security: PQVM-01 CREATE nonce, C-2 batch gas pre-check, PQVM-02/03 intrinsic gas

[LucienSong]

Summary

• Fix PQVM-01 in crates/pqvm-interpreter/src/lib.rs:969-1019 by rejecting CREATE collisions when the derived target already has code or storage, and by incrementing the creator nonce only after successful deployment state writes.
• Fix C-2 in crates/pqvm-precompiles/src/lib.rs:16,101-115,206-250 by adding MAX_BATCH_SIGNATURES, parsing the batch count up front, charging ML_DSA_65_BATCH_VERIFY gas before verification work, and rejecting oversized batches.
• Fix PQVM-02/03 in crates/pqvm/src/lib.rs:134-315 by computing intrinsic gas (including calldata cost), escrowing gas_limit * max_fee before execution, refunding unused gas, and limiting signature verification to the post-intrinsic gas budget instead of u64::MAX.
• Add regression coverage in crates/pqvm-interpreter/src/lib.rs:1776-1874, crates/pqvm-precompiles/src/lib.rs:314-372, and crates/pqvm/src/lib.rs:532-596.

Validation

• cargo fmt --all -- --check
• cargo clippy --workspace -- -D warnings
• cargo test --workspace

Impact-Deferred

• shell-chain: Not run in this PQVM security-fix session; downstream cargo test --workspace / make e2e remain to be executed against the updated executor.
• shell-sdk: Not run in this PQVM security-fix session; downstream SDK/API validation remains pending.
• shell-dex: Not run in this PQVM security-fix session; downstream frontend smoke/build checks remain pending.
• shell-explorer: Not run in this PQVM security-fix session; downstream decode/render smoke checks remain pending.
• shella-chrome-wallet: Not run in this PQVM security-fix session; downstream sign/send and keystore checks remain pending.
• shell-site: Not run in this PQVM security-fix session; downstream docs/build/link checks remain pending.
• shell-chain-white-paper: Not updated here; if these gas-accounting semantics are intended as spec changes, the illustrative text should be reviewed separately.

[Copilot]

Pull request overview

This PR implements several security hardenings across PQVM transaction execution, precompiles, and the interpreter, with accompanying regression tests. It primarily tightens CREATE collision rules, adds batch signature size/gas pre-checks, and enforces intrinsic gas + bounded signature verification within the transaction gas budget.

Changes:

• Add intrinsic gas calculation (incl. calldata costs), escrow gas_limit * max_fee, refund unused gas fees, and cap signature verification gas to the post-intrinsic budget.
• Add MAX_BATCH_SIGNATURES and upfront batch-count parsing + gas charging for ML_DSA_65_BATCH_VERIFY, rejecting oversized batches.
• Reject CREATE collisions when the derived target has existing code or storage, and adjust nonce increment timing; add has_storage to the DB trait/state plus regression coverage.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
crates/pqvm/tests/conformance_vectors.rs	Updates conformance checks for new gas constants and DB trait (has_storage) in test scaffolding.
crates/pqvm/src/lib.rs	Implements intrinsic gas + fee escrow/refund and limits signature verification gas; adds related tests.
crates/pqvm-state/src/lib.rs	Extends PqvmDatabase with has_storage and adds a PqvmState implementation.
crates/pqvm-precompiles/src/lib.rs	Adds batch-size limit + pre-charged gas behavior for batch signature verification; adds tests.
crates/pqvm-interpreter/src/lib.rs	Adds CREATE collision detection (code/storage) and defers creator nonce increment until successful deployment; adds tests.
crates/pqvm-gas/src/lib.rs	Introduces calldata byte gas constants used by intrinsic gas calculation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.