MF2-H01: harden receiver-state issuance and dispute resolution

[philanton]

Summary

Fixes two security findings:

• MF2-H01 — receiver-credit issuance node-signed newer states for a ChannelStatusChallenged home channel, enabling dispute reset via checkpoint.
• MF2-H02 — receiver's latest stored state could pin a closed home channel as the active head: request_creation rejected fresh channels with channel is already initialized, follow-up RPCs failed with user has no active channel, and incoming receives could still node-sign credits onto the closed channel. User had to migrate wallets to recover use of the asset.

Five remediations, each adding tests:

1. Restrict node co-signing of receiver states to Open home channels. issueTransferReceiverState (channel_v1) and issueReleaseReceiverState (app_session_v1) now allowlist via CheckActiveChannel: node-signs only when the receiver's active home channel is Open. Receiver states for Challenged, Closing, and Closed channels are persisted unsigned (still tracked for reconciliation, never returned for onchain submission). Closes the MF2-H01 dust-checkpoint vector and also closes the MF2-H02 vector of incoming sends getting node-signed onto an already-closed home channel.

2. Backfill node sig on the off-chain head when a challenge clears. HandleHomeChannelCheckpointed now recomputes the node signature for the channel's highest stored version (GetLastStateByChannelID) rather than the on-chain enforced version, so any during-challenge receiver state that became the new latest row is fully co-signed. UpdateStateUserSigIfMissing is generalized to UpdateStateSigsIfMissing(channelID, version, userSig, nodeSig). Open→Open checkpoints stay on the prior user-sig-only path. Defensive guard skips backfill when the head transition is not a receiver-credit type.

3. Squash challenge-window net channel change into ChallengeRescue on Challenged → Closed; emit unconditionally to clear the closed-channel head (MF2-H02). New DB query SumNetTransitionAmountAfterVersion returns receives − sends above the closure version, where receives = (TransferReceive, Release) and sends = (TransferSend, Commit), across both signed and unsigned rows. Caller clamps net at zero (negative net is reachable only when the user closes at a version where her own channel balance exceeded the off-chain head — adversarial rollback of her own sends/commits; on-chain has already paid above head, rescue must not dock further). HomeChannelClosed emits a single ChallengeRescue (transition + transaction type 201) on the user's ledger — fresh epoch, version 1, HomeChannelID nil, AccountID = closed channel ID — built via core.NewChallengeRescueState. Emission is unconditional on Challenged → Closed (zero-amount allowed): this is the MF2-H02 fix. Without it, the receiver's latest stored state retains the closed HomeChannelID, IsFinal() returns false on the non-finalize head, NextState() inherits the closed channel ID, channels.v1.request_creation fails with channel is already initialized, and submit_state calls fail with user has no active channel. The rescue advances the user's head to HomeChannelID = nil so request_creation proceeds and subsequent receiver issuance produces the "credit a user with no open channel" shape. SumNetTransitionAmountAfterVersion is pinned to the previous head's epoch; the caller asserts prev.Version > closureVersion whenever the sum is non-zero. (Cooperative Open → Closing → Closed closes via Finalize, so IsFinal() is true and no rescue is needed; that path is unaffected.)

4. Serialize event-handler status mutations with receiver-issuance RPCs via LockUserState. HandleHomeChannelClosed, HandleHomeChannelChallenged, and HandleHomeChannelCheckpointed now acquire LockUserState(user, asset) after type guards and before status mutation / sum / rescue / backfill. Closes a race window where an in-flight RPC reading Status = Open (or Challenged) via CheckActiveChannel could commit a node-signed or unsigned receiver row after the handler had already flipped status, producing orphaned rows (Open channel with unsigned latest head not reached by backfill; node-signed receiver on a disputed channel; receiver row above closure version that the rescue sum already finalized). LockUserState added to core.ChannelHubEventHandlerStore and evm.ChannelHubReactorStore (DBStore already implemented it).

5. Document the accepted session-key off-chain scope-enforcement gap. SessionKeyValidator on-chain validates cryptographic signatures only; off-chain ValidateChannelSessionKeyForAsset (expiration, asset scope) runs only on the node's acknowledgement path (channels.v1.submit_state with TransitionTypeAcknowledgement). A holder of a session key ever authorized on the channel — including expired, revoked, or retired keys — can fetch the node-signed receive state, sign manually, and submit directly on-chain. Outcome is bounded by states the user already signed and the receive state's strictly-additive allocation effect on the user, so the gap is griefing-only on the user's own sends, not theft; and the direct-submission path is the only recovery when the node is unavailable. Documented in contracts/SECURITY.md and docs/protocol/security-and-limitations.md.

