fix: reorder UtxoOwners writes to prevent inconsistent persistence (PM-20218)#762
Merged
Audit finding Issue I: UtxoOwners persist inconsistently in handle_create and handle_redemption_create. Co-authored-by: Cursor <cursoragent@cursor.com>
f3b30e0 to 7317eed
…truction failure Add negative test for handle_create: when construct_cnight_generates_dust_event fails due to an invalid DustPublicKey (bytes exceeding Fr field modulus), UtxoOwners storage must not be written and no SystemTransactionApplied event should be emitted. Ref: PM-20218 Made-with: Cursor
Made-with: Cursor
…rs-inconsistent-persistence Made-with: Cursor # Conflicts: # pallets/cnight-observation/tests/tests.rs
…nge file Add test verifying that AssetSpend for a UTXO without prior AssetCreate does not emit a Destroy event. Add change file for audit test coverage. Made-with: Cursor
gilescope reviewed Feb 28, 2026
Signed-off-by: Giles Cope <gilescope@gmail.com>
gilescope approved these changes Feb 28, 2026
gilescope pushed a commit that referenced this pull request Apr 8, 2026
m2ux added a commit that referenced this pull request Apr 23, 2026
Signed-off-by: Mike Clay <mike.clay@shielded.io>
m2ux added a commit that referenced this pull request Apr 23, 2026
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Summary
Add test coverage for UtxoOwners persistence guards in the cNight observation pallet, verifying both the event construction failure path and the spend-without-create guard. Addresses audit finding Issue I (PM-20218).
🎫 Ticket 📐 Engineering
Motivation
The Least Authority audit (Issue I, High severity) identified that `handle_create` wrote to `UtxoOwners` before event construction, leaving orphaned entries on failure. PR #757 fixed the operation ordering so that `UtxoOwners::insert` only occurs after successful event construction. However, no tests exercised the failure paths to confirm the fix's correctness or the existing spend guard's behavior.

This PR adds two negative test cases covering:

- …`DustPublicKey`) does not leave orphaned `UtxoOwners` entries

Changes

- `handle_create_does_not_write_utxo_owners_on_event_construction_failure` registers a wallet with invalid `DustPublicKeyBytes` (`[0xFF; 32]`), submits an `AssetCreate`, and verifies no `UtxoOwners` entry is written and no `SystemTransactionApplied` event is emitted
- `asset_spend_without_create_should_not_emit_destroy_event` registers a valid wallet, submits an `AssetSpend` for a UTXO that was never created, and verifies no Destroy event is emitted
- `changes/changed/audit-utxoowners-test-coverage.md`

📌 Submission Checklist
🔱 Fork Strategy
🗹 TODO before merging
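The write-ordering problem described in the Motivation section, and the two guards the new tests cover, reduced to a small self-contained model. This is an added illustration, not code from the cnight-observation pallet or from PR #757: storage is a plain `HashMap` standing in for `UtxoOwners` with no automatic rollback on error (the assumption under which write ordering matters), `construct_event` is a hypothetical stand-in for the dust event construction step, and the all-`0xFF` key is used as the invalid-key trigger only because the PR's negative test uses `[0xFF; 32]`. The "before" handler writes storage first and leaves an orphaned entry when event construction fails; the "after" handler performs every fallible step before any write.

```rust
// Added example (not the pallet's code). Models UtxoOwners as a map with no
// rollback, so the order of "fallible step" vs. "storage write" is observable.
use std::collections::HashMap;

type UtxoId = u64;
type Owner = [u8; 32];

#[derive(Debug, Default)]
struct State {
    /// Stand-in for the UtxoOwners storage map.
    utxo_owners: HashMap<UtxoId, Owner>,
    /// Stand-in for emitted runtime events.
    events: Vec<String>,
}

#[derive(Debug, PartialEq)]
enum Error {
    InvalidKey,
}

/// Hypothetical fallible event construction: rejects an all-0xFF owner key
/// (mirrors the PR's negative test, which uses `[0xFF; 32]` as an invalid key).
fn construct_event(utxo: UtxoId, owner: &Owner) -> Result<String, Error> {
    if owner.iter().all(|b| *b == 0xFF) {
        return Err(Error::InvalidKey);
    }
    Ok(format!("SystemTransactionApplied(create {utxo})"))
}

/// Pre-fix ordering: storage is written before the fallible step, so an early
/// return leaves an owner entry with no corresponding event.
fn handle_create_before(s: &mut State, utxo: UtxoId, owner: Owner) -> Result<(), Error> {
    s.utxo_owners.insert(utxo, owner);
    let ev = construct_event(utxo, &owner)?;
    s.events.push(ev);
    Ok(())
}

/// Post-fix ordering: every fallible step completes before any write, so a
/// failure leaves storage untouched and emits nothing.
fn handle_create_after(s: &mut State, utxo: UtxoId, owner: Owner) -> Result<(), Error> {
    let ev = construct_event(utxo, &owner)?;
    s.utxo_owners.insert(utxo, owner);
    s.events.push(ev);
    Ok(())
}

/// Spend guard: a Destroy event is only emitted if a prior create recorded an
/// owner for this UTXO. Returns whether a Destroy was emitted.
fn handle_spend(s: &mut State, utxo: UtxoId) -> bool {
    match s.utxo_owners.remove(&utxo) {
        Some(_) => {
            s.events.push(format!("Destroy({utxo})"));
            true
        }
        None => false,
    }
}

/// Runs the failing create through both orderings and returns the number of
/// orphaned UtxoOwners entries left behind by (before, after).
fn orphan_count_on_failure() -> (usize, usize) {
    let bad_key = [0xFFu8; 32];

    let mut before = State::default();
    let _ = handle_create_before(&mut before, 1, bad_key);

    let mut after = State::default();
    let _ = handle_create_after(&mut after, 1, bad_key);

    (before.utxo_owners.len(), after.utxo_owners.len())
}

fn main() {
    let (before, after) = orphan_count_on_failure();
    println!("orphaned entries: before fix = {before}, after fix = {after}");
}
```

The useful property to assert in a test is exactly the one the PR's negative cases check: after a failed create, the owner map is empty and no event was emitted; and a spend of a never-created UTXO returns without emitting Destroy.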