fix(core): REDEEM/UNSTAKE/SLASH 未激活守卫补 amount=0+burn=0,防历史消息 retroactive 分叉#71
Merged
Merged
Conversation
…oactive 判非法 redOpError 里两处「激活前」守卫此前会误伤历史合法链上消息,与已修的 IDRELEASE(12d9798, PR #69)同一 bug 类;这两处因触及 mint/staking 共识路径,当时不在那轮范围,现单独处理。 1) 铸币 REDEEM(mintActive):`!mintActive && REDEEM_PREFIX && amount===0` 会拒掉「amount=0 + burn>0 + 正文恰好以 REDEEM| 开头」的普通消息——这类消息在本 PR 之前旧节点照收(burn>0 即非空操作)。真实兑现的形态是 amount=0 **且 burn=0**(见 mintActive REDEEM 分支强制 burn=0)。补 `&& (tx.burn ?? 0) === 0` 收窄守卫。 2) 质押 UNSTAKE/SLASH(stakingActive):`!stakingActive && (UNSTAKE|SLASH)` 更宽——完全没有 amount/burn 判定,任何以 UNSTAKE|/SLASH| 开头的历史交易(含 amount>0 普通转账、burn>0 消息) 都被拒。真实赎回/罚没的形态是 amount=0 **且 burn=0**(见 stakingActive UNSTAKE/SLASH 分支)。 补 `&& tx.amount === 0 && (tx.burn ?? 0) === 0` 收窄守卫。 两处均为**纯收窄**(只加 AND 条件 → 只会比旧行为更宽松、绝不多拒),因此:升级节点重放历史链时 不再把这些老消息判非法(validateChain/loadChain/replaceChain 不再 retroactive 拒整条链);真实 兑现/赎回/罚没(amount=0+burn=0)仍被拦(与旧节点一致地拒空操作);对激活后共识零影响(守卫仅在 未激活时触发)。无论实时链在激活高度下是否真有这类历史消息,收窄都安全。 回归: - mint-selftest:激活前 REDEEM| 开头的普通消息(burn>0)必须仍被接受、整链校验通过。 - staking-selftest:激活前 UNSTAKE|/SLASH| 开头的普通消息(burn>0)必须仍被接受、整链校验通过; 并补 SLASH 零额新边界(amount=0+burn=0)仍被拒的对照断言。 经实证:回退守卫后这三条消息全被「尚未激活」拒 → 回归确实咬住该 bug。 typecheck(6 包)/smoke/staking/mint/onion/antireplay 全绿。 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Owner
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. 🎉 Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
背景
redOpError(packages/core/src/blockchain.ts)里两处「激活前」守卫会误伤历史合法的链上消息——与feat/l1-anti-abuse(PR #69)里已修的 IDRELEASE 守卫(commit12d9798)是同一 bug 类。这两处因为触及 mint/staking 共识路径,不在那轮范围;本 PR 单独、最小化地处理。一条普通链上消息(
createMessage:amount=0、burn>0、memo任意)若正文恰好以协议前缀开头,在本 PR 之前的旧节点是合法接受的(burn>0即非空操作,见addTransaction空交易判定 line 595)。当前守卫却会在validateChain重放历史链时把它判非法 →loadChain/replaceChain拒绝整条链(retroactive 分叉)。改动(两处纯收窄)
铸币 REDEEM(
~line 207,!mintActive):… && tx.amount === 0→… && tx.amount === 0 && (tx.burn ?? 0) === 0真实兑现形态是
amount=0且burn=0(见mintActiveREDEEM 分支强制burn=0/amount=0)。质押 UNSTAKE/SLASH(
~line 198,!stakingActive,更宽——原本无任何 amount/burn 判定):!stakingActive && (UNSTAKE|SLASH)→… && tx.amount === 0 && (tx.burn ?? 0) === 0真实赎回/罚没形态是
amount=0且burn=0(见stakingActiveUNSTAKE/SLASH 分支)。两处均为纯收窄(只加 AND 条件)——只会比旧行为更宽松、绝不多拒,故:
amount=0+burn=0)仍被拦(与旧节点一致地拒空操作);MINT_ACTIVATION_HEIGHT=30000/STAKING_ACTIVATION_HEIGHT=16000之下是否真有这类历史消息,收窄都安全。回归测试
scripts/mint-selftest.ts:激活前REDEEM|开头的普通消息(burn>0)必须仍被接受、整链校验通过。scripts/staking-selftest.ts:激活前UNSTAKE|/SLASH|开头的普通消息(burn>0)必须仍被接受、整链校验通过;并补「SLASH 零额新边界(amount=0+burn=0)仍被拒」对照断言。burn>0消息全被「尚未激活」拒 → 回归确实咬住该 bug;恢复后全绿。验证
corepack pnpm -r run typecheck— 6 包全绿corepack pnpm smoke— 通过staking/mint/onion/antireplayselftests — 全绿(注:
identity-selftest与message-burn-floor在本仓main尚不存在,属 PR L1 反滥用共识内核:消息防刷底线 + 质押式匿名身份 #69 分支,故未跑。)🤖 Generated with Claude Code