diff --git a/packages/rs-platform-wallet-ffi/src/core_wallet/broadcast.rs b/packages/rs-platform-wallet-ffi/src/core_wallet/broadcast.rs index 24d54bb077..f10d71848e 100644 --- a/packages/rs-platform-wallet-ffi/src/core_wallet/broadcast.rs +++ b/packages/rs-platform-wallet-ffi/src/core_wallet/broadcast.rs @@ -70,17 +70,32 @@ pub unsafe extern "C" fn core_wallet_send_to_addresses( check_ptr!(out_tx_bytes); check_ptr!(out_tx_len); - let mut outputs = Vec::with_capacity(count); - let addr_ptrs = std::slice::from_raw_parts(addresses, count); - let amount_slice = std::slice::from_raw_parts(amounts, count); + // `std::slice::from_raw_parts` requires a non-null, properly + // aligned pointer even for `len == 0`. Swift's empty + // `Array.withUnsafeBufferPointer.baseAddress` returns `nil`, so + // the `count == 0` path is allowed to ship null `addresses` / + // `amounts` — guard against constructing the slice in that case. + let outputs: Vec<(dashcore::Address, u64)> = if count == 0 { + Vec::new() + } else { + let addr_ptrs = std::slice::from_raw_parts(addresses, count); + let amount_slice = std::slice::from_raw_parts(amounts, count); - for i in 0..count { - let c_str = unwrap_result_or_return!(std::ffi::CStr::from_ptr(addr_ptrs[i]).to_str()); - - let addr = unwrap_result_or_return!(dashcore::Address::from_str(c_str)).assume_checked(); - - outputs.push((addr, amount_slice[i])); - } + let mut outputs = Vec::with_capacity(count); + for i in 0..count { + if addr_ptrs[i].is_null() { + return PlatformWalletFFIResult::err( + PlatformWalletFFIResultCode::ErrorNullPointer, + format!("null address pointer at index {i}"), + ); + } + let c_str = unwrap_result_or_return!(std::ffi::CStr::from_ptr(addr_ptrs[i]).to_str()); + let addr = + unwrap_result_or_return!(dashcore::Address::from_str(c_str)).assume_checked(); + outputs.push((addr, amount_slice[i])); + } + outputs + }; use key_wallet::account::account_type::StandardAccountType; let std_account_type = match account_type { @@ -134,3 +149,93 @@ pub unsafe extern "C" fn core_wallet_free_tx_bytes(bytes: *mut u8, len: usize) { let _ = Box::from_raw(std::ptr::slice_from_raw_parts_mut(bytes, len)); } } + +#[cfg(test)] +mod tests { + use super::*; + use crate::handle::NULL_HANDLE; + + /// `count == 0` MUST NOT touch `addresses` / `amounts` — Swift's + /// empty `Array.withUnsafeBufferPointer.baseAddress` gives `nil`, + /// and `slice::from_raw_parts` is UB on a null pointer regardless + /// of length. Pass `NULL_HANDLE` so the storage lookup short- + /// circuits to `NotFound` before any wallet code runs — we only + /// care that input marshalling did not blow up. + #[test] + fn send_to_addresses_zero_count_null_pointers_is_safe() { + // Use a non-null but fake signer pointer; the closure that + // would dereference it is never entered because `NULL_HANDLE` + // makes `with_item` return `None`. + let fake_signer = 0x1 as *mut MnemonicResolverHandle; + let mut out_tx: *mut u8 = std::ptr::null_mut(); + let mut out_len: usize = 0; + + let result = unsafe { + core_wallet_send_to_addresses( + NULL_HANDLE, + 0, // BIP44Account + 0, + std::ptr::null(), // null addresses — allowed because count == 0 + std::ptr::null(), // null amounts — allowed because count == 0 + 0, + fake_signer, + &mut out_tx, + &mut out_len, + ) + }; + assert_eq!(result.code, PlatformWalletFFIResultCode::NotFound); + } + + /// Non-null `addresses` array with `count == 0` is also fine. + #[test] + fn send_to_addresses_zero_count_nonnull_pointers_is_safe() { + let dummy_addr: *const c_char = std::ptr::null(); + let dummy_amount: u64 = 0; + let addrs: [*const c_char; 1] = [dummy_addr]; + let amts: [u64; 1] = [dummy_amount]; + let fake_signer = 0x1 as *mut MnemonicResolverHandle; + let mut out_tx: *mut u8 = std::ptr::null_mut(); + let mut out_len: usize = 0; + + let result = unsafe { + core_wallet_send_to_addresses( + NULL_HANDLE, + 0, + 0, + addrs.as_ptr(), + amts.as_ptr(), + 0, // count = 0 → array contents ignored + fake_signer, + &mut out_tx, + &mut out_len, + ) + }; + assert_eq!(result.code, PlatformWalletFFIResultCode::NotFound); + } + + /// A null entry inside the address array must surface as + /// `ErrorNullPointer`, not UB. + #[test] + fn send_to_addresses_null_element_is_rejected() { + let addrs: [*const c_char; 2] = [std::ptr::null(), std::ptr::null()]; + let amts: [u64; 2] = [1, 2]; + let fake_signer = 0x1 as *mut MnemonicResolverHandle; + let mut out_tx: *mut u8 = std::ptr::null_mut(); + let mut out_len: usize = 0; + + let result = unsafe { + core_wallet_send_to_addresses( + NULL_HANDLE, + 0, + 0, + addrs.as_ptr(), + amts.as_ptr(), + 2, + fake_signer, + &mut out_tx, + &mut out_len, + ) + }; + assert_eq!(result.code, PlatformWalletFFIResultCode::ErrorNullPointer); + } +} diff --git a/packages/rs-platform-wallet-ffi/src/error.rs b/packages/rs-platform-wallet-ffi/src/error.rs index adbe771c8c..9a65d70374 100644 --- a/packages/rs-platform-wallet-ffi/src/error.rs +++ b/packages/rs-platform-wallet-ffi/src/error.rs @@ -77,6 +77,21 @@ pub enum PlatformWalletFFIResultCode { ErrorMemoryAllocation = 11, ErrorUtf8Conversion = 12, + /// No spendable inputs available on the account — wait for sync / + /// new UTXOs and retry, or surface a depleted-wallet message. + /// Carries the typed [`PlatformWalletError::NoSpendableInputs`] + /// (account_type / account_index / context) stringified in the + /// `message` field. + ErrorNoSpendableInputs = 30, + /// Transaction builder selected an outpoint that another in-flight + /// build had already reserved — retryable. The originating + /// [`PlatformWalletError::ConcurrentSpendConflict`] carries a + /// `Vec` of the colliding inputs; that payload is + /// stringified into the `message` field for now (TODO: propagate + /// the structured outpoint list across the FFI when a generic + /// payload sidecar exists). + ErrorConcurrentSpendConflict = 31, + NotFound = 98, // Used exclusively for all the Option that are retuned as errors ErrorUnknown = 99, } @@ -156,7 +171,16 @@ impl From> for PlatformWalletFFIResult { impl From for PlatformWalletFFIResult { fn from(error: PlatformWalletError) -> Self { - PlatformWalletFFIResult::err(PlatformWalletFFIResultCode::ErrorUnknown, error.to_string()) + let code = match &error { + PlatformWalletError::NoSpendableInputs { .. } => { + PlatformWalletFFIResultCode::ErrorNoSpendableInputs + } + PlatformWalletError::ConcurrentSpendConflict { .. } => { + PlatformWalletFFIResultCode::ErrorConcurrentSpendConflict + } + _ => PlatformWalletFFIResultCode::ErrorUnknown, + }; + PlatformWalletFFIResult::err(code, error.to_string()) } } diff --git a/packages/rs-platform-wallet/src/error.rs b/packages/rs-platform-wallet/src/error.rs index 717462e065..306a194b9b 100644 --- a/packages/rs-platform-wallet/src/error.rs +++ b/packages/rs-platform-wallet/src/error.rs @@ -1,5 +1,6 @@ +use dashcore::OutPoint; use dpp::identifier::Identifier; -use key_wallet::Network; +use key_wallet::{account::StandardAccountType, Network}; /// Errors that can occur in platform wallet operations #[derive(Debug, thiserror::Error)] @@ -60,6 +61,19 @@ pub enum PlatformWalletError { #[error("Transaction building failed: {0}")] TransactionBuild(String), + #[error( + "Transaction builder selected an unavailable UTXO (concurrent spend); retry. \ + Selected outpoints: {selected:?}" + )] + ConcurrentSpendConflict { selected: Vec }, + + #[error("no spendable inputs available on {account_type} account {account_index}: {context}")] + NoSpendableInputs { + account_type: StandardAccountType, + account_index: u32, + context: String, + }, + #[error("Asset lock proof waiting failed: {0}")] AssetLockProofWait(String), diff --git a/packages/rs-platform-wallet/src/wallet/core/broadcast.rs b/packages/rs-platform-wallet/src/wallet/core/broadcast.rs index 4609d1fb6d..bd4ba64d90 100644 --- a/packages/rs-platform-wallet/src/wallet/core/broadcast.rs +++ b/packages/rs-platform-wallet/src/wallet/core/broadcast.rs @@ -1,7 +1,11 @@ -use dashcore::{Address as DashAddress, Transaction}; +use std::collections::BTreeSet; + +use dashcore::{Address as DashAddress, OutPoint, Transaction}; use key_wallet::account::account_type::StandardAccountType; use key_wallet::managed_account::managed_account_trait::ManagedAccountTrait; use key_wallet::signer::Signer; +use key_wallet::transaction_checking::{TransactionContext, WalletTransactionChecker}; +use key_wallet::wallet::managed_wallet_info::wallet_info_interface::WalletInfoInterface; use crate::broadcaster::TransactionBroadcaster; use crate::{CoreWallet, PlatformWalletError}; @@ -31,21 +35,19 @@ impl CoreWallet { /// for UTXO selection, fee estimation, and signing. Change is sent to /// the next internal address of the specified account. /// + /// Concurrent calls on the same wallet handle are race-safe via the + /// reservation set in [`super::reservations`]: the second caller + /// short-circuits with [`PlatformWalletError::NoSpendableInputs`] + /// before touching the network if all UTXOs are reserved by an + /// in-flight broadcast. + /// /// Signing is delegated to the caller-supplied /// [`Signer`](key_wallet::signer::Signer) via the /// `impl TransactionSigner for S` blanket in /// `key-wallet`'s `transaction_builder.rs`. For Swift wallets this - /// is typically a - /// [`MnemonicResolverCoreSigner`](crate::wallet::asset_lock::build) - /// from `platform-wallet-ffi`, backed by the Keychain-resolver - /// vtable so private keys never cross the FFI boundary. - /// - /// **Note (smell):** the body of this method is a near-duplicate of - /// `ManagedWalletInfo::build_and_sign_transaction` in `key-wallet` - /// (`wallet/managed_wallet_info/transaction_building.rs`). - /// It's reimplemented here because the upstream helper is BIP-44-only, - /// parametrizing upstream on `AccountTypePreference` so it picks - /// `standard_bip{32,44}_accounts` would be a trivial change + /// is typically a `MnemonicResolverCoreSigner` from + /// `platform-wallet-ffi`, backed by the Keychain-resolver vtable so + /// private keys never cross the FFI boundary. pub async fn send_to_addresses( &self, account_type: StandardAccountType, @@ -55,7 +57,6 @@ impl CoreWallet { ) -> Result { use key_wallet::wallet::managed_wallet_info::coin_selection::SelectionStrategy; use key_wallet::wallet::managed_wallet_info::transaction_builder::TransactionBuilder; - use key_wallet::wallet::managed_wallet_info::wallet_info_interface::WalletInfoInterface; if outputs.is_empty() { return Err(PlatformWalletError::TransactionBuild( @@ -63,7 +64,7 @@ impl CoreWallet { )); } - let tx = { + let (tx, _reservation) = { let mut wm = self.wallet_manager.write().await; let (wallet, info) = wm.get_wallet_and_info_mut(&self.wallet_id).ok_or_else(|| { crate::error::PlatformWalletError::WalletNotFound( @@ -120,15 +121,63 @@ impl CoreWallet { ), }; - // The blanket `impl TransactionSigner for S` in - // `key-wallet/src/wallet/managed_wallet_info/transaction_builder.rs:482` - // makes the signer drop-in for the previously `Wallet`-backed - // path; the funds-derived `address_derivation_path` lookup is - // unchanged. + let xpub = account.account_xpub; + + // Snapshot spendable UTXOs minus any in-flight reservations from + // a concurrent `send_to_addresses` on this handle. Single lock + // acquisition for the whole filter pass. + let reserved = self.reservations.snapshot(); + let spendable: Vec<_> = managed_account + .spendable_utxos(current_height) + .into_iter() + .filter(|utxo| !reserved.contains(&utxo.outpoint)) + .cloned() + .collect(); + + if spendable.is_empty() { + return Err(PlatformWalletError::NoSpendableInputs { + account_index, + account_type, + context: "all UTXOs used or reserved by in-flight transactions".to_string(), + }); + } + + // Pick the next change address. Peek (advance=false) first; if the + // peeked address is already pending from a concurrent in-flight + // send (CMT-006), advance the derivation index and peek again + // until we find one that is not pending. The final chosen + // address is committed (advance=true) inside this same write + // lock and inserted into the reservation set so a concurrent + // caller can never select the same change address. Advancing + // burns at most one index per concurrent in-flight send — a + // bounded, acceptable cost for privacy. + let pending_change = self.reservations.pending_change_snapshot(); + let change_addr = loop { + let peeked = managed_account + .next_change_address(Some(&xpub), false) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + if !pending_change.contains(&peeked) { + // Commit the advance now (under the same write lock as + // the outpoint reservation below). On broadcast failure + // a single index is burned — acceptable; on success the + // pending-change entry is released when the guard drops + // post-`check_core_transaction`. + let _ = managed_account + .next_change_address(Some(&xpub), true) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + break peeked; + } + // Burn this index by advancing past it and try again. + let _ = managed_account + .next_change_address(Some(&xpub), true) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + }; + let mut builder = TransactionBuilder::new() .set_current_height(current_height) .set_selection_strategy(SelectionStrategy::LargestFirst) - .set_funding(managed_account, account); + .set_change_address(change_addr.clone()) + .add_inputs(spendable.iter().cloned()); for (addr, amount) in &outputs { builder = builder.add_output(addr, *amount); } @@ -138,11 +187,761 @@ impl CoreWallet { managed_account.address_derivation_path(&addr) }) .await - .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; - tx + .map_err(|e| { + // TODO(CMT-005, #3585): Brittle substring match against upstream Display impl. + // Pinned key-wallet exposes typed BuilderError::CoinSelection(SelectionError::…) + // (InsufficientFunds, NoUtxosAvailable). Pattern-match the enum here once the + // classification can be threaded through `build_signed`'s error type. Deferred + // pending a focused refactor with test coverage for the typed variants. + let msg = e.to_string(); + if msg.contains("Insufficient funds") || msg.contains("No UTXOs available") { + PlatformWalletError::NoSpendableInputs { + account_type, + account_index, + context: msg, + } + } else { + PlatformWalletError::TransactionBuild(msg) + } + })?; + + // Defense-in-depth: unreachable under normal builder contract but guards against + // a future regression where coin selection picks an outpoint outside `spendable`. + let selected: BTreeSet = + tx.input.iter().map(|txin| txin.previous_output).collect(); + let spendable_outpoints: BTreeSet = + spendable.iter().map(|utxo| utxo.outpoint).collect(); + if !selected.is_subset(&spendable_outpoints) { + // Typed retryable variant: forward-compatible with cross-process + // concurrent-spend surfacing; today only a builder regression hits it. + return Err(PlatformWalletError::ConcurrentSpendConflict { + selected: selected.into_iter().collect(), + }); + } + + // Defense-in-depth: re-snapshot spendable UTXOs after `build_signed` and confirm + // every selected outpoint is still present. Today every UTXO mutator goes through + // the wallet write lock that we hold across build, so this is unreachable — but + // a future mutator running outside the lock (mempool listener, chain reorg, etc.) + // would slip through the pre-build `spendable` snapshot above; this fresh re-fetch + // catches it before broadcast. The reservations guard remains the primary in-process + // race defense; this is the cross-process / cross-subsystem net. + let fresh_spendable_outpoints: BTreeSet = managed_account + .spendable_utxos(current_height) + .into_iter() + .map(|utxo| utxo.outpoint) + .collect(); + if !selected.is_subset(&fresh_spendable_outpoints) { + let missing: Vec = selected + .difference(&fresh_spendable_outpoints) + .copied() + .collect(); + return Err(PlatformWalletError::ConcurrentSpendConflict { selected: missing }); + } + + // Reserve before releasing the lock so the next caller sees these outpoints + // filtered out *and* skips the peeked change address. Guard held until + // `check_core_transaction` marks them spent (success) or the error + // unwinds (failure → outpoints released for retry). + let reservation = self + .reservations + .reserve(selected.into_iter().collect(), Some(change_addr.clone())); + + (tx, reservation) }; + // Broadcast first — on error we leave wallet state untouched so the caller can retry. + // If the network accepted but the call errored (ambiguous outcome), a retry will be + // rejected as a duplicate spend rather than us marking UTXOs spent prematurely. self.broadcast_transaction(&tx).await?; + + // Mark inputs spent under the write lock, transitioning them from "reserved" to "spent" + // before the reservation guard drops — no observable gap for concurrent callers. + // Warning paths below do NOT return Err: the network already accepted the tx. + // + // CMT-003: the reservation is released *only* when both + // (a) the wallet lookup succeeded, and + // (b) `check_core_transaction` recognised the tx as relevant (i.e. it marked + // the inputs as spent in `managed_account.utxos`). + // If either fails, releasing the reservation would let a concurrent caller + // select the same UTXO and produce a double-spend on the network. The change + // index was already committed inside the build write lock above, so a single + // gap is acceptable — leak the reservation until a full sync reconciles. + let mut reconciled = false; + { + let mut wm = self.wallet_manager.write().await; + if let Some((wallet, info)) = wm.get_wallet_mut_and_info_mut(&self.wallet_id) { + let check_result = info + .check_core_transaction(&tx, TransactionContext::Mempool, wallet, true, true) + .await; + if check_result.is_relevant { + reconciled = true; + } else { + // Own-built tx unrecognised by our checker is an internal invariant + // violation, not a transient. Stable event field for operator alerting. + tracing::error!