Skip to content

feat(ante): wire ethermint NewEVMSigPreVerifier for lock-free admission#2120

Merged
JayT106 merged 21 commits into
crypto-org-chain:mainfrom
JayT106:jt/refactor-evm-sig-preverifier
Jul 2, 2026
Merged

feat(ante): wire ethermint NewEVMSigPreVerifier for lock-free admission#2120
JayT106 merged 21 commits into
crypto-org-chain:mainfrom
JayT106:jt/refactor-evm-sig-preverifier

Conversation

@JayT106

@JayT106 JayT106 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Depends on: crypto-org-chain/ethermint#1011

  • Wire appmempool.NewEVMSigPreVerifier into InsertTxHandler — reject bad EVM sigs before mu.Lock().
  • Add SetPreVerify hook on mempool.Manager; nil skips.

Use ante.NewEVMSigPreVerifier from crypto-org-chain/ethermint#1011 instead
of duplicating the logic in cronos.

- Bump ethermint fork to 3247d33 (feat/evm-sig-preverifier branch)
- Add preVerify field + SetPreVerify to mempool.Manager
- Add lock-free pre-verify step in InsertTxHandler before mu.Lock()
- Wire ethante.NewEVMSigPreVerifier(chainId, activeDecoder) in app.go
@JayT106 JayT106 requested a review from a team as a code owner June 24, 2026 02:44
@JayT106 JayT106 requested review from ApacCronos and XinyuCRO June 24, 2026 02:44
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds a lock-free pre-verification hook to mempool admission, wires Ethermint’s EVM signature pre-verifier into app startup, and updates tests, dependency metadata, changelog, and one RPC receipt call.

Changes

EVM Sig Pre-Verifier for Mempool Admission

Layer / File(s) Summary
Mempool Manager pre-verify hook
app/mempool/manager.go
Adds preVerify func([]byte) error, a SetPreVerify method, and a lock-free pre-check in InsertTxHandler that returns an ABCI-coded response on hook error before the admission mutex.
App wiring for Ethermint pre-verifier
app/app.go
Imports appmempool, binds chainId earlier in New, wires SetPreVerify(appmempool.NewEVMSigPreVerifier(chainId, activeDecoder)) for mempool.type=app, and removes the later chainId reassignment before mem-iavl setup.
Validation and metadata updates
app/mempool/admission_test.go, go.mod, gomod2nix.toml, CHANGELOG.md, integration_tests/test_basic.py
Adds tests for tampered EVM signatures and non-EVM tx handling, updates indirect dependency pins and Ethermint replacement metadata, adds the changelog entry, and switches eth_getBlockReceipts to a hex block number.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

cronos

Suggested reviewers

  • calvinaco
  • XinyuCRO

Poem

🐇 I hopped through mempool gates at dawn,
With sig checks swift and locks moved on.
A tampered hop got bounced away,
Non-EVM trails still found their way.
Bright little checks in a rabbit’s song! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: wiring Ethermint’s EVMSig pre-verifier for lock-free admission.
Docstring Coverage ✅ Passed Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

This comment has been minimized.

@JayT106 JayT106 self-assigned this Jun 24, 2026
@codecov

codecov Bot commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 78.57143% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 20.95%. Comparing base (a3c2f70) to head (418e095).
⚠️ Report is 216 commits behind head on main.

Files with missing lines Patch % Lines
app/mempool/manager.go 50.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #2120      +/-   ##
==========================================
+ Coverage   16.87%   20.95%   +4.08%     
==========================================
  Files          72       82      +10     
  Lines        6163     5655     -508     
==========================================
+ Hits         1040     1185     +145     
+ Misses       5000     4373     -627     
+ Partials      123       97      -26     
Files with missing lines Coverage Δ
app/mempool/preverify.go 100.00% <100.00%> (ø)
app/mempool/manager.go 90.24% <50.00%> (ø)

... and 73 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JayT106

JayT106 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

@claude review

@github-actions

github-actions Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Claude finished @JayT106's task in 3m 13s —— View job


