Merge release 2.2.2 into dev#5429
Draft
sacherjj wants to merge 122 commits into
Draft
Conversation
…redux Ta changes redux
…go_deb Correcting issue with cargo-deb install via fixed fork.
Assert that reward distribution updates the resolved new-key unbond, does not create a duplicate old-key unbond, and survives unbond processing after the delay.
Write validator rewards back to the resolved unbond record after a bid public key change, and assert the unbond is updated without creating a duplicate old-key record. Co-authored-by: Karan Dhareshwar <karan@casper.network> Co-authored-by: Jakub Zajkowski <ja.zajko@gmail.com>
…redux Fix issue in tracking validator bridge records
`verify_rejects_extra_approvals_hashes` and `verify_rejects_missing_approvals_hashes` in `storage/src/block_store/types/approvals_hashes.rs` exercise the `zip`-based deploy/transaction id construction. With extra supplied approvals hashes, `verify` currently returns Ok because the iterator silently truncates to the block transaction count, leaving the trailing hashes to slip into stored metadata. See `audit-confirmed-02-approvals-hashes-length-mismatch.md`.
Add `ensure_approvals_hashes_len` and call it at the entry of both `deploy_ids` and `transaction_ids`, plus a new `ApprovalsHashesLengthMismatch` error variant. This makes peer-supplied ApprovalsHashes with extra or missing entries fail validation up front instead of being silently truncated by `zip` and stored, which would later stall executable-block construction. See `audit-confirmed-02-approvals-hashes-length-mismatch.md`; regression in 6bfc3c3.
`rejects_nested_sync_response_signed_message_from_wrong_instance` and `rejects_nested_sync_response_evidence_from_wrong_instance` in `node/src/components/consensus/protocols/zug/tests.rs` wrap a wrong- instance signed Zug message inside a current-instance `SyncResponse` and check that the peer is disconnected without mutating the current round's vote/fault state. Without the fix, the signed message is accepted (the evidence variant even drives `FttExceeded`). See `audit-confirmed-03-zug-nested-instance-replay.md`.
Reject nested `SignedMessage`s and evidence carried in a `SyncResponse` unless their `instance_id` matches the current consensus instance, in both `handle_signed_message` and `handle_evidence`. Without this guard a peer can wrap signatures from a different consensus instance inside a current-instance `SyncResponse` and have them inserted as current-round votes/echoes/evidence, in the worst case driving `FttExceeded`. See `audit-confirmed-03-zug-nested-instance-replay.md`; regression in bf9ad4d.
…tall `make_executable_block_applies_finalized_approvals` in `node/src/components/storage/tests.rs` stores a transaction with one approval set, a `TransactionFinalizedApprovals` entry with a different set, and an `ApprovalsHashes` row computed from the finalized set, then calls `make_executable_block`. Without the fix `make_executable_block` pushes the original (non-finalized) transaction into the executable list, the block-level approvals-hash check fails, and it returns Ok(None) - stalling executable-block construction. See `audit-confirmed-81-storage-finalized-approvals-executable-block-stall.md`.
`read_block_and_finalized_transactions_by_hash` now overlays any stored `TransactionFinalizedApprovals` onto the original transaction via `Transaction::with_approvals` before pushing it into the executable transaction list. Without this overlay the block-level `ApprovalsHashes` check compares the finalized approvals hash against the original stored transaction's hash, fails, and stalls `make_executable_block` with Ok(None) for any node that saw the transaction earlier with a different approval set. See `audit-confirmed-81-storage-finalized-approvals-executable-block-stall.md`; regression in 38dc71c.
`system_key_rewards_must_not_mint_sustain_share` in `execution_engine_testing/tests/src/test/system_contracts/auction/distribute.rs` sets up a sustain-enabled era, then calls `distribute_with_rewards_handling` with a rewards map containing only `PublicKey::System`. Without the fix the sustain purse is credited (and total supply increased) by the sustain share of the system-key amount, even though the per-validator processing later filters `PublicKey::System` out and pays no validator reward. See `audit-confirmed-123-contract-runtime-system-reward-mints-sustain-share.md`.
`Auction::distribute` now skips `PublicKey::System` when computing the `total` reward used for the sustain-share calculation, matching the existing filter applied to per-validator reward processing. Without this fix a rewards map containing only `PublicKey::System` mints a sustain share (and increases total supply) even though no validator or delegator reward is distributed. See `audit-confirmed-123-contract-runtime-system-reward-mints-sustain-share.md`; regression in 0cf0b4d.
…udit-items Resolving audit items
…ate a MetaTransaction based from a VM2 targetting Transaction in an environment where vm2 is disabled
…call vm1 contract. Removed the possibility of gossiping a chainspec-violating gas_price_tolerance in a transaction
…vm2_transaction_smuggling_via_bogus_proposal Changing the MetaTransaction code so that it fails when trying to cre…
…it-out Use transaction acceptor when fetching proposed transactions
…on-update Updating versions for crates using updated casper-types.
Updating network config for release.
…ase-2.2.2-into-dev Silent merge conflicts with: node/src/testing/fake_transaction_acceptor.rs node/src/reactor/main_reactor/tests/transactions.rs 5 tests failing. # Conflicts: # .github/workflows/casper-node.yml # Makefile # execution_engine_testing/tests/src/test/regression/mod.rs # node/src/components/contract_runtime/operations.rs # node/src/components/storage/tests.rs # node/src/reactor/main_reactor/event.rs # node/src/reactor/main_reactor/tests/fixture.rs # node/src/types/transaction/meta_transaction.rs # node/src/types/transaction/meta_transaction/meta_transaction_v1.rs # node/src/utils/specimen.rs
…egraph. Bumped crossbeam-epoch and pprof for other audit issues.
EdHastingsCasperAssociation
approved these changes
Jul 17, 2026
Collaborator
|
preemptive approval so you are unblocked to merge when the ci issues are ironed out. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
meta_transaction had dev refactor of TransactionLaneDefinition to new constructor and deprecating public fields and 2.2.2 from_transaction to &Chainspec. Want another set of eyes to look this over.
node/src/testing/fake_transaction_acceptor.rs and node/src/reactor/main_reactor/tests/transactions.rs silently merge conflicted with renames and matching arms that needed synced.