets to empty
+    tx = Transaction(
+        sender=relayer,
+        to=bob,
+        value=10,
+        gas_limit=1_000_000,
+        gas_price=0xA,
+        authorization_list=[
+            AuthorizationTuple(
+                address=contract_a,
+                nonce=0,
+                signer=alice,
+            ),
+            AuthorizationTuple(
+                address=0,  # Reset to empty
+                nonce=1,
+                signer=alice,
+            ),
+        ],
+    )
+
+    blockchain_test(
+        pre=pre,
+        blocks=[
+            Block(
+                txs=[tx],
+                expected_block_access_list=BlockAccessListExpectation(
+                    account_expectations={
+                        alice: BalAccountExpectation(
+                            nonce_changes=[
+                                BalNonceChange(tx_index=1, post_nonce=2)
+                            ],
+                            code_changes=[],
+                        ),
+                        bob: BalAccountExpectation(
+                            balance_changes=[
+                                BalBalanceChange(tx_index=1, post_balance=10)
+                            ]
+                        ),
+                        relayer: BalAccountExpectation(
+                            nonce_changes=[
+                                BalNonceChange(tx_index=1, post_nonce=1)
+                            ],
+                        ),
+                        contract_a: None,
+                    }
+                ),
+            )
+        ],
+        post={
+            alice: Account(nonce=2, code=b""),  # Final code is empty
+            bob: Account(balance=10),
+            relayer: Account(nonce=1),
+        },
+    )
+
+
+def test_bal_7702_double_auth_swap(
+    pre: Alloc,
+    blockchain_test: BlockchainTestFiller,
+) -> None:
+    """
+    Ensure BAL captures the net code change when double auth swaps
+    delegation targets.
+
+    This test verifies that when:
+    1. First auth sets delegation to CONTRACT_A
+    2. Second auth changes delegation to CONTRACT_B
+
+    The BAL should show the final code change (empty -> CONTRACT_B),
+    not the intermediate CONTRACT_A.
+    """
+    alice = pre.fund_eoa()
+    bob = pre.fund_eoa(amount=0)
+    relayer = pre.fund_eoa()
+
+    contract_a = pre.deploy_contract(code=Op.STOP)
+    contract_b = pre.deploy_contract(code=Op.STOP)
+
+    tx = Transaction(
+        sender=relayer,
+        to=bob,
+        value=10,
+        gas_limit=1_000_000,
+        gas_price=0xA,
+        authorization_list=[
+            AuthorizationTuple(
+                address=contract_a,
+                nonce=0,
+                signer=alice,
+            ),
+            AuthorizationTuple(
+                address=contract_b,  # Override to contract_b
+                nonce=1,
+                signer=alice,
+            ),
+        ],
+    )
+
+    account_expectations = {
+        alice: BalAccountExpectation(
+            nonce_changes=[BalNonceChange(tx_index=1, post_nonce=2)],
+            code_changes=[
+                # Should show final code (CONTRACT_B), not CONTRACT_A
+                BalCodeChange(
+                    tx_index=1,
+                    new_code=Spec7702.delegation_designation(contract_b),
+                )
+            ],
+        ),
+        bob: BalAccountExpectation(
+            balance_changes=[BalBalanceChange(tx_index=1, post_balance=10)]
+        ),
+        relayer: BalAccountExpectation(
+            nonce_changes=[BalNonceChange(tx_index=1, post_nonce=1)],
+        ),
+        # Neither contract appears in BAL during delegation setup
+        contract_a: None,
+        contract_b: None,
+    }
+
+    blockchain_test(
+        pre=pre,
+        blocks=[
+            Block(
+                txs=[tx],
+                expected_block_access_list=BlockAccessListExpectation(
+                    account_expectations=account_expectations
+                ),
+            )
+        ],
+        post={
+            alice: Account(
+                nonce=2, code=Spec7702.delegation_designation(contract_b)
+            ),
+            bob: Account(balance=10),
+            relayer: Account(nonce=1),
+        },
+    )

tests/amsterdam/eip7928_block_level_access_lists/test_cases.md

@@ -39,7 +39,9 @@
 | `test_bal_7702_invalid_nonce_authorization` | Ensure BAL handles failed authorization due to wrong nonce | `Relayer` sends sponsored transaction to Bob (10 wei transfer succeeds) but Alice's authorization to delegate to `Oracle` uses incorrect nonce, causing silent authorization failure | BAL **MUST** include Alice with empty changes (account access), Bob with `balance_changes` (receives 10 wei), Relayer with `nonce_changes`. **MUST NOT** include `Oracle` (authorization failed, no delegation) | ✅ Completed |
 | `test_bal_7702_invalid_chain_id_authorization` | Ensure BAL handles failed authorization due to wrong chain id | `Relayer` sends sponsored transaction to Bob (10 wei transfer succeeds) but Alice's authorization to delegate to `Oracle` uses incorrect chain id, causing authorization failure before account access | BAL **MUST** include Bob with `balance_changes` (receives 10 wei), Relayer with `nonce_changes`. **MUST NOT** include Alice (authorization fails before loading account) or `Oracle` (authorization failed, no delegation) | ✅ Completed |
 | `test_bal_7702_delegated_via_call_opcode` | Ensure BAL captures delegation target when a contract uses *CALL opcodes to call a delegated account | Pre-deployed contract `Alice` delegated to `Oracle`. `Caller` contract uses CALL/CALLCODE/DELEGATECALL/STATICCALL to call `Alice`. Bob sends transaction to `Caller`. | BAL **MUST** include Bob: `nonce_changes`. `Caller`: empty changes (account access). `Alice`: empty changes (account access - delegated account being called). `Oracle`: empty changes (delegation target access). | ✅ Completed |
-| `test_bal_7702_null_address_delegation` | Ensure BAL does not record spurious code changes for net-zero code operations | Alice sends transaction with authorization delegating to NULL_ADDRESS (0x0), which sets code to `b""` on an account that already has `b""` code. Transaction sends 10 wei to Bob. | BAL **MUST** include Alice with `nonce_changes` (tx nonce + auth nonce increment) but **MUST NOT** include `code_changes` (setting `b"" -> b""` is net-zero and filtered out). Bob: `balance_changes` (receives 10 wei). This ensures net-zero code change is not recorded.
