Skip to content

Pr/blocktime-check#4

Merged
DankFC merged 1 commit into
community-devfrom
pr/blocktime-check
Feb 6, 2026
Merged

Pr/blocktime-check#4
DankFC merged 1 commit into
community-devfrom
pr/blocktime-check

Conversation

@8lecramm

@8lecramm 8lecramm commented Feb 6, 2026

Copy link
Copy Markdown

Description

DOS prevention.
More details in group chat.

Type of change

Please select the right one.

  • Bug fix (non-breaking change which fixes an issue)

Which part is impacted ?

  • Daemon

Checklist:

  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings

License

Im am contributing & releasing the code under DERO Research License (which can be found here).

@DankFC DankFC self-assigned this Feb 6, 2026
@DankFC DankFC merged commit 5f08637 into community-dev Feb 6, 2026
@DankFC DankFC deleted the pr/blocktime-check branch February 6, 2026 23:00
DHEBP added a commit to DHEBP/derohe that referenced this pull request Jun 24, 2026
…anon

Addresses the DEROFDN#22 review:

- curatedRingCandidates canonicalizes the sender, recipient, and every
  preferred decoy to its base address before the distinctness/dedup checks,
  and the ring carries the base form. A ring member is identified by its
  pubkey, not its address string, so an integrated/payment-id encoding of an
  account already in the ring (sender, recipient, or another decoy) no longer
  slips the string-keyed checks and lands a duplicate pubkey that consensus
  rejects AFTER signing. Test_CuratedRing_AltEncoding_NoDuplicate_A2 covers
  recipient / sender / decoy-vs-decoy / cross-network, each mutation-proven. (review #1)
- Anonymous attribution now fails closed at ring size < 4 (no decoy slot)
  instead of silently falling through to honest attribution. (review DEROFDN#8)
- Port the unverified-attribution export scrub + self-send flag into the decode
  arms (this stack predates it); behavioral scrub test + an honest-byte guard
  that asserts honest mode writes the receiver slot (closes the grep guard's
  reassignment blind spot). (review DEROFDN#3, DEROFDN#9)

The bounds guard is sufficient for the same reason as DEROFDN#21: bad ring keys panic
at NewAddress before the Publickeylist rebuild, so len==RingSize. (review DEROFDN#4)
DHEBP added a commit to DHEBP/derohe that referenced this pull request Jul 2, 2026
…etroactive scrub (review #1/DEROFDN#4/DEROFDN#5/DEROFDN#6)

DEROFDN#6 — Entry.String() printed "Sender: %s" unconditionally: a scrubbed ring>2
transfer rendered a bare "Sender: " line that reads as a decode bug — the
exact "looks broken" outcome the design meant to avoid, contradicting the
truth table documented on SenderVerified in the same file. The Sender line
now follows the table: verified -> the address; scrubbed (no payload
error) -> "unknown (unverifiable, ring size N)"; decode failure -> a
distinct "unknown (payload decode failed)". Blast radius: two CLI debug
dumps (%+v in show_transfers error paths); JSON marshalling untouched.
Pinned by rpc/wallet_rpc_test.go (offline, sub-second): all three arms,
plus forbids the bare line and scrub/decode-failure conflation.

DEROFDN#4/DEROFDN#5 — the non-retroactive caveat lived only in commit 4e9de56's message.
Now in the docs consumers read: SenderVerified's doc comment states the
scrub is decode-time only (pre-upgrade entries keep their guessed Sender
and unscrubbed Data[0], served as-is by Get_Transfers; the guarantee holds
only for blocks decoded post-upgrade), the upgrade is one-way for the
privacy property, and pre-upgrade entries deserialize
SenderVerified=false, RingSize=0 — indistinguishable from a scrub without
re-decoding, so a migration MUST re-derive RingSize from chain data (a
read-path scrub keyed on persisted fields would wrongly blank the wallet's
own verified sends — why the rescan is a follow-up, not this commit).
RingSize's doc gains the "0 = pre-upgrade/unknown, not a real ring" note;
the GetTransfers handler doc points RPC consumers at the contract.

#1 hardening — both decode arms bounded sender_idx against
Statement.RingSize while indexing Statement.Publickeylist. Safe today
(len(Publickeylist)==RingSize holds at that point), but the guard now
bounds against the slice actually indexed, so it survives any future break
of that invariant.

Existing pins green: the scrub-behavior sim test and the source-grep guard
(its regexes key on the scrub lines, untouched here).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants