Merge branch 'main' into joel/add-slashing-params-vaa

.github/CODEOWNERS

@@ -40,21 +40,21 @@
 
 # Protobuf for node
 
-/proto/node/ @evan-gray @bruce-riley
+/proto/node/ @evan-gray @bruce-riley @panoel
 
 # Guardiand node
 
 ## Fallback
 
-/node/ @bruce-riley @evan-gray @SEJeff
+/node/ @bruce-riley @evan-gray @panoel @SEJeff
 
 ## Entrypoint / RPC
 
 /node/cmd/ @bruce-riley @panoel @evan-gray
 
 ## DB
 
-/node/pkg/db/ @bruce-riley @panoel
+/node/pkg/db/ @bruce-riley @evan-gray @panoel
 
 ## Accountant
 
@@ -78,11 +78,11 @@
 
 ## Public RPC
 
-/node/pkg/publicrpc/ @bruce-riley @panoel
+/node/pkg/publicrpc/ @bruce-riley @evan-gray @panoel
 
 ## Supervisor Framework
 
-/node/pkg/supervisor/ @bruce-riley @evan-gray
+/node/pkg/supervisor/ @bruce-riley @evan-gray @panoel
 
 ## Watchers
 
@@ -91,6 +91,7 @@
 ## Hacks / Tools
 
 /node/hack/ @bruce-riley @panoel @evan-gray
+/node/hack/governor @claudijd @SEJeff @djb15 @johnsaigle
 
 ## Documentation
 

.github/workflows/wormchain-icts.yml

@@ -63,6 +63,7 @@ jobs:
           - "ictest-upgrade"
           - "ictest-wormchain"
           - "ictest-ibc-receiver"
+          - "ictest-cw-wormhole"
       fail-fast: false
 
     steps:

.golangci.yml

@@ -28,3 +28,7 @@ issues:
       text: "^func.*supervisor.*(waitSettle|waitSettleError).*$"
       linters:
         - unused
+    # This file contains hard-coded Sui core contract addresses that are marked as hardcoded credentials.
+    - path: pkg/txverifier/sui_test.go
+
+      text: "G101: Potential hardcoded credentials"

CONTRIBUTING.md

@@ -23,9 +23,7 @@ and code reviews are our most important tools to accomplish that.
   Small commits, meaningful commit messages and useful comments make it easier to review code and improve the
   quality of code review as well as review turnaround times. It's much easier to spot mistakes in small,
   well-defined changes.
-- We welcome typo and grammar fixes to *public facing* documents. This includes
-  things like the whitepapers, but excludes inline code comments. PRs that touch
-  only the latter will be rejected. Fixing typos in comments alongside other non-trivial engineering work is welcome.
+- PRs that only correct typos or make minor wording adjustments will be rejected. Fixing typos alongside other non-trivial engineering work is welcome.
 - Pull requests that modify dependencies must be well-documented so that the benefits of updating can be weighed against
   security and compatibility concerns. Low-effort PRs that update dependencies without any documentation will be rejected.
 

Tiltfile

@@ -604,6 +604,11 @@ if evm2:
     )
 
 
+# Note that ci_tests requires other resources in order to build properly:
+# - eth-devnet  -- required by: accountant_tests, ntt_accountant_tests, tx-verifier
+# - eth-devnet2 -- required by: accountant_tests, ntt_accountant_tests
+# - wormchain   -- required by: accountant_tests, ntt_accountant_tests
+# - solana      -- required by: spydk-ci-tests
 if ci_tests:
     docker_build(
         ref = "sdk-test-image",
@@ -635,6 +640,16 @@ if ci_tests:
             sync("./testing", "/app/testing"),
         ],
     )
+    docker_build(
+        ref = "tx-verifier-monitor", 
+        context = "./devnet/tx-verifier-monitor/",
+        dockerfile = "./devnet/tx-verifier-monitor/Dockerfile"
+    )
+    docker_build(
+        ref = "tx-verifier-test", 
+        context = "./devnet/tx-verifier-monitor/",
+        dockerfile = "./devnet/tx-verifier-monitor/Dockerfile.cast"
+    )
 