( + target: "platform_wallet::broadcast", + event = "post_broadcast_unrelated_to_own_wallet", + txid = %tx.txid(), + wallet_id = %hex::encode(self.wallet_id), + "Internal invariant violation: own-built broadcast not recognized by post-broadcast check" + ); + } + } else { + // Log-only: broadcast already succeeded; the wallet handle is stale and + // future sends will surface a clean `WalletNotFound` from the lookup above. + tracing::warn!( + target: "platform_wallet::broadcast", + event = "post_broadcast_wallet_missing", + wallet_id = %hex::encode(self.wallet_id), + txid = %tx.txid(), + "wallet missing during post-broadcast transaction registration" + ); + } + } + + if reconciled { + // Inputs are now marked spent; safe to release reservation. + _reservation.release_after_commit(); + } else { + // Broadcast succeeded but state could not be reconciled. Releasing the + // reservation now risks a concurrent send re-selecting the same UTXO and + // producing a double-spend the network would reject. Keep it held until + // a future sync reconciles — a wallet restart is the eventual relief. + tracing::warn!( + target: "platform_wallet::broadcast", + event = "post_broadcast_reservation_leaked_until_sync", + txid = %tx.txid(), + wallet_id = %hex::encode(self.wallet_id), + "leaking outpoint reservation: post-broadcast reconciliation failed" + ); + _reservation.leak_until_sync(); + } + Ok(tx) } } + +#[cfg(test)] +mod tests { + //! Broadcast and `send_to_addresses` contracts. + //! + //! Pins: + //! - `broadcast_transaction` forwards the broadcaster's `Ok`/`Err` unchanged. + //! - Concurrent `send_to_addresses` on the same wallet handle resolves via + //! the reservation set: the loser short-circuits with `NoSpendableInputs` + //! before reaching the broadcaster. + //! - A broadcast failure releases the reservation so a retry sees the same + //! UTXO as spendable again. + //! - An empty spendable snapshot (e.g. all UTXOs reserved) maps to + //! `NoSpendableInputs` via the early-exit guard. + use std::sync::atomic::{AtomicUsize, Ordering}; + use std::sync::Arc; + + use async_trait::async_trait; + use dashcore::consensus::deserialize; + use dashcore::{Transaction, Txid}; + use tokio::sync::RwLock; + + use crate::broadcaster::TransactionBroadcaster; + use crate::wallet::core::balance::WalletBalance; + use crate::wallet::core::CoreWallet; + use crate::PlatformWalletError; + use key_wallet::Network; + use key_wallet_manager::WalletManager; + + /// Records every call and returns a canned outcome. + struct MockBroadcaster { + outcome: BroadcastOutcome, + calls: AtomicUsize, + } + + enum BroadcastOutcome { + Ok(Txid), + Err(String), + } + + impl MockBroadcaster { + fn new(outcome: BroadcastOutcome) -> Self { + Self { + outcome, + calls: AtomicUsize::new(0), + } + } + + fn call_count(&self) -> usize { + self.calls.load(Ordering::SeqCst) + } + } + + #[async_trait] + impl TransactionBroadcaster for MockBroadcaster { + async fn broadcast(&self, _transaction: &Transaction) -> Result { + self.calls.fetch_add(1, Ordering::SeqCst); + match &self.outcome { + BroadcastOutcome::Ok(txid) => Ok(*txid), + BroadcastOutcome::Err(msg) => { + Err(PlatformWalletError::TransactionBroadcast(msg.clone())) + } + } + } + } + + /// Minimal serialized tx (1 input, 1 output, 0 value) — only the + /// broadcaster's Err/Ok branch matters here, not the shape. + fn dummy_transaction() -> Transaction { + let bytes = hex::decode( + "010000000100000000000000000000000000000000000000000000000000000000000000\ + 00ffffffff00ffffffff0100000000000000000000000000", + ) + .expect("valid hex"); + deserialize(&bytes).expect("deserializable tx") + } + + fn make_core_wallet(broadcaster: Arc) -> CoreWallet { + let sdk = Arc::new( + dash_sdk::SdkBuilder::new_mock() + .build() + .expect("mock sdk build"), + ); + let wallet_manager = Arc::new(RwLock::new(WalletManager::new(Network::Testnet))); + CoreWallet::new( + sdk, + wallet_manager, + [0u8; 32], + broadcaster, + Arc::new(WalletBalance::new()), + ) + } + + /// `broadcast_transaction` forwards a broadcaster `Err` to the caller + /// without transformation. + #[tokio::test] + async fn broadcast_transaction_passes_through_err_unchanged() { + let broadcaster = Arc::new(MockBroadcaster::new(BroadcastOutcome::Err( + "simulated network rejection".to_string(), + ))); + let wallet = make_core_wallet(Arc::clone(&broadcaster)); + let tx = dummy_transaction(); + + let result = wallet.broadcast_transaction(&tx).await; + + assert!( + matches!(result, Err(PlatformWalletError::TransactionBroadcast(_))), + "expected broadcast Err to propagate, got {:?}", + result + ); + assert_eq!( + broadcaster.call_count(), + 1, + "broadcaster must be called exactly once on a failed broadcast" + ); + } + + /// `broadcast_transaction` forwards the broadcaster's `Txid` to the + /// caller without transformation. + #[tokio::test] + async fn broadcast_transaction_passes_through_ok_unchanged() { + let expected_txid = dummy_transaction().txid(); + let broadcaster = Arc::new(MockBroadcaster::new(BroadcastOutcome::Ok(expected_txid))); + let wallet = make_core_wallet(Arc::clone(&broadcaster)); + let tx = dummy_transaction(); + + let result = wallet.broadcast_transaction(&tx).await; + + assert_eq!( + result.expect("broadcast Ok"), + expected_txid, + "broadcast_transaction must pass the broadcaster's Txid through unchanged" + ); + assert_eq!( + broadcaster.call_count(), + 1, + "broadcaster must be called exactly once on a successful broadcast" + ); + } + + // Race-closing tests: same-UTXO concurrent `send_to_addresses`. + // B must short-circuit with `NoSpendableInputs` before the network — a `TransactionBroadcast` + // failure from B would mean the bug is still open. + + use std::collections::BTreeMap; + + use dashcore::hashes::Hash; + use dashcore::{Address as DashAddress, OutPoint, TxOut}; + use key_wallet::wallet::initialization::WalletAccountCreationOptions; + use key_wallet::wallet::Wallet; + use key_wallet::Utxo; + use tokio::sync::Notify; + + use crate::wallet::platform_wallet::PlatformWalletInfo; + use key_wallet::wallet::managed_wallet_info::ManagedWalletInfo; + + /// In-memory `Signer` for tests — mirrors the one in key-wallet's own + /// transaction-building tests. Backed by the mnemonic wallet's root + /// extended private key, so derivation paths from the funded account + /// resolve to the keys that actually own the seeded UTXO. + struct InMemorySigner { + root: key_wallet::wallet::root_extended_keys::RootExtendedPrivKey, + network: Network, + } + + const IN_MEMORY_METHODS: &[key_wallet::signer::SignerMethod] = + &[key_wallet::signer::SignerMethod::Digest]; + + #[async_trait] + impl key_wallet::signer::Signer for InMemorySigner { + type Error = String; + + fn supported_methods(&self) -> &[key_wallet::signer::SignerMethod] { + IN_MEMORY_METHODS + } + + async fn sign_ecdsa( + &self, + path: &key_wallet::bip32::DerivationPath, + sighash: [u8; 32], + ) -> Result< + ( + dashcore::secp256k1::ecdsa::Signature, + dashcore::secp256k1::PublicKey, + ), + Self::Error, + > { + let secp = dashcore::secp256k1::Secp256k1::new(); + let xpriv = self + .root + .to_extended_priv_key(self.network) + .derive_priv(&secp, path) + .map_err(|e| e.to_string())?; + let msg = dashcore::secp256k1::Message::from_digest(sighash); + let sig = secp.sign_ecdsa(&msg, &xpriv.private_key); + let pk = dashcore::secp256k1::PublicKey::from_secret_key(&secp, &xpriv.private_key); + Ok((sig, pk)) + } + + async fn public_key( + &self, + path: &key_wallet::bip32::DerivationPath, + ) -> Result { + let secp = dashcore::secp256k1::Secp256k1::new(); + let xpriv = self + .root + .to_extended_priv_key(self.network) + .derive_priv(&secp, path) + .map_err(|e| e.to_string())?; + Ok(dashcore::secp256k1::PublicKey::from_secret_key( + &secp, + &xpriv.private_key, + )) + } + } + + fn root_from( + wallet: &key_wallet::wallet::Wallet, + ) -> key_wallet::wallet::root_extended_keys::RootExtendedPrivKey { + match &wallet.wallet_type { + key_wallet::wallet::WalletType::Mnemonic { + root_extended_private_key, + .. + } => root_extended_private_key.clone(), + _ => unreachable!