test: demonstrate non-empty CountTree count swap vulnerability (C1)

[QuantumExplorer]

Summary

• Adds a test (non_empty_count_tree_count_swap_in_result_set) proving that a non-empty CountTree's count metadata can be swapped from 3 to 999 without the verifier detecting the tampering
• The vulnerability exists because when a tree element appears in a proof result set without a lower-layer subquery, no combine_hash verification is performed — the verifier trusts the KVValueHash node's value directly
• The test documents the known vulnerability by asserting the tampered count is accepted (flipping to Err expectation once a fix lands)

Root Cause

In proof verification (verify_layer_proof V0/V1), non-empty trees that appear in the result set without being drilled into via subquery skip the combine_hash(H(value_bytes), child_merk_root) == proof_hash check. This allows an attacker to substitute the serialized element bytes (changing count, sum, or other metadata) while keeping the same value_hash, since KVValueHash nodes trust the provided hash.

Fix Direction

The fix requires prover-side changes: include child merk root hashes for non-empty trees even when no subquery drills into them (either via a minimal lower layer or a new proof field). This enables the verifier to perform combine_hash checks on all tree elements.

Test plan

• Test compiles and passes (cargo test -p grovedb --lib non_empty_count_tree_count_swap_in_result_set)
• Test asserts the vulnerability exists (tampered count=999 accepted)
• Test will panic with clear message when the vulnerability is fixed

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@QuantumExplorer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 36 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 73a04b13-a3f2-45cf-bae2-2a806f5c5fbe

📥 Commits

Reviewing files that changed from the base of the PR and between e2fa568 and 6ddcd2f.

📒 Files selected for processing (1)

• grovedb/src/tests/proof_coverage_tests.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/C1-non-empty-tree-type-swap-investigation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[QuantumExplorer]

Closing — this vulnerability demonstration is superseded by PR #633, which fixes the issue and includes a test (non_empty_count_tree_count_swap_is_detected) that verifies the tampering is now rejected.