fix: persist signed-transfer nonces and reject replay across restarts (#728)#762
Merged
Scottcjn merged 1 commit intoScottcjn:mainfrom Mar 9, 2026
Conversation
- Add NonceStore for persistent tracking of used nonces per address - Integrate nonce persistence into WalletStorage with automatic migration - Add verify_nonce and verify_complete methods for replay protection - Nonce state persists across restarts via JSON file storage - Add comprehensive regression tests for persistence and replay detection - Update examples and CLI to handle Result-returning storage API
4 tasks
github-actions
bot
added
BCOS-L1
mgrigajtis
pushed a commit
to mgrigajtis/Rustchain
that referenced
this pull request
Mar 16, 2026
…Scottcjn#643) * feat(rip-0002): On-Chain Governance System — proposal creation, voting, lifecycle, Sophia AI analysis Implements RIP-0002 governance spec with: - POST /api/governance/propose — Create proposal (active miner required) - GET /api/governance/proposals — List proposals with status filter - GET /api/governance/proposal/<n> — Proposal details + vote history - POST /api/governance/vote — Cast/change vote (antiquity-weighted) - GET /api/governance/results/<n> — Final results + quorum status - POST /api/governance/veto/<n> — Founder veto (2-year window, env-key) - GET /api/governance/stats — Governance statistics Features: - 3 proposal types: parameter_change, feature_activation, emergency - 3 vote choices: for, against, abstain (vote changes allowed) - 7-day voting window with automatic settlement - 33% quorum threshold of active miners - Antiquity-weighted votes (from miners table) - Sophia AI lightweight risk analysis (HIGH/LOW) - Founder veto for security-critical proposals (first 2 years) - Anti-spam: max 10 active proposals per miner - 19 passing tests covering all scenarios Bounty: Scottcjn/rustchain-bounties#761 Wallet: nox-ventures * feat: pip install rustchainnode — installable RustChain attestation node Implements bounty Scottcjn#757: package the RustChain node as a pip-installable PyPI package. pip install rustchainnode rustchainnode init --wallet my-wallet-name rustchainnode start Features: - CLI commands: init, start, stop, status, config, dashboard, install-service - Auto-configuration: detects CPU arch, thread count, antiquity multiplier - Cross-platform: Linux x86_64/aarch64/ppc64, macOS x86/ARM64 - Systemd (Linux) + launchd (macOS) service generation - TUI dashboard: rustchainnode dashboard - Programmatic API: from rustchainnode import RustChainNode - Zero external dependencies (stdlib only) - Python 3.9+ compatible Bounty: Scottcjn/rustchain-bounties#757 Wallet: nox-ventures * feat: cross-node ledger verification tool (Scottcjn#763) Queries all 3 RustChain nodes, compares state, alerts on mismatches. Features: - Query /health, /epoch, /api/stats, /wallet/balance, /api/miners - Merkle root computation over sorted active miners list - SQLite historical tracking (~/.rustchain/ledger_verify.db) - Webhook alerting on mismatch (--webhook URL) - CI mode: --ci exits non-zero on any mismatch - Watch mode: --watch N runs every N seconds - History viewer: --history shows recent checks Sample output: Node 1 (Primary): v2.2.1-rip200 ✅ epoch=94 slot=13601 Node 2: v1.2.0 ✅ epoch=94 slot=13601 Node 3 (Ryan): ❌ unreachable (Tailscale) Merkle roots: node1=e318be4c... (both match ✅) Result: ✅ ALL NODES IN SYNC GitHub Actions: runs every 6h, CI mode, webhook on mismatch. Bounty: Scottcjn/rustchain-bounties#763 Wallet: nox-ventures * chore: remove workflow (scope issue, add manually) * feat: attestation fuzz harness (Scottcjn#762) Property-based fuzz testing for POST /attest/submit. Mutation strategies (11 total): - missing_field: Remove required fields at any nesting level - wrong_type: Replace field with wrong type (None, int, list, dict, float) - unknown_field: Inject unknown keys at any nesting level - nested_bomb: Create deeply nested structures (100-500 levels) - array_overflow: Huge MAC address arrays (1000-10000 entries) - float_edge: inf, nan, -inf, 1e308 in fingerprint data - unicode_miner: null bytes, RTL override, emoji, path traversal, SQLi - huge_miner: wallet names up to 1MB - null_miner: explicit null value - empty_payload: {} - not_json: random binary garbage with wrong Content-Type Crash detection: - HTTP 5xx = server error - Timeout (>90% of TIMEOUT) = potential DoS - Traceback/exception in response body - Connection refused (server crash) Features: - --count N: configurable iteration count (default 1000) - --save-corpus: save all generated payloads to fuzz_corpus/ - --ci: exit non-zero on crash found - --report: show saved crash report - --url: override target URL Bounty: Scottcjn/rustchain-bounties#762 Wallet: nox-ventures
createkr
pushed a commit
to createkr/Rustchain
that referenced
this pull request
Mar 22, 2026
…Scottcjn#643) * feat(rip-0002): On-Chain Governance System — proposal creation, voting, lifecycle, Sophia AI analysis Implements RIP-0002 governance spec with: - POST /api/governance/propose — Create proposal (active miner required) - GET /api/governance/proposals — List proposals with status filter - GET /api/governance/proposal/<n> — Proposal details + vote history - POST /api/governance/vote — Cast/change vote (antiquity-weighted) - GET /api/governance/results/<n> — Final results + quorum status - POST /api/governance/veto/<n> — Founder veto (2-year window, env-key) - GET /api/governance/stats — Governance statistics Features: - 3 proposal types: parameter_change, feature_activation, emergency - 3 vote choices: for, against, abstain (vote changes allowed) - 7-day voting window with automatic settlement - 33% quorum threshold of active miners - Antiquity-weighted votes (from miners table) - Sophia AI lightweight risk analysis (HIGH/LOW) - Founder veto for security-critical proposals (first 2 years) - Anti-spam: max 10 active proposals per miner - 19 passing tests covering all scenarios Bounty: Scottcjn/rustchain-bounties#761 Wallet: nox-ventures * feat: pip install rustchainnode — installable RustChain attestation node Implements bounty Scottcjn#757: package the RustChain node as a pip-installable PyPI package. pip install rustchainnode rustchainnode init --wallet my-wallet-name rustchainnode start Features: - CLI commands: init, start, stop, status, config, dashboard, install-service - Auto-configuration: detects CPU arch, thread count, antiquity multiplier - Cross-platform: Linux x86_64/aarch64/ppc64, macOS x86/ARM64 - Systemd (Linux) + launchd (macOS) service generation - TUI dashboard: rustchainnode dashboard - Programmatic API: from rustchainnode import RustChainNode - Zero external dependencies (stdlib only) - Python 3.9+ compatible Bounty: Scottcjn/rustchain-bounties#757 Wallet: nox-ventures * feat: cross-node ledger verification tool (Scottcjn#763) Queries all 3 RustChain nodes, compares state, alerts on mismatches. Features: - Query /health, /epoch, /api/stats, /wallet/balance, /api/miners - Merkle root computation over sorted active miners list - SQLite historical tracking (~/.rustchain/ledger_verify.db) - Webhook alerting on mismatch (--webhook URL) - CI mode: --ci exits non-zero on any mismatch - Watch mode: --watch N runs every N seconds - History viewer: --history shows recent checks Sample output: Node 1 (Primary): v2.2.1-rip200 ✅ epoch=94 slot=13601 Node 2: v1.2.0 ✅ epoch=94 slot=13601 Node 3 (Ryan): ❌ unreachable (Tailscale) Merkle roots: node1=e318be4c... (both match ✅) Result: ✅ ALL NODES IN SYNC GitHub Actions: runs every 6h, CI mode, webhook on mismatch. Bounty: Scottcjn/rustchain-bounties#763 Wallet: nox-ventures * chore: remove workflow (scope issue, add manually) * feat: attestation fuzz harness (Scottcjn#762) Property-based fuzz testing for POST /attest/submit. Mutation strategies (11 total): - missing_field: Remove required fields at any nesting level - wrong_type: Replace field with wrong type (None, int, list, dict, float) - unknown_field: Inject unknown keys at any nesting level - nested_bomb: Create deeply nested structures (100-500 levels) - array_overflow: Huge MAC address arrays (1000-10000 entries) - float_edge: inf, nan, -inf, 1e308 in fingerprint data - unicode_miner: null bytes, RTL override, emoji, path traversal, SQLi - huge_miner: wallet names up to 1MB - null_miner: explicit null value - empty_payload: {} - not_json: random binary garbage with wrong Content-Type Crash detection: - HTTP 5xx = server error - Timeout (>90% of TIMEOUT) = potential DoS - Traceback/exception in response body - Connection refused (server crash) Features: - --count N: configurable iteration count (default 1000) - --save-corpus: save all generated payloads to fuzz_corpus/ - --ci: exit non-zero on crash found - --report: show saved crash report - --url: override target URL Bounty: Scottcjn/rustchain-bounties#762 Wallet: nox-ventures
createkr
added a commit
to createkr/Rustchain
that referenced
this pull request
Mar 22, 2026
…Scottcjn#762) - Add NonceStore for persistent tracking of used nonces per address - Integrate nonce persistence into WalletStorage with automatic migration - Add verify_nonce and verify_complete methods for replay protection - Nonce state persists across restarts via JSON file storage - Add comprehensive regression tests for persistence and replay detection - Update examples and CLI to handle Result-returning storage API Co-authored-by: createkr <createkr@proton.me>
Owner
|
Transfer confirmed — this was included in the batch settlement of 1,091 RTC to @createkr's wallet. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes issue #728 by persisting nonce ledger and enforcing replay rejection across restarts, with regression tests.