Skip to content

Validate PartiallySignedTransaction after decoding#2093

Open
oliv3rdrt wants to merge 1 commit into
mintlayer:masterfrom
oliv3rdrt:validate_partially_signed_tx
Open

Validate PartiallySignedTransaction after decoding#2093
oliv3rdrt wants to merge 1 commit into
mintlayer:masterfrom
oliv3rdrt:validate_partially_signed_tx

Conversation

@oliv3rdrt

Copy link
Copy Markdown

Problem

Wallet RPC methods and CLI commands that accept a PartiallySignedTransaction decode it from bytes with SCALE, which skips the checks that PartiallySignedTransaction::new performs. A malformed but still decodable transaction (for example one whose witness count does not match the number of inputs) can therefore reach the wallet and make it panic instead of returning an error.

Fix

Call ensure_consistency immediately after decoding in GenericTransaction::decode_from_untagged_bytes, the shared path used by account_sign_raw_transaction and transaction_inspect (and the CLI commands that call them). A new GenericTransactionError::InconsistentPartiallySignedTransaction variant is returned on failure.

The Basic consistency level is used on purpose: it enforces the structural invariants that prevent the panics, while still accepting partial transactions that are legitimately incomplete during signing. Using WithAdditionalInfo here would reject those and also break the existing decode test.

Tests

Added a unit test that feeds a hand-encoded, inconsistent PartiallySignedTransaction through the decode path and asserts it is rejected. The existing tests still pass and clippy is clean for the changed crate.

Closes #2069

Wallet RPC methods and CLI commands accept a hex-encoded
PartiallySignedTransaction and decode it with SCALE, which bypasses the
invariants that PartiallySignedTransaction::new enforces. A malformed but
still decodable transaction could then make the wallet panic, e.g. on a
witness/input count mismatch.

Call ensure_consistency right after decoding in
GenericTransaction::decode_from_untagged_bytes, the shared decode path used by
account_sign_raw_transaction and transaction_inspect, so such input is rejected
with a proper error instead. The Basic level is used so that transactions that
are still being assembled are not rejected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Wallet should validate PartiallySignedTransaction

1 participant