SiaFoundation / core

Core packages for the Sia project
MIT License

consensus: Add validateSupplement #177

Closed lukechampine closed 2 months ago

lukechampine commented 3 months ago

Previously, ValidateBlock (and by extension, ApplyBlock) assumed that the supplied V1BlockSupplement was valid. This is not entirely unreasonable, since the supplement is computed locally -- unlike the Block itself, it is not directly manipulable by an attacker. However, even if a local computation isn't malicious, it can still be buggy! And indeed, we recently discovered that the consensusDB helper in validation_test.go was not updating the Merkle proofs of its elements, which ultimately led to a panic in ApplyBlock.

This PR adds a validateSupplement step to ApplyBlock, which ensures that all of the state elements in the supplement exist in the accumulator (and have not been spent or resolved). Note that this is different from how we handle accumulator checks in v2 transactions: in v2, we check the Merkle proofs individually (e.g. in validateV2Siacoins), whereas with v1 we validate all of the proofs in one place. Each strategy has its pros and cons; personally, doing accumulator checks in v1 validation functions just felt a bit out-of-place to me. Besides, there are other checks that need to be performed for the supplement, so centralizing them seemed sensible.
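The kind of check described above, as an added sketch that is not code from this PR or from the Sia core repository: every element of a supplement is verified against the accumulator root in one place, so a proof that was not updated after the accumulator changed is returned as an error before the block is applied. It assumes a toy accumulator (a fixed-size binary Merkle tree over SHA-256 whose leaf hash commits to the spent flag); `element`, `snapshot`, `leafHash` and `nodeHash` are hypothetical names, and only the name `validateSupplement` is borrowed from the PR.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// element is a hypothetical stand-in for a supplement's state element; Proof runs leaf to root.
type element struct{ ID string; Index int; Proof [][32]byte }

func leafHash(id string, spent bool) [32]byte { return sha256.Sum256([]byte(fmt.Sprintf("leaf|%t|%s", spent, id))) }
func nodeHash(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte("node|"), l[:]...), r[:]...)) }

// snapshot builds a toy accumulator over 2^k ids: its root, and each element with a fresh proof.
func snapshot(ids []string, spent map[string]bool) ([32]byte, []element) {
	level, elems := make([][32]byte, len(ids)), make([]element, len(ids))
	for i, id := range ids {
		level[i], elems[i] = leafHash(id, spent[id]), element{ID: id, Index: i}
	}
	for d := 0; len(level) > 1; d, level = d+1, level[:len(level)/2] {
		for j := range elems { // record each leaf's sibling at this depth
			elems[j].Proof = append(elems[j].Proof, level[(j>>d)^1])
		}
		for i := 0; i < len(level)/2; i++ { // fold pairs into the next level, in place
			level[i] = nodeHash(level[2*i], level[2*i+1])
		}
	}
	return level[0], elems
}

// validateSupplement checks every proof in one place and names the first element that fails.
func validateSupplement(root [32]byte, elems []element) error {
	for _, e := range elems {
		h := leafHash(e.ID, false) // only an unspent leaf can reach the root
		for d, sib := range e.Proof {
			p, b := [2][32]byte{h, sib}, (e.Index>>d)&1 // b == 1: h is the right child
			h = nodeHash(p[b], p[1-b])
		}
		if h != root {
			return fmt.Errorf("element %q: stale proof, spent, or not in the accumulator", e.ID)
		}
	}
	return nil
}

func main() {
	_, old := snapshot([]string{"a", "b", "c", "d"}, nil) // constructed IDs; proofs taken before a spend
	root, _ := snapshot([]string{"a", "b", "c", "d"}, map[string]bool{"c": true})
	fmt.Println(validateSupplement(root, old[:1])) // "a" is unspent, but its proof is stale
}
```

Because the error is produced before any state is touched, a helper that forgets to refresh its proofs shows up as a failed validation rather than as a panic later in block application.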