absolutebi/serai
1
0
Fork 0
mirror of https://github.com/serai-dex/serai.git synced 2025-12-08 20:29:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Re-arrange coordinator/

Browse Source 
coordinator/tributary was tributary-chain. This crate has been renamed
tributary-sdk and moved to coordinator/tributary-sdk.

coordinator/src/tributary was our instantion of a Tributary, the Transaction
type and scan task. This has been moved to coordinator/tributary.

The main reason for this was due to coordinator/main.rs becoming untidy. There
is now a collection of clean, independent APIs present in the codebase.
coordinator/main.rs is to compose them. Sometimes, these compositions are a bit
silly (reading from a channel just to forward the message to a distinct
channel). That's more than fine as the code is still readable and the value
from the cleanliness of the APIs composed far exceeds the nits from having
these odd compositions.

This breaks down a bit as we now define a global database, and have some APIs
interact with multiple other APIs.

coordinator/src/tributary was a self-contained, clean API. The recently added
task present in coordinator/tributary/mod.rs, which bound it to the rest of the
Coordinator, wasn't.

Now, coordinator/src is solely the API compositions, and all self-contained
APIs are their own crates.
This commit is contained in:
Luke Parker
2025-01-11 04:14:21 -05:00
parent c05b0c9eba
commit 3c664ff05f
56 changed files with 1719 additions and 1570 deletions
Download Patch File Download Diff File Expand all files Collapse all files

271
coordinator/tributary/src/block.rs
View File

@@ -1,271 +0,0 @@
use std::{
io,
collections::{VecDeque, HashSet, HashMap},
};
use thiserror::Error;
use blake2::{Digest, Blake2s256};
use tendermint::ext::{Network, Commit};
use crate::{
transaction::{
TransactionError, Signed, TransactionKind, Transaction as TransactionTrait, GAIN,
verify_transaction,
},
BLOCK_SIZE_LIMIT, ReadWrite, merkle, Transaction,
tendermint::tx::verify_tendermint_tx,
};
#[derive(Clone, PartialEq, Eq, Debug, Error)]
pub enum BlockError {
/// Block was too large.
#[error("block exceeded size limit")]
TooLargeBlock,
/// Header specified a parent which wasn't the chain tip.
#[error("header doesn't build off the chain tip")]
InvalidParent,
/// Header specified an invalid transactions merkle tree hash.
#[error("header transactions hash is incorrect")]
InvalidTransactions,
/// An unsigned transaction which was already added to the chain was present again.
#[error("an unsigned transaction which was already added to the chain was present again")]
UnsignedAlreadyIncluded,
/// A provided transaction which was already added to the chain was present again.
#[error("an provided transaction which was already added to the chain was present again")]
ProvidedAlreadyIncluded,
/// Transactions weren't ordered as expected (Provided, followed by Unsigned, followed by Signed).
#[error("transactions weren't ordered as expected (Provided, Unsigned, Signed)")]
WrongTransactionOrder,
/// The block had a provided transaction this validator has yet to be provided.
#[error("block had a provided transaction not yet locally provided: {0:?}")]
NonLocalProvided([u8; 32]),
/// The provided transaction was distinct from the locally provided transaction.
#[error("block had a distinct provided transaction")]
DistinctProvided,
/// An included transaction was invalid.
#[error("included transaction had an error")]
TransactionError(TransactionError),
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct BlockHeader {
pub parent: [u8; 32],
pub transactions: [u8; 32],
}
impl ReadWrite for BlockHeader {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut header = BlockHeader { parent: [0; 32], transactions: [0; 32] };
reader.read_exact(&mut header.parent)?;
reader.read_exact(&mut header.transactions)?;
Ok(header)
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
writer.write_all(&self.parent)?;
writer.write_all(&self.transactions)
}
}
impl BlockHeader {
pub fn hash(&self) -> [u8; 32] {
Blake2s256::digest([b"tributary_block".as_ref(), &self.serialize()].concat()).into()
}
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Block<T: TransactionTrait> {
pub header: BlockHeader,
pub transactions: Vec<Transaction<T>>,
}
impl<T: TransactionTrait> ReadWrite for Block<T> {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let header = BlockHeader::read(reader)?;
let mut txs = [0; 4];
reader.read_exact(&mut txs)?;
let txs = u32::from_le_bytes(txs);
let mut transactions = Vec::with_capacity(usize::try_from(txs).unwrap());
for _ in 0 .. txs {
transactions.push(Transaction::read(reader)?);
}
Ok(Block { header, transactions })
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
self.header.write(writer)?;
writer.write_all(&u32::try_from(self.transactions.len()).unwrap().to_le_bytes())?;
for tx in &self.transactions {
tx.write(writer)?;
}
Ok(())
}
}
impl<T: TransactionTrait> Block<T> {
/// Create a new block.
///
/// mempool is expected to only have valid, non-conflicting transactions, sorted by nonce.
pub(crate) fn new(parent: [u8; 32], provided: Vec<T>, mempool: Vec<Transaction<T>>) -> Self {
let mut txs = vec![];
for tx in provided {
txs.push(Transaction::Application(tx))
}
let mut signed = vec![];
let mut unsigned = vec![];
for tx in mempool {
match tx.kind() {
TransactionKind::Signed(_, _) => signed.push(tx),
TransactionKind::Unsigned => unsigned.push(tx),
TransactionKind::Provided(_) => panic!("provided transaction entered mempool"),
}
}
// unsigned first
txs.extend(unsigned);
// then signed
txs.extend(signed);
// Check TXs are sorted by nonce.
let nonce = |tx: &Transaction<T>| {
if let TransactionKind::Signed(_, Signed { nonce, .. }) = tx.kind() {
nonce
} else {
0
}
};
let mut last = 0;
for tx in &txs {
let nonce = nonce(tx);
if nonce < last {
panic!("TXs in mempool weren't ordered by nonce");
}
last = nonce;
}
let mut res =
Block { header: BlockHeader { parent, transactions: [0; 32] }, transactions: txs };
while res.serialize().len() > BLOCK_SIZE_LIMIT {
assert!(res.transactions.pop().is_some());
}
let hashes = res.transactions.iter().map(Transaction::hash).collect::<Vec<_>>();
res.header.transactions = merkle(&hashes);
res
}
pub fn parent(&self) -> [u8; 32] {
self.header.parent
}
pub fn hash(&self) -> [u8; 32] {
self.header.hash()
}
#[allow(clippy::too_many_arguments)]
pub(crate) fn verify<N: Network, G: GAIN>(
&self,
genesis: [u8; 32],
last_block: [u8; 32],
mut locally_provided: HashMap<&'static str, VecDeque<T>>,
get_and_increment_nonce: &mut G,
schema: &N::SignatureScheme,
commit: impl Fn(u64) -> Option<Commit<N::SignatureScheme>>,
provided_or_unsigned_in_chain: impl Fn([u8; 32]) -> bool,
allow_non_local_provided: bool,
) -> Result<(), BlockError> {
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Order {
Provided,
Unsigned,
Signed,
}
impl From<Order> for u8 {
fn from(order: Order) -> u8 {
match order {
Order::Provided => 0,
Order::Unsigned => 1,
Order::Signed => 2,
}
}
}
if self.serialize().len() > BLOCK_SIZE_LIMIT {
Err(BlockError::TooLargeBlock)?;
}
if self.header.parent != last_block {
Err(BlockError::InvalidParent)?;
}
let mut last_tx_order = Order::Provided;
let mut included_in_block = HashSet::new();
let mut txs = Vec::with_capacity(self.transactions.len());
for tx in &self.transactions {
let tx_hash = tx.hash();
txs.push(tx_hash);
let current_tx_order = match tx.kind() {
TransactionKind::Provided(order) => {
if provided_or_unsigned_in_chain(tx_hash) {
Err(BlockError::ProvidedAlreadyIncluded)?;
}
if let Some(local) = locally_provided.get_mut(order).and_then(VecDeque::pop_front) {
// Since this was a provided TX, it must be an application TX
let Transaction::Application(tx) = tx else {
Err(BlockError::NonLocalProvided(txs.pop().unwrap()))?
};
if tx != &local {
Err(BlockError::DistinctProvided)?;
}
} else if !allow_non_local_provided {
Err(BlockError::NonLocalProvided(txs.pop().unwrap()))?
};
Order::Provided
}
TransactionKind::Unsigned => {
// check we don't already have the tx in the chain
if provided_or_unsigned_in_chain(tx_hash) || included_in_block.contains(&tx_hash) {
Err(BlockError::UnsignedAlreadyIncluded)?;
}
included_in_block.insert(tx_hash);
Order::Unsigned
}
TransactionKind::Signed(..) => Order::Signed,
};
// enforce Provided => Unsigned => Signed order
if u8::from(current_tx_order) < u8::from(last_tx_order) {
Err(BlockError::WrongTransactionOrder)?;
}
last_tx_order = current_tx_order;
match tx {
Transaction::Tendermint(tx) => match verify_tendermint_tx::<N>(tx, schema, &commit) {
Ok(()) => {}
Err(e) => Err(BlockError::TransactionError(e))?,
},
Transaction::Application(tx) => {
match verify_transaction(tx, genesis, get_and_increment_nonce) {
Ok(()) => {}
Err(e) => Err(BlockError::TransactionError(e))?,
}
}
}
}
if merkle(&txs) != self.header.transactions {
Err(BlockError::InvalidTransactions)?;
}
Ok(())
}
}

341
coordinator/tributary/src/blockchain.rs
View File

@@ -1,341 +0,0 @@
use std::collections::{VecDeque, HashSet};
use ciphersuite::{group::GroupEncoding, Ciphersuite, Ristretto};
use serai_db::{Get, DbTxn, Db};
use scale::Decode;
use tendermint::ext::{Network, Commit};
use crate::{
ReadWrite, ProvidedError, ProvidedTransactions, BlockError, Block, Mempool, Transaction,
transaction::{Signed, TransactionKind, TransactionError, Transaction as TransactionTrait},
};
#[derive(Debug)]
pub(crate) struct Blockchain<D: Db, T: TransactionTrait> {
db: Option<D>,
genesis: [u8; 32],
block_number: u64,
tip: [u8; 32],
participants: HashSet<<Ristretto as Ciphersuite>::G>,
provided: ProvidedTransactions<D, T>,
mempool: Mempool<D, T>,
pub(crate) next_block_notifications: VecDeque<tokio::sync::oneshot::Sender<()>>,
}
impl<D: Db, T: TransactionTrait> Blockchain<D, T> {
fn tip_key(genesis: [u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"tip", genesis)
}
fn block_number_key(&self) -> Vec<u8> {
D::key(b"tributary_blockchain", b"block_number", self.genesis)
}
fn block_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"block", [genesis, hash].concat())
}
fn block_hash_key(genesis: &[u8], block_number: u64) -> Vec<u8> {
D::key(b"tributary_blockchain", b"block_hash", [genesis, &block_number.to_le_bytes()].concat())
}
fn commit_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"commit", [genesis, hash].concat())
}
fn block_after_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"block_after", [genesis, hash].concat())
}
fn unsigned_included_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"unsigned_included", [genesis, hash].concat())
}
fn provided_included_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
D::key(b"tributary_blockchain", b"provided_included", [genesis, hash].concat())
}
fn next_nonce_key(
genesis: &[u8; 32],
signer: &<Ristretto as Ciphersuite>::G,
order: &[u8],
) -> Vec<u8> {
D::key(
b"tributary_blockchain",
b"next_nonce",
[genesis.as_ref(), signer.to_bytes().as_ref(), order].concat(),
)
}
pub(crate) fn new(
db: D,
genesis: [u8; 32],
participants: &[<Ristretto as Ciphersuite>::G],
) -> Self {
let mut res = Self {
db: Some(db.clone()),
genesis,
participants: participants.iter().copied().collect(),
block_number: 0,
tip: genesis,
provided: ProvidedTransactions::new(db.clone(), genesis),
mempool: Mempool::new(db, genesis),
next_block_notifications: VecDeque::new(),
};
if let Some((block_number, tip)) = {
let db = res.db.as_ref().unwrap();
db.get(res.block_number_key()).map(|number| (number, db.get(Self::tip_key(genesis)).unwrap()))
} {
res.block_number = u64::from_le_bytes(block_number.try_into().unwrap());
res.tip.copy_from_slice(&tip);
}
res
}
pub(crate) fn tip(&self) -> [u8; 32] {
self.tip
}
pub(crate) fn block_number(&self) -> u64 {
self.block_number
}
pub(crate) fn block_from_db(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<Block<T>> {
db.get(Self::block_key(&genesis, block))
.map(|bytes| Block::<T>::read::<&[u8]>(&mut bytes.as_ref()).unwrap())
}
pub(crate) fn commit_from_db(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<Vec<u8>> {
db.get(Self::commit_key(&genesis, block))
}
pub(crate) fn block_hash_from_db(db: &D, genesis: [u8; 32], block: u64) -> Option<[u8; 32]> {
db.get(Self::block_hash_key(&genesis, block)).map(|h| h.try_into().unwrap())
}
pub(crate) fn commit(&self, block: &[u8; 32]) -> Option<Vec<u8>> {
Self::commit_from_db(self.db.as_ref().unwrap(), self.genesis, block)
}
pub(crate) fn block_hash(&self, block: u64) -> Option<[u8; 32]> {
Self::block_hash_from_db(self.db.as_ref().unwrap(), self.genesis, block)
}
pub(crate) fn commit_by_block_number(&self, block: u64) -> Option<Vec<u8>> {
self.commit(&self.block_hash(block)?)
}
pub(crate) fn block_after(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<[u8; 32]> {
db.get(Self::block_after_key(&genesis, block)).map(|bytes| bytes.try_into().unwrap())
}
pub(crate) fn locally_provided_txs_in_block(
db: &D,
genesis: &[u8; 32],
block: &[u8; 32],
order: &str,
) -> bool {
let local_key = ProvidedTransactions::<D, T>::locally_provided_quantity_key(genesis, order);
let local = db.get(local_key).map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap()));
let block_key =
ProvidedTransactions::<D, T>::block_provided_quantity_key(genesis, block, order);
let block = db.get(block_key).map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap()));
local >= block
}
pub(crate) fn tip_from_db(db: &D, genesis: [u8; 32]) -> [u8; 32] {
db.get(Self::tip_key(genesis)).map_or(genesis, |bytes| bytes.try_into().unwrap())
}
pub(crate) fn add_transaction<N: Network>(
&mut self,
internal: bool,
tx: Transaction<T>,
schema: &N::SignatureScheme,
) -> Result<bool, TransactionError> {
let db = self.db.as_ref().unwrap();
let genesis = self.genesis;
let commit = |block: u64| -> Option<Commit<N::SignatureScheme>> {
let hash = Self::block_hash_from_db(db, genesis, block)?;
// we must have a commit per valid hash
let commit = Self::commit_from_db(db, genesis, &hash).unwrap();
// commit has to be valid if it is coming from our db
Some(Commit::<N::SignatureScheme>::decode(&mut commit.as_ref()).unwrap())
};
let unsigned_in_chain =
|hash: [u8; 32]| db.get(Self::unsigned_included_key(&self.genesis, &hash)).is_some();
self.mempool.add::<N, _>(
|signer, order| {
if self.participants.contains(&signer) {
Some(
db.get(Self::next_nonce_key(&self.genesis, &signer, &order))
.map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap())),
)
} else {
None
}
},
internal,
tx,
schema,
unsigned_in_chain,
commit,
)
}
pub(crate) fn provide_transaction(&mut self, tx: T) -> Result<(), ProvidedError> {
self.provided.provide(tx)
}
pub(crate) fn next_nonce(
&self,
signer: &<Ristretto as Ciphersuite>::G,
order: &[u8],
) -> Option<u32> {
if let Some(next_nonce) = self.mempool.next_nonce_in_mempool(signer, order.to_vec()) {
return Some(next_nonce);
}
if self.participants.contains(signer) {
Some(
self
.db
.as_ref()
.unwrap()
.get(Self::next_nonce_key(&self.genesis, signer, order))
.map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap())),
)
} else {
None
}
}
pub(crate) fn build_block<N: Network>(&mut self, schema: &N::SignatureScheme) -> Block<T> {
let block = Block::new(
self.tip,
self.provided.transactions.values().flatten().cloned().collect(),
self.mempool.block(),
);
// build_block should not return invalid blocks
self.verify_block::<N>(&block, schema, false).unwrap();
block
}
pub(crate) fn verify_block<N: Network>(
&self,
block: &Block<T>,
schema: &N::SignatureScheme,
allow_non_local_provided: bool,
) -> Result<(), BlockError> {
let db = self.db.as_ref().unwrap();
let provided_or_unsigned_in_chain = |hash: [u8; 32]| {
db.get(Self::unsigned_included_key(&self.genesis, &hash)).is_some() ||
db.get(Self::provided_included_key(&self.genesis, &hash)).is_some()
};
let commit = |block: u64| -> Option<Commit<N::SignatureScheme>> {
let commit = self.commit_by_block_number(block)?;
// commit has to be valid if it is coming from our db
Some(Commit::<N::SignatureScheme>::decode(&mut commit.as_ref()).unwrap())
};
let mut txn_db = db.clone();
let mut txn = txn_db.txn();
let res = block.verify::<N, _>(
self.genesis,
self.tip,
self.provided.transactions.clone(),
&mut |signer, order| {
if self.participants.contains(signer) {
let key = Self::next_nonce_key(&self.genesis, signer, order);
let next = txn
.get(&key)
.map_or(0, |next_nonce| u32::from_le_bytes(next_nonce.try_into().unwrap()));
txn.put(key, (next + 1).to_le_bytes());
Some(next)
} else {
None
}
},
schema,
&commit,
provided_or_unsigned_in_chain,
allow_non_local_provided,
);
// Drop this TXN's changes as we're solely verifying the block
drop(txn);
res
}
/// Add a block.
pub(crate) fn add_block<N: Network>(
&mut self,
block: &Block<T>,
commit: Vec<u8>,
schema: &N::SignatureScheme,
) -> Result<(), BlockError> {
self.verify_block::<N>(block, schema, true)?;
log::info!(
"adding block {} to tributary {} with {} TXs",
hex::encode(block.hash()),
hex::encode(self.genesis),
block.transactions.len(),
);
// None of the following assertions should be reachable since we verified the block
// Take it from the Option so Rust doesn't consider self as mutably borrowed thanks to the
// existence of the txn
let mut db = self.db.take().unwrap();
let mut txn = db.txn();
self.tip = block.hash();
txn.put(Self::tip_key(self.genesis), self.tip);
self.block_number += 1;
txn.put(self.block_number_key(), self.block_number.to_le_bytes());
txn.put(Self::block_hash_key(&self.genesis, self.block_number), self.tip);
txn.put(Self::block_key(&self.genesis, &self.tip), block.serialize());
txn.put(Self::commit_key(&self.genesis, &self.tip), commit);
txn.put(Self::block_after_key(&self.genesis, &block.parent()), block.hash());
for tx in &block.transactions {
match tx.kind() {
TransactionKind::Provided(order) => {
let hash = tx.hash();
self.provided.complete(&mut txn, order, self.tip, hash);
txn.put(Self::provided_included_key(&self.genesis, &hash), []);
}
TransactionKind::Unsigned => {
let hash = tx.hash();
// Save as included on chain
txn.put(Self::unsigned_included_key(&self.genesis, &hash), []);
// remove from the mempool
self.mempool.remove(&hash);
}
TransactionKind::Signed(order, Signed { signer, nonce, .. }) => {
let next_nonce = nonce + 1;
txn.put(Self::next_nonce_key(&self.genesis, &signer, &order), next_nonce.to_le_bytes());
self.mempool.remove(&tx.hash());
}
}
}
txn.commit();
self.db = Some(db);
for tx in self.next_block_notifications.drain(..) {
let _ = tx.send(());
}
Ok(())
}
}

