SeismicSystems · matthias-wright · Mar 12, 2026 · Mar 9, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/application/src/actor.rs b/application/src/actor.rs
@@ -46,6 +46,7 @@ pub struct Actor<
     built_block: Arc<Mutex<Option<(Block, Round)>>>,
     genesis_hash: [u8; 32],
     epocher: ES,
+    allowed_timestamp_future_ms: u64,
     cancellation_token: CancellationToken,
     _scheme_marker: PhantomData<S>,
     _key_marker: PhantomData<P>,
@@ -76,6 +77,7 @@ impl<
                 built_block: Arc::new(Mutex::new(None)),
                 genesis_hash,
                 epocher: cfg.epocher,
+                allowed_timestamp_future_ms: cfg.allowed_timestamp_future.as_millis() as u64,
                 cancellation_token: cfg.cancellation_token,
                 _scheme_marker: PhantomData,
                 _key_marker: PhantomData,
@@ -234,7 +236,8 @@ impl<
                                 let mut syncer = syncer.clone();
                                 let mut finalizer_clone = finalizer.clone();
                                 let epocher = self.epocher.clone();
-                                move |_| async move {
+                                let allowed_timestamp_future_ms = self.allowed_timestamp_future_ms;
+                                move |context| async move {
                                     let requester = try_join(parent_request, block_request);
                                     select! {
                                         result = requester => {
@@ -278,7 +281,8 @@ impl<
                                                     histogram!("handle_verify_aux_data_duration_millis").record(aux_data_duration);
                                                 }
 
-                                                if handle_verify(&block, parent, &epocher, &aux_data) {
+                                                let now_millis = context.current().epoch_millis();
+                                                if handle_verify(&block, parent, &epocher, &aux_data, now_millis, allowed_timestamp_future_ms) {
                                                     // persist valid block
                                                     syncer.verified(round, block).await;
 
@@ -576,6 +580,8 @@ fn handle_verify<ES: Epocher>(
     parent: Block,
     epocher: &ES,
     aux_data: &BlockAuxData,
+    now_millis: u64,
+    allowed_timestamp_future_ms: u64,
 ) -> bool {
     // You can only re-propose the same block if it's the last height in the epoch.
     if parent.digest() == block.digest() {
@@ -598,6 +604,13 @@ fn handle_verify<ES: Epocher>(
         warn!("block timestamp not increasing");
         return false;
     }
+    if block.timestamp() > now_millis + allowed_timestamp_future_ms {
+        warn!(
+            block_timestamp = block.timestamp(),
+            now_millis, allowed_timestamp_future_ms, "block timestamp too far in the future"
+        );
+        return false;
+    }
 
     // Validate consensus trie state root
     if block.header.parent_beacon_block_root != aux_data.state_root {

diff --git a/application/src/config.rs b/application/src/config.rs
@@ -1,4 +1,5 @@
 use commonware_consensus::types::Epocher;
+use std::time::Duration;
 use summit_types::EngineClient;
 use tokio_util::sync::CancellationToken;
 
@@ -17,5 +18,11 @@ pub struct ApplicationConfig<C: EngineClient, ES: Epocher> {
     /// Epocher for determining epoch boundaries.
     pub epocher: ES,
 
+    /// Maximum allowed delta between a block's timestamp and the
+    /// local wall clock. Blocks with timestamps that differ from
+    /// the local time by more than this are rejected during
+    /// verification.
+    pub allowed_timestamp_future: Duration,
+
     pub cancellation_token: CancellationToken,
 }
diff --git a/node/src/engine.rs b/node/src/engine.rs
@@ -42,6 +42,7 @@ const BUFFER_POOL_PAGE_SIZE: u16 = 4_096; // 4KB
 const BUFFER_POOL_CAPACITY: NonZero<usize> = NZUsize!(8_192); // 32MB
 const PRUNABLE_ITEMS_PER_SECTION: NonZero<u64> = NZU64!(4_096);
 const IMMUTABLE_ITEMS_PER_SECTION: NonZero<u64> = NZU64!(262_144);
+const ALLOWED_TIMESTAMP_FUTURE: Duration = Duration::from_secs(10);
 const FREEZER_TABLE_RESIZE_FREQUENCY: u8 = 4;
 const FREEZER_TABLE_RESIZE_CHUNK_SIZE: u32 = 2u32.pow(16); // 3MB
 const FREEZER_JOURNAL_TARGET_SIZE: u64 = 1024 * 1024 * 1024; // 1GB
@@ -172,6 +173,7 @@ where
                 partition_prefix: cfg.partition_prefix.clone(),
                 genesis_hash: cfg.genesis_hash,
                 epocher: epocher.clone(),
+                allowed_timestamp_future: ALLOWED_TIMESTAMP_FUTURE,
                 cancellation_token: cancellation_token.clone(),
             },
         )