What
In `packages/rs-platform-wallet/src/wallet/shielded/operations.rs`, the five shielded transition builders split into two broadcast styles:
- `transfer`, `unshield`, `withdraw` use `state_transition.broadcast_and_wait::<StateTransitionProofResult>(sdk, None)` — waits until Platform has processed the transition and returns a cryptographic proof of the result.
- `shield` (Type 15) and `shield_from_asset_lock` (Type 18) use `state_transition.broadcast(sdk, None)` and return `Ok(())` as soon as a single DAPI gateway accepts the bytes for relay.
Why it needs fixing
"One peer accepted my submission" ≠ "Platform included and executed it." A faulty or hostile DAPI node can ACK submission, then the transition is rejected at consensus or silently dropped — and the host has already told the user the shield succeeded.
- The rich `addresses_not_enough_funds` diagnostic in the shield path is mostly unreachable, because the error surfaces only after we've already returned `Ok`.
- Type 18 is worse: the asset-lock proof is single-use. A false-positive success can strand the user's funds.
Success should mean "Platform proved execution", matching the other three transition types.
Fix
Switch `shield` and `shield_from_asset_lock` to `broadcast_and_wait::<StateTransitionProofResult>`. This is a behavior change (longer call, error timing moves to confirmation), so it warrants its own commit + testing.
Deferred from #3603 review (thepastaclaw).
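To make the failure mode concrete, here is an added, self-contained model of the two broadcast styles (example code, not the wallet's or the Dash SDK's own API): `Platform`, `Outcome` and the two `shield_*` functions are constructed stand-ins, and the scenario simulates a gateway that ACKs relay while consensus then rejects the transition.

```rust
// Added example: a minimal model of "gateway ACK" versus "proof of execution".
// `Platform` is a constructed stand-in for a DAPI gateway plus Platform consensus,
// not the real SDK type.

#[derive(Debug, Clone, PartialEq)]
pub enum Outcome {
    /// Platform executed the transition and returned a proof (modelled as bytes).
    Proven(Vec<u8>),
    /// Consensus rejected (or dropped) the transition after a gateway ACKed it.
    Rejected(String),
}

/// Constructed stand-in for the network: whether a gateway ACKs relay, and
/// what consensus ultimately does with the transition.
pub struct Platform {
    pub gateway_acks: bool,
    pub consensus: Outcome,
}

impl Platform {
    /// Models `broadcast`: returns Ok as soon as one gateway accepts the bytes.
    pub fn broadcast(&self, _bytes: &[u8]) -> Result<(), String> {
        if self.gateway_acks { Ok(()) } else { Err("no gateway accepted relay".into()) }
    }

    /// Models `broadcast_and_wait`: relay first, then wait for the consensus result.
    pub fn broadcast_and_wait(&self, bytes: &[u8]) -> Result<Vec<u8>, String> {
        self.broadcast(bytes)?;
        match &self.consensus {
            Outcome::Proven(proof) => Ok(proof.clone()),
            Outcome::Rejected(reason) => Err(reason.clone()),
        }
    }
}

/// The pattern the issue flags: success is reported on gateway ACK alone.
pub fn shield_fire_and_forget(p: &Platform, bytes: &[u8]) -> Result<(), String> {
    p.broadcast(bytes)
}

/// The proposed fix: success means Platform proved execution.
pub fn shield_wait_for_proof(p: &Platform, bytes: &[u8]) -> Result<Vec<u8>, String> {
    p.broadcast_and_wait(bytes)
}

fn main() {
    // Constructed scenario: gateway ACKs, then consensus rejects for insufficient funds.
    let hostile = Platform { gateway_acks: true, consensus: Outcome::Rejected("addresses_not_enough_funds".into()) };
    let st = b"shield-transition-bytes";
    println!("fire-and-forget: {:?}", shield_fire_and_forget(&hostile, st)); // Ok(()) - false positive
    println!("wait-for-proof:  {:?}", shield_wait_for_proof(&hostile, st)); // Err("addresses_not_enough_funds")
}
```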