Skip to main content

zebra_consensus/
transaction.rs

1//! Asynchronous verification of transactions.
2
3use std::{
4    collections::{HashMap, HashSet},
5    future::Future,
6    pin::Pin,
7    sync::Arc,
8    task::{Context, Poll},
9    time::Duration,
10};
11
12use chrono::{DateTime, Utc};
13use futures::{
14    stream::{FuturesUnordered, StreamExt},
15    FutureExt,
16};
17use tokio::sync::oneshot;
18use tower::{
19    buffer::Buffer,
20    timeout::{error::Elapsed, Timeout},
21    util::BoxService,
22    Service, ServiceExt,
23};
24use tracing::Instrument;
25
26use zcash_protocol::value::ZatBalance;
27
28use zebra_chain::{
29    amount::{Amount, NonNegative},
30    block,
31    parameters::{Network, NetworkUpgrade},
32    primitives::Groth16Proof,
33    serialization::DateTime32,
34    transaction::{
35        self, HashType, SigHash, Transaction, UnminedTx, UnminedTxId, VerifiedUnminedTx,
36    },
37    transparent,
38};
39
40use zebra_node_services::mempool;
41use zebra_script::{CachedFfiTransaction, Sigops};
42use zebra_state as zs;
43
44use crate::{error::TransactionError, groth16::DescriptionWrapper, primitives, script, BoxError};
45
46pub mod check;
47#[cfg(test)]
48mod tests;
49
50/// A timeout applied to UTXO lookup requests.
51///
52/// The exact value is non-essential, but this should be long enough to allow
53/// out-of-order verification of blocks (UTXOs are not required to be ready
54/// immediately) while being short enough to:
55///   * prune blocks that are too far in the future to be worth keeping in the
56///     queue,
57///   * fail blocks that reference invalid UTXOs, and
58///   * fail blocks that reference UTXOs from blocks that have temporarily failed
59///     to download, because a peer sent Zebra a bad list of block hashes. (The
60///     UTXO verification failure will restart the sync, and re-download the
61///     chain in the correct order.)
62const UTXO_LOOKUP_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(6 * 60);
63
64/// A timeout applied to output lookup requests sent to the mempool. This is shorter than the
65/// timeout for the state UTXO lookups because a block is likely to be mined every 75 seconds
66/// after Blossom is active, changing the best chain tip and requiring re-verification of transactions
67/// in the mempool.
68///
69/// This is how long Zebra will wait for an output to be added to the mempool before verification
70/// of the transaction that spends it will fail.
71const MEMPOOL_OUTPUT_LOOKUP_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(60);
72
73/// How long to wait after responding to a mempool request with a transaction that creates new
74/// transparent outputs before polling the mempool service so that it will try adding the verified
75/// transaction and responding to any potential `AwaitOutput` requests.
76///
77/// This should be long enough for the mempool service's `Downloads` to finish processing the
78/// response from the transaction verifier.
79const POLL_MEMPOOL_DELAY: std::time::Duration = Duration::from_millis(50);
80
81/// Asynchronous transaction verification.
82///
83/// # Correctness
84///
85/// Transaction verification requests should be wrapped in a timeout, so that
86/// out-of-order and invalid requests do not hang indefinitely. See the [`router`](`crate::router`)
87/// module documentation for details.
88pub struct Verifier<ZS, Mempool> {
89    network: Network,
90    state: Timeout<ZS>,
91    // TODO: Use an enum so that this can either be Pending(oneshot::Receiver) or Initialized(MempoolService)
92    mempool: Option<Timeout<Mempool>>,
93    script_verifier: script::Verifier,
94    mempool_setup_rx: oneshot::Receiver<Mempool>,
95}
96
97impl<ZS, Mempool> Verifier<ZS, Mempool>
98where
99    ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
100    ZS::Future: Send + 'static,
101    Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
102        + Send
103        + Clone
104        + 'static,
105    Mempool::Future: Send + 'static,
106{
107    /// Create a new transaction verifier.
108    pub fn new(network: &Network, state: ZS, mempool_setup_rx: oneshot::Receiver<Mempool>) -> Self {
109        Self {
110            network: network.clone(),
111            state: Timeout::new(state, UTXO_LOOKUP_TIMEOUT),
112            mempool: None,
113            script_verifier: script::Verifier,
114            mempool_setup_rx,
115        }
116    }
117}
118
119impl<ZS>
120    Verifier<
121        ZS,
122        Buffer<BoxService<mempool::Request, mempool::Response, BoxError>, mempool::Request>,
123    >
124where
125    ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
126    ZS::Future: Send + 'static,
127{
128    /// Create a new transaction verifier with a closed channel receiver for mempool setup for tests.
129    #[cfg(test)]
130    pub fn new_for_tests(network: &Network, state: ZS) -> Self {
131        Self {
132            network: network.clone(),
133            state: Timeout::new(state, UTXO_LOOKUP_TIMEOUT),
134            mempool: None,
135            script_verifier: script::Verifier,
136            mempool_setup_rx: oneshot::channel().1,
137        }
138    }
139}
140
141/// Specifies whether a transaction should be verified as part of a block or as
142/// part of the mempool.
143///
144/// Transaction verification has slightly different consensus rules, depending on
145/// whether the transaction is to be included in a block on in the mempool.
146#[derive(Clone, Debug, Eq, PartialEq)]
147pub enum Request {
148    /// Verify the supplied transaction as part of a block.
149    Block {
150        /// The transaction hash.
151        transaction_hash: transaction::Hash,
152        /// The transaction itself.
153        transaction: Arc<Transaction>,
154        /// Set of transaction hashes that create new transparent outputs.
155        known_outpoint_hashes: Arc<HashSet<transaction::Hash>>,
156        /// Additional UTXOs which are known at the time of verification.
157        known_utxos: Arc<HashMap<transparent::OutPoint, transparent::OrderedUtxo>>,
158        /// The height of the block containing this transaction.
159        height: block::Height,
160        /// The time that the block was mined.
161        time: DateTime<Utc>,
162    },
163    /// Verify the supplied transaction as part of the mempool.
164    ///
165    /// Mempool transactions do not have any additional UTXOs.
166    ///
167    /// Note: coinbase transactions are invalid in the mempool
168    Mempool {
169        /// The transaction itself.
170        transaction: UnminedTx,
171        /// The height of the next block.
172        ///
173        /// The next block is the first block that could possibly contain a
174        /// mempool transaction.
175        height: block::Height,
176    },
177}
178
179/// The response type for the transaction verifier service.
180/// Responses identify the transaction that was verified.
181#[derive(Clone, Debug, PartialEq)]
182pub enum Response {
183    /// A response to a block transaction verification request.
184    Block {
185        /// The witnessed transaction ID for this transaction.
186        ///
187        /// [`Response::Block`] responses can be uniquely identified by
188        /// [`UnminedTxId::mined_id`], because the block's authorizing data root
189        /// will be checked during contextual validation.
190        tx_id: UnminedTxId,
191
192        /// The miner fee for this transaction.
193        ///
194        /// `None` for coinbase transactions.
195        ///
196        /// # Consensus
197        ///
198        /// > The remaining value in the transparent transaction value pool
199        /// > of a coinbase transaction is destroyed.
200        ///
201        /// <https://zips.z.cash/protocol/protocol.pdf#transactions>
202        miner_fee: Option<Amount<NonNegative>>,
203
204        /// The number of legacy signature operations in this transaction's
205        /// transparent inputs and outputs.
206        sigops: u32,
207    },
208
209    /// A response to a mempool transaction verification request.
210    Mempool {
211        /// The full content of the verified mempool transaction.
212        /// Also contains the transaction fee and other associated fields.
213        ///
214        /// Mempool transactions always have a transaction fee,
215        /// because coinbase transactions are rejected from the mempool.
216        ///
217        /// [`Response::Mempool`] responses are uniquely identified by the
218        /// [`UnminedTxId`] variant for their transaction version.
219        transaction: VerifiedUnminedTx,
220
221        /// A list of spent [`transparent::OutPoint`]s that were found in
222        /// the mempool's list of `created_outputs`.
223        ///
224        /// Used by the mempool to determine dependencies between transactions
225        /// in the mempool and to avoid adding transactions with missing spends
226        /// to its verified set.
227        spent_mempool_outpoints: Vec<transparent::OutPoint>,
228    },
229}
230
231#[cfg(any(test, feature = "proptest-impl"))]
232impl From<VerifiedUnminedTx> for Response {
233    fn from(transaction: VerifiedUnminedTx) -> Self {
234        Response::Mempool {
235            transaction,
236            spent_mempool_outpoints: Vec::new(),
237        }
238    }
239}
240
241impl Request {
242    /// The transaction to verify that's in this request.
243    pub fn transaction(&self) -> Arc<Transaction> {
244        match self {
245            Request::Block { transaction, .. } => transaction.clone(),
246            Request::Mempool { transaction, .. } => transaction.transaction.clone(),
247        }
248    }
249
250    /// The unverified mempool transaction, if this is a mempool request.
251    pub fn mempool_transaction(&self) -> Option<UnminedTx> {
252        match self {
253            Request::Block { .. } => None,
254            Request::Mempool { transaction, .. } => Some(transaction.clone()),
255        }
256    }
257
258    /// The unmined transaction ID for the transaction in this request.
259    pub fn tx_id(&self) -> UnminedTxId {
260        match self {
261            // TODO: get the precalculated ID from the block verifier
262            Request::Block { transaction, .. } => transaction.unmined_id(),
263            Request::Mempool { transaction, .. } => transaction.id,
264        }
265    }
266
267    /// The mined transaction ID for the transaction in this request.
268    pub fn tx_mined_id(&self) -> transaction::Hash {
269        match self {
270            Request::Block {
271                transaction_hash, ..
272            } => *transaction_hash,
273            Request::Mempool { transaction, .. } => transaction.id.mined_id(),
274        }
275    }
276
277    /// The set of additional known unspent transaction outputs that's in this request.
278    pub fn known_utxos(&self) -> Arc<HashMap<transparent::OutPoint, transparent::OrderedUtxo>> {
279        match self {
280            Request::Block { known_utxos, .. } => known_utxos.clone(),
281            Request::Mempool { .. } => HashMap::new().into(),
282        }
283    }
284
285    /// The set of additional known [`transparent::OutPoint`]s of unspent transaction outputs that's in this request.
286    pub fn known_outpoint_hashes(&self) -> Arc<HashSet<transaction::Hash>> {
287        match self {
288            Request::Block {
289                known_outpoint_hashes,
290                ..
291            } => known_outpoint_hashes.clone(),
292            Request::Mempool { .. } => HashSet::new().into(),
293        }
294    }
295
296    /// The height used to select the consensus rules for verifying this transaction.
297    pub fn height(&self) -> block::Height {
298        match self {
299            Request::Block { height, .. } | Request::Mempool { height, .. } => *height,
300        }
301    }
302
303    /// The block time used for lock time consensus rules validation.
304    pub fn block_time(&self) -> Option<DateTime<Utc>> {
305        match self {
306            Request::Block { time, .. } => Some(*time),
307            Request::Mempool { .. } => None,
308        }
309    }
310
311    /// The network upgrade to consider for the verification.
312    ///
313    /// This is based on the block height from the request, and the supplied `network`.
314    pub fn upgrade(&self, network: &Network) -> NetworkUpgrade {
315        NetworkUpgrade::current(network, self.height())
316    }
317
318    /// Returns true if the request is a mempool request.
319    pub fn is_mempool(&self) -> bool {
320        matches!(self, Request::Mempool { .. })
321    }
322}
323
324impl Response {
325    /// The unmined transaction ID for the transaction in this response.
326    pub fn tx_id(&self) -> UnminedTxId {
327        match self {
328            Response::Block { tx_id, .. } => *tx_id,
329            Response::Mempool { transaction, .. } => transaction.transaction.id,
330        }
331    }
332
333    /// The miner fee for the transaction in this response.
334    ///
335    /// Coinbase transactions do not have a miner fee,
336    /// and they don't need UTXOs to calculate their value balance,
337    /// because they don't spend any inputs.
338    pub fn miner_fee(&self) -> Option<Amount<NonNegative>> {
339        match self {
340            Response::Block { miner_fee, .. } => *miner_fee,
341            Response::Mempool { transaction, .. } => Some(transaction.miner_fee),
342        }
343    }
344
345    /// The number of legacy transparent signature operations in this transaction's
346    /// inputs and outputs.
347    pub fn sigops(&self) -> u32 {
348        match self {
349            Response::Block { sigops, .. } => *sigops,
350            Response::Mempool { transaction, .. } => transaction.legacy_sigop_count,
351        }
352    }
353
354    /// Returns true if the request is a mempool request.
355    pub fn is_mempool(&self) -> bool {
356        match self {
357            Response::Block { .. } => false,
358            Response::Mempool { .. } => true,
359        }
360    }
361}
362
363impl<ZS, Mempool> Service<Request> for Verifier<ZS, Mempool>
364where
365    ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
366    ZS::Future: Send + 'static,
367    Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
368        + Send
369        + Clone
370        + 'static,
371    Mempool::Future: Send + 'static,
372{
373    type Response = Response;
374    type Error = TransactionError;
375    type Future =
376        Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
377
378    fn poll_ready(&mut self, _cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
379        // Note: The block verifier expects the transaction verifier to always be ready.
380
381        if self.mempool.is_none() {
382            if let Ok(mempool) = self.mempool_setup_rx.try_recv() {
383                self.mempool = Some(Timeout::new(mempool, MEMPOOL_OUTPUT_LOOKUP_TIMEOUT));
384            }
385        }
386
387        Poll::Ready(Ok(()))
388    }
389
390    // TODO: break up each chunk into its own method
391    fn call(&mut self, req: Request) -> Self::Future {
392        let script_verifier = self.script_verifier;
393        let network = self.network.clone();
394        let state = self.state.clone();
395        let mempool = self.mempool.clone();
396
397        let tx = req.transaction();
398        let tx_id = req.tx_id();
399        let span = tracing::debug_span!("tx", ?tx_id);
400
401        async move {
402            tracing::trace!(?tx_id, ?req, "got tx verify request");
403
404            // Do quick checks first
405            check::has_inputs_and_outputs(&tx)?;
406            check::has_enough_orchard_flags(&tx)?;
407            check::consensus_branch_id(&tx, req.height(), &network)?;
408
409            // Validate the coinbase input consensus rules
410            if req.is_mempool() && tx.is_coinbase() {
411                return Err(TransactionError::CoinbaseInMempool);
412            }
413
414            if tx.is_coinbase() {
415                check::coinbase_tx_no_prevout_joinsplit_spend(&tx)?;
416            } else if !tx.is_valid_non_coinbase() {
417                return Err(TransactionError::NonCoinbaseHasCoinbaseInput);
418            }
419
420            // Validate `nExpiryHeight` consensus rules
421            if tx.is_coinbase() {
422                check::coinbase_expiry_height(&req.height(), &tx, &network)?;
423            } else {
424                check::non_coinbase_expiry_height(&req.height(), &tx)?;
425            }
426
427            // Consensus rule:
428            //
429            // > Either v_{pub}^{old} or v_{pub}^{new} MUST be zero.
430            //
431            // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
432            check::joinsplit_has_vpub_zero(&tx)?;
433
434            // [Canopy onward]: `vpub_old` MUST be zero.
435            // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
436            check::disabled_add_to_sprout_pool(&tx, req.height(), &network)?;
437
438            check::spend_conflicts(&tx)?;
439
440            tracing::trace!(?tx_id, "passed quick checks");
441
442            if let Some(block_time) = req.block_time() {
443                check::lock_time_has_passed(&tx, req.height(), block_time)?;
444            } else {
445                // Skip the state query if we don't need the time for this check.
446                let next_median_time_past = if tx.lock_time_is_time() {
447                    // This state query is much faster than loading UTXOs from the database,
448                    // so it doesn't need to be executed in parallel
449                    let state = state.clone();
450                    Some(Self::mempool_best_chain_next_median_time_past(state).await?.to_chrono())
451                } else {
452                    None
453                };
454
455                // This consensus check makes sure Zebra produces valid block templates.
456                check::lock_time_has_passed(&tx, req.height(), next_median_time_past)?;
457            }
458
459            // "The consensus rules applied to valueBalance, vShieldedOutput, and bindingSig
460            // in non-coinbase transactions MUST also be applied to coinbase transactions."
461            //
462            // This rule is implicitly implemented during Sapling and Orchard verification,
463            // because they do not distinguish between coinbase and non-coinbase transactions.
464            //
465            // Note: this rule originally applied to Sapling, but we assume it also applies to Orchard.
466            //
467            // https://zips.z.cash/zip-0213#specification
468
469            // Load spent UTXOs from state.
470            // The UTXOs are required for almost all the async checks.
471            let load_spent_utxos_fut =
472                Self::spent_utxos(tx.clone(), req.clone(), state.clone(), mempool.clone(),);
473            let (spent_utxos, spent_outputs, spent_mempool_outpoints) = load_spent_utxos_fut.await?;
474
475            // WONTFIX: Return an error for Request::Block as well to replace this check in
476            //       the state once #2336 has been implemented?
477            if req.is_mempool() {
478                Self::check_maturity_height(&network, &req, &spent_utxos)?;
479            }
480
481            let nu = req.upgrade(&network);
482            let cached_ffi_transaction =
483                Arc::new(CachedFfiTransaction::new(tx.clone(), Arc::new(spent_outputs), nu).map_err(|_| TransactionError::UnsupportedByNetworkUpgrade(tx.version(), nu))?);
484
485            tracing::trace!(?tx_id, "got state UTXOs");
486
487            let mut async_checks = match tx.as_ref() {
488                Transaction::V1 { .. } | Transaction::V2 { .. } | Transaction::V3 { .. } => {
489                    tracing::debug!(?tx, "got transaction with wrong version");
490                    return Err(TransactionError::WrongVersion);
491                }
492                Transaction::V4 {
493                    joinsplit_data,
494                    ..
