Problem (Fix #1313): light client doesn't verify the fetched staking …

…state

Solution:
- Add staking_root in sync state
- Remove the "account" path in favor of the new "staking" path
- Client staking state command add wallet name parameter,
  and verify staking state and proof against the trusted staking_root in sync state
- Need to sync wallet before fetching the new staking state now.

chain-abci/src/app/query.rs

@@ -170,26 +170,6 @@ impl<T: EnclaveProxy> ChainNodeApp<T> {
                     "app state not found",
                 );
             }
-            "account" => {
-                let account_address = StakedStateAddress::try_from(_req.data.as_slice());
-                if let (Some(state), Ok(address)) = (&self.last_state, account_address) {
-                    let (account, _proof) =
-                        get_with_proof(&self.storage, state.staking_version, &address);
-                    match account {
-                        Some(a) => {
-                            resp.value = a.encode();
-                            // TODO: inclusion proof
-                        }
-                        None => {
-                            resp.log += "account lookup failed: account not exists";
-                            resp.code = 1;
-                        }
-                    }
-                } else {
-                    resp.log += "account lookup failed (either invalid address or node not correctly restored / initialized)";
-                    resp.code = 3;
-                }
-            }
             "staking" => {
                 let mversion = if let Ok(height) = _req.height.try_into() {
                     self.storage.get_historical_staking_version(height)

chain-abci/tests/abci_app.rs

@@ -779,18 +779,6 @@ fn no_delivered_tx_commit_should_keep_apphash() {
     assert_eq!(&old_app_hash[..], &cresp.data[..]);
 }
 
-#[test]
-fn query_should_return_an_account() {
-    let addr = "fe7c045110b8dbf29765047380898919c5cb56f9";
-    let mut app = init_chain_for(addr.parse().unwrap());
-    let mut qreq = RequestQuery::new();
-    qreq.data = hex::decode(&addr).unwrap();
-    qreq.path = "account".into();
-    let qresp = app.query(&qreq);
-    let account = StakedState::decode(&mut qresp.value.as_slice()).unwrap();
-    assert_eq!(account.address, StakedStateAddress::from_str(addr).unwrap());
-}
-
 #[test]
 fn staking_query_should_return_an_account() {
     let addr = "fe7c045110b8dbf29765047380898919c5cb56f9";

chain-core/src/init/config.rs

@@ -149,7 +149,7 @@ impl InitConfig {
 
     /// returns the initial accounts
     /// assumes one called [validate_config_get_genesis], otherwise it may panic
-    fn get_account(&self, genesis_time: Timespec) -> Vec<StakedState> {
+    pub fn get_account(&self, genesis_time: Timespec) -> Vec<StakedState> {
         self.distribution
             .iter()
             .map(|(address, (destination, amount))| {

chain-core/src/state/account/address.rs

@@ -121,3 +121,11 @@ impl FromStr for StakedStateAddress {
         Ok(StakedStateAddress::BasicRedeem(RedeemAddress::from_str(s)?))
     }
 }
+
+impl AsRef<[u8]> for StakedStateAddress {
+    fn as_ref(&self) -> &[u8] {
+        match self {
+            StakedStateAddress::BasicRedeem(a) => &a,
+        }
+    }
+}

client-cli/src/command.rs

@@ -50,7 +50,11 @@ use client_core::cipher::mock::MockAbciTransactionObfuscation;
 #[cfg(not(feature = "mock-enclave"))]
 use client_core::cipher::DefaultTransactionObfuscation;
 
+#[cfg(not(feature = "mock-enclave"))]
 type AppTransactionCipher = DefaultTransactionObfuscation;
+#[cfg(feature = "mock-enclave")]
+type AppTransactionCipher = MockAbciTransactionObfuscation<WebsocketRpcClient>;
+
 type AppTxBuilder = DefaultWalletTransactionBuilder<SledStorage, LinearFee, AppTransactionCipher>;
 type AppWalletClient = DefaultWalletClient<SledStorage, WebsocketRpcClient, AppTxBuilder>;
 