Code Review

  • Gather context and read changed files
  • Review mempool/manager.go changes
  • Review app/app.go wiring
  • Review go.mod dependency bump
  • Check for state-breaking changes
  • Post final review

Overall Assessment

The implementation is clean and the design intent is sound: doing the expensive ecrecover before acquiring mu is the right optimization. No state-breaking changes — this is a purely admission-side change, nothing touches committed state or consensus logic. A few notes worth discussing:

No test coverage for the new path

SetPreVerify / the early-return error path in InsertTxHandler has 0 test coverage (confirmed by Codecov's 33% patch coverage on manager.go and by grepping the test files — preVerify doesn't appear in any test). TestInsertTxConcurrentAdmission exercises InsertTx, but it only tests the success path. Two cases are missing:

  1. Pre-verify rejection — a tampered-sig EVM tx should be rejected by the pre-verifier before reaching RunTx. signTransfer already supports tamperFrom, so this test would be ~10 lines.
  2. Non-EVM tx fall-through — a plain Cosmos SDK tx should pass through preVerify == nil/no error and still go through RunTx.

Consider adding at least one negative test before merging.

Race-free only by convention

preVerify is written once at startup and read on every concurrent InsertTx, which is safe in practice. However, the Go memory model technically requires synchronization even for single-write/multi-read patterns unless there's a happens-before edge (the startup goroutine finishing before peers connect). Using a local copy fn := a.preVerify (see inline) removes the ambiguity and would pass the race detector cleanly even if SetPreVerify were ever called in a test mid-run.

Dependency additions

  • github.com/kcalvinalvin/anet — this is a new transitive dep that wasn't previously in the module graph. Worth confirming it's pulled in by the ethermint bump (not accidentally introduced) and that the package has acceptable licensing/maintenance posture.
  • All other bumps (btcutil 1.2.0, gjson 1.19.0, pprof, golang.org/x/net 0.56.0) are routine minor bumps.

No state-breaking concerns

This change only affects mempool admission (pre-RunTx). It does not touch:

  • Any ABCI message that affects committed state
  • Message signing or serialization
  • State migrations or module store keys
  • Consensus parameters

Safe to merge on a live release branch from a consensus/migration perspective.


Comment thread app/mempool/manager.go
Comment thread app/app.go Outdated
Comment thread app/mempool/manager.go
JayT106 added 5 commits June 23, 2026 23:19
Address review feedback on crypto-org-chain#2120:
- Snapshot preVerify in InsertTxHandler for race-detector cleanliness
- TestPreVerifyRejectsTamperedSig: tampered From rejected before RunTx
- TestPreVerifyPassesThroughNonEVMTx: non-EVM tx falls through to antehandler
…field

- Move chainId declaration before baseAppOptions closure so it can be
  captured; call SetPreVerify inside the closure before InsertTxHandler()
  so the preVerify snapshot captures the non-nil verifier
- ResponseInsertTx has no Log field; keep Code-only response
The ethermint bump changes GetBlockReceipts param from BlockNumber to
BlockNumberOrHash. BlockNumber accepted a plain decimal int (cast.ToUint64
fallback on missing 0x prefix); BlockNumberOrHash does not, so the raw int
arg now returns an error and the response has no 'result'. Pass hex().

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
app/mempool/admission_test.go (1)

163-171: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

These assertions are too broad to prove the pre-verify contract.

At Line 170 and Line 186, checking only “not OK” allows false positives if preVerify is skipped/broken and rejection happens later in RunTx. Please add a focused path assertion (ideally a manager-level test with a spy txRunner) to verify:

  1. preVerify error short-circuits before RunTx, and
  2. non-EVM tx reaches RunTx (preVerify passthrough).

