[equiv-check · DO NOT MERGE] testnet/donut ≡ main (0 files changed)#278
Closed
0xNilesh wants to merge 59 commits into
Closed
[equiv-check · DO NOT MERGE] testnet/donut ≡ main (0 files changed)#2780xNilesh wants to merge 59 commits into
0xNilesh wants to merge 59 commits into
Conversation
* add: timeouts to server * refactor: harden health to accept only get req
* feat: updated READMEs of core validator and specific modules * feat: updated READMEs of core validator and specific modules
…) and MarkBallotFinalized() (#217)
* fix: Arbitrary memory allocation at UniversalClient * fix: decodepayload validation
…an Aggregation * feat: added min val required as 2 for first chain oracle vote * tests: updated tests for chain meta first vote changes * feat: updated min validator votes requird for first chain meta value to 3 instead of 2
Mirrors release.yml for the puniversald binary. Triggers on tags matching puniversald/v* (independent from chain releases on v*) and supports manual dispatch. Builds linux/amd64, linux/arm64, and darwin/arm64 with Apple signing + notarization.
puniversald links libgodkls (via universalClient/tss/dkls) but the workspace-root cargo build skips the go-dkls crate. Mirror the Linux build by entering wrapper/go-dkls and adding the hd-migration path patch so the local garbling tree is used (no GitHub auth in cargo).
cd-ing into wrapper/go-dkls picks up a .cargo/config.toml that injects `-Wl,-soname=...` (Linux-only ld flag) into every link command — including build-script compiles — failing on macOS. Use `cargo build -p go-dkls --release` from dkls23-rs root so the wrapper config stays out of scope.
Drop the branch, commit_id, and compare_from inputs from both pchaind and puniversald release workflows. The dispatch form now shows just the version tag and pre-release toggle alongside the built-in 'Use workflow from' branch dropdown. Removed the resolve-ref steps (checkout uses github.ref by default) and dropped commit_id plumbing from the tag-creation step (tags HEAD of the dispatched branch). Changelog still auto-detects the prior tag.
Companion to the previous dispatch-UI simplification. Removed the COMMIT_REF plumbing but missed the git tag -a line that still referenced the now-undefined variable, breaking workflow_dispatch.
Each pchaind release now publishes a ready-to-paste JSON payload matching the format expected by `--upgrade-info` on a software-upgrade governance proposal. URLs are constructed from the actual release tag and the existing .sha256 companion files (single source of truth for checksums), covering linux/amd64, linux/arm64, and darwin/arm64.
…udit-fixes ci: cherry-pick release pipeline improvements
…224) * add: opts in svm rpc client * add: pagination in GetSignaturesForAddress, fix: slot sig order issue * chore: tc
* feat: remove default admin addresses from modules * feat: added modules admin in testnet genesis creation script * tests: added default admin integration tests * tests: added default admin integration tests * fix: fixed interchain gh workflow e2e tests * fix: fixed interchain gh workflow e2e tests * fix: fixed interchain gh workflow e2e tests
* remove: initial config log * fix: remove logging rpc url in pushcore * refactor: pushsigner logger * refactor: core logs, remove unnecessary info logs * fix: common chain logs * fix: push client logs * fix: chains log refactor * fix: tss logs
* add: MaxFrameSize to p2p network * refactor: move coordinator check up so malicious peer req are rejected sooner * chore: fix tc
… chain client is not attached
…ecution success * add: evm event confirmation check receipt status * add: svm tx confirmation check err status * chore: tc
…RPC fails * add: cache with staleness * chore: tc
…r ASCII hex, not the raw message
… code hash as a deployed contract (#237)
… block height expiry
…e endpoint under concurrent load
…alidation and in the handler (#242)
… in validation and logging (#244)
…etTokenConfigByPRC20 (#245)
