feat: harden misbehaviour/double-vote validation and remove infraction_parameters from APIs#16
Merged
Merged
Conversation
Pantani
requested review from
giuliostramondo,
giunatale,
julienrbrt and
tbruyelle
…idation # Conflicts: # x/vaas/provider/types/keys.go # x/vaas/provider/types/keys_test.go
… already tombstoned - Enforce infraction header height == evidence height and header chain-id matches the consumer chain-id.
Pantani
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes per-consumer infraction parameters from the VAAS provider module and hardens evidence submission handling against malformed inputs. The changes implement validation improvements for double-voting evidence submissions and make misbehaviour handling non-punitive (validate and log only).
Changes:
- Removed
infraction_parametersfield fromMsgCreateConsumer,MsgUpdateConsumer,Chain, andQueryConsumerChainResponsewith proper protobuf field reservation - Added nil input validation for evidence submission messages to prevent panics
- Added chain_id and height matching validation for double-voting evidence submissions
- Made repeated double-vote evidence submissions idempotent when validator is already tombstoned
- Changed misbehaviour handling to validate and log only (removed slashing/jailing/tombstoning)
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| proto/vaas/provider/v1/tx.proto | Reserved field 5 and 7 for removed infraction_parameters in MsgCreateConsumer and MsgUpdateConsumer |
| proto/vaas/provider/v1/query.proto | Reserved field 6 and 7 for removed infraction_parameters in Chain and QueryConsumerChainResponse |
| x/vaas/provider/types/tx.pb.go | Generated code for removed infraction_parameters fields |
| x/vaas/provider/types/query.pb.go | Generated code for removed infraction_parameters fields |
| x/vaas/provider/types/msg.go | Added submitter validation, nil misbehaviour check, and height matching validation in ValidateBasic; removed ValidateInfractionParameters function |
| x/vaas/provider/types/msg_test.go | Updated tests to remove infraction_parameters usage |
| x/vaas/provider/types/submit_msgs_test.go | Added new tests for nil misbehaviour validation and height mismatch |
| x/vaas/provider/keeper/msg_server.go | Added extensive nil checks, chain_id validation, and height validation for evidence submissions |
| x/vaas/provider/keeper/msg_server_test.go | Added tests for nil message and header validation |
| x/vaas/provider/keeper/consumer_equivocation.go | Made double-voting idempotent for tombstoned validators; changed misbehaviour to log-only |
| x/vaas/provider/keeper/grpc_query.go | Removed infraction_parameters from query responses |
| x/vaas/provider/types/keys.go | Removed infraction-related key constants; renamed PrioritylistPrefix to PriorityListPrefix |
| x/vaas/provider/types/errors.go | Removed ErrInvalidConsumerInfractionParameters error |
| x/vaas/provider/client/cli/tx.go | Updated CLI examples to remove infraction_parameters |
| go.mod, go.sum | Updated bytedance/sonic dependency from v1.12.7 to v1.15.0 |
| REWRITE_SUMMARY.md, README.md, PLAN.md | Updated documentation to reflect removal of per-consumer infraction parameters |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pantani
changed the title
tbruyelle
requested changes
Mar 9, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 18 out of 19 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…idation # Conflicts: # x/vaas/provider/keeper/msg_server_test.go # x/vaas/provider/types/errors.go
…ght/round/type CometBFT's DuplicateVoteEvidence.ValidateBasic only enforces block-ID ordering between the two votes, so a malformed payload with diverging VoteA/VoteB height (or round, or type) would otherwise reach signature verification before being rejected. Catch it in MsgSubmitConsumerDoubleVoting ValidateBasic and add a covering test.
…n-only Explain the design choice in a doc comment so the absence of slash/jail/ tombstone in light-client misbehaviour handling reads as intentional rather than a regression. Cross-references the README and DESIGN_RATIONALE entries that document the same posture.
HandleConsumerMisbehaviour now returns the identified byzantine validator set and the SubmitConsumerMisbehaviour event includes it as a chain attribute. The previous detection-only path silently swallowed the result, so submitters had no on-chain way to tell whether the evidence identified anyone, whether it was an unidentifiable amnesia attack, or whether the two-header overlap was empty. Differentiate the two empty-set cases in the keeper log as well.
Drives the message end-to-end through HandleConsumerDoubleVoting with mocked staking/slashing keepers, asserting both that the slash+jail+tombstone sequence completes without error and that the emitted chain event carries the expected consumer_id and consumer_chain_id attributes. Existing tests in this file only covered rejection paths.
…msg server baseapp's msg service router calls msg.ValidateBasic() on every sdk.HasValidateBasic message before dispatching to the handler, and the auth ante chain enforces non-nil tx messages, so the explicit guards in SubmitConsumerMisbehaviour and SubmitConsumerDoubleVoting were redundant in production flow. Remove the guards and the msg_server tests that only existed to exercise them; the ValidateBasic behaviour is already covered directly in submit_msgs_test.go.
tbruyelle
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
close #5
Description
This PR improves provider-side validation for misbehaviour and double-voting submissions, fixes missing nil/consistency checks, and adds tests for chain-id/height mismatch and invalid payloads. It also removes deprecated per-consumer infraction_parameters from tx/query APIs (reserved in proto) and updates CLI/generated code accordingly.