Skip to content

[equiv-check · DO NOT MERGE] testnet/donut ≡ main (0 files changed)#278

Closed
0xNilesh wants to merge 59 commits into
mainfrom
testnet/donut
Closed

[equiv-check · DO NOT MERGE] testnet/donut ≡ main (0 files changed)#278
0xNilesh wants to merge 59 commits into
mainfrom
testnet/donut

Conversation

@0xNilesh

@0xNilesh 0xNilesh commented Jul 9, 2026

Copy link
Copy Markdown
Member

Equivalence check only — do not merge.

testnet/donut = develop + git revert -m 1 of the merge (relative to parent 1 = main) → tree back to main. main is an ancestor → three-dot diff = tip-to-tip → 0 files changed.

tree SHA == main = 1f99f27d….

(Supersedes #277, auto-closed when testnet-donut was renamed to testnet/donut.)

0xNilesh and others added 30 commits April 2, 2026 20:39
* add: timeouts to server

* refactor: harden health to accept only get req
* feat: updated READMEs of core validator and specific modules

* feat: updated READMEs of core validator and specific modules
* fix: Arbitrary memory allocation at UniversalClient

* fix: decodepayload validation
…an Aggregation

* feat: added min val required as 2 for first chain oracle vote

* tests: updated tests for chain meta first vote changes

* feat: updated min validator votes requird for first chain meta value to 3 instead of 2
Mirrors release.yml for the puniversald binary. Triggers on tags
matching puniversald/v* (independent from chain releases on v*) and
supports manual dispatch. Builds linux/amd64, linux/arm64, and
darwin/arm64 with Apple signing + notarization.
puniversald links libgodkls (via universalClient/tss/dkls) but the
workspace-root cargo build skips the go-dkls crate. Mirror the Linux
build by entering wrapper/go-dkls and adding the hd-migration path
patch so the local garbling tree is used (no GitHub auth in cargo).
cd-ing into wrapper/go-dkls picks up a .cargo/config.toml that
injects `-Wl,-soname=...` (Linux-only ld flag) into every link
command — including build-script compiles — failing on macOS.
Use `cargo build -p go-dkls --release` from dkls23-rs root so the
wrapper config stays out of scope.
Drop the branch, commit_id, and compare_from inputs from both
pchaind and puniversald release workflows. The dispatch form now
shows just the version tag and pre-release toggle alongside the
built-in 'Use workflow from' branch dropdown.

Removed the resolve-ref steps (checkout uses github.ref by default)
and dropped commit_id plumbing from the tag-creation step (tags
HEAD of the dispatched branch). Changelog still auto-detects the
prior tag.
Companion to the previous dispatch-UI simplification. Removed the
COMMIT_REF plumbing but missed the git tag -a line that still
referenced the now-undefined variable, breaking workflow_dispatch.
Each pchaind release now publishes a ready-to-paste JSON payload
matching the format expected by `--upgrade-info` on a software-upgrade
governance proposal. URLs are constructed from the actual release tag
and the existing .sha256 companion files (single source of truth for
checksums), covering linux/amd64, linux/arm64, and darwin/arm64.
…udit-fixes

ci: cherry-pick release pipeline improvements
…224)

* add: opts in svm rpc client

* add: pagination in GetSignaturesForAddress, fix: slot sig order issue

* chore: tc
* feat: remove default admin addresses from modules

* feat: added modules admin in testnet genesis creation script

* tests: added default admin integration tests

* tests: added default admin integration tests

* fix: fixed interchain gh workflow e2e tests

* fix: fixed interchain gh workflow e2e tests

* fix: fixed interchain gh workflow e2e tests
* remove: initial config log

* fix: remove logging rpc url in pushcore

* refactor: pushsigner logger

* refactor: core logs, remove unnecessary info logs

* fix: common chain logs

* fix: push client logs

* fix: chains log refactor

* fix: tss logs
* add: MaxFrameSize to p2p network

* refactor: move coordinator check up so malicious peer req are rejected sooner

* chore: fix tc
…ecution success

* add: evm event confirmation check receipt status

* add: svm tx confirmation check err status

* chore: tc
…RPC fails

* add: cache with staleness

* chore: tc
0xNilesh and others added 28 commits May 21, 2026 11:37
…due to hardcoded GasLimit and missing L1GasFeeBuffer

* F-2026-16961 | dynamic gas limit in fund migration

Brings PR #206 (pushchain/push-chain-node) onto audit-fixes for audit
review. App-level upgrade handler is intentionally omitted —
audit-fixes is not deployed, so Upgrades stays empty.

- utss FundMigration proto: add l1_gas_fee (field 13)
- utss ConsensusVersion 1 -> 4 with v1->v2, v2->v3, v3->v4 migrations
  (v4 backfills l1_gas_fee = "0" for pre-existing records)
- x/utss msg_initiate_fund_migration: source gas_limit and l1_gas_fee
  from UniversalCore tssFundMigrationGasLimitByChainNamespace and
  l1GasFeeByChainNamespace mappings at call time
- universalClient EVM tx_builder, sessionmanager, coordinator,
  txbroadcaster: broadcast fund migration with dynamic gas limit
- push event_parser: include l1_gas_fee in FundMigration event

* fix: removed migrations added for testnet

* tests: fixed unit tests

---------

Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
…st retry storm after peer already migrated funds

* F-2026-16962 | fund migration vote races on balance re-query

Brings PR #209 (pushchain/push-chain-node) onto audit-fixes for audit
review.

The migration sweep amount is computed at signing time from the old
vault's balance, but the broadcast path was re-querying the balance —
racing with another validator's successful sweep would produce a
different sweep amount and a different signed tx hash.

- UnsignedSigningReq: add TSSFundMigrationAmount carried alongside Nonce
  from signing to broadcast (both are signing-time-decided values that
  must reach broadcast unchanged)
- EVM tx_builder: store maxTransfer in the signing request; broadcast
  reuses it verbatim instead of recomputing
- sessionmanager: persist and forward TSSFundMigrationAmount through
  the signing session
- txbroadcaster: pass the stored amount to the broadcast call

* add: tc
* refactor: return last error

* remove: best effort approach

* fix: tx builder

* feat: add rent reclaimer for orphan pdas

* revert: rpc fn

* fix: lazy handling in tx builder

* fix: add temp retires approach in svm

* skip svm chains in coordinator to prevent slowness from svm retires

* fix: orphan pda closure

* fix: txBuilder ref finalize account write status

* fix: tc

* fix: storeRefundRecipient
… way to differentiate invalid signature vs transient simulation failure

* feat: added tss signing deadline in chainConfig and pendingOutboundEntry

* tests: added tests for deadline changes

* feat: added signingDeadline in OutboundCreated event

* fix: parse signatureDeadline

* fix: tx builder tss msg creation

* add: check for queryTime

* fix: add deadline check in broadcast

* fix: handle deadline = 0 , legacy tx

* fix: svm revert logic

* fix: tc

* fix: simulation tc

* chore: fix tc

---------

Co-authored-by: aman035 <guptaaman200115@gmail.com>
…Tx not found” as reverted

* feat: added tss signing deadline in chainConfig and pendingOutboundEntry

* tests: added tests for deadline changes

* feat: added signingDeadline in OutboundCreated event

* fix: parse signatureDeadline

* fix: tx builder tss msg creation

* add: check for queryTime

* fix: add deadline check in broadcast

* fix: handle deadline = 0 , legacy tx

* fix: svm revert logic

* fix: tc

* fix: simulation tc

* fix: evm revert logic when tx is not found

* fix: log binding

* remove unused fn

* chore: tc

* fix: nonce handling + refactor

---------

Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
… ID collides when a single source tx contains multiple Inbounds
…m and can deadlock finalization (#259)

* feat: narrowed eligible voters to only return the validators that are bonded

* feat: added automatic staking hooks to handle bonding/unbonding of UVs

* feat: added MsgRecomputeBallotQuorum for adjusting a ballot quorum and MsgRevertStuckInbound for reverting a stuck inbound when its ballot has been expired as an escape hatch
…ts when precomputed UEA is pre-funded but not deployed (#260)

* feat: MsgExecutePayload deploys UEA if UEA address has non-zero balance

* tests: added integration tests for UEA deployment edge case in MsgExecutePayload
#219)

* feat: added proto changes for pendingInbounds and expiredInbounds

* refactor: added generated protobuf

* feat: added ballot hooks and updated changes for pendingInbounds and pendingOutbounds

* tests: added integration tests for pendingInbounds proto changes

* docs: added pendingInbounds and pendingOutbounds lifecycle in README

* test: assert signing_deadline + variants coexist on PendingOutboundEntry

Guards the F-2026-16642 <- audit-fixes merge resolution where both branches
claimed proto field 4 on PendingOutboundEntry. signing_deadline kept field 4
(deployed on testnet); the per-variant audit trail moved to field 5. This test
seeds an entry with a signing deadline, records outbound votes, and asserts
both fields survive the RecordOutboundVote read-modify-write.
…tuck due to architecture (failure visibility limited to signer set)

* feat: added tss signing deadline in chainConfig and pendingOutboundEntry

* tests: added tests for deadline changes

* feat: added signingDeadline in OutboundCreated event

* fix: parse signatureDeadline

* fix: tx builder tss msg creation

* add: check for queryTime

* fix: add deadline check in broadcast

* fix: handle deadline = 0 , legacy tx

* fix: svm revert logic

* fix: tc

* fix: simulation tc

* fix: evm revert logic when tx is not found

* fix: log binding

* remove unused fn

* chore: tc

* fix: nonce handling + refactor

* route internal messages via sessionManager

* fix: log level

* remove: deprecated doc

* chore: fix formating

* fix: allow balance to be added to query for verification and avoiding query

* feat: add ack with sig & coordinator verification

* fix: msgHandler validation

* fix: add broadcasting and handling to increase set

* minor error logs + tc

* persist signature

* mark found tx as braodcasted

---------

Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
…EVERT based on push chain state, not observed chain state and can result into false voting