…due to hardcoded GasLimit and missing L1GasFeeBuffer * F-2026-16961 | dynamic gas limit in fund migration Brings PR #206 (pushchain/push-chain-node) onto audit-fixes for audit review. App-level upgrade handler is intentionally omitted — audit-fixes is not deployed, so Upgrades stays empty. - utss FundMigration proto: add l1_gas_fee (field 13) - utss ConsensusVersion 1 -> 4 with v1->v2, v2->v3, v3->v4 migrations (v4 backfills l1_gas_fee = "0" for pre-existing records) - x/utss msg_initiate_fund_migration: source gas_limit and l1_gas_fee from UniversalCore tssFundMigrationGasLimitByChainNamespace and l1GasFeeByChainNamespace mappings at call time - universalClient EVM tx_builder, sessionmanager, coordinator, txbroadcaster: broadcast fund migration with dynamic gas limit - push event_parser: include l1_gas_fee in FundMigration event * fix: removed migrations added for testnet * tests: fixed unit tests --------- Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
…st retry storm after peer already migrated funds * F-2026-16962 | fund migration vote races on balance re-query Brings PR #209 (pushchain/push-chain-node) onto audit-fixes for audit review. The migration sweep amount is computed at signing time from the old vault's balance, but the broadcast path was re-querying the balance — racing with another validator's successful sweep would produce a different sweep amount and a different signed tx hash. - UnsignedSigningReq: add TSSFundMigrationAmount carried alongside Nonce from signing to broadcast (both are signing-time-decided values that must reach broadcast unchanged) - EVM tx_builder: store maxTransfer in the signing request; broadcast reuses it verbatim instead of recomputing - sessionmanager: persist and forward TSSFundMigrationAmount through the signing session - txbroadcaster: pass the stored amount to the broadcast call * add: tc
* refactor: return last error * remove: best effort approach * fix: tx builder * feat: add rent reclaimer for orphan pdas * revert: rpc fn * fix: lazy handling in tx builder * fix: add temp retires approach in svm * skip svm chains in coordinator to prevent slowness from svm retires * fix: orphan pda closure * fix: txBuilder ref finalize account write status * fix: tc * fix: storeRefundRecipient
… way to differentiate invalid signature vs transient simulation failure * feat: added tss signing deadline in chainConfig and pendingOutboundEntry * tests: added tests for deadline changes * feat: added signingDeadline in OutboundCreated event * fix: parse signatureDeadline * fix: tx builder tss msg creation * add: check for queryTime * fix: add deadline check in broadcast * fix: handle deadline = 0 , legacy tx * fix: svm revert logic * fix: tc * fix: simulation tc * chore: fix tc --------- Co-authored-by: aman035 <guptaaman200115@gmail.com>
…Tx not found” as reverted * feat: added tss signing deadline in chainConfig and pendingOutboundEntry * tests: added tests for deadline changes * feat: added signingDeadline in OutboundCreated event * fix: parse signatureDeadline * fix: tx builder tss msg creation * add: check for queryTime * fix: add deadline check in broadcast * fix: handle deadline = 0 , legacy tx * fix: svm revert logic * fix: tc * fix: simulation tc * fix: evm revert logic when tx is not found * fix: log binding * remove unused fn * chore: tc * fix: nonce handling + refactor --------- Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
… ID collides when a single source tx contains multiple Inbounds
…going-TSS guard used elsewhere (#258)
…m and can deadlock finalization (#259) * feat: narrowed eligible voters to only return the validators that are bonded * feat: added automatic staking hooks to handle bonding/unbonding of UVs * feat: added MsgRecomputeBallotQuorum for adjusting a ballot quorum and MsgRevertStuckInbound for reverting a stuck inbound when its ballot has been expired as an escape hatch
…ts when precomputed UEA is pre-funded but not deployed (#260) * feat: MsgExecutePayload deploys UEA if UEA address has non-zero balance * tests: added integration tests for UEA deployment edge case in MsgExecutePayload
#219) * feat: added proto changes for pendingInbounds and expiredInbounds * refactor: added generated protobuf * feat: added ballot hooks and updated changes for pendingInbounds and pendingOutbounds * tests: added integration tests for pendingInbounds proto changes * docs: added pendingInbounds and pendingOutbounds lifecycle in README * test: assert signing_deadline + variants coexist on PendingOutboundEntry Guards the F-2026-16642 <- audit-fixes merge resolution where both branches claimed proto field 4 on PendingOutboundEntry. signing_deadline kept field 4 (deployed on testnet); the per-variant audit trail moved to field 5. This test seeds an entry with a signing deadline, records outbound votes, and asserts both fields survive the RecordOutboundVote read-modify-write.
