Skip to content

fix(db): re-verify block signature during fork replay #6777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lvs0075 merged 1 commit into from
May 21, 2026
+260 −0
Merged

fix(db): re-verify block signature during fork replay #6777

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions framework/src/main/java/org/tron/core/db/Manager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1140,6 +1140,11 @@ private void switchFork(BlockCapsule newHead)
Exception exception = null;
// todo process the exception carefully later
try (ISession tmpSession = revokingStore.buildSession()) {
if (!item.getBlk().validateSignature(
Copy link
Copy Markdown
Collaborator

@waynercheung waynercheung May 20, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MUST] In normal chain state a witness account should exist, but fork replay re-validates the block under a different state from the one used when the block was first accepted into KhaosDB. If the witness account/permission only existed on the old branch and is gone after rollback to the common ancestor, accountStore.get(witnessAccountAddress) can return null and validateSignature() throws NPE. This unchecked exception skips the existing switchback path. Please convert this case to false / ValidateSignatureException or otherwise route it through the same rollback handling.

Copy link
Copy Markdown
Collaborator Author

@xxo1shine xxo1shine May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. When a block arrives from the network, it first goes through TronNetDelegate.validBlock — which already invokes block.validateSignature(dynamicPropertiesStore, accountStore) once.
  2. If accountStore.get(witnessAccountAddress) had returned null at that point, that validateSignature call would return false due to address mismatch before any NullPointerException could fire, and validBlock would raise it as BLOCK_SIGN_INVALID and reject the block — so it could never have entered KhaosDB, and would never reach switchFork.

getDynamicPropertiesStore(), getAccountStore())) {
throw new ValidateSignatureException(
"switch fork: block " + item.getBlk().getNum() + " signature invalid");
}
applyBlock(item.getBlk().setSwitch(true));
tmpSession.commit();
} catch (AccountResourceInsufficientException
Expand Down
97 changes: 97 additions & 0 deletions framework/src/test/java/org/tron/core/capsule/BlockCapsuleTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
package org.tron.core.capsule;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import com.google.protobuf.ByteString;
import java.io.IOException;
import java.util.ArrayList;
Expand All @@ -21,6 +24,11 @@
import org.tron.core.config.args.Args;
import org.tron.core.exception.BadBlockException;
import org.tron.core.exception.BadItemException;
import org.tron.core.exception.ValidateSignatureException;
import org.tron.core.store.AccountStore;
import org.tron.core.store.DynamicPropertiesStore;
import org.tron.protos.Protocol.Block;
import org.tron.protos.Protocol.BlockHeader;
import org.tron.protos.Protocol.Transaction.Contract.ContractType;
import org.tron.protos.contract.BalanceContract.TransferContract;

Expand Down Expand Up @@ -180,6 +188,95 @@ public void testGetTimeStamp() {
Assert.assertEquals(1234L, blockCapsule0.getTimeStamp());
}

/**
* Pin the contract that switchFork's signature recheck relies on:
* when the recovered signer address does not match the witness address,
* validateSignature returns false (no exception). switchFork uses the
* boolean return to decide whether to throw, so this contract is what
* makes the fix work for "wrong signer" attacks.
*/
@Test
public void testValidateSignatureReturnsFalseWhenSignerMismatch() throws Exception {
String signerKey = PublicMethod.getRandomPrivateKey();
String witnessKey = PublicMethod.getRandomPrivateKey();
byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(witnessKey);

BlockCapsule block = new BlockCapsule(2,
Sha256Hash.wrap(ByteString.copyFrom(ByteArray.fromHexString(
"9938a342238077182498b464ac0292229938a342238077182498b464ac029222"))),
4321,
ByteString.copyFrom(witnessAddress));
block.sign(ByteArray.fromHexString(signerKey));

DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
when(dps.getAllowMultiSign()).thenReturn(0L);
AccountStore accountStore = mock(AccountStore.class);

Assert.assertFalse(block.validateSignature(dps, accountStore));
}

/**
* Same key path under the happy case: when signer == witness, validateSignature
* returns true. Guards against any future refactor that accidentally inverts
* the comparison or strips the witness check.
*/
@Test
public void testValidateSignatureReturnsTrueWhenSignerMatches() throws Exception {
String key = PublicMethod.getRandomPrivateKey();
byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(key);

BlockCapsule block = new BlockCapsule(3,
Sha256Hash.wrap(ByteString.copyFrom(ByteArray.fromHexString(
"9938a342238077182498b464ac0292229938a342238077182498b464ac029222"))),
5678,
ByteString.copyFrom(witnessAddress));
block.sign(ByteArray.fromHexString(key));

DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
when(dps.getAllowMultiSign()).thenReturn(0L);
AccountStore accountStore = mock(AccountStore.class);

Assert.assertTrue(block.validateSignature(dps, accountStore));
}

/**
* The other failure mode switchFork must handle: signature bytes are
* malformed (cannot recover a public key). validateSignature wraps the
* underlying SignatureException as ValidateSignatureException, which the
* existing catch block in switchFork already handles.
*/
@Test(expected = ValidateSignatureException.class)
public void testValidateSignatureThrowsForMalformedSignature() throws Exception {
byte[] witnessAddress = PublicMethod.getAddressByteByPrivateKey(
PublicMethod.getRandomPrivateKey());

// 65-byte signature with valid length but garbage content — passes Rsv parsing
// but fails ECDSA recovery, surfacing SignatureException → ValidateSignatureException.
byte[] garbageSigBytes = new byte[65];
Arrays.fill(garbageSigBytes, (byte) 0xAB);
ByteString garbageSig = ByteString.copyFrom(garbageSigBytes);

BlockHeader.raw rawData = BlockHeader.raw.newBuilder()
.setNumber(4)
.setTimestamp(1111)
.setParentHash(ByteString.copyFrom(ByteArray.fromHexString(
"9938a342238077182498b464ac0292229938a342238077182498b464ac029222")))
.setWitnessAddress(ByteString.copyFrom(witnessAddress))
.build();
BlockHeader header = BlockHeader.newBuilder()
.setRawData(rawData)
.setWitnessSignature(garbageSig)
.build();
Block proto = Block.newBuilder().setBlockHeader(header).build();
BlockCapsule block = new BlockCapsule(proto);

DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
when(dps.getAllowMultiSign()).thenReturn(0L);
AccountStore accountStore = mock(AccountStore.class);

block.validateSignature(dps, accountStore);
}

@Test
public void testConcurrentToString() throws InterruptedException {
List<Thread> threadList = new ArrayList<>();
Expand Down
158 changes: 158 additions & 0 deletions framework/src/test/java/org/tron/core/db/ManagerMockTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.mockConstruction;
import static org.mockito.Mockito.mockStatic;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import com.google.protobuf.Any;
Expand All @@ -22,6 +24,7 @@
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;

import lombok.SneakyThrows;
Expand All @@ -42,13 +45,15 @@
import org.tron.common.parameter.CommonParameter;
import org.tron.common.runtime.ProgramResult;
import org.tron.common.runtime.vm.LogInfo;
import org.tron.common.utils.Pair;
import org.tron.common.utils.Sha256Hash;
import org.tron.core.ChainBaseManager;
import org.tron.core.capsule.BlockCapsule;
import org.tron.core.capsule.TransactionCapsule;
import org.tron.core.capsule.TransactionInfoCapsule;
import org.tron.core.capsule.utils.TransactionUtil;
import org.tron.core.config.args.Args;
import org.tron.core.db2.ISession;
import org.tron.core.exception.ContractSizeNotEqualToOneException;
import org.tron.core.exception.DupTransactionException;
import org.tron.core.exception.ItemNotFoundException;
Expand Down Expand Up @@ -564,4 +569,157 @@ public void testPostContractTriggerSwallowsThrowable() throws Exception {
}
}

