feat(upgrade): add v1.3.0 upgrade handler (noop) (release/1.3.x)#266
Merged
Conversation
Backport of #263 to release/1.3.x. Replaces the noop v1.3.0 handler with one that re-grants the authz grants moca's custom handlers require but that the moca-iavl commit-time bug dropped from the merkle tree: - each validator SelfDelAddress -> gov : MsgDelegate (Generic) - each SP FundingAddress -> gov : MsgDeposit (Generic) Keyed off the canonical staking/sp stores, so the writes are identical on every node regardless of per-node authz fastnode drift; SaveGrant's Set re-adds each grant to the tree and overwrites any stale fastnode entry. It does NOT purge the store (a 2-node test showed a fastnode-iterator purge forks on a node whose fastnode is missing a tree-backed key); the residual fastnode drift is left to an IAVL rebuild (state-sync or a fastStorageVersionValue bump). Adapted from main: module path mocachain/moca/v2 -> evmos/evmos/v12 in the handler and test imports.
….3.x) Mirror of the #263 review fix on release/1.3.x: drop the SP deposit grant restoration (re-granting it generically broadened authority vs the scoped DepositAuthorization, and was a no-op for the real incident) and narrow the handler to the one grant the state machine requires — validator SelfDelAddress -> gov : MsgDelegate (Generic), enforced by CheckStakeAuthorization on MsgCreateValidator. Renamed V1_3_0RestoreGovGrants -> V1_3_0RestoreValidatorDelegateGrant; SpKeeper dependency removed. Module path evmos/evmos/v12 (release/1.3.x).
…gates (release/1.3.x) Mirror of the #263 decision on release/1.3.x. The only authz grants moca's state machine reads are create-time gates (validator self-del -> gov MsgDelegate in MsgCreateValidator, SP funding -> gov MsgDeposit in MsgCreateStorageProvider); nothing consumes them after creation, and a new creator re-grants before creating, so the grants the moca-iavl bug dropped need no restoration. Restoring/deleting from a handler is also consensus-unsafe (enumeration via the store iterator reads the fastnode, not the tree, and forks on a node whose fastnode is missing a tree-backed key). Real fixes are not a handler: cosmos/iavl#1009 in the binary stops the prove=true panic, and an IAVL fastnode rebuild (state-sync / fastStorageVersionValue bump) clears the drift. Removes app/upgrades/v1_3_0_authz_recovery.go and its test.
Pin moca-iavl to v1.2.0-rc3 = v1.2.0-rc1 + the single fastStorageVersionValue 1.1.0 -> 1.1.1 change. On the v1.3.0 restart every node rebuilds its fastnode index from the canonical IAVL tree, clearing residual fastnode phantoms left by the commit-time SaveVersion early-return bug (node-local, non-consensus, no operator action). rc3 (not rc2): rc2 got proxy-locked to moca-iavl main HEAD, which carries an unrelated x/crypto 0.53 bump (#33) and requires Go 1.25 -- that broke CI (test-unit-cover/test-e2e run Go 1.23). rc3 is a minimal one-line delta off rc1, so this is now a single go.mod line change and stays on Go 1.23. Reframe: the validator->gov StakeAuthorization / SP->gov DepositAuthorization grants that can look 'missing' are consumed and auto-deleted by normal authz flow, not dropped by the bug, so nothing needs restoring.
f7f86ac to
4b9c298
Compare
Contributor
|
[P2] (confidence: 10/10) |
phenix3443
approved these changes
Jun 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes the
v1.3.0upgrade handler a noop (RunMigrations). After investigation, the authz-grant restoration originally proposed here is both unnecessary and unsafe, so it is dropped.Why no restore is needed
The moca-iavl commit-time bug left authz fastnode-vs-merkle-tree drift. But the only authz grants moca's state machine reads are create-time gates, verified across staking / slashing / distribution / sp / virtualgroup:
MsgDelegateMsgCreateValidatoronlyblockHeight != 0(genesis skips)MsgDepositMsgCreateStorageProvideronlyblockHeight != 0Nothing reads them after creation — Delegate, Redelegate, Undelegate, EditValidator, Unjail, Impeach, WithdrawReward, WithdrawCommission, slashing, SP Deposit top-ups, EditStorageProvider, UpdateSpStoragePrice/Status all skip the check. And a new validator/SP creator
MsgGrants right before creating, so even creation needs no pre-existing grant. So the dropped grants need no restoration; existing validators/SPs are unaffected.Why a handler can't safely touch them anyway
The only grant enumeration reachable from a handler is the store iterator, which reads the IAVL fastnode, not the tree. A 2-node test proved a purge/regrant keyed off it forks on a node whose fastnode is missing a tree-backed key (fastnode < tree): the key survives in that node's tree while others delete it → divergent apphash → halt.
The real v1.3.0 fixes (not a handler)
cosmos/iavl#1009(in the v1.3.0 binary) — stops theprove=truepanic on the phantom keys.fastStorageVersionValue— rebuilds the fastnode from the canonical tree, covering both drift directions with zero consensus risk.Change
Removes
app/upgrades/v1_3_0_authz_recovery.go+ test; the handler is an inline noop with a comment explaining the above.Backport of #263 to
release/1.3.x(module pathevmos/evmos/v12; wires between the v1.2.0 and testnet handlers).