Skip to content

4305: check all blocks in chain for txid#126

Merged
liam merged 3 commits into
bsv-blockchain:mainfrom
liam:feature/fixTxInOldBlock
Nov 6, 2025
Merged

4305: check all blocks in chain for txid#126
liam merged 3 commits into
bsv-blockchain:mainfrom
liam:feature/fixTxInOldBlock

Conversation

@liam

@liam liam commented Nov 6, 2025

Copy link
Copy Markdown
Collaborator

No description provided.

@liam liam requested a review from freemans13 November 6, 2025 11:59
@github-actions

github-actions Bot commented Nov 6, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

🤖 Claude Code Review

Status: Complete

Summary

This PR fixes a critical security vulnerability by ensuring duplicate transaction detection works across the entire blockchain history, not just a limited depth window. The change is correct and necessary.

Security Context:
The previous implementation only checked retention*2 blocks (~576 blocks with default settings) when detecting if a transaction was already mined on the chain. An attacker could exploit this by including duplicate transactions that were mined outside this window, which Bitcoin consensus rules prohibit.

Changes:

  • BlockValidation.go:854: Changed depth limit from retention*2 to math.MaxUint64 for full chain checking
  • Added comprehensive test case covering this scenario

Analysis

Implementation is correct:

  • The SQL implementation (GetBlockHeaderIDs.go:110-114) already has safeguards against excessive memory allocation, capping pre-allocation at 10K entries regardless of the requested depth
  • The recursive CTE query uses LIMIT $2 to constrain results, preventing runaway queries
  • Response caching minimizes performance impact for repeated queries

Test coverage is appropriate:

  • The new test simulates a transaction mined at block 1000 being duplicated in block 1600
  • Verifies the error message includes the conflicting block ID
  • Properly tests the security fix beyond the old retention window

No issues found - this is a well-designed security fix with proper safeguards already in place.

@liam liam merged commit ca4ccf0 into bsv-blockchain:main Nov 6, 2025
13 of 14 checks passed
icellan added a commit that referenced this pull request May 19, 2026
@icellan
test(blockassembly): inline empty TxInpoints in Block_test fixtures
bcd3f00 
go-subtree v1.4.0's NewTxInpoints() returns the zero value (nil
ParentTxHashes). Meta.Serialize rejects nil ParentTxHashes for
non-coinbase nodes, so createValidSubtreeMetadata and the two
inline-init sites in Block_test.go fail with "cannot serialize, parent
tx hashes are not set for node N" when constructing test fixtures.

Pre-v1.4.0 NewTxInpoints returned a cap-8 empty slice, so the same
code path worked. Replace those five sites with an explicit
TxInpoints{ParentTxHashes: []chainhash.Hash{}} literal — semantically
identical and unambiguous about the invariant the test relies on.

The proper fix is upstream — go-subtree PR #126 restores the non-nil
empty ParentTxHashes from NewTxInpoints. Once v1.4.1 lands these
literals can be reverted to NewTxInpoints() calls.
icellan added a commit that referenced this pull request May 19, 2026
@icellan
chore(deps): bump go-subtree v1.4.0 -> v1.4.1
0c9e282 
v1.4.1 lands the NewTxInpoints empty-but-non-nil ParentTxHashes fix
(go-subtree #126). With that in place the interim Block_test.go
workaround reverted in the previous commit is no longer needed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@freemans13 freemans13 freemans13 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@liam @freemans13