+| `test_bal_7702_null_address_delegation` | Ensure BAL does not record spurious code changes for net-zero code operations | Alice sends transaction with authorization delegating to NULL_ADDRESS (0x0), which sets code to `b""` on an account that already has `b""` code. Transaction sends 10 wei to Bob. | BAL **MUST** include Alice with `nonce_changes` (tx nonce + auth nonce increment) but **MUST NOT** include `code_changes` (setting `b"" -> b""` is net-zero and filtered out). Bob: `balance_changes` (receives 10 wei). This ensures net-zero code change is not recorded. | ✅ Completed |
+| `test_bal_7702_double_auth_reset` | Ensure BAL captures net code change when double auth resets delegation | `Relayer` sends transaction with two authorizations for Alice: (1) First auth sets delegation to `CONTRACT_A` at nonce=0, (2) Second auth resets delegation to empty (address 0) at nonce=1. Transaction sends 10 wei to Bob. Per EIP-7702, only the last authorization takes effect. | BAL **MUST** include Alice with `nonce_changes` (both auths increment nonce to 2) but **MUST NOT** include `code_changes` (net change is empty → empty). Bob: `balance_changes` (receives 10 wei). Relayer: `nonce_changes`. `CONTRACT_A` **MUST NOT** be in BAL (never accessed). This is a regression test for the bug where BAL showed first auth's code despite final state being empty. | ✅ Completed |
+| `test_bal_7702_double_auth_swap` | Ensure BAL captures final code when double auth swaps delegation targets | `Relayer` sends transaction with two authorizations for Alice: (1) First auth sets delegation to `CONTRACT_A` at nonce=0, (2) Second auth changes delegation to `CONTRACT_B` at nonce=1. Transaction sends 10 wei to Bob. Per EIP-7702, only the last authorization takes effect. | BAL **MUST** include Alice with `nonce_changes` (both auths increment nonce to 2) and `code_changes` (final code is delegation designation for `CONTRACT_B`, not `CONTRACT_A`). Bob: `balance_changes` (receives 10 wei). Relayer: `nonce_changes`. Neither `CONTRACT_A` nor `CONTRACT_B` appear in BAL during delegation setup (never accessed). This ensures BAL shows final state, not intermediate changes. | ✅ Completed |
 | `test_bal_sstore_and_oog` | Ensure BAL handles OOG during SSTORE execution at various gas boundaries (EIP-2200 stipend and implicit SLOAD) | Alice calls contract that attempts `SSTORE` to cold slot `0x01`. Parameterized: (1) OOG at EIP-2200 stipend check (2300 gas after PUSH opcodes) - fails before implicit SLOAD, (2) OOG at stipend + 1 (2301 gas) - passes stipend check but fails after implicit SLOAD, (3) OOG at exact gas - 1, (4) Successful SSTORE with exact gas. | For case (1): BAL **MUST NOT** include slot `0x01` in `storage_reads` or `storage_changes` (fails before implicit SLOAD). For cases (2) and (3): BAL **MUST** include slot `0x01` in `storage_reads` (implicit SLOAD occurred) but **MUST NOT** include in `storage_changes` (write didn't complete). For case (4): BAL **MUST** include slot `0x01` in `storage_changes` only (successful write; read is filtered by builder). | ✅ Completed |
 | `test_bal_sstore_static_context` | Ensure BAL does not capture spurious storage access when SSTORE fails in static context | Alice calls contract with `STATICCALL` which attempts `SSTORE` to slot `0x01`. SSTORE must fail before any storage access occurs. | BAL **MUST NOT** include slot `0x01` in `storage_reads` or `storage_changes`. Static context check happens before storage access, preventing spurious reads. Alice has `nonce_changes` and `balance_changes` (gas cost). Target contract included with empty changes. | ✅ Completed |
 | `test_bal_sload_and_oog` | Ensure BAL handles OOG during SLOAD execution correctly | Alice calls contract that attempts `SLOAD` from cold slot `0x01`. Parameterized: (1) OOG at SLOAD opcode (insufficient gas), (2) Successful SLOAD execution. | For OOG case: BAL **MUST NOT** contain slot `0x01` in `storage_reads` since storage wasn't accessed. For success case: BAL **MUST** contain slot `0x01` in `storage_reads`. | ✅ Completed |