Slash malevolent validators (#294)

* add slash tx

* ignore unsigned tx replays

* verify that provided evidence is valid

* fix clippy + fmt

* move application tx handling to another module

* partially handle the tendermint txs

* fix pr comments

* support unsigned app txs

* add slash target to the votes

* enforce provided, unsigned, signed tx ordering within a block

* bug fixes

* add unit test for tendermint txs

* bug fixes

* update tests for tendermint txs

* add tx ordering test

* tidy up tx ordering test

* cargo +nightly fmt

* Misc fixes from rebasing

* Finish resolving clippy

* Remove sha3 from tendermint-machine

* Resolve a DoS in SlashEvidence's read

Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.

* Make lazy_static a dev-depend for tributary

* Various small tweaks

One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).

The extra protection added here sorts signed, then concats.

* Fix Tributary tests I broke, start review on tendermint/tx.rs

* Finish reviewing everything outside tests and empty_signature

* Remove empty_signature

empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.

We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.

This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.

* Remove async_sequential for tokio::test

There was no competition for resources forcing them to be run sequentially.

* Modify block order test to be statistically significant without multiple runs

* Clean tests

---------

Co-authored-by: Luke Parker <lukeparker5132@gmail.com>

coordinator/tributary/src/tests/mempool.rs

@@ -1,50 +1,132 @@
-use std::collections::HashMap;
+use std::{sync::Arc, collections::HashMap};
 
 use zeroize::Zeroizing;
 use rand::{RngCore, rngs::OsRng};
 
 use ciphersuite::{group::ff::Field, Ciphersuite, Ristretto};
 
+use tendermint::ext::Commit;
+
 use serai_db::MemDb;
 
 use crate::{
+  transaction::Transaction as TransactionTrait,
+  tendermint::{TendermintBlock, Validators, Signer, TendermintNetwork},
   ACCOUNT_MEMPOOL_LIMIT, Transaction, Mempool,
-  tests::{SignedTransaction, signed_transaction},
+  tests::{
+    SignedTransaction, signed_transaction, p2p::DummyP2p, random_vote_tx, random_evidence_tx,
+  },
 };
 
-fn new_mempool<T: Transaction>() -> ([u8; 32], MemDb, Mempool<MemDb, T>) {
+type N = TendermintNetwork<MemDb, SignedTransaction, DummyP2p>;
+
+fn new_mempool<T: TransactionTrait>() -> ([u8; 32], MemDb, Mempool<MemDb, T>) {
   let mut genesis = [0; 32];
   OsRng.fill_bytes(&mut genesis);
   let db = MemDb::new();
   (genesis, db.clone(), Mempool::new(db, genesis))
 }
 
-#[test]
-fn mempool_addition() {
+#[tokio::test]
+async fn mempool_addition() {
   let (genesis, db, mut mempool) = new_mempool::<SignedTransaction>();
-
+  let commit = |_: u32| -> Option<Commit<Arc<Validators>>> {
+    Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
+  };
+  let unsigned_in_chain = |_: [u8; 32]| false;
   let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
 
   let first_tx = signed_transaction(&mut OsRng, genesis, &key, 0);
   let signer = first_tx.1.signer;
   assert_eq!(mempool.next_nonce(&signer), None);
 
+  // validators
+  let validators = Arc::new(Validators::new(genesis, vec![(signer, 1)]).unwrap());
+
   // Add TX 0
   let mut blockchain_next_nonces = HashMap::from([(signer, 0)]);
-  assert!(mempool.add(&blockchain_next_nonces, true, first_tx.clone()));
+  assert!(mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Application(first_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
   assert_eq!(mempool.next_nonce(&signer), Some(1));
 
+  // add a tendermint vote tx
+  let vote_tx = random_vote_tx(&mut OsRng, genesis);
+  assert!(mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Tendermint(vote_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
+
+  // add a tendermint evidence tx
+  let evidence_tx =
+    random_evidence_tx::<N>(Signer::new(genesis, key.clone()).into(), TendermintBlock(vec![]))
+      .await;
+  assert!(mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Tendermint(evidence_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
+
   // Test reloading works
   assert_eq!(mempool, Mempool::new(db, genesis));
 
   // Adding it again should fail
-  assert!(!mempool.add(&blockchain_next_nonces, true, first_tx.clone()));
+  assert!(!mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Application(first_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
+  assert!(!mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Tendermint(vote_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
+  assert!(!mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Tendermint(evidence_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
 
   // Do the same with the next nonce
   let second_tx = signed_transaction(&mut OsRng, genesis, &key, 1);
-  assert!(mempool.add(&blockchain_next_nonces, true, second_tx.clone()));
+  assert!(mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Application(second_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
   assert_eq!(mempool.next_nonce(&signer), Some(2));
-  assert!(!mempool.add(&blockchain_next_nonces, true, second_tx.clone()));
+  assert!(!mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Application(second_tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
+  ));
 
   // If the mempool doesn't have a nonce for an account, it should successfully use the
   // blockchain's
@@ -53,43 +135,68 @@ fn mempool_addition() {
   let second_signer = tx.1.signer;
   assert_eq!(mempool.next_nonce(&second_signer), None);
   blockchain_next_nonces.insert(second_signer, 2);
-  assert!(mempool.add(&blockchain_next_nonces, true, tx.clone()));
+  assert!(mempool.add::<N>(
+    &blockchain_next_nonces,
+    true,
+    Transaction::Application(tx.clone()),
+    validators.clone(),
+    unsigned_in_chain,
+    commit
+  ));
   assert_eq!(mempool.next_nonce(&second_signer), Some(3));
 
   // Getting a block should work
-  assert_eq!(mempool.block(&blockchain_next_nonces).len(), 3);
+  assert_eq!(mempool.block(&blockchain_next_nonces, unsigned_in_chain).len(), 5);
 
   // If the blockchain says an account had its nonce updated, it should cause a prune
   blockchain_next_nonces.insert(signer, 1);
-  let mut block = mempool.block(&blockchain_next_nonces);
-  assert_eq!(block.len(), 2);
+  let mut block = mempool.block(&blockchain_next_nonces, unsigned_in_chain);
+  assert_eq!(block.len(), 4);
   assert!(!block.iter().any(|tx| tx.hash() == first_tx.hash()));
   assert_eq!(mempool.txs(), &block.drain(..).map(|tx| (tx.hash(), tx)).collect::<HashMap<_, _>>());
 
   // Removing should also successfully prune
   mempool.remove(&tx.hash());
-  assert_eq!(mempool.txs(), &HashMap::from([(second_tx.hash(), second_tx)]));
+  mempool.remove(&vote_tx.hash());
+
+  assert_eq!(
+    mempool.txs(),
+    &HashMap::from([
+      (second_tx.hash(), Transaction::Application(second_tx)),
+      (evidence_tx.hash(), Transaction::Tendermint(evidence_tx))
+    ])
+  );
 }
 
 #[test]
 fn too_many_mempool() {
   let (genesis, _, mut mempool) = new_mempool::<SignedTransaction>();
-
+  let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
+  let commit = |_: u32| -> Option<Commit<Arc<Validators>>> {
+    Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
+  };
+  let unsigned_in_chain = |_: [u8; 32]| false;
   let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
   let signer = signed_transaction(&mut OsRng, genesis, &key, 0).1.signer;
 
   // We should be able to add transactions up to the limit
   for i in 0 .. ACCOUNT_MEMPOOL_LIMIT {
-    assert!(mempool.add(
+    assert!(mempool.add::<N>(
       &HashMap::from([(signer, 0)]),
       false,
-      signed_transaction(&mut OsRng, genesis, &key, i)
+      Transaction::Application(signed_transaction(&mut OsRng, genesis, &key, i)),
+      validators.clone(),
+      unsigned_in_chain,
+      commit,
     ));
   }
   // Yet adding more should fail
-  assert!(!mempool.add(
+  assert!(!mempool.add::<N>(
     &HashMap::from([(signer, 0)]),
     false,
-    signed_transaction(&mut OsRng, genesis, &key, ACCOUNT_MEMPOOL_LIMIT)
+    Transaction::Application(signed_transaction(&mut OsRng, genesis, &key, ACCOUNT_MEMPOOL_LIMIT)),
+    validators.clone(),
+    unsigned_in_chain,
+    commit,
   ));
 }