XDC: Fix duplicate signature quorum bypass (#11379)

* `QuorumCertificateManager` deduplication fix

* Parallize `CountValidSignatures` and make it static

* Introduce `CertificateManagerBase`, move `CountValidSignatures` there and reuse it in `TimeoutCertificateManager`

* Code cleanup

* Remove `CertificateManagerBase`, move `CountValidSignatures` to `VotesManager` and fix `GetValidSignatures` there

* PR feedback & code cleanup

* Build fix

* PR feedback

* spelling

* Code cleanup

* Revert `VotesManager.GetValidSignatures` changes

Author: alexb5dh

src/Nethermind/Nethermind.Xdc.Test/Helpers/XdcTestHelper.cs

@@ -1,9 +1,10 @@
-// SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+// SPDX-FileCopyrightText: 2026 Demerzel Solutions Limited
 // SPDX-License-Identifier: LGPL-3.0-only
 
 using Nethermind.Core;
 using Nethermind.Core.Crypto;
 using Nethermind.Crypto;
+using Nethermind.Int256;
 using Nethermind.Serialization.Rlp;
 using Nethermind.Xdc.RLP;
 using Nethermind.Xdc.Types;
@@ -72,6 +73,27 @@ public static Vote BuildSignedVote(BlockRoundInfo info, ulong gap, PrivateKey ke
         return vote;
     }
 
+    /// <summary>
+    /// Produces a byte-distinct but cryptographically valid alternative signature for the same
+    /// message and private key by exploiting secp256k1 malleability: (r, s) → (r, N−s, flipped v).
+    /// Both signatures recover to the same signer address, so they represent a single vote from
+    /// one validator regardless of how many byte-distinct copies exist.
+    /// </summary>
+    public static Signature CreateMalleableSignature(Signature original)
+    {
+        ReadOnlySpan<byte> bytes = original.Bytes; // 64 bytes: r (0..31), s (32..63)
+
+        UInt256 s = new(bytes[32..], true);
+        UInt256 sNew = SecP256k1Curve.N - s;
+
+        byte[] result = new byte[65];
+        bytes[..32].CopyTo(result); // r unchanged
+        sNew.ToBigEndian(result.AsSpan(32, 32));
+        result[64] = original.V == 27 ? (byte)28 : (byte)27; // flip recovery id
+
+        return new Signature(result);
+    }
+
     public static byte[] BuildV1ExtraData(Address[] addresses)
     {
         byte[] extraData = new byte[XdcConstants.ExtraVanity + addresses.Length * Address.Size + XdcConstants.ExtraSeal];

src/Nethermind/Nethermind.Xdc.Test/ModuleTests/VotesManagerTests.cs

@@ -1,6 +1,7 @@
-// SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+// SPDX-FileCopyrightText: 2026 Demerzel Solutions Limited
 // SPDX-License-Identifier: LGPL-3.0-only
 
+using System;
 using Nethermind.Blockchain;
 using Nethermind.Consensus;
 using Nethermind.Core;
@@ -28,6 +29,7 @@ public static IEnumerable<TestCaseData> HandleVoteCases()
         PrivateKey[] keysForMasternodes = keys.Take(20).ToArray();
         PrivateKey[] extraKeys = keys.Skip(20).ToArray();
         Address[] masternodes = keysForMasternodes.Select(k => k.Address).ToArray();
+        int quorumCount = (int)Math.Ceiling(keysForMasternodes.Length * 0.667);
 
         ulong currentRound = 1;
         XdcBlockHeader header = Build.A.XdcBlockHeader()
@@ -49,6 +51,12 @@ public static IEnumerable<TestCaseData> HandleVoteCases()
         for (int i = 0; i < keysForVotes.Length - 3; i++) votesWithDiffGap.Add(XdcTestHelper.BuildSignedVote(info, 450, keysForVotes[i]));
         for (int i = keysForVotes.Length - 3; i < keysForVotes.Length; i++) votesWithDiffGap.Add(XdcTestHelper.BuildSignedVote(info, 451, keysForVotes[i]));
         yield return new TestCaseData(masternodes, header, currentRound, votesWithDiffGap.ToArray(), info, 0);
+
+        //N byte-distinct votes but only N-1 unique addresses (keys[0] signs twice via ECDSA malleability)
+        Vote[] legitimateVotes = [.. keysForMasternodes.Take(quorumCount - 1).Select(k => XdcTestHelper.BuildSignedVote(info, 450, k))];
+        Signature malleableSig = XdcTestHelper.CreateMalleableSignature(legitimateVotes[0].Signature!);
+        Vote malleableVote = new(info, 450) { Signature = malleableSig, Signer = legitimateVotes[0].Signer };
+        yield return new TestCaseData(masternodes, header, currentRound, (Vote[])[.. legitimateVotes, malleableVote], info, 0);
     }
 
     [TestCaseSource(nameof(HandleVoteCases))]

src/Nethermind/Nethermind.Xdc.Test/QuorumCertificateManagerTest.cs

@@ -1,6 +1,7 @@
-// SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+// SPDX-FileCopyrightText: 2026 Demerzel Solutions Limited
 // SPDX-License-Identifier: LGPL-3.0-only
 
+using System;
 using Nethermind.Blockchain;
 using Nethermind.Core;
 using Nethermind.Core.Crypto;
@@ -51,13 +52,15 @@ public static IEnumerable<TestCaseData> QcCases()
     {
         XdcBlockHeaderBuilder headerBuilder = Build.A.XdcBlockHeader().WithGeneratedExtraConsensusData();
         PrivateKeyGenerator keyBuilder = new();
-        //Base valid control case
         PrivateKey[] keys = keyBuilder.Generate(20).ToArray();
         IEnumerable<Address> masterNodes = keys.Select(k => k.Address);
+        int quorumCount = (int)Math.Ceiling(keys.Length * 0.667);
+
+        //Base valid control case
         yield return new TestCaseData(XdcTestHelper.CreateQc(new BlockRoundInfo(headerBuilder.TestObject.Hash!, 1, 1), 0, keys), headerBuilder, keys.Select(k => k.Address), true);
 
         //Not enough signatures
-        yield return new TestCaseData(XdcTestHelper.CreateQc(new BlockRoundInfo(headerBuilder.TestObject.Hash!, 1, 1), 0, keys.Take(13).ToArray()), headerBuilder, keys.Select(k => k.Address), false);
+        yield return new TestCaseData(XdcTestHelper.CreateQc(new BlockRoundInfo(headerBuilder.TestObject.Hash!, 1, 1), 0, [.. keys.Take(quorumCount - 1)]), headerBuilder, keys.Select(k => k.Address), false);
 
         //1 Vote is not master node
         yield return new TestCaseData(XdcTestHelper.CreateQc(new BlockRoundInfo(headerBuilder.TestObject.Hash!, 1, 1), 0, keys), headerBuilder, keys.Skip(1).Select(k => k.Address), false);
@@ -73,6 +76,12 @@ public static IEnumerable<TestCaseData> QcCases()
 
         //Wrong round number in QC
         yield return new TestCaseData(XdcTestHelper.CreateQc(new BlockRoundInfo(headerBuilder.TestObject.Hash!, 0, 1), 0, keys), headerBuilder, masterNodes, false);
+
+        //N byte-distinct signatures but only N-1 unique signer addresses (keys[0] signs twice via ECDSA malleability)
+        BlockRoundInfo roundInfo = new(headerBuilder.TestObject.Hash!, 1, 1);
+        Signature[] sigs = XdcTestHelper.CreateVoteSignatures(roundInfo, 0, [.. keys.Take(quorumCount - 1)]);
+        Signature malleable = XdcTestHelper.CreateMalleableSignature(sigs[0]);
+        yield return new TestCaseData(new QuorumCertificate(roundInfo, [.. sigs, malleable], 0), headerBuilder, masterNodes, false);
     }
 
     [TestCaseSource(nameof(QcCases))]

src/Nethermind/Nethermind.Xdc.Test/SyncInfoManagerTests.cs

@@ -163,7 +163,7 @@ public void VerifySyncInfo_WhenAllVerificationsPass_ReturnsTrue()
         ILogManager logManager = Substitute.For<ILogManager>();
 
         qcManager.VerifyCertificate(qc, out Arg.Any<string>()).Returns(true);
-        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string>()).Returns(true);
+        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string?>()).Returns(true);
 
         SyncInfoManager manager = new(xdcContext, qcManager, timeoutManager, logManager);
 
@@ -194,7 +194,7 @@ public void VerifySyncInfo_WhenBothCertificatesAreHigher_ReturnsTrue()
         ILogManager logManager = Substitute.For<ILogManager>();
 
         qcManager.VerifyCertificate(qc, out Arg.Any<string>()).Returns(true);
-        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string>()).Returns(true);
+        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string?>()).Returns(true);
 
         SyncInfoManager manager = new(xdcContext, qcManager, timeoutManager, logManager);
 
@@ -225,7 +225,7 @@ public void VerifySyncInfo_WhenOnlyQuorumCertificateIsHigher_ReturnsTrue()
         ILogManager logManager = Substitute.For<ILogManager>();
 
         qcManager.VerifyCertificate(qc, out Arg.Any<string>()).Returns(true);
-        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string>()).Returns(true);
+        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string?>()).Returns(true);
 
         SyncInfoManager manager = new(xdcContext, qcManager, timeoutManager, logManager);
 
@@ -256,7 +256,7 @@ public void VerifySyncInfo_WhenOnlyTimeoutCertificateIsHigher_ReturnsTrue()
         ILogManager logManager = Substitute.For<ILogManager>();
 
         qcManager.VerifyCertificate(qc, out Arg.Any<string>()).Returns(true);
-        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string>()).Returns(true);
+        timeoutManager.VerifyTimeoutCertificate(tc, out Arg.Any<string?>()).Returns(true);
 
         SyncInfoManager manager = new(xdcContext, qcManager, timeoutManager, logManager);
 

src/Nethermind/Nethermind.Xdc.Test/TimeoutCertificateManagerTests.cs

@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+// SPDX-FileCopyrightText: 2026 Demerzel Solutions Limited
 // SPDX-License-Identifier: LGPL-3.0-only
 
 using Nethermind.Blockchain;
@@ -23,7 +23,6 @@ namespace Nethermind.Xdc.Test;
 [Parallelizable(ParallelScope.All)]
 public class TimeoutCertificateManagerTests
 {
-
     [Test]
     public void VerifyTC_NullCert_Throws()
     {
@@ -102,22 +101,30 @@ public static IEnumerable<TestCaseData> TcCases()
         PrivateKeyGenerator keyBuilder = new();
         PrivateKey[] keys = keyBuilder.Generate(20).ToArray();
         IEnumerable<Address> masterNodes = keys.Select(k => k.Address);
+        int quorumCount = (int)Math.Ceiling(keys.Length * 0.667);
 
         // Base case
         yield return new TestCaseData(BuildTimeoutCertificate(keys), masterNodes, true);
 
         // Insufficient signature count
-        PrivateKey[] notEnoughKeys = keys.Take(13).ToArray();
+        PrivateKey[] notEnoughKeys = [.. keys.Take(quorumCount - 1)];
         yield return new TestCaseData(BuildTimeoutCertificate(notEnoughKeys), masterNodes, false);
 
         // Duplicated signatures still should fail if not enough
-        yield return new TestCaseData(BuildTimeoutCertificate(notEnoughKeys.Concat(notEnoughKeys).ToArray()), masterNodes, false);
+        yield return new TestCaseData(BuildTimeoutCertificate([.. notEnoughKeys, .. notEnoughKeys]), masterNodes, false);
 
         // Sufficient signature count
-        yield return new TestCaseData(BuildTimeoutCertificate(keys.Take(14).ToArray()), masterNodes, true);
+        yield return new TestCaseData(BuildTimeoutCertificate([.. keys.Take(quorumCount)]), masterNodes, true);
 