495                } => Self::verify_v4_transaction(
496                    &req,
497                    &network,
498                    script_verifier,
499                    cached_ffi_transaction.clone(),
500                    joinsplit_data,
501                )?,
502                Transaction::V5 {
503                    ..
504                } => Self::verify_v5_transaction(
505                    &req,
506                    &network,
507                    script_verifier,
508                    cached_ffi_transaction.clone(),
509                )?,
510                #[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
511                Transaction::V6 {
512                    ..
513                } => Self::verify_v6_transaction(
514                    &req,
515                    &network,
516                    script_verifier,
517                    cached_ffi_transaction.clone(),
518                )?,
519            };
520
521            if let Some(unmined_tx) = req.mempool_transaction() {
522                let check_anchors_and_revealed_nullifiers_query = state
523                    .clone()
524                    .oneshot(zs::Request::CheckBestChainTipNullifiersAndAnchors(
525                        unmined_tx,
526                    ))
527                    .map(|res| {
528                        assert!(
529                            res? == zs::Response::ValidBestChainTipNullifiersAndAnchors,
530                            "unexpected response to CheckBestChainTipNullifiersAndAnchors request"
531                        );
532                        Ok(())
533                    }
534                );
535
536                async_checks.push(check_anchors_and_revealed_nullifiers_query);
537            }
538
539            tracing::trace!(?tx_id, "awaiting async checks...");
540
541            async_checks.check().await?;
542
543            tracing::trace!(?tx_id, "finished async checks");
544
545            // Get the `value_balance` to calculate the transaction fee.
546            let value_balance = tx.value_balance(&spent_utxos);
547
548            let zip233_amount = match *tx {
549            	#[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
550                Transaction::V6{ .. } => tx.zip233_amount(),
551                _ => Amount::zero()
552            };
553
554            // Calculate the fee only for non-coinbase transactions.
555            let mut miner_fee = None;
556            if !tx.is_coinbase() {
557                // TODO: deduplicate this code with remaining_transaction_value()?
558                miner_fee = match value_balance {
559                    Ok(vb) => match vb.remaining_transaction_value() {
560                        Ok(tx_rtv) => match tx_rtv - zip233_amount {
561                            Ok(fee) => Some(fee),
562                            Err(_) => return Err(TransactionError::IncorrectFee),
563                        }
564                        Err(_) => return Err(TransactionError::IncorrectFee),
565                    },
566                    Err(_) => return Err(TransactionError::IncorrectFee),
567                };
568            }
569
570            let sigops = tx.sigops().map_err(zebra_script::Error::from)?;
571
572            let rsp = match req {
573                Request::Block { .. } => Response::Block {
574                    tx_id,
575                    miner_fee,
576                    sigops,
577                },
578                Request::Mempool { transaction: tx, .. } => {
579                    // TODO: `spent_outputs` may not align with `tx.inputs()` when a transaction
580                    // spends both chain and mempool UTXOs (mempool outputs are appended last by
581                    // `spent_utxos()`), causing policy checks to pair the wrong input with
582                    // the wrong spent output.
583                    // https://github.com/ZcashFoundation/zebra/issues/10346
584                    let spent_outputs = cached_ffi_transaction.all_previous_outputs().clone();
585                    let transaction = VerifiedUnminedTx::new(
586                        tx,
587                        miner_fee.expect("fee should have been checked earlier"),
588                        sigops,
589                        spent_outputs.into(),
590                    )?;
591
592                    if let Some(mut mempool) = mempool {
593                        tokio::spawn(async move {
594                            // Best-effort poll of the mempool to provide a timely response to
595                            // `sendrawtransaction` RPC calls or `AwaitOutput` mempool calls.
596                            tokio::time::sleep(POLL_MEMPOOL_DELAY).await;
597                            let _ = mempool
598                                .ready()
599                                .await
600                                .expect("mempool poll_ready() method should not return an error")
601                                .call(mempool::Request::CheckForVerifiedTransactions)
602                                .await;
603                        });
604                    }
605
606                    Response::Mempool { transaction, spent_mempool_outpoints }
607                },
608            };
609
610            Ok(rsp)
611        }
612        .inspect(move |result| {
613            // Hide the transaction data to avoid filling the logs
614            tracing::trace!(?tx_id, result = ?result.as_ref().map(|_tx| ()), "got tx verify result");
615        })
616        .instrument(span)
617        .boxed()
618    }
619}
620
621impl<ZS, Mempool> Verifier<ZS, Mempool>
622where
623    ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
624    ZS::Future: Send + 'static,
625    Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
626        + Send
627        + Clone
628        + 'static,
629    Mempool::Future: Send + 'static,
630{
631    /// Fetches the median-time-past of the *next* block after the best state tip.
632    ///
633    /// This is used to verify that the lock times of mempool transactions
634    /// can be included in any valid next block.
635    async fn mempool_best_chain_next_median_time_past(
636        state: Timeout<ZS>,
637    ) -> Result<DateTime32, TransactionError> {
638        let query = state
639            .clone()
640            .oneshot(zs::Request::BestChainNextMedianTimePast);
641
642        if let zebra_state::Response::BestChainNextMedianTimePast(median_time_past) = query
643            .await
644            .map_err(|e| TransactionError::ValidateMempoolLockTimeError(e.to_string()))?
645        {
646            Ok(median_time_past)
647        } else {
648            unreachable!("Request::BestChainNextMedianTimePast always responds with BestChainNextMedianTimePast")
649        }
650    }
651
652    /// Wait for the UTXOs that are being spent by the given transaction.
653    ///
654    /// Looks up UTXOs that are being spent by the given transaction in the state or waits
655    /// for them to be added to the mempool for [`Mempool`](Request::Mempool) requests.
656    ///
657    /// Returns a triple containing:
658    /// - `OutPoint` -> `Utxo` map,
659    /// - vec of `Output`s in the same order as the matching inputs in the `tx`,
660    /// - vec of `Outpoint`s spent by a mempool `tx` that were not found in the best chain's utxo set.
661    async fn spent_utxos(
662        tx: Arc<Transaction>,
663        req: Request,
664        state: Timeout<ZS>,
665        mempool: Option<Timeout<Mempool>>,
666    ) -> Result<
667        (
668            HashMap<transparent::OutPoint, transparent::Utxo>,
669            Vec<transparent::Output>,
670            Vec<transparent::OutPoint>,
671        ),
672        TransactionError,
673    > {
674        let is_mempool = req.is_mempool();
675        // Additional UTXOs known at the time of validation,
676        // i.e., from previous transactions in the block.
677        let known_utxos = req.known_utxos();
678
679        let inputs = tx.inputs();
680        let mut spent_utxos = HashMap::new();
681        // Pre-allocate with None so we can fill each slot by input index, preserving input order
682        // even when chain and mempool UTXOs are fetched in separate passes.
683        let mut spent_outputs: Vec<Option<transparent::Output>> = vec![None; inputs.len()];
684        // Stores (input_idx, outpoint) for UTXOs not found in the best chain (fetched from mempool later).
685        let mut spent_mempool_outpoints: Vec<(usize, transparent::OutPoint)> = Vec::new();
686
687        for (input_idx, input) in inputs.iter().enumerate() {
688            if let transparent::Input::PrevOut { outpoint, .. } = input {
689                tracing::trace!("awaiting outpoint lookup");
690                let utxo = if let Some(output) = known_utxos.get(outpoint) {
691                    tracing::trace!("UXTO in known_utxos, discarding query");
692                    output.utxo.clone()
693                } else if is_mempool {
694                    let query = state
695                        .clone()
696                        .oneshot(zs::Request::UnspentBestChainUtxo(*outpoint));
697
698                    let zebra_state::Response::UnspentBestChainUtxo(utxo) = query
699                        .await
700                        .map_err(|_| TransactionError::TransparentInputNotFound)?
701                    else {
702                        unreachable!("UnspentBestChainUtxo always responds with Option<Utxo>")
703                    };
704
705                    let Some(utxo) = utxo else {
706                        spent_mempool_outpoints.push((input_idx, *outpoint));
707                        continue;
708                    };
709
710                    utxo
711                } else {
712                    let query = state
713                        .clone()
714                        .oneshot(zebra_state::Request::AwaitUtxo(*outpoint));
715                    if let zebra_state::Response::Utxo(utxo) = query.await? {
716                        utxo
717                    } else {
718                        unreachable!("AwaitUtxo always responds with Utxo")
719                    }
720                };
721                tracing::trace!(?utxo, "got UTXO");
722                spent_outputs[input_idx] = Some(utxo.output.clone());
723                spent_utxos.insert(*outpoint, utxo);
724            } else {
725                continue;
726            }
727        }
728
729        if let Some(mempool) = mempool {
730            for &(input_idx, spent_mempool_outpoint) in &spent_mempool_outpoints {
731                let query = mempool
732                    .clone()
733                    .oneshot(mempool::Request::AwaitOutput(spent_mempool_outpoint));
734
735                let output = match query.await {
736                    Ok(mempool::Response::UnspentOutput(output)) => output,
737                    Ok(_) => unreachable!("UnspentOutput always responds with UnspentOutput"),
738                    Err(err) => {
739                        return match err.downcast::<Elapsed>() {
740                            Ok(_) => Err(TransactionError::TransparentInputNotFound),
741                            Err(err) => Err(err.into()),
742                        };
743                    }
744                };
745
746                spent_outputs[input_idx] = Some(output.clone());
747                spent_utxos.insert(
748                    spent_mempool_outpoint,
749                    // Assume the Utxo height will be next height after the best chain tip height
750                    //
751                    // # Correctness
752                    //
753                    // If the tip height changes while an umined transaction is being verified,
754                    // the transaction must be re-verified before being added to the mempool.
755                    transparent::Utxo::new(output, req.height(), false),
756                );
757            }
758        } else if !spent_mempool_outpoints.is_empty() {
759            return Err(TransactionError::TransparentInputNotFound);
760        }
761
762        // Convert back to return types; slots are in input order.
763        let spent_outputs: Vec<transparent::Output> = spent_outputs.into_iter().flatten().collect();
764        let spent_mempool_outpoints: Vec<transparent::OutPoint> = spent_mempool_outpoints
765            .into_iter()
766            .map(|(_, op)| op)
767            .collect();
768
769        Ok((spent_utxos, spent_outputs, spent_mempool_outpoints))
770    }
771
772    /// Accepts `request`, a transaction verifier [`&Request`](Request),
773    /// and `spent_utxos`, a HashMap of UTXOs in the chain that are spent by this transaction.
774    ///
775    /// Gets the `transaction`, `height`, and `known_utxos` for the request and checks calls
776    /// [`check::tx_transparent_coinbase_spends_maturity`] to verify that every transparent
777    /// coinbase output spent by the transaction will have matured by `height`.
778    ///
779    /// Returns `Ok(())` if every transparent coinbase output spent by the transaction is
780    /// mature and valid for the request height, or a [`TransactionError`] if the transaction
781    /// spends transparent coinbase outputs that are immature and invalid for the request height.
782    pub fn check_maturity_height(
783        network: &Network,
784        request: &Request,
785        spent_utxos: &HashMap<transparent::OutPoint, transparent::Utxo>,
786    ) -> Result<(), TransactionError> {
787        check::tx_transparent_coinbase_spends_maturity(
788            network,
789            request.transaction(),
790            request.height(),
791            request.known_utxos(),
792            spent_utxos,
793        )
794    }
795
796    /// Verify a V4 transaction.
