zebra_consensus/transaction.rs
1//! Asynchronous verification of transactions.
2
3use std::{
4 collections::{HashMap, HashSet},
5 future::Future,
6 pin::Pin,
7 sync::Arc,
8 task::{Context, Poll},
9 time::Duration,
10};
11
12use chrono::{DateTime, Utc};
13use futures::{
14 stream::{FuturesUnordered, StreamExt},
15 FutureExt,
16};
17use tokio::sync::oneshot;
18use tower::{
19 buffer::Buffer,
20 timeout::{error::Elapsed, Timeout},
21 util::BoxService,
22 Service, ServiceExt,
23};
24use tracing::Instrument;
25
26use zcash_protocol::value::ZatBalance;
27
28use zebra_chain::{
29 amount::{Amount, NonNegative},
30 block,
31 parameters::{Network, NetworkUpgrade},
32 primitives::Groth16Proof,
33 serialization::DateTime32,
34 transaction::{
35 self, HashType, SigHash, Transaction, UnminedTx, UnminedTxId, VerifiedUnminedTx,
36 },
37 transparent,
38};
39
40use zebra_node_services::mempool;
41use zebra_script::{CachedFfiTransaction, Sigops};
42use zebra_state as zs;
43
44use crate::{error::TransactionError, groth16::DescriptionWrapper, primitives, script, BoxError};
45
46pub mod check;
47#[cfg(test)]
48mod tests;
49
50/// A timeout applied to UTXO lookup requests.
51///
52/// The exact value is non-essential, but this should be long enough to allow
53/// out-of-order verification of blocks (UTXOs are not required to be ready
54/// immediately) while being short enough to:
55/// * prune blocks that are too far in the future to be worth keeping in the
56/// queue,
57/// * fail blocks that reference invalid UTXOs, and
58/// * fail blocks that reference UTXOs from blocks that have temporarily failed
59/// to download, because a peer sent Zebra a bad list of block hashes. (The
60/// UTXO verification failure will restart the sync, and re-download the
61/// chain in the correct order.)
62const UTXO_LOOKUP_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(6 * 60);
63
64/// A timeout applied to output lookup requests sent to the mempool. This is shorter than the
65/// timeout for the state UTXO lookups because a block is likely to be mined every 75 seconds
66/// after Blossom is active, changing the best chain tip and requiring re-verification of transactions
67/// in the mempool.
68///
69/// This is how long Zebra will wait for an output to be added to the mempool before verification
70/// of the transaction that spends it will fail.
71const MEMPOOL_OUTPUT_LOOKUP_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(60);
72
73/// How long to wait after responding to a mempool request with a transaction that creates new
74/// transparent outputs before polling the mempool service so that it will try adding the verified
75/// transaction and responding to any potential `AwaitOutput` requests.
76///
77/// This should be long enough for the mempool service's `Downloads` to finish processing the
78/// response from the transaction verifier.
79const POLL_MEMPOOL_DELAY: std::time::Duration = Duration::from_millis(50);
80
81/// Asynchronous transaction verification.
82///
83/// # Correctness
84///
85/// Transaction verification requests should be wrapped in a timeout, so that
86/// out-of-order and invalid requests do not hang indefinitely. See the [`router`](`crate::router`)
87/// module documentation for details.
88pub struct Verifier<ZS, Mempool> {
89 network: Network,
90 state: Timeout<ZS>,
91 // TODO: Use an enum so that this can either be Pending(oneshot::Receiver) or Initialized(MempoolService)
92 mempool: Option<Timeout<Mempool>>,
93 script_verifier: script::Verifier,
94 mempool_setup_rx: oneshot::Receiver<Mempool>,
95}
96
97impl<ZS, Mempool> Verifier<ZS, Mempool>
98where
99 ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
100 ZS::Future: Send + 'static,
101 Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
102 + Send
103 + Clone
104 + 'static,
105 Mempool::Future: Send + 'static,
106{
107 /// Create a new transaction verifier.
108 pub fn new(network: &Network, state: ZS, mempool_setup_rx: oneshot::Receiver<Mempool>) -> Self {
109 Self {
110 network: network.clone(),
111 state: Timeout::new(state, UTXO_LOOKUP_TIMEOUT),
112 mempool: None,
113 script_verifier: script::Verifier,
114 mempool_setup_rx,
115 }
116 }
117}
118
119impl<ZS>
120 Verifier<
121 ZS,
122 Buffer<BoxService<mempool::Request, mempool::Response, BoxError>, mempool::Request>,
123 >
124where
125 ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
126 ZS::Future: Send + 'static,
127{
128 /// Create a new transaction verifier with a closed channel receiver for mempool setup for tests.
129 #[cfg(test)]
130 pub fn new_for_tests(network: &Network, state: ZS) -> Self {
131 Self {
132 network: network.clone(),
133 state: Timeout::new(state, UTXO_LOOKUP_TIMEOUT),
134 mempool: None,
135 script_verifier: script::Verifier,
136 mempool_setup_rx: oneshot::channel().1,
137 }
138 }
139}
140
141/// Specifies whether a transaction should be verified as part of a block or as
142/// part of the mempool.
143///
144/// Transaction verification has slightly different consensus rules, depending on
145/// whether the transaction is to be included in a block on in the mempool.
146#[derive(Clone, Debug, Eq, PartialEq)]
147pub enum Request {
148 /// Verify the supplied transaction as part of a block.
149 Block {
150 /// The transaction hash.
151 transaction_hash: transaction::Hash,
152 /// The transaction itself.
153 transaction: Arc<Transaction>,
154 /// Set of transaction hashes that create new transparent outputs.
155 known_outpoint_hashes: Arc<HashSet<transaction::Hash>>,
156 /// Additional UTXOs which are known at the time of verification.
157 known_utxos: Arc<HashMap<transparent::OutPoint, transparent::OrderedUtxo>>,
158 /// The height of the block containing this transaction.
159 height: block::Height,
160 /// The time that the block was mined.
