fix: merge security-audit-fixes audit fixes into main #269
Merged
* add: timeouts to server
* refactor: harden health to accept only get req
(cherry picked from commit 6f961a6)
… to the signer (cherry picked from commit 9c1d920)
…an Aggregation
* feat: added min val required as 2 for first chain oracle vote
* tests: updated tests for chain meta first vote changes
* feat: updated min validator votes required for first chain meta value to 3 instead of 2
(cherry picked from commit 8848c0a)
(cherry picked from commit b890c7f)
* feat: remove default admin addresses from modules
* feat: added modules admin in testnet genesis creation script
* tests: added default admin integration tests
* tests: added default admin integration tests
* fix: fixed interchain gh workflow e2e tests
* fix: fixed interchain gh workflow e2e tests
* fix: fixed interchain gh workflow e2e tests
(cherry picked from commit 2003414)
(cherry picked from commit 7be2938)
…r ASCII hex, not the raw message (cherry picked from commit 5659657)
… block height expiry (cherry picked from commit 3948c36)
… ID collides when a single source tx contains multiple Inbounds (cherry picked from commit e46574f)
…m and can deadlock finalization (#259)
* feat: narrowed eligible voters to only return the validators that are bonded
* feat: added automatic staking hooks to handle bonding/unbonding of UVs
* feat: added MsgRecomputeBallotQuorum for adjusting a ballot quorum and MsgRevertStuckInbound for reverting a stuck inbound when its ballot has been expired as an escape hatch
(cherry picked from commit 38fbf73)
#219)
* feat: added proto changes for pendingInbounds and expiredInbounds
* refactor: added generated protobuf
* feat: added ballot hooks and updated changes for pendingInbounds and pendingOutbounds
* tests: added integration tests for pendingInbounds proto changes
* docs: added pendingInbounds and pendingOutbounds lifecycle in README
* test: assert signing_deadline + variants coexist on PendingOutboundEntry

Guards the F-2026-16642 <- audit-fixes merge resolution where both branches claimed proto field 4 on PendingOutboundEntry. signing_deadline kept field 4 (deployed on testnet); the per-variant audit trail moved to field 5. This test seeds an entry with a signing deadline, records outbound votes, and asserts both fields survive the RecordOutboundVote read-modify-write.
(cherry picked from commit cbb9cf4)
* feat(utils): per-namespace canonicalization helpers for keys

Shared canonical string forms for ballot/storage keys, keyed by CAIP-2 namespace: eip155 addresses -> EIP-55, eip155 hashes -> 0x-lowercase, solana -> base58 preserved (case-significant) / hex lowercased, other -> trimmed. Strict variants reject malformed input; lenient variants fall back to trimmed input on the vote-ingress path that must never drop a vote. Foundation for the ballot-key and token-key canonicalization fixes.

* fix(uregistry): canonicalize token addresses in storage keys [F-2026-17022]

GetTokenConfigsStorageKey canonicalizes the address per CAIP-2 namespace (EIP-55 for eip155), making the storage key the single canonical chokepoint for add/update/remove/get. The PRC20 reverse index moves from lowercase to EIP-55 and GetTokenConfigByPRC20 canonicalizes its query identically. TokenConfig/NativeRepresentation ValidateBasic enforce parseable addresses, so case-variant duplicate registrations collide on the canonical key and are rejected.

* fix(utss): canonicalize fund-migration txHash before ballot key [F-2026-17041]

VoteFundMigration canonicalizes the observed txHash against the migration's chain namespace before deriving the ballot key, so equivalent hash encodings from different validators aggregate on one ballot instead of fragmenting. Adds MsgVoteFundMigration.ValidateBasic.

* fix(uexecutor): canonical voting digests for inbound/outbound ballots [F-2026-16039, F-2026-16632]

Replace full-proto-Marshal ballot identity with explicit injective digests (hashFields: sha256 over per-field sha256 hex digests joined by ':'), domain-separated via collections prefixes so inbound vs outbound keys stay disjoint in the shared Ballots map. The inbound digest covers every execution-relevant field except universal_payload (recomputed on-chain from raw_payload); the outbound digest covers all observation fields.

Inbound fields are canonicalized at vote / admin-revert ingress and the key functions self-canonicalize, so stored state, UTX keys and registry lookups all converge on one representation per logical event. Because the digests are one-way, the ballot terminal hook now locates the audit-trail entry by scanning PendingInbounds for the ballot id instead of decoding the inbound back out of the id. Existing test assertions updated for the canonical (EIP-55 / lowercase-hash) stored forms.

* feat(uexecutor): InboundKeys and OutboundBallotKey queries

Let off-chain validators read the canonical UTX id + ballot ids from the chain rather than re-implementing the canonicalization/digest rules. InboundKeys(inbound) returns utx_id, ballot_id and the canonical inbound; OutboundBallotKey(utx_id, outbound_id, observed_tx) looks up the outbound's destination chain to canonicalize the observed hash, then returns the ballot id and canonical observation. Includes generated proto.
(cherry picked from commit 93de525)
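Added example, not code from push-chain-node: a Python sketch of two ideas in the commit above, the strict/lenient 0x-lowercase canonicalization of eip155 tx hashes and the ':'-joined per-field sha256 digest, with a naive concatenation digest alongside to show the collision the per-field hashing prevents. The 32-byte hash length, the `outbound:` prefix standing in for the collections prefix, and all sample values are assumptions; EIP-55 address checksumming is left out.

```python
"""Constructed example: canonical hash keys and an injective per-field digest."""
import hashlib
import re

# Assumption: observed tx hashes are 32 bytes written as 0x-prefixed hex.
_HEX32 = re.compile(r"^0x[0-9a-fA-F]{64}$")


def canonical_hash_strict(raw: str) -> str:
    """eip155 hash form: '0x' + lowercase hex; reject anything else."""
    s = raw.strip()
    if not s.startswith("0x"):
        s = "0x" + s  # assumption: tolerate a missing prefix on valid hex
    if not _HEX32.match(s):
        raise ValueError(f"malformed tx hash: {raw!r}")
    return s.lower()


def canonical_hash_lenient(raw: str) -> str:
    """Vote-ingress variant: never drop a vote, fall back to trimmed input."""
    try:
        return canonical_hash_strict(raw)
    except ValueError:
        return raw.strip()


def hash_fields(*fields: str) -> str:
    """sha256 over the ':'-joined per-field sha256 hex digests.

    Each field is hashed first, so a ':' inside a field can never shift
    bytes into its neighbour; the field boundaries are fixed by construction.
    """
    parts = [hashlib.sha256(f.encode()).hexdigest() for f in fields]
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def naive_join_digest(*fields: str) -> str:
    """The non-injective alternative: join raw fields and hash once."""
    return hashlib.sha256(":".join(fields).encode()).hexdigest()


def outbound_ballot_id(chain_id: str, utx_id: str, observed_tx: str) -> str:
    """Stand-in ballot key: canonical observed hash, then a domain prefix
    (assumed 'outbound:') so inbound and outbound ids can never collide."""
    digest = hash_fields(chain_id, utx_id, canonical_hash_lenient(observed_tx))
    return "outbound:" + digest
```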
F-16996's fix was deleting the buggy v2 migrate.go, which is correct for the fresh-genesis mainnet branch. On testnet the v2 migration already executed (module is at consensus v2) and must stay registered so new nodes replaying from genesis reach the same state. The placeholder-identity bug is a separate forward-remediation decision, out of scope for this upgrade port.
- implement RebuildPRC20Index (M2 migration helper; test existed, impl didn't)
- genesis_internal_test: statedb.Account.Balance is *uint256.Int on evm v1.0 (was *big.Int on v0.2.1); system-contract count 46->47 to match final audit-fixes (0xCA auto-reserved after legacy usigverifier removal)
- utss v4 migrate_test stub: UpdateValidatorStatus gained TransitionReason param from F-16991
- go.mod/go.sum: go mod tidy (base58 for canonicalization)
New gov software-upgrade 'security-audit-fixes' appended to the Upgrades slice (main's existing handlers untouched). RunMigrations drives two state migrations:
- uexecutor v6 -> v7: PendingInbounds KeySet -> variant-aware Map reshape at prefix 2 (F-2026-16642). Legacy bare keys rewritten as PendingInboundEntry.
- uregistry v3 -> v4: re-key TokenConfigs under canonical (EIP-55) keys and backfill the PRC20 reverse index (F-2026-17022).
utss/uvalidator changes are additive (TransitionReason defaults, new msgs) so their consensus versions are unchanged. Staking-hook wiring for F-16991 came in via app/app.go with that commit. Reserved system-contract deploy (F-17025, 41 slots) intentionally deferred to fresh-genesis/mainnet.
v1.0 CallEVM added a gasCap *big.Int param after commit; the ported balanceOf assertion used the v0.2.1 arg order.
* remove: initial config log
* fix: remove logging rpc url in pushcore
* refactor: pushsigner logger
* refactor: core logs, remove unnecessary info logs
* fix: common chain logs
* fix: push client logs
* fix: chains log refactor
* fix: tss logs
(cherry picked from commit a00e7d6)
* add: MaxFrameSize to p2p network
* refactor: move coordinator check up so malicious peer req are rejected sooner
* chore: fix tc
(cherry picked from commit 9524142)
… chain client is not attached (cherry picked from commit 634e234)
…ecution success
* add: evm event confirmation check receipt status
* add: svm tx confirmation check err status
* chore: tc
(cherry picked from commit ed82cbe)
…RPC fails
* add: cache with staleness
* chore: tc
(cherry picked from commit 7d748bd)
…st retry storm after peer already migrated funds
* F-2026-16962 | fund migration vote races on balance re-query

Brings PR #209 (pushchain/push-chain-node) onto audit-fixes for audit review. The migration sweep amount is computed at signing time from the old vault's balance, but the broadcast path was re-querying the balance — racing with another validator's successful sweep would produce a different sweep amount and a different signed tx hash.
- UnsignedSigningReq: add TSSFundMigrationAmount carried alongside Nonce from signing to broadcast (both are signing-time-decided values that must reach broadcast unchanged)
- EVM tx_builder: store maxTransfer in the signing request; broadcast reuses it verbatim instead of recomputing
- sessionmanager: persist and forward TSSFundMigrationAmount through the signing session
- txbroadcaster: pass the stored amount to the broadcast call
* add: tc
(cherry picked from commit 58ed01b)
…Tx not found” as reverted
* feat: added tss signing deadline in chainConfig and pendingOutboundEntry
* tests: added tests for deadline changes
* feat: added signingDeadline in OutboundCreated event
* fix: parse signatureDeadline
* fix: tx builder tss msg creation
* add: check for queryTime
* fix: add deadline check in broadcast
* fix: handle deadline = 0, legacy tx
* fix: svm revert logic
* fix: tc
* fix: simulation tc
* fix: evm revert logic when tx is not found
* fix: log binding
* remove unused fn
* chore: tc
* fix: nonce handling + refactor
---------
Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
(cherry picked from commit 78a44a4)
(cherry picked from commit dbf6772)
* refactor: return last error
* remove: best effort approach
* fix: tx builder
* feat: add rent reclaimer for orphan pdas
* revert: rpc fn
* fix: lazy handling in tx builder
* fix: add temp retries approach in svm
* skip svm chains in coordinator to prevent slowness from svm retries
* fix: orphan pda closure
* fix: txBuilder ref finalize account write status
* fix: tc
* fix: storeRefundRecipient
(cherry picked from commit 2882a17)
…tuck due to architecture (failure visibility limited to signer set)
* feat: added tss signing deadline in chainConfig and pendingOutboundEntry
* tests: added tests for deadline changes
* feat: added signingDeadline in OutboundCreated event
* fix: parse signatureDeadline
* fix: tx builder tss msg creation
* add: check for queryTime
* fix: add deadline check in broadcast
* fix: handle deadline = 0, legacy tx
* fix: svm revert logic
* fix: tc
* fix: simulation tc
* fix: evm revert logic when tx is not found
* fix: log binding
* remove unused fn
* chore: tc
* fix: nonce handling + refactor
* route internal messages via sessionManager
* fix: log level
* remove: deprecated doc
* chore: fix formatting
* fix: allow balance to be added to query for verification and avoiding query
* feat: add ack with sig & coordinator verification
* fix: msgHandler validation
* fix: add broadcasting and handling to increase set
* minor error logs + tc
* persist signature
* mark found tx as broadcasted
---------
Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
(cherry picked from commit 83a0528)
…EVERT based on push chain state, not observed chain state and can result into false voting
* feat: added tss signing deadline in chainConfig and pendingOutboundEntry
* tests: added tests for deadline changes
* feat: added signingDeadline in OutboundCreated event
* fix: parse signatureDeadline
* fix: tx builder tss msg creation
* add: check for queryTime
* fix: add deadline check in broadcast
* fix: handle deadline = 0, legacy tx
* fix: svm revert logic
* fix: tc
* fix: simulation tc
* fix: evm revert logic when tx is not found
* fix: log binding
* remove unused fn
* chore: tc
* fix: nonce handling + refactor
* route internal messages via sessionManager
* fix: log level
* remove: deprecated doc
* chore: fix formatting
* fix: allow balance to be added to query for verification and avoiding query
* feat: add ack with sig & coordinator verification
* fix: msgHandler validation
* fix: add broadcasting and handling to increase set
* minor error logs + tc
* change to hard delete
* fix: attach eventCleaners to external chains
* removed artificial expiry and fixed sweeper
* fix: event cleaner closing
* fix: tc
---------
Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
(cherry picked from commit 65b529a)
…tuck due to architecture (failure visibility limited to signer set)
* fix: inprogress settlement
* fix: solana tx resolving
(cherry picked from commit 1fa5a61)
…e endpoint under concurrent load (cherry picked from commit 4706e90)
fix: port remaining audit-fixes commits onto security-audit-fixes
Makes the Push-origin UTX id robust by contract (mirrors GetInboundUniversalTxKey, normalizes case/0x); no behavior change for real EVM receipt hashes. Adds Pc UTX key tests.
…esis (evm v0.5 coin-info)
Promotes the accumulated audit fixes on security-audit-fixes to main, including the 14 commits just merged via #268.

Heads-up for the merge: main is ahead of security-audit-fixes on the evm dependency (pushchain/evm …20260616 vs …20260604) and has 1 commit security-audit-fixes lacks. Expect a go.mod resolution at merge — keep main's newer evm pin.