Protocol docs (docs/protocol/enforcement.md, protocol-description.md) updated to describe the broader scope. challenge_rescue added to transition_type and transaction_type enums in docs/api.yaml. contracts/SECURITY.md updated for the net-change rescue scope and the accepted limitation.

Test plan

• go test ./... — full suite green
• Unit: receiver-state issuance against a non-Open home channel (Challenged / Closing / Closed) produces unsigned rows in both channel_v1 (transfer) and app_session_v1 (release) flows; Open produces node-signed
• Unit: HandleHomeChannelCheckpointed re-signs the off-chain head (highest stored version) when challenge clears; no-op when head is already signed; skips when head transition is not a receiver-credit type; no head-sig call on Open→Open
• Unit + DB: HomeChannelClosed while Challenged emits one ChallengeRescue with max(0, receives − sends) above closure; zero-amount rescue still emitted to advance epoch (MF2-H02 regression); deterministic txID = GetReceiverTransactionID(closedChannelID, newStateID); no rescue on Open→Closed (cooperative finalize)
• DB: SumNetTransitionAmountAfterVersion — dust receives during challenge; signed pre-challenge receives stranded above closure included; HomeDeposit / finalize / acknowledgement / escrow / migrate excluded; adversarial rollback (negative net) returned; Commit deduction; strict > closure boundary; cross-epoch exclusion
• Handler: negative-net clamp at caller
• Concurrency: HandleHomeChannelClosed, HandleHomeChannelChallenged, HandleHomeChannelCheckpointed acquire LockUserState before status mutation / backfill — captured-flag ordering tests on UpdateChannel
• Core: NewChallengeRescueState accepts amount ≥ 0 (rejects negative), rejects prev.HomeChannelID == nil; produces version=1, empty token/blockchain, balance credited

Postgres FOR UPDATE integration coverage for both lock orders (RPC wins vs event wins) deferred to a follow-up; the lock primitive is proven by DBStore.LockUserState's own tests, and the call sites are pinned by the ordering tests above.

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements a challenge-rescue flow that preserves accrued unsigned receiver credits when a disputed home channel closes. When a channel enters CHALLENGED status, the node stops co-signing receive-state transitions and queues them unsigned; upon closure after challenge expiry, these credits are squashed into a ChallengeRescue state stored off-chain with transaction recording.

