Fix QBFT ProposalPayload backward compatibility with pre-26.1.0 Besu versions (#9977)

jframe · web-flow · commit 4721226ed93c · 2026-03-06T11:04:48.000+10:00
Signed-off-by: Jason Frame &lt;jason.frame@consensys.net&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 
 ### Bug fixes
 - BFT forks that change block period on time-based forks don't take effect [9681](https://github.com/hyperledger/besu/issues/9681)
+- Fix QBFT `RLPException` when decoding proposals from pre-26.1.0 nodes that do not include the `blockAccessList` field [#9977](https://github.com/hyperledger/besu/pull/9977)
 
 ### Additions and Improvements
 - Add IPv6 dual-stack support for DiscV5 peer discovery (enabled via `--Xv5-discovery-enabled`): new `--p2p-host-ipv6`, `--p2p-interface-ipv6`, and `--p2p-port-ipv6` CLI options enable a second UDP discovery socket; `--p2p-ipv6-outbound-enabled` controls whether IPv6 is preferred for outbound connections when a peer advertises both address families [#9763](https://github.com/hyperledger/besu/pull/9763); RLPx now also binds a second TCP socket on the IPv6 interface so IPv6-only peers can establish connections [#9873](https://github.com/hyperledger/besu/pull/9873)
diff --git a/consensus/qbft-core/src/main/java/org/hyperledger/besu/consensus/qbft/core/payload/ProposalPayload.java b/consensus/qbft-core/src/main/java/org/hyperledger/besu/consensus/qbft/core/payload/ProposalPayload.java
@@ -154,6 +154,10 @@ public String toString() {
   }
 
   private static Optional<BlockAccessList> readBlockAccessList(final RLPInput rlpInput) {
+    if (rlpInput.isEndOfCurrentList()) {
+      // Backward compatibility: pre-26.1.0 messages do not include blockAccessList
+      return Optional.empty();
+    }
     if (!rlpInput.nextIsNull()) {
       return Optional.of(BlockAccessListDecoder.decode(rlpInput));
     }
diff --git a/consensus/qbft-core/src/test/java/org/hyperledger/besu/consensus/qbft/core/messagewrappers/ProposalTest.java b/consensus/qbft-core/src/test/java/org/hyperledger/besu/consensus/qbft/core/messagewrappers/ProposalTest.java
@@ -33,6 +33,8 @@
 import org.hyperledger.besu.datatypes.Address;
 import org.hyperledger.besu.ethereum.core.Util;
 import org.hyperledger.besu.ethereum.mainnet.block.access.list.BlockAccessList;
+import org.hyperledger.besu.ethereum.rlp.RLPInput;
+import org.hyperledger.besu.ethereum.rlp.RLPOutput;
 
 import java.util.List;
 import java.util.Optional;
@@ -104,6 +106,54 @@ private SignedData<RoundChangePayload> createRoundChange(final NodeKey nodeKey)
         nodeKey.sign(Bytes32.wrap(roundChangePayload.hashForSignature().getBytes())));
   }
 
+  @Test
+  public void canDecodeProposalMessageFromLegacyNodeWithoutBlockAccessList() {
+    // Simulate a pre-26.1.0 validator that encodes ProposalPayload WITHOUT the blockAccessList
+    // field.
+    // Old format payload list: [seqNum, roundNum, block]       (3 items)
+    // New format payload list: [seqNum, roundNum, block, null] (4 items)
+
+    // The mock must consume the block bytes written by the legacy writeTo override, otherwise the
+    // RLP cursor remains on the block hash and readBlockAccessList sees it instead of end-of-list.
+    when(blockEncoder.readFrom(any()))
+        .thenAnswer(
+            inv -> {
+              inv.<RLPInput>getArgument(0).skipNext();
+              return BLOCK;
+            });
+
+    final NodeKey nodeKey = NodeKeyUtils.generate();
+    final ConsensusRoundIdentifier roundIdentifier = new ConsensusRoundIdentifier(1, 1);
+
+    // ProposalPayload subclass that overrides writeTo() to omit the blockAccessList field,
+    // reproducing the pre-26.1.0 wire format
+    final ProposalPayload oldFormatPayload =
+        new ProposalPayload(roundIdentifier, BLOCK, blockEncoder) {
+          @Override
+          public void writeTo(final RLPOutput output) {
+            output.startList();
+            writeConsensusRound(output);
+            output.writeBytes(BLOCK.getHash().getBytes());
+            // No blockAccessList field — simulates pre-26.1.0 encoding
+            output.endList();
+          }
+        };
+
+    final SignedData<ProposalPayload> signedPayload =
+        SignedData.create(
+            oldFormatPayload,
+            nodeKey.sign(Bytes32.wrap(oldFormatPayload.hashForSignature().getBytes())));
+
+    final Proposal proposal =
+        Proposal.decode(new Proposal(signedPayload, List.of(), List.of()).encode(), blockEncoder);
+
+    assertThat(proposal.getBlockAccessList()).isEmpty();
+    assertThat(proposal.getSignedPayload().getPayload().getRoundIdentifier())
+        .isEqualTo(roundIdentifier);
+    assertThat(proposal.getSignedPayload().getPayload().getProposedBlock().getHash())
+        .isEqualTo(BLOCK.getHash());
+  }
+
   private void assertProposal(
       final Proposal decodedProposal,
       final Address expectedAddr,

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,10 @@ public String toString() {`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`private static Optional<BlockAccessList> readBlockAccessList(final RLPInput rlpInput) {`
	`157`	`+ if (rlpInput.isEndOfCurrentList()) {`
	`158`	`+ // Backward compatibility: pre-26.1.0 messages do not include blockAccessList`
	`159`	`+ return Optional.empty();`
	`160`	`+ }`
`157`	`161`	`if (!rlpInput.nextIsNull()) {`
`158`	`162`	`return Optional.of(BlockAccessListDecoder.decode(rlpInput));`
`159`	`163`	`}`