Require server-issued challenges for attestation submit

[Mavline]

Follow-up to #1746.

This tightens the attestation nonce contract so /attest/submit only accepts live server-issued challenges from /attest/challenge. The previous merged path could still be bypassed by supplying client-controlled timestamp fields, and in-tree pico_bridge still had an insecure local-nonce fallback.

What changed:

• require a live challenge nonce for every attestation submit
• stop consulting client-provided timestamp fields during nonce validation
• keep replay tracking in used_nonces after successful challenge consumption
• fail pico_bridge closed when challenge fetch fails instead of synthesizing a local nonce
• add regression coverage for arbitrary nonce rejection, timestamp-bypass rejection, and pico fail-closed behavior

Validation:

• /tmp/rustchain-test-venv/bin/python -m unittest node/tests/test_attest_nonce_replay.py node/tests/test_attest_submit_challenge_binding.py
• /tmp/rustchain-test-venv/bin/python miners/pico_bridge/tests/test_pico_bridge_miner.py

Important deployment note:

• this PR keeps the existing node-local challenge store model; multi-backend deployments still need sticky routing or a shared nonce store for first-submit success across nodes.

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Your PR has a BCOS-L1 or BCOS-L2 label
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[Mavline]

Review-ready. This PR is a focused security hardening follow-up to merged PR #1746.

It closes the remaining client-controlled timestamp / arbitrary-nonce path in /attest/submit and makes pico_bridge fail closed
when a live server-issued challenge cannot be fetched. The targeted regression coverage listed in the PR body is green.

Happy to answer any review questions or adjust the patch if needed.

[Scottcjn]

Review: Approve ✅

Excellent security hardening. Removing the local nonce fallback and requiring server-issued challenges closes a real replay attack surface. Test coverage is thorough.

One minor: expires_at = int(challenge_expires_at) could crash if None — add a guard. Also a breaking change for multi-node setups (documented in the docstring, but worth release notes).

💰 75 RTC — solid security contribution @Mavline.

Please share your RTC wallet address.

[Scottcjn]

Excellent security hardening — removing the client-supplied timestamp attack surface is the right call. Has a merge conflict with main though. Can you rebase? Will merge immediately after.

[Scottcjn]

Update: CI fix just landed on main (removed broken blake2 pip dep). The BCOS scan should pass now. Just need a rebase to resolve merge conflicts, then I'll merge immediately. git fetch origin && git rebase origin/main && git push --force-with-lease

[Scottcjn]

Still approved — excellent security hardening. Just needs rebase against current main. The BCOS scan CI is being fixed separately.

[Scottcjn]

The other 3 createkr PRs just merged via auto-update. Your PR has a real merge conflict that can't be auto-resolved. Can you rebase manually? git fetch origin && git rebase origin/main && git push --force-with-lease

[Scottcjn]

@Mavline — This is solid security work (server-issued challenges for attestation). It has merge conflicts with main after today's merges. Could you rebase? We'll merge promptly.

[Scottcjn]

Thorough review complete. This closes the timestamp-bypass vulnerability cleanly.

What was vulnerable: extract_attestation_timestamp() let clients supply server_time/nonce_ts in the payload, which caused _attest_nonce_requires_challenge() to skip challenge validation entirely. Any miner could forge attestations without fetching a server challenge.

What this fixes:

• Removes the timestamp-based skew fallback path entirely
• attest_validate_and_store_nonce() now unconditionally requires a live challenge from /attest/challenge
• Pico bridge fails closed instead of synthesizing local nonces
• All test suites updated to use _attach_live_challenge() helper
• New regression tests cover: arbitrary nonce rejection, timestamp bypass, expired challenges, pico fail-closed
• DB schema consistency fixed across test fixtures
• tempfile.mktemp → tempfile.mkstemp (minor safety fix)

Deployment note about multi-node sticky routing is appreciated and accurate.

Approved — merging via squash.

[Scottcjn]

Code reviewed and approved — this is solid security work that closes a real bypass vector.

However, the branch has merge conflicts with main (mergeable_state: dirty). Could you rebase onto current main and force-push? Once conflicts are resolved I will merge immediately.

git fetch origin main
git rebase origin/main
# resolve any conflicts
git push --force-with-lease

The conflicts are likely from recent changes to the test fixtures or the main node file. Should be straightforward to resolve.

[Scottcjn]

This is excellent security work — removing the local nonce fallback and requiring server-issued challenges is exactly right. We want to merge this.

However, there are merge conflicts with main. Could you rebase onto main and resolve the conflicts?

git fetch origin
git rebase origin/main
# resolve any conflicts
git push --force-with-lease

Approved: 75 RTC once rebased and merged.

[Scottcjn]

Still has merge conflicts. This is a good security fix — please rebase so we can merge. git fetch origin && git rebase origin/main && git push --force-with-lease

[Scottcjn]

Rebased onto current main — resolved one conflict in tests/test_epoch_settlement_formal.py (trivial: fd → db_fd variable rename from both sides). All 3 commits preserved with original authorship. PR is now mergeable.

[Scottcjn]

Merged! We rebased this for you (trivial conflict in test variable naming). This is excellent security work — removing the local nonce fallback closes a genuine attestation bypass.

Payment: 75 RTC

Please share your RTC wallet address to receive payment (or confirm the one from previous PRs).