797    ///
798    /// Returns a set of asynchronous checks that must all succeed for the transaction to be
799    /// considered valid. These checks include:
800    ///
801    /// - transparent transfers
802    /// - sprout shielded data
803    /// - sapling shielded data
804    ///
805    /// The parameters of this method are:
806    ///
807    /// - the `request` to verify (that contains the transaction and other metadata, see [`Request`]
808    ///   for more information)
809    /// - the `network` to consider when verifying
810    /// - the `script_verifier` to use for verifying the transparent transfers
811    /// - the prepared `cached_ffi_transaction` used by the script verifier
812    /// - the Sprout `joinsplit_data` shielded data in the transaction
813    /// - the `sapling_shielded_data` in the transaction
814    #[allow(clippy::unwrap_in_result)]
815    fn verify_v4_transaction(
816        request: &Request,
817        network: &Network,
818        script_verifier: script::Verifier,
819        cached_ffi_transaction: Arc<CachedFfiTransaction>,
820        joinsplit_data: &Option<transaction::JoinSplitData<Groth16Proof>>,
821    ) -> Result<AsyncChecks, TransactionError> {
822        let tx = request.transaction();
823        let nu = request.upgrade(network);
824
825        Self::verify_v4_transaction_network_upgrade(&tx, nu)?;
826
827        let sapling_bundle = cached_ffi_transaction.sighasher().sapling_bundle();
828
829        let sighash = cached_ffi_transaction
830            .sighasher()
831            .sighash(HashType::ALL, None);
832
833        Ok(Self::verify_transparent_inputs_and_outputs(
834            request,
835            script_verifier,
836            cached_ffi_transaction,
837        )?
838        .and(Self::verify_sprout_shielded_data(joinsplit_data, &sighash)?)
839        .and(Self::verify_sapling_bundle(sapling_bundle, &sighash)))
840    }
841
842    /// Verifies if a V4 `transaction` is supported by `network_upgrade`.
843    fn verify_v4_transaction_network_upgrade(
844        transaction: &Transaction,
845        network_upgrade: NetworkUpgrade,
846    ) -> Result<(), TransactionError> {
847        match network_upgrade {
848            // Supports V4 transactions
849            //
850            // # Consensus
851            //
852            // > [Sapling to Canopy inclusive, pre-NU5] The transaction version number MUST be 4,
853            // > and the version group ID MUST be 0x892F2085.
854            //
855            // > [NU5 onward] The transaction version number MUST be 4 or 5.
856            // > If the transaction version number is 4 then the version group ID MUST be 0x892F2085.
857            // > If the transaction version number is 5 then the version group ID MUST be 0x26A7270A.
858            //
859            // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
860            //
861            // Note: Here we verify the transaction version number of the above two rules, the group
862            // id is checked in zebra-chain crate, in the transaction serialize.
863            NetworkUpgrade::Sapling
864            | NetworkUpgrade::Blossom
865            | NetworkUpgrade::Heartwood
866            | NetworkUpgrade::Canopy
867            | NetworkUpgrade::Nu5
868            | NetworkUpgrade::Nu6
869            | NetworkUpgrade::Nu6_1 => Ok(()),
870
871            #[cfg(zcash_unstable = "zfuture")]
872            NetworkUpgrade::ZFuture => Ok(()),
873
874            // Does not support V4 transactions
875            NetworkUpgrade::Genesis
876            | NetworkUpgrade::BeforeOverwinter
877            | NetworkUpgrade::Overwinter
878            | NetworkUpgrade::Nu7 => Err(TransactionError::UnsupportedByNetworkUpgrade(
879                transaction.version(),
880                network_upgrade,
881            )),
882        }
883    }
884
885    /// Verify a V5 transaction.
886    ///
887    /// Returns a set of asynchronous checks that must all succeed for the transaction to be
888    /// considered valid. These checks include:
889    ///
890    /// - transaction support by the considered network upgrade (see [`Request::upgrade`])
891    /// - transparent transfers
892    /// - sapling shielded data (TODO)
893    /// - orchard shielded data (TODO)
894    ///
895    /// The parameters of this method are:
896    ///
897    /// - the `request` to verify (that contains the transaction and other metadata, see [`Request`]
898    ///   for more information)
899    /// - the `network` to consider when verifying
900    /// - the `script_verifier` to use for verifying the transparent transfers
901    /// - the prepared `cached_ffi_transaction` used by the script verifier
902    /// - the sapling shielded data of the transaction, if any
903    /// - the orchard shielded data of the transaction, if any
904    #[allow(clippy::unwrap_in_result)]
905    fn verify_v5_transaction(
906        request: &Request,
907        network: &Network,
908        script_verifier: script::Verifier,
909        cached_ffi_transaction: Arc<CachedFfiTransaction>,
910    ) -> Result<AsyncChecks, TransactionError> {
911        let transaction = request.transaction();
912        let nu = request.upgrade(network);
913
914        Self::verify_v5_transaction_network_upgrade(&transaction, nu)?;
915
916        let sapling_bundle = cached_ffi_transaction.sighasher().sapling_bundle();
917        let orchard_bundle = cached_ffi_transaction.sighasher().orchard_bundle();
918
919        let sighash = cached_ffi_transaction
920            .sighasher()
921            .sighash(HashType::ALL, None);
922
923        Ok(Self::verify_transparent_inputs_and_outputs(
924            request,
925            script_verifier,
926            cached_ffi_transaction,
927        )?
928        .and(Self::verify_sapling_bundle(sapling_bundle, &sighash))
929        .and(Self::verify_orchard_bundle(orchard_bundle, &sighash)))
930    }
931
932    /// Verifies if a V5 `transaction` is supported by `network_upgrade`.
933    fn verify_v5_transaction_network_upgrade(
934        transaction: &Transaction,
935        network_upgrade: NetworkUpgrade,
936    ) -> Result<(), TransactionError> {
937        match network_upgrade {
938            // Supports V5 transactions
939            //
940            // # Consensus
941            //
942            // > [NU5 onward] The transaction version number MUST be 4 or 5.