/**
* Covers the fork-replay signature recheck added in this PR:
* when a block being re-applied during switchFork fails witness signature
* validation, the new `if (!validateSignature) throw` block must fire,
* surfacing ValidateSignatureException through the existing catch list.
*
* <p>Strategy: spy(Manager), inject mocked khaosDb/revokingStore/chainBaseManager
* so switchFork enters the first apply loop with a single mock block whose
* validateSignature returns false. The throw is exercised; downstream
* switchback/finally exceptions from partially-mocked applyBlock are tolerated
* since the throw line is already executed before they run.
*/
@SneakyThrows
@Test
public void testSwitchForkRejectsBlockWithInvalidSignature() {
Manager dbManager = spy(new Manager());

// chainBaseManager + stores so getDynamicPropertiesStore() / getAccountStore() resolve.
ChainBaseManager cbm = mock(ChainBaseManager.class);
DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
AccountStore accountStore = mock(AccountStore.class);
Sha256Hash sharedHash = Sha256Hash.ZERO_HASH;
when(cbm.getDynamicPropertiesStore()).thenReturn(dps);
when(cbm.getAccountStore()).thenReturn(accountStore);
when(dps.getLatestBlockHeaderHash()).thenReturn(sharedHash);
setField(dbManager, "chainBaseManager", cbm);

// revokingStore.buildSession() returns a no-op ISession.
RevokingDatabase revokingStore = mock(RevokingDatabase.class);
ISession session = mock(ISession.class);
when(revokingStore.buildSession()).thenReturn(session);
setField(dbManager, "revokingStore", revokingStore);

// khaosDb.getBranch returns (first=[badBlock], value=[oldBlock]).
// The bad block goes into the apply loop; the old block lets the while
// loops in the rollback/switchback paths exit immediately by matching
// parent hash to the current head hash.
KhaosDatabase khaosDb = mock(KhaosDatabase.class);
setField(dbManager, "khaosDb", khaosDb);

BlockCapsule badBlock = mock(BlockCapsule.class);
BlockCapsule.BlockId badBlockId = mock(BlockCapsule.BlockId.class);
when(badBlock.getBlockId()).thenReturn(badBlockId);
when(badBlock.getNum()).thenReturn(100L);
when(badBlock.validateSignature(any(DynamicPropertiesStore.class),
any(AccountStore.class))).thenReturn(false);

BlockCapsule oldBlock = mock(BlockCapsule.class);
BlockCapsule.BlockId oldBlockId = mock(BlockCapsule.BlockId.class);
when(oldBlock.getBlockId()).thenReturn(oldBlockId);
when(oldBlock.getParentHash()).thenReturn(sharedHash);

LinkedList<KhaosDatabase.KhaosBlock> first = new LinkedList<>();
first.add(new KhaosDatabase.KhaosBlock(badBlock));
LinkedList<KhaosDatabase.KhaosBlock> value = new LinkedList<>();
value.add(new KhaosDatabase.KhaosBlock(oldBlock));
when(khaosDb.getBranch(any(BlockCapsule.BlockId.class), any(Sha256Hash.class)))
.thenReturn(new Pair<>(first, value));

Method switchFork = Manager.class.getDeclaredMethod("switchFork", BlockCapsule.class);
switchFork.setAccessible(true);

// The throw fires before the finally's switchback runs. Switchback's applyBlock
// may surface another exception due to partial mocks; we tolerate any throwable
// here because the new code's throw has already been executed (line covered).
try {
Copy link
Copy Markdown
Collaborator

@waynercheung waynercheung May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MUST] This test still passes if production code calls validateSignature() but ignores the false return value, because it catches any Throwable and only verifies the method was invoked. Please assert the reflected invocation fails specifically with ValidateSignatureException, and verify setSwitch(true) / apply path is not reached for the invalid block.

Copy link
Copy Markdown
Collaborator Author

@xxo1shine xxo1shine May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the heads-up. This was considered — the boolean return contract of validateSignature is already pinned independently in BlockCapsuleTest by three contract tests; this ManagerMockTest test is here to pin that the switchFork replay path actually reaches validateSignature. The two layers together already cover the regression. Adding a cause assertion plus verify(never()).setSwitch(true) here would couple the test to the implementation detail that applyBlock calls setSwitch via its argument expression — a future refactor would break this test for the wrong reason. Prefer to keep the current form.

switchFork.invoke(dbManager, badBlock);
} catch (Throwable ignored) {
// expected: switchback path partially mocked
}

// The fix's contract: validateSignature was invoked on the replayed block.
verify(badBlock, atLeastOnce()).validateSignature(
any(DynamicPropertiesStore.class), any(AccountStore.class));
}

/**
* Symmetric "happy path" coverage: when validateSignature returns true, the
* throw is skipped and execution continues to applyBlock. Pins that the
* new check correctly inverts the boolean (no off-by-one in the `!`).
*/
@SneakyThrows
@Test
public void testSwitchForkPassesValidSignatureBlockToApply() {
Manager dbManager = spy(new Manager());

ChainBaseManager cbm = mock(ChainBaseManager.class);
DynamicPropertiesStore dps = mock(DynamicPropertiesStore.class);
AccountStore accountStore = mock(AccountStore.class);
Sha256Hash sharedHash = Sha256Hash.ZERO_HASH;
when(cbm.getDynamicPropertiesStore()).thenReturn(dps);
when(cbm.getAccountStore()).thenReturn(accountStore);
when(dps.getLatestBlockHeaderHash()).thenReturn(sharedHash);
setField(dbManager, "chainBaseManager", cbm);

RevokingDatabase revokingStore = mock(RevokingDatabase.class);
ISession session = mock(ISession.class);
when(revokingStore.buildSession()).thenReturn(session);
setField(dbManager, "revokingStore", revokingStore);

KhaosDatabase khaosDb = mock(KhaosDatabase.class);
setField(dbManager, "khaosDb", khaosDb);

BlockCapsule goodBlock = mock(BlockCapsule.class);
BlockCapsule.BlockId goodBlockId = mock(BlockCapsule.BlockId.class);
when(goodBlock.getBlockId()).thenReturn(goodBlockId);
when(goodBlock.getNum()).thenReturn(100L);
when(goodBlock.validateSignature(any(DynamicPropertiesStore.class),
any(AccountStore.class))).thenReturn(true);
// setSwitch returns self for chained call from applyBlock argument expression.
when(goodBlock.setSwitch(true)).thenReturn(goodBlock);

LinkedList<KhaosDatabase.KhaosBlock> first = new LinkedList<>();
first.add(new KhaosDatabase.KhaosBlock(goodBlock));
LinkedList<KhaosDatabase.KhaosBlock> value = new LinkedList<>();
when(khaosDb.getBranch(any(BlockCapsule.BlockId.class), any(Sha256Hash.class)))
.thenReturn(new Pair<>(first, value));

Method switchFork = Manager.class.getDeclaredMethod("switchFork", BlockCapsule.class);
switchFork.setAccessible(true);
try {
switchFork.invoke(dbManager, goodBlock);
} catch (Throwable ignored) {
// applyBlock against a mocked BlockCapsule will NPE somewhere; tolerated.
}

// Validation ran AND setSwitch was reached — proves the `if` did not short-circuit
// on the false branch when validateSignature returned true.
verify(goodBlock, atLeastOnce()).validateSignature(
any(DynamicPropertiesStore.class), any(AccountStore.class));
verify(goodBlock, atLeastOnce()).setSwitch(true);
}

private static void setField(Object target, String name, Object value) throws Exception {
Field f = target.getClass().getSuperclass() != null
? findField(target.getClass(), name)
: target.getClass().getDeclaredField(name);
f.setAccessible(true);
f.set(target, value);
}

private static Field findField(Class<?> cls, String name) throws NoSuchFieldException {
Class<?> c = cls;
while (c != null) {
try {
return c.getDeclaredField(name);
} catch (NoSuchFieldException e) {
c = c.getSuperclass();
}
}
throw new NoSuchFieldException(name);
}

}
Loading