Changes

Challenge Rescue Implementation

Layer / File(s)	Summary
Specification and challenge-rescue types contracts/SECURITY.md, docs/api.yaml, docs/protocol/enforcement.md, protocol-description.md, pkg/core/types.go, pkg/core/types_test.go	Specification documents define queued unsigned receive-credit behavior and challenge-resolution paths during CHALLENGED status; core types introduce NewChallengeRescueState constructor, TransitionTypeChallengeRescue/TransactionTypeChallengeRescue enums (value 201), string mappings, and logic to derive rescue transactions; tests validate rescue state construction and error handling.
Storage layer interfaces and implementations nitronode/store/database/interface.go, nitronode/store/database/state.go, nitronode/store/database/channel.go, nitronode/store/database/channel_test.go, nitronode/store/database/db_store_test.go, pkg/core/interface.go, pkg/blockchain/evm/channel_hub_reactor.go	Database interfaces add GetHomeChannelStatus, UpdateStateSigsIfMissing (dual-signature idempotent backfill), and SumUnsignedReceiverStateAmountsAfterVersion (unsigned-receiver credit aggregation); DBStore implements home-channel status lookup, combined signature backfilling across home/escrow columns, and signed/unsigned receiver-state amount summation; comprehensive tests verify backfill idempotency, credit summation filtering, and channel-ID normalization.
Handler APIs: status-aware state-signing nitronode/api/app_session_v1/interface.go, nitronode/api/app_session_v1/handler.go, nitronode/api/app_session_v1/testing.go, nitronode/api/channel_v1/interface.go, nitronode/api/channel_v1/handler.go, nitronode/api/channel_v1/testing.go	Handler Store interfaces add GetHomeChannelStatus; app-session and channel handlers check receiver home-channel status and conditionally sign receiver states—signing proceeds normally unless the home channel is in ChannelStatusChallenged, in which case state packing/signing is skipped and logged; mock implementations support test configuration of home-channel status.
Handler tests: challenged receiver status nitronode/api/app_session_v1/submit_app_state_test.go, nitronode/api/channel_v1/submit_state_test.go	New tests for withdraw-intent and transfer-send flows verify that when receiver home-channel is Challenged, the persisted receiver state includes no node signature while sender state retains it; existing tests updated to mock GetHomeChannelStatus returning ChannelStatusOpen.
Event handler service: wiring and rescue issuance nitronode/event_handlers/service.go, nitronode/main.go	EventHandlerService gains nodeSigner and statePacker dependencies injected at construction; HandleHomeChannelCheckpointed tracks prior-challenged state and backfills missing node signature on the off-chain head when challenge was cleared; HandleHomeChannelClosed computes unsigned receiver-credit sum via the new database method and issues a ChallengeRescue state with transaction recording when closure resolves a prior challenge.
Lifecycle handler API migration nitronode/event_handlers/service.go, nitronode/event_handlers/testing.go	All home and escrow channel lifecycle handlers (Created, Checkpointed, Challenged, Closed, escrow deposit/withdrawal initiated/challenged/finalized) updated from UpdateStateUserSigIfMissing to UpdateStateSigsIfMissing to support both user and node signature backfilling; mock store updated with new methods for dual-signature backfill, unsigned-receiver aggregation, user-state persistence, and transaction recording.
Event handler comprehensive testing nitronode/event_handlers/service_test.go	All existing lifecycle tests updated to use UpdateStateSigsIfMissing; new tests validate head-node signature backfill with on-the-fly verification, no re-signing when head is already node-signed, rescue-state emission with unsigned-receiver credit squashing, rescue suppression when no credits accrue, and deterministic transaction recording; uses real signer and mocked asset store for cryptographic validation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• layer-3/nitrolite#753: Both PRs modify the escrow "challenged" event handling in nitronode/event_handlers/service.go (notably HandleEscrowDepositChallenged): the main PR changes the state-signature backfill semantics during disputes, while the retrieved PR adds scheduling of a home-chain Challenge via ScheduleChallenge, so the changes are directly related at the handler/code-path level.

Suggested reviewers

• dimast-x
• nksazonov
• ihsraham

Poem

🐇 When channels face dispute, we queue without haste,
No signatures needed while challenges taste
The off-chain delays, then when closures align,
A rescue state squashes the credits so fine.
The rabbit approves! 🎯

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.41% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main security remediation focus: hardening receiver-state issuance and dispute resolution mechanisms.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/nitronode-mf2-h01

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

nitronode/event_handlers/service.go (2)

22-30: 💤 Low value

Doc comment understates NewEventHandlerService responsibilities.

The signer/packer are also used to construct the rescue path on HomeChannelClosed, not just the checkpoint backfill. Worth a small expansion so future readers don't assume the deps are checkpoint-only.

📝 Proposed doc tweak

 // NewEventHandlerService creates a new EventHandlerService instance.
-// nodeSigner and statePacker are used to backfill the node signature on the
-// checkpointed head state when it is missing from the local record.
+// nodeSigner and statePacker are used to backfill the node signature on the
+// off-chain head state when a challenge clears, and (via the rescue path)
+// to produce signed state material during HomeChannelClosed handling.
 func NewEventHandlerService(nodeSigner *core.ChannelDefaultSigner, statePacker core.StatePacker) *EventHandlerService {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nitronode/event_handlers/service.go` around lines 22 - 30, The doc comment
for NewEventHandlerService currently says nodeSigner and statePacker are used to
backfill the node signature on the checkpointed head state; update it to also
state these dependencies are used to construct the rescue path on
HomeChannelClosed. Locate the NewEventHandlerService constructor and the
EventHandlerService type and expand the comment to mention both responsibilities
(checkpoint backfill and rescue-path construction for HomeChannelClosed) and
reference nodeSigner and statePacker by name so future readers aren’t misled.

---

152-174: 💤 Low value

Helper looks correct; verify it tolerates head.Version == event.StateVersion.