("test wallets are mnemonic"), + } + } + + /// Mock broadcaster that gates the broadcast on an external `Notify`. + /// `entered` fires the moment `broadcast()` is awaited — by then the + /// caller has reserved its outpoints and dropped the wallet write lock. + struct GatedBroadcaster { + gate: Arc, + entered: Arc, + calls: AtomicUsize, + succeed: bool, + } + + #[async_trait] + impl TransactionBroadcaster for GatedBroadcaster { + async fn broadcast(&self, transaction: &Transaction) -> Result { + self.calls.fetch_add(1, Ordering::SeqCst); + self.entered.notify_one(); + self.gate.notified().await; + if self.succeed { + Ok(transaction.txid()) + } else { + Err(PlatformWalletError::TransactionBroadcast( + "mock failure".to_string(), + )) + } + } + } + + /// Always-failing mock broadcaster — used to assert that a failed + /// broadcast releases the reservation so a retry can pick up the + /// same UTXO. + struct FailingBroadcaster; + + #[async_trait] + impl TransactionBroadcaster for FailingBroadcaster { + async fn broadcast(&self, _transaction: &Transaction) -> Result { + Err(PlatformWalletError::TransactionBroadcast( + "always fails".to_string(), + )) + } + } + + /// Build a single-wallet `WalletManager` containing one BIP-44 + /// account (index 0) funded with one large UTXO at the account's + /// first receive address. Returns the wallet manager handle, the + /// wallet id, a recipient address (a separate derived address in the + /// same account — funding/sending to the same address is not the + /// property under test), and a signer backed by the wallet's + /// mnemonic root so `build_signed` can sign the seeded UTXO. + fn build_funded_wallet_manager( + utxo_value: u64, + ) -> ( + Arc>>, + crate::wallet::platform_wallet::WalletId, + DashAddress, + InMemorySigner, + ) { + let wallet = Wallet::new_random(Network::Testnet, WalletAccountCreationOptions::Default) + .expect("test wallet"); + let signer = InMemorySigner { + root: root_from(&wallet), + network: Network::Testnet, + }; + + let xpub = wallet + .accounts + .standard_bip44_accounts + .get(&0) + .expect("bip44 account 0") + .account_xpub; + let mut wallet_info = ManagedWalletInfo::from_wallet(&wallet, 0); + + // Height must be well past UTXO height: `select_coins_with_size` enforces + // `min_confirmations >= 1`, which requires synced_height > utxo_height. + use key_wallet::wallet::managed_wallet_info::wallet_info_interface::WalletInfoInterface as _; + wallet_info.update_synced_height(100); + + let funding_address = wallet_info + .accounts + .standard_bip44_accounts + .get_mut(&0) + .expect("managed bip44 account 0") + .next_receive_address(Some(&xpub), true) + .expect("derive receive address"); + + let outpoint = OutPoint::new(Txid::from_byte_array([7u8; 32]), 0); + let mut utxo = Utxo::new( + outpoint, + TxOut { + value: utxo_value, + script_pubkey: funding_address.script_pubkey(), + }, + funding_address, + 1, + false, + ); + utxo.is_confirmed = true; + wallet_info + .accounts + .standard_bip44_accounts + .get_mut(&0) + .expect("managed bip44 account 0") + .utxos + .insert(outpoint, utxo); + + let info = PlatformWalletInfo { + core_wallet: wallet_info, + balance: Arc::new(WalletBalance::new()), + identity_manager: crate::wallet::identity::IdentityManager::new(), + tracked_asset_locks: BTreeMap::new(), + }; + + let mut wm: WalletManager = WalletManager::new(Network::Testnet); + let wallet_id = wm.insert_wallet(wallet, info).expect("insert"); + + // Recipient — use the second receive address as a stable target. + let recipient = { + let info = wm.get_wallet_info_mut(&wallet_id).expect("info"); + info.core_wallet + .accounts + .standard_bip44_accounts + .get_mut(&0) + .expect("acc") + .next_receive_address(Some(&xpub), true) + .expect("derive recipient") + }; + + (Arc::new(RwLock::new(wm)), wallet_id, recipient, signer) + } + + fn make_core_wallet_for_manager( + wm: Arc>>, + wallet_id: crate::wallet::platform_wallet::WalletId, + broadcaster: Arc, + ) -> CoreWallet { + let sdk = Arc::new(dash_sdk::SdkBuilder::new_mock().build().expect("mock sdk")); + CoreWallet::new( + sdk, + wm, + wallet_id, + broadcaster, + Arc::new(WalletBalance::new()), + ) + } + + /// Two concurrent `send_to_addresses` calls on one wallet with one UTXO must yield exactly + /// one broadcast. The loser must get [`PlatformWalletError::NoSpendableInputs`] — never + /// `TransactionBroadcast` (that would mean it reached the network, which is the bug closed). + #[tokio::test] + async fn concurrent_same_utxo_sends_resolve_via_reservation_set() { + use key_wallet::account::account_type::StandardAccountType; + + let (wm, wallet_id, recipient, signer) = build_funded_wallet_manager(2_000_000); + let signer = Arc::new(signer); + let gate = Arc::new(Notify::new()); + let entered = Arc::new(Notify::new()); + let broadcaster = Arc::new(GatedBroadcaster { + gate: Arc::clone(&gate), + entered: Arc::clone(&entered), + calls: AtomicUsize::new(0), + succeed: true, + }); + let core = make_core_wallet_for_manager( + wm, + wallet_id, + Arc::clone(&broadcaster) as Arc, + ); + + let send_value = 100_000; + let outputs_a = vec![(recipient.clone(), send_value)]; + let outputs_b = vec![(recipient.clone(), send_value)]; + + // Spawn caller A. It will reserve the only spendable outpoint + // under the wallet write lock, drop the lock, and block on the + // broadcast `Notify`. + let core_a = core.clone(); + let signer_a = Arc::clone(&signer); + let a_handle = tokio::spawn(async move { + core_a + .send_to_addresses( + StandardAccountType::BIP44Account, + 0, + outputs_a, + signer_a.as_ref(), + ) + .await + }); + + // Deterministic handshake: wait until A has reached the broadcast gate. + // By that point A has reserved the outpoint and dropped the wallet write lock. + entered.notified().await; + + // Caller B starts now. The wallet's only UTXO is reserved by A, + // so B's spendable snapshot is empty → `NoSpendableInputs`. + let b_result = core + .send_to_addresses( + StandardAccountType::BIP44Account, + 0, + outputs_b, + signer.as_ref(), + ) + .await; + + match &b_result { + Err(PlatformWalletError::NoSpendableInputs { context, .. }) => { + assert!( + context.contains("reserved") + || context.contains("Insufficient") + || context.contains("No UTXOs"), + "B's NoSpendableInputs context should mention reservation \ + or insufficient/no-utxos; got: {context}" + ); + } + other => panic!( + "B must short-circuit with NoSpendableInputs (the race-loser \ + must not reach the broadcaster); got: {other:?}" + ), + } + + // Now release A's broadcast. + gate.notify_one(); + + let a_result = a_handle.await.expect("a task panicked"); + assert!( + a_result.is_ok(), + "A must succeed once its broadcast gate fires; got: {a_result:?}" + ); + + // Pin "loser never reached the network" directly: only A invoked the broadcaster. + assert_eq!( + broadcaster.calls.load(Ordering::SeqCst), + 1, + "broadcaster must be called exactly once across both concurrent senders" + ); + } + + /// On broadcast failure, the reservation must be released so the + /// caller can retry. This is the regression-tripwire for the + /// reservation guard's Drop semantics. + #[tokio::test] + async fn broadcast_failure_releases_reservation_for_retry() { + use key_wallet::account::account_type::StandardAccountType; + + let (wm, wallet_id, recipient, signer) = build_funded_wallet_manager(2_000_000); + let broadcaster: Arc = Arc::new(FailingBroadcaster); + let core = make_core_wallet_for_manager(wm, wallet_id, broadcaster); + + let outputs = vec![(recipient.clone(), 100_000)]; + + // First call fails at the broadcast step → guard drops → + // reservation released. The change-address index is also rolled + // back by virtue of #3585's peek-then-commit pattern. + let first = core + .send_to_addresses( + StandardAccountType::BIP44Account, + 0, + outputs.clone(), + &signer, + ) + .await; + assert!( + matches!(first, Err(PlatformWalletError::TransactionBroadcast(_))), + "first call must surface broadcast failure; got: {first:?}" + ); + + // Reservation released: the second call must reach the broadcaster (same UTXO visible), + // not short-circuit with `NoSpendableInputs` (which would indicate a leaked reservation). + let second = core + .send_to_addresses(StandardAccountType::BIP44Account, 0, outputs, &signer) + .await; + match second { + Err(PlatformWalletError::TransactionBroadcast(_)) => { + // Expected — reservation released, coin selection + // succeeded, broadcaster rejected as designed. + } + Err(PlatformWalletError::NoSpendableInputs { .. }) => { + panic!( + "reservation leaked after broadcast failure — second \ + call should have selected the released UTXO" + ); + } + other => panic!("unexpected second call result: {other:?}"), + } + } + + /// CMT-003: if `check_core_transaction` returns `is_relevant = false` + /// after a successful broadcast (an internal invariant violation but a + /// real-world possibility on a corrupted/stale wallet state), the + /// reservation must stay held — releasing it could let a concurrent + /// caller select the same already-broadcast outpoint and produce a + /// double-spend the network would reject. + /// + /// We force `is_relevant = false` by clearing the funding account's + /// address-pool entries between the broadcast and the reconcile step; + /// the post-broadcast `check_core_transaction` then matches nothing. + #[tokio::test] + async fn unreconciled_broadcast_keeps_reservation_held() { + use key_wallet::account::account_type::StandardAccountType; + + let (wm, wallet_id, recipient, signer) = build_funded_wallet_manager(2_000_000); + let signer = Arc::new(signer); + + let gate = Arc::new(Notify::new()); + let entered = Arc::new(Notify::new()); + let broadcaster = Arc::new(GatedBroadcaster { + gate: Arc::clone(&gate), + entered: Arc::clone(&entered), + calls: AtomicUsize::new(0), + succeed: true, + }); + + let core = make_core_wallet_for_manager( + Arc::clone(&wm), + wallet_id, + Arc::clone(&broadcaster) as Arc, + ); + + let outputs = vec![(recipient.clone(), 100_000)]; + + let core_send = core.clone(); + let signer_send = Arc::clone(&signer); + let handle = tokio::spawn(async move { + core_send + .send_to_addresses( + StandardAccountType::BIP44Account, + 0, + outputs, + signer_send.as_ref(), + ) + .await + }); + + // Wait until the broadcast call has been entered — by then the + // outpoint is reserved, the change index is committed, and the + // wallet write lock has been released. + entered.notified().await; + + // Sabotage the wallet so `check_core_transaction` cannot match + // anything. Clearing the account-collection map entirely is the + // surest way: with no accounts the checker walks zero entries. + { + let mut wm_guard = wm.write().await; + let info = wm_guard.get_wallet_info_mut(&wallet_id).expect("info"); + info.core_wallet.accounts.standard_bip44_accounts.clear(); + } + + // Capture the reservation's outpoint *before* releasing the gate + // so the assertion target is stable. + let funding_outpoint = OutPoint::new(Txid::from_byte_array([7u8; 32]), 0); + + // Release the broadcast — the post-broadcast reconcile sees + // `is_relevant=false` and (per CMT-003) leaks the reservation. + gate.notify_one(); + + let result = handle.await.expect("task panicked"); + assert!( + result.is_ok(), + "send_to_addresses must succeed when broadcast succeeds; got: {result:?}" + ); + + assert!( + core.reservations.contains(&funding_outpoint), + "reservation must remain held when post-broadcast reconcile fails (is_relevant=false), \ + otherwise a concurrent caller could re-select the same already-broadcast outpoint" + ); + } + + /// Pins the early-exit guard: when the spendable snapshot is empty + /// (e.g. all UTXOs reserved by in-flight broadcasts), `send_to_addresses` + /// surfaces `NoSpendableInputs` without invoking the builder. + /// + /// Note: the upstream coin-selection string-match in `send_to_addresses` + /// is not exercised here — that path is currently unpinned. + #[tokio::test] + async fn builder_error_text_contract_for_no_inputs() { + use key_wallet::account::account_type::StandardAccountType; + + let (wm, wallet_id, recipient, signer) = build_funded_wallet_manager(2_000_000); + let broadcaster: Arc = Arc::new(FailingBroadcaster); + let core = make_core_wallet_for_manager(wm, wallet_id, broadcaster); + + let outputs = vec![(recipient.clone(), 100_000)]; + + // Reserve the wallet's only outpoint so the spendable snapshot is + // empty for the next caller, exercising the early-exit guard. + let outpoint = OutPoint::new(Txid::from_byte_array([7u8; 32]), 0); + let _guard = core.reservations.reserve(vec![outpoint], None); + + let result = core + .send_to_addresses(StandardAccountType::BIP44Account, 0, outputs, &signer) + .await; + + assert!( + matches!(result, Err(PlatformWalletError::NoSpendableInputs { .. })), + "send_to_addresses must map a fully-reserved wallet to NoSpendableInputs; got: {result:?}" + ); + } +} diff --git a/packages/rs-platform-wallet/src/wallet/core/mod.rs b/packages/rs-platform-wallet/src/wallet/core/mod.rs index 106a4108c2..d53ea482fb 100644 --- a/packages/rs-platform-wallet/src/wallet/core/mod.rs +++ b/packages/rs-platform-wallet/src/wallet/core/mod.rs @@ -1,6 +1,7 @@ pub mod balance; pub mod balance_handler; mod broadcast; +pub(crate) mod reservations; pub mod wallet; pub use balance::WalletBalance; diff --git a/packages/rs-platform-wallet/src/wallet/core/reservations.rs b/packages/rs-platform-wallet/src/wallet/core/reservations.rs new file mode 100644 index 0000000000..6c8461c48b --- /dev/null +++ b/packages/rs-platform-wallet/src/wallet/core/reservations.rs @@ -0,0 +1,290 @@ +//! Per-wallet outpoint reservation set for [`CoreWallet::send_to_addresses`](super::broadcast). +//! +//! Closes the same-UTXO concurrent-selection race: the first caller reserves its selected +//! outpoints under the write lock; subsequent callers filter them out and short-circuit with +//! [`PlatformWalletError::NoSpendableInputs`](crate::PlatformWalletError) before hitting the +//! network. Reservations are released by an RAII guard on success, error, or panic. + +use std::collections::HashSet; +use std::sync::{Arc, Mutex}; + +use dashcore::{Address, OutPoint}; + +/// Inner state shared between an [`OutpointReservations`] handle and every +/// outstanding [`OutpointReservationGuard`]. Held behind a single `Mutex` +/// so reservation + change-address tracking commit atomically. +#[derive(Debug, Default)] +struct ReservationsInner { + outpoints: HashSet, + /// Change addresses already committed (`advance=true`) by an + /// in-flight `send_to_addresses` whose broadcast has not yet + /// completed. Concurrent senders that peek a change address still + /// present here advance past it under the same write lock so two + /// disjoint-UTXO sends do not both broadcast with the same change + /// address (privacy regression — CMT-006). Address-keyed rather than + /// `(account, index)` because the upstream pool API exposes addresses + /// but not indices. + pending_change: HashSet
, +} + +/// Per-wallet set of outpoints that have been selected for an in-flight +/// broadcast but not yet marked spent in `ManagedWalletInfo`, plus any +/// change addresses peeked but not yet reconciled with a confirmed +/// broadcast. +/// +/// Cheaply cloneable: holds an `Arc>` internally. All clones share +/// the same set. +#[derive(Debug, Default, Clone)] +pub(crate) struct OutpointReservations { + inner: Arc>, +} + +impl OutpointReservations { + pub(crate) fn new() -> Self { + Self::default() + } + + /// Test whether `outpoint` is currently reserved. + #[cfg(test)] + pub(crate) fn contains(&self, outpoint: &OutPoint) -> bool { + let guard = self + .inner + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + guard.outpoints.contains(outpoint) + } + + /// Test whether a change address is currently pending. + #[cfg(test)] + pub(crate) fn change_address_pending(&self, addr: &Address) -> bool { + let guard = self + .inner + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + guard.pending_change.contains(addr) + } + + /// Clone the current outpoint reservation set under a single lock + /// acquisition. Callers filter spendable UTXOs against the returned + /// snapshot to avoid one mutex lock per candidate outpoint. + pub(crate) fn snapshot(&self) -> HashSet { + let guard = self + .inner + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + guard.outpoints.clone() + } + + /// Clone the current pending-change-address set so callers can skip + /// past in-flight peeks without holding the reservation mutex. + pub(crate) fn pending_change_snapshot(&self) -> HashSet
{ + let guard = self + .inner + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + guard.pending_change.clone() + } + + /// Reserve `outpoints` and (optionally) a chosen change address in + /// the same lock acquisition, returning an RAII guard that releases + /// both on drop. The guard must be held until the broadcast outcome + /// is reconciled into wallet state. + pub(crate) fn reserve( + &self, + outpoints: Vec, + change_address: Option
, + ) -> OutpointReservationGuard { + { + let mut guard = self + .inner + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + for op in &outpoints { + guard.outpoints.insert(*op); + } + if let Some(addr) = &change_address { + guard.pending_change.insert(addr.clone()); + } + } + OutpointReservationGuard { + reservations: Arc::clone(&self.inner), + outpoints, + pending_change: change_address, + released: false, + } + } +} + +/// RAII guard releasing reservations on drop. +/// +/// Drop is infallible and panic-safe — the underlying `Mutex` is recovered +/// from poisoning so a panicking caller still releases its outpoints +/// and pending change index (if any). +#[must_use = "dropping the guard immediately releases the reservation"] +pub(crate) struct OutpointReservationGuard { + reservations: Arc>, + outpoints: Vec, + /// Pending change address reserved for this in-flight send (if any). + pending_change: Option
, + /// Set after a successful `release_after_commit` so `Drop` is a no-op. + released: bool, +} + +impl OutpointReservationGuard { + /// Release outpoints and any pending change index now, marking the + /// guard inert so its `Drop` is a no-op. Called by the broadcast + /// path after `check_core_transaction` has transitioned the inputs + /// from "reserved" to "spent" and the change index has been + /// committed via `next_change_address(..., true)`. The deliberate + /// release point exists so the same code path that *succeeded* the + /// broadcast also relinquishes the reservation — separating it from + /// the panic/drop path keeps post-broadcast-failure handling + /// (CMT-003) on the implicit `Drop` branch. + pub(crate) fn release_after_commit(mut self) { + self.do_release(); + self.released = true; + } + + /// Keep the reservation held for the lifetime of the process by + /// leaking the guard. Use this when the broadcast succeeded but + /// wallet state could not be reconciled (e.g., own-built tx not + /// recognised by `check_core_transaction`, or the wallet handle + /// went stale post-broadcast). Releasing the outpoints in that + /// scenario would let a concurrent caller select the same UTXO and + /// produce a double-spend the network would reject — keeping the + /// reservation is the safer of two bad outcomes; a wallet restart + /// or full sync will reconcile. + pub(crate) fn leak_until_sync(self) { + // `Box::leak` is the standard way to drop the ownership without + // running `Drop`. We don't actually heap-allocate — `mem::forget` + // is equivalent and avoids the allocation. + std::mem::forget(self); + } + + fn do_release(&mut self) { + let mut inner = self + .reservations + .lock() + .unwrap_or_else(|poisoned| poisoned.into_inner()); + for op in &self.outpoints { + inner.outpoints.remove(op); + } + if let Some(addr) = self.pending_change.take() { + inner.pending_change.remove(&addr); + } + } +} + +impl Drop for OutpointReservationGuard { + fn drop(&mut self) { + if self.released { + return; + } + self.do_release(); + } +} + +#[cfg(test)] +mod tests { + use super::*; + use dashcore::hashes::Hash; + use dashcore::Txid; + + fn op(n: u32) -> OutPoint { + OutPoint::new(Txid::all_zeros(), n) + } + + fn addr(byte: u8) -> Address { + use dashcore::secp256k1::{PublicKey, Secp256k1, SecretKey}; + let secp = Secp256k1::new(); + let sk = SecretKey::from_slice(&[byte; 32]).expect("valid sk"); + let pk = PublicKey::from_secret_key(&secp, &sk); + let cpk = dashcore::PublicKey::new(pk); + Address::p2pkh(&cpk, dashcore::Network::Testnet) + } + + #[test] + fn reserve_then_drop_releases() { + let res = OutpointReservations::new(); + let a = op(1); + { + let _g = res.reserve(vec![a], None); + assert!(res.contains(&a)); + } + assert!(!res.contains(&a)); + } + + #[test] + fn second_reservation_is_disjoint() { + let res = OutpointReservations::new(); + let a = op(1); + let b = op(2); + let _g1 = res.reserve(vec![a], None); + let _g2 = res.reserve(vec![b], None); + assert!(res.contains(&a)); + assert!(res.contains(&b)); + } + + #[test] + fn poisoned_mutex_still_releases() { + let res = OutpointReservations::new(); + let a = op(7); + let res_clone = res.clone(); + let _ = std::thread::spawn(move || { + let _g = res_clone.reserve(vec![a], None); + panic!("intentional"); + }) + .join(); + // Guard dropped during unwind — outpoint must be released even + // though the mutex was poisoned. + assert!(!res.contains(&a)); + } + + #[test] + fn change_address_reserved_and_released_on_drop() { + let res = OutpointReservations::new(); + let ch = addr(0x42); + { + let _g = res.reserve(vec![op(1)], Some(ch.clone())); + assert!(res.change_address_pending(&ch)); + } + assert!(!res.change_address_pending(&ch)); + } + + #[test] + fn pending_change_snapshot_reflects_reservations() { + let res = OutpointReservations::new(); + let ch1 = addr(0x11); + let ch2 = addr(0x22); + let _g1 = res.reserve(vec![op(1)], Some(ch1.clone())); + let _g2 = res.reserve(vec![op(2)], Some(ch2.clone())); + let snap = res.pending_change_snapshot(); + assert!(snap.contains(&ch1)); + assert!(snap.contains(&ch2)); + } + + #[test] + fn release_after_commit_is_drop_noop() { + let res = OutpointReservations::new(); + let a = op(11); + let ch = addr(0x55); + let g = res.reserve(vec![a], Some(ch.clone())); + assert!(res.contains(&a)); + assert!(res.change_address_pending(&ch)); + g.release_after_commit(); + assert!(!res.contains(&a)); + assert!(!res.change_address_pending(&ch)); + } + + #[test] + fn leak_until_sync_keeps_reservation_held() { + let res = OutpointReservations::new(); + let a = op(13); + let g = res.reserve(vec![a], None); + g.leak_until_sync(); + assert!( + res.contains(&a), + "leak_until_sync must keep the outpoint reserved until process restart" + ); + } +} diff --git a/packages/rs-platform-wallet/src/wallet/core/wallet.rs b/packages/rs-platform-wallet/src/wallet/core/wallet.rs index 8e83fd6b94..1476f0ac45 100644 --- a/packages/rs-platform-wallet/src/wallet/core/wallet.rs +++ b/packages/rs-platform-wallet/src/wallet/core/wallet.rs @@ -3,6 +3,7 @@ use std::sync::Arc; use super::balance::WalletBalance; +use super::reservations::OutpointReservations; use dashcore::Address as DashAddress; use tokio::sync::RwLock; @@ -31,6 +32,10 @@ pub struct CoreWallet { pub(crate) broadcaster: Arc, /// Lock-free balance for UI reads. balance: Arc, + /// Outpoints currently reserved by an in-flight `send_to_addresses` + /// call on this handle. Closes the same-UTXO concurrent-selection + /// race — see [`super::reservations`]. + pub(crate) reservations: OutpointReservations, } impl CoreWallet { @@ -47,6 +52,7 @@ impl CoreWallet { wallet_id, broadcaster, balance, + reservations: OutpointReservations::new(), } } @@ -252,6 +258,7 @@ impl Clone for CoreWallet { wallet_id: self.wallet_id, broadcaster: Arc::clone(&self.broadcaster), balance: Arc::clone(&self.balance), + reservations: self.reservations.clone(), } } } diff --git a/packages/rs-platform-wallet/src/wallet/identity/network/identity_handle.rs b/packages/rs-platform-wallet/src/wallet/identity/network/identity_handle.rs index 83a94d3011..268c56f89d 100644 --- a/packages/rs-platform-wallet/src/wallet/identity/network/identity_handle.rs +++ b/packages/rs-platform-wallet/src/wallet/identity/network/identity_handle.rs @@ -274,6 +274,13 @@ pub struct IdentityWallet { /// `SpvBroadcaster`-pinned, while this one picks the broadcaster /// used by `send_payment` (static dispatch per call). pub(crate) broadcaster: Arc, + /// Shared outpoint reservation set (cloned from the sibling + /// [`crate::CoreWallet`]). DashPay `send_payment` and core + /// `send_to_addresses` both fund from the same BIP-44 account 0 + /// UTXOs, so they must consult the same reservation set to avoid + /// the same-UTXO concurrent-selection race (CMT-001). See + /// [`crate::wallet::core::reservations`]. + pub(crate) reservations: crate::wallet::core::reservations::OutpointReservations, } // Manual `Debug`: the derive would require `B: Debug`, which is not part @@ -296,6 +303,7 @@ impl Clone for IdentityWallet { asset_locks: Arc::clone(&self.asset_locks), persister: self.persister.clone(), broadcaster: Arc::clone(&self.broadcaster), + reservations: self.reservations.clone(), } } } diff --git