         // Signer not in master nodes
         yield return new TestCaseData(BuildTimeoutCertificate(keys), keys.Skip(1).Select(k => k.Address), false);
+
+        //N byte-distinct signatures but only N-1 unique signer addresses (keys[0] signs twice via ECDSA malleability)
+        EthereumEcdsa ecdsa = new(0);
+        ValueHash256 msgHash = TimeoutCertificateManager.ComputeTimeoutMsgHash(1, 0);
+        Signature[] sigs = [.. keys.Take(quorumCount - 1).Select(k => ecdsa.Sign(k, msgHash))];
+        Signature malleable = XdcTestHelper.CreateMalleableSignature(sigs[0]);
+        yield return new TestCaseData(new TimeoutCertificate(1, [.. sigs, malleable], 0), masterNodes, false);
     }
 
     [TestCaseSource(nameof(TcCases))]

src/Nethermind/Nethermind.Xdc/ITimeoutCertificateManager.cs

@@ -13,6 +13,6 @@ public interface ITimeoutCertificateManager
     Task HandleTimeoutVote(Timeout timeout);
     void OnCountdownTimer();
     void ProcessTimeoutCertificate(TimeoutCertificate timeoutCertificate);
-    bool VerifyTimeoutCertificate(TimeoutCertificate timeoutCertificate, out string errorMessage);
+    bool VerifyTimeoutCertificate(TimeoutCertificate timeoutCertificate, out string? errorMessage);
     long GetTimeoutsCount(Timeout timeout);
 }

src/Nethermind/Nethermind.Xdc/QuorumCertificateManager.cs

@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2025 Demerzel Solutions Limited
+// SPDX-FileCopyrightText: 2026 Demerzel Solutions Limited
 // SPDX-License-Identifier: LGPL-3.0-only
 
 using Nethermind.Blockchain;
@@ -13,8 +13,6 @@
 using Nethermind.Xdc.Types;
 using System;
 using System.Diagnostics.CodeAnalysis;
-using System.Linq;
-using System.Threading.Tasks;
 
 namespace Nethermind.Xdc;
 
@@ -32,8 +30,7 @@ internal class QuorumCertificateManager(
     private ILogger _logger = logManager.GetClassLogger<QuorumCertificateManager>();
 
     private ISpecProvider _specProvider { get; } = xdcConfig;
-    private readonly EthereumEcdsa _ethereumEcdsa = new(0);
-    private readonly static VoteDecoder _voteDecoder = new();
+    private static readonly VoteDecoder _voteDecoder = new();
 
     public QuorumCertificate HighestKnownCertificate => _context.HighestQC;
     public QuorumCertificate LockCertificate => _context.LockQC;
@@ -45,18 +42,16 @@ public void CommitCertificate(QuorumCertificate qc)
             _context.HighestQC = qc;
         }
 
-        XdcBlockHeader proposedBlockHeader = (XdcBlockHeader)_blockTree.FindHeader(qc.ProposedBlockInfo.Hash);
-        if (proposedBlockHeader is null)
-            throw new IncomingMessageBlockNotFoundException(qc.ProposedBlockInfo.Hash, qc.ProposedBlockInfo.BlockNumber);
+        XdcBlockHeader proposedBlockHeader = (XdcBlockHeader)_blockTree.FindHeader(qc.ProposedBlockInfo.Hash)
+            ?? throw new IncomingMessageBlockNotFoundException(qc.ProposedBlockInfo.Hash, qc.ProposedBlockInfo.BlockNumber);
 
         IXdcReleaseSpec spec = _specProvider.GetXdcSpec(proposedBlockHeader, _context.CurrentRound);
 
         //Can only look for a QC in proposed block after the switch block
         if (proposedBlockHeader.Number > spec.SwitchBlock)
         {
-            QuorumCertificate? parentQc = proposedBlockHeader.ExtraConsensusData?.QuorumCert;
-            if (parentQc is null)
-                throw new BlockchainException("QC is targeting a block without required consensus data.");
+            QuorumCertificate? parentQc = proposedBlockHeader.ExtraConsensusData?.QuorumCert
+                ?? throw new BlockchainException("QC is targeting a block without required consensus data.");
 
             if (_context.LockQC is null || parentQc.ProposedBlockInfo.Round > _context.LockQC.ProposedBlockInfo.Round)
             {
@@ -68,7 +63,6 @@ public void CommitCertificate(QuorumCertificate qc)
             {
                 if (_logger.IsWarn) _logger.Warn($"Could not commit block ({proposedBlockHeader.Hash}). {error}");
             }
-
         }
 
         if (qc.ProposedBlockInfo.Round >= _context.CurrentRound)
@@ -124,7 +118,7 @@ private bool CommitBlock(XdcBlockHeader proposedBlockHeader, ulong proposedRound
             return false;
         }
 
-        //We will normally commit twice - once when QC vote finished and once when we receive new block containing the same QC most likely 
+        //We will normally commit twice - once when QC vote finished and once when we receive new block containing the same QC most likely
         if (_context.HighestCommitBlock is not null && grandParentHeader.Hash == _context.HighestCommitBlock.Hash)
         {
             error = null;
@@ -171,35 +165,31 @@ public bool VerifyCertificate(QuorumCertificate qc, XdcBlockHeader certificateTa
             return false;
         }
 
-        //Possible optimize here
-        Signature[] uniqueSignatures = qc.Signatures.Distinct().ToArray();
-
         ulong qcRound = qc.ProposedBlockInfo.Round;
         IXdcReleaseSpec spec = _specProvider.GetXdcSpec(certificateTarget, qcRound);
         double certificateThreshold = spec.CertificateThreshold;
         double required = Math.Ceiling(epochSwitchInfo.Masternodes.Length * certificateThreshold);
-        if ((qcRound > 0) && (uniqueSignatures.Length < required))
-        {
-            error = $"Number of votes ({uniqueSignatures.Length}/{epochSwitchInfo.Masternodes.Length}) does not meet threshold of {certificateThreshold}";
-            return false;
-        }
 
-        ValueHash256 voteHash = VoteHash(qc.ProposedBlockInfo, qc.GapNumber);
-        bool allValid = true;
-        Parallel.ForEach(uniqueSignatures, (s, state) =>
+        if (qcRound > 0)
         {
-            Address signer = _ethereumEcdsa.RecoverAddress(s, voteHash);
-            if (!epochSwitchInfo.Masternodes.Contains(signer))
+            (Address[] masternodes, Signature[] signatures) = (epochSwitchInfo.Masternodes, qc.Signatures);
+            if (signatures.Length < required)
             {
-                allValid = false;
-                state.Stop();
+                error = $"Number of signatures ({signatures.Length}) does not meet threshold of {required}";
+                return false;
             }
-        });
 
-        if (!allValid)
-        {
-            error = $"Quorum certificate contains one or more invalid vote signatures";
-            return false;
+            ValueHash256 voteHash = VoteHash(qc.ProposedBlockInfo, qc.GapNumber);
+            if (VotesManager.CountValidSignatures(masternodes, signatures, voteHash, out error) is not { } signCount)
+            {
+                return false;
+            }
+
+            if (signCount < required)
+            {
+                error = $"Number of votes ({signCount}/{masternodes.Length}) does not meet threshold of {certificateThreshold}";
+                return false;
+            }
         }
 
         long epochSwitchNumber = epochSwitchInfo.EpochSwitchBlockInfo.BlockNumber;
@@ -232,7 +222,8 @@ public bool VerifyCertificate(QuorumCertificate qc, XdcBlockHeader certificateTa
         error = null;
         return true;
     }
-    private ValueHash256 VoteHash(BlockRoundInfo proposedBlockInfo, ulong gapNumber)
+
+    private static ValueHash256 VoteHash(BlockRoundInfo proposedBlockInfo, ulong gapNumber)
     {
         KeccakRlpStream stream = new();
         _voteDecoder.Encode(stream, new Vote(proposedBlockInfo, gapNumber), RlpBehaviors.ForSealing);