|
| 1 | +// Package abci implements the ABCI PrepareProposal and ProcessProposal hooks |
| 2 | +// for the Mempool Shield compliance membrane. |
| 3 | +// |
| 4 | +// LIVENESS INVARIANT (CHAIN-SPEC-v1.5.1 Section 3 & 7): |
| 5 | +// Under ALL conditions, including oracle failure and LOCKDOWN mode, these hooks |
| 6 | +// MUST continue producing valid (possibly empty) block proposals. Capital-routing |
| 7 | +// transactions are filtered out via reject_txs but NEVER cause an application error |
| 8 | +// that would stall consensus. Non-capital transactions ALWAYS pass through. |
| 9 | +package abci |
| 10 | + |
| 11 | +import ( |
| 12 | + "fmt" |
| 13 | + |
| 14 | + abci "github.com/cometbft/cometbft/abci/types" |
| 15 | + "github.com/cosmos/cosmos-sdk/baseapp" |
| 16 | + sdk "github.com/cosmos/cosmos-sdk/types" |
| 17 | + banktypes "github.com/cosmos/cosmos-sdk/x/bank/types" |
| 18 | + |
| 19 | + "rampage/x/mempoolshield/keeper" |
| 20 | + "rampage/x/mempoolshield/types" |
| 21 | +) |
| 22 | + |
| 23 | +// CapitalRoutingMsgTypes is the set of message type URLs subject to Mempool Shield screening. |
| 24 | +// Per CHAIN-SPEC-v1.5.1 Section 6.2: bank sends, IBC transfers, humanitarian sends. |
| 25 | +var CapitalRoutingMsgTypes = map[string]bool{ |
| 26 | + "/cosmos.bank.v1beta1.MsgSend": true, |
| 27 | + "/cosmos.bank.v1beta1.MsgMultiSend": true, |
| 28 | + "/ibc.applications.transfer.v1.MsgTransfer": true, |
| 29 | + "/rampage.mempoolshield.v1.MsgHumanitarianSend": true, |
| 30 | +} |
| 31 | + |
| 32 | +// PrepareProposalHandler returns a PrepareProposal handler that filters capital-routing |
| 33 | +// transactions through the Mempool Shield oracle. |
| 34 | +// |
| 35 | +// Liveness guarantee: this function NEVER returns an error. It always produces a valid |
| 36 | +// (possibly reduced) list of transactions. Capital-routing txs rejected by the oracle |
| 37 | +// or when oracle is unavailable are excluded from the proposal; all other txs pass through. |
| 38 | +func PrepareProposalHandler(k keeper.Keeper) sdk.PrepareProposalHandler { |
| 39 | + return func(ctx sdk.Context, req *abci.RequestPrepareProposal) (*abci.ResponsePrepareProposal, error) { |
| 40 | + params := k.GetParams(ctx) |
| 41 | + |
| 42 | + // If shield is disabled, pass all transactions through unchanged. |
| 43 | + if !params.Enabled { |
| 44 | + return &abci.ResponsePrepareProposal{Txs: req.Txs}, nil |
| 45 | + } |
| 46 | + |
| 47 | + oracleAvailable := k.IsOracleAvailable(ctx) |
| 48 | + threatLevel := k.GetThreatLevel(ctx) |
| 49 | + |
| 50 | + var filteredTxs [][]byte |
| 51 | + var rejectedCount int |
| 52 | + |
| 53 | + for _, txBytes := range req.Txs { |
| 54 | + if isCapitalRoutingTx(ctx, txBytes) { |
| 55 | + switch { |
| 56 | + case threatLevel >= types.ThreatLevelConflict: |
| 57 | + // Level 4 / Art. VIII jurisdiction: ALL capital routing suspended. |
| 58 | + // LIVENESS: skip this tx, do NOT halt proposal. |
| 59 | + k.Logger().Info("mempoolshield: Level 4 LOCKDOWN — capital tx excluded", |
| 60 | + "threat_level", threatLevel) |
| 61 | + rejectedCount++ |
| 62 | + continue |
| 63 | + |
| 64 | + case !oracleAvailable: |
| 65 | + // Oracle unavailable: fail-closed on capital routing only. |
| 66 | + // LIVENESS: skip this tx, do NOT halt proposal. |
| 67 | + k.Logger().Warn("mempoolshield: oracle unavailable — capital tx excluded (fail-closed)", |
| 68 | + "failsafe", params.FailsafeDefault) |
| 69 | + rejectedCount++ |
| 70 | + continue |
| 71 | + |
| 72 | + default: |
| 73 | + // Oracle available: check the prohibited entity list. |