449
coordinator/tributary/src/db.rs Normal file
View File

@@ -0,0 +1,449 @@
use std::collections::HashMap;
use scale::Encode;
use borsh::{BorshSerialize, BorshDeserialize};
use serai_client::{primitives::SeraiAddress, validator_sets::primitives::ValidatorSet};
use messages::sign::{VariantSignId, SignId};
use serai_db::*;
use crate::transaction::SigningProtocolRound;
/// A topic within the database which the group participates in
#[derive(Clone, Copy, PartialEq, Eq, Debug, Encode, BorshSerialize, BorshDeserialize)]
pub(crate) enum Topic {
/// Vote to remove a participant
RemoveParticipant { participant: SeraiAddress },
// DkgParticipation isn't represented here as participations are immediately sent to the
// processor, not accumulated within this databse
/// Participation in the signing protocol to confirm the DKG results on Substrate
DkgConfirmation { attempt: u32, round: SigningProtocolRound },
/// The local view of the SlashReport, to be aggregated into the final SlashReport
SlashReport,
/// Participation in a signing protocol
Sign { id: VariantSignId, attempt: u32, round: SigningProtocolRound },
}
enum Participating {
Participated,
Everyone,
}
impl Topic {
// The topic used by the next attempt of this protocol
fn next_attempt_topic(self) -> Option<Topic> {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => None,
Topic::DkgConfirmation { attempt, round: _ } => Some(Topic::DkgConfirmation {
attempt: attempt + 1,
round: SigningProtocolRound::Preprocess,
}),
Topic::SlashReport { .. } => None,
Topic::Sign { id, attempt, round: _ } => {
Some(Topic::Sign { id, attempt: attempt + 1, round: SigningProtocolRound::Preprocess })
}
}
}
// The topic for the re-attempt to schedule
fn reattempt_topic(self) -> Option<(u32, Topic)> {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => None,
Topic::DkgConfirmation { attempt, round } => match round {
SigningProtocolRound::Preprocess => {
let attempt = attempt + 1;
Some((
attempt,
Topic::DkgConfirmation { attempt, round: SigningProtocolRound::Preprocess },
))
}
SigningProtocolRound::Share => None,
},
Topic::SlashReport { .. } => None,
Topic::Sign { id, attempt, round } => match round {
SigningProtocolRound::Preprocess => {
let attempt = attempt + 1;
Some((attempt, Topic::Sign { id, attempt, round: SigningProtocolRound::Preprocess }))
}
SigningProtocolRound::Share => None,
},
}
}
// The SignId for this topic
//
// Returns None if Topic isn't Topic::Sign
pub(crate) fn sign_id(self, set: ValidatorSet) -> Option<messages::sign::SignId> {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => None,
Topic::DkgConfirmation { .. } => None,
Topic::SlashReport { .. } => None,
Topic::Sign { id, attempt, round: _ } => Some(SignId { session: set.session, id, attempt }),
}
}
/// The topic which precedes this topic as a prerequisite
///
/// The preceding topic must define this topic as succeeding
fn preceding_topic(self) -> Option<Topic> {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => None,
Topic::DkgConfirmation { attempt, round } => match round {
SigningProtocolRound::Preprocess => None,
SigningProtocolRound::Share => {
Some(Topic::DkgConfirmation { attempt, round: SigningProtocolRound::Preprocess })
}
},
Topic::SlashReport { .. } => None,
Topic::Sign { id, attempt, round } => match round {
SigningProtocolRound::Preprocess => None,
SigningProtocolRound::Share => {
Some(Topic::Sign { id, attempt, round: SigningProtocolRound::Preprocess })
}
},
}
}
/// The topic which succeeds this topic, with this topic as a prerequisite
///
/// The succeeding topic must define this topic as preceding
fn succeeding_topic(self) -> Option<Topic> {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => None,
Topic::DkgConfirmation { attempt, round } => match round {
SigningProtocolRound::Preprocess => {
Some(Topic::DkgConfirmation { attempt, round: SigningProtocolRound::Share })
}
SigningProtocolRound::Share => None,
},
Topic::SlashReport { .. } => None,
Topic::Sign { id, attempt, round } => match round {
SigningProtocolRound::Preprocess => {
Some(Topic::Sign { id, attempt, round: SigningProtocolRound::Share })
}
SigningProtocolRound::Share => None,
},
}
}
fn requires_whitelisting(&self) -> bool {
#[allow(clippy::match_same_arms)]
match self {
// We don't require whitelisting to remove a participant
Topic::RemoveParticipant { .. } => false,
// We don't require whitelisting for the first attempt, solely the re-attempts
Topic::DkgConfirmation { attempt, .. } => *attempt != 0,
// We don't require whitelisting for the slash report
Topic::SlashReport { .. } => false,
// We do require whitelisting for every sign protocol
Topic::Sign { .. } => true,
}
}
fn required_participation(&self, n: u64) -> u64 {
let _ = self;
// All of our topics require 2/3rds participation
((2 * n) / 3) + 1
}
fn participating(&self) -> Participating {
#[allow(clippy::match_same_arms)]
match self {
Topic::RemoveParticipant { .. } => Participating::Everyone,
Topic::DkgConfirmation { .. } => Participating::Participated,
Topic::SlashReport { .. } => Participating::Everyone,
Topic::Sign { .. } => Participating::Participated,
}
}
}
pub(crate) trait Borshy: BorshSerialize + BorshDeserialize {}
impl<T: BorshSerialize + BorshDeserialize> Borshy for T {}
/// The resulting data set from an accumulation
pub(crate) enum DataSet<D: Borshy> {
/// Accumulating this did not produce a data set to act on
/// (non-existent, not ready, prior handled, not participating, etc.)
None,
/// The data set was ready and we are participating in this event
Participating(HashMap<SeraiAddress, D>),
}
create_db!(
CoordinatorTributary {
// The last handled tributary block's (number, hash)
LastHandledTributaryBlock: (set: ValidatorSet) -> (u64, [u8; 32]),
// The slash points a validator has accrued, with u64::MAX representing a fatal slash.
SlashPoints: (set: ValidatorSet, validator: SeraiAddress) -> u64,
// The latest Substrate block to cosign.
LatestSubstrateBlockToCosign: (set: ValidatorSet) -> [u8; 32],
// The hash of the block we're actively cosigning.
ActivelyCosigning: (set: ValidatorSet) -> [u8; 32],
// If this block has already been cosigned.
Cosigned: (set: ValidatorSet, substrate_block_hash: [u8; 32]) -> (),
// The weight accumulated for a topic.
AccumulatedWeight: (set: ValidatorSet, topic: Topic) -> u64,
// The entries accumulated for a topic, by validator.
Accumulated: <D: Borshy>(set: ValidatorSet, topic: Topic, validator: SeraiAddress) -> D,
// Topics to be recognized as of a certain block number due to the reattempt protocol.
Reattempt: (set: ValidatorSet, block_number: u64) -> Vec<Topic>,
}
);
db_channel!(
CoordinatorTributary {
ProcessorMessages: (set: ValidatorSet) -> messages::CoordinatorMessage,
}
);
pub(crate) struct TributaryDb;
impl TributaryDb {
pub(crate) fn last_handled_tributary_block(
getter: &impl Get,
set: ValidatorSet,
) -> Option<(u64, [u8; 32])> {
LastHandledTributaryBlock::get(getter, set)
}
pub(crate) fn set_last_handled_tributary_block(
txn: &mut impl DbTxn,
set: ValidatorSet,
block_number: u64,
block_hash: [u8; 32],
) {
LastHandledTributaryBlock::set(txn, set, &(block_number, block_hash));
}
pub(crate) fn latest_substrate_block_to_cosign(
getter: &impl Get,
set: ValidatorSet,
) -> Option<[u8; 32]> {
LatestSubstrateBlockToCosign::get(getter, set)
}
pub(crate) fn set_latest_substrate_block_to_cosign(
txn: &mut impl DbTxn,
set: ValidatorSet,
substrate_block_hash: [u8; 32],
) {
LatestSubstrateBlockToCosign::set(txn, set, &substrate_block_hash);
}
pub(crate) fn actively_cosigning(txn: &mut impl DbTxn, set: ValidatorSet) -> Option<[u8; 32]> {
ActivelyCosigning::get(txn, set)
}
pub(crate) fn start_cosigning(
txn: &mut impl DbTxn,
set: ValidatorSet,
substrate_block_hash: [u8; 32],
substrate_block_number: u64,
) {
assert!(
ActivelyCosigning::get(txn, set).is_none(),
"starting cosigning while already cosigning"
);
ActivelyCosigning::set(txn, set, &substrate_block_hash);
TributaryDb::recognize_topic(
txn,
set,
Topic::Sign {
id: VariantSignId::Cosign(substrate_block_number),
attempt: 0,
round: SigningProtocolRound::Preprocess,
},
);
}
pub(crate) fn finish_cosigning(txn: &mut impl DbTxn, set: ValidatorSet) {
assert!(ActivelyCosigning::take(txn, set).is_some(), "finished cosigning but not cosigning");
}
pub(crate) fn mark_cosigned(
txn: &mut impl DbTxn,
set: ValidatorSet,
substrate_block_hash: [u8; 32],
) {
Cosigned::set(txn, set, substrate_block_hash, &());
}
pub(crate) fn cosigned(
txn: &mut impl DbTxn,
set: ValidatorSet,
substrate_block_hash: [u8; 32],
) -> bool {
Cosigned::get(txn, set, substrate_block_hash).is_some()
}
pub(crate) fn recognize_topic(txn: &mut impl DbTxn, set: ValidatorSet, topic: Topic) {
AccumulatedWeight::set(txn, set, topic, &0);
}
pub(crate) fn start_of_block(txn: &mut impl DbTxn, set: ValidatorSet, block_number: u64) {
for topic in Reattempt::take(txn, set, block_number).unwrap_or(vec![]) {
/*
TODO: Slash all people who preprocessed but didn't share, and add a delay to their
participations in future protocols. When we call accumulate, if the participant has no
delay, their accumulation occurs immediately. Else, the accumulation occurs after the
specified delay.
This means even if faulty validators are first to preprocess, they won't be selected for
the signing set unless there's a lack of less faulty validators available.
We need to decrease this delay upon successful partipations, and set it to the maximum upon
`f + 1` validators voting to fatally slash the validator in question. This won't issue the
fatal slash but should still be effective.
*/
Self::recognize_topic(txn, set, topic);
if let Some(id) = topic.sign_id(set) {
Self::send_message(txn, set, messages::sign::CoordinatorMessage::Reattempt { id });
}
}
}
pub(crate) fn fatal_slash(
txn: &mut impl DbTxn,
set: ValidatorSet,
validator: SeraiAddress,
reason: &str,
) {
log::warn!("{validator} fatally slashed: {reason}");
SlashPoints::set(txn, set, validator, &u64::MAX);
}
pub(crate) fn is_fatally_slashed(
getter: &impl Get,
set: ValidatorSet,
validator: SeraiAddress,
) -> bool {
SlashPoints::get(getter, set, validator).unwrap_or(0) == u64::MAX
}
#[allow(clippy::too_many_arguments)]
pub(crate) fn accumulate<D: Borshy>(
txn: &mut impl DbTxn,
set: ValidatorSet,
validators: &[SeraiAddress],
total_weight: u64,
block_number: u64,
topic: Topic,
validator: SeraiAddress,
validator_weight: u64,
data: &D,
) -> DataSet<D> {
// This function will only be called once for a (validator, topic) tuple due to how we handle
// nonces on transactions (deterministically to the topic)
let accumulated_weight = AccumulatedWeight::get(txn, set, topic);
if topic.requires_whitelisting() && accumulated_weight.is_none() {
Self::fatal_slash(txn, set, validator, "participated in unrecognized topic");
return DataSet::None;
}
let mut accumulated_weight = accumulated_weight.unwrap_or(0);
// Check if there's a preceding topic, this validator participated
let preceding_topic = topic.preceding_topic();
if let Some(preceding_topic) = preceding_topic {
if Accumulated::<D>::get(txn, set, preceding_topic, validator).is_none() {
Self::fatal_slash(
txn,
set,
validator,
"participated in topic without participating in prior",
);
return DataSet::None;
}
}
// The complete lack of validation on the data by these NOPs opens the potential for spam here
// If we've already accumulated past the threshold, NOP
if accumulated_weight >= topic.required_participation(total_weight) {
return DataSet::None;
}
// If this is for an old attempt, NOP
if let Some(next_attempt_topic) = topic.next_attempt_topic() {
if AccumulatedWeight::get(txn, set, next_attempt_topic).is_some() {
return DataSet::None;
}
}
// Accumulate the data
accumulated_weight += validator_weight;
AccumulatedWeight::set(txn, set, topic, &accumulated_weight);
Accumulated::set(txn, set, topic, validator, data);
// Check if we now cross the weight threshold
if accumulated_weight >= topic.required_participation(total_weight) {
// Queue this for re-attempt after enough time passes
let reattempt_topic = topic.reattempt_topic();
if let Some((attempt, reattempt_topic)) = reattempt_topic {
// 5 minutes
#[cfg(not(feature = "longer-reattempts"))]
const BASE_REATTEMPT_DELAY: u32 =
(5u32 * 60 * 1000).div_ceil(tributary_sdk::tendermint::TARGET_BLOCK_TIME);
// 10 minutes, intended for latent environments like the GitHub CI
#[cfg(feature = "longer-reattempts")]
const BASE_REATTEMPT_DELAY: u32 =
(10u32 * 60 * 1000).div_ceil(tributary_sdk::tendermint::TARGET_BLOCK_TIME);
// Linearly scale the time for the protocol with the attempt number
let blocks_till_reattempt = u64::from(attempt * BASE_REATTEMPT_DELAY);
let recognize_at = block_number + blocks_till_reattempt;
let mut queued = Reattempt::get(txn, set, recognize_at).unwrap_or(Vec::with_capacity(1));
queued.push(reattempt_topic);
Reattempt::set(txn, set, recognize_at, &queued);
}
// Register the succeeding topic
let succeeding_topic = topic.succeeding_topic();
if let Some(succeeding_topic) = succeeding_topic {
Self::recognize_topic(txn, set, succeeding_topic);
}
// Fetch and return all participations
let mut data_set = HashMap::with_capacity(validators.len());
for validator in validators {
if let Some(data) = Accumulated::<D>::get(txn, set, topic, *validator) {
// Clean this data up if there's not a re-attempt topic
// If there is a re-attempt topic, we clean it up upon re-attempt
if reattempt_topic.is_none() {
Accumulated::<D>::del(txn, set, topic, *validator);
}
data_set.insert(*validator, data);
}
}
let participated = data_set.contains_key(&validator);
match topic.participating() {
Participating::Participated => {
if participated {
DataSet::Participating(data_set)
} else {
DataSet::None
}
}
Participating::Everyone => DataSet::Participating(data_set),
}
} else {
DataSet::None
}
}
pub(crate) fn send_message(
txn: &mut impl DbTxn,
set: ValidatorSet,
message: impl Into<messages::CoordinatorMessage>,
) {
ProcessorMessages::send(txn, set, &message.into());
}
}