943            // > If the transaction version number is 4 then the version group ID MUST be 0x892F2085.
944            // > If the transaction version number is 5 then the version group ID MUST be 0x26A7270A.
945            //
946            // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
947            //
948            // Note: Here we verify the transaction version number of the above rule, the group
949            // id is checked in zebra-chain crate, in the transaction serialize.
950            NetworkUpgrade::Nu5
951            | NetworkUpgrade::Nu6
952            | NetworkUpgrade::Nu6_1
953            | NetworkUpgrade::Nu7 => Ok(()),
954
955            #[cfg(zcash_unstable = "zfuture")]
956            NetworkUpgrade::ZFuture => Ok(()),
957
958            // Does not support V5 transactions
959            NetworkUpgrade::Genesis
960            | NetworkUpgrade::BeforeOverwinter
961            | NetworkUpgrade::Overwinter
962            | NetworkUpgrade::Sapling
963            | NetworkUpgrade::Blossom
964            | NetworkUpgrade::Heartwood
965            | NetworkUpgrade::Canopy => Err(TransactionError::UnsupportedByNetworkUpgrade(
966                transaction.version(),
967                network_upgrade,
968            )),
969        }
970    }
971
972    /// Passthrough to verify_v5_transaction, but for V6 transactions.
973    #[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
974    fn verify_v6_transaction(
975        request: &Request,
976        network: &Network,
977        script_verifier: script::Verifier,
978        cached_ffi_transaction: Arc<CachedFfiTransaction>,
979    ) -> Result<AsyncChecks, TransactionError> {
980        Self::verify_v5_transaction(request, network, script_verifier, cached_ffi_transaction)
981    }
982
983    /// Verifies if a transaction's transparent inputs are valid using the provided
984    /// `script_verifier` and `cached_ffi_transaction`.
985    ///
986    /// Returns script verification responses via the `utxo_sender`.
987    fn verify_transparent_inputs_and_outputs(
988        request: &Request,
989        script_verifier: script::Verifier,
990        cached_ffi_transaction: Arc<CachedFfiTransaction>,
991    ) -> Result<AsyncChecks, TransactionError> {
992        let transaction = request.transaction();
993
994        if transaction.is_coinbase() {
995            // The script verifier only verifies PrevOut inputs and their corresponding UTXOs.
996            // Coinbase transactions don't have any PrevOut inputs.
997            Ok(AsyncChecks::new())
998        } else {
999            // feed all of the inputs to the script verifier
1000            let inputs = transaction.inputs();
1001
1002            let script_checks = (0..inputs.len())
1003                .map(move |input_index| {
1004                    let request = script::Request {
1005                        cached_ffi_transaction: cached_ffi_transaction.clone(),
1006                        input_index,
1007                    };
1008
1009                    script_verifier.oneshot(request)
1010                })
1011                .collect();
1012
1013            Ok(script_checks)
1014        }
1015    }
1016
1017    /// Verifies a transaction's Sprout shielded join split data.
1018    fn verify_sprout_shielded_data(
1019        joinsplit_data: &Option<transaction::JoinSplitData<Groth16Proof>>,
1020        shielded_sighash: &SigHash,
1021    ) -> Result<AsyncChecks, TransactionError> {
1022        let mut checks = AsyncChecks::new();
1023
1024        if let Some(joinsplit_data) = joinsplit_data {
1025            for joinsplit in joinsplit_data.joinsplits() {
1026                // # Consensus
1027                //
1028                // > The proof π_ZKJoinSplit MUST be valid given a
1029                // > primary input formed from the relevant other fields and h_{Sig}
1030                //
1031                // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
1032                //
1033                // Queue the verification of the Groth16 spend proof
1034                // for each JoinSplit description while adding the
1035                // resulting future to our collection of async
1036                // checks that (at a minimum) must pass for the
1037                // transaction to verify.
1038                checks.push(primitives::groth16::JOINSPLIT_VERIFIER.oneshot(
1039                    DescriptionWrapper(&(joinsplit, &joinsplit_data.pub_key)).try_into()?,
1040                ));
1041            }
1042
1043            // # Consensus
1044            //
1045            // > If effectiveVersion ≥ 2 and nJoinSplit > 0, then:
1046            // > - joinSplitPubKey MUST be a valid encoding of an Ed25519 validating key
1047            // > - joinSplitSig MUST represent a valid signature under
1048            //     joinSplitPubKey of dataToBeSigned, as defined in § 4.11
1049            //
1050            // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
1051            //
1052            // The `if` part is indirectly enforced, since the `joinsplit_data`
1053            // is only parsed if those conditions apply in
1054            // [`Transaction::zcash_deserialize`].
1055            //
1056            // The valid encoding is defined in
1057            //
1058            // > A valid Ed25519 validating key is defined as a sequence of 32
1059            // > bytes encoding a point on the Ed25519 curve
1060            //
1061            // https://zips.z.cash/protocol/protocol.pdf#concreteed25519
1062            //
1063            // which is enforced during signature verification, in both batched
1064            // and single verification, when decompressing the encoded point.
1065            //
1066            // Queue the validation of the JoinSplit signature while
1067            // adding the resulting future to our collection of
1068            // async checks that (at a minimum) must pass for the
1069            // transaction to verify.
1070            //
1071            // https://zips.z.cash/protocol/protocol.pdf#sproutnonmalleability
1072            // https://zips.z.cash/protocol/protocol.pdf#txnencodingandconsensus
1073            let ed25519_verifier = primitives::ed25519::VERIFIER.clone();
1074            let ed25519_item =
1075                (joinsplit_data.pub_key, joinsplit_data.sig, shielded_sighash).into();
1076
1077            checks.push(ed25519_verifier.oneshot(ed25519_item));
1078        }
1079
1080        Ok(checks)
1081    }
1082
1083    /// Verifies a transaction's Sapling shielded data.