a/packages/rs-platform-wallet/src/wallet/identity/network/payments.rs b/packages/rs-platform-wallet/src/wallet/identity/network/payments.rs index c135e04e6f..4fed7fbca6 100644 --- a/packages/rs-platform-wallet/src/wallet/identity/network/payments.rs +++ b/packages/rs-platform-wallet/src/wallet/identity/network/payments.rs @@ -103,6 +103,9 @@ impl IdentityWallet { ), PlatformWalletError, > { + use std::collections::BTreeSet; + + use dashcore::OutPoint; use key_wallet::account::account_collection::DashpayAccountKey; use key_wallet::wallet::managed_wallet_info::coin_selection::SelectionStrategy; use key_wallet::wallet::managed_wallet_info::transaction_builder::TransactionBuilder; @@ -110,16 +113,14 @@ impl IdentityWallet { let account_index: u32 = 0; - let (payment_address, tx) = { + // Build, sign, reserve — all under one write-lock acquisition. Mirrors + // `CoreWallet::send_to_addresses` so concurrent calls between this and + // core `send_to_addresses` cannot select the same UTXO (CMT-001 / #3585). + let (payment_address, tx, _reservation) = { let mut wm = self.wallet_manager.write().await; // Resolve the external account's xpub so we can derive addresses. let contact_xpub = { - // Look up the external account in the *immutable* AccountCollection on - // `Wallet`. The ManagedAccountCollection only stores the managed state; - // the xpub lives on the immutable Account in `wallet.accounts`. - // For a watch-only external account we stored the contact's xpub directly - // as `account_xpub` on the Account struct — look it up via DashpayAccountKey. let wallet = wm.get_wallet(&self.wallet_id).ok_or_else(|| { PlatformWalletError::WalletNotFound(hex::encode(self.wallet_id)) })?; @@ -145,7 +146,74 @@ impl IdentityWallet { .get_wallet_and_info_mut(&self.wallet_id) .ok_or_else(|| PlatformWalletError::WalletNotFound(hex::encode(self.wallet_id)))?; - // Derive the next unused address from the external account's address pool. + // Resolve the funding-account xpub up front so we can advance the + // change-address derivation under the same lock. + let funding_xpub = wallet + .accounts + .standard_bip44_accounts + .get(&0) + .map(|a| a.account_xpub) + .ok_or_else(|| { + PlatformWalletError::TransactionBuild( + "BIP-44 account 0 not found in wallet".to_string(), + ) + })?; + + let current_height = info.core_wallet.synced_height(); + + let managed_account = info + .core_wallet + .accounts + .standard_bip44_accounts + .get_mut(&0) + .ok_or_else(|| { + PlatformWalletError::TransactionBuild( + "BIP-44 managed account 0 not found".to_string(), + ) + })?; + + // Snapshot spendable UTXOs minus any in-flight reservations from + // a concurrent `send_to_addresses`/`send_payment` on this wallet. + let reserved = self.reservations.snapshot(); + let spendable: Vec<_> = managed_account + .spendable_utxos(current_height) + .into_iter() + .filter(|utxo| !reserved.contains(&utxo.outpoint)) + .cloned() + .collect(); + if spendable.is_empty() { + return Err(PlatformWalletError::NoSpendableInputs { + account_index, + account_type: + key_wallet::account::account_type::StandardAccountType::BIP44Account, + context: "all UTXOs used or reserved by in-flight transactions".to_string(), + }); + } + + // Pick a change address that no concurrent send has already + // peeked. Commit the advance inside this write lock so the + // privacy property holds even if broadcast fails later (one + // burned index per failure is acceptable; reuse is not). + let pending_change = self.reservations.pending_change_snapshot(); + let change_addr = loop { + let peeked = managed_account + .next_change_address(Some(&funding_xpub), false) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + if !pending_change.contains(&peeked) { + let _ = managed_account + .next_change_address(Some(&funding_xpub), true) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + break peeked; + } + let _ = managed_account + .next_change_address(Some(&funding_xpub), true) + .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; + }; + + // Derive the recipient's payment address from the external pool. + // Done *after* the change-address pick so a derivation failure + // doesn't leave a committed funding-side change advance dangling + // without a matching outpoint reservation. let key = DashpayAccountKey { index: account_index, user_identity_id: from_identity_id.to_buffer(), @@ -162,13 +230,12 @@ impl IdentityWallet { to_contact_id )) })?; - let payment_address = external_account .next_address(Some(&contact_xpub), true) .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; - let current_height = info.core_wallet.synced_height(); - + // Re-borrow the managed funding account for the builder (the + // external_account borrow above ended at `payment_address`). let managed_account = info .core_wallet .accounts @@ -179,20 +246,12 @@ impl IdentityWallet { "BIP-44 managed account 0 not found".to_string(), ) })?; - let account = wallet - .accounts - .standard_bip44_accounts - .get(&0) - .ok_or_else(|| { - PlatformWalletError::TransactionBuild( - "BIP-44 account 0 not found in wallet".to_string(), - ) - })?; let builder = TransactionBuilder::new() .set_current_height(current_height) .set_selection_strategy(SelectionStrategy::LargestFirst) - .set_funding(managed_account, account) + .set_change_address(change_addr.clone()) + .add_inputs(spendable.iter().cloned()) .add_output(&payment_address, amount_duffs); let (tx, _fee) = builder @@ -202,10 +261,26 @@ impl IdentityWallet { .await .map_err(|e| PlatformWalletError::TransactionBuild(e.to_string()))?; - (payment_address, tx) + // Defense-in-depth: confirm the builder picked only outpoints + // from our pre-filtered spendable snapshot. + let selected: BTreeSet = + tx.input.iter().map(|txin| txin.previous_output).collect(); + let spendable_outpoints: BTreeSet = + spendable.iter().map(|utxo| utxo.outpoint).collect(); + if !selected.is_subset(&spendable_outpoints) { + return Err(PlatformWalletError::ConcurrentSpendConflict { + selected: selected.into_iter().collect(), + }); + } + + let reservation = self + .reservations + .reserve(selected.into_iter().collect(), Some(change_addr)); + + (payment_address, tx, reservation) }; - // --- 3. Broadcast the transaction. --- + // --- 3. Broadcast the transaction (lock released). --- let txid = self .broadcaster .broadcast(&tx) @@ -221,15 +296,35 @@ impl IdentityWallet { "DashPay payment broadcast" ); - // --- 4. Record the outgoing payment on the sender's ManagedIdentity. --- + // --- 4. Record the outgoing payment + reconcile UTXO state. --- let entry = crate::wallet::identity::types::dashpay::payment::PaymentEntry::new_sent( *to_contact_id, amount_duffs, memo, ); + let mut reconciled = false; { let mut wm = self.wallet_manager.write().await; - if let Some(info) = wm.get_wallet_info_mut(&self.wallet_id) { + if let Some((wallet, info)) = wm.get_wallet_mut_and_info_mut(&self.wallet_id) { + // Transition inputs from "reserved" → "spent" via the same + // post-broadcast checker the core path uses, so the + // reservation can be safely released below. + use key_wallet::transaction_checking::{ + TransactionContext, WalletTransactionChecker, + }; + let check_result = info + .check_core_transaction(&tx, TransactionContext::Mempool, wallet, true, true) + .await; + reconciled = check_result.is_relevant; + if !reconciled { + tracing::error!( + target: "platform_wallet::broadcast", + event = "post_broadcast_unrelated_to_own_wallet", + txid = %txid, + wallet_id = %hex::encode(self.wallet_id), + "Internal invariant violation: own-built DashPay payment not recognized by post-broadcast check" + ); + } if let Some(managed) = info.identity_manager.managed_identity_mut(from_identity_id) { managed.record_dashpay_payment( @@ -238,9 +333,30 @@ impl IdentityWallet { &self.persister, ); } + } else { + tracing::warn!( + target: "platform_wallet::broadcast", + event = "post_broadcast_wallet_missing", + wallet_id = %hex::encode(self.wallet_id), + %txid, + "wallet missing during post-broadcast DashPay payment registration" + ); } } + if reconciled { + _reservation.release_after_commit(); + } else { + tracing::warn!