* Add unit tests for db
* Fix error checks and clean up tempdirs
* Add string explainer in the absence of a panic
* Remove unnecessary comment
* Fix NoError suggestion
* Add linter exception for panic test
* node: Shrink final docker image size
* Tiltfile: guardiand should run the build stage
* node: allow building without -race
* node: Support development builds
A development build must use the --unsafeDevMode flag.
* CI: build docker image
Co-authored-by: Csongor Kiss <ckiss@jumptrading.com>
* Add unit-test coverage for marshalling
* Add test to see if Unmarshal will panic on a > 1000 payload
* Error instead of truncate on payloads over 1000 bytes
* Clarify intents and tests for vaa.Unmarshal
* Implement message posting with account reuse
Change-Id: I195f493f6816048f5f8f76e1f0f6e561fa0fe692
* Use different magic for unreliable messages
* guardiand: Ignore solana instructions with empty data
Co-authored-by: Csongor Kiss <ckiss@jumptrading.com>
The current guardian set index is 2, so the `guardiand` template command
should generate prototxt files accordingly.
Co-authored-by: Csongor Kiss <ckiss@jumptrading.com>
* Added the `User-Agent` header to all requests to the block explorer
so cloudflare's browser check is happier.
* Add an option to sleep between loops hitting the block explorer. More
than 1 / second on polygonscan gets you blocked temporarily.
These changes are required to repair missed messages on polygon.
* Initial Celo support
Change-Id: Iee98ee29a8b09af9ca76945792b750d96a170702
* Watcher support
* Fix high level make file
* Remove node binary committed by mistake
* Port change from EthWatcher to CeloWatcher
* Use docker to build ABIs
* Refactor watcher to eliminate massive redunancy
* Fix lint-and-tests to handle multiple defs on link
* Minor code cleanup
* Celo should use ganache in devnet
* Prep for mainnet deploy
* Code review rework
* Remove celo from sdk package.json
* node/hack/repair_eth: use a cookiejar for http
Otherwise, explorers like polygonscan, which implement a cloudflare WAF,
will block all requests.
* node/hack/repair_eth: add -showError flag
When an explorer is having problems or blocks a repair http request, it returns an error like:
Failed to get current height: failed to decode response: invalid character '<' looking for beginning of value
This allows showing the actual response body to better troubleshoot the problem.
The 'timestamp' field is now allowed in a governance prototxt, which
applies to all the messages in the struct. If the timestamp is not
specified, then it defaults to 0, which is identical to the existing
behaviour.
* Add more comprehensive structs unit-tests
* Make VerifySignatures fail on duplicate addresses
* Adjust duplicate detection to guard on signatures instead of addresses
* Add monotonic check in VerifySignatures
* Move logic into VerifySignatures and add more test cases
* Add a paranoid check for duplicate signers
* Make VerifySignatures unit-tests less contrived
* Add more verify signature test cases
* Refactor VerifySignatures tests
* Add VerifySignature fuzz tests
* Add tc.result checking instead of hardcoded true
* Change comparison so it throws debug on failure for fuzz tests
* Add unit-tests for observation signature logic
* Fix comment typos
* Refactor observation tests
* Add missing test case
* Fix VAAInvalidSignatures test case label
* Clean up unit-tests for observation and structs
* Change errorString convention in test
* Format Signature Verification Test Cases
* Remove unnecessary casting
* Add multi-signer same key cases
* Fix err usage in test cases
* Remove duplicate getVAA
* Klaytn support for testnet
Change-Id: Id0647fd6c603ab298f860c2cae20481555467315
* token_bridge client changes
Change-Id: If49ba994a67041044bdec054f19e69b4cfc2785b
* Get rid of special handling
* More cleanup
* Need to add Klaytn to structs tests
* Update SDK version
* Add SDK version
* fix klaytn bridge chain id
Co-authored-by: Evan Gray <battledingo@gmail.com>
* Aurora and Fantom handled wrong in a couple cases
Change-Id: I09b7d2da46507e219bd99d945256e63fefad529c
* Original test covered upper / lower case
Change-Id: I0384b0aac6f63bf9782d393fcd4e4e67f353775a
This retrieves a single transaction's MessagePublication events. This
has the same security assumptions than listening to the log events -
namely, ensuring the right contract has emitted them.
Tested locally with a mainnet transaction.
commit-id:64347ecc
It appears that in spite of exceeding the recommended value by 2x,
256 offers insufficient safety margin given that we saw two reorgs
of depths 178 and 187 recently: https://polygonscan.com/blocks_forked
This will increase confirmation delay from ~10 minutes to ~20 minutes.
commit-id:cf2b1503
Avoid unnecessary RPC calls/retries.
Makes no difference for safety, which relies on VAA accounts rather than
any transaction metadata.
commit-id:0cd82ed4
Fetches the list of missing Solana messages, finds the corresponding
on-chain transactions, sends an ObservationRequest to the network
and waits for consensus.
Hacky one-off script with a couple of edge cases (doesn't filter
failed txs, crashes if the boundary is not a valid tx). We can later
refactor this and add it to the find-missing-messages admin command
if we keep needing it.
commit-id:9b338dfa
Limitations:
- Only supported for Solana and for confirmation level Finalized,
which the token/NFT bridges use. Need to take a close look before
enabling it for both (since we're bypassing the tx fetcher and would
fetch and process accounts of the "wrong" confirmation levels).
- Rate limiting not implemented yet, will be done in a future release
when things are not currently on fire.
Test: https://gist.github.com/leoluk/bab3a18e922057109facea1cf1f26b2f
commit-id:6a0d4c32
It appears that GCP Cloud Logging cannot handle the volume of logs
we're throwing at it... full text search slows to a crawl (LOL)
Reduce log level until we can move to something else.
commit-id:b71c3467
Fixes https://github.com/certusone/wormhole/issues/685.
Example occurrence this fixes: https://i.imgur.com/gZWKf1n.png
Possible future optimizations include:
- Ignore late messages in the processor (but we can only ignore
them post settlement time, so we need the cleanup logic regardless).
- Ignoring late observations from other nodes.
- Using the stored VAA to calculate misses.
- Drop incomplete local observations. However, this is not trivial
since we do not know the message ID for those.
commit-id:47e1e59f
This cannot currently happen the way TransactionReceipt is implemented,
but make sure to check the tx != nil case anyway in case the API
is changed in future releases of go-ethereum.
commit-id:b721f0be
* Stub out algorand support in wormhole
1) Introduce the algorand chain constant in all the appropriate places
2) Deploy pyth/hernandc algorand smart contracts into devnet
3) Fund all the correct contracts for devnet testing
Change-Id: I6e4402b5b21223b32ea89653f8c7606f5c7f2843
* pr/jsiegel/algorand-v1: ALGORAND is not a EVM chain @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: fix lint @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: put the requirements into the image @ gusc1a-ossdev-jsl1
* jsiegel/algorand: make the watcher hang forever @ gusc1a-ossdev-jsl1
* jsiegel/algorand: comment these out @ gusc1a-ossdev-jsl1
* jsiegel/algorand: put this back in @ gusc1a-ossdev-jsl1
* jsiegel/algorand: fix guardian example @ gusc1a-ossdev-jsl1
* Generate teal source code
commit-id:a537a109
* jsiegel/algorand: it builds @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: add Dockerfile.teal @ gusc1a-ossdev-jsl1
* jsiegel/algorand: improve the dependencies @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: Fix up build @ gusc1a-ossdev-jsl1
* dead file
* pr/jsiegel/algorand-v1: remove more stuff @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: fix build @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: freeze the requirements @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: Fix teal to use pipenv @ gusc1a-ossdev-jsl1
* pr/jsiegel/algorand-v1: fix miss-merge @ gusc1a-ossdev-jsl1
Co-authored-by: Leo <leo@certus.one>
This should reduce the number of misses during periods of heavy weather
and high winds, at the expense of increasing load on the RPC nodes.
commit-id:98704274
This avoids gossip spam and false positive Discord notifications
when a connected node catches up and late observations are made.
Change-Id: If9562661487d3d3d5138d27298b005f278f9e9ce
Fixes https://github.com/certusone/wormhole/issues/305
The logic to do this seemingly simple task is hilariously complex
due to the version string being attacker-controlled.
Change-Id: Ia1758418a67c082595affe0b7f2bb801e9434733
The template commands now support generating full governance messages
with all required fields. Outputs to stdout instead of a file.
Change-Id: I3837107c3075363a54d31f9dfb4d6dc07c79daa5
- Add Cloud Functions:
- "Recent" gap list, can filter and/or group by chain or address.
- "Totals" counts 24h, 30d, rolling daily. can filter and group.
- "Transaction" lookup row by chain-native transaction identifier.
- Pad sequence in rowkey to fixed length, for sequential row order.
- Add Cloud Function deploy instructions.
- Fix#410 Buildpack image cleanup
Change-Id: Ifa3110a3d58e2f94adb48ccb451c27ab3add0611
This allows us to associate an observation from the log
for messages that the local node did not observe.
Change-Id: I6ece7bfe3e6b878bdb7ee4ac03c81cb424a329b3
Adds extra logging to validate hypothesis that we've found a bug in
GetConfirmedBlocks, rather than a general issue.
Change-Id: Ia3acfd7fa393091a3892c453433255cfbe38e4a0
We encountered a bug on mainnet where GetConfirmedBlocks with
commitment level Finalized would fail to return a valid block.
Remove the optimization and simply fetch every slot.
Change-Id: Idce939c6c5f3303a5046efdfd31833fab3d465ba
Optional metadata for debugging. Allows tying a received observation
to an on-chain transaction even if the node missed the observation.
Change-Id: Ie50c10c8ab7f65469555674d90645f91092fb2e3
In cases where we observed a VAA, there is no possibility of gossip DoS.
Increase the timeout to 24 hours to facilitate manual interventions
(like submission of governance VAAs or node restarts/catchup).
Keep the existing five minute timeout for observation-less VAAs.
Change-Id: Ic626108190bd60cf812daadbe191b31cc48c7296
Chances are that more requests will fail until the scheduled
recovery date, so we can't hardcode them.
Change-Id: Ief45c1f7a455827b32e154fae5c8eed366dd3ff7
Surfaced by the retry code:
https://gist.github.com/leoluk/b5d05ed27269b077b834eda771a50058
Accessing s.logger from a goroutine will cause a data race. We didn't
previously encounter this since supervisor would wait for Run() to
return before rescheduling it.
Change-Id: I56a7503081485e58975103d0e25e0c2baf19ca08
rustfmt appears to be a little more complicated since it wants to
download dependencies and needs nightly Rust.
Change-Id: Ia348def30a6459ae2ab6c29a8c3a413216f5eb4b
Ensure there's no core vs. token bridge ambiguity.
Breaking changes to the CLI:
* "guardiand bridge" CLI is now "guardiand node"
* --solanaBridgeAddress is now --solanaContract
* --bridgeKey is now --guardianKey
The Heartbeat proto message had one of its fields renamed from
BridgeAddress to ContractAddress, but this won't break the wire
format and the only consumer appears to be the CLI.
Change includes a "go mod tidy" - it insisted.
Change-Id: Id8b312827737f07f2d5f3944ebce469d946e7f51
Jonathan Claudius
Evan Gray
Csongor Kiss
bruce-riley
Csongor Kiss
Hendrik Hofstadt
Jeff Schroeder
Bruce Riley
Leo
tbjump
Chirantan Ekbote
Josh Siegel
tbjump
Leopold Schabel
justinschuldt
Paul Noel
Jonathan Claudius
Paul Noel
justinschuldt
jumpsiegel