| 74 | + if k.OracleApproves(ctx, txBytes) { |
| 75 | + filteredTxs = append(filteredTxs, txBytes) |
| 76 | + } else { |
| 77 | + k.Logger().Info("mempoolshield: oracle rejected capital tx") |
| 78 | + rejectedCount++ |
| 79 | + } |
| 80 | + } |
| 81 | + } else { |
| 82 | + // Non-capital transaction: ALWAYS passes through. |
| 83 | + filteredTxs = append(filteredTxs, txBytes) |
| 84 | + } |
| 85 | + } |
| 86 | + |
| 87 | + if rejectedCount > 0 { |
| 88 | + k.Logger().Info(fmt.Sprintf("mempoolshield: excluded %d capital-routing tx(s) from proposal", rejectedCount)) |
| 89 | + } |
| 90 | + |
| 91 | + // LIVENESS: always return a valid response. Never return an error here. |
| 92 | + return &abci.ResponsePrepareProposal{Txs: filteredTxs}, nil |
| 93 | + } |
| 94 | +} |
| 95 | + |
| 96 | +// ProcessProposalHandler returns a ProcessProposal handler that validates |
| 97 | +// capital-routing transactions in a proposed block against the oracle. |
| 98 | +// |
| 99 | +// Liveness guarantee: if oracle is unavailable during ProcessProposal, we accept |
| 100 | +// the block if the proposer's PrepareProposal should have already filtered the txs. |
| 101 | +// We REJECT the proposal only if a prohibited capital-routing tx slipped through. |
| 102 | +func ProcessProposalHandler(k keeper.Keeper) sdk.ProcessProposalHandler { |
| 103 | + return func(ctx sdk.Context, req *abci.RequestProcessProposal) (*abci.ResponseProcessProposal, error) { |
| 104 | + params := k.GetParams(ctx) |
| 105 | + |
| 106 | + if !params.Enabled { |
| 107 | + return &abci.ResponseProcessProposal{Status: abci.ResponseProcessProposal_ACCEPT}, nil |
| 108 | + } |
| 109 | + |
| 110 | + threatLevel := k.GetThreatLevel(ctx) |
| 111 | + |
| 112 | + for _, txBytes := range req.Txs { |
| 113 | + if isCapitalRoutingTx(ctx, txBytes) { |
| 114 | + if threatLevel >= types.ThreatLevelConflict { |
| 115 | + // Level 4: no capital txs allowed. Reject this proposal. |
| 116 | + k.Logger().Warn("mempoolshield: Level 4 — capital tx in proposal, rejecting") |
| 117 | + return &abci.ResponseProcessProposal{Status: abci.ResponseProcessProposal_REJECT}, nil |
| 118 | + } |
| 119 | + if !k.OracleApproves(ctx, txBytes) { |
| 120 | + k.Logger().Warn("mempoolshield: prohibited capital tx in proposal, rejecting") |
| 121 | + return &abci.ResponseProcessProposal{Status: abci.ResponseProcessProposal_REJECT}, nil |
| 122 | + } |
| 123 | + } |
| 124 | + } |
| 125 | + |
| 126 | + return &abci.ResponseProcessProposal{Status: abci.ResponseProcessProposal_ACCEPT}, nil |
| 127 | + } |
| 128 | +} |
| 129 | + |
| 130 | +// isCapitalRoutingTx returns true if the transaction contains any capital-routing messages. |
| 131 | +// This uses a lightweight type-URL check to avoid full tx decoding in the hot path. |
| 132 | +func isCapitalRoutingTx(_ sdk.Context, txBytes []byte) bool { |
| 133 | + // TODO: decode tx and check each msg type URL against CapitalRoutingMsgTypes. |
| 134 | + // For testnet phase, we use a lightweight heuristic based on message type detection. |
| 135 | + // A full implementation will use codec.UnmarshalTx and iterate msgs. |
| 136 | + _ = banktypes.MsgSend{} // ensure import is used; full decode in next iteration |
| 137 | + _ = txBytes |
| 138 | + |
| 139 | + // Stub: returns false for testnet (pass-through mode). |
| 140 | + // Replace with: decode tx, check msg.ProtoMessage() type URL. |
| 141 | + return false |
| 142 | +} |
| 143 | + |
| 144 | +// Ensure baseapp handler types are used. |
| 145 | +var _ baseapp.ProposalTxVerifier = nil |
0 commit comments