When a challenge clears without any during-challenge receiver state, the head equals the on-chain checkpointed row, which was just user-sig-backfilled on lines 126–130. In that case the row at head.Version may already be node-signed (if the original RPC path signed it) or still missing a node sig (if it was originally a receiver-only state checkpointed on chain). The current logic correctly node-signs the missing case and is a no-op when head.NodeSig != nil, so this is well-behaved. The doc comment on lines 132–136 ("the off-chain head may sit above event.StateVersion") reads as if head.Version > event.StateVersion is the only invocation case — consider rewording slightly so the head-equals-checkpoint case is documented as the "no-op" path explicitly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nitronode/event_handlers/service.go` around lines 152 - 174, Update the
function comment for backfillOffChainHeadNodeSig to clarify that the off-chain
head can be equal to event.StateVersion (not only greater), and explicitly
document that when head.Version equals the checkpointed on-chain state the
function is a no-op if head.NodeSig is already present; mention that the
function will still sign the row if the checkpointed head is missing the node
signature. Reference the backfillOffChainHeadNodeSig function and its behavior
around head.Version and head.NodeSig when rewording.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nitronode/api/channel_v1/submit_state_test.go`:
- Around line 240-261: The test setup currently ignores errors returned from
core.NewChannelDefaultSigner for nodeSigner and userWalletSigner; update these
calls to capture the error values and fail the test on error (e.g., check err
and call t.Fatalf/t.Fatal or require.NoError) so setup failures are not
swallowed. Locate the two NewChannelDefaultSigner calls (assigning nodeSigner
and userWalletSigner) and replace the blank-identifier ignores with proper error
variables and assertions that abort the test if an error is returned.

In `@nitronode/event_handlers/service_test.go`:
- Around line 1433-1475: The test comment for
TestHandleHomeChannelClosed_OpenChannel_NoRescue is inaccurate: the code sets
channel.Status = core.ChannelStatusOpen and asserts that
SumUnsignedReceiverStateAmountsAfterVersion is not called, so this is an
Open→Closed happy-path test, not a "Finalize on Challenged" race; either update
the function comment to describe the Open→Closed scenario (referencing
TestHandleHomeChannelClosed_OpenChannel_NoRescue, channel.Status, and the mocked
calls: GetChannelByID, UpdateChannel, RefreshUserEnforcedBalance,
UpdateStateSigsIfMissing and the negative assertions on
SumUnsignedReceiverStateAmountsAfterVersion/StoreUserState/RecordTransaction),
or modify the test to exercise the Challenged→Finalize race by setting
channel.Status = core.ChannelStatusChallenged, stubbing
mockStore.SumUnsignedReceiverStateAmountsAfterVersion(channelID, closureVersion)
to return 0, and then keeping the same assertions that StoreUserState and
RecordTransaction are not called; pick one and make the corresponding change so
comment, setup, and assertions align.

In `@nitronode/event_handlers/service.go`:
- Around line 295-318: Clarify and harden issueChallengeRescueIfNeeded:
explicitly document/verify SumUnsignedReceiverStateAmountsAfterVersion's ">"
semantics so we don't silently exclude unsigned receiver states at version ==
closureVersion (add a comment and/or an explicit DB check that no unsigned
receiver-state rows exist with version == closureVersion if the protocol forbids
them), and add an assertion or explicit error check after retrieving prev with
GetLastStateByChannelID(channel.ChannelID, false) that prev.Version >
closureVersion (or return a clear error/log if not) before using prev as the
predecessor for core.NewChallengeRescueState to surface DB/invariant violations
early.

---

Nitpick comments:
In `@nitronode/event_handlers/service.go`:
- Around line 22-30: The doc comment for NewEventHandlerService currently says
nodeSigner and statePacker are used to backfill the node signature on the
checkpointed head state; update it to also state these dependencies are used to
construct the rescue path on HomeChannelClosed. Locate the
NewEventHandlerService constructor and the EventHandlerService type and expand
the comment to mention both responsibilities (checkpoint backfill and
rescue-path construction for HomeChannelClosed) and reference nodeSigner and
statePacker by name so future readers aren’t misled.
- Around line 152-174: Update the function comment for
backfillOffChainHeadNodeSig to clarify that the off-chain head can be equal to
event.StateVersion (not only greater), and explicitly document that when
head.Version equals the checkpointed on-chain state the function is a no-op if
head.NodeSig is already present; mention that the function will still sign the
row if the checkpointed head is missing the node signature. Reference the
backfillOffChainHeadNodeSig function and its behavior around head.Version and
head.NodeSig when rewording.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f3e5a54-b3a6-42c6-85ab-3f16330c5f7d

📥 Commits

Reviewing files that changed from the base of the PR and between 80af194 and aeb0a6f.

📒 Files selected for processing (26)

• contracts/SECURITY.md
• docs/api.yaml
• docs/protocol/enforcement.md
• nitronode/api/app_session_v1/handler.go
• nitronode/api/app_session_v1/interface.go
• nitronode/api/app_session_v1/submit_app_state_test.go
• nitronode/api/app_session_v1/testing.go
• nitronode/api/channel_v1/handler.go
• nitronode/api/channel_v1/interface.go
• nitronode/api/channel_v1/submit_state_test.go
• nitronode/api/channel_v1/testing.go
• nitronode/event_handlers/service.go
• nitronode/event_handlers/service_test.go
• nitronode/event_handlers/testing.go
• nitronode/main.go
• nitronode/store/database/channel.go
• nitronode/store/database/channel_test.go
• nitronode/store/database/db_store_test.go
• nitronode/store/database/interface.go
• nitronode/store/database/state.go
• pkg/blockchain/evm/channel_hub_reactor.go
• pkg/blockchain/evm/channel_hub_reactor_test.go
• pkg/core/interface.go
• pkg/core/types.go
• pkg/core/types_test.go
• protocol-description.md

[nksazonov]

Nice work! The three security remediations described in the added docs are all correctly implemented, well-tested, and match the spec. All findings below are informational.

[ihsraham]

I would hold approval for now. The receiver-state signing rule looks right in the steady state, but challenge enter/clear is not serialized with the receiver issuance path. That leaves a race where a receive/release RPC can make a node-signed state after the challenge is observed onchain but before the local DB status update is visible, which is enough to recreate the H-01 reset precondition.

[ihsraham]

[P1/blocking] This handler needs to take the same LockUserState(channel.UserWallet, channel.Asset) lock before mutating the channel to Challenged.

The receiver issuance paths already lock that row, then call CheckActiveChannel and may attach NodeSig when they still see Open. Without the same lock here, an in-flight transfer receive or app-session release can read Open, sign the receiver state, and commit after this challenge event, leaving a node-signed higher-version receiver state for a disputed channel.

I would make challenge entry use the same serialization pattern as HandleHomeChannelClosed: load the channel, lock the user/asset row, then update status/backfill signatures while still inside the transaction.

[philanton]

Yep, good catch — same race class as the one 24cdaff1 closed for HandleHomeChannelClosed. Fixed in 8d914687: LockUserState(channel.UserWallet, channel.Asset) acquired right after the nil/type guards, before any mutation. RPC paths block until the challenge event commits and then re-check Status via CheckActiveChannel.

Added TestHandleHomeChannelChallenged_AcquiresUserLockBeforeMutation to pin the ordering via a captured-flag guard on UpdateChannel)

[ihsraham]

[P2] Challenge clearance should also take the user-state lock before flipping back to Open and calling backfillOffChainHeadNodeSig.

Otherwise a receiver RPC can read Challenged, choose to store an unsigned receiver state, then this handler can backfill the old head and commit before that RPC stores a newer unsigned head. The channel is now open, but the latest local head remains unsigned.

One way to close this is to lock (channel.UserWallet, channel.Asset) before UpdateChannel and the backfill. Then the RPC either commits before the backfill and is included, or waits and sees Open and signs normally.

[philanton]

Yep, same fix applied to HandleHomeChannelCheckpointed in 8d914687. LockUserState goes in after the nil/type guards and before UpdateChannel + backfillOffChainHeadNodeSig, so an RPC that read Status=Challenged either commits its unsigned row before us (and the backfill picks it as the head) or blocks until we set Status=Open and then sees that via its own re-check.

Took the lock unconditionally rather than only on wasChallenged — the Open→Open path still mutates StateVersion and calls UpdateStateSigsIfMissing, and uniform pattern across the three handlers is easier to reason about. Added TestHandleHomeChannelCheckpointed_AcquiresUserLockBeforeMutation to pin the ordering)

[ihsraham]

Re-reviewed the latest head, the blocking race is addressed and focused checks pass.