feat: transactions with retry

[sbackend123]

Checklist

• I have read the coding guide.
• My change requires a documentation update, and I have done it.
• I have added tests to cover my changes.
• I have filled out the description and linked the related issues.

Description

Add automatic gas-fee retry for Ethereum transactions in Bee. Transactions that stay unconfirmed are re-broadcast with the same nonce and an escalated priority fee, using dynamic fees from eth_feeHistory. Retry behaviour is configurable, survives node restarts, and is used for redistribution and postage operations.

Diagram in miro

What changed

1. Transaction retry (pkg/transaction)
   New SendWithRetry on the transaction service: sends EIP-1559 transactions with dynamic fee estimation from eth_feeHistory and automatic escalation across priority tiers. Requires automatic gas pricing: a request carrying an explicit Gas-Price is rejected.

Fees are derived from fresh fee history (default window: last 100 blocks) at percentiles 10 / 50 / 90, mapped to tiers low / market / aggressive. maxFeePerGas = 2 × baseFee + tip.

Sending walks a tier range [start_tier … end_tier]. Each tier gets 2 broadcast attempts (internal constant). If no receipt arrives within the retry delay, the tx is rebroadcast — reusing the same nonce — at the same tier (with fresh fee history) or escalated to the next tier once the per-tier budget is spent.

Persists retry state in the state store and resumes in-flight retries after restart, skipping nonces already confirmed on-chain.

Stops on non-retryable errors.

2. Configuration (cmd/bee, pkg/node)
   CLI flags (defaults: start market, ceiling aggressive, 1 min delay, no price cap):

--transaction-fee-priority — starting fee tier (low / market / aggressive), default market
--transaction-fee-priority-max — escalation ceiling tier, default aggressive
--transaction-retry-delay — wait for a receipt before escalating, default 1m
--transaction-fee-max-tx-price-wei — max maxFeePerGas in wei, 0 = no limit
--fee-history-block-count — fee-history window depth, default 100

Constraint: priority <= priority-max, otherwise the node fails to start. Number of attempts per tier and the +15% bump are internal, not exposed as flags.

3. Call sites
   Redistribution (pkg/storageincentives/redistribution): commit / reveal / claim use SendWithRetry via sendAndWait. Config-only — no header overrides.

Postage (pkg/postage/postagecontract): batch create, top-up, dilute, approve use SendWithRetry when retry is not disabled; otherwise fall back to Send + WaitForReceipt.

More detailed description is in doc

Open API Spec Version Changes (if applicable)

Motivation and Context (Optional)

Related Issue (Optional)

#5114

Screenshots (if appropriate):

AI Disclosure

• This PR contains code that has been generated by an LLM.
• I have reviewed the AI generated code thoroughly.
• I possess the technical expertise to responsibly review the code generated in this PR.

[acud]

lots and lots of code here, i think some complexity can be reduced and readability can be improved

[acud]

since we already have the same logic in the cmd package (which precedes this package execution on runtime), wouldn't it make sense to build the config just once and pass it to this package as the right type?

[acud]

i find this a bit confusing. why do we need this? why not just inject the default value and eliminate the choices here?

[acud]

slight headache from this method: long variable names and this comment that tries to explain it all makes it really difficult to read for the amount of lines that it has. i'd rather convert this comment to inline comments explaining the branching, and reduce the variable/method names in the PR in general (adding more words to the method name doesn't necessarily add value when reading it)

[acud]

this is really hard to review. i'm not sure about this. also, i'm not sure i fully understand why statestore persistence is needed. do we really need to persist all of the data every time we submit a transaction? apart from the nonce and the transaction data, there's no guarantee that the extra data persisted around a transaction will be relevant once a node restarts (it can just be again inferred via RPC calls and configuration)

[sbackend123]

We discussed this briefly on the call, but leaving it here for the record:

I think persistence is needed because:

1. We choose the next transaction nonce based in part on the transactions we are currently tracking. In this case, we cannot avoid persisting the transaction altogether. And we cannot persist it only once — with each rebroadcast the hash changes because the fees change, and from a monitoring perspective we would end up with several “stuck” transactions sharing the same nonce.

2. With the default 1 min delay, in the worst case — even with just two adjacent tiers (low → market, market → aggressive) and a price spike — retries can take 3–4 minutes. If the node is shut down during that window, the transaction may already be in the mempool and even mined, but user would have no way to know. As a result, user would send it again and lose fees, and that is exactly the scenario we are trying to avoid in the first place.

[acud]

the mining while node is shut down is a separate use case that needs to be handled separately by the startup logic. what i meant is that if the node is offline, the fee pricing fee goes "out-of-fashion" just because the fee snapshot may be completely different with different values once you start the node next time.

[acud]

why do we need the register call? why can't you just use t.logger

[acud]

why are you using t.logger here and not loggerV1, not sure why both usages are needed

[acud]

quite a few cases here of log and return error which is against the style guide. in general a bit too much logging i'd say, not sure if this is needed for merging into trunk but ok for now if it is needed for debugging purposes

[acud]

notRetriable?

[martinconic]

Gas-Price header is broken for postage stamp ops. SendWithRetry rejects any request with an explicit GasPrice (send_tx_with_retry.go:51-56), but the postage call sites (postagecontract/contract.go:168 and :212) still copy GasPrice from the header and route to SendWithRetry by default. So POST /stamps/... with Gas-Price set and no Disable-Retry always fails and since the error isn't a matched sentinel, it surfaces as an opaque HTTP 500 instead of a 400. This is a regression (the old Send path honored Gas-Price) and it affects bee-js.

[sbackend123]

Thanks for catching that.

I see three possible approaches:

1. Make the error explicit and add Disable-Retry usage in bee-js when Gas-Price is set. This is a breaking change, but on the other hand we are introducing new functionality.

2. If Gas-Price is set, automatically route to Send without retry.

3. Keep the old behavior as the default, and instead of a Disable-Retry flag, introduce the opposite — e.g. a With-Retry opt-in flag.

Given existing clients, option 3 seems the most logical to me. I don’t like option 2 because it’s implicit behavior, and we may end up having to revisit it in a later release anyway — which would likely bring us back to option 1.

@gacevicljubisa WDYT?

[gacevicljubisa]

Gas-Price is a spend ceiling, retry contradicts it, and it should act as a client override. I would go with option 2. I would even consider droping the Disable-Retry, if you set Gas-Price you've already opted out of retry. If Gas-Price is not used, pricing is given to the node and retry is just part of that. But we should document this in Swarm.yaml that Gas-Price disables escalation.

[martinconic]

This PR adds new API headers like Disable-Retry and Fee-Priority, but they're not documented in the OpenAPI spec. Please add all necessary parameters in the corresponding yaml files

[martinconic]

Both To and Value and will cause a panic if nil, right?

[gacevicljubisa]

The same floor should apply to the fee cap as well, not only for the tip?

[gacevicljubisa]

Previous attempt for gas limit as well can be reused

[gacevicljubisa]

if keepLast, should we call t.waitForPendingTx(state.LastTxHash) because the last one may still be mined?

[acud]

this is now just used in one place (agent.go) and i wonder if that callsite also needs to be migrated or if it is covered in a subsequent PR

[acud]

not to slow things down about this, but if there's no entries here, does it mean that all subsequent transactions sent using this quantile's tip value will fail because the value they're using is 0?

[acud]

what's this function needed for? why can't you just inline the inner unexported function here?

[acud]

nit: i have a feeling this is a little bit misplaced. also, the fact that another metrics collector has been created here (which also partially overlaps with the metrics collector in the wrapped package smells like it should really be there alongside, and you should just reuse the existing metrics collector there.

[acud]

so if the suggest gas fee failed for whatever reason, then the whole transaction is fail and not even sent? there is a soft-fail there which fails when fh is empty

[acud]

danger... this will only unlock once the whole method runs to completion.
see example here: https://go.dev/play/p/Cg6j6EpNtKl

[acud]

the mining while node is shut down is a separate use case that needs to be handled separately by the startup logic. what i meant is that if the node is offline, the fee pricing fee goes "out-of-fashion" just because the fee snapshot may be completely different with different values once you start the node next time.

[acud]

don't understand what is monitorLast... it is just a bool, what does it mean

[acud]

are you sure you're not ending up with stale zombie db records here? for me this bool toggle is a bit tricky since the downstream logic may or may not remove some of the database records and that may lead to statestore growth. i see that there is some unit test coverage for db entry assertion (for deletion) but it's another 1000 lines of machine written code to go through