fix(ledger): replace unsafe usize-to-u32 cast in utxos_info_from_output [PM-20208]#668
Merged
Placeholder commit to establish draft PR for tracked work on unsafe usize-to-u32 conversion in utxos_info_from_output. Ref: PM-20208 Co-authored-by: Cursor <cursoragent@cursor.com>
… in utxos_info_from_output Replace `output_no as u32` with `u32::try_from(output_no)?` to prevent silent truncation when output indices exceed u32::MAX. The function now returns Result<Vec<UtxoInfo>, TryFromIntError>, with callers in unshielded_utxos logging the error and returning a default value. Addresses Least Authority audit Issue AA (PM-20208). Co-authored-by: Cursor <cursoragent@cursor.com>
…onversion-utxos-info Co-authored-by: Cursor <cursoragent@cursor.com> # Conflicts: # ledger/src/versions/common/api/transaction.rs
Co-authored-by: Cursor <cursoragent@cursor.com>
justinfrevert approved these changes on Feb 23, 2026
gilescope pushed a commit that referenced this pull request on Apr 8, 2026:

added:
- `--multisig` switch executes tests with multi signature governance authority
changed:
- `smart-contracts` commands will automatically handle signing and submitting multisig tx based on the output it gets and tests configuration
removed:
- `get_pty=True` is removed from `run_command.py` because we no longer need it; ogmios logs are written on remote host without it (PCSC CLI wasn't)
- `test_multisig_governance.py` integration tests are removed, please run whole e2e suite with new `--multisig` switch

Refs: ETCM-9629
m2ux added a commit that referenced this pull request on Apr 23, 2026:

added:
- `--multisig` switch executes tests with multi signature governance authority
changed:
- `smart-contracts` commands will automatically handle signing and submitting multisig tx based on the output it gets and tests configuration
removed:
- `get_pty=True` is removed from `run_command.py` because we no longer need it; ogmios logs are written on remote host without it (PCSC CLI wasn't)
- `test_multisig_governance.py` integration tests are removed, please run whole e2e suite with new `--multisig` switch

Refs: ETCM-9629
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Summary

Replace the unsafe `usize` → `u32` narrowing cast in `utxos_info_from_output` with a checked `u32::try_from()` conversion to eliminate silent truncation and potential UTXO index corruption.

Motivation

The Least Authority audit (October 2025, Issue AA) identified an unchecked `as u32` cast in `utxos_info_from_output` (`ledger/src/versions/common/api/transaction.rs`). On 64-bit platforms, if `output_no` exceeds `u32::MAX`, the value is silently truncated via wrapping, producing an incorrect UTXO output index. While the practical likelihood is low (a transaction with >4B outputs is not expected), the defect violates correctness invariants and was flagged as High severity.

Changes

- `output_no as u32` → `u32::try_from(output_no)?` in `utxos_info_from_output`
- `Vec<UtxoInfo>` → `Result<Vec<UtxoInfo>, TryFromIntError>`
- `unshielded_utxos` handles the `Result` with `log::error!` + `return UnshieldedUtxos::default()`

Testing

- `cargo check -p midnight-node-ledger` passes
- `cargo clippy -p midnight-node-ledger --lib -- -D warnings` passes, no warnings
- `cargo fmt -- --check` passes
- `cargo test` blocked by pre-existing `hard_fork_test` compilation error (`extract_info_from_tx_with_context` import); unrelated to this change

📌 Submission Checklist

🔱 Fork Strategy
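The defect and the fix described in this PR, as an added stand-alone example that is not the ledger's own code: `Output`, `UtxoInfo`, `UnshieldedUtxos`, their fields, the `first_output_no` parameter and the use of `eprintln!` in place of `log::error!` are all assumptions made so the example runs without the midnight-node crates. The "unchecked" function keeps the wrapping `as u32` behaviour the audit flagged so the two forms can be compared on the same out-of-range index.

```rust
use std::num::TryFromIntError;

/// Constructed stand-in for a transaction output carrying several token balances.
/// The real ledger type is not reproduced here; this shape is an assumption.
#[derive(Debug, Clone)]
pub struct Output {
    pub balances: Vec<(String, u128)>,
}

/// Constructed stand-in for the ledger's `UtxoInfo` (field names are assumptions).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UtxoInfo {
    pub output_no: u32,
    pub token: String,
    pub value: u128,
}

/// Constructed stand-in for `UnshieldedUtxos`; only its `Default` value matters here.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct UnshieldedUtxos {
    pub utxos: Vec<UtxoInfo>,
}

/// The "before" shape: `as u32` is a wrapping narrowing cast. On a 64-bit target an
/// `output_no` of 4_294_967_296 becomes index 0, with no error and no panic.
/// Kept only to show the defect the PR removes; do not use this form.
pub fn utxos_info_from_output_unchecked(output_no: usize, output: &Output) -> Vec<UtxoInfo> {
    output
        .balances
        .iter()
        .map(|(token, value)| UtxoInfo {
            output_no: output_no as u32, // silent truncation above u32::MAX
            token: token.clone(),
            value: *value,
        })
        .collect()
}

/// The "after" shape: `u32::try_from` fails instead of wrapping, and `?` propagates
/// the `TryFromIntError` so the caller has to decide what to do with it.
pub fn utxos_info_from_output(
    output_no: usize,
    output: &Output,
) -> Result<Vec<UtxoInfo>, TryFromIntError> {
    let output_no = u32::try_from(output_no)?;
    Ok(output
        .balances
        .iter()
        .map(|(token, value)| UtxoInfo {
            output_no,
            token: token.clone(),
            value: *value,
        })
        .collect())
}

/// Caller pattern described in the PR: log the error and return the default value
/// rather than continuing with a corrupted index. `first_output_no` exists so the error
/// path can be exercised without building billions of outputs; it is an assumption of
/// this example, not the ledger's API. `eprintln!` stands in for `log::error!`.
pub fn unshielded_utxos(outputs: &[Output], first_output_no: usize) -> UnshieldedUtxos {
    let mut result = UnshieldedUtxos::default();
    for (offset, output) in outputs.iter().enumerate() {
        match utxos_info_from_output(first_output_no + offset, output) {
            Ok(infos) => result.utxos.extend(infos),
            Err(e) => {
                eprintln!("utxos_info_from_output: output index does not fit in u32: {e}");
                return UnshieldedUtxos::default();
            }
        }
    }
    result
}

fn main() {
    let out = Output {
        balances: vec![("NIGHT".to_string(), 7)],
    };
    // In range: both forms agree.
    println!("in range:  {:?}", utxos_info_from_output(3, &out));
    // Out of range on a 64-bit target: the cast wraps to 0, the checked form errors.
    let too_big = (u32::MAX as u64 + 1) as usize;
    println!("unchecked: {:?}", utxos_info_from_output_unchecked(too_big, &out));
    println!("checked:   {:?}", utxos_info_from_output(too_big, &out));
    println!("caller:    {:?}", unshielded_utxos(&[out.clone()], too_big));
}
```

The lint that catches this class of cast before an auditor does is `clippy::cast_possible_truncation` (in the `pedantic` group, so it is not on by default under `-D warnings`); enabling it for the ledger crate would flag any remaining `as u32` narrowing of a `usize`.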