Hardening against governance message spoofing (#938)

node/pkg/processor/message.go

@@ -3,6 +3,7 @@ package processor
 import (
 	"context"
 	"encoding/hex"
+
 	"github.com/certusone/wormhole/node/pkg/db"
 	"github.com/mr-tron/base58"
 
@@ -79,6 +80,18 @@ func (p *Processor) handleMessage(ctx context.Context, k *common.MessagePublicat
 		ConsistencyLevel: k.ConsistencyLevel,
 	}
 
+	// A governance message should never be emitted on-chain
+	if v.EmitterAddress == vaa.GovernanceEmitter && v.EmitterChain == vaa.GovernanceChain {
+		supervisor.Logger(ctx).Error(
+			"EMERGENCY: PLEASE REPORT THIS IMMEDIATELY! A Solana message was emitted from the governance emitter. This should never be possible.",
+			zap.Stringer("emitter_chain", k.EmitterChain),
+			zap.Stringer("emitter_address", k.EmitterAddress),
+			zap.Uint32("nonce", k.Nonce),
+			zap.Stringer("txhash", k.TxHash),
+			zap.Time("timestamp", k.Timestamp))
+		return
+	}
+
 	// Ignore incoming observations when our database already has a quorum VAA for it.
 	// This can occur when we're receiving late observations due to node catchup, and
 	// processing those won't do us any good.

node/pkg/vaa/governance.go

@@ -4,8 +4,8 @@ import (
 	"time"
 )
 
-var governanceEmitter = Address{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}
-var governanceChain = ChainIDSolana
+var GovernanceEmitter = Address{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4}
+var GovernanceChain = ChainIDSolana
 
 func CreateGovernanceVAA(nonce uint32, sequence uint64, guardianSetIndex uint32, payload []byte) *VAA {
 	vaa := &VAA{
@@ -16,8 +16,8 @@ func CreateGovernanceVAA(nonce uint32, sequence uint64, guardianSetIndex uint32,
 		Nonce:            nonce,
 		Sequence:         sequence,
 		ConsistencyLevel: 32,
-		EmitterChain:     governanceChain,
-		EmitterAddress:   governanceEmitter,
+		EmitterChain:     GovernanceChain,
+		EmitterAddress:   GovernanceEmitter,
 		Payload:          payload,
 	}