161 time: DateTime<Utc>,
162 },
163 /// Verify the supplied transaction as part of the mempool.
164 ///
165 /// Mempool transactions do not have any additional UTXOs.
166 ///
167 /// Note: coinbase transactions are invalid in the mempool
168 Mempool {
169 /// The transaction itself.
170 transaction: UnminedTx,
171 /// The height of the next block.
172 ///
173 /// The next block is the first block that could possibly contain a
174 /// mempool transaction.
175 height: block::Height,
176 },
177}
178
179/// The response type for the transaction verifier service.
180/// Responses identify the transaction that was verified.
181#[derive(Clone, Debug, PartialEq)]
182pub enum Response {
183 /// A response to a block transaction verification request.
184 Block {
185 /// The witnessed transaction ID for this transaction.
186 ///
187 /// [`Response::Block`] responses can be uniquely identified by
188 /// [`UnminedTxId::mined_id`], because the block's authorizing data root
189 /// will be checked during contextual validation.
190 tx_id: UnminedTxId,
191
192 /// The miner fee for this transaction.
193 ///
194 /// `None` for coinbase transactions.
195 ///
196 /// # Consensus
197 ///
198 /// > The remaining value in the transparent transaction value pool
199 /// > of a coinbase transaction is destroyed.
200 ///
201 /// <https://zips.z.cash/protocol/protocol.pdf#transactions>
202 miner_fee: Option<Amount<NonNegative>>,
203
204 /// The number of legacy signature operations in this transaction's
205 /// transparent inputs and outputs.
206 sigops: u32,
207 },
208
209 /// A response to a mempool transaction verification request.
210 Mempool {
211 /// The full content of the verified mempool transaction.
212 /// Also contains the transaction fee and other associated fields.
213 ///
214 /// Mempool transactions always have a transaction fee,
215 /// because coinbase transactions are rejected from the mempool.
216 ///
217 /// [`Response::Mempool`] responses are uniquely identified by the
218 /// [`UnminedTxId`] variant for their transaction version.
219 transaction: VerifiedUnminedTx,
220
221 /// A list of spent [`transparent::OutPoint`]s that were found in
222 /// the mempool's list of `created_outputs`.
223 ///
224 /// Used by the mempool to determine dependencies between transactions
225 /// in the mempool and to avoid adding transactions with missing spends
226 /// to its verified set.
227 spent_mempool_outpoints: Vec<transparent::OutPoint>,
228 },
229}
230
231#[cfg(any(test, feature = "proptest-impl"))]
232impl From<VerifiedUnminedTx> for Response {
233 fn from(transaction: VerifiedUnminedTx) -> Self {
234 Response::Mempool {
235 transaction,
236 spent_mempool_outpoints: Vec::new(),
237 }
238 }
239}
240
241impl Request {
242 /// The transaction to verify that's in this request.
243 pub fn transaction(&self) -> Arc<Transaction> {
244 match self {
245 Request::Block { transaction, .. } => transaction.clone(),
246 Request::Mempool { transaction, .. } => transaction.transaction.clone(),
247 }
248 }
249
250 /// The unverified mempool transaction, if this is a mempool request.
251 pub fn mempool_transaction(&self) -> Option<UnminedTx> {
252 match self {
253 Request::Block { .. } => None,
254 Request::Mempool { transaction, .. } => Some(transaction.clone()),
255 }
256 }
257
258 /// The unmined transaction ID for the transaction in this request.
259 pub fn tx_id(&self) -> UnminedTxId {
260 match self {
261 // TODO: get the precalculated ID from the block verifier
262 Request::Block { transaction, .. } => transaction.unmined_id(),
263 Request::Mempool { transaction, .. } => transaction.id,
264 }
265 }
266
267 /// The mined transaction ID for the transaction in this request.
268 pub fn tx_mined_id(&self) -> transaction::Hash {
269 match self {
270 Request::Block {
271 transaction_hash, ..
272 } => *transaction_hash,
273 Request::Mempool { transaction, .. } => transaction.id.mined_id(),
274 }
275 }
276
277 /// The set of additional known unspent transaction outputs that's in this request.
278 pub fn known_utxos(&self) -> Arc<HashMap<transparent::OutPoint, transparent::OrderedUtxo>> {
279 match self {
280 Request::Block { known_utxos, .. } => known_utxos.clone(),
281 Request::Mempool { .. } => HashMap::new().into(),
282 }
283 }
284
285 /// The set of additional known [`transparent::OutPoint`]s of unspent transaction outputs that's in this request.
286 pub fn known_outpoint_hashes(&self) -> Arc<HashSet<transaction::Hash>> {
287 match self {
288 Request::Block {
289 known_outpoint_hashes,
290 ..
291 } => known_outpoint_hashes.clone(),
292 Request::Mempool { .. } => HashSet::new().into(),
293 }
294 }
295
296 /// The height used to select the consensus rules for verifying this transaction.
297 pub fn height(&self) -> block::Height {
298 match self {
299 Request::Block { height, .. } | Request::Mempool { height, .. } => *height,
300 }
301 }
302
303 /// The block time used for lock time consensus rules validation.
304 pub fn block_time(&self) -> Option<DateTime<Utc>> {
305 match self {
306 Request::Block { time, .. } => Some(*time),
307 Request::Mempool { .. } => None,
308 }
309 }
310
311 /// The network upgrade to consider for the verification.
312 ///
313 /// This is based on the block height from the request, and the supplied `network`.
314 pub fn upgrade(&self, network: &Network) -> NetworkUpgrade {
315 NetworkUpgrade::current(network, self.height())
316 }
317
318 /// Returns true if the request is a mempool request.
319 pub fn is_mempool(&self) -> bool {
320 matches!(self, Request::Mempool { .. })
321 }
322}
323
324impl Response {
325 /// The unmined transaction ID for the transaction in this response.
326 pub fn tx_id(&self) -> UnminedTxId {
327 match self {
328 Response::Block { tx_id, .. } => *tx_id,
329 Response::Mempool { transaction, .. } => transaction.transaction.id,
330 }
331 }
332
333 /// The miner fee for the transaction in this response.
334 ///
335 /// Coinbase transactions do not have a miner fee,
336 /// and they don't need UTXOs to calculate their value balance,
337 /// because they don't spend any inputs.
338 pub fn miner_fee(&self) -> Option<Amount<NonNegative>> {
339 match self {
340 Response::Block { miner_fee, .. } => *miner_fee,
341 Response::Mempool { transaction, .. } => Some(transaction.miner_fee),
342 }
343 }
344
345 /// The number of legacy transparent signature operations in this transaction's
346 /// inputs and outputs.
347 pub fn sigops(&self) -> u32 {
348 match self {
349 Response::Block { sigops, .. } => *sigops,
350 Response::Mempool { transaction, .. } => transaction.legacy_sigop_count,
351 }
352 }
353
354 /// Returns true if the request is a mempool request.
355 pub fn is_mempool(&self) -> bool {
356 match self {
357 Response::Block { .. } => false,
358 Response::Mempool { .. } => true,
359 }
360 }
361}
362
363impl<ZS, Mempool> Service<Request> for Verifier<ZS, Mempool>
364where
365 ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
366 ZS::Future: Send + 'static,
367 Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
368 + Send
369 + Clone
370 + 'static,
371 Mempool::Future: Send + 'static,
372{
373 type Response = Response;
374 type Error = TransactionError;
375 type Future =
376 Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
377
378 fn poll_ready(&mut self, _cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
379 // Note: The block verifier expects the transaction verifier to always be ready.
380
381 if self.mempool.is_none() {
382 if let Ok(mempool) = self.mempool_setup_rx.try_recv() {
383 self.mempool = Some(Timeout::new(mempool, MEMPOOL_OUTPUT_LOOKUP_TIMEOUT));
384 }
385 }
386
387 Poll::Ready(Ok(()))
388 }
389
390 // TODO: break up each chunk into its own method
391 fn call(&mut self, req: Request) -> Self::Future {
392 let script_verifier = self.script_verifier;
393 let network = self.network.clone();
394 let state = self.state.clone();
395 let mempool = self.mempool.clone();
396
397 let tx = req.transaction();
398 let tx_id = req.tx_id();
399 let span = tracing::debug_span!("tx", ?tx_id);
400
401 async move {
402 tracing::trace!(?tx_id, ?req, "got tx verify request");
403
404 // Do quick checks first
405 check::has_inputs_and_outputs(&tx)?;
406 check::has_enough_orchard_flags(&tx)?;
407 check::consensus_branch_id(&tx, req.height(), &network)?;
408
409 // Validate the coinbase input consensus rules
410 if req.is_mempool() && tx.is_coinbase() {
411 return Err(TransactionError::CoinbaseInMempool);
412 }
413
414 if tx.is_coinbase() {
415 check::coinbase_tx_no_prevout_joinsplit_spend(&tx)?;
416 } else if !tx.is_valid_non_coinbase() {
417 return Err(TransactionError::NonCoinbaseHasCoinbaseInput);
418 }
419
420 // Validate `nExpiryHeight` consensus rules
421 if tx.is_coinbase() {
422 check::coinbase_expiry_height(&req.height(), &tx, &network)?;
423 } else {
424 check::non_coinbase_expiry_height(&req.height(), &tx)?;
425 }
426
427 // Consensus rule:
428 //
429 // > Either v_{pub}^{old} or v_{pub}^{new} MUST be zero.
430 //
431 // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
432 check::joinsplit_has_vpub_zero(&tx)?;
433
434 // [Canopy onward]: `vpub_old` MUST be zero.
435 // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
436 check::disabled_add_to_sprout_pool(&tx, req.height(), &network)?;
437
438 check::spend_conflicts(&tx)?;
439
440 tracing::trace!(?tx_id, "passed quick checks");
441
442 if let Some(block_time) = req.block_time() {
443 check::lock_time_has_passed(&tx, req.height(), block_time)?;
444 } else {
445 // Skip the state query if we don't need the time for this check.
446 let next_median_time_past = if tx.lock_time_is_time() {
447 // This state query is much faster than loading UTXOs from the database,
448 // so it doesn't need to be executed in parallel
449 let state = state.clone();
450 Some(Self::mempool_best_chain_next_median_time_past(state).await?.to_chrono())
451 } else {
452 None
453 };
454
455 // This consensus check makes sure Zebra produces valid block templates.
456 check::lock_time_has_passed(&tx, req.height(), next_median_time_past)?;
457 }
458
459 // "The consensus rules applied to valueBalance, vShieldedOutput, and bindingSig
460 // in non-coinbase transactions MUST also be applied to coinbase transactions."
461 //
462 // This rule is implicitly implemented during Sapling and Orchard verification,
463 // because they do not distinguish between coinbase and non-coinbase transactions.
464 //
465 // Note: this rule originally applied to Sapling, but we assume it also applies to Orchard.
466 //
467 // https://zips.z.cash/zip-0213#specification
468
469 // Load spent UTXOs from state.
470 // The UTXOs are required for almost all the async checks.
471 let load_spent_utxos_fut =
472 Self::spent_utxos(tx.clone(), req.clone(), state.clone(), mempool.clone(),);
473 let (spent_utxos, spent_outputs, spent_mempool_outpoints) = load_spent_utxos_fut.await?;
474
475 // WONTFIX: Return an error for Request::Block as well to replace this check in
476 // the state once #2336 has been implemented?
477 if req.is_mempool() {
478 Self::check_maturity_height(&network, &req, &spent_utxos)?;
479 }
480
481 let nu = req.upgrade(&network);
482 let cached_ffi_transaction =
483 Arc::new(CachedFfiTransaction::new(tx.clone(), Arc::new(spent_outputs), nu).map_err(|_| TransactionError::UnsupportedByNetworkUpgrade(tx.version(), nu))?);
484
485 tracing::trace!(?tx_id, "got state UTXOs");
486
487 let mut async_checks = match tx.as_ref() {
488 Transaction::V1 { .. } | Transaction::V2 { .. } | Transaction::V3 { .. } => {
489 tracing::debug!(?tx, "got transaction with wrong version");
490 return Err(TransactionError::WrongVersion);
491 }
492 Transaction::V4 {
493 joinsplit_data,
494 ..
