fix(db): re-verify block signature during fork replay#6777

Open
xxo1shine wants to merge 1 commit into tronprotocol:release_v4.8.2 from xxo1shine:fix/fork-replay-signature-recheck

Conversation

@xxo1shine (Collaborator)

What does this PR do?

  • Manager.switchFork now re-validates each replayed block's witness signature before applying. The witness account's permission can change between forks (via permission-update transactions), so a signature that was valid on the original chain may no longer be valid on the replay path.
  • Use `if (!validateSignature(...)) throw new ValidateSignatureException` rather than discarding the boolean return: validateSignature only throws on malformed signature bytes; an attacker-supplied valid-format signature with a wrong-signer address returns false. Discarding the return would let that attack through.
  • The existing switchFork catch list already includes ValidateSignatureException, so the new throw is wired into the existing switchback path with no additional handling.
  • Add three BlockCapsule.validateSignature contract tests pinning the two failure modes the fix relies on: signer-mismatch returns false, signer-match returns true, and a 65-byte malformed signature throws ValidateSignatureException.

Why are these changes required?

This PR has been tested by:

  • Unit Tests
  • Manual Testing

Follow up

Extra details
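
The replay check the first two bullets describe, as an added Go model that is not java-tron's code: Perms, validateSignature, applyBlock and Demo are constructed stand-ins, using P-256 with ASN.1-encoded signatures in place of the witness-address comparison the PR describes. It shows one block accepted before, and rejected after, a permission update on the replay path, and a signature truncated to 65 bytes failing as malformed (the error path) rather than as a signer mismatch (the false path).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"math/big"
)

// Perms is a constructed stand-in for witness permission state: the key each witness may currently sign with.
type Perms map[string]*ecdsa.PublicKey

// validateSignature models the PR's two failure modes: malformed signature bytes return
// an error (the "throws" path); a well-formed signature that the witness's current key
// did not produce returns false, nil; a matching signer returns true, nil.
func validateSignature(witness string, hash, sig []byte, perms Perms) (bool, error) {
	if rest, err := asn1.Unmarshal(sig, &struct{ R, S *big.Int }{}); err != nil || len(rest) != 0 {
		return false, errors.New("malformed signature bytes")
	}
	key := perms[witness]
	return key != nil && ecdsa.VerifyASN1(key, hash, sig), nil
}

// applyBlock is the replay step: it acts on the boolean instead of discarding it.
func applyBlock(witness string, hash, sig []byte, perms Perms) error {
	if ok, err := validateSignature(witness, hash, sig, perms); err != nil {
		return err
	} else if !ok {
		return errors.New("signer not authorised for witness " + witness)
	}
	return nil
}

// Demo: a block signed by A while W is keyed to A is accepted; after a permission update on
// the fork path rotates W to B, replaying it is rejected; a 65-byte truncated signature errors.
func Demo() (beforeErr, afterErr, malformedErr error) {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	perms := Perms{"W": &keyA.PublicKey}
	hash := sha256.Sum256([]byte("constructed block payload for witness W"))
	sig, _ := ecdsa.SignASN1(rand.Reader, keyA, hash[:])
	beforeErr = applyBlock("W", hash[:], sig, perms)
	perms["W"] = &keyB.PublicKey // permission-update transaction on the replay path
	afterErr = applyBlock("W", hash[:], sig, perms)
	malformedErr = applyBlock("W", hash[:], sig[:65], perms)
	return
}
```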

github-actions bot requested a review from halibobo1205 (May 18, 2026 07:11)
xxo1shine force-pushed the fix/fork-replay-signature-recheck branch from 2d44164 to 70e5b2e (May 18, 2026 09:10)