     k8s_yaml_with_ns(
         encode_yaml_stream(
@@ -644,6 +659,11 @@ if ci_tests:
                     "BOOTSTRAP_PEERS", str(ccqBootstrapPeers)),
                     "MAX_WORKERS", max_workers))
     )
+
+    # transfer-verifier -- daemon and log monitoring
+    k8s_yaml_with_ns("devnet/tx-verifier.yaml")
+
+    k8s_yaml_with_ns("devnet/tx-verifier-test.yaml")
 
     # separate resources to parallelize docker builds
     k8s_resource(
@@ -676,6 +696,20 @@ if ci_tests:
         trigger_mode = trigger_mode,
         resource_deps = [], # testing/querysdk.sh handles waiting for query-server, not having deps gets the build earlier
     )
+    # launches tx-verifier binary and sets up monitoring script
+    k8s_resource(
+        "tx-verifier-with-monitor",
+        resource_deps = ["eth-devnet"],
+        labels = ["tx-verifier"],
+        trigger_mode = trigger_mode,
+    )
+    # triggers the integration tests that will be detected by the monitor
+    k8s_resource(
+        "tx-verifier-test",
+        resource_deps = ["eth-devnet", "tx-verifier-with-monitor"],
+        labels = ["tx-verifier"],
+        trigger_mode = trigger_mode,
+    )
 
 if terra_classic:
     docker_build(

clients/js/src/cmds/aptos.ts

@@ -57,12 +57,19 @@ export const builder = (y: typeof yargs) =>
       "init-token-bridge",
       "Init token bridge contract",
       (yargs) =>
-        yargs.option("network", NETWORK_OPTIONS).option("rpc", RPC_OPTIONS),
+        yargs
+          .option("network", NETWORK_OPTIONS)
+          .option("rpc", RPC_OPTIONS)
+          .option("contract-address", {
+            describe: "Core contract address",
+            type: "string",
+            demandOption: false,
+          }),
       async (argv) => {
         const network = getNetwork(argv.network);
-        const contract_address = evm_address(
-          contracts.tokenBridge(network, "Aptos")
-        );
+        const contract_address =
+          argv["contract-address"] ||
+          evm_address(contracts.tokenBridge(network, "Aptos"));
         const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
         await callEntryFunc(
           network,
@@ -104,13 +111,18 @@ export const builder = (y: typeof yargs) =>
             demandOption: true,
             describe: "Initial guardian's addresses (CSV)",
             type: "string",
+          })
+          .option("contract-address", {
+            describe: "Core contract address",
+            type: "string",
+            demandOption: false,
           }),
       async (argv) => {
         const network = getNetwork(argv.network);
 
-        const contract_address = evm_address(
-          contracts.coreBridge(network, "Aptos")
-        );
+        const contract_address =
+          argv["contract-address"] ||
+          evm_address(contracts.coreBridge(network, "Aptos"));
         const guardian_addresses = argv["guardian-address"]
           .split(",")
           .map((address) => evm_address(address).substring(24));
@@ -196,11 +208,15 @@ export const builder = (y: typeof yargs) =>
         const b = serializePackage(p);
         const seed = Buffer.from(argv["seed"], "ascii");
 
-        let module_name = APTOS_DEPLOYER_ADDRESS_DEVNET + "::deployer";
-        if (network == "Testnet" || network == "Mainnet") {
-          module_name =
-            "0x0108bc32f7de18a5f6e1e7d6ee7aff9f5fc858d0d87ac0da94dd8d2a5d267d6b::deployer";
+        let deployer = APTOS_DEPLOYER_ADDRESS_DEVNET;
+        const addresses = argv["named-addresses"]?.split(",") || [];
+        for (const addressPair of addresses) {
+          const [name, address] = addressPair.split("=");
+          if (name === "deployer") {
+            deployer = address;
+          }
         }
+        const module_name = deployer + "::deployer";
         const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
         await callEntryFunc(
           network,
@@ -223,12 +239,19 @@ export const builder = (y: typeof yargs) =>
             describe: "Message to send",
             demandOption: true,
           })
-          .option("network", NETWORK_OPTIONS),
+          .option("network", NETWORK_OPTIONS)
+          .option("rpc", RPC_OPTIONS)
+          .option("sender", {
+            describe: "Sender address",
+            type: "string",
+            demandOption: false,
+          }),
       async (argv) => {
         const network = getNetwork(argv.network);
-        const rpc = NETWORKS[network].Aptos.rpc;
-        let module_name = APTOS_DEPLOYER_ADDRESS_DEVNET + "::sender";
-        if (network == "Testnet" || network == "Mainnet") {
+        const rpc = argv.rpc ?? NETWORKS[network].Aptos.rpc;
+        let module_name =
+          (argv.sender || APTOS_DEPLOYER_ADDRESS_DEVNET) + "::sender";
+        if (!argv.sender && (network == "Testnet" || network == "Mainnet")) {
           module_name =
             "0x0108bc32f7de18a5f6e1e7d6ee7aff9f5fc858d0d87ac0da94dd8d2a5d267d6b::sender";
         }

devnet/eth-devnet.yaml

@@ -33,13 +33,16 @@ spec:
       containers:
         - name: anvil
           image: eth-node
+          # This command generates additional accounts compared to the default of 10. The purpose is to use dedicated
+          # accounts for different aspects of the test suite. When adding new integration tests, consider increasing
+          # the number of accounts below and using a fresh key for the new tests.
           command:
             - anvil
             - --silent
             - --mnemonic=myth like bonus scare over problem client lizard pioneer submit female collect
             - --block-time=1
             - --host=0.0.0.0
-            - --accounts=13
+            - --accounts=14
             - --chain-id=1337
           ports:
             - containerPort: 8545

devnet/eth-devnet2.yaml

@@ -34,13 +34,16 @@ spec:
       containers:
         - name: anvil
           image: eth-node
+          # This command generates additional accounts compared to the default of 10. The purpose is to use dedicated
+          # accounts for different aspects of the test suite. When adding new integration tests, consider increasing
+          # the number of accounts below and using a fresh key for the new tests.
           command:
             - anvil
             - --silent
             - --mnemonic=myth like bonus scare over problem client lizard pioneer submit female collect
             - --block-time=1
             - --host=0.0.0.0
-            - --accounts=13
+            - --accounts=14
             - --chain-id=1397
           ports:
             - containerPort: 8545

devnet/tx-verifier-monitor/Dockerfile

@@ -0,0 +1,10 @@
+# There's nothing special about this version, it is simply the `latest` as of
+# the creation date of this file.
+FROM alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a
+
+RUN apk add --no-cache inotify-tools
+
+COPY monitor.sh /monitor.sh
+RUN chmod +x /monitor.sh
+
+CMD ["/monitor.sh"]

devnet/tx-verifier-monitor/Dockerfile.cast

@@ -0,0 +1,13 @@
+# These versions are pinned to match the Dockerfile in the `ethereum/`
+# directory. Otherwise, there is nothing special about them and they can be
+# updated alongside the other Dockerfile.
+FROM --platform=linux/amd64 ghcr.io/foundry-rs/foundry:nightly-55bf41564f605cae3ca4c95ac5d468b1f14447f9@sha256:8c15d322da81a6deaf827222e173f3f81c653136a3518d5eeb41250a0f2e17ea as foundry
+# node is required to install Foundry
+FROM node:19.6.1-slim@sha256:a1ba21bf0c92931d02a8416f0a54daad66cb36a85d2b73af9d73b044f5f57cfc
+
+COPY --from=foundry /usr/local/bin/cast /bin/cast
+
+COPY transfer-verifier-test.sh /transfer-verifier-test.sh
+RUN chmod +x /transfer-verifier-test.sh
+
+CMD ["/transfer-verifier-test.sh"]

devnet/tx-verifier-monitor/README.md

@@ -0,0 +1,64 @@
+# Transfer Verifier -- Integration Tests
+
+## EVM Integration Tests
+
+### Overview
+
+The Transfer Verifier tests involve interacting with the local ethereum devnet defined by the Tilt set-up in this repository.
+
+The basic idea is as follows:
+* Interact with the local Ethereum testnet. This should already have important pieces such as the Token Bridge and Core Bridge deployed.
+* Use `cast` from the foundry tool set to simulate malicious interactions with the Token Bridge.
+* Transfer Verifier detects the malicious messages and emits errors about what went wrong.
+* The error messages are logged to a file
+* A "monitor" script is used to detect the expected error message, waiting until the file is written to
+* If the monitor script sees the expected error message in the error log, it terminates
+
+## Components
+
+### Scripts
+
+#### transfer-verifier-test.sh
+
+Contains the `cast` commands that simulate malicious interactions with the Token Bridge and Core Bridge. It is able to broadcast
+transactions to the `anvil` instance that powers the Ethereum testnet while being able to impersonate arbitrary senders.
+
+This lets us perform actions that otherwise should be impossible, like causing a Publish Message event to be emitted from the Core Bridge
+without a corresponding deposit or transfer into the Token Bridge.
+
+#### monitor.sh
+
+A bash script that monitors the error log file for a specific error pattern. It runs in an infinite loop so it will
+not exit until the error pattern is detected.
+
+The error pattern is defined in `wormhole/devnet/tx-verifier.yaml` and matches an error string in the Transfer Verifier package.
+
+Once the pattern is detected, a success message is logged to a status file. Currently this is unused but this set-up
+could be modified to detect that this script has written the success message to figure out whether the whole test completed successfully.
+
+### Pods
+
+The files detailed below each have a primary role and are responsible for running one of the main pieces of the test functionality:
+
+* The Transfer Verifier binary which monitors the state of the local Ethereum network
+* The integration test script that generates activity that the Transfer Verifier classifies as malicious
+* The monitor script which ensures that the Transfer Verifier successfully
+detected the error we expected, and signals to Tilt that the overall test has
+succeeded
+
+#### devnet/tx-verifier.yaml
+
+Runs the Transfer Verifier binary and redirects its STDERR to the error log file. This allows the output of the binary
+to be monitored by `monitor.sh`.
+
+#### devnet/tx-verifier-test.yaml
+
+Runs the `transfer-verifier-test.sh` script which simulates malicious Token Bridge activity. Defines the RPC URL used
+by that bash script, which corresponds to the `anvil` instance created in the Ethereum devnet.
+
+#### devnet/tx-verifier-monitor.yaml
+
+Defines the expected error string that should be emitted by the Transfer Verifier code assuming that it successfully recognizes
+the malicious Token Bridge activity simulated by the `cast` commands in `transfer-verifier-test.sh`.
+
+It also defines a path to the log file that contains this string.

devnet/tx-verifier-monitor/monitor.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+log_file="${ERROR_LOG_PATH:-/logs/error.log}"
+error_pattern="${ERROR_PATTERN:-ERROR}"
+status_file="/logs/status"
+
+# Wait for log file to exist and be non-empty
+while [ ! -s "${log_file}" ]; do
+    echo "Waiting for ${log_file} to be created and contain data..."
+    sleep 5
+done
+
+# Initialize status
+echo "RUNNING" > "$status_file"
+echo "Monitoring file '${log_file}' for error pattern: '${error_pattern}'"
+
+# Watch for changes in the log file. If we find the error pattern that means we have
+# succeeded. (Transfer verifier should correctly detect errors.
+inotifywait -m -e modify "${log_file}" | while read -r directory events filename; do
+    if grep -q "$error_pattern" "$log_file"; then
+        echo "SUCCESS" > "$status_file"
+        echo "Found error pattern. Exiting."
+        exit 0
+    fi
+done