…tuck due to architecture (failure visibility limited to signer set) * feat: added tss signing deadline in chainConfig and pendingOutboundEntry * tests: added tests for deadline changes * feat: added signingDeadline in OutboundCreated event * fix: parse signatureDeadline * fix: tx builder tss msg creation * add: check for queryTime * fix: add deadline check in broadcast * fix: handle deadline = 0 , legacy tx * fix: svm revert logic * fix: tc * fix: simulation tc * fix: evm revert logic when tx is not found * fix: log binding * remove unused fn * chore: tc * fix: nonce handling + refactor * route internal messages via sessionManager * fix: log level * remove: deprecated doc * chore: fix formating * fix: allow balance to be added to query for verification and avoiding query * feat: add ack with sig & coordinator verification * fix: msgHandler validation * fix: add broadcasting and handling to increase set * minor error logs + tc * persist signature * mark found tx as braodcasted --------- Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
…EVERT based on push chain state, not observed chain state and can result into false voting * feat: added tss signing deadline in chainConfig and pendingOutboundEntry * tests: added tests for deadline changes * feat: added signingDeadline in OutboundCreated event * fix: parse signatureDeadline * fix: tx builder tss msg creation * add: check for queryTime * fix: add deadline check in broadcast * fix: handle deadline = 0 , legacy tx * fix: svm revert logic * fix: tc * fix: simulation tc * fix: evm revert logic when tx is not found * fix: log binding * remove unused fn * chore: tc * fix: nonce handling + refactor * route internal messages via sessionManager * fix: log level * remove: deprecated doc * chore: fix formating * fix: allow balance to be added to query for verification and avoiding query * feat: add ack with sig & coordinator verification * fix: msgHandler validation * fix: add broadcasting and handling to increase set * minor error logs + tc * change to hard delete * fix: attach eventCleaners to external chains * removed artifical expiry and fixed sweeper * fix: event cleaner closing * fix: tc --------- Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
* feat(utils): per-namespace canonicalization helpers for keys Shared canonical string forms for ballot/storage keys, keyed by CAIP-2 namespace: eip155 addresses -> EIP-55, eip155 hashes -> 0x-lowercase, solana -> base58 preserved (case-significant) / hex lowercased, other -> trimmed. Strict variants reject malformed input; lenient variants fall back to trimmed input on the vote-ingress path that must never drop a vote. Foundation for the ballot-key and token-key canonicalization fixes. * fix(uregistry): canonicalize token addresses in storage keys [F-2026-17022] GetTokenConfigsStorageKey canonicalizes the address per CAIP-2 namespace (EIP-55 for eip155), making the storage key the single canonical chokepoint for add/update/remove/get. The PRC20 reverse index moves from lowercase to EIP-55 and GetTokenConfigByPRC20 canonicalizes its query identically. TokenConfig/NativeRepresentation ValidateBasic enforce parseable addresses, so case-variant duplicate registrations collide on the canonical key and are rejected. * fix(utss): canonicalize fund-migration txHash before ballot key [F-2026-17041] VoteFundMigration canonicalizes the observed txHash against the migration's chain namespace before deriving the ballot key, so equivalent hash encodings from different validators aggregate on one ballot instead of fragmenting. Adds MsgVoteFundMigration.ValidateBasic. * fix(uexecutor): canonical voting digests for inbound/outbound ballots [F-2026-16039, F-2026-16632] Replace full-proto-Marshal ballot identity with explicit injective digests (hashFields: sha256 over per-field sha256 hex digests joined by ':'), domain-separated via collections prefixes so inbound vs outbound keys stay disjoint in the shared Ballots map. The inbound digest covers every execution-relevant field except universal_payload (recomputed on-chain from raw_payload); the outbound digest covers all observation fields. Inbound fields are canonicalized at vote / admin-revert ingress and the key functions self-canonicalize, so stored state, UTX keys and registry lookups all converge on one representation per logical event. Because the digests are one-way, the ballot terminal hook now locates the audit-trail entry by scanning PendingInbounds for the ballot id instead of decoding the inbound back out of the id. Existing test assertions updated for the canonical (EIP-55 / lowercase-hash) stored forms. * feat(uexecutor): InboundKeys and OutboundBallotKey queries Let off-chain validators read the canonical UTX id + ballot ids from the chain rather than re-implementing the canonicalization/digest rules. InboundKeys(inbound) returns utx_id, ballot_id and the canonical inbound; OutboundBallotKey(utx_id, outbound_id, observed_tx) looks up the outbound's destination chain to canonicalize the observed hash, then returns the ballot id and canonical observation. Includes generated proto.
…tuck due to architecture (failure visibility limited to signer set) * fix: inprogress settlement * fix: solana tx resolving
* feat: added changes in core validator as per contract audit changes * docs(uregistry): drop 0xCA special-case comments (normal reserved slot) * chore(usigverifier): drop legacy 0xCA address from .sol + READMEs (precompile is 0xEC..01 only)
Makes the Push-origin UTX id robust by contract (mirrors GetInboundUniversalTxKey, normalizes case/0x); no behavior change for real EVM receipt hashes. Adds Pc UTX key tests.
# Conflicts: # audits/Hacken_Push Chain_[L1] Push Chain _ Blockchain Audit _ Apr2026_P-2025-1758_6_20260629 17_10.pdf
Member
Author
|
Equivalence-check PR — served its purpose (0-file proof recorded). Closing; branch retained. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Equivalence check only — do not merge.
testnet/donut=develop+git revert -m 1of the merge (relative to parent 1 = main) → tree back tomain. main is an ancestor → three-dot diff = tip-to-tip → 0 files changed.tree SHA == main =
1f99f27d….(Supersedes #277, auto-closed when
testnet-donutwas renamed totestnet/donut.)