495 } => Self::verify_v4_transaction(
496 &req,
497 &network,
498 script_verifier,
499 cached_ffi_transaction.clone(),
500 joinsplit_data,
501 )?,
502 Transaction::V5 {
503 ..
504 } => Self::verify_v5_transaction(
505 &req,
506 &network,
507 script_verifier,
508 cached_ffi_transaction.clone(),
509 )?,
510 #[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
511 Transaction::V6 {
512 ..
513 } => Self::verify_v6_transaction(
514 &req,
515 &network,
516 script_verifier,
517 cached_ffi_transaction.clone(),
518 )?,
519 };
520
521 if let Some(unmined_tx) = req.mempool_transaction() {
522 let check_anchors_and_revealed_nullifiers_query = state
523 .clone()
524 .oneshot(zs::Request::CheckBestChainTipNullifiersAndAnchors(
525 unmined_tx,
526 ))
527 .map(|res| {
528 assert!(
529 res? == zs::Response::ValidBestChainTipNullifiersAndAnchors,
530 "unexpected response to CheckBestChainTipNullifiersAndAnchors request"
531 );
532 Ok(())
533 }
534 );
535
536 async_checks.push(check_anchors_and_revealed_nullifiers_query);
537 }
538
539 tracing::trace!(?tx_id, "awaiting async checks...");
540
541 async_checks.check().await?;
542
543 tracing::trace!(?tx_id, "finished async checks");
544
545 // Get the `value_balance` to calculate the transaction fee.
546 let value_balance = tx.value_balance(&spent_utxos);
547
548 let zip233_amount = match *tx {
549 #[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
550 Transaction::V6{ .. } => tx.zip233_amount(),
551 _ => Amount::zero()
552 };
553
554 // Calculate the fee only for non-coinbase transactions.
555 let mut miner_fee = None;
556 if !tx.is_coinbase() {
557 // TODO: deduplicate this code with remaining_transaction_value()?
558 miner_fee = match value_balance {
559 Ok(vb) => match vb.remaining_transaction_value() {
560 Ok(tx_rtv) => match tx_rtv - zip233_amount {
561 Ok(fee) => Some(fee),
562 Err(_) => return Err(TransactionError::IncorrectFee),
563 }
564 Err(_) => return Err(TransactionError::IncorrectFee),
565 },
566 Err(_) => return Err(TransactionError::IncorrectFee),
567 };
568 }
569
570 let sigops = tx.sigops().map_err(zebra_script::Error::from)?;
571
572 let rsp = match req {
573 Request::Block { .. } => Response::Block {
574 tx_id,
575 miner_fee,
576 sigops,
577 },
578 Request::Mempool { transaction: tx, .. } => {
579 // TODO: `spent_outputs` may not align with `tx.inputs()` when a transaction
580 // spends both chain and mempool UTXOs (mempool outputs are appended last by
581 // `spent_utxos()`), causing policy checks to pair the wrong input with
582 // the wrong spent output.
583 // https://github.com/ZcashFoundation/zebra/issues/10346
584 let spent_outputs = cached_ffi_transaction.all_previous_outputs().clone();
585 let transaction = VerifiedUnminedTx::new(
586 tx,
587 miner_fee.expect("fee should have been checked earlier"),
588 sigops,
589 spent_outputs.into(),
590 )?;
591
592 if let Some(mut mempool) = mempool {
593 tokio::spawn(async move {
594 // Best-effort poll of the mempool to provide a timely response to
595 // `sendrawtransaction` RPC calls or `AwaitOutput` mempool calls.
596 tokio::time::sleep(POLL_MEMPOOL_DELAY).await;
597 let _ = mempool
598 .ready()
599 .await
600 .expect("mempool poll_ready() method should not return an error")
601 .call(mempool::Request::CheckForVerifiedTransactions)
602 .await;
603 });
604 }
605
606 Response::Mempool { transaction, spent_mempool_outpoints }
607 },
608 };
609
610 Ok(rsp)
611 }
612 .inspect(move |result| {
613 // Hide the transaction data to avoid filling the logs
614 tracing::trace!(?tx_id, result = ?result.as_ref().map(|_tx| ()), "got tx verify result");
615 })
616 .instrument(span)
617 .boxed()
618 }
619}
620
621impl<ZS, Mempool> Verifier<ZS, Mempool>
622where
623 ZS: Service<zs::Request, Response = zs::Response, Error = BoxError> + Send + Clone + 'static,
624 ZS::Future: Send + 'static,
625 Mempool: Service<mempool::Request, Response = mempool::Response, Error = BoxError>
626 + Send
627 + Clone
628 + 'static,
629 Mempool::Future: Send + 'static,
630{
631 /// Fetches the median-time-past of the *next* block after the best state tip.
632 ///
633 /// This is used to verify that the lock times of mempool transactions
634 /// can be included in any valid next block.
635 async fn mempool_best_chain_next_median_time_past(
636 state: Timeout<ZS>,
637 ) -> Result<DateTime32, TransactionError> {
638 let query = state
639 .clone()
640 .oneshot(zs::Request::BestChainNextMedianTimePast);
641
642 if let zebra_state::Response::BestChainNextMedianTimePast(median_time_past) = query
643 .await
644 .map_err(|e| TransactionError::ValidateMempoolLockTimeError(e.to_string()))?
645 {
646 Ok(median_time_past)
647 } else {
648 unreachable!("Request::BestChainNextMedianTimePast always responds with BestChainNextMedianTimePast")
649 }
650 }
651
652 /// Wait for the UTXOs that are being spent by the given transaction.
653 ///
654 /// Looks up UTXOs that are being spent by the given transaction in the state or waits
655 /// for them to be added to the mempool for [`Mempool`](Request::Mempool) requests.