@@ -152,6 +156,8 @@ pub enum Command {
     },
     #[structopt(name = "state", about = "Get staked state of an address")]
     StakedState {
+        #[structopt(name = "wallet name", short = "n", long = "name", help = "Wallet name")]
+        name: String,
         #[structopt(
             name = "staking address",
             short = "a",
@@ -327,7 +333,11 @@ impl Command {
                 transaction_command
                     .execute(network_ops_client.get_wallet_client(), &network_ops_client)
             }
-            Command::StakedState { address, hardware } => {
+            Command::StakedState {
+                name,
+                address,
+                hardware,
+            } => {
                 let hw_key_service = match hardware {
                     None => HwKeyService::default(),
                     #[cfg(feature = "mock-hardware-wallet")]
@@ -361,7 +371,7 @@ impl Command {
                     fee_algorithm,
                     transaction_obfuscation,
                 );
-                Self::get_staked_stake(&network_ops_client, address)
+                Self::get_staked_stake(&network_ops_client, &name, address)
             }
             Command::Sync {
                 name,
@@ -395,9 +405,10 @@ impl Command {
 
     fn get_staked_stake<N: NetworkOpsClient>(
         network_ops_client: &N,
+        name: &str,
         address: &StakedStateAddress,
     ) -> Result<()> {
-        let staked_state = network_ops_client.get_staked_state(address)?;
+        let staked_state = network_ops_client.get_staked_state(name, address, true)?;
 
         let bold = CellFormat::builder().bold(true).build();
         let justify_right = CellFormat::builder().justify(Justify::Right).build();

client-cli/src/command/transaction_command.rs

@@ -602,6 +602,7 @@ fn new_withdraw_transaction<T: WalletClient, N: NetworkOpsClient>(
         &from_address,
         to_address,
         attributes,
+        true,
     )
 }
 
@@ -613,7 +614,8 @@ fn new_unbond_transaction<N: NetworkOpsClient>(
     let attributes = StakedStateOpAttributes::new(get_network_id());
     let address = ask_staking_address()?;
     let value = ask_cro()?;
-    network_ops_client.create_unbond_stake_transaction(name, enckey, address, value, attributes)
+    network_ops_client
+        .create_unbond_stake_transaction(name, enckey, address, value, attributes, true)
 }
 
 fn new_deposit_transaction<T: WalletClient, N: NetworkOpsClient>(
@@ -644,6 +646,7 @@ fn new_deposit_transaction<T: WalletClient, N: NetworkOpsClient>(
         transactions,
         to_address,
         attributes,
+        true,
     )
 }
 
@@ -701,6 +704,7 @@ fn new_deposit_amount_transaction<T: WalletClient, N: NetworkOpsClient>(
         transactions,
         to_staking_address,
         attr,
+        true,
     )?;
     let tx_id = transaction.tx_id();
     success(&format!(
@@ -758,7 +762,7 @@ fn new_unjail_transaction<N: NetworkOpsClient>(
     let attributes = StakedStateOpAttributes::new(get_network_id());
     let address = ask_staking_address()?;
 
-    network_ops_client.create_unjail_transaction(name, enckey, address, attributes)
+    network_ops_client.create_unjail_transaction(name, enckey, address, attributes, true)
 }
 
 fn new_node_join_transaction<N: NetworkOpsClient>(
@@ -776,6 +780,7 @@ fn new_node_join_transaction<N: NetworkOpsClient>(
         staking_account_address,
         attributes,
         node_metadata,
+        true,
     )
 }
 

client-core/Cargo.toml

@@ -11,6 +11,7 @@ client-common = { path = "../client-common" }
 chain-tx-filter = { path = "../chain-tx-filter" }
 enclave-protocol = { path = "../enclave-protocol" }
 chain-tx-validation = { path = "../chain-tx-validation" }
+chain-storage = { path = "../chain-storage" }
 mock-utils = { path = "../chain-tx-enclave/mock-utils" }
 secp256k1zkp = { git = "https://github.com/crypto-com/rust-secp256k1-zkp.git", rev = "f8759809f6e3fed793b37166f7cd91c57cdb2eab", features = ["serde", "zeroize", "rand", "recovery", "endomorphism", "musig"] }
 parity-scale-codec = { features = ["derive"], version = "1.3" }