825
coordinator/tributary/src/lib.rs
View File

@@ -1,388 +1,513 @@
use core::{marker::PhantomData, fmt::Debug, future::Future};
use std::{sync::Arc, io};
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![doc = include_str!("../README.md")]
#![deny(missing_docs)]
use zeroize::Zeroizing;
use core::{marker::PhantomData, future::Future};
use std::collections::HashMap;
use ciphersuite::{Ciphersuite, Ristretto};
use ciphersuite::group::GroupEncoding;
use scale::Decode;
use futures_channel::mpsc::UnboundedReceiver;
use futures_util::{StreamExt, SinkExt};
use ::tendermint::{
ext::{BlockNumber, Commit, Block as BlockTrait, Network},
SignedMessageFor, SyncedBlock, SyncedBlockSender, SyncedBlockResultReceiver, MessageSender,
TendermintMachine, TendermintHandle,
use serai_client::{
primitives::SeraiAddress,
validator_sets::primitives::{ValidatorSet, Slash},
};
pub use ::tendermint::Evidence;
use serai_db::*;
use serai_task::ContinuallyRan;
use serai_db::Db;
use tributary_sdk::{
tendermint::{
tx::{TendermintTx, Evidence, decode_signed_message},
TendermintNetwork,
},
Signed as TributarySigned, TransactionKind, TransactionTrait,
Transaction as TributaryTransaction, Block, TributaryReader, P2p,
};
use tokio::sync::RwLock;
use serai_cosign::Cosigning;
use serai_coordinator_substrate::NewSetInformation;
mod merkle;
pub(crate) use merkle::*;
use messages::sign::VariantSignId;
pub mod transaction;
pub use transaction::{TransactionError, Signed, TransactionKind, Transaction as TransactionTrait};
mod transaction;
pub(crate) use transaction::{SigningProtocolRound, Signed};
pub use transaction::Transaction;
use crate::tendermint::tx::TendermintTx;
mod db;
use db::*;
mod provided;
pub(crate) use provided::*;
pub use provided::ProvidedError;
mod block;
pub use block::*;
mod blockchain;
pub(crate) use blockchain::*;
mod mempool;
pub(crate) use mempool::*;
pub mod tendermint;
pub(crate) use crate::tendermint::*;
#[cfg(any(test, feature = "tests"))]
pub mod tests;
/// Size limit for an individual transaction.
// This needs to be big enough to participate in a 101-of-150 eVRF DKG with each element taking
// `MAX_KEY_LEN`. This also needs to be big enough to pariticpate in signing 520 Bitcoin inputs
// with 49 key shares, and signing 120 Monero inputs with 49 key shares.
// TODO: Add a test for these properties
pub const TRANSACTION_SIZE_LIMIT: usize = 2_000_000;
/// Amount of transactions a single account may have in the mempool.
pub const ACCOUNT_MEMPOOL_LIMIT: u32 = 50;
/// Block size limit.
// This targets a growth limit of roughly 30 GB a day, under load, in order to prevent a malicious
// participant from flooding disks and causing out of space errors in order processes.
pub const BLOCK_SIZE_LIMIT: usize = 2_001_000;
pub(crate) const TENDERMINT_MESSAGE: u8 = 0;
pub(crate) const TRANSACTION_MESSAGE: u8 = 1;
#[allow(clippy::large_enum_variant)]
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum Transaction<T: TransactionTrait> {
Tendermint(TendermintTx),
Application(T),
/// Messages to send to the Processors.
pub struct ProcessorMessages;
impl ProcessorMessages {
/// Try to receive a message to send to a Processor.
pub fn try_recv(txn: &mut impl DbTxn, set: ValidatorSet) -> Option<messages::CoordinatorMessage> {
db::ProcessorMessages::try_recv(txn, set)
}
}
impl<T: TransactionTrait> ReadWrite for Transaction<T> {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut kind = [0];
reader.read_exact(&mut kind)?;
match kind[0] {
0 => {
let tx = TendermintTx::read(reader)?;
Ok(Transaction::Tendermint(tx))
}
1 => {
let tx = T::read(reader)?;
Ok(Transaction::Application(tx))
}
_ => Err(io::Error::other("invalid transaction type")),
struct ScanBlock<'a, CD: Db, TD: Db, TDT: DbTxn, P: P2p> {
_td: PhantomData<TD>,
_p2p: PhantomData<P>,
cosign_db: &'a CD,
tributary_txn: &'a mut TDT,
set: ValidatorSet,
validators: &'a [SeraiAddress],
total_weight: u64,
validator_weights: &'a HashMap<SeraiAddress, u64>,
}
impl<'a, CD: Db, TD: Db, TDT: DbTxn, P: P2p> ScanBlock<'a, CD, TD, TDT, P> {
fn potentially_start_cosign(&mut self) {
// Don't start a new cosigning instance if we're actively running one
if TributaryDb::actively_cosigning(self.tributary_txn, self.set).is_some() {
return;
}
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
match self {
Transaction::Tendermint(tx) => {
writer.write_all(&[0])?;
tx.write(writer)
}
Transaction::Application(tx) => {
writer.write_all(&[1])?;
tx.write(writer)
}
}
}
}
impl<T: TransactionTrait> Transaction<T> {
pub fn hash(&self) -> [u8; 32] {
match self {
Transaction::Tendermint(tx) => tx.hash(),
Transaction::Application(tx) => tx.hash(),
}
}
pub fn kind(&self) -> TransactionKind {
match self {
Transaction::Tendermint(tx) => tx.kind(),
Transaction::Application(tx) => tx.kind(),
}
}
}
/// An item which can be read and written.
pub trait ReadWrite: Sized {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self>;
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()>;
fn serialize(&self) -> Vec<u8> {
// BlockHeader is 64 bytes and likely the smallest item in this system
let mut buf = Vec::with_capacity(64);
self.write(&mut buf).unwrap();
buf
}
}
pub trait P2p: 'static + Send + Sync + Clone {
/// Broadcast a message to all other members of the Tributary with the specified genesis.
///
/// The Tributary will re-broadcast consensus messages on a fixed interval to ensure they aren't
/// prematurely dropped from the P2P layer. THe P2P layer SHOULD perform content-based
/// deduplication to ensure a sane amount of load.
fn broadcast(&self, genesis: [u8; 32], msg: Vec<u8>) -> impl Send + Future<Output = ()>;
}
impl<P: P2p> P2p for Arc<P> {
fn broadcast(&self, genesis: [u8; 32], msg: Vec<u8>) -> impl Send + Future<Output = ()> {
P::broadcast(self, genesis, msg)
}
}
#[derive(Clone)]
pub struct Tributary<D: Db, T: TransactionTrait, P: P2p> {
db: D,
genesis: [u8; 32],
network: TendermintNetwork<D, T, P>,
synced_block: Arc<RwLock<SyncedBlockSender<TendermintNetwork<D, T, P>>>>,
synced_block_result: Arc<RwLock<SyncedBlockResultReceiver>>,
messages: Arc<RwLock<MessageSender<TendermintNetwork<D, T, P>>>>,
}
impl<D: Db, T: TransactionTrait, P: P2p> Tributary<D, T, P> {
pub async fn new(
db: D,
genesis: [u8; 32],
start_time: u64,
key: Zeroizing<<Ristretto as Ciphersuite>::F>,
validators: Vec<(<Ristretto as Ciphersuite>::G, u64)>,
p2p: P,
) -> Option<Self> {
log::info!("new Tributary with genesis {}", hex::encode(genesis));
let validators_vec = validators.iter().map(|validator| validator.0).collect::<Vec<_>>();
let signer = Arc::new(Signer::new(genesis, key));
let validators = Arc::new(Validators::new(genesis, validators)?);
let mut blockchain = Blockchain::new(db.clone(), genesis, &validators_vec);
let block_number = BlockNumber(blockchain.block_number());
let start_time = if let Some(commit) = blockchain.commit(&blockchain.tip()) {
Commit::<Validators>::decode(&mut commit.as_ref()).unwrap().end_time
} else {
start_time
// Fetch the latest intended-to-be-cosigned block
let Some(latest_substrate_block_to_cosign) =
TributaryDb::latest_substrate_block_to_cosign(self.tributary_txn, self.set)
else {
return;
};
let proposal = TendermintBlock(
blockchain.build_block::<TendermintNetwork<D, T, P>>(&validators).serialize(),
// If it was already cosigned, return
if TributaryDb::cosigned(self.tributary_txn, self.set, latest_substrate_block_to_cosign) {
return;
}
let Some(substrate_block_number) =
Cosigning::<CD>::finalized_block_number(self.cosign_db, latest_substrate_block_to_cosign)
else {
// This is a valid panic as we shouldn't be scanning this block if we didn't provide all
// Provided transactions within it, and the block to cosign is a Provided transaction
panic!("cosigning a block our cosigner didn't index")
};
// Mark us as actively cosigning
TributaryDb::start_cosigning(
self.tributary_txn,
self.set,
latest_substrate_block_to_cosign,
substrate_block_number,
);
let blockchain = Arc::new(RwLock::new(blockchain));
let network = TendermintNetwork { genesis, signer, validators, blockchain, p2p };
let TendermintHandle { synced_block, synced_block_result, messages, machine } =
TendermintMachine::new(
db.clone(),
network.clone(),
genesis,
block_number,
start_time,
proposal,
)
.await;
tokio::spawn(machine.run());
Some(Self {
db,
genesis,
network,
synced_block: Arc::new(RwLock::new(synced_block)),
synced_block_result: Arc::new(RwLock::new(synced_block_result)),
messages: Arc::new(RwLock::new(messages)),
})
}
pub fn block_time() -> u32 {
TendermintNetwork::<D, T, P>::block_time()
}
pub fn genesis(&self) -> [u8; 32] {
self.genesis
}
pub async fn block_number(&self) -> u64 {
self.network.blockchain.read().await.block_number()
}
pub async fn tip(&self) -> [u8; 32] {
self.network.blockchain.read().await.tip()
}
pub fn reader(&self) -> TributaryReader<D, T> {
TributaryReader(self.db.clone(), self.genesis, PhantomData)
}
pub async fn provide_transaction(&self, tx: T) -> Result<(), ProvidedError> {
self.network.blockchain.write().await.provide_transaction(tx)
}
pub async fn next_nonce(
&self,
signer: &<Ristretto as Ciphersuite>::G,
order: &[u8],
) -> Option<u32> {
self.network.blockchain.read().await.next_nonce(signer, order)
}
// Returns Ok(true) if new, Ok(false) if an already present unsigned, or the error.
// Safe to be &self since the only meaningful usage of self is self.network.blockchain which
// successfully acquires its own write lock
pub async fn add_transaction(&self, tx: T) -> Result<bool, TransactionError> {
let tx = Transaction::Application(tx);
let mut to_broadcast = vec![TRANSACTION_MESSAGE];
tx.write(&mut to_broadcast).unwrap();
let res = self.network.blockchain.write().await.add_transaction::<TendermintNetwork<D, T, P>>(
true,
tx,
&self.network.signature_scheme(),
// Send the message for the processor to start signing
TributaryDb::send_message(
self.tributary_txn,
self.set,
messages::coordinator::CoordinatorMessage::CosignSubstrateBlock {
session: self.set.session,
block_number: substrate_block_number,
block: latest_substrate_block_to_cosign,
},
);
if res == Ok(true) {
self.network.p2p.broadcast(self.genesis, to_broadcast).await;
}
res
}
fn handle_application_tx(&mut self, block_number: u64, tx: Transaction) {
let signer = |signed: Signed| SeraiAddress(signed.signer().to_bytes());
async fn sync_block_internal(
&self,
block: Block<T>,
commit: Vec<u8>,
result: &mut UnboundedReceiver<bool>,
) -> bool {
let (tip, block_number) = {
let blockchain = self.network.blockchain.read().await;
(blockchain.tip(), blockchain.block_number())
};
if block.header.parent != tip {
log::debug!("told to sync a block whose parent wasn't our tip");
return false;
if let TransactionKind::Signed(_, TributarySigned { signer, .. }) = tx.kind() {
// Don't handle transactions from those fatally slashed
// TODO: The fact they can publish these TXs makes this a notable spam vector
if TributaryDb::is_fatally_slashed(
self.tributary_txn,
self.set,
SeraiAddress(signer.to_bytes()),
) {
return;
}
}
let block = TendermintBlock(block.serialize());
let mut commit_ref = commit.as_ref();
let Ok(commit) = Commit::<Arc<Validators>>::decode(&mut commit_ref) else {
log::error!("sent an invalidly serialized commit");
return false;
};
// Storage DoS vector. We *could* truncate to solely the relevant portion, trying to save this,
// yet then we'd have to test the truncation was performed correctly.
if !commit_ref.is_empty() {
log::error!("sent an commit with additional data after it");
return false;
}
if !self.network.verify_commit(block.id(), &commit) {
log::error!("sent an invalid commit");
return false;
}
match tx {
// Accumulate this vote and fatally slash the participant if past the threshold
Transaction::RemoveParticipant { participant, signed } => {
let signer = signer(signed);
let number = BlockNumber(block_number + 1);
self.synced_block.write().await.send(SyncedBlock { number, block, commit }).await.unwrap();
result.next().await.unwrap()
}
// Sync a block.
// TODO: Since we have a static validator set, we should only need the tail commit?
pub async fn sync_block(&self, block: Block<T>, commit: Vec<u8>) -> bool {
let mut result = self.synced_block_result.write().await;
self.sync_block_internal(block, commit, &mut result).await
}
// Return true if the message should be rebroadcasted.
pub async fn handle_message(&self, msg: &[u8]) -> bool {
match msg.first() {
Some(&TRANSACTION_MESSAGE) => {
let Ok(tx) = Transaction::read::<&[u8]>(&mut &msg[1 ..]) else {
log::error!("received invalid transaction message");
return false;
};
// TODO: Sync mempools with fellow peers
// Can we just rebroadcast transactions not included for at least two blocks?
let res =
self.network.blockchain.write().await.add_transaction::<TendermintNetwork<D, T, P>>(
false,
tx,
&self.network.signature_scheme(),
// Check the participant voted to be removed actually exists
if !self.validators.iter().any(|validator| *validator == participant) {
TributaryDb::fatal_slash(
self.tributary_txn,
self.set,
signer,
"voted to remove non-existent participant",
);
log::debug!("received transaction message. valid new transaction: {res:?}");
res == Ok(true)
}
return;
}
Some(&TENDERMINT_MESSAGE) => {
let Ok(msg) =
SignedMessageFor::<TendermintNetwork<D, T, P>>::decode::<&[u8]>(&mut &msg[1 ..])
else {
log::error!("received invalid tendermint message");
return false;
match TributaryDb::accumulate(
self.tributary_txn,
self.set,
self.validators,
self.total_weight,
block_number,
Topic::RemoveParticipant { participant },
signer,
self.validator_weights[&signer],
&(),
) {
DataSet::None => {}
DataSet::Participating(_) => {
TributaryDb::fatal_slash(self.tributary_txn, self.set, participant, "voted to remove");
}
};
self.messages.write().await.send(msg).await.unwrap();
false
}
_ => false,
// Send the participation to the processor
Transaction::DkgParticipation { participation, signed } => {
TributaryDb::send_message(
self.tributary_txn,
self.set,
messages::key_gen::CoordinatorMessage::Participation {
session: self.set.session,
participant: todo!("TODO"),
participation,
},
);
}
Transaction::DkgConfirmationPreprocess { attempt, preprocess, signed } => {
// Accumulate the preprocesses into our own FROST attempt manager
todo!("TODO")
}
Transaction::DkgConfirmationShare { attempt, share, signed } => {
// Accumulate the shares into our own FROST attempt manager
todo!("TODO")
}
Transaction::Cosign { substrate_block_hash } => {
// Update the latest intended-to-be-cosigned Substrate block
TributaryDb::set_latest_substrate_block_to_cosign(
self.tributary_txn,
self.set,
substrate_block_hash,
);
// Start a new cosign if we aren't already working on one
self.potentially_start_cosign();
}
Transaction::Cosigned { substrate_block_hash } => {
/*
We provide one Cosigned per Cosign transaction, but they have independent orders. This
means we may receive Cosigned before Cosign. In order to ensure we only start work on
not-yet-Cosigned cosigns, we flag all cosigned blocks as cosigned. Then, when we choose
the next block to work on, we won't if it's already been cosigned.
*/
TributaryDb::mark_cosigned(self.tributary_txn, self.set, substrate_block_hash);
// If we aren't actively cosigning this block, return
// This occurs when we have Cosign TXs A, B, C, we received Cosigned for A and start on C,
// and then receive Cosigned for B
if TributaryDb::actively_cosigning(self.tributary_txn, self.set) !=
Some(substrate_block_hash)
{
return;
}
// Since this is the block we were cosigning, mark us as having finished cosigning
TributaryDb::finish_cosigning(self.tributary_txn, self.set);
// Start working on the next cosign
self.potentially_start_cosign();
}
Transaction::SubstrateBlock { hash } => {
// Whitelist all of the IDs this Substrate block causes to be signed
todo!("TODO")
}
Transaction::Batch { hash } => {
// Whitelist the signing of this batch, publishing our own preprocess
todo!("TODO")
}
Transaction::SlashReport { slash_points, signed } => {
let signer = signer(signed);
if slash_points.len() != self.validators.len() {
TributaryDb::fatal_slash(
self.tributary_txn,
self.set,
signer,
"slash report was for a distinct amount of signers",
);
return;
}
// Accumulate, and if past the threshold, calculate *the* slash report and start signing it
match TributaryDb::accumulate(
self.tributary_txn,
self.set,
self.validators,
self.total_weight,
block_number,
Topic::SlashReport,
signer,
self.validator_weights[&signer],
&slash_points,
) {
DataSet::None => {}
DataSet::Participating(data_set) => {
// Find the median reported slashes for this validator
/*
TODO: This lets 34% perform a fatal slash. That shouldn't be allowed. We need
to accept slash reports for a period past the threshold, and only fatally slash if we
have a supermajority agree the slash should be fatal. If there isn't a supermajority,
but the median believe the slash should be fatal, we need to fallback to a large
constant.
Also, TODO, each slash point should probably be considered as
`MAX_KEY_SHARES_PER_SET * BLOCK_TIME` seconds of downtime. As this time crosses
various thresholds (1 day, 3 days, etc), a multiplier should be attached.
*/
let mut median_slash_report = Vec::with_capacity(self.validators.len());
for i in 0 .. self.validators.len() {
let mut this_validator =
data_set.values().map(|report| report[i]).collect::<Vec<_>>();
this_validator.sort_unstable();
// Choose the median, where if there are two median values, the lower one is chosen
let median_index = if (this_validator.len() % 2) == 1 {
this_validator.len() / 2
} else {
(this_validator.len() / 2) - 1
};
median_slash_report.push(this_validator[median_index]);
}
// We only publish slashes for the `f` worst performers to:
// 1) Effect amnesty if there were network disruptions which affected everyone
// 2) Ensure the signing threshold doesn't have a disincentive to do their job
// Find the worst performer within the signing threshold's slash points
let f = (self.validators.len() - 1) / 3;
let worst_validator_in_supermajority_slash_points = {
let mut sorted_slash_points = median_slash_report.clone();
sorted_slash_points.sort_unstable();
// This won't be a valid index if `f == 0`, which means we don't have any validators
// to slash
let index_of_first_validator_to_slash = self.validators.len() - f;
let index_of_worst_validator_in_supermajority = index_of_first_validator_to_slash - 1;
sorted_slash_points[index_of_worst_validator_in_supermajority]
};
// Perform the amortization
for slash_points in &mut median_slash_report {
*slash_points =
slash_points.saturating_sub(worst_validator_in_supermajority_slash_points)
}
let amortized_slash_report = median_slash_report;
// Create the resulting slash report
let mut slash_report = vec![];
for (validator, points) in self.validators.iter().copied().zip(amortized_slash_report) {
if points != 0 {
slash_report.push(Slash { key: validator.into(), points });
}
}
assert!(slash_report.len() <= f);
// Recognize the topic for signing the slash report
TributaryDb::recognize_topic(
self.tributary_txn,
self.set,
Topic::Sign {
id: VariantSignId::SlashReport,
attempt: 0,
round: SigningProtocolRound::Preprocess,
},
);
// Send the message for the processor to start signing
TributaryDb::send_message(
self.tributary_txn,
self.set,
messages::coordinator::CoordinatorMessage::SignSlashReport {
session: self.set.session,
report: slash_report,
},
);
}
};
}
Transaction::Sign { id, attempt, round, data, signed } => {
let topic = Topic::Sign { id, attempt, round };
let signer = signer(signed);
if u64::try_from(data.len()).unwrap() != self.validator_weights[&signer] {
TributaryDb::fatal_slash(
self.tributary_txn,
self.set,
signer,
"signer signed with a distinct amount of key shares than they had key shares",
);
return;
}
match TributaryDb::accumulate(
self.tributary_txn,
self.set,
self.validators,
self.total_weight,
block_number,
topic,
signer,
self.validator_weights[&signer],
&data,
) {
DataSet::None => {}
DataSet::Participating(data_set) => {
let id = topic.sign_id(self.set).expect("Topic::Sign didn't have SignId");
let flatten_data_set = |data_set| todo!("TODO");
let data_set = flatten_data_set(data_set);
TributaryDb::send_message(
self.tributary_txn,
self.set,
match round {
SigningProtocolRound::Preprocess => {
messages::sign::CoordinatorMessage::Preprocesses { id, preprocesses: data_set }
}
SigningProtocolRound::Share => {
messages::sign::CoordinatorMessage::Shares { id, shares: data_set }
}
},
)
}
};
}
}
}
/// Get a Future which will resolve once the next block has been added.
pub async fn next_block_notification(
&self,
) -> impl Send + Sync + core::future::Future<Output = Result<(), impl Send + Sync>> {
let (tx, rx) = tokio::sync::oneshot::channel();
self.network.blockchain.write().await.next_block_notifications.push_back(tx);
rx
fn handle_block(mut self, block_number: u64, block: Block<Transaction>) {
TributaryDb::start_of_block(self.tributary_txn, self.set, block_number);
for tx in block.transactions {
match tx {
TributaryTransaction::Tendermint(TendermintTx::SlashEvidence(ev)) => {
// Since the evidence is on the chain, it will have already been validated
// We can just punish the signer
let data = match ev {
Evidence::ConflictingMessages(first, second) => (first, Some(second)),
Evidence::InvalidPrecommit(first) | Evidence::InvalidValidRound(first) => (first, None),
};
let msgs = (
decode_signed_message::<TendermintNetwork<TD, Transaction, P>>(&data.0).unwrap(),
if data.1.is_some() {
Some(
decode_signed_message::<TendermintNetwork<TD, Transaction, P>>(&data.1.unwrap())
.unwrap(),
)
} else {
None
},
);
// Since anything with evidence is fundamentally faulty behavior, not just temporal
// errors, mark the node as fatally slashed
TributaryDb::fatal_slash(
self.tributary_txn,
self.set,
SeraiAddress(msgs.0.msg.sender),
&format!("invalid tendermint messages: {msgs:?}"),
);
}
TributaryTransaction::Application(tx) => {
self.handle_application_tx(block_number, tx);
}
}
}
}
}
#[derive(Clone)]
pub struct TributaryReader<D: Db, T: TransactionTrait>(D, [u8; 32], PhantomData<T>);
impl<D: Db, T: TransactionTrait> TributaryReader<D, T> {
pub fn genesis(&self) -> [u8; 32] {
self.1
}
/// The task to scan the Tributary, populating `ProcessorMessages`.
pub struct ScanTributaryTask<CD: Db, TD: Db, P: P2p> {
cosign_db: CD,
tributary_db: TD,
set: ValidatorSet,
validators: Vec<SeraiAddress>,
total_weight: u64,
validator_weights: HashMap<SeraiAddress, u64>,
tributary: TributaryReader<TD, Transaction>,
_p2p: PhantomData<P>,
}
// Since these values are static once set, they can be safely read from the database without lock
// acquisition
pub fn block(&self, hash: &[u8; 32]) -> Option<Block<T>> {
Blockchain::<D, T>::block_from_db(&self.0, self.1, hash)
}
pub fn commit(&self, hash: &[u8; 32]) -> Option<Vec<u8>> {
Blockchain::<D, T>::commit_from_db(&self.0, self.1, hash)
}
pub fn parsed_commit(&self, hash: &[u8; 32]) -> Option<Commit<Validators>> {
self.commit(hash).map(|commit| Commit::<Validators>::decode(&mut commit.as_ref()).unwrap())
}
pub fn block_after(&self, hash: &[u8; 32]) -> Option<[u8; 32]> {
Blockchain::<D, T>::block_after(&self.0, self.1, hash)
}
pub fn time_of_block(&self, hash: &[u8; 32]) -> Option<u64> {
self
.commit(hash)
.map(|commit| Commit::<Validators>::decode(&mut commit.as_ref()).unwrap().end_time)
}
impl<CD: Db, TD: Db, P: P2p> ScanTributaryTask<CD, TD, P> {
/// Create a new instance of this task.
pub fn new(
cosign_db: CD,
tributary_db: TD,
new_set: &NewSetInformation,
tributary: TributaryReader<TD, Transaction>,
) -> Self {
let mut validators = Vec::with_capacity(new_set.validators.len());
let mut total_weight = 0;
let mut validator_weights = HashMap::with_capacity(new_set.validators.len());
for (validator, weight) in new_set.validators.iter().copied() {
let validator = SeraiAddress::from(validator);
let weight = u64::from(weight);
validators.push(validator);
total_weight += weight;
validator_weights.insert(validator, weight);
}
pub fn locally_provided_txs_in_block(&self, hash: &[u8; 32], order: &str) -> bool {
Blockchain::<D, T>::locally_provided_txs_in_block(&self.0, &self.1, hash, order)
}
// This isn't static, yet can be read with only minor discrepancy risks
pub fn tip(&self) -> [u8; 32] {
Blockchain::<D, T>::tip_from_db(&self.0, self.1)
ScanTributaryTask {
cosign_db,
tributary_db,
set: new_set.set,
validators,
total_weight,
validator_weights,
tributary,
_p2p: PhantomData,
}
}
}
impl<CD: Db, TD: Db, P: P2p> ContinuallyRan for ScanTributaryTask<CD, TD, P> {
fn run_iteration(&mut self) -> impl Send + Future<Output = Result<bool, String>> {
async move {
let (mut last_block_number, mut last_block_hash) =
TributaryDb::last_handled_tributary_block(&self.tributary_db, self.set)
.unwrap_or((0, self.tributary.genesis()));
let mut made_progress = false;
while let Some(next) = self.tributary.block_after(&last_block_hash) {
let block = self.tributary.block(&next).unwrap();
let block_number = last_block_number + 1;
let block_hash = block.hash();
// Make sure we have all of the provided transactions for this block
for tx in &block.transactions {
let TransactionKind::Provided(order) = tx.kind() else {
continue;
};
// make sure we have all the provided txs in this block locally
if !self.tributary.locally_provided_txs_in_block(&block_hash, order) {
return Err(format!(
"didn't have the provided Transactions on-chain for set (ephemeral error): {:?}",
self.set
));
}
}
let mut tributary_txn = self.tributary_db.txn();
(ScanBlock {
_td: PhantomData::<TD>,
_p2p: PhantomData::<P>,
cosign_db: &self.cosign_db,
tributary_txn: &mut tributary_txn,
set: self.set,
validators: &self.validators,
total_weight: self.total_weight,
validator_weights: &self.validator_weights,
})
.handle_block(block_number, block);
TributaryDb::set_last_handled_tributary_block(
&mut tributary_txn,
self.set,
block_number,
block_hash,
);
last_block_number = block_number;
last_block_hash = block_hash;
tributary_txn.commit();
made_progress = true;
}
Ok(made_progress)
}
}
}

