bridge: require single step guardian set index changes

ethereum/contracts/Wormhole.sol

@@ -133,6 +133,7 @@ contract Wormhole is ReentrancyGuard {
 
     function vaaUpdateGuardianSet(bytes memory data) private {
         uint32 new_guardian_set_index = data.toUint32(0);
+        require(new_guardian_set_index == guardian_set_index + 1, "index must increase in steps of 1");
         uint8 len = data.toUint8(4);
 
         address[] memory new_guardians = new address[](len);

solana/bridge/src/error.rs

@@ -82,7 +82,7 @@ pub enum Error {
     /// The given VAA was not signed by the latest guardian set
     #[error("OldGuardianSet")]
     OldGuardianSet,
-    /// The guardian set index must increase on update
+    /// The guardian set index must increase in steps of 1 on update
     #[error("GuardianIndexNotIncreasing")]
     GuardianIndexNotIncreasing,
     /// The given VAA does not match the proposal

solana/bridge/src/processor.rs

@@ -446,7 +446,6 @@ impl Bridge {
     ) -> ProgramResult {
         let new_guardian_info = next_account_info(account_info_iter)?;
 
-        // TODO this could deadlock the bridge if an update is performed with an invalid key
         // The new guardian set must be signed by the current one
         if bridge.guardian_set_index != old_guardian_set.index {
             return Err(Error::OldGuardianSet.into());
@@ -454,7 +453,7 @@ impl Bridge {
 
         // The new guardian set must have an index > current
         // We don't check +1 because we trust the set to not set something close to max(u32)
-        if bridge.guardian_set_index >= b.new_index {
+        if bridge.guardian_set_index + 1 != b.new_index {
             return Err(Error::GuardianIndexNotIncreasing.into());
         }