nklave-core 0.1.0

Core signing logic, BLS/Ed25519 keys, and slashing protection rules for Nklave
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313

//! Cosmos/CometBFT slashing protection policy enforcement
//!
//! Implements the Cosmos double-signing rule:
//! Never sign two different messages at the same (height, round, type).
//!
//! Unlike Ethereum, Cosmos does not have surround vote detection.
//! The only slashable condition is signing two different blocks/votes
//! at the same height and round.

use crate::policy::types::{PolicyDecision, RefusalCode};
use crate::state::validator::{CosmosSignedMsgType, CosmosState};

/// Cosmos/CometBFT slashing protection policy
pub struct CosmosPolicy;

impl CosmosPolicy {
    /// Create a new Cosmos policy instance
    pub fn new() -> Self {
        Self
    }

    /// Check if a prevote is safe to sign
    ///
    /// Returns `Allow` if:
    /// - No prevote has been signed for this (height, round), OR
    /// - A prevote with the same block_hash was already signed
    ///
    /// Returns `Refuse(CosmosDoubleSigning)` if:
    /// - A prevote for a different block was already signed at this (height, round)
    pub fn check_prevote(
        &self,
        state: &CosmosState,
        height: i64,
        round: i32,
        block_hash: Option<[u8; 32]>,
    ) -> PolicyDecision {
        self.check_vote(state, height, round, CosmosSignedMsgType::Prevote, block_hash)
    }

    /// Check if a precommit is safe to sign
    ///
    /// Returns `Allow` if:
    /// - No precommit has been signed for this (height, round), OR
    /// - A precommit with the same block_hash was already signed
    ///
    /// Returns `Refuse(CosmosDoubleSigning)` if:
    /// - A precommit for a different block was already signed at this (height, round)
    pub fn check_precommit(
        &self,
        state: &CosmosState,
        height: i64,
        round: i32,
        block_hash: Option<[u8; 32]>,
    ) -> PolicyDecision {
        self.check_vote(state, height, round, CosmosSignedMsgType::Precommit, block_hash)
    }

    /// Check if a proposal is safe to sign
    ///
    /// Returns `Allow` if:
    /// - No proposal has been signed for this (height, round), OR
    /// - A proposal with the same block_hash was already signed
    ///
    /// Returns `Refuse(CosmosDoubleSigning)` if:
    /// - A proposal for a different block was already signed at this (height, round)
    pub fn check_proposal(
        &self,
        state: &CosmosState,
        height: i64,
        round: i32,
        block_hash: [u8; 32],
    ) -> PolicyDecision {
        self.check_vote(
            state,
            height,
            round,
            CosmosSignedMsgType::Proposal,
            Some(block_hash),
        )
    }

    /// Generic vote checking logic
    ///
    /// The core slashing rule for Cosmos: never sign two different messages
    /// at the same (height, round, type).
    fn check_vote(
        &self,
        state: &CosmosState,
        height: i64,
        round: i32,
        msg_type: CosmosSignedMsgType,
        block_hash: Option<[u8; 32]>,
    ) -> PolicyDecision {
        // Check if we've already signed at this (height, round, type)
        if let Some(existing) = state.get_signed_vote(height, round, msg_type) {
            if existing.block_hash == block_hash {
                // Same block (or both nil), safe to re-sign (idempotent)
                PolicyDecision::Allow
            } else {
                // Different block at same (height, round, type) = double signing
                tracing::warn!(
                    height = height,
                    round = round,
                    msg_type = ?msg_type,
                    "Cosmos double signing detected: different block for same height/round"
                );
                PolicyDecision::Refuse(RefusalCode::CosmosDoubleSigning)
            }
        } else {
            // No vote signed for this (height, round, type) yet
            PolicyDecision::Allow
        }
    }

    /// Validate that the height and round are reasonable
    ///
    /// Returns true if the request is valid, false otherwise.
    pub fn validate_request(&self, height: i64, round: i32) -> bool {
        // Height must be positive
        if height <= 0 {
            return false;
        }
        // Round must be non-negative
        if round < 0 {
            return false;
        }
        true
    }
}

impl Default for CosmosPolicy {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn make_hash(val: u8) -> [u8; 32] {
        let mut hash = [0u8; 32];
        hash[0] = val;
        hash
    }

    #[test]
    fn test_prevote_first_sign() {
        let policy = CosmosPolicy::new();
        let state = CosmosState::new();
        let hash = make_hash(1);

        let decision = policy.check_prevote(&state, 100, 0, Some(hash));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_prevote_nil_first_sign() {
        let policy = CosmosPolicy::new();
        let state = CosmosState::new();

        // Nil vote (no block hash)
        let decision = policy.check_prevote(&state, 100, 0, None);
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_prevote_same_block_allowed() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash = make_hash(1);

        // Record the first signing
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash));

        // Same block should be allowed (idempotent)
        let decision = policy.check_prevote(&state, 100, 0, Some(hash));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_prevote_double_sign_rejected() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record the first signing
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash1));

        // Different block for same height/round should be refused
        let decision = policy.check_prevote(&state, 100, 0, Some(hash2));
        assert_eq!(decision, PolicyDecision::Refuse(RefusalCode::CosmosDoubleSigning));
    }

    #[test]
    fn test_prevote_nil_then_block_rejected() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash = make_hash(1);

        // Record a nil vote
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, None);

        // Trying to vote for a block after nil vote should be refused
        let decision = policy.check_prevote(&state, 100, 0, Some(hash));
        assert_eq!(decision, PolicyDecision::Refuse(RefusalCode::CosmosDoubleSigning));
    }

    #[test]
    fn test_prevote_block_then_nil_rejected() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash = make_hash(1);

        // Record a vote for a block
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash));

        // Trying to vote nil after voting for a block should be refused
        let decision = policy.check_prevote(&state, 100, 0, None);
        assert_eq!(decision, PolicyDecision::Refuse(RefusalCode::CosmosDoubleSigning));
    }

    #[test]
    fn test_different_round_allowed() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record vote in round 0
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash1));

        // Different block in round 1 should be allowed
        let decision = policy.check_prevote(&state, 100, 1, Some(hash2));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_different_height_allowed() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record vote at height 100
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash1));

        // Different block at height 101 should be allowed
        let decision = policy.check_prevote(&state, 101, 0, Some(hash2));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_height_regression_allowed() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record vote at height 100
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash1));

        // Voting at height 50 (regression) should be allowed
        // This happens during catch-up after restart
        let decision = policy.check_prevote(&state, 50, 0, Some(hash2));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_precommit_independent_of_prevote() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record prevote for hash1
        state.record_vote(100, 0, CosmosSignedMsgType::Prevote, Some(hash1));

        // Precommit for hash2 should be allowed (different message type)
        let decision = policy.check_precommit(&state, 100, 0, Some(hash2));
        assert_eq!(decision, PolicyDecision::Allow);
    }

    #[test]
    fn test_proposal_double_sign_rejected() {
        let policy = CosmosPolicy::new();
        let mut state = CosmosState::new();
        let hash1 = make_hash(1);
        let hash2 = make_hash(2);

        // Record proposal for hash1
        state.record_vote(100, 0, CosmosSignedMsgType::Proposal, Some(hash1));

        // Proposal for hash2 should be refused
        let decision = policy.check_proposal(&state, 100, 0, hash2);
        assert_eq!(decision, PolicyDecision::Refuse(RefusalCode::CosmosDoubleSigning));
    }

    #[test]
    fn test_validate_request() {
        let policy = CosmosPolicy::new();

        // Valid requests
        assert!(policy.validate_request(1, 0));
        assert!(policy.validate_request(100, 5));

        // Invalid requests
        assert!(!policy.validate_request(0, 0));  // Height 0 invalid
        assert!(!policy.validate_request(-1, 0)); // Negative height invalid
        assert!(!policy.validate_request(1, -1)); // Negative round invalid
    }
}