* feat: added tss signing deadline in chainConfig and pendingOutboundEntry

* tests: added tests for deadline changes

* feat: added signingDeadline in OutboundCreated event

* fix: parse signatureDeadline

* fix: tx builder tss msg creation

* add: check for queryTime

* fix: add deadline check in broadcast

* fix: handle deadline = 0 , legacy tx

* fix: svm revert logic

* fix: tc

* fix: simulation tc

* fix: evm revert logic when tx is not found

* fix: log binding

* remove unused fn

* chore: tc

* fix: nonce handling + refactor

* route internal messages via sessionManager

* fix: log level

* remove: deprecated doc

* chore: fix formating

* fix: allow balance to be added to query for verification and avoiding query

* feat: add ack with sig & coordinator verification

* fix: msgHandler validation

* fix: add broadcasting and handling to increase set

* minor error logs + tc

* change to hard delete

* fix: attach eventCleaners to external chains

* removed artifical expiry and fixed sweeper

* fix: event cleaner closing

* fix: tc

---------

Co-authored-by: Nilesh Gupta <guptanilesh2312@gmail.com>
* feat(utils): per-namespace canonicalization helpers for keys

Shared canonical string forms for ballot/storage keys, keyed by CAIP-2
namespace: eip155 addresses -> EIP-55, eip155 hashes -> 0x-lowercase,
solana -> base58 preserved (case-significant) / hex lowercased, other ->
trimmed. Strict variants reject malformed input; lenient variants fall back
to trimmed input on the vote-ingress path that must never drop a vote.
Foundation for the ballot-key and token-key canonicalization fixes.

* fix(uregistry): canonicalize token addresses in storage keys [F-2026-17022]

GetTokenConfigsStorageKey canonicalizes the address per CAIP-2 namespace
(EIP-55 for eip155), making the storage key the single canonical chokepoint
for add/update/remove/get. The PRC20 reverse index moves from lowercase to
EIP-55 and GetTokenConfigByPRC20 canonicalizes its query identically.
TokenConfig/NativeRepresentation ValidateBasic enforce parseable addresses,
so case-variant duplicate registrations collide on the canonical key and are
rejected.

* fix(utss): canonicalize fund-migration txHash before ballot key [F-2026-17041]

VoteFundMigration canonicalizes the observed txHash against the migration's
chain namespace before deriving the ballot key, so equivalent hash encodings
from different validators aggregate on one ballot instead of fragmenting.
Adds MsgVoteFundMigration.ValidateBasic.

* fix(uexecutor): canonical voting digests for inbound/outbound ballots [F-2026-16039, F-2026-16632]

Replace full-proto-Marshal ballot identity with explicit injective digests
(hashFields: sha256 over per-field sha256 hex digests joined by ':'),
domain-separated via collections prefixes so inbound vs outbound keys stay
disjoint in the shared Ballots map. The inbound digest covers every
execution-relevant field except universal_payload (recomputed on-chain from
raw_payload); the outbound digest covers all observation fields. Inbound
fields are canonicalized at vote / admin-revert ingress and the key functions
self-canonicalize, so stored state, UTX keys and registry lookups all
converge on one representation per logical event.

Because the digests are one-way, the ballot terminal hook now locates the
audit-trail entry by scanning PendingInbounds for the ballot id instead of
decoding the inbound back out of the id. Existing test assertions updated for
the canonical (EIP-55 / lowercase-hash) stored forms.

* feat(uexecutor): InboundKeys and OutboundBallotKey queries

Let off-chain validators read the canonical UTX id + ballot ids from the
chain rather than re-implementing the canonicalization/digest rules.
InboundKeys(inbound) returns utx_id, ballot_id and the canonical inbound;
OutboundBallotKey(utx_id, outbound_id, observed_tx) looks up the outbound's
destination chain to canonicalize the observed hash, then returns the ballot
id and canonical observation. Includes generated proto.
…tuck due to architecture (failure visibility limited to signer set)

* fix: inprogress settlement

* fix: solana tx resolving
* feat: added changes in core validator as per contract audit changes

* docs(uregistry): drop 0xCA special-case comments (normal reserved slot)

* chore(usigverifier): drop legacy 0xCA address from .sol + READMEs (precompile is 0xEC..01 only)
Makes the Push-origin UTX id robust by contract (mirrors GetInboundUniversalTxKey, normalizes case/0x); no behavior change for real EVM receipt hashes. Adds Pc UTX key tests.
) (#266)

* chore(evm): upgrade pushchain/evm to v0.5.1 on audit-fixes (port of #265)

* test(e2e): inject bank denom_metadata for upc into interchaintest genesis (evm v0.5 coin-info)
This reverts commit 47ef4c9, reversing
changes made to dff0bb0.
# Conflicts:
#	audits/Hacken_Push Chain_[L1] Push Chain _ Blockchain Audit _ Apr2026_P-2025-1758_6_20260629 17_10.pdf
@0xNilesh

Copy link
Copy Markdown
Member Author

Equivalence-check PR — served its purpose (0-file proof recorded). Closing; branch retained.

@0xNilesh 0xNilesh closed this Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants