Special case onblock action from contract whitelist/blacklist to avoid misuse

[arhag]

As of v1.0.1, if a producer sets up their contract-whitelist to include accounts other than eosio, or alternatively has an empty contract-whitelist but includes eosio in the contract-blacklist, then that producer will reject the onblock transaction from executing. However, since we have no way of signaling whether the onblock transaction executed or not in the block structure, other nodes with a different whitelist/blacklist configuration may attempt to the run the onblock transaction. This leads to a discrepancy of the action_mroot and therefore the digest that the block producers signs compared to the digest other nodes expect the producer to have signed.

With the current behavior, it is inappropriate for a block producer to include eosio in the blacklist (or if a whitelist is set, to not include eosio in the whitelist). Either this needs to be made clear in the documentation, or better yet we should special case the eosio::onblock action so that it is not possible for a block producer to badly configure the whitelist/blacklist.

Thanks to EOS Canada for bringing this to our attention.