656 ///
657 /// Returns a triple containing:
658 /// - `OutPoint` -> `Utxo` map,
659 /// - vec of `Output`s in the same order as the matching inputs in the `tx`,
660 /// - vec of `Outpoint`s spent by a mempool `tx` that were not found in the best chain's utxo set.
661 async fn spent_utxos(
662 tx: Arc<Transaction>,
663 req: Request,
664 state: Timeout<ZS>,
665 mempool: Option<Timeout<Mempool>>,
666 ) -> Result<
667 (
668 HashMap<transparent::OutPoint, transparent::Utxo>,
669 Vec<transparent::Output>,
670 Vec<transparent::OutPoint>,
671 ),
672 TransactionError,
673 > {
674 let is_mempool = req.is_mempool();
675 // Additional UTXOs known at the time of validation,
676 // i.e., from previous transactions in the block.
677 let known_utxos = req.known_utxos();
678
679 let inputs = tx.inputs();
680 let mut spent_utxos = HashMap::new();
681 // Pre-allocate with None so we can fill each slot by input index, preserving input order
682 // even when chain and mempool UTXOs are fetched in separate passes.
683 let mut spent_outputs: Vec<Option<transparent::Output>> = vec![None; inputs.len()];
684 // Stores (input_idx, outpoint) for UTXOs not found in the best chain (fetched from mempool later).
685 let mut spent_mempool_outpoints: Vec<(usize, transparent::OutPoint)> = Vec::new();
686
687 for (input_idx, input) in inputs.iter().enumerate() {
688 if let transparent::Input::PrevOut { outpoint, .. } = input {
689 tracing::trace!("awaiting outpoint lookup");
690 let utxo = if let Some(output) = known_utxos.get(outpoint) {
691 tracing::trace!("UXTO in known_utxos, discarding query");
692 output.utxo.clone()
693 } else if is_mempool {
694 let query = state
695 .clone()
696 .oneshot(zs::Request::UnspentBestChainUtxo(*outpoint));
697
698 let zebra_state::Response::UnspentBestChainUtxo(utxo) = query
699 .await
700 .map_err(|_| TransactionError::TransparentInputNotFound)?
701 else {
702 unreachable!("UnspentBestChainUtxo always responds with Option<Utxo>")
703 };
704
705 let Some(utxo) = utxo else {
706 spent_mempool_outpoints.push((input_idx, *outpoint));
707 continue;
708 };
709
710 utxo
711 } else {
712 let query = state
713 .clone()
714 .oneshot(zebra_state::Request::AwaitUtxo(*outpoint));
715 if let zebra_state::Response::Utxo(utxo) = query.await? {
716 utxo
717 } else {
718 unreachable!("AwaitUtxo always responds with Utxo")
719 }
720 };
721 tracing::trace!(?utxo, "got UTXO");
722 spent_outputs[input_idx] = Some(utxo.output.clone());
723 spent_utxos.insert(*outpoint, utxo);
724 } else {
725 continue;
726 }
727 }
728
729 if let Some(mempool) = mempool {
730 for &(input_idx, spent_mempool_outpoint) in &spent_mempool_outpoints {
731 let query = mempool
732 .clone()
733 .oneshot(mempool::Request::AwaitOutput(spent_mempool_outpoint));
734
735 let output = match query.await {
736 Ok(mempool::Response::UnspentOutput(output)) => output,
737 Ok(_) => unreachable!("UnspentOutput always responds with UnspentOutput"),
738 Err(err) => {
739 return match err.downcast::<Elapsed>() {
740 Ok(_) => Err(TransactionError::TransparentInputNotFound),
741 Err(err) => Err(err.into()),
742 };
743 }
744 };
745
746 spent_outputs[input_idx] = Some(output.clone());
747 spent_utxos.insert(
748 spent_mempool_outpoint,
749 // Assume the Utxo height will be next height after the best chain tip height
750 //
751 // # Correctness
752 //
753 // If the tip height changes while an umined transaction is being verified,
754 // the transaction must be re-verified before being added to the mempool.
755 transparent::Utxo::new(output, req.height(), false),
756 );
757 }
758 } else if !spent_mempool_outpoints.is_empty() {
759 return Err(TransactionError::TransparentInputNotFound);
760 }
761
762 // Convert back to return types; slots are in input order.
763 let spent_outputs: Vec<transparent::Output> = spent_outputs.into_iter().flatten().collect();
764 let spent_mempool_outpoints: Vec<transparent::OutPoint> = spent_mempool_outpoints
765 .into_iter()
766 .map(|(_, op)| op)
767 .collect();
768
769 Ok((spent_utxos, spent_outputs, spent_mempool_outpoints))
770 }
771
772 /// Accepts `request`, a transaction verifier [`&Request`](Request),
773 /// and `spent_utxos`, a HashMap of UTXOs in the chain that are spent by this transaction.
774 ///
775 /// Gets the `transaction`, `height`, and `known_utxos` for the request and checks calls
776 /// [`check::tx_transparent_coinbase_spends_maturity`] to verify that every transparent
777 /// coinbase output spent by the transaction will have matured by `height`.
778 ///
779 /// Returns `Ok(())` if every transparent coinbase output spent by the transaction is
780 /// mature and valid for the request height, or a [`TransactionError`] if the transaction
781 /// spends transparent coinbase outputs that are immature and invalid for the request height.
782 pub fn check_maturity_height(
783 network: &Network,
784 request: &Request,
785 spent_utxos: &HashMap<transparent::OutPoint, transparent::Utxo>,
786 ) -> Result<(), TransactionError> {
787 check::tx_transparent_coinbase_spends_maturity(
788 network,
789 request.transaction(),
790 request.height(),
791 request.known_utxos(),
792 spent_utxos,
793 )
794 }
795
796 /// Verify a V4 transaction.
797 ///
798 /// Returns a set of asynchronous checks that must all succeed for the transaction to be
799 /// considered valid. These checks include:
800 ///
801 /// - transparent transfers
802 /// - sprout shielded data
803 /// - sapling shielded data
804 ///
805 /// The parameters of this method are:
806 ///
807 /// - the `request` to verify (that contains the transaction and other metadata, see [`Request`]
808 /// for more information)
809 /// - the `network` to consider when verifying
810 /// - the `script_verifier` to use for verifying the transparent transfers
811 /// - the prepared `cached_ffi_transaction` used by the script verifier
812 /// - the Sprout `joinsplit_data` shielded data in the transaction
813 /// - the `sapling_shielded_data` in the transaction
814 #[allow(clippy::unwrap_in_result)]
815 fn verify_v4_transaction(
816 request: &Request,
817 network: &Network,
818 script_verifier: script::Verifier,
819 cached_ffi_transaction: Arc<CachedFfiTransaction>,
820 joinsplit_data: &Option<transaction::JoinSplitData<Groth16Proof>>,
821 ) -> Result<AsyncChecks, TransactionError> {
822 let tx = request.transaction();
823 let nu = request.upgrade(network);
824
825 Self::verify_v4_transaction_network_upgrade(&tx, nu)?;
826
827 let sapling_bundle = cached_ffi_transaction.sighasher().sapling_bundle();
828
829 let sighash = cached_ffi_transaction
830 .sighasher()
831 .sighash(HashType::ALL, None);
832
833 Ok(Self::verify_transparent_inputs_and_outputs(
834 request,
835 script_verifier,
836 cached_ffi_transaction,
837 )?
838 .and(Self::verify_sprout_shielded_data(joinsplit_data, &sighash)?)
839 .and(Self::verify_sapling_bundle(sapling_bundle, &sighash)))
840 }
841
842 /// Verifies if a V4 `transaction` is supported by `network_upgrade`.
843 fn verify_v4_transaction_network_upgrade(
844 transaction: &Transaction,
845 network_upgrade: NetworkUpgrade,
846 ) -> Result<(), TransactionError> {
847 match network_upgrade {
848 // Supports V4 transactions
849 //
850 // # Consensus
851 //
852 // > [Sapling to Canopy inclusive, pre-NU5] The transaction version number MUST be 4,
853 // > and the version group ID MUST be 0x892F2085.
854 //
855 // > [NU5 onward] The transaction version number MUST be 4 or 5.
856 // > If the transaction version number is 4 then the version group ID MUST be 0x892F2085.
857 // > If the transaction version number is 5 then the version group ID MUST be 0x26A7270A.
858 //
859 // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
860 //
861 // Note: Here we verify the transaction version number of the above two rules, the group
862 // id is checked in zebra-chain crate, in the transaction serialize.
863 NetworkUpgrade::Sapling
864 | NetworkUpgrade::Blossom
865 | NetworkUpgrade::Heartwood
866 | NetworkUpgrade::Canopy
867 | NetworkUpgrade::Nu5
868 | NetworkUpgrade::Nu6
869 | NetworkUpgrade::Nu6_1 => Ok(()),
870
871 #[cfg(zcash_unstable = "zfuture")]
872 NetworkUpgrade::ZFuture => Ok(()),
873
874 // Does not support V4 transactions
875 NetworkUpgrade::Genesis
876 | NetworkUpgrade::BeforeOverwinter
877 | NetworkUpgrade::Overwinter
878 | NetworkUpgrade::Nu7 => Err(TransactionError::UnsupportedByNetworkUpgrade(
879 transaction.version(),
880 network_upgrade,
881 )),
882 }
883 }
884
885 /// Verify a V5 transaction.
886 ///
887 /// Returns a set of asynchronous checks that must all succeed for the transaction to be
888 /// considered valid. These checks include:
889 ///
890 /// - transaction support by the considered network upgrade (see [`Request::upgrade`])
891 /// - transparent transfers
892 /// - sapling shielded data (TODO)
893 /// - orchard shielded data (TODO)
894 ///
895 /// The parameters of this method are:
896 ///
897 /// - the `request` to verify (that contains the transaction and other metadata, see [`Request`]
898 /// for more information)
899 /// - the `network` to consider when verifying
900 /// - the `script_verifier` to use for verifying the transparent transfers
901 /// - the prepared `cached_ffi_transaction` used by the script verifier
902 /// - the sapling shielded data of the transaction, if any
903 /// - the orchard shielded data of the transaction, if any
904 #[allow(clippy::unwrap_in_result)]
905 fn verify_v5_transaction(
906 request: &Request,
907 network: &Network,
908 script_verifier: script::Verifier,
909 cached_ffi_transaction: Arc<CachedFfiTransaction>,
910 ) -> Result<AsyncChecks, TransactionError> {
911 let transaction = request.transaction();
912 let nu = request.upgrade(network);
913
914 Self::verify_v5_transaction_network_upgrade(&transaction, nu)?;
915
916 let sapling_bundle = cached_ffi_transaction.sighasher().sapling_bundle();
917 let orchard_bundle = cached_ffi_transaction.sighasher().orchard_bundle();
918
919 let sighash = cached_ffi_transaction
920 .sighasher()
921 .sighash(HashType::ALL, None);
922
923 Ok(Self::verify_transparent_inputs_and_outputs(
924 request,
925 script_verifier,
926 cached_ffi_transaction,
927 )?
928 .and(Self::verify_sapling_bundle(sapling_bundle, &sighash))
929 .and(Self::verify_orchard_bundle(orchard_bundle, &sighash)))
930 }
931
932 /// Verifies if a V5 `transaction` is supported by `network_upgrade`.
933 fn verify_v5_transaction_network_upgrade(
934 transaction: &Transaction,
935 network_upgrade: NetworkUpgrade,
936 ) -> Result<(), TransactionError> {
937 match network_upgrade {
938 // Supports V5 transactions
939 //
940 // # Consensus
941 //
942 // > [NU5 onward] The transaction version number MUST be 4 or 5.
943 // > If the transaction version number is 4 then the version group ID MUST be 0x892F2085.
944 // > If the transaction version number is 5 then the version group ID MUST be 0x26A7270A.
945 //
946 // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
947 //
948 // Note: Here we verify the transaction version number of the above rule, the group
949 // id is checked in zebra-chain crate, in the transaction serialize.
950 NetworkUpgrade::Nu5
951 | NetworkUpgrade::Nu6
952 | NetworkUpgrade::Nu6_1
953 | NetworkUpgrade::Nu7 => Ok(()),
954
955 #[cfg(zcash_unstable = "zfuture")]
956 NetworkUpgrade::ZFuture => Ok(()),
957
958 // Does not support V5 transactions
959 NetworkUpgrade::Genesis
960 | NetworkUpgrade::BeforeOverwinter
961 | NetworkUpgrade::Overwinter
962 | NetworkUpgrade::Sapling
963 | NetworkUpgrade::Blossom
964 | NetworkUpgrade::Heartwood
965 | NetworkUpgrade::Canopy => Err(TransactionError::UnsupportedByNetworkUpgrade(
966 transaction.version(),
967 network_upgrade,
968 )),
969 }
970 }
971
972 /// Passthrough to verify_v5_transaction, but for V6 transactions.
973 #[cfg(all(zcash_unstable = "nu7", feature = "tx_v6"))]
974 fn verify_v6_transaction(
975 request: &Request,
976 network: &Network,
977 script_verifier: script::Verifier,
978 cached_ffi_transaction: Arc<CachedFfiTransaction>,
979 ) -> Result<AsyncChecks, TransactionError> {
980 Self::verify_v5_transaction(request, network, script_verifier, cached_ffi_transaction)
981 }
982
983 /// Verifies if a transaction's transparent inputs are valid using the provided
984 /// `script_verifier` and `cached_ffi_transaction`.
985 ///
986 /// Returns script verification responses via the `utxo_sender`.
987 fn verify_transparent_inputs_and_outputs(
988 request: &Request,
989 script_verifier: script::Verifier,
990 cached_ffi_transaction: Arc<CachedFfiTransaction>,
991 ) -> Result<AsyncChecks, TransactionError> {
992 let transaction = request.transaction();
993
994 if transaction.is_coinbase() {
995 // The script verifier only verifies PrevOut inputs and their corresponding UTXOs.
996 // Coinbase transactions don't have any PrevOut inputs.
997 Ok(AsyncChecks::new())
998 } else {
999 // feed all of the inputs to the script verifier
1000 let inputs = transaction.inputs();
1001
1002 let script_checks = (0..inputs.len())
1003 .map(move |input_index| {
1004 let request = script::Request {
1005 cached_ffi_transaction: cached_ffi_transaction.clone(),
1006 input_index,
1007 };
1008
1009 script_verifier.oneshot(request)
1010 })
1011 .collect();
1012
1013 Ok(script_checks)
1014 }
1015 }
1016
1017 /// Verifies a transaction's Sprout shielded join split data.
1018 fn verify_sprout_shielded_data(
1019 joinsplit_data: &Option<transaction::JoinSplitData<Groth16Proof>>,
1020 shielded_sighash: &SigHash,
1021 ) -> Result<AsyncChecks, TransactionError> {
1022 let mut checks = AsyncChecks::new();
1023
1024 if let Some(joinsplit_data) = joinsplit_data {
1025 for joinsplit in joinsplit_data.joinsplits() {
1026 // # Consensus
1027 //
1028 // > The proof π_ZKJoinSplit MUST be valid given a
1029 // > primary input formed from the relevant other fields and h_{Sig}
1030 //
1031 // https://zips.z.cash/protocol/protocol.pdf#joinsplitdesc
1032 //
1033 // Queue the verification of the Groth16 spend proof
1034 // for each JoinSplit description while adding the
1035 // resulting future to our collection of async
1036 // checks that (at a minimum) must pass for the
1037 // transaction to verify.
1038 checks.push(primitives::groth16::JOINSPLIT_VERIFIER.oneshot(
1039 DescriptionWrapper(&(joinsplit, &joinsplit_data.pub_key)).try_into()?,
1040 ));
1041 }
1042
1043 // # Consensus
1044 //
1045 // > If effectiveVersion ≥ 2 and nJoinSplit > 0, then:
1046 // > - joinSplitPubKey MUST be a valid encoding of an Ed25519 validating key
1047 // > - joinSplitSig MUST represent a valid signature under
1048 // joinSplitPubKey of dataToBeSigned, as defined in § 4.11
1049 //
1050 // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
1051 //
1052 // The `if` part is indirectly enforced, since the `joinsplit_data`
1053 // is only parsed if those conditions apply in
1054 // [`Transaction::zcash_deserialize`].
1055 //
1056 // The valid encoding is defined in
1057 //
1058 // > A valid Ed25519 validating key is defined as a sequence of 32
1059 // > bytes encoding a point on the Ed25519 curve
1060 //
1061 // https://zips.z.cash/protocol/protocol.pdf#concreteed25519
1062 //
1063 // which is enforced during signature verification, in both batched
1064 // and single verification, when decompressing the encoded point.
1065 //
1066 // Queue the validation of the JoinSplit signature while
1067 // adding the resulting future to our collection of
1068 // async checks that (at a minimum) must pass for the
1069 // transaction to verify.
1070 //
1071 // https://zips.z.cash/protocol/protocol.pdf#sproutnonmalleability
1072 // https://zips.z.cash/protocol/protocol.pdf#txnencodingandconsensus
1073 let ed25519_verifier = primitives::ed25519::VERIFIER.clone();
1074 let ed25519_item =
1075 (joinsplit_data.pub_key, joinsplit_data.sig, shielded_sighash).into();
1076
1077 checks.push(ed25519_verifier.oneshot(ed25519_item));
1078 }
1079
1080 Ok(checks)
1081 }
1082
1083 /// Verifies a transaction's Sapling shielded data.
1084 fn verify_sapling_bundle(
1085 bundle: Option<sapling_crypto::Bundle<sapling_crypto::bundle::Authorized, ZatBalance>>,
1086 sighash: &SigHash,
1087 ) -> AsyncChecks {
1088 let mut async_checks = AsyncChecks::new();
1089
1090 // The Sapling batch verifier checks the following consensus rules:
1091 //
1092 // # Consensus
1093 //
1094 // > The proof π_ZKSpend MUST be valid given a primary input formed from the other fields
1095 // > except spendAuthSig.
1096 //
1097 // > The spend authorization signature MUST be a valid SpendAuthSig signature over SigHash
1098 // > using rk as the validating key.
1099 //
1100 // > [NU5 onward] As specified in § 5.4.7 ‘RedDSA, RedJubjub, and RedPallas’ on p. 88, the
1101 // > validation of the 𝑅 component of the signature changes to prohibit non-canonical
1102 // > encodings.
1103 //
1104 // https://zips.z.cash/protocol/protocol.pdf#spenddesc
1105 //
1106 // # Consensus
1107 //
1108 // > The proof π_ZKOutput MUST be valid given a primary input formed from the other fields
1109 // > except C^enc and C^out.
1110 //
1111 // https://zips.z.cash/protocol/protocol.pdf#outputdesc
1112 //
1113 // # Consensus
1114 //
1115 // > The Spend transfers and Action transfers of a transaction MUST be consistent with its
1116 // > vbalanceSapling value as specified in § 4.13 ‘Balance and Binding Signature (Sapling)’.
1117 //
1118 // https://zips.z.cash/protocol/protocol.pdf#spendsandoutputs
1119 //
1120 // # Consensus
1121 //
1122 // > [Sapling onward] If effectiveVersion ≥ 4 and nSpendsSapling + nOutputsSapling > 0,
1123 // > then:
1124 // >
1125 // > – let bvk^{Sapling} and SigHash be as defined in § 4.13;
1126 // > – bindingSigSapling MUST represent a valid signature under the transaction binding
1127 // > validating key bvk Sapling of SigHash — i.e.
1128 // > BindingSig^{Sapling}.Validate_{bvk^{Sapling}}(SigHash, bindingSigSapling ) = 1.
1129 //
1130 // Note that the `if` part is indirectly enforced, since the `sapling_shielded_data` is only
1131 // parsed if those conditions apply in [`Transaction::zcash_deserialize`].
1132 //
1133 // > [NU5 onward] As specified in § 5.4.7, the validation of the 𝑅 component of the
1134 // > signature changes to prohibit non-canonical encodings.
1135 //
1136 // https://zips.z.cash/protocol/protocol.pdf#txnconsensus
1137 if let Some(bundle) = bundle {
1138 async_checks.push(
1139 primitives::sapling::VERIFIER
1140 .clone()
1141 .oneshot(primitives::sapling::Item::new(bundle, *sighash)),
1142 );
1143 }
1144
1145 async_checks
1146 }
1147
1148 /// Verifies a transaction's Orchard shielded data.
1149 fn verify_orchard_bundle(
1150 bundle: Option<::orchard::bundle::Bundle<::orchard::bundle::Authorized, ZatBalance>>,
1151 sighash: &SigHash,
1152 ) -> AsyncChecks {
1153 let mut async_checks = AsyncChecks::new();
1154
1155 if let Some(bundle) = bundle {
1156 // # Consensus
1157 //
1158 // > The proof 𝜋 MUST be valid given a primary input (cv, rt^{Orchard},
1159 // > nf, rk, cm_x, enableSpends, enableOutputs)
1160 //
1161 // https://zips.z.cash/protocol/protocol.pdf#actiondesc
1162 //
1163 // Unlike Sapling, Orchard shielded transactions have a single
1164 // aggregated Halo2 proof per transaction, even with multiple
1165 // Actions in one transaction. So we queue it for verification
1166 // only once instead of queuing it up for every Action description.
1167 async_checks.push(
1168 primitives::halo2::VERIFIER
1169 .clone()
1170 .oneshot(primitives::halo2::Item::new(bundle, *sighash)),
1171 );
1172 }
1173
1174 async_checks
1175 }
1176}
1177
1178/// A set of unordered asynchronous checks that should succeed.
1179///
1180/// A wrapper around [`FuturesUnordered`] with some auxiliary methods.
1181struct AsyncChecks(FuturesUnordered<Pin<Box<dyn Future<Output = Result<(), BoxError>> + Send>>>);
1182
1183impl AsyncChecks {
1184 /// Create an empty set of unordered asynchronous checks.
1185 pub fn new() -> Self {
1186 AsyncChecks(FuturesUnordered::new())
1187 }
1188
1189 /// Push a check into the set.
1190 pub fn push(&mut self, check: impl Future<Output = Result<(), BoxError>> + Send + 'static) {
1191 self.0.push(check.boxed());
1192 }
1193
1194 /// Push a set of checks into the set.
1195 ///
1196 /// This method can be daisy-chained.
1197 pub fn and(mut self, checks: AsyncChecks) -> Self {
1198 self.0.extend(checks.0);
1199 self
1200 }
1201
1202 /// Wait until all checks in the set finish.
1203 ///
1204 /// If any of the checks fail, this method immediately returns the error and cancels all other
1205 /// checks by dropping them.
1206 async fn check(mut self) -> Result<(), BoxError> {
1207 // Wait for all asynchronous checks to complete
1208 // successfully, or fail verification if they error.
1209 while let Some(check) = self.0.next().await {
1210 tracing::trace!(?check, remaining = self.0.len());
1211 check?;
1212 }
1213
1214 Ok(())
1215 }
1216}
1217
1218impl<F> FromIterator<F> for AsyncChecks
1219where
1220 F: Future<Output = Result<(), BoxError>> + Send + 'static,
1221{
1222 fn from_iter<I>(iterator: I) -> Self
1223 where
1224 I: IntoIterator<Item = F>,
1225 {
1226 AsyncChecks(iterator.into_iter().map(FutureExt::boxed).collect())
1227 }
1228}