( + target: "platform_wallet::broadcast", + event = "post_broadcast_reservation_leaked_until_sync", + %txid, + wallet_id = %hex::encode(self.wallet_id), + "leaking outpoint reservation: DashPay post-broadcast reconciliation failed" + ); + _reservation.leak_until_sync(); + } + Ok((txid, entry)) } } diff --git a/packages/rs-platform-wallet/src/wallet/platform_wallet.rs b/packages/rs-platform-wallet/src/wallet/platform_wallet.rs index dcd9486798..f5d4b11d90 100644 --- a/packages/rs-platform-wallet/src/wallet/platform_wallet.rs +++ b/packages/rs-platform-wallet/src/wallet/platform_wallet.rs @@ -267,6 +267,9 @@ impl PlatformWallet { asset_locks: Arc::clone(&asset_locks), persister: wallet_persister.clone(), broadcaster: dashpay_broadcaster, + // Shared with `CoreWallet::send_to_addresses` so DashPay + // payments do not race the same UTXO. See CMT-001 / #3585. + reservations: core.reservations.clone(), }; let platform = PlatformAddressWallet::new( diff --git a/packages/rs-sdk/src/platform/dpns_usernames/mod.rs b/packages/rs-sdk/src/platform/dpns_usernames/mod.rs index cfb47694ce..620beb2b7a 100644 --- a/packages/rs-sdk/src/platform/dpns_usernames/mod.rs +++ b/packages/rs-sdk/src/platform/dpns_usernames/mod.rs @@ -35,6 +35,27 @@ pub fn convert_to_homograph_safe_chars(input: &str) -> String { .collect() } +fn extract_dpns_label(name: &str) -> &str { + if let Some(dot_pos) = name.rfind('.') { + let (label_part, suffix) = name.split_at(dot_pos); + if suffix.eq_ignore_ascii_case(".dash") { + return label_part; + } + } + name +} + +/// Strip an optional case-insensitive `.dash` suffix and apply DPNS +/// homograph-safe normalization, producing a value suitable for matching +/// against the `normalizedLabel` field of `domain` documents. +/// +/// Accepts either a bare label (e.g. `"alice"`) or a full DPNS name +/// (e.g. `"alice.dash"`, `"Alice.DASH"`) and returns the normalized label +/// (e.g. `"a11ce"`). +fn normalize_dpns_label(input: &str) -> String { + convert_to_homograph_safe_chars(extract_dpns_label(input)) +} + /// Check if a username is valid according to DPNS rules /// /// A username is valid if: @@ -365,19 +386,31 @@ impl Sdk { /// /// # Arguments /// - /// * `label` - The username label to check (e.g., "alice") + /// * `name` - The username label (e.g., "alice") or full DPNS name + /// (e.g., "alice.dash"). The `.dash` suffix is matched + /// case-insensitively and stripped before normalization, mirroring + /// [`Sdk::resolve_dpns_name`]. /// /// # Returns /// /// Returns `true` if the name is available, `false` if it's taken - pub async fn is_dpns_name_available(&self, label: &str) -> Result { + pub async fn is_dpns_name_available(&self, name: &str) -> Result { use crate::platform::documents::document_query::DocumentQuery; use drive::query::WhereClause; use drive::query::WhereOperator; - let dpns_contract = self.fetch_dpns_contract().await?; + let normalized_label = normalize_dpns_label(name); - let normalized_label = convert_to_homograph_safe_chars(label); + // An empty normalized label (e.g. `""`, `".dash"`, `".DASH"`) is not + // a registrable DPNS name, so report it as unavailable rather than + // doing a network round-trip that would query for + // `normalizedLabel == ""`. This mirrors the early-return guard in + // `resolve_dpns_name` so the two APIs agree on malformed input. + if normalized_label.is_empty() { + return Ok(false); + } + + let dpns_contract = self.fetch_dpns_contract().await?; // Query for existing domain with this label let query = DocumentQuery { @@ -423,30 +456,15 @@ impl Sdk { use drive::query::WhereClause; use drive::query::WhereOperator; - let dpns_contract = self.fetch_dpns_contract().await?; - - // Extract label from full name if needed - // Handle both "alice" and "alice.dash" formats - let label = if let Some(dot_pos) = name.rfind('.') { - let (label_part, suffix) = name.split_at(dot_pos); - // Only strip the suffix if it's exactly ".dash" - if suffix == ".dash" { - label_part - } else { - // If it's not ".dash", treat the whole thing as the label - name - } - } else { - // No dot found, use the whole name as the label - name - }; + let normalized_label = normalize_dpns_label(name); - // Validate the label before proceeding - if label.is_empty() { + // Empty normalized label (e.g. `""`, `".dash"`) can't resolve to an + // identity; bail before the contract fetch. Mirrors `is_dpns_name_available`. + if normalized_label.is_empty() { return Ok(None); } - let normalized_label = convert_to_homograph_safe_chars(label); + let dpns_contract = self.fetch_dpns_contract().await?; // Query for domain with this label let query = DocumentQuery { @@ -505,6 +523,40 @@ mod tests { assert_eq!(convert_to_homograph_safe_chars("test123"), "test123"); } + #[test] + fn test_normalize_dpns_label_strips_dash_suffix_case_insensitively() { + // Bare label and full name normalize to the same value, regardless + // of the case of the .dash suffix. This is the contract that + // `is_dpns_name_available` and `resolve_dpns_name` share so that + // queries against `normalizedLabel` agree. + let expected = "a11ce"; + assert_eq!(normalize_dpns_label("alice"), expected); + assert_eq!(normalize_dpns_label("alice.dash"), expected); + assert_eq!(normalize_dpns_label("alice.DASH"), expected); + assert_eq!(normalize_dpns_label("Alice.DaSh"), expected); + assert_eq!(normalize_dpns_label("ALICE.DASH"), expected); + + // Non-.dash suffixes are not stripped (they are treated as part of + // the label and normalized whole). + assert_eq!(normalize_dpns_label("alice.eth"), "a11ce.eth"); + + // Empty / suffix-only inputs normalize to an empty label. + assert_eq!(normalize_dpns_label(""), ""); + assert_eq!(normalize_dpns_label(".dash"), ""); + assert_eq!(normalize_dpns_label(".DASH"), ""); + } + + #[test] + fn test_extract_dpns_label() { + assert_eq!(extract_dpns_label("alice.dash"), "alice"); + assert_eq!(extract_dpns_label("alice.DASH"), "alice"); + assert_eq!(extract_dpns_label("alice.DaSh"), "alice"); + assert_eq!(extract_dpns_label("Alice.DASH"), "Alice"); + assert_eq!(extract_dpns_label("alice"), "alice"); + assert_eq!(extract_dpns_label("alice.eth"), "alice.eth"); + assert_eq!(extract_dpns_label(".dash"), ""); + } + #[test] fn test_is_valid_username() { // Valid usernames diff --git a/packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletResult.swift b/packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletResult.swift index 199d07bd5e..f1340a4fc2 100644 --- a/packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletResult.swift +++ b/packages/swift-sdk/Sources/SwiftDashSDK/PlatformWallet/PlatformWalletResult.swift @@ -18,6 +18,8 @@ public enum PlatformWalletResultCode: Int32, Sendable { case errorInvalidIdentifier = 10 case errorMemoryAllocation = 11 case errorUtf8Conversion = 12 + case errorNoSpendableInputs = 30 + case errorConcurrentSpendConflict = 31 case notFound = 98 case errorUnknown = 99 @@ -49,6 +51,10 @@ public enum PlatformWalletResultCode: Int32, Sendable { self = .errorMemoryAllocation case PLATFORM_WALLET_FFI_RESULT_CODE_ERROR_UTF8_CONVERSION: self = .errorUtf8Conversion + case PLATFORM_WALLET_FFI_RESULT_CODE_ERROR_NO_SPENDABLE_INPUTS: + self = .errorNoSpendableInputs + case PLATFORM_WALLET_FFI_RESULT_CODE_ERROR_CONCURRENT_SPEND_CONFLICT: + self = .errorConcurrentSpendConflict case PLATFORM_WALLET_FFI_RESULT_CODE_NOT_FOUND: self = .notFound case PLATFORM_WALLET_FFI_RESULT_CODE_ERROR_UNKNOWN: @@ -124,6 +130,15 @@ public enum PlatformWalletError: LocalizedError { case serialization(String) case deserialization(String) case memoryAllocation(String) + /// No spendable inputs on the requested account — retryable after + /// sync, or surface a depleted-wallet message. Mirrors the Rust + /// `PlatformWalletError::NoSpendableInputs` variant. + case noSpendableInputs(String) + /// Transaction builder picked an outpoint another concurrent + /// build had already selected. Retry — the underlying reservation + /// will have cleared. Mirrors the Rust + /// `PlatformWalletError::ConcurrentSpendConflict` variant. + case concurrentSpendConflict(String) case notFound(String) case unknown(String) @@ -136,6 +151,7 @@ public enum PlatformWalletError: LocalizedError { .invalidIdentifier(let m), .invalidNetwork(let m), .walletOperation(let m), .identityNotFound(let m), .contactNotFound(let m), .utf8Conversion(let m), .serialization(let m), .deserialization(let m), .memoryAllocation(let m), + .noSpendableInputs(let m), .concurrentSpendConflict(let m), .notFound(let m), .unknown(let m): return m } @@ -160,6 +176,9 @@ public enum PlatformWalletError: LocalizedError { case .errorInvalidIdentifier: self = .invalidIdentifier(detail) case .errorMemoryAllocation: self = .memoryAllocation(detail) case .errorUtf8Conversion: self = .utf8Conversion(detail) + case .errorNoSpendableInputs: self = .noSpendableInputs(detail) + case .errorConcurrentSpendConflict: + self = .concurrentSpendConflict(detail) case .notFound: self = .notFound(detail) case .errorUnknown: self = .unknown(detail) }