259
coordinator/tributary/src/mempool.rs
View File

@@ -1,259 +0,0 @@
use std::collections::HashMap;
use ciphersuite::{Ciphersuite, Ristretto};
use serai_db::{DbTxn, Db};
use tendermint::ext::{Network, Commit};
use crate::{
ACCOUNT_MEMPOOL_LIMIT, ReadWrite,
transaction::{
Signed, TransactionKind, TransactionError, Transaction as TransactionTrait, verify_transaction,
},
tendermint::tx::verify_tendermint_tx,
Transaction,
};
#[derive(Clone, PartialEq, Eq, Debug)]
pub(crate) struct Mempool<D: Db, T: TransactionTrait> {
db: D,
genesis: [u8; 32],
last_nonce_in_mempool: HashMap<(<Ristretto as Ciphersuite>::G, Vec<u8>), u32>,
txs: HashMap<[u8; 32], Transaction<T>>,
txs_per_signer: HashMap<<Ristretto as Ciphersuite>::G, u32>,
}
impl<D: Db, T: TransactionTrait> Mempool<D, T> {
fn transaction_key(&self, hash: &[u8]) -> Vec<u8> {
D::key(b"tributary_mempool", b"transaction", [self.genesis.as_ref(), hash].concat())
}
fn current_mempool_key(&self) -> Vec<u8> {
D::key(b"tributary_mempool", b"current", self.genesis)
}
// save given tx to the mempool db
fn save_tx(&mut self, tx: Transaction<T>) {
let tx_hash = tx.hash();
let transaction_key = self.transaction_key(&tx_hash);
let current_mempool_key = self.current_mempool_key();
let mut current_mempool = self.db.get(&current_mempool_key).unwrap_or(vec![]);
let mut txn = self.db.txn();
txn.put(transaction_key, tx.serialize());
current_mempool.extend(tx_hash);
txn.put(current_mempool_key, current_mempool);
txn.commit();
self.txs.insert(tx_hash, tx);
}
fn unsigned_already_exist(
&self,
hash: [u8; 32],
unsigned_in_chain: impl Fn([u8; 32]) -> bool,
) -> bool {
unsigned_in_chain(hash) || self.txs.contains_key(&hash)
}
pub(crate) fn new(db: D, genesis: [u8; 32]) -> Self {
let mut res = Mempool {
db,
genesis,
last_nonce_in_mempool: HashMap::new(),
txs: HashMap::new(),
txs_per_signer: HashMap::new(),
};
let current_mempool = res.db.get(res.current_mempool_key()).unwrap_or(vec![]);
for hash in current_mempool.chunks(32) {
let hash: [u8; 32] = hash.try_into().unwrap();
let tx: Transaction<T> =
Transaction::read::<&[u8]>(&mut res.db.get(res.transaction_key(&hash)).unwrap().as_ref())
.unwrap();
debug_assert_eq!(tx.hash(), hash);
match tx {
Transaction::Tendermint(tx) => {
res.txs.insert(hash, Transaction::Tendermint(tx));
}
Transaction::Application(tx) => match tx.kind() {
TransactionKind::Signed(order, Signed { signer, nonce, .. }) => {
let amount = *res.txs_per_signer.get(&signer).unwrap_or(&0) + 1;
res.txs_per_signer.insert(signer, amount);
if let Some(prior_nonce) =
res.last_nonce_in_mempool.insert((signer, order.clone()), nonce)
{
assert_eq!(prior_nonce, nonce - 1);
}
res.txs.insert(hash, Transaction::Application(tx));
}
TransactionKind::Unsigned => {
res.txs.insert(hash, Transaction::Application(tx));
}
_ => panic!("mempool database had a provided transaction"),
},
}
}
res
}
// Returns Ok(true) if new, Ok(false) if an already present unsigned, or the error.
pub(crate) fn add<
N: Network,
F: FnOnce(<Ristretto as Ciphersuite>::G, Vec<u8>) -> Option<u32>,
>(
&mut self,
blockchain_next_nonce: F,
internal: bool,
tx: Transaction<T>,
schema: &N::SignatureScheme,
unsigned_in_chain: impl Fn([u8; 32]) -> bool,
commit: impl Fn(u64) -> Option<Commit<N::SignatureScheme>>,
) -> Result<bool, TransactionError> {
match &tx {
Transaction::Tendermint(tendermint_tx) => {
// All Tendermint transactions should be unsigned
assert_eq!(TransactionKind::Unsigned, tendermint_tx.kind());
// check we have the tx in the pool/chain
if self.unsigned_already_exist(tx.hash(), unsigned_in_chain) {
return Ok(false);
}
// verify the tx
verify_tendermint_tx::<N>(tendermint_tx, schema, commit)?;
}
Transaction::Application(app_tx) => {
match app_tx.kind() {
TransactionKind::Signed(order, Signed { signer, .. }) => {
// Get the nonce from the blockchain
let Some(blockchain_next_nonce) = blockchain_next_nonce(signer, order.clone()) else {
// Not a participant
Err(TransactionError::InvalidSigner)?
};
let mut next_nonce = blockchain_next_nonce;
if let Some(mempool_last_nonce) =
self.last_nonce_in_mempool.get(&(signer, order.clone()))
{
assert!(*mempool_last_nonce >= blockchain_next_nonce);
next_nonce = *mempool_last_nonce + 1;
}
// If we have too many transactions from this sender, don't add this yet UNLESS we are
// this sender
let amount_in_pool = *self.txs_per_signer.get(&signer).unwrap_or(&0) + 1;
if !internal && (amount_in_pool > ACCOUNT_MEMPOOL_LIMIT) {
Err(TransactionError::TooManyInMempool)?;
}
verify_transaction(app_tx, self.genesis, &mut |_, _| Some(next_nonce))?;
self.last_nonce_in_mempool.insert((signer, order.clone()), next_nonce);
self.txs_per_signer.insert(signer, amount_in_pool);
}
TransactionKind::Unsigned => {
// check we have the tx in the pool/chain
if self.unsigned_already_exist(tx.hash(), unsigned_in_chain) {
return Ok(false);
}
app_tx.verify()?;
}
TransactionKind::Provided(_) => Err(TransactionError::ProvidedAddedToMempool)?,
}
}
}
// Save the TX to the pool
self.save_tx(tx);
Ok(true)
}
// Returns None if the mempool doesn't have a nonce tracked.
pub(crate) fn next_nonce_in_mempool(
&self,
signer: &<Ristretto as Ciphersuite>::G,
order: Vec<u8>,
) -> Option<u32> {
self.last_nonce_in_mempool.get(&(*signer, order)).copied().map(|nonce| nonce + 1)
}
/// Get transactions to include in a block.
pub(crate) fn block(&mut self) -> Vec<Transaction<T>> {
let mut unsigned = vec![];
let mut signed = vec![];
for hash in self.txs.keys().copied().collect::<Vec<_>>() {
let tx = &self.txs[&hash];
match tx.kind() {
TransactionKind::Signed(_, Signed { .. }) => {
signed.push(tx.clone());
}
TransactionKind::Unsigned => {
unsigned.push(tx.clone());
}
_ => panic!("provided transaction entered mempool"),
}
}
// Sort signed by nonce
let nonce = |tx: &Transaction<T>| {
if let TransactionKind::Signed(_, Signed { nonce, .. }) = tx.kind() {
nonce
} else {
unreachable!()
}
};
signed.sort_by(|a, b| nonce(a).partial_cmp(&nonce(b)).unwrap());
// unsigned first, then signed.
unsigned.append(&mut signed);
unsigned
}
/// Remove a transaction from the mempool.
pub(crate) fn remove(&mut self, tx: &[u8; 32]) {
let transaction_key = self.transaction_key(tx);
let current_mempool_key = self.current_mempool_key();
let current_mempool = self.db.get(&current_mempool_key).unwrap_or(vec![]);
let mut i = 0;
while i < current_mempool.len() {
if &current_mempool[i .. (i + 32)] == tx {
break;
}
i += 32;
}
// This doesn't have to be atomic with any greater operation
let mut txn = self.db.txn();
txn.del(transaction_key);
if i != current_mempool.len() {
txn
.put(current_mempool_key, [&current_mempool[.. i], &current_mempool[(i + 32) ..]].concat());
}
txn.commit();
if let Some(tx) = self.txs.remove(tx) {
if let TransactionKind::Signed(order, Signed { signer, nonce, .. }) = tx.kind() {
let amount = *self.txs_per_signer.get(&signer).unwrap() - 1;
self.txs_per_signer.insert(signer, amount);
if self.last_nonce_in_mempool.get(&(signer, order.clone())) == Some(&nonce) {
self.last_nonce_in_mempool.remove(&(signer, order));
}
}
}
}
#[cfg(test)]
pub(crate) fn txs(&self) -> &HashMap<[u8; 32], Transaction<T>> {
&self.txs
}
}

31
coordinator/tributary/src/merkle.rs
View File

@@ -1,31 +0,0 @@
use blake2::{Digest, Blake2s256};
pub(crate) fn merkle(hash_args: &[[u8; 32]]) -> [u8; 32] {
let mut hashes = Vec::with_capacity(hash_args.len());
for hash in hash_args {
hashes.push(Blake2s256::digest([b"leaf_hash".as_ref(), hash].concat()));
}
let zero = [0; 32];
let mut interim;
while hashes.len() > 1 {
interim = Vec::with_capacity((hashes.len() + 1) / 2);
let mut i = 0;
while i < hashes.len() {
interim.push(Blake2s256::digest(
[
b"branch_hash".as_ref(),
hashes[i].as_ref(),
hashes.get(i + 1).map_or(zero.as_ref(), AsRef::as_ref),
]
.concat(),
));
i += 2;
}
hashes = interim;
}
hashes.first().copied().map_or(zero, Into::into)
}

191
coordinator/tributary/src/provided.rs
View File

@@ -1,191 +0,0 @@
use std::collections::{VecDeque, HashMap};
use thiserror::Error;
use serai_db::{Get, DbTxn, Db};
use crate::transaction::{TransactionKind, TransactionError, Transaction, verify_transaction};
#[derive(Clone, PartialEq, Eq, Debug, Error)]
pub enum ProvidedError {
/// The provided transaction's kind wasn't Provided
#[error("transaction wasn't a provided transaction")]
NotProvided,
/// The provided transaction was invalid
#[error("provided transaction was invalid")]
InvalidProvided(TransactionError),
/// Transaction was already provided
#[error("transaction was already provided")]
AlreadyProvided,
/// Local transaction mismatches the on-chain provided
#[error("local provides mismatches on-chain provided")]
LocalMismatchesOnChain,
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct ProvidedTransactions<D: Db, T: Transaction> {
db: D,
genesis: [u8; 32],
pub(crate) transactions: HashMap<&'static str, VecDeque<T>>,
}
impl<D: Db, T: Transaction> ProvidedTransactions<D, T> {
fn transaction_key(&self, hash: &[u8]) -> Vec<u8> {
D::key(b"tributary_provided", b"transaction", [self.genesis.as_ref(), hash].concat())
}
fn current_provided_key(&self) -> Vec<u8> {
D::key(b"tributary_provided", b"current", self.genesis)
}
pub(crate) fn locally_provided_quantity_key(genesis: &[u8; 32], order: &str) -> Vec<u8> {
D::key(b"tributary_provided", b"local_quantity", [genesis, order.as_bytes()].concat())
}
pub(crate) fn on_chain_provided_quantity_key(genesis: &[u8; 32], order: &str) -> Vec<u8> {
D::key(b"tributary_provided", b"on_chain_quantity", [genesis, order.as_bytes()].concat())
}
pub(crate) fn block_provided_quantity_key(
genesis: &[u8; 32],
block: &[u8; 32],
order: &str,
) -> Vec<u8> {
D::key(b"tributary_provided", b"block_quantity", [genesis, block, order.as_bytes()].concat())
}
pub(crate) fn on_chain_provided_key(genesis: &[u8; 32], order: &str, id: u32) -> Vec<u8> {
D::key(
b"tributary_provided",
b"on_chain_tx",
[genesis, order.as_bytes(), &id.to_le_bytes()].concat(),
)
}
pub(crate) fn new(db: D, genesis: [u8; 32]) -> Self {
let mut res = ProvidedTransactions { db, genesis, transactions: HashMap::new() };
let currently_provided = res.db.get(res.current_provided_key()).unwrap_or(vec![]);
let mut i = 0;
while i < currently_provided.len() {
let tx = T::read::<&[u8]>(
&mut res.db.get(res.transaction_key(&currently_provided[i .. (i + 32)])).unwrap().as_ref(),
)
.unwrap();
let TransactionKind::Provided(order) = tx.kind() else {
panic!("provided transaction saved to disk wasn't provided");
};
if !res.transactions.contains_key(order) {
res.transactions.insert(order, VecDeque::new());
}
res.transactions.get_mut(order).unwrap().push_back(tx);
i += 32;
}
res
}
/// Provide a transaction for inclusion in a block.
pub(crate) fn provide(&mut self, tx: T) -> Result<(), ProvidedError> {
let TransactionKind::Provided(order) = tx.kind() else { Err(ProvidedError::NotProvided)? };
match verify_transaction(&tx, self.genesis, &mut |_, _| None) {
Ok(()) => {}
Err(e) => Err(ProvidedError::InvalidProvided(e))?,
}
let tx_hash = tx.hash();
// Check it wasn't already provided
let provided_key = self.transaction_key(&tx_hash);
if self.db.get(&provided_key).is_some() {
Err(ProvidedError::AlreadyProvided)?;
}
// get local and on-chain tx numbers
let local_key = Self::locally_provided_quantity_key(&self.genesis, order);
let mut local_quantity =
self.db.get(&local_key).map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap()));
let on_chain_key = Self::on_chain_provided_quantity_key(&self.genesis, order);
let on_chain_quantity =
self.db.get(on_chain_key).map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap()));
let current_provided_key = self.current_provided_key();
// This would have a race-condition with multiple calls to provide, though this takes &mut self
// peventing multiple calls at once
let mut txn = self.db.txn();
txn.put(provided_key, tx.serialize());
let this_provided_id = local_quantity;
local_quantity += 1;
txn.put(local_key, local_quantity.to_le_bytes());
if this_provided_id < on_chain_quantity {
// Verify against the on-chain version
if tx_hash.as_ref() !=
txn.get(Self::on_chain_provided_key(&self.genesis, order, this_provided_id)).unwrap()
{
Err(ProvidedError::LocalMismatchesOnChain)?;
}
txn.commit();
} else {
let mut currently_provided = txn.get(&current_provided_key).unwrap_or(vec![]);
currently_provided.extend(tx_hash);
txn.put(current_provided_key, currently_provided);
txn.commit();
if !self.transactions.contains_key(order) {
self.transactions.insert(order, VecDeque::new());
}
self.transactions.get_mut(order).unwrap().push_back(tx);
}
Ok(())
}
/// Complete a provided transaction, no longer proposing it nor voting for its validity.
pub(crate) fn complete(
&mut self,
txn: &mut D::Transaction<'_>,
order: &'static str,
block: [u8; 32],
tx: [u8; 32],
) {
if let Some(next_tx) = self.transactions.get_mut(order).and_then(VecDeque::pop_front) {
assert_eq!(next_tx.hash(), tx);
let current_provided_key = self.current_provided_key();
let mut currently_provided = txn.get(&current_provided_key).unwrap();
// Find this TX's hash
let mut i = 0;
loop {
if currently_provided[i .. (i + 32)] == tx {
assert_eq!(&currently_provided.drain(i .. (i + 32)).collect::<Vec<_>>(), &tx);
break;
}
i += 32;
if i >= currently_provided.len() {
panic!("couldn't find completed TX in currently provided");
}
}
txn.put(current_provided_key, currently_provided);
}
// bump the on-chain tx number.
let on_chain_key = Self::on_chain_provided_quantity_key(&self.genesis, order);
let block_order_key = Self::block_provided_quantity_key(&self.genesis, &block, order);
let mut on_chain_quantity =
self.db.get(&on_chain_key).map_or(0, |bytes| u32::from_le_bytes(bytes.try_into().unwrap()));
let this_provided_id = on_chain_quantity;
txn.put(Self::on_chain_provided_key(&self.genesis, order, this_provided_id), tx);
on_chain_quantity += 1;
txn.put(on_chain_key, on_chain_quantity.to_le_bytes());
txn.put(block_order_key, on_chain_quantity.to_le_bytes());
}
}

424
coordinator/tributary/src/tendermint/mod.rs
View File

@@ -1,424 +0,0 @@
use core::{ops::Deref, future::Future};
use std::{sync::Arc, collections::HashMap};
use subtle::ConstantTimeEq;
use zeroize::{Zeroize, Zeroizing};
use rand::{SeedableRng, seq::SliceRandom};
use rand_chacha::ChaCha12Rng;
use transcript::{Transcript, RecommendedTranscript};
use ciphersuite::{
group::{
GroupEncoding,
ff::{Field, PrimeField},
},
Ciphersuite, Ristretto,
};
use schnorr::{
SchnorrSignature,
aggregate::{SchnorrAggregator, SchnorrAggregate},
};
use serai_db::Db;
use scale::{Encode, Decode};
use tendermint::{
SignedMessageFor,
ext::{
BlockNumber, RoundNumber, Signer as SignerTrait, SignatureScheme, Weights, Block as BlockTrait,
BlockError as TendermintBlockError, Commit, Network,
},
SlashEvent,
};
use tokio::sync::RwLock;
use crate::{
TENDERMINT_MESSAGE, TRANSACTION_MESSAGE, ReadWrite, transaction::Transaction as TransactionTrait,
Transaction, BlockHeader, Block, BlockError, Blockchain, P2p,
};
pub mod tx;
use tx::TendermintTx;
const DST: &[u8] = b"Tributary Tendermint Commit Aggregator";
fn challenge(
genesis: [u8; 32],
key: [u8; 32],
nonce: &[u8],
msg: &[u8],
) -> <Ristretto as Ciphersuite>::F {
let mut transcript = RecommendedTranscript::new(b"Tributary Chain Tendermint Message");
transcript.append_message(b"genesis", genesis);
transcript.append_message(b"key", key);
transcript.append_message(b"nonce", nonce);
transcript.append_message(b"message", msg);
<Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(&transcript.challenge(b"schnorr").into())
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Signer {
genesis: [u8; 32],
key: Zeroizing<<Ristretto as Ciphersuite>::F>,
}
impl Signer {
pub(crate) fn new(genesis: [u8; 32], key: Zeroizing<<Ristretto as Ciphersuite>::F>) -> Signer {
Signer { genesis, key }
}
}
impl SignerTrait for Signer {
type ValidatorId = [u8; 32];
type Signature = [u8; 64];
/// Returns the validator's current ID. Returns None if they aren't a current validator.
fn validator_id(&self) -> impl Send + Future<Output = Option<Self::ValidatorId>> {
async move { Some((Ristretto::generator() * self.key.deref()).to_bytes()) }
}
/// Sign a signature with the current validator's private key.
fn sign(&self, msg: &[u8]) -> impl Send + Future<Output = Self::Signature> {
async move {
let mut nonce =
Zeroizing::new(RecommendedTranscript::new(b"Tributary Chain Tendermint Nonce"));
nonce.append_message(b"genesis", self.genesis);
nonce.append_message(b"key", Zeroizing::new(self.key.deref().to_repr()).as_ref());
nonce.append_message(b"message", msg);
let mut nonce = nonce.challenge(b"nonce");
let mut nonce_arr = [0; 64];
nonce_arr.copy_from_slice(nonce.as_ref());
let nonce_ref: &mut [u8] = nonce.as_mut();
nonce_ref.zeroize();
let nonce_ref: &[u8] = nonce.as_ref();
assert_eq!(nonce_ref, [0; 64].as_ref());
let nonce =
Zeroizing::new(<Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(&nonce_arr));
nonce_arr.zeroize();
assert!(!bool::from(nonce.ct_eq(&<Ristretto as Ciphersuite>::F::ZERO)));
let challenge = challenge(
self.genesis,
(Ristretto::generator() * self.key.deref()).to_bytes(),
(Ristretto::generator() * nonce.deref()).to_bytes().as_ref(),
msg,
);
let sig = SchnorrSignature::<Ristretto>::sign(&self.key, nonce, challenge).serialize();
let mut res = [0; 64];
res.copy_from_slice(&sig);
res
}
}
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Validators {
genesis: [u8; 32],
total_weight: u64,
weights: HashMap<[u8; 32], u64>,
robin: Vec<[u8; 32]>,
}
impl Validators {
pub(crate) fn new(
genesis: [u8; 32],
validators: Vec<(<Ristretto as Ciphersuite>::G, u64)>,
) -> Option<Validators> {
let mut total_weight = 0;
let mut weights = HashMap::new();
let mut transcript = RecommendedTranscript::new(b"Round Robin Randomization");
let mut robin = vec![];
for (validator, weight) in validators {
let validator = validator.to_bytes();
if weight == 0 {
return None;
}
total_weight += weight;
weights.insert(validator, weight);
transcript.append_message(b"validator", validator);
transcript.append_message(b"weight", weight.to_le_bytes());
robin.extend(vec![validator; usize::try_from(weight).unwrap()]);
}
robin.shuffle(&mut ChaCha12Rng::from_seed(transcript.rng_seed(b"robin")));
Some(Validators { genesis, total_weight, weights, robin })
}
}
impl SignatureScheme for Validators {
type ValidatorId = [u8; 32];
type Signature = [u8; 64];
type AggregateSignature = Vec<u8>;
type Signer = Arc<Signer>;
#[must_use]
fn verify(&self, validator: Self::ValidatorId, msg: &[u8], sig: &Self::Signature) -> bool {
if !self.weights.contains_key(&validator) {
return false;
}
let Ok(validator_point) = Ristretto::read_G::<&[u8]>(&mut validator.as_ref()) else {
return false;
};
let Ok(actual_sig) = SchnorrSignature::<Ristretto>::read::<&[u8]>(&mut sig.as_ref()) else {
return false;
};
actual_sig.verify(validator_point, challenge(self.genesis, validator, &sig[.. 32], msg))
}
fn aggregate(
&self,
validators: &[Self::ValidatorId],
msg: &[u8],
sigs: &[Self::Signature],
) -> Self::AggregateSignature {
assert_eq!(validators.len(), sigs.len());
let mut aggregator = SchnorrAggregator::<Ristretto>::new(DST);
for (key, sig) in validators.iter().zip(sigs) {
let actual_sig = SchnorrSignature::<Ristretto>::read::<&[u8]>(&mut sig.as_ref()).unwrap();
let challenge = challenge(self.genesis, *key, actual_sig.R.to_bytes().as_ref(), msg);
aggregator.aggregate(challenge, actual_sig);
}
let aggregate = aggregator.complete().unwrap();
aggregate.serialize()
}
#[must_use]
fn verify_aggregate(
&self,
signers: &[Self::ValidatorId],
msg: &[u8],
sig: &Self::AggregateSignature,
) -> bool {
let Ok(aggregate) = SchnorrAggregate::<Ristretto>::read::<&[u8]>(&mut sig.as_slice()) else {
return false;
};
if signers.len() != aggregate.Rs().len() {
return false;
}
let mut challenges = vec![];
for (key, nonce) in signers.iter().zip(aggregate.Rs()) {
challenges.push(challenge(self.genesis, *key, nonce.to_bytes().as_ref(), msg));
}
aggregate.verify(
DST,
signers
.iter()
.zip(challenges)
.map(|(s, c)| (<Ristretto as Ciphersuite>::read_G(&mut s.as_slice()).unwrap(), c))
.collect::<Vec<_>>()
.as_slice(),
)
}
}
impl Weights for Validators {
type ValidatorId = [u8; 32];
fn total_weight(&self) -> u64 {
self.total_weight
}
fn weight(&self, validator: Self::ValidatorId) -> u64 {
self.weights[&validator]
}
fn proposer(&self, block: BlockNumber, round: RoundNumber) -> Self::ValidatorId {
let block = usize::try_from(block.0).unwrap();
let round = usize::try_from(round.0).unwrap();
// If multiple rounds are used, a naive block + round would cause the same index to be chosen
// in quick succession.
// Accordingly, if we use additional rounds, jump halfway around.
// While this is still game-able, it's not explicitly reusing indexes immediately after each
// other.
self.robin
[(block + (if round == 0 { 0 } else { round + (self.robin.len() / 2) })) % self.robin.len()]
}
}
#[derive(Clone, PartialEq, Eq, Debug, Encode, Decode)]
pub struct TendermintBlock(pub Vec<u8>);
impl BlockTrait for TendermintBlock {
type Id = [u8; 32];
fn id(&self) -> Self::Id {
BlockHeader::read::<&[u8]>(&mut self.0.as_ref()).unwrap().hash()
}
}
#[derive(Clone, Debug)]
pub struct TendermintNetwork<D: Db, T: TransactionTrait, P: P2p> {
pub(crate) genesis: [u8; 32],
pub(crate) signer: Arc<Signer>,
pub(crate) validators: Arc<Validators>,
pub(crate) blockchain: Arc<RwLock<Blockchain<D, T>>>,
pub(crate) p2p: P,
}
pub const BLOCK_PROCESSING_TIME: u32 = 999;
pub const LATENCY_TIME: u32 = 1667;
pub const TARGET_BLOCK_TIME: u32 = BLOCK_PROCESSING_TIME + (3 * LATENCY_TIME);
impl<D: Db, T: TransactionTrait, P: P2p> Network for TendermintNetwork<D, T, P> {
type Db = D;
type ValidatorId = [u8; 32];
type SignatureScheme = Arc<Validators>;
type Weights = Arc<Validators>;
type Block = TendermintBlock;
// These are in milliseconds and create a six-second block time.
// The block time is the latency on message delivery (where a message is some piece of data
// embedded in a transaction) times three plus the block processing time, hence why it should be
// kept low.
const BLOCK_PROCESSING_TIME: u32 = BLOCK_PROCESSING_TIME;
const LATENCY_TIME: u32 = LATENCY_TIME;
fn signer(&self) -> Arc<Signer> {
self.signer.clone()
}
fn signature_scheme(&self) -> Arc<Validators> {
self.validators.clone()
}
fn weights(&self) -> Arc<Validators> {
self.validators.clone()
}
fn broadcast(&mut self, msg: SignedMessageFor<Self>) -> impl Send + Future<Output = ()> {
async move {
let mut to_broadcast = vec![TENDERMINT_MESSAGE];
to_broadcast.extend(msg.encode());
self.p2p.broadcast(self.genesis, to_broadcast).await
}
}
fn slash(
&mut self,
validator: Self::ValidatorId,
slash_event: SlashEvent,
) -> impl Send + Future<Output = ()> {
async move {
log::error!(
"validator {} triggered a slash event on tributary {} (with evidence: {})",
hex::encode(validator),
hex::encode(self.genesis),
matches!(slash_event, SlashEvent::WithEvidence(_)),
);
let signer = self.signer();
let Some(tx) = (match slash_event {
SlashEvent::WithEvidence(evidence) => {
// create an unsigned evidence tx
Some(TendermintTx::SlashEvidence(evidence))
}
SlashEvent::Id(_reason, _block, _round) => {
// TODO: Increase locally observed slash points
None
}
}) else {
return;
};
// add tx to blockchain and broadcast to peers
let mut to_broadcast = vec![TRANSACTION_MESSAGE];
tx.write(&mut to_broadcast).unwrap();
if self.blockchain.write().await.add_transaction::<Self>(
true,
Transaction::Tendermint(tx),
&self.signature_scheme(),
) == Ok(true)
{
self.p2p.broadcast(signer.genesis, to_broadcast).await;
}
}
}
fn validate(
&self,
block: &Self::Block,
) -> impl Send + Future<Output = Result<(), TendermintBlockError>> {
async move {
let block =
Block::read::<&[u8]>(&mut block.0.as_ref()).map_err(|_| TendermintBlockError::Fatal)?;
self
.blockchain
.read()
.await
.verify_block::<Self>(&block, &self.signature_scheme(), false)
.map_err(|e| match e {
BlockError::NonLocalProvided(_) => TendermintBlockError::Temporal,
_ => {
log::warn!("Tributary Tendermint validate returning BlockError::Fatal due to {e:?}");
TendermintBlockError::Fatal
}
})
}
}
fn add_block(
&mut self,
serialized_block: Self::Block,
commit: Commit<Self::SignatureScheme>,
) -> impl Send + Future<Output = Option<Self::Block>> {
async move {
let invalid_block = || {
// There's a fatal flaw in the code, it's behind a hard fork, or the validators turned
// malicious
// All justify a halt to then achieve social consensus from
// TODO: Under multiple validator sets, a small validator set turning malicious knocks
// off the entire network. That's an unacceptable DoS.
panic!("validators added invalid block to tributary {}", hex::encode(self.genesis));
};
// Tendermint should only produce valid commits
assert!(self.verify_commit(serialized_block.id(), &commit));
let Ok(block) = Block::read::<&[u8]>(&mut serialized_block.0.as_ref()) else {
return invalid_block();
};
let encoded_commit = commit.encode();
loop {
let block_res = self.blockchain.write().await.add_block::<Self>(
&block,
encoded_commit.clone(),
&self.signature_scheme(),
);
match block_res {
Ok(()) => {
// If we successfully added this block, break
break;
}
Err(BlockError::NonLocalProvided(hash)) => {
log::error!(
"missing provided transaction {} which other validators on tributary {} had",
hex::encode(hash),
hex::encode(self.genesis)
);
tokio::time::sleep(core::time::Duration::from_secs(5)).await;
}
_ => return invalid_block(),
}
}
Some(TendermintBlock(
self.blockchain.write().await.build_block::<Self>(&self.signature_scheme()).serialize(),
))
}
}
}

76
coordinator/tributary/src/tendermint/tx.rs
View File

@@ -1,76 +0,0 @@
use std::io;
use scale::{Encode, Decode, IoReader};
use blake2::{Digest, Blake2s256};
use ciphersuite::{Ciphersuite, Ristretto};
use crate::{
transaction::{Transaction, TransactionKind, TransactionError},
ReadWrite,
};
use tendermint::{
verify_tendermint_evidence,
ext::{Network, Commit},
};
pub use tendermint::{Evidence, decode_signed_message};
#[allow(clippy::large_enum_variant)]
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum TendermintTx {
SlashEvidence(Evidence),
}
impl ReadWrite for TendermintTx {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
Evidence::decode(&mut IoReader(reader))
.map(TendermintTx::SlashEvidence)
.map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "invalid evidence format"))
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
match self {
TendermintTx::SlashEvidence(ev) => writer.write_all(&ev.encode()),
}
}
}
impl Transaction for TendermintTx {
fn kind(&self) -> TransactionKind {
// There's an assert elsewhere in the codebase expecting this behavior
// If we do want to add Provided/Signed TendermintTxs, review the implications carefully
TransactionKind::Unsigned
}
fn hash(&self) -> [u8; 32] {
Blake2s256::digest(self.serialize()).into()
}
fn sig_hash(&self, _genesis: [u8; 32]) -> <Ristretto as Ciphersuite>::F {
match self {
TendermintTx::SlashEvidence(_) => panic!("sig_hash called on slash evidence transaction"),
}
}
fn verify(&self) -> Result<(), TransactionError> {
Ok(())
}
}
pub(crate) fn verify_tendermint_tx<N: Network>(
tx: &TendermintTx,
schema: &N::SignatureScheme,
commit: impl Fn(u64) -> Option<Commit<N::SignatureScheme>>,
) -> Result<(), TransactionError> {
tx.verify()?;
match tx {
TendermintTx::SlashEvidence(ev) => verify_tendermint_evidence::<N>(ev, schema, commit)
.map_err(|_| TransactionError::InvalidContent)?,
}
Ok(())
}

140
coordinator/tributary/src/tests/block.rs
View File

@@ -1,140 +0,0 @@
use std::{sync::Arc, io, collections::HashMap, fmt::Debug};
use blake2::{Digest, Blake2s256};
use ciphersuite::{
group::{ff::Field, Group},
Ciphersuite, Ristretto,
};
use schnorr::SchnorrSignature;
use serai_db::MemDb;
use tendermint::ext::Commit;
use crate::{
ReadWrite, BlockError, Block, Transaction,
tests::p2p::DummyP2p,
transaction::{TransactionError, Signed, TransactionKind, Transaction as TransactionTrait},
tendermint::{TendermintNetwork, Validators},
};
type N = TendermintNetwork<MemDb, NonceTransaction, DummyP2p>;
// A transaction solely defined by its nonce and a distinguisher (to allow creating distinct TXs
// sharing a nonce).
#[derive(Clone, PartialEq, Eq, Debug)]
struct NonceTransaction(u32, u8, Signed);
impl NonceTransaction {
fn new(nonce: u32, distinguisher: u8) -> Self {
NonceTransaction(
nonce,
distinguisher,
Signed {
signer: <Ristretto as Ciphersuite>::G::identity(),
nonce,
signature: SchnorrSignature::<Ristretto> {
R: <Ristretto as Ciphersuite>::G::identity(),
s: <Ristretto as Ciphersuite>::F::ZERO,
},
},
)
}
}
impl ReadWrite for NonceTransaction {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut nonce = [0; 4];
reader.read_exact(&mut nonce)?;
let nonce = u32::from_le_bytes(nonce);
let mut distinguisher = [0];
reader.read_exact(&mut distinguisher)?;
Ok(NonceTransaction::new(nonce, distinguisher[0]))
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
writer.write_all(&self.0.to_le_bytes())?;
writer.write_all(&[self.1])
}
}
impl TransactionTrait for NonceTransaction {
fn kind(&self) -> TransactionKind {
TransactionKind::Signed(vec![], self.2.clone())
}
fn hash(&self) -> [u8; 32] {
Blake2s256::digest([self.0.to_le_bytes().as_ref(), &[self.1]].concat()).into()
}
fn verify(&self) -> Result<(), TransactionError> {
Ok(())
}
}
#[test]
fn empty_block() {
const GENESIS: [u8; 32] = [0xff; 32];
const LAST: [u8; 32] = [0x01; 32];
let validators = Arc::new(Validators::new(GENESIS, vec![]).unwrap());
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let provided_or_unsigned_in_chain = |_: [u8; 32]| false;
Block::<NonceTransaction>::new(LAST, vec![], vec![])
.verify::<N, _>(
GENESIS,
LAST,
HashMap::new(),
&mut |_, _| None,
&validators,
commit,
provided_or_unsigned_in_chain,
false,
)
.unwrap();
}
#[test]
fn duplicate_nonces() {
const GENESIS: [u8; 32] = [0xff; 32];
const LAST: [u8; 32] = [0x01; 32];
let validators = Arc::new(Validators::new(GENESIS, vec![]).unwrap());
// Run once without duplicating a nonce, and once with, so that's confirmed to be the faulty
// component
for i in [1, 0] {
let mut mempool = vec![];
let mut insert = |tx: NonceTransaction| mempool.push(Transaction::Application(tx));
insert(NonceTransaction::new(0, 0));
insert(NonceTransaction::new(i, 1));
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let provided_or_unsigned_in_chain = |_: [u8; 32]| false;
let mut last_nonce = 0;
let res = Block::new(LAST, vec![], mempool).verify::<N, _>(
GENESIS,
LAST,
HashMap::new(),
&mut |_, _| {
let res = last_nonce;
last_nonce += 1;
Some(res)
},
&validators,
commit,
provided_or_unsigned_in_chain,
false,
);
if i == 1 {
res.unwrap();
} else {
assert_eq!(res, Err(BlockError::TransactionError(TransactionError::InvalidNonce)));
}
}
}

