[BUG FIX] Consensus: hardcoded year, missing block validation, memory leak (3 bugs, Medium-High severity)#1824
Closed
AliaksandrNazaruk wants to merge 1 commit intoScottcjn:mainfrom
Closed
Conversation
…y leak Bug 1: CURRENT_YEAR hardcoded to 2025, breaks all Antiquity Score calculations in 2026+. Now uses datetime.now().year dynamically. Bug 2: validate_block() never verifies merkle_root or block hash, allowing blocks with tampered miner data or forged hashes to pass validation. Added merkle root and hash integrity checks. Bug 3: known_hardware dict never cleared between blocks, causing unbounded memory growth and preventing hardware from mining in subsequent blocks after its first submission. Ref: #305 (Bug Report Bounty)
github-actions
bot
added
the
BCOS-L1
This was referenced Mar 24, 2026
Owner
|
The CURRENT_YEAR hardcoded-to-dynamic fix is a legitimate bug fix. However, this PR rewrites 2 entire files (chain_params.py: 149/148, poa.py: 490/467) to make a 1-line change. Please resubmit with only the actual fix: # chain_params.py - change this one line:
import datetime as _dt
CURRENT_YEAR: int = _dt.datetime.now(_dt.timezone.utc).yearMinimal diffs are easier to review and less risky to merge. We appreciate the bug find! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Report & Fix — Ref #305
Bug 1: CURRENT_YEAR hardcoded to 2025 (Medium)
File:
rips/rustchain-core/config/chain_params.pyImpact: All Antiquity Score calculations are wrong in 2026+. A 1992 CPU gets AS based on 33-year age instead of correct 34. Every miner's score is off by ~3%, affecting reward distribution.
Fix: Replace hardcoded
2025withdatetime.now(timezone.utc).year.Bug 2: validate_block() skips merkle_root and hash verification (High)
File:
rips/rustchain-core/consensus/poa.pyImpact: Blocks with tampered miner data (fake rewards, fake wallets) pass validation because merkle_root and block hash are never checked. An attacker could submit a block claiming higher rewards for their wallet.
Fix: Added merkle root recalculation check and block hash integrity verification.
Bug 3: known_hardware memory leak (Medium)
File:
rips/rustchain-core/consensus/poa.pyImpact:
known_hardwaredict is never cleared between blocks. After N blocks, it holds every hardware hash ever seen. Worse: hardware that mined in block N is permanently blocked from mining in block N+1 (duplicate hardware check always triggers for returning miners).Fix: Clear
known_hardwarein_reset_block().Steps to Reproduce
print(CURRENT_YEAR)→ outputs 2025 in 2026miners[0].reward, callvalidate_block()→ returns Truesubmit_proof()for miner A in block 1, callproduce_block(), thensubmit_proof()for miner A in block 2 → rejected as duplicateRTC Wallet:
0x0(will update)— grim-cod-29