Skip to content

feat(upgrade): add v1.3.0 upgrade handler (noop) (release/1.3.x)#266

Merged
puneet2019 merged 5 commits into
release/1.3.xfrom
feat/v1.3.0-authz-recovery-1.3.x
Jun 15, 2026
Merged

feat(upgrade): add v1.3.0 upgrade handler (noop) (release/1.3.x)#266
puneet2019 merged 5 commits into
release/1.3.xfrom
feat/v1.3.0-authz-recovery-1.3.x

Conversation

@puneet2019

@puneet2019 puneet2019 commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Makes the v1.3.0 upgrade handler a noop (RunMigrations). After investigation, the authz-grant restoration originally proposed here is both unnecessary and unsafe, so it is dropped.

Why no restore is needed

The moca-iavl commit-time bug left authz fastnode-vs-merkle-tree drift. But the only authz grants moca's state machine reads are create-time gates, verified across staking / slashing / distribution / sp / virtualgroup:

consumer where gated
validator self-del → gov MsgDelegate MsgCreateValidator only blockHeight != 0 (genesis skips)
SP funding → gov MsgDeposit MsgCreateStorageProvider only blockHeight != 0

Nothing reads them after creation — Delegate, Redelegate, Undelegate, EditValidator, Unjail, Impeach, WithdrawReward, WithdrawCommission, slashing, SP Deposit top-ups, EditStorageProvider, UpdateSpStoragePrice/Status all skip the check. And a new validator/SP creator MsgGrants right before creating, so even creation needs no pre-existing grant. So the dropped grants need no restoration; existing validators/SPs are unaffected.

Why a handler can't safely touch them anyway

The only grant enumeration reachable from a handler is the store iterator, which reads the IAVL fastnode, not the tree. A 2-node test proved a purge/regrant keyed off it forks on a node whose fastnode is missing a tree-backed key (fastnode < tree): the key survives in that node's tree while others delete it → divergent apphash → halt.

The real v1.3.0 fixes (not a handler)

  • cosmos/iavl#1009 (in the v1.3.0 binary) — stops the prove=true panic on the phantom keys.
  • IAVL fastnode rebuild — state-sync the drifted nodes, or bump fastStorageVersionValue — rebuilds the fastnode from the canonical tree, covering both drift directions with zero consensus risk.

Change

Removes app/upgrades/v1_3_0_authz_recovery.go + test; the handler is an inline noop with a comment explaining the above.


Backport of #263 to release/1.3.x (module path evmos/evmos/v12; wires between the v1.2.0 and testnet handlers).

Backport of #263 to release/1.3.x. Replaces the noop
v1.3.0 handler with one that re-grants the authz grants moca's custom
handlers require but that the moca-iavl commit-time bug dropped from the
merkle tree:
  - each validator SelfDelAddress -> gov : MsgDelegate (Generic)
  - each SP FundingAddress       -> gov : MsgDeposit  (Generic)

Keyed off the canonical staking/sp stores, so the writes are identical on
every node regardless of per-node authz fastnode drift; SaveGrant's Set
re-adds each grant to the tree and overwrites any stale fastnode entry.
It does NOT purge the store (a 2-node test showed a fastnode-iterator
purge forks on a node whose fastnode is missing a tree-backed key); the
residual fastnode drift is left to an IAVL rebuild (state-sync or a
fastStorageVersionValue bump).

Adapted from main: module path mocachain/moca/v2 -> evmos/evmos/v12 in
the handler and test imports.
….3.x)

Mirror of the #263 review fix on release/1.3.x: drop the SP deposit grant
restoration (re-granting it generically broadened authority vs the scoped
DepositAuthorization, and was a no-op for the real incident) and narrow
the handler to the one grant the state machine requires —
validator SelfDelAddress -> gov : MsgDelegate (Generic), enforced by
CheckStakeAuthorization on MsgCreateValidator.

Renamed V1_3_0RestoreGovGrants -> V1_3_0RestoreValidatorDelegateGrant;
SpKeeper dependency removed. Module path evmos/evmos/v12 (release/1.3.x).
@puneet2019 puneet2019 changed the title feat(upgrade): v1.3.0 restore required gov authz grants (release/1.3.x) feat(upgrade): v1.3.0 restore validator delegate grant required for create-validator (release/1.3.x) Jun 12, 2026
…gates (release/1.3.x)

Mirror of the #263 decision on release/1.3.x. The only authz grants
moca's state machine reads are create-time gates (validator self-del ->
gov MsgDelegate in MsgCreateValidator, SP funding -> gov MsgDeposit in
MsgCreateStorageProvider); nothing consumes them after creation, and a
new creator re-grants before creating, so the grants the moca-iavl bug
dropped need no restoration. Restoring/deleting from a handler is also
consensus-unsafe (enumeration via the store iterator reads the fastnode,
not the tree, and forks on a node whose fastnode is missing a tree-backed
key).

Real fixes are not a handler: cosmos/iavl#1009 in the binary stops the
prove=true panic, and an IAVL fastnode rebuild (state-sync /
fastStorageVersionValue bump) clears the drift.

Removes app/upgrades/v1_3_0_authz_recovery.go and its test.
@puneet2019 puneet2019 changed the title feat(upgrade): v1.3.0 restore validator delegate grant required for create-validator (release/1.3.x) feat(upgrade): add v1.3.0 upgrade handler (noop) (release/1.3.x) Jun 12, 2026
Pin moca-iavl to v1.2.0-rc3 = v1.2.0-rc1 + the single fastStorageVersionValue
1.1.0 -> 1.1.1 change. On the v1.3.0 restart every node rebuilds its fastnode
index from the canonical IAVL tree, clearing residual fastnode phantoms left by
the commit-time SaveVersion early-return bug (node-local, non-consensus, no
operator action).

rc3 (not rc2): rc2 got proxy-locked to moca-iavl main HEAD, which carries an
unrelated x/crypto 0.53 bump (#33) and requires Go 1.25 -- that broke CI
(test-unit-cover/test-e2e run Go 1.23). rc3 is a minimal one-line delta off rc1,
so this is now a single go.mod line change and stays on Go 1.23.

Reframe: the validator->gov StakeAuthorization / SP->gov DepositAuthorization
grants that can look 'missing' are consumed and auto-deleted by normal authz
flow, not dropped by the bug, so nothing needs restoring.
@puneet2019 puneet2019 force-pushed the feat/v1.3.0-authz-recovery-1.3.x branch from f7f86ac to 4b9c298 Compare June 15, 2026 07:01
@phenix3443

Copy link
Copy Markdown
Contributor

[P2] (confidence: 10/10) .tool-versions:1 — the repo still pins golang 1.23.11, but this PR raises the module directive to Go 1.25.0 in go.mod:3, and the rest of the repo already expects 1.25.10 in Makefile:7 and CI workflows such as .github/workflows/build.yml:22. Anyone using asdf or mise from .tool-versions will get the wrong toolchain and hit avoidable build/test failures on this branch. Fix: update .tool-versions to the supported 1.25.x version, ideally 1.25.10 to match CI.

@puneet2019 puneet2019 merged commit 3097f6e into release/1.3.x Jun 15, 2026
18 of 24 checks passed
@puneet2019 puneet2019 deleted the feat/v1.3.0-authz-recovery-1.3.x branch June 15, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants