Skip to content

fix(types): return false instead of panic in verify_multi_proof#177

Merged
poszu merged 1 commit intopodnetwork:mainfrom
giwaov:fix/merkle-verify-panic
Mar 3, 2026
Merged

fix(types): return false instead of panic in verify_multi_proof#177
poszu merged 1 commit intopodnetwork:mainfrom
giwaov:fix/merkle-verify-panic

Conversation

@giwaov
Copy link
Contributor

@giwaov giwaov commented Mar 2, 2026

Summary

MerkleTree::verify_multi_proof panicked instead of returning false when the stack and path lengths were in an unexpected state after processing all proof flags.

Proof verification functions handle untrusted external data — proofs come from RPC responses and deserialized network messages. A malformed or adversarially crafted proof would crash the process rather than be rejected as invalid.

The same function already returns false in two earlier guard checks for invalid proofs:

if path_len < proof.flags.iter().filter(|&&f| !f).count() {
    tracing::debug!("invalid multiproof: too few path hashes");
    return false;
}

if leaves.len() + path_len != proof.flags.len() + 1 {
    tracing::debug!("invalid multiproof: invalid total hashes");
    return false;
}

The final match arm was inconsistent with these:

// Before
_ => panic!("invalid multiproof: invalid total hashes"),

// After
_ => {
    tracing::debug!("invalid multiproof: invalid total hashes");
    return false;
}

Test plan

  • Confirm that passing a malformed MerkleMultiProof (e.g. mismatched flags/path lengths that bypass the early guards) returns false instead of panicking
  • Confirm existing multi-proof tests still pass

@giwaov
fix(types): return false instead of panic in verify_multi_proof
a59cfe4 
The final match arm in `MerkleTree::verify_multi_proof` called
`panic!()` when the stack/path lengths were in an unexpected state after
processing all flags. Proof data comes from external sources (RPC
responses, deserialized network messages), so a malformed proof would
crash the process rather than return a verification failure.

Two earlier guard checks in the same function already return `false` for
invalid proofs. Align this last branch with the same pattern: log a
debug message and return `false`.
poszu
poszu approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@poszu poszu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose the intent of the author was to show that this path is not possible to be executed (even on invalid input) but it's difficult to prove this is true.

@poszu poszu merged commit ec9d628 into podnetwork:main Mar 3, 2026
13 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@poszu poszu poszu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@giwaov @poszu