Also applies to: 173-187

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/mempool/admission_test.go` around lines 163 - 171, The assertions in
TestPreVerifyRejectsTamperedSig are too broad and only verify the response code
is not OK, which doesn't prove the rejection came from preVerify rather than
from RunTx or later stages. Replace the current assertions in this test with
more focused checks: implement a manager-level test with a spy or mock txRunner
that tracks whether RunTx was actually called. This will verify that preVerify
errors properly short-circuit execution before RunTx is invoked, and separately
test that non-EVM transactions correctly pass through preVerify to reach RunTx,
providing concrete evidence of the preVerify contract being enforced.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@app/mempool/admission_test.go`:
- Around line 163-171: The assertions in TestPreVerifyRejectsTamperedSig are too
broad and only verify the response code is not OK, which doesn't prove the
rejection came from preVerify rather than from RunTx or later stages. Replace
the current assertions in this test with more focused checks: implement a
manager-level test with a spy or mock txRunner that tracks whether RunTx was
actually called. This will verify that preVerify errors properly short-circuit
execution before RunTx is invoked, and separately test that non-EVM transactions
correctly pass through preVerify to reach RunTx, providing concrete evidence of
the preVerify contract being enforced.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2b25f7ab-d9fb-4989-8cf8-328ac838aa49

📥 Commits

Reviewing files that changed from the base of the PR and between 70c502f and 8ab07e4.

📒 Files selected for processing (5)
  • app/app.go
  • app/mempool/admission_test.go
  • app/mempool/manager.go
  • gomod2nix.toml
  • integration_tests/test_basic.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • app/app.go
  • app/mempool/manager.go

Comment thread app/mempool/manager.go Outdated
Comment thread app/mempool/manager.go Outdated
JayT106 and others added 7 commits June 25, 2026 16:27
Ethermint moved the sig pre-verifier out of the ante package into the new
appmempool package (stack crypto-org-chain#1016+crypto-org-chain#1019+crypto-org-chain#1011); ante/preverify.go is gone.

- Repoint app.go: ethante.NewEVMSigPreVerifier -> appmempool.NewEVMSigPreVerifier.
  SigPreVerifier is still func([]byte) error, so SetPreVerify is unchanged.
- Bump ethermint pin to 562fa2a2 (go.mod, go.sum, gomod2nix.toml).
Move PreVerifierRegistry out of ethermint into cronos per review
(crypto-org-chain/ethermint#1011): the registry is an app-level
composition concern. The app registers per-module verifiers — today
just ethermint's NewEVMSigPreVerifier for EVM txs — and hands the
composite registry.Verify to the mempool manager. The manager stays
generic (SetPreVerify takes any func([]byte) error), so this is wiring
only; no manager change.
Comment thread app/mempool/manager.go Outdated
Comment thread app/mempool/manager.go Outdated
Comment thread app/app.go Outdated
Comment thread app/preverify.go Outdated
Comment thread app/app.go

@thomas-nguy thomas-nguy left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except some minor cleaning TODO

JayT106 and others added 3 commits June 30, 2026 14:29
…elop merge)

- move PreVerifierRegistry from app/ to app/mempool/ (thomas-nguy suggestion)
- tighten preVerify field comment in manager.go
- drop Decode-before-locking comment; add Register EVM module preverifier comment
- remove two-line comment block before registry setup in app.go
- bump ethermint replace to v0.22.1-0.20260630170128-dadacd149b92 (develop merge)
Remove the local snapshot `preVerify := a.preVerify` — SetPreVerify is
called once at startup before InsertTxHandler runs, so reading a.preVerify
directly inside the closure is correct and clearer.
@thomas-nguy

Copy link
Copy Markdown
Collaborator

@JayT106 please update the latest ethermint and we can merge it 👌

@JayT106 JayT106 enabled auto-merge July 2, 2026 17:28
@JayT106 JayT106 added this pull request to the merge queue Jul 2, 2026
Merged via the queue into crypto-org-chain:main with commit 4379c1f Jul 2, 2026
54 checks passed
@JayT106 JayT106 deleted the jt/refactor-evm-sig-preverifier branch July 2, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants