fix(malachite): tighten proposal validation bounds#5514
Conversation
ukint-vs
changed the title
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request strengthens the security and stability of the Malachite validation path by enforcing resource constraints on injected transactions and proposal stream reassembly. Additionally, it updates the ethexe contracts to maintain compatibility with recent changes in vendored dependencies and helper APIs. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
ukint-vs
added
type: fix
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces several security and correctness improvements to the ethexe module. In ethexe/malachite/core/src/streaming.rs, it resolves a potential denial-of-service vulnerability (unbounded memory growth) by introducing per-peer and total stream limits (MAX_STREAMS_PER_PEER, MAX_STREAMS_TOTAL) and automatically evicting malformed far-future streams. In ethexe/malachite/service/src/externalities.rs, it adds participant-side validation to reject blocks that exceed cumulative injected transaction size limits or contain duplicate injected transactions. Additionally, minor updates were made to the Solidity contracts to use Memory.writeWord and Hashes.efficientKeccak256 directly, and subproject commits for forge-std and frost-secp256k1-evm were updated. No review comments were provided, so there is no feedback to filter.
ukint-vs
changed the title
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request enhances the security and robustness of the Malachite consensus engine in ethexe by introducing validator identities that bind Ethereum addresses to both secp256k1 public keys and libp2p peer IDs, allowing the engine to drop proposal parts from non-validator peers before buffering. Additionally, it implements strict resource limits on proposal streams (caps on stream messages, per-peer streams, and total streams with LRU eviction) to prevent denial-of-service attacks, and adds validation checks to reject blocks exceeding injected transaction size caps or containing duplicate transactions. There are no review comments, and I have no feedback to provide.
ukint-vs
force-pushed
the
vs/malachite-bounded-fixes
branch
from
e2a4765 to
d55ea36
Compare
ukint-vs
changed the title
1 participant
Addresses the bounded-memory proposal-validation portion of #5473.
Summary
Validator identity and peer-admission config was split to #5536.
Tests