client-core/src/service/sync_state_service.rs

@@ -1,3 +1,4 @@
+use chain_core::common::H256;
 use client_common::tendermint::lite;
 use client_common::{ErrorKind, Result, ResultExt, Storage};
 use parity_scale_codec::{Decode, Encode};
@@ -15,15 +16,18 @@ pub struct SyncState {
     pub last_app_hash: String,
     /// current trusted state for lite client verification
     pub trusted_state: lite::TrustedState,
+    /// current trusted staking_root
+    pub staking_root: H256,
 }
 
 impl SyncState {
     /// construct genesis global state
-    pub fn genesis(genesis_validators: Vec<validator::Info>) -> SyncState {
+    pub fn genesis(genesis_validators: Vec<validator::Info>, staking_root: H256) -> SyncState {
         SyncState {
             last_block_height: 0,
             last_app_hash: "".to_owned(),
             trusted_state: lite::TrustedState::genesis(genesis_validators),
+            staking_root,
         }
     }
 }
@@ -131,6 +135,7 @@ mod tests {
                         "3891040F29C6A56A5E36B17DCA6992D8F91D1EAAB4439D008D19A9D703271D3C"
                             .to_string(),
                     trusted_state: TrustedState::genesis(vec![]),
+                    staking_root: [0u8; 32],
                 }
             )
             .is_ok());
@@ -174,7 +179,7 @@ mod tests {
             gen.validators.clone(),
         )
         .into();
-        let mut state = SyncState::genesis(vec![]);
+        let mut state = SyncState::genesis(vec![], [0u8; 32]);
         state.last_block_height = 1;
         state.last_app_hash =
             "0F46E113C21F9EACB26D752F9523746CF8D47ECBEA492736D176005911F973A5".to_owned();

client-core/src/wallet.rs

@@ -29,7 +29,7 @@ use client_common::{
 use serde::{Deserialize, Serialize};
 
 use crate::hd_wallet::HardwareKind;
-use crate::service::WalletInfo;
+use crate::service::{SyncState, WalletInfo};
 use crate::transaction_builder::{SignedTransferTransaction, UnsignedTransferTransaction};
 use crate::types::{AddressType, TransactionChange, TransactionPending, WalletBalance, WalletKind};
 use crate::{InputSelectionStrategy, Mnemonic, UnspentTransactions};
@@ -379,6 +379,9 @@ pub trait WalletClient: Send + Sync {
         enckey: &SecKey,
         signed_tx: SignedTransferTransaction,
     ) -> Result<TxId>;
+
+    /// Get current sync state of wallet, return genesis one if not exists.
+    fn get_sync_state(&self, name: &str) -> Result<SyncState>;
 }
 
 /// Interface for a generic wallet for multi-signature transactions

client-core/src/wallet/default_wallet_client.rs

@@ -5,7 +5,7 @@ use crate::transaction_builder::{SignedTransferTransaction, UnsignedTransferTran
 use crate::types::{
     AddressType, BalanceChange, TransactionChange, TransactionPending, WalletBalance, WalletKind,
 };
-use crate::wallet::syncer::AddressRecovery;
+use crate::wallet::syncer::{get_genesis_sync_state, AddressRecovery};
 use crate::wallet::syncer_logic::create_transaction_change;
 use crate::{
     InputSelectionStrategy, Mnemonic, MultiSigWalletClient, UnspentTransactions, WalletClient,
@@ -1084,6 +1084,16 @@ where
             ))
         }
     }
+
+    fn get_sync_state(&self, name: &str) -> Result<SyncState> {
+        let mstate = self.sync_state_service.get_global_state(name)?;
+        let sync_state = if let Some(sync_state) = mstate {
+            sync_state
+        } else {
+            get_genesis_sync_state(&self.tendermint_client)?
+        };
+        Ok(sync_state)
+    }
 }
 
 impl<S, C, T> MultiSigWalletClient for DefaultWalletClient<S, C, T>