1084    fn verify_sapling_bundle(
1085        bundle: Option<sapling_crypto::Bundle<sapling_crypto::bundle::Authorized, ZatBalance>>,
1086        sighash: &SigHash,
1087    ) -> AsyncChecks {
1088        let mut async_checks = AsyncChecks::new();
1089
1090        // The Sapling batch verifier checks the following consensus rules:
1091        //
1092        // # Consensus
1093        //
1094        // > The proof π_ZKSpend MUST be valid given a primary input formed from the other fields
1095        // > except spendAuthSig.
1096        //
1097        // > The spend authorization signature MUST be a valid SpendAuthSig signature over SigHash
1098        // > using rk as the validating key.
1099        //
1100        // > [NU5 onward] As specified in § 5.4.7 ‘RedDSA, RedJubjub, and RedPallas’ on p. 88, the
1101        // > validation of the 𝑅 component of the signature changes to prohibit non-canonical
1102        // > encodings.
1103        //
1104        // https://zips.z.cash/protocol/protocol.pdf#spenddesc
1105        //
1106        // # Consensus
1107        //
1108        // > The proof π_ZKOutput MUST be valid given a primary input formed from the other fields
1109        // > except C^enc and C^out.
1110        //
1111        // https://zips.z.cash/protocol/protocol.pdf#outputdesc
1112        //
1113        // # Consensus
1114        //
1115        // > The Spend transfers and Action transfers of a transaction MUST be consistent with its
1116        // > vbalanceSapling value as specified in § 4.13 ‘Balance and Binding Signature (Sapling)’.
1117        //
1118        // https://zips.z.cash/protocol/protocol.pdf#spendsandoutputs
1119        //
1120        // # Consensus
1121        //
1122        // > [Sapling onward] If effectiveVersion ≥ 4 and nSpendsSapling + nOutputsSapling > 0,
1123        // > then:
1124        // >
1125        // > – let bvk^{Sapling} and SigHash be as defined in § 4.13;
1126        // > – bindingSigSapling MUST represent a valid signature under the transaction binding
1127        // >   validating key bvk Sapling of SigHash — i.e.
1128        // >   BindingSig^{Sapling}.Validate_{bvk^{Sapling}}(SigHash, bindingSigSapling ) = 1.
1129        //
1130        // Note that the `if` part is indirectly enforced, since the `sapling_shielded_data` is only
1131        // parsed if those conditions apply in [`Transaction::zcash_deserialize`].
1132        //
1133        // > [NU5 onward] As specified in § 5.4.7, the validation of the 𝑅 component of the
1134        // > signature changes to prohibit non-canonical encodings.
1135        //
1136        // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
1137        if let Some(bundle) = bundle {
1138            async_checks.push(
1139                primitives::sapling::VERIFIER
1140                    .clone()
1141                    .oneshot(primitives::sapling::Item::new(bundle, *sighash)),
1142            );
1143        }
1144
1145        async_checks
1146    }
1147
1148    /// Verifies a transaction's Orchard shielded data.
1149    fn verify_orchard_bundle(
1150        bundle: Option<::orchard::bundle::Bundle<::orchard::bundle::Authorized, ZatBalance>>,
1151        sighash: &SigHash,
1152    ) -> AsyncChecks {
1153        let mut async_checks = AsyncChecks::new();
1154
1155        if let Some(bundle) = bundle {
1156            // # Consensus
1157            //
1158            // > The proof 𝜋 MUST be valid given a primary input (cv, rt^{Orchard},
1159            // > nf, rk, cm_x, enableSpends, enableOutputs)
1160            //
1161            // https://zips.z.cash/protocol/protocol.pdf#actiondesc
1162            //
1163            // Unlike Sapling, Orchard shielded transactions have a single
1164            // aggregated Halo2 proof per transaction, even with multiple
1165            // Actions in one transaction. So we queue it for verification
1166            // only once instead of queuing it up for every Action description.
1167            async_checks.push(
1168                primitives::halo2::VERIFIER
1169                    .clone()
1170                    .oneshot(primitives::halo2::Item::new(bundle, *sighash)),
1171            );
1172        }
1173
1174        async_checks
1175    }
1176}
1177
1178/// A set of unordered asynchronous checks that should succeed.
1179///
1180/// A wrapper around [`FuturesUnordered`] with some auxiliary methods.
1181struct AsyncChecks(FuturesUnordered<Pin<Box<dyn Future<Output = Result<(), BoxError>> + Send>>>);
1182
1183impl AsyncChecks {
1184    /// Create an empty set of unordered asynchronous checks.
1185    pub fn new() -> Self {
1186        AsyncChecks(FuturesUnordered::new())
1187    }
1188
1189    /// Push a check into the set.
1190    pub fn push(&mut self, check: impl Future<Output = Result<(), BoxError>> + Send + 'static) {
1191        self.0.push(check.boxed());
1192    }
1193
1194    /// Push a set of checks into the set.
1195    ///
1196    /// This method can be daisy-chained.
1197    pub fn and(mut self, checks: AsyncChecks) -> Self {
1198        self.0.extend(checks.0);
1199        self
1200    }
1201
1202    /// Wait until all checks in the set finish.
1203    ///
1204    /// If any of the checks fail, this method immediately returns the error and cancels all other
1205    /// checks by dropping them.
1206    async fn check(mut self) -> Result<(), BoxError> {
1207        // Wait for all asynchronous checks to complete
1208        // successfully, or fail verification if they error.
1209        while let Some(check) = self.0.next().await {
1210            tracing::trace!(?check, remaining = self.0.len());
1211            check?;
1212        }
1213
1214        Ok(())
1215    }
1216}
1217
1218impl<F> FromIterator<F> for AsyncChecks
1219where
1220    F: Future<Output = Result<(), BoxError>> + Send + 'static,
1221{
1222    fn from_iter<I>(iterator: I) -> Self
1223    where
1224        I: IntoIterator<Item = F>,
1225    {
1226        AsyncChecks(iterator.into_iter().map(FutureExt::boxed).collect())
1227    }
1228}