test(outbox): add tampered size outbox proof test

Ryan Tan · Ryan Tan · commit 502cfd5d98eb · 2026-03-25T16:57:16.000Z
diff --git a/pvm/tests/test_outbox_proofs.rs b/pvm/tests/test_outbox_proofs.rs
@@ -173,16 +173,40 @@ fn test_tampered_zero_sized_message(inputs: &TestConfig) {
     assert!(verify_outbox_proof(&tampered_outbox_proof).is_ok());
 }
 
+fn test_tampered_size(inputs: &TestConfig) {
+    let make_stepper = make_stepper_factory::<M64M>(inputs, Some(ROLLUP_ADDRESS));
+    let mut stepper = make_stepper();
+    let _result = stepper.step_max(Bound::Unbounded);
+    let level = stepper.level().unwrap();
+    let outbox_proof = stepper
+        .produce_outbox_proof(OutputInfo { level, index: 0 })
+        .expect("Outbox proof should be valid");
+
+    let proof_bytes = OutboxProof::serialise(&outbox_proof);
+    let message_size = 4096;
+    let message_pos = find_message_pos(message_size, proof_bytes.as_slice());
+    let len_pos = message_pos - 8;
+
+    let mut zero_sized = proof_bytes.clone();
+    zero_sized[len_pos..len_pos + 8].copy_from_slice(&0usize.to_le_bytes());
+    OutboxProof::deserialise(zero_sized.as_slice()).expect_err("Should fail to deserialise");
+
+    let mut incoherent_size = proof_bytes.clone();
+    incoherent_size[len_pos..len_pos + 8].copy_from_slice(&2000usize.to_le_bytes());
+    OutboxProof::deserialise(incoherent_size.as_slice()).expect_err("Should fail to deserialise");
+
+    let mut oversized = proof_bytes.clone();
+    oversized[len_pos..len_pos + 8].copy_from_slice(&8192usize.to_le_bytes());
+    OutboxProof::deserialise(oversized.as_slice()).expect_err("Should fail to deserialise");
+}
+
 /// Returns a serialized [OutboxProof] with the outbox message
 /// portion set to [message]. The original outbox proof message
 /// is expected to be 4096 B
 fn replace_outbox_message_of_proof(proof: &OutboxProof, message: &[u8]) -> Vec<u8> {
-    let proof_bytes = OutboxProof::serialise(&proof);
+    let proof_bytes = OutboxProof::serialise(proof);
     let message_size = 4096;
-    let message_pos = proof_bytes
-        .windows(message_size)
-        .position(|w| w.iter().all(|&b| b == 0x01))
-        .expect("Message content should be present in serialized proof");
+    let message_pos = find_message_pos(message_size, proof_bytes.as_slice());
     let len_pos = message_pos - 8;
 
     // Sanity check that the length prefix is correct
@@ -202,6 +226,13 @@ fn replace_outbox_message_of_proof(proof: &OutboxProof, message: &[u8]) -> Vec<u
     tampered
 }
 
+fn find_message_pos(message_size: usize, proof_bytes: &[u8]) -> usize {
+    proof_bytes
+        .windows(message_size)
+        .position(|w| w.iter().all(|&b| b == 0x01))
+        .expect("Message content should be present in serialized proof")
+}
+
 #[test]
 fn test_outbox_proofs_dummy_kernel() {
     test_outbox_proofs(&DUMMY)
@@ -217,3 +248,8 @@ fn test_tampered_oversize_message_dummy_kernel() {
 fn test_zero_sized_message_dummy_kernel() {
     test_tampered_zero_sized_message(&DUMMY)
 }
+
+#[test]
+fn test_tampered_size_dummy_kernel() {
+    test_tampered_size(&DUMMY);
+}
