From a59cfe4a391a82f39021f4b31c5fa6f05dd8dc08 Mon Sep 17 00:00:00 2001
From: giwaov <giwavictor9@gmail.com>
Date: Mon, 2 Mar 2026 20:17:25 +0100
Subject: [PATCH] fix(types): return false instead of panic in
 verify_multi_proof

The final match arm in `MerkleTree::verify_multi_proof` called
`panic!()` when the stack/path lengths were in an unexpected state after
processing all flags. Proof data comes from external sources (RPC
responses, deserialized network messages), so a malformed proof would
crash the process rather than return a verification failure.

Two earlier guard checks in the same function already return `false` for
invalid proofs. Align this last branch with the same pattern: log a
debug message and return `false`.
---
 types/src/cryptography/merkle_tree.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/types/src/cryptography/merkle_tree.rs b/types/src/cryptography/merkle_tree.rs
index 0c3096b6..0ac1ae5b 100644
--- a/types/src/cryptography/merkle_tree.rs
+++ b/types/src/cryptography/merkle_tree.rs
@@ -432,7 +432,10 @@ impl MerkleTree {
         let reconstructed_root = match (stack.len(), path.len()) {
             (1, 0) => stack.remove(0),
             (0, 1) => path.remove(0),
-            _ => panic!("invalid multiproof: invalid total hashes"),
+            _ => {
+                tracing::debug!("invalid multiproof: invalid total hashes");
+                return false;
+            }
         };
 
         root == reconstructed_root