Threads ChainInfo through some methods that externals needed to protect against replay attacks. While at it, protects our own entrypoints from them too

Closes: #21572

---------

Co-authored-by: Jan Beneš <janbenes1234@gmail.com>
Calling `Array.from({length})` allocates length immediately. We were
calling this method in the context of deserialization with untrusted
input.
This PR changes it so we use `new Array(size)` for untrusted input. A
bit less efficient, but more secure.
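The concern above is an attacker-controlled length that drives an allocation before anything checks it. As an added example (not code from this PR or from Aztec), the reader below bounds the untrusted count twice before allocating: once against a protocol cap and once against the bytes that are actually left in the input. The wire format (big-endian u32 count followed by `count` big-endian u32 elements), `BoundedReader`, `encodeU32s` and `decodeU32Array` are constructed for this illustration.

```typescript
// Added example, not code from the Aztec PR: a length-prefixed reader that validates an
// untrusted element count before allocating anything proportional to it.
// Constructed wire format: big-endian u32 count, then `count` big-endian u32 elements.

export class BoundedReader {
  private offset = 0;
  constructor(private readonly bytes: Uint8Array) {}

  get remaining(): number {
    return this.bytes.length - this.offset;
  }

  readU32(): number {
    if (this.remaining < 4) {
      throw new Error(`truncated input: need 4 bytes, have ${this.remaining}`);
    }
    const view = new DataView(this.bytes.buffer, this.bytes.byteOffset + this.offset, 4);
    this.offset += 4;
    return view.getUint32(0, false);
  }

  // Reads an array whose element count comes from untrusted input. `elementSize` is the
  // minimum encoded size of one element and is used to bound `count` by the input length.
  readArray<T>(elementSize: number, readElement: (r: BoundedReader) => T, maxCount = 1 << 16): T[] {
    const count = this.readU32();
    // Two independent bounds, both applied before any allocation that scales with `count`:
    // a protocol-level cap, and the number of bytes that are actually left to read.
    if (count > maxCount) {
      throw new Error(`array count ${count} exceeds protocol maximum ${maxCount}`);
    }
    if (count * elementSize > this.remaining) {
      throw new Error(`array count ${count} needs ${count * elementSize} bytes, only ${this.remaining} remain`);
    }
    // With `count` now bounded by the input size, `new Array(count)` (the sparse form the PR
    // switches to) is safe; `Array.from({ length: count })` would eagerly fill `count` slots.
    const out: T[] = new Array(count);
    for (let i = 0; i < count; i++) {
      out[i] = readElement(this);
    }
    return out;
  }
}

// Encoder for the constructed format, used to build test inputs.
export function encodeU32s(values: number[]): Uint8Array {
  const out = new Uint8Array(4 + 4 * values.length);
  const view = new DataView(out.buffer);
  view.setUint32(0, values.length, false);
  values.forEach((v, i) => view.setUint32(4 + 4 * i, v, false));
  return out;
}

export function decodeU32Array(bytes: Uint8Array, maxCount?: number): number[] {
  return new BoundedReader(bytes).readArray(4, r => r.readU32(), maxCount);
}
```

A four-byte frame claiming 0xFFFFFFFF elements with no body is rejected by both checks without any array being created; the second check alone is enough for fixed-size elements, the cap matters when elements can be arbitrarily small.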
…shipWitness (#21472)

As I was going through TODOs I found this ancient TODO of mine (from November 2023):

```
 * Note: This function returns the membership witness of the nullifier itself and not the low nullifier when
 * the nullifier already exists in the tree. This is because the `getPreviousValueIndex` function returns the
 * index of the nullifier itself when it already exists in the tree.
 * TODO: This is a confusing behavior and we should eventually address that.
```

In this PR I handle it by instead throwing an error in this scenario. This doesn't modify the interface so it was not urgent to do but felt like it makes sense to do now anyway so I went with it. (Pinged this PR to alpha team)

## Summary
- `getLowNullifierMembershipWitness` now throws a descriptive error when the queried nullifier already exists in the tree, instead of silently returning the nullifier's own witness (which is wrong for a non-inclusion proof)
- Removes the long-standing TODO about confusing behavior (open since Nov 2023)
- Adds `@throws` JSDoc to both the interface and implementation
- Adds unit tests for the throw and undefined-return paths

## Context
Previously, `getPreviousValueIndex` returns the nullifier's own index when `alreadyPresent: true`. The method just logged a warning and returned that witness anyway. The Noir circuit would catch this implicitly (the `low < target` assertion fails), but the error surfaced as a cryptic circuit assertion rather than a clear "nullifier already exists" message.

## Test plan
- Unit tests added in `server.test.ts` covering both the throw-on-exists and return-undefined paths
- All 34 existing tests in `server.test.ts` continue to pass
- Build, format, and lint pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)
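To make the behaviour change concrete, the following is an added example and not the aztec-node implementation: an indexed-tree leaf set is modelled as an ascending list of nullifier values (with the conventional zero leaf at index 0), `getPreviousValueIndex` returns the greatest leaf not above the query plus an `alreadyPresent` flag, and the witness function throws on `alreadyPresent` instead of handing back the nullifier's own leaf. The witness shape and the `verifyNonInclusion` check (the circuit's `low < target` assertion plus the upper bound) are assumptions made for this illustration.

```typescript
// Added example, not the aztec-node code: low-nullifier witness lookup over a sorted leaf list.
// Leaf values are plain numbers here; real nullifiers are field elements.

export interface LowNullifierWitness {
  lowIndex: number;
  lowValue: number;
  nextValue: number | null; // null when the low leaf is the largest value in the tree
}

// Index of the greatest leaf <= value, and whether that leaf equals value.
// Returns undefined when no leaf is <= value (cannot happen once the zero leaf is present).
export function getPreviousValueIndex(
  leaves: number[],
  value: number,
): { index: number; alreadyPresent: boolean } | undefined {
  let index = -1;
  for (let i = 0; i < leaves.length && leaves[i] <= value; i++) {
    index = i;
  }
  if (index < 0) return undefined;
  return { index, alreadyPresent: leaves[index] === value };
}

// The PR's behaviour: a low-nullifier witness exists only for a nullifier that is absent.
// If the nullifier is already in the tree, throw instead of returning its own leaf, which
// would not be a valid non-inclusion witness.
export function getLowNullifierMembershipWitness(
  leaves: number[],
  nullifier: number,
): LowNullifierWitness | undefined {
  const found = getPreviousValueIndex(leaves, nullifier);
  if (found === undefined) return undefined;
  if (found.alreadyPresent) {
    throw new Error(
      `Nullifier ${nullifier} already exists in the tree at index ${found.index}; ` +
        `cannot produce a low-nullifier (non-inclusion) witness for it`,
    );
  }
  const nextValue = found.index + 1 < leaves.length ? leaves[found.index + 1] : null;
  return { lowIndex: found.index, lowValue: leaves[found.index], nextValue };
}

// The check a non-inclusion witness must pass: low < target < next (or no next leaf).
// The pre-fix behaviour returned low == target, which fails the first comparison.
export function verifyNonInclusion(w: LowNullifierWitness, target: number): boolean {
  if (!(w.lowValue < target)) return false;
  return w.nextValue === null || target < w.nextValue;
}
```

The last assertion in the accompanying check shows why the old behaviour was only caught inside the circuit: a witness whose low leaf equals the target is structurally well-formed and fails only at the range comparison.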
This was referenced Mar 17, 2026
## Motivation
Errors during `readMessage` (oversized snappy responses, corrupt data,
etc.) were caught and silently converted to `{ status: UNKNOWN }` return
values instead of re-throwing. Since `sendRequestToPeer` only calls
`handleResponseError` in its own catch block, none of these errors
resulted in peer penalties. The request was simply retried with another
peer, allowing a malicious peer to waste bandwidth indefinitely.
## Approach
Re-throw non-protocol errors from `readMessage` so they propagate to
`sendRequestToPeer`'s catch block where `handleResponseError` applies
peer penalties. Additionally, introduce a dedicated
`OversizedSnappyResponseError` class so oversized responses get a
harsher `LowToleranceError` penalty (score -50, banned after 2 offenses)
instead of falling through to the generic `HighToleranceError`
catch-all.
## Changes
- **p2p (reqresp)**: Changed `readMessage` catch block to only return
status for `ReqRespStatusError` and re-throw all other errors, so they
reach `handleResponseError` for penalization
- **p2p (encoding)**: Added `OversizedSnappyResponseError` class for
explicit categorization
- **p2p (reqresp)**: Added `OversizedSnappyResponseError` handling in
`categorizeResponseError` with `LowToleranceError` severity
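The fix is an error-propagation change rather than a parsing change, so the useful thing to see is the control flow with and without it. The following is an added, reduced model and not the Aztec p2p code: `readMessageSwallowing` reproduces the pre-fix catch block, `readMessage` the post-fix one, and `sendRequestToPeer` applies penalties only in its own catch. Class and function names follow this PR description; the response frame layout (status byte followed by payload), the 1024-byte size limit, the HighTolerance score of -5 and the ban threshold are constructed for the example, while the LowTolerance score of -50 and "banned after two offenses" come from the text above.

```typescript
// Added example, not the Aztec reqresp implementation: why swallowed read errors
// escaped peer penalties, and how re-throwing routes them into handleResponseError.

export class ReqRespStatusError extends Error {
  readonly name = 'ReqRespStatusError';
  constructor(public readonly status: number) {
    super(`peer returned protocol status ${status}`);
  }
}

export class OversizedSnappyResponseError extends Error {
  readonly name = 'OversizedSnappyResponseError';
  constructor(size: number, max: number) {
    super(`snappy response of ${size} bytes exceeds limit of ${max}`);
  }
}

// Name-based guards so classification does not depend on the Error prototype chain.
const isReqRespStatusError = (e: unknown): e is ReqRespStatusError =>
  e instanceof Error && e.name === 'ReqRespStatusError';
const isOversizedSnappyResponseError = (e: unknown): e is OversizedSnappyResponseError =>
  e instanceof Error && e.name === 'OversizedSnappyResponseError';

export type Severity = 'LowTolerance' | 'HighTolerance';
export const PENALTY: Record<Severity, number> = { LowTolerance: -50, HighTolerance: -5 };
export const BAN_THRESHOLD = -100; // reached after two LowTolerance offenses

export class PeerScore {
  score = 0;
  get banned(): boolean {
    return this.score <= BAN_THRESHOLD;
  }
}

export const UNKNOWN = -1;
export interface Response {
  status: number; // 0 on success, a peer-reported status code, or UNKNOWN
  data?: Uint8Array;
}

const MAX_RESPONSE_BYTES = 1024; // constructed limit

// Constructed frame format: byte 0 is the peer's status code (0 = success), rest is payload.
function decodeResponse(raw: Uint8Array): Uint8Array {
  if (raw.length > MAX_RESPONSE_BYTES) throw new OversizedSnappyResponseError(raw.length, MAX_RESPONSE_BYTES);
  if (raw.length === 0) throw new Error('corrupt frame: no status byte');
  if (raw[0] !== 0) throw new ReqRespStatusError(raw[0]);
  return raw.subarray(1);
}

// Before the fix: every failure collapses into UNKNOWN, so the caller's catch never runs.
export function readMessageSwallowing(raw: Uint8Array): Response {
  try {
    return { status: 0, data: decodeResponse(raw) };
  } catch {
    return { status: UNKNOWN };
  }
}

// After the fix: only a protocol-level status becomes a return value; anything else propagates.
export function readMessage(raw: Uint8Array): Response {
  try {
    return { status: 0, data: decodeResponse(raw) };
  } catch (err) {
    if (isReqRespStatusError(err)) return { status: err.status };
    throw err;
  }
}

export function categorizeResponseError(err: unknown): Severity {
  if (isOversizedSnappyResponseError(err)) return 'LowTolerance';
  return 'HighTolerance'; // generic catch-all for corrupt data and other read failures
}

export function handleResponseError(peer: PeerScore, err: unknown): void {
  peer.score += PENALTY[categorizeResponseError(err)];
}

// Penalties are applied only here, which is why errors swallowed inside readMessage went unpunished.
export function sendRequestToPeer(
  peer: PeerScore,
  raw: Uint8Array,
  read: (raw: Uint8Array) => Response,
): Response {
  try {
    return read(raw);
  } catch (err) {
    handleResponseError(peer, err);
    return { status: UNKNOWN };
  }
}
```

Run against the same oversized frame twice, the swallowing reader leaves the peer at score 0 while the re-throwing reader reaches the ban threshold; a peer-reported status is still returned as data in both versions and carries no penalty.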
I simply asked Claude to go through our code and find bugs, and it found this

## Summary
- Fixes an out-of-bounds array access in `extract_property_value_from_selector` when `PropertySelector.offset > 0`. The formula `31 + offset - i` produces index >= 32 at `i = 0`; corrected to `31 - offset - i`.
- Adds a regression test exercising a nonzero offset.

## Note
The bug was dormant -- every `PropertySelector` in the codebase uses `offset: 0` (the macro hardcodes it). But anyone trying to use sub-field byte selection would hit a runtime panic.
Flakey Tests🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry.
…21520)

## Motivation
When building multiple blocks within a single checkpoint, the `CheckpointBuilder` was creating a new `PublicContractsDB` instance for each block. This meant that contracts deployed in an earlier block within the same checkpoint were not visible to subsequent blocks, causing calls to newly deployed contracts to fail.

## Approach
Move the `PublicContractsDB` instance to be a persistent field on `CheckpointBuilder`, initialized once in the constructor and shared across all blocks in the checkpoint. Wrap block building in checkpoint/commit/revert semantics on the contracts DB so that failed blocks don't leak state.

## Changes
- **validator-client**: Promote `contractsDB` from a local variable in `makeBlockBuilderDeps` to a class field on `CheckpointBuilder`. Wrap `buildBlock` in `createCheckpoint`/`commitCheckpoint`/`revertCheckpoint` calls on the contracts DB.
- **validator-client (tests)**: Add tests verifying that the contracts DB checkpoint lifecycle is correctly managed across successful and failed block builds.
- **end-to-end (tests)**: Add e2e test that deploys a contract and calls it in separate blocks within the same slot, validating cross-block contract visibility within a checkpoint.

Fixes A-658

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
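The two properties this PR is after, cross-block visibility within one checkpoint and no state leaking from a failed block, can be seen in a small model. The following is an added example and not the validator-client code: `PublicContractsDB` keeps a stack of overlay layers that `createCheckpoint`/`commitCheckpoint`/`revertCheckpoint` push, merge and discard, and `CheckpointBuilder` holds a single instance for the whole checkpoint and wraps each block build in those calls. The `Tx` shape, `isDeployed` and the failure rule (a call to an undeployed address fails the block) are constructed for the illustration.

```typescript
// Added example, not the Aztec validator-client code: a contracts DB with
// checkpoint/commit/revert layers shared across every block of a checkpoint.

export class PublicContractsDB {
  // layers[0] is committed state; each createCheckpoint pushes a new overlay on top.
  private layers: Array<Record<string, string>> = [{}];

  createCheckpoint(): void {
    this.layers.push({});
  }

  // Fold the newest overlay into its parent so later blocks see these contracts.
  commitCheckpoint(): void {
    if (this.layers.length < 2) throw new Error('no checkpoint to commit');
    const top = this.layers.pop()!;
    const parent = this.layers[this.layers.length - 1];
    Object.keys(top).forEach(address => {
      parent[address] = top[address];
    });
  }

  // Drop the newest overlay; nothing written during the failed block survives.
  revertCheckpoint(): void {
    if (this.layers.length < 2) throw new Error('no checkpoint to revert');
    this.layers.pop();
  }

  addContract(address: string, classId: string): void {
    this.layers[this.layers.length - 1][address] = classId;
  }

  // Read through overlays newest to oldest, so a block sees contracts committed by
  // earlier blocks in the same checkpoint as well as the base state.
  getContract(address: string): string | undefined {
    for (let i = this.layers.length - 1; i >= 0; i--) {
      if (Object.prototype.hasOwnProperty.call(this.layers[i], address)) {
        return this.layers[i][address];
      }
    }
    return undefined;
  }
}

// Constructed transaction shape: a deployment, a call, or both.
export interface Tx {
  deploy?: { address: string; classId: string };
  call?: { address: string };
}

export class CheckpointBuilder {
  // One instance for the whole checkpoint (the fix); previously each block got a fresh one,
  // so a deployment in block N was invisible to a call in block N+1.
  private readonly contractsDB = new PublicContractsDB();

  buildBlock(txs: Tx[]): boolean {
    this.contractsDB.createCheckpoint();
    try {
      for (let i = 0; i < txs.length; i++) {
        const tx = txs[i];
        if (tx.deploy) this.contractsDB.addContract(tx.deploy.address, tx.deploy.classId);
        if (tx.call && this.contractsDB.getContract(tx.call.address) === undefined) {
          throw new Error(`call to undeployed contract ${tx.call.address}`);
        }
      }
      this.contractsDB.commitCheckpoint();
      return true;
    } catch {
      // A failed block must not leak partially applied deployments into later blocks.
      this.contractsDB.revertCheckpoint();
      return false;
    }
  }

  isDeployed(address: string): boolean {
    return this.contractsDB.getContract(address) !== undefined;
  }
}
```

Deploy in one block, call in the next, then fail a block that also deploys: the call succeeds because the first block's overlay was committed into the shared DB, and the failed block's deployment is gone after the revert.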
BEGIN_COMMIT_OVERRIDE
feat: entrypoint replay protection (#21649)
feat: guard BoundedVec oracle returns against dirty trailing storage (#21589)
fix: add bounds when allocating arrays in deserialization (#21622)
feat: implement manual Packable for structs with sub-Field members (#21576)
fix(aztec-node): throw on existing nullifier in getLowNullifierMembershipWitness (#21472)
fix: use trait dispatch for array Packable::unpack in card_game_contract (#21683)
fix(p2p): penalize peers for errors during response reading (#21680)
fix: update nullifier non-inclusion test expectations after early oracle throw (backport #21600) (#21615)
fix(aztec-nr): fix OOB index with nonzero offset (#21613)
END_COMMIT_OVERRIDE