540
coordinator/tributary/src/tests/blockchain.rs
View File

@@ -1,540 +0,0 @@
use core::ops::Deref;
use std::{
collections::{VecDeque, HashMap},
sync::Arc,
io,
};
use zeroize::Zeroizing;
use rand::rngs::OsRng;
use blake2::{Digest, Blake2s256};
use ciphersuite::{group::ff::Field, Ciphersuite, Ristretto};
use serai_db::{DbTxn, Db, MemDb};
use crate::{
ReadWrite, TransactionKind,
transaction::Transaction as TransactionTrait,
TransactionError, Transaction, ProvidedError, ProvidedTransactions, merkle, BlockError, Block,
Blockchain,
tendermint::{TendermintNetwork, Validators, Signer, TendermintBlock},
tests::{
ProvidedTransaction, SignedTransaction, random_provided_transaction, p2p::DummyP2p,
new_genesis, random_evidence_tx,
},
};
type N = TendermintNetwork<MemDb, SignedTransaction, DummyP2p>;
fn new_blockchain<T: TransactionTrait>(
genesis: [u8; 32],
participants: &[<Ristretto as Ciphersuite>::G],
) -> (MemDb, Blockchain<MemDb, T>) {
let db = MemDb::new();
let blockchain = Blockchain::new(db.clone(), genesis, participants);
assert_eq!(blockchain.tip(), genesis);
assert_eq!(blockchain.block_number(), 0);
(db, blockchain)
}
#[test]
fn block_addition() {
let genesis = new_genesis();
let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
let (db, mut blockchain) = new_blockchain::<SignedTransaction>(genesis, &[]);
let block = blockchain.build_block::<N>(&validators);
assert_eq!(block.header.parent, genesis);
assert_eq!(block.header.transactions, [0; 32]);
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
assert!(blockchain.add_block::<N>(&block, vec![], &validators).is_ok());
assert_eq!(blockchain.tip(), block.hash());
assert_eq!(blockchain.block_number(), 1);
assert_eq!(
Blockchain::<MemDb, SignedTransaction>::block_after(&db, genesis, &block.parent()).unwrap(),
block.hash()
);
}
#[test]
fn invalid_block() {
let genesis = new_genesis();
let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
let (_, mut blockchain) = new_blockchain::<SignedTransaction>(genesis, &[]);
let block = blockchain.build_block::<N>(&validators);
// Mutate parent
{
#[allow(clippy::redundant_clone)] // False positive
let mut block = block.clone();
block.header.parent = Blake2s256::digest(block.header.parent).into();
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
}
// Mutate transactions merkle
{
let mut block = block;
block.header.transactions = Blake2s256::digest(block.header.transactions).into();
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
}
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let tx = crate::tests::signed_transaction(&mut OsRng, genesis, &key, 0);
// Not a participant
{
// Manually create the block to bypass build_block's checks
let block = Block::new(blockchain.tip(), vec![], vec![Transaction::Application(tx.clone())]);
assert_eq!(block.header.transactions, merkle(&[tx.hash()]));
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
}
// Run the rest of the tests with them as a participant
let (_, blockchain) = new_blockchain(genesis, &[tx.1.signer]);
// Re-run the not a participant block to make sure it now works
{
let block = Block::new(blockchain.tip(), vec![], vec![Transaction::Application(tx.clone())]);
assert_eq!(block.header.transactions, merkle(&[tx.hash()]));
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
}
{
// Add a valid transaction
let (_, mut blockchain) = new_blockchain(genesis, &[tx.1.signer]);
blockchain
.add_transaction::<N>(true, Transaction::Application(tx.clone()), &validators)
.unwrap();
let mut block = blockchain.build_block::<N>(&validators);
assert_eq!(block.header.transactions, merkle(&[tx.hash()]));
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
// And verify mutating the transactions merkle now causes a failure
block.header.transactions = merkle(&[]);
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
}
{
// Invalid nonce
let tx = crate::tests::signed_transaction(&mut OsRng, genesis, &key, 5);
// Manually create the block to bypass build_block's checks
let block = Block::new(blockchain.tip(), vec![], vec![Transaction::Application(tx)]);
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
}
{
// Invalid signature
let (_, mut blockchain) = new_blockchain(genesis, &[tx.1.signer]);
blockchain.add_transaction::<N>(true, Transaction::Application(tx), &validators).unwrap();
let mut block = blockchain.build_block::<N>(&validators);
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
match &mut block.transactions[0] {
Transaction::Application(tx) => {
tx.1.signature.s += <Ristretto as Ciphersuite>::F::ONE;
}
_ => panic!("non-signed tx found"),
}
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
// Make sure this isn't because the merkle changed due to the transaction hash including the
// signature (which it explicitly isn't allowed to anyways)
assert_eq!(block.header.transactions, merkle(&[block.transactions[0].hash()]));
}
}
#[test]
fn signed_transaction() {
let genesis = new_genesis();
let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let tx = crate::tests::signed_transaction(&mut OsRng, genesis, &key, 0);
let signer = tx.1.signer;
let (_, mut blockchain) = new_blockchain::<SignedTransaction>(genesis, &[signer]);
assert_eq!(blockchain.next_nonce(&signer, &[]), Some(0));
let test = |blockchain: &mut Blockchain<MemDb, SignedTransaction>,
mempool: Vec<Transaction<SignedTransaction>>| {
let tip = blockchain.tip();
for tx in mempool.clone() {
let Transaction::Application(tx) = tx else {
panic!("tendermint tx found");
};
let next_nonce = blockchain.next_nonce(&signer, &[]).unwrap();
blockchain.add_transaction::<N>(true, Transaction::Application(tx), &validators).unwrap();
assert_eq!(next_nonce + 1, blockchain.next_nonce(&signer, &[]).unwrap());
}
let block = blockchain.build_block::<N>(&validators);
assert_eq!(block, Block::new(blockchain.tip(), vec![], mempool.clone()));
assert_eq!(blockchain.tip(), tip);
assert_eq!(block.header.parent, tip);
// Make sure all transactions were included
assert_eq!(block.transactions, mempool);
// Make sure the merkle was correct
assert_eq!(
block.header.transactions,
merkle(&mempool.iter().map(Transaction::hash).collect::<Vec<_>>())
);
// Verify and add the block
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
assert!(blockchain.add_block::<N>(&block, vec![], &validators).is_ok());
assert_eq!(blockchain.tip(), block.hash());
};
// Test with a single nonce
test(&mut blockchain, vec![Transaction::Application(tx)]);
assert_eq!(blockchain.next_nonce(&signer, &[]), Some(1));
// Test with a flood of nonces
let mut mempool = vec![];
for nonce in 1 .. 64 {
mempool.push(Transaction::Application(crate::tests::signed_transaction(
&mut OsRng, genesis, &key, nonce,
)));
}
test(&mut blockchain, mempool);
assert_eq!(blockchain.next_nonce(&signer, &[]), Some(64));
}
#[test]
fn provided_transaction() {
let genesis = new_genesis();
let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
let (db, mut blockchain) = new_blockchain::<ProvidedTransaction>(genesis, &[]);
let tx = random_provided_transaction(&mut OsRng, "order1");
// This should be providable
let mut temp_db = MemDb::new();
let mut txs = ProvidedTransactions::<_, ProvidedTransaction>::new(temp_db.clone(), genesis);
txs.provide(tx.clone()).unwrap();
assert_eq!(txs.provide(tx.clone()), Err(ProvidedError::AlreadyProvided));
assert_eq!(
ProvidedTransactions::<_, ProvidedTransaction>::new(temp_db.clone(), genesis).transactions,
HashMap::from([("order1", VecDeque::from([tx.clone()]))]),
);
let mut txn = temp_db.txn();
txs.complete(&mut txn, "order1", [0u8; 32], tx.hash());
txn.commit();
assert!(ProvidedTransactions::<_, ProvidedTransaction>::new(db.clone(), genesis)
.transactions
.is_empty());
// case we have the block's provided txs in our local as well
{
// Non-provided transactions should fail verification because we don't have them locally.
let block = Block::new(blockchain.tip(), vec![tx.clone()], vec![]);
assert!(blockchain.verify_block::<N>(&block, &validators, false).is_err());
// Provided transactions should pass verification
blockchain.provide_transaction(tx.clone()).unwrap();
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
// add_block should work for verified blocks
assert!(blockchain.add_block::<N>(&block, vec![], &validators).is_ok());
let block = Block::new(blockchain.tip(), vec![tx.clone()], vec![]);
// The provided transaction should no longer considered provided but added to chain,
// causing this error
assert_eq!(
blockchain.verify_block::<N>(&block, &validators, false),
Err(BlockError::ProvidedAlreadyIncluded)
);
}
// case we don't have the block's provided txs in our local
{
let tx1 = random_provided_transaction(&mut OsRng, "order1");
let tx2 = random_provided_transaction(&mut OsRng, "order1");
let tx3 = random_provided_transaction(&mut OsRng, "order2");
let tx4 = random_provided_transaction(&mut OsRng, "order2");
// add_block DOES NOT fail for unverified provided transactions if told to add them,
// since now we can have them later.
let block1 = Block::new(blockchain.tip(), vec![tx1.clone(), tx3.clone()], vec![]);
assert!(blockchain.add_block::<N>(&block1, vec![], &validators).is_ok());
// in fact, we can have many blocks that have provided txs that we don't have locally.
let block2 = Block::new(blockchain.tip(), vec![tx2.clone(), tx4.clone()], vec![]);
assert!(blockchain.add_block::<N>(&block2, vec![], &validators).is_ok());
// make sure we won't return ok for the block before we actually got the txs
let TransactionKind::Provided(order) = tx1.kind() else { panic!("tx wasn't provided") };
assert!(!Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block1.hash(),
order
));
// provide the first tx
blockchain.provide_transaction(tx1).unwrap();
// it should be ok for this order now, since the second tx has different order.
assert!(Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block1.hash(),
order
));
// give the second tx
let TransactionKind::Provided(order) = tx3.kind() else { panic!("tx wasn't provided") };
assert!(!Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block1.hash(),
order
));
blockchain.provide_transaction(tx3).unwrap();
// it should be ok now for the first block
assert!(Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block1.hash(),
order
));
// provide the second block txs
let TransactionKind::Provided(order) = tx4.kind() else { panic!("tx wasn't provided") };
// not ok yet
assert!(!Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block2.hash(),
order
));
blockchain.provide_transaction(tx4).unwrap();
// ok now
assert!(Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block2.hash(),
order
));
// provide the second block txs
let TransactionKind::Provided(order) = tx2.kind() else { panic!("tx wasn't provided") };
assert!(!Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block2.hash(),
order
));
blockchain.provide_transaction(tx2).unwrap();
assert!(Blockchain::<MemDb, ProvidedTransaction>::locally_provided_txs_in_block(
&db,
&genesis,
&block2.hash(),
order
));
}
}
#[tokio::test]
async fn tendermint_evidence_tx() {
let genesis = new_genesis();
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let signer = Signer::new(genesis, key.clone());
let signer_id = Ristretto::generator() * key.deref();
let validators = Arc::new(Validators::new(genesis, vec![(signer_id, 1)]).unwrap());
let (_, mut blockchain) = new_blockchain::<SignedTransaction>(genesis, &[]);
let test = |blockchain: &mut Blockchain<MemDb, SignedTransaction>,
mempool: Vec<Transaction<SignedTransaction>>,
validators: Arc<Validators>| {
let tip = blockchain.tip();
for tx in mempool.clone() {
let Transaction::Tendermint(tx) = tx else {
panic!("non-tendermint tx found");
};
blockchain.add_transaction::<N>(true, Transaction::Tendermint(tx), &validators).unwrap();
}
let block = blockchain.build_block::<N>(&validators);
assert_eq!(blockchain.tip(), tip);
assert_eq!(block.header.parent, tip);
// Make sure all transactions were included
for bt in &block.transactions {
assert!(mempool.contains(bt));
}
// Verify and add the block
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
assert!(blockchain.add_block::<N>(&block, vec![], &validators).is_ok());
assert_eq!(blockchain.tip(), block.hash());
};
// test with single tx
let tx = random_evidence_tx::<N>(signer.into(), TendermintBlock(vec![0x12])).await;
test(&mut blockchain, vec![Transaction::Tendermint(tx)], validators);
// test with multiple txs
let mut mempool: Vec<Transaction<SignedTransaction>> = vec![];
let mut signers = vec![];
for _ in 0 .. 5 {
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let signer = Signer::new(genesis, key.clone());
let signer_id = Ristretto::generator() * key.deref();
signers.push((signer_id, 1));
mempool.push(Transaction::Tendermint(
random_evidence_tx::<N>(signer.into(), TendermintBlock(vec![0x12])).await,
));
}
// update validators
let validators = Arc::new(Validators::new(genesis, signers).unwrap());
test(&mut blockchain, mempool, validators);
}
#[tokio::test]
async fn block_tx_ordering() {
#[derive(Debug, PartialEq, Eq, Clone)]
enum SignedTx {
Signed(Box<SignedTransaction>),
Provided(Box<ProvidedTransaction>),
}
impl ReadWrite for SignedTx {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut kind = [0];
reader.read_exact(&mut kind)?;
match kind[0] {
0 => Ok(SignedTx::Signed(Box::new(SignedTransaction::read(reader)?))),
1 => Ok(SignedTx::Provided(Box::new(ProvidedTransaction::read(reader)?))),
_ => Err(io::Error::other("invalid transaction type")),
}
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
match self {
SignedTx::Signed(signed) => {
writer.write_all(&[0])?;
signed.write(writer)
}
SignedTx::Provided(pro) => {
writer.write_all(&[1])?;
pro.write(writer)
}
}
}
}
impl TransactionTrait for SignedTx {
fn kind(&self) -> TransactionKind {
match self {
SignedTx::Signed(signed) => signed.kind(),
SignedTx::Provided(pro) => pro.kind(),
}
}
fn hash(&self) -> [u8; 32] {
match self {
SignedTx::Signed(signed) => signed.hash(),
SignedTx::Provided(pro) => pro.hash(),
}
}
fn verify(&self) -> Result<(), TransactionError> {
Ok(())
}
}
let genesis = new_genesis();
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
// signer
let signer = crate::tests::signed_transaction(&mut OsRng, genesis, &key, 0).1.signer;
let validators = Arc::new(Validators::new(genesis, vec![(signer, 1)]).unwrap());
let (_, mut blockchain) = new_blockchain::<SignedTx>(genesis, &[signer]);
let tip = blockchain.tip();
// add txs
let mut mempool = vec![];
let mut provided_txs = vec![];
for i in 0 .. 128 {
let signed_tx = Transaction::Application(SignedTx::Signed(Box::new(
crate::tests::signed_transaction(&mut OsRng, genesis, &key, i),
)));
blockchain.add_transaction::<N>(true, signed_tx.clone(), &validators).unwrap();
mempool.push(signed_tx);
let unsigned_tx = Transaction::Tendermint(
random_evidence_tx::<N>(
Signer::new(genesis, key.clone()).into(),
TendermintBlock(vec![u8::try_from(i).unwrap()]),
)
.await,
);
blockchain.add_transaction::<N>(true, unsigned_tx.clone(), &validators).unwrap();
mempool.push(unsigned_tx);
let provided_tx =
SignedTx::Provided(Box::new(random_provided_transaction(&mut OsRng, "order1")));
blockchain.provide_transaction(provided_tx.clone()).unwrap();
provided_txs.push(provided_tx);
}
let block = blockchain.build_block::<N>(&validators);
assert_eq!(blockchain.tip(), tip);
assert_eq!(block.header.parent, tip);
// Make sure all transactions were included
assert_eq!(block.transactions.len(), 3 * 128);
for bt in &block.transactions[128 ..] {
assert!(mempool.contains(bt));
}
// check the tx order
let txs = &block.transactions;
for tx in txs.iter().take(128) {
assert!(matches!(tx.kind(), TransactionKind::Provided(..)));
}
for tx in txs.iter().take(128).skip(128) {
assert!(matches!(tx.kind(), TransactionKind::Unsigned));
}
for tx in txs.iter().take(128).skip(256) {
assert!(matches!(tx.kind(), TransactionKind::Signed(..)));
}
// should be a valid block
blockchain.verify_block::<N>(&block, &validators, false).unwrap();
// Unsigned before Provided
{
let mut block = block.clone();
// Doesn't use swap to preserve the order of Provided, as that's checked before kind ordering
let unsigned = block.transactions.remove(128);
block.transactions.insert(0, unsigned);
assert_eq!(
blockchain.verify_block::<N>(&block, &validators, false).unwrap_err(),
BlockError::WrongTransactionOrder
);
}
// Signed before Provided
{
let mut block = block.clone();
let signed = block.transactions.remove(256);
block.transactions.insert(0, signed);
assert_eq!(
blockchain.verify_block::<N>(&block, &validators, false).unwrap_err(),
BlockError::WrongTransactionOrder
);
}
// Signed before Unsigned
{
let mut block = block;
block.transactions.swap(128, 256);
assert_eq!(
blockchain.verify_block::<N>(&block, &validators, false).unwrap_err(),
BlockError::WrongTransactionOrder
);
}
}

199
coordinator/tributary/src/tests/mempool.rs
View File

@@ -1,199 +0,0 @@
use std::{sync::Arc, collections::HashMap};
use zeroize::Zeroizing;
use rand::{RngCore, rngs::OsRng};
use ciphersuite::{group::ff::Field, Ciphersuite, Ristretto};
use tendermint::ext::Commit;
use serai_db::MemDb;
use crate::{
transaction::{TransactionError, Transaction as TransactionTrait},
tendermint::{TendermintBlock, Validators, Signer, TendermintNetwork},
ACCOUNT_MEMPOOL_LIMIT, Transaction, Mempool,
tests::{SignedTransaction, signed_transaction, p2p::DummyP2p, random_evidence_tx},
};
type N = TendermintNetwork<MemDb, SignedTransaction, DummyP2p>;
fn new_mempool<T: TransactionTrait>() -> ([u8; 32], MemDb, Mempool<MemDb, T>) {
let mut genesis = [0; 32];
OsRng.fill_bytes(&mut genesis);
let db = MemDb::new();
(genesis, db.clone(), Mempool::new(db, genesis))
}
#[tokio::test]
async fn mempool_addition() {
let (genesis, db, mut mempool) = new_mempool::<SignedTransaction>();
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let unsigned_in_chain = |_: [u8; 32]| false;
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let first_tx = signed_transaction(&mut OsRng, genesis, &key, 0);
let signer = first_tx.1.signer;
assert_eq!(mempool.next_nonce_in_mempool(&signer, vec![]), None);
// validators
let validators = Arc::new(Validators::new(genesis, vec![(signer, 1)]).unwrap());
// Add TX 0
assert!(mempool
.add::<N, _>(
&|_, _| Some(0),
true,
Transaction::Application(first_tx.clone()),
&validators,
unsigned_in_chain,
commit,
)
.unwrap());
assert_eq!(mempool.next_nonce_in_mempool(&signer, vec![]), Some(1));
// add a tendermint evidence tx
let evidence_tx =
random_evidence_tx::<N>(Signer::new(genesis, key.clone()).into(), TendermintBlock(vec![]))
.await;
assert!(mempool
.add::<N, _>(
&|_, _| None,
true,
Transaction::Tendermint(evidence_tx.clone()),
&validators,
unsigned_in_chain,
commit,
)
.unwrap());
// Test reloading works
assert_eq!(mempool, Mempool::new(db, genesis));
// Adding them again should fail
assert_eq!(
mempool.add::<N, _>(
&|_, _| Some(0),
true,
Transaction::Application(first_tx.clone()),
&validators,
unsigned_in_chain,
commit,
),
Err(TransactionError::InvalidNonce)
);
assert_eq!(
mempool.add::<N, _>(
&|_, _| None,
true,
Transaction::Tendermint(evidence_tx.clone()),
&validators,
unsigned_in_chain,
commit,
),
Ok(false)
);
// Do the same with the next nonce
let second_tx = signed_transaction(&mut OsRng, genesis, &key, 1);
assert_eq!(
mempool.add::<N, _>(
&|_, _| Some(0),
true,
Transaction::Application(second_tx.clone()),
&validators,
unsigned_in_chain,
commit,
),
Ok(true)
);
assert_eq!(mempool.next_nonce_in_mempool(&signer, vec![]), Some(2));
assert_eq!(
mempool.add::<N, _>(
&|_, _| Some(0),
true,
Transaction::Application(second_tx.clone()),
&validators,
unsigned_in_chain,
commit,
),
Err(TransactionError::InvalidNonce)
);
// If the mempool doesn't have a nonce for an account, it should successfully use the
// blockchain's
let second_key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
let tx = signed_transaction(&mut OsRng, genesis, &second_key, 2);
let second_signer = tx.1.signer;
assert_eq!(mempool.next_nonce_in_mempool(&second_signer, vec![]), None);
assert!(mempool
.add::<N, _>(
&|_, _| Some(2),
true,
Transaction::Application(tx.clone()),
&validators,
unsigned_in_chain,
commit
)
.unwrap());
assert_eq!(mempool.next_nonce_in_mempool(&second_signer, vec![]), Some(3));
// Getting a block should work
assert_eq!(mempool.block().len(), 4);
// Removing should successfully prune
mempool.remove(&tx.hash());
assert_eq!(
mempool.txs(),
&HashMap::from([
(first_tx.hash(), Transaction::Application(first_tx)),
(second_tx.hash(), Transaction::Application(second_tx)),
(evidence_tx.hash(), Transaction::Tendermint(evidence_tx))
])
);
}
#[test]
fn too_many_mempool() {
let (genesis, _, mut mempool) = new_mempool::<SignedTransaction>();
let validators = Arc::new(Validators::new(genesis, vec![]).unwrap());
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let unsigned_in_chain = |_: [u8; 32]| false;
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng));
// We should be able to add transactions up to the limit
for i in 0 .. ACCOUNT_MEMPOOL_LIMIT {
assert!(mempool
.add::<N, _>(
&|_, _| Some(0),
false,
Transaction::Application(signed_transaction(&mut OsRng, genesis, &key, i)),
&validators,
unsigned_in_chain,
commit,
)
.unwrap());
}
// Yet adding more should fail
assert_eq!(
mempool.add::<N, _>(
&|_, _| Some(0),
false,
Transaction::Application(signed_transaction(
&mut OsRng,
genesis,
&key,
ACCOUNT_MEMPOOL_LIMIT
)),
&validators,
unsigned_in_chain,
commit,
),
Err(TransactionError::TooManyInMempool)
);
}

34
coordinator/tributary/src/tests/merkle.rs
View File

@@ -1,34 +0,0 @@
use std::collections::HashSet;
use rand::{RngCore, rngs::OsRng};
#[test]
fn merkle() {
let mut used = HashSet::new();
// Test this produces a unique root
let mut test = |hashes: &[[u8; 32]]| {
let hash = crate::merkle(hashes);
assert!(!used.contains(&hash));
used.insert(hash);
};
// Zero should be a special case which return 0
assert_eq!(crate::merkle(&[]), [0; 32]);
test(&[]);
let mut one = [0; 32];
OsRng.fill_bytes(&mut one);
let mut two = [0; 32];
OsRng.fill_bytes(&mut two);
let mut three = [0; 32];
OsRng.fill_bytes(&mut three);
// Make sure it's deterministic
assert_eq!(crate::merkle(&[one]), crate::merkle(&[one]));
// Test a few basic structures
test(&[one]);
test(&[one, two]);
test(&[one, two, three]);
test(&[one, three]);
}

17
coordinator/tributary/src/tests/mod.rs
View File

@@ -1,17 +0,0 @@
#[cfg(test)]
mod tendermint;
mod transaction;
pub use transaction::*;
#[cfg(test)]
mod merkle;
#[cfg(test)]
mod block;
#[cfg(test)]
mod blockchain;
#[cfg(test)]
mod mempool;
#[cfg(test)]
mod p2p;

12
coordinator/tributary/src/tests/p2p.rs
View File

@@ -1,12 +0,0 @@
use core::future::Future;
pub use crate::P2p;
#[derive(Clone, Debug)]
pub struct DummyP2p;
impl P2p for DummyP2p {
fn broadcast(&self, _: [u8; 32], _: Vec<u8>) -> impl Send + Future<Output = ()> {
async move { unimplemented!() }
}
}

30
coordinator/tributary/src/tests/tendermint.rs
View File

@@ -1,30 +0,0 @@
use core::future::Future;
use tendermint::ext::Network;
use crate::{
P2p, TendermintTx,
tendermint::{TARGET_BLOCK_TIME, TendermintNetwork},
};
#[test]
fn assert_target_block_time() {
use serai_db::MemDb;
#[derive(Clone, Debug)]
pub struct DummyP2p;
impl P2p for DummyP2p {
fn broadcast(&self, _: [u8; 32], _: Vec<u8>) -> impl Send + Future<Output = ()> {
async move { unimplemented!() }
}
}
// Type paremeters don't matter here since we only need to call the block_time()
// and it only relies on the constants of the trait implementation. block_time() is in seconds,
// TARGET_BLOCK_TIME is in milliseconds.
assert_eq!(
<TendermintNetwork<MemDb, TendermintTx, DummyP2p> as Network>::block_time(),
TARGET_BLOCK_TIME / 1000
)
}

220
coordinator/tributary/src/tests/transaction/mod.rs
View File

@@ -1,220 +0,0 @@
use core::ops::Deref;
use std::{sync::Arc, io};
use zeroize::Zeroizing;
use rand::{RngCore, CryptoRng, rngs::OsRng};
use blake2::{Digest, Blake2s256};
use ciphersuite::{
group::{ff::Field, Group},
Ciphersuite, Ristretto,
};
use schnorr::SchnorrSignature;
use scale::Encode;
use ::tendermint::{
ext::{Network, Signer as SignerTrait, SignatureScheme, BlockNumber, RoundNumber},
SignedMessageFor, DataFor, Message, SignedMessage, Data, Evidence,
};
use crate::{
transaction::{Signed, TransactionError, TransactionKind, Transaction, verify_transaction},
ReadWrite,
tendermint::{tx::TendermintTx, Validators, Signer},
};
#[cfg(test)]
mod signed;
#[cfg(test)]
mod tendermint;
pub fn random_signed<R: RngCore + CryptoRng>(rng: &mut R) -> Signed {
Signed {
signer: <Ristretto as Ciphersuite>::G::random(&mut *rng),
nonce: u32::try_from(rng.next_u64() >> 32 >> 1).unwrap(),
signature: SchnorrSignature::<Ristretto> {
R: <Ristretto as Ciphersuite>::G::random(&mut *rng),
s: <Ristretto as Ciphersuite>::F::random(rng),
},
}
}
pub fn random_signed_with_nonce<R: RngCore + CryptoRng>(rng: &mut R, nonce: u32) -> Signed {
let mut signed = random_signed(rng);
signed.nonce = nonce;
signed
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct ProvidedTransaction(pub Vec<u8>);
impl ReadWrite for ProvidedTransaction {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut len = [0; 4];
reader.read_exact(&mut len)?;
let mut data = vec![0; usize::try_from(u32::from_le_bytes(len)).unwrap()];
reader.read_exact(&mut data)?;
Ok(ProvidedTransaction(data))
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
writer.write_all(&u32::try_from(self.0.len()).unwrap().to_le_bytes())?;
writer.write_all(&self.0)
}
}
impl Transaction for ProvidedTransaction {
fn kind(&self) -> TransactionKind {
match self.0[0] {
1 => TransactionKind::Provided("order1"),
2 => TransactionKind::Provided("order2"),
_ => panic!("unknown order"),
}
}
fn hash(&self) -> [u8; 32] {
Blake2s256::digest(self.serialize()).into()
}
fn verify(&self) -> Result<(), TransactionError> {
Ok(())
}
}
pub fn random_provided_transaction<R: RngCore + CryptoRng>(
rng: &mut R,
order: &str,
) -> ProvidedTransaction {
let mut data = vec![0; 512];
rng.fill_bytes(&mut data);
data[0] = match order {
"order1" => 1,
"order2" => 2,
_ => panic!("unknown order"),
};
ProvidedTransaction(data)
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct SignedTransaction(pub Vec<u8>, pub Signed);
impl ReadWrite for SignedTransaction {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let mut len = [0; 4];
reader.read_exact(&mut len)?;
let mut data = vec![0; usize::try_from(u32::from_le_bytes(len)).unwrap()];
reader.read_exact(&mut data)?;
Ok(SignedTransaction(data, Signed::read(reader)?))
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
writer.write_all(&u32::try_from(self.0.len()).unwrap().to_le_bytes())?;
writer.write_all(&self.0)?;
self.1.write(writer)
}
}
impl Transaction for SignedTransaction {
fn kind(&self) -> TransactionKind {
TransactionKind::Signed(vec![], self.1.clone())
}
fn hash(&self) -> [u8; 32] {
let serialized = self.serialize();
Blake2s256::digest(&serialized[.. (serialized.len() - 64)]).into()
}
fn verify(&self) -> Result<(), TransactionError> {
Ok(())
}
}
pub fn signed_transaction<R: RngCore + CryptoRng>(
rng: &mut R,
genesis: [u8; 32],
key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
nonce: u32,
) -> SignedTransaction {
let mut data = vec![0; 512];
rng.fill_bytes(&mut data);
let signer = <Ristretto as Ciphersuite>::generator() * **key;
let mut tx =
SignedTransaction(data, Signed { signer, nonce, signature: random_signed(rng).signature });
let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
tx.1.signature.R = Ristretto::generator() * sig_nonce.deref();
tx.1.signature = SchnorrSignature::sign(key, sig_nonce, tx.sig_hash(genesis));
verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).unwrap();
tx
}
pub fn random_signed_transaction<R: RngCore + CryptoRng>(
rng: &mut R,
) -> ([u8; 32], SignedTransaction) {
let mut genesis = [0; 32];
rng.fill_bytes(&mut genesis);
let key = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut *rng));
// Shift over an additional bit to ensure it won't overflow when incremented
let nonce = u32::try_from(rng.next_u64() >> 32 >> 1).unwrap();
(genesis, signed_transaction(rng, genesis, &key, nonce))
}
pub fn new_genesis() -> [u8; 32] {
let mut genesis = [0; 32];
OsRng.fill_bytes(&mut genesis);
genesis
}
pub async fn tendermint_meta() -> ([u8; 32], Signer, [u8; 32], Arc<Validators>) {
// signer
let genesis = new_genesis();
let signer =
Signer::new(genesis, Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng)));
let validator_id = signer.validator_id().await.unwrap();
// schema
let signer_pub =
<Ristretto as Ciphersuite>::read_G::<&[u8]>(&mut validator_id.as_slice()).unwrap();
let validators = Arc::new(Validators::new(genesis, vec![(signer_pub, 1)]).unwrap());
(genesis, signer, validator_id, validators)
}
pub async fn signed_from_data<N: Network>(
signer: <N::SignatureScheme as SignatureScheme>::Signer,
signer_id: N::ValidatorId,
block_number: u64,
round_number: u32,
data: DataFor<N>,
) -> SignedMessageFor<N> {
let msg = Message {
sender: signer_id,
block: BlockNumber(block_number),
round: RoundNumber(round_number),
data,
};
let sig = signer.sign(&msg.encode()).await;
SignedMessage { msg, sig }
}
pub async fn random_evidence_tx<N: Network>(
signer: <N::SignatureScheme as SignatureScheme>::Signer,
b: N::Block,
) -> TendermintTx {
// Creates a TX with an invalid valid round number
// TODO: Use a random failure reason
let data = Data::Proposal(Some(RoundNumber(0)), b);
let signer_id = signer.validator_id().await.unwrap();
let signed = signed_from_data::<N>(signer, signer_id, 0, 0, data).await;
TendermintTx::SlashEvidence(Evidence::InvalidValidRound(signed.encode()))
}

84
coordinator/tributary/src/tests/transaction/signed.rs
View File

@@ -1,84 +0,0 @@
use rand::rngs::OsRng;
use blake2::{Digest, Blake2s256};
use ciphersuite::{group::ff::Field, Ciphersuite, Ristretto};
use crate::{
ReadWrite,
transaction::{Signed, Transaction, verify_transaction},
tests::{random_signed, random_signed_transaction},
};
#[test]
fn serialize_signed() {
let signed = random_signed(&mut rand::rngs::OsRng);
assert_eq!(Signed::read::<&[u8]>(&mut signed.serialize().as_ref()).unwrap(), signed);
}
#[test]
fn sig_hash() {
let (genesis, tx1) = random_signed_transaction(&mut OsRng);
assert!(tx1.sig_hash(genesis) != tx1.sig_hash(Blake2s256::digest(genesis).into()));
let (_, tx2) = random_signed_transaction(&mut OsRng);
assert!(tx1.hash() != tx2.hash());
assert!(tx1.sig_hash(genesis) != tx2.sig_hash(genesis));
}
#[test]
fn signed_transaction() {
let (genesis, tx) = random_signed_transaction(&mut OsRng);
// Mutate various properties and verify it no longer works
// Different genesis
assert!(verify_transaction(&tx, Blake2s256::digest(genesis).into(), &mut |_, _| Some(
tx.1.nonce
))
.is_err());
// Different data
{
let mut tx = tx.clone();
tx.0 = Blake2s256::digest(tx.0).to_vec();
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).is_err());
}
// Different signer
{
let mut tx = tx.clone();
tx.1.signer += Ristretto::generator();
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).is_err());
}
// Different nonce
{
#[allow(clippy::redundant_clone)] // False positive?
let mut tx = tx.clone();
tx.1.nonce = tx.1.nonce.wrapping_add(1);
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).is_err());
}
// Different signature
{
let mut tx = tx.clone();
tx.1.signature.R += Ristretto::generator();
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).is_err());
}
{
let mut tx = tx.clone();
tx.1.signature.s += <Ristretto as Ciphersuite>::F::ONE;
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).is_err());
}
// Sanity check the original TX was never mutated and is valid
verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce)).unwrap();
}
#[test]
fn invalid_nonce() {
let (genesis, tx) = random_signed_transaction(&mut OsRng);
assert!(verify_transaction(&tx, genesis, &mut |_, _| Some(tx.1.nonce.wrapping_add(1)),).is_err());
}

300
coordinator/tributary/src/tests/transaction/tendermint.rs
View File

@@ -1,300 +0,0 @@
use std::sync::Arc;
use zeroize::Zeroizing;
use rand::{RngCore, rngs::OsRng};
use ciphersuite::{Ristretto, Ciphersuite, group::ff::Field};
use scale::Encode;
use tendermint::{
time::CanonicalInstant,
round::RoundData,
Data, commit_msg, Evidence,
ext::{RoundNumber, Commit, Signer as SignerTrait},
};
use serai_db::MemDb;
use crate::{
ReadWrite,
tendermint::{
tx::{TendermintTx, verify_tendermint_tx},
TendermintBlock, Signer, Validators, TendermintNetwork,
},
tests::{
p2p::DummyP2p, SignedTransaction, random_evidence_tx, tendermint_meta, signed_from_data,
},
};
type N = TendermintNetwork<MemDb, SignedTransaction, DummyP2p>;
#[tokio::test]
async fn serialize_tendermint() {
// make a tendermint tx with random evidence
let (_, signer, _, _) = tendermint_meta().await;
let tx = random_evidence_tx::<N>(signer.into(), TendermintBlock(vec![])).await;
let res = TendermintTx::read::<&[u8]>(&mut tx.serialize().as_ref()).unwrap();
assert_eq!(res, tx);
}
#[tokio::test]
async fn invalid_valid_round() {
// signer
let (_, signer, signer_id, validators) = tendermint_meta().await;
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let valid_round_tx = |valid_round| {
let signer = signer.clone();
async move {
let data = Data::Proposal(valid_round, TendermintBlock(vec![]));
let signed = signed_from_data::<N>(signer.clone().into(), signer_id, 0, 0, data).await;
(signed.clone(), TendermintTx::SlashEvidence(Evidence::InvalidValidRound(signed.encode())))
}
};
// This should be invalid evidence if a valid valid round is specified
let (_, tx) = valid_round_tx(None).await;
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
// If an invalid valid round is specified (>= current), this should be invalid evidence
let (mut signed, tx) = valid_round_tx(Some(RoundNumber(0))).await;
// should pass
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap();
// change the signature
let mut random_sig = [0u8; 64];
OsRng.fill_bytes(&mut random_sig);
signed.sig = random_sig;
let tx = TendermintTx::SlashEvidence(Evidence::InvalidValidRound(signed.encode()));
// should fail
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
}
#[tokio::test]
async fn invalid_precommit_signature() {
let (_, signer, signer_id, validators) = tendermint_meta().await;
let commit = |i: u64| -> Option<Commit<Arc<Validators>>> {
assert_eq!(i, 0);
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let precommit = |precommit| {
let signer = signer.clone();
async move {
let signed =
signed_from_data::<N>(signer.clone().into(), signer_id, 1, 0, Data::Precommit(precommit))
.await;
(signed.clone(), TendermintTx::SlashEvidence(Evidence::InvalidPrecommit(signed.encode())))
}
};
// Empty Precommit should fail.
assert!(verify_tendermint_tx::<N>(&precommit(None).await.1, &validators, commit).is_err());
// valid precommit signature should fail.
let block_id = [0x22u8; 32];
let last_end_time =
RoundData::<N>::new(RoundNumber(0), CanonicalInstant::new(commit(0).unwrap().end_time))
.end_time();
let commit_msg = commit_msg(last_end_time.canonical(), block_id.as_ref());
assert!(verify_tendermint_tx::<N>(
&precommit(Some((block_id, signer.clone().sign(&commit_msg).await))).await.1,
&validators,
commit
)
.is_err());
// any other signature can be used as evidence.
{
let (mut signed, tx) = precommit(Some((block_id, signer.sign(&[]).await))).await;
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap();
// So long as we can authenticate where it came from
let mut random_sig = [0u8; 64];
OsRng.fill_bytes(&mut random_sig);
signed.sig = random_sig;
let tx = TendermintTx::SlashEvidence(Evidence::InvalidPrecommit(signed.encode()));
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
}
}
#[tokio::test]
async fn evidence_with_prevote() {
let (_, signer, signer_id, validators) = tendermint_meta().await;
let commit = |_: u64| -> Option<Commit<Arc<Validators>>> {
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
let prevote = |block_id| {
let signer = signer.clone();
async move {
// it should fail for all reasons.
let mut txs = vec![];
txs.push(TendermintTx::SlashEvidence(Evidence::InvalidPrecommit(
signed_from_data::<N>(signer.clone().into(), signer_id, 0, 0, Data::Prevote(block_id))
.await
.encode(),
)));
txs.push(TendermintTx::SlashEvidence(Evidence::InvalidValidRound(
signed_from_data::<N>(signer.clone().into(), signer_id, 0, 0, Data::Prevote(block_id))
.await
.encode(),
)));
// Since these require a second message, provide this one again
// ConflictingMessages can be fired for actually conflicting Prevotes however
txs.push(TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_from_data::<N>(signer.clone().into(), signer_id, 0, 0, Data::Prevote(block_id))
.await
.encode(),
signed_from_data::<N>(signer.clone().into(), signer_id, 0, 0, Data::Prevote(block_id))
.await
.encode(),
)));
txs
}
};
// No prevote message alone should be valid as slash evidence at this time
for prevote in prevote(None).await {
assert!(verify_tendermint_tx::<N>(&prevote, &validators, commit).is_err());
}
for prevote in prevote(Some([0x22u8; 32])).await {
assert!(verify_tendermint_tx::<N>(&prevote, &validators, commit).is_err());
}
}
#[tokio::test]
async fn conflicting_msgs_evidence_tx() {
let (genesis, signer, signer_id, validators) = tendermint_meta().await;
let commit = |i: u64| -> Option<Commit<Arc<Validators>>> {
assert_eq!(i, 0);
Some(Commit::<Arc<Validators>> { end_time: 0, validators: vec![], signature: vec![] })
};
// Block b, round n
let signed_for_b_r = |block, round, data| {
let signer = signer.clone();
async move { signed_from_data::<N>(signer.clone().into(), signer_id, block, round, data).await }
};
// Proposal
{
// non-conflicting data should fail
let signed_1 = signed_for_b_r(0, 0, Data::Proposal(None, TendermintBlock(vec![0x11]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_1.encode(),
));
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
// conflicting data should pass
let signed_2 = signed_for_b_r(0, 0, Data::Proposal(None, TendermintBlock(vec![0x22]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap();
// Except if it has a distinct round number, as we don't check cross-round conflicts
// (except for Precommit)
let signed_2 = signed_for_b_r(0, 1, Data::Proposal(None, TendermintBlock(vec![0x22]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap_err();
// Proposals for different block numbers should also fail as evidence
let signed_2 = signed_for_b_r(1, 0, Data::Proposal(None, TendermintBlock(vec![0x22]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap_err();
}
// Prevote
{
// non-conflicting data should fail
let signed_1 = signed_for_b_r(0, 0, Data::Prevote(Some([0x11; 32]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_1.encode(),
));
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
// conflicting data should pass
let signed_2 = signed_for_b_r(0, 0, Data::Prevote(Some([0x22; 32]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap();
// Except if it has a distinct round number, as we don't check cross-round conflicts
// (except for Precommit)
let signed_2 = signed_for_b_r(0, 1, Data::Prevote(Some([0x22; 32]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap_err();
// Proposals for different block numbers should also fail as evidence
let signed_2 = signed_for_b_r(1, 0, Data::Prevote(Some([0x22; 32]))).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
verify_tendermint_tx::<N>(&tx, &validators, commit).unwrap_err();
}
// msgs from different senders should fail
{
let signed_1 = signed_for_b_r(0, 0, Data::Proposal(None, TendermintBlock(vec![0x11]))).await;
let signer_2 =
Signer::new(genesis, Zeroizing::new(<Ristretto as Ciphersuite>::F::random(&mut OsRng)));
let signed_id_2 = signer_2.validator_id().await.unwrap();
let signed_2 = signed_from_data::<N>(
signer_2.into(),
signed_id_2,
0,
0,
Data::Proposal(None, TendermintBlock(vec![0x22])),
)
.await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
// update schema so that we don't fail due to invalid signature
let signer_pub =
<Ristretto as Ciphersuite>::read_G::<&[u8]>(&mut signer_id.as_slice()).unwrap();
let signer_pub_2 =
<Ristretto as Ciphersuite>::read_G::<&[u8]>(&mut signed_id_2.as_slice()).unwrap();
let validators =
Arc::new(Validators::new(genesis, vec![(signer_pub, 1), (signer_pub_2, 1)]).unwrap());
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
}
// msgs with different steps should fail
{
let signed_1 = signed_for_b_r(0, 0, Data::Proposal(None, TendermintBlock(vec![]))).await;
let signed_2 = signed_for_b_r(0, 0, Data::Prevote(None)).await;
let tx = TendermintTx::SlashEvidence(Evidence::ConflictingMessages(
signed_1.encode(),
signed_2.encode(),
));
assert!(verify_tendermint_tx::<N>(&tx, &validators, commit).is_err());
}
}

481
coordinator/tributary/src/transaction.rs
View File

@@ -1,218 +1,353 @@
use core::fmt::Debug;
use core::{ops::Deref, fmt::Debug};
use std::io;
use zeroize::Zeroize;
use thiserror::Error;
use blake2::{Digest, Blake2b512};
use zeroize::Zeroizing;
use rand_core::{RngCore, CryptoRng};
use blake2::{digest::typenum::U32, Digest, Blake2b};
use ciphersuite::{
group::{Group, GroupEncoding},
group::{ff::Field, GroupEncoding},
Ciphersuite, Ristretto,
};
use schnorr::SchnorrSignature;
use crate::{TRANSACTION_SIZE_LIMIT, ReadWrite};
use scale::Encode;
use borsh::{BorshSerialize, BorshDeserialize};
#[derive(Clone, PartialEq, Eq, Debug, Error)]
pub enum TransactionError {
/// Transaction exceeded the size limit.
#[error("transaction is too large")]
TooLargeTransaction,
/// Transaction's signer isn't a participant.
#[error("invalid signer")]
InvalidSigner,
/// Transaction's nonce isn't the prior nonce plus one.
#[error("invalid nonce")]
InvalidNonce,
/// Transaction's signature is invalid.
#[error("invalid signature")]
InvalidSignature,
/// Transaction's content is invalid.
#[error("transaction content is invalid")]
InvalidContent,
/// Transaction's signer has too many transactions in the mempool.
#[error("signer has too many transactions in the mempool")]
TooManyInMempool,
/// Provided Transaction added to mempool.
#[error("provided transaction added to mempool")]
ProvidedAddedToMempool,
use serai_client::{primitives::SeraiAddress, validator_sets::primitives::MAX_KEY_SHARES_PER_SET};
use messages::sign::VariantSignId;
use tributary_sdk::{
ReadWrite,
transaction::{
Signed as TributarySigned, TransactionError, TransactionKind, Transaction as TransactionTrait,
},
};
/// The round this data is for, within a signing protocol.
#[derive(Clone, Copy, PartialEq, Eq, Debug, Encode, BorshSerialize, BorshDeserialize)]
pub enum SigningProtocolRound {
/// A preprocess.
Preprocess,
/// A signature share.
Share,
}
/// Data for a signed transaction.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct Signed {
pub signer: <Ristretto as Ciphersuite>::G,
pub nonce: u32,
pub signature: SchnorrSignature<Ristretto>,
}
impl ReadWrite for Signed {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
let signer = Ristretto::read_G(reader)?;
let mut nonce = [0; 4];
reader.read_exact(&mut nonce)?;
let nonce = u32::from_le_bytes(nonce);
if nonce >= (u32::MAX - 1) {
Err(io::Error::other("nonce exceeded limit"))?;
impl SigningProtocolRound {
fn nonce(&self) -> u32 {
match self {
SigningProtocolRound::Preprocess => 0,
SigningProtocolRound::Share => 1,
}
let mut signature = SchnorrSignature::<Ristretto>::read(reader)?;
if signature.R.is_identity().into() {
// Anyone malicious could remove this and try to find zero signatures
// We should never produce zero signatures though meaning this should never come up
// If it does somehow come up, this is a decent courtesy
signature.zeroize();
Err(io::Error::other("signature nonce was identity"))?;
}
Ok(Signed { signer, nonce, signature })
}
}
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
// This is either an invalid signature or a private key leak
if self.signature.R.is_identity().into() {
Err(io::Error::other("signature nonce was identity"))?;
}
writer.write_all(&self.signer.to_bytes())?;
writer.write_all(&self.nonce.to_le_bytes())?;
/// `tributary::Signed` but without the nonce.
///
/// All of our nonces are deterministic to the type of transaction and fields within.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Signed {
/// The signer.
signer: <Ristretto as Ciphersuite>::G,
/// The signature.
signature: SchnorrSignature<Ristretto>,
}
impl BorshSerialize for Signed {
fn serialize<W: io::Write>(&self, writer: &mut W) -> Result<(), io::Error> {
writer.write_all(self.signer.to_bytes().as_ref())?;
self.signature.write(writer)
}
}
impl BorshDeserialize for Signed {
fn deserialize_reader<R: io::Read>(reader: &mut R) -> Result<Self, io::Error> {
let signer = Ristretto::read_G(reader)?;
let signature = SchnorrSignature::read(reader)?;
Ok(Self { signer, signature })
}
}
impl Signed {
pub fn read_without_nonce<R: io::Read>(reader: &mut R, nonce: u32) -> io::Result<Self> {
let signer = Ristretto::read_G(reader)?;
let mut signature = SchnorrSignature::<Ristretto>::read(reader)?;
if signature.R.is_identity().into() {
// Anyone malicious could remove this and try to find zero signatures
// We should never produce zero signatures though meaning this should never come up
// If it does somehow come up, this is a decent courtesy
signature.zeroize();
Err(io::Error::other("signature nonce was identity"))?;
}
Ok(Signed { signer, nonce, signature })
/// Fetch the signer.
pub(crate) fn signer(&self) -> <Ristretto as Ciphersuite>::G {
self.signer
}
pub fn write_without_nonce<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
// This is either an invalid signature or a private key leak
if self.signature.R.is_identity().into() {
Err(io::Error::other("signature nonce was identity"))?;
}
writer.write_all(&self.signer.to_bytes())?;
self.signature.write(writer)
/// Provide a nonce to convert a `Signed` into a `tributary::Signed`.
fn to_tributary_signed(self, nonce: u32) -> TributarySigned {
TributarySigned { signer: self.signer, nonce, signature: self.signature }
}
}
#[allow(clippy::large_enum_variant)]
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum TransactionKind {
/// This transaction should be provided by every validator, in an exact order.
///
/// The contained static string names the orderer to use. This allows two distinct provided
/// transaction kinds, without a synchronized order, to be ordered within their own kind without
/// requiring ordering with each other.
///
/// The only malleability is in when this transaction appears on chain. The block producer will
/// include it when they have it. Block verification will fail for validators without it.
///
/// If a supermajority of validators produce a commit for a block with a provided transaction
/// which isn't locally held, the block will be added to the local chain. When the transaction is
/// locally provided, it will be compared for correctness to the on-chain version
///
/// In order to ensure TXs aren't accidentally provided multiple times, all provided transactions
/// must have a unique hash which is also unique to all Unsigned transactions.
Provided(&'static str),
/// The Tributary transaction definition used by Serai
#[derive(Clone, PartialEq, Eq, Debug, BorshSerialize, BorshDeserialize)]
pub enum Transaction {
/// A vote to remove a participant for invalid behavior
RemoveParticipant {
/// The participant to remove
participant: SeraiAddress,
/// The transaction's signer and signature
signed: Signed,
},
/// An unsigned transaction, only able to be included by the block producer.
///
/// Once an Unsigned transaction is included on-chain, it may not be included again. In order to
/// have multiple Unsigned transactions with the same values included on-chain, some distinct
/// nonce must be included in order to cause a distinct hash.
///
/// The hash must also be unique with all Provided transactions.
Unsigned,
/// A participation in the DKG
DkgParticipation {
/// The serialized participation
participation: Vec<u8>,
/// The transaction's signer and signature
signed: Signed,
},
/// The preprocess to confirm the DKG results on-chain
DkgConfirmationPreprocess {
/// The attempt number of this signing protocol
attempt: u32,
/// The preprocess
preprocess: [u8; 64],
/// The transaction's signer and signature
signed: Signed,
},
/// The signature share to confirm the DKG results on-chain
DkgConfirmationShare {
/// The attempt number of this signing protocol
attempt: u32,
/// The signature share
share: [u8; 32],
/// The transaction's signer and signature
signed: Signed,
},
/// A signed transaction.
Signed(Vec<u8>, Signed),
/// Intend to cosign a finalized Substrate block
///
/// When the time comes to start a new cosigning protocol, the most recent Substrate block will
/// be the one selected to be cosigned.
Cosign {
/// The hash of the Substrate block to cosign
substrate_block_hash: [u8; 32],
},
/// Note an intended-to-be-cosigned Substrate block as cosigned
///
/// After producing this cosign, we need to start work on the latest intended-to-be cosigned
/// block. That requires agreement on when this cosign was produced, which we solve by noting
/// this cosign on-chain.
///
/// We ideally don't have this transaction at all. The coordinator, without access to any of the
/// key shares, could observe the FROST signing session and determine a successful completion.
/// Unfortunately, that functionality is not present in modular-frost, so we do need to support
/// *some* asynchronous flow (where the processor or P2P network informs us of the successful
/// completion).
///
/// If we use a `Provided` transaction, that requires everyone observe this cosign.
///
/// If we use an `Unsigned` transaction, we can't verify the cosign signature inside
/// `Transaction::verify` unless we embedded the full `SignedCosign` on-chain. The issue is since
/// a Tributary is stateless with regards to the on-chain logic, including `Transaction::verify`,
/// we can't verify the signature against the group's public key unless we also include that (but
/// then we open a DoS where arbitrary group keys are specified to cause inclusion of arbitrary
/// blobs on chain).
///
/// If we use a `Signed` transaction, we mitigate the DoS risk by having someone to fatally
/// slash. We have horrible performance though as for 100 validators, all 100 will publish this
/// transaction.
///
/// We could use a signed `Unsigned` transaction, where it includes a signer and signature but
/// isn't technically a Signed transaction. This lets us de-duplicate the transaction premised on
/// its contents.
///
/// The optimal choice is likely to use a `Provided` transaction. We don't actually need to
/// observe the produced cosign (which is ephemeral). As long as it's agreed the cosign in
/// question no longer needs to produced, which would mean the cosigning protocol at-large
/// cosigning the block in question, it'd be safe to provide this and move on to the next cosign.
Cosigned {
/// The hash of the Substrate block which was cosigned
substrate_block_hash: [u8; 32],
},
/// Acknowledge a Substrate block
///
/// This is provided after the block has been cosigned.
///
/// With the acknowledgement of a Substrate block, we can whitelist all the `VariantSignId`s
/// resulting from its handling.
SubstrateBlock {
/// The hash of the Substrate block
hash: [u8; 32],
},
/// Acknowledge a Batch
///
/// Once everyone has acknowledged the Batch, we can begin signing it.
Batch {
/// The hash of the Batch's serialization.
///
/// Generally, we refer to a Batch by its ID/the hash of its instructions. Here, we want to
/// ensure consensus on the Batch, and achieving consensus on its hash is the most effective
/// way to do that.
hash: [u8; 32],
},
/// Data from a signing protocol.
Sign {
/// The ID of the object being signed
id: VariantSignId,
/// The attempt number of this signing protocol
attempt: u32,
/// The round this data is for, within the signing protocol
round: SigningProtocolRound,
/// The data itself
///
/// There will be `n` blobs of data where `n` is the amount of key shares the validator sending
/// this transaction has.
data: Vec<Vec<u8>>,
/// The transaction's signer and signature
signed: Signed,
},
/// The local view of slashes observed by the transaction's sender
SlashReport {
/// The slash points accrued by each validator
slash_points: Vec<u32>,
/// The transaction's signer and signature
signed: Signed,
},
}
// TODO: Should this be renamed TransactionTrait now that a literal Transaction exists?
// Or should the literal Transaction be renamed to Event?
pub trait Transaction: 'static + Send + Sync + Clone + Eq + Debug + ReadWrite {
/// Return what type of transaction this is.
fn kind(&self) -> TransactionKind;
impl ReadWrite for Transaction {
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
borsh::from_reader(reader)
}
/// Return the hash of this transaction.
///
/// The hash must NOT commit to the signature.
fn hash(&self) -> [u8; 32];
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
borsh::to_writer(writer, self)
}
}
/// Perform transaction-specific verification.
fn verify(&self) -> Result<(), TransactionError>;
impl TransactionTrait for Transaction {
fn kind(&self) -> TransactionKind {
match self {
Transaction::RemoveParticipant { participant, signed } => TransactionKind::Signed(
(b"RemoveParticipant", participant).encode(),
signed.to_tributary_signed(0),
),
/// Obtain the challenge for this transaction's signature.
///
/// Do not override this unless you know what you're doing.
///
/// Panics if called on non-signed transactions.
fn sig_hash(&self, genesis: [u8; 32]) -> <Ristretto as Ciphersuite>::F {
match self.kind() {
TransactionKind::Signed(order, Signed { signature, .. }) => {
<Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(
&Blake2b512::digest(
[
b"Tributary Signed Transaction",
genesis.as_ref(),
&self.hash(),
order.as_ref(),
signature.R.to_bytes().as_ref(),
]
.concat(),
)
.into(),
)
Transaction::DkgParticipation { signed, .. } => {
TransactionKind::Signed(b"DkgParticipation".encode(), signed.to_tributary_signed(0))
}
Transaction::DkgConfirmationPreprocess { attempt, signed, .. } => TransactionKind::Signed(
(b"DkgConfirmation", attempt).encode(),
signed.to_tributary_signed(0),
),
Transaction::DkgConfirmationShare { attempt, signed, .. } => TransactionKind::Signed(
(b"DkgConfirmation", attempt).encode(),
signed.to_tributary_signed(1),
),
Transaction::Cosign { .. } => TransactionKind::Provided("Cosign"),
Transaction::Cosigned { .. } => TransactionKind::Provided("Cosigned"),
// TODO: Provide this
Transaction::SubstrateBlock { .. } => TransactionKind::Provided("SubstrateBlock"),
// TODO: Provide this
Transaction::Batch { .. } => TransactionKind::Provided("Batch"),
Transaction::Sign { id, attempt, round, signed, .. } => TransactionKind::Signed(
(b"Sign", id, attempt).encode(),
signed.to_tributary_signed(round.nonce()),
),
Transaction::SlashReport { signed, .. } => {
TransactionKind::Signed(b"SlashReport".encode(), signed.to_tributary_signed(0))
}
_ => panic!("sig_hash called on non-signed transaction"),
}
}
}
pub trait GAIN: FnMut(&<Ristretto as Ciphersuite>::G, &[u8]) -> Option<u32> {}
impl<F: FnMut(&<Ristretto as Ciphersuite>::G, &[u8]) -> Option<u32>> GAIN for F {}
pub(crate) fn verify_transaction<F: GAIN, T: Transaction>(
tx: &T,
genesis: [u8; 32],
get_and_increment_nonce: &mut F,
) -> Result<(), TransactionError> {
if tx.serialize().len() > TRANSACTION_SIZE_LIMIT {
Err(TransactionError::TooLargeTransaction)?;
fn hash(&self) -> [u8; 32] {
let mut tx = ReadWrite::serialize(self);
if let TransactionKind::Signed(_, signed) = self.kind() {
// Make sure the part we're cutting off is the signature
assert_eq!(tx.drain((tx.len() - 64) ..).collect::<Vec<_>>(), signed.signature.serialize());
}
Blake2b::<U32>::digest(&tx).into()
}
tx.verify()?;
// This is a stateless verification which we use to enforce some size limits.
fn verify(&self) -> Result<(), TransactionError> {
#[allow(clippy::match_same_arms)]
match self {
// Fixed-length TX
Transaction::RemoveParticipant { .. } => {}
match tx.kind() {
TransactionKind::Provided(_) | TransactionKind::Unsigned => {}
TransactionKind::Signed(order, Signed { signer, nonce, signature }) => {
if let Some(next_nonce) = get_and_increment_nonce(&signer, &order) {
if nonce != next_nonce {
Err(TransactionError::InvalidNonce)?;
// TODO: MAX_DKG_PARTICIPATION_LEN
Transaction::DkgParticipation { .. } => {}
// These are fixed-length TXs
Transaction::DkgConfirmationPreprocess { .. } | Transaction::DkgConfirmationShare { .. } => {}
// Provided TXs
Transaction::Cosign { .. } |
Transaction::Cosigned { .. } |
Transaction::SubstrateBlock { .. } |
Transaction::Batch { .. } => {}
Transaction::Sign { data, .. } => {
if data.len() > usize::try_from(MAX_KEY_SHARES_PER_SET).unwrap() {
Err(TransactionError::InvalidContent)?
}
} else {
// Not a participant
Err(TransactionError::InvalidSigner)?;
// TODO: MAX_SIGN_LEN
}
// TODO: Use a batch verification here
if !signature.verify(signer, tx.sig_hash(genesis)) {
Err(TransactionError::InvalidSignature)?;
Transaction::SlashReport { slash_points, .. } => {
if slash_points.len() > usize::try_from(MAX_KEY_SHARES_PER_SET).unwrap() {
Err(TransactionError::InvalidContent)?
}
}
};
Ok(())
}
}
impl Transaction {
/// Sign a transaction.
///
/// Panics if signing a transaction whose type isn't `TransactionKind::Signed`.
pub fn sign<R: RngCore + CryptoRng>(
&mut self,
rng: &mut R,
genesis: [u8; 32],
key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
) {
fn signed(tx: &mut Transaction) -> &mut Signed {
#[allow(clippy::match_same_arms)] // This doesn't make semantic sense here
match tx {
Transaction::RemoveParticipant { ref mut signed, .. } |
Transaction::DkgParticipation { ref mut signed, .. } |
Transaction::DkgConfirmationPreprocess { ref mut signed, .. } => signed,
Transaction::DkgConfirmationShare { ref mut signed, .. } => signed,
Transaction::Cosign { .. } => panic!("signing CosignSubstrateBlock"),
Transaction::Cosigned { .. } => panic!("signing Cosigned"),
Transaction::SubstrateBlock { .. } => panic!("signing SubstrateBlock"),
Transaction::Batch { .. } => panic!("signing Batch"),
Transaction::Sign { ref mut signed, .. } => signed,
Transaction::SlashReport { ref mut signed, .. } => signed,
}
}
}
Ok(())
// Decide the nonce to sign with
let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
{
// Set the signer and the nonce
let signed = signed(self);
signed.signer = Ristretto::generator() * key.deref();
signed.signature.R = <Ristretto as Ciphersuite>::generator() * sig_nonce.deref();
}
// Get the signature hash (which now includes `R || A` making it valid as the challenge)
let sig_hash = self.sig_hash(genesis);
// Sign the signature
signed(self).signature = SchnorrSignature::<Ristretto>::sign(key, sig_nonce, sig_hash);
}
}